<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello Jonathan,<br>
<br>
This is indeed a Simple PAKE. It's a stripped-down variant of
SPAKE1, which is described in Abdalla and Pointcheval's paper
"Simple Password-Based
Encrypted Key Exchange Protocols":<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.di.ens.fr/~mabdalla/papers/AbPo05a-letter.pdf">http://www.di.ens.fr/~mabdalla/papers/AbPo05a-letter.pdf</a><br>
<div class="moz-cite-prefix"><br>
The main differences are that SPAKE uses different G2's for Alice
and Bob, and that SPAKE1 computes the session key as
Hash(Alice,Bob,P1,P2,abG). There is also a SPAKE2 which throws
the password into the hash function too, for reasons having to do
with the security proof.<br>
<br>
IIRC (and it's possible I don't), it's safe to use the same G2 on
both sides, but it weakens the security proof slightly (from CDH
to CDH squaring).<br>
<br>
Omitting the hash is a more dangerous proposition. There are lots
of attacks that the original paper doesn't have to worry about,
just because it throws everything into that hash function. In
particular, not hashing in the identities means that you aren't
sure who you're talking to, just that they have the same password.<br>
<br>
-- Mike<br>
<br>
On 11/04/2014 08:20 AM, Jonathan Cressman wrote:<br>
</div>
<blockquote
cite="mid:DF6679C03B45044EB97BA2D782E7467602D9B3@ESRVDC.energate.office"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Sorry for potentially spamming your email
reflector. I’m an embedded wireless programmer in need of a
very simple Password Authenticated Key Exchange (PAKE). I
believe I have created something similar to SPEKE but that
works considerably better over elliptic curves. I would like
some help proving that it is secure.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Set up<o:p></o:p></u></p>
<p class="MsoNormal">The Protocol begins with an elliptic curve
over F<sub>2<sup>m</sup></sub> with parameters T = (m, f(x), a, b, G, n,
h) and G<sub>2</sub> as a second generator of that group such
that v, where vG = G<sub>2</sub>, is unknown. Also, given P, an
arbitrary element of the group generated by G, and aP, finding a
is hard. The curves 163k1 and 283k1 are such curves with
these properties. T and G<sub>2</sub> are fixed and known by
all implementers of the algorithm.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Convention: Capitals will be points on the
curve and lower case letters will be integers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Algorithm<o:p></o:p></u></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><span
lang="EN-AU">1. Let Alice and Bob have a shared password s; s is a
“smallish” non-negative integer.<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><span
lang="EN-AU">2. Both Alice and Bob choose a number between 1 and
n-2. Let these numbers be a and b. Alice sends the point
P<sub>1</sub> = aG + sG<sub>2</sub> to Bob and Bob sends the point
P<sub>2</sub> = bG + sG<sub>2</sub> to Alice.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt">3a. Alice
verifies P<sub>2</sub> is a generator of the group and then
computes a(P<sub>2</sub> - sG<sub>2</sub>) = a(bG + sG<sub>2</sub>
- sG<sub>2</sub>) = abG<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:18.0pt">3b. Bob verifies
P<sub>1</sub> is a generator of the group and then computes
b(P<sub>1</sub> - sG<sub>2</sub>) = b(aG + sG<sub>2</sub> - sG<sub>2</sub>)
= abG<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:18.0pt">4. Alice and
Bob verify that they both know the new shared secret abG.<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal">If Alice and Bob fail to agree on the new
shared secret, abG, they know something has gone wrong.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:'Arial','sans-serif';color:gray"
lang="EN-US">..................</span><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span
style="font-size:10.5pt;font-family:'Arial','sans-serif';color:gray"
lang="EN-US">Jonathan Cressman</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span
style="font-size:8.5pt;font-family:'Arial','sans-serif';color:gray"
lang="EN-US">Firmware Developer</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:9.0pt;font-family:'Arial','sans-serif';color:gray"
lang="EN-US">Energate Inc. 2379 Holly Lane, Suite 200,
Ottawa, Ontario, Canada K1V 7P2<br>
T: 613-482-7928 x226 F: 613-288-0816 <u><a
moz-do-not-send="true" href="http://www.energate.ca/">http://www.energateinc.com</a></u></span><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Curves mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Curves@moderncrypto.org">Curves@moderncrypto.org</a>
<a class="moz-txt-link-freetext" href="https://moderncrypto.org/mailman/listinfo/curves">https://moderncrypto.org/mailman/listinfo/curves</a>
</pre>
</blockquote>
<br>
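<p>An added example, not part of either message and not code from the SPAKE paper: it runs the exchange quoted above and then derives the key as Hash(Alice,Bob,P1,P2,abG), showing that the raw abG still agrees when the two sides disagree about who the peer is, while the hashed key does not. Assumptions: a constructed toy multiplicative group (p = 1019, q = 509) stands in for the elliptic curve, so g^x plays the role of xG; the SHA-256 field encoding and all function names are hypothetical.</p>
<pre>
```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: safe prime P = 2*Q + 1.
# It stands in for the curve; g^x here plays the role of xG in the thread.
P, Q = 1019, 509
G, G2 = 4, 9  # two squares mod P, so each generates the order-Q subgroup

def check_element(elem):
    """Receiver-side check: in range, not the identity, and of order Q."""
    if elem not in range(2, P) or pow(elem, Q, P) != 1:
        raise ValueError("invalid group element")

def fresh_share(password):
    """Pick a secret exponent x and the wire message g^x * g2^s (xG + sG2)."""
    while True:
        x = 1 + secrets.randbelow(Q - 1)
        msg = pow(G, x, P) * pow(G2, password, P) % P
        if msg != 1:  # only reachable in a tiny group; keeps honest runs valid
            return x, msg

def shared_element(my_exp, peer_msg, password):
    """Strip the password mask from the peer's message, then exponentiate."""
    check_element(peer_msg)
    return pow(peer_msg * pow(G2, -password, P) % P, my_exp, P)

def session_key(id_a, id_b, p1, p2, k):
    """Hash(Alice, Bob, P1, P2, abG) with length-prefixed fields."""
    fields = [id_a.encode(), id_b.encode()]
    fields += [v.to_bytes(2, "big") for v in (p1, p2, k)]
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def run_exchange(password, alice_expects="Bob", bob_expects="Alice"):
    """Run both sides; return the raw shared elements and the hashed keys."""
    a, p1 = fresh_share(password)
    b, p2 = fresh_share(password)
    raw_alice = shared_element(a, p2, password)
    raw_bob = shared_element(b, p1, password)
    return {
        "raw_alice": raw_alice, "raw_bob": raw_bob,
        "key_alice": session_key("Alice", alice_expects, p1, p2, raw_alice),
        "key_bob": session_key(bob_expects, "Bob", p1, p2, raw_bob),
    }
```
</pre>
<p>Calling run_exchange(4321, bob_expects="Carol") returns equal raw elements but different hashed keys, so a key-confirmation step over the hashed key fails where one over the raw abG would pass.</p>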
</body>
</html>