[noise] PAKE in Noise
ximin at dfinity.org
Mon Jan 14 16:45:46 PST 2019
On Mon, Jan 14, 2019 at 12:50 PM David Wong <davidwong.crypto at gmail.com>
> > My previous proposal had both an "eke" modifier to indicate that the
> > ephemeral is being masked, and listed "SPAKE2" as a public-key
> > algorithm specifying how the masking value is derived, giving us more
> > options, e.g. specifying "Elligator2" to derive the masking value via
> > Elligator.
> We talked about that as well actually. I'm not pro-flexibility and
> Elligator seems like a nightmare to implement.
There is an additional issue with Elligator which is that not all curve
points get mapped from a string. To quote :
"-2u(u + A) is a square [..] [this] excludes about half the points on the
The recommended flow is to generate the random string first, then apply
Elligator to turn this into a curve point. This means if we add Elligator
to Noise, we also need to generate private keys in this way - as opposed to
picking a random curve point first, then delegating to the blinding scheme.
As we also discussed, in SPAKE2 one has to *add* two curve points (if I
remember right), so we would additionally require that "-2u(u +A) is a
square" holds for both u = x, y, and (x + y), and this constrained would
also have to be done "inside" Noise before the blinding itself. Not sure if
this is possible/feasible with Curve25519, and I couldn't find discussion
of this in the original paper  either.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Noise