Re: [Crypto-panel] Stage 5 of PAKE selection process
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 23 October 2019 15:11 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01204120A1D for <crypto-panel@ietfa.amsl.com>; Wed, 23 Oct 2019 08:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJElqt-_4Vm5 for <crypto-panel@ietfa.amsl.com>; Wed, 23 Oct 2019 08:11:20 -0700 (PDT)
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF0F120A34 for <crypto-panel@irtf.org>; Wed, 23 Oct 2019 08:11:13 -0700 (PDT)
Received: by mail-lj1-x243.google.com with SMTP id l21so21530845lje.4 for <crypto-panel@irtf.org>; Wed, 23 Oct 2019 08:11:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5u/Cvh119oAmVqKpY/U86AJQTZa8IrfhXtFZIfX2APc=; b=aDWTmqda8L6JhiETtYU4ycpHVA3TBRquUZtL5YqHmn9lJm0CDoLFti4LWrnzgVSZNz /CeYMH6Q/GCL9IGxhcGEPNNkS0KjtRKemA7TtQdhDN0Ake4fM63vtjM8k7u7AwIAFdFg BLF1QBCVSnNZmUj3uTVjPRUXFm0ZbBrzNc2CcjbH7azF6KjPssxiazWmtcpBqemcL2bD bDF/uYTZxjvu/5bTnqjxNNrc5fAaZN3LzShZIbzunGltoZLuLXXGtsvRLGVeD/AkxzLp +vKxyy8qqWGTz+/GgUarLI9riFO7lEfxqObj++bUKt38JkawIML4PWwx43vKzgacPLf1 dPTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5u/Cvh119oAmVqKpY/U86AJQTZa8IrfhXtFZIfX2APc=; b=USRPNYceuqXSUzoV1ud7MyT5eO/TKrtU/OgUI+plcxA6/jXlv/zji+kDnH0j+N4TZ9 4X30YKcxZV1mC8+W7pY7gTO0MIw5FF0BTXqVK0xPcP52rz/D8ueIbwsq7eraXt5pX+nQ sLJCVDjBVfwdDHr016rPlmh7olJwcBOW1ju1m5kadPAOJFjlfnw3Tpvt/lJ3W9IUl9C+ c85fhCfCYA2u8CwBh23QmQYraho4+Pyv8qSGQ//q8ZIWnHmUQVeJPgT96AQ/Km8Lovjc zC0Pkzv9bCJa+Ssyh7pYvRSd9lY+tDHmO5ZCmLudBAshJsyHamw0FaXMqEgpyozR/afj JvzA==
X-Gm-Message-State: APjAAAUA05HX91khG3cMdFs9sIA4Z4ySxEPxEpfCu95tgBc2eDY7GeNJ 4Tz5pPaoVI2nhOkqeU42Q3EYKQSNUWApWIBub04=
X-Google-Smtp-Source: APXvYqxhuTVya+yM4qaGoC+v4f18y6ZrcqX9U9skESPbeyGG35PKiAIzCbIrFeq8nUzMpDge1oTqtPvWg3m6qkHtuFI=
X-Received: by 2002:a2e:9bc1:: with SMTP id w1mr6333978ljj.136.1571843471899; Wed, 23 Oct 2019 08:11:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
In-Reply-To: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 23 Oct 2019 18:09:22 +0300
Message-ID: <CAMr0u6m3sUkTkC1X1ED35DVdurcaTauoADho4ZTUPqLoN+Wx4Q@mail.gmail.com>
To: Bjoern Tackmann <bjoern.tackmann@ieee.org>, Scott Fluhrer <sfluhrer@cisco.com>, Tibor Jager <tibor.jager@upb.de>, Russ Housley <housley@vigilsec.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: crypto-panel@irtf.org, cfrg-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c8ff5c059595535f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/J_TcGJZjxyFGOpT8iww1ZD3zfFk>
Subject: Re: [Crypto-panel] Stage 5 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 15:11:24 -0000
Dear CFRG chairs, Please find below my review of the nominated PAKEs (a Stage 5 review - i.e., an overall review, taking into account the partial reviews published at https://github.com/cfrg/pake-selection) with my opinion about possible recommendations. According to the PAKE selection process plan, it is one of the Crypto Review Panel experts reviews, which are to be taken into account by the CFRG chairs at Stage 6 ("01.11.2019-16.11.2019: CFRG chairs discuss the obtained reviews and make their recommendations to CFRG/convey to CFRG that they can’t make a recommendation yet.") – so I am not sure that we want to disclose these reviews to the group beforehand. Documents: 8 PAKEs, nominated to the PAKE selection process; partial reviews provided at Stage 4 (see https://github.com/cfrg/pake-selection). Reviewer: Stanislav Smyshlyaev Review Date: 2019-10-23 Summary: *I would recommend selecting two PAKEs (one balanced and one augmented): SPAKE2 and OPAQUE. * *No strong objections against: CPace, AuCPace, VTBPEKE* 1. Balanced 1.1. SPAKE2 The main issue with SPAKE2 is potential existence of a backdoor in case when the parameters M and N have not been selected in a way that their joint discrete logarithm is guaranteed to be unknown. A variant of the protocol has been proposed, which is using a hash-to-curve function – but such a change would lead to a different protocol, which requires a separate security analysis. Another possible issue is that the protocol is not “quantum annoying”, since one needs to calculate only one discrete logarithm to break any instance of the protocol. In my opinion, this is not an important issue for the current PAKE selection process. From