On Fri, Feb 6, 2015 at 6:57 PM, Brian Warner <[email protected]> wrote: > > I've been working on PAKE recently, so I thought I'd resurrect this > four-month-old thread to mention the use-cases that I've cared about at > various times in the last several years:
Nice, thanks Brian, I think your use cases have consistent requirements with the earlier discussion, so that reinforces that we're considering the right things, and the requirements are mostly straightforward: https://moderncrypto.org/mail-archive/curves/2014/000294.html You also touched on the main complication from earlier: It would be nice to have augmented schemes with a server-only workfactor, as compared to a "traditional" augmented PAKE like SRP where password-stretching has to be done by the client: https://moderncrypto.org/mail-archive/curves/2014/000297.html https://moderncrypto.org/mail-archive/curves/2014/000319.html That's a good theoretical problem. My question for the group: Is moving the password stretching workfactor to the server a requirement for augmented PAKE to be useful? The examples I recall for augmented PAKE are: * Firefox Sync - you're envisioning slow Javascript clients, so you "really wanted" the server side workfactor, and I'm not sure that a traditional augmented PAKE is that useful? * OpenSSH - I read Damien's requirements as wanting augmentation but not being terribly concerned with client computation. So perhaps traditional augmentation is OK here? https://moderncrypto.org/mail-archive/curves/2014/000302.html Trevor _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
