Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
Feng Hao <feng.hao@newcastle.ac.uk> Tue, 15 November 2016 18:05 UTC
Return-Path: <feng.hao@newcastle.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 343B6129435 for <cfrg@ietfa.amsl.com>; Tue, 15 Nov 2016 10:05:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=newcastle.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YLk0Cs52mLT for <cfrg@ietfa.amsl.com>; Tue, 15 Nov 2016 10:05:31 -0800 (PST)
Received: from cheviot22.ncl.ac.uk (cheviot22.ncl.ac.uk [128.240.234.22]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 705C8128E19 for <cfrg@irtf.org>; Tue, 15 Nov 2016 10:05:30 -0800 (PST)
Received: from exhubvm01.ncl.ac.uk ([128.240.234.5] helo=EXHUBVM01.campus.ncl.ac.uk) by cheviot22.ncl.ac.uk with esmtp (Exim 4.63) (envelope-from <feng.hao@newcastle.ac.uk>) id 1c6i6q-0000Q5-FP; Tue, 15 Nov 2016 18:05:28 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (213.199.154.211) by exhub.ncl.ac.uk (128.240.234.5) with Microsoft SMTP Server (TLS) id 14.3.266.1; Tue, 15 Nov 2016 18:05:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newcastle.onmicrosoft.com; s=selector1-newcastle-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Gae0Isv5ZHhZ/lO42ASo8OCt2V0OVFdpFMAdfVTE2DQ=; b=UqMk3C2f/GMSKEf3CwcS44+x598mII9jxhWahbv3KJW/AoYbSlcbKqBz1UQkl8WVDgJydOIMz4WJY4tZwLkYV82QK+2BBtE6yuHb2Np13eu3u09RKyE1iAgffc/34j1xE1re8IyjCJiTdvf2HB4EXZx1VWTPNbiYUHH0daoc6DQ=
Received: from DB5PR0701MB1928.eurprd07.prod.outlook.com (10.167.228.24) by DB5PR0701MB1925.eurprd07.prod.outlook.com (10.167.228.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.2; Tue, 15 Nov 2016 18:04:57 +0000
Received: from DB5PR0701MB1928.eurprd07.prod.outlook.com ([10.167.228.24]) by DB5PR0701MB1928.eurprd07.prod.outlook.com ([10.167.228.24]) with mapi id 15.01.0734.004; Tue, 15 Nov 2016 18:04:57 +0000
From: Feng Hao <feng.hao@newcastle.ac.uk>
To: Mike Hamburg <mike@shiftleft.org>
Thread-Topic: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
Thread-Index: AdI+bZzQZch4zeUeTNyFcWq6Y0INHQAHCdeAABAiwAAABCp6gAASKUpwABAuGYAAATCz8A==
Date: Tue, 15 Nov 2016 18:04:57 +0000
Message-ID: <DB5PR0701MB1928C227C92DC65094AB2ACED4BF0@DB5PR0701MB1928.eurprd07.prod.outlook.com>
References: <DB5PR0701MB19282BB2E03816405AF5DF91D4BC0@DB5PR0701MB1928.eurprd07.prod.outlook.com> <CACsn0ck4uFHrKzX9EDGSADjv1BkpnGPA3v4ncR8R9dkTn5DWgg@mail.gmail.com> <D44FD9E6.186BF%feng.hao@newcastle.ac.uk> <1B6B7B9F-F166-42EE-A35E-4D899CA1BAFE@shiftleft.org> <DB5PR0701MB19280CCCD49D130767900EA3D4BF0@DB5PR0701MB1928.eurprd07.prod.outlook.com> <4633DF67-CF9E-47A5-979E-C77F10279899@shiftleft.org>
In-Reply-To: <4633DF67-CF9E-47A5-979E-C77F10279899@shiftleft.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=feng.hao@newcastle.ac.uk;
x-originating-ip: [128.240.225.103]
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1925; 7:n2DT0gIOixGdt0Doa2YViE3Lko+LoKKSXQvKzxIgn748sdscHrE6stCF3nNcOR4K0oU/MJEYpJElZcz90rUruj/82q+ToRs/HRHWSF5AafgjKb3WRZB3V3YeSpY+WKAzgg6dZ3eIboEdLAOmLsh4f5GXvt6aAULV1fM9818TgttKt85NGtYHOeNt0HVbiGBcOklR+J+6IhV6yJDa77mhhTNoSqdCBJlAOPylWJIzUf3du1uRRPgrd9D0kfxaCKygfylAouPDDUDb5IvYXpq6lCtty0uzt7kHnsvws7b9vvyTociJXSvvINh5ndBlijtTz6xAA+YwW71kjP9fY5Pqyn0GuskHccxiQqvca27ZypY=
x-ms-office365-filtering-correlation-id: 88ebbd84-4d99-4272-3dbb-08d40d81e8e2
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DB5PR0701MB1925;
x-microsoft-antispam-prvs: <DB5PR0701MB1925271CC5E020D23872285DD4BF0@DB5PR0701MB1925.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705)(35073007944872)(21748063052155)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6060326)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6061324); SRVR:DB5PR0701MB1925; BCL:0; PCL:0; RULEID:; SRVR:DB5PR0701MB1925;
x-forefront-prvs: 012792EC17
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(7916002)(377424004)(51914003)(377454003)(13464003)(189002)(199003)(24454002)(66066001)(105586002)(76576001)(2906002)(68736007)(54356999)(4326007)(7736002)(50986999)(101416001)(3660700001)(76176999)(551544002)(74316002)(790700001)(3280700002)(8676002)(7846002)(86362001)(7906003)(6116002)(3846002)(102836003)(33656002)(106356001)(93886004)(77096005)(4001150100001)(97736004)(92566002)(2900100001)(189998001)(87936001)(81166006)(8936002)(6916009)(9686002)(2950100002)(74482002)(42882006)(9326002)(110136003)(5660300001)(81156014)(7696004)(122556002)(229853002)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0701MB1925; H:DB5PR0701MB1928.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: newcastle.ac.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DB5PR0701MB1928C227C92DC65094AB2ACED4BF0DB5PR0701MB1928_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Nov 2016 18:04:57.3682 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c5012c9-b616-44c2-a917-66814fbe3e87
