Key Pair Agreement?

Ben Laurie ben at algroup.co.uk
Tue Jan 21 08:11:10 EST 2003


David Wagner wrote:
> Jeroen C. van Gelderen wrote:
> 
>>Here is a scenario: Scott wants Alice to generate a key pair after 
>>which he will receive Alice's public key. At the same time, Scott wants 
>>to make sure that this key pair is newly generated (has not been used 
>>before).
> 
> 
> You might be able to have Scott specify a 64-bit string, and then ask
> Alice to come up with a RSA public key that has this string as its low
> 64 bits.  I believe it is straightforward to modify the RSA key generation
> algorithm to generate keypairs of the desired form.
> 
> If you're worried about the security of allowing Scott to choose the
> low bits of Alice's public key, you could have Scott and Alice perform
> a joint coin-flipping protocol to select a random 64-bit string that
> neither can control, then proceed as before.

Presumably if you add 64 bits (or so) to the desired keylength, this 
also helps with any concerns you might have.

It's worth noting that allowing the attacker (err, sorry, I mean Scott) 
to choose the _high_ 64 bits would work more efficiently with some fast 
key generation algorithms, though this might give more cause for concern.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
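David's suggestion, worked through as an added example (my own code, not anything posted in the thread): p is generated freely, then q is confined to the residue class q ≡ tag·p⁻¹ (mod 2⁶⁴) so that n = pq carries Scott's 64-bit tag in its low bits. It assumes the "public key" in question is the modulus n, that the tag is odd (n is a product of odd primes, so its lowest bit is always 1), and uses short primes so it runs quickly; `check_tagged_modulus` is the check Scott would run on receipt.

```python
import random
import secrets

TAG_BITS = 64
TAG_MASK = (1 << TAG_BITS) - 1

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (adequate for a demonstration)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_tagged_modulus(tag, prime_bits=256):
    """Return (n, p, q) with n = p*q and n's low 64 bits equal to `tag`."""
    if tag & 1 == 0 or tag > TAG_MASK:
        raise ValueError("tag must be an odd 64-bit value (n is always odd)")
    p = random_prime(prime_bits)
    # Solve p*q == tag (mod 2^64): q == tag * p^-1 (mod 2^64); p is odd, so invertible.
    q0 = (tag * pow(p, -1, 1 << TAG_BITS)) & TAG_MASK
    # Every q = q0 + k*2^64 satisfies the congruence; choose k so q has prime_bits bits.
    lo, hi = (1 << (prime_bits - 1)) >> TAG_BITS, (1 << prime_bits) >> TAG_BITS
    while True:
        q = q0 + (lo + secrets.randbelow(hi - lo)) << TAG_BITS if False else q0 + ((lo + secrets.randbelow(hi - lo)) << TAG_BITS)
        if is_probable_prime(q):
            return p * q, p, q

def check_tagged_modulus(n, tag):
    """Scott's acceptance test: the received modulus must end in the tag he issued."""
    return (n & TAG_MASK) == tag
```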

