[messaging] Common secret comparing

Van Gegel torfone at ukr.net
Wed Jan 24 02:45:45 PST 2018

Hi all!
Please advise on this protocol:

Two parties compare a short (2-byte) common secret using EC25519 (only the mul and mul_base procedures) and the SHA3 hash.
Either side can be an active adversary trying to obtain the secret.

c = H(secret)

Side A:
- picks a at random
- computes A = mul_base(a)
- computes A' = mul(c, A)
- sends A' to side B

Side B:
- picks b at random
- computes B = mul_base(b)
- computes B' = mul(c, B)
- sends B' to side A

Side A:
- computes S = mul(a, B')
- sends MB = H(A' | B' | S) to side A

Side B:
- computes S = mul(b, A')
- sends MA = H(B' | A' | S) to side B

Both A and B check MA and MB.

Is this protocol safe?
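As an added example (not from the post or its author), here is a runnable model of the exchange described above, with a from-scratch Curve25519 ladder standing in for mul/mul_base, SHA3-256 for H, and the hash value reduced into the scalar group to serve as c (an assumption; the post does not say how H(secret) is turned into a scalar). It runs the honest exchange with matching and with differing secrets, and then performs the check a reviewer would want on any protocol that keys on a low-entropy secret: a peer that holds a single transcript and its own b can test every 2-byte candidate offline, because A' = c*a*G is just a uniformly random point and MB binds S = a*b*G. The function and variable names are the example's own.

```python
import hashlib
import hmac
import secrets

# Curve25519 constants (RFC 7748): field prime, prime subgroup order,
# (A+2)/4 for the ladder, and the base point's u-coordinate.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
A24 = 121665
BASE_U = 9


def mul(k: int, u: int) -> int:
    """u-coordinate of k*Q for the point Q with u-coordinate u.
    Montgomery ladder from RFC 7748 section 5, driven by the integer k
    directly (no X25519 clamping) so any scalar mod L can be used."""
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        sum2, dif2 = (x2 + z2) % P, (x2 - z2) % P
        sq_sum2, sq_dif2 = sum2 * sum2 % P, dif2 * dif2 % P
        e = (sq_sum2 - sq_dif2) % P
        sum3, dif3 = (x3 + z3) % P, (x3 - z3) % P
        da, cb = dif3 * sum2 % P, sum3 * dif2 % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = sq_sum2 * sq_dif2 % P
        z2 = e * (sq_sum2 + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def mul_base(k: int) -> int:
    return mul(k, BASE_U)


def enc(u: int) -> bytes:
    return u.to_bytes(32, "little")


def scalar_from_secret(secret: bytes) -> int:
    """c = H(secret), reduced into [1, L-1] (assumed mapping to a scalar)."""
    h = int.from_bytes(hashlib.sha3_256(secret).digest(), "little")
    return h % (L - 1) + 1


def confirm_tag(first: int, second: int, shared: int) -> bytes:
    """H(first | second | S) as used for MA and MB."""
    return hashlib.sha3_256(enc(first) + enc(second) + enc(shared)).digest()


def run_protocol(secret_a: bytes, secret_b: bytes, a: int, b: int):
    """Honest run of the posted exchange; returns (A accepts, B accepts)."""
    A_p = mul(scalar_from_secret(secret_a), mul_base(a))  # A' = mul(c, A)
    B_p = mul(scalar_from_secret(secret_b), mul_base(b))  # B' = mul(c, B)
    S_a = mul(a, B_p)                                      # A's S
    S_b = mul(b, A_p)                                      # B's S
    MB = confirm_tag(A_p, B_p, S_a)                        # sent by A
    MA = confirm_tag(B_p, A_p, S_b)                        # sent by B
    a_accepts = hmac.compare_digest(MA, confirm_tag(B_p, A_p, S_a))
    b_accepts = hmac.compare_digest(MB, confirm_tag(A_p, B_p, S_b))
    return a_accepts, b_accepts


def transcript_with_unauthenticated_peer(secret_a: bytes, a: int, b: int):
    """Side B is played without any secret: it sends B' = mul_base(b)
    and records A's reply. Returns the transcript (A', B', MB)."""
    A_p = mul(scalar_from_secret(secret_a), mul_base(a))
    B_p = mul_base(b)
    MB = confirm_tag(A_p, B_p, mul(a, B_p))  # A derives S = a*b*G
    return A_p, B_p, MB


def offline_search(A_p: int, B_p: int, MB: bytes, b: int, candidates):
    """Test candidate secrets against one recorded transcript: with
    k = b * c^-1 (mod L), k*A' = a*b*G, exactly the S that A hashed into MB.
    Needs Python 3.8+ for the modular inverse via pow(x, -1, L)."""
    for s in candidates:
        k = b * pow(scalar_from_secret(s), -1, L) % L
        if hmac.compare_digest(confirm_tag(A_p, B_p, mul(k, A_p)), MB):
            return s
    return None


if __name__ == "__main__":
    secret = secrets.token_bytes(2)                  # constructed 2-byte secret
    other = bytes([secret[0] ^ 1, secret[1]])        # guaranteed different
    a = secrets.randbelow(L - 1) + 1
    b = secrets.randbelow(L - 1) + 1
    print("honest, matching secrets:", run_protocol(secret, secret, a, b))
    print("honest, differing secrets:", run_protocol(secret, other, a, b))
    A_p, B_p, MB = transcript_with_unauthenticated_peer(secret, a, b)
    space = (i.to_bytes(2, "big") for i in range(65536))   # full 16-bit space
    print("recovered from one transcript:", offline_search(A_p, B_p, MB, b, space) == secret)
```

The honest runs accept only when both sides hold the same secret, so the comparison itself works. The last step shows why it is not a safe way to compare a low-entropy secret: one protocol run gives the peer everything needed to grind through the whole 16-bit space without further interaction, so an attacker who impersonates B once learns the secret. Resisting that offline test is precisely the property a password-authenticated key exchange is designed to provide.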