[curves] encoding points -> bitstrings: indistinguishability, PAKE?

Ben Harris mail at bharr.is
Wed Jun 23 20:07:44 PDT 2021

On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <trevp at trevp.net> wrote:

> I think (b) is easy to check, so the risk with Encrypt()=XOR of
> Hash(password) is about (a):  maybe Alice could find two DH public
> values whose encodings have some XOR difference, and for which she
> knows the discrete log?

Alice could generate a nonce for the encryption using Hash(Encode(g^a)).
Bob can very the nonce was correctly generated before replying to Alice.
This makes the XOR depend on the public value?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20210624/83957018/attachment.htm>

More information about the Curves mailing list