List: moderncrypto-noise
Subject: [noise] PAKE (was Re: Multi party psk)
From: Trevor Perrin <trevp () trevp ! net>
Date: 2017-06-08 23:40:08
Message-ID: CAGZ8ZG3AbqYhL=LbBOS1xE=LAsJijc6dxkkVE_zuP_wORC9ujA () mail ! gmail ! com
On Thu, Jun 8, 2017 at 11:02 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> I always wondered about doing something like Noise_NNpsk0 as a
> replacement for the various PAKEs. You expand the password into a
> proper shared secret, which you then set as the PSK. The PSK would
> then act as both an authenticator and as some poorman's PQ, while the
> dhee would provide forward secrecy. Though, perhaps this doesn't have
> all the same properties as a proper PAKE?
That doesn't have the PAKE property: PAKE should not enable offline
guessing for either party. But above, an attacker who interacts with
a legitimate party and receives a ciphertext based on the PSK can
check offline guesses for the PSK.
One way to get a PAKE in DH protocols is to encrypt DH ephemerals with
a password ("DH-EKE" idea from Bellovin and Merritt). Provided that
decryption always yields a plausible ephemeral, then offline guessing
isn't enabled.
The "Provided" part is tricky - you can't do regular encryption,
because with EC only 1/2 of decrypted bitstrings would be valid EC
public keys. So you'd have to "encrypt" the ephemeral by first
mapping the password to a point (e.g. with Elligator), then adding
this point to the ephemeral (this overall approach from Abdalla's
SPAKE2, plus Mike Hamburg).
I haven't thought much about PAKE in Noise, but it could be interesting.
Maybe something like this would work?
Noise_NK+pake(rs):
<- s
...
-> e, es, u, p
<- e, ee, pe
Noise_NX+pake(rs):
-> e
<- e, ee, s, es
-> u, p
<- pe
Where "p" is a password-encrypted ephemeral, "pe" is DH between some
p and e ephemerals, and "u" is a payload-like field for containing
usernames.
Trevor
_______________________________________________
Noise mailing list
Noise@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/noise
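As an added illustration, not code from the thread or from the Noise project, here is a constructed Python sketch of the "map the password to a point, add it to the ephemeral" idea over Ed25519. Try-and-increment hashing stands in for Elligator, both sides use the same password point (SPAKE2 uses two distinct points, M and N, for the two roles), and the function names and the key derivation are assumptions.

```python
import hashlib
import secrets

# Ed25519 parameters (the real curve); the protocol around them is a constructed demo only.
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
L = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
SQRT_M1 = pow(2, (P - 1) // 4, P)
IDENTITY = (0, 1)

def inv(x):
    return pow(x, P - 2, P)

def add(p, q):
    # Affine twisted-Edwards addition on -x^2 + y^2 = 1 + d x^2 y^2 (complete for Ed25519's d)
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P, (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def mul(k, p):
    # Double-and-add scalar multiplication (demo only; not constant time)
    r = IDENTITY
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def x_from_y(y):
    # Ed25519 decompression (RFC 8032 style); None when no curve point has this y
    w = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(w, (P + 3) // 8, P)
    if (x * x - w) % P:
        x = x * SQRT_M1 % P
    return x if (x * x - w) % P == 0 else None

BASE_Y = 4 * inv(5) % P
BASE = (x_from_y(BASE_Y), BASE_Y)

def pw_to_point(pw):
    # Try-and-increment hash-to-point, then clear the cofactor (a stand-in for Elligator)
    ctr = 0
    while True:
        y = int.from_bytes(hashlib.sha512(pw + ctr.to_bytes(4, "big")).digest()[:32], "little") % P
        x = x_from_y(y)
        if x is not None:
            return mul(8, (x, y))
        ctr += 1

def start(pw):
    # "p" from the mail: ephemeral aB, password-encrypted by adding the password point
    a = secrets.randbelow(L - 1) + 1
    return a, add(mul(a, BASE), pw_to_point(pw))

def finish(priv, peer_p, pw):
    # Subtract the password point to recover the peer's ephemeral, then DH ("pe")
    px, py = pw_to_point(pw)
    k = mul(priv, add(peer_p, ((-px) % P, py)))
    return hashlib.sha256(k[0].to_bytes(32, "little") + k[1].to_bytes(32, "little")).digest()

def in_prime_order_subgroup(pt):
    # Unblinding with ANY password guess lands here, so a transcript gives nothing to test offline
    return mul(L, pt) == IDENTITY
```

A wrong password on either side yields a different key but still a valid, uniformly distributed ephemeral, which is the "provided that decryption always yields a plausible ephemeral" condition from the mail.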