[curves] PAKE use cases & requirements

[Trevor Perrin]

Below I've listed cases where people are using (or might be interested
in) an EC PAKE.  I've also tried to list the requirements that matter
for these cases.

Am I missing any requirements?

It seems like a few people are working on proposals (EC-SRP, SPAKE2,
"Elligator edition", J-PAKE).  It would be good to have a survey that
shows how known protocols fit these requirements.  Maybe I'll get to
it in a few weeks, or someone can beat me to it.


Obvious requirements
---------------------
 - IPR free
 - security proof
 - efficient (in messages, computation)
 - simple
 - flexible to different curves
 - sidechannel resistant
 - no backdoors


Use cases and additional requirements
--------------------------------------
OTR
https://moderncrypto.org/mail-archive/curves/2014/000292.html
 - currently using Socialist Millionaire's Protocol
 - goals:
   - non-augmented
   - small messages

OpenSSH
https://moderncrypto.org/mail-archive/curves/2014/000292.html
 - had support for J-PAKE, removed it
 - goals:
   - augmented and hashed passwords
   - work with existing hashed passwords
   - low DoS potential

Chrome Remote Desktop
https://support.google.com/chrome/answer/1649523
 - currently using SPAKE2

Pond
https://pond.imperialviolet.org/tech.html ("Key Exchange Details")
 - currently using ECDH-EKE (aka "EKE2") with Rijndael-256-bit blocks
 - goals:
   - non-augmented
   - simultaneous initiate allowed

802.11S SAE
http://en.wikipedia.org/wiki/IEEE_802.11s
 - currently using Dragonfly
 - goals:
   - simultaneous initiate allowed

WiFi WPA
http://www.ietf.org/mail-archive/web/cfrg/current/msg05232.html
 - currently not using PAKE


All Requirements
-----------------
 - IPR free
 - security proof
 - efficient (in messages, computation)
 - simple
 - flexible to different curves
 - sidechannel resistant
 - no backdoors
 - small messages
 - non-augmented and augmented options
 - work with existing hashed passwords
 - low DoS potential
 - simultaneous initiate allowed


Trevor