[14879] in cryptography@c2.net mail archive
Re: safety of Pohlig-Hellman with a common modulus?
daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Sun Dec 7 14:36:36 2003
X-Original-To: cryptography@metzdowd.com
Date: Sun, 07 Dec 2003 17:32:43 +0000
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>,
<cryptography@metzdowd.com>
In-Reply-To: <bqugrd$ne8$1@abraham.cs.berkeley.edu>
David Wagner wrote:
> Peter Fairbrother wrote:
>> Not usually. In general index calculus attacks don't work on P-H, [...]
>
> Sure they do. If I have a known plaintext pair (M,C), where
> C = M^k (mod p), then with two discrete log computations I can
> compute k, since k = dlog_g(C)/dlog_g(M) (mod p-1). This works for
> any generator g, so I can do the precomputation for any g I like.
Duuuh. I _knew_ that. I've even proposed changing p from time to time to
limit the take from an IC attack. Dumb of me.
Too much beer, no coffee, got a brainstorm and couldn't see the wood for the
trees... Sorry.
--
Peter Fairbrother
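The attack Wagner describes, worked through in code. This is an added example, not part of the thread: a Pohlig-Hellman exponentiation cipher C = M^k mod p with a constructed small prime (p = 10007, generator g = 5, key k = 1235 are all chosen here for illustration), and the known-plaintext key recovery k = dlog_g(C) * dlog_g(M)^-1 mod (p-1). At this size the two discrete logs are taken with baby-step giant-step instead of index calculus; against a real modulus they would come from one precomputation for p, reused for every (M, C) pair. It also handles the case the formula glosses over: when dlog_g(M) is not invertible mod p-1 (M is not a generator), the division only fixes k modulo ord(M), so the code returns every candidate rather than silently picking one.

```python
"""Known-plaintext recovery of a Pohlig-Hellman exponent (added example).

Pohlig-Hellman: C = M^k mod p, decryption exponent d = k^-1 mod (p-1).
Given one known pair (M, C) and any generator g of Z_p^*, with
M = g^a and C = g^b we have a*k = b (mod p-1), so k = b * a^-1 (mod p-1)
when gcd(a, p-1) = 1; otherwise k is only fixed modulo (p-1)/gcd(a, p-1).
All numeric parameters below are constructed for the example.
"""
from math import gcd, isqrt

P = 10007                  # constructed prime; P - 1 = 2 * 5003
P_MINUS_1_FACTORS = [2, 5003]
G = 5                      # generator of Z_P^* (checked by is_generator)


def is_generator(g, p, prime_factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)


def bsgs(g, h, p):
    """Baby-step giant-step: smallest x with g^x = h (mod p), or None.
    Stands in for the index-calculus computation at this toy size."""
    n = p - 1                          # order of Z_p^*
    m = isqrt(n) + 1
    table = {}
    cur = 1
    for j in range(m):                 # baby steps: remember g^j
        table.setdefault(cur, j)
        cur = cur * g % p
    factor = pow(g, -m, p)             # g^(-m); modular inverse needs Python 3.8+
    gamma = h
    for i in range(m):                 # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * factor % p
    return None


def solve_linear_congruence(a, b, n):
    """All k in [0, n) with a*k = b (mod n); empty if unsolvable."""
    d = gcd(a, n)
    if b % d:
        return []
    a, b, n2 = a // d, b // d, n // d
    k0 = b * pow(a, -1, n2) % n2
    return [k0 + t * n2 for t in range(d)]


def ph_encrypt(m, k, p):
    return pow(m, k, p)


def ph_decrypt(c, k, p):
    return pow(c, pow(k, -1, p - 1), p)


def recover_key(m, c, p, g):
    """Known-plaintext attack: every k with m^k = c (mod p), from two dlogs.
    Unique exactly when gcd(dlog_g(m), p-1) == 1, i.e. m is a generator;
    otherwise the candidates differ by multiples of ord(m)."""
    a = bsgs(g, m, p)
    b = bsgs(g, c, p)
    return solve_linear_congruence(a, b, p - 1)


if __name__ == "__main__":
    assert is_generator(G, P, P_MINUS_1_FACTORS)
    k = 1235                           # constructed key, gcd(k, P-1) == 1
    for m in (G, 2):                   # 2 is a quadratic residue mod P: order 5003
        c = ph_encrypt(m, k, P)
        assert ph_decrypt(c, k, P) == m
        cands = recover_key(m, c, P, G)
        print(f"M={m} C={c} candidates for k: {cands}")
```

Every candidate returned encrypts M to C, so with a non-generator plaintext a second known pair is needed to pin k down; intersecting the candidate lists from two pairs does that. Changing p, as Fairbrother mentions, only forces the attacker to redo the precomputation for the new modulus; it does not change the two-dlog structure of the attack.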
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com