
implement SPAKE2+ (augmented PAKE)

Open · warner opened this issue 8 years ago · 1 comment

I've started work on this in the "pake2+" branch. The algorithm is defined in the last section of "The Twin Diffie-Hellman Problem and Applications" (Cash, Kiltz, Shoup), available at http://www.research.rutgers.edu/~dc789/dh.pdf :

  • password (maybe after stretching) is split into two pieces, pw0 and pw1
  • setup: server stores pw0 and L=B*pw1
  • client: pick random scalar x, send element X = B*x + U*pw0
  • server: pick random scalar y, send element Y = B*y + V*pw0
  • server: compute element Z = (X-U*pw0)*y
  • server: compute element N = L*y
  • server: compute shared key as hash(pw0, X, Y, Z, N)
  • client: compute element Z = (Y-V*pw0)*x
  • client: compute element N = (Y-V*pw0)*pw1
  • client: compute shared key as hash(pw0, X, Y, Z, N)

A server compromise doesn't immediately reveal a password-equivalent, because the server stores B*pw1 instead of pw1, so the attacker must first run an offline dictionary attack to reverse the scalarmult.

Relative to (symmetric) SPAKE2, this just adds the N term and server-side storage for L.

warner · Jan 16 '16 20:01
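The steps listed in the issue, carried through end to end as an added example (not code from python-spake2 or its "pake2+" branch): a prime-order subgroup of Z_p^* stands in for the curve group, so the additive notation above (B*x, X + U*pw0) becomes multiplicative (B^x, X * U^pw0). The modulus is the 1024-bit MODP safe prime from RFC 2409 (Oakley group 2); the derivation of U, V and of pw0/pw1 via plain hashing is a constructed stand-in for fixed constants and a real stretching KDF.

```python
import hashlib
import secrets

# Safe prime p (RFC 2409 group 2), so q = (p-1)/2 is prime and B = 2^2
# generates the order-q subgroup.  Assumed toy parameters for this demo.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
B = 4

def hash_to_element(label):
    # U and V must have no known discrete log to B; squaring a hash output
    # lands in the order-q subgroup (constructed here, not a standard value).
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)

U = hash_to_element(b"SPAKE2+ U")
V = hash_to_element(b"SPAKE2+ V")

def split_password(password):
    # pw0, pw1: two scalars from the password (sha512 stands in for stretching).
    d = hashlib.sha512(password.encode()).digest()
    return (1 + int.from_bytes(d[:32], "big") % (Q - 1),
            1 + int.from_bytes(d[32:], "big") % (Q - 1))

def enroll(password):
    # Server setup: it stores pw0 and L = B^pw1, never pw1 itself.
    pw0, pw1 = split_password(password)
    return pw0, pow(B, pw1, P)

def derive_key(pw0, X, Y, Z, N):
    # shared key = hash(pw0, X, Y, Z, N), each value fixed-width encoded
    return hashlib.sha256(b"".join(v.to_bytes(128, "big")
                                   for v in (pw0, X, Y, Z, N))).hexdigest()

def run_exchange(enrolled_password, client_password=None):
    # Runs both sides; returns (server_key, client_key), equal iff passwords match.
    pw0_s, L = enroll(enrolled_password)
    pw0_c, pw1_c = split_password(client_password or enrolled_password)
    x = secrets.randbelow(Q - 1) + 1            # client: X = B^x * U^pw0
    X = pow(B, x, P) * pow(U, pw0_c, P) % P
    y = secrets.randbelow(Q - 1) + 1            # server: Y = B^y * V^pw0
    Y = pow(B, y, P) * pow(V, pw0_s, P) % P
    Xs = X * pow(pow(U, pw0_s, P), -1, P) % P   # server: X / U^pw0 = B^x
    server_key = derive_key(pw0_s, X, Y, pow(Xs, y, P), pow(L, y, P))
    Ys = Y * pow(pow(V, pw0_c, P), -1, P) % P   # client: Y / V^pw0 = B^y
    client_key = derive_key(pw0_c, X, Y, pow(Ys, x, P), pow(Ys, pw1_c, P))
    return server_key, client_key
```

Note that the server side touches only pw0 and L, which is exactly why a stolen L still has to be brute-forced offline before it is usable as a credential.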

Hello, any news regarding spake2+ for this library?

dlq84 · Feb 14 '22 10:02