security analysis of cpacecfrg has setup a pake selection process in 2019, which led to the...
TRANSCRIPT
-
Security Analysis of CPaceMichel Abdalla
CNRS and DI/ENS, PSL UniversityParis, France
Bjรถrn HaaseEndress+Hauser Liquid Analysis
Gerlingen, [email protected]
Julia HesseIBM Research
Zurich, [email protected]
ABSTRACTIn response to standardization requests regarding password-authen-ticated key exchange (PAKE) protocols, the IRTF working groupCFRG has setup a PAKE selection process in 2019, which led to theselection of the CPace protocol in the balanced setting, in whichparties share a common password.
In this paper, we provide a security analysis of CPace in theuniversal composability framework for implementations on elliptic-curve groups. When doing so, we restrict the use of random or-acles to hash functions only and refrain from modeling CPaceโsMap2Point function that maps field elements to curve points as anidealized function. As a result, CPace can be proven secure understandard complexity assumptions in the random-oracle model.
Finally, in order to extend our proofs to different CPace variantsoptimized for specific environments, we employ a new approach,which represents the assumptions required by the proof as librarieswhich a simulator can access. By allowing for the modular replace-ment of assumptions used in the proof, this new approach avoids arepeated analysis of unchanged protocol parts and lets us efficientlyanalyze the security guarantees of all the different CPace variants.
1 INTRODUCTIONSecurity analysis and efficient implementation of cryptographicprotocols are often split into separate working groups. As a result,subtle differences between the actually implemented and analyzedprotocols easily emerge, for example when implementors slightlytweak the protocol to improve efficiency. An example where par-ticularly aggressive optimization for efficiency is implemented onthe protocol level is CPace as specified in current internet drafts[Haa20, HL18]. CPace is a password-authenticated key exchangeprotocol (PAKE) [BM92], which allows two parties to establish ashared cryptographic key from matching passwords of potentiallylow entropy. On a high level, CPace works as follows. Given a cyclicgroup G, parties first locally and deterministically compute a gen-erator ๐ โ G from their passwords in a secure way, so that ๐ revealsas little information about the password as possible. Then, bothparties perform a Diffie-Hellman key exchange by choosing secretexponents ๐ฅ and ๐ฆ, respectively, exchanging ๐๐ฅ and ๐๐ฆ and locallycompute ๐พ = (๐๐ฅ )๐ฆ = (๐๐ฆ)๐ฅ . The final key is then computed asthe hash of ๐พ together with session-identifying information suchas transcript. The currently most efficient implementations of theabove blueprint protocol use elliptic curve groups of either prime orcomposite order. To securely compute the generator, the passwordis first hashed to the finite field F๐ the curve is constructed over,and then mapped to the curve by a map calledMap2Point. Depend-ing on the choice of curve, efficiency tweaks such as simplifiedpoint verification on curves with twist security, or computationwith only x-coordinates of points can be applied [HL19, Haa20].
Unfortunately, until today, it is not clear how these modificationsimpact security of CPace.A short history of CPace. In 1996, Jablon [Jab96] introduced theSPEKE protocol, which performs a Diffie-Hellman key exchangewith generators computed as ๐โ H(pw). Many variants of SPEKEhave emerged in the literature since then, including ones that fixedinitial security issues of SPEKE. Among them, the PACE proto-col [PAC08, BFK09] aims at circumventing direct hashing ontothe group with an interactiveMap2Point protocol to compute thepassword-dependent generators. From this, CPace [HL19] emergedby combining the best properties of PACE and SPEKE, namely com-puting the generator without interaction while avoiding the need tohash directly onto the group. More precisely, password-dependentgenerators are computed as ๐โ Map2Point(H(pw)). In 2020, theIRTF working group CFRG has chosen CPace as the recommendedprotocol for (symmetric) PAKE.
Our Contributions. In this paper, we provide the first compre-hensive security analysis of the CPace protocol that applies also tovariants of CPace optimized for usage with state-of-the-art ellipticcurves. On a technical level, in Section 3.3 we first identify the coreproperties of the deterministic Map2Point function that allow toprove strong security properties of CPace. Crucially, we restrict theuse of random oracles to hash functions only and refrain from mod-elingMap2Point as an idealized function, as it would not be clearhow to instantiate it in practice. We show that, using some weakinvertibility properties of Map2Point that we demonstrate to holdfor many candidate implementations, CPace can be proven secureunder standard Diffie-Hellman-type assumptions in the random-oracle model. Our security proof captures adaptive corruptions andweak forward secrecy and is carried out in the Universal Compos-ability (UC) framework, which is todayโs standard when analyzingsecurity of PAKE protocols.
In Section 6 we then turn our attention to modifications of CPaceand, for each modification individually, state under which assump-tions the security properties are preserved. In more detail, ouranalysis captures the following modifications.โข Using groups of composite order ๐ ยท ๐ , where ๐ is a largeprime and ๐ is a small cofactor coprime to ๐ .โข Consider both, constructions based on a map-twice-and-addstrategy and single execution of Map2Point.โข Using only single-coordinate representations of elliptic curvepoints in order to speed up and facilitate implementation.โข Avoiding computationally costly point verification on curveswith secure quadratic twists such as Curve25519[Ber06].
To demonstrate the security of these variants, we take a newapproach that saves us from a repeated analysis of unchanged partsof CPace. Namely, we implement the CDH-type cryptographic as-sumptions required by CPace as libraries which a simulator can
-
access. This allows for modular replacement of assumptions re-quired in the security proof, and lets us efficiently analyze all thedifferent CPace variantsโ security guarantees. We believe that thisnew proof technique introduced in Section 5.1 might be of inde-pendent interest in particular for machine-assisted proving, sincereductions are captured in code instead of textual descriptions only.
As a side contribution, we identify a common shortcoming inall UC PAKE security definitions in the literature [CHK+05, JKX18,Hes20, ABB+20a], which may impact the usability of these defi-nitions as building blocks in higher-level applications. All thesedefinitions allow amalicious party to learn the shared key computedby an honest party without knowing her password. We strengthenthe definition to prevent such attacks, and demonstrate with ouranalysis of CPace that our fix yields a security definition that is stillmet by PAKE protocols. Even more, our analysis captures adaptivecorruptions, where an adversary can corrupt users who alreadystarted the protocol and computed secret values. Our work providesthe first evidence that SPEKE-like protocols can withstand thesestrong corruptions.
In conclusion, our results demonstrate that CPace enjoys strongprovable security guarantees in all its variants that have been pro-posed for the sake of efficiency improvements.
Related Work. In [BFK09] a game-based security analysis of ex-plicitly authenticated PACE protocol variants as used in traveldocuments has been carried out, with a focus on different variantsof interactive Map2Point constructions. Security of CPace (includ-ing Map2Point and cofactor clearing) was formally analyzed in[HL19]. However, the proof was found to be insufficient by reviewsdone during the CFRG selection process, and indeed, the claimedsecurity under plain CDH seems to be difficult to achieve. Further,no analysis of real world implementation artifacts such as cofactorclearing, map2point function and twist security was conductedin that work. Altogether, for establishing full trust in real-worldimplementations of CPace we identify the urgent need for fillingthe gaps in the existing analysis in [HL19].
[ABB+20a] analyzed the security of several EKE [BM92] andSPEKE variants in the UC framework, including SPAKE2 [AP05]and TBPEKE [PW17]. They also indicated that their proof forTBPEKE could be extended to CPace with the inclusion of theprotocol transcript and password-dependent generator in the fi-nal key derivation hash [ABB+20b]. Although the need for thepassword-dependent generator in the final hash could be excludedwith a more refined argument, their analysis still does not dealwith adaptive security and only considers a simplified version ofCPace, similar to the CPacebase variant in Section 5, which doesnot account for the implementation issues being addressed in thispaper.
[ABK+20] formalized the algebraic-group model within the UCframework and proved that the SPAKE2 and CPace protocols areuniversally composable in the new model with respect to the stan-dard functionality for password-based authenticated key exchangein [CHK+05]. As in [ABB+20a], their analysis does not deal withadaptive security and only considers a simplified version of CPace,similar to CPacebase.
Organization of this paper. We introduce the PAKE securitymodel in Section 2, hardness assumptions and requirements for
the map in Section 3. We then repeat the essential properties ofthe CPace construction in Section 4. Then we analyse CPace, firstusing a simplified CPace in Section 5 (modeling the map as random-oracle) and then extending the analysis to real-world instantiationsusing mapping constructions in Section 6. Section 7 presents someconcluding remarks and possible directions for future work.
Session initiation
On (NewSession, sid, P, Pโฒ, pw) from P, ignore this query if recordโจsid, P, ยท, ยทโฉ already exists. Otherwise record โจsid, P, Pโฒ, pwโฉ marked freshand send (NewSession, sid, P, Pโฒ) to A.
Active attackโข On (TestPwd, sid, P, pwโ) from A, if โ a fresh recordโจsid, P, Pโฒ, pw, ยทโฉ then:โ If pwโ = pw then mark it compromised and return โcorrect guessโ;โ If pwโ โ pw then mark it interrupted and return โwrong guessโ.
โข On (RegisterTest, sid, P) from A, if โ a fresh record โจsid, P, Pโฒ, ยทโฉthen mark it interrupted and flag it tested.
โข On (LateTestPwd, sid, P, pwโ) from A, if โ a recordโจsid, P, Pโฒ, pw, ๐พ โฉ marked completed with flag tested thenremove this flag and do:
โ If pwโ = pw then return ๐พ to A;
โ If pwโ โ pw then return ๐พ$ โR {0, 1}๐ to A.
Key generation
On (NewKey, sid, P, ๐พโ) from A, if โ a record โจsid, P, Pโฒ, pwโฉ not markedcompleted then do:
โข If the record is compromised, or either P or Pโฒ is corrupted, thenset ๐พ := ๐พโ .
โข If the record is fresh and โ a completed record โจsid, Pโฒ, P, pw, ๐พ โฒโฉthat was fresh when Pโฒ output (sid, ๐พ โฒ) , then set ๐พ := ๐พ โฒ.
โข In all other cases pick ๐พ โR {0, 1}๐ .Finally, append ๐พ to record โจsid, P, Pโฒ, pwโฉ, mark it completed, and output(sid, ๐พ) to P.
Adaptive corruption
On (AdaptiveCorruption, sid, P) from A, if โ a record โจsid, P, ยท, pwโฉ notmarked completed then mark it completed and output (sid, pw) .
Figure 1: UC PAKE variants: The original PAKE functional-ity FpwKE of Canetti et al. [CHK+05] is the version with allgray text omitted. The lazy-extraction PAKE functionalityFlePAKE [ABB+20a] includes everything, and the variant ofFlePAKE used in this work includes everything but the dashedbox.
2 PAKE SECURITY MODELWe use the Universal Composability (UC) framework of Canetti[Can01] to formulate security properties of CPace. For PAKE, usageof the simulation-based UC framework comes with several advan-tages over the game-based model for PAKE introduced by Bellare etal. [BPR00]. Most importantly, UC secure PAKE protocols preservetheir security properties in the presence of adversarially-chosenpasswords andwhen composed with arbitrary other protocols. Orig-inally introduced by Canetti et al. [CHK+05], the ideal functionalityFpwKE for PAKE (depicted in Fig. 1) is accessed by two parties,P andP โฒ, who both provide their passwords. FpwKE then provides bothparties with a uniformly random session key if passwords match,
-
and with individual random keys if passwords mismatch. Since anadversary can always engage in a session and guess the counter-partโs password with non-negligible probability, FpwKE must in-clude an adversarial interface TestPwd for such guesses. Crucially,only one guess against every honest party is allowed, modeling thefact that password guessing is an online attack and cannot be usedto brute-force the password from a protocolโs transcript. We referthe reader to [CHK+05] for a more comprehensive introduction tothe PAKE functionality.
An ideal functionality for the SPEKE protocol family. Unfortu-nately, FpwKE is not suitable to analyze SPEKE-like PAKE protocolssuch as CPace, where session keys are computed as hashes of Diffie-Hellman keys (and possibly parts of the transcript). The reasonis that FpwKEโs TestPwd interface allows password guesses onlyduring a protocol run, which requires a simulator to extract pass-word guesses from the protocolโs transcript. When the final outputis a hash, the adversary might postpone its computation, keepinginformation from the simulator that is required for password ex-traction. To circumvent these issues, recently a โlazy-extractionPAKEโ functionality FlePAKE was proposed and shown useful inthe analysis of SPEKE-like protocols by Abdalla et al. [ABB+20a].FlePAKE, which we also depict in Fig. 1, allows either one onlineor one offline password guess after the key exchange was finished.One might argue that usage of keys obtained from FlePAKE is neversafe, since the adversary might eventually extract the key from itat any later point in time. This however can be easily prevented byadding a key confirmation round, which keeps an adversary frompostponing the final hash query and guarantees perfect forward se-crecy [ABB+20a]. We refer the reader to [ABB+20a] for a thoroughdiscussion of FlePAKE.
Our adjustments to FlePAKE. The main difference between ourFlePAKE and all PAKE functionalities from the literature [CHK+05,JKX18, Hes20, ABB+20a] is that we remove a shortcoming that ren-dered these functionalities essentially useless as building blocks forhigher-level applications. More detailed, we remove the ability ofthe adversary to determine an honest partyโs output key in a cor-rupted session. The change can be seen in Fig. 1, where the dashedbox shows the weakening that we simply omit in our version ofFlePAKE. In reality, nobody would want to use a PAKE where anadversary can learn (even set) the key of an honest party withoutknowing the honest partyโs password. This is not what one wouldexpect from an authenticated key exchange protocol. In Appendix Bwe explain why existing PAKE protocols can still be considered se-cure, but also provide an illustrating example how this shortcominghinders usage of PAKE functionalities in modular protocol analysis.In this paper, we demonstrate that CPace can be proven to protectagainst such attacks.
We also make two minor adjustments, which are merely to easepresentation in this paper. Namely, we add an explicit interface foradaptive corruptions, and we omit roles since we analyze a protocolwhere there is no dedicated initiator.
3 PRELIMINARIES3.1 NotationThroughout the paper, we use ๐ as security parameter. WithโRwe denote uniformly random sampling from a set. With oc(๐๐ , ๐ ๐ )we denote ordered concatenation, i.e., oc(๐๐ , ๐ ๐ ) = ๐๐ | |๐ ๐ if ๐๐ โค ๐ ๐and oc(๐๐ , ๐ ๐ ) = ๐ ๐ | |๐๐ otherwise.
3.2 Cryptographic assumptionsThe security of CPace is based on the hardness of a combination ofstrong and simultaneous Diffie-Hellman problems. To ease accessto the assumptions, we state them with increasing complexity.
Definition 3.1 (Strong CDH problem (sCDH) [ABR01]). LetG be a cyclic group with a generator ๐ต and (๐๐ = ๐ต๐ฆ๐ , ๐๐ = ๐ต๐ฆ๐ ) sam-pled uniformly from (G\๐ผG)2. Given access to oraclesDDH (๐ต,๐๐, ยท, ยท)and DDH (๐ต,๐๐ , ยท, ยท), provide ๐พ such that ๐พ = ๐ต๐ฆ๐ ยท๐ฆ๐ .
We note that sCDH is a weaker variant of the so-called gap-CDHassumption, where the adversary has access to โfullโ DDH oracleswith no fixed inputs. Next we provide a stronger variant of sCDHwhere two CDH instances need to be solved that involve a common,adversarially chosen element.
Definition 3.2 (Strong simultaneous CDH problem (sSDH)).Let G be a cyclic group and (๐๐,๐บ1,๐บ2) sampled uniformly from (G\๐ผG)3. Given access to oracles DDH (๐บ1, ๐๐, ยท, ยท) and DDH (๐บ2, ๐๐, ยท, ยท),provide (๐๐ , ๐พ1, ๐พ2) โ
(G \ ๐ผG
)ร G ร G s. th. DDH (๐บ1, ๐๐, ๐๐ , ๐พ1)
= DDH (๐บ2, ๐๐, ๐๐ , ๐พ2) = 1Again we note that sSDH is a weaker variant of the gap simulta-
neous Diffie-Hellman problem from [PW17] and [ABB+20a] as theaccess to the DDH oracles is restricted by fixing two inputs. Lastly,we state a variant of the sSDH assumption where generators aresampled according to some probability distribution. Looking ahead,we require this variant since in CPace parties derive generators byapplying a map which does not implement uniform sampling fromthe group. We state the non-uniform variant of sSDH for arbitraryprobability distributions and investigate its relation to โuniformโsSDH afterwards.
Definition 3.3 (Strong simultaneous non-uniform CDHproblem (DG-sSDH)). Let G be a group and DG be a probabilitydistribution on G. The strong simultaneous non-uniform CDH prob-lem DG-sSDH is defined as the sSDH problem but with (๐๐,๐บ1,๐บ2)sampled using UG ร DG ร DG , where UG denotes the uniformdistribution on G.
Clearly,UG\๐ผG -sSDH is equivalent to sSDH. We show that hard-ness of uniform and non-uniform sSDH are equivalent given thatthe distribution allows for probabilistic polynomial time (PPT) re-jection sampling, which we now formalize.
Definition 3.4 (Rejection sampling algorithm for (G,DG)).Let G be a group and DG be a probability distribution on G. WithDG (๐บ) we denote the probability for point๐บ . Let RS be a probabilisticalgorithm taking as input elements๐บ โ G and outputtingโฅ or a valueโ โฅ. Then ๐ ๐ is called a rejection sampling algorithm for (G,DG )if ๐๐ [RS(๐บ) โ โฅ] = DG (๐บ) for ๐บ โ G.
Informally RS is a probabilistic algorithm which accepts (outputdifferent from โฅ) or rejects (output โฅ) a candidate point. When
-
queried multiple times on the same input ๐บ โ G, the probabilitythat ๐บ will be accepted or rejected models the distribution DG .Looking ahead, we define such a rejection sampler algorithm forthe maps used in CPace and use this as part of our proof strategy.For avoiding that our simulator gets computationally exhausted,we require that DG allows for a PPT instantiation of a rejectionsampling process using RS with a sufficiently large acceptance rate.We formalize this requirement as follows.
Definition 3.5 (Acceptance rate of a rejection sampler for(G,DG)). Let G be a group andDG be a probability distribution onG. Let RS be a rejection sampling algorithm for (G,DG). Let๐บ๐ โ Gbe a sequence of๐ uniformly drawn points and ๐๐ = RS(๐บ๐ ). Then RSis said to have an acceptance rate of (1/๐) if the number of acceptedpoints with ๐๐ โ โฅ converges to๐/๐ when๐ โโ.
Using these definitions, we are able to prove that given someassumptions on the distribution DG hardness of sSDH and DG-sSDH are equivalent up to the additional PPT computational effortgenerated by the rejection sampling algorithm.
Theorem 3.6 (sSDHโโDG-sSDH). Let G be a cyclic group oforder ๐ and DG a probability distribution on G. If there exists a PPTrejection sampler RS for
(G,DG
)with acceptance rate (1/๐) then the
probability of PPT adversaries againstDG-sSDH and sSDH of solvingthe respectively other problem differs by at most (2D(๐ผG ) + (1/๐)) andsolving sSDH with the help of aDG-sSDH adversary requires at most2๐ executions of RS on average.
Proof. sSDH hardโDG โ sSDH hard: Given an adversaryBDGโsSDH against DG โ sSDH with non-negligible success prob-ability ๐ , we show how to construct an adversary AsSDH. On re-ceiving an sSDH-challenge (๐๐,๐บ1,๐บ2), first note that ๐๐ is uni-formly sampled from G \ {๐ผG}. AsSDH uniformly samples ๐, ๐ โZ๐ until RS(๐บ๐1) = 1 and RS(๐บ
๐ 2) = 1, which requires 2๐ calls
to RS on average. AsSDH runs BDGโsSDH on input (๐๐,๐บ๐1,๐บ๐ 2).
If B queries DDH(๐บ๐1, ๐๐, ๐, ๐ฟ), A queries his own oracle withDDH(๐บ1, ๐๐, ๐, ๐ฟ1/๐ ) and relays the answer to B (queries ๐บ๐ 2 arehandled analogously). On receiving (๐๐ , ๐พ1, ๐พ2) from BDGโsSDH,AsSDH provides (๐๐ , ๐พ
1/๐1 , ๐พ
1/๐ 2 ) as solution in his sSDH experi-
ment.As RS is a rejection sampler for DG , (๐๐,๐บ๐1,๐บ
๐ 2) is a random
DG โ sSDH challenge, and thus B solves it with probability ๐ . IfB provides a solution, then AsSDH succeeds in solving his ownchallenge unless ๐บ๐1 or ๐บ
๐ 2 = ๐ผG or ๐บ
๐1 = ๐บ
๐ 2 which occurs at most
with probability (2DG (๐ผG) +1/๐). As RS executes in PPT,AsSDH isPPT, uses (2๐) calls to RS on average and succeeds with probability๐ (1 โ 2DG (๐ผG) โ 1/๐), which is non-negligible since ๐ is.
sSDH hardโDG โ sSDH hard: Given an adversary AsSDHagainst sSDH with non-negligible probability ๐ we show how toconstruct aDGโsSDH adversaryBDGโsSDH. On receiving aDGโsSDH challenge (๐๐,๐บ1,๐บ2), B samples ๐, ๐ โ Z๐ \ 0 and startsAsSDH on input (๐๐,๐บ๐1,๐บ
๐ 2). DDH oracle queries are handled the
same as above. On receiving (๐๐ , ๐พ1, ๐พ2) from AsSDH, B provides(๐๐ , ๐พ
1/๐1 , ๐พ
1/๐ 2 ) as solution to his own challenge.
If A is successful, then B succeeds unless either ๐บ1 or ๐บ2 = ๐ผGor๐บ๐1 = ๐บ
๐ 2 which occurs at most with probability (2DG (๐ผG) +1/๐).
Thus, B is a PPT adversary against DG โ sSDH succeeding withnon-negligible probability ๐ (1 โ 2DG (๐ผG) โ 1/๐). โก
Informally, the assumptions sSDH and DG โ sSDH becomeequivalent if stepping over an element that gets accepted in thesampling process becomes sufficiently likely for a randomly drawnsequence of candidates. Secondly, the probability of accidentalydrawing the neutral element from DG needs to be negligible.
On elliptic curves groups G that provide a property coined twistsecurity in [BL19], CPace allows for implementations with reducedcomputational complexity and code size under an additional as-sumption including the group Gโฒ on the curveโs quadratic twist.We formalize the corresponding problem sTCDH as follows.
Definition 3.7 (Strong twist CDH problem (sTCDH)). LetG be a first cyclic group with a generator ๐ต and (๐๐ = ๐ต๐ฆ๐ ) sampleduniformly from (G \ ๐ผG). Let Gโฒ be a second cyclic group. Givenaccess to DDH oracle DDH(๐ต,๐๐, ยท, ยท) in G, provide ๐,๐ โ Gโฒ \ ๐ผGโฒwith ๐ = ๐ ๐ฆ๐ .
