Re: [Cfrg] Re-review of the four balanced PAKEs
Paul Grubbs <pag225@cornell.edu> Thu, 24 October 2019 16:13 UTC
Return-Path: <pag225@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF18120974 for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 09:13:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cornell.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIOBvX3GpsI6 for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 09:12:57 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 737891209D0 for <cfrg@irtf.org>; Thu, 24 Oct 2019 09:12:57 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id c6so30128736ioo.13 for <cfrg@irtf.org>; Thu, 24 Oct 2019 09:12:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cornell.edu; s=g.20171207; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/cJhr4QrnGsAiooLoKEEw+bZA1cgtmcljX9xcQfxYDE=; b=OPIRjh+56p7CM6/WyjXa+tKgUoQOV83bVM6jf08p5K0AWyBPfrcGlOfm34Qct/iO8a 2NbCN4+aHG6bmpI4rzYReQHLxkPQY9FIiuphy0vPMyrEb4QaF0I7Wy/osplEG3H2GqtA 8lz4tlCPfG6Pipw6oCe4P7Pi84p/G9O8VI1cyzdccD7j6be5TV3W6bwj6t17hTYXaiK8 rP2zc18Cl3Plm1lyYgdrj/2NB3GagLJwDYEb9+IXa/rviZT0Xo/U9J8605BQx91KvzUc 4gxpBPPo3efKf+ROaF3ObEjtn7VVBDtDcc5Ta/6HRcaKwf8mLivovDPcSCs7XYQ5oEGr /v4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/cJhr4QrnGsAiooLoKEEw+bZA1cgtmcljX9xcQfxYDE=; b=Ud36Tnceb/rtMORTrIKHkFHdkm80weZOGsSNGYiP8fXRcxt8bRMe2DXILy9U2oEJ/s dKEi4mfz8nsZbC/g63OuFyzyEu2c0/kJ44iwrCCsQCIWFpFs7e4LxCSCpUME4Ba7yFeR gN1qmUxRuYRjHzNOfkTcXcBqgV9Xv6q+NSjj1JQIP1Al6n9xNLecwqkD73l7L7yqINkz DQa+N1EqqtqvEQOyKlNsReR8YpLfgjnN7v6uUgj8/s7itanT5n6TCpHGViBNynI25f3R fTeFjJZR7sbVDcixCVvRVNc7KQpHRQO4dZsux3Q2WfURF/RVeOL5Je61RaEbF9PhjIdg Gamg==
X-Gm-Message-State: APjAAAU211g8kFtLIztb68HKYMRcOLgf61mV3QdqdxyiNcWHe52KBgwe Nbh1IVim8Xv+tR+UL3XhVHk/RULgnWC0ujw9Iu46Ug==
X-Google-Smtp-Source: APXvYqzLyd/WO8TZFVLpG1OKGK+MnNLdY57ZYimh5tYeq1Sxr+/1qrPScQTQCqbkofPbfx1j0PFmnHugV7+Fq3gUiwY=
X-Received: by 2002:a6b:f40c:: with SMTP id i12mr1352822iog.14.1571933576407; Thu, 24 Oct 2019 09:12:56 -0700 (PDT)
MIME-Version: 1.0
References: <BN8PR11MB36665D2F38B0E91D734A96CFC16A0@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <BN8PR11MB36665D2F38B0E91D734A96CFC16A0@BN8PR11MB3666.namprd11.prod.outlook.com>
From: Paul Grubbs <pag225@cornell.edu>
Date: Thu, 24 Oct 2019 12:12:45 -0400
Message-ID: <CAKDPBw-fKQ_-GSCu=GHpEZjfv1WfqsTnK_DYPw-7akNGYm3tnA@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000006ec8550595aa4e3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zxT2HCKZEcXFACze-44Ko9dki4M>
Subject: Re: [Cfrg] Re-review of the four balanced PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 16:13:05 -0000
Hey Scott, thanks for your comments. I have a couple questions: 1. Regarding SPAKE-2, you said this > the issue still remains that if someone were to be able to solve a single ECDLog problem, they could then perform an on-line dictionary attack against anyone using that parameter set. I don't quite understand what you mean - can you explain this on-line dictionary attack? In general, aren't all PAKEs vulnerable to online dictionary attacks? 2. This 'quantum annoying' property is the subject of much CFRG discussion, but it seems ill-specified. Can you explain it in a bit more detail, maybe by example (e.g., why does CPace have 'good' quantum annoyance)? On Thu, Oct 24, 2019 at 11:23 AM Scott Fluhrer (sfluhrer) < sfluhrer@cisco.com> wrote: > I re-reviewed the four balanced PAKEs, looking at the more practical > issues. > > > > Summary: it comes down to the choice between CPace and SPAKE-2 (J-PAKE can > be discounted because of the extra round trip needed, and the expense; > SPEKE can be discounted because of the lack of a single proposal (and the > single proven one is no better than CPace). > > > > SPAKE-2 is better than CPACE in the sense that it is a single round > protocol (and so can be used as a drop-in replacement for DH, assuming some > hooks for exchanging identities), and so would be slightly easier to use in > a protocol; CPACE requires a key confirmation to be sent after the exchange > (possibly along with the first encrypted message). On the other hand, I > wouldn’t expect that a protocol would have a major issue with the extra > message that CPACE requires. > > > > SPAKE-2 is better in that it uses only standard (point multiplication) > operations, which are more likely to be implemented in crypto libraries in > constant time. CPACE requires a hash-to-curve operation; it is less likely > that a crypto library has a constant time implementation of that available. > > > > SPAKE-2 is better in that it uses somewhat less message overhead (two > hashes less). However, even with this additional overhead, CPACE is still > quite reasonable (perhaps 128 bytes total, not counting overhead). > > > > SPAKE-2 (as specified in the RFC) is worse than CPACE in that it relies on > global M and N parameters. While the M and N values in the SPAKE-2 RFC are > claimed to be generated in a NUMS manner, the issue still remains that if > someone were to be able to solve a single ECDLog problem, they could then > perform an on-line dictionary attack against anyone using that parameter > set. > > > > In terms of other practical issues (computation, message overhead), they > are mostly identical. > > > > My opinion is that CPACE is better, the single disadvantage that SPAKE-2 > has (vulnerable if someone somewhere solves just one ECDLog problem) is > worse than the three disadvantages of CPACE. > > > > > > A more detailed listing of the comparison: > > > > > > * Fragile is you give an attacker offline password guessing if there is a > minor error in the implementation of ECC. > > * Quantum annoying (“PQ-ish”) is the property that an attacker with a > quantum computer needs to solve a DLP per password guess. > > > > Balanced PAKE summary > > Name | PQ-ish | Rounds* | Fragile > > ------------------+----------+---------------+--------- > > CPace | Good | 1.5 (1/2) | Moderate** > > J-PAKE | Bad | 2 (2/2)*** | Good > > SPAKE-2 | Bad | 1 (1/1) | Good > > SPEKE (EC based) | Good | 1 (1/1)**** | Moderate** > > SPEKE (ModP based)| Moderate | 1 (1/1)**** | Good > > > > * "number of total trips" ("number of messages received before initiator > can encrypt"/"number of messages received before responder can encrypt") > > ** CPace and SPEKE (EC) is listed as moderately fragile because they > depend on a hash-to-curve operation based on the secret password; a timing > variation there might leak the secret. While constant-time hash-to-curve > algorithms are known, they are less common than standard EC operations, and > hence this needs to be considered. > > *** This assumes that we use the three-pass variant, and we do use the > recommended key confirmation. > > **** Note that SPEKE claims to be secure without an explicit key > confirmation pass; we assume the “Patched SPEKE” protocol found in the > paper. See my concerns about this below. > > > > Balanced PAKE summary (continued) > > Name | Comp per side (*) | Total Message Size (**) > > ------------------+-------------------|------------------ > > CPace | H+2x | 2P+2H > > J-PAKE | 2g+3x+3pg+3pv | 6P+4Z+2H > > SPAKE-2 | d+x | 2P > > SPEKE (EC based) | H+2x | 2P > > SPEKE (ModP based)| 2M | 2M > > > > > > * In all cases, the initiator and the responder perform the same overall > amount of computation, hence we don’t break it down per side. In addition, > we omit the costs of hashes, point additions, modular multiplications, as > they are expected to be insignificant compared to the point > multiplications/modular exponentiations listed. > > ** Note that none of the protocols are defined in bits-on-the-wire format; > there are likely to be some additional overhead (such as identities and > nonces) exchanged, but those are not listed. This