Re: [TLS] Elliptic Curve J-PAKE
Watson Ladd <watsonbladd@gmail.com> Sun, 14 April 2019 23:38 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A9651200C1 for <tls@ietfa.amsl.com>; Sun, 14 Apr 2019 16:38:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vg5e7kpcIek6 for <tls@ietfa.amsl.com>; Sun, 14 Apr 2019 16:38:38 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 130DC1200A2 for <tls@ietf.org>; Sun, 14 Apr 2019 16:38:38 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id o19so7252514lfl.4 for <tls@ietf.org>; Sun, 14 Apr 2019 16:38:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=JjYn4yFb8tKCnK6d7OExAffEWqXwh5YJsfmQGX4uFm8=; b=WpSr9RkGmFrbHaR/I7rxWz+tPeX07XkR8xv6iRMml3dQUQg8R23oYUk6b8gBiBStm7 p1CurDGuKHnDQ2UdiVHsHSItGBcrqTJCnwthL2sDsED40bbHcnAI9HGFsZikYxt4h2Dg QdCNOvsGJS5YliXqgF4U7wOngHWoTuLMLdjRYdaUyxeKfhqB2JGqKHwxzGcBvcNyRS/D lFR9OkCPQ7wud40YTVlbSuhzgoSpJ3dbX3w6+3ssUmzqd2k+cRqLIt1JoG1Gw95aC7eU N277wLsPZlaIuBsVNS7hNWxTsKTYRQir4Gbq34RInmQ7C4EwEv6gWawWv+pdhHhXY9qH fkRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=JjYn4yFb8tKCnK6d7OExAffEWqXwh5YJsfmQGX4uFm8=; b=JtN9chL6CHNJqAr3FzjX3r6iVW8U2SSpe3Ou4e+xPKmL3FVq08fIrhTB2KSZTR70AA klacHI79XRaOELzziXmuijqkm7A1iFH4SFgpFO9OsAk7bro4d/ufmBxhv35GvODF3sS2 0hMgGO4BfIdcr94jRpsmR5ZqU9vm2aURf5N7I6pup1bgBBJtlTURPYmr2Yce6yVgGYpu Qn179FL6B4cEvgEI8NPA92EhtuB7SxhixOuKc6RauPL4aS7kXsh3LxeUFYII5utHYSA1 hTnAcmdlWR8n6v13c0sRZXUnZbIiI32GmME+mE/m3GP+tSl7rBguWPDXyoiYWy1NRfL4 tcbA==
X-Gm-Message-State: APjAAAWn1IhYk1j5VQptRig0W3z/2Fg458PSeCz8LBrhfGKxpfmrszMS shIp6j5ZwdMAsKKN4bT8OLveKXzall1edRu8z3w=
X-Google-Smtp-Source: APXvYqwEGDMPx5m9pzXAofb5OS4AMHHKbTb3C/Tj0Vd2OXCiggRlFZBdfmHD51wBUMXYiWZaEKwGq0u/dIsnyhVlUTY=
X-Received: by 2002:ac2:592b:: with SMTP id v11mr14621611lfi.85.1555285116195; Sun, 14 Apr 2019 16:38:36 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0801MB2112CFD46565F1BC8B3697D8FA5F0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CADi0yUP+xwWzej7+uvQCaO5xzvJOdwZ-0c-Ot7WF30R25jRxjQ@mail.gmail.com> <WM!3b68eb47588f67d9aaca229cf8c9e30dd2ddb828af3905daaa86a4172d790fff2ad158c5fb15a70a4484183790470a68!@mailhub-mx4.ncl.ac.uk> <6ADEC907-1273-41AF-A964-68E654103645@ncl.ac.uk> <WM!624962044e5b7753628d65d82a819fc287f20b66b28b7326bc1508f7f7d97f90cbf3d0c6dc796efa81e820d8dab51428!@mailhub-mx4.ncl.ac.uk> <CACsn0ckNiC27tbPr_QOboGuvQjsy+ERi2QuydD4pvW0JefnApQ@mail.gmail.com> <D8C1A660.42B1E%feng.hao@newcastle.ac.uk> <WM!c4e3c9f13abc7000dfbbde9eb12c9144d5d8234a17a0174a6949c158c95ffbaf8a2f24ff15a15f8486836962cd47d319!@mailhub-mx5.ncl.ac.uk> <WM!0582133d51ba80a26ba8d63cfde5c9963d11dc9f58798d78949e0216c82fa7d4d61faccee0685f9c317449bb1f65b1e7!@mailhub-mx1.ncl.ac.uk>
In-Reply-To: <WM!0582133d51ba80a26ba8d63cfde5c9963d11dc9f58798d78949e0216c82fa7d4d61faccee0685f9c317449bb1f65b1e7!@mailhub-mx1.ncl.ac.uk>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 14 Apr 2019 16:38:24 -0700
Message-ID: <CACsn0cmgST5pCOy-OMVigW-MJvvnjcgO+tay3bhbnVG8YhrL-g@mail.gmail.com>
To: Feng Hao <feng.hao@newcastle.ac.uk>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lK9hLoLV08lRums8ft34iBD6Fxg>
Subject: Re: [TLS] Elliptic Curve J-PAKE
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Apr 2019 23:38:41 -0000
On Wed, Mar 27, 2019 at 11:36 PM Feng Hao <feng.hao@newcastle.ac.uk> wrote: > > Hi Watson, > > When the attacker knows the relation, besides the active attack, there may > be other things he can exploit. This however is not usually analysed as by > the assumption of the proof, this should never happen. Random self-reducibility seems relevant here, as does the fact an attacker should be able to solve any discrete logarithm problems over a group one is using. > > You¹re correct that J-PAKE uses Shamir-Fiat heuristics, hence the proof is > in ROM. The key design principle in J-PAKE is based on understanding the > importance of zero-knowledge proof. The use of Shamir-Fiat heuristics to > make ZKP non-interactive is a standard technique in cryptography. In the > field of secure two/multi-party computation, ZKP is almost universally > used in every protocol. However, in the field of PAKE, to my knowledge, > J-PAKE is the only protocol that uses ZKP. On the other hand, if you think > about PAKE, it¹s fundamentally a two-party secure computation problem on > an equality function (with the side benefit that both sides produce a > common session key when the equality holds). This paragraph is not responsive to my assertion that ROM=> common random string. J-PAKE is an instance of a generic design approach where an honest but curious protocol is transformed into a malicious party secure on through adding proofs of correctness. Each of those proofs and verifications