Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B49FD12965B for ; Wed, 16 Nov 2016 07:17:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MD-4F5X1buPj for ; Wed, 16 Nov 2016 07:17:45 -0800 (PST) Received: from mail-ua0-x234.google.com (mail-ua0-x234.google.com [IPv6:2607:f8b0:400c:c08::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41A80129686 for ; Wed, 16 Nov 2016 07:17:45 -0800 (PST) Received: by mail-ua0-x234.google.com with SMTP id 12so116747687uas.2 for ; Wed, 16 Nov 2016 07:17:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=h8zYp8bqMa7F2rqidt8qIHZxp/CkRZdewZoMnk6N2so=; b=zvD0Ku/6Dys2b7p70lakYXQt9/9zveb1TtOU9wQXNilkWkx1wh7k4Yfwy/iMFcdST/ 0wRcmWMUM289q19yPjRnl7qYxIAoLxjuSfKhkEdMytWtrEeLGHpYuIy8Yz7GvsxQP488 zho9CqTD0zLzgK02oGymaQ8CT2KSuyaUAFCHCJZnW/VWJQ9H/rfTSBJKK91laY+sJdd0 2Lqcyhsv/oucatfHmee2oaWZrxYbljcBzFn7uW8g+G/2tD71bPhIgdlU/GtkTPuUY0Mb zu47JGlWXVClUoDx8jZS71cEz0PvFCpaYM3bXCn7vo3qPoF9FyfKrX2Ani0D3Q58GKa1 8emg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=h8zYp8bqMa7F2rqidt8qIHZxp/CkRZdewZoMnk6N2so=; b=VdJZTnHPzU0MjdNZ+A6EH67Vmctx2NeoIDqACvQPjO1geUjbyI6xAbz09XHH3/fl7m eyOyh4ayer6iRpPUBrhlJRnZgPAVcAP1Hm9a3NW88XvJWcO9b7+5lhbYX3R82jFFv16h sdG1Oiq7MmZtpV7NjxfT0TGUmkWGI5QEJCZ06Z0v/q3y0xCVTEeAQiPo3fsn0RwkE2ob JBbzpQ5hDMADrX8lsH7u12LN5yD7chazloF8rwwrSbRMktWDbQnhx2nmq7kKWkBidx7Z OKL6jyD6I8LIgB9g9RDvHNMm4wnc+Rb1aPR+LD8mHZJYzuu5e+Fk7U4kzm5B0XWbnynQ o/bg== X-Gm-Message-State: ABUngvfyyKrhD727Q8ji+y01DUAA0udYK9aKV3YlkrLezLgxGa/lvs7N2g4bW+jo56aHwqfCUuS7SdUTouD+Yw== X-Received: by 10.176.86.205 with SMTP id c13mr1598859uab.151.1479309464027; Wed, 16 Nov 2016 07:17:44 -0800 (PST) MIME-Version: 1.0 Received: by 10.176.85.18 with HTTP; Wed, 16 Nov 2016 07:17:43 -0800 (PST) In-Reply-To: References: From: Watson Ladd Date: Wed, 16 Nov 2016 07:17:43 -0800 Message-ID: To: Feng Hao Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Archived-At: Cc: "cfrg@irtf.org" Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2016 15:17:47 -0000 On Wed, Nov 16, 2016 at 2:25 AM, Feng Hao wrote: > Hi Watson, > > On your comments about comparing costs between SPAKE2 and J-PAKE > > * It's not a fair comparison as the setup assumptions are different. SPA= KE2 requires a trusted setup, while J-PAKE doesn't. Instead, you should com= pare SPAKE2 with KOY, Jiang-Gong and GL protocols as they require the same = trusted setup. J-PAKE should be compared with EKE, SPEKE and Dragonfly (whi= ch is based on SPEKE). Different setup assumptions do not make it impossible to compare different protocols. > > * When you say "SPAKE2 with M and N generated by hashing is secure, and = the proofs found in the SPAKE2 paper do work", it's best that you write up = the full details how you do the hashing, proofs that why it's secure and wh= y > it doesn't affect the original proofs in the SPAKE2 paper in any way. The= n people can check and verify your proofs instead of having to take your wo= rd for it. I see you are always rigorous in asking "security proofs" from o= thers for everything they do (which is good), so you should consider applyi= ng the same rigor to yourself. This a) cannot be done with standard foundations and b) is a trivial exercise with any kind of ideal hash/ROM model. I'll sit down and do it, but while drafting this email someone went and did it. > > * The KOY, Jiang-Gong and GL papers are relevant as they are the same ty= pe of CRS-based designs as SPAKE2. These papers state that the setup needs = to be done by a trusted party and they don't specify using a hash. > SPAKE2 is in the same model. It's appropriate you compare these protocols= and definitions. This is necessary especially since you're doing something= not specified in the original SPAKE2 paper and other related peer-reviewed= papers. Except I'm not interested in writing a review paper. I'm interested in looking at all the proposals before us for PAKE, and determining which should be promoted. > > * You will need to convince IETF users that there is no possibility of t= rapdoor for M and N (which may prove a bit tricky). Knowledge (or partial k= nowledge) of the relation between M and N may allow one to > systematically break all instances of the protocol execution. > > * Kindly note that if you can manage to convince IETF users that M and N= are completely random, one might just plug M and N as the input of two ran= dom points to DUAL_EC and make it work? Are you aware that DUAL_EC included a point generation mechanism that, if used, would have completely avoided the backdoor? Do you think that the hashing argument presented downthread