_shared_keys_and_validators() does:
k0 = H(cId, sId, X, Y, Z, V)
When it should do:
k0 = H(cId, sId, X, Y, Z, k3, V)
Where k3 is from _create_keys():
h_M, h_N, k3, h_L = crypto_pwhash(...)
This is because SPAKE2-EE is h_M, h_N, k3 = crypto_pwhash(...) and k0 = H(cId, sId, X, Y, Z, k3). The h_L is added for the aPAKE version and not replaces k3. I forget what k3 is called in the paper or where ever. Now that I think about it, it was probably k2 because SPAKE2 is k1, k2 = crypto_pwhash(...) with blinding points k1*M and k1*N.
I feel like I mentioned this before, but I couldn't find it. X doesn't have a length, but this doesn't really matter because X, Y, Z, V, and soon k3 are fixed length:
jedisct1
commented
5 years ago
_shared_keys_and_validators()does:k0 = H(cId, sId, X, Y, Z, V)When it should do:
k0 = H(cId, sId, X, Y, Z, k3, V)Where
k3is from_create_keys():h_M, h_N, k3, h_L = crypto_pwhash(...)This is because SPAKE2-EE is
h_M, h_N, k3 = crypto_pwhash(...)andk0 = H(cId, sId, X, Y, Z, k3). Theh_Lis added for the aPAKE version and not replacesk3. I forget whatk3is called in the paper or where ever. Now that I think about it, it was probablyk2because SPAKE2 isk1, k2 = crypto_pwhash(...)with blinding pointsk1*Mandk1*N.I feel like I mentioned this before, but I couldn't find it.
Xdoesn't have a length, but this doesn't really matter becauseX,Y,Z,V, and soonk3are fixed length:https://github.com/jedisct1/spake2-ee/blob/d0665cb26ceb762f2e35185e8c9b4b9e4b1a507b/src/crypto_spake.c#L85-L94