[messaging] Two-pass DH instead commitment

Ben Harris mail at bharr.is
Mon Feb 22 16:00:40 PST 2016

On 23 February 2016 at 08:02, Van Gegel <torfone at ukr.net> wrote:

> Another problem: what is the minimum bit length of the hash (commitment)
> is required for reliable verification by 32-bit short fingerprints of
> secret? Note: data transfer price is very high in our case.
If data is so expensive, you might want to look at M-221 or E-222 as
smaller curves. [https://safecurves.cr.yp.to/]

If you used a memory/cpu hard function (PBKDF/scrypt/argon) to generate the
32-bit fingerprint then you could lower the size of the hash commitment. It
would come down to the type of adversary you want to protect from. You
could use a 64-bit commitment and a memory hard function that takes 1
second to calculate for instance and get a very high level of protection.
It is a tradeoff, as with most things in life.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20160223/17d8fe1a/attachment.html>

More information about the Messaging mailing list