Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

: Gregory Maxwell <gmaxw...@gmail.com>; Andy Isaacson <a...@hexapodia.org> Cc: curves@moderncrypto.org Betreff: Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended? While I'm posting in this thread, most PAKE schemes I looked at in the

Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

----Ursprüngliche Nachricht- > Von: Curves [mailto:curves-boun...@moderncrypto.org] Im Auftrag von Björn > Haase > Gesendet: Sonntag, 5. November 2017 16:56 > An: Gregory Maxwell <gmaxw...@gmail.com>; Andy Isaacson <a...@hexapodia.org> > Cc: curves@moderncrypto.org > Bet

Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

erncrypto.org] Im Auftrag von Björn Haase Gesendet: Sonntag, 5. November 2017 16:56 An: Gregory Maxwell <gmaxw...@gmail.com>; Andy Isaacson <a...@hexapodia.org> Cc: curves@moderncrypto.org Betreff: Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

On Wed, Oct 25, 2017 at 8:39 PM, Andy Isaacson wrote: > I'd like to understand this attack better (the description above is > pretty surprising to me), is there a canonical treatment or a phrase I > should look up in the literature? I don't know if there is a standard term

Re: [curves] Fwd: Re: Fw: Aw: SPEKE using Curve25519 - elligator2 required or recommended?

On Wed, Oct 25, 2017 at 07:36:54PM +0200, Björn Haase wrote: So to better understand your point, if for example the hash of the password has n bits of effective security, say 128, then we would leak one bit of the hash (not the password itself), correct? Put differently, how could this