[curves] encoding points -> bitstrings: indistinguishability, PAKE?
Joe
joe at celo.io
Wed Jun 23 16:43:17 PDT 2021
On 6/24/21 1:30 AM, Joe wrote:
> You probably want a PRP (or key-wide block cipher) to avoid scenarios
> where flipping individual bits lead to weird corner cases. At the very
> least an attacker could structure their key such that e.g. two guesses
> would decode to related keys, which weakens the properties of your EKE
> PAKE ever so slightly (no longer one guess per interaction).
>
Sorry, I was tired and mixing up threat models.
With XOR the biggest problem as I see it is MITM with deterministic bit
flipping, where targeting related keys could lead to a key confirmation
attack (if Alice & Bob pair successfully with a bit-flipped key, you
know your bitflip resulted in a related key). I'm not sure how practical
that is, you or Mike are probably better situated to answer that.
The precomputation stuff is a separate issue that is relevant for
encoding schemes like UniformDH and Elligator/Elligator2/Elligator^2
where several encodings lead to the same or related keys upon decoding.
It looks like Mike was a co-author of the Elligator 1+2 paper [1], so
perhaps he can comment regarding which algorithm seems most relevant.
Elligator Squared [2] was written by Mehdi Tibouchi.
Binary Elligator Squared [3] is yet another paper, I haven't looked into
this one.
Loup Vaillant has an implementation of Elligator 2 in the "Monocypher"
library [4], it's the only maintained implementation I've seen.
[1] https://elligator.cr.yp.to/papers.html
[2] https://ifca.ai/pub/fc14/paper_25.pdf
[3] https://eprint.iacr.org/2014/486.pdf
[4] https://github.com/LoupVaillant/Monocypher
More information about the Curves
mailing list