Hi Scott,
On 3/8/21 7:09 AM, Scott Fluhrer (sfluhrer) wrote:
> Again, last minute reviews…
>
> It would appear that the exact computations that both the client and
> the server need to perform need to be explicitly spelled out, as
> there are several possibilities.
>
> Here is the one I could see that appears to have the security
> properties that you appear to be looking for:
>
> Variable names:
>
> g – Well known group generator
> h – The secret generator that is private to the client and the server
> z – The secret value known to the client; g^z = h
> x – The client’s ephemeral DH private value
> y – The server’s ephemeral DH private value
>
> Client keyshare:
>
> This is the value g^x
>
> When the server receives this, he selects y (and retrieves the value
> h); he then transmits (as his keyshare) the value:
>
> h^y
>
> and stirs the value (g^x)^y into his KDF
>
> When the client receives this (h^y), he computes:
>
> (h^y) ^ (x z^-1)
>
> (where z^-1 is the modular inverse of z modulo the group order), and
> stirs that value into his KDF.
>
> With this protocol, it appears that the client needs to know not only
> h, but also the value z. However, this really needs to be spelled out
> (and run past the CFRG to check for subtle issues).
That is an interesting exchange but it is not DPP and it is not TLS-pok.
regards,
Dan.
--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
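The exchange Scott sketches in the quoted message, carried through in code as an added example; it is not part of the thread, of DPP, or of the TLS-pok draft. It works in the prime-order subgroup of Z_p^* with p = 2q + 1 and checks the two points his sketch raises: the client's derivation (h^y)^(x z^-1) lands on g^(xy) only if it holds z and not just h, and a responder that does not know h cannot reach the same KDF input. Everything about the group is an assumption of mine: a toy-sized safe prime generated at import time (128 bits by default; a real deployment would use a standardised group such as one from RFC 7919), the generator g = 4, the `secrets` module for randomness, and Python 3.8+ for `pow(z, -1, q)`.

```python
"""Scott Fluhrer's sketched exchange, worked in a safe-prime group.
Added example, not code from the thread; group generation is my own toy."""
import secrets
from dataclasses import dataclass

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division then Miller-Rabin; adequate for a demo-sized group."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Group:
    p: int  # safe prime
    q: int  # (p - 1) / 2, prime order of the subgroup all values live in
    g: int  # generator of that order-q subgroup


def make_group(bits: int = 128) -> Group:
    """Assumed toy group: p = 2q + 1 with p, q prime; g = 4 then has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if q % 3 == 1:  # then 2q + 1 is divisible by 3, skip cheaply
            continue
        if (is_probable_prime(q, rounds=4) and is_probable_prime(2 * q + 1)
                and is_probable_prime(q)):
            p = 2 * q + 1
            g = pow(2, 2, p)  # a quadratic residue != 1, hence of order q
            return Group(p, q, g)


def provision(grp: Group):
    """Out-of-band step: both sides learn h; the client also holds z, g^z = h.
    z is drawn from 2..q-1 so it is invertible mod q and never the trivial 1."""
    z = secrets.randbelow(grp.q - 2) + 2
    return z, pow(grp.g, z, grp.p)


def in_subgroup(grp: Group, v: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < v < grp.p - 1 and pow(v, grp.q, grp.p) == 1


def client_keyshare(grp: Group):
    """Client sends g^x."""
    x = secrets.randbelow(grp.q - 1) + 1
    return x, pow(grp.g, x, grp.p)


def server_respond(grp: Group, h: int, client_share: int):
    """Server picks y, sends h^y, stirs (g^x)^y into its KDF."""
    if not in_subgroup(grp, client_share):
        raise ValueError("bad client keyshare")
    y = secrets.randbelow(grp.q - 1) + 1
    return pow(h, y, grp.p), pow(client_share, y, grp.p)


def client_finish(grp: Group, x: int, z: int, server_share: int) -> int:
    """Client computes (h^y)^(x z^-1 mod q) = g^(z y x z^-1) = g^(xy)."""
    if not in_subgroup(grp, server_share):
        raise ValueError("bad server keyshare")
    e = (x * pow(z, -1, grp.q)) % grp.q
    return pow(server_share, e, grp.p)


def run_exchange(bits: int = 128) -> dict:
    """Honest run plus the two failure cases Scott's sketch implies."""
    grp = make_group(bits)
    z, h = provision(grp)
    x, c_share = client_keyshare(grp)
    s_share, server_key = server_respond(grp, h, c_share)
    client_key = client_finish(grp, x, z, s_share)
    # A client holding h but not z can only do plain DH on h^y: g^(zxy) != g^(xy).
    client_without_z = pow(s_share, x, grp.p)
    # A responder that does not know h can only send g^y; the client then
    # derives g^(xy/z) while the responder holds g^(xy), so the keys disagree.
    y_rogue = secrets.randbelow(grp.q - 1) + 1
    rogue_key = pow(c_share, y_rogue, grp.p)
    client_vs_rogue = client_finish(grp, x, z, pow(grp.g, y_rogue, grp.p))
    return {"group": grp, "client_key": client_key, "server_key": server_key,
            "client_without_z": client_without_z, "rogue_key": rogue_key,
            "client_vs_rogue": client_vs_rogue}


if __name__ == "__main__":
    res = run_exchange()
    print("honest keys match:", res["client_key"] == res["server_key"])
    print("client with h only matches:", res["client_without_z"] == res["server_key"])
    print("responder without h matches:", res["client_vs_rogue"] == res["rogue_key"])
```

The subgroup-membership check on each received keyshare is the caveat a reviewer would add to the sketch: without it a peer can send 1 or p-1 and force the other side's KDF input into a two-element set. The inverse z^-1 only exists because q is prime and z is non-zero mod q, which is why the draft would have to pin down the group and the range of z, not just the formula.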