Steve Thomas Sc00bz

PAKE API

Goal

The goal of this API is to make it easy to use and misuse resistant. The bulk of the code using this API can be reused. With the only difference being the start() call and getting the server secret at the end when registering. When registering, the server passes a null/empty secret to start() since it doesn't have one yet. Also start() might not return a message. This is fine. It just means the other party sends the first message.

Pseudocode API

PAKE_USER_CLIENT
PAKE_USER_SERVER
PAKE_USER_A

	TL;DR The best PAKE in this list is SPAKE2+EE with blind salt and client verifies first. Also don't
	use standard clamping with Ed25519. For the 32 byte scalars, clear the highest bit and lowest 3 bits
	then check for zero.


	Number of DLPs to solve to do offline guessing of N passwords

	\| SRP6a \| "SRP6b" \| OPAQUE \| SPAKE2+ \| SPAKE2+EE
	------------------------------+-------+---------+--------+---------+-----------
	Client, client verifies first \| - \| - \| 1 \| - \| -

	BSPAKE

	For an explicit description with all optional features and implementation ways
	explicitly pointed out see:
	https://gist.github.com/Sc00bz/ef0951ab98e8e1bac4810f65a42eab1a

	Both have:
	G = generator
	idS = server identity
	Client has:

	BSPAKE

	For an easier read that glosses over a few details see:
	https://gist.github.com/Sc00bz/09b5836923ad986921b905723b0d0c02

	Both have:
	G = generator
	idS = server identity
	H() is a KDF or hash that serializes the inputs and outputs enough bits.
	hashToPoint() is either Elligator or SWU depending on curve.

	BS-SPEKE

	BS-SPEKE is a modified B-SPEKE with blind salt (OPRF). Modified B-SPEKE is a
	similar change from SPEKE as from SPAKE2 to SPAKE2+ to make it augmented. Doing
	this saves a scalar point multiply vs original B-SPEKE with blind salt. BS-SPEKE
	is the best augmented PAKE that I know of. Only problem is there are no proofs,
	but it's not hard to take the SPEKE proof, add the OPAQUE proof for OPRF, and
	it's obvious that the augmented change makes it augmented. So if anyone knows
	how to formally state that in a proof, that would be awesome to have. BS-SPEKE
	defined on multiplicative groups can be found here:

	Awhile ago I found this pointless optimization for Ed25519 because it only saves a few
	multiples. Also it doesn't help much unless you're on a 32bit or 8bit processor then it
	kinda helps, but since you do 4x more doubles than adds it really isn't noticeable. Also
	you can precalculate T(2-121665/121666) so it only helps on the initial 3 adds when
	building 1P, 2P, 3P, ... 8P. If you store 60833(Y-X), 60833(Y+X), 121666Z, 121665T
	then it's a little less work than storing Y-X, Y+X, 2Z, kT. Well this really only helps
	if you are on an embedded processor and don't have the RAM to build the 1P, 2P, 3*P, ...
	8*P lookup table. So it's not completely pointless.

	This is from the Explicit-Formulas Database with d = -121665/121666

	CPace

	CPace is the best balanced PAKE that I know of. CPace defined on multiplicative
	groups can be found here:
	https://gist.github.com/Sc00bz/1375a5dc7d1e8a1ffdfb789d3f4c6593

	Costs per step
	A: - fH**[ii]
	B: Hi fi

	AuCPace

	AuCPace with blind salt (OPRF) is the best augmented PAKE that I know of that
	comes with a proof.

	Costs per step
	C: Hi fffIiiH*[ii]
	S: fiH*[iii] fi

	*: Scalar point multiply

	SRP is deprecated.

	Use BS-SPEKE defined on multiplicative groups:
	https://gist.github.com/Sc00bz/ec1f5fcfd18533bf0d6bf31d1211d4b4

	Or better BS-SPEKE defined on ECC:
	https://gist.github.com/Sc00bz/e99e48a6008eef10a59d5ec7b4d87af3

	--------

	CPace (defined on multiplicative groups)

	CPace is the best balanced PAKE that I know of. CPace defined on ECC can be
	found here:
	https://gist.github.com/Sc00bz/545eb39a369b67242634bd9c3302627c

	Costs per step
	A: - *^^
	B: *^ ^