Re: [Cfrg] Re-review of the four balanced PAKEs
Scott Arciszewski <scott@paragonie.com> Thu, 24 October 2019 16:21 UTC
Return-Path: <scott@paragonie.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B51B5120113 for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 09:21:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paragonie-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d3o3O3YXX9fz for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 09:21:24 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04B151208B3 for <cfrg@irtf.org>; Thu, 24 Oct 2019 09:21:24 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id g21so18530972lfh.4 for <cfrg@irtf.org>; Thu, 24 Oct 2019 09:21:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ewan1/QXdjw8OnJx9yvd4AdUPdxbLyRWq3ZhX8dRxZY=; b=LHTFFl29C3MgVZG+b2OAYcKrUsPfhYp3CjELTOhvYxgOtguwtOxXrlGRvCjU7MIgAF BfOsNjIhIPCAEh3v/GqnXjKMNR2xI28xwnNI9/KEQw/fWj4E3Xm7GvcID3CP79NFhbCQ pAwnybezVauFzeIpNpL7LCqWE3p2zbSXdmrNcvDsfD5iCV3qJFVroa1z1WzplwwlaHZy sU2KFGpVRJbrwN6RcM2J3Nb2NXR5+E21Uc2eeMKfmlDdYMUpSCViVCzsQdlnSZoNrRm1 Ou3iJz6tU9OHidbiVDhtWbDgHyM/xr7Deo7BTVdH+E9dY6hkzjkZQhU5pGnLvpXPYxb2 krQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ewan1/QXdjw8OnJx9yvd4AdUPdxbLyRWq3ZhX8dRxZY=; b=ox+HgWpS9sSO4zqJPC52U2pM76/ebPuDq1z9klJC/kbWFn+avEMkHdpJIHg9b+f2xY sZ998qDB7i8fMu0H+qiQGm3P9oh7yt2kkl2NtEVklnno4eX08g7gvlRNEPKpMfgG0a75 gyN5WmNae5bJZrPBVbBFjI5BCHeE6Tzc8viMcu4YH38oyskr+Bmbr3WjYJG4L+VRhSmA GKAoK/nHiLPFNLf12KR56k0gSdptiOZqslBek2boa+tJ2Vypdpv8Vf2J0G1xTRaVe5q2 BDHyGX08t6vsRYxGbQOQIhFCvpphGXborGPW1JAqp1/tZZHyqMwJJhAW9wwgrJq3gL/S qeZA==
X-Gm-Message-State: APjAAAUO78hA6usfGTM30BdNPQJ+U6mrK62oOrXCnyIsP0pNvO6S9VLi 6fWWCGh2+sznHAYUYLdUpwsaprMq1qsuDDL5xir6FQ==
X-Google-Smtp-Source: APXvYqwgm+Kpgh8DfeGVzusXbM73Xt40fhPl41nMqxP3T2wbuA5MN/AVTukcfFMPOXbqr2nbJSf3Vnmtonf68fRVGTo=
X-Received: by 2002:ac2:5108:: with SMTP id q8mr22748674lfb.150.1571934081960; Thu, 24 Oct 2019 09:21:21 -0700 (PDT)
MIME-Version: 1.0
References: <BN8PR11MB36665D2F38B0E91D734A96CFC16A0@BN8PR11MB3666.namprd11.prod.outlook.com> <CAKDPBw-fKQ_-GSCu=GHpEZjfv1WfqsTnK_DYPw-7akNGYm3tnA@mail.gmail.com>
In-Reply-To: <CAKDPBw-fKQ_-GSCu=GHpEZjfv1WfqsTnK_DYPw-7akNGYm3tnA@mail.gmail.com>
From: Scott Arciszewski <scott@paragonie.com>
Date: Thu, 24 Oct 2019 12:21:09 -0400
Message-ID: <CAKws9z3dn+JgFGgQoRokCBAi+3j3nn_rrgDcpmKWrRtdNAEnBA@mail.gmail.com>
To: Paul Grubbs <pag225@cornell.edu>
Cc: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000090e2070595aa6c24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NzvN1SfpkxSPBDdps-YJok7ptTA>
Subject: Re: [Cfrg] Re-review of the four balanced PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 16:21:29 -0000
"Quantum Annoying" was something Steve Thomas coined (IIRC). It means you have to break an ECDLog problem per attempt. It's O(n) rather than O(1). It's not quite post-quantum resistance (where each attempt requires breaking PQ crypto algorithms). But it does make attacks "annoying" if a quantum computer is ever developed. BSPAKE is argued to be quantum annoying. OPAQUE is not. I like both designs. Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises <https://paragonie.com> On Thu, Oct 24, 2019 at 12:13 PM Paul Grubbs <pag225@cornell.edu> wrote: > Hey Scott, thanks for your comments. I have a couple questions: > > 1. Regarding SPAKE-2, you said this > > the issue still remains that if someone were to be able to solve a > single ECDLog problem, they could then perform an on-line dictionary attack > against anyone using that parameter set. > I don't quite understand what you mean - can you explain this on-line > dictionary attack? In general, aren't all PAKEs vulnerable to online > dictionary attacks? > > 2. This 'quantum annoying' property is the subject of much CFRG > discussion, but it seems ill-specified. Can you explain it in a bit more > detail, maybe by example (e.g., why does CPace have 'good' quantum > annoyance)? > > On Thu, Oct 24, 2019 at 11:23 AM Scott Fluhrer (sfluhrer) < > sfluhrer@cisco.com> wrote: > >> I re-reviewed the four balanced PAKEs, looking at the more practical >> issues. >> >> >> >> Summary: it comes down to the choice between CPace and SPAKE-2 (J-PAKE >> can be discounted because of the extra round trip needed, and the expense; >> SPEKE can be discounted because of the lack of a single proposal (and the >> single proven one is no better than CPace). >> >> >> >> SPAKE-2 is better than CPACE in the sense that it is a single round >> protocol (and so can be used as a drop-in replacement for DH, assuming some >> hooks for exchanging identities), and so would be slightly easier to use in >> a protocol; CPACE requires a key confirmation to be sent after the exchange >> (possibly along with the first encrypted message). On the other hand, I >> wouldn’t expect that a protocol would have a major issue with the extra >> message that CPACE requires. >> >> >> >> SPAKE-2 is better in that it uses only standard (point multiplication) >> operations, which are more likely to be implemented in crypto libraries in >> constant time. CPACE requires a hash-to-curve operation; it is less likely >> that a crypto library has a constant time implementation of that available. >> >> >> >> SPAKE-2 is better in that it uses somewhat less message overhead (two >> hashes less). However, even with this additional overhead, CPACE is still >> quite reasonable (perhaps 128 bytes total, not counting overhead). >> >> >> >> SPAKE-2 (as specified in the RFC) is worse than CPACE in that it relies >> on global M and N parameters. While the M and N values in the SPAKE-2 RFC >> are claimed to be generated in a NUMS manner, the issue still remains that >> if someone were to be able to solve a single ECDLog problem, they could >> then perform an on-line dictionary attack against anyone using that >> parameter set. >> >> >> >> In terms of other practical issues (computation, message overhead), they >> are mostly identical. >> >> >> >> My opinion is that CPACE is better, the single disadvantage that SPAKE-2 >> has (vulnerable if someone somewhere solves just one ECDLog problem) is >> worse than the three disadvantages of CPACE. >> >> >> >> >> >> A more detailed listing of the comparison: >> >> >> >> >> >> * Fragile is you give an attacker offline password guessing if there is a >> minor error in the implementation of ECC. >> >> * Quantum annoying (“PQ-ish”) is the property that an attacker with a >> quantum computer needs to solve a DLP per password guess. >> >> >> >> Balanced PAKE summary >> >> Name | PQ-ish | Rounds* | Fragile >> >> ------------------+----------+---------------+--------- >> >> CPace | Good | 1.5 (1/2) | Moderate** >> >> J-PAKE | Bad | 2 (2/2)*** | Good >> >> SPAKE-2 | Bad | 1 (1/1) | Good >> >> SPEKE (EC based) | Good | 1 (1/1)**** | Moderate** >> >> SPEKE (ModP based)| Moderate | 1 (1/1)**** | Good >> >> >> >> * "number of total trips" ("number of messages received before initiator >> can encrypt"/"number of messages received before responder can encrypt") >> >> ** CPace and SPEKE (EC) is listed as moderately fragile because they >> depend on a hash-to-curve operation based on the secret password; a timing >> variation there might leak the secret. While constant-time hash-to-curve >> algorithms are known, they are less common than standard EC operations, and >> hence this needs to be considered. >> >> *** This assumes that we use the three-pass variant, and we do use the >> recommended key confirmation. >> >> **** Note that SPEKE claims to be secure without an explicit key >> confirmation pass; we assume the “Patched SPEKE” protocol found in the >> paper. See my concerns about this below. >> >> >> >> Balanced PAKE summary (continued) >> >> Name | Comp per side (*) | Total Message Size (**) >> >> ------------------+-------------------|------------------ >> >> CPace | H+2x | 2P+2H >> >> J-PAKE | 2g+3x+3pg+3pv | 6P+4Z+2H >> >> SPAKE-2 | d+x | 2P >> >> SPEKE (EC based) | H+2x | 2P >> >> SPEKE (ModP based)| 2M | 2M >> >> >> >> >> >> * In all cases, the initiator and the responder perform the same overall >> amount of computation, hence we don’t break it down per side. In addition, >> we omit the costs of hashes, point additions, modular multiplications, as >> they are expected to be insignificant compared to the point >> multiplications/modular exponentiations listed. >> >> ** Note