3.3 The function Map2PointThe generators of the Diffie-Hellman exchange in CPace are com-puted via a deterministic function Map2Point : F๐ โ G, either byusing one single execution ofMap2Point or, alternatively, by addingthe results of two independent invocations of Map2Point. In bothcases, security of CPace relies onMap2Point meeting the require-ments from this section. Informally, we first require thatMap2Pointis invertible. That is, for any point on the image of the map, theremust be an efficient algorithmMap2PointPreImages that outputsall preimages in F๐ . Details on how such an inversion algorithmcan be efficiently implemented for various elliptic curve groupsare given in [FHSS+19, BHKL13, BCI+10a, Ham20] and referencestherein. Secondly, the maximum number of preimages ๐max map-ping to the same element must be konwn and needs to be small.This is needed in order to construct a rejection sampling algorithmwhose acceptance rate must depend on ๐max.
Definition 3.8. LetG be a group of points on an elliptic curve overa field F๐ . LetMap2Point : F๐ โ G be a deterministic function. ThenMap2Point(ยท) is called probabilistically invertible with at most ๐maxpreimages if there exists a probabilistic polynomial-time algorithm(๐1, . . . , ๐๐ (๐บ) ) โ Map2PointPreImages(๐บ) that outputs all ๐(๐บ)values ๐๐ โ F๐ s.th. ๐บ = Map2Point(๐๐ ) for all ๐บ โ G; and โ๐บ โ G,๐max โฅ ๐(๐บ).
For a map that fulfills this property an inverse probabilisticmap Map2Pointโ1 can be defined that also serves as rejectionsampling algorithm for the distribution DG that is produced byMap2Point(๐ ) for uniformly distributed inputs ๐ โ F๐ :
Algorithm 1 Map2Pointโ1 (ยท)On input ๐บ โ G: Sample ๐ uniformly from {1, . . . , ๐max}; Then
obtain๐ โ {0, . . . , ๐max} pre-images(๐1, . . . , ๐๐) โ Map2PointPreImages(๐บ); If๐ < ๐ return (โฅ), else
return (๐๐ )
-
Lemma 3.9. Given a probabilistically invertible map with at most๐max preimages according to Definition 3.8, then Algorithm 1 is a PPTrejection sampler for (G,DG) according to the Definition 3.5 withaverage acceptance rate ( |F๐ |/|G|)/๐max.
Proof. We first define the average number of preimages ๐max โฅ๐ โฅ 1 as the quotient of the order of the field F๐ and the numberof points on the image of the map, i.e., ๐ = |F๐ |/|support (DG) |.When drawing an element ๐บ uniformly from G, the probabilitythat the number of preimages๐ for ๐บ is nonzero is given by thequotient of the order of the support of DG and the order of thegroup. By the definition of ๐ above this is |F๐ |/(๐ |G|).
For any point on the map with a nonzero number๐ of preimages,Algorithm 1 returns a result โ โฅ with probability๐/๐max. As theaverage value for the number of preimages for any point on theimage of the map is ๐, the average acceptance rate is ( |F๐ |/(๐ |G|)) ยท๐/๐max = ( |F๐ |/|G|)/๐max. โก
Use of Map2Pointโ1 for uniformly sampling field elements fromF๐ . ForMap2Pointโ1 fromAlgorithm 1 the probability of returning๐ โ โฅ increases proportionally with the number of preimages for agiven input. As a result we can use it for transforming a sequenceof uniformly sampled group elements ๐บ๐ โ G to a sequence ofuniformly sampled field elements ๐๐ โ F๐ .
Corollary 3.10. Given a probabilistically invertible map with atmost ๐max preimages according to Definition 3.8, and points ๐บ๐ uni-formly sampled fromG, then ๐๐ โ Map2Pointโ1 (๐บ๐ ) according to Al-gorithm 1 outputs results ๐๐ โ โฅwith probability๐ โฅ (|F๐ |/|G|)/๐maxand the distribution of outputs ๐๐ โ โฅ will be uniform in F๐ .
Collision probability for map-generated points: Moreover, we cangive a bound the collision probability. When sampling two field ele-ments ๐๐, ๐๐ โR F๐ uniformly from F๐ , the probability of a collision๐บ๐ = ๐บ๐ , where ๐บ๐ โ Map2Point(๐๐) and ๐บ๐ โ Map2Point(๐๐ ),is bounded by ๐2max/๐.
4 THE CPACE PROTOCOLAs described in Section 1, the CPace protocol [HL19], whose de-scription can be found in Fig. 2, is a SPEKE-like protocol [Jab96]allowing parties to compute a common key via a Diffie-Hellmankey exchange with password-dependent generators. Informally, aparty P willing to establish a key with party P โฒ first computes agenerator ๐บ from a password pw, a session identifier sid, and theparty identifiers P and P โฒ. Next, P generates an element ๐๐ froma secret value ๐ฆ๐ sampled at random and sends it to P โฒ togetherwith sid. Upon receiving a value ๐๐ from P โฒ with respect to samesession identifier sid and verifying its validity, P then computes aDiffie-Hellman key ๐พ and aborts if ๐พ equals the identity element.Finally, it computes the session key as the hash of ๐พ together withsid, the party identifiers, and the exchanged values ๐๐ and ๐๐ .
In order to allow for efficient instantiations over different ellipticcurve groups, the CPace description in Fig. 2 contains several speci-ficities: (1) for our analysis the concatenation of party identifiersand exchanged messages uses an ordered concatenation functionoc so that messages can be sent in any order and parties do not haveto play a specific initiator or responder role (see Appendix C); (2) toavoid directly hashing onto a group or using interactiveMap2Point
P P โฒ
hโ H1 (๐ ๐๐ | |oc(P,P โฒ) | |pw) hโฒ โ H1 (๐ ๐๐ | |oc(P,P โฒ) | |pwโฒ)๐บ โ Map2Point(h) ๐บ โฒ โ Map2Point(hโฒ)๐ฆ๐ โ SampleScalar() ๐ฆ๐ โ SampleScalar()๐๐ โ ScalarMult(๐บ,๐ฆ๐) ๐๐ โ ScalarMult(๐บ โฒ, ๐ฆ๐ )
(sid, ๐๐ )
(sid, ๐๐)
๐พ โ ScalarMultVfy(๐๐ , ๐ฆ๐) ๐พ โฒ โ ScalarMultVfy(๐๐, ๐ฆ๐ )Abort if ๐พ = ๐ผG Abort if ๐พ โฒ = ๐ผG๐ผ๐๐พ โ H2 (๐ ๐๐ | |๐พ | |oc(๐๐, ๐๐ )) ๐ผ๐๐พ โฒ โ H2 (๐ ๐๐ | |๐พ โฒ | |oc(๐๐, ๐๐ ))Erase ๐พ, pw, ๐ฆ๐,๐บ Erase ๐พ โฒ, pwโฒ, ๐ฆ๐ ,๐บ โฒ
Output ๐ผ๐๐พ Output ๐ผ๐๐พ โฒ
Figure 2: The parallel CPace protocol.
functions, ๐ ๐๐ | |oc(P,P โฒ) | |pw is first hashed to the finite field F๐overwhich the curve is constructed and thenmapped onto the curvevia aMap2Point function; (3) the computation of the๐ฆ and๐ valuesdoes not assume a particular group and uses generic functions forsampling (SampleScalar) and scalar multiplication (ScalarMult); (4)point verification is performed to protect against trivial attacksagainst the scheme and merged with scalar multiplication into aScalarMultVfy function; (5) ephemeral values are erased as soonas they are no longer needed for adaptive security; and (6) tran-scripts are included in the final key computation to protect againstman-in-the-middle attacks.
CPace is usually implemented with elliptic curves. In the up-coming section, however, we start with a security analysis of theโbasicโ CPace protocol on general groups which is shown in Fig. 10.This simplified protocol is parametrized by a security parameter ๐a group G and two hash functions H1 and H2, both modeled as arandom oracle, where H1 hashes to G (i.e. without the map).
5 SECURITY OF SIMPLIFIED CPACEIn this Section, as a warm-up, we analyze security of a simplifiedvariant of CPace, which we call CPacebase. The main simplificationis that we assume the function H1 to hash onto the group G, suchthat parties compute generators as ๐บ โ H1 (๐ ๐๐ | |oc(P,P โฒ) | |pw),omitting the map Map2Point. Further, we assume G to be a mul-tiplicatively written group of prime order ๐ . We further instanti-ate ScalarMult(๐ต,๐ฆ) := ๐ต๐ฆ as exponentiation, ScalarMultVfy(๐,๐ฆ)such that it returns the neutral element if ๐ is not in the groupand ๐ ๐ฆ otherwise, and SampleScalar with uniform sampling from{1 . . . ๐}. We postpone dealing with security-related issues intro-duced by instantiating G with an elliptic curve, which comes withโimperfectโ Map2Point mappings and other artifacts such as X-coordinate-only and cofactor clearing, to a later Section. For clarity,we give a UC execution of CPacebase in Fig. 10 and prove its securityproperties in the following theorem.
Theorem 5.1 (Security of CPacebase). Let ๐, ๐ โ N with ๐ primeand of bit size ๐ . Let G be a group of order ๐ , and let H1 : {0, 1}โ โ
-
The simulator S (G2) samples and stores a generator ๐ต โ G.
On (NewSession, sid, ๐๐ , ๐ ๐ ) from FlePAKE:(G4) sample ๐ง๐ โR Z๐ , set ๐๐ โ ๐ต๐ง๐ , store (๐๐ , ๐ง๐ , ๐๐ ,โฅ)(G4) send ๐๐ to A intended to ๐ ๐
On ๐ โ from A as msg to (sid, ๐๐ ):(G4) if ๐ โ is adversarially generated and ๐ โ โ G \ ๐ผG ,
then send (RegisterTest, sid, ๐๐ ) to FlePAKE
Upon ๐๐ receiving ๐๐ โ G from ๐ ๐ :(G4) retrieve record (๐๐ , ๐ง๐ , ๐๐ , โ)(G4) if โ records (G5) (H1, oc(๐๐ , ๐ ๐ ), pw, ๐ , ๐โ1,๐บ), (H2, ๐พ | |oc(๐๐ , ๐๐ ), ๐ผ๐๐พ) such that ๐พ = ๐๐ง๐๐
โ1
๐
(G5) store (guess,๐บ,๐๐ ), abort if โ record (guess,๐บ โฒ, ๐๐ ) with ๐บ โ ๐บ โฒ and (G4) send (TestPwd, sid, ๐๐ , pw) to FlePAKE(G4) send (NewKey, sid, ๐๐ , ๐ผ๐๐พ) to FlePAKE and store (๐๐ , ๐ง๐ , ๐๐ , ๐ผ๐๐พ)(G4) else sample a fresh random ๐ผ๐๐พ โฒ and send (NewKey, sid, ๐๐ , ๐ผ๐๐พ โฒ) to FlePAKE //FlePAKE will discard ๐ผ๐๐พ โฒ
On H1 (sid | |P | |P โฒ | |pw) from A:(G2) if this is the first such query then(G2) create one by sampling ๐ โR F๐ \ {0}(G3) abort if there exists a record (H1, โ, โ, ๐ , โ, โ)(G2) store (H1,P||P โฒ, pw, ๐ , ๐โ1, ๐ต๐ ) and set โ โ ๐ต๐(G2) else retrieve record (H1,P||P โฒ, pw, โ, โ, โ)(G2) reply with โ
On receiving (AdaptiveCorruption, sid) from A as msg to ๐๐ :send AdaptiveCorruption, sid, ๐๐ ) to FlePAKEretrieve record (sid, pw)(G4) if a message ๐๐ := ๐ต๐ง๐ was already sent to ๐ ๐ , then(G4) if a record (H1, โ, pw, ๐ , ๐โ1, โ) exists then set ๐ฆ๐ โ ๐ง๐๐โ1(G4) else store (H1, โ, pw, ๐ โฒ, ๐ โฒโ1, ๐ต๐
โฒ), ๐ โฒ โR Z๐ and set ๐ฆ๐ โ ๐ง๐๐ โฒโ1(G4) send (pw, ๐ฆ๐ ) to A
On H2 (sid | |๐พ | |๐๐ | |๐๐ ) from A:(G4) if this is the first such query then(G7) if โ records (๐๐ , ๐ง๐ , ๐๐ , โ), (๐ ๐ , ๐ง ๐ , ๐๐ , โ), (H1, oc(๐๐ , ๐ ๐ ), ๐ , ๐โ1, โ) such that ๐พ๐ = ๐ต๐ง๐๐ง ๐ then abort(G4) if records (๐๐ , โ, ๐๐ , โ) or (๐ ๐ , โ, ๐๐ , โ), or if ๐๐ | |๐๐ โ oc(๐๐, ๐๐ ), then sample ๐ดโR {0, 1}2๐
(G4) if โ records (๐๐ , ๐ง๐ , ๐๐ , ๐ผ๐๐พ) and (G5) (H1, oc(๐๐ , ๐ ๐ ), pw, ๐ , ๐โ1,๐บ) such that ๐พ = ๐๐ง๐๐โ1
๐, (G5) record (guess,๐บ,๐๐ ), abort if
โ record (guess,๐บ โฒ, ๐๐ ) with ๐บ โ ๐บ โฒ. Send (LateTestPwd, sid, ๐๐ , pw) to FlePAKE. Upon answer ๏ฟฝฬ๏ฟฝ set ๐ดโ ๏ฟฝฬ๏ฟฝ(G4) if โ records (๐ ๐ , ๐ง ๐ , ๐๐ , ๐ผ๐๐พ) with ๐ผ๐๐พ โ โฅ and (G5) (H1, oc(๐๐ , ๐ ๐ ), pw, ๐ , ๐โ1,๐บ) such that ๐พ = ๐
๐ง ๐๐โ1
๐, (G5) store (guess,๐บ,๐๐ ),
abort if โ record (guess,๐บ โฒ, ๐๐ ) with ๐บ โ ๐บ โฒ. Send (LateTestPwd, sid, ๐ ๐ , pw) to FlePAKE. Upon answer ๏ฟฝฬ๏ฟฝ set ๐ดโ ๏ฟฝฬ๏ฟฝ(G4) if no matching H1 records are found set ๐ดโR {0, 1}2๐(G4) finally, store (H2, ๐พ | |๐๐ | |๐๐ , ๐ด) and reply with ๐ด(G4) else retrieve record (H2, ๐พ | |๐๐ | |๐๐ , ๐ด) and reply with ๐ด
Figure 3: Simulator for CPacebase, with game numbers to indicate which game introduces a particular line of code (cf. fullproof of Theorem 5.1 in Appendix A. For brevity we omit session identifiers sid from all records stored by the simulator.