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1925
X-OriginatorOrg: newcastle.ac.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/o8CABITqu7NC_kYiyjrGriYr7Ro>
X-Mailman-Approved-At: Thu, 17 Nov 2016 10:21:37 -0800
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2016 18:05:34 -0000
Hi Mike, Thanks for the clarification. I’m still not entirely sure when the point falls into a small subgroup, simply multiplying a co-factor will resolve it and everything will still be in constant time. It would become clearer if you have a complete specification, and then we can see how the EC parameters interact with the protocol. As said, this is a non-trivial problem as far as I understand. In IEEE P1363.2 and ISO/IEC 11770-4, there lacks a clean solution. The existing hashing-to-curve algorithm as defined in ISO/IEC 11770-4 is basically search then trial and error, which is not strictly constant time. Hence I would recommend you consider writing this up and get a peer-reviewed publication. It will be a good contribution to the community as well as to standards such as ISO/IEC 11770-4. (I’m happy to be your contact for ISO/IEC if you go this route). Cheers, Feng From: Mike Hamburg [mailto:mike@shiftleft.org] Sent: 15 November 2016 17:19 To: Feng Hao <feng.hao@newcastle.ac.uk> Cc: cfrg@irtf.org Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs Hi Feng, Thanks for your reply. My comments are inline. Sent from my phone. Please excuse brevity and typos. On Nov 15, 2016, at 02:55, Feng Hao <feng.hao@newcastle.ac.uk<mailto:feng.hao@newcastle.ac.uk>> wrote: Hi Mike, Thanks for the thoughtful comments. There indeed exist encoding algorithms that can hash an input to a (somehow random) point on the curve in constant time. One of them (based on the icart method) is used by PACE in the implementation of e-passport. But these algorithms have very specific requirements on the parameters of the curve (e.g., the modulus needs to be in some form etc). I'm not aware of any general algorithm that can flexibly and efficiently do the hashing-to-curve for general elliptic curves which are suitable for cryptography (i.e., where ECDLP is hard). The Shallue-vanDeWoestijne-Ulas algorithm (SWU) meets these requirements on any elliptic curve over a large-characteristic field. See https://eprint.iacr.org/2009/340.pdf Section 2.1. I don't remember if there is a known solution for small-characteristic. With regard to the algorithm you specify below, I'm not sure it's a constant algorithm though. There is a conditional check for the square root (which needs some care in the implementation). Right. You can compute the Legendre symbol z^((p-1)/2) in constant time easily. Then you have to conditionally select between the two options based on whether the symbol is -1; or else use arithmetic based on the fact that the symbol is necessarily in {-1,0,1}. Also, if the point falls into the subgroup, you say it doesn't matter because it will be multiplied by a co-factor. Are u sure? I should have been more clear because this is security-critical. The most natural choice of DH algorithm for SPEKE on a Montgomery curve is X25519, or maybe X448. These algorithms both multiply by the cofactor. In this case, it doesn't matter whether P is in the subgroup. For SPAKE2-EE, and for SPEKE with an algorithm that doesn't multiply by the cofactor, this would be a security hole. In that case, you need to multiply the encoded point by the cofactor before using it. On a side note, if this algorithm works as it says, then one should be able to easily apply it to Dragonfly? There were a lot discussion on this list on how to do efficient hashing-to-curve in constant time for the Dragonfly protocol (RFC 7664). I don't recall there is a consensus. Maybe there is