[1308] in cryptography@c2.net mail archive
Re: Useful El Gamal Variant
daemon@ATHENA.MIT.EDU (Bill Stewart)
Tue Aug 5 15:01:03 1997
Date: Mon, 04 Aug 1997 17:58:53 -0700
To: "Perry's crypto list" <cryptography@c2.net>
From: Bill Stewart <stewarts@ix.netcom.com>
Cc: John Kelsey <kelsey@plnet.net>
In-Reply-To: <MAPI.Id.0016.00656c73657920204542363430303034@MAPI.to.RFC822>
At 03:35 PM 8/3/97 CDT, you wrote:
>I came up with this El Gamal variant a while back, and I'm
>curious about whether anyone else has done something similar.
>(It's not so novel that I would really expect to be the first
>person to come up with it.)
I wouldn't be surprised if PGP 5.0 already does it in approximately
the way you suggest. It's fairly similar to the multiple-recipients
version from the RSA-based PGP, modulo some 160-vs-128 differences.
I don't really understand what you're doing with the check block, though -
is there some attack that it protects against, such as solving a
collection of Y[i]^z to find z?
>1. We have N recipients, with public keys Y[0] to Y[N-1].
>Each public key is a Diffie-Hellman key, as with the above
>example. I also have a private signing key, privKey.
>2. We have a message key, K[*], which is used to encrypt the
>actual message. This is 128 bits long.
>3. I form r = g^z mod p, for some random z.
>4. I form a check block, C = hash(r,K[*]).
>5. For each intended recipient i, I do the following:
> a. Form K[i] = hash(C,Y[i]^z mod p)
> b. Form B[i] = encrypt(K[i],K[*])
>6. Form ciphertext =
> encrypt(K[*],(plaintext,SIGN(privKey, plaintext)))
>7. Form final message M =
> r,C,B[0],B[1],...,B[N-1],ciphertext.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)
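As an added illustration of the quoted scheme (not code from either poster), the following Python runs steps 2 through 5 and 7 for the sender and the matching unwrap for a recipient, who recovers Y[i]^z as r^x, rebuilds K[i], unwraps K[*], and uses the check block C = hash(r, K[*]) to confirm it; the post does not spell out that recipients verify C, so that is an assumption here. The group parameters, the SHA-256 hash, and the XOR stream cipher standing in for encrypt() are constructed toys, and the signature of step 6 is omitted.

```python
import hashlib
import os

# Constructed toy group for illustration only (not a secure parameter set):
# p = 2^127 - 1 is prime, g = 3. Real use needs a standard large safe-prime group.
P = (1 << 127) - 1
G = 3

def h(*parts: bytes) -> bytes:
    """hash(a, b, ...): length-prefixed SHA-256 stands in for the unspecified hash."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()

def i2b(x: int) -> bytes:
    """Fixed-width encoding of a group element before hashing."""
    return x.to_bytes((P.bit_length() + 7) // 8, "big")

def xcrypt(key: bytes, data: bytes) -> bytes:
    """encrypt(K, data): stand-in stream cipher, XOR with a SHA-256 keystream (symmetric)."""
    stream = bytearray()
    for ctr in range((len(data) + 31) // 32):
        stream += h(key, ctr.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen():
    """Diffie-Hellman style key pair: private x, public Y = g^x mod p."""
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return x, pow(G, x, P)

def wrap_message(pubkeys, plaintext: bytes):
    """Sender side, steps 2-5 and 7 of the posted scheme (signature of step 6 omitted)."""
    k_star = os.urandom(16)                               # step 2: 128-bit message key K[*]
    z = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    r = pow(G, z, P)                                      # step 3: r = g^z mod p
    c = h(i2b(r), k_star)                                 # step 4: check block C = hash(r, K[*])
    blocks = [xcrypt(h(c, i2b(pow(y, z, P))), k_star)     # step 5a: K[i] = hash(C, Y[i]^z mod p)
              for y in pubkeys]                           # step 5b: B[i] = encrypt(K[i], K[*])
    return r, c, blocks, xcrypt(k_star, plaintext)        # step 7: M = r, C, B[0..N-1], ciphertext

def unwrap_message(x: int, msg):
    """Recipient with private key x tries each B[i]; returns the plaintext or None."""
    r, c, blocks, ciphertext = msg
    k_i = h(c, i2b(pow(r, x, P)))                         # r^x = g^(xz) = Y^z mod p, so K[i] matches
    for b in blocks:
        k_star = xcrypt(k_i, b)                           # candidate K[*] from this block
        if h(i2b(r), k_star) == c:                        # check block confirms the right K[*]
            return xcrypt(k_star, ciphertext)
    return None                                           # no block unwraps under this key
```

A key pair that was not among the recipients fails the check block on every B[i] and gets None rather than garbage.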