# [messaging] Common secret comparing

Van Gegel torfone at ukr.net
Fri Jan 26 01:59:56 PST 2018

```Thanks all!

Katriel Cohn-Gordon, I'm sorry, I assumed checking A'!=B! but not include this in trascription.
Of cource, UKS protecting also can be achived including IDs into hashing.

Mike Hamburg, ops, it is a real dictionary attack!
Now I see SPEKE paper:
https://eprint.iacr.org/2014/585.pdf
The difference only in key deriving function:  f(s) = (H(s))^ 2 mod p;
Can I applied this to curve?

And now I find this thread:
https://moderncrypto.org/mail-archive/curves/2017/000940.html
My problem is closely same: I use Cortex M0 with limited program code memory so small for Edvards Ed25519.
I havn't elligator's C code for Montgomery 25519: I have only EC25519 refference DJB's code with only mul() and mul_base() in my system.
And also have Keccak Sponge as near "ideal" hash, mac and crypt (like Shake-128).

Is it possible to design any safe PKE in this environment? Maybe even with extra passes and decreasing computation efficiency but without any additional math.

--- Original message ---
From: "Ben Harris" <mail at bharr.is>
Date: 25 January 2018, 10:46:03

If I have this right (??), the attack is:

Alice sends A which is equivalent to a*c*G.
Mallory takes A and multiplies by random b and sends back B as b*G.
Alice computes S as a*B = a*b*G and sends MA as H(A | B | S).

Mallory now guesses a password to compute c'. She then computes a guess S' as (1/c')*b*A = (1/c')*b*a*c*G. If c' == c then this is a*b*G and S' == S.
Mallory checks S' by computing H(A | B | S') and comparing to MA.

On 25 January 2018 at 07:56, Mike Hamburg <mike at shiftleft.org> wrote:
Er, you would compute A’ =  mul(8*a, elligator(c)).  That is, you don’t also have to multiply by c.

Whoops,
— Mike

On Jan 24, 2018, at 12:56 PM, Mike Hamburg <mike at shiftleft.org> wrote:

It’s not safe against dictionary attacks by Alice or Bob.  For that, you want SPEKE, SPAKE2, PAK, …

This is a variant of SPEKE.  To make it secure you would compute A = mul(8*a, elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here, and also hash elligator(c) in the final MA/MB computation, in addition to adding identities or something to address Katriel’s concern.

— Mike

On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <me at katriel.co.uk> wrote:

What does "safe" mean in this context?

For example, an adversary could reflect Alice's initial message back to Alice, and then reflect the hash back as well. The result is that Alice will complete a protocol execution without Bob even existing. Is that bad?

Katriel

On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:

Hi all!

Two parties comparing 2 bytes short  common secret  using EC25519 (only mul and mul_base procedures) and SHA3 hash.
Any side can be active adversary trying obtain secret.

c = H(secret)

Side A:
- picks a at random
- computes A = mul_base(a)
- computes A' = mul(c, A)
- sends A' to side B

Side B:
- picks b at random
- computes B = mul_base(b)
- computes B' = mul(c, B)
- sends B' to side A

Side A:
- computes S =  mul(a, B')
- sends MB=H(A' | B' | S) to side A

Side B:
- computes S= mul(b, A')
- sends MA=H(B' | A' | S) to side B

Both A and B checks MA and MB.

Is this protocol safe?

_______________________________________________

Messaging mailing list

Messaging at moderncrypto.org

https://moderncrypto.org/mailman/listinfo/messaging

_______________________________________________
Messaging mailing list
Messaging at moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging

_______________________________________________
Messaging mailing list
Messaging at moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging

_______________________________________________
Messaging mailing list
Messaging at moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20180126/d0c4f0e1/attachment.html>
```