On 03/10/13 16:45, Trevor Perrin wrote:
> Suppose you are a good guy with a static curve25519 key, and a bad
> guy is sending you 32-byte strings, claiming them to be ephemeral
> curve25519 public keys for use in an ephemeral-static
> Diffie-Hellman.
>
> You repeatedly perform your side of the ephemeral-static DH. I.e.,
> you perform a curve25519 operation between the bad guy's alleged
> ephemeral public key and your private key. After each DH, you give
> the bad guy, say, some MAC based on the Diffie-Hellman result.
>
> At issue is whether this is safe without checking that the bad
> guy's strings correspond to possible public keys.
>
> And it is, with curve25519!

Thanks! I think I finally understand what it means to say that all
32-byte values are allowed as public keys but not all are valid
public keys. Sorry for taking so many round-trips. :-)

Cheers,
Michael

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
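
The responder side of the scenario quoted above, as an added example that is not part of the original thread: a reference X25519 following RFC 7748 (plain Python, not constant-time) accepts every 32-byte string, and for low-order inputs such as u = 0 or u = 1 the clamped scalar produces an all-zero shared secret that is independent of the static key. `respond`, `STATIC`, `shared_is_zero`, the MAC context string and the sample inputs are constructed for illustration.

```python
# Added example, not from the thread. Reference code only: not constant-time.
import hashlib, hmac
P, A24 = 2**255 - 19, 121665   # field prime; (486662 - 2) / 4 as in RFC 7748

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519. Accepts every 32-byte u; there is no failure path."""
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64   # clamp: scalar becomes a multiple of 8
    n = int.from_bytes(s, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P  # drop top bit, reduce
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):           # Montgomery ladder, high bit first
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def respond(static_priv: bytes, claimed_pub: bytes) -> bytes:
    """Good guy's side: DH with whatever 32 bytes arrived, then MAC the result."""
    if len(claimed_pub) != 32:
        raise ValueError("expected 32 bytes")
    shared = x25519(static_priv, claimed_pub)
    return hmac.new(shared, b"constructed-context", hashlib.sha256).digest()

BASE = (9).to_bytes(32, "little")
STATIC = hashlib.sha256(b"constructed static key").digest()   # constructed, not random
SAMPLES = {   # constructed inputs: one honest key, then strings no honest peer sends
    "honest":   x25519(hashlib.sha256(b"constructed ephemeral").digest(), BASE),
    "u = 0":    bytes(32),
    "u = 1":    (1).to_bytes(32, "little"),
    "u = p":    P.to_bytes(32, "little"),    # non-canonical encoding of 0
    "all 0xff": b"\xff" * 32,                # top bit masked, value reduced mod p
}

def shared_is_zero(pub: bytes) -> bool:
    """True when the DH result is all zeros, i.e. the input had low order."""
    return x25519(STATIC, pub) == bytes(32)

if __name__ == "__main__":
    for name, pub in SAMPLES.items():
        print(f"{name:9} zero={shared_is_zero(pub)} mac={respond(STATIC, pub).hex()[:16]}")
```

RFC 7748 allows a protocol to check for the all-zero output and abort when it needs the peer to have contributed to the shared secret.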