On the Provable Security of the Dragonfly Protocol [chapter]

Jean Lancrenon, Marjan Škrobot
2015 Lecture Notes in Computer Science  
Dragonfly is a password-authenticated key exchange protocol that was proposed by Harkins [11] in 2008. It is currently a candidate for standardization by the Internet Engineering Task Force, and would greatly benefit from a security proof. In this paper, we prove the security of a very close variant of Dragonfly in the random oracle model. It shows in particular that Dragonfly's main flows, a kind of Diffie-Hellman variation with a password-derived base, are sound.
We employ the standard Bellare et al. [2] security model, which incorporates forward secrecy. The Diffie-Hellman base is proven forward-secure and analyzed using [2]. As in [17], Dragonfly's security is based on the Computational Diffie-Hellman (CDH) and Decisional Inverted-Additive Diffie-Hellman (DIDH) assumptions (see Sect. 2.2).

Related Work. PAKE has been heavily studied in the last decade. It began with the works of Bellovin and Merritt [5] and Jablon [13], but with no precise security analysis. Security models in the vein of [3] and [20] were then introduced by Bellare et al. [2] and Boyko et al. [6] respectively, and the number of provably secure schemes, with random oracles (RO) or ideal ciphers [2,7], common reference strings [14,8], universal composability [8], to name a few, has exploded. We refer to Pointcheval's survey [19] for a more complete picture. As for Dragonfly, it first appeared in [11]. The attention it has received as an IETF proposal has led to it being broken by Clarke and Hao [9], and subsequently fixed.

Organization. The rest of the paper is structured as follows. In Sect. 2, we recall the commonly-used security model of [2]. Section 3 contains a description of the version of Dragonfly we analyze, while the description of the original Dragonfly protocol from [12] can be found in the appendix. Next, Sect. 4 presents the security proof. Finally, the paper is concluded in Sect. 5.

Security Model

We use the indistinguishability-based framework of [2], designed for two-party PAKE. In what follows, we will assume some familiarity with the model in [2].

Model
doi:10.1007/978-3-319-23318-5_14