1

There is DH key exchange, but it requires an exchange before participants get to the shared secret. If Bob has only published a verifying key VB, is there a scheme where the following can be achieved?

  1. Alice, from Bob's verification key VB and some nonce N, derives an ephemeral encryption key EB for Bob
  2. Bob, from EB, N and SB, reduces the decryption key DB
  3. Without knowledge of SB, Alice can not reduce DB from what they have
Blair Noctis
  • 11
  • 3
  • Welcome to cryptography.se. $E_A$ is not Alice encryption key in DHKE. There is a secret number of Alice $a$ and similarly for Bob $b$. Alice shares $g^a$ and Bob shares $g^b$ then they can arrive the same value $g^{ab}$. After this a key derivation function is used for derive symmetric encryption key. Your use of words make your question unclear. Could you modify your question ❓ – kelalaka Oct 15 '23 at 09:02
  • @kelalaka Thanks for pointing out! I've reworded it. – Blair Noctis Oct 15 '23 at 12:20
  • There is https://crypto.stackexchange.com/questions/15207 that asked the same question (basically). Apologies for a duplicate, I really couldn't find such a question until it appeared in Related. – Blair Noctis Oct 15 '23 at 12:32
  • If it satisfies you we can make it duplicate. It is a good character to look around to find it, we rarely see it from new contributors. – kelalaka Oct 15 '23 at 15:32
  • BIP32 specified such a scheme, while BIP32-Ed25519 is BIP32 applied to Ed25519, specified in https://ieeexplore.ieee.org/document/7966967. – Blair Noctis Oct 18 '23 at 04:35

0 Answers0