[curves] PAKE use cases & requirements
Michael Hamburg
mike at shiftleft.org
Fri Oct 17 10:30:39 PDT 2014
>
> On Oct 17, 2014, at 6:14 AM, Feng Hao <feng.hao at newcastle.ac.uk> wrote:
>
> Hi Trevor,
>
>> All Requirements
>> -----------------
>> - IPR free
>> - security proof
>> - efficient (in messages, computation)
>> - simple
>> - flexible to different curves
>> - sidechannel resistant
>> - no backdoors
>> - small messages
>> - non-augmented and augmented options
>> - work with existing hashed passwords
>> - low DoS potential
>> - simultaneous initiate allowed
>
> This looks good. I would suggest changing the third one to
>
> - efficient (in rounds, message, computation)
>
> Then you don't need the last one, as the simultaneous initiation is related to the round efficiency.
>
> Cheers,
> Feng
I disagree. You can have a 2-flow PAKE, plus one flow for explicit key confirmation, which would not be safe if simultaneously initiated. Such a PAKE is as efficient as possible unless you count a simultaneous round as cheaper than a round, and in any case it’s efficient enough for most users.
— Mike