[messaging] Two-pass DH instead commitment

Natanael natanael.l at gmail.com
Sun Feb 21 12:52:11 PST 2016

This sounds like what KDFs were invented for. You can send public key
hashes before the public keys in your key exchange to verify that the
keypairs were generated prior to learning the public key of the counterpart,
then use a KDF like scrypt or the new Argon2 on the shared secret which was
generated to derive the SAS.

- Sent from my tablet
On 20 Feb 2016 21:21, "Van Gegel" <torfone at ukr.net> wrote:

> I want to perform DH on the EC25519 and verify the secret using a short
> fingerprint (32-bit SAS). Typically in this case a commitment is needed to
> prevent MitM by influencing the responder's key after the originator's key
> was received.
> Is the following scheme secure instead of a commitment:
> first exchange parts of the keys (first 224 bits) and then the remaining
> 32 bits during a second pass?
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging