Password keys 1 and 2 are the same

[Sc00bz]

self.pw and self.pw_scalar are the "same". They need to be cryptographically different and not dependent on the other:

self.pw_scalar = params.group.password_to_scalar(hkdf(pw, "pw1"))
self.pw = hkdf(pw, "pw2")

This is especially true for the client-server augmentation of SPAKE2, PAKE2+.

self.pw_scalar = params.group.password_to_scalar(hkdf(pw, "pw1"))
self.pw = hkdf(pw, "pw2")
self.pw3 = params.group.password_to_scalar(hkdf(pw, "pw3"))

[warner]

Hey, thanks for checking out my library. I don't think I understand what you mean, though.. what sort of attack is possible if the (blinded-then-unblinded) pw_scalar is related to the pw bytestring that gets hashed into the final transcript? In the Abdalla+Pointcheval paper, as far as I can tell, the password is used as both a scalar and a hash input, without any sort of KDF in between them. And in the PAKE2+ protocol (for which I'm looking at something Dan Boneh sent me a few years ago), the password is first split (by hashing) into two separate pieces, the first piece is used exactly as in (S)PAKE2 (both as a scalar and a hash input), and the second piece is only used as a scalar.

What am I missing?

[Sc00bz]

Yeah I'm wrong. I guess I read the paper wrong or something: bitwiseshiftleft/sjcl#273 (comment)