I've started work on this in the "pake2+" branch. The algorithm is defined in the last section of "The Twin Diffie-Hellman Problem and Applications" (Cash, Kiltz, Shoup), available at http://www.research.rutgers.edu/~dc789/dh.pdf :
- password (maybe after stretching) is split into two pieces,
pw0 and pw1
- setup: server stores
pw0 and L=B*pw1
- client: pick random scalar
x, send element X = B*x + U*pw0
- server: pick random scalar
y, send element Y = B*y + V*pw0
- server: compute element
Z = (X-U*pw0)*y
- server: compute element
N = L*y
- server: compute shared key as
hash(pw0, X, Y, Z, N)
- client: compute element
Z = (Y-V*pw0)*x
- client: compute element
N = (Y-V*pw0)*pw1
- client: compute shared key as
hash(pw0, X, Y, Z, N)
A server compromise doesn't immediately reveal a password-equivalent, because the server stores B*pw1 instead of pw1, so the attacker must first run an offline dictionary attack to reverse the scalarmult.
Relative to (symmetric) SPAKE2, this just adds the N term and server-side storage for L.
I've started work on this in the "pake2+" branch. The algorithm is defined in the last section of "The Twin Diffie-Hellman Problem and Applications" (Cash, Kiltz, Shoup), available at http://www.research.rutgers.edu/~dc789/dh.pdf :
pw0andpw1pw0andL=B*pw1x, send elementX=B*x + U*pw0y, send elementY=B*y + V*pw0Z=(X-U*pw0)*yN=L*yhash(pw0, X, Y, Z, N)Z=(Y-V*pw0)*xN=(Y-V*pw0)*pw1hash(pw0, X, Y, Z, N)A server compromise doesn't immediately reveal a password-equivalent, because the server stores
B*pw1instead ofpw1, so the attacker must first run an offline dictionary attack to reverse the scalarmult.Relative to (symmetric) SPAKE2, this just adds the
Nterm and server-side storage forL.