IETF Logo Mail Archive

Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Fri, 10 January 2020 14:45 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 629C71200FF for <cfrg@ietfa.amsl.com>; Fri, 10 Jan 2020 06:45:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AplVoIgWv9U for <cfrg@ietfa.amsl.com>; Fri, 10 Jan 2020 06:45:27 -0800 (PST)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40054.outbound.protection.outlook.com [40.107.4.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6F1B1200F7 for <cfrg@irtf.org>; Fri, 10 Jan 2020 06:45:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ay9dWXEzl9BUKYEAM/mLAss7uqsdwNxtQNq/bKYhUhe73MaW5+1pUBnQuuHkOBOlCp4kbbv6rweYfr13iddQZ06XxgytUDvtkLua2a/LlTx3s5ec9crCRUEk5wpEv45YKEw+3bFFHWuXx45EBP3eE0HC3w8QAuEEEqM1VPtgVax1mmYTDl1d1dUi+4SOTyhvwDp9m/DPNefxzeSWPkYDfUUqZqNQqV02Y08sZuymz0vZ0cotRyps11eljQ0XLT1FCKvMQNHjE4aR5A+Mqoag3yZzBOhq2CauZC/Fhb681d8L5Ku/Y3AS0bA3tGROQTttDBJBvE9BQpnFejBnZiESVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xtgE1F/i1HZ+vZ28OXrQoOKF7aGE9MkxkcLVDViEyfQ=; b=PVJosC9TzzZwWHbwZ1p94SZe8qOil5Xs/DA99rNVETpRaNWXK61S3zajYPAk+m6o0FFkmojbneDt2BtFe7l9mORNaoMml94/rQJBfIdWROmKPSNMHM5/j8E4wROetDhQYC9Jkt8cARy+0bl9s2y+YzjzeUoSJfrwq7J/lyyjRY48/+lQsymZf9zCemThZinFaojiiqhD3VvzMcH2IWcOsRfrPbHpMdG1n/D7ZPUGaspryINT/fKGWMt1yqt7n/U/XWZttp/xaLIaTVUxENA7kZz4ljQOKiTTixMtZ31mDn7Azs650hXbP8iquHw8GTbf7pQYYM7hNukujbCzab9uPw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB5163.eurprd01.prod.exchangelabs.com (20.178.108.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.10; Fri, 10 Jan 2020 14:45:24 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::a1c8:9042:f44b:916e]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::a1c8:9042:f44b:916e%5]) with mapi id 15.20.2623.013; Fri, 10 Jan 2020 14:45:24 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Björn Haase <bjoern.m.haase@web.de>, cfrg <cfrg@irtf.org>
Thread-Topic: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available
Thread-Index: AdXFZsWj+BgRX8HvTDuxE8jfSMPPRQADzq0AAAyaZgAAhwslgA==
Date: Fri, 10 Jan 2020 14:45:23 +0000
Message-ID: <3168DBA4-CDA5-44F5-A0EC-175E67DD446B@live.warwick.ac.uk>
References: <VI1PR05MB650941DEC988A4E3DD3D7E53833F0@VI1PR05MB6509.eurprd05.prod.outlook.com> <0A892720-D1F1-44A9-8E53-529453D566BD@live.warwick.ac.uk> <f51d77f8-11ac-8b2d-6ec4-beca3f66a19a@web.de>
In-Reply-To: <f51d77f8-11ac-8b2d-6ec4-beca3f66a19a@web.de>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.20.0.191208
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [137.205.238.72]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f9d7136b-2d87-44e5-2f28-08d795dbb9d3
x-ms-traffictypediagnostic: DB7PR01MB5163:
x-microsoft-antispam-prvs: <DB7PR01MB516360DFA86221C1040A0B8CD6380@DB7PR01MB5163.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02788FF38E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(39860400002)(136003)(396003)(346002)(376002)(189003)(199004)(66946007)(110136005)(71200400001)(2906002)(8936002)(6512007)(478600001)(66476007)(6486002)(66446008)(81166006)(64756008)(91956017)(76116006)(66556008)(86362001)(5660300002)(33656002)(8676002)(186003)(26005)(786003)(6506007)(81156014)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB5163; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rrcL9TfWExI2RfmsxuLhqxm2QzXhRmXbavYzeWCWkPAm5mf3dtwNm26+YDiy0uIjUjSasduI3ayDjPtioZdSmxVJ4TferBQUvyf3hNiETHBc0oUZe24zbVNhkwDrqngqE4w0U+yp1KECu7WbH2yTMk0gHxH4lWKoMJoWfwJQYxiC80/u9EA+7CcuF2uaTBx2pkao2gS0t1lfFZUHvAh+BBbjY1kQZF4RHFGNS96Qn5mwD3iK9fP5ieuEaRksvddMWxuqZmQfKR9Ei02VBgnf6VWjtrP028Xj0zr2SEjRGBojTozRMZkiOTXz8hh2lPYhYQSC96ah5xWwI452TnbtK0MS7iNXPjJ2Ao3CiAU+/4LSPe6sn9JOvQ4DOT6z+bDAUViF4UUfgM6kZ4k/x/J8HsmtyV5Hus+xQ8Y9SqtFXwr/Y3h4Y3RTZxJ3wNCIVyBZ
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <E8DC22E4309D2C4DAA3A219C7251ADED@eurprd01.prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: f9d7136b-2d87-44e5-2f28-08d795dbb9d3
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jan 2020 14:45:24.0898 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pzKCNzff1gT9xevEuvobDuHB10/oqVYW7QA+Zuzy98sns7D/EimEJwpVop5X4jXVMMKHrlQrfQmquC9NlG1kv3yF/92gm+OJ5JNO3xq/jn4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB5163
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eShR65K9iTWMfsWmKFZ_PlxdVmk>
Subject: Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 14:45:32 -0000

