Roundtrip Blinding (was: A-B-a-b encryption)

bear bear at
Sun Nov 16 12:44:16 EST 2003

On Fri, 14 Nov 2003, martin f krafft wrote:

>it came up lately in a discussion, and I couldn't put a name to it:
>a means to use symmetric crypto without exchanging keys:
>  - Alice encrypts M with key A and sends it to Bob
>  - Bob encrypts A(M) with key B and sends it to Alice
>  - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
>  - Bob decrypts B(M) with key B leaving him with M.
>Are there algorithms for this already? What's the scheme called?
>I searched Schneier (non-extensively) but couldn't find a reference.

This is a roundtrip blinding message protocol.

First of all, you mean asymmetric crypto (where encryption
key != decryption key).

The problem with this is that there are very few encryption
algorithms that this will work with and all the ones I know
have serious problems in modes where this is possible. In

decrypt(a, encrypt(b, encrypt(a, M))) != encrypt(b, M)

in most secure cipher systems.

RSA will do this - but in modes where stunts like this are
possible, it means you're using "straight" RSA -- i.e., without
padding the blocks with randomness.  And this leaves RSA open
to some types of attacks that are very difficult to allow for
in a secure system.  Where RSA is used in this mode (for blinding
digital cash, etc) it is used in a very stylized and restricted
way, blinding "tokens" whose interpretation and use is very


The Cryptography Mailing List
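
The exchange described in the thread, as an added example that is not part of the original posts. It swaps RSA for unpadded exponentiation modulo a shared public prime, which has the same commuting property; the modulus `P`, the function names, and the toy affine cipher used to show the non-commuting case are all assumptions made for illustration.

```python
# Added illustration (not from the original post); all parameters are constructed.
import secrets
from math import gcd

P = 2**127 - 1  # public prime modulus shared by both parties (demo size)

def keygen():
    """Pick e coprime to P-1 and its inverse d, so (m^e)^d = m mod P."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def modexp(k, x):
    """Unpadded exponentiation: encrypt with e, decrypt with d. Commutes across keys."""
    return pow(x, k, P)

def three_pass(m, alice, bob):
    """Run the four steps from the quoted question; return (recovered, wire)."""
    (ea, da), (eb, db) = alice, bob
    c1 = modexp(ea, m)    # Alice -> Bob: A(M)
    c2 = modexp(eb, c1)   # Bob -> Alice: B(A(M))
    c3 = modexp(da, c2)   # Alice -> Bob: B(M), true only because modexp commutes
    return modexp(db, c3), (c1, c2, c3)

# Toy non-commuting cipher (affine map mod P), standing in for the general case.
def aff_enc(k, x):
    return (k[0] * x + k[1]) % P

def aff_dec(k, y):
    return ((y - k[1]) * pow(k[0], -1, P)) % P

def affine_strip_works(m, a, b):
    """True iff decrypt(a, encrypt(b, encrypt(a, M))) == encrypt(b, M)."""
    return aff_dec(a, aff_enc(b, aff_enc(a, m))) == aff_enc(b, m)

if __name__ == "__main__":
    alice, bob = keygen(), keygen()
    m = int.from_bytes(b"hello bob", "big")   # constructed sample message
    got, wire = three_pass(m, alice, bob)
    print(got.to_bytes(9, "big"), wire[2] == modexp(bob[0], m))
    print(affine_strip_works(42, (3, 5), (7, 11)))
```

Because `modexp` adds no randomness, the same M under the same key always produces the same value on the wire, which is the unpadded mode the reply cautions about.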