In the TLS meeting on Tuesday, Kenny asked about the analysis of OPAQUE in the context of TLS. One important property of OPAQUE is that its design and analysis is modular. It applies to the composition of *any* OPRF with *any* (KCI-secure) key exchange. This is why we can integrate OPAQUE with different KE protocols including TLS 1.3 and get a combined proof of security. Of course, these high level analyses do not take into account all the details in a complex protocol like TLS 1.3 so any more specific analysis, including those using automated tools (Tamarin, Everest, etc) would be more than welcome. However, if there is interest in defining an asymmetric PAKE for TLS to replace old designs such as SRP then we can start moving towards that goal with the draft Nick presented. This will also motivate more analysts (including those based on tools like the above) to look into this question more seriously.
Hugo
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
