I searches simple solution for PAKE using only X25519 library.
Unfortunately mostly all protocols requires group addition or/and elligator.
Thanks Mike Humburg refers to inverse square root code and also AMBER
Cryptography library (https://github.com/bernedogit/amber) I successfully add
elligator2 to ASM Cortex M0 uNaCl library, without long multiplication
and also to forx25519-cortexm4 ASM library with long multiplication
M0 code of isr() is about 400 bytes. This solve my problem.
But recently I re-read paper of Daniel J. Bernstein, Mike Hamburg, Anna
Krasnova, Tanja Lange Elligator: Elliptic-curve points indistinguishable from
uniform random strings (http://elligator.cr.yp.to/elligator-20130828.pdf) and
find interest moment.
On "2.7 Active attacks" authors refers to old paper of Colin Boyd , Paul
Montague , Khanh Nguyen Elliptic Curve Based Password Authenticated Key
Exchange Protocols (2001)
described EC-EKE protocol with compressed Edwards points.
DJB at all. said: "Our attack is to actively rerandomize one of the two points
sent by Bob. If this point is on the same curve then Alice aborts; if this
point is not on the same curve then Alice does not notice and communication
I'm not sure, but this attack can be completely solved including all public
values under hash: if Eva will modifies any value the authentificator will be
wrong so Eva can not obtain was this work or dummy point.
I tried to rewrite Boyd at all. EC-EKE for Montgomery X25519, now it is not
require any checking of point is on curve or on twist (so not need square root):
Let G is Montgomery generator on EC25519 curve and J - on it's twist. All
multiplications are with standard X25519 procedure (i.e. *8). H is PRF
Alice is initiate and randomly select G or J for this session.
Alice generate random a and compute X*a = G*a or J*a depends selecting, set
bit 255 randomly. Now it is completely random string.
Alice encrypt X*a by password, and send Enc(X*a) to Bob.
Bob decrypt Enc(X*a) to X*a by password.
Bob generate random b and compute both G*b and J*b
Bob compute secret Sb=X*a*b
Bob compute authentificator Mb=H(Sb || Enc(X*a) || G*b || J*b)
Bob sends to Alice: Mb, G*b, J*b
Alice compute two secrets S1=G*b*a and S2=J*b*a
Alice compute two authentificators: M1=H(S1 || Enc(X*a) || G*b || J*b) and
M2=H(S1 || Enc(X*a) || G*b || J*b)
Alice checks either Mb ?= M1 or Mb ?= M2
Alice compute her authentificator Ma=(S1 || G*b || J*b || Enc(X*a)) or Ma=(S2
|| G*b || J*b || Enc(X*a)) depends M1 or M2 matched or set Ma as random if not
Alice send Ma to Bob
Bob check Ma ?= H(Sb || G*b || J*b || Enc(X*a))
This seems safe against partition attack but I'm not sure...
Messaging mailing list