[messaging] Two-pass DH instead of commitment

Van Gegel torfone at ukr.net
Mon Feb 22 13:02:10 PST 2016

> Why is that more convenient for you? 

This is a long story: our software analogue of the JackPair project 
(modem problems are still delaying the release of hardware by the AWIT team). 
We use another pseudo-voice modem for GSM compressed audio and have a very slow duplex data channel with high BER and latency. Data is transmitted in 32-bit blocks. ARQ is unused due to the high latency. We optimize IKE for these conditions. The fastest way seems to be two-pass DH. Maybe I'm wrong and the usual way with commitment is optimal too, but I was interested in the theory. I do not know of such an approach for the two-step DH, and haven't seen any papers about it. I'm not so familiar with the mathematics on the curves to prove the reliability or vulnerability. Maybe this way of DH has already been used and referred to in papers. 

>but as the attacker can pick the first 224 bits they can probably find some class of points that speeds the search up. 
>(the attacker won't have a 100% chance for the attack, as there aren't 2^32 valid points in that space) 

Thank you, it's about what I expected to hear. 

>Just use the existing methods and then you don't need to worry about hypotheticals like the above. 

Another problem: what is the minimum bit length of the hash (commitment) required for reliable verification by 32-bit short fingerprints of the secret? Note: the data transfer price is very high in our case. 
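The "usual way with commitment" that the thread contrasts with two-pass DH, as an added illustration that is not part of the original message: Alice commits to her share in pass 1, Bob answers blind in pass 2, Alice opens the commitment in pass 3, and both derive the 32-bit fingerprint over the two shares. The group (a toy Mersenne-prime field), the SHA-256 tags and all function names are assumptions of this example; the commitment length is a parameter so the cost of shortening it can be weighed against the channel budget.

```python
import hashlib
import secrets

# Toy group for illustration only: p = 2**61 - 1 is a Mersenne prime, g = 3.
# A real deployment uses a standard MODP group or an elliptic curve.
P = 2**61 - 1
G = 3
SAS_BITS = 32  # the 32-bit short fingerprint compared by voice


def _h(tag, *parts):
    """Domain-separated SHA-256 over fixed-width encodings of the shares."""
    h = hashlib.sha256(tag)
    for x in parts:
        h.update(int(x).to_bytes(8, "big"))
    return h.digest()


def commitment(pub, bits):
    """Pass 1 payload: hash of Alice's share, truncated to `bits` bits."""
    return _h(b"commit", pub)[: bits // 8]


def fingerprint(a_pub, b_pub):
    """32-bit SAS over both shares; the users read it aloud and compare."""
    return _h(b"sas", a_pub, b_pub)[: SAS_BITS // 8].hex()


def exchange(commit_bits=256, reveal_override=None):
    """Commit-then-reveal DH. Returns (keys_match, alice_sas, bob_sas).

    reveal_override simulates a pass-3 share that differs from the one
    committed to in pass 1; Bob must reject it before deriving anything.
    """
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    msg1 = commitment(A, commit_bits)              # Alice -> Bob: H(A)
    msg2 = B                                       # Bob -> Alice: B, sent blind
    msg3 = A if reveal_override is None else reveal_override  # Alice -> Bob: A
    if commitment(msg3, commit_bits) != msg1:      # Bob checks the opening
        raise ValueError("revealed share does not match commitment")
    k_alice = pow(msg2, a, P)
    k_bob = pow(msg3, b, P)
    return k_alice == k_bob, fingerprint(A, msg2), fingerprint(msg3, B)
```

Shortening `commit_bits` saves bytes on the slow channel, but the commitment is the only thing stopping a share from being chosen after the other side's is known, so its length has to be set against that, not against the 32-bit SAS.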
