warner/python-spake2

implement SPAKE2+ (augmented PAKE)

warner opened this issue · 1 comments

warner commented

I've started work on this in the "pake2+" branch. The algorithm is defined in the last section of "The Twin Diffie-Hellman Problem and Applications" (Cash, Kiltz, Shoup), available at http://www.research.rutgers.edu/~dc789/dh.pdf :

  • password (maybe after stretching) is split into two pieces, pw0 and pw1
  • setup: server stores pw0 and L=B*pw1
  • client: pick random scalar x, send element X = B*x + U*pw0
  • server: pick random scalar y, send element Y = B*y + V*pw0
  • server: compute element Z = (X-U*pw0)*y
  • server: compute element N = L*y
  • server: compute shared key as hash(pw0, X, Y, Z, N)
  • client: compute element Z = (Y-V*pw0)*x
  • client: compute element N = (Y-V*pw0)*pw1
  • client: compute shared key as hash(pw0, X, Y, Z, N)

A server compromise doesn't immediately reveal a password-equivalent, because the server stores B*pw1 instead of pw1, so the attacker must first run an offline dictionary attack to reverse the scalarmult.

Relative to (symmetric) SPAKE2, this just adds the N term and server-side storage for L.

dlq84 commented

Hello, any news regarding spake2+ for this library?