IETF Logo Mail Archive

Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Tue, 07 January 2020 16:17 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA2A120052 for <cfrg@ietfa.amsl.com>; Tue, 7 Jan 2020 08:17:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGO9YCZGfFOG for <cfrg@ietfa.amsl.com>; Tue, 7 Jan 2020 08:17:52 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70072.outbound.protection.outlook.com [40.107.7.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DB9112003E for <cfrg@irtf.org>; Tue, 7 Jan 2020 08:17:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HSrkf0rB1CqqJ2227HexrNp+ae/jOEy20SPVsUq3sjve14GcnvOWX1FjXYqfli62mY7XNLtA0cTurtd0k8ueNeh6lmzv7r7tk/iuxIebZ4hO9kaSm15ER2o6k8UHq8WqzyAWt89UwjlcXHLNAdTlc638PPIli6ILTpdXokKWvboGT0GAIZ5AiVahNZGmDXuUkeGH2rZxnqg2LfOjJtcDzbL/dyKqoguZqmuBfmFfXTneB85kzsvrvtLsFwAcTCIYOzHI9oGnSeKC4X7DHWsYyHLRl71QMBKMDTRLydC/NNKJI/cVRtGaVn73zMKOPeKf0uWD6EDw/GRekyAZ3Q+iDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JNjEtQRCit2ovGIB0CgFis5OfMZA2r2E65RL7OxfERA=; b=cpthl4Oi1L63Gx7VstFRYo3qsce0fqEkZEhuP2vqe7wurT/N6ImlJAspWEb/s2Pu6kCMcinHh57b1VB5plKAQmfQfX9QWXmAj5+n1LtLycZoWp9cr4Eu522e1WTtqPCHmGdmAM5+TQabFYkR5cMC3fJHE/rL2//9s/S3Wzf/oLd5YQYvGLo0J8kPkSoGKwljj3t50csT44YfLOrbYfVIVhUqvopq1n/AGe9DSbNN+OJbyLpJ1y1G0eUHCS4g3pe2dvEzuvUDBOPI8mqvqlLtUxEafQO62mMlW8d8pipuHnKIDKC9vtoZonIlsJ6FHlJQk14x7m+Cqf+0xanMu+Q8nA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB4395.eurprd01.prod.exchangelabs.com (52.135.137.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2602.12; Tue, 7 Jan 2020 16:17:49 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::f059:923a:d030:fc69]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::f059:923a:d030:fc69%4]) with mapi id 15.20.2602.016; Tue, 7 Jan 2020 16:17:49 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Björn Haase <bjoern.haase@endress.com>, "\"Björn Haase\"" <Bjoern.M.Haase@web.de>
CC: "cfrgirtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available
Thread-Index: AdXFZsWj+BgRX8HvTDuxE8jfSMPPRQADzq0A
Date: Tue, 07 Jan 2020 16:17:48 +0000
Message-ID: <0A892720-D1F1-44A9-8E53-529453D566BD@live.warwick.ac.uk>
References: <VI1PR05MB650941DEC988A4E3DD3D7E53833F0@VI1PR05MB6509.eurprd05.prod.outlook.com>
In-Reply-To: <VI1PR05MB650941DEC988A4E3DD3D7E53833F0@VI1PR05MB6509.eurprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Enabled=True; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SiteId=52daf2a9-3b73-4da4-ac6a-3f81adc92b7e; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Owner=bjoern.haase@endress.com; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_SetDate=2020-01-07T14:28:51.3036332Z; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Name=Not Protected; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Application=Microsoft Azure Information Protection; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_ActionId=e1852067-2352-49e5-a203-c5708541722f; MSIP_Label_2988f0a4-524a-45f2-829d-417725fa4957_Extended_MSFT_Method=Automatic
user-agent: Microsoft-MacOutlook/10.20.0.191208
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [137.205.238.72]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fe6b9aaf-897c-46be-61f5-08d7938d239b
x-ms-traffictypediagnostic: DB7PR01MB4395:
x-microsoft-antispam-prvs: <DB7PR01MB439595A3E382237B39098946D63F0@DB7PR01MB4395.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 027578BB13
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(366004)(346002)(39860400002)(136003)(189003)(199004)(76116006)(8676002)(91956017)(66946007)(81156014)(81166006)(66476007)(66446008)(64756008)(66556008)(86362001)(71200400001)(6486002)(6512007)(2906002)(6506007)(33656002)(186003)(478600001)(26005)(110136005)(316002)(786003)(5660300002)(8936002)(4326008); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB4395; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sLx0lusaFJ5uDtJkq/7JPMIsey8zb+NPLRqyGqnVAls8+qq3wSfVB8n6uqe4rpz50V7xzx8L/DQrvUNFP9ch0ifuiGvgs76iMncIb40BIUvyskLQeaYo0h+KJ8eGBCu6ryhUnqm2a+GSj8XcATgLGbiYek0y7ezkgdkQajiWZFBrlwTRwIGh7k8aJG4uhax0Q7lIkNR1fAI3i2zqTeH5MeKBUehjdOGd+yRo5Adq14l2265UWwxH1rrs808mNMqogRloXLOsp1cVs7IBpV8FTBX54hHwKx497jAVYQ958YhZDc4ljIgq4CTt0nCR08qrfwzzYup/rrobdVba/GriSRf1k2f2MLGcmy084ZUzJLJkBA8vwaII5uzePEcVZf+PFJwlAm3FVzIRYOdJJtqsFHtvXQhX7x/yhnaOLNycoSdK6wdvkPjN03CVF6DPbvAf
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0A892720D1F144A98E53529453D566BDlivewarwickacuk_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: fe6b9aaf-897c-46be-61f5-08d7938d239b
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jan 2020 16:17:49.2282 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XF2Dh9fKbtfPZad0xkmjvL8XL0+vAf4IDD6zrhamFlK+n/+x8CFehqs6CYJUCQJ6/j0WdV/i02bR1hRI8isrssnbItJmIZmJubtztLBhuX4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB4395
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OWtChZ69b9C_cukqVRB1Vq09e7g>
Subject: Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 16:17:59 -0000

