List: cfrg
Subject: Re: [Cfrg] PAKE review
From: Björn Haase <bjoern.m.haase () web ! de>
Date: 2019-08-17 13:08:54
Message-ID: 637616d4-c84c-8085-33e9-bd77745eaca9 () web ! de
Dear Brian,
> The magic-wormhole protocol currently uses SPAKE2 (a symmetric PAKE) on
> an Ed25519 group, with an additional form of symmetry: the two sides do
> not have to decide ahead of time which role they are playing. In SPAKE2
> terms, the "M" and "N" elements are equal, which saves a roundtrip.
IIUC the proofs for SPAKE2 assume that "M != N", but this most probably could be addressed by a somewhat modified security proof. IMO it should suffice to blind one of the Diffie-Hellman points: IIRC this is also what is done in the PAK family of protocols.

When using this approach in a product, I'd recommend you to have a look at the patent applications/patents on the PAK protocol family. Using distinct M and N and blinding two points might have been one component necessary/helpful for the patent circumvention strategy that was in mind when designing the SPAKE2 construction.
Yours,
Björn.
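A toy illustration of the symmetric SPAKE2 variant Brian describes (M = N, so neither side needs a role), added here as an example and not part of either message, of magic-wormhole or of any SPAKE2 implementation. It uses a small constructed prime-order subgroup instead of Ed25519; the password-to-scalar mapping, the constructed M and N elements and the sorted-transcript key derivation are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: safe prime p = 2q + 1 and its
# order-q subgroup of quadratic residues. magic-wormhole uses Ed25519 instead.
P, Q, G = 2039, 1019, 4          # G = 2^2 is a quadratic residue, so it has order Q
M_POINT, N_POINT = 9, 25         # constructed stand-ins for SPAKE2's fixed M and N


def password_scalar(password: bytes) -> int:
    """Assumed KDF: hash the password to a non-zero scalar w in [1, Q-1]."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % (Q - 1) + 1


class Party:
    """One SPAKE2 side. `blind` is the fixed element it uses to mask its DH share."""

    def __init__(self, password: bytes, blind: int, x=None):
        self.w = password_scalar(password)
        self.x = x if x is not None else secrets.randbelow(Q - 1) + 1
        self.msg = pow(G, self.x, P) * pow(blind, self.w, P) % P   # g^x * blind^w

    def key(self, peer_msg: int, peer_blind: int) -> bytes:
        """Strip the peer's mask with the element the peer is assumed to have used,
        finish the DH, and hash a sorted transcript so the result is role-independent."""
        unblinded = peer_msg * pow(pow(peer_blind, self.w, P), P - 2, P) % P
        shared = pow(unblinded, self.x, P)
        transcript = [*sorted((self.msg, peer_msg)), shared]
        return hashlib.sha256("|".join(map(str, transcript)).encode()).digest()


def symmetric_exchange(pw: bytes, xa=None, xb=None):
    """M == N (magic-wormhole style): no role to agree on, both derive the same key."""
    a, b = Party(pw, M_POINT, xa), Party(pw, M_POINT, xb)
    return a.key(b.msg, M_POINT), b.key(a.msg, M_POINT)


def asymmetric_exchange(pw: bytes, xa=None, xb=None):
    """Standard SPAKE2 with M != N: A masks with M, B with N, each unmasks with the other's."""
    a, b = Party(pw, M_POINT, xa), Party(pw, N_POINT, xb)
    return a.key(b.msg, N_POINT), b.key(a.msg, M_POINT)


def role_collision(pw: bytes, xa=None, xb=None):
    """M != N but both sides think they are 'A': both mask with M and unmask with N,
    so the keys disagree. Avoiding this role negotiation is the roundtrip M == N saves."""
    a, b = Party(pw, M_POINT, xa), Party(pw, M_POINT, xb)
    return a.key(b.msg, N_POINT), b.key(a.msg, N_POINT)


if __name__ == "__main__":
    pw = b"4-purple-sausages"   # constructed sample password
    print("symmetric agree:", len(set(symmetric_exchange(pw))) == 1)
    print("asymmetric agree:", len(set(asymmetric_exchange(pw))) == 1)
    print("role collision agrees:", len(set(role_collision(pw))) == 1)
```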
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg