[curves] PAKE use cases (was: password authenticated key exchange (PAKE))

[Trevor Perrin]

On Thu, Oct 2, 2014 at 3:54 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> Hello [curves],
>
> So I’ve been writing up this paper on PAKE, and it’s been a bit of a struggle because there are so many models for how PAKE works, what it means to be secure, and so on.  I can target many different options, but I’d rather write a paper which just has one or two concrete proposals.  This is especially true because I’d rather not write 2^n proofs of security.
>
> So I’m curious what models people on this list actually care about.

Hi Mike,

Good questions.  The answers should probably be based on analyzing
protocols where PAKE might be adopted.

I've recently talked to developers involved with OpenSSH and OTR about
this.  Both had interest in this topic, so I would suggest those as a
starting point.

I'll try to get those developers on this list.  But here's a
paraphrase of discussions:

OTR
 - possible use case is modernizing the "Socialist Millionaire's
Protocol" to use EC
 - there's a desire for small messages, apparently due to IRC rate-limiting

OpenSSH
 - also interested in a "zero-knowledge password scheme" rather than PAKE per se
 - wants a rigorous security proof, no IPR caveats, low DoS potential,
and can work with hashed passwords.
 - nice to have: work with unmodified existing password hashes
 - non-goal: doesn't have to be terribly fast, as the user typing the
password will be slow element

Perhaps those protocols could be analyzed to extract out more
requirements and answer your questions.

If anyone knows other protocols where PAKE would be useful, that would
also be helpful.


Trevor