Er, you would compute A’ = mul(8*a, elligator(c)). That is, you don’t also have to multiply by c.
Whoops,
— Mike

> On Jan 24, 2018, at 12:56 PM, Mike Hamburg <m...@shiftleft.org> wrote:
>
> It’s not safe against dictionary attacks by Alice or Bob. For that, you want
> SPEKE, SPAKE2, PAK, …
>
> This is a variant of SPEKE. To make it secure you would compute A = mul(8*a,
> elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here,
> and also hash elligator(c) in the final MA/MB computation, in addition to
> adding identities or something to address Katriel’s concern.
>
> — Mike
>
>> On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <m...@katriel.co.uk> wrote:
>>
>> What does "safe" mean in this context?
>>
>> For example, an adversary could reflect Alice's initial message back to
>> Alice, and then reflect the hash back as well. The result is that Alice will
>> complete a protocol execution without Bob even existing. Is that bad?
>>
>> Katriel
>>
>>
>> On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
>>> Hi all!
>>> Please advise on this protocol:
>>>
>>> Two parties compare a 2-byte short common secret using EC25519 (only the mul
>>> and mul_base procedures) and a SHA3 hash.
>>> Either side can be an active adversary trying to obtain the secret.
>>>
>>> c = H(secret)
>>>
>>> Side A:
>>> - picks a at random
>>> - computes A = mul_base(a)
>>> - computes A' = mul(c, A)
>>> - sends A' to side B
>>>
>>> Side B:
>>> - picks b at random
>>> - computes B = mul_base(b)
>>> - computes B' = mul(c, B)
>>> - sends B' to side A
>>>
>>> Side A:
>>> - computes S = mul(a, B')
>>> - sends MB = H(A' | B' | S) to side A
>>>
>>> Side B:
>>> - computes S = mul(b, A')
>>> - sends MA = H(B' | A' | S) to side B
>>>
>>> Both A and B check MA and MB.
>>>
>>> Is this protocol safe?
>>> _______________________________________________
>>> Messaging mailing list
>>> Messaging@moderncrypto.org
>>> https://moderncrypto.org/mailman/listinfo/messaging
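The SPEKE-style variant Mike sketches (password point from Elligator, shares computed as mul(8*a, elligator(c)) and mul(8*b, elligator(c)), elligator(c) and both identities folded into the confirmation hash), worked through end to end in Python. This is an added example, not code from the thread or from any of its participants. Everything beyond what the thread states is this example's own assumption: mul() is an unclamped RFC 7748 ladder so that the scalar 8*a can be passed literally (x25519() wraps it with the standard clamping only as a sanity check); c = SHA3-256(secret) is read little-endian as a field element before the Elligator 2 map; the identity strings, the hash layout in tag(), and the names run() and reflection_rejected() are invented here. The thread's own protocol (multiplying the base point by c) is deliberately not reproduced.

```python
import hashlib
import secrets

# Curve25519 parameters (RFC 7748); L is the order of the prime-order subgroup
P = 2**255 - 19
A = 486662
A24 = (A - 2) // 4
L = 2**252 + 27742317777372353535851937790883648493
COFACTOR = 8

def inv(x):
    return pow(x % P, P - 2, P)

def legendre(x):
    # 1 for a non-zero square mod P, -1 for a non-square, 0 for x == 0
    e = pow(x % P, (P - 1) // 2, P)
    return -1 if e == P - 1 else e

def mul(k, u):
    # Montgomery ladder on u-coordinates (RFC 7748 section 5) for any integer
    # k < 2**256. Assumption: no clamping here, so 8*a is passed literally.
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(255, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * inv(z2) % P  # 0 if the result is the point at infinity

def x25519(k_bytes, u_bytes):
    # Standard X25519 (clamped scalar, masked u); used only to check mul()
    k = (int.from_bytes(k_bytes, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    return mul(k, u).to_bytes(32, "little")

def elligator2(r):
    # Elligator 2 (Bernstein, Hamburg, Krasnova, Lange 2013) with non-square 2:
    # the output u is on Curve25519 itself (never the twist), but may carry a
    # small-order component, which is what the cofactor in keyshare() removes.
    r %= P
    w = (-A * inv(1 + 2 * r * r)) % P
    e = legendre(w * w * w + A * w * w + w)
    return (e * w - (1 - e) * A * inv(2)) % P  # w if f(w) is a square, else -w - A

def password_point(secret):
    # c = H(secret) as in the thread; assumption: c read as a field element
    return elligator2(int.from_bytes(hashlib.sha3_256(secret).digest(), "little"))

def keyshare(pw_u):
    # A' = mul(8*a, elligator(c)); 8*a clears the small subgroup
    a = secrets.randbelow(L - 1) + 1
    return a, mul(COFACTOR * a, pw_u)

def tag(id_self, id_peer, pw_u, share_self, share_peer, s):
    # Confirmation hash over identities, elligator(c), both shares and S.
    # Length-prefixed identities and 32-byte little-endian values are this
    # example's encoding choice.
    h = hashlib.sha3_256()
    for ident in (id_self, id_peer):
        h.update(len(ident).to_bytes(1, "little") + ident)
    for v in (pw_u, share_self, share_peer, s):
        h.update(v.to_bytes(32, "little"))
    return h.digest()

def run(secret_a, secret_b, id_a=b"alice", id_b=b"bob"):
    # One exchange; returns (A accepts, B accepts, A's S, B's S)
    pw_a, pw_b = password_point(secret_a), password_point(secret_b)
    a, share_a = keyshare(pw_a)
    b, share_b = keyshare(pw_b)
    s_a, s_b = mul(a, share_b), mul(b, share_a)  # both 8*a*b*Pw when secrets agree
    if 0 in (share_a, share_b, s_a, s_b):  # all-zero output: reject, as RFC 7748 advises
        return False, False, None, None
    mb = tag(id_a, id_b, pw_a, share_a, share_b, s_a)  # sent by A
    ma = tag(id_b, id_a, pw_b, share_b, share_a, s_b)  # sent by B
    a_ok = ma == tag(id_b, id_a, pw_a, share_b, share_a, s_a)
    b_ok = mb == tag(id_a, id_b, pw_b, share_a, share_b, s_b)
    return a_ok, b_ok, s_a, s_b

def reflection_rejected(secret, id_a=b"alice", id_b=b"bob"):
    # Katriel's reflection: A's own share and own tag are played back to A.
    # Identities are bound in opposite order on the two sides, so the
    # reflected tag never equals what A expects from B.
    pw = password_point(secret)
    a, share_a = keyshare(pw)
    s = mul(a, share_a)
    reflected = tag(id_a, id_b, pw, share_a, share_a, s)  # what A itself sent
    expected = tag(id_b, id_a, pw, share_a, share_a, s)   # what A wants from B
    return reflected != expected
```

run(b"\x12\x34", b"\x12\x34") accepts on both sides with equal S, run(b"\x12\x34", b"\x12\x35") rejects on both, and reflection_rejected() shows why the identities belong in the hash. Two practitioner notes: the Elligator output is reduced to the order-L subgroup by the 8 in the scalar, and any all-zero share or S is rejected before the confirmation step, since such values would come only from small-order inputs. Deriving the session key as a hash of S together with the transcript, rather than using S directly, is left to the reader.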