<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sat, Jun 6, 2015 at 12:04 AM, Bill Cox <span dir="ltr"><<a href="mailto:waywardgeek@gmail.com" target="_blank">waywardgeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>For any prime p suitable for Diffie-Hellman key agreement with group generator g = 2, simply generate the binary digits of fraction(2^n/p), where n is a shared secret. XOR these digits over the message stream for both encryption and decryption.<br></div><div><br></div><div><div>I'm ignoring issues such as the need for a unique nonce, and maliability defense. The standard fixes apply. The ability to determine n is trivially equivalent to solving the discrete log problem.</div></div><div><br></div><div>Is this well known? I'm pretty much finding that everything seems to be already known in crypto...</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Bill</div></font></span></div>
</blockquote></div><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Sorry! While true that we cannot recover n, as that is DLP equivalent, this is not a secure stream cipher at all, as only log(p) bits is enough to determine the rest of the pattern forever. Specifically, this is _not_ suitable as a stream cipher. It does seem to make a pretty nice PRNG, though too slow for practical use.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jun 6, 2015 at 12:04 AM, Bill Cox <span dir="ltr"><<a href="mailto:waywardgeek@gmail.com" target="_blank">waywardgeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>For any prime p suitable for Diffie-Hellman key agreement with group generator g = 2, simply generate the binary digits of fraction(2^n/p), where n is a shared secret. XOR these digits over the message stream for both encryption and decryption.<br></div><div><br></div><div><div>I'm ignoring issues such as the need for a unique nonce, and maliability defense. The standard fixes apply. The ability to determine n is trivially equivalent to solving the discrete log problem.</div></div><div><br></div><div>Is this well known? I'm pretty much finding that everything seems to be already known in crypto...</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Bill</div></font></span></div>
</blockquote></div><br></div>