G,H2 : {0, 1} โ {0, 1}๐ be two hash functions. If the sCDH andsSDH problems are hard in G, then protocol CPacebase depicted inFig. 10 UC-emulates FlePAKE in the random oracle model with respectto adaptive corruptions and both hash functions modeled as randomoracles. More detailed, it holds that
|๐๐ [RealZ (CPacebase,A)] โ ๐๐ [IdealZ (FlePAKE,S)|
โค ๐2H1/๐ + 2๐2H1Adv
sSDH + AdvsCDH
where ๐H1 denotes the number of H1 queries made by the adversaryA and simulator S is depicted in Fig. 3.
Proof Sketch. The main idea of the simulation is to fix a secretgenerator ๐ต โ G and carry out the simulation with respect to ๐ต.Messages of honest parties are simulated as ๐ต๐ง for a fresh expo-nent ๐ง. Queries H1 (sid | |oc(P,P โฒ) | |pw) are answered with ๐ต๐ fora freshly chosen โtrapdoorโ ๐ . The simulator might learn an hon-est partyโs password via adaptive corruption or via an adversarialpassword guess. The simulator can now adjust the simulation in ret-rospective to let the honest party use ๐ต๐ = H1 (sid | |oc(P,P โฒ) | |pw)
by claiming the partyโs secret exponent to be ๐ง๐โ1. This already con-cludes simulation of honest parties without passwords. Adversarialpassword guesses can be read from A injecting ๐ (or, similarly,๐ ) and then querying H2 (sid | |๐พ | |๐ | |๐ ) with ๐พ being a correctlycomputed key w.r.t some generator ๐ต๐ provided by the simulation.S can now read the guessed password from the H1 list, and submitit as password guess to FlePAKE. In case of success, the simulatorsets the key of the honest party to H2 (sid | |๐พ | |๐ | |๐ ).
The simulation is complicated by the order of honest partiesโ out-puts (which are generated upon receipt of the single message) andthe adversaryโs computation of final session keys via H2 queries. Ifthe key is generated by FlePAKE beforeA computes it viaH2 (whichconstitutes a password guess as detailed above), then S needs toinvoke the LateTestPwd query of FlePAKE instead of TestPwd. Incase of a correct guess, this letsS learn the output key of the honestparty, which S can then program into the corresponding H2 query.
Finally, the simulation can fail in some cases. Firstly, S mightfind more than one password guesses against an honest party with
-
simulated message ๐ . In this case simulation cannot continue sinceFlePAKE allows for only one password guess per party. In this case,however, A would provide (๐ต๐ , ๐,๐ , ๐พ),(๐ต๐ โฒ, ๐,๐ , ๐พ โฒ) which aretwo CDH tuples for passwords pw, pwโฒ with ๐ต๐ โ H1 (pw), pwโฒ โH1 (pwโฒ) (omitting session and party identifiers for brevity). Pro-vided that the simultaneous strong CDH assumption (sSDH, cf.Definition 3.2) holds, this cannot happen. Here, the โstrongโ prop-erty, providing a type of DDH oracle, is required to help S identifyCDH tuples among all queries to H2. A second case of simulationfailure occurs when A wants to compute a key of an uncorruptedsession via a H2 query. Since S does not know such keys, it wouldhave to abort. Using a similar strategy as above, pseudorandomnessof keys can be shown to hold under the strong CDH assumption,and thus the probability of A issuing such a H2 query is negligible.The full proof can be found in Appendix A. โก
5.1 Embedding CDH experiment libraries intothe simulator
In this section, we discuss an alternative approach to carrying outreductions to cryptographic assumptions in the case of CPace/CDH.Both assumptions required by CPacebase, sCDH and sSDH, allowfor an efficient implementation in the following sense: the secretexponents that are sampled by the experiment code (often alsocalled the challenger) for generating challenges are sufficient foranswering the restricted DDH queries allowed by both assump-tions. An example for an assumption that does not allow for suchefficient instantiation is, e.g., gap CDH. In gap-CDH, the adversaryis provided with a โfullโ DDH oracle that he can query on arbitraryelements, of which the experiment might not know an exponentfor.
Due to this property, we can integrate implementations of theCDH experiments in the simulatorโs code. The simulator will thusimplement the DDH oracles on its own, and abort if at any timean oracle query solves the underlying assumption. We chose tointegrate experiments as libraries (written as objects in python-stylenotation) into the simulatorโs code. This eases not only presentationbut will also become useful when analyzing variants of CPace thatrequire slightly different assumptions.
The corresponding result for CPacebase is shown in Fig. 4. ThesCDH class in Fig. 4 produces a challenge consisting of two uni-formly drawn group elements ๐1 โ ๐ต๐ฆ1 , ๐2 โ ๐ต๐ฆ2 . The limitedDDH oracle provided by the sCDH assumption can only receiveinputs w.r.t one of these elements, and thus it can be implementedefficiently using secret exponents ๐ฆ1, ๐ฆ2. If a correct CDH solution๐ต,๐1, ๐2, ๐ต๐ฆ1,๐ฆ2 is provided, the library aborts. The simulator fromFig. 3 is adapted to call the libraries. As an example, honest partiesโmessages are simulated by calling the challenge sampling procedureexp.sampleY().
Proving indistinguishability. With this simulation approach, aproof consists in demonstrating that ideal and real world execu-tions are indistinguishable except for events in which the experi-ment libraries abort because a challenge was correctly answered.Compared to our proof of Theorem 5.1, the indistinguishabilityargument becomes simpler because the reduction strategies to bothCDH-type assumptions are already embedded in the correspond-ing assumption experiment libraries. Losses such as the factor of
2๐2H1AdvssCDH in the reduction to sSDH in game G5 translate to
libraries producing more than one challenge per simulation run,as is the case for the sSDH experiment from Fig. 4. Altogether, thesimulation with integrated CDH experiment libraries is an alter-native approach of proving Theorem 5.1, as we formalize in thefollowing.
Theorem 5.2 (Alternative simulation for Theorem 5.1). The simu-lator depicted in Fig. 4 is a witness for the UC emulation statement inTheorem 5.1
Proof sketch. The output distribution of the simulator S fromFig. 4 is indistinguishable from the one of the simulator from Fig. 3as it is obtained from internal restructuring. S aborts if either thesSDH or the sCDH experiment class aborts, which occurs iff a cor-rect solution has been provided to the experiment implementationor a H1 collision is observed. These cases coincide with the abortcases in the proof of Theorem 5.1. As the sSDH object outputs2๐2H1 different challenges and as it is sufficient forZ to provide asolution to one of these challenges for distinguishing both worlds,the advantage for solving the sSDH problem needs to be multipliedby this factor, thus reproducing the bounds from Theorem 5.1. โก
Advantages of embedding libraries in the simulation. To clarify, theapproach presented in this section does not allow to prove strongersecurity statements. As demonstrated above, it is merely an alter-native way of presenting security proofs in the UC framework orother simulation-based frameworks, and it works whenever the un-derlying cryptographic assumptions are efficiently implementable.However, we believe that the approach has its merits especially inthe following dimensions.โข Modular security analysis. Slight modifications in the pro-tocol might require to change the cryptographic assumption.As long as the public interface does not change, our approachallows to switch between assumptions by simply calling adifferent library. Cryptographers then need to only analyzethis โlocalโ change in the simulation, which prevents themfrom re-doing the whole indistinguishability argument.โข Presentation of reduction strategies. In normal game-based indistinguishability arguments [Sho04], reductionsto cryptographic assumptions are hidden within side-longproofs. With our approach, the reduction strategy is depictedin clear code as part of the simulatorโs code. This makeschecking of proofs easier not only for readers but also mightmake simulation-based proofs more accessible to automatedverification.
In this paper, our motivation is the first dimension. In the upcomingsection, the library-based approach will turn out to be extremelyuseful to analyze the various variants of CPace that stem from(efficiency-wise) optimized implementations on different ellipticcurves.
