[cryptography] Security Discussion: Password Based Key Derivation for Elliptic curve Diffie–Hellman key agreement

James A. Donald jamesd at echeque.com
Tue Dec 17 20:20:40 EST 2013

On 2013-12-18 04:38, Joseph Birr-Pixton wrote:
> In very general terms, you cannot hope to achieve confidentiality
> without authenticity.
> Your key exchange does not offer authenticity. I would suggest instead
> having the user's keys be signing keys, and do straightforward signed
> ephemeral ECDH. This should also gain you forward secrecy.
> Unfortunately this will introduce a data dependency in your protocol,
> which may cause an unacceptable extra round trip.
> With that assumed fixed, your protocol relies entirely on a third
> party (the 'public key server') for authenticity of the key exchange.
> If the overall aim is to avoid having to trust a third party
> (Facebook) to keep messages secret, adding more third parties to the
> problem doesn't seem a great solution.

Google solution:  Implement a protocol such that the key server cannot 
tell the owner of the name on thing, and someone else trying to contact 
the owner of the name a different thing, and cannot rewrite the past.

Bittorrent serves immutable files globally, such that the file must be 
the same for all.  Need a bittorent like algorithm for serving slowly 
mutable tree structures.  Viewed as a history, it is a grow only data 
structure with an ever increasing immutable past.  The history, however, 
is kind of like a git history, representing a fully mutable but slowly 
changing present.

More information about the cryptography mailing list