[messaging] Addition in place of concatenation in TripleDH
Michael Hamburg
mike at shiftleft.org
Wed Aug 26 21:34:51 PDT 2015
In particular, your proposal would allow a key-compromise impersonation at least.
If Alex knows y = dlog B or even DH(A,B), then he can set $a = xg - A$ for
random x, so that DH(a,b) + DH(A,b) + DH(a,B) = DH(a+A,b) + DH(a,B) = xb + ya
= x(b + yg) - DH(A,B). So he can impersonate Alice to Bob.
If I understand correctly, tripleDH and at least some variants of MQV prevent this.
— Mike
> On Aug 26, 2015, at 5:43 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Wed, Aug 26, 2015 at 5:17 PM, Jeff Burdges <burdges at gnunet.org> wrote:
>>
>> TripleDH combines the three DH values by feeding them into a hash
>> function.
>>
>> What would be lost by using addition in the curve instead?
>> I.e. KDF( DH(a,b) + DH(A,b) + DH(a,B) )
>
> Look up MQV and HMQV, there's a lot of literature on fast implicit key
> agreements, and there was some discussion here:
>
> https://moderncrypto.org/mail-archive/curves/2014/000148.html
>
> These are nice algorithms, but patents from Certicom and IBM have
> probably held back adoption.
>
> You'll generally want to hash or MAC or somehow "bind" the actual
> public key values, so someone can't tamper with keys in ways that
> compute the same value.
>
> Trevor
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
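Added example, not part of the original thread: the algebra in the message above, checked numerically for the additive combination KDF( DH(a,b) + DH(A,b) + DH(a,B) ). It assumes a toy multiplicative group modulo a prime in place of the curve, so point addition becomes modular multiplication and subtraction becomes a modular inverse. All names and parameters are constructed for this illustration.

```python
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime; toy-sized stand-in for the curve group
G = 3           # base element, playing the role of g

def keygen():
    """Return (secret scalar, public element)."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)

def kdf(value):
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()

def alice_additive(a_eph, a_long, b_eph_pub, b_long_pub):
    """Honest Alice: DH(a,b) + DH(A,b) + DH(a,B), then KDF."""
    total = pow(b_eph_pub, a_eph, P) * pow(b_eph_pub, a_long, P) % P
    return kdf(total * pow(b_long_pub, a_eph, P) % P)

def bob_additive(b_eph, b_long, a_eph_pub, a_long_pub):
    """Bob: the same sum, from his two secrets and Alice's two public keys."""
    total = pow(a_eph_pub, b_eph, P) * pow(a_long_pub, b_eph, P) % P
    return kdf(total * pow(a_eph_pub, b_long, P) % P)

def forged_ephemeral(x, a_long_pub):
    """The message's a = xg - A, built from Alice's public key only."""
    return pow(G, x, P) * pow(a_long_pub, -1, P) % P

def key_without_alice_secret(x, y, a_long_pub, b_eph_pub, b_long_pub):
    """The message's x(b + yg) - DH(A,B); y is Bob's long-term secret."""
    dh_ab_long = pow(a_long_pub, y, P)  # DH(A,B), computable from y alone
    combined = pow(b_eph_pub * b_long_pub % P, x, P)
    return kdf(combined * pow(dh_ab_long, -1, P) % P)

def demo():
    alpha, A = keygen()        # Alice long-term
    y, B = keygen()            # Bob long-term (assumed compromised)
    b_eph, b_pub = keygen()    # Bob ephemeral
    a_eph, a_pub = keygen()    # Alice ephemeral (honest run)
    honest = alice_additive(a_eph, alpha, b_pub, B) == bob_additive(b_eph, y, a_pub, A)
    x, _ = keygen()
    a_forged = forged_ephemeral(x, A)
    # alpha is never passed to the second computation.
    kci = key_without_alice_secret(x, y, A, b_pub, B) == bob_additive(b_eph, y, a_forged, A)
    return honest, kci

if __name__ == "__main__":
    print(demo())
```

Both comparisons come out equal: the honest run agrees, and so does the run that uses only `x`, Bob's long-term secret `y` and public values, which is the key-compromise impersonation condition the message describes for the summed form.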