Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

Watson Ladd <> Wed, 16 November 2016 15:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B49FD12965B for <>; Wed, 16 Nov 2016 07:17:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MD-4F5X1buPj for <>; Wed, 16 Nov 2016 07:17:45 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400c:c08::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 41A80129686 for <>; Wed, 16 Nov 2016 07:17:45 -0800 (PST)
Received: by with SMTP id 12so116747687uas.2 for <>; Wed, 16 Nov 2016 07:17:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=h8zYp8bqMa7F2rqidt8qIHZxp/CkRZdewZoMnk6N2so=; b=zvD0Ku/6Dys2b7p70lakYXQt9/9zveb1TtOU9wQXNilkWkx1wh7k4Yfwy/iMFcdST/ 0wRcmWMUM289q19yPjRnl7qYxIAoLxjuSfKhkEdMytWtrEeLGHpYuIy8Yz7GvsxQP488 zho9CqTD0zLzgK02oGymaQ8CT2KSuyaUAFCHCJZnW/VWJQ9H/rfTSBJKK91laY+sJdd0 2Lqcyhsv/oucatfHmee2oaWZrxYbljcBzFn7uW8g+G/2tD71bPhIgdlU/GtkTPuUY0Mb zu47JGlWXVClUoDx8jZS71cEz0PvFCpaYM3bXCn7vo3qPoF9FyfKrX2Ani0D3Q58GKa1 8emg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=h8zYp8bqMa7F2rqidt8qIHZxp/CkRZdewZoMnk6N2so=; b=VdJZTnHPzU0MjdNZ+A6EH67Vmctx2NeoIDqACvQPjO1geUjbyI6xAbz09XHH3/fl7m eyOyh4ayer6iRpPUBrhlJRnZgPAVcAP1Hm9a3NW88XvJWcO9b7+5lhbYX3R82jFFv16h sdG1Oiq7MmZtpV7NjxfT0TGUmkWGI5QEJCZ06Z0v/q3y0xCVTEeAQiPo3fsn0RwkE2ob JBbzpQ5hDMADrX8lsH7u12LN5yD7chazloF8rwwrSbRMktWDbQnhx2nmq7kKWkBidx7Z OKL6jyD6I8LIgB9g9RDvHNMm4wnc+Rb1aPR+LD8mHZJYzuu5e+Fk7U4kzm5B0XWbnynQ o/bg==
X-Gm-Message-State: ABUngvfyyKrhD727Q8ji+y01DUAA0udYK9aKV3YlkrLezLgxGa/lvs7N2g4bW+jo56aHwqfCUuS7SdUTouD+Yw==
X-Received: by with SMTP id c13mr1598859uab.151.1479309464027; Wed, 16 Nov 2016 07:17:44 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 16 Nov 2016 07:17:43 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
From: Watson Ladd <>
Date: Wed, 16 Nov 2016 07:17:43 -0800
Message-ID: <>
To: Feng Hao <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Nov 2016 15:17:47 -0000

On Wed, Nov 16, 2016 at 2:25 AM, Feng Hao <> wrote:
> Hi Watson,
> On your comments about comparing costs between SPAKE2 and J-PAKE
>  * It's not a fair comparison as the setup assumptions are different. SPAKE2 requires a trusted setup, while J-PAKE doesn't. Instead, you should compare SPAKE2 with KOY, Jiang-Gong and GL protocols as they require the same trusted setup. J-PAKE should be compared with EKE, SPEKE and Dragonfly (which is based on SPEKE).

Different setup assumptions do not make it impossible to compare
different protocols.

>  * When you say "SPAKE2 with M and N generated by hashing is secure, and the proofs found in the SPAKE2 paper do work", it's best that you write up the full details how you do the hashing, proofs that why it's secure and why
> it doesn't affect the original proofs in the SPAKE2 paper in any way. Then people can check and verify your proofs instead of having to take your word for it. I see you are always rigorous in asking "security proofs" from others for everything they do (which is good), so you should consider applying the same rigor to yourself.

This a) cannot be done with standard foundations and b) is a trivial
exercise with any kind of ideal hash/ROM model. I'll sit down and do
it, but while drafting this email someone went and did it.

>  * The KOY, Jiang-Gong and GL papers are relevant as they are the same type of CRS-based designs as SPAKE2. These papers state that the setup needs to be done by a trusted party and they don't specify using a hash.
> SPAKE2 is in the same model. It's appropriate you compare these protocols and definitions. This is necessary especially since you're doing something not specified in the original SPAKE2 paper and other related peer-reviewed papers.

