<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
</head>
<body><div style="font-family:georgia, serif;">What does "safe" mean in this context?<br></div>
<div style="font-family:georgia, serif;"><br></div>
<div style="font-family:georgia, serif;">For example, an adversary could reflect Alice's initial message back to Alice, and then reflect the hash back as well. The result is that Alice will complete a protocol execution without Bob even existing. Is that bad?<br></div>
<div style="font-family:georgia, serif;"><br></div>
<div style="font-family:georgia, serif;">Katriel</div>
<div><br></div>
<div><br></div>
<div>On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:<br></div>
<blockquote type="cite"><div style="font-family:georgia, serif;"><span>Hi all!<br>Please advise on this protocol:<br><br>Two parties compare a short 2-byte common secret using EC25519 (only mul and mul_base procedures) and SHA3 hash.<br>Any side can be an active adversary trying to obtain the secret.<br><br>c = H(secret)<br><br>Side A:<br>- picks a at random<br>- computes A = mul_base(a)<br>- computes A' = mul(c, A)<br>- sends A' to side B<br><br>Side B:<br>- picks b at random<br>- computes B = mul_base(b)<br>- computes B' = mul(c, B)<br>- sends B' to side A<br><br>Side A:<br>- computes S = mul(a, B')<br>- sends MB=H(A' | B' | S) to side A<br><br>Side B:<br>- computes S = mul(b, A')<br>- sends MA=H(B' | A' | S) to side B<br><br>Both A and B check MA and MB.<br><br>Is this protocol safe?<br></span></div>
</blockquote><div style="font-family:georgia, serif;"><br></div>
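<div style="font-family:georgia, serif;">The reflection described in the reply, run against the quoted protocol, as an added example that is not part of the thread. It assumes SHA3-256 for H, X25519 (RFC 7748) for mul, and constructed sample scalars; the <code>reject_echo</code> check is a hypothetical addition of this example, not something either poster proposed.</div>
<pre>
```python
import hashlib
import hmac

P, A24 = 2**255 - 19, 121665

def mul(k: bytes, u: bytes) -> bytes:
    # X25519 scalar multiplication (RFC 7748 ladder); illustrative, not constant-time.
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def mul_base(k: bytes) -> bytes:
    return mul(k, (9).to_bytes(32, "little"))

def H(*parts: bytes) -> bytes:
    return hashlib.sha3_256(b"".join(parts)).digest()

def first_message(secret: bytes, x: bytes) -> bytes:
    return mul(H(secret), mul_base(x))          # A' = mul(c, mul_base(a))

def tags(own: bytes, peer: bytes, x: bytes):
    s = mul(x, peer)                            # S = mul(a, B')
    return H(own, peer, s), H(peer, own, s)     # (tag to send, tag expected)

def accepts(own, peer, x, peer_tag, reject_echo=False):
    if reject_echo and peer == own:             # hypothetical check: refuse own message
        return False
    return hmac.compare_digest(peer_tag, tags(own, peer, x)[1])

KA, KB = H(b"constructed scalar a"), H(b"constructed scalar b")  # sample scalars

def honest_run(secret_a: bytes, secret_b: bytes) -> bool:
    a1, b1 = first_message(secret_a, KA), first_message(secret_b, KB)
    return (accepts(a1, b1, KA, tags(b1, a1, KB)[0])
            and accepts(b1, a1, KB, tags(a1, b1, KA)[0]))

def reflection_run(reject_echo: bool, secret: bytes = b"\x12\x34") -> bool:
    a1 = first_message(secret, KA)              # Alice's A', echoed back as B'
    echoed_tag = tags(a1, a1, KA)[0]            # Alice's own MB, echoed back as MA
    return accepts(a1, a1, KA, echoed_tag, reject_echo)
```
</pre>
<div style="font-family:georgia, serif;">With B' = A' both confirmation hashes collapse to H(A' | A' | S), so <code>reflection_run(False)</code> accepts with no second party and no knowledge of the secret, while <code>reflection_run(True)</code> rejects the echoed message.</div>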
</body>
</html>