[messaging] Common secret comparing

Ben Harris mail at bharr.is
Thu Jan 25 00:45:15 PST 2018 

If I have this right (??), the attack is:

Alice sends A which is equivalent to a*c*G.
Mallory takes A and multiplies by random b and sends back B as b*G.
Alice computes S as a*B = a*b*G and sends MA as H(A | B | S).

Mallory now guesses a password to compute c'. She then computes a guess S'
as (1/c')*b*A = (1/c')*b*a*c*G. If c' == c then this is a*b*G and S' == S.
Mallory checks S' by computing H(A | B | S') and comparing to MA.

On 25 January 2018 at 07:56, Mike Hamburg <mike at shiftleft.org> wrote:

> Er, you would compute A’ =  mul(8*a, elligator(c)).  That is, you don’t
> also have to multiply by c.
>
> Whoops,
> — Mike
>
>
> On Jan 24, 2018, at 12:56 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>
> It’s not safe against dictionary attacks by Alice or Bob.  For that, you
> want SPEKE, SPAKE2, PAK, …
>
> This is a variant of SPEKE.  To make it secure you would compute A =
> mul(8*a, elligator(c)) and B = mul(8*b, elligator(c)) instead of what you
> have here, and also hash elligator(c) in the final MA/MB computation, in
> addition to adding identities or something to address Katriel’s concern.
>
> — Mike
>
> On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <me at katriel.co.uk> wrote:
>
> What does "safe" mean in this context?
>
> For example, an adversary could reflect Alice's initial message back to
> Alice, and then reflect the hash back as well. The result is that Alice
> will complete a protocol execution without Bob even existing. Is that bad?
>
> Katriel
>
>
> On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
>
> Hi all!
> Please advise on this protocol:
>
> Two parties comparing 2 bytes short  common secret  using EC25519 (only
> mul and mul_base procedures) and SHA3 hash.
> Any side can be active adversary trying obtain secret.
>
> c = H(secret)
>
> Side A:
> - picks a at random
> - computes A = mul_base(a)
> - computes A' = mul(c, A)
> - sends A' to side B
>
> Side B:
> - picks b at random
> - computes B = mul_base(b)
> - computes B' = mul(c, B)
> - sends B' to side A
>
> Side A:
> - computes S =  mul(a, B')
> - sends MB=H(A' | B' | S) to side A
>
> Side B:
> - computes S= mul(b, A')
> - sends MA=H(B' | A' | S) to side B
>
> Both A and B checks MA and MB.
>
> Is this protocol safe?
> *_______________________________________________*
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>
>
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20180125/88fc9fb3/attachment.html>

More information about the Messaging mailing list