On Sun, Sep 20, 2015 at 7:37 PM, Trevor Perrin <[email protected]> wrote: > > Instead, this check is apparently trying to make it hard for an > adversary to synchronize session keys with two honest parties, by > making this problem hard: > - given g^a and g^b, find C, D, such that C^a == D^b
Maybe it's more complicated - maybe this only matters if the adversary also knows the discrete log of C or D? I'm still confused what the goal is here, and how this check addresses it. Trevor _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
