
List:       cfrg
Subject:    Re: [Cfrg] PAKE review
From:       Björn Haase <bjoern.m.haase () web ! de>
Date:       2019-08-17 13:08:54
Message-ID: 637616d4-c84c-8085-33e9-bd77745eaca9 () web ! de

Dear Brian,

> The magic-wormhole protocol currently uses SPAKE2 (a symmetric PAKE) on
> an Ed25519 group, with an additional form of symmetry: the two sides do
> not have to decide ahead of time which role they are playing. In SPAKE2
> terms, the "M" and "N" elements are equal, which saves a roundtrip.

IIUC the proofs for SPAKE2 assume that "M != N" but this most probably could be addressed by a somewhat modified security proof. IMO it should suffice to blind one of the Diffie-Hellman points: IIRC this is also what is done in the PAK family of protocols.

When using this approach in a product, I'd recommend you have a look at the patent applications/patents on the PAK protocol family. Using distinct M and N and blinding two points might have been one component necessary/helpful for the patent circumvention strategy that was in mind when designing the SPAKE2 construction.

Yours,

Björn.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
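A toy SPAKE2 exchange showing where the M and N blinding points enter and how the M = N variant discussed in this thread removes the role assignment. This is an added example, not code from the thread, from magic-wormhole or from any SPAKE2 implementation; the group parameters, the password-to-scalar mapping and the transcript layout are constructed for illustration and are far too small to be secure.

```python
# Toy SPAKE2 over a small prime-order subgroup (constructed, insecure parameters).
import hashlib
import secrets

P = 2039                  # safe prime, P = 2*Q + 1 (toy size, for illustration only)
Q = 1019                  # order of the subgroup we work in
G = 4                     # generator of the order-Q subgroup (a square mod P)
M = pow(3, 2, P)          # SPAKE2 "M" point: a subgroup element with unknown log base G
N = pow(5, 2, P)          # SPAKE2 "N" point; the symmetric variant uses M for both sides


def inv(a: int) -> int:
    """Modular inverse mod P (P is prime, so Fermat's little theorem applies)."""
    return pow(a, P - 2, P)


def pw_scalar(password: bytes) -> int:
    """Map the password to a scalar w in [1, Q-1] (toy: SHA-256 reduced mod Q-1)."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % (Q - 1) + 1


class Party:
    def __init__(self, password: bytes, blind: int):
        self.w = pw_scalar(password)
        self.blind = blind                               # M for side A, N for side B
        self.x = secrets.randbelow(Q - 1) + 1            # ephemeral exponent
        self.msg = pow(G, self.x, P) * pow(blind, self.w, P) % P   # X = g^x * M^w

    def key(self, peer_msg: int, peer_blind: int, symmetric: bool) -> str:
        # Strip the peer's password blinding: K = (Y * N^-w)^x = g^(x*y)
        K = pow(peer_msg * inv(pow(peer_blind, self.w, P)) % P, self.x, P)
        if symmetric:
            msgs = sorted([self.msg, peer_msg])          # no roles: canonical ordering
        else:
            msgs = [self.msg, peer_msg] if self.blind == M else [peer_msg, self.msg]
        transcript = b"|".join(str(v).encode() for v in msgs + [self.w, K])
        return hashlib.sha256(transcript).hexdigest()


def run(pw_a: bytes, pw_b: bytes, symmetric: bool = False):
    """Run one exchange; returns the two sides' derived keys (equal iff passwords match)."""
    blind_a, blind_b = (M, M) if symmetric else (M, N)
    a, b = Party(pw_a, blind_a), Party(pw_b, blind_b)
    return a.key(b.msg, blind_b, symmetric), b.key(a.msg, blind_a, symmetric)
```

With `symmetric=True` both parties blind with the same point and the transcript is ordered canonically, which is the "M = N" arrangement that lets magic-wormhole skip deciding roles ahead of time.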
