[messaging] Addition in place of concatenation in TripleDH

Trevor Perrin trevp at trevp.net
Wed Aug 26 22:55:16 PDT 2015


On Wed, Aug 26, 2015 at 9:34 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> In particular, your proposal would allow a key-compromise impersonation at least.


As a footnote, this trick also broke the Overlier-Syverson proposal
for Tor, which was basically a server-auth (instead of mutual-auth)
version of the same thing:

Alice has ephemeral g^x, Bob has static g^b and ephemeral g^y, K = g^bx * g^yx.

Fake Bob sends (g^y)/(g^b) in place of g^y, cancelling out g^bx.

So Tor went to "Ntor", which is sort of the server-auth version of a
"TripleDH": K = Hash(g^bx || g^yx).

The "Ace" proposal for Tor gives Alice two ephemerals (x1, x2) where K
= g^bx1 * g^yx2, so Fake Bob's cancelling trick doesn't work, but you
get the efficiency win from simultaneous exponentiation:

https://www.infsec.cs.uni-saarland.de/~mohammadi/paper/owake.pdf

Robert Ransom proposed extending Ace to the mutual-auth case (both
parties have 2 ephemerals, K = g^bx1 * g^ay1 * g^x2y2:

https://moderncrypto.org/mail-archive/curves/2014/000151.html

That's a cool idea that had some exploration in that thread, but it
would be nice to see benchmarks from a real implementation.

(Though this thread should maybe move to "curves" list, since this is
a pretty generic discussion of key agreement).

Trevor


More information about the Messaging mailing list