6 ANALYSIS OF REAL-WORLD CPACEThe currently most efficient way to run CPace is over elliptic curves.Therefore, from this point onwards, we consider G to be an ellipticcurve constructed over field F๐ . From a historical perspective, bothCPace research and implementation first focused on prime order
-
# using python-style notation with self pointer ๐ for accessing members in methods and _init_ constructordef class sCDH:
def _init_(๐ ,๐บ): { ๐ .๐ต โ ๐บ ; ๐ .๐ โ 0; ๐ .stateโ fresh; }def sampleY(s): { if ๐ .๐ โค 2: {๐ .๐+ = 1; sample ๐ .๐ฆ๐ โR F๐ \ 0; return (๐ .๐ต)๐ .๐ฆ๐ ; } }def corrupt(s,๐ ): { for 1 โค ๐ โค ๐ .๐): {if (๐ = (๐ .๐ต)๐ .๐ฆ๐ ): ๐ฅ โ ๐ .๐ฆ๐ ; ๐ .stateโ corrupt; return x; } }def DDH(๐ , ๐ต, ๐ , ๐, ๐พ ):
if ({๐,๐ }={๐ .๐1, ๐ .๐2}) and (๐ .state= fresh) and (๐พ = (๐ .๐ต)๐ .๐ฆ1 ยท๐ .๐ฆ2 ) : abort("sCDH(๐ต,๐1, ๐2) solved");for 1 โค ๐ โค ๐ .๐: { if (๐ = (๐ .๐ต)๐ .๐ฆ๐ ): return (๐พ = ๐๐ .๐ฆ๐ ); } # compute DDH oracle reply from secret exponent of ๐
def isValid(๐ ): return (๐ โ G \ ๐ผG )def class sSDH: # using python-style notation [ ] for list containers
def _init_(๐ ,sCdhExp): { sample ๐ .๐ต โR G; ๐ .๐ ๐๐โ = sCdhExp(๐ .๐ต); ๐ .records =[ ]; ๐ .guess = "yet no guess"; }def sampleY(๐ ): { return (๐ .๐ ๐๐โ) .sampleY(); }def isValid(๐ ): return (๐ .๐ ๐๐โ).isValid(๐ );def sampleH1(๐ ): { sample ๐ โR F๐ \ 0; if: ๐ in ๐ .records abort("H1 collision"); else: {๐ .records.append((๐, (๐ .๐ต)๐ )); return (๐ .๐ต)๐ ; }}def corrupt(๐ ,๐บ,๐ ): { if there is (๐,๐บ) in ๐ .records: return (๐ .๐ ๐๐โ) .corrupt(๐ 1/๐ ); }def DDH(๐ ,๐บ,๐,๐, ๐พ ):
if there is (๐,๐บ) in ๐ .records:matchโ (๐ .๐ ๐๐โ).DDH(๐ .๐ต, ๐ , ๐, ๐พ1/๐ );if match and (guess = "yet no guess"): (guess.๐บ ,guess.๐ )โ (๐บ,๐ );elif match and (guess.๐ = ๐ ) and (guess.๐บ โ ๐บ): abort("sSDH problem (๐,๐บ,guess.๐บ) solved");return match;
On first invokation S creates an experiment class instance exp= sSDH(sCDH);
On (NewSession, sid, ๐๐ , ๐ ๐ ) from FlePAKE:(G4) Set ๐๐ โ exp.sampleY(), store (๐๐ , ๐ ๐ , ๐๐ ,โฅ)(G4) send ๐๐ to A intended to ๐ ๐
On ๐ โ from A as msg to (sid, ๐๐ ):(G4) if ๐ โ is adversarially generated and exp.isValid(๐ โ)(G4) send (RegisterTest, sid, ๐๐ ) to FlePAKE
Upon ๐๐ receiving ๐๐ from ๐ ๐ : retrieve record (๐๐ , โ, ๐ง๐ , ๐๐ , โ)(G1) if not exp.isValid(๐๐ ): return;(G4) if โ records (H1, pw,oc(๐๐ , ๐ ๐ ), โ), (H2, ๐พ | | (oc(๐๐ , ๐๐ ), ๐ผ๐๐พ) such that exp.DDH(โ,๐๐ , ๐๐ , ๐พ ) = 1:(G4) send (TestPwd, sid, ๐๐ , pw) to FlePAKE(G4) send (NewKey, sid, ๐๐ , ๐ผ๐๐พ) to FlePAKE and store (๐๐ , ๐ ๐ , ๐๐ , ๐ผ๐๐พ)(G4) else sample a fresh random ๐ผ๐๐พ โฒ and send (NewKey, sid, ๐๐ , ๐ผ๐๐พ โฒ) to FlePAKE # FlePAKE will discard ๐ผ๐๐พ โฒ
On H1 (sid | |๐๐ | |๐ ๐ | |pw)) from A:(G2) if this is the first such query then(G2) โ โ exp.sampleH1()(G2) store (H1, pw, ๐๐ | |๐ ๐ , โ)(G2) lookup (H1, pw, ๐๐ | |๐ ๐ , โ) and reply with โ
On receiving (AdaptiveCorruption, sid) from A as msg to ๐๐ :Lookup (๐๐ , ๐ ๐ , ๐๐ , โ); send (AdaptiveCorruption, sid, ๐๐ ) to FlePAKE, obtain (sid, pw)(G4) if a message ๐๐ was already sent to ๐ ๐ , then(G4) query H1 for (sid | |pw, oc(๐๐ , ๐ ๐ )) and retrieve record (H1, pw, oc(๐๐ , ๐ ๐ ), โ)(G4) send (pw,exp.corrupt(โ,๐๐ ))
On H2 (sid | |๐พ | |๐๐ | |๐๐ ) from A:(G4) Lookup (H2, sid | |๐พ | |๐๐ | |๐๐ , โ) and send โ if it exists; else if this is the first such query:(G4) if there are no records (๐๐ , ๐ ๐ , ๐๐ , โ) or (๐ ๐ , ๐๐ , ๐๐ , โ), or if ๐๐ | |๐๐ โ oc(๐๐, ๐๐ ): sample ๐ดโ {0, 1}2๐ ;(G4) if โ records (๐๐ , ๐ ๐ , ๐๐ , ๐ผ๐๐พ) with ๐ผ๐๐พ โ โฅ and (H1, pw, oc(๐๐ , ๐ ๐ ), โ) such that exp.DDH(โ,๐๐ , ๐๐ , ๐พ ) = 1:(G5) send (LateTestPwd, sid, ๐๐ , pw) to FlePAKE. Upon answer ๏ฟฝฬ๏ฟฝ set ๐ดโ ๏ฟฝฬ๏ฟฝ(G4) if โ records (๐ ๐ , ๐๐ , ๐๐ , ๐ผ๐๐พ) with ๐ผ๐๐พ โ โฅ and (H1, pw, oc(๐๐ , ๐ ๐ ), โ) such that exp.DDH(โ,๐๐ , ๐๐ , ๐พ ) = 1:(G5) send (LateTestPwd, sid, ๐ ๐ , pw) to FlePAKE. Upon answer ๏ฟฝฬ๏ฟฝ set ๐ดโ ๏ฟฝฬ๏ฟฝ(G4) if no matching H1 records are found set ๐ดโ {0, 1}2๐(G4) finally, store (H2, sid | |๐พ | |๐๐ | |๐๐ , ๐ด) and reply with ๐ด
Figure 4: Simulator for โbasicโ parallel CPace embedding CDH challenges generated by libraries
curves, such as the NIST-P-256 curve [DSS13]. Subsequently signif-icantly improved performance was shown on Montgomery- and(twisted-)Edwards curves, notably Curve25519 and Ed448 curves[Ber06, Ham15b], which both have a small cofactor ๐ in their grouporder ๐ ยท ๐ . These approaches consider also implementation pitfalls,
e.g., by designing the curve such that there are no incentives for im-plementers to use insecure speed-ups. Thirdly, recently ideal groupabstractions have been presented in order to avoid the complexityof small cofactors in the group order [Ham15a, dVGT+20], whilemaintaining all advantages of curves with cofactor.
-
For smooth integration into each of these different curve ecosys-tems, CPace needs to be instantiated slightly different regarding,e.g., computation of the DH generator, group size, multiplicationand sampling algorithms. In this section, we analyze how suchdifferences impact security. Using our modular approach with as-sumption libraries called by a simulator, we are able to presentsecurity in terms of differences from our basic CPace analysis inSection 5 in a concise way.
6.1 CPace without Hashing to the GroupIn this subsection we analyze the CPace protocol as depicted inFig. 2 and where G is an elliptic curve constructed over some fieldF๐ . The only difference to simplified CPace analyzed in the previ-ous section is how parties compute the generators: now the func-tion H1 hashes onto the field F๐ , and generators are computed as๐บ โ Map2Point(H1 (๐ ๐๐ | |oc(๐๐ , ๐ ๐ ) | |pw) for a map Map2Point :F๐ โ G. This way, the H1 outputs can be considered to form analternative encoding of group elements, whereMap2Point decodesto the group. ScalarMult, ScalarMultVfy and SampleScalar are asin Section 5.
Security analysis. Security analysis is complicated by this changein essentially two ways: first, the possibly non-uniform distributionof Map2Point induces non-uniformity of DH generators computedby the parties. Second, embedding of trapdoors no longer worksby simply programming elements with known exponents into H1.Instead, the proof will exploit thatMap2Point is probabilisticallyinvertible, such that preimages of generators with known expo-nents can be programmed into H1 instead. Consequently, securityof CPace will be based on theDG โsSDH problem Definition 3.3 in-stead of the sSDH problem, where the distributionDG correspondsto the distribution of group elementsMap2Point(โ๐ ) obtained foruniformly sampled field elements โ๐ โR F๐ . All these changescan be captured by replacing library sSDH with a new library forDG โ sSDH, as we demonstrate below.
Theorem 6.1 (Security of CPace with Map2Point). Let ๐, ๐, ๐ โ Nwith ๐ prime and of bit size ๐ . Let G an elliptic curve of order ๐over field F๐ . Let H1 : {0, 1}โ โ F๐,H2 : {0, 1}โ โ {0, 1}๐ be twohash functions and Map2Point : F๐ โ G probabilistically invertiblewith bound ๐๐๐๐ฅ . Let DG denote the distribution on G induced byMap2Point. If the sCDH andDG-sSDH problems are hard in G, thenthe CPace protocol depicted in Fig. 2 UC-emulates FlePAKE in therandom oracle model with respect to adaptive corruptions and bothhash functions modeled as random oracles. More detailed, it holdsthat
|๐๐ [Real(Z,A,๐ถ๐๐๐๐)] โ ๐๐ [Ideal(FlePAKE,S)|โค (๐H1 )2/๐ + (๐max ยท ๐H1 )2/๐ + 2๐2H1Adv
๐ทGโsSDH + AdvsCDH
where ๐H1 denotes the number of H1 queries made by the adversaryA and simulator S is as in Fig. 4 but using the object distExp (cf.Fig. 5) instead of the object sSdhExp.
Proof Sketch. We adjust the simulator for โbasicโ CPace fromFig. 4 as follows. First, we embed the reduction strategy from Theo-rem 3.6 into an experiment library that converts sSDH challengesinto DG โ sSDH challenges and obtain the class DG_sSDH de-picted in Fig. 5. The classDG_sSDH uses theMap2PointPreImages
function (passed as a constructor parameter) for implementing theMap2Pointโ1 as defined in Algorithm 1 and an instance of the sSDHclass implementing a sSDH experiment and an instance of the sSDHclass that is assigned to a member variable. Note thatMap2Pointโ1is a rejection sampler for DG by Lemma 3.9 and, correspondingly,Theorem 3.6 applies. Each time the main body of the simulator fromFig. 4 makes calls to its exp object, the corresponding method of thenew DG_sSDH object will be executed, which itself translates thequeries into calls to the sSDH object that was passed as constructorparameter.
Importantly, DG_sSDH provides the same public API as thesSDH class with the distinction that sampling forH1 returns resultsfrom F๐ instead of G. Moreover DG_sSDH aborts if the code of itssSDH object aborts and upon H1 collisions.
We explain now how the indistinguishability argument of Theo-rem 5.1 needs to be adjusted in order to work for Theorem 6.1 andthis new simulator. The first difference applies in game G2, wherewe must make sure that the distribution of points provided by theDG_sSDH object is uniform in F๐ as was in the previous game. Thisis the case due to Corollary 3.10. In gameG3 no change is needed ex-cept for adjusting the collision probability following the derivationfrom Section 3.3 as which is now bound by (๐max ยท ๐H1 )2/๐ in addi-tion to the previous ล2H1/๐ probability. Apart of these modificationthe proof applies without further changes.
