PAKE Candidates

March 12, 2020 · View on GitHub

This repository includes the source material for the CFRG PAKE selection process (summer of 2019), and a summary of the published reviews of the 8 candidates.

PAKE Candidates

Balanced Algorithms

NameSubmittersRound 2Authoritative SourceAdditional ContentComments
SPAKE2Benjamin Kaduk, Watson Ladddraft-irtf-cfrg-spake2-09 (updated)Requirements
J-PAKEFeng HaoRFC8236Requirements
SPEKEDan Harkinshttps://eprint.iacr.org/2014/585RequirementsSubmitter note: The only thing to add is that when SPEKE is used with ECC a hash-to-curve method from the RFC that comes out of the CFRG (when it comes out of the CFRG) is necessary to produce the secret generator that SPEKE requires.
CPaceBjörn Haasehttps://eprint.iacr.org/2018/286 (updated)Addendum
Corrigendum
Simulator Code

Augmented Algorithms

NameSubmittersRound 2Authoritative SourceAdditional ContentComments
OPAQUEHugo Krawczykdraft-krawczyk-cfrg-opaque-03Requirements
AuCPaceBjörn Haasehttps://eprint.iacr.org/2018/286 (updated)Addendum
Corrigendum
Simulator Code
VTBPEKEGuilin Wanghttps://www.di.ens.fr/david.pointcheval/Documents/Papers/2017_asiaccsB.pdfRequirements
BSPAKESteve ThomasInformation Requirements

Summary of Reviews

The table below lists all reviews submitted to the CFRG mailing list. We mention only the first message of each mail thread. Reviewers who feel the initial does not reflect their latest position are requested to provide feedback (see below), preferably with a single message/file that covers their entire review.

AuthorAlgorithms CoveredLink
Scott FluhrerAll balancedhttps://mailarchive.ietf.org/arch/msg/cfrg/HssFKRoUdM2kyVt4T9j_KPZqAmE
Re-review: https://mailarchive.ietf.org/arch/msg/cfrg/MZ-L7qSTDZEtC9hjhPNyGOhXUlQ
Bill CoxOPAQUEhttps://mailarchive.ietf.org/arch/msg/cfrg/-B16hIOerRsHgoIxiln05TiJ17o
Valery SmyslovAll candidates, for IKEv2https://tools.ietf.org/html/draft-smyslov-ikev2-pake-00
Yoav NirAll candidates, for IKEv2https://mailarchive.ietf.org/arch/msg/cfrg/PWhIOQKBHapZ1Rpbd7Brr_JFIg8
Kevin LewiAll augmentedhttps://mailarchive.ietf.org/arch/msg/cfrg/9E1owZANyjCEZW44IWj0u1Lze2I
Jonathan HoylandAll augmented, for TLShttps://mailarchive.ietf.org/arch/msg/cfrg/FaY_3w5lWtygha0DTY5hJ9Yy7WU
Bjoern TackmannAll augmented (preliminary)https://mailarchive.ietf.org/arch/msg/cfrg/euWBn5Nku0WFGKQ6qcITaCKVM-k
Brian WarnerAll balanced, for Magic-Wormholehttps://mailarchive.ietf.org/arch/msg/cfrg/BBQ2gwCECu5ouTJjE_CE6d9Rg-0
Karthik BhargavanAll balanced, for TLS 1.3https://mailarchive.ietf.org/arch/msg/cfrg/5VhZLYGpzU8MWPlbMr2cf4Uc-nI
Steve ThomasAll augmentedhttps://mailarchive.ietf.org/arch/msg/cfrg/AQtLrLSfATpOKxdjAakacnp2cBo
Thyla van der MerweAll candidateshttps://docs.google.com/document/d/114t9rTk-d4nkTJZbEwwAn83uRy0ru2dm5qwOj0AMFaw/edit?usp=sharing
Stanislav SmyshlyaevAll balancedhttps://docs.google.com/document/d/1czsluXWzGNnlzJDChcULAB_sqFaUWHzGMKjkjZDBMok/edit?usp=sharing
David GotrikAll candidates, for constrained IoTreview
Tibor JagerAll augmentedhttps://docs.google.com/document/d/1jAQm4lCUSJO73vyS14hF8Cl__grsOTF-Jj_CCStJDuU/edit?usp=sharing

Overall Reviews by Crypto Review Panel

The table below lists all overall reviews submitted by the Crypto Review Panel members during Stage 5 of the PAKE selection process.

AuthorLink
Bjoern Tackmannhttps://mailarchive.ietf.org/arch/msg/cfrg/1sNu9USxo1lnFdzCL5msUFKBjzM
Stanislav Smyshlyaevhttps://docs.google.com/document/d/1-vzeCtSrm7zfoolr1JQdNqtp6KrtVEjitkH0OmjKapc/edit?usp=sharing
Russ Housleyhttps://docs.google.com/document/d/1L6lqueEB70C4QptEnjfWx-bhBdg6cT73ymmmm9WUAR0/edit?usp=sharing
Yaron Shefferreview

Questions for Round 2

  1. (to SPAKE2): Can you propose a modification of SPAKE2 (preserving all existing good properties of PAKE2) with a correspondingly updated security proof, addressing the issue of a single discrete log relationship necessary for the security of all sessions (e.g., solution based on using M=hash2curve(A|B), N=hash2curve(B|A))?
  2. (to CPace and AuCPace): Can you propose a modification of CPace and AuCPace (preserving all existing good properties of these PAKEs) with a correspondingly updated security proof (maybe, in some other security models), addressing the issue of requiring the establishment of a session identifier (sid) during each call of the protocol for the cost of one additional message?
  3. (to all 4 remaining PAKEs) : Can the nominators/developers of the protocols please re-evaluate possible IPR conflicts between their candidates protocols and own and foreign patents? Specifically, can you discuss the impact of U.S. Patent 7,047,408 (expected expiration 10th of march 2023) on free use of SPAKE2 and the impact of EP1847062B1 (HMQV, expected expiration October 2026) on the free use of the RFC-drafts for OPAQUE?
  4. (to all 4 remaining PAKEs) What can be said about the property of "quantum annoyance" (an attacker with a quantum computer needs to solve [one or more] DLP per password guess) of the PAKE?
  5. (to all 4 remaining PAKEs) What can be said about "post-quantum preparedness" of the PAKE?

Answers on Round 2

ProtocolLink
CPace and AuCPacehttps://mailarchive.ietf.org/arch/msg/cfrg/eRNe0SYH3lwHifwZkmqHRy4pdNE
SPAKE2https://mailarchive.ietf.org/arch/msg/cfrg/senXefqczpUZo26B35ekz8d3iLo
OPAQUEhttps://mailarchive.ietf.org/arch/msg/cfrg/EJnaKEh_RamzghcjAik5v9_Fwf8

Related information on IPR (SPAKE2): https://datatracker.ietf.org/ipr/4018/

Reviews by Crypto Review Panel, Round 2

The table below lists all overall reviews submitted by the Crypto Review Panel members during Stage 5 of the PAKE selection process.

AuthorLink
Bjoern Tackmannhttps://mailarchive.ietf.org/arch/msg/cfrg/eo8O6JYPmWY6L9TlcIXStFy5gNQ/
Julia Hessehttps://mailarchive.ietf.org/arch/msg/cfrg/47pnOSsrVS8uozXbAuM-alEk0-s/
Russ Housleyhttps://mailarchive.ietf.org/arch/msg/crypto-panel/r3ktVcmPA-POVMNjVBmY84lTOHA/
Scott Fluhrerhttps://mailarchive.ietf.org/arch/msg/cfrg/JwBPf_71G6JcfUttFw9MbvnIDCU/

Providing Feedback

To update the base material for a PAKE candidate or any of the reviews, please open an issue or, better yet, submit a pull request. Any substantial change should be reported to the CFRG mailing list. Please include a link to the mailing list post.