IETF Logo Mail Archive

Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Sun, 08 September 2019 15:58 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E297120059 for <cfrg@ietfa.amsl.com>; Sun, 8 Sep 2019 08:58:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3aXDvagg4Wgk for <cfrg@ietfa.amsl.com>; Sun, 8 Sep 2019 08:58:16 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80073.outbound.protection.outlook.com [40.107.8.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B265F12003F for <cfrg@ietf.org>; Sun, 8 Sep 2019 08:58:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eJRKlvnqzY//ATNhurfcSo3vC2AyYyiF3BrBUrUXpXAfkWoYsm/aGUPwxMJzfOBQrehk+bQGs/4K6Ljo0wKzLCnq42Nm/I7mZ/GeM+f/P0zGnVNPpkN5pnzNFncpdEVac3aM7WA3KBDVZzYmAiJvfQ1m6pGTz1FVVKSu2WYumiG2bAJnYEqyHRIY5a8OuSstkaL/be6wsfR7PkJWm8plkOPOL9MJgwFU47KUM9NYEGhj8r45Vgu/VdoU1XjxK1lOvR8bWZIvztJn0TkEeZ04B1KvqX7w178eDLF/tIGhU1d5m0/LjEP6zLquhQHgyjkqZembkBmf9OtnwlbRgsltrw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1iqUpj8CDtsEAUHW402tkqqmMD1/DyZbdIalK+53Qfc=; b=NodtY2Pd3pR7gBcBts+TtempfL9i+vV7Plu/821FW/Z3iFxZ0yEsqqHd4rtG4Py5O26OIby+R+ivlMYMatfzf2K+Eq48T2am+iz2EF05YjiHSnOoSYqTusbEu6FbIV/a9gsv5jrZZ6/9Qfsp0m3ubIqVr8C56SZoa5OvVxyU8baNDEMg3yh4UJF+4KDfWEwSkFrj0HnQwSEV3lrL/y0taBHFlVHlmXhuiOVOPv+p+LQnideyphuIGJmPF5W/iD1kULIXjpCKC1GIjrhiSKMCYi0q7m3TWHZxPwSbHAmLMjRfhuGp1+8m8Z3AMNCb1c3xjRV0Qm7OGh92zKK7ZS4n6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB5130.eurprd01.prod.exchangelabs.com (20.178.106.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2241.18; Sun, 8 Sep 2019 15:58:11 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5%7]) with mapi id 15.20.2241.018; Sun, 8 Sep 2019 15:58:11 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
Thread-Index: AQHVZPYJE9IdTF5V4EG+/Jp97dMlF6cfMF1wgALS5AA=
Date: Sun, 08 Sep 2019 15:58:10 +0000
Message-ID: <D99ADAD0.4773A%u1775114@live.warwick.ac.uk>
References: <D99879C6.47687%u1775114@live.warwick.ac.uk> <BL0PR11MB31727858D86D170DDA4B622CC1BA0@BL0PR11MB3172.namprd11.prod.outlook.com>
In-Reply-To: <BL0PR11MB31727858D86D170DDA4B622CC1BA0@BL0PR11MB3172.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.7.170905
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [86.1.47.16]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 092f43a1-122e-414a-ffcf-08d7347559ba
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DB7PR01MB5130;
x-ms-traffictypediagnostic: DB7PR01MB5130:
x-microsoft-antispam-prvs: <DB7PR01MB513006EBFEBD6E1AB2230453D6B40@DB7PR01MB5130.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0154C61618
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(346002)(376002)(366004)(39850400004)(396003)(51914003)(199004)(189003)(76176011)(478600001)(786003)(58126008)(25786009)(316002)(6436002)(2906002)(229853002)(66066001)(99286004)(6116002)(14454004)(102836004)(486006)(476003)(6916009)(6506007)(11346002)(446003)(26005)(186003)(4326008)(8936002)(81166006)(81156014)(8676002)(66446008)(64756008)(5660300002)(7736002)(91956017)(6486002)(3846002)(86362001)(66946007)(66476007)(66556008)(71190400001)(19623405002)(71200400001)(53936002)(6512007)(54896002)(6306002)(6246003)(14444005)(256004)(76116006); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB5130; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: c0ANZn7QBtupzjDwws1/07ttE8/FORJn3qcWQtGMgqBa6fIcDXRLYcCcxNvGSBvDxACETigvophyDsugxwpBlYkXJdChOyke65OeoFSfMO5ut6iGxAiX6jHoVBlqFznf1Xyo7mj8VAlij4owVWpr6agR5NhG4/gcvebvgPnvneB0nvMdV36Eip7xv0uZu5m56/5nQQJ4L0/t4S2EqJHau6YvreSlVNZ3FBBUoJKkTn56jvEenNkpiD2nMSVyR9Pb+6WkM4yGWjP35hmdMppwtuN30rDZQVmYQWu31oeObhbOZwhP+TbNum7Vp2CDxE0RSi9CIAqLuSYHe27qwpbtUGlOolA7EFjjKlMEwQnYuYuQscFiZXQ/8mrp4jR+BptXAo+lUjgp6DhG+X+u135bYy9yZK+fpaGbVKOivGDHc2s=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_D99ADAD04773Au1775114livewarwickacuk_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 092f43a1-122e-414a-ffcf-08d7347559ba
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Sep 2019 15:58:10.8684 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XQVfmhgFSPDom0Rh9pzctzSHpTvw7kEnvCsUAraeMSmOmfgG3oo+Yzs8lgvBY/2uJA44JRhUvOwSajHaaBMDo9WMvpNHDe9OsW3fbhm5UgQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB5130
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ZnSzuxmidCBrkMNRb65471lSPSU>
Subject: Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Sep 2019 15:58:19 -0000

Well, I just spent a disgusting amount of time slogging through four different simulation-based proofs of PAKE, and they were all pretty much clear as mud.   I did not find any problems with your proof, however I am not entirely convinced (because of the subtlety involved) that I didn’t miss anything.
In contrast, with my idea, well, that severely limits the games that an attacker can play.  I suspect that we could simply list the various things that an adversary can try (e.g. keep the first message unchanged, replace the values in the second and third messages with values whose dlog he knows) and show that none of the attacks allows the adversary any unwarranted advantage.  Why would such a proof (which I have not worked out the details) be considered attractive?  Because it’d be clear that it covers everything an adversary can do, and between a proof which is opaque (and which might hide hidden flaws) and one which is obviously valid, I would err in favor of the latter. :)

Of course, as a compromise, you could have the responder’s x3, x4 values have only (x3, x4) as the OtherInfo; that would make both the 2 pass and the 1.5 pass version identical.  It would allow the attacker more options (e.g. he could now leave x3 and x4 unchanged, but insert his own B value), but there might not be *that* many more cases…

Thanks for the suggestion. However, I don’t think including those values would make any fundamental difference when we consider an active attacker. The attacker is better off to come up with his own g^x3 and g^x4 values so he has the advantage of knowing the secret keys. But then this is exactly what the ZKP is supposed to do – enforcing the attacker to follow the protocol specification. If you also have a read of the security proofs in the original J-PAKE paper [HR10], it should be clear that the security of J-PAKE is essentially reduced to the security of the ZKP, or more specifically Schnorr NIZK proof. As long as the sender demonstrates the knowledge of x when sending g^x, J-PAKE provably satisfies the four security requirements as specified in the paper. In the construction of Schnorr NIZK proof, we include the statement (I.e., in terms of three items g, g^v, g^x) and the user identity in the hash as mandatory. If you take a broader view to look at PAKE, not as an isolated problem, but an instance of a more general two/multi-party secure computation problem (on an equality function), you will find our construction of ZKP is in line with the best practice in the the field (although some MPC protocols don’t explicitly include the user identity in the hash for the Fiat-Shamir transformation, we include it as mandatory we believe that’s necessary; otherwise, the attacker might be able to replay the NIZP proof back to the sender so to introduce some unexpected correlation effect.)

v2.23.0 | Report a Bug | By Email