[curves] encoding points -> bitstrings: indistinguishability, PAKE?

Trevor Perrin trevp at trevp.net
Wed Jun 23 20:36:34 PDT 2021

On Wed, Jun 23, 2021 at 8:07 PM Ben Harris <mail at bharr.is> wrote:
> On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <trevp at trevp.net> wrote:
>> I think (b) is easy to check, so the risk with Encrypt()=XOR of
>> Hash(password) is about (a):  maybe Alice could find two DH public
>> values whose encodings have some XOR difference, and for which she
>> knows the discrete log?
> Alice could generate a nonce for the encryption using Hash(Encode(g^a)). Bob can very the nonce was correctly generated before replying to Alice. This makes the XOR depend on the public value?

Remember (b): if you add something which Bob can check to Alice's
message, then Bob can rule out passwords.


More information about the Curves mailing list