PANDA's an interesting use case for EKE2. https://pond.imperialviolet.org/tech.html https://github.com/agl/pond/blob/master/papers/panda/panda.tex
On Wed, Mar 19, 2014 at 11:30 AM, Trevor Perrin <[email protected]> wrote: > > Hi, > > One thing we could discuss is Elliptic Curve PAKEs (Password Authenticated > Key Exchange). > > There's some ideas worth exploring due to expiry of Lucent patents; > developments such as SPAKE2, J-PAKE, and AugPAKE; and "hashing to curve" > algorithms like SWU and Elligator [1,2]. For example, Mike Hamburg's ideas > in [3] seem promising. > > But are there good use cases to focus discussion? Possibilities - > > * PAKE for the web has been attempted in TLS (RFC 5054) with little > interest from browsers or sites. Partly this is a layering problem > (username in clear, too early in the connection, and the TLS terminator is > the wrong place for client auth). But there are deeper UI problems: > browsers would have to display an unspoofable dialog; users would have to > be trained to enter certain passwords only into this dialog; and sites > would lose control of login UI. Client auth for the web seems likely to > evolve in other directions (e.g. password managers, 2-factor, federation). > > * SSH already has J-PAKE which (I think?) is rarely used, though I'm not > sure why. If part of the reason is performance, is there room for > improvement here? > > * IEEE 802.11s I think has standardized on "Simultaneous Authentication > of Equals" (aka Dragonfly) as an EC PAKE. I don't know if it's seen real > deployment, nor do I understand the "mesh networking" scenario it's being > used for, which seems different from just authenticating a client to an AP. > Anyone know more? > > * There are smaller, more specialized uses of PAKE for protocols like > online backups or device pairing. E.g. I think Chrome is (using? > investigating?) SPAKE2 for "chromoting", whatever that is. > > Anyways, it's not clear that there are strong-enough use cases to motivate > a good discussion and keep it on track. Though I wish there were! PAKEs > are cool, it seems like they should be useful somewhere. > > Other thoughts? > > > Trevor > > > [1] http://eprint.iacr.org/2009/340.pdf > [2] http://elligator.cr.yp.to > [3] http://www.ietf.org/mail-archive/web/cfrg/current/msg03840.html > > > _______________________________________________ > Curves mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/curves > >
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
