On Wed, Mar 19, 2014 at 11:44 AM, Arlo Breault <[email protected]> wrote:
> PANDA's an interesting use case for EKE2.
>
> https://pond.imperialviolet.org/tech.html
> https://github.com/agl/pond/blob/master/papers/panda/panda.tex
>

Hi Arlo,

There was some discussion of Pond's "PANDA", and its PAKE, here:

https://moderncrypto.org/mail-archive/messaging/2014/000086.html

It's true that it uses a rough form of "EKE2" (aka the Bellare/Pointcheval/Rogaway formalization of what Bellovin/Merritt called "DH-EKE" [1,2]).

But I don't think the PAKE provides value, since the "meeting ID" undermines it and enables guessing against the meeting secret (which the PAKE is also based on).

My impression is that PAKE is there in the hope that the meetingID problem would one day be solved. But until that happens, this doesn't seem like a great use case.

Trevor

[1] http://eprint.iacr.org/2000/014.pdf
[2] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.45.3156
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
