safety of Pohlig-Hellman with a common modulus?

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Dec 7 12:32:43 EST 2003


David Wagner wrote:

> Peter Fairbrother  wrote:

>> Not usually.  In general index calculus attacks don't work on P-H, [...]
> 
> Sure they do.  If I have a known plaintext pair (M,C), where
> C = M^k (mod p), then with two discrete log computations I can
> compute k, since k = dlog_g(C)/dlog_g(M) (mod p-1).  This works for
> any generator g, so I can do the precomputation for any g I like.

Duuuh. I _knew_ that. I've even proposed changing p from time to time to
limit the take from an IC attack. Dumb of me.

Too much beer, no coffee, got a brainstorm and couldn't see the wood for the
trees... Sorry.


-- 
Peter Fairbrother

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
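
The known-plaintext key recovery described in the quoted text, as an added example that is not part of the original message. The toy prime p = 1019, the exponent 77, the baby-step giant-step solver and the function names are assumptions chosen for illustration; the sketch goes slightly beyond the quoted formula by also handling the case where dlog_g(M) is not invertible mod p-1, in which k is only determined modulo a divisor of p-1.

```python
from math import gcd, isqrt

def bsgs(g, h, p):
    """Baby-step giant-step: x with g^x = h (mod p), g a generator mod prime p."""
    n = p - 1
    m = isqrt(n) + 1
    table = {}
    e = 1
    for j in range(m):              # baby steps: g^j
        table.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)            # g^(-m), needs Python 3.8+
    gamma = h % p
    for i in range(m):              # giant steps: h * g^(-i*m)
        if gamma in table:
            return (i * m + table[gamma]) % n
        gamma = gamma * step % p
    raise ValueError("h is not in the group generated by g")

def recover_key(g, p, M, C):
    """Solve a*k = b (mod p-1) with a = dlog_g(M), b = dlog_g(C).
    Returns (k0, modulus): every consistent k is congruent to k0 mod modulus."""
    n = p - 1
    a, b = bsgs(g, M, p), bsgs(g, C, p)
    d = gcd(a, n)
    if b % d:
        raise ValueError("(M, C) is not consistent with any exponent k")
    n_d = n // d
    if n_d == 1:                    # M = 1 reveals nothing about k
        return 0, 1
    return (b // d) * pow(a // d, -1, n_d) % n_d, n_d

if __name__ == "__main__":
    p, k = 1019, 77                 # constructed toy values, not from the thread
    # Same key recovered with two different bases g; M = 4 only fixes k mod 509.
    for g, M in [(2, 10), (10, 8), (2, 4)]:
        print(g, M, recover_key(g, p, M, pow(M, k, p)))
```

The discrete-log work depends only on p and g, not on k, which is why a modulus shared by many users or kept for a long time lets one precomputation serve every key under it.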


