[curves] PAKE use cases & requirements

Michael Hamburg mike at shiftleft.org
Fri Oct 17 10:30:39 PDT 2014


> 
> On Oct 17, 2014, at 6:14 AM, Feng Hao <feng.hao at newcastle.ac.uk> wrote:
> 
> Hi Trevor,
> 
>> All Requirements
>> -----------------
>> - IPR free
>> - security proof
>> - efficient (in messages, computation)
>> - simple
>> - flexible to different curves
>> - sidechannel resistant
>> - no backdoors
>> - small messages
>> - non-augmented and augmented options
>> - work with existing hashed passwords
>> - low DoS potential
>> - simultaneous initiate allowed
> 
> This looks good. I would suggest to change the third one to
> 
> - efficient (in rounds, message, computation)
> 
> Then you don't need the last one, as the simultaneous initiation is related to the round efficiency.
> 
> Cheers,
> Feng

I disagree.  You can have a 2 flow PAKE, plus one flow for explicit key confirmation, which would not be safe if simultaneously initiated.  Such a PAKE is as efficient as possible unless you count a simultaneous round as cheaper than a round, and in any case it’s efficient enough for most users.

— Mike


More information about the Curves mailing list