Starium (was Re: article: german secure phone)

Paul Crowley paul at
Thu Jun 14 09:50:20 EDT 2001

codehead at writes:
> In the spring of 1999, at the request of a VC, I went to a garage. 
> com meeting where one of the Starium versions was demonstrated.  At 
> the time it was "a bump in the line" version, but instead of having a 
> "green light" indicator, there was a 4-digit LCD display.
> Eric Blossom said that the display showed the last four digits of the 
> Diffie-Hellman key that was negotiated at the start of conversation.  
> The participants in the conversation could read the digits off and 
> confirm that there had not been a MITM attack.

This is only secure if all parties are forced to commit to the DH
information they're going to send before they send it.  Otherwise,
it's trivial to collect g^x_1, g^y_2 from the two parties, then
generate y_1, x_2 s.t. the resulting g^{x_1 y_1}, g^{x_2 y_2} collide
in the last four digits by trying about a hundred candidates for each
in a birthday attack.
  __  Paul Crowley
\/ o\ sig at
"Conservation of angular momentum makes the world go around" - John Clark

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list