[curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

Andy Isaacson adi at hexapodia.org
Wed Oct 25 13:39:21 PDT 2017

On Wed, Oct 25, 2017 at 07:36:54PM +0200, Björn Haase wrote:
>>So to better  understand your point, if for example the hash of the 
>>password has n bits of effective security, say 128, then we would 
>>leak one bit of the hash (not the password itself), correct? Put 
>>differently, how could this information practically be exploited? Is 
>>it a realistic attack today or e.g. a potential weakness that could be 
>>attacked using a quantum computer and a nuclear power plant in e.g. 20 
>>years from now?
>As Mike has pointed out, the attack is completely realistic if you 
>are either incorporating a session-specific random value or a salt. 
>You will be leaking one bit per sniffed login. After listening to 
>5-20 logins the attacker will be able to mount an offline attack.

I'd like to understand this attack better (the description above is
pretty surprising to me), is there a canonical treatment or a phrase I
should look up in the literature?


More information about the Curves mailing list