Dear Bjorn,

> I aim at being fair to all candidates in the discussions and specifically also to J-PAKE.

Thanks for doing this. I believe a fact-based approach is what's needed to drive this process forward. We often see too many opinions which are not substantiated.

> J-PAKE beside the two additional rounds and the efficiency disadvantages, in my opinion has four outstanding points:

Being 2 rounds is a factual limitation for J-PAKE as compared to 1-round PAKE (acknowledged in the original J-PAKE paper). However, in terms of computation efficiency, J-PAKE has no disadvantage if you compare protocols side-by-side fairly.
    
So far, the most established 1-round protocol (without trusted setup) is the (patched) SPEKE, which is specified in ISO/IEC 11770-4 (2017). We can have a fair comparison since neither requires a trusted setup.

 * In the finite field setting, SPEKE requires 2 modular exponentiations (with long exponents) while J-PAKE needs 14 modular exponentiation (with short exponents). Overall, the computational cost of SPEKE is about the same as (or even higher than) J-PAKE. This is explained in the original J-PAKE paper. Unfortunately, several experts in the reviewing process only counted the number of modular exponentiations without considering the critical difference in the bit length on the exponent. The unfortunate use of the long bit length in SPEKE is a known idiosyncrasy in the design, which is rooted in the need to perform an hash-to-field-element operation. Given that CPace is a SPEKE variant, if you specify CPace in the finite field, you should find it will have no computational advantage than J-PAKE for the same reason.
 * In the elliptic curve setting, the SPEKE specification in ISO/IEC 11770-4 is not really established, so its efficiency is yet to be established. For this reason, it cannot be compared with J-PAKE. SPEKE critically depends on a hash-to-curve function (also called Integer-to-Point or I2P in the IEEE P1363.2 and ISO/IEC documents; but it's the same thing). Such a function is provided in ISO/IEC 11770-4, but with the following note

" This function is believed to hold properties of the randomness and onewayness, i.e. converting an integer to a point such that the point is randomly distributed in the selected group and that given current knowledge, recovering the integer from the point is computationally infeasible. This function is also used by IEEE P1363[7]. However, there is no formal security proof of this function published"

The same note might be applicable to the current IETF draft on hash-to-curve. This is why I suggested that we should wait until the IETF draft to be finalized before we can evaluate the security and efficiency of PAKE protocols that critically depend on it.

> Even if it was quite obviously not your main objective, I believe that from all of the advantages the feature 4.) might indeed have been the single one most valuable property of J-PAKE for industry.
    
I agree parents have unfortunately messed up the PAKE field, but if you look at the history of the developments in this field and take a critical view to examine all the proposed solutions, you may find that a more fundamental obstacle in deploying PAKE is actually a technical one.

About 10-20 years ago (IEEE P1363.2 had a public and intensive standardization process on PAKE in 2000-2008), many people believed the PAKE problem had been solved - with an "ideal cipher" that performs a random-oracle like mapping keyed by a low-entry password, you can have a "provably secure" PAKE with formal security proofs. Hence the problem is reduced to a simpler task of instantiating the "ideal cipher". But later it turned out that this was much trickier than what one might have expected. Instead, alternative approaches were proposed based on "trusted setup", and "hash-to-curve" functions. All these proposals were intensively reviewed during the IEEE standardization process, but by the end of 2008 (8 years after when the standardization started and that was the maximum life span normally expected for a standardization project), it became all clear that the PAKE problem had actually remained unsolved, as none of the techniques (including patented ones) was found filling the bill. This was what motivated us to design a practical solution to this engineering problem back in 2008, by taking a fresh and completely different approach. Whether J-PAKE has actually solved this problem of if there will be a better solution remains to be seen but I recall back in the time when I was a PhD student, David Wheeler (Cambridge) used to say to us: 

"In computer science, you can solve any problem by adding an extra layer of indirection, until that extra layer of indirection becomes a new problem."

I'm happy to say, at least, J-PAKE was fully specified and fixed (without any extra layer of indirection) at the time when it was first presented at SPW'08, and since then it hasn't changed despite intensive public scrutiny.

v2.23.0 | Report a Bug | By Email