[Cfrg] proofs for augmented PAKEs
"Björn Haase" <Bjoern.M.Haase@web.de> Wed, 27 March 2019 14:11 UTC
Return-Path: <Bjoern.M.Haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B340712000F for <cfrg@ietfa.amsl.com>; Wed, 27 Mar 2019 07:11:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.675
X-Spam-Level:
X-Spam-Status: No, score=-1.675 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdXLVu4FOfUG for <cfrg@ietfa.amsl.com>; Wed, 27 Mar 2019 07:10:58 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33117120004 for <cfrg@irtf.org>; Wed, 27 Mar 2019 07:10:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1553695853; bh=/H1Gqcx/uRuQJSKq5i2aVK1dTUkgRppL2gCgIZaYgSw=; h=X-UI-Sender-Class:From:To:Subject:Date; b=CV7mvsyhPxXj7OgSRJwS3oGKbFSRF17+3BEFEUDPWsmm+iFCZrsJZ4PgSZexy/lRr Bc9yXJsflI1HFxobRFOzq20m93IRGkTuwNsL/SVjyYbm+gp0bVT6EkZ+MhCg63F9E1 4j/wIHaLOUaqvNWelX/0pjcYvuqldDugdh9KXRjE=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [93.240.145.106] ([93.240.145.106]) by web-mail.web.de (3c-app-webde-bap46.server.lan [172.19.172.46]) (via HTTP); Wed, 27 Mar 2019 15:10:53 +0100
MIME-Version: 1.0
Message-ID: <trinity-90143f1d-d899-40ea-b2a0-811f4732e517-1553695853036@3c-app-webde-bap46>
From: "\"Björn Haase\"" <Bjoern.M.Haase@web.de>
To: cfrg@irtf.org
Content-Type: text/html; charset="UTF-8"
Date: Wed, 27 Mar 2019 15:10:53 +0100
Importance: normal
Sensitivity: Normal
X-Priority: 3
X-Provags-ID: V03:K1:/HvSirQjuJRZzANYWw8PcYUzZfryfWBN2jvray+KAIuqdhbfVtsXt3w7JordCgfU0Cixe LFZF6e++0FSqPWex07LGdBJkKwf1tD1ZHn2qZ8znzXi8PN4n+YKPrhmzDaVFRdosaserrjQdRA/a kb2wWjF1b2pEyExRHzup22mlQS3ubGiC8OvO9t/paFhQaicCEa4x0WlDgvTOA5v332BP0nHxmdoa TvqoBv4KswWvevnAVNXNxO9AL7KSBw3lfCs+ENLiC+zUqIgL12A87gzBkRuVtNGEZTM5tHGvHtaM UU=
X-UI-Out-Filterresults: notjunk:1;V03:K0:LR7Xg7q3VmE=:DuGtbeYDIX1lyTZZFqSf6p yV9H9xG6Q27zT4ZayDufj8l+Qv5WY5qoIIt6Wwur/J2YoqH1DP3Azx+BQbw5wm02W8nLrBjdM rC12FypXXEuHAugdJqALwYS2tcc54jHOjZr8LMznBrLlA7w6WPDYnVq680iq+1TS2yMYdBvfu ocAluk71ggE0KYGQUjRhlU5fKm2eQ5UOfQCL1T5Oz9kaFEK0i+cus+j9/hdwNAO+6OXrAUXVk 3NDm1gkqnhXL6FWHY3SzulYaIL2NNuOH+D+0me9weUsBEA+JFElR8GGGMELXu5p5hs/fmukop 2AetZw2man5mA50elQMzsSniIxlWtdDSKqQfjYDXnY0ydOKrIQF0QO/q2JZS2Uzk8zEIetUQT 51BYNWVfF4EjL/CwMtvbeIJjyAUxoYQc5cDn8K2Y8uUlchBMPTX0PkHPPZtTIiJAV0/kq0m1d BFfBSJLxFloeBh4lTrR7jeKKo9cfaXHwkDTKDcSGsZV5xTrmkDLQkXgKyPE0ZVrdqWuZNavC4 z0QJMJkr9cHWts1ab8M9cIU4ZToO7HhUGrEmqhklCeOm2Tlo1flBRObU4tks3fiYfeRgEmbPv tcuIqnF8QBIp8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/o4a_Jb3W9P8wAPg0q3BtDO5vgt0>
Subject: [Cfrg] proofs for augmented PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 14:11:43 -0000
Hello to all,
I do fully support Hugo’s statement and the assessment regarding the status of proofs of different augmented PAKE protocols.
My own analysis regarding the rather complex topic of security analysis of augmented PAKE protocols for IoT is found in my recent CHES publication
https://tches.iacr.org/index.php/TCHES/article/view/7384" rel="nofollow">https://tches.iacr.org/index.php/TCHES/article/view/7384 (“AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT”). This paper also covers an analysis and a comparison with other proposals such as AugPake and SPAKE2+.
Hugo’s and my assessment regarding SPAKE2+ is also in line with the analysis of Pointcheval and Wang in (https://www.di.ens.fr/david.pointcheval/Documents/Papers/2017_asiaccsB.pdf" rel="nofollow">https://www.di.ens.fr/david.pointcheval/Documents/Papers/2017_asiaccsB.pdf). I’d like to cite Pointcheval and Wang from this paper:
“Cash et al. proposed […] SPAKE2+. While it has been proven secure against server compromise, as for SPAKE, forward-secrecy has never been considered.”
Their result is in line with my analysis. This means, while, IMO, there is no specific reason to believe that SPAKE2+ is insecure. However just as for AugPake the security analysis covers only part of the security guarantees associated with augmented PAKE. Notably forward secrecy (which is the main objective for the use-case of bootstrapping security on a IoT device!) is not formally considered neither by SPAKE2+ nor by AugPake.
One possible problem of using PAKE protocols in a larger environment is that vulnerabilities might be introduced by the larger protocol framework (of which the PAKE is only one sub-component). OPAQUE unlike SPAKE2+ and AugPake has been analyzed in a composable framework (UC) allowing for modular security analysis. I do see this as a significant advantage of OPAQUE. Moreover the security guarantees within UC also cover the case of applications which use related passwords.
Regarding security analysis, in my assessment (see also the AuCPace paper) the best security properties available today are offered by OPAQUE:
The currently unique feature of OPAQUE among all candidates suggested for TLS is it’s resistance to pre-computation attacks. So if having the choice between OPAQUE and all of the other augmented PAKE candidates (SPAKE2+, AugPake), I’d clearly opt for OPAQUE!
My personal objections regarding OPAQUE are only the following:
- Patent issues, which appearantly will be *no* issue for use in TLS at all.
- Secondly I see some minor advantages for my own augmented PAKE proposal AuCPace in specific, extremely resource-constrained environments which could afford neither SPAKE2+ nor OPAQUE.
For the general IoT use-case, in my humble opinion, OPAQUE is *clearly* the best current available proposal, specifically if used on Montgomery or Edwards curves in conjunction with Elligator2 for the OPRF and with a memory-hard password hash such as Argon2 or scrypt.
Yours,
Björn
- [Cfrg] proofs for augmented PAKEs Björn Haase