*** Watson Ladd [2015-05-04 05:00]: >This attack can be prevented by using Elligator, or by using >alternative PAKE schemes which are proved to be secure such as SPAKE2. Elligator encoding is applied to DH public key before its encryption in development branch. So, as I clearly understand, we can not determine successful decryption of public DH when guessing passwords. Do you mind if I mention you on the Thanks page for your suggestion and pointing this issue out? If so, should I specify your email address? -- Happy hacking, Sergey Matveev