questions on RFC2631 and DH key agreement

Hal Finney hal at finney.org
Sun Feb 10 12:27:16 EST 2008


Joseph Ashwood writes:
> From: "Hal Finney" <hal at finney.org>
> > Joseph Ashwood writes, regarding unauthenticated DH:
> >> if b uses the same private key
> >> to generate multiple yb the value of b will slowly leak.
> >
> > I'm not familiar with this last claim, that the value of b's private key
> > (presuming that is what you mean) would slowly leak if it were reused for
> > many DH exchanges. Can you explain what you mean? Are you talking about
> > Lim&Lee style attacks where the recipient does not check the parameters
> > for validity? In that case I would say the private exponent would leak
> > quickly rather than slowly. But if the parameters are checked, I don't
> > see how that would leak a reused exponent.
>
> I am not immediately aware of any known attacks that have been published
> about it, but it is fairly obvious that Eve has more information about the
> private key by having a second key set with the same unknown. With only a
> single pair Eve's information set is:
> g_1,p_1,q_1,y_1 where y_1 = g_1^x mod p_1
>
> By adding the second key set Eve now has
> g_1,p_1,q_1,y_1 where y_1 = g_1^x mod p_1
> g_2,p_2,q_2,y_2 where y_2 = g_2^x mod p_2
>
> This is obviously additional information, and with each additional key set _i
> eventually Eve has the information to guess x with improved probability.

That's hardly grounds for saying that the value of the secret "will
slowly leak". You have given no reason to believe that this information
will be of any practical value to Eve.

After all, exactly the same observation might be made about a digital
signature, that each signature gives additional information about the
private exponent.  Yet no one would say that issuing signatures causes
your private key to slowly leak, or caution against issuing signatures
because of this consideration!

Hal Finney
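The distinction drawn above, between an unchecked exchange (where Lim-Lee style probing leaks a reused exponent quickly) and a checked one, comes down to the recipient validating the group and the peer's public value before using its private exponent. The following is an added example, not code from either poster, of the RFC 2631-style checks; the toy group (p = 67, q = 11, g = 64) and the function names are constructed for illustration.

```python
# Added example, not from the thread: RFC 2631-style checks a recipient runs on
# a peer's DH value y before combining it with a reused private exponent x.
# Toy parameters below are constructed; real groups use 2048-bit or larger p.

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; enough for a demonstration."""
    bases = (2, 3, 5, 7, 11, 13, 17)
    if n < 2:
        return False
    if any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a witnesses compositeness
    return True

def validate_group(p: int, q: int, g: int) -> bool:
    """Domain parameters: p and q prime, q divides p-1, g has order q."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)

def validate_public_value(p: int, q: int, y: int) -> bool:
    """RFC 2631 public-key validation: 2 <= y <= p-2 and y^q mod p == 1.
    Without this check a reused exponent can be probed through small
    subgroups; with it, each y_i = g_i^x mod p_i is just another DLP instance."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

def dh_shared_secret(p: int, q: int, g: int, x: int, y_peer: int) -> int:
    """Return y_peer^x mod p, refusing to apply x to unvalidated input."""
    if not validate_group(p, q, g):
        raise ValueError("invalid DH domain parameters")
    if not validate_public_value(p, q, y_peer):
        raise ValueError("peer public value not in the order-q subgroup")
    return pow(y_peer, x, p)

# Constructed toy group: p = 67 (p-1 = 2*3*11), q = 11, g = 64 has order 11.
P, Q, G = 67, 11, 64
```

In the toy group, 37 (order 3) and 66 (order 2) are rejected by `validate_public_value`, while any element of the order-11 subgroup is accepted and both parties derive the same secret.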

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com