[curves] encoding points -> bitstrings: indistinguishability, PAKE?

Ben Harris mail at bharr.is
Wed Jun 23 20:07:44 PDT 2021


On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <trevp at trevp.net> wrote:

>
> I think (b) is easy to check, so the risk with Encrypt()=XOR of
> Hash(password) is about (a):  maybe Alice could find two DH public
> values whose encodings have some XOR difference, and for which she
> knows the discrete log?
>

Alice could generate a nonce for the encryption using Hash(Encode(g^a)).
Bob can very the nonce was correctly generated before replying to Alice.
This makes the XOR depend on the public value?

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20210624/83957018/attachment.htm>


More information about the Curves mailing list