[noise] PAKE in Noise

[David Wong]

Brian, Ximin and I spent some time at the Noise workshop to brainstorm
what PAKE protocols would look like in Noise.

1. Symmetric PAKE. There is no other pattern besides NN where this
seem to be useful:

NNpw:
  -> e
  <- e, ee

where:

* `e` tokens are now blinded ephemeral keys with the password g^e_priv
* u^H(pw) where u is different depending on write/readMessage
* `ee` tokens are now unblinding the other ephemeral key before doing DH

This is based on SPAKE2. Trevor says that the second `e` token doesn't
need to be blinded though (or the first one resp.). It sounds like it
works, but why doesn't SPAKE2 do that? Also, should we have a special
token like `be` for blinded ephemeral instead of adding extra behavior
to `e`? If we don't blind both-side, how do we know what to do when we
reach `ee`?


2. Asymmetric/augmented PAKE. This seems to be useful for NN, NK or NX:

NNpw:
registration
...
-> id, blinded_pw, e
<- encrypted_bundle, blinded_oprf_result, e
-> ee, es, se, ss

Not too sure about the third line :) probably only three of them are
needed. We could also mask the id to prevent passive mitm from
observing it by doing NN or NK before:

NNpw:
registration
...
-> e
<- e, ee
-> id, blinded_pw
<- encrypted_bundle, blinded_oprf_result
-> ee, es, se, ss

Jason also mentioned that the `encrypted_bundle` doesn't have to
contain the server's static public key. `id` could also be contained
in a certificate or something outside of the encrypted bundle.

Trevor also mentioned that this should be interesting work for SSH.

Cheers,
David