In earlier discussions Mike Hamburg explained how to add augmentation to SPAKE2 (i.e. how to resist server compromise by not storing "password equivalent" data). We weren't sure this had been published [1]. Turns out it is, with a nice security argument (SPAKE2+ from [2], Section 9).
A good security proof for J-PAKE was presented at the IEEE conference in May [3]. The Thread protocol from Nest et al. for home devices has gone public with specs recently, and is using J-PAKE over P-256 [4].

Trevor

[1] https://moderncrypto.org/mail-archive/curves/2015/000424.html
[2] https://eprint.iacr.org/2008/067.pdf
[3] http://www.normalesup.org/~fbenhamo/files/publications/SP_AbdBenMac15.pdf
[4] http://threadgroup.org/Portals/0/documents/whitepapers/Thread%20Commissioning%20white%20paper_v2_public.pdf

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
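As an added illustration of the augmentation property the post refers to (SPAKE2+ as in [2], Section 9: the server stores a verifier L = g^w1 rather than password-equivalent data), here is a toy Python implementation. It is not code from the post, the list, or the cited papers. It assumes a constructed 128-bit safe-prime subgroup of Z_p^* generated at import time, SHA-256 hashing to derive M, N and the password scalars (a real deployment would use standardized group elements and a memory-hard password hash), and the function and variable names are the example's own.

```python
"""Toy SPAKE2+ (augmented SPAKE2) over a prime-order subgroup of Z_p^*.

Educational example with constructed parameters: NOT the standardized group,
NOT a production KDF.  It shows the point of augmentation: the server record
holds (w0, L = g^w1) and never w1, so a stolen record does not let its holder
run the client side of the protocol without first recovering the password.
"""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic), preceded by trial division."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_safe_prime(bits, rng):
    """Find q prime with p = 2q + 1 prime; the squares mod p then form a group of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


# Constructed toy parameters (deterministic seed so runs are reproducible).
P, Q = _gen_safe_prime(128, random.Random(2015))


def hash_to_group(label):
    """Map a label to the order-q subgroup: hash mod p, then square (squares are exactly that subgroup)."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(h, 2, P)


G = hash_to_group(b"generator")
M = hash_to_group(b"M")  # SPAKE2 requires that nobody knows log_G(M) or log_G(N)
N = hash_to_group(b"N")


def _inv(a):
    """Inverse of an element of the order-q subgroup: a^(q-1) == a^(-1)."""
    return pow(a, Q - 1, P)


def derive_w(password, salt):
    """Password -> (w0, w1) scalars.  SHA-256 stands in for a memory-hard KDF here."""
    w0 = int.from_bytes(hashlib.sha256(b"w0" + salt + password).digest(), "big") % Q
    w1 = int.from_bytes(hashlib.sha256(b"w1" + salt + password).digest(), "big") % Q
    return w0, w1


def register(password, salt):
    """Registration: the server keeps w0 and L = g^w1, but not w1 itself."""
    w0, w1 = derive_w(password, salt)
    return {"salt": salt, "w0": w0, "L": pow(G, w1, P)}


def _key(transcript, Z, V):
    """Session key = H(transcript || Z || V); all values fit in 32 bytes for this toy group."""
    data = b"".join(e.to_bytes(32, "big") for e in transcript + [Z, V])
    return hashlib.sha256(data).digest()


def client_start(password, salt):
    """Client message: X = g^x * M^w0 (the password mask hides g^x)."""
    w0, w1 = derive_w(password, salt)
    x = secrets.randbelow(Q - 1) + 1
    X = (pow(G, x, P) * pow(M, w0, P)) % P
    return {"w0": w0, "w1": w1, "x": x, "X": X}


def server_respond(record, X):
    """Server message Y = g^y * N^w0, then Z = g^(xy) and V = L^y = g^(w1*y)."""
    y = secrets.randbelow(Q - 1) + 1
    Y = (pow(G, y, P) * pow(N, record["w0"], P)) % P
    unmasked_X = (X * _inv(pow(M, record["w0"], P))) % P
    Z = pow(unmasked_X, y, P)
    V = pow(record["L"], y, P)
    return Y, _key([X, Y, record["w0"]], Z, V)


def client_finish(state, Y):
    """Client unmasks Y and needs w1 (not just w0) to form V, which the server record lacks."""
    unmasked_Y = (Y * _inv(pow(N, state["w0"], P))) % P
    Z = pow(unmasked_Y, state["x"], P)
    V = pow(unmasked_Y, state["w1"], P)
    return _key([state["X"], Y, state["w0"]], Z, V)


def run_exchange(password, record):
    """Run one full exchange; returns (client_key, server_key)."""
    st = client_start(password, record["salt"])
    Y, server_key = server_respond(record, st["X"])
    client_key = client_finish(st, Y)
    return client_key, server_key


if __name__ == "__main__":
    rec = register(b"correct horse battery staple", b"constructed-salt")
    ck, sk = run_exchange(b"correct horse battery staple", rec)
    print("keys match with right password:", ck == sk)
    ck, sk = run_exchange(b"wrong password", rec)
    print("keys match with wrong password:", ck == sk)
```

The two halves of the key derivation are the point: Z is the ordinary SPAKE2 Diffie-Hellman term, which a holder of w0 alone could reproduce, while V requires w1 on the client side and only L = g^w1 on the server side, so the server record is a verifier rather than a password equivalent. Safe-prime generation at import takes a fraction of a second on the toy 128-bit size.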
