Skip to content

Instantly share code, notes, and snippets.

@Sc00bz
Sc00bz / bspake-easy.txt
Last active August 5, 2019 14:41
Description of BSPAKE that glosses over a few details
BSPAKE
For an explicit description with all optional features and implementation ways
explicitly pointed out see:
https://gist.github.com/Sc00bz/ef0951ab98e8e1bac4810f65a42eab1a
Both have:
G = generator
idS = server identity
Client has:
@Sc00bz
Sc00bz / bspake-explicit.txt
Last active August 5, 2019 14:41
Description of BSPAKE with all optional features and implementation ways explicitly pointed out
BSPAKE
For an easier read that glosses over a few details see:
https://gist.github.com/Sc00bz/09b5836923ad986921b905723b0d0c02
Both have:
G = generator
idS = server identity
H() is a KDF or hash that serializes the inputs and outputs enough bits.
hashToPoint() is either Elligator or SWU depending on curve.
@Sc00bz
Sc00bz / Ed25519-optimization.txt
Last active December 24, 2019 15:42
Ed25519 optimization that really only helps with embedded processors
Awhile ago I found this pointless optimization for Ed25519 because it only saves a few
multiples. Also it doesn't help much unless you're on a 32bit or 8bit processor then it
kinda helps, but since you do 4x more doubles than adds it really isn't noticeable. Also
you can precalculate T*(2*-121665/121666) so it only helps on the initial 3 adds when
building 1*P, 2*P, 3*P, ... 8*P. If you store 60833*(Y-X), 60833*(Y+X), 121666*Z, 121665*T
then it's a little less work than storing Y-X, Y+X, 2*Z, k*T. Well this really only helps
if you are on an embedded processor and don't have the RAM to build the 1*P, 2*P, 3*P, ...
8*P lookup table. So it's not completely pointless.
This is from the Explicit-Formulas Database with d = -121665/121666
@Sc00bz
Sc00bz / aucpace.txt
Created February 2, 2020 19:42
AuCPace is an augmented PAKE
AuCPace
AuCPace with blind salt (OPRF) is the best augmented PAKE that I know of that
comes with a proof.
Costs per step
C: H*i fffI*i*iH**[ii]
S: f*iH***[iii] f*i
*: Scalar point multiply
@Sc00bz
Sc00bz / pake.txt
Created January 10, 2019 01:06
Quantum Resistance in PAKEs
TL;DR The best PAKE in this list is SPAKE2+EE with blind salt and client verifies first. Also don't
use standard clamping with Ed25519. For the 32 byte scalars, clear the highest bit and lowest 3 bits
then check for zero.
Number of DLPs to solve to do offline guessing of N passwords
| SRP6a | "SRP6b" | OPAQUE | SPAKE2+ | SPAKE2+EE
------------------------------+-------+---------+--------+---------+-----------
Client, client verifies first | - | - | 1 | - | -
@Sc00bz
Sc00bz / cpace.txt
Last active October 8, 2021 17:20
CPace is a balanced PAKE
CPace
CPace is the best balanced PAKE that I know of. CPace defined on multiplicative
groups can be found here:
https://gist.github.com/Sc00bz/1375a5dc7d1e8a1ffdfb789d3f4c6593
Costs per step
A: - fH**[ii]
B: H*i f*i
@Sc00bz
Sc00bz / srp6b.txt
Last active October 8, 2021 18:31
SRP6b is an augmented PAKE
SRP is deprecated.
Use BS-SPEKE defined on multiplicative groups:
https://gist.github.com/Sc00bz/ec1f5fcfd18533bf0d6bf31d1211d4b4
Or better BS-SPEKE defined on ECC:
https://gist.github.com/Sc00bz/e99e48a6008eef10a59d5ec7b4d87af3
--------
@Sc00bz
Sc00bz / collision.php
Created March 17, 2022 16:09
HMAC-SHA1 Collision
<?php
// Collision taken from https://shattered.io/
// Outputs:
// HMAC-SHA1(key, msg1): 9b4dee1a35fc03786f1162989d1e441ba0e69f4d
// HMAC-SHA1(key, msg2): 9b4dee1a35fc03786f1162989d1e441ba0e69f4d
//
// HMAC-SHA256(key, msg1): e98a27bd93001cda9810b93c2191f5099817bb31f5445bc12cafd27a78cb4506
// HMAC-SHA256(key, msg2): 97aa871b175a99417f7f1c44ac2793730821caf7da697ff374c60f595ef5173a
@Sc00bz
Sc00bz / broken.py
Created April 9, 2022 04:42
Broken Python: bytearray(), Process(), and Queue() don't like each other
# Prints "done" 4 times then doesn't exit ~50% of the time.
from multiprocessing import Process, Queue
def f(q):
while 1:
try:
data = q.get(False)
except:
break
@Sc00bz
Sc00bz / bs-speke.txt
Last active August 10, 2022 16:20
BS-SPEKE is an augmented PAKE
BS-SPEKE
BS-SPEKE is a modified B-SPEKE with blind salt (OPRF). Modified B-SPEKE is a
similar change from SPEKE as from SPAKE2 to SPAKE2+ to make it augmented. Doing
this saves a scalar point multiply vs original B-SPEKE with blind salt. BS-SPEKE
is the best augmented PAKE that I know of. Only problem is there are no proofs,
but it's not hard to take the SPEKE proof, add the OPAQUE proof for OPRF, and
it's obvious that the augmented change makes it augmented. So if anyone knows
how to formally state that in a proof, that would be awesome to have. BS-SPEKE
defined on multiplicative groups can be found here: