ben at links.org
Sun Mar 1 05:20:28 PST 2015
On 1 March 2015 at 12:33, Ben Harris <mail at bharr.is> wrote:
> On 01/03/2015 7:45 pm, "Ben Laurie" <ben at links.org> wrote:
>> On 1 March 2015 at 07:24, Michael Hamburg <mike at shiftleft.org> wrote:
>> > Perhaps you should use oblivious function evaluation with a user-specific
>> > secret at the server. So for example, server has a per-user secret key e,
>> > and user has a (salted, scrypted) password p. Let h = hash(p) on some curve.
>> > client chooses a uniformly random scalar r.
>> > client -> server: Q = h^r
>> > server -> client: P = Q^e = h^er
>> > client computes P^1/r = h^e, and uses the hash of that point as part of the
>> > secret key derivation.
>> I feel sure I'm missing something, but doesn't the server also need h^e?
> The server receives Q from the client and multiplies the point Q by e. The
> client then removes the random blanking factor r to get h^e. The server
> doesn't know r so it can't remove the blanking.
Yeah, so now the client has h^e, but no-one else does - so what use is
that? I'm confused.
> I thought there was an attack on this discussed on this list though?
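The blinded exchange described in the quoted protocol, as an added example (not code from anyone in the thread): a multiplicative-group rendition in which the client blinds h with r, the server raises the blinded value to its per-user key e, and the client unblinds with r^-1 mod the group order. The safe prime is found at run time at a toy size, and the salt, password and key values are constructed here; none of these parameters are secure.

```python
import hashlib
import secrets

def _is_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (random bases)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits=62):
    """Deterministic search for p = 2q + 1 with p and q prime (toy size, NOT secure)."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

PRIME, ORDER = _safe_prime()  # quadratic residues mod PRIME form a group of prime order ORDER

def hash_to_group(password, salt):
    """h = hash(salted password) as an element of the prime-order subgroup (squaring maps into it)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(salt + password + bytes([ctr])).digest(), "big")
        h = pow(x % PRIME, 2, PRIME)
        if h > 1:          # skip the degenerate elements 0 and 1
            return h
        ctr += 1

def client_blind(h, r=None):
    """client -> server: Q = h^r for a uniformly random scalar r (r kept by the client)."""
    r = r or secrets.randbelow(ORDER - 1) + 1
    return r, pow(h, r, PRIME)

def server_evaluate(Q, e):
    """server -> client: P = Q^e. The server only ever sees the blinded Q, never h or r."""
    return pow(Q, e, PRIME)

def client_unblind(P, r):
    """Client computes P^(1/r) = h^(e*r*r^-1) = h^e using r^-1 modulo the group order."""
    return pow(P, pow(r, -1, ORDER), PRIME)

def derive_key(point):
    """Hash of the unblinded point, used as an input to the secret key derivation."""
    return hashlib.sha256(point.to_bytes(16, "big")).digest()
```

The final assertion a practitioner would check is that the client's unblinded value equals h^e computed directly, while the value the server returned (h^(e*r)) does not.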