[messaging] Peerio
Ben Laurie
ben at links.org
Sun Mar 1 03:44:54 PST 2015
On 1 March 2015 at 07:24, Michael Hamburg <mike at shiftleft.org> wrote:
> Perhaps you should use oblivious function evaluation with a user-specific
> secret at the server. So for example, server has a per-user secret key e,
> and user has a (salted, scrypted) password p. Let h = hash(p) on some
> curve.
>
> client chooses a uniformly random scalar r.
> client -> server: Q = h^r
> server -> client: P = Q^e = h^er
> client computes P^1/r = h^e, and uses the hash of that point as part of the
> secret key derivation.
I feel sure I'm missing something, but doesn't the server also need h^e?
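
The blinded exchange quoted above, as an added example that is not part of the original thread or either poster's code. It assumes Curve25519 with an x-only Montgomery ladder, a try-and-increment hash onto the curve, and constructed scrypt parameters; the function names are hypothetical. In this sketch the server computes only with e and receives only the blinded Q.

```python
import hashlib, secrets

PRIME = 2**255 - 19                  # Curve25519 field prime (assumed curve choice)
A24 = 121665                         # ladder constant (486662 - 2) / 4
ORDER = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order

def ladder(k, u):
    """x-only Montgomery ladder: x-coordinate of the point u raised to k."""
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % PRIME, b * b % PRIME, d * a % PRIME, c * b % PRIME
        e = (aa - bb) % PRIME
        x3, z3 = (da + cb) ** 2 % PRIME, u * (da - cb) ** 2 % PRIME
        x2, z2 = aa * bb % PRIME, e * (aa + A24 * e) % PRIME
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, PRIME - 2, PRIME) % PRIME

def hash_to_curve(pw_key):
    """h = hash(p): try-and-increment onto the curve, then clear the cofactor 8."""
    for ctr in range(256):
        u = int.from_bytes(hashlib.sha512(pw_key + bytes([ctr])).digest(), "big") % PRIME
        rhs = (u * u * u + 486662 * u * u + u) % PRIME
        if u and pow(rhs, (PRIME - 1) // 2, PRIME) == 1:  # on the curve, not the twist
            return ladder(8, u)
    raise ValueError("no curve point found")

def client_blind(h):
    r = secrets.randbelow(ORDER - 1) + 1          # uniformly random nonzero scalar
    return r, ladder(r, h)                        # Q = h^r

def server_evaluate(e, Q):
    return ladder(e, Q)                           # P = Q^e = h^er

def client_unblind(r, P):
    return ladder(pow(r, ORDER - 2, ORDER), P)    # P^(1/r) = h^e

def run_exchange(password, salt, e):
    p = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    h = hash_to_curve(p)
    r, Q = client_blind(h)
    he = client_unblind(r, server_evaluate(e, Q))
    return h, Q, he, hashlib.sha256(he.to_bytes(32, "big")).digest()
```

The last returned value is the hash of h^e that feeds the client's key derivation; a fresh r on every run changes Q but not that hash.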