[messaging] Common secret comparing

Mike Hamburg mike at shiftleft.org
Wed Jan 24 12:56:42 PST 2018 

Er, you would compute A’ =  mul(8*a, elligator(c)).  That is, you don’t also have to multiply by c.

Whoops,
— Mike

> On Jan 24, 2018, at 12:56 PM, Mike Hamburg <mike at shiftleft.org> wrote:
> 
> It’s not safe against dictionary attacks by Alice or Bob.  For that, you want SPEKE, SPAKE2, PAK, …
> 
> This is a variant of SPEKE.  To make it secure you would compute A = mul(8*a, elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here, and also hash elligator(c) in the final MA/MB computation, in addition to adding identities or something to address Katriel’s concern.
> 
> — Mike
> 
>> On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <me at katriel.co.uk <mailto:me at katriel.co.uk>> wrote:
>> 
>> What does "safe" mean in this context?
>> 
>> For example, an adversary could reflect Alice's initial message back to Alice, and then reflect the hash back as well. The result is that Alice will complete a protocol execution without Bob even existing. Is that bad?
>> 
>> Katriel
>> 
>> 
>> On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
>>> Hi all!
>>> Please advise on this protocol:
>>> 
>>> Two parties comparing 2 bytes short  common secret  using EC25519 (only mul and mul_base procedures) and SHA3 hash.
>>> Any side can be active adversary trying obtain secret.
>>> 
>>> c = H(secret)
>>> 
>>> Side A:
>>> - picks a at random
>>> - computes A = mul_base(a)
>>> - computes A' = mul(c, A)
>>> - sends A' to side B
>>> 
>>> Side B:
>>> - picks b at random
>>> - computes B = mul_base(b)
>>> - computes B' = mul(c, B)
>>> - sends B' to side A
>>> 
>>> Side A:
>>> - computes S =  mul(a, B')
>>> - sends MB=H(A' | B' | S) to side A
>>> 
>>> Side B:
>>> - computes S= mul(b, A')
>>> - sends MA=H(B' | A' | S) to side B
>>> 
>>> Both A and B checks MA and MB.
>>> 
>>> Is this protocol safe?
>>> _______________________________________________
>>> Messaging mailing list
>>> Messaging at moderncrypto.org <mailto:Messaging at moderncrypto.org>
>>> https://moderncrypto.org/mailman/listinfo/messaging <https://moderncrypto.org/mailman/listinfo/messaging>
>> 
>> _______________________________________________
>> Messaging mailing list
>> Messaging at moderncrypto.org <mailto:Messaging at moderncrypto.org>
>> https://moderncrypto.org/mailman/listinfo/messaging <https://moderncrypto.org/mailman/listinfo/messaging>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20180124/9b01b48b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3571 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20180124/9b01b48b/attachment.bin>

More information about the Messaging mailing list