an easy solution to that problem? I'm pretty sure SWU works for Dragonfly. The one I presented requires a Montgomery curve, or at least a curve with a 2-torsion point, and I don't recall if Dragonfly uses those. Of course, if you're respeccing Dragonfly, you might as well change it to some other PAKE, maybe one with a security proof. Cheers, Feng Cheers, -- Mike -----Original Message----- From: Mike Hamburg [mailto:mike@shiftleft.org] Sent: 15 November 2016 00:56 To: Feng Hao <feng.hao@newcastle.ac.uk<mailto:feng.hao@newcastle.ac.uk>> Cc: Watson Bernard Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>>; cfrg@irtf.org<mailto:cfrg@irtf.org> Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs I’d like to note that for both SPEKE and SPAKE2-EE, the encoding to the curve doesn’t need to be uniform. It just needs to be inverse-sampleable and within some reasonable factor of uniform. This means that either SWU or Elligator can be used for this purpose. If you’re doing SPEKE on a Montgomery curve y^2 = x(x^2+Ax+1), such as X25519, then Elligator2 is actually pretty simple to specify: Let u be a fixed quadratic non-residue. For example, u=-1 for 3mod4, or u=2 for 5mod 8. (The other reasonable choice is u=sqrt(-1) for 5mod 8.) Take as input a sequence of bytes to be encoded, eg h=really_slow_hash(salt,password). Convert it to a field element using a little-endian convention, because Montgomery curves are Bernstein country. Let x := -A / (1+u*h^2). if x*(x^2+A*x+1) isn’t square, then change x := -A-x, which is also equal to x*u*h^2 by construction. Now x is the x-coordinate of a point on the curve. In the unlikely event that 1+uh^2=0, then the output is 0, or the point at infinity, or 0/0, or whatever. These are all equivalent for SPEKE-X25519. It doesn’t matter whether the point is in the subgroup or not, because you’ll multiply by the cofactor during the scalar mul. For SPAKE2-EE, the specification is more complicated, but not by much. Efficiency-wise, this can be implemented in constant time, in approximately the same amount of time as a single square root operation. So can SWU, if you aren’t on a Montgomery or Edwards curve. — Mike On Nov 14, 2016, at 2:56 PM, Feng Hao <feng.hao@newcastle.ac.uk<mailto:feng.hao@newcastle.ac.uk>> wrote: Hi Watson, Can you be specific what alternative you are talking about? In [1], J-PAKE is compared with EKE and SPEKE, which are widely considered the simplest and the most efficient balanced PAKEs. It is shown that the computational efficiency of J-PAKE is about the same as EKE and SPEKE in the finite field setting. J-PAKE is better in the EC setting because: 1) EKE in EC is unspecified (a straightforward implementation of EKE in EC will trivially leak information about the password); 2) SPEKE in EC requires an additional primitive of hashing a password to a random point on the curve (which is a non-trivial problem on its own). J-PAKE needs 2 rounds instead of one, which is a downside and is acknowledged in the paper. But security is never perfect; it is always a trade-off. Two points are worth reminding: 1. There is an unfortunate misconception in quite a number of PAKE papers in the literature that merely count the number of exponentiations as the computational cost without considering the specific group settings required by the protocol (e.g., if the protocol accommodates short or long exponents). See Section 2.2 in [1] for a full discussion. 2. There is also a category of PAKE protocols that assume a trusted setup to define the randomness in the group setting: in particular, to define a pair of generators whose discrete logarithm must be unknown. SPAKE2 (which I understand you¹re working on for an IEFT submission) is only one example. Other examples include KOY [2], Jiang-Gong [3] and Gennaro-Lindell [4]. Implementing such as trusted set up (i.e., the common reference model if you¹re a fan of jargon) is a tricky task. The most concrete advice in terms of implementation that you may find is probably from Gennaro and Lindell [4]: ³An example of where it is reasonable to assume a common reference string is when a large organization wishes to implement secure login for its employees. In this case, the organization is trusted to choose the common reference string properly, and this string can then be hardwired into the software code.