[noise] PAKE in Noise

Ximin Luo ximin at dfinity.org
Mon Jan 14 16:45:46 PST 2019

On Mon, Jan 14, 2019 at 12:50 PM David Wong <davidwong.crypto at gmail.com>

> [..]
> > My previous proposal had both an "eke" modifier to indicate that the
> > ephemeral is being masked, and listed "SPAKE2" as a public-key
> > algorithm specifying how the masking value is derived, giving us more
> > options, e.g. specifying "Elligator2" to derive the masking value via
> > Elligator.
> We talked about that as well actually. I'm not pro-flexibility and
> Elligator seems like a nightmare to implement.

There is an additional issue with Elligator which is that not all curve
points get mapped from a string. To quote [1]:

"-2u(u + A) is a square [..] [this] excludes about half the points on the

The recommended flow is to generate the random string first, then apply
Elligator to turn this into a curve point. This means if we add Elligator
to Noise, we also need to generate private keys in this way - as opposed to
picking a random curve point first, then delegating to the blinding scheme.

As we also discussed, in SPAKE2 one has to *add* two curve points (if I
remember right), so we would additionally require that "-2u(u + A) is a
square" holds for both u = x, y, and (x + y), and this constraint would
also have to be done "inside" Noise before the blinding itself. Not sure if
this is possible/feasible with Curve25519, and I couldn't find discussion
of this in the original paper [2] either.


[1] https://www.imperialviolet.org/2013/12/25/elligator.html
[2] https://eprint.iacr.org/2013/325.pdf
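
Added example (not part of the original message or of any Noise code): a check of the quoted condition on Curve25519, comparing the string-first flow with picking a curve point first. The function names are hypothetical and the "random" inputs are constructed from SHA-256 so the run is repeatable; it works on u-coordinates only and does not address the sum-of-points question raised above.

```python
import hashlib

P = 2**255 - 19      # Curve25519 field prime
A = 486662           # Montgomery coefficient: v^2 = u^3 + A*u^2 + u

def is_square(x):
    """Euler's criterion; 0 counts as a square."""
    return pow(x % P, (P - 1) // 2, P) in (0, 1)

def on_curve(u):
    """True if u is the u-coordinate of a point on the curve (not its twist)."""
    return is_square(u * u * u + A * u * u + u)

def representable(u):
    """The condition quoted from [1]: -2u(u + A) is a square."""
    return is_square(-2 * u * (u + A))

def elligator2(r):
    """Elligator 2 forward map, field element r -> u-coordinate on the curve.
    Uses 2 as the fixed non-square, which is valid for this prime."""
    v = -A * pow(1 + 2 * r * r, P - 2, P) % P
    return v if on_curve(v) else (-v - A) % P

def field_elements(label, n):
    """Constructed, deterministic stand-ins for uniformly random strings."""
    for i in range(n):
        digest = hashlib.sha256(f"{label}-{i}".encode()).digest()
        yield int.from_bytes(digest, "little") % P

def string_first(n=500):
    """Random string -> Elligator -> point: fraction of outputs that pass."""
    us = [elligator2(r) for r in field_elements("r", n)]
    return sum(on_curve(u) and representable(u) for u in us) / n

def point_first(n=2000):
    """Pick a curve point first: fraction that have an Elligator preimage."""
    us = [u for u in field_elements("u", n) if on_curve(u)]
    return sum(representable(u) for u in us) / len(us)

if __name__ == "__main__":
    print("string first:", string_first())  # every output is representable
    print("point first: ", point_first())   # close to one half
```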