On Wed, Jun 23, 2021 at 8:07 PM Ben Harris <m...@bharr.is> wrote:
>
> On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <tr...@trevp.net> wrote:
>>
>> I think (b) is easy to check, so the risk with Encrypt()=XOR of
>> Hash(password) is about (a): maybe Alice could find two DH public
>> values whose encodings have some XOR difference, and for which she
>> knows the discrete log?
>
> Alice could generate a nonce for the encryption using Hash(Encode(g^a)). Bob
> can verify the nonce was correctly generated before replying to Alice. This
> makes the XOR depend on the public value?

Remember (b): if you add something which Bob can check to Alice's message, then Bob can rule out passwords.

Trevor
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
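
Point (b) applied to the nonce proposal, as an added example that is not code from either poster. It assumes the nonce travels in the clear with Alice's message and that the XOR pad is Hash(password, nonce); SHA-256, the helper names and the 32-byte stand-in for Encode(g^a) are constructed for illustration.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    # Length-prefix each part so the concatenation is unambiguous.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def alice_message(password: str, encoded_pub: bytes):
    # Assumed reading of the proposal: nonce = Hash(Encode(g^a)),
    # ciphertext = Encode(g^a) XOR Hash(password, nonce).
    nonce = H(b"nonce", encoded_pub)
    pad = H(b"pad", password.encode(), nonce)
    return nonce, xor(encoded_pub, pad)

def passes_check(candidate: str, nonce: bytes, ct: bytes) -> bool:
    # The check Bob is meant to run before replying. It needs nothing but
    # the message and a password guess, so it also works as a password test.
    pad = H(b"pad", candidate.encode(), nonce)
    return H(b"nonce", xor(ct, pad)) == nonce

def surviving_passwords(candidates, nonce: bytes, ct: bytes):
    # Every candidate that fails the check has been ruled out.
    return [c for c in candidates if passes_check(c, nonce, ct)]

def plain_xor_decryptions(candidates, ct: bytes):
    # Without the nonce there is nothing to compare against: each guess
    # yields some 32-byte string, none distinguishable from the others
    # (assuming every 32-byte string is a valid encoding).
    return {c: xor(ct, H(b"pad", c.encode())) for c in candidates}

# Constructed sample data: a stand-in for Encode(g^a) and a small guess list.
ENCODED_PUB = hashlib.sha256(b"constructed stand-in for Encode(g^a)").digest()
CANDIDATES = ["123456", "letmein", "correct horse", "hunter2"]

if __name__ == "__main__":
    nonce, ct = alice_message("correct horse", ENCODED_PUB)
    print("passes Bob's check:", surviving_passwords(CANDIDATES, nonce, ct))
    plain_ct = xor(ENCODED_PUB, H(b"pad", b"correct horse"))
    print("plain XOR, guesses left:", len(plain_xor_decryptions(CANDIDATES, plain_ct)))
```
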