On 1 March 2015 at 07:24, Michael Hamburg <[email protected]> wrote:
> Perhaps you should use oblivious function evaluation with a user-specific
> secret at the server. So for example, server has a per-user secret key e,
> and user has a (salted, scrypted) password p. Let h = hash(p) on some
> curve.
>
> client chooses a uniformly random scalar r.
> client -> server: Q = h^r
> server -> client: P = Q^e = h^er
> client computes P^1/r = h^e, and uses the hash of that point as part of the
> secret key derivation.

I feel sure I'm missing something, but doesn't the server also need h^e?

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
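
The blinded exchange described in the quoted message, with both sides' steps, as an added example that is not part of the original thread or any poster's code. Assumptions: the group is a toy subgroup of squares modulo a roughly 64-bit safe prime instead of a curve, the scrypt parameters are illustrative, and the function names and the server-side membership check are this example's own.

```python
import hashlib
import secrets

def _is_prime(n):
    """Miller-Rabin; these 12 bases are deterministic for n < 3.1e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# Assumed toy group: squares modulo a ~64-bit safe prime MOD = 2*ORDER + 1.
# Far too small for real use; the thread's "some curve" would replace it.
ORDER = (1 << 63) + 1
while not (_is_prime(ORDER) and _is_prime(2 * ORDER + 1)):
    ORDER += 2
MOD = 2 * ORDER + 1

def hash_to_group(password, salt):
    """h = hash(p): scrypt the salted password, then square into the subgroup."""
    k = hashlib.scrypt(password, salt=salt, n=2**12, r=8, p=1, dklen=32)
    return pow(int.from_bytes(k, "big") % MOD, 2, MOD)

def client_blind(h):
    r = secrets.randbelow(ORDER - 1) + 1      # uniform scalar in [1, ORDER-1]
    return r, pow(h, r, MOD)                  # Q = h^r

def server_evaluate(Q, e):
    # Membership check added in this example: refuse elements outside the subgroup.
    if not 1 < Q < MOD or pow(Q, ORDER, MOD) != 1:
        raise ValueError("blinded element is not in the prime-order subgroup")
    return pow(Q, e, MOD)                     # P = Q^e = h^(e*r)

def client_unblind(P, r):
    h_e = pow(P, pow(r, -1, ORDER), MOD)      # P^(1/r) = h^e
    return hashlib.sha256(h_e.to_bytes((MOD.bit_length() + 7) // 8, "big")).digest()
```

The server only ever handles `Q` and `e`; the client keeps `r` and the password-derived `h` to itself.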
