In particular, your proposal would allow a key-compromise impersonation at least.
If Alex knows y = dlog B or even DH(A,B), then he can set $a = xg - A$ for random x, so that DH(a,b) + DH(A,b) + DH(a,B) = DH(a+A,b) + DH(a,B) = xb + ya = x(b + yg) - DH(A,B). So he can impersonate Alice to Bob.

If I understand correctly, tripleDH and at least some variants of MQV prevent this.

— Mike

> On Aug 26, 2015, at 5:43 PM, Trevor Perrin <[email protected]> wrote:
>
> On Wed, Aug 26, 2015 at 5:17 PM, Jeff Burdges <[email protected]> wrote:
>>
>> TripleDH combines the three DH values by feeding them into a hash
>> function.
>>
>> What would be lost by using addition in the curve instead?
>> I.e. KDF( DH(a,b) + DH(A,b) + DH(a,B) )
>
> Look up MQV and HMQV, there's a lot of literature on fast implicit key
> agreements, and there was some discussion here:
>
> https://moderncrypto.org/mail-archive/curves/2014/000148.html
>
> These are nice algorithms, but patents from Certicom and IBM have
> probably held back adoption.
>
> You'll generally want to hash or MAC or somehow "bind" the actual
> public key values, so someone can't tamper with keys in ways that
> compute the same value.
>
> Trevor
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
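Added example, not part of the original thread: the key-compromise impersonation described above, checked numerically so the cancellation a + A = xg is visible. It assumes a toy multiplicative group mod 2^127 - 1 standing in for the curve (so the thread's "+" becomes multiplication mod P) and SHA-256 as the KDF; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (constructed for this demo, not secure): the multiplicative
# group mod the Mersenne prime 2^127 - 1 stands in for the curve, so the
# thread's point addition "+" becomes multiplication mod P.
P = 2**127 - 1
G = 3

def keypair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def dh(sk, pk):
    return pow(pk, sk, P)

def kdf(elem):
    return hashlib.sha256(elem.to_bytes(16, "big")).hexdigest()

def bob_additive_key(y, b, A_pub, a_pub):
    """Bob's side of the proposal: KDF(DH(a,b) + DH(A,b) + DH(a,B))."""
    combined = dh(b, a_pub) * dh(b, A_pub) * dh(y, a_pub) % P
    return kdf(combined)

def forged_session(y, A_pub, b_pub):
    """Party holding Bob's long-term secret y but not Alice's secret.
    Picks ephemeral a = x*g - A, so a + A = x*g and the first two terms
    collapse to x*b_pub; the third term is y*a."""
    x = secrets.randbelow(P - 2) + 1
    a_pub = pow(G, x, P) * pow(A_pub, -1, P) % P
    combined = pow(b_pub, x, P) * dh(y, a_pub) % P
    return a_pub, kdf(combined)

def demo():
    _alice_sk, A_pub = keypair()   # Alice's secret is never used below
    y, _B_pub = keypair()          # Bob's long-term key (compromised)
    b, b_pub = keypair()           # Bob's fresh ephemeral key
    a_pub, forged = forged_session(y, A_pub, b_pub)
    return forged == bob_additive_key(y, b, A_pub, a_pub)

if __name__ == "__main__":
    print("additive combination accepts forged ephemeral:", demo())
```
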