the security point of view (regarding “classical” attacks on key exchange protocols), SPAKE2 has such an advantage as absence of known attacks exploiting small subgroups. Nevertheless, the checks related to cofactors are mentioned in the draft, which is good. The experts do not see major issues with integrating SPAKE2 into TLS 1.3, while there is a note about minor issues with mixing-in a password value into KDF (but it seems to be possible to mix it as ePSK). There does not seem to be any major issues with integrating into IKEv2 also or IoT applications also. 1.2, 1.3. CPace and SPEKE SPEKE and CPace are based on the same basic scheme, but SPEKE has been initially defined for the finite fields with the proof only for that case. Therefore, it seems that it is worth considering CPace, since it is defined in the general case. The main issue with CPace seems to be about the stage of negotiating “sid” parameter. Such a stage turns the CPace into a 2-RTT protocol, which eliminates its main advantage, efficiency. Such a sid is needed to provide a proof in UC-framework. The existence of sid for UC-framework may be more a technical issue for the approach, so CPace without negotiating the sid could be considered. The important part of the protocol is a Map2Point function, which impacts the overall security of the protocol, hence a careful choice of such a primitive is required. The CPace without negotiating sid seems to be easily integrated into TLS 1.3, IKEv2 and IoT protocols. Nevertheless, CPace should be separately defined and described (not only as a part of AuCPace) and carefully studied for the case without sid. In my opinion, if CPace is selected as recommended PAKE, these actions can be done during the further steps of writing a CFRG RFC on recommendations for PAKEs. 1.4. J-PAKE The main advantage of J-PAKE seems to be that it does not use any hash-to-curve functions, that can lead to some vulnerabilities or backdoors. At the same time, it has significant problems with efficiency. Therefore, it seems to be much more problematic to integrate it into TLS and IKEv2. Moreover, since IKEv2 and IoT protocols are very sensitive to the message sizes, long messages (with up to three points in a single message) in J-PAKE look like a real problem for practical usage. There are no major problems with the security of the protocol, although some improvements of the proofs could be made (SE-NIZK-proofs, but “none of them would be nearly as practical”). 1.5. Balanced: overall Two ideas compete: DH on password-based points as generators (CPace и SPEKE) and DH on points, which are masked with password-based points (SPAKE2). In my opinion, only CPace and SPAKE can be considered in the current selection process. For CPace the security without pre-negotiation of sid should be studied. Since the only issue with SPAKE2 seems to be eliminating the discrete logarithm (between M and N) problem and since it can be done (in my opinion) during the further steps of writing a CFRG RFC on recommendations for PAKEs, I would recommend SPAKE2 as a balanced PAKE. 2. Augmented 2.1. OPAQUE OPAQUE is more a “converter” of AKEs to PAKEs using a secure OPRF. The main advantage of OPAQUE is security against precomputations, which is desirable for applications, for which augmented PAKEs are preferred. OPAQUE can be integrated into TLS 1.3 (the method of this integration has already been specified) without any changes in the protocol. The authors have recently updated the security proof, addressing the raised concerns about it; nevertheless, in my opinion, the security assessment is already mature enough and sufficient for considering it secure. The protocol is also not “quantum annoying”, but, in my opinion, that cannot be treated as a major disadvantage of the protocol. 2.2. AuCPace AuCPace is an augmented version of CPace. AuCPace itself is not secure against precomputations, but preventing precomputation is a minor change – a strong version of AuCPace is called strong AuCPace. There are some questions to the security proof of AuCPace (one of the reviewers treats the initially subitted version of it as “rather sketchy”), but, as well as OPAQUE, the security assessment seems to be already mature enough and sufficient for considering it secure. AuCPace is a «quantum annoying» PAKE. Integrating AuCPace into TLS 1.3 is deeply studied in the materials – there exist some issues, but none of them seems to be critical. 