Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

Feng Hao <> Wed, 16 November 2016 10:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 90C141296F6 for <>; Wed, 16 Nov 2016 02:25:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fEC5p8YaESJm for <>; Wed, 16 Nov 2016 02:25:55 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6FC0D1296F3 for <>; Wed, 16 Nov 2016 02:25:54 -0800 (PST)
Received: from ([] by with esmtp (Exim 4.63) (envelope-from <>) id 1c6xPc-0006sk-F4; Wed, 16 Nov 2016 10:25:52 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 16 Nov 2016 10:25:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-newcastle-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=kRpubGZBCz/tBm5ue/fXobU7shrY6vPa5o+1HPNNyuQ=; b=aMhKx4SyGZTeQsTQDJSpDvZMWSYmnXhD/g30SQZ5FTCQmKP/PZa0iLqnT41mJJWEQPwiL0NM80TzCozUEgOy7fI/VAIVlkt0TSetiV63KINlG+Qy7X9jdixFT1itEc66VpPUFdevyy5Tdb32bJvGtYl+TsqtrN9p5nk0S+s00eQ=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.2; Wed, 16 Nov 2016 10:25:39 +0000
Received: from ([]) by ([]) with mapi id 15.01.0734.004; Wed, 16 Nov 2016 10:25:39 +0000
From: Feng Hao <>
To: Watson Ladd <>
Thread-Topic: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
Date: Wed, 16 Nov 2016 10:25:39 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1926; 7:dR0I6g5fc68IkOrta4xAV7f2lfeNgwmv5kkPpD+/0v6OYPrKnvtljsSfBfukaVHLqzRe2fs0VSUZFRWwoD/JjuX3+/ODb6/eyumgocwRup+/Me/V3w68JBcwuYSNWUnpqI+Pv6cl+gL+p4RQSxpcfFKwHiegXQ0APGc3uJoeRt0uADRNbRag0Jl7hfZFUJI9VPxa7rNi7qbOrRKcrn/intGV06HH7rKf8xjuQYkWKH3aPQvObZgfwy4qY94biIlSmAHyFiwcXTrCACeOD7PNeMbg1o9zSgu+dWKpme2iGNFtZAOw0j6WRT61NnYQ/ja5mVtG1dLqUkl1jU29CoERF8GO4ZEInWlmTU/dSNQ4uzw=
x-ms-office365-filtering-correlation-id: 7422bf5b-33e4-44dc-42ed-08d40e0ae95b
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DB5PR0701MB1926;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6060326)(6040281)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041223)(6061324); SRVR:DB5PR0701MB1926; BCL:0; PCL:0; RULEID:; SRVR:DB5PR0701MB1926;
x-forefront-prvs: 01283822F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(24454002)(199003)(189002)(54356999)(2906002)(8676002)(4326007)(77096005)(83506001)(229853002)(66066001)(97736004)(101416001)(2900100001)(93886004)(8936002)(9686002)(7696004)(76176999)(2950100002)(42882006)(110136003)(81156014)(7846002)(5660300001)(3846002)(6116002)(74316002)(102836003)(50986999)(6916009)(81166006)(87936001)(7736002)(305945005)(122556002)(33656002)(1411001)(92566002)(86362001)(68736007)(189998001)(3280700002)(74482002)(4001350100001)(105586002)(106356001)(76576001)(3660700001)(6506003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0701MB1926;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Nov 2016 10:25:39.1955 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c5012c9-b616-44c2-a917-66814fbe3e87
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1926
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Nov 2016 10:25:57 -0000

Hi Watson,

On your comments about comparing costs between SPAKE2 and J-PAKE
 * It's not a fair comparison as the setup assumptions are different. SPAKE2 requires a trusted setup, while J-PAKE doesn't. Instead, you should compare SPAKE2 with KOY, Jiang-Gong and GL protocols as they require the same trusted setup. J-PAKE should be compared with EKE, SPEKE and Dragonfly (which is based on SPEKE).

 * When you say "SPAKE2 with M and N generated by hashing is secure, and the proofs found in the SPAKE2 paper do work", it's best that you write up the full details how you do the hashing, proofs that why it's secure and why
it doesn't affect the original proofs in the SPAKE2 paper in any way. Then people can check and verify your proofs instead of having to take your word for it. I see you are always rigorous in asking "security proofs" from others for everything they do (which is good), so you should consider applying the same rigor to yourself.

