Key Pair Agreement?
Jeroen C. van Gelderen
jeroen at vangelderen.org
Mon Jan 20 16:53:18 EST 2003
Hi,
Here is a scenario: Scott wants Alice to generate a key pair after
which he will receive Alice's public key. At the same time, Scott wants
to make sure that this key pair is newly generated (has not been used
before).
I do not know what the proper terminology is to discuss this. Assuming
there is none, I will call the solution Key Pair Agreement.
From HAC we know that "Key Agreement is a key establishment technique
in which a shared secret is derived by two (or more) parties ... such
that no party can pre-determine the resulting value".
Let's see if we can come up with an informal definition of Key Pair
Agreement:
Key Pair Agreement is a protocol in which two parties A and S interact
such that
- A generates a private key Kpriv and the corresponding public
  key Kpub
- S can randomize the key generation process by providing a
  SEED1 such that A cannot pre-determine either Kpriv or Kpub
- S cannot learn anything about Kpriv
  (S cannot pre-determine either Kpriv or Kpub)
- Given SEED1 and Kpub one can determine if the Key Pair
  generation process was randomized by SEED1.
It would seem that the DSA key structure facilitates this:
1. Scott sends SEED1 to Alice.
2. Alice picks a random number SEED2.
3. Alice sets SEED=SHA1(SEED1 || SEED2).
4. Alice generates a set of DSA parameters P, Q, G using the
   algorithm in Appendix 2, FIPS 186-2.
5. Alice generates a key pair (x,y) using the parameters from (4).
6. Alice sends SEED2, counter, P, Q, G, y to Scott.
7. Scott generates P', Q', G' based on SEED=SHA1(SEED1 || SEED2),
   counter, and compares them to P, Q, G.
This is a very expensive key generation operation but it would
seem to work.
My questions are:
0) who has invented this before?
1) does it achieve what I think it achieves?
2) does anybody know of more efficient algorithms?
Cheers,
Jeroen
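
Added example, not part of the original post: a Python sketch of steps 1-7 above for the P and Q part only, following the prime generation of FIPS 186-2 Appendix 2.2 with SEED = SHA1(SEED1 || SEED2). Assumptions: L = 512 to keep it fast, Miller-Rabin with random bases as the primality test, and hypothetical names (derive, alice_generate, scott_verify); G and the key pair (x, y) are left out.

```python
import hashlib, secrets

L = 512                      # assumption: smallest FIPS 186-2 modulus size, for speed
N, B = divmod(L - 1, 160)    # n and b from Appendix 2.2

def h(data):
    """SHA-1 of bytes, or of an integer reduced mod 2^160, as an integer."""
    if isinstance(data, int):
        data = (data % 2**160).to_bytes(20, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def is_prime(n, rounds=40):
    """Miller-Rabin with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2**i, n) != n - 1 for i in range(1, s)):
            return False
    return True

def derive(seed1, seed2, counter):
    """Candidate (p, q) for SEED = SHA1(SEED1 || SEED2) and one counter value."""
    seed = h(seed1 + seed2)
    q = (h(seed) ^ h(seed + 1)) | 2**159 | 1          # 160-bit odd candidate
    v = [h(seed + 2 + counter * (N + 1) + k) for k in range(N + 1)]
    v[N] %= 2**B
    x = sum(vk << (160 * k) for k, vk in enumerate(v)) + 2**(L - 1)
    return x - (x % (2 * q) - 1), q                   # p is 1 mod 2q

def alice_generate(seed1):
    """Alice's side: retry SEED2 until q and some p within 4096 counters are prime."""
    while True:
        seed2 = secrets.token_bytes(20)
        if not is_prime(derive(seed1, seed2, 0)[1]):
            continue
        for counter in range(4096):
            p, q = derive(seed1, seed2, counter)
            if p >= 2**(L - 1) and is_prime(p):
                return seed2, counter, p, q

def scott_verify(seed1, seed2, counter, p, q):
    """Scott's side: recompute from SEED1, SEED2, counter and compare."""
    return (0 <= counter < 4096 and derive(seed1, seed2, counter) == (p, q)
            and p >= 2**(L - 1) and is_prime(q) and is_prime(p))
```
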