[noise] Noise and PAKE handhakes
Brian Warner
warner at lothar.com
Mon Dec 17 18:48:49 PST 2018
On Mon, Dec 17, 2018 at 3:42 PM david wong <davidwong.crypto at gmail.com>
wrote:
> I gotta ask as well: why SPAKE2? My knowledge of PAKEs is very
> limited, but I’ve seen a lot of them being mentioned here and there:
> PAK, PAKE, SPAKE, JPAKE, SPAKE2, JPAKE2. Is there a good survey of all
> of them, their differences and what the state of the art is?
FWIW, when we were using J-PAKE in Firefox Sync years ago (probably
around 2010), and I asked Dan Boneh about our protocol, he told me that
if you need a PAKE, you should probably use SPAKE2. It's the only PAKE
he included in his textbook[1]. I used it in magic-wormhole based on his
advice.
Also, I don't believe J-PAKE had a great security proof. And it requires
an extra pair of roundtrips compared to SPAKE2.
cheers,
-Brian
[1]: http://crypto.stanford.edu/~dabo/cryptobook/
More information about the Noise
mailing list