[curves] The SPEKE Protocol Revisited

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 29 12:59:11 PDT 2014

On 09/29/2014 03:13 PM, Michael Hamburg wrote:

> What do you think of a KDF that amounts to H(minmax((Alice’s identity,Alice’s message),(Bob’s identity,Bob’s message), shared secret)

For clarification, the above is missing a close-paren, and "minmax()" i
probably more simply described as sort()

so i think Mike is asking about:

 H(sort((Alice's identity, Alice's message),
        (Bob's identity, Bob's message)),
   shared secret)

> It seems safer than the method you proposed, because it associates Alice’s identity to her message, but the wormhole attack you proposed worked because it confuses who sent which message.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20140929/a4e57bb4/attachment.sig>

More information about the Curves mailing list