Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

Feng Hao <> Mon, 14 November 2016 22:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C60DD1294DC for <>; Mon, 14 Nov 2016 14:56:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rW9F8cmPkqNt for <>; Mon, 14 Nov 2016 14:56:27 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF4E01293E9 for <>; Mon, 14 Nov 2016 14:56:26 -0800 (PST)
Received: from ([] by with esmtp (Exim 4.63) (envelope-from <>) id 1c6QAq-0001oz-Fo; Mon, 14 Nov 2016 22:56:24 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Mon, 14 Nov 2016 22:56:24 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-newcastle-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eWOtKrRCsPB916h7LqDN60OwHJ3dn9YAU+TPiNw3iaQ=; b=L/OjBUv2P3ivgCsAvhX2sfCnrnNu1S7f18WUGF7CnGpuk04XaeQzrxY3J3HitqvyDpJ9LhDZTHqpdBHYCTVQW76lFYNdCx/ERU1gp8GfvxK0WNpvG2q+JnN1RiAJkos0E5/3tg0nnBGEZ2IEq3VG09anhbqusb1ACIu7sz8rbz8=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.2; Mon, 14 Nov 2016 22:56:22 +0000
Received: from ([]) by ([]) with mapi id 15.01.0734.004; Mon, 14 Nov 2016 22:56:22 +0000
From: Feng Hao <>
To: Watson Ladd <>
Thread-Topic: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
Thread-Index: AdI+bZzQZch4zeUeTNyFcWq6Y0INHQAHCdeAABAiwAA=
Date: Mon, 14 Nov 2016 22:56:22 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1926; 7:KxkJCb8y+/nuLDELtKL3L/VxvAaDuNdJpHNZQ3HdnYxgHCMthIGCwXvbMyaJjnwbrks3grJfQiZyYi/nG+Dr9c2+nGpWR55Mt8WA+JokQy8PbHxteSDHCr+HW+xtMo25UCn7R5rJ+pc9ZCZb27MwlQ5KLY3dFtqQQXrGEWVadV4bQ6cL3Q/PRaiS7sHv2jgC1Lwq39HwvxjGASagij80DCDF8jOvDGeeAV/PAbuYC7SrqXzSQK1kHhPHg4Bk1SzXWgR0HPXzx7pOtzKm7Rth+qK4U/NjZdYd9+IbDLVCrvqgHwRLfBiE2tEwLPMqu89PpfqLb4GF86XHWh9MA9pGYIDokqiP+KcypOUmkz4o8ao=
x-ms-office365-filtering-correlation-id: 32b66877-0377-4b2e-eac7-08d40ce1749c
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DB5PR0701MB1926;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6060326)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6061324); SRVR:DB5PR0701MB1926; BCL:0; PCL:0; RULEID:; SRVR:DB5PR0701MB1926;
x-forefront-prvs: 0126A32F74
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(24454002)(189002)(377454003)(377424004)(86362001)(1411001)(68736007)(101416001)(122556002)(97736004)(189998001)(4001150100001)(3280700002)(3660700001)(4001350100001)(74482002)(92566002)(36756003)(106356001)(105586002)(2900100001)(66066001)(229853002)(551544002)(77096005)(2906002)(8676002)(4326007)(83506001)(6916009)(81156014)(7736002)(76176999)(54356999)(6116002)(50986999)(102836003)(81166006)(305945005)(3846002)(87936001)(8936002)(5660300001)(7846002)(42882006)(2950100002)(110136003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0701MB1926;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Nov 2016 22:56:22.7566 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c5012c9-b616-44c2-a917-66814fbe3e87
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1926
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2016 22:56:30 -0000

Hi Watson,

Can you be specific what alternative you are talking about?

In [1], J-PAKE is compared with EKE and SPEKE, which are widely considered
the simplest and the most efficient balanced PAKEs. It is shown that the
computational efficiency of J-PAKE is about the same as EKE and SPEKE in
the finite field setting. J-PAKE is better in the EC setting because: 1)
EKE in EC is unspecified (a straightforward implementation of EKE in EC
will trivially leak information about the password); 2) SPEKE in EC
requires an additional primitive of hashing a password to a random point
on the curve (which is a non-trivial problem on its own). J-PAKE needs 2
rounds instead of one, which is a downside and is acknowledged in the
paper. But security is never perfect; it is always a trade-off.

