[Cryptography] Name for three key ECDH

Thierry Moreau thierry.moreau at connotech.com
Sun Apr 7 15:31:23 EDT 2019

On 06/04/19 08:56 PM, Phillip Hallam-Baker wrote:
> One of the features I am using in the Mesh is the an authenticated and
> encrypted ECDH mode. I will explain in discrete log but y'all know what
> I mean here.
> One of my hold ups here is what to call this exchange.
> I am trying to tweak this to get the desired properties.
> * Every message should be authenticated under the sender's key.
> * The communication should not create a non repudiable proof of the
> involvement of either party
> * All communications after the first request to be encrypted
> * Enable pre-calculation of the exchange on the client side to the
> greatest extent possible
Hugo Krawczyk SIGMA ...
> The last was something I was thinking about this morning. If I have a
> light bulb and it is using a stream cipher, I don't really need to wait
> to do any of the calculations normally required to encrypt a request. I
> can prepare the 'encryption' part of the request when the device turns
> on and immediately after a message is sent.
> So Alice has long term credential {a, A (= e^a mod p)} and the service
> has long term credential {s, S}. At the start of the communication,
> Alice does not have the Service credential but we assume she can
> authenticate it from a fingerprint or whatever.
> There isn't much Alice can do until she knows the public key of the
> service except send her own public key. We generate a nonce n_A and use
> it to create a blinding function N_A. The key that we will use is
> (A.N_A) mod p.

She may send an ephemeral D-H public value and a request for same and 
some authentication from the server, thus hiding her identity. See SIGMA 
and e.g. HIP implementation (IETF Host Identity Protocol).

- Thierry

More information about the cryptography mailing list