[curves] ECSRP

Steve Thomas steve at tobtu.com
Sat Aug 16 23:04:36 PDT 2014

Can you take a look at this: https://github.com/Sc00bz/ECSRP

P and Q are points on the curve in the same cyclical group (ie aP = Q for some
unknown a)
k is the key derived from the password
1/k is done by modular inverse for the cyclical group order
Server has (1/k)P and (1/k)Q
a and b are random private keys
X(P) returns the x coordinate of a point
|| is concatenation

C->S: Identity
C<-S: b(1/k)P + (1/k)Q, salt, password KDF settings
C:    k(b(1/k)P + (1/k)Q) - Q = bP
C->S: X(aP), H(X(bP) || X(abP))
S:    Verify
C<-S: H(X(aP) || X(bP) || X(abP))
C:    Verify


I am having problems with point Q. For Curve25519, I picked Q as (16, ...), but
I do not know if that is a good choice. It appears that there are two cyclical
groups of the same order (2^252+27742317777372353535851937790883648493) on that
curve, but I do not know if there is an issue with adding two points on the same
curve but in different cyclical groups. I have not found any problems but
obviously I can only test a very small fraction of them. I'm thinking that any
point that is on this curve and has the same order as point P is fine for point
Q, but I am not positive. (Well obviously P = Q is a bad choice or really any aP
= Q for a known a.)

More information about the Curves mailing list