On 10/15/14, 3:25 PM, "Trevor Perrin" <[email protected]> wrote:
> Below I've listed cases where people are using (or might be interested
> in) an EC PAKE. I've also tried to list the requirements that matter
> for these cases.
>
> Am I missing any requirements?
>
> It seems like a few people are working on proposals (EC-SRP, SPAKE2,
> "Elligator edition", J-PAKE). It would be good to have a survey that
> shows how known protocols fit these requirements. Maybe I'll get to
> it in a few weeks, or someone can beat me to it.
>
>
> Obvious requirements
> ---------------------
>  - IPR free
>  - security proof
>  - efficient (in messages, computation)
>  - simple
>  - flexible to different curves
>  - sidechannel resistant
>  - no backdoors
>
>
> Use cases and additional requirements
> --------------------------------------
> OTR
> https://moderncrypto.org/mail-archive/curves/2014/000292.html
>  - currently using Socialist Millionaire's Protocol
>  - goals:
>    - non-augmented
>    - small messages
>
> OpenSSH
> https://moderncrypto.org/mail-archive/curves/2014/000292.html
>  - had support for J-PAKE, removed it
>  - goals:
>    - augmented and hashed passwords
>    - work with existing hashed passwords
>    - low DoS potential
>
> Chrome Remote Desktop
> https://support.google.com/chrome/answer/1649523
>  - currently using SPAKE2
>
> Pond
> https://pond.imperialviolet.org/tech.html ("Key Exchange Details")
>  - currently using ECDH-EKE (aka "EKE2") with Rijndael-256-bit blocks
>  - goals:
>    - non-augmented
>    - simultaneous initiate allowed
>
> 802.11S SAE
> http://en.wikipedia.org/wiki/IEEE_802.11s
>  - currently using Dragonfly
>  - goals:
>    - simultaneous initiate allowed
>
> WiFi WPA Wi-Fi WPA2-Personal
> http://www.ietf.org/mail-archive/web/cfrg/current/msg05232.html
>  - currently not using PAKE - to be upgraded to use SAE (Dragonfly)
>
>
> All Requirements
> -----------------
>  - IPR free
>  - security proof
>  - efficient (in messages, computation)
>  - simple
>  - flexible to different curves
>  - sidechannel resistant
>  - no backdoors
>  - small messages
>  - non-augmented and augmented options
>  - work with existing hashed passwords
>  - low DoS potential
>  - simultaneous initiate allowed
>
>
> Trevor
> _______________________________________________
> Curves mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/curves
