[messaging] Peerio

Ben Harris mail at bharr.is
Sun Mar 1 04:33:39 PST 2015


On 01/03/2015 7:45 pm, "Ben Laurie" <ben at links.org> wrote:
>
> On 1 March 2015 at 07:24, Michael Hamburg <mike at shiftleft.org> wrote:
> > Perhaps you should use oblivious function evaluation with a
> > user-specific secret at the server.  So for example, server has a
> > per-user secret key e, and user has a (salted, scrypted) password p.
> > Let h = hash(p) on some curve.
> >
> > client chooses a uniformly random scalar r.
> > client -> server: Q = h^r
> > server -> client: P = Q^e = h^er
> > client computes P^1/r = h^e, and uses the hash of that point as part
> > of the secret key derivation.
>
> I feel sure I'm missing something, but doesn't the server also need h^e?

The server receives Q from the client and multiplies the point Q by e. The
client then removes the random blinding factor r to get h^e. The server
doesn't know r so it can't remove the blinding.

I thought there was an attack on this discussed on this list though?
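As an added example that is not part of this thread, here is the blinded exchange from Mike's message carried through end to end. A toy Schnorr group (a safe prime p = 2q + 1 with the order-q subgroup of quadratic residues) stands in for the elliptic curve, SHA-256 stands in for the salted scrypt step, and every function name (find_safe_prime, hash_to_group, client_blind, server_evaluate, client_unblind, run_exchange, server_keygen) is this example's own. It shows the client ending up with h^e while the server only ever handles Q = h^r, and that the client's output is the same across runs with fresh blinding factors.

```python
"""Blinded-exponent OPRF from the thread (added example, not the poster's code).

A Schnorr group (safe prime p = 2q + 1, subgroup of quadratic residues of
prime order q) stands in for the elliptic curve; SHA-256 stands in for the
salted scrypt step. All function names here are this example's own.
"""
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases (demonstration quality)."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                            # composite witness found
    return True


def find_safe_prime(bits):
    """Search for p = 2q + 1 with both p and q prime; returns (p, q)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q


def hash_to_group(p, password, salt):
    """Map the salted password to an element h of the order-q subgroup.
    Squaring the reduced hash lands in the quadratic residues; the counter
    skips the (negligibly likely) degenerate results 0 and 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(salt + bytes([counter]) + password).digest()
        h = pow(int.from_bytes(digest, "big") % p, 2, p)
        if h not in (0, 1):
            return h
        counter += 1


def server_keygen(q):
    """Per-user server secret e, uniform in [1, q)."""
    return secrets.randbelow(q - 1) + 1


def client_blind(p, q, h):
    """Client: uniformly random r in [1, q); send Q = h^r."""
    r = secrets.randbelow(q - 1) + 1
    return r, pow(h, r, p)


def server_evaluate(p, e, Q):
    """Server: P = Q^e = h^(e*r). It never sees h or r."""
    return pow(Q, e, p)


def client_unblind(p, q, r, P):
    """Client: P^(1/r) with 1/r taken mod q (the group order), giving h^e."""
    r_inv = pow(r, -1, q)          # modular inverse, Python 3.8+
    return pow(P, r_inv, p)


def derive_key(h_e):
    """Hash the unblinded point into the key-derivation input."""
    return hashlib.sha256(h_e.to_bytes((h_e.bit_length() + 7) // 8, "big")).digest()


def run_exchange(p, q, e, password, salt):
    """One full round trip; returns the transcript and the client's result."""
    h = hash_to_group(p, password, salt)
    r, Q = client_blind(p, q, h)          # client -> server: Q
    P = server_evaluate(p, e, Q)          # server -> client: P
    h_e = client_unblind(p, q, r, P)
    return {"Q": Q, "P": P, "h_e": h_e, "key": derive_key(h_e)}


if __name__ == "__main__":
    p, q = find_safe_prime(128)   # toy size; a real deployment uses a 2048+ bit group or a curve
    e = server_keygen(q)
    pw, salt = b"correct horse battery", b"constructed-salt"   # constructed sample input
    first = run_exchange(p, q, e, pw, salt)
    second = run_exchange(p, q, e, pw, salt)
    print("fresh blinding each run:", first["Q"] != second["Q"])
    print("same key both runs:", first["key"] == second["key"])
    print("client recovered h^e:", first["h_e"] == pow(hash_to_group(p, pw, salt), e, p))
```

Because r is uniform in [1, q) and h is a non-identity element of the order-q subgroup, Q = h^r is uniformly distributed in that subgroup regardless of h, so a transcript of Q and P alone gives the server (or anyone logging the connection) nothing about the password. Computing h^e directly would require h, which only the client has; what the server contributes is e, which is why the client's unblinded value depends on both.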