On 2013-10-04 03:45, Adam Back wrote:
Is it just me or could we better replace NIST by DJB? ;) He can do that EC
crypto, and do constant time coding (nacl), and non-hackable mail servers
(qmail), and worst-time databases (cdb). Most people in the world look like
rank amateurs or no-real-pro
On Thu, Oct 03, 2013 at 04:53:09PM +0100, Michael Rogers wrote:
Presumably if you ensure that the private key is valid, the public key
derived from it must be a point on the curve. So it's a matter of
validating private rather than public keys.
I understand what you're saying about a timing sid
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 03/10/13 16:45, Trevor Perrin wrote:
> Suppose you are a good guy with a static curve25519 key, and a bad
> guy is sending you 32-byte strings, claiming them to be ephemeral
> curve25519 public keys for use in an ephemeral-static
> Diffie-Hellman.
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 03/10/13 15:14, Adam Back wrote:
> Well I think there are two issues:
>
> 1. if the public key is derived from a password (like a bitcoin
> brainwallet), or as in EC based PAKE systems) then if the point
> derived from your password isn't on the c
On Thu, Oct 3, 2013 at 6:41 AM, Michael Rogers wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 29/09/13 20:24, Nico Williams wrote:
> > Just because curve25519 accepts every 32-byte value as a public key
> > doesn't mean that every 32-byte value is a valid public key (one
> > resul
Well I think there are two issues:
1. if the public key is derived from a password (like a bitcoin
brainwallet), or as in EC based PAKE systems) then if the point derived from
your password isn't on the curve, then you know that is not a candidate
password, hence you can for free narrow the passwo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 29/09/13 20:24, Nico Williams wrote:
> Just because curve25519 accepts every 32-byte value as a public key
> doesn't mean that every 32-byte value is a valid public key (one
> resulting from applying the curve25519 operation). The Elligator
> pap
On Sun, Sep 29, 2013 at 9:29 PM, Trevor Perrin wrote:
> On Sun, Sep 29, 2013 at 9:27 AM, Michael Rogers
> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Sorry for making so much noise on the list today. I have a quick
>> question about public keys.
>>
>> The Curve25519 paper say
On Sun, Sep 29, 2013 at 9:27 AM, Michael Rogers
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Sorry for making so much noise on the list today. I have a quick
> question about public keys.
>
> The Curve25519 paper says that "every 32-byte string is accepted as a
> Curve25519 public
I should add that the ability to distinguish public DH keys from
random is a big deal in some cases. For example, for EKE: there's a
passive off-line dictionary attack that can reject a large fraction of
possible passwords with each EKE iteration -- if that fraction is 1/2
then after about 20 roun
Just because curve25519 accepts every 32-byte value as a public key
doesn't mean that every 32-byte value is a valid public key (one
resulting from applying the curve25519 operation). The Elligator
paper discusses several methods for distinguishing valid public keys
from random.
Nico
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sorry for making so much noise on the list today. I have a quick
question about public keys.
The Curve25519 paper says that "every 32-byte string is accepted as a
Curve25519 public key". Yet Elligator doesn't use Curve25519. So I
guess there must be a
12 matches