Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA

Dan Harkins <> Sun, 02 October 2016 05:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 33B9D12B160 for <>; Sat, 1 Oct 2016 22:22:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OvIZIa8lHHaJ for <>; Sat, 1 Oct 2016 22:22:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 114B112B15F for <>; Sat, 1 Oct 2016 22:22:12 -0700 (PDT)
Received: from thinny.local ( []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 572BF10224050; Sat, 1 Oct 2016 22:22:11 -0700 (PDT)
To: Paul Lambert <>, "Stanislav V. Smyshlyaev" <>
References: <> <> <>
From: Dan Harkins <>
Message-ID: <>
Date: Sat, 01 Oct 2016 22:22:11 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------52FB54069578B6352B882F66"
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 02 Oct 2016 05:22:14 -0000


   Why are you and Andy Lutomirski asking for review of a couple of slides
on a powerpoint deck? Especially a deck whose focus is about a different
protocol that does not exist anymore. Make an Internet-Draft that specifies
_exactly_ how the protocol runs and not some ambiguous powerpoint suggestion
based on a slide that uses some abbreviated notation that you admit is

   An I-D should clarify the unclear stuff regarding how you suggest to
use AEAD schemes. Some of these schemes have critical usage requirements--
like NEVER reuse a counter-- that you will have to deal with. You can't
just wave your hands and say "encrypt".

   Given the fact that it is not really clear what you and Andy Lutomirski
are proposing I can only reply to the slides that you provide under the
caveat that they may be inaccurate given their poor specification. So...

   The "mutually blinded DH" you and Andy Lutomirski propose is 
completely broken
and provides absolutely no authentication at all. A DH by itself provides no
authentication so doing another DH "under the protection of" another 
DH  does not magically create authentication out of thin air.

   There is a difference between proof-of-possession and authentication. The
former is necessary for the kind of exchange you propose but it is not 
An unauthenticated DH provides the former but not the latter. Your 
mutually blinded
DH also provides the former but not the latter.

   The "mutually blinded DH" that you and Andy Lutomirski propose is 
susceptible to
a simple man-in-the-middle attack due to the fact that it provides 
absolutely no
authentication whatsoever. You have no idea who sends Rb and no idea 
whose public
key is Pb. The fact that Pb is sent encrypted by a secret derived from an
unauthenticated Diffie-Hellman does not change anything. In fact, it 
enables the

   Modulo the obvious concerns with your proposal being a couple of 
slides I feel safe in saying that the protocol you and Andy Lutomirski 
is completely broken.


On 9/29/16 1:54 AM, Paul Lambert wrote:
>     Dear Stanislav,
>     Thank you for these links – they give a slightly new viewpoint on
>     PAKEs applications (I think the most discussed question will be
>     "for which applications will combining public keys and passwords
>     be most useful?").
> Yes … it may be useful as a type of ‘introduction’ process.
>     An editorial comment on the description of the protocol in the
>     slides: it seemts that after the second message A should check
>     that "R_B - w*M_B == x_B * P_B", not "R_B == x_B * P_B" as it is
>     shown now. Similarly with the B's check.
>     And a tiny remark: there is a misprint in the plaintext that A
>     encrypts on sk_AB for the third message: "(x_A, P_A)" should be
>     there, not "(m_A, P_A)".
> Many thanks for catching my errors!
> I’ve updated the figures and reposted: 
>     About the protocol itself, I'll try my best to give you our
>     opinion today or tomorrow.
>     At a glance, it seems to be useful to add some specific
>     requirements for the used "encrypt" functions now or some concrete
>     cipher modes (e.g. GCM or CTR + HMAC)
> Yes, this is not clear. The notation slide mentions  AEAD encryption 
> but could say more on requirements. The ‘additional data’ is not being 
> used, so AEAD is not strictly required. For concrete examples, I’m 
> considering AES-SIV or GCM-SIV or something similar.
>     due to the words "decrypt is successful" (is it a real data
>     authentication or just some padding check?). EMVco used to check
>     PIN-blocks just by correctness of ECB decryption of IUN, so we
>     should have more details here.
> Yes, exactly.  The decryption provides the validity check for the 
> password based authentication and does need a better description.
> Best Regards,
> Paul
>     Kindest regards,
>     Stanislav
>     2016-09-29 4:25 GMT+03:00 Paul Lambert <
>     <>>:
>         The PKEX protocol (
>         <> )
>         provides PAKE functionality (with SPAKE2) and adds public key
>         authentication (PAKE+PKA).
>         In looking at alternatives to PKEX, combining an existing and
>         evaluated
>         authenticated public key exchange with a PAKE seems like an
>         interesting
>         design path. To this end, the SPAKE2 protocol (
>         <> )
>         combines nicely
>         with mutually blinded Diffie-Hellman (mbDH). Blinded DH (bDH)
>         is described
>         in
>         <>
>         A brief description of the resulting SPAKE2+mbDH protocol is
>         contained in
>         slides 13 to 18 of:
>         iew-and-pkex.ppt
>         <>
>         Comments would be appreciated.
>         If this protocol seems useful an RFC could be developed.
>         Paul
>         _______________________________________________
>         Cfrg mailing list
> <>
>         <>
> _______________________________________________
> Cfrg mailing list