Forward Secrecy of SPAKE2

Abstract

Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the Find-then-Guess model of Bellare, Pointcheval and Rogaway (EUROCRYPT 2000), whether it satisfies some notion of forward secrecy remains an open question.

In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by Krawczyk (CRYPTO 2005). Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3.

A Terminology from [3]

We introduce the terminology necessary to refer to adversary’s actions.

We say “in a CLIENT ACTION k query to \(\varPi _{C}^{i}\)” to refer to “in a Send query directed to the client instance \(\varPi _{C}^{i}\) that results in CLIENT ACTION k procedure being executed” and “in a SERVER ACTION k” to refer to “in a Send query directed to the server instance \(\varPi _{S}^{j}\) that results in SERVER ACTION k procedure being executed”.

A client instance \(\varPi _{C}^{i}\) is paired with server instance \(\varPi _{S}^{j}\) if there was a CLIENT ACTION 0 query to \(\varPi _{C}^{i}\) with output \(\langle C, X^* \rangle \), a SERVER ACTION 1 to \(\varPi _{S}^{j}\) with input \(\langle C, X^* \rangle \) and output \(\langle S,Y,k \rangle \) and a CLIENT ACTION 1 to \(\varPi _{C}^{i}\) with input \(\langle S,Y,k \rangle \). A server instance \(\varPi _{S}^{j}\) is paired with client instance \(\varPi _{C}^{i}\) if there was a CLIENT ACTION 0 query to \(\varPi _{C}^{i}\) with output \(\langle C, X^* \rangle \) and a SERVER ACTION 1 to \(\varPi _{S}^{j}\) with input \(\langle C, X^* \rangle \) and output \(\langle Y,k \rangle \), additionally, if there is a SERVER ACTION 2 query with input \(k'\), then there was a previous CLIENT ACTION 1 to \(\varPi _{C}^{i}\) with input \(\langle Y,k \rangle \) and ouput \(k'\).

Next we define the events that will allow us to proof the security of the protocol by sequence of games.

testpw(\(C,i,S,\pi ,l\)): Adversary \(\mathcal {A}\) makes (i) an \(H_l(C,S,X^*,Y,\sigma ,\pi )\) query for some \(l\in \{1,2,3\}\), (ii) a CLIENT ACTION 0 to \(\varPi _{C}^{i}\) with output \(\langle S,X^*\rangle \) and (iii) a CLIENT ACTION 1 to \(\varPi _{C}^{i}\) with input \(\langle C,Y,k \rangle \), where \(X^* = X \cdot M^\pi \) and \(\sigma =DH(X,Y)\). The associated value to this event is the output of the \(H_l(\cdot )\) query, or the \(k,k',sk_C^i\) values, respectively for \(l=1,2,3\), whichever is set first.

testpw(\(S,j,C,\pi ,l\)): \(\mathcal {A}\) makes an \(H_l(C,S,X^*,Y,\sigma ,\pi )\) for some \(l\in \{1,2,3\}\) and a SERVER ACTION 1 to \(\varPi _{S}^{j}\) with input \(\langle S,X^*\rangle \) and output \(\langle C,Y,k \rangle \), where \(X^* = X \cdot M^{\pi }\) and \(\sigma = DH(X,Y)\). The associated value to this event is the output of the \(H_l(\cdot )\) query, or the \(k,k',sk_S^j\) values, respectively for \(l=1,2,3\), whichever is set first.

testpw!(\(C,i,S,\pi \)): In a CLIENT ACTION 1 query with input \(\langle \mu ,k \rangle \), causes a testpw\((C,i,S,\pi ,2)\) event to occurs, with associated value k.

testexecpw(\(C,i,S,j,\pi \)): \(\mathcal {A}\) makes (i) an \(H_l(C,S,X^*,Y,\sigma ,\pi )\) for some \(l\in \{1,2,3\}\), where \(X^* = X \cdot M^\pi \) and \(\sigma =DH(X,Y)\) and (ii) previously an Execute(C, i, S, j) which produces \(X^*,Y\). The associated value to this event is the output of the \(H_l(\cdot )\) query, or the \(k,k',sk_S^j\) values, respectively for \(l=1,2,3\), whichever is set first.

correctpw: Before any Corrupt query, either a testpw!(\(C,i,S,\pi _c\)) event occurs, for some C, i, S, or a testpw(\(S,j,C,\pi _c,l\)) event occurs for some S, j, C and \(l\in \{1,2,3\}\), where \(\pi _c\) is the correct password.

pairedpwguess: For some client and server instance \(\varPi _{C}^{i}\) and \(\varPi _{S}^{j}\) respectively, both testpw(\(C,i,S,\pi _c,l\)) and testpw(\(S,j,C,\pi ,l\)) event occurs for \(l\in \{1,2,3\}\), where \(\varPi _{C}^{i}\) is paired with \(\varPi _{S}^{j}\), and \(\varPi _{S}^{j}\) is paired with \(\varPi _{C}^{i}\) after its SERVER ACTION 1.

doublepwserver: Before any Corrupt query, both a testpw(\(S,j,C,\pi _1,l\)) and a testpw(\(S,j,C,\pi _2,l\)) event occurs, for some S, j, \(\pi _1\) and \(\pi _2\), with \(\pi _1 \ne \pi _2\) and \(l \in \{1,2,3\}\).