is wrong. > > * What you say about the 4 exponentiations in the subgroup is correct (c= onsistent with the original paper), but this hasn't included the validation= of the public key (which is free in EC but takes one full exponentiation i= n the finite field setting). See my further comment below. The next part of my email did describe the validation costs: 1 exponentiation per element to be validated. That is not a full exponentation: if the subgroup is the unique subgroup of order q in the finite field, we need only check x^q=3D1. I said the validation doubled the cost of SPAKE2: this is not exactly right, as only one point needs to be validated. > > I read again the original SPAKE2 paper as well as your I-D. I have the fo= llowing comments > > * I think SPAKE2 is underspecified in the original paper. It doesn't sta= te the requirements for M and N, but it should be clear that they must be c= ompletely random. Also, it doesn't state if the discrete logarithm between = M and g (and symmetrically between M and g) must be unknown. It's not immed= iately clear to me if knowledge of the discrete logarithm for M and g will = break anything, but all these should have been explicitly specified in the = paper. > > * I'm a bit worried that in the actual protocol specification in the ori= ginal paper, there is no step to perform public key validation. This could = be due to two reasons: 1) an inadvertent omission by the authors; 2) an int= entional design choice. In case of ambiguity like this, one normally takes = it as the latter. The reason is simple: if public key validation is conside= red essential, it MUST be clearly specified, which is the case with most ke= y agreement protocols. However, from early 2000s, some researchers called f= or abandoning the public key validation, as long as the protocol has formal= security proofs (HMQV is one notable example, but it backfired in the end)= . The draft completely specifies an equivalent protection. This is the reason we use the cofactor. I believe I explicitly required on-curve checks, but will make it more clear if you don't think so. > > * The above observation reminds me of a paper " Multi-Factor Authenticat= ed Key Exchange" by Poincheval and Zimmer in 2008 [1] where the protocol is= specified in a similar manner as SPAKE2 without public key validation. We = analysed the protocol and it took us a while to conclude that it is insecur= e without public key validation (despite the security proofs in the paper) = [2]. We contacted authors of [1] and they kindly acknowledged the attack an= d also confirmed that public key validation needed to be added in their pro= tocol. The attack can be traced to a subtle deficiency in their theoretical= model which implicitly assumes that a server is trusted when it communicat= es with a client. This assumption is clearly invalid, but it is implicit in= the model/proofs and it took 5 years for peer researchers to identify it! > > * At the moment, I don't see an obvious attack due to the missing public= key validation in the SPAKE2 specification (as in the original paper), but= it's a potential issue that needs some attention. > > Cheers, > Feng > > [1] D. Pointcheval and S. Zimmer, "Multi-Factor Authenticated Key Exchang= e," Proceedings of Applied Cryptography and Network Security (ACNS=C2=B908)= , pp. 277-295, LNCS 5037, 2008. > > [2] Security Analysis of a Multi-Factor Authenticated Key Exchange Protoc= ol https://eprint.iacr.org/2012/039.pdf > > On 15/11/2016 19:14, "Watson Ladd" wrote: > >>Dear Feng, >> >>Let me make this very clear, to avoid your misunderstandings: J-PAKE >>is substantially less efficient than SPAKE2 over the same group. >>SPAKE2 with M and N generated by hashing is secure, and the proofs >>found in the SPAKE2 paper do work for this case. If we use a small >>subgroup of a finite field group, then the necessary validations for >>group membership double the cost of SPAKE2, but J-PAKE is still >>slower. J-PAKE requires an additional round, while SPAKE2 fits into >>the same flow as Diffie-Hellman. There is no relevance of KOY, or >>Jiang-Gong, or any other paper that may or may not (I didn't bother to >>look) present its own definitions and security model. >> >>SPAKE2 requires exactly 4 exponentations in the subgroup if we do not >>do anything smart about them. Two of these can be combined and >>replaced with a dual base exponentiation via Strauss's algorithm. >> >>Do you have anything to say to this? >> >>Sincerely, >>Watson > --=20 "Man is born free, but everywhere he is in chains". --Rousseau.