On 1 March 2015 at 12:33, Ben Harris <[email protected]> wrote:
> On 01/03/2015 7:45 pm, "Ben Laurie" <[email protected]> wrote:
>>
>> On 1 March 2015 at 07:24, Michael Hamburg <[email protected]> wrote:
>> > Perhaps you should use oblivious function evaluation with a user-specific
>> > secret at the server. So for example, server has a per-user secret key e,
>> > and user has a (salted, scrypted) password p. Let h = hash(p) on some curve.
>> >
>> > client chooses a uniformly random scalar r.
>> > client -> server: Q = h^r
>> > server -> client: P = Q^e = h^er
>> > client computes P^1/r = h^e, and uses the hash of that point as part of the
>> > secret key derivation.
>>
>> I feel sure I'm missing something, but doesn't the server also need h^e?
>
> The server receives Q from the client and multiplies the point Q by e. The
> client then removes the random blanking factor r to get h^e. The server
> doesn't know r so it can't remove the blanking.

Yeah, so now the client has h^e, but no-one else does - so what use is that? I'm confused.

> I thought there was an attack on this discussed on this list though?

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
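The blinded exchange Michael describes (client sends Q = h^r, server returns Q^e, client unblinds with 1/r), as an added example that is not from the thread: it uses a multiplicative group mod a toy safe prime in place of a curve, and the password, salt and per-user server key e are constructed demo values. The subgroup check on the server and the way h is mapped into the group are the two details worth reading closely.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1 (assumed demo parameter, not from the thread) so
# values stay readable. Arithmetic is identical for a standard large MODP
# group; on a curve, "h^r" becomes scalar multiplication r*H.
P = 1019
Q = (P - 1) // 2  # prime order of the subgroup of quadratic residues mod P
GROUP_BYTES = (P.bit_length() + 7) // 8

def in_subgroup(x: int) -> bool:
    """True if x is a non-identity element of the order-q subgroup."""
    return 1 < x < P and pow(x, Q, P) == 1

def hash_to_group(password: bytes, salt: bytes) -> int:
    """h = hash(p): map the salted password into the subgroup."""
    # Squaring lands in the subgroup without anyone learning the discrete
    # log of h. Using g**H(pw) instead would let a client turn one h^e into
    # h'^e for any other password, which defeats the point of the scheme.
    x = int.from_bytes(hashlib.sha256(salt + password).digest(), "big")
    return pow(x % (P - 3) + 2, 2, P)

def client_blind(h: int):
    """Client chooses a uniformly random scalar r and sends Q = h^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(h, r, P)

def server_evaluate(blinded: int, e: int) -> int:
    """Server returns P = Q^e. It sees only the blinded point, never h or p."""
    if not in_subgroup(blinded):
        raise ValueError("blinded point is not in the prime-order subgroup")
    return pow(blinded, e, P)

def client_unblind(evaluated: int, r: int) -> int:
    """Client computes P^(1/r) = h^(e*r*r^-1) = h^e using r^-1 mod q."""
    return pow(evaluated, pow(r, -1, Q), P)

def derive_key(password: bytes, salt: bytes, e: int) -> bytes:
    """One full round trip; returns the hash of h^e fed into key derivation."""
    h = hash_to_group(password, salt)
    r, blinded = client_blind(h)
    point = client_unblind(server_evaluate(blinded, e), r)
    return hashlib.sha256(point.to_bytes(GROUP_BYTES, "big")).digest()
```

Without the server's e, an attacker holding only the salt and a stolen derived key cannot test password guesses offline, which is the use Ben Laurie asks about.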
