Re: [TLS] Elliptic Curve J-PAKE
Watson Ladd <watsonbladd@gmail.com> Mon, 15 April 2019 15:53 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E637312038F for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 08:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RoOiy8-0OZ0n for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 08:53:50 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4306812038B for <tls@ietf.org>; Mon, 15 Apr 2019 08:53:50 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id t4so7645576ljc.2 for <tls@ietf.org>; Mon, 15 Apr 2019 08:53:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9HYBJjFGxQ887vNRslrxKdWUA7foYJBSLHiyhlxFw2A=; b=h1gM9v6GP9jGgeiQw2rCbNU/mMyNnqmXFaUU4C3bXAaFSPESEkc7FD8EwIK4CYbZ3/ hOUhLPmHLeS2fvUfO61UMNWRFCNF1KSCWXtCJC6voNST0KWjkOupKpb8zwVdLPVtcDAC unNTpj2eisVG7HmxdXC3rjjNimkMI8VTysYTreHHhtnNxKhq2DJu9tfnlzugGpROtVu/ ewm0wNkQVmeOItn8jDl+QMIUd/b4LO/YwQ75Ft8wF/XGOQ2gT1rkhu+de+m1YmOB6g1i gIcCbXPsJXzI74tfswvvK7EnQZ2UwJc9AG6lSvLGZ/NdX5w3GV4jmlp3XH8+utr5chi2 ovAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9HYBJjFGxQ887vNRslrxKdWUA7foYJBSLHiyhlxFw2A=; b=LLI4DUdG/EpmDDerV7SoAFDzQJd/26jUPC0RUCuJ01dduN8rEPhL028keYosng/Rd6 VUj/AqZ9ezn077iQRnXZaniN8dha1iAdAltiXSKL9TezDvKMufUgb3gUwB0cA/095mLc Ir/iusA+vRMTkh8jGpH29HSlfIjrDjqrljUdCOeugD136uIPl5ln+8OJ6mN0DltiQ2YQ X7qi68L5V9oi5wTYc5YbJEvKeRJScWJnKJ55rHLOoRubdbGDCeHUBcWwXjeUlF6LHF0N v2NSzdpSSOlM6KfBka9Gwcb10pRccDWLVpAPUk2W8UnIhsuHACJv67vurbGLCOryzgsB Tj/Q==
X-Gm-Message-State: APjAAAWB92UGC9Aw8jWBKesrvu0CnAQh8XAJZF+eCpdT84IchzlSuRps GnVthhOKUfNI3g24WNElDyW9X6E+abYKuBE0PSM=
X-Google-Smtp-Source: APXvYqycbOHc/OlfPvRV2hhqJMbh6IDfGH4pP0JUZVaJ/FoPM6Nm7E0sZiqtf7q5UcwTvkPlX6a7wvHKblhPbIF5X40=
X-Received: by 2002:a2e:97d3:: with SMTP id m19mr1392259ljj.63.1555343628449; Mon, 15 Apr 2019 08:53:48 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0801MB2112CFD46565F1BC8B3697D8FA5F0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CADi0yUP+xwWzej7+uvQCaO5xzvJOdwZ-0c-Ot7WF30R25jRxjQ@mail.gmail.com> <WM!3b68eb47588f67d9aaca229cf8c9e30dd2ddb828af3905daaa86a4172d790fff2ad158c5fb15a70a4484183790470a68!@mailhub-mx4.ncl.ac.uk> <6ADEC907-1273-41AF-A964-68E654103645@ncl.ac.uk> <WM!624962044e5b7753628d65d82a819fc287f20b66b28b7326bc1508f7f7d97f90cbf3d0c6dc796efa81e820d8dab51428!@mailhub-mx4.ncl.ac.uk> <CACsn0ckNiC27tbPr_QOboGuvQjsy+ERi2QuydD4pvW0JefnApQ@mail.gmail.com> <D8C1A660.42B1E%feng.hao@newcastle.ac.uk> <WM!c4e3c9f13abc7000dfbbde9eb12c9144d5d8234a17a0174a6949c158c95ffbaf8a2f24ff15a15f8486836962cd47d319!@mailhub-mx5.ncl.ac.uk> <WM!0582133d51ba80a26ba8d63cfde5c9963d11dc9f58798d78949e0216c82fa7d4d61faccee0685f9c317449bb1f65b1e7!@mailhub-mx1.ncl.ac.uk> <CACsn0cmgST5pCOy-OMVigW-MJvvnjcgO+tay3bhbnVG8YhrL-g@mail.gmail.com> <ED38F419-4251-4775-8F07-6877590EAEF0@live.warwick.ac.uk>
In-Reply-To: <ED38F419-4251-4775-8F07-6877590EAEF0@live.warwick.ac.uk>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 15 Apr 2019 08:53:34 -0700
Message-ID: <CACsn0cnOA11qHbVjC3fphkUTKjzP-0Ts4mOCj8D+vUJ-=MZTbQ@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007a3f62058693a817"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xYLF_B8FECPc-My3JYSoersa4m4>
Subject: Re: [TLS] Elliptic Curve J-PAKE
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 15:53:54 -0000
On Mon, Apr 15, 2019, 5:50 AM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote: > Hi Watson, > > On 15/04/2019, 00:39, "TLS on behalf of Watson Ladd" < > tls-bounces@ietf.org on behalf of watsonbladd@gmail.com> wrote: > > On Wed, Mar 27, 2019 at 11:36 PM Feng Hao <feng.hao@newcastle.ac.uk> > wrote: > > > > Hi Watson, > > > > When the attacker knows the relation, besides the active attack, > there may > > be other things he can exploit. This however is not usually analysed > as by > > the assumption of the proof, this should never happen. > > Random self-reducibility seems relevant here, as does the fact an > attacker should be able to solve any discrete logarithm problems over > a group one is using. > > OK, jargons apart - my point was about the assumption. If the relation of > the two system generators is known, the assumption of the proof is > violated, and the proof becomes invalid. > > > You¹re correct that J-PAKE uses Shamir-Fiat heuristics, hence the > proof is > > in ROM. The key design principle in J-PAKE is based on understanding > the > > importance of zero-knowledge proof. The use of Shamir-Fiat > heuristics to > > make ZKP non-interactive is a standard technique in cryptography. In > the > > field of secure two/multi-party computation, ZKP is almost > universally > > used in every protocol. However, in the field of PAKE, to my > knowledge, > > J-PAKE is the only protocol that uses ZKP. On the other hand, if you > think > > about PAKE, it¹s fundamentally a two-party secure computation > problem on > > an equality function (with the side benefit that both sides produce a > > common session key when the equality holds). > > This paragraph is not responsive to my assertion that ROM=> common > random string. > > J-PAKE is an instance of a generic design approach where an honest but > curious protocol is transformed into a malicious party secure on > through adding proofs of correctness. Each of those proofs and > verifications is expensive. Hence J-PAKE is expensive. The security of > JPAKE versus SPAKE2 is the same: both are secure in the ROM. > > As explained earlier, the difference is the "assumption" in the proof. > From the engineering perspective, we ought to prepare for the worst. When > one specific instance of the discrete logarithm is resolved, there is a big > difference between the class attack and the session attack. This is in no > way to say the SPAKE2 draft that you're working on is not useful (on the > contrary, I think it can be useful in some specific applications where the > effect of a class attack is tolerable), but I just want to point out the > factual differences between the two. > Attackers shouldn't be able to compute any discrete logs, and they cannot go back and break old SPAKE2 sessions with that information (DH reduction I should write up). > > > > Cheers, > > Feng > > > > On 27/03/2019, 20:08, "Watson Ladd" <watsonbladd@gmail.com> wrote: > > > > >On Wed, Mar 27, 2019 at 7:56 PM Feng Hao <feng.hao@newcastle.ac.uk> > wrote: > > >> > > >> Hi Hugo, > > >> > > >> > > >> > > >> Thanks for your comments. > > >> > > >> > > >> Just to clarify the difference between SPAKE2 and J-PAKE - The > proof of > > >>SPAKE2 depends on the assumption of a trusted setup: the discrete > > >>logarithm between the two group generators must be unknown by > anyone. > > > > > >The above is not true: we rely on the common random string model, > not > > >the common reference model. This matters for below. > > > > > >>If a powerful adversary (3 letter agency) gathers sufficient > resources > > >>and time (say 1 year) to break one instance of discrete logarithm, > it > > >>will be a class attack, breaking all >instances of SPAKE2 without > anyone > > >>knowing it. By contrast, they can only break one session in J-PAKE, > > >>since by design the randomness is refreshed in every session > >rather > > >>than being built into a static setup. This explain why J-PAKE > requires > > >>more computation than SPAKE2. Hope it clarifies. > > > > > >I don't know of a JPAKE proof that doesn't rely on Shamir-Fiat > > >heuristic, which implies common random string. Your proof is in the > > >ROM no? Also I do not see how one recovers the password from past > > >sessions or recovers the negotiated key in this case: certainly an > > >active attack is possible knowing a relation! > > > > > >> > > >> > > >> Regards, > > >> > > >> Feng > > >> > > >> > > >> > > >> From: TLS <tls-bounces@ietf.org> on behalf of Hugo Krawczyk > > >><hugo@ee.technion.ac.il> > > >> Date: Wednesday, 27 March 2019 at 02:49 > > >> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com> > > >> Cc: "tls@ietf.org" <tls@ietf.org> > > >> Subject: Re: [TLS] Elliptic Curve J-PAKE > > >> > > >> > > >> > > >> Hi Hannes, > > >> > > >> > > >> > > >> J-PAKE is a symmetric PAKE. Both parties store the same password. > It is > > >>not suitable for most client-server scenarios where using J-PAKE > would > > >>mean that an attacker that breaks into the server simply steals all > > >>plaintext passwords. OPAQUE is an asymmetric (or augmented) PAKE > where > > >>user remembers a password (and nothing else, including no public > key of > > >>the server) while the server stores a one-way image of the > password. > > >>Security requires that if the server is compromised, the attacker > needs > > >>to run an offline dictionary attack for each user in the database > to > > >>find the password. > > >> > > >> > > >> > > >> If what you need is a symmetric PAKE then there are better > candidates > > >>than J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08. > > >>SPAKE2 is *much* more efficient than J-PAKE and while both J-PAKE > and > > >>SPAKE2 have proofs of security, SPAKE2 is proven in a stronger > security > > >>model relative to J-PAKE. > > >> > > >> > > >> > > >> I am not aware of any advantage of J-PAKE over SPAKE2 - but I may > be > > >>missing something. Maybe the PAKE presentation in cfrg will clarify > > >>these issues further. > > >> > > >> > > >> > > >> Hugo > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig > > >><Hannes.Tschofenig@arm.com> wrote: > > >> > > >> Hi all, > > >> > > >> in context of the OPAQUE talk by Nick today at the TLS WG meeting > I > > >>mentioned that the Thread Group has used the Elliptic Curve J-PAKE > for > > >>IoT device onboarding. > > >> Here is the draft written for TLS 1.2: > > >> https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 > > >> > > >> The mechanism is described in https://tools.ietf.org/html/rfc8236 > > >> > > >> @Nick & Richard: Have a look at it and see whether it fits your > needs. > > >> > > >> Ciao > > >> Hannes > > >> > > >> IMPORTANT NOTICE: The contents of this email and any attachments > are > > >>confidential and may also be privileged. If you are not the > intended > > >>recipient, please notify the sender immediately and do not > disclose the > > >>contents to any other person, use it for any purpose, or store or > copy > > >>the information in any medium. Thank you. > > >> > > >> _______________________________________________ > > >> TLS mailing list > > >> TLS@ietf.org > > >> https://www.ietf.org/mailman/listinfo/tls > > >> > > >> _______________________________________________ > > >> TLS mailing list > > >> TLS@ietf.org > > >> https://www.ietf.org/mailman/listinfo/tls > > > > > > > > > > > >-- > > >"Man is born free, but everywhere he is in chains". > > >--Rousseau. > > > > > -- > "Man is born free, but everywhere he is in chains". > --Rousseau. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > >
- Re: [TLS] Elliptic Curve J-PAKE Feng Hao
- [TLS] Elliptic Curve J-PAKE Hannes Tschofenig
- Re: [TLS] Elliptic Curve J-PAKE Hugo Krawczyk
- Re: [TLS] Elliptic Curve J-PAKE Hannes Tschofenig
- Re: [TLS] Elliptic Curve J-PAKE Feng Hao
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd
- Re: [TLS] Elliptic Curve J-PAKE Hao, Feng
- Re: [TLS] Elliptic Curve J-PAKE Watson Ladd