IETF Logo Mail Archive

Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380

Hubert Kario <hkario@redhat.com> Thu, 04 April 2024 12:39 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99D9EC14F68E for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2024 05:39:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.175
X-Spam-Level:
X-Spam-Status: No, score=-7.175 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.08, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyU_uBK0ItHv for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2024 05:38:59 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3514EC14F5FA for <cfrg@irtf.org>; Thu, 4 Apr 2024 05:38:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712234338; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5GKtvR6za9S+ZM5yd6kk/95YSnaWZp06kXVWPlUnIoQ=; b=VFX/gF/6zCq3FwtwKnUQm+BXl7yQtYzWBLpTyjOnAW/Z7t/OPR93L/t40kAtWSe08H72f+ rXSNX3DrA1dwZZ/dY20AaOYBOA78KMB61beNK84jOtKuqz8ZSgxdE64SYJ+NIQ7FKbOU2z O0/0vjOu5dQ8QLpNLTDOI0IM1AwHJb0=
Received: from mail-lf1-f72.google.com (mail-lf1-f72.google.com [209.85.167.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-632-cu5ZCvhkMnaxelW-botGsQ-1; Thu, 04 Apr 2024 08:38:56 -0400
X-MC-Unique: cu5ZCvhkMnaxelW-botGsQ-1
Received: by mail-lf1-f72.google.com with SMTP id 2adb3069b0e04-515a79483afso915946e87.1 for <cfrg@irtf.org>; Thu, 04 Apr 2024 05:38:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712234335; x=1712839135; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HZQ0ZkuI+vX9nEW3+IH78yLzerf3i1iJV+9zOLb3NGo=; b=KxBFGHeOiMBK11qIDmdLKXx8vlanmzs6+sFEwMspEWnVWToLs/vCvuGXAhkusny8Ho ZPgRzgr3Xn38DHofJm8uOKKEi7SsLs7rn88qX7NTYi5MM9sVQBYjqgAEkqJZf4vh3hXN DcyC9/bi/JJEOYOGOn721ZUihMPCvBHOEFshMkj7iv6GMCuS0n5gyhMzf0uaID3a0XPt HVfo0uj/T+Vhg50zCEzrbl/7H3JRJUnfju5UWyIX08kTLvUUn7e5RK7puwThg9g9Ozzr Q32rkP+irDhbNUAviVz90gTrk5O7l07zQEG8lOBgA/6Ohb+0NM9PEUQ4EYZpsy1sici9 5Gjw==
X-Forwarded-Encrypted: i=1; AJvYcCX7l+o+8d4VPhM5A/+GOaiK64BeBGIksdy5KrKLGEyfO/5OnhFvBN95lwUsZkTM+2ctibtjbfKngoskRvQZ
X-Gm-Message-State: AOJu0YyQ1znsJz5fa+3WPy6uX0xjD1xN75ZY/SCyrf0XF6xeCONKZztJ BynOV77UkBFaXOyMCEDvkx9143HaXW3nJGo2PyUHIstPHD5AYJd5+gp8TCjo4qRJXJbZ/aKqoqp kSKk57+iJV3x6yG99yjQuJ7ThJCfW3SEwcuslTeN52g==
X-Received: by 2002:a05:6512:3a91:b0:515:8564:28c8 with SMTP id q17-20020a0565123a9100b00515856428c8mr1981016lfu.67.1712234335461; Thu, 04 Apr 2024 05:38:55 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHJM9/3mOzWWf4d9bZubEH9+BQpSaPJkvaMO44/nxOVs+iVTUNDKEaSq9egAQx0qEVAEgGg6Q==
X-Received: by 2002:a05:6512:3a91:b0:515:8564:28c8 with SMTP id q17-20020a0565123a9100b00515856428c8mr1980926lfu.67.1712234332938; Thu, 04 Apr 2024 05:38:52 -0700 (PDT)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id f12-20020a056000036c00b00341ce80ea66sm19999622wrf.82.2024.04.04.05.38.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Apr 2024 05:38:52 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Mike Hamburg <mike@shiftleft.org>, IRTF CFRG <cfrg@irtf.org>
Date: Thu, 04 Apr 2024 14:38:51 +0200
MIME-Version: 1.0
Message-ID: <555b51d6-f9df-4e9c-a22e-d98effca48ad@redhat.com>
In-Reply-To: <4976080c-12eb-4bfe-8301-19fafb20661d@aaa-sec.com>
References: <410a0800-78ff-422f-8ca3-5a0211478cbd@aaa-sec.com> <ZggHSDs5bRweThW5@localhost> <CAPC=aNUSTv=JtpkG71vhu25jgpVqzL5XS81543ntLMUuXcchqw@mail.gmail.com> <a5ec7b9e-62d3-4bd0-8bc9-ad23c9818e2b@aaa-sec.com> <739A462E-D02A-4B36-871E-19C282A09F90@shiftleft.org> <eb7dd447-adab-47cc-870a-51c31d4b42b4@aaa-sec.com> <4976080c-12eb-4bfe-8301-19fafb20661d@aaa-sec.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.11; xcb; Linux; Fedora release 38 (Thirty Eight)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aNXIZbPvDRH9yFpoTxJaQYneE2c>
Subject: Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 12:39:01 -0000

Please note that as Marvin[1] showed, doing "almost" exactly the same 
amount
of work doesn't work for side-channel protection. The code needs
to execute the same instructions, with the same memory accesses, in the
same order, irrespective of any checks performed.

