Can you take a look at this: https://github.com/Sc00bz/ECSRP
P and Q are points on the curve in the same cyclical group (ie aP = Q for some unknown a) k is the key derived from the password 1/k is done by modular inverse for the cyclical group order Server has (1/k)P and (1/k)Q a and b are random private keys X(P) returns the x coordinate of a point || is concatenation C->S: Identity C<-S: b(1/k)P + (1/k)Q, salt, password KDF settings C: k(b(1/k)P + (1/k)Q) - Q = bP C->S: X(aP), H(X(bP) || X(abP)) S: Verify C<-S: H(X(aP) || X(bP) || X(abP)) C: Verify ----------------- I am having problems with point Q. For Curve25519, I picked Q as (16, ...), but I do not know if that is a good choice. It appears that there are two cyclical groups of the same order (2^252+27742317777372353535851937790883648493) on that curve, but I do not know if there is an issue with adding two points on the same curve but in different cyclical groups. I have not found any problems but obviously I can only test a very small fraction of them. I'm thinking that any point that is on this curve and has the same order as point P is fine for point Q, but I am not positive. (Well obviously P = Q is a bad choice or really any aP = Q for a known a.) _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
