> the result was something like checking which subgroup a point was in leaking log2(cofactor) bits about the secret. The normal way of avoiding this by multiplying all your values by the cofactor isn't readily available when you're doing some ugly trick of constructing points with no known discrete log from a hash.
Ah, a partition attack. Could you fix this with more ugly by just iterating the hashing/munging process until your commitment was in a predetermined subgroup? I'm not at all familiar with EC subgroup theory, but the EC-SRP scheme proposed already does some deterministic munging to select the y-coordinate. Of course, even if you can do this, you're open to another timing side-channel.
I don't see what the problem is, exactly. If you have a secure hash function taking some string into a point of elliptic curve E, multiplying said point by the cofactor is also a secure hash function into the relevant subgroup of E. See §6.1 of [1].
Neat. It's also pointed out in Icarts paper[0] that the naive 'try and increment' algorithm, which I believe is utilised in Yongge Wangs draft EC-SRP proposal I linked up above, is vulnerable to timing attacks. Oops
Interestingly, both Dragonfly and TLS-SRP describe a 'Hunting and Pecking' algorithm to paper over this problem. Perhaps Icarts solution would be more elegant
Hunting-and-pecking is essentially the same algorithm as try-and-increment, where instead of incrementing an x-coordinate on failure one picks another x (pseudo-)randomly. Therefore both are susceptible to the same kind of timing attacks. Dragonfly went to some pains to try to make the process side-channel-free, but it looks ugly as sin, and it's still unclear whether it is actually secure (cf [1]).
Thanks for that. The tone of Dan Harkins reply is fun. There's clearly a lot of ego in crypto ;) Not sure I see the point in balanced PAKE myself. If you turn weak passwords in to preshared keys then why not just use strong preshared keys to begin with and trust in the bits? Worrying about parameter binding to the verifier seems irrelevant to EC as well.
I'm probably not the best person to argue in favor of one flavor or another of PAKE, but balanced schemes give you forward security whereas a naive preshared-key scheme does not.
> If you have a secure hash function taking some string into a point of elliptic curve E, multiplying said point by the cofactor is also a secure hash function into the relevant subgroup of E.
Fair enough. Though this requires an additional multiplication (at least it's a cheap one). I'm pretty sure some protocols have missed this.
Ah, a partition attack. Could you fix this with more ugly by just iterating the hashing/munging process until your commitment was in a predetermined subgroup? I'm not at all familiar with EC subgroup theory, but the EC-SRP scheme proposed already does some deterministic munging to select the y-coordinate. Of course, even if you can do this, you're open to another timing side-channel.