[OTR-users] What type of encryption?

Gregory Maxwell gmaxwell at gmail.com
Wed Mar 22 23:05:57 EST 2006


On 3/22/06, Ian Goldberg <ian at cypherpunks.ca> wrote:
> We've talked about this before, and in fact there's a much cooler way to
> do this, which I totally have plans to implement.  It's called the
> "socialist millionaire's protocol", and it lets two people determine if
> they both know the same secret, while revealing no information about
> each other's secret if they're not the same.  The way that it works is
> that both sides end up computing r^(sA-sB), where sA and sB are Alice
> and Bob's secrets (which don't have to have high entropy), and r is a
> random number neither side learns.  So if the secrets are the same, the
> value of this expression is 1, and if they're different, it's a random
> number.
>
> This was hard to do in OTRv1, when fingerprint verification was done
> before any data could be exchanged.  But this would be another (easier)
> way to go from "unverified" to "private" in OTRv2.

Ah, that is cool!

Doesn't address my other blather about providing additional security
against DH weaknesses.. but I'm just paranoid... the total dependence
of so many cryptographic protocols on discrete log problem based
cryptosystems, which are already known to be sub-exponential...  I
just find it troubling, I used to think it was because I didn't really
understand them... but even now, so many years later, with a reasonable
understanding of the math... it still seems imprudent, so as I said,
I'm just paranoid. :)   I wish there were multiple proven-unrelated
selections for the popular public key systems... oh well.
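The exchange Ian describes above, worked through as an added example (this is not OTR's code and not from either poster). It is a stripped-down Socialist Millionaires' Protocol run with both sides simulated in one process, over a constructed ~64-bit safe-prime group rather than OTR's 1536-bit group, and it omits the zero-knowledge proofs that the real SMP attaches to each message to stop a cheating peer from picking malformed values. The point it shows is the one in the quoted text: each side ends up with `g2^((sB-sA)*a3*b3)`, the "r^(sA-sB)" of the thread with `r = g^(a2*b2*a3*b3)` known to neither side, which is exactly 1 when the secrets match and an unpredictable group element otherwise.

```python
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 primes as bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start: int):
    """Smallest safe prime p = 2q + 1 with q >= start. Toy size; OTR uses a 1536-bit group."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P_MOD, Q_ORD = safe_prime_group(1 << 63)  # constructed ~64-bit parameters, demo only
G = 4  # a quadratic residue, so it generates the prime-order-q subgroup

def secret_to_int(secret: bytes) -> int:
    """Map a (possibly low-entropy) shared secret into the exponent group."""
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % Q_ORD

def rand_exp() -> int:
    return 1 + secrets.randbelow(Q_ORD - 1)  # uniform in [1, q-1]

class Party:
    """One side of the comparison; the protocol is symmetric, so both sides use this class."""

    def __init__(self, secret: bytes):
        self.s = secret_to_int(secret)
        self.e2, self.e3 = rand_exp(), rand_exp()  # this side's contributions to g2 and g3
        self.blind = rand_exp()                    # per-run blinding exponent

    def round1(self):
        return pow(G, self.e2, P_MOD), pow(G, self.e3, P_MOD)

    def set_peer_bases(self, peer_g2, peer_g3):
        # g2 = g^(a2*b2), g3 = g^(a3*b3): shared values whose full exponents neither side knows
        self.g2 = pow(peer_g2, self.e2, P_MOD)
        self.g3 = pow(peer_g3, self.e3, P_MOD)

    def round2(self):
        # P = g3^blind, Q = g^blind * g2^secret (the secret is hidden behind g2 and the blind)
        self.p_val = pow(self.g3, self.blind, P_MOD)
        self.q_val = pow(G, self.blind, P_MOD) * pow(self.g2, self.s, P_MOD) % P_MOD
        return self.p_val, self.q_val

    def round3(self, peer_p, peer_q):
        self.peer_p = peer_p
        quotient = self.q_val * pow(peer_q, -1, P_MOD) % P_MOD  # Q_self / Q_peer
        return pow(quotient, self.e3, P_MOD)                    # R_self

    def finish(self, peer_r) -> int:
        """Return g2^((s_peer - s_self) * a3 * b3), the thread's r^(sB - sA): 1 iff secrets match."""
        rab = pow(peer_r, self.e3, P_MOD)                        # (Q_peer / Q_self)^(a3*b3)
        pp = self.peer_p * pow(self.p_val, -1, P_MOD) % P_MOD    # P_peer / P_self = g3^(blind diff)
        return rab * pow(pp, -1, P_MOD) % P_MOD

def run_smp(alice_secret: bytes, bob_secret: bytes):
    """Drive both sides locally; returns the final comparison value each side computes."""
    alice, bob = Party(alice_secret), Party(bob_secret)
    a_g2, a_g3 = alice.round1()
    b_g2, b_g3 = bob.round1()
    alice.set_peer_bases(b_g2, b_g3)
    bob.set_peer_bases(a_g2, a_g3)
    pa, qa = alice.round2()
    pb, qb = bob.round2()
    ra = alice.round3(pb, qb)
    rb = bob.round3(pa, qa)
    return alice.finish(rb), bob.finish(ra)

if __name__ == "__main__":
    print(run_smp(b"rosebud", b"rosebud"))    # (1, 1): the secrets match
    print(run_smp(b"rosebud", b"snowglobe"))  # two group elements != 1 that say nothing about either secret
```

Each side only ever transmits blinded group elements, so a mismatch leaves the other side with a random-looking value rather than anything it could use to guess the secret offline; that is why low-entropy secrets such as a shared question and answer are acceptable here but not in a scheme that exchanges hashes of the secret.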