โก
Actual implementations of Map2Point. The property of proba-bilistic invertibility is fulfilled for a wide variety of mapping al-gorithms, specifically those currently suggested in [FHSS+19], i.e.Elligator2 [BHKL13], simplified SWU [FHSS+19] and the Shallue-van de Woestijne method (SvdW) [SvdW06]. The most genericof these algorithm, SvdW, works for all elliptic curves, while thesimplified SWU and Elligator2 algorithms allow for more efficientimplementations given that the curve fulfills some constraints.
All these mappings have a fixed bound ๐max regarding the num-ber of pre-images and come with a PPT algorithm for calculat-ing all preimages. For instance, Elligator2 [BHKL13] comes witha maximum ๐max = 2 of two pre-images per point and ๐max โค 4for the simplified SWU and SvdW algorithms [FHSS+19]. For allthese algorithms, the most complex substep for determining allpre-images is the calculation of a small pre-determined numberof square roots and inversions in F๐ which could be easily imple-mented in polynomial time with less computational complexitythan one exponentiation operation.
Map-twice-and-add constructions. Some mapping constructionsaim at producing more uniform distributions using a map-twice-and-add approach, such as presented in [FHSS+19] and also adoptedby the ristretto25519 and decaf ecosystems [dVGT+20, Ham15a].Variant CPacemapTwice computes generators as๐บ โ Map2Point(โ)ยทMap2Point(โโฒ), where (โ,โโฒ) โ H1 (๐ ๐๐ | |oc(P,P โฒ) | |pw). Follow-ing our modular simulation approach, we give the correspondingexperiment librarymapTwice_sSDH in Fig. 11. The library producestwo elements from F๐ instead of a single one as before. Again wemake use of the property of probabilistic invertibility which guaran-tees that the two field elements output by the sampleH1() functionare uniformly distributed in F๐ . Here the collision bound โค ๐2H1/๐ is
-
# using python-style notation with self pointer ๐ def class DG_sSDH:def _init_(๐ ,Map2PointPreImages, ๐max, sSDHExp):๐ .๐ ๐๐ท๐ป = sSDHExp; ๐ .๐๐๐๐๐๐๐ = [];๐ .๐๐๐๐ฅ = ๐max; ๐ .๐๐๐๐๐ =Map2PointPreImages;
def sampleY(๐ ): return (๐ .๐ ๐๐ท๐ป ) .sampleY();def isValid(๐ ): return (๐ .๐ ๐๐ท๐ป ).isValid(๐ );def sampleH1(๐ ):๐บ โ (๐ .๐ ๐๐ท๐ป ) .sampleH1();while (1):sample ๐ โR F๐ ; preimageList = (๐ .๐๐๐๐๐) (๐บ๐ );sample๐ โR {0 . . . (๐ .๐max โ 1)};if len(preimageList) >๐:if ๐ = 0: abort("Sampled neutral element.");โ โpreimageList[๐];if โ in ๐ .๐๐๐๐๐๐๐ abort("H1 collision");๐ .๐๐๐๐๐๐๐ .append(๐,๐บ๐ , โ);return โ;
def corrupt(๐ , โ, ๐ ):if there is (๐,๐บ, โ) in ๐ .records:return (๐ .๐ ๐๐ท๐ป ).corrupt(๐บ,๐ 1/๐ );
def DDH(๐ ,โ,๐, ๐, ๐พ ):if there is (๐,๐บ, โ) in ๐ .records:return (๐ .๐ ๐๐ท๐ป ).DDH(๐บ,๐,๐, ๐พ1/๐ );
# Chaining the experiments for CPace on prime order curve,# full (x,y) coordinate, single map executionsSdhExp = sSDH(sCDH);distExp = DG_sSDH(Map2PointPreImages, ๐max,sSdhExp);
Figure 5: Experiment class definitionDG-sSDH using singleexecutions ofMap2Point, where H1 hashes to F๐ .
maintained at the expense of doubling the computational complex-ity of the map [Ham20, BCI+10b, FHSS+19, FT12]. Security holdsunder the same assumption set as for โmap2point-onceโ (Theo-rem 6.1), specificallyMap2Point needs to be probabilistically invert-ible such that the rejection samplers in Fig. 11 can be implementedand the simulated H1 outputs become uniform in F๐ ร F๐ .
6.2 Considering curves with small co-factorIn this subsection, we now additionally consider that the ellipticcurve group can be of order ๐ ยท ๐ whereMap2Pointmaps to the fullcurve, denoted G๐ ยท๐ , but security guarantees could only be givenfor the subgroup of order ๐ , denoted G๐ . Consequently, CPaceco oncurves with co-factor ๐ requires all secret exponents to be multiplesof ๐ . Hence, CPaceco is CPace depicted in Fig. 2 where ScalarMult :(๐,๐ฆ) โฆโ (๐๐ ยท๐ฆ) and ScalarMultVfy is defined accordingly, withthe addition that the latter returns ๐ผ in case of inputs not on thecurve G๐ ยท๐ .
Theorem 6.2 (Security of CPaceco). Let ๐, ๐, ๐, ๐ โ N, ๐, ๐ co-prime with ๐ prime. Let G๐ ยท๐ an elliptic curve of order ๐ ยท ๐ overfield F๐ and G๐ โ G๐ ยท๐ a subgroup of order ๐ . Let ๐ถ๐ถ๐ : (๐บ) โฆโ((๐บ๐ )1/๐ mod ๐ ) be a cofactor clearing function for ๐ , H1 : {0, 1}โ โF๐,H2 : {0, 1}โ โ {0, 1}๐ be two hash functions and Map2Point :F๐ โ G๐ ยท๐ probabilistically invertible with bound ๐๐๐๐ฅ . Let DG
# using python-style notation with self pointer ๐ def class cofactorClearer:"interfaces S to a prime-prder experiment class"def _init_(๐ , ๐, ๐ , primeOrderExpInstance ,๐๐ก๐ค๐๐ ๐ก ):๐ .๐ = c; ๐ .i= ๐ .๐ ยทinteger(1/(๐ .๐2) mod ๐);๐ .it= ๐ .๐ ยท integer(1/(๐ .๐2) mod ๐๐ก๐ค๐๐ ๐ก );๐ .exp = primeOrderExpInstance;
def sampleY(๐ ): return ((๐ .exp).sampleY())๐ .๐ ;def isValid(๐ ): return (๐ .exp) .isValid(๐๐ .๐ )def sampleH1(๐ ): return (๐ .exp).sampleH1();def corrupt(๐ , โ, ๐ ): { return (๐ .exp) .corrupt(โ,๐๐ .i); }def DDH(๐ ,๐บ,๐,๐, ๐พ ):if ๐ โ G return (๐ .exp) .DDH(๐บ,๐ ๐ .i, ๐๐ .i, ๐พ๐ .i2 )if ๐ on twist return (๐ .exp).DDH(๐บ,๐ ๐ .it, ๐๐ .it, ๐พ๐ .it2 )
sSdhExp = sSDH(sCDH);ccExp = cofactorClearer(sSdhExp);ccDistExp = DG_sSDH(Map2PointPreImages, ๐max,ccExp);
Figure 6: Cofactor-clearer class definition use for ellipticcurves of order ๐ ยท ๐ with a quadratic twist of order ๐๐ก๐ค๐๐ ๐ก .Note that the inverses ๐ .๐ and ๐ .๐๐ก are constructed such thatthey are multiples of ๐.
denote the distribution on G๐ induced by the chained function (๐ถ๐ถ๐ โฆMap2Point). If the sCDH and DG-sSDH problems are hard in G๐ ยท๐ ,then CPaceco UC-emulates FlePAKE in the random oracle model withrespect to adaptive corruptions and both hash functions modeled asrandom oracles. More detailed, it holds that
|๐๐ [Real(Z,A,CPaceco)] โ ๐๐ [Ideal(FlePAKE,S)|โค (๐max ยท ๐ ยท ๐H1 )2/๐ + 2๐2H1Adv
๐ทGโsSDH + AdvsCDH
where ๐H1 denotes the number of H1 queries made by the adversaryA and simulator S is as in Fig. 4 but using class ccDistExp (cf. Fig. 6)instead of class sSDH.
Proof Sketch. The group G๐ ยท๐ has a point ๐ต1 of order ๐ with๐ต๐๐= ๐ผ where ๐ผ denotes the identity element in G๐ ยท๐ , i.e., there are
๐ low-order points ๐ต๐1, ๐ โ {1 . . . ๐}. For any point ๐ โ G๐ ยท๐ we canconsider the points๐๐ = ๐ +๐ต๐ as alternative ambiguous representa-tions of the point๐ถ๐ถ๐ (๐ ). For any input point ๐ โ G๐ ยท๐ , all these ๐alternative representations can be easily calculated using group op-erations and ๐ต๐ . For any of these ๐ alternative representations of๐ atmost ๐max preimages will be returned byMap2PointPreImagesG๐ ยค๐since Map2Point is probabilistically invertible on G๐ ยท๐ . If up to๐max preimages exist per point on the full curve, Map2Point isprobabilistically invertible also on G๐ and Map2PointPreImagesGfor G๐ ยท๐ can be defined such that it returns all of the preimages ofthe ๐ ambiguous representations of an input, which are boundedby ๐max ยท ๐ .
As ScalarMultVfy and ScalarMult use exponents that are a mul-tiples of ๐ they are guaranteed to produce a unique result on G๐ forall of the ๐ ambiguous representations of a point.
This change is compensated by the simulation by calling anexperiment library using the ccExp class from Fig. 6. (Note that thisclass also accepts points on the quadratic twist, a feature that willbecome relevant only in the upcoming sections.) The ccExp object
-
forwards queries to a DG_sSDH object such that all inputs to theDDH oracle will be in G๐ .
Note that without exponents being a multiple of ๐ , we wouldhave had game G3 and G4 distinguishable because without thefactor ๐ in the secret scalars of honest parties, ๐๐ and ๐๐ could havenontrivial low-order components, which is noticeable and doesoccur in game G4. โก
6.3 CPace using single-coordinateDiffie-Hellman
Some Diffie-Hellman protocols, including CPace, can be imple-mented also on a group modulo negation, i.e. a group where agroup element ๐ and its inverse ๐โ1 (i.e. the point with ๐ผ = ๐ ยท๐โ1)are not distinguished and share the same binary representation.An elliptic curve in Weierstrass representation becomes a groupmodulo negation when only using x-coordinates as representa-tion. We use the notation ๐ for such ambiguous encodings anduse ๐ โ SC(๐ ) for a function returning the x-coordinate for apoint ๐ and (๐โ1, ๐ ) โ RC(๐ ) for the inverse operation recon-structing ๐ and ๐โ1 in an undefined order. The major advantageof using this type of ambiguous encoding is that it can be helpfulin practice for all of the following: reducing code size, reducingkey sizes and network bandwidth, avoiding implementation pit-falls [Ber06] and restricting invalid curve attacks to the curveโsquadratic twist. Consequently, many real-world protocols such asTLS only use this single coordinate for deriving their session key,as to give implementers the flexibility to take benefit of the aboveadvantages.
We formalize CPace with single-coordinate DH, CPacexโonly, byletting ScalarMult(๐,๐ฆ) and ScalarMultVfy(๐,๐ฆ) use the ambigu-ous encoding ๐ .
Theorem 6.3 (Security of CPacexโonly). Assume CPace on a groupG can distinguished from an ideal-world run of FlePAKE and S withat most negligible advantage, where S embeds an experiment objectexp for the sSDH problem. Then CPacexโonly on the correspondinggroup modulo negation Gฬ can be simulated by an ideal-world simula-tor Sฬ that is obtained by chaining expwithmoduloNegationAdapter,the adapter class from Fig. 7. The difference in the distinguishing ad-vantage is bounded by a factor of 2.
