Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

Feng Hao <> Tue, 15 November 2016 18:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 343B6129435 for <>; Tue, 15 Nov 2016 10:05:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1YLk0Cs52mLT for <>; Tue, 15 Nov 2016 10:05:31 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 705C8128E19 for <>; Tue, 15 Nov 2016 10:05:30 -0800 (PST)
Received: from ([] by with esmtp (Exim 4.63) (envelope-from <>) id 1c6i6q-0000Q5-FP; Tue, 15 Nov 2016 18:05:28 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 15 Nov 2016 18:05:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-newcastle-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Gae0Isv5ZHhZ/lO42ASo8OCt2V0OVFdpFMAdfVTE2DQ=; b=UqMk3C2f/GMSKEf3CwcS44+x598mII9jxhWahbv3KJW/AoYbSlcbKqBz1UQkl8WVDgJydOIMz4WJY4tZwLkYV82QK+2BBtE6yuHb2Np13eu3u09RKyE1iAgffc/34j1xE1re8IyjCJiTdvf2HB4EXZx1VWTPNbiYUHH0daoc6DQ=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.2; Tue, 15 Nov 2016 18:04:57 +0000
Received: from ([]) by ([]) with mapi id 15.01.0734.004; Tue, 15 Nov 2016 18:04:57 +0000
From: Feng Hao <>
To: Mike Hamburg <>
Thread-Topic: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
Date: Tue, 15 Nov 2016 18:04:57 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1925; 7:n2DT0gIOixGdt0Doa2YViE3Lko+LoKKSXQvKzxIgn748sdscHrE6stCF3nNcOR4K0oU/MJEYpJElZcz90rUruj/82q+ToRs/HRHWSF5AafgjKb3WRZB3V3YeSpY+WKAzgg6dZ3eIboEdLAOmLsh4f5GXvt6aAULV1fM9818TgttKt85NGtYHOeNt0HVbiGBcOklR+J+6IhV6yJDa77mhhTNoSqdCBJlAOPylWJIzUf3du1uRRPgrd9D0kfxaCKygfylAouPDDUDb5IvYXpq6lCtty0uzt7kHnsvws7b9vvyTociJXSvvINh5ndBlijtTz6xAA+YwW71kjP9fY5Pqyn0GuskHccxiQqvca27ZypY=
x-ms-office365-filtering-correlation-id: 88ebbd84-4d99-4272-3dbb-08d40d81e8e2
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DB5PR0701MB1925;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705)(35073007944872)(21748063052155)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6060326)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6061324); SRVR:DB5PR0701MB1925; BCL:0; PCL:0; RULEID:; SRVR:DB5PR0701MB1925;
x-forefront-prvs: 012792EC17
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(7916002)(377424004)(51914003)(377454003)(13464003)(189002)(199003)(24454002)(66066001)(105586002)(76576001)(2906002)(68736007)(54356999)(4326007)(7736002)(50986999)(101416001)(3660700001)(76176999)(551544002)(74316002)(790700001)(3280700002)(8676002)(7846002)(86362001)(7906003)(6116002)(3846002)(102836003)(33656002)(106356001)(93886004)(77096005)(4001150100001)(97736004)(92566002)(2900100001)(189998001)(87936001)(81166006)(8936002)(6916009)(9686002)(2950100002)(74482002)(42882006)(9326002)(110136003)(5660300001)(81156014)(7696004)(122556002)(229853002)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0701MB1925;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DB5PR0701MB1928C227C92DC65094AB2ACED4BF0DB5PR0701MB1928_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Nov 2016 18:04:57.3682 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c5012c9-b616-44c2-a917-66814fbe3e87
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1925
Archived-At: <>
X-Mailman-Approved-At: Thu, 17 Nov 2016 10:21:37 -0800
Cc: "" <>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Nov 2016 18:05:34 -0000

Hi Mike,

Thanks for the clarification. I’m still not entirely sure when the point falls into a small subgroup, simply multiplying a co-factor will resolve it and everything will still be in constant time. It would become clearer if you have a complete specification, and then we can see how the EC parameters interact with the protocol.

As said, this is a non-trivial problem as far as I understand. In IEEE P1363.2 and ISO/IEC 11770-4, there lacks a clean solution. The existing hashing-to-curve algorithm as defined in ISO/IEC 11770-4 is basically search then trial and error, which is not strictly constant time.

