Dominic, I should probably read the chosen protocol attack paper, not sure I understand it, but...

In Protocol 6, there are HMACs with a protocol identifier K in the first and second messages, presumably making them both commit to the protocol choice early, thus limiting port scanning. In trip 1, Alice reveals the protocol K she speaks to Bob. As I understand it, everyone knows K; that's problematic in countries like Russia that outlaw many protocols. I suppose Bob could ask to change the protocol choice in trip 2, but that's equally problematic. If one or both should commit early to the protocol, then maybe a better approach is this: trips 1 and 2 could contain (x, KDF(r,K,x)) where x = a_p and b_p, respectively, and then reveal (r,K) in trips 3 & 4.

Jeff

p.s. Are you using an HMAC here because an HMAC can use a faster hash function than SHA512?
_______________________________________________ GNUnet-developers mailing list [email protected] https://lists.gnu.org/mailman/listinfo/gnunet-developers
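The commit-then-reveal idea in the message above, as an added worked example; this is not code from the original message, from Dominic, or from GNUnet. It assumes: the KDF(r,K,x) of the message is modelled as HMAC-SHA512 keyed with the fresh nonce r over length-prefixed K and x; the "HMAC with a protocol identifier K" of Protocol 6 is modelled as an HMAC keyed only with the public K, which is one reading of the message and not a statement about the actual GNUnet protocol; the protocol identifiers and the a_p/b_p values are constructed. `guess_protocol` is the scanner's move that works against a tag whose key is public and fails against the commitment; `run_handshake` walks the four trips with both sides' checks.

```python
import hashlib
import hmac
import os

# Constructed list of public protocol identifiers a scanner could enumerate.
KNOWN_PROTOCOLS = [b"protocol-A", b"protocol-B", b"protocol-C"]


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so K||x cannot be re-split into a different (K, x)."""
    return len(field).to_bytes(2, "big") + field


def public_tag(K: bytes, x: bytes) -> bytes:
    """Assumed reading of the trip-1/2 HMAC: keyed only by the public identifier K."""
    return hmac.new(K, x, hashlib.sha512).digest()


def kdf(r: bytes, K: bytes, x: bytes) -> bytes:
    """KDF(r, K, x) from the message, modelled (assumption) as HMAC-SHA512 keyed with r."""
    return hmac.new(r, _lp(K) + _lp(x), hashlib.sha512).digest()


def guess_protocol(x: bytes, tag: bytes, candidates=KNOWN_PROTOCOLS):
    """What an observer of (x, tag) can do when the key is public: try every known K."""
    for K in candidates:
        if hmac.compare_digest(public_tag(K, x), tag):
            return K
    return None  # no candidate matches; for a commitment c = KDF(r,K,x) this is always the outcome


def commit(K: bytes, x: bytes):
    """Trip 1 or 2: send (x, c) with c = KDF(r, K, x); r stays secret until trip 3/4."""
    r = os.urandom(32)
    return r, kdf(r, K, x)


def open_commitment(x: bytes, c: bytes, r: bytes, K: bytes) -> bool:
    """Trip 3 or 4: the peer reveals (r, K); recompute c and compare in constant time."""
    return hmac.compare_digest(kdf(r, K, x), c)


def run_handshake(K_alice: bytes, K_bob: bytes):
    """Simulate the four trips. a_p and b_p stand in for the parties' public values
    (constructed random bytes here). Returns (alice_accepts, bob_accepts)."""
    a_p, b_p = os.urandom(32), os.urandom(32)
    r_a, c_a = commit(K_alice, a_p)  # trip 1: Alice -> Bob   (a_p, c_a)
    r_b, c_b = commit(K_bob, b_p)    # trip 2: Bob -> Alice   (b_p, c_b), Bob committed without seeing K_alice
    # trip 3: Alice -> Bob (r_a, K_alice); Bob checks the opening and that it matches his own choice.
    bob_accepts = open_commitment(a_p, c_a, r_a, K_alice) and K_alice == K_bob
    # trip 4: Bob -> Alice (r_b, K_bob); Alice performs the symmetric check.
    alice_accepts = open_commitment(b_p, c_b, r_b, K_bob) and K_bob == K_alice
    return alice_accepts, bob_accepts


if __name__ == "__main__":
    x = os.urandom(32)
    print("scanner vs public-keyed tag:", guess_protocol(x, public_tag(b"protocol-B", x)))
    r, c = commit(b"protocol-B", x)
    print("scanner vs commitment:     ", guess_protocol(x, c))
    print("matching choice:           ", run_handshake(b"protocol-B", b"protocol-B"))
    print("mismatched choice:         ", run_handshake(b"protocol-B", b"protocol-A"))
```

Two properties matter here and both are exercised by the checks: hiding, in that an observer of trips 1 and 2 sees only (x, c) and cannot test candidate K values without r; and binding, in that once c is on the wire neither party can open it to a different K in trip 3 or 4, so the early commitment is still enforced. Note that the mismatch case fails on both sides only after the reveal, so a party that does not want to disclose its K to an unknown peer would still have to decide whether to send trip 3 at all.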
