<html><body><span class="xfm_05888662"><div style="height:1px;"></div>Argon2 is not a panacea in our case because we have to use hardware with limited resources (memory) while adversary can use near unlimited resources for mounting MitM.<br/>I suppose that with n-bits commitment and m-bit short authenticator attacker must do 2^(m+n) probes (exponent+PKDF each) for success MitM. While m+n near 32 - 48 bits is this more hard comparing with the obtaining keypair on the second pass of 224+32 two-passed DH described above?<br/><br/>And whether there is a suitable C implementation (library) for DH with Aranha Curve2213?  <br/><br/><div style="font-size:0.9em;font-style:italic;"> --- Original message ---<br/> From: "Ben Harris" <mail@bharr.is><br/>  Date: 23 February 2016, 02:01:22<br/></div> <br/><blockquote class="xfmc1" style="border-left:1px solid rgb(204, 204, 204);margin:0px 0px 0px 0.8ex;padding-left:1ex;"><span>
  <div dir="ltr">
    <div class="xfmc2">
      <div class="xfmc3">On 23 February 2016 at 08:02, Van Gegel <span dir="ltr"><<a href="mailto:torfone@ukr.net" target="_blank">torfone@ukr.net</a>></span> wrote:<br/><blockquote class="xfmc3" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex;"><div><span><span><div style="min-height:1px;">Another problem: what is the minimum bit length of the hash (commitment) is required for reliable verification by 32-bit short fingerprints of secret? Note: data transfer price is very high in our case.<br/></div></span><br/></span></div></blockquote><div> </div><div>If data is so expensive, you might want to look at M-221 or E-222 as smaller curves. [<a href="https://safecurves.cr.yp.to/" target="_blank">https://safecurves.cr.yp.to/</a>]</div><div><br/></div><div>If you used a memory/cpu hard function (PBKDF/scrypt/argon) to generate the 32-bit fingerprint then you could lower the size of the hash commitment. It would come down to the type of adversary you want to protect from. You could use a 64-bit commitment and a memory hard function that takes 1 second to calculate for instance and get a very high level of protection. It is a tradeoff, as with most things in life.</div></div>
    </div>
  </div>
</span></blockquote>   </span><img src="https://mail.ukr.net/api/public/message_read?a=gKmgv9dJOFKr1qfkfopsNCLgD9U4FsruVFVOfbTHJhKleC1Lt5WL_vBmkaGOcFv9xXRtWaid46LYmeQ0bqNoFd0dQ4exi8jjNw7YU_SVQA==" alt="" width="1" height="1" style="visibility: hidden; width: 1px; height: 1px;"/>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       </body></html>