<div dir="ltr">If I have this right (??), the attack is:<div><br></div><div>Alice sends A which is equivalent to a*c*G.</div><div>Mallory takes A and multiplies by random b and sends back B as b*G.</div><div>Alice computes S as a*B = a*b*G and sends MA as H(A | B | S).</div><div><br></div><div>Mallory now guesses a password to compute c'. She then computes a guess S' as (1/c')*b*A = (1/c')*b*a*c*G. If c' == c then this is a*b*G and S' == S.</div><div>Mallory checks S' by computing H(A | B | S') and comparing to MA.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 25 January 2018 at 07:56, Mike Hamburg <span dir="ltr"><<a href="mailto:mike@shiftleft.org" target="_blank">mike@shiftleft.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Er, you would compute A’ =  mul(8*a, elligator(c)).  That is, you don’t also have to multiply by c.<div><br></div><div>Whoops,</div><div>— Mike<div><div class="h5"><br><div><br><blockquote type="cite"><div>On Jan 24, 2018, at 12:56 PM, Mike Hamburg <<a href="mailto:mike@shiftleft.org" target="_blank">mike@shiftleft.org</a>> wrote:</div><br class="m_-8676758380686965015Apple-interchange-newline"><div><div style="word-wrap:break-word;line-break:after-white-space">It’s not safe against dictionary attacks by Alice or Bob.  For that, you want SPEKE, SPAKE2, PAK, …<div><br></div><div>This is a variant of SPEKE.  
To make it secure you would compute A = mul(8*a, elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here, and also hash elligator(c) in the final MA/MB computation, in addition to adding identities or something to address Katriel’s concern.</div><div><br></div><div>— Mike</div><div><div><br><blockquote type="cite"><div>On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <<a href="mailto:me@katriel.co.uk" target="_blank">me@katriel.co.uk</a>> wrote:</div><br class="m_-8676758380686965015Apple-interchange-newline"><div><div style="font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:georgia,serif">What does "safe" mean in this context?<br></div><div style="font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:georgia,serif"><br></div><div style="font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:georgia,serif">For example, an adversary could reflect Alice's initial message back to Alice, and then reflect the hash back as well. The result is that Alice will complete a protocol execution without Bob even existing. 
Is that bad?<br></div><div style="font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:georgia,serif"><br></div><div style="font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:georgia,serif">Katriel</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:<br></div><blockquote type="cite" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="font-family:georgia,serif"><span>Hi all!<br>Please advise on this protocol:<br><br>Two parties compare a 2-byte short common secret using EC25519 (only the mul and mul_base procedures) and the SHA3 hash.<br>Either side can be an active adversary trying to obtain the secret.<br><br>c = H(secret)<br><br>Side A:<br>- picks a at random<br>- computes A = mul_base(a)<br>- computes A' = mul(c, A)<br>- sends A' to side B<br><br>Side B:<br>- picks b at random<br>- computes B = mul_base(b)<br>- computes B' = mul(c, 
B)<br>- sends B' to side A<br><br>Side A:<br>- computes S = mul(a, B')<br>- sends MB=H(A' | B' | S) to side A<br><br>Side B:<br>- computes S = mul(b, A')<br>- sends MA=H(B' | A' | S) to side B<br><br>Both A and B check MA and MB.<br><br>Is this protocol safe?<br></span></div><div><u>______________________________<wbr>_________________</u><br></div><div>Messaging mailing list<br></div><div><a href="mailto:Messaging@moderncrypto.org" target="_blank">Messaging@moderncrypto.org</a><br></div><div><a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/<wbr>mailman/listinfo/messaging</a><br></div></blockquote><div style="font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:georgia,serif"><br></div></div></blockquote></div><br></div></div></div></blockquote></div><br></div></div></div></div><br>
<br></blockquote></div><br></div>
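A toy-group simulation of the posted protocol and of Mike's SPEKE-style fix, added here as an example and not code from anyone in the thread. It uses a prime-order subgroup of Z_p^* in place of Curve25519 (so there is no cofactor 8 to clear) and a hash-to-subgroup function in place of elligator(); the parameters, function names and secret values are this example's own constructions. It shows that with the posted protocol Mallory's transcript confirms a password guess offline, while with the fixed variant the transcript only confirms the single guess she committed to online.

```python
import hashlib
import secrets

# Constructed toy parameters: P = 2*Q + 1 is a safe prime, so the quadratic
# residues mod P form a subgroup of prime order Q, and G = 2^2 generates it.
P, Q, G = 1019, 509, 4

def H(*parts):
    """SHA3-256 over the concatenated parts, as hex (ints are encoded as text)."""
    h = hashlib.sha3_256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
    return h.hexdigest()

def scalar(secret):
    """c = H(secret) as a non-zero scalar mod Q, as in the posted protocol."""
    return 1 + int(H(b"c", secret), 16) % (Q - 1)

def hash_to_group(secret):
    """Stand-in for elligator(c): a subgroup element whose log base G is unknown."""
    x = 2 + int(H(b"gen", secret), 16) % (P - 3)   # x in [2, P-2], so x^2 != 1
    return pow(x, 2, P)

def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)

def weak_run(secret, guess):
    """Posted protocol. Alice sends A' = c*a*G; Mallory answers B' = b*G, records
    MA, and afterwards tests a password guess offline against the transcript."""
    c, a, b = scalar(secret), rand_scalar(), rand_scalar()
    A_ = pow(G, a * c, P)                       # A' = mul(c, mul_base(a))
    B_ = pow(G, b, P)                           # Mallory needs no password for this
    MA = H(A_, B_, pow(B_, a, P))               # Alice: S = mul(a, B'), MA = H(A'|B'|S)
    # Offline step from the top post: S' = (1/c')*b*A' equals S exactly when c' == c.
    S_ = pow(A_, (b * pow(scalar(guess), -1, Q)) % Q, P)
    return H(A_, B_, S_) == MA

def fixed_run(secret, online_guess, offline_guess):
    """Mike's SPEKE-style variant: the password picks the base point and
    elligator(c) is hashed into MA. Mallory has to commit to a guess before
    sending B; the transcript later confirms only that guess, not another one."""
    Gc, a, b = hash_to_group(secret), rand_scalar(), rand_scalar()
    A = pow(Gc, a, P)                           # A = mul(a, elligator(c)); no cofactor here
    B = pow(hash_to_group(online_guess), b, P)  # Mallory's B under her online guess
    MA = H(A, B, Gc, pow(B, a, P))              # Alice: S = mul(a, B), elligator(c) hashed in
    S_ = pow(A, b, P)                           # all Mallory can form from A and b
    return H(A, B, hash_to_group(offline_guess), S_) == MA
```

The fixed variant still lets Mallory test exactly one password per protocol run, which is the online-guessing bound any PAKE accepts; the point is that no further guesses can be checked against the recorded transcript.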