It’s not safe against dictionary attacks by Alice or Bob. For that, you want SPEKE, SPAKE2, PAK, …
This is a variant of SPEKE. To make it secure you would compute A = mul(8*a, elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here, and also hash elligator(c) in the final MA/MB computation, in addition to adding identities or something to address Katriel's concern.

— Mike

> On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <m...@katriel.co.uk> wrote:
>
> What does "safe" mean in this context?
>
> For example, an adversary could reflect Alice's initial message back to
> Alice, and then reflect the hash back as well. The result is that Alice will
> complete a protocol execution without Bob even existing. Is that bad?
>
> Katriel
>
>
> On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:
>> Hi all!
>> Please advise on this protocol:
>>
>> Two parties compare a 2-byte short common secret using EC25519 (only mul
>> and mul_base procedures) and a SHA3 hash.
>> Either side can be an active adversary trying to obtain the secret.
>>
>> c = H(secret)
>>
>> Side A:
>> - picks a at random
>> - computes A = mul_base(a)
>> - computes A' = mul(c, A)
>> - sends A' to side B
>>
>> Side B:
>> - picks b at random
>> - computes B = mul_base(b)
>> - computes B' = mul(c, B)
>> - sends B' to side A
>>
>> Side A:
>> - computes S = mul(a, B')
>> - sends MB = H(A' | B' | S) to side A
>>
>> Side B:
>> - computes S = mul(b, A')
>> - sends MA = H(B' | A' | S) to side B
>>
>> Both A and B check MA and MB.
>>
>> Is this protocol safe?
>> _______________________________________________
>> Messaging mailing list
>> Messaging@moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/messaging
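The exchange from Van Gegel's post, run honestly and then against the two attacks raised in the replies (Katriel's reflection, and the offline dictionary attack by a malicious Bob that Mike's first sentence refers to), as an added example that is not code from the thread or from any of its participants. It assumes that `mul` and `mul_base` are plain X25519 scalar multiplication on u-coordinates with no scalar clamping (Mike's `mul(8*a, …)` suggests raw multiplication), that `H` is SHA3-256 over the concatenated byte strings, and that the 2-byte secret space is enumerated from a constructed candidate list rather than all 65536 values, purely to keep the demo fast.

```python
"""Blinded-DH "short secret" comparison from the thread, plus the attacks discussed.
Added example, not the poster's code. Assumptions: mul/mul_base are unclamped
X25519 u-coordinate scalar multiplications; H is SHA3-256 over concatenation."""
import hashlib
import secrets
from typing import List, Optional, Tuple

P = 2**255 - 19                                        # Curve25519 field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point u=9
A24 = 121665


def x25519_ladder(k: int, u: int) -> int:
    """RFC 7748 Montgomery ladder: returns u(k*Q) for the point Q with u(Q) = u."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(255, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def mul(k: int, u: bytes) -> bytes:
    """The post's mul(): scalar times point; points are 32-byte little-endian u-coords.
    Scalar is reduced mod L but NOT clamped (assumption stated in the lead-in)."""
    u_int = int.from_bytes(u, "little") & ((1 << 255) - 1)
    return x25519_ladder(k % L, u_int).to_bytes(32, "little")


def mul_base(k: int) -> bytes:
    return mul(k, (9).to_bytes(32, "little"))


def H(*parts: bytes) -> bytes:
    return hashlib.sha3_256(b"".join(parts)).digest()


def secret_scalar(secret: bytes) -> int:
    return int.from_bytes(H(secret), "little")          # c = H(secret)


def rand_scalar() -> int:
    return secrets.randbelow(L - 1) + 1


# --- the protocol as posted ----------------------------------------------------
def blind(secret: bytes, x: int) -> bytes:
    """A' = mul(c, mul_base(a)); the same step yields B' on the other side."""
    return mul(secret_scalar(secret), mul_base(x))


def tag(own: bytes, peer: bytes, x: int) -> bytes:
    """Confirmation value H(own' | peer' | S) with S = mul(x, peer')."""
    return H(own, peer, mul(x, peer))


def honest_run(secret_a: bytes, secret_b: bytes) -> Tuple[bool, bool]:
    """Two honest parties; returns (A accepts, B accepts)."""
    a, b = rand_scalar(), rand_scalar()
    Ap, Bp = blind(secret_a, a), blind(secret_b, b)
    MB, MA = tag(Ap, Bp, a), tag(Bp, Ap, b)       # A sends MB, B sends MA
    a_accepts = MA == H(Bp, Ap, mul(a, Bp))      # A recomputes what B must send
    b_accepts = MB == H(Ap, Bp, mul(b, Ap))
    return a_accepts, b_accepts


# --- Katriel's reflection: Alice completes with no Bob at all ------------------
def reflection_attack(secret_a: bytes) -> bool:
    """Returns True if Alice accepts a run in which the adversary only echoes."""
    a = rand_scalar()
    Ap = blind(secret_a, a)
    Bp = Ap                      # adversary sends A' back as "B'"
    MB = tag(Ap, Bp, a)          # Alice sends her confirmation
    MA = MB                      # adversary sends it straight back as "MA"
    return MA == H(Bp, Ap, mul(a, Bp))   # passes: with A' == B' both hashes coincide


# --- Mike's point: offline dictionary attack by a malicious Bob ---------------
def dictionary_attack(secret_a: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Bob sends an unblinded B' whose discrete log he knows, then tests guesses
    of Alice's secret offline against her confirmation value MB."""
    a, b = rand_scalar(), rand_scalar()
    Ap = blind(secret_a, a)                  # what Alice sends
    Bp = mul_base(b)                         # Bob skips the blinding step
    MB = tag(Ap, Bp, a)                      # Alice's MB, computed over S = a*b*G
    for guess in candidates:                 # no further interaction with Alice
        c = secret_scalar(guess) % L
        if c == 0:
            continue
        A_guess = mul(pow(c, -1, L), Ap)     # c^-1 * (c*a*G) = a*G if guess is right
        if H(Ap, Bp, mul(b, A_guess)) == MB:  # b*(a*G) equals Alice's S
            return guess
    return None
```

The dictionary attack needs only one scalar inversion and two ladder steps per guess, so the full 16-bit secret space falls in seconds even in pure Python; a wrong Bob (or Alice, by symmetry) learns the secret without ever being detected, which is the property Mike says the plain blinded-DH construction lacks and a proper PAKE provides.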