[curves] password authenticated key exchange (PAKE)

Michael Hamburg mike at shiftleft.org
Thu Oct 2 15:54:06 PDT 2014

Hello [curves],

So I’ve been writing up this paper on PAKE, and it’s been a bit of a struggle because there are so many models for how PAKE works, what it means to be secure, and so on.  I can target many different options, but I’d rather write a paper which just has one or two concrete proposals.  This is especially true because I’d rather not write 2^n proofs of security.

So I’m curious what models people on this list actually care about.  Here are the options I have:

Explicit key confirmation: Required or not?

Parties: Is one a client and is the other a server?  Are the parties named peers?  Unnamed peers?

Flow: Server speaks first?  Client speaks first?  They both send messages simultaneously, or in either order?

Augmentation: Should the server’s credential be insufficient to log in without a dictionary attack?  Maybe augmentation on both sides is even desirable, for some reason?

Security model: Does anyone care about GapDH, DDH, SquareDH, etc. assumptions?  This is definitely in the random oracle model, by the way.

Basically, I can support almost any combination of these, but it costs complexity and performance, and I need to construct a security model for it.

On a somewhat related note, is there any desire to encrypt the user name?  A man in the middle can recover it at the cost of disrupting the session, but it should be possible to hide it from passive eavesdroppers (at the cost of more rounds and more complexity).

— Mike
