: Gregory Maxwell <gmaxw...@gmail.com>; Andy Isaacson <a...@hexapodia.org>
Cc: curves@moderncrypto.org
Betreff: Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2
required or recommended?
While I'm posting in this thread, most PAKE schemes I looked at in the
----Ursprüngliche Nachricht-
> Von: Curves [mailto:curves-boun...@moderncrypto.org] Im Auftrag von Björn
> Haase
> Gesendet: Sonntag, 5. November 2017 16:56
> An: Gregory Maxwell <gmaxw...@gmail.com>; Andy Isaacson <a...@hexapodia.org>
> Cc: curves@moderncrypto.org
> Bet
erncrypto.org] Im Auftrag von Björn Haase
Gesendet: Sonntag, 5. November 2017 16:56
An: Gregory Maxwell <gmaxw...@gmail.com>; Andy Isaacson <a...@hexapodia.org>
Cc: curves@moderncrypto.org
Betreff: Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2
required or recommended?
On Wed, Oct 25, 2017 at 8:39 PM, Andy Isaacson wrote:
> I'd like to understand this attack better (the description above is
> pretty surprising to me), is there a canonical treatment or a phrase I
> should look up in the literature?
I don't know if there is a standard term
On Wed, Oct 25, 2017 at 07:36:54PM +0200, Björn Haase wrote:
So to better understand your point, if for example the hash of the
password has n bits of effective security, say 128, then we would
leak one bit of the hash (not the password itself), correct? Put
differently, how could this