[curves] PAKE use cases

[Trevor Perrin]

On Fri, Feb 6, 2015 at 6:57 PM, Brian Warner <warner at lothar.com> wrote:
>
> I've been working on PAKE recently, so I thought I'd resurrect this
> four-month-old thread to mention the use-cases that I've cared about at
> various times in the last several years:

Nice, thanks Brian,

I think your use cases have consistent requirements with the earlier
discussion, so that reinforces that we're considering the right
things, and the requirements are mostly straightforward:

https://moderncrypto.org/mail-archive/curves/2014/000294.html

You also touched on the main complication from earlier: It would be
nice to have augmented schemes with a server-only workfactor, as
compared to a "traditional" augmented PAKE like SRP where
password-stretching has to be done by the client:

https://moderncrypto.org/mail-archive/curves/2014/000297.html
https://moderncrypto.org/mail-archive/curves/2014/000319.html

That's a good theoretical problem.  My question for the group: Is
moving the password stretching workfactor to the server a requirement
for augmented PAKE to be useful?

The examples I recall for augmented PAKE are:

 * Firefox Sync - you're envisioning slow Javascript clients, so you
"really wanted" the server side workfactor, and I'm not sure that a
traditional augmented PAKE is that useful?

 * OpenSSH - I read Damien's requirements as wanting augmentation but
not being terribly concerned with client computation.  So perhaps
traditional augmentation is OK here?

https://moderncrypto.org/mail-archive/curves/2014/000302.html

Trevor