[Cfrg] OPAQUE: Secure aPAKE (presentation and draft)
Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 11 July 2018 07:14 UTC
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 11 Jul 2018 03:13:33 -0400
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YhxDQT1a-jcH6nDC0AeDCZOrmi0>
During the CFRG meeting in Montreal I will have a short presentation about the OPAQUE protocol, the first PKI-free aPAKE ('a' is for asymmetric or augmented) to accommodate secret salt and be secure against pre-computation attacks. In contrast, prior aPAKE protocols did not use salt, and if they did, the salt was transmitted in the clear from server to user, allowing for the building of pre-computed dictionaries.

OPAQUE was presented in a recent paper at Eurocrypt 2018 (https://eprint.iacr.org/2018/163) that includes a full proof of security in a strong aPAKE model that guarantees security against pre-computation.

I believe OPAQUE to be a good candidate for standardization as an aPAKE. It compares favorably, both in actual security and proven security, to other aPAKE schemes considered for standardization, including SPAKE2+, AugPAKE and the old SRP. In particular, none of these protocols has a proof of security (*), not even in a weak model, and none can accommodate secret salt.

I have not made the deadline for posting a draft before the IETF meeting, so I am posting an unofficial version (that I will submit after the meeting) here:

http://webee.technion.ac.il/~hugo/draft-krawczyk-cfrg-opaque-00.txt
http://webee.technion.ac.il/~hugo/draft-krawczyk-cfrg-opaque-00.pdf

Comments are welcome (although I may be slow in responding).

Hugo

(*) Clarification: Contrary to what recent drafts have claimed, SPAKE2+ does not have a proof as aPAKE. The protocol was described by Cash et al. with a short informal discussion of its rationale and no intention to claim its security formally (the paper does not even contain a security model for aPAKE protocols). This is in contrast to SPAKE2, which does have a proof as PAKE (without the augmented part).
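The post's central claim is that a salt sent in the clear lets an observer build a dictionary table before any server compromise, whereas a "secret salt" derived through an OPRF (the mechanism OPAQUE builds on) cannot be precomputed because the server's OPRF key never leaves the server. The following is an added illustration of that contrast, not code from the draft or the paper, and it is a toy: the group (integers mod the Mersenne prime 2^127 - 1), the hash construction, the blinding scheme (a simplified 2HashDH-style OPRF) and the three-word dictionary are all assumptions chosen for the demonstration, not parameters of the draft.

```python
"""Toy contrast between a cleartext salt and an OPRF-derived secret salt.
Added example; not code from the OPAQUE draft. All parameters are assumed."""
import hashlib
import math
import secrets

# Toy group Z_P^* with P = 2^127 - 1 (assumed; far too weak for deployment,
# and the draft uses prime-order elliptic-curve groups instead).
P = 2**127 - 1
ORDER = P - 1            # exponents are taken modulo the group order


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so distinct part boundaries give distinct inputs."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def hash_to_group(pw: bytes) -> int:
    """Map a password to a group element in [2, P-1] (toy hash-to-group)."""
    return int.from_bytes(H(b"h2g", pw), "big") % (P - 2) + 2


# --- 2HashDH-style OPRF: the building block behind OPAQUE's secret salt ---
def blind(pw: bytes):
    """Client: choose r coprime to ORDER and send h(pw)^r, which hides pw."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(pw), r, P)


def evaluate(blinded: int, k: int) -> int:
    """Server: apply its secret key k (the secret salt) to the blinded value."""
    return pow(blinded, k, P)


def unblind(evaluated: int, r: int) -> int:
    """Client: remove r, leaving h(pw)^k; the server never saw pw or h(pw)."""
    return pow(evaluated, pow(r, -1, ORDER), P)


def oprf_direct(pw: bytes, k: int) -> int:
    """Reference value h(pw)^k, computable only by a holder of k."""
    return pow(hash_to_group(pw), k, P)


def oprf_via_protocol(pw: bytes, k: int) -> int:
    """Run blind -> evaluate -> unblind; must agree with oprf_direct."""
    r, a = blind(pw)
    return unblind(evaluate(a, k), r)


# --- Scheme A: salted hash where the salt travels in the clear -------------
def register_clear_salt(pw: bytes):
    salt = secrets.token_bytes(16)          # sent to the client at each login
    return salt, H(b"A", salt, pw)


def precompute_table(salt: bytes, dictionary):
    """Anyone who observed the salt can build this BEFORE a server compromise."""
    return {H(b"A", salt, w): w for w in dictionary}


# --- Scheme B: record derived from the OPRF output, as OPAQUE does ----------
def register_oprf(pw: bytes, k: int) -> bytes:
    """Server keeps k; the stored record depends on rwd = H(pw, F_k(pw))."""
    return H(b"B", pw, oprf_direct(pw, k).to_bytes(16, "big"))


def table_for_key(k: int, dictionary):
    """Needs k, which is never transmitted: only possible AFTER compromise."""
    return {register_oprf(w, k): w for w in dictionary}


DICTIONARY = [b"correct horse", b"password1", b"hunter2"]   # constructed list


def demo(pw: bytes = b"hunter2"):
    """Return (hit under scheme A, hit under B without k, hit under B with k)."""
    # Scheme A: table built in advance from the observed salt; once the
    # server's record leaks, recovery is a single lookup.
    salt, stored = register_clear_salt(pw)
    recovered_a = precompute_table(salt, DICTIONARY).get(stored)

    # Scheme B: the wire only carries blinded values, so an observer has no
    # salt to precompute with; a table for a guessed key misses, and the
    # matching table can only be built once k itself has leaked.
    k = secrets.randbelow(ORDER - 2) + 2
    record = register_oprf(pw, k)
    guessed_k = secrets.randbelow(ORDER - 2) + 2
    hit_before_compromise = table_for_key(guessed_k, DICTIONARY).get(record)
    hit_after_compromise = table_for_key(k, DICTIONARY).get(record)
    return recovered_a, hit_before_compromise, hit_after_compromise
```

Running demo() shows the asymmetry the post describes: the cleartext-salt record is answered instantly from a table built before the breach, while the OPRF-based record yields nothing until the server key k is in hand, which is exactly what moves the dictionary attack from "precomputed" to "after compromise only". The blinding step is also checked against the direct evaluation, since an OPRF that did not unblind correctly would give the client a wrong rwd.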