[noise] PAKE (was Re: Multi party psk)
Trevor Perrin
trevp at trevp.net
Thu Jun 8 16:40:08 PDT 2017
On Thu, Jun 8, 2017 at 11:02 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> I always wondered about doing something like Noise_NNpsk0 as a
> replacement for the various PAKEs. You expand the password into a
> proper shared secret, which you then set as the PSK. The PSK would
> then act as both an authenticator and as some poorman's PQ, while the
> dhee would provide forward secrecy. Though, perhaps this doesn't have
> all the same properties as a proper PAKE?
That doesn't have the PAKE property: PAKE should not enable offline
guessing for either party. But above, an attacker who interacts with
a legitimate party and receives a ciphertext based on the PSK can
check offline guesses for the PSK.
One way to get a PAKE in DH protocols is to encrypt DH ephemerals with
a password ("DH-EKE" idea from Bellovin and Merritt). Provided that
decryption always yields a plausible ephemeral, then offline guessing
isn't enabled.
The "Provided" part is tricky - you can't do regular encryption,
because with EC only 1/2 of decrypted bitstrings would be valid EC
public keys. So you'd have to "encrypt" the ephemeral by first
mapping the password to a point (e.g. with Elligator), then adding
this point to the ephemeral (this overall approach from Abdalla's
SPAKE2, plus Mike Hamburg).
I haven't thought much about PAKE in Noise, but it could be interesting.
Maybe something like this would work?
Noise_NK+pake(rs):
<- s
...
-> e, es, u, p
<- e, ee, pe
Noise_NX+pake(rs):
-> e
<- e, ee, s, es
-> u, p
<- pe
Where "p" is a password-encrypted ephemeral, "pe" is DH between some
p and e ephemerals, and "u" is a payload-like field for containing
usernames.
Trevor
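As an added example (not code from this thread or from the Noise project), the following Python toy contrasts the two designs discussed above: a password-expanded PSK, whose handshake MAC can be re-derived and compared against password guesses offline, and a SPAKE2-style password-blinded ephemeral, where unblinding with any guess yields a valid group element, so the transcript gives no offline oracle. It assumes a multiplicative group modulo a small safe prime instead of an elliptic curve with Elligator, toy generator and blinding constants G, M and N, and SHA-256 in place of a memory-hard password KDF; none of this is a Noise pattern.

```python
import hashlib
import hmac
import secrets


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (bases up to 37)."""
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> int:
    """Smallest safe prime p = 2q+1 with q just above 2^(bits-1); toy-sized, deterministic."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Toy group parameters (assumption of this example, not a real PAKE ciphersuite).
P = find_safe_prime(64)
Q = (P - 1) // 2          # prime order of the subgroup of squares
G = 4                     # a square, so it generates the order-Q subgroup
M, N = 9, 25              # blinding bases for each side; squares, so also in the subgroup
                          # (a real SPAKE2 hashes these to points of unknown discrete log)


def password_scalar(password: bytes) -> int:
    # Toy: SHA-256 stands in for the memory-hard KDF a real PAKE would use.
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q


# --- Design 1: password expanded into a PSK (the Noise_NNpsk0 idea from the quoted mail) ---
def psk_transcript(password: bytes) -> bytes:
    """First handshake message authenticated under the password-derived PSK."""
    psk = hashlib.sha256(b"psk-expand|" + password).digest()
    # Stands in for the AEAD tag a PSK-keyed Noise message would carry.
    return hmac.new(psk, b"first handshake message", hashlib.sha256).digest()


def psk_guess_consistent(transcript: bytes, guess: bytes) -> bool:
    """Observer re-derives the MAC from a guess: True only for the real password (offline oracle)."""
    return hmac.compare_digest(psk_transcript(guess), transcript)


# --- Design 2: password-blinded ephemeral (SPAKE2-style) ---
def blind(ephemeral_pub: int, base: int, pw: int) -> int:
    return ephemeral_pub * pow(base, pw, P) % P


def unblind(blinded: int, base: int, pw: int) -> int:
    # base^Q == 1, so base^(Q - pw) is base^-pw.
    return blinded * pow(base, Q - pw, P) % P


def spake_keys(password_a: bytes, password_b: bytes):
    """Run the blinded exchange; returns A's first message and both derived keys."""
    pw_a, pw_b = password_scalar(password_a), password_scalar(password_b)
    x = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    X = blind(pow(G, x, P), M, pw_a)      # A -> B : e blinded under M^pw
    Y = blind(pow(G, y, P), N, pw_b)      # B -> A : e blinded under N^pw
    k_a = pow(unblind(Y, N, pw_a), x, P)  # G^(xy) if passwords match
    k_b = pow(unblind(X, M, pw_b), y, P)

    def kdf(k: int) -> bytes:
        return hashlib.sha256(b"%d|%d|%d" % (X, Y, k)).digest()

    return X, kdf(k_a), kdf(k_b)


def spake_guess_consistent(blinded: int, guess: bytes) -> bool:
    """Unblind with a guess and check group membership: True for EVERY guess, so no oracle."""
    candidate = unblind(blinded, M, password_scalar(guess))
    return 1 <= candidate < P and pow(candidate, Q, P) == 1
```

With matching passwords both sides derive the same key; with a wrong password on one side the keys differ, so a wrong guess costs one online attempt, while the captured message X unblinds to a subgroup element under any guess. The PSK design, by contrast, hands an observer a MAC they can recompute from each candidate password.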