[noise] PAKE (was Re: Multi party psk)

[Trevor Perrin]

On Thu, Jun 8, 2017 at 11:02 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> I always wondered about doing something like Noise_NNpsk0 as a
> replacement for the various PAKEs. You expand the password into a
> proper shared secret, which you then set as the PSK. The PSK would
> then act as both an authenticator and as some poorman's PQ, while the
> dhee would provide forward secrecy. Though, perhaps this doesn't have
> all the same properties as a proper PAKE?

That doesn't have the PAKE property, PAKE should not enable offline
guessing for either party.  But above, an attacker who interacts with
a legitimate party and receives a ciphertext based on the PSK can
check offline guesses for the PSK.

One way to get a PAKE in DH protocols is to encrypt DH ephemerals with
a password ("DH-EKE" idea from Bellovin and Merritt).  Provided that
decryption always yields a plausible ephemeral, then offline guessing
isn't enabled.

The "Provided" part is tricky - you can't do regular encryption,
because with EC only 1/2 of decrypted bitstrings would be valid EC
public keys.  So you'd have to "encrypt" the ephemeral by first
mapping the password to a point (e.g. with Elligator), then adding
this point to the ephemeral (this overall approach from Abdalla's
SPAKE2, plus Mike Hamburg).

I haven't thought much about PAKE in Noise, but it could be interesting.

Maybe something like this would work?

Noise_NK+pake(rs):
  <- s
  ...
  -> e, es, u, p
  <- e, ee, pe

 Noise_NX+pake(rs):
   -> e
   <- e, ee, s, es
   -> u, p
   <- pe

Where "p" is a password-encrypted ephemeral", "pe" is DH between some
p and e ephemerals, and "u" is a payload-like field for containing
usernames.


Trevor