 * The KOY, Jiang-Gong and GL papers are relevant as they are the same type of CRS-based designs as SPAKE2. These papers state that the setup needs to be done by a trusted party and they don't specify using a hash.
SPAKE2 is in the same model. It's appropriate you compare these protocols and definitions. This is necessary especially since you're doing something not specified in the original SPAKE2 paper and other related peer-reviewed papers.

 * You will need to convince IETF users that there is no possibility of trapdoor for M and N (which may prove a bit tricky). Knowledge (or partial knowledge) of the relation between M and N may allow one to
systematically break all instances of the protocol execution. 

 * Kindly note that if you can manage to convince IETF users that M and N are completely random, one might just plug M and N as the input of two random points to DUAL_EC and make it work?

 * What you say about the 4 exponentiations in the subgroup is correct (consistent with the original paper), but this hasn't included the validation of the public key (which is free in EC but takes one full exponentiation in the finite field setting). See my further comment below.

I read again the original SPAKE2 paper as well as your I-D. I have the following comments

 * I think SPAKE2 is underspecified in the original paper. It doesn't state the requirements for M and N, but it should be clear that they must be completely random. Also, it doesn't state if the discrete logarithm between M and g (and symmetrically between M and g) must be unknown. It's not immediately clear to me if knowledge of the discrete logarithm for M and g will break anything, but all these should have been explicitly specified in the paper.

 * I'm a bit worried that in the actual protocol specification in the original paper, there is no step to perform public key validation. This could be due to two reasons: 1) an inadvertent omission by the authors; 2) an intentional design choice. In case of ambiguity like this, one normally takes it as the latter. The reason is simple: if public key validation is considered essential, it MUST be clearly specified, which is the case with most key agreement protocols. However, from early 2000s, some researchers called for abandoning the public key validation, as long as the protocol has formal security proofs (HMQV is one notable example, but it backfired in the end).

 * The above observation reminds me of a paper " Multi-Factor Authenticated Key Exchange" by Poincheval and Zimmer in 2008 [1] where the protocol is specified in a similar manner as SPAKE2 without public key validation. We analysed the protocol and it took us a while to conclude that it is insecure without public key validation (despite the security proofs in the paper) [2]. We contacted authors of [1] and they kindly acknowledged the attack and also confirmed that public key validation needed to be added in their protocol. The attack can be traced to a subtle deficiency in their theoretical model which implicitly assumes that a server is trusted when it communicates with a client. This assumption is clearly invalid, but it is implicit in the model/proofs and it took 5 years for peer researchers to identify it!

 * At the moment, I don't see an obvious attack due to the missing public key validation in the SPAKE2 specification (as in the original paper), but it's a potential issue that needs some attention.


[1] D. Pointcheval and S. Zimmer, "Multi-Factor Authenticated Key Exchange," Proceedings of Applied Cryptography and Network Security (ACNS¹08), pp. 277-295, LNCS 5037, 2008.

[2] Security Analysis of a Multi-Factor Authenticated Key Exchange Protocol

On 15/11/2016 19:14, "Watson Ladd" <> wrote:

>Dear Feng,
>Let me make this very clear, to avoid your misunderstandings: J-PAKE
>is substantially less efficient than SPAKE2 over the same group.
>SPAKE2 with M and N generated by hashing is secure, and the proofs
>found in the SPAKE2 paper do work for this case. If we use a small
>subgroup of a finite field group, then the necessary validations for
>group membership double the cost of SPAKE2, but J-PAKE is still
>slower. J-PAKE requires an additional round, while SPAKE2 fits into
>the same flow as Diffie-Hellman. There is no relevance of KOY, or
>Jiang-Gong, or any other paper that may or may not (I didn't bother to
>look) present its own definitions and security model.
>SPAKE2 requires exactly 4 exponentations in the subgroup if we do not
>do anything smart about them. Two of these can be combined and
>replaced with a dual base exponentiation via Strauss's algorithm.
>Do you have anything to say to this?