On Wed, Aug 26, 2015 at 9:34 PM, Michael Hamburg <[email protected]> wrote:
> In particular, your proposal would allow a key-compromise impersonation at least.
As a footnote, this trick also broke the Overlier-Syverson proposal for Tor, which was basically a server-auth (instead of mutual-auth) version of the same thing: Alice has ephemeral g^x, Bob has static g^b and ephemeral g^y, K = g^bx * g^yx. Fake Bob sends (g^y)/(g^b) in place of g^y, cancelling out g^bx.

So Tor went to "Ntor", which is sort of the server-auth version of a "TripleDH": K = Hash(g^bx || g^yx).

The "Ace" proposal for Tor gives Alice two ephemerals (x1, x2) where K = g^bx1 * g^yx2, so Fake Bob's cancelling trick doesn't work, but you get the efficiency win from simultaneous exponentiation:
https://www.infsec.cs.uni-saarland.de/~mohammadi/paper/owake.pdf

Robert Ransom proposed extending Ace to the mutual-auth case (both parties have 2 ephemerals, K = g^bx1 * g^ay1 * g^x2y2):
https://moderncrypto.org/mail-archive/curves/2014/000151.html

That's a cool idea that had some exploration in that thread, but it would be nice to see benchmarks from a real implementation.

(Though this thread should maybe move to the "curves" list, since this is a pretty generic discussion of key agreement.)

Trevor

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
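The cancellation trick from the message above, played out in code. This is an added example, not code from the thread, from Tor, or from the Ace/owake paper: fake Bob sends g^y'/g^b, Alice's Overlier-Syverson key collapses to g^(x y'), which fake Bob can compute from her public g^x alone, while the Ntor and Ace forms leave a g^(bx)-type term he cannot cancel. The group (p = 1907, q = 953, g = 4), the exponents and all function names are constructed for the demo and are far too small for real use. It also goes one step beyond the text by showing that Ace degenerates to Overlier-Syverson if Alice's two ephemerals are equal, which is why they have to be independent.

```python
"""Fake Bob's cancellation trick against the Overlier-Syverson handshake, and
why Ntor-style hashing and Ace-style double ephemerals resist it.

Constructed example (not code from the thread, Tor, or the Ace paper). The
group is a deliberately tiny safe-prime group, p = 1907 = 2*953 + 1 with g = 4
generating the order-953 subgroup; the algebra is identical in any prime-order
group, but nothing here is sized for real use.
"""
import hashlib

P = 1907  # safe prime p = 2q + 1 (toy size, illustration only)
Q = 953   # prime order of the subgroup generated by G
G = 4     # a quadratic residue mod P, hence of order Q


def exp(base: int, e: int) -> int:
    """Group exponentiation; exponents live in Z_q."""
    return pow(base, e % Q, P)


def inv(a: int) -> int:
    """Multiplicative inverse mod P (Python >= 3.8)."""
    return pow(a, -1, P)


def H(*elements: int) -> bytes:
    """Ntor-style KDF: hash the fixed-width encodings of the DH outputs."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(b"".join(e.to_bytes(width, "big") for e in elements)).digest()


def fake_Y(b: int, y2: int) -> int:
    """Fake Bob's message: g^y2 / g^b in place of g^y. Only B = g^b is needed,
    not b itself, so anyone who has seen Bob's public key can send this."""
    return exp(G, y2) * inv(exp(G, b)) % P


def fake_bob_knows(X: int, y2: int) -> int:
    """The one shared value fake Bob can derive without b: X^y2 = g^(x y2)."""
    return exp(X, y2)


def alice_key_os(b: int, x: int, y2: int) -> int:
    """Overlier-Syverson: K = B^x * Y^x. With the fake Y this is
    g^(bx) * g^(x y2) * g^(-bx) = g^(x y2): the static term cancels."""
    B, Y = exp(G, b), fake_Y(b, y2)
    return exp(B, x) * exp(Y, x) % P


def alice_key_ntor(b: int, x: int, y2: int) -> bytes:
    """Ntor-style: K = H(B^x || Y^x). The two DH outputs are hashed as
    separate inputs, so Y^x = g^(x y2 - bx) cannot cancel B^x = g^(bx);
    fake Bob would need g^(bx), a CDH instance on (B, X)."""
    B, Y = exp(G, b), fake_Y(b, y2)
    return H(exp(B, x), exp(Y, x))


def alice_key_ace(b: int, x1: int, x2: int, y2: int) -> int:
    """Ace: K = B^x1 * Y^x2. With the fake Y this is g^(b(x1 - x2)) * g^(x2 y2);
    the static term survives unless x1 == x2, so the two ephemerals must be
    independent."""
    B, Y = exp(G, b), fake_Y(b, y2)
    return exp(B, x1) * exp(Y, x2) % P


def trick_works() -> dict:
    """Fix Alice's ephemerals and fake Bob's y2, then vary Bob's static key b.
    If Alice's key does not change with b, the static term cancelled and fake
    Bob (who knows only g^(x y2)) shares her key."""
    b1, b2, x1, x2, y2 = 123, 456, 77, 91, 500  # constructed values
    X1 = exp(G, x1)
    return {
        "os": alice_key_os(b1, x1, y2) == alice_key_os(b2, x1, y2)
        and alice_key_os(b1, x1, y2) == fake_bob_knows(X1, y2),
        "ntor": alice_key_ntor(b1, x1, y2) == alice_key_ntor(b2, x1, y2),
        "ace": alice_key_ace(b1, x1, x2, y2) == alice_key_ace(b2, x1, x2, y2),
        "ace_x1_equals_x2": alice_key_ace(b1, x1, x1, y2) == alice_key_ace(b2, x1, x1, y2),
    }


if __name__ == "__main__":
    for scheme, broken in trick_works().items():
        print(f"{scheme:18} cancellation trick {'WORKS' if broken else 'fails'}")
```

The test of whether the trick works is whether Alice's derived key still depends on b once fake Bob has substituted his message: in the Overlier-Syverson form it does not (and equals g^(x y2), which fake Bob holds), in the Ntor and Ace forms it does. Independence from b is the observable symptom; the reason fake Bob cannot go further in Ntor/Ace is that the surviving term is a CDH value on (B, X), which this toy group does not attempt to make hard.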
