[messaging] Common secret comparing

Mike Hamburg mike at shiftleft.org
Wed Jan 24 12:56:03 PST 2018 

It’s not safe against dictionary attacks by Alice or Bob.  For that, you want SPEKE, SPAKE2, PAK, …

This is a variant of SPEKE.  To make it secure you would compute A = mul(8*a, elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here, and also hash elligator(c) in the final MA/MB computation, in addition to adding identities or something to address Katriel’s concern.

— Mike

> On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <me at katriel.co.uk> wrote:
> 
> What does "safe" mean in this context?
> 
> For example, an adversary could reflect Alice's initial message back to Alice, and then reflect the hash back as well. The result is that Alice will complete a protocol execution without Bob even existing. Is that bad?
> 
> Katriel
> 
> 
> On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
>> Hi all!
>> Please advise on this protocol:
>> 
>> Two parties comparing 2 bytes short  common secret  using EC25519 (only mul and mul_base procedures) and SHA3 hash.
>> Any side can be active adversary trying obtain secret.
>> 
>> c = H(secret)
>> 
>> Side A:
>> - picks a at random
>> - computes A = mul_base(a)
>> - computes A' = mul(c, A)
>> - sends A' to side B
>> 
>> Side B:
>> - picks b at random
>> - computes B = mul_base(b)
>> - computes B' = mul(c, B)
>> - sends B' to side A
>> 
>> Side A:
>> - computes S =  mul(a, B')
>> - sends MB=H(A' | B' | S) to side A
>> 
>> Side B:
>> - computes S= mul(b, A')
>> - sends MA=H(B' | A' | S) to side B
>> 
>> Both A and B checks MA and MB.
>> 
>> Is this protocol safe?
>> _______________________________________________
>> Messaging mailing list
>> Messaging at moderncrypto.org <mailto:Messaging at moderncrypto.org>
>> https://moderncrypto.org/mailman/listinfo/messaging <https://moderncrypto.org/mailman/listinfo/messaging>
> 
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org <mailto:Messaging at moderncrypto.org>
> https://moderncrypto.org/mailman/listinfo/messaging <https://moderncrypto.org/mailman/listinfo/messaging>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20180124/9ffd1343/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3571 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20180124/9ffd1343/attachment.bin>

More information about the Messaging mailing list