[noise] Noise and PAKE handhakes
Trevor Perrin
trevp at trevp.net
Mon Dec 17 08:45:20 PST 2018
On Mon, Dec 17, 2018 at 3:42 PM david wong <davidwong.crypto at gmail.com> wrote:
>
> Thanks for the explanations Trevor! I now realize that OPAQUE is not really useful in a lot of scenarios where you want to type the password on both devices to connect them.
OPAQUE could be made to work there, but is probably more designed for
a password-login scenario where the server is storing some data that
might be compromised.
> I gotta ask as well: why SPAKE2? My knowledge of PAKEs is very limited, but I’ve seen a lot of them being mentioned here and there: PAK, PAKE, SPAKE, JPAKE, SPAKE2, JPAKE2. Is there a good survey of all of them, their differences and what the state of the art is?
I don't know any great survey, but the 2 most efficient/generic
approaches aside from OPAQUE I thought were EKE-style (masking the
ephemeral with a password-derived value like SPAKE2, PAK) or
SPEKE-style (deriving a generator from password). (JPAKE is less
efficient IIRC; SRP doesn't map well to EC.)
EKE-style (masking the ephemeral) integrates cleanly into our existing
patterns, I'm not sure if SPEKE does as well though haven't thought
about it as much.
Trevor
More information about the Noise
mailing list