Re: [Cfrg] OPAQUE: Secure aPAKE (presentation and draft)

Christopher Wood <christopherwood07@gmail.com> Tue, 17 July 2018 22:26 UTC

From: Christopher Wood <christopherwood07@gmail.com>
Date: Tue, 17 Jul 2018 18:26:32 -0400
Message-ID: <CAO8oSXns7fn8dWr9kUMyYZn-QpitP+8H5hob_7Fui1HkjwbstA@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>, cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ZW3F_jDyRLnbF6dHwVUvk1MioGw>
Subject: Re: [Cfrg] OPAQUE: Secure aPAKE (presentation and draft)

The PDF link works (for me).

Best,
Chris

On Tue, Jul 17, 2018 at 6:24 PM, Robert Moskowitz
<rgm-sec@htt-consult.com> wrote:
> Hugo,
>
> The link below to this draft is not working.  :(
>
> Bob
>
> On 07/11/2018 03:13 AM, Hugo Krawczyk wrote:
>
> During the CFRG meeting in Montreal I will have a short presentation about
> the OPAQUE protocol, the first PKI-free aPAKE ('a' is for asymmetric or
> augmented) to accommodate secret salt and be secure against
> pre-computation attacks.  In contrast, prior aPAKE protocols did not use
> salt and if they did, the salt was transmitted in the clear from server to
> user allowing for the building of pre-computed dictionaries.
>
> OPAQUE was presented in a recent paper at Eurocrypt 2018
> https://eprint.iacr.org/2018/163
> that includes a full proof of security in a strong aPAKE model that
> guarantees security against pre-computation.
>
> I believe OPAQUE to be a good candidate for standardization as an aPAKE. It
> compares favorably, both in actual security and proven security, to other
> aPAKE schemes considered for standardization, including SPAKE2+, AugPAKE and
> the old SRP. In particular, none of these protocols has a proof of security
> (*), not even in a weak model, and none can accommodate secret salt.
>
> I have not made the deadline for posting a draft before the IETF meeting so
> I am posting an unofficial version (that I will submit after the meeting)
> here:
> http://webee.technion.ac.il/~hugo/draft-krawczyk-cfrg-opaque-00.txt
> http://webee.technion.ac.il/~hugo/draft-krawczyk-cfrg-opaque-00.pdf
>
> Comments are welcome (although I may be slow in responding)
>
> Hugo
>
> (*) Clarification: Contrary to what recent drafts have claimed, SPAKE2+ does
> not have a proof as aPAKE - the protocol was described by Cash et al with a
> short informal discussion of its rationale and no intention to claim its
> security formally (the paper does not even contain a security model for
> aPAKE protocols). This is in contrast to SPAKE2 that does have a proof as
> PAKE (without the augmented part).
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
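The "secret salt" point in Hugo's announcement, illustrated with an added example that is not part of the thread or of the OPAQUE draft: OPAQUE takes its salt from an oblivious PRF, so the client ends up with H(pw)^k for a per-user server key k while neither k nor pw crosses the wire, which is what denies an eavesdropper the material for a pre-computed dictionary. The 128-bit safe-prime group found at run time, the squaring hash-to-group and the SHA-256 KDF are demo assumptions, not the draft's parameters.

```python
# Constructed demo of OPAQUE's "secret salt": a toy DH-OPRF, not the draft's construction.
import hashlib, secrets

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (adequate for a demo, not for production)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int):
    """First p = 2q + 1 above 2**(bits-1) with p and q prime (deterministic toy parameters)."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q
P, Q = safe_prime(128)  # group = quadratic residues mod P, prime order Q (assumed toy size)

def hash_to_group(msg: bytes) -> int:
    """Assumed hash-to-group: square a hash to land in the order-Q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % P, 2, P)

def client_blind(pw: bytes):
    """Client keeps r and sends alpha = H(pw)^r, which reveals nothing about pw."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(pw), r, P)

def server_evaluate(k: int, alpha: int) -> int:
    """Server applies its per-user key k; k (the secret salt) never leaves the server."""
    return pow(alpha, k, P)

def client_finalize(r: int, beta: int) -> int:
    """Client removes the blind: beta^(1/r mod Q) = H(pw)^k, the value a cleartext salt would leak."""
    return pow(beta, pow(r, -1, Q), P)

def derive_rw(pw: bytes, y: int) -> bytes:
    """Assumed KDF for the key protecting the user's envelope; an eavesdropper lacks y."""
    return hashlib.sha256(pw + y.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
```

Each login uses a fresh blind r, so two transcripts for the same password look unrelated and the server's key k is the only route to H(pw)^k.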