On Thu, 24 Jun 2021, 9:50 am Trevor Perrin, <tr...@trevp.net> wrote:

> I think (b) is easy to check, so the risk with Encrypt()=XOR of
> Hash(password) is about (a): maybe Alice could find two DH public
> values whose encodings have some XOR difference, and for which she
> knows the discrete log?

Alice could generate a nonce for the encryption using Hash(Encode(g^a)). Bob can verify the nonce was correctly generated before replying to Alice. This makes the XOR depend on the public value?

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves