<html><body><span class="xfm_48538554"><div style="height:1px;"></div>The above scheme uses the classical commitment. But in my case it is more convenient to implement a two-pass key exchange instead of a commitment.<br/>The question is whether it is possible to effectively influence the SAS by changing a part of the key even after most of the key was sent in the first pass? Are there suitable mathematical methods to do this relative to EC25519?<br/><br/>For example, an attacker must obtain a specified 32-bit SAS (for MitM). He receives a 224-bit key and then must send his 224 bits, then receives the remaining 32 bits and must send the remaining 32 bits. Can the attacker pick his key effectively to solve the problem in polynomial time? <span><br/><br/><div style="font-size:14px;font-style:italic;">
21 February 2016, 22:52:19, by "Natanael" <<a href="mailto:natanael.l@gmail.com" target="_blank">natanael.l@gmail.com</a>>:<br/></div>
<br/><blockquote style="border-left:1px solid rgb(204, 204, 204);margin:0px 0px 0px 0.8ex;padding-left:1ex;">
<span><span><p dir="ltr">This sounds like what KDFs were invented for. You can send public key hashes before the public keys in your key exchange to verify that the keypairs were generated prior to learning the public key of the counterpart, then use a KDF like scrypt or the new Argon2 on the shared secret which was generated to derive the SAS. </p>
<p dir="ltr">- Sent from my tablet</p>
<div class="xfmc1">Den 20 feb 2016 21:21 skrev "Van Gegel" <<a href="mailto:torfone@ukr.net" target="_blank">torfone@ukr.net</a>>:<br type="attribution"/><blockquote class="xfmc1" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><span>I want to perform DH on the EC25519 and verify the secret using a short fingerprint (32-bit SAS). Typically in this case a commitment is needed to prevent MitM by influencing the responder's key after the originator's key was received.  <br/>Is the following scheme secure instead of a commitment:<br/>first exchange parts of the keys (first 224 bits) and then the remaining 32 bits during a second pass?<br/><br/></span></div>
<br/>_______________________________________________<br/>
Messaging mailing list<br/><a href="mailto:Messaging@moderncrypto.org" target="_blank">Messaging@moderncrypto.org</a><br/><a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br/><br/></blockquote></div></span>
</span>
</blockquote>

</span></span></body></html>