[12313] in cryptography@c2.net mail archive
Re: Key Pair Agreement?
daemon@ATHENA.MIT.EDU (Jack Lloyd)
Mon Jan 20 18:48:39 2003
X-Original-To: cryptography@wasabisystems.com
Date: Mon, 20 Jan 2003 17:54:22 -0500 (EST)
From: Jack Lloyd <lloyd@acm.jhu.edu>
To: David Wagner <daw@mozart.cs.berkeley.edu>
Cc: <cryptography@wasabisystems.com>
In-Reply-To: <b0hsiu$p9t$1@abraham.cs.berkeley.edu>
On 20 Jan 2003, David Wagner wrote:
> If you're worried about the security of allowing Scott to choose the
> low bits of Alice's public key, you could have Scott and Alice perform
> a joint coin-flipping protocol to select a random 64-bit string that
> neither can control, then proceed as before.
STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE))
seems simple enough.
However, there is no way to be sure the RSA key is actually at all safe in
this case. For example, Alice could choose a 950-bit prime, and then
whenever she needed a new key, just choose a small (50- or 100-bit) prime as
the other factor. All in all, the DSA case seems easier because there are
fewer things which an observer cannot verify.
Doing something like this for the DSA case (with y) might be nice, since
that would force Alice to choose a new x each time as well as new p,q,g.
-Jack
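A commit-then-reveal version of the joint seed selection discussed above, as an added example that is not part of the original thread: it derives the 64-bit string exactly as the line STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE)) does, and adds the commitment round a practitioner would want so that whoever reveals a seed second cannot grind it after seeing the other party's seed and steer the output. The 32-byte seed length, SHA-256 for the commitments, and reading LOW_64 as the last 8 bytes of the SHA-1 digest are assumptions not stated in the post.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 32  # bytes; assumption, the post does not fix a seed length


def commit(seed: bytes) -> bytes:
    """Hash commitment to a seed. SHA-256 with a domain tag is an assumption;
    the post only names SHA-1 for the final derivation."""
    return hashlib.sha256(b"coinflip-commit|" + seed).digest()


def derive_string(seed_from_scott: bytes, seed_from_alice: bytes) -> bytes:
    """STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE)) from the post.
    LOW_64 is taken as the low-order (last) 8 bytes of the digest: assumption."""
    digest = hashlib.sha1(seed_from_scott + seed_from_alice).digest()
    return digest[-8:]


def joint_coin_flip(scott_seed: bytes, alice_seed: bytes,
                    scott_commitment: bytes, alice_commitment: bytes) -> bytes:
    """Reveal phase. Each revealed seed must match the commitment published
    before either seed was known; a mismatch aborts the protocol. Without the
    commitments the second party to choose could try many seeds until the
    64-bit output suited them, which is exactly what the joint flip is meant
    to prevent."""
    if not hmac.compare_digest(commit(scott_seed), scott_commitment):
        raise ValueError("Scott's revealed seed does not match his commitment")
    if not hmac.compare_digest(commit(alice_seed), alice_commitment):
        raise ValueError("Alice's revealed seed does not match her commitment")
    return derive_string(scott_seed, alice_seed)


def run_protocol() -> bytes:
    """Both rounds of the flip run locally for illustration (seeds constructed
    here, not taken from any real exchange)."""
    # Round 1: each party picks a fresh seed and publishes only its commitment.
    scott_seed = secrets.token_bytes(SEED_LEN)
    alice_seed = secrets.token_bytes(SEED_LEN)
    c_scott, c_alice = commit(scott_seed), commit(alice_seed)
    # Round 2: both seeds are revealed and checked against the commitments,
    # then the 64-bit string neither party controlled is derived.
    return joint_coin_flip(scott_seed, alice_seed, c_scott, c_alice)


if __name__ == "__main__":
    print(run_protocol().hex())
```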
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com