Comment by loup-vaillant
7 years ago
Couldn't we instead just cut the shared password in 2 (or use 2 passwords, it's the same), so we don't require point addition? I really don't feel like implementing key exchange in Edwards space just so I can have the complete addition law… unless maybe I don't need the law to be complete?
Here's how it could work (unless you tear it apart):
Alice and Bob share two passwords out of band: Pa and Pb
Alice and Bob generate two key pairs ka/KA, and kb/KB
Alice sends KA, Bob sends KB
Alice and Bob compute ss = HASH(DH(kb, KA) = DH(ka, KB))
Alice responds to KB with Ha = HMAC(Pb, KB || ss)
Bob responds to KA with Hb = HMAC(Pa, KA || ss)
Alice verifies Hb
Bob verifies Ha
The session key is HASH(ss) or something
The main disadvantage is that to achieve the security of a true PAKE, passwords here must be twice as long. A 4 digit Pin number here would only have the security of two digits (1/100). You'd need 8 digits to get to 1/10,000 security. On the other hand, it's extremely simple, doesn't require point addition, and if there's any flaw you probably already have spotted it.
No comments yet
Contribute on Hacker News ↗