> On Oct 17, 2014, at 6:14 AM, Feng Hao <[email protected]> wrote:
>
> Hi Trevor,
>
>> All Requirements
>> -----------------
>> - IPR free
>> - security proof
>> - efficient (in messages, computation)
>> - simple
>> - flexible to different curves
>> - sidechannel resistant
>> - no backdoors
>> - small messages
>> - non-augmented and augmented options
>> - work with existing hashed passwords
>> - low DoS potential
>> - simultaneous initiate allowed
>
> This looks good. I would suggest to change the third one to
>
> - efficient (in rounds, message, computation)
>
> Then you don't need the last one, as the simultaneous initiation is related
> to the round efficiency.
>
> Cheers,
> Feng

I disagree. You can have a 2 flow PAKE, plus one flow for explicit key confirmation, which would not be safe if simultaneously initiated. Such a PAKE is as efficient as possible unless you count a simultaneous round as cheaper than a round, and in any case it’s efficient enough for most users.

— Mike
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
