[messaging] Two-pass DH instead commitment

Van Gegel torfone at ukr.net
Tue Feb 23 00:16:11 PST 2016

Argon2 is not a panacea in our case because we have to use hardware with limited resources (memory) while adversary can use near unlimited resources for mounting MitM. 
I suppose that with n-bits commitment and m-bit short authenticator attacker must do 2^(m+n) probes (exponent+PKDF each) for success MitM. While m+n near 32 - 48 bits is this more hard comparing with the obtaining keypair on the second pass of 224+32 two-passed DH described above? 

And whether there is a suitable C implementation (library) for DH with Aranha Curve2213?  

--- Original message --- 
From: "Ben Harris" <mail at bharr.is> 
Date: 23 February 2016, 02:01:22 

On 23 February 2016 at 08:02, Van Gegel < torfone at ukr.net > wrote: 
Another problem: what is the minimum bit length of the hash (commitment) is required for reliable verification by 32-bit short fingerprints of secret? Note: data transfer price is very high in our case. 

  If data is so expensive, you might want to look at M-221 or E-222 as smaller curves. [ https://safecurves.cr.yp.to/ ] 
If you used a memory/cpu hard function (PBKDF/scrypt/argon) to generate the 32-bit fingerprint then you could lower the size of the hash commitment. It would come down to the type of adversary you want to protect from. You could use a 64-bit commitment and a memory hard function that takes 1 second to calculate for instance and get a very high level of protection. It is a tradeoff, as with most things in life. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20160223/544748b1/attachment.html>

More information about the Messaging mailing list