[curves] PAKE use cases & requirements

Paul Lambert paul at marvell.com
Thu Oct 16 06:06:24 PDT 2014



On 10/15/14, 3:25 PM, "Trevor Perrin" <trevp at trevp.net> wrote:

>Below I've listed cases where people are using (or might be interested
>in) an EC PAKE.  I've also tried to list the requirements that matter
>for these cases.
>
>Am I missing any requirements?
>
>It seems like a few people are working on proposals (EC-SRP, SPAKE2,
>"Elligator edition", J-PAKE).  It would be good to have a survey that
>shows how known protocols fit these requirements.  Maybe I'll get to
>it in a few weeks, or someone can beat me to it.
>
>
>Obvious requirements
>---------------------
> - IPR free
> - security proof
> - efficient (in messages, computation)
> - simple
> - flexible to different curves
> - sidechannel resistant
> - no backdoors
>
>
>Use cases and additional requirements
>--------------------------------------
>OTR
>https://moderncrypto.org/mail-archive/curves/2014/000292.html
> - currently using Socialist Millionaire's Protocol
> - goals:
>   - non-augmented
>   - small messages
>
>OpenSSH
>https://moderncrypto.org/mail-archive/curves/2014/000292.html
> - had support for J-PAKE, removed it
> - goals:
>   - augmented and hashed passwords
>   - work with existing hashed passwords
>   - low DoS potential
>
>Chrome Remote Desktop
>https://support.google.com/chrome/answer/1649523
> - currently using SPAKE2
>
>Pond
>https://pond.imperialviolet.org/tech.html ("Key Exchange Details")
> - currently using ECDH-EKE (aka "EKE2") with Rijndael-256-bit blocks
> - goals:
>   - non-augmented
>   - simultaneous initiate allowed
>
>802.11S SAE
>http://en.wikipedia.org/wiki/IEEE_802.11s
> - currently using Dragonfly
> - goals:
>   - simultaneous initiate allowed
>
>WiFi WPA
Wi-Fi WPA2-Personal
>http://www.ietf.org/mail-archive/web/cfrg/current/msg05232.html
> - currently not using PAKE
  - to be upgraded to use SAE (Dragonfly)

>
>
>All Requirements
>-----------------
> - IPR free
> - security proof
> - efficient (in messages, computation)
> - simple
> - flexible to different curves
> - sidechannel resistant
> - no backdoors
> - small messages
> - non-augmented and augmented options
> - work with existing hashed passwords
> - low DoS potential
> - simultaneous initiate allowed
>
>
>Trevor
>_______________________________________________
>Curves mailing list
>Curves at moderncrypto.org
>https://moderncrypto.org/mailman/listinfo/curves