additional overhead > would appear to be likely to be similar for all the candidates. > > > > Cost: > > H: Hash to point > > x: Point multiplication > > g: Point multiplication of the generator (which is potentially cheaper > than a point multiplication of an arbitrary point) > > d: Double scalar point multiply and add, that is, aB + cD > > pg: Zero knowledge proof generation (approximately the same as a field > multiplication) > > pv: Zero knowledge proof verification (approximately the same as a double > scalar point multiply and add) > > M: Modular exponentiation > > > > Message Size: > > P: An elliptic curve point > > H: A hash > > Z: A zero knowledge proof (an elliptic curve point plus an integer the > size of the group) > > M: An integer of the size of the DH group > > > > Notes: > > > > - In general, none of these proposals are defined at the level that I > believe that the CFRG needs. Most of them do not document bits-on-the-wire > format, or call out required error checking. I believe that we need to > generate a sufficiently detailed protocol that could be inserted as a > blackbox into real protocols; whichever we pick, there’s some work required > before we get to that point. > - As a reminder, if we go with the SPAKE-2 option, someone would need > to verify the generation of the M and N values specified in the RFC. I was > able to do a partial validation (which looked good); however, I was unable > to accomplish a complete one. > - The more recent SPEKE paper (https://eprint.iacr.org/2014/585.pdf) > claims that they don’t need an explicit key confirmation step, however I > find their argument unsatisfying. The claim appears in section 5.3 > “Countermeasures and suggested changes to standards”; they give several > suggestions in this section, and it is unclear which is being proposed. > They state that, in the case of multiple concurrent negotiations, the two > sides should use distinct identifiers for each one (e.g. “Alice-1” for the > first session, “Alice-2” for the second); that has obvious practical > problems in the case that the two sides don’t agree on which session is the > first. In addition, the relevant text is: > > As long the user identifiers are unique between concurrent sessions, the > use of the extra session identifier *does not seem* needed. [emphasis > added] > > They give no proof as to the above statement. This lack of rigor, and the > lack of a single concrete proposal leads me to discount SPEKE as a > desirable proposal > > > > - Reasoning behind Quantum Annoying statements: > - J-PAKE is not Quantum Annoying, computing three discrete logs > would allow an adversary to perform an off-line dictionary search for the > password (that is, on a recorded session). In addition, if the password is > known, three discrete logs are sufficient to recover the shared secret on a > recorded session. > - SPAKE-2, as proposed, is not Quantum Annoying, a single discrete > log of the global M (or N) parameters would allow an adversary to perform > an on-line dictionary attack. > - SPEKE (ModP based) is listed as moderate, as an attacker could > attempt to compute a large number of discrete logs in an attempt to form a > factor base (which would allow him to efficiently compute any discrete > log). However, the number of discrete logs required would be huge, and so > this might not be a practical issue. > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Re-review of the four balanced PAKEs Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Re-review of the four balanced PAKEs Björn Haase
- Re: [Cfrg] Re-review of the four balanced PAKEs Paul Grubbs
- Re: [Cfrg] Re-review of the four balanced PAKEs Scott Arciszewski
- Re: [Cfrg] Re-review of the four balanced PAKEs Hao, Feng
- Re: [Cfrg] Re-review of the four balanced PAKEs Björn Haase
- Re: [Cfrg] Re-review of the four balanced PAKEs Scott Fluhrer (sfluhrer)