that none of the protocols are defined in bits-on-the-wire >> format; there are likely to be some additional overhead (such as identities >> and nonces) exchanged, but those are not listed. This additional overhead >> would appear to be likely to be similar for all the candidates. >> >> >> >> Cost: >> >> H: Hash to point >> >> x: Point multiplication >> >> g: Point multiplication of the generator (which is potentially cheaper >> than a point multiplication of an arbitrary point) >> >> d: Double scalar point multiply and add, that is, aB + cD >> >> pg: Zero knowledge proof generation (approximately the same as a field >> multiplication) >> >> pv: Zero knowledge proof verification (approximately the same as a double >> scalar point multiply and add) >> >> M: Modular exponentiation >> >> >> >> Message Size: >> >> P: An elliptic curve point >> >> H: A hash >> >> Z: A zero knowledge proof (an elliptic curve point plus an integer the >> size of the group) >> >> M: An integer of the size of the DH group >> >> >> >> Notes: >> >> >> >> - In general, none of these proposals are defined at the level that I >> believe that the CFRG needs. Most of them do not document bits-on-the-wire >> format, or call out required error checking. I believe that we need to >> generate a sufficiently detailed protocol that could be inserted as a >> blackbox into real protocols; whichever we pick, there’s some work required >> before we get to that point. >> - As a reminder, if we go with the SPAKE-2 option, someone would need >> to verify the generation of the M and N values specified in the RFC. I was >> able to do a partial validation (which looked good); however, I was unable >> to accomplish a complete one. >> - The more recent SPEKE paper (https://eprint.iacr.org/2014/585.pdf) >> claims that they don’t need an explicit key confirmation step, however I >> find their argument unsatisfying. The claim appears in section 5.3 >> “Countermeasures and suggested changes to standards”; they give several >> suggestions in this section, and it is unclear which is being proposed. >> They state that, in the case of multiple concurrent negotiations, the two >> sides should use distinct identifiers for each one (e.g. “Alice-1” for the >> first session, “Alice-2” for the second); that has obvious practical >> problems in the case that the two sides don’t agree on which session is the >> first. In addition, the relevant text is: >> >> As long the user identifiers are unique between concurrent sessions, the >> use of the extra session identifier *does not seem* needed. [emphasis >> added] >> >> They give no proof as to the above statement. This lack of rigor, and >> the lack of a single concrete proposal leads me to discount SPEKE as a >> desirable proposal >> >> >> >> - Reasoning behind Quantum Annoying statements: >> - J-PAKE is not Quantum Annoying, computing three discrete logs >> would allow an adversary to perform an off-line dictionary search for the >> password (that is, on a recorded session). In addition, if the password is >> known, three discrete logs are sufficient to recover the shared secret on a >> recorded session. >> - SPAKE-2, as proposed, is not Quantum Annoying, a single discrete >> log of the global M (or N) parameters would allow an adversary to perform >> an on-line dictionary attack. >> - SPEKE (ModP based) is listed as moderate, as an attacker could >> attempt to compute a large number of discrete logs in an attempt to form a >> factor base (which would allow him to efficiently compute any discrete >> log). However, the number of discrete logs required would be huge, and so >> this might not be a practical issue. >> >> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Re-review of the four balanced PAKEs Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Re-review of the four balanced PAKEs Björn Haase
- Re: [Cfrg] Re-review of the four balanced PAKEs Paul Grubbs
- Re: [Cfrg] Re-review of the four balanced PAKEs Scott Arciszewski
- Re: [Cfrg] Re-review of the four balanced PAKEs Hao, Feng
- Re: [Cfrg] Re-review of the four balanced PAKEs Björn Haase
- Re: [Cfrg] Re-review of the four balanced PAKEs Scott Fluhrer (sfluhrer)