Re: [Cfrg] Review of PAKE protocols (for Magic-Wormhole)
Brian Warner <warner@lothar.com> Tue, 17 September 2019 16:42 UTC
Return-Path: <warner@lothar.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F18611209F4 for <cfrg@ietfa.amsl.com>; Tue, 17 Sep 2019 09:42:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJrJX4ddpbSt for <cfrg@ietfa.amsl.com>; Tue, 17 Sep 2019 09:42:43 -0700 (PDT)
Received: from smtp.lothar.com (smtp.lothar.com [204.246.122.77]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1044A1209FA for <cfrg@irtf.org>; Tue, 17 Sep 2019 09:42:34 -0700 (PDT)
Received: from [10.0.2.174] (99-124-154-248.lightspeed.sntcca.sbcglobal.net [99.124.154.248]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: warner) by smtp.lothar.com (Postfix) with ESMTPSA id 7154F7811B; Tue, 17 Sep 2019 09:42:30 -0700 (PDT)
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
References: <de0d0cae-72ba-3b8c-627c-ab6b555cbdad@lothar.com> <342699DE-1271-470F-90CE-487DC6668C75@live.warwick.ac.uk>
From: Brian Warner <warner@lothar.com>
Openpgp: preference=signencrypt
Autocrypt: addr=warner@lothar.com; prefer-encrypt=mutual; keydata= mQINBFNK1VsBEADMrGiCKsx/d0bO13WpMb1xNDTiGs/cCBZK7vRUqZFCfApBrcmjBtnW9F0K PHY71ys9fJYV+YGX3Z/zX9+OIo5ssGdX5Uas46wDci7LHFwdbBBV6pyZep3yJlaTRUf/D4F3 9niXSTXPIMDlaP4RmyycbrortvaF5/X5EMXS6/KvakRsBygftqzqx6nAkqMPPsY6ouuLk9g1 zSu9tByT7hqzIsbKyFO/3fhVNy8Y03PY8eC0kr9mZ3+BonKu8Vp+f0mp9zCaunby8A5ci9ba By+b0JZATZlAPpQLLkz+pettwPNSC87o1xuxs7WTwlgnH9H8eRK/qSbR9rlRmjxK+ufsi5qs E/WZI0jc51OI26WDQnpvXSqluCAZ/Ge5BoPYcf9KmBNF3MJlEfdhM2iXYatNlwxJP00uAuWi ds00ZZBFxy4l2/ITVoLSZemQtlcj1j8Rh7969fIVM7gAgp9KFaLusq5WEwrIVAbV2zk5v5T+ ISJ4MtFyrKF9de7bQnJlcTJcnUvV1EcFlmkVR/METXvEt7fhPeYIq9OIRQAGaUIREsP22lhr E5v077QLiXCoc6hSMl5iDQk2YYYZ0i71vIt4ULru2yrSWRbjy/ukvfy3clAeb9RzVhz2kNnh KvQxLPStJkjm5fY4HzQSFKBhEANsFFyaWXdLGNg7fTLR6rEbQQARAQABtChCcmlhbiBXYXJu ZXIgKGVtYWlsKSA8d2FybmVyQGxvdGhhci5jb20+iQI4BBMBAgAiBQJTStVbAhsDBgsJCAcD AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRADhugbEcqgejEBD/0di4Y4OrD94WaUvTkp0D1+DkRY souttQ6TfBp5gfsBVkR2lkIjDK3gJwAeIu9QxkIiV8RjTRI8SKLat8XcW1keLALBYo6Gt0ip UumUHHa+graskB2rRqb/PnXeZcaDFks2uDB5j5oy4Rn2IS/P9TG81GpXNfpzCOJPpdgH9+fE Sj3OyB4+/oV4KsEk0r8k23BEWPjlw1boemZBQLJg6YveIDgWJQ2FxXrHzF+cg2tQQFpPMEc/ pU27mnquLqs8kmYTHmVlGYfw4tSg8VZng0f2QuRLN/lgHpESnzVNIk+lY0z4ckgTWMTUHjj+ bhh6SEfE7I6LDNntyKjHXa/m11RhOaM/Z7bjbKAyOeJlqA0/SUOti6T8RrFNKKvr+UiBz0Ws ZYc74AQvwddty45EQsxsBNoq8OKWkNmE8vylkYdLcExJ6vzHkWLzzQDawxPdP8qm1LaxrIYh bD4m5CZvc9ZvsfAI3Kemo8omWyEsXBR4y1wI4VVCkbZnmzo1M9p1tLjx/VAcm9aQqOgJ+X3Z 2+S2cNDoQagr6+dknLVqo2dZ98MvzbS/t1/K/QWelGI0xY7xyWjHvLcb9SR3c3JSQDTY9hTJ NNq5yv/hakdqwanbiAjOFs0fErViuTrXeTpwrz0TdSY90bZf4c0muoNswWLXgfnaSg/cnTNh w4uP+rMsQ7kCDQRTStVbARAAx7GYFLqau7Nx+hZUL7pq39XsV+JvAt0kgyy20RwuwqkOb30/ Ra2LkJkqBLU7/EicJ5nE66KwsSdoloehv2Hc8XPb5lynbshfjMCbPYnnNekWzI8wyqtEB9tt AOs+44phnSWjP/Z8xWT2BDLKuEWvKkOU+AldY8s9K1nzy71HW0rxnsYqBUBj4KTlKU/q98S5 piiiEZjMHt8sqL7Q98axMVhpWahUoAVzYs8ksbJslP9UH7QAMAt1eqU41oJXk2hZIvpY3eaQ K4ic3fhfE/Dd/ex3sSiAjI5YcC2sVAFBSNeJxDOLN0giC7aXeAaUEi1LkXP8wLUcFtljP+Gf FpVbJUCLd2mKwzKVfBJcE/9k1rQlNGgP9X5YtOdcRodk3PfzIQ2btpOes585UsG/fS62ayu2 nJt4vWIqWd0q1eCD3FyaPO/a5wM16QGDiPDmZnrKNdy7B0lzcjl3iaaFYgBD19JA7ETpLFpL 1r6jWP5wm/EcFGrESKvRV7iGLq6bV4tJTu0f6faj7AyODf1JnXLOtE4Aeld7FSHqUUqA8ijn UG1+YjEnvfZsi1pYzty2tlO4GdSQftmyEGh43VGzl1S6OFbOcQ4NUHasLCDnVtaPDLgAbgAj HNfMWJrXMaie/Dtwgvz+G4SkdaMxb0RxvFIRsrDcJrdmDEaPHVdYXT8AWvEAEQEAAYkCHwQY AQIACQUCU0rVWwIbDAAKCRADhugbEcqgepcJD/9DWVNiLB31+HYbwSd3XMH/kejR4EnsT8R/ dC/esadiHza4xSQbiXPmk0t9N5VHlcp4I7gI0P/AKnshZJmZL3QTPUBy9QX7caJu+vOHJHot