[noise] PAKE in Noise

Trevor Perrin trevp at trevp.net
Mon Jan 14 17:10:10 PST 2019


On Tue, Jan 15, 2019 at 12:45 AM Ximin Luo <ximin at dfinity.org> wrote:
>
> On Mon, Jan 14, 2019 at 12:50 PM David Wong <davidwong.crypto at gmail.com> wrote:
>>
>> [..]
>>
>> > My previous proposal had both an "eke" modifier to indicate that the
>> > ephemeral is being masked, and listed "SPAKE2" as a public-key
>> > algorithm specifying how the masking value is derived, giving us more
>> > options, e.g. specifying "Elligator2" to derive the masking value via
>> > Elligator.
>>
>>
>> We talked about that as well actually. I'm not pro-flexibility and
>> Elligator seems like a nightmare to implement.
>
>
> There is an additional issue with Elligator which is that not all curve points get mapped from a string. To quote [1]:
>
> "-2u(u + A) is a square [..] [this] excludes about half the points on the curve"

I don't think that affects this usage.  All paswords would map to a
curve point, which is the important thing.  This masking point gets
added to the ephemeral point, and the result point is transmitted.

An attacker might try guessing passwords and subtracting off the
hypothesized masking point, but will just get a potentially valid
ephemeral point, which they can't do anything more with.

Mike wrote up a SPAKE2 "Elligator Edition" a few years ago:

https://moderncrypto.org/mail-archive/curves/2015/000424.html

Trevor


More information about the Noise mailing list