Hence I would recommend you consider writing this up and get a peer-reviewed publication. It will be a good contribution to the community as well as to standards such as ISO/IEC 11770-4. (I’m happy to be your contact for ISO/IEC if you go this route).


From: Mike Hamburg []
Sent: 15 November 2016 17:19
To: Feng Hao <>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

Hi Feng,

Thanks for your reply. My comments are inline.

Sent from my phone.  Please excuse brevity and typos.

On Nov 15, 2016, at 02:55, Feng Hao <<>> wrote:
Hi Mike,

Thanks for the thoughtful comments.

There indeed exist encoding algorithms that can hash an input to a (somehow random) point on the curve in constant time. One of them (based on the icart method) is used by PACE in the implementation of e-passport.

But these algorithms have very specific requirements on the parameters of the curve (e.g., the modulus needs to be in some form etc). I'm not aware of any general algorithm that can flexibly and efficiently do the hashing-to-curve for general elliptic curves which are suitable for cryptography (i.e., where ECDLP is hard).

The Shallue-vanDeWoestijne-Ulas algorithm (SWU) meets these requirements on any elliptic curve over a large-characteristic field.  See
Section 2.1.  I don't remember if there is a known solution for small-characteristic.

With regard to the algorithm you specify below, I'm not sure it's a constant algorithm though. There is a conditional check for the square root (which needs some care in the implementation).

Right. You can compute the Legendre symbol z^((p-1)/2) in constant time easily.  Then you have to conditionally select between the two options based on whether the symbol is -1; or else use arithmetic based on the fact that the symbol is necessarily in {-1,0,1}.

Also, if the point falls into the subgroup, you say it doesn't matter because it will be multiplied by a co-factor. Are u sure?

I should have been more clear because this is security-critical.

The most natural choice of DH algorithm for SPEKE on a Montgomery curve is X25519, or maybe X448. These algorithms both multiply by the cofactor.  In this case, it doesn't matter whether P is in the subgroup.

For SPAKE2-EE, and for SPEKE with an algorithm that doesn't multiply by the cofactor, this would be a security hole. In that case, you need to multiply the encoded point by the cofactor before using it.

On a side note, if this algorithm works as it says, then one should be able to easily apply it to Dragonfly? There were a lot discussion on this list on how to do efficient hashing-to-curve in constant time for the Dragonfly protocol (RFC 7664). I don't recall there is a consensus. Maybe there is an easy solution to that problem?

I'm pretty sure SWU works for Dragonfly.  The one I presented requires a Montgomery curve, or at least a curve with a 2-torsion point, and I don't recall if Dragonfly uses those.

Of course, if you're respeccing Dragonfly, you might as well change it to some other PAKE, maybe one with a security proof.


-- Mike

-----Original Message-----
From: Mike Hamburg []
Sent: 15 November 2016 00:56
To: Feng Hao <<>>
Cc: Watson Bernard Ladd <<>>;<>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

I’d like to note that for both SPEKE and SPAKE2-EE, the encoding to the curve doesn’t need to be uniform.  It just needs to be inverse-sampleable and within some reasonable factor of uniform.  This means that either SWU or Elligator can be used for this purpose.

If you’re doing SPEKE on a Montgomery curve y^2 = x(x^2+Ax+1), such as X25519, then Elligator2 is actually pretty simple to specify:

Let u be a fixed quadratic non-residue.  For example, u=-1 for 3mod4, or u=2 for 5mod 8.  (The other reasonable choice is u=sqrt(-1) for 5mod 8.)

Take as input a sequence of bytes to be encoded, eg h=really_slow_hash(salt,password).  Convert it to a field element using a little-endian convention, because Montgomery curves are Bernstein country.

Let x := -A / (1+u*h^2).

if x*(x^2+A*x+1) isn’t square, then change x := -A-x, which is also equal to x*u*h^2 by construction.

Now x is the x-coordinate of a point on the curve.  In the unlikely event that 1+uh^2=0, then the output is 0, or the point at infinity, or 0/0, or whatever.  These are all equivalent for SPEKE-X25519.  It doesn’t matter whether the point is in the subgroup or not, because you’ll multiply by the cofactor during the scalar mul.

For SPAKE2-EE, the specification is more complicated, but not by much.

Efficiency-wise, this can be implemented in constant time, in approximately the same amount of time as a single square root operation.  So can SWU, if you aren’t on a Montgomery or Edwards curve.

— Mike

On Nov 14, 2016, at 2:56 PM, Feng Hao <<>> wrote:

Hi Watson,

Can you be specific what alternative you are talking about?

