Date: Tue, 20 Oct 2015 05:33:47 +0200
From: cinap_lenrek@felloff.net
To: 9fans@9fans.net
Subject: Re: [9fans] dp9ik draft

Robert Ransom pointed out offlist that the pak crypto is flawed in this
draft, so it's back to the drawing board. Please consider this version of
the draft retracted :-)

> If an attacker can find scalars s1 and s2 such that s1*H(p1) =
> s2*H(p2), then he can send s1*H(p1) as his public key, receive the
> other party's public key P and a message encrypted using the resulting
> shared secret key, then compute both possible shared secrets s1*P and
> s2*P and try each of them to decrypt the message.
>
> If H(p) = p*G, then s1*H(p1) = s1*p1*G = s1*(p1/p2)*p2*G =
> s1*(p1/p2)*H(p2) (with the divisions and multiplications computed in
> the ring of scalars).

--
cinap
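As an added worked example (not code from the draft or from anyone in the thread), the identity in the quoted reply carried out in a toy prime-order group: the group parameters and password values are constructed for illustration, and the group is tiny only so that the scalar relation between H(p1) and H(p2) can be brute-forced and compared with p1/p2.

```python
# Toy prime-order group, written additively (constructed for this example,
# not the draft's curve): the order-Q subgroup of Z_P^*, scalars in Z_Q.
Q = 1019            # prime group order, so Z_Q is a field and p2 is invertible
P = 2 * Q + 1       # 2039, a safe prime
G = 4               # quadratic residue != 1, hence a generator of order Q
assert pow(G, Q, P) == 1 and G != 1


def mul(scalar: int, point: int) -> int:
    """Scalar multiplication s*X in the toy group (exponentiation mod P)."""
    return pow(point, scalar % Q, P)


def h_flawed(password: int) -> int:
    """The quoted H(p) = p*G: the password itself is used as the scalar."""
    return mul(password, G)


def colliding_scalar(s1: int, p1: int, p2: int) -> int:
    """s2 = s1 * p1 / p2 in Z_Q, so that s1*H(p1) == s2*H(p2): one public
    key is consistent with two different password guesses."""
    return s1 * p1 * pow(p2, -1, Q) % Q


def candidate_secrets(s1: int, p1: int, p2: int, peer_public: int) -> set:
    """The two shared secrets the quote says must be tried, s1*P and s2*P,
    once the peer has answered with public key P."""
    s2 = colliding_scalar(s1, p1, p2)
    return {mul(s1, peer_public), mul(s2, peer_public)}


def scalar_relation(H, p1: int, p2: int) -> int:
    """Brute-force the k with H(p1) == k*H(p2). Feasible only because the toy
    group is tiny; in a real group this is a discrete logarithm. The point of
    the flaw is that for h_flawed k is simply p1/p2, known without any search."""
    target, base = H(p1), H(p2)
    return next(k for k in range(1, Q) if mul(k, base) == target)


def demo() -> tuple:
    p1, p2, s1 = 100, 250, 7          # constructed password guesses and scalar
    s2 = colliding_scalar(s1, p1, p2)
    collides = mul(s1, h_flawed(p1)) == mul(s2, h_flawed(p2))
    # The discrete-log relation between the two hashed points is exactly
    # p1/p2 in Z_Q, i.e. H leaks its linear structure in the password.
    predictable = scalar_relation(h_flawed, p1, p2) == p1 * pow(p2, -1, Q) % Q
    return collides, predictable
```

A hash-to-point with no known scalar relation between H(p1) and H(p2) removes the free computation in colliding_scalar; finding s2 would then require the discrete logarithm that scalar_relation can only brute-force here because Q is tiny.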