[tor-dev] Proposal 332: Ntor protocol with extra data, version 3.

Ian Goldberg iang at uwaterloo.ca
Mon Jul 12 19:04:11 UTC 2021

On Mon, Jul 12, 2021 at 12:01:47PM -0400, Nick Mathewson wrote:
> Both parties know that they used the same verification string; if
> they did not, they do not learn what the verification string was.
> (This feature is required for HS handshakes.)

I'm not sure the protocol you specify has this feature as written.  For
example, if the verification string has low entropy, the server could
brute-force the client's verification string (using the MAC to check its
guess).  This is unlike, say, OTR's SMP or a PAKE, in which each online
execution of the protocol allows the server just one guess.

But perhaps you don't actually need the property in as strong a form as
you wrote it, since the HS handshake application has high-entropy

More information about the tor-dev mailing list