In [1], J-PAKE is compared with EKE and SPEKE, which are widely considered
the simplest and the most efficient balanced PAKEs. It is shown that the
computational efficiency of J-PAKE is about the same as EKE and SPEKE in
the finite field setting. J-PAKE is better in the EC setting because: 1)
EKE in EC is unspecified (a straightforward implementation of EKE in EC
will trivially leak information about the password); 2) SPEKE in EC
requires an additional primitive of hashing a password to a random point
on the curve (which is a non-trivial problem on its own). J-PAKE needs 2
rounds instead of one, which is a downside and is acknowledged in the
paper. But security is never perfect; it is always a trade-off.

Two points are worth reminding:

1. There is an unfortunate misconception in quite a number of PAKE papers
in the literature that merely count the number of exponentiations as the
computational cost without considering the specific group settings
required by the protocol (e.g., if the protocol accommodates short or long
exponents). See Section 2.2 in [1] for a full discussion.

2. There is also a category of PAKE protocols that assume a trusted setup
to define the randomness in the group setting: in particular, to define a
pair of generators whose discrete logarithm must be unknown. SPAKE2 (which
I understand you¹re working on for an IEFT submission) is only one
example. Other examples include KOY [2], Jiang-Gong [3] and
Gennaro-Lindell [4]. Implementing such as trusted set up (i.e., the common
reference model if you¹re a fan of jargon) is a tricky task. The most
concrete advice in terms of implementation that you may find is probably
from Gennaro and Lindell [4]: ³An example of where it is reasonable to
assume a common reference string is when a large organization wishes to
implement secure login for its employees. In this case, the organization
is trusted to choose the common reference string properly, and this string
can then be hardwired into the software code.² As an example we can have
Google to define a trusted setup, which will be trusted by its employees.
However, it will limit the PAKE application to the internal use within
that organization. EKE, SPEKE and SPEKE do not have this issue.

Note that I¹m not objecting PAKE protocols that rely on a common reference
string; they are one category of PAKE designs and are useful in
specifically identified scenarios. I¹m merely highlighting that there are
diversified PAKE designs with different assumptions and properties. Having
the diversity is a good thing in the research field. However, disparaging
some without noting the weaknesses/merits of others in the context of that
diversity is not fair.


[1] J-PAE:

[2] J. Katz, R. Ostrovsky, M. Yung, ³Efficient password-authenticated key
exchange using human-memorable passwords², Advances in Cryptology, LNCS
2045, pp. 475-494, 2001.

[3] S.Q. Jiang, G. Gong, ³Password based key exchange with mutual
authentication,² Selected Area in Cryptography, LNCS 3357, pp. 267-279,

[4] R. Gennaro, Y. Lindell, ³A framework for password-based authenticated
key exchange,² Eurucrypt¹03, LNCS, No. 2656, pp. 524-543, 2003.

On 14/11/2016 15:14, "Watson Ladd" <<>> wrote:

I'm sad to see J-PAKE continue to have legs given its terrible
performance compared to alternatives. What's the point?

On Mon, Nov 14, 2016 at 3:53 AM, Feng Hao <<>>

Recently I submitted J-PAKE and Schnorr NIZK to IETF for "informational
RFC". Both drafts are currently under review in the independent
submission stream.

As per the reviewers' comments, I've revised the drafts to clarify a
few points.

Schnorr draft
* Clarify the parameters for the finite field and elliptic curves. The
DSA/ECDSA parameters are used only as an example; other groups can also
be used.
* Clarify the requirement for the hash function. It needs to be
collision-resistant in a practical realisation with recommended hash
functions given.

J-PAKE draft
* Clarify that key confirmation can be implicit or explicit, and that
explicit key confirmation is recommended in a practical implementation
of J-PAKE.

The latest drafts are below:

Name:           draft-hao-schnorr
Revision:       05
Title:          Schnorr NIZK Proof: Non-interactive Zero Knowledge
Proof for Discrete Logarithm
Document date:  2016-11-14
Group:          Individual Submission
Pages:          11

Name:           draft-hao-jpake
Revision:       05
Title:          J-PAKE: Password Authenticated Key Exchange by Juggling
Document date:  2016-11-14
Group:          Individual Submission
Pages:          14

Your comments are most welcome!


Cfrg mailing list<>

"Man is born free, but everywhere he is in chains".

Cfrg mailing list<>