Except I'm not interested in writing a review paper. I'm interested in
looking at all the proposals before us for PAKE, and determining which
should be promoted.

>  * You will need to convince IETF users that there is no possibility of trapdoor for M and N (which may prove a bit tricky). Knowledge (or partial knowledge) of the relation between M and N may allow one to
> systematically break all instances of the protocol execution.
>  * Kindly note that if you can manage to convince IETF users that M and N are completely random, one might just plug M and N as the input of two random points to DUAL_EC and make it work?

Are you aware that DUAL_EC included a point generation mechanism that,
if used, would have completely avoided the backdoor? Do you think that
the hashing argument presented downthread is wrong.
>  * What you say about the 4 exponentiations in the subgroup is correct (consistent with the original paper), but this hasn't included the validation of the public key (which is free in EC but takes one full exponentiation in the finite field setting). See my further comment below.

The next part of my email did describe the validation costs: 1
exponentiation per element to be validated. That is not a full
exponentation: if the subgroup is the unique subgroup of order q in
the finite field, we need only check x^q=1. I said the validation
doubled the cost of SPAKE2: this is not exactly right, as only one
point needs to be validated.

> I read again the original SPAKE2 paper as well as your I-D. I have the following comments
>  * I think SPAKE2 is underspecified in the original paper. It doesn't state the requirements for M and N, but it should be clear that they must be completely random. Also, it doesn't state if the discrete logarithm between M and g (and symmetrically between M and g) must be unknown. It's not immediately clear to me if knowledge of the discrete logarithm for M and g will break anything, but all these should have been explicitly specified in the paper.
>  * I'm a bit worried that in the actual protocol specification in the original paper, there is no step to perform public key validation. This could be due to two reasons: 1) an inadvertent omission by the authors; 2) an intentional design choice. In case of ambiguity like this, one normally takes it as the latter. The reason is simple: if public key validation is considered essential, it MUST be clearly specified, which is the case with most key agreement protocols. However, from early 2000s, some researchers called for abandoning the public key validation, as long as the protocol has formal security proofs (HMQV is one notable example, but it backfired in the end).

The draft completely specifies an equivalent protection. This is the
reason we use the cofactor. I believe I explicitly required on-curve
checks, but will make it more clear if you don't think so.

>  * The above observation reminds me of a paper " Multi-Factor Authenticated Key Exchange" by Poincheval and Zimmer in 2008 [1] where the protocol is specified in a similar manner as SPAKE2 without public key validation. We analysed the protocol and it took us a while to conclude that it is insecure without public key validation (despite the security proofs in the paper) [2]. We contacted authors of [1] and they kindly acknowledged the attack and also confirmed that public key validation needed to be added in their protocol. The attack can be traced to a subtle deficiency in their theoretical model which implicitly assumes that a server is trusted when it communicates with a client. This assumption is clearly invalid, but it is implicit in the model/proofs and it took 5 years for peer researchers to identify it!
>  * At the moment, I don't see an obvious attack due to the missing public key validation in the SPAKE2 specification (as in the original paper), but it's a potential issue that needs some attention.
> Cheers,
> Feng
> [1] D. Pointcheval and S. Zimmer, "Multi-Factor Authenticated Key Exchange," Proceedings of Applied Cryptography and Network Security (ACNS¹08), pp. 277-295, LNCS 5037, 2008.
> [2] Security Analysis of a Multi-Factor Authenticated Key Exchange Protocol
> On 15/11/2016 19:14, "Watson Ladd" <> wrote:
>>Dear Feng,
>>Let me make this very clear, to avoid your misunderstandings: J-PAKE
>>is substantially less efficient than SPAKE2 over the same group.
>>SPAKE2 with M and N generated by hashing is secure, and the proofs
>>found in the SPAKE2 paper do work for this case. If we use a small
>>subgroup of a finite field group, then the necessary validations for
>>group membership double the cost of SPAKE2, but J-PAKE is still
>>slower. J-PAKE requires an additional round, while SPAKE2 fits into
>>the same flow as Diffie-Hellman. There is no relevance of KOY, or
>>Jiang-Gong, or any other paper that may or may not (I didn't bother to
>>look) present its own definitions and security model.
>>SPAKE2 requires exactly 4 exponentations in the subgroup if we do not
>>do anything smart about them. Two of these can be combined and
>>replaced with a dual base exponentiation via Strauss's algorithm.
>>Do you have anything to say to this?

"Man is born free, but everywhere he is in chains".