Key Pair Agreement?

Jack Lloyd lloyd at acm.jhu.edu
Mon Jan 20 17:54:22 EST 2003


On 20 Jan 2003, David Wagner wrote:

> If you're worried about the security of allowing Scott to choose the
> low bits of Alice's public key, you could have Scott and Alice perform
> a joint coin-flipping protocol to select a random 64-bit string that
> neither can control, then proceed as before.

STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE))

seems simple enough.

However there is no way to be sure the RSA key is actually at all safe in
this case. For example, Alice could choose a 950 bit prime, and then
whenever she needed a new key, just choose a small (50 or 100 bit) prime as
the other factor. All in all the DSA case seems easier because there are
fewer things which an observer cannot verify.

Doing something like this for the DSA case (with y) might be nice, since
that would force Alice to choose a new x each time as well as new p,q,g.

-Jack


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
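The coin flip and the STRING formula discussed in the message above, written out as an added example (not code from the thread or its authors). It adds a commit-then-reveal step so that neither party can keep trying seeds after seeing the other's, and it checks only the low 64 bits, so it says nothing about whether the rest of the key is sound. Assumptions: a SHA-256 hash commitment, 16-byte seeds, LOW_64 read as the last 8 digest bytes, and the hypothetical function names used here.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 16  # assumption: fixed-length seeds, so "||" is unambiguous


def commit(seed: bytes, nonce: bytes) -> bytes:
    """Scott's hash commitment; the random nonce hides the seed until reveal."""
    if len(seed) != SEED_LEN or len(nonce) != SEED_LEN:
        raise ValueError("seed and nonce must be SEED_LEN bytes")
    return hashlib.sha256(b"coinflip-commit" + nonce + seed).digest()


def low_64(seed_scott: bytes, seed_alice: bytes) -> int:
    """STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE))."""
    digest = hashlib.sha1(seed_scott + seed_alice).digest()
    # Assumption: LOW_64 means the last 8 digest bytes, read big-endian.
    return int.from_bytes(digest[-8:], "big")


def alice_derive(commitment: bytes, seed_scott: bytes, nonce: bytes,
                 seed_alice: bytes) -> int:
    """Alice's side after Scott reveals: check the opening, then derive STRING."""
    if len(seed_alice) != SEED_LEN:
        raise ValueError("seed must be SEED_LEN bytes")
    if not hmac.compare_digest(commitment, commit(seed_scott, nonce)):
        raise ValueError("Scott's reveal does not match his commitment")
    return low_64(seed_scott, seed_alice)


def key_matches(public_value: int, string: int) -> bool:
    """Observer's check: the low 64 bits of the public value equal STRING."""
    return public_value & (2**64 - 1) == string


if __name__ == "__main__":
    seed_scott = secrets.token_bytes(SEED_LEN)
    nonce = secrets.token_bytes(SEED_LEN)
    c = commit(seed_scott, nonce)               # 1. Scott -> Alice: commitment
    seed_alice = secrets.token_bytes(SEED_LEN)  # 2. Alice -> Scott: her seed
    string = alice_derive(c, seed_scott, nonce, seed_alice)  # 3. Scott reveals
    print(f"agreed 64-bit string: {string:016x}")
```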


