On Thu, Oct 2, 2014 at 3:54 PM, Michael Hamburg <[email protected]> wrote:
> Hello [curves],
>
> So I’ve been writing up this paper on PAKE, and it’s been a bit of a struggle
> because there are so many models for how PAKE works, what it means to be
> secure, and so on. I can target many different options, but I’d rather write
> a paper which just has one or two concrete proposals. This is especially
> true because I’d rather not write 2^n proofs of security.
>
> So I’m curious what models people on this list actually care about.
Hi Mike,

Good questions. The answers should probably be based on analyzing protocols where PAKE might be adopted.

I've recently talked to developers involved with OpenSSH and OTR about this. Both had interest in this topic, so I would suggest those as a starting point. I'll try to get those developers on this list. But here's a paraphrase of discussions:

OTR
 - possible use case is modernizing the "Socialist Millionaire's Protocol" to use EC
 - there's a desire for small messages, apparently due to IRC rate-limiting

OpenSSH
 - also interested in a "zero-knowledge password scheme" rather than PAKE per se
 - wants a rigorous security proof, no IPR caveats, low DoS potential, and can work with hashed passwords
 - nice to have: work with unmodified existing password hashes
 - non-goal: doesn't have to be terribly fast, as the user typing the password will be the slow element

Perhaps those protocols could be analyzed to extract out more requirements and answer your questions. If anyone knows other protocols where PAKE would be useful, that would also be helpful.

Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
