Sc00bz · September 21, 2024 21:22
diff --git a/srp6b.txt b/srp6b.txt
 SRP is deprecated.

 Use BS-SPEKE defined on multiplicative groups:
 https://gist.github.com/Sc00bz/ec1f5fcfd18533bf0d6bf31d1211d4b4

 Or better BS-SPEKE defined on ECC:
 https://gist.github.com/Sc00bz/e99e48a6008eef10a59d5ec7b4d87af3

 --------

 SRP6b is SRP6a with blind salt (OPRF) which is arguably better than OPAQUE.
 Consider using BS-SPEKE or (strong) AuCPace instead of this. As those have
 quantum annoyance.

 Costs per step
 C: E   EE^^^**
 S:  ^^*       ^^*

 E: Full size exponential
 ^: Exponential
 *: Multiplication

 Properties
 Forward secrecy:    Yes
 Not fragile:        Yes
 Quantum annoying:   No
 No pre-computation: Yes

 Both have:
      idS = server identity
      N = safe prime
      g = generator
      k = H(N, g)
 Client has:
      idC = client identity
 Server has these for "idC":
      salt
      settings
      v = g ^ pwKdf(password, BlindSalt, idC, idS, settings) (mod N)

 C:    r = randomRange(1, (N-3)/2)
 C:    R = H(password, idC, idS) ^ (2 * r) (mod N)
 C->S: idC, R
   S: b = random()
   S: B = g ^ b + k * v (mod N)
   S: R' = R ^ H(salt) (mod N)
 C<-S: B, R', settings
 C:    1/r = r ^ ((N-5)/2) (mod (N-1)/2)
 C:    BlindSalt = R' ^ (1/r) (mod N)
 C:    x = pwKdf(password, BlindSalt, idC, idS, settings)
 C:    a = random()
 C:    A = g ^ a (mod N)
 C:    u = H(A, B)
 C:    K_c = H((B - k * g ^ x) ^ (a + u * x) (mod N))
 C:    verifierC = H(K_c, verifyCModifier)
 C->S: A, verifierC[, encryptedDataC]
   S: u = H(A, B)
   S: K_s = H((A * v ^ u) ^ b (mod N))
   S: Checks verifierC == H(K_s, verifyCModifier)
   S: verifierS = H(K_s, verifySModifier)
 C<-S: verifierS[, encryptedDataS]
 C:    Checks verifierS == H(K_c, verifySModifier)

 On success K_c == K_s, thus derived verifiers and encryption keys are the same.

 Do all the same checks for SRP6a.

 Note "R ^ H(salt) (mod N)" vs "R ^ salt (mod N)", this is so you don't need to
 store a large salt. A salt of just 128 to 256 bits is fine once expanded to the
 required length.
	SRP is deprecated.

	Use BS-SPEKE defined on multiplicative groups:
	https://gist.github.com/Sc00bz/ec1f5fcfd18533bf0d6bf31d1211d4b4

	Or better BS-SPEKE defined on ECC:
	https://gist.github.com/Sc00bz/e99e48a6008eef10a59d5ec7b4d87af3

	--------

	SRP6b is SRP6a with blind salt (OPRF) which is arguably better than OPAQUE.
	Consider using BS-SPEKE or (strong) AuCPace instead of this. As those have
	quantum annoyance.

	Costs per step
	C: E EE^^^**
	S: ^^* ^^*

	E: Full size exponential
	^: Exponential
	*: Multiplication

	Properties
	Forward secrecy: Yes
	Not fragile: Yes
	Quantum annoying: No
	No pre-computation: Yes

	Both have:
	idS = server identity
	N = safe prime
	g = generator
	k = H(N, g)
	Client has:
	idC = client identity
	Server has these for "idC":
	salt
	settings
	v = g ^ pwKdf(password, BlindSalt, idC, idS, settings) (mod N)

	C: r = randomRange(1, (N-3)/2)
	C: R = H(password, idC, idS) ^ (2 * r) (mod N)
	C->S: idC, R
	S: b = random()
	S: B = g ^ b + k * v (mod N)
	S: R' = R ^ H(salt) (mod N)
	C<-S: B, R', settings
	C: 1/r = r ^ ((N-5)/2) (mod (N-1)/2)
	C: BlindSalt = R' ^ (1/r) (mod N)
	C: x = pwKdf(password, BlindSalt, idC, idS, settings)
	C: a = random()
	C: A = g ^ a (mod N)
	C: u = H(A, B)
	C: K_c = H((B - k * g ^ x) ^ (a + u * x) (mod N))
	C: verifierC = H(K_c, verifyCModifier)
	C->S: A, verifierC[, encryptedDataC]
	S: u = H(A, B)
	S: K_s = H((A * v ^ u) ^ b (mod N))
	S: Checks verifierC == H(K_s, verifyCModifier)
	S: verifierS = H(K_s, verifySModifier)
	C<-S: verifierS[, encryptedDataS]
	C: Checks verifierS == H(K_c, verifySModifier)

	On success K_c == K_s, thus derived verifiers and encryption keys are the same.

	Do all the same checks for SRP6a.

	Note "R ^ H(salt) (mod N)" vs "R ^ salt (mod N)", this is so you don't need to
	store a large salt. A salt of just 128 to 256 bits is fine once expanded to the
	required length.