Scare tactic?

Sidney Markowitz sidney at
Thu Sep 20 16:24:04 EDT 2007

Ben Laurie wrote, On 21/9/07 1:34 AM:
> It seems to me that the requirement cited:
> "Entity i cannot be coerced into sharing a key with entity j without i’s
> knowledge, ie, when i believes the key is shared with some entity l != j."

The "without i's knowledge" part is critical to the argument, as the
author is assuming that entity i is monitoring all of entity j's
channels of communication and either entity j has no communication of
any kind outside of that used for the DH protocol with entity i, or else
entity i would be able to recognize whether any other communication with
anyone is a revelation of the secret session key that entity i is
sharing with entity j.

Note that entity i would even have to be sure that entity j is not using
any side channels such as variations in the timing of response packets
during the subsequent encrypted session to communicate with a colluding
passive attacker who is eavesdropping.

That is an awfully impractical constraint on the threat model, which
makes this issue moot in practice.

 Sidney Markowitz

The Cryptography Mailing List