_shared_keys_and_validators() does:
k0 = H(cId, sId, X, Y, Z, V)
When it should do:
k0 = H(cId, sId, X, Y, Z, k3, V)
Where k3 is from _create_keys():
h_M, h_N, k3, h_L = crypto_pwhash(...)
This is because SPAKE2-EE is h_M, h_N, k3 = crypto_pwhash(...) and k0 = H(cId, sId, X, Y, Z, k3). The h_L is added for the aPAKE version and does not replace k3. I forget what k3 is called in the paper or wherever. Now that I think about it, it was probably k2 because SPAKE2 is k1, k2 = crypto_pwhash(...) with blinding points k1*M and k1*N.
I feel like I mentioned this before, but I couldn't find it. X doesn't have a length, but this doesn't really matter because X, Y, Z, V, and soon k3 are fixed length:
https://github.com/jedisct1/spake2-ee/blob/d0665cb26ceb762f2e35185e8c9b4b9e4b1a507b/src/crypto_spake.c#L85-L94
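
An added example, not code from this issue or from the spake2-ee project: a sketch of the corrected derivation k0 = H(cId, sId, X, Y, Z, k3, V), showing that k0 is bound to k3 and why only the variable-length identities need a length prefix. BLAKE2b as H, the 32-byte field size, the 8-byte length encoding and all function names are assumptions made for the illustration.

```python
import hashlib
import struct

FIELD_LEN = 32  # assumed size of X, Y, Z, k3 and V in this sketch


def lp(data: bytes) -> bytes:
    """Length-prefix a variable-length field (8-byte little-endian length)."""
    return struct.pack("<Q", len(data)) + data


def transcript_key(c_id, s_id, X, Y, Z, k3, V):
    """k0 = H(cId, sId, X, Y, Z, k3, V), with BLAKE2b standing in for H.

    cId and sId vary in length, so each is length-prefixed. The other
    fields are checked to be fixed length and appended without a prefix.
    """
    fixed = (X, Y, Z, k3, V)
    if any(len(f) != FIELD_LEN for f in fixed):
        raise ValueError("fixed-length field has the wrong size")
    h = hashlib.blake2b(digest_size=32)
    h.update(lp(c_id))
    h.update(lp(s_id))
    for f in fixed:
        h.update(f)
    return h.digest()


def naive_key(c_id, s_id, X, Y, Z, k3, V):
    """Same inputs concatenated with no length prefixes, for comparison."""
    data = c_id + s_id + X + Y + Z + k3 + V
    return hashlib.blake2b(data, digest_size=32).digest()


def demo():
    # Constructed sample values, not real protocol output.
    X, Y, Z, V = (bytes([i]) * FIELD_LEN for i in (1, 2, 3, 4))
    k3_a, k3_b = b"\xaa" * FIELD_LEN, b"\xbb" * FIELD_LEN
    return {
        # A different k3 must give a different k0.
        "k3_bound": transcript_key(b"alice", b"server", X, Y, Z, k3_a, V)
        != transcript_key(b"alice", b"server", X, Y, Z, k3_b, V),
        # Without prefixes, ("alice", "server") and ("alices", "erver") collide.
        "naive_collides": naive_key(b"alice", b"server", X, Y, Z, k3_a, V)
        == naive_key(b"alices", b"erver", X, Y, Z, k3_a, V),
        # With prefixes on the identities, the same pair is distinguished.
        "prefixed_distinct": transcript_key(b"alice", b"server", X, Y, Z, k3_a, V)
        != transcript_key(b"alices", b"erver", X, Y, Z, k3_a, V),
    }
```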