Thanks all!

Katriel Cohn-Gordon, I'm sorry, I assumed checking A' != B' but did not include this
in the transcription.
Of course, UKS protection can also be achieved by including the IDs in the hash.


Mike Hamburg, oops, it is a real dictionary attack!
Now I see the SPEKE paper:
https://eprint.iacr.org/2014/585.pdf
The only difference is in the key derivation function: f(s) = (H(s))^2 mod p;
Can I apply this to a curve?

And now I have found this thread:
https://moderncrypto.org/mail-archive/curves/2017/000940.html
My problem is nearly the same: I use a Cortex M0 with limited program code memory, too
small for Edwards Ed25519.
I don't have Elligator C code for Montgomery 25519: I have only DJB's EC25519
reference code, with only mul() and mul_base() in my system.
I also have a Keccak sponge as a near-"ideal" hash, MAC and cipher (like
SHAKE-128).

Is it possible to design any safe PAKE in this environment? Maybe even with
extra passes and reduced computational efficiency, but without any additional
math.

--- Original message ---
From: "Ben Harris" <m...@bharr.is>
Date: 25 January 2018, 10:46:03


If I have this right (??), the attack is:

Alice sends A which is equivalent to a*c*G.
Mallory takes A and multiplies by random b and sends back B as b*G.
Alice computes S as a*B = a*b*G and sends MA as H(A | B | S).


Mallory now guesses a password to compute c'. She then computes a guess S' as 
(1/c')*b*A = (1/c')*b*a*c*G. If c' == c then this is a*b*G and S' == S.
Mallory checks S' by computing H(A | B | S') and comparing to MA.


On 25 January 2018 at 07:56, Mike Hamburg <m...@shiftleft.org> wrote:
Er, you would compute A’ = mul(8*a, elligator(c)).  That is, you don’t also
have to multiply by c.

Whoops,
— Mike

On Jan 24, 2018, at 12:56 PM, Mike Hamburg <m...@shiftleft.org> wrote:

It’s not safe against dictionary attacks by Alice or Bob.  For that, you want 
SPEKE, SPAKE2, PAK, …

This is a variant of SPEKE.  To make it secure you would compute A = mul(8*a, 
elligator(c)) and B = mul(8*b, elligator(c)) instead of what you have here, and 
also hash elligator(c) in the final MA/MB computation, in addition to adding 
identities or something to address Katriel’s concern.


— Mike

On Jan 24, 2018, at 3:37 AM, Katriel Cohn-Gordon <m...@katriel.co.uk> wrote:

What does "safe" mean in this context?

For example, an adversary could reflect Alice's initial message back to Alice, 
and then reflect the hash back as well. The result is that Alice will complete 
a protocol execution without Bob even existing. Is that bad?

Katriel

On Wed, 24 Jan 2018, at 10:45 AM, Van Gegel wrote:

Hi all!
Please advise on this protocol:

Two parties compare a 2-byte short common secret using EC25519 (only the mul and
mul_base procedures) and the SHA3 hash.
Either side can be an active adversary trying to obtain the secret.

c = H(secret)

Side A:
- picks a at random
- computes A = mul_base(a)
- computes A' = mul(c, A)
- sends A' to side B

Side B:
- picks b at random
- computes B = mul_base(b)
- computes B' = mul(c, B)
- sends B' to side A

Side A:
- computes S = mul(a, B')
- sends MB = H(A' | B' | S) to side B

Side B:
- computes S = mul(b, A')
- sends MA = H(B' | A' | S) to side A

Both A and B check MA and MB.

Is this protocol safe?

_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
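As an added example (not code from the thread, and not DJB's reference implementation), here is a Python model of the protocol posted above together with the dictionary attack Ben Harris describes, with Mallory playing side B. The Montgomery ladder is a plain RFC 7748 transcription over Curve25519 standing in for mul()/mul_base(); unlike the reference X25519 it does not clamp the scalar (so 1/c' is simply the inverse of the hashed secret modulo the group order) and it is not constant-time, so it is for illustration only. The function names, the 32-byte little-endian encoding of u-coordinates inside the hash, the choice of SHA3-256 for H, and the constructed 2-byte demo secret are all assumptions of the example.

```python
"""Model of the posted protocol and of the offline dictionary attack against it.
Added example, not from the thread or from DJB's code.  The ladder below follows
RFC 7748 but does not clamp scalars and is not constant-time: demo only."""
import hashlib
import secrets
from typing import Iterable, Optional

P = 2**255 - 19                                          # field prime
L = 2**252 + 27742317777372353535851937790883648493      # order of the base point
A24 = 121665                                             # (486662 - 2) / 4
BASE_U = 9                                               # u-coordinate of the base point


def ladder(k: int, u: int) -> int:
    """x-only scalar multiplication: u(k*Q) for the point Q with u-coordinate u."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(255, -1, -1):                         # 256 bits: k may be a full hash
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                         # not constant-time (demo)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P


def scalar(secret: bytes) -> int:
    """c = H(secret), read as a little-endian scalar (assumed encoding)."""
    return int.from_bytes(hashlib.sha3_256(secret).digest(), "little")


def tag(*coords: int) -> bytes:
    """H(X | Y | S) over 32-byte encodings of u-coordinates (assumed encoding)."""
    return hashlib.sha3_256(b"".join(c.to_bytes(32, "little") for c in coords)).digest()


def honest_run(secret_a: bytes, secret_b: bytes) -> bool:
    """The posted protocol between two honest sides; True iff both tags verify."""
    ca, cb = scalar(secret_a), scalar(secret_b)
    a, b = secrets.randbelow(L), secrets.randbelow(L)
    A1 = ladder(ca, ladder(a, BASE_U))                   # A' = mul(c, mul_base(a))
    B1 = ladder(cb, ladder(b, BASE_U))                   # B' = mul(c, mul_base(b))
    s_a = ladder(a, B1)                                  # side A: S = mul(a, B')
    s_b = ladder(b, A1)                                  # side B: S = mul(b, A')
    tag_from_a = tag(A1, B1, s_a)                        # A -> B
    tag_from_b = tag(B1, A1, s_b)                        # B -> A
    return tag_from_a == tag(A1, B1, s_b) and tag_from_b == tag(B1, A1, s_a)


def dictionary_attack(secret: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Mallory plays side B against an honest Alice, then guesses the secret offline."""
    # online phase: a single run with Alice, who uses `secret`
    c = scalar(secret)
    a = secrets.randbelow(L)
    A1 = ladder(c, ladder(a, BASE_U))                    # Alice -> Mallory: A' = c*a*G
    b = secrets.randbelow(L)
    B = ladder(b, BASE_U)                                # Mallory -> Alice: B = b*G, no c
    s_alice = ladder(a, B)                               # Alice: S = a*B = a*b*G
    alice_tag = tag(A1, B, s_alice)                      # Alice -> Mallory: H(A' | B | S)
    # offline phase: Alice is never contacted again
    bA1 = ladder(b, A1)                                  # b*c*a*G, computed once
    for guess in candidates:
        c_guess = scalar(guess) % L
        if c_guess == 0:
            continue
        inv = pow(c_guess, L - 2, L)                     # 1/c' mod L
        s_guess = ladder(inv, bA1)                       # (1/c')*b*c*a*G == a*b*G iff c' == c
        if tag(A1, B, s_guess) == alice_tag:
            return guess
    return None


def two_byte_secrets() -> Iterable[bytes]:
    """The whole search space of a 2-byte secret: 65536 candidates."""
    return (i.to_bytes(2, "big") for i in range(1 << 16))


if __name__ == "__main__":
    # constructed demo secret; it sits early in the enumeration so the search ends quickly
    secret = (300).to_bytes(2, "big")
    print("honest run, same secret:", honest_run(secret, secret))
    print("honest run, different secrets:", honest_run(secret, b"\x00\x01"))
    print("recovered by Mallory:", dictionary_attack(secret, two_byte_secrets()))
```

The search stops at the first match, and the demo secret is placed early in the enumeration so the script finishes in seconds; the full space of a 2-byte secret is only 65536 scalar multiplications, all done offline after one exchange with Alice. The tag H(A' | B | S) is exactly the oracle that makes this work: it lets Mallory test every guess without talking to Alice again, which is why Mike's SPEKE-style fix moves the secret into the generator rather than multiplying an ephemeral key by it.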


