[messaging] Addition in place of concatenation in TripleDH
Trevor Perrin
trevp at trevp.net
Wed Aug 26 22:55:16 PDT 2015
On Wed, Aug 26, 2015 at 9:34 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> In particular, your proposal would allow a key-compromise impersonation at least.
As a footnote, this trick also broke the Overlier-Syverson proposal
for Tor, which was basically a server-auth (instead of mutual-auth)
version of the same thing:
Alice has ephemeral g^x, Bob has static g^b and ephemeral g^y, K = g^bx * g^yx.
Fake Bob sends (g^y)/(g^b) in place of g^y, cancelling out g^bx.
So Tor went to "Ntor", which is sort of the server-auth version of a
"TripleDH": K = Hash(g^bx || g^yx).
The "Ace" proposal for Tor gives Alice two ephemerals (x1, x2) where K
= g^bx1 * g^yx2, so Fake Bob's cancelling trick doesn't work, but you
get the efficiency win from simultaneous exponentiation:
https://www.infsec.cs.uni-saarland.de/~mohammadi/paper/owake.pdf
Robert Ransom proposed extending Ace to the mutual-auth case (both
parties have 2 ephemerals, K = g^bx1 * g^ay1 * g^x2y2):
https://moderncrypto.org/mail-archive/curves/2014/000151.html
That's a cool idea that had some exploration in that thread, but it
would be nice to see benchmarks from a real implementation.
(Though this thread should maybe move to "curves" list, since this is
a pretty generic discussion of key agreement).
Trevor
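The cancelling trick and the two fixes described in the message above, worked through as an added example that is not part of the original thread. It assumes a toy multiplicative group mod a Mersenne prime (constructed here; Tor uses Curve25519, but the algebra is the same) and the function names pub, os_alice, forged_ephemeral, ntor_alice, ace_alice and run are my own.

```python
import hashlib
# Toy multiplicative group mod a Mersenne prime, constructed for this demo
# (Tor uses Curve25519; the algebra of the cancelling trick is identical).
P = 2**127 - 1
G = 3

def pub(priv):
    return pow(G, priv, P)
def enc(n):  # fixed-width encoding for the hash input
    return n.to_bytes(16, "big")

# Overlier-Syverson style: K = g^bx * g^yx, i.e. Alice computes (g^b * g^y)^x.
def os_alice(x, B, Y):
    return pow(B * Y % P, x, P)
def os_bob(b, y, X):
    return pow(X, b + y, P)

# Fake Bob knows the public g^b but not b. Sending g^y' / g^b as his
# "ephemeral" cancels the g^bx factor, so Alice ends up with K = g^xy'.
def forged_ephemeral(y_fake, B):
    return pub(y_fake) * pow(B, -1, P) % P
def fake_bob_guess(y_fake, X):
    return pow(X, y_fake, P)

# Ntor style: hash the concatenation instead of multiplying, so the two DH
# outputs never combine algebraically and nothing can cancel.
def ntor_alice(x, B, Y):
    return hashlib.sha256(enc(pow(B, x, P)) + enc(pow(Y, x, P))).hexdigest()
def ntor_bob(b, y, X):
    return hashlib.sha256(enc(pow(X, b, P)) + enc(pow(X, y, P))).hexdigest()

# Ace style: Alice uses two ephemerals, K = g^bx1 * g^yx2. A forged g^y'/g^b
# leaves a g^(-b x2) factor that does not cancel against g^(b x1).
def ace_alice(x1, x2, B, Y):
    return pow(B, x1, P) * pow(Y, x2, P) % P
def ace_bob(b, y, X1, X2):
    return pow(X1, b, P) * pow(X2, y, P) % P

def run(x, b, y, y_fake, x1, x2):
    B, Y, X, X1, X2 = pub(b), pub(y), pub(x), pub(x1), pub(x2)
    Yf = forged_ephemeral(y_fake, B)  # what Fake Bob sends in place of g^y
    return {  # True means the two sides agree on a key
        "os_honest": os_alice(x, B, Y) == os_bob(b, y, X),
        "os_forged": os_alice(x, B, Yf) == fake_bob_guess(y_fake, X),
        "ntor_honest": ntor_alice(x, B, Y) == ntor_bob(b, y, X),
        "ntor_forged": pow(Yf, x, P) == fake_bob_guess(y_fake, X),
        "ace_honest": ace_alice(x1, x2, B, Y) == ace_bob(b, y, X1, X2),
        "ace_forged": ace_alice(x1, x2, B, Yf) == pow(X2, y_fake, P),
    }
```

Only the multiplied-together variant lets Fake Bob land on the same key as Alice; under Ntor's hashed concatenation and Ace's two ephemerals the g^bx factor survives, which is the property a reviewer should check for in any product-of-DH-values key derivation.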