Key Pair Agreement?

David Wagner daw at mozart.cs.berkeley.edu
Mon Jan 20 18:34:59 EST 2003


Jack Lloyd wrote:
>However there is no way to be sure the RSA key is actually at all safe in
>this case. For example, Alice could choose a 950 bit prime, and then
>whenever she needed a new key, just choose a small (50 or 100 bit) prime as
>the other factor.

Hold on a minute.  The problem was to generate a new public key that
had been certified as fresh.  The original poster did not state any
requirement that the public key also be "safe".

Let's take a look at the original problem statement again:

Jeroen C. van Gelderen wrote:
>Here is a scenario: Scott wants Alice to generate a key pair after 
>which he will receive Alice's public key. At the same time, Scott wants 
>to make sure that this key pair is newly generated (has not been used 
>before).

See?  There's nothing about Alice proving that her key is safe.

If you do want to add a "safety" requirement, then the problem is
unsolvable.  Alice can always publish her private key at any time, and
there is nothing Scott can do about this.  This is true no matter what
method you use -- RSA, discrete log, or something entirely different.

So I wouldn't use this "safety" business as a way of choosing which method
to use.  If you want a "safety" requirement, give up.  If you don't,
select a method that achieves van Gelderen's requirement as efficiently
as possible, without regard to "safety".

---------------------------------------------------------------------
The Cryptography Mailing List