2.3. BSPAKE BSPAKE – is an augmented Elligator-version of SPAKE2. The main disadvantage of it is absence of a complete security proof (the authors just say that the security follows from the security of the underlying elements of the construction). The blind salt mechanism is similar to the one used in OPAQUE (OPRF); the mechanism of using blind salt in AuCPace is different: in AuCPace the salt is chosen by the client during registration phase. BSPAKE is «quantum annoying». BSPAKE is 2-RTT, so it needs certain efforts to be integrated into TLS 1.3. It seems that a separate work of modifying the PAKE in a way similar to OPAQUE for TLS 1.3. BSPAKE does not seem to be a solid construction with detailed security analysis, in my opinion it should not be considered to be recommended as a selected PAKE. 2.4. VTBEKE VTBEKE – is an augmented version of TBEKE (a modified SPEKE). VTBEKE is not secure against precomputations, but it can be modified to be such by adding blind salt. The game-based security proof is sufficient to consider the protocol secure. The situation with integrating AuCPace into TLS 1.3 is similar to the one with AuCPace, several issues have to be resolved. 2.5. Augmented: overall In my opinion, only AuCPace, VTBEKE and OPAQUE can be considered in the current selection process. Currently only OPAQUE provides security against precomputations – and in my opinion, it is important for an augmented PAKE (otherwise, balanced PAKEs are not much less convenient for the same client-server applications). Blind-salt versions of AuCPace и VTBEKE should be considered instead of the "plain" versions of them, but the corresponding detailed security proofs should be obtained to do so. In addition, since integration of OPAQUE into TLS 1.3 also seems to be studied more deeply, I would recommend OPAQUE as an augmented PAKE, if no patent issues occur to be preventing it. 3. Remarks To be considered in the future for the selected PAKEs: while integrating a PAKE into protocol, it is important to decide, on which step to negotiate PAKE parameters (e.g., elliptic curve group); cross-cipher suite security must also be taken into account. 4. Overall recommendations Overall recommendations about the anticipated results of the PAKE selection. If we are to use PAKEs for IKEv2 or other peer-to-peer protocols, a balanced PAKE is desirable. To address the remote access applications or other client-server scenarios, it is better to also have an augmented PAKE. Therefore, I would recommend selecting one balanced PAKE and one augmented PAKE. *I would recommend selecting two PAKEs (one balanced and one augmented): SPAKE2 and OPAQUE*. In my opinion, these protocols are mature enough and do not have any significant problems; all existing concerns can be addressed during the work on a CFRG RFC on recommendations for PAKEs. CPace, AuCPace and VTBPEKE are also strong candidates (I wouldn't have any strong objections against CFRG recommending any of them). Best regards, Stanislav Smyshlyaev пт, 20 сент. 2019 г. в 19:23, Stanislav V. Smyshlyaev <smyshsv@gmail.com>: > Dear Bjoern, Scott, Russ, Yaron, Tibor (and myself :) ), > > Many thanks again for volunteering to provide overall reviews for the > nominated PAKEs on behalf of the Crypto Review Panel. > > According to the PAKE selection process plan, at Stage 5 Crypto Review > Panel members write overall reviews for all candidate PAKEs, based on the > materials that have been gathered and verified. According to the plan, > Stage 5 will last until October, 30th. > > Those materials (including all partial reviews) have been gathered (many > thanks, Yaron!) here: https://github.com/cfrg/pake-selection > > Best regards, > Stanislav, > CFRG secretary >
- [Crypto-panel] Stage 5 of PAKE selection process Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Russ Housley
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Yaron Sheffer
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- [Crypto-panel] Stage 5 of PAKE selection process Russ Housley
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Yaron Sheffer