² As an example we can have Google to define a trusted setup, which will be trusted by its employees. However, it will limit the PAKE application to the internal use within that organization. EKE, SPEKE and SPEKE do not have this issue. Note that I¹m not objecting PAKE protocols that rely on a common reference string; they are one category of PAKE designs and are useful in specifically identified scenarios. I¹m merely highlighting that there are diversified PAKE designs with different assumptions and properties. Having the diversity is a good thing in the research field. However, disparaging some without noting the weaknesses/merits of others in the context of that diversity is not fair. Regards, Feng [1] J-PAE: http://eprint.iacr.org/2010/190.pdf [2] J. Katz, R. Ostrovsky, M. Yung, ³Efficient password-authenticated key exchange using human-memorable passwords², Advances in Cryptology, LNCS 2045, pp. 475-494, 2001. [3] S.Q. Jiang, G. Gong, ³Password based key exchange with mutual authentication,² Selected Area in Cryptography, LNCS 3357, pp. 267-279, 2004 [4] R. Gennaro, Y. Lindell, ³A framework for password-based authenticated key exchange,² Eurucrypt¹03, LNCS, No. 2656, pp. 524-543, 2003. On 14/11/2016 15:14, "Watson Ladd" <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote: I'm sad to see J-PAKE continue to have legs given its terrible performance compared to alternatives. What's the point? On Mon, Nov 14, 2016 at 3:53 AM, Feng Hao <feng.hao@newcastle.ac.uk<mailto:feng.hao@newcastle.ac.uk>> wrote: Hi, Recently I submitted J-PAKE and Schnorr NIZK to IETF for "informational RFC". Both drafts are currently under review in the independent submission stream. As per the reviewers' comments, I've revised the drafts to clarify a few points. Schnorr draft * Clarify the parameters for the finite field and elliptic curves. The DSA/ECDSA parameters are used only as an example; other groups can also be used. * Clarify the requirement for the hash function. It needs to be collision-resistant in a practical realisation with recommended hash functions given. J-PAKE draft * Clarify that key confirmation can be implicit or explicit, and that explicit key confirmation is recommended in a practical implementation of J-PAKE. The latest drafts are below: Name: draft-hao-schnorr Revision: 05 Title: Schnorr NIZK Proof: Non-interactive Zero Knowledge Proof for Discrete Logarithm Document date: 2016-11-14 Group: Individual Submission Pages: 11 URL: https://www.ietf.org/internet-drafts/draft-hao-schnorr-05.txt Status: https://datatracker.ietf.org/doc/draft-hao-schnorr/ Htmlized: https://tools.ietf.org/html/draft-hao-schnorr-05 Diff: https://www.ietf.org/rfcdiff?url2=draft-hao-schnorr-05 Name: draft-hao-jpake Revision: 05 Title: J-PAKE: Password Authenticated Key Exchange by Juggling Document date: 2016-11-14 Group: Individual Submission Pages: 14 URL: https://www.ietf.org/internet-drafts/draft-hao-jpake-05.txt Status: https://datatracker.ietf.org/doc/draft-hao-jpake/ Htmlized: https://tools.ietf.org/html/draft-hao-jpake-05 Diff: https://www.ietf.org/rfcdiff?url2=draft-hao-jpake-05 Your comments are most welcome! Cheers, Feng _______________________________________________ Cfrg mailing list Cfrg@irtf.org<mailto:Cfrg@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg -- "Man is born free, but everywhere he is in chains". --Rousseau. _______________________________________________ Cfrg mailing list Cfrg@irtf.org<mailto:Cfrg@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] J-PAKE and Schnorr NIZK for informational … Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Watson Ladd
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Mike Hamburg
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Watson Ladd
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Watson Ladd
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Stanislav V. Smyshlyaev
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Michel Abdalla
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Watson Ladd
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Michel Abdalla
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Mike Hamburg
- Re: [Cfrg] J-PAKE and Schnorr NIZK for informatio… Feng Hao