My understanding of sphinx is that the user is constructing *hash(password, hash(password)^device_key)* in such a way that the user never sees *device_key* and the device never sees *hash(password)*. That is achieved by sending *hash(password)^p* with random *p* to the device/server, which responds with *hash(password)^(p\*device_key)*, and then the user calculates *hash(password)^(p\*device_key)^1/p* = *hash(password)^device_key* to get the final randomized password.
Expanding on Alexey's question: which curves/libs currently support calculations of inverse (1/p) so that it is possible to restore *hash(password)^device_key*? We ran into this issue exactly while considering adding sphinx to our crypto relays (which are completely on curve25519).

- max
vault12 <https://vault12.com/>
blog <http://skibinsky.com/>
linkedin <http://bit.ly/max-li>

On Tue, May 30, 2017 at 3:37 PM, Mike Hamburg <m...@shiftleft.org> wrote:

> Is it enough to use 8*r and 8*(r^-1 mod q) for this protocol?
>
> If not, or if you can’t prove it, you could always use my library at
>
> https://sourceforge.net/projects/ed448goldilocks/
>
> It gives a prime-order quotient group of Ed448 and Curve25519, and it
> implements Elligator and division mod q.
>
> — Mike
>
> On May 30, 2017, at 3:31 PM, Alexey Ermishkin <scratch....@gmail.com> wrote:
>
> > Thanks for pointing out my mistakes and a very good explanation. I will
> > continue to dig deeper
> >
> > _______________________________________________
> > Curves mailing list
> > Curves@moderncrypto.org
> > https://moderncrypto.org/mailman/listinfo/curves
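The blind / evaluate / unblind exchange described in this message, using the `8*r` and `8*(r^-1 mod q)` scalars from the quoted reply, as an added example that is not code from the thread or from any library named in it. Function names are hypothetical, `hash_to_point` is a stand-in rather than Elligator, and the ladder is not constant-time. It shows only that the unblinded value is [64·device_key]H whatever r was; it does not settle whether that choice is sufficient for the protocol.

```python
import hashlib
import secrets

P = 2**255 - 19                                      # Curve25519 field prime
Q = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order q
A24 = 121665                                         # (486662 - 2) / 4

def ladder(k, u):
    """u-coordinate of [k]P: RFC 7748 ladder, no clamping, NOT constant-time."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in reversed(range(k.bit_length())):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a, b * b, d * a, c * b
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P    # 0 encodes the point at infinity

def hash_to_point(password):
    """Assumed stand-in for a real hash-to-curve: [SHA-512(pw) mod q]B, B = 9."""
    h = int.from_bytes(hashlib.sha512(password).digest(), "little") % Q
    return ladder(h, 9)

def blind(h_u, r):
    """Client -> device: [8r]H. The device never sees H itself."""
    return ladder(8 * r, h_u)

def evaluate(device_key, a_u):
    """Device -> client: [device_key][8r]H. The key never leaves the device."""
    return ladder(device_key, a_u)

def unblind(b_u, r):
    """Client: multiply by 8*(r^-1 mod q); r cancels mod q, leaving [64*key]H."""
    return ladder(8 * pow(r, -1, Q), b_u)

if __name__ == "__main__":
    k = 1 + secrets.randbelow(Q - 1)     # constructed device key
    r = 1 + secrets.randbelow(Q - 1)     # fresh blinding scalar per request
    H = hash_to_point(b"correct horse")  # constructed sample password
    out = unblind(evaluate(k, blind(H, r)), r)
    print("matches [64k]H:", out == ladder(64 * k, H))
```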