Re: [Cfrg] Re-review of the four balanced PAKEs

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Fri, 25 October 2019 09:18 UTC

From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cIq3qN7akdSH8kHgl2GlvUCXzK8>

Hi Scott,

When you consider the finite field setting (ModP), I think you need to count the cost of the hash-to-field-element operation, which is the equivalent of the hash-to-curve operation in the EC setting. To avoid the need for such an expensive mapping operation, SPEKE uses a safe prime for the modulus. But then one exponentiation in SPEKE for a 2048-bit modulus is about 7-8 times more expensive than that in J-PAKE. Overall, it can be even more expensive than J-PAKE! This is not reflected in your table. The same issue would apply to other PAKE candidates that rely on hash-to-curve functions. One might avoid this issue by abandoning the finite field setting, but I think that’s inappropriate for the “completeness” of the protocol specification and the diversity of security choices. After all, the finite field and ECC are just two different ways to implement the same protocol. J-PAKE is specifically designed to eliminate a trusted setup and the need for any hash-to-curve (or the equivalent in the finite field), as neither was considered desirable. I hope this gives more context to understand the design rationale of this protocol.

Cheers,
Feng

Balanced PAKE summary (continued)

Name               | Comp per side (*) | Total Message Size (**)
-------------------+-------------------+------------------------
CPace              | H+2x              | 2P+2H
J-PAKE             | 2g+3x+3pg+3pv     | 6P+4Z+2H
SPAKE-2            | d+x               | 2P
SPEKE (EC based)   | H+2x              | 2P
SPEKE (ModP based) | 2M                | 2M

Cost:

H: Hash to point
x: Point multiplication
g: Point multiplication of the generator (which is potentially cheaper than a point multiplication of an arbitrary point)
d: Double scalar point multiply and add, that is, aB + cD
pg: Zero knowledge proof generation (approximately the same as a field multiplication)
pv: Zero knowledge proof verification (approximately the same as a double scalar point multiply and add)
M: Modular exponentiation
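
Added example, not part of the original message: a count of modular multiplications for one 2048-bit ModP exponentiation with a safe-prime-sized exponent (the SPEKE case in the reply) against a short subgroup exponent, plus the cofactor exponentiation that hashing into a prime-order subgroup would need. Assumptions: the short-exponent group has a 256-bit subgroup order, the modulus and exponents are constructed values used only for counting, and all function names are hypothetical.

```python
import hashlib

P_BITS = 2048   # modulus size discussed in the message
Q_BITS = 256    # ASSUMPTION: subgroup order size of the short-exponent group

# Constructed odd 2048-bit modulus: adequate for counting multiplications,
# NOT a vetted prime and not a real group parameter.
MODULUS = (1 << (P_BITS - 1)) | 1 | int.from_bytes(
    hashlib.shake_256(b"constructed modulus").digest(P_BITS // 8), "big")

def sample_exponent(bits, label):
    """Deterministic constructed exponent with exactly `bits` bits."""
    raw = int.from_bytes(hashlib.shake_256(label).digest((bits + 7) // 8), "big")
    return (raw % (1 << (bits - 1))) | (1 << (bits - 1))

def counted_pow(base, exponent, modulus):
    """Left-to-right square-and-multiply for exponent >= 1.

    Returns (result, number of modular multiplications performed)."""
    result, mults = base % modulus, 0
    for bit in bin(exponent)[3:]:        # skip '0b' and the leading 1 bit
        result = result * result % modulus
        mults += 1
        if bit == "1":
            result = result * base % modulus
            mults += 1
    return result, mults

def compare_costs():
    """Multiplication counts for the three exponent sizes in the argument."""
    cases = {
        # Safe prime p = 2q + 1: exponents range over a ~2047-bit q.
        "safe_prime_exponent": sample_exponent(P_BITS - 1, b"safe prime"),
        # Prime-order subgroup with a short q: exponents are Q_BITS long.
        "short_exponent": sample_exponent(Q_BITS, b"short"),
        # Hashing into that subgroup means raising to the cofactor (p-1)/q.
        "cofactor_hash_to_group": sample_exponent(P_BITS - Q_BITS, b"cofactor"),
    }
    costs = {}
    for name, exponent in cases.items():
        value, mults = counted_pow(4, exponent, MODULUS)
        assert value == pow(4, exponent, MODULUS)   # cross-check the ladder
        costs[name] = mults
    return costs

if __name__ == "__main__":
    for name, mults in compare_costs().items():
        print(f"{name:24s} {mults} modular multiplications")
```

The counts ignore windowing and fixed-base precomputation, which lower every figure but leave the cost roughly proportional to exponent length.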