Differences as small as individual clock cycles are realistically 
detectable
even over network, with multiple routers between the victim and the 
attacker.

 1 - https://people.redhat.com/~hkario/marvin/

On Thursday, 4 April 2024 00:01:54 CEST, Stefan Santesson wrote:
> I just have to post a correction. 
> That experimental test I posted is not correct. There is no 
> reason to reveal through the Y value if you succeeded on an odd 
> or even attempt.
>
> The correct version of the algorithm we tested was:
>
> loop a fixed amount (e.g. 0 -> 64) {
>
>  test and increment {
>
>      compressed (y,x) = hkdf(hash(pw), counter)
>
>      if (point(y,x) == valid)  also test an invalid point
>      if (point(y,x) != valid) also test a valid point
>   }
>
>   save first valid point
> }
> /Stefan
>
>
>
> On 2024-04-03 23:36, Stefan Santesson wrote:
> Mike,
>
> Thank you very much for this great answer.
>
> Yes, we were looking at that type of attacks where the 
> knowledge of the input scalar allows you to reconstruct multiple 
> OPRF responses for arbitrary input.
>
> However, in that analysis I didn't consider the client as the 
> adversary. But when you do, that attack is quite obvious and a 
> good reason not to go there!
>
>
> I totally agree on the constant-time issue. We made some 
> experimenting, just for the fun of it, and we ended up in 
> something like this as our best attempt:
>
>
> loop a fixed amount (e.g. 0 -> 64) {
>
>  test and increment {
>
>      x = hkdf(hash(pw), counter)
>
>      y = counter % 2 == 0 ? 0x02 : 0x03 // compressed
>      if (point(y,x) == valid)  also test an invalid point
>
>      if (point(y,x) != valid) also test a valid point
>   }
>
>   save first valid point
> }
>
> This way we always make almost exactly the same amount of work. 
> For each iteration in the loop we test one valid point and one 
> invalid point.
>
> But still I could detect statistically detectable difference 
> over many consecutive tests of different passwords. But to 
> detect this you needed quite some attempts.
>
> I don't think there is a way to make this perfect. But for 
> simplistic implementations where this is not an active threat, 
> it does offer a very easy implementation alternative.
>
> One we won't use of course ;)
>
> Once you have hash to curve implemented, making it any other 
> way makes no sense.
>
> Thanks again. This was very helpful!
>
> /Stefan
>
> On 2024-04-03 17:39, Mike Hamburg wrote:
> Hello Stefan,
>
> Yes, I believe that if you used the Java code implementing
>
> NOPRF(x) := g^(hash(x) * k)
>
> then this would directly lead to a complete failure in the 
> security goals of both OPRF and OPAQUE.  (I’m calling it NOPRF 
> because the problem is it’s not a PRF.)  This is because one of 
> OPRF’s security goals is that it cannot be evaluated offline 
> without the server’s key, and this goal is violated for NOPRF 
> once a single interaction has taken place (leading to the 
> recovery of g^k).  That goal is in turn required for OPAQUE; if 
> the PRF were weak and could be evaluated offline, then a 
> malicious client could brute-force the password offline after 
> one interaction with the server.
>
> This is because, when using OPRF, the client’s first message 
> commits to a guess of the password, and then the server’s first 
> message gives enough information to check that guess.  With 
> NOPRF, the client's first message does not commit to a guess of 
> the password, so the client can then use the server’s first 
> message to check any guess (i.e. to brute-force the password 
> offline).  That said, while I have worked on similar PAKEs in 
> the past, I have not studied the issue in detail for OPAQUE, so 
> I might be missing something.
>
>
> Regarding “constant-time” behavior of try-and-increment, it is 
> generally considered poor practice to try to plaster over 
> non-constant-time behavior by setting min/max timers, because 
> this usually doesn’t hide the timing as well as you want (the 
> timers aren’t as precise as you want; the number of iterations 
> still affects system load which affects timing of other tasks; 
> etc).  Best practices in this area require a more disciplined 
> approach where secrets do not affect branches, memory addresses, 
> arguments to certain instructions (such as division), etc.  This 
> difficulty was a significant part of the motivation for 
> developing the existing hashToCurve methods: those methods were 
> developed in order to be simpler to implement in constant time 
> than try-and-increment.
>
> Unlike using NOPRF, having a non-constant-time hash won’t 
> immediately and catastrophically break the system: it will be a 
> meaningful vulnerability, but one which requires effort to 
> exploit, instead of simply trying one login and then 
> brute-forcing the password.  Leaking even a small amount of 
> information about a password (through timing) is a problem, 
> because the whole point of PAKE is that passwords don’t have 
> much entropy.
>
> Regards,
> — Mike
>
> On Apr 2, 2024, at 2:36 AM, Stefan Santesson <stefan@aaa-sec.com> wrote:
>
> Thanks Jack, 
> Your answer is very helpful.
>
> To clarify, my questions here are hypothetical questions to 
> help understand exactly where the boundaries are. My sample code 
> is the worst possible way to do it and nothing we plan to use. 
> But I'm still curious about whether it would work.
>
> I fully understand the problem of deriving a point from an 
> input scalar and I can see many situations where that would be 
> catastrophic. But AFAIK that catastrophic failure is as far as I 
> understand related to one of two events:
>
> 1) You actually do an operation with the input scalar as a private key
>
> 2) The derivation process can be reproduced by an adversary
>
> It seems to me that in OPRF neither of these are the case when 
> a password is hashed to a point and then blinded. Because of the 
> blinding, the point is never known and the input scalar is never 
> used.
>
> That's why I'm curious if there is any explicit known threat 
> here, rather than this is considered good practice (which I 
> fully agree with).
>
>
> Regarding the "try-and-increment", I have also experimented 
> with constant time variants of this working simply like:
>
>   - Make attempts and increment until you reached minimum 
> constant time, then take first successful result
>
> A variant  of this is:
>
>  - Find the first working point by "try-and-increment" and 
> return result after constant time has passed:
>
> The former seems better as it would require a more uniform 
> workload, but the precision of the constant time is better with 
> the latter.
>
>
> Again. Thanks for the replies. I personally plan to implement 
> the standard RFC9380, but these questions are helpful to 
> internal debates on whether you could do this simpler with a 
> good security result.
>
> /Stefan
>
>
>
> On 2024-03-30 21:01, Jack Grigg wrote:
> Hi all,
>
> On Sat, Mar 30, 2024 at 6:56 AM Stefan Santesson <stefan@aaa-sec.com> wrote:
> Section 2.1 in OPR (RFC 9497) states:
> "HashToGroup(x):  Deterministically maps an array of bytes x to 
> an element of Group.  The map must ensure that, for any 
> adversary receiving R = HashToGroup(x), it is computationally 
> difficult to reverse the mapping."
>
> [..]
> It continues to say that "Security properties of this function 
> are described in [RFC9380]". 
> [..]
> I would really appreciate help. Has this been discussed already 
> to any detail. Is there any guidance available?
>
> As Mike Hamburg alludes to in another message in this thread, 
> the security property of HashToGroup relied upon here is that 
> the output of the function must be a uniformly random element of 
> the group, with no easily-determined relation to any canonical 
> generator of the group (more precisely, HashToGroup should be 
> indifferentiable from a random oracle; see Sections 2.2.3 and 
> 10.1 of RFC 9380). The proposed approach in your email makes 
> inputScalar a known quantity, which directly breaks this 
> property (inputScalar is the easily-determined relation to the 
> canonical generator, because outputElement = [inputScalar] G).
>
> Regardless of RFC 9497 using "must" instead of "MUST" when 
> describing it, its reliance on this security property is clear; 
> see Sections 2.1, 4.6, and 7.2.1 of RFC 9497 for further 
> details.
> If this is not good enough. Can you take any simpler path than 
> full RFC 9380 implementation?
>
> If you use ristretto255 or decaf448, then most of the work 
> should already be done by the libraries implementing the group 
> (see below). See Section 4.1 of RFC 9497 for an OPRF ciphersuite 
> instantiated over ristretto255 and SHA-512.
>
> For other groups (such as elliptic curves), there are other 
> approaches like "try-and-increment", but these are not 
> constant-time and may have other side-channel vulnerabilities in 
> your setting; you would need to consult a cryptographer.
>
> On Sat, Mar 30, 2024 at 7:37 AM stef <f3o09vld@ctrlc.hu> wrote: 
> tbh i also think this is overkill since for some groups, like 
> ristretto255 for
> example there is a widely used hashtogroup available in most big
> implementations (like crypto_scalarmult_ed25519 and
> crypto_core_ristretto255_from_hash in libsodium).
>  
> Just to clarify here for wider benefit: RFC 9496 (which 
> specifies ristretto255, as well as decaf448) includes an Element 
> Derivation function (in Section 4.3.4), which when paired with a 
> hash function can be used to build a hash-to-group operation 
> (which I believe is what library functions like 
> crypto_core_ristretto255_from_hash in libsodium provide). 
> Appendix B of RFC 9380 documents precisely how this should be 
> done to be compatible with it (specifically using an 
> expand_message function that conforms to Section 5.3 of RFC 
> 9380).
>
> Cheers,
> Jack

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email