The check should be simple-ish. In fact, you can have both sides compute habX
instead of abX, where h is the cofactor, check that it’s not the identity
point, and then use it.
Suppose Rob is trying to impersonate Bob. Rob sends bG and/or bJ in a small
subgroup. Then abG or abJ is also in the
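The check described above, as an added example that is not part of the thread: a pure-Python X25519 Montgomery ladder (the RFC 7748 algorithm) used for a cofactor-cleared Diffie-Hellman step. Two assumptions are built in. First, X25519's scalar clamping already clears the low three bits, so the clamped scalar is a multiple of h = 8 and the ladder computes (h*a)*X rather than a*X. Second, the ladder encodes the identity point as the all-zero u-coordinate, so "check that it's not the identity point" becomes "reject a zero result" (the u = 0 point of order 2 produces the same encoding, which is why it is rejected too). The private scalars are constructed sample values, and `is_low_order`, `shared_secret` and `rejects_low_order` are names chosen for this example.

```python
# Added example: cofactor-cleared X25519 with an identity check on the result.
# Teaching implementation of the RFC 7748 ladder in big-integer Python; it is not
# constant-time and is not meant to replace a real X25519 library.

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (A - 2) / 4 for Curve25519's A = 486662
COFACTOR = 8         # h: the curve group has order 8 * prime
BASE_U = 9           # u-coordinate of the standard base point

# Constructed sample private scalars (not real keys); clamp() normalises them.
ALICE_PRIV = 0x4a2b8c1d0e9f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b
BOB_PRIV = 0x9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d


def cswap(swap, a, b):
    """Swap a and b when swap == 1 (mask-based, as in the RFC's description)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def clamp(k):
    """RFC 7748 clamping: clear the low 3 bits (a multiple of h), set bit 254, clear bit 255."""
    k &= (1 << 255) - 1
    k &= ~7
    k |= 1 << 254
    return k


def ladder(k, u):
    """Return the u-coordinate of k*X for the point X with u-coordinate u.
    The identity (projective z == 0) comes out as 0 because pow(0, P-2, P) == 0."""
    x1 = u % P
    x2, z2 = 1, 0          # R0 = identity
    x3, z3 = x1, 1         # R1 = X
    swap = 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P          # R0 + R1 (differential addition)
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P                 # 2 * R0 (doubling)
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def public_key(priv):
    """Clamped scalar times the base point."""
    return ladder(clamp(priv), BASE_U)


def is_low_order(u):
    """True if h*X is the identity, i.e. X lies in the small subgroup."""
    return ladder(COFACTOR, u) == 0


def shared_secret(priv, peer_u):
    """Compute (h*a)*X via the clamped scalar and refuse to use an identity result.
    A peer that sent a small-subgroup point gets no usable shared secret."""
    k = clamp(priv)
    assert k % COFACTOR == 0           # clamping already multiplied in the cofactor
    out = ladder(k, peer_u)
    if out == 0:
        raise ValueError("peer point is in the small subgroup; result is the identity")
    return out


def rejects_low_order(priv, peer_u):
    """Helper for checking behaviour: True if shared_secret refused the input."""
    try:
        shared_secret(priv, peer_u)
    except ValueError:
        return True
    return False


def demo():
    """Honest exchange: both sides derive the same non-zero value."""
    alice_pub = public_key(ALICE_PRIV)
    bob_pub = public_key(BOB_PRIV)
    return shared_secret(ALICE_PRIV, bob_pub), shared_secret(BOB_PRIV, alice_pub)


if __name__ == "__main__":
    s_alice, s_bob = demo()
    print("agreed:", s_alice == s_bob)
    print("u=0 low order:", is_low_order(0), " u=1 low order:", is_low_order(1))
    print("low-order input rejected:", rejects_low_order(ALICE_PRIV, 1))
```

The u = 0 and u = 1 inputs are the order-2 and order-4 points of Curve25519; multiplying either by h gives the identity, so the ladder returns 0 and `shared_secret` raises. The last assertion in the test also confirms the framing in the message: computing with the clamped scalar is the same as computing a*X first and then multiplying by h.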
Hello, Mike Hamburg!
Thank you, now I understand this problem better.
So, I understand that G and J must generate the entire group and also that p
must be negligibly-close to a power of 2.
But I don't understand that Alice must check that Gb and Jb aren’t in the small
subgroup for preventing
Hello Van Gegel,
This seems reasonable, but it’s worth the exercise to prove security in order
to make sure there aren’t subtle attacks. For example, G and J must generate
the entire group and not just the subgroup (unlike the canonical Curve25519
G), or else there is a passive dictionary at
Hello all!
I searched for a simple solution for PAKE using only an X25519 library.
Unfortunately almost all protocols require group addition and/or Elligator.
Thanks to Mike Hamburg, who referred to inverse square root code and also the AMBER
Cryptography library (https://github.com/bernedogit/amber), I successfully ad