Proof Sketch. First note that the functions SC and RC thatimplement conversion between group and group modulo negationsare both efficient, as in practice themost complex substep is a squareroot in F๐ . Secondly, CPace (except for instantiations using a map-twice-and-add construction) does not need a full group structureat any point. Instead, only chained exponentiations are used (๐พ =๐๐ฆ๐๐ = ๐
๐ฆ๐๐
= ๐บ๐ฆ๐ ยท๐ฆ๐ ), which can likewise be implemented on agroup modulo negation. The protocolโs correctness is not affected.
When starting with single-coordinate CPace in the real world,the same proof strategy applies, however the collision probabilityin gameG3 is increased by a factor of 2. In gameG4 no change is re-quired. Also in games G5 andG6 the only difficulty shows up whensplitting off the code for the full-group versions of the sSDH andsCDH experiments from the simulator code. We cannot embed the
# using python-style notation with self pointer ๐ def class moduloNegationAdapter:"uses the strip- and reconstruct functions SC and RC."def _init_(๐ ,, baseExperiment):๐ .expโbaseExperiment;๐ .recordsโ [];
def sampleY(๐ ):๐ โ ((๐ .exp) .sampleY())๐ .๐ ;๐ .records.append(๐ ); return SC(๐ );
def isValid(๐ ):(๐0, ๐1)โRC(๐ ); return (๐ .exp) .isValid(๐0);
def sampleH1(๐ ): return (๐ .exp).sampleH1();def corrupt(๐ , โ, ๐ ):(๐,๐ โ) โ RC(๐ ); if ๐ โ in ๐ .records: ๐ โ ๐ โ;return (๐ .exp) .corrupt(โ,๐ );
def DDH(๐ ,๐บ,๐,๐, ๏ฟฝฬ๏ฟฝ ):(๐,๐ โ) โ RC(๐ ); if ๐ โ in ๐ .records: ๐ โ ๐ โ;(๐,๐ โ) โ RC(๐ ); (๐พ,๐พโ) โ RC(๏ฟฝฬ๏ฟฝ);return (๐ .exp.DDH(๐บ,๐,๐, ๐พ))or(๐ .exp.DDH(๐บ,๐,๐, ๐พโ))
# Chaining the experiments for CPace on prime order curve,# single coordinate, single map executionsSdhExp = sSDH(sCDH);distExp = DG_sSDH(Map2PointPreImages, ๐max,sSdhExp);singleCoorExp = moduloNegationAdapter(distExp)
Figure 7: Single-coordinate experiment class definition forCPace instantiations on groups modulo negation.
challenges as-is but need to reconstruct the sign information in or-der to serve the API of the full-group experiments. The correspond-ing strategy is implemented in themoduloNegationAdapter adapterclass from Fig. 7. Note that this strategy never aborts itself but itsincorporated sSDH or sCDH experiments abort upon DDH queries.As the moduloNegationAdapter adapter queries the DDH at mosttwo times, the loss of CPacexโonly in comparison to CPace is atmost a factor of two. โก
6.4 CPace using twist secure curvesFor a curve in Weierstrass form constructed over a field F๐ , a coor-dinate ๐ฅ represents either the ๐ฅ coordinate of a point on the curveitself or its so-called quadratic twist. For Diffie-Hellmann proto-cols where active adversaries are relevant, using single-coordinateDiffie-Hellman provides the advantage that the adversary may onlyinsert inputs taken from one of these two curves, thus limiting theimpact of invalid curve attacks if both, the curve and the twist,are appropriately designed. In this case, the computationally costlypoint verification algorithms can be avoided if the co-factor ofG๐ ยท๐ is an integer multiple of the co-factor of the twist Gโฒ and allexponentiations clear the cofactor by choosing their secret expo-nents by a multiple of the cofactor ๐ . This was first observed byBernstein [Ber06] for Curve25519. This property can be employedalso in the context of CPace for making implementations fasterand more resilient against implementation errors regarding thepoint verification, specifically if CPace is implemented using scalarmultiplication based on single-coordinate Montgomery ladders.
-
# using python-style notation with self pointer ๐ def class sCDH_sTCDH ():"Accepts ๐,๐พ inputs from G and the twist Gโ "def _init_(๐ ,๐บ):๐ .๐ต โ ๐บ ; ๐ .๐ โ 0; ๐ .๐ 1, ๐ .๐ 2 โ fresh;
def sampleY(s):if ๐ .๐ โค 2:๐ .๐+ = 1;sample ๐ .๐ฆ๐ โR F๐ \ 0;๐ .๐๐ โ (๐ .๐ต)๐ฆ๐ ; return ๐ .๐๐ ;
def corrupt(s,๐ ):for 1 โค ๐ โค ๐ .๐):if (๐ = (๐ .๐ต)๐ .๐ฆ๐ ):๐ฅ โ ๐ .๐ฆ๐ ; ๐ .๐ ๐ โ corrupt; return x;
def DDH(๐ , ๐ต, ๐ , ๐, ๐พ ):if ({๐,๐ }={๐ .๐1, ๐ .๐2})and(๐ .๐ 1 = fresh)and(๐ .๐ 2 = fresh) . . .
. . . and (๐พ = (๐ .๐ต)๐ .๐ฆ1 ยท๐ .๐ฆ2 ):abort("๐พ solves sCDH(๐ต,๐1, ๐2)");
if (๐ = ๐ .๐1):if(๐ .๐ 1 = fresh) and (๐ โ Gโฒ \ ๐ผGโฒ ) and (๐๐ .๐ฆ1 = ๐พ ):abort("๐,๐พ solve sTCDH(๐ต,๐1)");
return (๐๐ .๐ฆ1 = ๐พ );if (๐ = ๐ .๐2):if(๐ .๐ 2 = fresh) and (๐ โ Gโฒ \ ๐ผGโฒ ) and (๐๐ .๐ฆ2 = ๐พ ):abort("๐,๐พ solve sTCDH(๐ต,๐2)");
return (๐๐ .๐ฆ2 = ๐พ );def isValid(๐ ): return (๐ โ (G \ ๐ผG)) or (๐ โ (Gโฒ \ ๐ผGโฒ);
# Chaining the experiment objects for case of X25519 and X448sSdhExp = sSDH(sCDH_sTCDH);ccExp = cofactorClearer(sSdhExp,๐, ๐, ๐๐ก๐ค๐๐ ๐ก );distExp = DG_sSDH(Map2PointPreImages, ๐max,ccExp);twistSecExp =moduloNegationAdapter(ccExp);
Figure 8: Class combining sCDH and sTCDH experiments
Theorem 6.4 (Security of CPace on twist-secure curves.). Let G๐ ยท๐be an elliptic curve of order ๐ ยท ๐ where ๐, ๐ coprime with a subgroupG of prime order ๐ over base field ๐น๐ . Let G๐โฒ ยท๐โฒ be the quadratic twistof G๐ ยท๐ of order ๐ โฒ ยท ๐๐ก๐ค๐๐ ๐ก with a subgroup Gโฒ of order ๐๐ก๐ค๐๐ ๐ก . Let ๐be equal to ๐ โฒ or an integer multiple of ๐ โฒ.
If there is a single-coordinate implementation of CPace on G thatcould be distinguished from an ideal-world simulator S from Fig. 4with negligible advantage, where S embeds an experiment objectexp for the sCDH problem, then a modified CPace implementationthat does not discard received points from Gโฒ \ ๐ผGโฒ can be simulatedby an ideal-world simulator Sโฒ that is obtained by replacing thesCDH experiment by the experiment object twistSecExp from figure8 and the difference in the distinguisher advantages is bounded by2 ยท AdvsTCDH.
Proof. The only difference to the proof strategy for Theorem 5.1consists in the fact that we now need to handle events where theadversarial strategy is based on injecting points from the twist.
First note that the twist has cofactor ๐ โฒ and thus ๐ โฒ low-orderpoints. As ๐ is an integer multiple of ๐ โฒ the exponentiation by mul-tiples of ๐ maps all low-order points on the twist to the twistโsidentity element and these will be discarded also by the modifiedCPace version. In the simulation we additionally need to handle the
case that the adversary provides an input from the twist. We add anadditional game after G0, where we abort if the adversary queriesH2 for ๐,๐, ๐พ for a honest ๐ = ๐บ๐ฆ calculated from a generator๐บ ,an adversarial input ๐ from the twist Gโฒ such that ๐พ = ๐ ๐ฆ โ Gโฒ,where ๐ฆ is the private scalar of one of the honest parties.
This change is distinguishable only if A provided a solution tothe sTCDH problem from Definition 3.7 and the advantage of adistinguisher of in this additional game is bounded by AdvsTCDH.In any other case the honest party will return ๐ผ๐๐พ values indis-tinguishable from random values in both, the real world and theideal world. As the adversary may choose to attack both honestparties, the advantage has to be multiplied by two. We incorporatethis change in the simulator by replacing the sCDH object instancethat is embedded by the sSDH experiment class. โก
6.5 Chaining the experiment classesIn Appendix F, we describe 3 CPace implementations which com-bine the single aspects discussed in the previous sections in vari-ous combinations. The experiment that encodes the assumptionsthat apply for the construction that we recommend for use ontwist secure Montgomery curves is specified by the "twistSec-Exp" object from Fig. 8. Correspondingly the assumption set thatis necessary for proving the security of CPace on the group ab-straction construction from Appendix F for ristretto25519 and de-caf448 [Ham15a, dVGT+20] is defined by the "coffeeExp" objectfrom Fig. 11. The assumption set needed for proofs for our recom-mended construction with short-Weierstrass curves is specified bythe "singleCoorExp" object in figure Fig. 7. A concrete example howthis process is carried out is given in Appendix D.
7 CONCLUSIONWe demonstrated that the symmetric PAKE protocol CPace enjoysstrong composable security guarantees under CDH-type assump-tions, and in the random oracle model. We identify a requirementwe coin probabilistic invertibility on theMap2Point primitive be-ing employed by CPace for deriving secret generators, such thatthe random-oracle idealization can be restricted to modeling con-ventional hash functions only. AllMap2Pointfunctions currentlyconsidered by the CFRG working group fulfill this new property.We believe that this is the first work that goes beyond a modelingof Map2Point as a random oracle for a real-world cryptographicprotocol.
In the process of analyzing CPace we noticed a significant short-coming of all previously published ideal UC PAKE functionalities.We presented and used a strengthened functionality that will pro-vide major advantages when analyzing protocols that use CPace,and PAKE in general, as a building block.
We presented a flexible and modular approach for carrying outsecurity proofs in simulation-based models when reducing to as-sumptions for which experiment algorithms can be efficiently im-plemented. The approach consists of making the challenges anintegral part of the simulation algorithm. This avoids the unnaturalseparation between simulator construction and reduction argu-ments. We have employed this approach for deriving the exactchanges in the assumption set when fine-tailoring CPace for dif-ferent elliptic-curve ecosystems such as short Weierstrass curves,
-
Montgomery curves and idealized group abstractions. We were ableto prove security of many such CPace variants even in conjunctionwith adaptive corruption and believe that CPace is the first PAKEprotocol for which security guarantees are proven for such a strongadversary model.
To conclude, we believe that our techniques can also be em-ployed for more closely understanding the security properties ofother protocols operating on elliptic curves in conjunction withMap2Point primitives such as, e.g., oblivious pseudo-random func-tions (OPRF) that form building blocks of OPAQUE [JKX18] andstrong AuCPace [HL18]. Current analyses model the mapping prim-itive as a random oracle. With our work as motivating and tech-nical example, a security proof of more efficient and less com-plex OPRF constructions based on single-coordinate Montgomeryladders seems within reach. Secondly, we believe that our proofstrategy for assumptions with efficient experiments can provide ad-vantages for more flexibly analyzing different variants of a protocol,and might even open easier paths for employing machine-basedproof strategies in UC.
ACKNOWLEDGMENTSThis work was partly supported by the European Unionโs Horizon2020 Research and Innovation Programme under Grant AgreementNo. 786725 โ OLYMPUS.
