<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Okay, so I've lurked on this list for a couple of weeks and wasn't
sure if it was a safe place to propose crypto ideas, but given the
recent threads, and the plethora of friendly discuss, I feel that I
can do this :) And, I agree with Rule #1 of crypto, namely not to
invent your own. But I think the unstated rest of that thought is
"... and then to put it into practice without gobs of scrutiny".
Since I'm not doing that, here goes.<br>
<br>
I'm no crypto expert. I've dabbled, used libraries, read a bit and
taken an online course or two (Dan Boneh is awesome!). But the
following occurred to me, and I'm initially just curious if it has
been described before, does it have a name. And if its original,
and if truly has the properties I believe it has, the next question
is what value it might have in practice. I've googled around quite
a bit and haven't seen it described.<br>
<br>
It's so simple, it's either been thought of and discarded out of
hand (for reasons I don't yet realize) or else perhaps the 'big
brains of crypto' were just too distracted by more advanced topics
to notice it.<br>
<br>
Consider the following for a non-authenticated key agreement
mechanism that does not involve any complex math (beyond a [P]RNG)
and requires no previous knowledge between the parties... Further,
I believe it has all of the good qualities of DH and the same number
of steps in a ladder diagram, but remains much simpler in concept
and implementation.<br>
<br>
Given an encrypt (and decrypt, for that matter) function based the
one-time pad idea:<br>
E(d, k) = d xor k<br>
Where:<br>
- d is data given to encrypt<br>
- k is the one-time pad key to encrypt with<br>
- k is at least as long as d.<br>
- k is ephemeral, i.e. it is picked at random each time
the algorithm is used<br>
<br>
Notice the obvious property of E:<br>
E(E(d, k1), k2) is bit-equivalent to E(E(d, k2, k1)<br>
<br>
<br>
Alice wishes to send Bob a piece of information d. Alice and Bob
have not exchanged any information previously.<br>
Alice makes up a random key, ka, and Bob makes up a random key, kb.<br>
The following sequence diagram allows Alice to send d to Bob while
the d remains protected from eavesdropping in between.<br>
<br>
<blockquote><tt> Alice
Bob</tt><tt><br>
</tt><tt>d = data</tt><tt><br>
</tt><tt>ka = random bits</tt><tt><br>
</tt><tt>d' = E(d, ka)</tt><tt><br>
</tt><tt> d'</tt><tt><br>
</tt><tt> ----------------------------------------></tt><tt><br>
</tt><tt> kb = random
bits</tt><tt><br>
</tt><tt> d'' = E(d',
kb)</tt><tt><br>
</tt><tt> d''</tt><tt><br>
</tt><tt> <----------------------------------------</tt><tt><br>
</tt><tt>d''' = E(d'', ka)</tt><tt><br>
</tt><tt> d'''</tt><tt><br>
</tt><tt> ----------------------------------------></tt><tt><br>
</tt><tt> d = E(d''',
kb)</tt><tt><br>
</tt><tt><br>
</tt></blockquote>
At this point, by having taken advantage of the property of E
pointed out above, Bob now has the value of d that Alice originally
wanted Bob to know.<br>
Considering that d could be a symmetric key, Alice and bob could
continue a conversation using standard methods.<br>
<br>
<br>
Assuming it hasn't been proposed before, is it useful?<br>
<br>
The method described above is protected against eavesdropping, but
it is vulnerable to an active man-in-the-middle. As a middle party,
Mallory, could insert herself in the insecure communications channel
and Alice wouldn't know that she initially communicated with Mallory
instead of Bob.<br>
<br>
It appears to have the same security properties as Diffie-Hellman,
and would seem to have some value in practice anywhere DH is used
(e.g. in combination with other methods for authentication like
ECDHE uses DH or STS uses DH). However, this method's computation
would appear to be less expensive than DH (if generating the random
bits for the keys is cheaper than computing the DH parameters) and
is conceptually as easy to understand as the one-time pad. And DH
is only as strong as the the computation is difficult to reverse but
this method uses the perfect secrecy property of the one-time pad
and is thus as good as the keys, ka and kb, were random (assuming
MiM is prevented by its use in combination with other things)<br>
<br>
Your thoughts?<br>
<br>
Thanks<br>
</body>
</html>