[Cfrg] OPAQUE: Secure aPAKE (presentation and draft)

Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 11 July 2018 07:14 UTC

From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 11 Jul 2018 03:13:33 -0400
Message-ID: <CADi0yUM+rm6A-pPqxFUh_Hn+msVCo1TpbWL=e=vz+p7E3VaK3g@mail.gmail.com>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YhxDQT1a-jcH6nDC0AeDCZOrmi0>
Subject: [Cfrg] OPAQUE: Secure aPAKE (presentation and draft)

During the CFRG meeting in Montreal I will have a short presentation about
the OPAQUE protocol, the first PKI-free aPAKE ('a' is for asymmetric or
augmented) to accommodate secret salt and be secure against
pre-computation attacks. In contrast, prior aPAKE protocols did not use
salt, and if they did, the salt was transmitted in the clear from server to
user, allowing for the building of pre-computed dictionaries.

OPAQUE was presented in a recent paper at Eurocrypt 2018
that includes a full proof of security in a strong aPAKE model that
guarantees security against pre-computation.

I believe OPAQUE to be a good candidate for standardization as an aPAKE. It
compares favorably, both in actual security and proven security, to other
aPAKE schemes considered for standardization, including SPAKE2+, AugPAKE
and the old SRP. In particular, none of these protocols has a proof of
security (*), not even in a weak model, and none can accommodate secret salt.

I have not made the deadline for posting a draft before the IETF meeting, so
I am posting an unofficial version (that I will submit after the meeting).

Comments are welcome (although I may be slow in responding).


(*) Clarification: Contrary to what recent drafts have claimed, SPAKE2+
does not have a proof as an aPAKE - the protocol was described by Cash et al.
with a short informal discussion of its rationale and no intention to claim
its security formally (the paper does not even contain a security model for
aPAKE protocols). This is in contrast to SPAKE2, which does have a proof as a
PAKE (without the augmented part).
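The pre-computation point in the message above, worked through as an added example (this code is not part of Hugo's message, the Eurocrypt paper or the OPAQUE draft). The "secret salt" in OPAQUE is the server's per-user OPRF key k: the client obtains H(pw)^k through a blinded exchange, so k never leaves the server and the server never sees the password. Everything below is constructed for illustration: the group is Z_p^* with the Mersenne prime p = 2^127 - 1 (a real deployment uses a prime-order elliptic-curve group and a proper hash-to-curve), the hash-to-group and the KDF are toy SHA-256 constructions, and the candidate lists and passwords are made up.

```python
import hashlib
import math
import secrets
from typing import Dict, List, Optional, Tuple

# Toy multiplicative group Z_p^* with p = 2^127 - 1 (Mersenne prime).
# Constructed for illustration only; the group order p - 1 is even, so a
# tiny amount of subgroup information leaks that a prime-order curve avoids.
P = 2**127 - 1
ORDER = P - 1


def hash_to_group(password: bytes) -> int:
    """Toy hash-to-group: map a password to an element of Z_p^* other than 0 or 1."""
    digest = hashlib.sha256(b"toy-hash-to-group|" + password).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def blind(password: bytes, r: Optional[int] = None) -> Tuple[int, int]:
    """Client, step 1: choose a blinding exponent r invertible mod the group
    order and send a = H(pw)^r. Because r is fresh and secret, a by itself
    does not let the server run an offline guess against the password."""
    if r is None:
        while True:
            r = secrets.randbelow(ORDER - 2) + 2
            if math.gcd(r, ORDER) == 1:
                break
    elif math.gcd(r, ORDER) != 1:
        raise ValueError("blinding exponent must be invertible mod the group order")
    return r, pow(hash_to_group(password), r, P)


def evaluate(blinded: int, server_key: int) -> int:
    """Server: raise the blinded element to the per-user key k.
    k is the secret salt: it is stored on the server and never transmitted."""
    return pow(blinded, server_key, P)


def finalize(evaluated: int, r: int) -> int:
    """Client, step 2: remove the blinding to obtain H(pw)^k."""
    r_inv = pow(r, -1, ORDER)
    return pow(evaluated, r_inv, P)


def oprf_direct(password: bytes, server_key: int) -> int:
    """H(pw)^k computed directly. Only someone holding both the password and
    k can compute this; used here to check the blinded run against it."""
    return pow(hash_to_group(password), server_key, P)


def public_salt_verifier(password: bytes, salt: bytes) -> bytes:
    """Verifier in the style the message criticises: the salt is sent to the
    client in the clear. Toy KDF (plain SHA-256); a slow KDF changes the cost
    of each guess but not the fact that the work can be done in advance."""
    return hashlib.sha256(salt + password).digest()


def precompute_table(salt: bytes, candidates: List[bytes]) -> Dict[bytes, bytes]:
    """With a public salt, whoever has observed it can build the
    verifier -> password table before any server compromise happens;
    matching a later leaked verifier is then a single lookup."""
    return {public_salt_verifier(pw, salt): pw for pw in candidates}


def secret_salt_table(server_key: int, candidates: List[bytes]) -> Dict[int, bytes]:
    """The OPAQUE analogue needs k as input. Since k is never sent, the table
    cannot exist until after the server is compromised: the offline work is
    the same size, but none of it can be pre-computed."""
    return {oprf_direct(pw, server_key): pw for pw in candidates}


def blinded_run_matches_direct(password: bytes, server_key: int) -> bool:
    """One full OPRF exchange; returns True when the client ends up with
    exactly H(pw)^k even though the server never saw pw."""
    r, a = blind(password)
    b = evaluate(a, server_key)
    return finalize(b, r) == oprf_direct(password, server_key)


if __name__ == "__main__":
    k = secrets.randbelow(ORDER - 2) + 2          # constructed per-user key
    print("blinded OPRF run equals H(pw)^k:",
          blinded_run_matches_direct(b"correct horse battery staple", k))
    table = precompute_table(b"public-salt", [b"123456", b"password", b"letmein"])
    print("public-salt table size built with no server access:", len(table))
```

The two table functions make the asymmetry concrete: `precompute_table` takes only data an eavesdropper already has, while `secret_salt_table` cannot even be called without the server's key, which is exactly the property the message attributes to OPAQUE.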