[curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?
Andy Isaacson
adi at hexapodia.org
Wed Oct 25 13:39:21 PDT 2017
On Wed, Oct 25, 2017 at 07:36:54PM +0200, Björn Haase wrote:
>>So to better understand your point, if for example the hash of the
>>password has n bits of effective security, say 128, then we would
>>leak one bit of the hash (not the password itself), correct? Put
>>differently, how could this information practically be exploited? Is
>>it a realistic attack today or e.g. a potential weakness that could be
>>attacked using a quantum computer and a nuclear power plant in e.g. 20
>>years from now?
>
>As Mike has pointed out, the attack is completely realistic if you
>are either incorporating a session-specific random value or a salt.
>You will be leaking one bit per sniffed login. After listening to
>5-20 logins the attacker will be able to mount an offline attack.
I'd like to understand this attack better (the description above is
pretty surprising to me). Is there a canonical treatment or a phrase I
should look up in the literature?
-andy