Skip to content

Instantly share code, notes, and snippets.

Sc00bz / aucpace.txt
Created Feb 2, 2020
AuCPace is an augmented PAKE
View aucpace.txt
AuCPace with blind salt (OPRF) is the best augmented PAKE that I know of that
comes with a proof.
Costs per step
C: H*i fffI*i*iH**[ii]
S: f*iH***[iii] f*i
*: Scalar point multiply
Sc00bz / cpace.txt
Created Jan 21, 2020
CPace is a balanced PAKE
View cpace.txt
CPace is the best balanced PAKE that I know of.
Costs per step
A: - fH**[ii]
B: H*i f*i
-: Negligible work
*: Scalar point multiply
Sc00bz / Ed25519-optimization.txt
Last active Dec 24, 2019
Ed25519 optimization that really only helps with embedded processors
View Ed25519-optimization.txt
Awhile ago I found this pointless optimization for Ed25519 because it only saves a few
multiples. Also it doesn't help much unless you're on a 32bit or 8bit processor then it
kinda helps, but since you do 4x more doubles than adds it really isn't noticeable. Also
you can precalculate T*(2*-121665/121666) so it only helps on the initial 3 adds when
building 1*P, 2*P, 3*P, ... 8*P. If you store 60833*(Y-X), 60833*(Y+X), 121666*Z, 121665*T
then it's a little less work than storing Y-X, Y+X, 2*Z, k*T. Well this really only helps
if you are on an embedded processor and don't have the RAM to build the 1*P, 2*P, 3*P, ...
8*P lookup table. So it's not completely pointless.
This is from the Explicit-Formulas Database with d = -121665/121666
Sc00bz / bs-speke.txt
Last active Jan 21, 2020
BS-SPEKE is an augmented PAKE
View bs-speke.txt
BS-SPEKE is a modified B-SPEKE with blind salt (OPRF). Modified B-SPEKE is a
similar change from SPEKE as from SPAKE2 to SPAKE2+ to make it augmented. Doing
this saves a scalar point multiply vs original B-SPEKE with blind salt. BS-SPEKE
is the best augmented PAKE that I know of. Only problem is there are no proofs,
but it's not hard to take the SPEKE proof, add the OPAQUE proof for OPRF, and
it's obvious that the augmented change makes it augmented. So if anyone knows
how to formally state that in a proof, that would be awesome to have.
Sc00bz / bspake-explicit.txt
Last active Aug 5, 2019
Description of BSPAKE with all optional features and implementation ways explicitly pointed out
View bspake-explicit.txt
For an easier read that glosses over a few details see:
Both have:
G = generator
idS = server identity
H() is a KDF or hash that serializes the inputs and outputs enough bits.
hashToPoint() is either Elligator or SWU depending on curve.
Sc00bz / bspake-easy.txt
Last active Aug 5, 2019
Description of BSPAKE that glosses over a few details
View bspake-easy.txt
For an explicit description with all optional features and implementation ways
explicitly pointed out see:
Both have:
G = generator
idS = server identity
Client has:



The goal of this API is to make it easy to use and misuse resistant. The bulk of the code using this API can be reused. With the only difference being the start() call and getting the server secret at the end when registering. When registering, the server passes a null/empty secret to start() since it doesn't have one yet. Also start() might not return a message. This is fine. It just means the other party sends the first message.

Pseudocode API

Sc00bz / pake.txt
Created Jan 10, 2019
Quantum Resistance in PAKEs
View pake.txt
TL;DR The best PAKE in this list is SPAKE2+EE with blind salt and client verifies first. Also don't
use standard clamping with Ed25519. For the 32 byte scalars, clear the highest bit and lowest 3 bits
then check for zero.
Number of DLPs to solve to do offline guessing of N passwords
| SRP6a | "SRP6b" | OPAQUE | SPAKE2+ | SPAKE2+EE
Client, client verifies first | - | - | 1 | - | -