Dear Bjorn,


  *   There seems to be the need for more clearly specify, what is "identity".  For the CPace draft, I assumed that the receiver or sender "identity", i.e. the content  of the strings A and B in the CPace draft, would be something like a destination IP address and  a destination port on this machine. I.e. information that is required for establishing the link and exchanging the message.

At the protocol level, we normally don’t concern the communicating identities such as IP/MAC addresses (although they might be used as identities in special circumstances) as they are implementation details at a lower level. By “identity”, I mean the normal definition in a key exchange protocol in a general case: a unique string that identifies each party in the communication process. If you require the other party’s “identity” to be known beforehand, you need to state that assumption explicitly. I just wanted to point out that it’s not safe to make that assumption in the general case.


  *   It's also all about patents, IMO, why J-PAKE has been integrated by companies like Mozilla, and SPEKE and SPAKE2 were not considered. (In fact, I  believe that very few people will be talking openly about this type of reasoning.)

I can’t talk about other people’s reasoning (the decision to choose J-PAKE in Mozilla and Thread is entirely the result of the industry’s own “independent” assessment; as designers of J-PAKE we were not involved). But I want to clarify that the motivation of J-PAKE was not to avoid patent, but to actually solve the problem! Patented alternatives such as EKE and SPEKE have various idiosyncrasies that make technical analysis and implementation difficult. Patent is a thorny issue, but not a blocker as ultimately people need a secure and efficient solution (for that paying royalty is a common practice in business).


  *   Actually as mentioned above, I personally don't see any remaining technical or security risks. (This is also what I did take with me from discussions with the BSI people that designed the PAKE protocol for the german identity cards.) Also note, that there *are* already high security applications that use PAKE with mapping, such as the "french" version of PACE. Maybe you could be more specific, where exactly, you identify security issues with hashing to curves.

I suggest we wait until the hash-to-curve draft is complete and fixed first so we are not analysing a moving target. But as a suggestion, I recommend authors of the hash-to-curve draft to provide more explicit design requirements that the proposed function is supposed to satisfy. That would be helpful. Currently the draft mentions “plausibly constant time”, “random oracle encoding” … These are a bit vague. Presumably, with a hash-to-curve function, you want to (somehow) randomly maps an input string from an infinite domain to a point in a finite domain which satisfies specific curve constraints while keeping the operation constant-time. Clearly due to the domain mismatch, such an ideal (random oracle) mapping is theoretically impossible, so the best that can be done is to have one that is computationally secure. For that purpose specific requirements should be defined, e.g., they might include similar requirements as a hash such as pre-image, second pre-image and collision resistance + guaranteed validity of the output (valid point in the designated group) + constant time? With the list of requirements, it will help other researchers to analyse the functions in a more concrete way. The very tricky thing here is that there is a custom-built security primitive for each of the many curves that people want to support, so you need to ensure each must be secure and be analysed properly … Still this gives no forward compatibility – things might break in the future with new curves. A general solution that securely works with any elliptic curve suitable for cryptography at a reasonable cost will be far more attractive. That problem remains open as far I know.

v2.23.0 | Report a Bug | By Email