Re: [Cfrg] Isn't BSPAKE just a valid instantiaion of OPAQUE?
Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 10 September 2019 05:18 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69FD2120828 for <cfrg@ietfa.amsl.com>; Mon, 9 Sep 2019 22:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.026, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frodGiWyHi9E for <cfrg@ietfa.amsl.com>; Mon, 9 Sep 2019 22:18:54 -0700 (PDT)
Received: from mail-io1-f41.google.com (mail-io1-f41.google.com [209.85.166.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE6612081A for <cfrg@irtf.org>; Mon, 9 Sep 2019 22:18:54 -0700 (PDT)
Received: by mail-io1-f41.google.com with SMTP id h144so34586504iof.7 for <cfrg@irtf.org>; Mon, 09 Sep 2019 22:18:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ETB36SpPe4qUFvDdIcwvsQjxbGf5qebOTnWDdHVOuCs=; b=nDeCRw3vdAJEQo14QTSYxPb/2JUUs0cNAj3KEm+fCkf+8Qu0b7XJfVm2SIsCfc/Skq gHoNb+RPXPS6pf+VvfBRw0Z+ejt6HTswneB9dJD2Xh9A/d6U4GYRgBILdwDJ3mlpWk8g fisx6DxJoHN+58He11/0g2dX1tnMD/G4fMOmTgfPX41i50QmAK6IqlVPvVMXBKUMYD3C 6yjG5DbnqDbYmQnyFM6us+NhUh/kg392/QEOCGXXtWvhWyD50Yf4o6C9GdC2RKRLJWg4 BdZyk1P30xsEW2WD+XWf2wl7rDkc/PySWowi3SUMglWEqXgqq2bwaHVq9QjhdGEDwzng RpUA==
X-Gm-Message-State: APjAAAWKlVy4iqfuUKmXg3gRm0o6L3WZeRH9CsIzBYYhcDNge9RdDIRl s9rBO9XTk9c30GbIGrmss+wiOOdHzk6xjM+OeY8=
X-Google-Smtp-Source: APXvYqxw5ZL48DZGPL2S7FtbX1QrkiTsDhzZoZjyxDtH8Ic9xlfQsVQc5ArPI91koE0K3ejaDNsj3Kx73Njzq2UgcjE=
X-Received: by 2002:a02:cf10:: with SMTP id q16mr29099304jar.89.1568092733413; Mon, 09 Sep 2019 22:18:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAOLP8p6c9=Qra9Pq=_6vm1s9oDXay0JTBPsOP=hM9jnSKVDg=Q@mail.gmail.com>
In-Reply-To: <CAOLP8p6c9=Qra9Pq=_6vm1s9oDXay0JTBPsOP=hM9jnSKVDg=Q@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 10 Sep 2019 01:18:28 -0400
Message-ID: <CADi0yUObiHqZ6xc2SpEUUv-BddX_27Mof_wT7eQEuiphXtYVug@mail.gmail.com>
To: Bill Cox <waywardgeek@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000599c6c05922c0a9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/o_BfhoKwYdqLMS3Kc-Um-VnpAmc>
Subject: Re: [Cfrg] Isn't BSPAKE just a valid instantiaion of OPAQUE?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 05:18:57 -0000
Bill, you can use an OPRF to transform any augmented PAKE (aPAKE) into a strong aPAKE, namely one that is secure against pre-computation attacks (we prove that transformation in the OPAQUE paper). BSPAKE applies such transformation to SPAKE2+ (which does not have a published proof of security as far as I know). A more efficient and proven secure approach is to compose the OPRF with a regular KCI-secure authenticated key exchange protocol. This is exactly what OPAQUE does. This means that you can compose the OPRF directly with your favorite (or not favorite) AKE (say TLS, IKE, etc) and get a strong aPAKE. This makes OPAQUE modular and versatile. See message https://mailarchive.ietf.org/arch/msg/cfrg/kelq3KPucCGowcuFi3TaOfLidVw for more on this subject. On Mon, Sep 9, 2019 at 9:22 PM Bill Cox <waywardgeek@gmail.com> wrote: > I just started looking at BSPAKE, but the first round trip computes almost > the identical OPRF as the OPAQUE RFC. BSPAKE wisely hashes in both the ID > of the client and ID of the server, but otherwise, the computation of > "blinded salt" is identical to OPAQUE's OPRF function (though OPAQUE > specifies a slightly faster version). > > Is this a pattern? Do the PAKE schemes all do an OPRF now, overlapping > with a 3-message ephemeral key exchange? > > Not only does BSPAKE appear to be a valid instantiation of OPAQUE, but it > has exactly the same round-trip properties, where encrypted data can be > sent from the client on the 3rd message, and the server can respond with > encrypted data on the 4th. > > Is anyone else having trouble seeing the daylight between these two? > > Bill > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >