Re: [TLS] Elliptic Curve J-PAKE
"Hao, Feng" <Feng.Hao@warwick.ac.uk> Mon, 15 April 2019 12:50 UTC
Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B53D0120157 for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 05:50:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5KSePLdVnTbI for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 05:50:40 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60048.outbound.protection.outlook.com [40.107.6.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF646120143 for <tls@ietf.org>; Mon, 15 Apr 2019 05:50:39 -0700 (PDT)
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.106.208) by DB7PR01MB5045.eurprd01.prod.exchangelabs.com (20.177.194.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.14; Mon, 15 Apr 2019 12:50:36 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::8084:42e1:c111:4950]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::8084:42e1:c111:4950%4]) with mapi id 15.20.1792.018; Mon, 15 Apr 2019 12:50:36 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Elliptic Curve J-PAKE
Thread-Index: AQHU8xtJDaWZUd9YGUGG8fMPvKb5EaY9PjAA
Date: Mon, 15 Apr 2019 12:50:36 +0000
Message-ID: <ED38F419-4251-4775-8F07-6877590EAEF0@live.warwick.ac.uk>
References: <VI1PR0801MB2112CFD46565F1BC8B3697D8FA5F0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CADi0yUP+xwWzej7+uvQCaO5xzvJOdwZ-0c-Ot7WF30R25jRxjQ@mail.gmail.com> <WM!3b68eb47588f67d9aaca229cf8c9e30dd2ddb828af3905daaa86a4172d790fff2ad158c5fb15a70a4484183790470a68!@mailhub-mx4.ncl.ac.uk> <6ADEC907-1273-41AF-A964-68E654103645@ncl.ac.uk> <WM!624962044e5b7753628d65d82a819fc287f20b66b28b7326bc1508f7f7d97f90cbf3d0c6dc796efa81e820d8dab51428!@mailhub-mx4.ncl.ac.uk> <CACsn0ckNiC27tbPr_QOboGuvQjsy+ERi2QuydD4pvW0JefnApQ@mail.gmail.com> <D8C1A660.42B1E%feng.hao@newcastle.ac.uk> <WM!c4e3c9f13abc7000dfbbde9eb12c9144d5d8234a17a0174a6949c158c95ffbaf8a2f24ff15a15f8486836962cd47d319!@mailhub-mx5.ncl.ac.uk> <WM!0582133d51ba80a26ba8d63cfde5c9963d11dc9f58798d78949e0216c82fa7d4d61faccee0685f9c317449bb1f65b1e7!@mailhub-mx1.ncl.ac.uk> <CACsn0cmgST5pCOy-OMVigW-MJvvnjcgO+tay3bhbnVG8YhrL-g@mail.gmail.com>
In-Reply-To: <CACsn0cmgST5pCOy-OMVigW-MJvvnjcgO+tay3bhbnVG8YhrL-g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.8.190312
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [137.205.238.55]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b97e6980-7ced-46c5-b1b2-08d6c1a0f4e5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600140)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:DB7PR01MB5045;
x-ms-traffictypediagnostic: DB7PR01MB5045:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DB7PR01MB5045DF4135E43F80815FFB74D62B0@DB7PR01MB5045.eurprd01.prod.exchangelabs.com>
x-forefront-prvs: 000800954F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(136003)(366004)(39860400002)(376002)(346002)(189003)(199004)(53754006)(5024004)(446003)(11346002)(6306002)(53936002)(6512007)(25786009)(81156014)(6436002)(6916009)(486006)(93886005)(1411001)(186003)(6116002)(476003)(3846002)(105586002)(106356001)(26005)(81166006)(256004)(97736004)(8676002)(14444005)(76176011)(6246003)(8936002)(6486002)(99286004)(229853002)(102836004)(4326008)(5660300002)(786003)(68736007)(305945005)(86362001)(478600001)(58126008)(33656002)(71200400001)(966005)(72206003)(82746002)(7736002)(74482002)(14454004)(2906002)(66066001)(53546011)(6506007)(316002)(71190400001)(83716004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB5045; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: JVI1Iz+/6tei7mzSrBsNOfY5WhVrU/w6G9ibhRekMFNAV8AQFGHM4S4n6kMuHXgfkI/Zq6a3EZ61Q3ysMEBoKTbftXC8PAYnnV4a+NZy6iFr7XDQP84yNDhBGD2r64wOd8F42yS7CLWiLizPd7MHhmMrN/FrxbaaWKFX8i9DvayvD+ZFRZekvembS8UOYeW2sgmFTyOqoKRUdrcsYXB9LbSSX1RiZ0xyNZdn7cpsbd4nb7VqzOUd3hp73XLHYgag1bb+U0jwUHmHxx8BD8eG/hKObTaiWWWJwXe6SoWhxSXdPAlUOLKdsQU6h5hi//TFYVvAenFSsoT1LmRcu8xpaLquc9Ux7Ko+vMTgjxkxefiw7wi3IY/ysPEjidZ0izxTkfntdVBUGP/BOBz2cNXDzdvOnQb71xz/NOg5lE+CMws=
Content-Type: text/plain; charset="utf-8"
Content-ID: <E0E0E7987660CF4D8C016E1AB25E95AD@eurprd01.prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: b97e6980-7ced-46c5-b1b2-08d6c1a0f4e5
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2019 12:50:36.6745 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB5045
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ijS7Ci6yLDYvYooY2WUYkk1EEWU>
Subject: Re: [TLS] Elliptic Curve J-PAKE
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 12:50:45 -0000
Hi Watson, On 15/04/2019, 00:39, "TLS on behalf of Watson Ladd" <tls-bounces@ietf.org on behalf of watsonbladd@gmail.com> wrote: On Wed, Mar 27, 2019 at 11:36 PM Feng Hao <feng.hao@newcastle.ac.uk> wrote: > > Hi Watson, > > When the attacker knows the relation, besides the active attack, there may > be other things he can exploit. This however is not usually analysed as by > the assumption of the proof, this should never happen. Random self-reducibility seems relevant here, as does the fact an attacker should be able to solve any discrete logarithm problems over a group one is using. OK, jargons apart - my point was about the assumption. If the relation of the two system generators is known, the assumption of the proof is violated, and the proof becomes invalid. > You¹re correct that J-PAKE uses Shamir-Fiat heuristics, hence the proof is > in ROM. The key design principle in J-PAKE is based on understanding the > importance of zero-knowledge proof. The use of Shamir-Fiat heuristics to > make ZKP non-interactive is a standard technique in cryptography. In the > field of secure two/multi-party computation, ZKP is almost universally > used in every protocol. However, in the field of PAKE, to my knowledge, > J-PAKE is the only protocol that uses ZKP. On the other hand, if you think > about PAKE, it¹s fundamentally a two-party secure computation problem on > an equality function (with the side benefit that both sides produce a > common session key when the equality holds). This paragraph is not responsive to my assertion that ROM=> common random string. J-PAKE is an instance of a generic design approach where an honest but curious protocol is transformed into a malicious party secure on through adding proofs of correctness. Each of those proofs and verifications is expensive. Hence J-PAKE is expensive. The security of JPAKE versus SPAKE2 is the same: both are secure in the ROM. As explained earlier, the difference is the "assumption" in the proof. From the engineering perspective, we ought to prepare for the worst. When one specific instance of the discrete logarithm is resolved, there is a big difference between the class attack and the session attack. This is in no way to say the SPAKE2 draft that you're working on is not useful (on the contrary, I think it can be useful in some specific applications where the effect of a class attack is tolerable), but I just want to point out the factual differences between the two. > > Cheers, > Feng > > On 27/03/2019, 20:08, "Watson Ladd" <watsonbladd@gmail.com> wrote: > > >On Wed, Mar 27, 2019 at 7:56 PM Feng Hao <feng.hao@newcastle.ac.uk> wrote: > >> > >> Hi Hugo, > >> > >> > >> > >> Thanks for your comments. > >> > >> > >> Just to clarify the difference between SPAKE2 and J-PAKE - The proof of > >>SPAKE2 depends on the assumption of a trusted setup: the discrete > >>logarithm between the two group generators must be unknown by anyone. > > > >The above is not true: we rely on the common random string model, not > >the common reference model. This matters for below. > > > >>If a powerful adversary (3 letter agency) gathers sufficient resources > >>and time (say 1 year) to break one instance of discrete logarithm, it > >>will be a class attack, breaking all >instances of SPAKE2 without anyone > >>knowing it. By contrast, they can only break one session in J-PAKE, > >>since by design the randomness is refreshed in every session >rather > >>than being built into a static setup. This explain why J-PAKE requires > >>more computation than SPAKE2. Hope it clarifies. > > > >I don't know of a JPAKE proof that doesn't rely on Shamir-Fiat > >heuristic, which implies common random string. Your proof is in the > >ROM no? Also I do not see how one recovers the password from past > >sessions or recovers the negotiated key in this case: certainly an > >active attack is possible knowing a relation! > > > >> > >> > >> Regards, > >> > >> Feng > >> > >> > >> > >> From: TLS <tls-bounces@ietf.org> on behalf of Hugo Krawczyk > >><hugo@ee.technion.ac.il> > >> Date: Wednesday, 27 March 2019 at 02:49 > >> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com> > >> Cc: "tls@ietf.org" <tls@ietf.org> > >> Subject: Re: [TLS] Elliptic Curve J-PAKE > >> > >> > >> > >> Hi Hannes, > >> > >> > >> > >> J-PAKE is a symmetric PAKE. Both parties store the same password. It is > >>not suitable for most client-server scenarios where using J-PAKE would > >>mean that an attacker that breaks into the server simply steals all > >>plaintext passwords. OPAQUE is an asymmetric (or augmented) PAKE where > >>user remembers a password (and nothing else, including no public key of > >>the server) while the server stores a one-way image of the password. > >>Security requires that if the server is compromised, the attacker needs > >>to run an offline dictionary attack for each user in the database to > >>find the password. > >> > >> > >> > >> If what you need is a symmetric PAKE then there are better candidates > >>than J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08. > >>SPAKE2 is *much* more efficient than J-PAKE and while both J-PAKE and > >>SPAKE2 have proofs of security, SPAKE2 is proven in a stronger security > >>model relative to J-PAKE. > >> > >> > >> > >> I am not aware of any advantage of J-PAKE over SPAKE2 - but I may be > >>missing something. Maybe the PAKE presentation in cfrg will clarify > >>these issues further. > >> > >> > >> > >> Hugo > >> > >> > >> > >> > >> > >> > >> > >> On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig > >><Hannes.Tschofenig@arm.com> wrote: > >> > >> Hi all, > >> > >> in context of the OPAQUE talk by Nick today at the TLS WG meeting I > >>mentioned that the Thread Group has used the Elliptic Curve J-PAKE for > >>IoT device onboarding. > >> Here is the draft written for TLS 1.2: > >> https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 > >> > >> The mechanism is described in https://tools.ietf.org/html/rfc8236 > >> > >> @Nick & Richard: Have a look at it and see whether it fits your needs. > >> > >> Ciao > >> Hannes > >> > >> IMPORTANT NOTICE: The contents of this email and any attachments are > >>confidential and may also be privileged. If you are not the intended > >>recipient, please notify the sender immediately and do not disclose the > >>contents to any other person, use it for any purpose, or store or copy > >>the information in any medium. Thank you. > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > > > > > > > >-- > >"Man is born free, but everywhere he is in chains". > >--Rousseau. > -- "Man is born free, but everywhere he is in chains". --Rousseau. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] Elliptic Curve J-PAKE Feng Hao
- [TLS] Elliptic Curve J-PAKE Hannes Tschofenig
- Re: [TLS] Elliptic Curve J-PAKE Hugo Krawczyk
- Re: [TLS] Elliptic Curve J-PAKE Hannes Tschofenig
- Re: [TLS] Elliptic Curve J-PAKE Feng Hao
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd
- Re: [TLS] Elliptic Curve J-PAKE Hao, Feng
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd