implement SPAKE2+ (augmented PAKE) #4
Description
I've started work on this in the "pake2+" branch. The algorithm is defined in the last section of "The Twin Diffie-Hellman Problem and Applications" (Cash, Kiltz, Shoup), available at http://www.research.rutgers.edu/~dc789/dh.pdf :
- password (maybe after stretching) is split into two pieces,
pw0andpw1 - setup: server stores
pw0andL=B*pw1 - client: pick random scalar
x, send elementX=B*x + U*pw0 - server: pick random scalar
y, send elementY=B*y + V*pw0 - server: compute element
Z=(X-U*pw0)*y - server: compute element
N=L*y - server: compute shared key as
hash(pw0, X, Y, Z, N) - client: compute element
Z=(Y-V*pw0)*x - client: compute element
N=(Y-V*pw0)*pw1 - client: compute shared key as
hash(pw0, X, Y, Z, N)
A server compromise doesn't immediately reveal a password-equivalent, because the server stores B*pw1 instead of pw1, so the attacker must first run an offline dictionary attack to reverse the scalarmult.
Relative to (symmetric) SPAKE2, this just adds the N term and server-side storage for L.