
Re: [GNUnet-developers] key exchanges [updated, resend]

From: Jeff Burdges
Subject: Re: [GNUnet-developers] key exchanges [updated, resend]
Date: Thu, 27 Aug 2015 00:13:31 +0200

Just a brief summary thus far :

We've a complicated four round key exchange described two messages ago
(Tuesday) in which Alice signs the xor of a message hash with a special
collaborative random number. 

We hoped that pairing that with the modified ECDSA from three messages
ago (Monday) would give a system that's both deniable and resistant to
Dominic's wildcard attack.  

I found a limited attack on that combined scheme : 

Eve wishes to prove Alice initiated a specific key exchange.  Eve
somehow compromises Alice's z and (r,s) from the key exchange session,
say by performing an MITM attack after compromising Bob's private key.
And Eve later compromises Alice's private key.

Eve examines the (r,s) sent by Alice.  As Eve knows d_A she can solve
for the random scalar k in  s = k^{-1} (z + r d_A) mod n  to deduce the
random point (x_1,y_1) and find the collaborative random value x, thus
voiding Alice's deniability.

A priori, I could imagine any of these schemes still having value :

    Scheme    |  Info Eve needs to violate deniability
    ----------+-----------------------------------------------
    DT        |  z and (r,s) and Alice's public key
    J error   |  x, z, and (r,s) and Alice's public key
    C & J     |  z and (r,s) and Alice's private key
    TripleDH  |  Impossible

Also, my issues with EdDSA had this character too, so maybe equivalent
tricks can be played with EdDSA now.


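The nonce-recovery step in the message above (solving s = k^{-1}(z + r d_A) mod n for k once d_A is known, then recomputing the point (x_1, y_1) = k*G) is the standard ECDSA identity, and the example below walks through it. This is an added illustration, not code from the GNUnet thread or project: it implements textbook ECDSA in pure Python over secp256k1 (the thread does not name a curve; that choice, the sample message and the key are constructed here), signs a hash z, and then shows that from (d_A, z, r, s) alone the per-signature k and the "random point" follow, which is exactly why the C & J row of the table needs only the private key to void deniability.

```python
# Added example: textbook ECDSA over secp256k1 in pure Python, used to show
# that a leaked private key d_A plus one signature (r, s) on hash z yields the
# nonce k = s^{-1}(z + r d_A) mod n and hence the point (x_1, y_1) = k*G.
# Curve choice, message and keys are constructed for this illustration.
import hashlib
import secrets

# secp256k1 domain parameters (well-known public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)


def inv(a, m):
    """Modular inverse (Python 3.8+)."""
    return pow(a, -1, m)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P) = infinity (also covers doubling with y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_z(msg):
    """z = SHA-256(msg) interpreted as an integer mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, z, k=None):
    """ECDSA signature of z under private key d; returns (r, s, k).

    k is returned only so the demonstration can compare it with the
    recovered value; a real signer never exposes it.
    """
    while True:
        if k is None:
            k = secrets.randbelow(N - 1) + 1
        x1, _ = ec_mul(k, G)          # the "random point" (x_1, y_1)
        r = x1 % N
        s = inv(k, N) * (z + r * d) % N
        if r != 0 and s != 0:
            return r, s, k
        k = None                      # degenerate case: pick a fresh nonce


def verify(pub, z, r, s):
    """Standard ECDSA verification."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_nonce(d, z, r, s):
    """Eve's step from the message: with d_A, z and (r, s) known,
    k = s^{-1} (z + r d_A) mod n."""
    return inv(s, N) * (z + r * d) % N


def demo():
    """Sign a constructed message, then recover k and (x_1, y_1) from d_A."""
    d_a = secrets.randbelow(N - 1) + 1          # Alice's private key (constructed)
    pub = ec_mul(d_a, G)
    z = hash_to_z(b"constructed key-exchange transcript hash")
    r, s, k_true = sign(d_a, z)
    assert verify(pub, z, r, s)
    k_rec = recover_nonce(d_a, z, r, s)
    x1, _y1 = ec_mul(k_rec, G)                  # the point Eve wanted
    return k_rec == k_true, x1 % N == r


if __name__ == "__main__":
    print(demo())
```

The recovery needs no trick beyond the signing equation itself, which is the point of the thread's observation: whatever collaborative randomness is folded into z or into the choice of x, a signature whose nonce is algebraically tied to the private key stops being deniable the moment that key leaks, whereas a Triple-DH style exchange has no such scalar to recover.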
