
@Sc00bz
Last active August 5, 2019 14:41
Description of BSPAKE that glosses over a few details
BSPAKE
For an explicit description, with all optional features and implementation
choices pointed out, see:
https://gist.github.com/Sc00bz/ef0951ab98e8e1bac4810f65a42eab1a
Both have:
G = generator
idS = server identity
Client has:
idC = client identity
Server has these for "idC":
salt
settings
BlindC = hashToPoint(clientBlind)
BlindS = hashToPoint(serverBlind)
k3
V = v * G
C: r = random()
C: R = r * hashToPoint(H(password, idC, idS))
C->S: idC, R
S: b = random()
S: B = b * G + BlindS
S: R' = H(salt) * R
C<-S: B, R', settings
C: BlindSalt = (1/r) * R'
C: clientBlind || serverBlind || k3 || v
= pwKdf(password, BlindSalt, idC, idS, settings)
C: a = random()
C: A = a * G + hashToPoint(clientBlind)
C: B' = B - hashToPoint(serverBlind)
C: K_c = H(idC, idS, A, B, a * B', k3, v * B')
C: verifierC = H(K_c, verifyCModifier)
C->S: A, verifierC[, encryptedDataC]
S: A' = A - BlindC
S: K_s = H(idC, idS, A, B, b * A', k3, b * V)
S: Checks verifierC == H(K_s, verifyCModifier)
S: verifierS = H(K_s, verifySModifier)
C<-S: verifierS[, encryptedDataS]
C: Checks verifierS == H(K_c, verifySModifier)
On success K_c == K_s: B' = b * G and A' = a * G, so a * B' = b * A' = a * b * G
and v * B' = b * V = b * v * G, and every input to H() is the same on both sides.
Thus the derived verifiers and encryption keys are the same.
When receiving a point, you must check it is valid and not a low order point.
After blinding and unblinding, check the point is not the point at infinity.
When using H() or random() to generate a scalar, generate a larger value, reduce
it modulo one less than the order, then add 1. This makes the scalar uniformly
distributed and never zero. Do the same for H() when generating field elements
(for example inside hashToPoint) to avoid bad values.
Note "H(salt) * R" rather than "salt * R": this is so you don't need to store a
large salt. A salt of just 128 to 256 bits is fine once H() expands it to the
required scalar length.
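The exchange above and the checks in these notes, as an added Python example that is not part of the gist or of any BSPAKE implementation by its author. It assumes secp256k1 (cofactor 1, so "not a low order point" reduces to "not the point at infinity"), a try-and-increment hashToPoint, length-prefixed SHA-512 for H(), PBKDF2 standing in for pwKdf, and the names need, on_curve, register, bspake and login_ok; all of those are this example's choices, not the gist's. register builds the server's record for idC directly, since this page does not describe registration. Scalars from H() and random() are derived exactly as the notes prescribe (wide value, mod order-1, plus 1), and every point received, unblinded or checked is validated where the notes say to.

```python
import hashlib, hmac, secrets

# secp256k1 (standard constants; cofactor 1, so the only low-order point is INF). The curve, encodings and PBKDF2 stand-in for pwKdf are this example's assumptions, not the gist's.
P, INF = 2**256 - 2**32 - 977, None
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def need(cond, msg):  # abort the run where the gist says "check"
    if not cond:
        raise ValueError(msg)

def on_curve(pt):  # every received point: on the curve and not the point at infinity
    return pt is not INF and 0 <= pt[0] < P and 0 <= pt[1] < P and (pt[1]**2 - pt[0]**3 - 7) % P == 0

def add(p1, p2):  # affine addition; also handles doubling and p + (-p) = INF
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = (3 * x1 * x1 * pow(2 * y1, P - 2, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, P - 2, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def sub(p1, p2):  # p1 - p2
    return add(p1, INF if p2 is INF else (p2[0], -p2[1] % P))

def mul(k, pt):  # double-and-add; not constant time, so demo only
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def scalar_from_bytes(wide):  # 64-byte input: reduce mod (order - 1), add 1 -> uniform and non-zero
    return int.from_bytes(wide, 'big') % (N - 1) + 1

def enc(part):  # points encode as x || y (32 bytes each); bytes pass through unchanged
    return part if isinstance(part, bytes) else part[0].to_bytes(32, 'big') + part[1].to_bytes(32, 'big')

def H(*parts):  # length-prefixed SHA-512; its 64-byte output feeds scalar_from_bytes directly
    return hashlib.sha512(b''.join(len(b).to_bytes(2, 'big') + b for b in map(enc, parts))).digest()

def hash_to_point(data):  # try-and-increment; y = sqrt(x^3 + 7) via exponent because P % 4 == 3
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(data + bytes([ctr])).digest(), 'big') % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError('hash_to_point failed')

def pw_kdf(password, blind_salt, idC, idS, settings):  # -> clientBlind, serverBlind, k3, v
    out = hashlib.pbkdf2_hmac('sha256', password, enc(blind_salt) + idC + idS, settings, dklen=160)
    return out[:32], out[32:64], out[64:96], scalar_from_bytes(out[96:])

def register(password, idC, idS, settings=10000):  # the record the server keeps for idC
    salt = secrets.token_bytes(16)
    blind_salt = mul(scalar_from_bytes(H(salt)), hash_to_point(H(password, idC, idS)))
    client_blind, server_blind, k3, v = pw_kdf(password, blind_salt, idC, idS, settings)
    return {'salt': salt, 'settings': settings, 'BlindC': hash_to_point(client_blind),
            'BlindS': hash_to_point(server_blind), 'k3': k3, 'V': mul(v, G)}

def bspake(db, password, idC, idS):  # both sides of one run, in message order -> (K_c, K_s)
    r = scalar_from_bytes(secrets.token_bytes(64))
    R = mul(r, hash_to_point(H(password, idC, idS)))                  # C->S: idC, R
    rec = db[idC]
    need(on_curve(R), 'bad R')
    b = scalar_from_bytes(secrets.token_bytes(64))
    B = add(mul(b, G), rec['BlindS'])                                 # S: B = b*G + BlindS
    R2 = mul(scalar_from_bytes(H(rec['salt'])), R)                    # C<-S: B, R' = H(salt)*R, settings
    need(on_curve(B) and on_curve(R2), "bad B or R'")
    blind_salt = mul(pow(r, N - 2, N), R2)                            # C: BlindSalt = (1/r) * R'
    need(blind_salt is not INF, 'BlindSalt is the point at infinity')
    client_blind, server_blind, k3, v = pw_kdf(password, blind_salt, idC, idS, rec['settings'])
    a = scalar_from_bytes(secrets.token_bytes(64))
    A = add(mul(a, G), hash_to_point(client_blind))                   # C: A = a*G + hashToPoint(clientBlind)
    B2 = sub(B, hash_to_point(server_blind))                          # C: B' = B - hashToPoint(serverBlind)
    need(B2 is not INF, "B' is the point at infinity")
    K_c = H(idC, idS, A, B, mul(a, B2), k3, mul(v, B2))
    verifierC = H(K_c, b'verifyCModifier')                            # C->S: A, verifierC
    need(on_curve(A), 'bad A')
    A2 = sub(A, rec['BlindC'])                                        # S: A' = A - BlindC
    need(A2 is not INF, "A' is the point at infinity")
    K_s = H(idC, idS, A, B, mul(b, A2), rec['k3'], mul(b, rec['V']))
    need(hmac.compare_digest(verifierC, H(K_s, b'verifyCModifier')), 'verifierC mismatch')
    verifierS = H(K_s, b'verifySModifier')                            # C<-S: verifierS
    need(hmac.compare_digest(verifierS, H(K_c, b'verifySModifier')), 'verifierS mismatch')
    return K_c, K_s

def login_ok(db, password, idC, idS):  # True only when the run completes with matching keys
    try:
        K_c, K_s = bspake(db, password, idC, idS)
        return K_c == K_s
    except ValueError:
        return False
```

A wrong password changes hashToPoint(H(password, idC, idS)), so the unblinded BlindSalt, the pwKdf output and hence k3 and v all differ, and the server's check of verifierC fails before it reveals anything. The same structure means an attacker who steals the server's record gets BlindC, BlindS, k3 and V but not v, which the client side needs for v * B'. The affine arithmetic and double-and-add here are not constant time and exist only to make the message flow visible; a deployment would use a proper curve library.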