[Cfrg] proofs for augmented PAKEs

Hugo Krawczyk <hugokraw@gmail.com> Wed, 27 March 2019 13:10 UTC

From: Hugo Krawczyk <hugokraw@gmail.com>
Date: Wed, 27 Mar 2019 09:10:01 -0400
Message-ID: <CADi0yUNCNw2Yx-4xk8SkP4HjUk1-htr_bMaEOs1acBzqYsd=Tg@mail.gmail.com>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/QOtEMvfRzGBrjFIN4hQg6Wm0pHc>
Subject: [Cfrg] proofs for augmented PAKEs

In Stanislav's excellent presentation today there was a slide about whether
the mentioned schemes have proofs.

In the cases of augmented schemes SPAKE2+, AugPAKE, VTBPEKE, Stanislav had
quotes from me regarding the existence of proofs.

I want to note that this is not a personal/subjective opinion. So let me
elaborate.

SPAKE2+ is given a design rationale in Section 9 of
https://eprint.iacr.org/2008/067.pdf

but no proof or model, or any form of formal argument was presented (or
intended). The protocol is presented as a potential application of
techniques in that paper whose main subject is not PAKEs.
I asked one of the authors and there is no other publication they have (or
that they know about) with such a proof.
I have no particular reason to believe the protocol is insecure, but proofs
of augmented PAKEs are very tricky, including the theoretical modeling. So
a proof will be very welcome but not available now.
Let me stress that this applies to augmented SPAKE2+. The balanced version
SPAKE2 has a proof of security.

AugPAKE has an analysis in
https://eprint.iacr.org/2010/334.pdf

However, the analysis is only in the balanced model. That paper does not
present a proof or model for the augmented case.

VTBPEKE has a proof of security in an augmented PAKE model that allows for
pre-computation attacks.

Vulnerability to pre-computation attacks (due to the need to send the salt
over an unprotected channel) is common to all the above protocols. As far as I
know, OPAQUE is the first to be secure against such attacks. This is
significant since resistance to pre-computation attacks is what motivates
the notion of Augmented PAKE in the first place.

If anyone knows of information that changes the above description, please
let us know.

Hugo