On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <[email protected]> wrote: > > I think (b) is easy to check, so the risk with Encrypt()=XOR of > Hash(password) is about (a): maybe Alice could find two DH public > values whose encodings have some XOR difference, and for which she > knows the discrete log? >
Alice could generate a nonce for the encryption using Hash(Encode(g^a)). Bob can very the nonce was correctly generated before replying to Alice. This makes the XOR depend on the public value? >
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
