Skip to content

Instantly share code, notes, and snippets.

Steve Thomas Sc00bz

Block or report user

Report or block Sc00bz

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@Sc00bz
Sc00bz / bspake-explicit.txt
Last active Aug 5, 2019
Description of BSPAKE with all optional features and implementation ways explicitly pointed out
View bspake-explicit.txt
BSPAKE
For an easier read that glosses over a few details see:
https://gist.github.com/Sc00bz/09b5836923ad986921b905723b0d0c02
Both have:
G = generator
idS = server identity
H() is a KDF or hash that serializes the inputs and outputs enough bits.
hashToPoint() is either Elligator or SWU depending on curve.
@Sc00bz
Sc00bz / bspake-easy.txt
Last active Aug 5, 2019
Description of BSPAKE that glosses over a few details
View bspake-easy.txt
BSPAKE
For an explicit description with all optional features and implementation ways
explicitly pointed out see:
https://gist.github.com/Sc00bz/ef0951ab98e8e1bac4810f65a42eab1a
Both have:
G = generator
idS = server identity
Client has:
View pake-api.md

PAKE API

Goal

The goal of this API is to make it easy to use and misuse resistant. The bulk of the code using this API can be reused. With the only difference being the start() call and getting the server secret at the end when registering. When registering, the server passes a null/empty secret to start() since it doesn't have one yet. Also start() might not return a message. This is fine. It just means the other party sends the first message.

Pseudocode API

PAKE_USER_CLIENT
PAKE_USER_SERVER
PAKE_USER_A
@Sc00bz
Sc00bz / pake.txt
Created Jan 10, 2019
Quantum Resistance in PAKEs
View pake.txt
TL;DR The best PAKE in this list is SPAKE2+EE with blind salt and client verifies first. Also don't
use standard clamping with Ed25519. For the 32 byte scalars, clear the highest bit and lowest 3 bits
then check for zero.
Number of DLPs to solve to do offline guessing of N passwords
| SRP6a | "SRP6b" | OPAQUE | SPAKE2+ | SPAKE2+EE
------------------------------+-------+---------+--------+---------+-----------
Client, client verifies first | - | - | 1 | - | -
You can’t perform that action at this time.