u9p4zwS/FHUwVqZV7W5UpYyPAkRngIEDubYGLcknxzgyaBHULPs247U5X1X5te6LJ0QgXJAd qvnIoH23puKbPF7AWkmyF4nhEnXEfopUndsnDupM+RoFpZ6nIt6cogFzhvQxgqk5Ejti9Vw3 6RjtpJ5QI0NXVi31YfnOJASsW+85SHxq25bXhgszHT5pB0DoJBJwjrphFgIqe400BnTz3CGe SQhK5T0Cq6maxq3Z8Fez70/CvDdrrGqI3K41Zvzd0d067iGiNYMgeLvB2tavQMW+wsxbHEL0 ZzK2nQfW5YRsVBnU+qgZ+G7u3K2DuNhMVsKwYwQJucltRO4JZIrFLI5PxWhKXyH7+4gdMulx 4GOhfq/33dsvW4meP4w+TTCbz6ZU2Ub2OuJ7bboQTqTDkj8EdpH34xcy0rOlhavuaxq82k/P VdmkDDNOWEJITQHZ+hPNw0YfKnzqsiQT0K0e0azq35toIGI0dkGZB6/KuGhDNCIHt80M23+0 bqDpP4RIcl8nbFrBD2yvEGyL9n1Lu6Z6M0Iav4dWUkkjP4Ghpohm8dun+oQrFCi3Dqe3H09B bQ==
Message-ID: <d097ac4c-f84d-0009-374d-b738415120a4@lothar.com>
Date: Tue, 17 Sep 2019 09:42:29 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <342699DE-1271-470F-90CE-487DC6668C75@live.warwick.ac.uk>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/QrtTX4R6SnYw1auHiKWhRbNk89Q>
Subject: Re: [Cfrg] Review of PAKE protocols (for Magic-Wormhole)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2019 16:42:49 -0000
On 9/16/19 5:51 AM, Hao, Feng wrote: > [FH] If you set the two blinding factors equal (M=N), that will effectively turn it into a different protocol, which is very similar to Kobara-Imai's Pretty-Simple Password-Authenticated Key Exchange at https://eprint.iacr.org/2003/038. Thank you! I've been looking for literature about the M==N case without success. I'll read that paper. In my SPAKE2 variant, I include a check that the inbound message is not the same as the outbound message, but I'm not sure how effective that is at preventing the reflection attack (i.e. I compare bytes, but maybe the attacker could transform the outbound message into a different representation of the same point, which would pass the check but still result in one side unknowingly talking to themselves). > J-PAKE includes a UserID in the NIZKs, and RFC8236 says the verifier > shall check that it differs from their own identity (presumably to > defend against reflection). To achieve my symmetry goals, I would want > these UserIDs to be constant for all users (removing that check), and I > don't know if this breaks the security properties. > > [FH] In J-PAKE, the identities are used as the basis for each communicating party to retrieve the shared password. Hence, a party can use an arbitrary identity as long as when the two parties engage in a PAKE session, they know which shared password to retrieve from their respective databases. This should be the same for all PAKEs. I don't think you can remove the check that the two identities in a session should be different (which is a natural thing to check, and necessary to prevent the ZKP being replayed back to the sender). Got it. So I think for J-PAKE (and several of the others), I *must* find a way to agree upon (different) identities ahead of time. The identities could be random and ephemeral, but they must be different. I will take a another look at each candidate and see if the peer's identity must be known before the first outgoing message is generated. If not, Magic-Wormhole could just use random ones without incurring an extra roundtrip. For SPAKE2, I could even imagine setting M=hash_to_point(randomIdA) and N=hash_to_point(randomIdB), using new values for each session, and just including the ID in the first message. I think that would get me back to the original protocol, without adding a roundtrip, at the cost of requiring the hash_to_point() function at runtime. thanks, -Brian
- [Cfrg] Review of PAKE protocols (for Magic-Wormho… Brian Warner
- Re: [Cfrg] Review of PAKE protocols (for Magic-Wo… Hao, Feng
- Re: [Cfrg] Review of PAKE protocols (for Magic-Wo… Brian Warner