REFERENCES[ABB+20a] Michel Abdalla, Manuel Barbosa, Tatiana Bradley, Stanislaw Jarecki,
Jonathan Katz, and Jiayu Xu. Universally composable relaxed passwordauthenticated key exchange. In Daniele Micciancio and Thomas Risten-part, editors, CRYPTO 2020, Part I, volume 12170 of LNCS, pages 278โ307.Springer, Heidelberg, August 2020.
[ABB+20b] Michel Abdalla, Manuel Barbosa, Tatiana Bradley, Stanislaw Jarecki,Jonathan Katz, and Jiayu Xu. Universally composable relaxed passwordauthenticated key exchange. Cryptology ePrint Archive, Report 2020/320,2020. https://eprint.iacr.org/2020/320.
[ABK+20] Michel Abdalla, Manuel Barbosa, Jonathan Katz, Julian Loss, and JiayuXu. Algebraic adversaries in the universal composability framework.Pre-Print, October 2020.
[ABR01] Michel Abdalla, Mihir Bellare, and Phillip Rogaway. The oracle diffie-hellman assumptions and an analysis of DHIES. In David Naccache,editor, Topics in Cryptology - CT-RSA 2001, The Cryptographerโs Track atRSA Conference 2001, San Francisco, CA, USA, April 8-12, 2001, Proceedings,volume 2020 of Lecture Notes in Computer Science, pages 143โ158. Springer,2001.
[AP05] Michel Abdalla and David Pointcheval. Simple password-based encryptedkey exchange protocols. In Alfred Menezes, editor, CT-RSA 2005, volume3376 of LNCS, pages 191โ208. Springer, Heidelberg, February 2005.
[BCI+10a] Eric Brier, Jean-Sรฉbastien Coron, Thomas Icart, David Madore, HuguesRandriam, and Mehdi Tibouchi. Efficient indifferentiable hashing intoordinary elliptic curves. In Tal Rabin, editor, Advances in Cryptology -CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA,August 15-19, 2010. Proceedings, volume 6223 of Lecture Notes in ComputerScience, pages 237โ254. Springer, 2010.
[BCI+10b] Eric Brier, Jean-Sรฉbastien Coron, Thomas Icart, David Madore, HuguesRandriam, and Mehdi Tibouchi. Efficient indifferentiable hashing intoordinary elliptic curves. In Tal Rabin, editor, CRYPTO 2010, volume 6223of LNCS, pages 237โ254. Springer, Heidelberg, August 2010.
[Ber06] Daniel J. Bernstein. Curve25519: New Diffie-Hellman speed records. InMoti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors,PKC 2006, volume 3958 of LNCS, pages 207โ228. Springer, Heidelberg,April 2006.
[BFK09] Jens Bender, Marc Fischlin, and Dennis Kรผgler. Security analysis of thePACE key-agreement protocol. In Pierangela Samarati, Moti Yung, FabioMartinelli, and Claudio Agostino Ardagna, editors, ISC 2009, volume 5735of LNCS, pages 33โ48. Springer, Heidelberg, September 2009.
[BHKL13] Daniel J. Bernstein, Mike Hamburg, Anna Krasnova, and Tanja Lange.Elligator: elliptic-curve points indistinguishable from uniform random
strings. In Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors,2013 ACM SIGSAC Conference on Computer and Communications Security,CCSโ13, Berlin, Germany, November 4-8, 2013, pages 967โ980. ACM, 2013.
[BL19] Daniel J. Bernstein and Tanja Lange. SafeCurves: Choosing safe curvesfor elliptic-curve cryptography. Definition of Twist security. (accessed on15 January 2019), 2019. https://safecurves.cr.yp.to/twist.html.
[BM92] Steven M. Bellovin and Michael Merritt. Encrypted key exchange:Password-based protocols secure against dictionary attacks. In 1992 IEEESymposium on Security and Privacy, pages 72โ84. IEEE Computer SocietyPress, May 1992.
[BPR00] Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated keyexchange secure against dictionary attacks. In Bart Preneel, editor, EURO-CRYPT 2000, volume 1807 of LNCS, pages 139โ155. Springer, Heidelberg,May 2000.
[Can01] Ran Canetti. Universally composable security: A new paradigm for cryp-tographic protocols. In 42nd FOCS, pages 136โ145. IEEE Computer SocietyPress, October 2001.
[CHK+05] Ran Canetti, Shai Halevi, Jonathan Katz, Yehuda Lindell, and Philip D.MacKenzie. Universally composable password-based key exchange. InRonald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages404โ421. Springer, Heidelberg, May 2005.
[DSS13] Digital Signature Standard (DSS). National Institute of Standards andTechnology (NIST), FIPS PUB 186-4, U.S. Department of Commerce, July2013. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
[dVGT+20] H. de Valence, J. Grigg, G. Tankersley, F. Valsorda, I. Lovecruft, andM. Hamburg. The ristretto255 and decaf448 groups. Rfc, IRTF, 10 2020.
[ECC18] Elliptic Curve Cryptography. Federal Office for Information Security(BSI), Technical Guideline BSI TR-03111, Version 2.10, June 2018.
[FHSS+19] A. Faz-Hernandez, S. Scott, N. Sullivan, R. Wahby, and C. Wood. Hashingto elliptic curves, 2019. https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/.
[FT12] Pierre-Alain Fouque and Mehdi Tibouchi. Indifferentiable hashing toBarreto-Naehrig curves. In Alejandro Hevia and Gregory Neven, editors,LATINCRYPT 2012, volume 7533 of LNCS, pages 1โ17. Springer, Heidelberg,October 2012.
[Haa20] Bjรถrn Haase. CPace, a balanced composable PAKE, 2020. https://datatracker.ietf.org/doc/draft-haase-cpace/.
[Ham15a] Mike Hamburg. Decaf: Eliminating cofactors through point compression.In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptol-ogy - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara,CA, USA, August 16-20, 2015, Proceedings, Part I, volume 9215 of LectureNotes in Computer Science, pages 705โ723. Springer, 2015.
[Ham15b] Mike Hamburg. Ed448-goldilocks, a new elliptic curve. Cryptology ePrintArchive, Report 2015/625, 2015. http://eprint.iacr.org/2015/625.
[Ham20] Mike Hamburg. Indifferentiable hashing from elligator 2. CryptologyePrint Archive, Report 2020/1513, 2020. https://eprint.iacr.org/2020/1513.
[Hes20] Julia Hesse. Separating symmetric and asymmetric password-authenticated key exchange. In Clemente Galdi and Vladimir Kolesnikov,editors, SCN 20, volume 12238 of LNCS, pages 579โ599. Springer, Heidel-berg, September 2020.
[HL18] Bjรถrn Haase and Benoรฎt Labrique. AuCPace: Efficient verifier-based PAKEprotocol tailored for the IIoT. Cryptology ePrint Archive, Report 2018/286,2018. https://eprint.iacr.org/2018/286.
[HL19] Bjรถrn Haase and Benoรฎt Labrique. AuCPace: Efficient verifier-based PAKEprotocol tailored for the IIoT. IACR TCHES, 2019(2):1โ48, 2019. https://tches.iacr.org/index.php/TCHES/article/view/7384.
[HWCD08] HรผseyinHisil, Kenneth Koon-HoWong, Gary Carter, and EdwardDawson.Twisted edwards curves revisited. In Asiacrypt, volume 5350, pages 326โ343. Springer, 2008.
[Jab96] David P. Jablon. Strong password-only authenticated key exchange. Com-puter Communication Review, 26(5):5โ26, 1996.
[JKX18] Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. OPAQUE: An asymmet-ric PAKE protocol secure against pre-computation attacks. In Jesper BuusNielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part III, volume10822 of LNCS, pages 456โ486. Springer, Heidelberg, April / May 2018.
[LHT16] A. Langley, M. Hamburg, and S. Turner. Elliptic Curves for Security. RFC7748, IETF, January 2016.
[LM10] Manfred Lochter and Johannes Merkle. Elliptic Curve Cryptography(ECC) Brainpool Standard Curves and Curve Generation. RFC 5639, IETF,March 2010.
[PAC08] Advanced security mechanism for machine readable travel documents(extended access control (EAC), password authenticated connection es-tablishment (PACE), and restricted identification (RI)). Federal Office forInformation Security (BSI), BSI-TR-03110, Version 2.0, 2008.
[PW17] David Pointcheval and Guilin Wang. VTBPEKE: Verifier-based two-basispassword exponential key exchange. In Ramesh Karri, Ozgur Sinanoglu,Ahmad-Reza Sadeghi, and Xun Yi, editors, ASIACCS 17, pages 301โ312.
https://eprint.iacr.org/2020/320https://safecurves.cr.yp.to/twist.htmlhttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdfhttps://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/https://datatracker.ietf.org/doc/draft-haase-cpace/https://datatracker.ietf.org/doc/draft-haase-cpace/http://eprint.iacr.org/2015/625https://eprint.iacr.org/2020/1513https://eprint.iacr.org/2018/286https://tches.iacr.org/index.php/TCHES/article/view/7384https://tches.iacr.org/index.php/TCHES/article/view/7384
-
ACM Press, April 2017.[Sho04] Victor Shoup. Sequences of games: a tool for taming complexity in security
proofs. IACR Cryptol. ePrint Arch., 2004:332, 2004.[SvdW06] Andrew Shallue and Christiaan E. van de Woestijne. Construction of
rational points on elliptic curves over finite fields. In ANTS, volume 4076of Lecture Notes in Computer Science, pages 510โ524. Springer, 2006.
A PROOF OF THEOREM 5.1We start with the real execution of the CPace protocol with anadversary A, and gradually modify it, ending up with the idealexecution FlePAKE with a simulator S. The changes will go unno-ticed by an (adaptively corrupting) environmentZ interacting withparties and the adversary. Let RealZ (๐ถ๐๐๐๐,A) be the event thatenvironmentZ with adversary A and an execution of CPace out-puts 1 and IdealZ (FlePAKE,S) be the corresponding event in theideal execution with functionality FlePAKE depicted in Fig. 1. Weassume S to always include the session identifier sid in each storedrecord, and omit them in this proof for brevity.Game G0: The real protocol execution. This is the real world
in which the adversary interacts with real players and mayview, modify and/or drop network messages and adaptivelycorrupt parties.
๐๐ [RealZ (CPace,A)] = ๐๐ [G0]
Game G1: Introducing the simulator. In this game we movethe whole execution into one machine and call in the simula-tor S. Note that this implies that S implements the randomoracles H1,H2 and runs the execution with actual passwordsas input. We will change the simulation to work withoutpasswords in the upcoming games. In this game for any newinput query ๐ for H1 (H2) samples a point on the curve (arandom string) respectively. No re-programming operationis yet needed. The changes are only syntactical and thus
Pr [G0 ] = Pr [G1 ]Game G2: Embedding trapdoors. In this game we start keep-
ing track of secret exponents for generators created frompasswords. S samples a fixed generator ๐ต โ G. For everyhash query H1 (sid,P,P โฒ, pw), S samples ๐ โ F๐ , stores(H1,P||P โฒ, pw, ๐ , ๐โ1, ๐ต๐ ) and replies to the query with ๐ต๐ .The only difference is that the simulator now keeps track ofthe secret exponents for H1 queries and the distributions ofthis and the previous game are perfectly indistinguishable
Pr [G1 ] = Pr [G2 ]Game G3: Abort on collisions of the random oracle H1. The
simulator aborts if a collision occurs in H1, i.e., if S samplesan answer for a fresh H1 query that he already gave before.Note that without collisions two honest parties will alwaysoutput matching (respectively differing) session keys if both,passwords and party identifiers, match (respectively differ).Note that authenticating party identifiers in additi