mail at bharr.is
Sun Mar 1 04:33:39 PST 2015
On 01/03/2015 7:45 pm, "Ben Laurie" <ben at links.org> wrote:
> On 1 March 2015 at 07:24, Michael Hamburg <mike at shiftleft.org> wrote:
> > Perhaps you should use oblivious function evaluation with a
> > secret at the server. So for example, server has a per-user secret key
> > and user has a (salted, scrypted) password p. Let h = hash(p) on some
> > curve.
> > client chooses a uniformly random scalar r.
> > client -> server: Q = h^r
> > server -> client: P = Q^e = h^er
> > client computes P^(1/r) = h^e, and uses the hash of that point as part of
> > secret key derivation.
> I feel sure I'm missing something, but doesn't the server also need h^e?
The server receives Q from the client and multiplies the point Q by e. The
client then removes the random blanking factor r to get h^e. The server
doesn't know r so it can't remove the blanking.
I thought there was an attack on this discussed on this list though?