Two points are worth reminding:

1. There is an unfortunate misconception in quite a number of PAKE papers
in the literature that merely count the number of exponentiations as the
computational cost without considering the specific group settings
required by the protocol (e.g., if the protocol accommodates short or long
exponents). See Section 2.2 in [1] for a full discussion.

2. There is also a category of PAKE protocols that assume a trusted setup
to define the randomness in the group setting: in particular, to define a
pair of generators whose discrete logarithm must be unknown. SPAKE2 (which
I understand you¹re working on for an IEFT submission) is only one
example. Other examples include KOY [2], Jiang-Gong [3] and
Gennaro-Lindell [4]. Implementing such as trusted set up (i.e., the common
reference model if you¹re a fan of jargon) is a tricky task. The most
concrete advice in terms of implementation that you may find is probably
from Gennaro and Lindell [4]: ³An example of where it is reasonable to
assume a common reference string is when a large organization wishes to
implement secure login for its employees. In this case, the organization
is trusted to choose the common reference string properly, and this string
can then be hardwired into the software code.² As an example we can have
Google to define a trusted setup, which will be trusted by its employees.
However, it will limit the PAKE application to the internal use within
that organization. EKE, SPEKE and SPEKE do not have this issue.

Note that I¹m not objecting PAKE protocols that rely on a common reference
string; they are one category of PAKE designs and are useful in
specifically identified scenarios. I¹m merely highlighting that there are
diversified PAKE designs with different assumptions and properties. Having
the diversity is a good thing in the research field. However, disparaging
some without noting the weaknesses/merits of others in the context of that
diversity is not fair.


[1] J-PAE:

[2] J. Katz, R. Ostrovsky, M. Yung, ³Efficient password-authenticated key
exchange using human-memorable passwords², Advances in Cryptology, LNCS
2045, pp. 475-494, 2001.

[3] S.Q. Jiang, G. Gong, ³Password based key exchange with mutual
authentication,² Selected Area in Cryptography, LNCS 3357, pp. 267-279,

[4] R. Gennaro, Y. Lindell, ³A framework for password-based authenticated
key exchange,² Eurucrypt¹03, LNCS, No. 2656, pp. 524-543, 2003.

On 14/11/2016 15:14, "Watson Ladd" <> wrote:

>I'm sad to see J-PAKE continue to have legs given its terrible
>performance compared to alternatives. What's the point?
>On Mon, Nov 14, 2016 at 3:53 AM, Feng Hao <>
>> Hi,
>> Recently I submitted J-PAKE and Schnorr NIZK to IETF for "informational
>>RFC". Both drafts are currently under review in the independent
>>submission stream.
>> As per the reviewers' comments, I've revised the drafts to clarify a
>>few points.
>> Schnorr draft
>>  * Clarify the parameters for the finite field and elliptic curves. The
>>DSA/ECDSA parameters are used only as an example; other groups can also
>>be used.
>>  * Clarify the requirement for the hash function. It needs to be
>>collision-resistant in a practical realisation with recommended hash
>>functions given.
>> J-PAKE draft
>>  * Clarify that key confirmation can be implicit or explicit, and that
>>explicit key confirmation is recommended in a practical implementation
>>of J-PAKE.
>> The latest drafts are below:
>> Name:           draft-hao-schnorr
>> Revision:       05
>> Title:          Schnorr NIZK Proof: Non-interactive Zero Knowledge
>>Proof for Discrete Logarithm
>> Document date:  2016-11-14
>> Group:          Individual Submission
>> Pages:          11
>> URL:            
>> Status:
>> Htmlized:
>> Diff: 
>> Name:           draft-hao-jpake
>> Revision:       05
>> Title:          J-PAKE: Password Authenticated Key Exchange by Juggling
>> Document date:  2016-11-14
>> Group:          Individual Submission
>> Pages:          14
>> URL:            
>> Status:
>> Htmlized:
>> Diff: 
>> Your comments are most welcome!
>> Cheers,
>> Feng
>> _______________________________________________
>> Cfrg mailing list
>"Man is born free, but everywhere he is in chains".