On Wed, Jun 23, 2021 at 8:07 PM Ben Harris <[email protected]> wrote:
>
> On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <[email protected]> wrote:
>>
>>
>> I think (b) is easy to check, so the risk with Encrypt()=XOR of
>> Hash(password) is about (a): maybe Alice could find two DH public
>> values whose encodings have some XOR difference, and for which she
>> knows the discrete log?
>
>
> Alice could generate a nonce for the encryption using Hash(Encode(g^a)). Bob
> can verify the nonce was correctly generated before replying to Alice. This
> makes the XOR depend on the public value?

Remember (b): if you add something which Bob can check to Alice's message, then Bob can rule out passwords.

Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
