Well I think there are two issues:
1. if the public key is derived from a password (like a bitcoin
brainwallet, or as in EC based PAKE systems) then if the point derived from
your password isn't on the curve, then you know that is not a candidate
password, hence you can for free narrow the
On Thu, Oct 3, 2013 at 6:41 AM, Michael Rogers mich...@briarproject.org wrote:
On 29/09/13 20:24, Nico Williams wrote:
Just because curve25519
accepts every 32-byte value as a public key
doesn't mean that every 32-byte value is a valid public
On 03/10/13 15:14, Adam Back wrote:
Well I think there are two issues:
1. if the public key is derived from a password (like a bitcoin
brainwallet, or as in EC based PAKE systems) then if the point
derived from your password isn't on the
On 03/10/13 16:45, Trevor Perrin wrote:
Suppose you are a good guy with a static curve25519 key, and a bad
guy is sending you 32-byte strings, claiming them to be ephemeral
curve25519 public keys for use in an ephemeral-static
Diffie-Hellman.
On Thu, Oct 03, 2013 at 04:53:09PM +0100, Michael Rogers wrote:
Presumably if you ensure that the private key is valid, the public key
derived from it must be a point on the curve. So it's a matter of
validating private rather than public keys.
I understand what you're saying about a timing
On 2013-10-04 03:45, Adam Back wrote:
Is it just me or could we better replace NIST by DJB ? ;) He can do
that EC crypto, and do constant time coding (nacl), and non-hackable
mail servers (qmail), and worst-time databases (cdb). Most people in
the world look like rank amateurs or
I should add that the ability to distinguish public DH keys from
random is a big deal in some cases. For example, for EKE: there's a
passive off-line dictionary attack that can reject a large fraction of
possible passwords with each EKE iteration -- if that fraction is 1/2
then after about 20
On Sun, Sep 29, 2013 at 9:27 AM, Michael Rogers
mich...@briarproject.org wrote:
Sorry for making so much noise on the list today. I have a quick
question about public keys.
The Curve25519 paper says that every 32-byte string is accepted as a
On Sun, Sep 29, 2013 at 9:29 PM, Trevor Perrin tr...@trevp.net wrote:
On Sun, Sep 29, 2013 at 9:27 AM, Michael Rogers
mich...@briarproject.org wrote:
Sorry for making so much noise on the list today. I have a quick
question about public keys.