<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=GBK">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi all,</p>
<p>I have a question about the protocol of OTRv3:</p>
<p>
<blockquote type="cite">
<p>Bob will be initiating the AKE with Alice.</p>
<ul>
<li>Bob:
<ol>
<li>Picks a random value r (128 bits)</li>
<li>Picks a random value x (at least 320 bits)</li>
<li>Sends Alice AES<sub>r</sub>(g<sup>x</sup>), HASH(g<sup>x</sup>)</li>
</ol>
</li>
<li>Alice:
<ol>
<li>Picks a random value y (at least 320 bits)</li>
<li>Sends Bob g<sup>y</sup></li>
</ol>
</li>
<li>Bob:
<ol>
<li>Verifies that Alice's g<sup>y</sup> is a legal value
(2 &lt;=
g<sup>y</sup> &lt;= modulus-2)</li>
<li>Computes s = (g<sup>y</sup>)<sup>x</sup></li>
<li>Computes two AES keys c, c' and four MAC keys m1, m1',
m2, m2' by
hashing s in various ways</li>
<li>Picks keyid<sub>B</sub>, a serial number for his D-H
key
g<sup>x</sup></li>
<li>Computes M<sub>B</sub> = MAC<sub>m1</sub>(g<sup>x</sup>,
g<sup>y</sup>,
pub<sub>B</sub>, keyid<sub>B</sub>)</li>
<li>Computes X<sub>B</sub> = pub<sub>B</sub>, keyid<sub>B</sub>,
sig<sub>B</sub>(M<sub>B</sub>)</li>
<li>Sends Alice r, AES<sub>c</sub>(X<sub>B</sub>),
MAC<sub>m2</sub>(AES<sub>c</sub>(X<sub>B</sub>))</li>
</ol>
</li>
<li>Alice:
<ol>
<li>Uses r to decrypt the value of g<sup>x</sup> sent
earlier</li>
<li>Verifies that HASH(g<sup>x</sup>) matches the value
sent earlier</li>
<li>......</li>
<li>Sends Bob AES<sub>c'</sub>(X<sub>A</sub>),
MAC<sub>m2'</sub>(AES<sub>c'</sub>(X<sub>A</sub>))</li>
</ol>
</li>
</ul>
</blockquote>
What is the point of sending AES<sub>r</sub>(g<sup>x</sup>) and r
later, rather than g<sup>x</sup> in plain-text form?<br>
</p>
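<p>Added example (not part of the original post or of the OTR specification): the commit and reveal steps for g<sup>x</sup> quoted above, in Node.js, showing that Alice can only read g<sup>x</sup> once r arrives and that a reveal which does not match the earlier hash is rejected. It assumes SHA-256 for HASH, AES-128-CTR with an all-zero counter for AES, g = 2, Node's built-in modp14 group as the modulus, and a plain big-endian encoding of g<sup>x</sup>; none of these are stated in the quoted text.</p>
<pre>
```javascript
// Added example: commit/reveal of g^x as in the quoted AKE steps.
// Assumptions (not in the quoted text): HASH = SHA-256, AES = AES-128-CTR with
// an all-zero initial counter, g = 2, modulus = Node's built-in 'modp14' group,
// and g^x serialized as plain big-endian bytes.
const nodeCrypto = require('crypto');

const P = BigInt('0x' + nodeCrypto.getDiffieHellman('modp14').getPrime('hex'));
const G = 2n;
const ZERO_CTR = Buffer.alloc(16);

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

const toBytes = (n) => {
  const h = n.toString(16);
  return Buffer.from(h.length % 2 ? '0' + h : h, 'hex');
};
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();
const aesCtr = (key, data) => {
  const c = nodeCrypto.createCipheriv('aes-128-ctr', key, ZERO_CTR);
  return Buffer.concat([c.update(data), c.final()]);
};

// Bob, first message: pick r (128 bits) and x (320 bits),
// then send AES_r(g^x) and HASH(g^x). r stays with Bob for now.
function bobCommit() {
  const r = nodeCrypto.randomBytes(16);
  const x = BigInt('0x' + nodeCrypto.randomBytes(40).toString('hex'));
  const gx = toBytes(modPow(G, x, P));
  return { secret: { r, x, gx }, msg: { encGx: aesCtr(r, gx), hashGx: sha256(gx) } };
}

// Alice, after Bob reveals r: decrypt g^x and compare it with the earlier hash.
// Returns g^x as a BigInt, or null when the reveal does not match the commitment.
function aliceOpen(msg, r) {
  const gx = aesCtr(r, msg.encGx); // CTR decryption is the same keystream XOR
  const ok = nodeCrypto.timingSafeEqual(sha256(gx), msg.hashGx);
  return ok ? BigInt('0x' + gx.toString('hex')) : null;
}
```
</pre>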
</body>
</html>