[messaging] Two-pass DH instead commitment

Ben Harris mail at bharr.is
Mon Feb 22 12:16:46 PST 2016

On 22 Feb 2016 6:51 pm, "Van Gegel" <torfone at ukr.net> wrote:
> For example, an attacker must obtain a specified 32-bit SAS (for MitM).
> He receives a 224-bit key and then must send your 224-bit key, and then receive the
> remaining 32 bits and must send the remaining 32 bits. Can the attacker pick
> your key effectively to solve the problem in polynomial time?

You are effectively asking if an attacker can generate many 256-bit public
keys with the same 224-bit prefix (and know the private key for them). The
answer is "probably": I don't believe there is a quick way of doing it,
but as the attacker can pick the first 224 bits they can probably find some
class of points that speeds the search up.

(the attacker won't have a 100% chance for the attack, as there aren't 2^32
valid points in that space)

Just use the existing methods and then you don't need to worry about
hypotheticals like the above.
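As an added illustration (not code from the thread), a minimal commit-then-reveal exchange of the kind the reply points to as the existing method: Alice's DH value is fixed by a hash commitment before Bob sends his, so neither side can choose its value after seeing the other's, and the SAS is derived from both. The toy DH group (modulus 2**255 - 19, generator 2), the commitment layout and the function names are assumptions for illustration.

```python
"""Commit-then-reveal DH with a 32-bit short authentication string (SAS).

Toy illustration: modular DH over the prime 2**255 - 19 is used as a
stand-in group (assumption), not a recommended parameter set.
"""
import hashlib
import secrets

P = 2**255 - 19      # prime modulus used as a toy DH group (assumption)
G = 2
SAS_BITS = 32        # SAS length discussed in the thread


def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def pk_bytes(pk: int) -> bytes:
    return pk.to_bytes(32, "big")


def commit(pk: int, nonce: bytes) -> bytes:
    """Hash commitment to a public value; the nonce hides pk until reveal."""
    return hashlib.sha256(b"commit" + nonce + pk_bytes(pk)).digest()


def verify_commitment(c: bytes, pk: int, nonce: bytes) -> bool:
    return secrets.compare_digest(c, commit(pk, nonce))


def sas(pk_a: int, pk_b: int) -> int:
    """SAS derived from both public values in a fixed order."""
    h = hashlib.sha256(b"sas" + pk_bytes(pk_a) + pk_bytes(pk_b)).digest()
    return int.from_bytes(h[:4], "big") & ((1 << SAS_BITS) - 1)


def run_handshake(tamper_reveal: bool = False):
    """Returns (commitment_ok, sas_alice, sas_bob, shared_secrets_match)."""
    a, pk_a = keypair()
    b, pk_b = keypair()
    nonce = secrets.token_bytes(16)
    c_a = commit(pk_a, nonce)          # 1. Alice -> Bob: commitment only
    # 2. Bob -> Alice: pk_b; Alice's value is already bound by c_a
    # 3. Alice -> Bob: reveal (pk_a, nonce); a substituted value fails the check
    revealed = pk_a if not tamper_reveal else keypair()[1]
    ok = verify_commitment(c_a, revealed, nonce)
    shared_a = pow(pk_b, a, P)
    shared_b = pow(revealed, b, P)
    return ok, sas(pk_a, pk_b), sas(revealed, pk_b), shared_a == shared_b
```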
