#StackBounty: #key-exchange #password-based-encryption #srp Is there any SRP-like key exchange only using "standard" cryptogr…

Bounty: 200

I am looking into PAKEs (password-authenticated key exchanges), and it seems like SRP (Secure Remote Password) is essentially the de-facto standard.

However, implementing SRP actually requires doing modular arithmetic, and is similar to, say, implementing Diffie-Hellman. That is, you’d have to have constant-time exponentiation algorithms, a fast bignum library, and getting one of any of these subtly wrong and you might have a terrible side-channel attack.

And unlike algorithms like AES or Curve25519, there aren’t many crypto libraries that contain a primitive for SRP, so “rolling your own” is often unavoidable anyway.

Are there any PAKEs that instead of using “custom” mathematics like SRP, simply is implemented in terms of more standard primitives, such as “any secure cryptographic hash”, “any secure Diffie-Hellman-like exchange”, “any secure signature scheme”? It would be a lot more obvious that it’s secure – SRP isn’t obviously secure at first glance unless you actually follow the reduction to the discrete log problem – and a lot easier to securely implement providing you have secure implementations of the primitives.

For example, I could think of a weak PAKE, where you simply do a Diffie-Hellman key exchange, but both parties attach a MAC to the ephemeral public keys derived from the password. This is obviously secure if the password is strong, but unlike SRP an attacker gains enough information for an offline brute-force attack, and the server has to store the password in plaintext.

I’m looking for whether there are PAKEs similar to SRP in strength that are as easy as the above weak scheme to intuitively understand and implement in terms of other primitives.


Get this bounty!!!

Leave a Reply