On the Provable Security of the Dragonfly protocol (Jean Lancrenon, Marjan Škrobot) - PowerPoint PPT Presentation



SLIDE 1

On the Provable Security of the Dragonfly protocol

Jean Lancrenon (1), Marjan Škrobot (1)

(1) Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg

ISC 2015

1 / 18

SLIDE 2

Outline

  • 1. PAKEs
  • 2. Dragonfly
  • 3. Results
  • 4. Conclusion

SLIDE 9

Intro

Password Authenticated Key Exchange

PAKE Problem:

◮ Setup: Shared low-entropy secret (password)
◮ Goal: High-entropy session key
◮ Without PKI
◮ Only password for authentication
◮ Prevent offline-dictionary attacks
◮ Limit online-guessing attacks

SLIDE 13

Intro

Design Techniques

Typical approaches for designing efficient PAKEs (in the ROM):

  • 1. "EKE-style"

    → E_pw(g^x)
    ← E_pw(g^y)

  • 2. "SPEKE-style"

    → (H(pw))^x
    ← (H(pw))^y

  • 3. "J-PAKE-style"

    → (D_1)^{x·pw}, π_1
    ← (D_2)^{y·pw}, π_2

SLIDE 18

Security Models

Security Models for PAKE

PAKE Security Models:

  • 1. Indistinguishability-Based Model [BR93,95]
    ◮ Find-then-Guess [BPR00]
    ◮ Real-or-Random [AFP05]
  • 2. Simulation-Based Model [S99]
    ◮ Modified Shoup's model [BMP00]
    ◮ Plain model PAKEs [GL01]
  • 3. Universal Composability Model [CK02]
    ◮ UC for PAKE [CHKLM05]

SLIDE 21

Indistinguishability-Based Model for PAKEs

Find-then-Guess BPR Model

Queries available to a PPT adversary A:

◮ Send(U^i, M) - message exchange (A delivers M to instance i of user U and sees the reply)
◮ Execute(C^i, S^j) - eavesdropping on an honest run between C^i and S^j
◮ Reveal(U^i) - leakage of the session key
◮ Corrupt(U) - leakage of the long-term secret*
◮ Test(U^i) - semantic security of the session key

What does security mean in the BPR model?

Definition

Protocol P is a forward-secure PAKE if, for all PPT adversaries A making at most $n_{se}$ online attempts, where N is the size of the dictionary and C is a constant,

$$\mathrm{Adv}^{\mathrm{ake}}_{P}(A) \le C \cdot \frac{n_{se}}{N} + \varepsilon . \quad (1)$$

SLIDE 27

The Dragonfly Protocol

Motivation: Why Dragonfly?

◮ Submitted for standardization at the IETF (patent free)
  ◮ Dragonfly PAKE
  ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012
  ◮ EAP-PWD - RFC 5931 (Informational), 2010
  ◮ TLS-PWD
◮ Fully symmetric (no strict roles)
◮ Follows the SPEKE design approach
◮ Without security proof
◮ Stirred some controversy

SLIDE 28

The Dragonfly Protocol

Dragonfly draft specifications

Initialization (public): G, p, q; H_0, H_2 : {0,1}^* → {0,1}^k; H_1 : {0,1}^* → {0,1}^{2k}; password π ∈ Passwords;
seed := H_0(C, S, π, c) with the identities ordered by max/min; PW := H&P(seed, l_1) ("hunting-and-pecking" mapping of the seed to a group element).

Client C                                    Server S
m_1, r_1 ← Z_q                              m_2, r_2 ← Z_q
s_1 := r_1 + m_1                            s_2 := r_2 + m_2
E_1 := PW^{-m_1}                            E_2 := PW^{-m_2}
              ------- C, E_1, s_1 ------->
              <------ S, E_2, s_2 --------
abort if ¬Good(E_2, s_2)                    abort if ¬Good(E_1, s_1)
σ := (PW^{s_2} · E_2)^{r_1}                 σ := (PW^{s_1} · E_1)^{r_2}
kck | sk_C := H_1(σ, l_2)                   kck | sk_S := H_1(σ, l_2)
κ := H_2(kck, C, s_1, s_2, E_1, E_2)        τ := H_2(kck, S, s_2, s_1, E_2, E_1)
τ̂ := H_2(kck, S, s_2, s_1, E_2, E_1)        κ̂ := H_2(kck, C, s_1, s_2, E_1, E_2)
              ------------ κ ------------>
              <----------- τ -------------
abort if τ ≠ τ̂                              abort if κ ≠ κ̂

8 / 18

SLIDE 30

Provably Secure Dragonfly

Our Dragonfly

Initialization (public): G, p, q; H_0 : {0,1}^* → G; H_1 : {0,1}^* → {0,1}^{3k}; password π ∈ Passwords; PW := H_0(C, S, π).

Client C                                    Server S
m_1, r_1 ← Z_q
s_1 := r_1 + m_1
E_1 := PW^{-m_1}
              ------- C, E_1, s_1 ------->
                                            abort if ¬Good(E_1, s_1)
                                            m_2, r_2 ← Z_q
                                            s_2 := r_2 + m_2
                                            E_2 := PW^{-m_2}
              <------ S, E_2, s_2 --------
abort if ¬Good(E_2, s_2)
σ := (PW^{s_2} · E_2)^{r_1}                 σ := (PW^{s_1} · E_1)^{r_2}
tr := (C, S, s_1, s_2, E_1, E_2)            tr := (C, S, s_1, s_2, E_1, E_2)
κ | τ̂ | sk_C := H_1(tr, σ, PW)              κ̂ | τ | sk_S := H_1(tr, σ, PW)
              ------------ κ ------------>
                                            abort if κ ≠ κ̂
              <----------- τ -------------
abort if τ ≠ τ̂

Both sides obtain the same σ = PW^{r_1 r_2}: PW^{s_2} · E_2 = PW^{r_2 + m_2} · PW^{-m_2} = PW^{r_2}, and symmetrically PW^{s_1} · E_1 = PW^{r_1}.

10 / 18

SLIDE 32

Provably Secure Dragonfly

Differences between the draft and the proven variant

Differences:

◮ "Hunting-and-Pecking" procedure (replaced by a random-oracle hash H_0 into G)
◮ Session key computation (sid and PW included in the H_1 input)
◮ Confirmation codes (recipient's identity)
◮ Symmetric nature:
  ◮ Ordered message exchange
  ◮ Min/Max
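The proven variant of the previous slides, run end to end, as an added worked example written for this page (Python; it is not code from the slides, the paper, or any Dragonfly implementation such as EAP-pwd or hostapd). Everything not on the slides is an assumption made here: G is the order-q subgroup of squares in Z_p^* for a 128-bit demo safe prime derived from a fixed seed, far too small for real use; H_0 is SHA-256 followed by squaring into G; H_1 is SHAKE256 with 3k = 96 bytes of output, split as κ | τ | sk; Good(E, s) checks 1 < s < q and that E is a non-identity element of G; transcripts are length-prefixed; identities and passwords are constructed sample inputs. It runs three sessions: matching passwords (both keys agree), a wrong password on one side (the server aborts on κ, so one online guess costs one failed session), and a tampered server element E_2 = 1 (rejected by Good before any key is derived).

```python
# Added example (not from the slides): the proven Dragonfly variant over a demo group.
import hashlib
import random
import secrets

K = 32  # k in bytes: H_1 outputs 3k bits, split as kappa | tau | sk


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin (demo only; use vetted parameters in practice)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_group(bits=128, seed=2015):
    """Safe prime p = 2q + 1; G is the order-q subgroup (squares) of Z_p^*.
    Seeded only so the example is reproducible; the seed is not a secret."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


def encode(*parts):
    """Unambiguous length-prefixed encoding of byte strings and integers."""
    out = b""
    for x in parts:
        if isinstance(x, int):
            x = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        out += len(x).to_bytes(4, "big") + x
    return out


def H0(p, C, S, password):
    """H_0 : {0,1}^* -> G (assumed: hash, then square into the order-q subgroup)."""
    for ctr in range(256):  # retry counter skips the degenerate outputs 0 and 1
        h = int.from_bytes(hashlib.sha256(encode(b"H0", ctr, C, S, password)).digest(), "big") % p
        pw = h * h % p
        if pw not in (0, 1):
            return pw
    raise RuntimeError("no group element found")


def H1(tr, sigma, pw):
    """H_1 : {0,1}^* -> {0,1}^{3k}, returned as (kappa, tau, sk)."""
    d = hashlib.shake_256(encode(b"H1", tr, sigma, pw)).digest(3 * K)
    return d[:K], d[K:2 * K], d[2 * K:]


def good(p, q, E, s):
    """Good(E, s) as assumed here: 1 < s < q and E a non-identity element of G."""
    return 1 < s < q and 1 < E < p and pow(E, q, p) == 1


class Party:
    def __init__(self, p, q, C, S, password):
        self.p, self.q = p, q
        self.pw = H0(p, C, S, password)  # PW := H_0(C, S, pi)

    def commit(self):
        """m, r <- Z_q; s := r + m; E := PW^{-m}; resample until Good() accepts."""
        while True:
            m, r = secrets.randbelow(self.q), secrets.randbelow(self.q)
            s, E = (m + r) % self.q, pow(self.pw, (-m) % self.q, self.p)
            if good(self.p, self.q, E, s):
                self.r = r
                return E, s

    def derive(self, tr, E_peer, s_peer):
        """sigma := (PW^{s_peer} * E_peer)^r  (= PW^{r_1 r_2}); then H_1(tr, sigma, PW)."""
        sigma = pow(pow(self.pw, s_peer, self.p) * E_peer % self.p, self.r, self.p)
        return H1(tr, sigma, self.pw)


def run_dragonfly(group, client_password, server_password, C=b"client", S=b"server", tamper=None):
    """Returns (status, sk_C, sk_S); status is "ok" or the abort reason.
    `tamper` replaces the server's (E_2, s_2) on the wire to exercise Good()."""
    p, q = group
    client, server = Party(p, q, C, S, client_password), Party(p, q, C, S, server_password)
    E1, s1 = client.commit()                                  # C -> S: (C, E_1, s_1)
    if not good(p, q, E1, s1):
        return "server aborts: bad (E_1, s_1)", None, None
    E2, s2 = server.commit()                                  # S -> C: (S, E_2, s_2)
    if tamper is not None:
        E2, s2 = tamper
    if not good(p, q, E2, s2):
        return "client aborts: bad (E_2, s_2)", None, None
    tr = encode(C, S, s1, s2, E1, E2)                         # tr := (C, S, s_1, s_2, E_1, E_2)
    kappa, tau_hat, sk_C = client.derive(tr, E2, s2)          # kappa | tau^ | sk_C
    kappa_hat, tau, sk_S = server.derive(tr, E1, s1)          # kappa^ | tau | sk_S
    if not secrets.compare_digest(kappa, kappa_hat):          # C -> S: kappa
        return "server aborts: kappa mismatch", None, None
    if not secrets.compare_digest(tau, tau_hat):              # S -> C: tau
        return "client aborts: tau mismatch", None, None
    return "ok", sk_C, sk_S


if __name__ == "__main__":
    G = demo_group()
    print(run_dragonfly(G, b"correct horse", b"correct horse")[0])
    print(run_dragonfly(G, b"correct horse", b"wrong guess")[0])
    print(run_dragonfly(G, b"pw", b"pw", tamper=(1, 5))[0])
```

The Good() check is what makes the "abort if ¬Good" lines on the slides concrete: without the subgroup membership test a peer could send an E outside G (for example a small-order element), and without the scalar bound the commitment s would be malleable; both checks run before any secret-dependent computation.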

SLIDE 33

The proof of security for Dragonfly

The theorem statement

Theorem

Consider the Dragonfly protocol with a password set of size N. Let A be an adversary that runs in time at most t and makes at most $n_{se}$ Send queries, $n_{ex}$ Execute queries, and $n_{h_0}$ and $n_{h_1}$ random-oracle queries to $H_0$ and $H_1$, respectively. Then there exist two algorithms B and D running in time $t'$ such that

$$\mathrm{Adv}^{\mathrm{ake}}_{\mathrm{dragonfly}}(A) \le T,$$

where

$$T := \frac{6 n_{se}}{N} + \frac{4(n_{se} + n_{ex})(2 n_{se} + n_{ex} + n_{h_1})}{q^2} + \frac{n_{h_0}^2 + 2 n_{h_1}}{q} + \frac{n_{h_1}^2 + 2 n_{se}}{2^k} + 2 n_{h_1}\Big(1 + \frac{n_{se}}{2}\Big) \cdot \mathrm{Succ}^{\mathrm{cdh}}_{PW,G}(B) + 4 n_{h_0}^3 \cdot \Big[\mathrm{Adv}^{\mathrm{didh}}_{g,G}(D) + \frac{n_{h_1}^3 + 3 n_{se}}{q}\Big], \quad (2)$$

and where $t' = O\big(t + (n_{se} + n_{ex} + n_{ro})\, t_{\exp}\big)$, with $t_{\exp}$ the time required for one exponentiation in G.

SLIDE 42

The proof of security for Dragonfly

Game hops

◮ G0: The Dragonfly protocol
◮ G1: Simulation game
◮ G2: Force uniqueness and avoid collisions on H_0
◮ G3: Force random oracle queries
  ◮ [a]: Randomize the session key as H'_1(sid) (private oracles)
  ◮ [b]: PW isn't used anymore (except after a Corrupt query)
  ◮ [c]: Avoid lucky guesses on PW (A has to query H_0)
  ◮ [d]: Avoid lucky guesses on authenticators (H_1)

AskH1_3 event: A has to make the "correct" combination of H_0 and H_1 queries to win.

SLIDE 47

The proof of security for Dragonfly

We distinguish four disjoint sub-cases of AskH1_3:

◮ AskH1-Passive_3: the transcript originates from an honest execution;
◮ AskH1-Paired_3: ((C, E_1, s_1), (S, E_2, s_2)) comes from an honest execution, while (κ, τ) may come from A;
◮ AskH1-withC_3: (S, E_2, s_2) is not from a matching S^j;
◮ AskH1-withS_3: (C, E_1, s_1) is not from a matching C^i.

SLIDE 51

The proof of security for Dragonfly

Security Assumptions

DIDH assumption

Let $X = g^{1/x}$, $Y = g^{1/y}$ and $\mathrm{IDH}_g(X, Y) = g^{1/(x+y)}$. An algorithm D is a $(t, \varepsilon)$-DIDH solver if it runs in time t and

$$\mathrm{Adv}^{\mathrm{didh}}_{g,G}(D) := \Big|\Pr\big[x, y \leftarrow \mathbb{Z}_q^*;\ X \leftarrow g^{1/x};\ Y \leftarrow g^{1/y};\ Z \leftarrow \mathrm{IDH}_g(X, Y) : D(X, Y, Z) = 1\big] - \Pr\big[x, y, z \leftarrow \mathbb{Z}_q^*;\ X \leftarrow g^{1/x};\ Y \leftarrow g^{1/y};\ Z \leftarrow g^{1/z} : D(X, Y, Z) = 1\big]\Big|$$

is at least ε (i.e. non-negligible).

SLIDE 59

The proof of security for Dragonfly

Reduction from DIDH:

◮ D chooses 3 distinct random indexes
◮ The triple X, Y, Z is "plugged" into the H_0 outputs at those indexes
◮ PW_1 := X^{u_1}, PW_2 := Y^{u_2}, and PW_3 := Z^{u_3}
◮ Extract from the H_1 queries: E_2^x, E_2^y, and E_2^z
◮ D wins if E_2^x · E_2^y = E_2^z (since E_2^x · E_2^y = E_2^{x+y}, this holds exactly when z = x + y, i.e. when Z = g^{1/(x+y)} is the real IDH value)

$$\Pr[\mathrm{Coll}_C] \le 2 n_{h_0}^3 \cdot \Big[\mathrm{Adv}^{\mathrm{didh}}_{g,G}(D) + \frac{n_{h_1}^3 + 3 n_{se}}{2q}\Big]. \quad (3)$$

$$\Pr[\mathrm{AskH1\text{-}withC}_4] \le \frac{2 n_{se}}{N}. \quad (4)$$

SLIDE 65

Conclusion

Summary of results

◮ Forward secure in the BPR model with ROM
◮ Up to 2 password guesses per online attempt
◮ As secure as the SPEKE protocol
◮ Slightly less efficient (4 exp vs. 4 exp + 2 mexp)
◮ Recommendations: include sid in sk and the recipient's ID in the authenticators.