[messaging] Common secret comparing
Katriel Cohn-Gordon
me at katriel.co.uk
Wed Jan 24 03:37:57 PST 2018
What does "safe" mean in this context?
For example, an adversary could reflect Alice's initial message back
to Alice, and then reflect the hash back as well. The result is that
Alice will complete a protocol execution without Bob even existing.
Is that bad?
Katriel
On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
> Hi all! Please advise on this protocol:
>
> Two parties comparing a 2-byte short common secret using EC25519
> (only mul and mul_base procedures) and SHA3 hash. Any side can be
> an active adversary trying to obtain the secret.
>
> c = H(secret)
>
> Side A:
> - picks a at random
> - computes A = mul_base(a)
> - computes A' = mul(c, A)
> - sends A' to side B
>
> Side B:
> - picks b at random
> - computes B = mul_base(b)
> - computes B' = mul(c, B)
> - sends B' to side A
>
> Side A:
> - computes S = mul(a, B')
> - sends MB=H(A' | B' | S) to side A
>
> Side B:
> - computes S= mul(b, A')
> - sends MA=H(B' | A' | S) to side B
>
> Both A and B check MA and MB.
>
> Is this protocol safe?
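The reflection described in the reply above, as an added example that is not part of the thread: it runs the quoted protocol against an echo of side A's own messages, next to a role-tagged variant of the confirmation hash that rejects the echo. Assumptions: modular exponentiation stands in for EC25519 `mul`/`mul_base`, each confirmation hash is taken to be sent to the peer, and the `Party` class, the role tags and the 2-byte secret are constructed for illustration.

```python
import hashlib, hmac, secrets

# Toy stand-in (assumption): exponentiation mod a prime replaces EC25519 mul/mul_base.
P, G = 2**255 - 19, 2

def mul(k, point): return pow(point, k, P)
def mul_base(k): return pow(G, k, P)
def H(*parts): return hashlib.sha3_256(b"".join(parts)).digest()
def enc(x): return x.to_bytes(32, "big")

class Party:
    def __init__(self, role, secret, tagged):
        self.role = role
        self.peer = b"B" if role == b"A" else b"A"
        self.tagged = tagged
        c = int.from_bytes(H(secret), "big")      # c = H(secret)
        self.k = secrets.randbelow(P - 2) + 1     # a or b
        self.mine = mul(c, mul_base(self.k))      # A' or B'

    def _mac(self, sender, first, second):
        tag = [sender] if self.tagged else []     # role tag: hardened variant only
        return H(*tag, enc(first), enc(second), enc(self.S))

    def confirm(self, theirs):
        # Store the peer value, derive S, return our confirmation (MB for side A).
        self.theirs = theirs
        self.S = mul(self.k, theirs)
        return self._mac(self.role, self.mine, theirs)

    def accept(self, mac):
        # Expected peer confirmation: H(their value | our value | S).
        expected = self._mac(self.peer, self.theirs, self.mine)
        return hmac.compare_digest(mac, expected)

def honest_run(tagged, secret_a=b"\x13\x37", secret_b=b"\x13\x37"):
    a, b = Party(b"A", secret_a, tagged), Party(b"B", secret_b, tagged)
    mb, ma = a.confirm(b.mine), b.confirm(a.mine)
    return a.accept(ma) and b.accept(mb)

def reflection_accepted(tagged):
    # No side B exists: A' comes back as B', then MB comes back as MA.
    alice = Party(b"A", b"\x13\x37", tagged)      # constructed 2-byte secret
    mb = alice.confirm(alice.mine)
    return alice.accept(mb)

if __name__ == "__main__":
    print("as posted, reflection accepted:", reflection_accepted(False))
    print("role-tagged, reflection accepted:", reflection_accepted(True))
    print("role-tagged, honest run succeeds:", honest_run(True))
```

With B' equal to A', the hashes H(A' | B' | S) and H(B' | A' | S) have identical inputs, which is why the echoed confirmation verifies in the untagged run.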