On the Provable Security of the Dragonfly Protocol
Lecture Notes in Computer Science
Dragonfly is a password-authenticated key exchange protocol that was proposed by Harkins in 2008. It is currently a candidate for standardization by the Internet Engineering Task Force, and would greatly benefit from a security proof. In this paper, we prove the security of a very close variant of Dragonfly in the random oracle model. This shows in particular that Dragonfly's main flows, a kind of Diffie-Hellman variation with a password-derived base, are sound.
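To make "a Diffie-Hellman variation with a password-derived base" concrete, here is an added toy model of the Dragonfly commit/confirm exchange. It is not code from the paper, nor the paper's analyzed variant, nor reference code from the IETF draft; it follows the shape of the published Dragonfly / SAE exchange (RFC 7664 style), which is more than this page describes. Each side picks a random exponent `rand` and a `mask`, sends the scalar `rand + mask mod q` and the element `PE^(-mask)`, and then raises `PE^(peer scalar) * peer element` to its own `rand`; both sides land on `PE^(rand_A * rand_B)`, where `PE` is the password element. Assumptions made only for this example: a demo-size safe-prime group generated in the code instead of a standardized group, a password element obtained by hashing into the prime-order subgroup via exponentiation rather than Dragonfly's hunting-and-pecking loop, HMAC-SHA256 as KDF and confirmation MAC, and the hypothetical identities `alice` and `bob`.

```python
"""Toy Dragonfly-style commit/confirm exchange (added example, not the paper's code).

Assumptions: demo safe-prime group found deterministically below; password
element derived by hash-then-exponentiation (not hunting-and-pecking);
HMAC-SHA256 for key derivation and confirmation.
"""
import hashlib
import hmac
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic and good enough for a demo."""
    if n < 2:
        return False
    for sp in [2] + SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int, seed: bytes):
    """Deterministically find q prime with p = 2q + 1 prime (demo parameters only)."""
    q = int.from_bytes(hashlib.sha256(seed).digest(), "big")
    q = (q >> (256 - bits)) | (1 << (bits - 1)) | 1  # force size and oddness
    while True:
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q
        q += 2


P, Q = find_safe_prime(256, b"dragonfly-demo-group")  # assumption: demo group


def password_element(p: int, q: int, password: bytes, id_a: bytes, id_b: bytes) -> int:
    """Map the password to an element of the order-q subgroup whose discrete log
    nobody knows. Simplification of Dragonfly's hunting-and-pecking (assumption)."""
    cofactor = (p - 1) // q
    for counter in range(256):
        h = hashlib.sha256(b"dragonfly-demo|" + id_a + b"|" + id_b + b"|"
                           + password + bytes([counter])).digest()
        pe = pow(int.from_bytes(h, "big") % p, cofactor, p)
        if pe > 1:
            return pe
    raise ValueError("could not derive password element")


def make_commit(p: int, q: int, pe: int):
    """Return (rand, scalar, element): scalar = rand + mask mod q, element = pe^(-mask)."""
    while True:
        rand = secrets.randbelow(q - 2) + 2  # in [2, q-1]
        mask = secrets.randbelow(q - 2) + 2
        scalar = (rand + mask) % q
        if scalar > 1:
            break
    element = pow(pe, q - mask, p)  # pe has order q, so pe^(q-mask) = pe^(-mask)
    return rand, scalar, element


def shared_secret(p: int, q: int, pe: int, rand: int, own, peer) -> int:
    """Validate the peer commit, then compute (pe^peer_scalar * peer_element)^rand."""
    peer_scalar, peer_element = peer
    if not 1 < peer_scalar < q:
        raise ValueError("bad peer scalar")
    if not 1 < peer_element < p or pow(peer_element, q, p) != 1:
        raise ValueError("peer element not in the prime-order subgroup")
    if peer == own:
        raise ValueError("reflected commit")
    base = (pow(pe, peer_scalar, p) * peer_element) % p
    return pow(base, rand, p)


def derive_keys(ss: int, scalar_a: int, scalar_b: int, q: int):
    """KCK (confirmation key) and PMK from the shared secret; scalar sum acts as salt."""
    salt = ((scalar_a + scalar_b) % q).to_bytes(64, "big")
    k = hmac.new(salt, ss.to_bytes(64, "big"), hashlib.sha256).digest()
    kck = hmac.new(k, b"dragonfly-demo KCK", hashlib.sha256).digest()
    pmk = hmac.new(k, b"dragonfly-demo PMK", hashlib.sha256).digest()
    return kck, pmk


def confirm(kck: bytes, own_commit, peer_commit) -> bytes:
    """Confirmation MAC over both commits (sender's first)."""
    msg = b"".join(x.to_bytes(64, "big") for x in (*own_commit, *peer_commit))
    return hmac.new(kck, msg, hashlib.sha256).digest()


def run_exchange(password_a: bytes, password_b: bytes):
    """Run one exchange between alice (password_a) and bob (password_b).
    Returns (pmk_a, pmk_b, both_confirmations_ok)."""
    pe_a = password_element(P, Q, password_a, b"alice", b"bob")
    pe_b = password_element(P, Q, password_b, b"alice", b"bob")
    rand_a, sa, ea = make_commit(P, Q, pe_a)
    rand_b, sb, eb = make_commit(P, Q, pe_b)
    commit_a, commit_b = (sa, ea), (sb, eb)
    ss_a = shared_secret(P, Q, pe_a, rand_a, commit_a, commit_b)
    ss_b = shared_secret(P, Q, pe_b, rand_b, commit_b, commit_a)
    kck_a, pmk_a = derive_keys(ss_a, sa, sb, Q)
    kck_b, pmk_b = derive_keys(ss_b, sb, sa, Q)
    # bob sends confirm(kck_b, ...); alice recomputes it with kck_a, and vice versa
    a_accepts = hmac.compare_digest(confirm(kck_b, commit_b, commit_a),
                                    confirm(kck_a, commit_b, commit_a))
    b_accepts = hmac.compare_digest(confirm(kck_a, commit_a, commit_b),
                                    confirm(kck_b, commit_a, commit_b))
    return pmk_a, pmk_b, a_accepts and b_accepts


if __name__ == "__main__":
    print("same password:", run_exchange(b"correct horse", b"correct horse")[2])
    print("wrong password:", run_exchange(b"correct horse", b"battery staple")[2])
```

The point the example makes is the one the abstract states: the main flows are ordinary Diffie-Hellman in the subgroup generated by `PE`, so an eavesdropper who guesses the password learns `PE` but still faces `PE^(rand_A * rand_B)` from `PE^(rand_A)`-style values only, while a wrong password on one side yields a different base and the confirmation MACs fail. The subgroup membership and reflection checks in `shared_secret` are the standard input validation any such implementation must perform; they are not specific to the paper's variant.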
... We employ the standard Bellare et al.  security model, which incorporates forward secrecy. Diffie-Hellman base is proven forward-secure and analyzed using  . As in  , Dragonfly's security is based on the Computational Diffie-Hellman (CDH) and Decisional Inverted-Additive Diffie-Hellman (DIDH) assumptions (see Sect. 2.2).

Related Work. PAKE has been heavily studied in the last decade. It began with the works of Bellovin and Merritt  and Jablon  , but with no precise security analysis. Security models in the vein of  and  were then introduced by Bellare et al.  and Boyko et al.  respectively, and the number of provably secure schemes, with random oracles (RO) or ideal ciphers [2,7], common reference strings [14,8], universal composability  , to name a few, has exploded. We refer to Pointcheval's survey  for a more complete picture. As for Dragonfly, it first appeared in  . The attention it has received as an IETF proposal has led to its being broken by Clarke and Hao  , and subsequently fixed.

Organization. The rest of the paper is structured as follows. In Sect. 2, we recall the commonly-used security model of  . Section 3 contains a description of the version of Dragonfly we analyze, while the description of the original Dragonfly protocol from  can be found in the appendix. Next, Sect. 4 presents the security proof. Finally, the paper is concluded in Sect. 5.

Security Model

We use the indistinguishability-based framework of  , designed for two-party PAKE. In what follows, we will assume some familiarity with the model in  .

Model