[curves] Use cases for PAKE?

Trevor Perrin trevp at trevp.net
Wed Mar 19 11:30:54 PDT 2014


One thing we could discuss is Elliptic Curve PAKEs (Password Authenticated
Key Exchange).

There's some ideas worth exploring due to expiry of Lucent patents;
developments such as SPAKE2, J-PAKE, and AugPAKE; and "hashing to curve"
algorithms like SWU and Elligator [1,2].  For example, Mike Hamburg's ideas
in [3] seem promising.

But are there good use cases to focus discussion?  Possibilities -

 * PAKE for the web has been attempted in TLS (RFC 5054) with little
interest from browsers or sites.  Partly this is a layering problem
(username in clear, too early in the connection, and the TLS terminator is
the wrong place for client auth).  But there are deeper UI problems:
 browsers would have to display an unspoofable dialog; users would have to
be trained to enter certain passwords only into this dialog; and sites
would lose control of login UI.  Client auth for the web seems likely to
evolve in other directions (e.g. password managers, 2-factor, federation).

 * SSH already has J-PAKE which (I think?) is rarely used, though I'm not
sure why.  If part of the reason is performance, is there room for
improvement here?

 * IEEE 802.11s I think has standardized on "Simultaneous Authentication of
Equals" (aka Dragonfly) as an EC PAKE. I don't know if it's seen real
deployment, nor do I understand the "mesh networking" scenario it's being
used for, which seems different from just authenticating a client to an AP.
 Anyone know more?

 * There are smaller, more specialized uses of PAKE for protocols like
online backups or device pairing.  E.g. I think Chrome is (using?
investigating?) SPAKE2 for "chromoting", whatever that is.

Anyways, it's not clear that there are strong-enough use cases to motivate
a good discussion and keep it on track.  Though I wish there were!  PAKEs
are cool, it seems like they should be useful somewhere.

Other thoughts?


[1] http://eprint.iacr.org/2009/340.pdf
[2] http://elligator.cr.yp.to
[3] http://www.ietf.org/mail-archive/web/cfrg/current/msg03840.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20140319/15e98ed7/attachment.html>

More information about the Curves mailing list