[messaging] Common secret comparing

Katriel Cohn-Gordon me at katriel.co.uk
Wed Jan 24 03:37:57 PST 2018


What does "safe" mean in this context?

For example, an adversary could reflect Alice's initial message back
to Alice, and then reflect the hash back as well. The result is that
Alice will complete a protocol execution without Bob even existing.
Is that bad?
Katriel


On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
> Hi all! Please advise on this protocol:
>
> Two parties compare a 2-byte short common secret using EC25519
> (only mul and mul_base procedures) and a SHA3 hash. Either side can be
> an active adversary trying to obtain the secret.
>
> c = H(secret)
>
> Side A:
> - picks a at random
> - computes A = mul_base(a)
> - computes A' = mul(c, A)
> - sends A' to side B
>
> Side B:
> - picks b at random
> - computes B = mul_base(b)
> - computes B' = mul(c, B)
> - sends B' to side A
>
> Side A:
> - computes S = mul(a, B')
> - sends MB = H(A' | B' | S) to side A
>
> Side B:
> - computes S = mul(b, A')
> - sends MA = H(B' | A' | S) to side B
>
> Both A and B check MA and MB.
>
> Is this protocol safe?
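The quoted exchange and the reflection Katriel describes, worked through in code. This is an added example, not code from either poster; it assumes a pure-Python RFC 7748 X25519 ladder for mul/mul_base, SHA3-256 for H with the hash output clamped as the scalar c, 32-byte little-endian encoding of curve points inside H, and that A's MB goes to B while B's MA goes to A.

```python
import hashlib
P, BASE_U = 2**255 - 19, 9   # Curve25519 field prime and base-point u-coordinate

def H(*parts: bytes) -> bytes:
    return hashlib.sha3_256(b"".join(parts)).digest()  # assumption: H is SHA3-256

def clamp(k: bytes) -> int:
    # RFC 7748 scalar clamping; assumed to apply to c = H(secret) as well
    b = bytearray(k); b[0] &= 248; b[31] &= 127; b[31] |= 64
    return int.from_bytes(b, "little")

def x25519(k: int, u: int) -> int:
    # RFC 7748 Montgomery ladder on u-coordinates (not constant-time; illustration only)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(255, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def mul(k: int, u: int) -> int: return x25519(k, u)        # the poster's mul
def mul_base(k: int) -> int: return x25519(k, BASE_U)      # the poster's mul_base
def enc(u: int) -> bytes: return u.to_bytes(32, "little")  # point encoding inside H

def honest_run(secret_a: bytes, secret_b: bytes, a_seed: bytes, b_seed: bytes) -> bool:
    # Full exchange between two real parties; True iff both MA and MB checks pass.
    c_a, c_b, a, b = clamp(H(secret_a)), clamp(H(secret_b)), clamp(a_seed), clamp(b_seed)
    A1, B1 = mul(c_a, mul_base(a)), mul(c_b, mul_base(b))   # A' and B'
    S_A, S_B = mul(a, B1), mul(b, A1)
    MB = H(enc(A1), enc(B1), enc(S_A))                      # sent by A
    MA = H(enc(B1), enc(A1), enc(S_B))                      # sent by B
    return MB == H(enc(A1), enc(B1), enc(S_B)) and MA == H(enc(B1), enc(A1), enc(S_A))

def reflection_accepted(secret: bytes, a_seed: bytes) -> bool:
    # Katriel's observation: the peer echoes A' back as B' and MB back as MA.
    c, a = clamp(H(secret)), clamp(a_seed)
    A1 = mul(c, mul_base(a))
    B1 = A1                                   # "B'" is just the reflected A'
    MB = H(enc(A1), enc(B1), enc(mul(a, B1)))
    return MB == H(enc(B1), enc(A1), enc(mul(a, B1)))  # MA := reflected MB; A accepts
```

Nothing in A's final check ties the transcript to a second party, so the reflected run passes even though the echoing peer never learns the secret.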
