What does "safe" mean in this context? For example, an adversary could reflect Alice's initial message back to Alice, and then reflect the hash back as well. The result is that Alice will complete a protocol execution without Bob even existing. Is that bad?

Katriel
On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
> Hi all! Please advise on this protocol:
>
> Two parties compare a 2-byte short common secret using EC25519
> (only mul and mul_base procedures) and the SHA3 hash. Either side can be
> an active adversary trying to obtain the secret.
>
> c = H(secret)
>
> Side A:
> - picks a at random
> - computes A = mul_base(a)
> - computes A' = mul(c, A)
> - sends A' to side B
>
> Side B:
> - picks b at random
> - computes B = mul_base(b)
> - computes B' = mul(c, B)
> - sends B' to side A
>
> Side A:
> - computes S = mul(a, B')
> - sends MB=H(A' | B' | S) to side A
>
> Side B:
> - computes S = mul(b, A')
> - sends MA=H(B' | A' | S) to side B
>
> Both A and B check MA and MB.
>
> Is this protocol safe?
>
> _________________________________________________
> Messaging mailing list
> Messaging@moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
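As an added example that is not part of this thread: a plain-Python model of the protocol exactly as posted, with X25519 standing in for the EC25519 mul/mul_base procedures and SHA3-256 for H, used to confirm both the honest run and the reflection case Katriel describes. The function names, the tag naming and the toy secret are assumptions of this example.

```python
import hashlib
import secrets
P = 2**255 - 19
BASE = (9).to_bytes(32, "little")  # X25519 base point, u = 9

def mul(k: bytes, u: bytes) -> bytes:
    """X25519 per RFC 7748 (Montgomery ladder); plain Python, not constant-time."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64  # clamp scalar
    n = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def H(*parts: bytes) -> bytes:
    return hashlib.sha3_256(b"".join(parts)).digest()

def first_message(secret: bytes, priv: bytes) -> bytes:
    return mul(H(secret), mul(priv, BASE))  # A' = mul(c, mul_base(a)), c = H(secret)

def tag_sent(priv: bytes, own: bytes, peer: bytes) -> bytes:
    """Tag a side sends: H(own' | peer' | S) with S = mul(priv, peer')."""
    return H(own, peer, mul(priv, peer))

def tag_expected(priv: bytes, own: bytes, peer: bytes) -> bytes:
    """Tag a side expects from its peer: H(peer' | own' | S)."""
    return H(peer, own, mul(priv, peer))

def honest_run(secret: bytes) -> bool:
    a, b = secrets.token_bytes(32), secrets.token_bytes(32)
    a1, b1 = first_message(secret, a), first_message(secret, b)
    return (tag_sent(b, b1, a1) == tag_expected(a, a1, b1)
            and tag_sent(a, a1, b1) == tag_expected(b, b1, a1))

def reflection_completes(secret: bytes) -> bool:
    a = secrets.token_bytes(32)
    a1 = first_message(secret, a)                          # Alice's A'
    return tag_sent(a, a1, a1) == tag_expected(a, a1, a1)  # B' := A', tag echoed back
```

The reflected run passes Alice's check because, once B' = A', the tag she sends and the tag she expects are the same hash over the same inputs; nothing in the transcript binds which side produced which value.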