is expensive. Hence J-PAKE is expensive. The security of JPAKE versus SPAKE2 is the same: both are secure in the ROM. > > Cheers, > Feng > > On 27/03/2019, 20:08, "Watson Ladd" <watsonbladd@gmail.com> wrote: > > >On Wed, Mar 27, 2019 at 7:56 PM Feng Hao <feng.hao@newcastle.ac.uk> wrote: > >> > >> Hi Hugo, > >> > >> > >> > >> Thanks for your comments. > >> > >> > >> Just to clarify the difference between SPAKE2 and J-PAKE - The proof of > >>SPAKE2 depends on the assumption of a trusted setup: the discrete > >>logarithm between the two group generators must be unknown by anyone. > > > >The above is not true: we rely on the common random string model, not > >the common reference model. This matters for below. > > > >>If a powerful adversary (3 letter agency) gathers sufficient resources > >>and time (say 1 year) to break one instance of discrete logarithm, it > >>will be a class attack, breaking all >instances of SPAKE2 without anyone > >>knowing it. By contrast, they can only break one session in J-PAKE, > >>since by design the randomness is refreshed in every session >rather > >>than being built into a static setup. This explain why J-PAKE requires > >>more computation than SPAKE2. Hope it clarifies. > > > >I don't know of a JPAKE proof that doesn't rely on Shamir-Fiat > >heuristic, which implies common random string. Your proof is in the > >ROM no? Also I do not see how one recovers the password from past > >sessions or recovers the negotiated key in this case: certainly an > >active attack is possible knowing a relation! > > > >> > >> > >> Regards, > >> > >> Feng > >> > >> > >> > >> From: TLS <tls-bounces@ietf.org> on behalf of Hugo Krawczyk > >><hugo@ee.technion.ac.il> > >> Date: Wednesday, 27 March 2019 at 02:49 > >> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com> > >> Cc: "tls@ietf.org" <tls@ietf.org> > >> Subject: Re: [TLS] Elliptic Curve J-PAKE > >> > >> > >> > >> Hi Hannes, > >> > >> > >> > >> J-PAKE is a symmetric PAKE. Both parties store the same password. It is > >>not suitable for most client-server scenarios where using J-PAKE would > >>mean that an attacker that breaks into the server simply steals all > >>plaintext passwords. OPAQUE is an asymmetric (or augmented) PAKE where > >>user remembers a password (and nothing else, including no public key of > >>the server) while the server stores a one-way image of the password. > >>Security requires that if the server is compromised, the attacker needs > >>to run an offline dictionary attack for each user in the database to > >>find the password. > >> > >> > >> > >> If what you need is a symmetric PAKE then there are better candidates > >>than J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08. > >>SPAKE2 is *much* more efficient than J-PAKE and while both J-PAKE and > >>SPAKE2 have proofs of security, SPAKE2 is proven in a stronger security > >>model relative to J-PAKE. > >> > >> > >> > >> I am not aware of any advantage of J-PAKE over SPAKE2 - but I may be > >>missing something. Maybe the PAKE presentation in cfrg will clarify > >>these issues further. > >> > >> > >> > >> Hugo > >> > >> > >> > >> > >> > >> > >> > >> On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig > >><Hannes.Tschofenig@arm.com> wrote: > >> > >> Hi all, > >> > >> in context of the OPAQUE talk by Nick today at the TLS WG meeting I > >>mentioned that the Thread Group has used the Elliptic Curve J-PAKE for > >>IoT device onboarding. > >> Here is the draft written for TLS 1.2: > >> https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 > >> > >> The mechanism is described in https://tools.ietf.org/html/rfc8236 > >> > >> @Nick & Richard: Have a look at it and see whether it fits your needs. > >> > >> Ciao > >> Hannes > >> > >> IMPORTANT NOTICE: The contents of this email and any attachments are > >>confidential and may also be privileged. If you are not the intended > >>recipient, please notify the sender immediately and do not disclose the > >>contents to any other person, use it for any purpose, or store or copy > >>the information in any medium. Thank you. > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > > > > > > > >-- > >"Man is born free, but everywhere he is in chains". > >--Rousseau. > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- Re: [TLS] Elliptic Curve J-PAKE Feng Hao
- [TLS] Elliptic Curve J-PAKE Hannes Tschofenig
- Re: [TLS] Elliptic Curve J-PAKE Hugo Krawczyk
- Re: [TLS] Elliptic Curve J-PAKE Hannes Tschofenig
- Re: [TLS] Elliptic Curve J-PAKE Feng Hao
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd
- Re: [TLS] Elliptic Curve J-PAKE Hao, Feng
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd