[curves] Checking for all-zeros ECDH output
Trevor Perrin
trevp at trevp.net
Sun Sep 20 20:17:06 PDT 2015
On Sun, Sep 20, 2015 at 7:37 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> Instead, this check is apparently trying to make it hard for an
> adversary to synchronize session keys with two honest parties, by
> making this problem hard:
> - given g^a and g^b, find C, D, such that C^a == D^b

Maybe it's more complicated - maybe this only matters if the adversary
also knows the discrete log of C or D?

I'm still confused what the goal is here, and how this check addresses it.

Trevor
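
Added example, not part of the message above or of any code from the list: one concrete instance of the quoted problem for X25519, where C and D are small-order values, so C^a and D^b are both all-zeros for any clamped scalars, and the all-zeros check rejects them. The private keys are constructed sample values, the function names are hypothetical, and the ladder follows RFC 7748.

```python
import hmac

P, A24 = 2**255 - 19, 121665

def clamp(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder with no output check (not constant-time)."""
    n, x1 = clamp(k), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_checked(k: bytes, u: bytes) -> bytes:
    """Same function plus the all-zeros output check discussed in the thread."""
    shared = x25519(k, u)
    if hmac.compare_digest(shared, bytes(32)):
        raise ValueError("all-zeros ECDH output: peer value has small order")
    return shared

# Constructed private keys for two honest parties (sample values, not secrets).
ALICE, BOB = bytes(range(32)), bytes(range(32, 64))
# u = 0 and u = 1 encode small-order points; clamped scalars are multiples of 8.
SMALL_ORDER = [(0).to_bytes(32, "little"), (1).to_bytes(32, "little")]

def synchronized_without_check(c: bytes, d: bytes) -> bool:
    # True when C^a == D^b, i.e. both honest parties derive the same output.
    return x25519(ALICE, c) == x25519(BOB, d)

def rejected_by_check(k: bytes, u: bytes) -> bool:
    try:
        return not x25519_checked(k, u)
    except ValueError:
        return True
```

This covers only the small-order case; it does not address whether other C, D pairs exist, which is the open question in the message.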