[Cryptography] Which big-name ciphers have been broken in living memory?

Jerry Leichter leichter at lrw.com
Sat Aug 16 21:42:51 EDT 2014


On Aug 16, 2014, at 2:50 PM, Marc W. Abel <marc at clique4.us> wrote:
> Wow.  So, pretend for a minute that I have a threat model that doesn't trust asymmetric cryptography, period.  Is it possible to design a PFS protocol for this model?  I'm all in favor of forward secrecy, but I also have great respect for human capacity to solve extremely challenging puzzles.
The descriptions of PFS tend to focus on asymmetric crypto, but its actual properties are easy to get without asymmetric crypto - something I've discussed here in the past.

Sending side:
(We have cleartext blocks C1 ... Cn to send)
1.  Negotiate initial key K0.
2.  For i = 1 to n do
      Ki = OneWayHash(K{i-1})
      Destroy K{i-1}
      send Enc(Ki, Ci)

The receiving side is obvious.

This pseudo-code generates a new key for every block, but of course you don't have to do that - you can generate them for every new user-defined message, or every K blocks, or whenever the phase of the moon becomes waxing gibbous.

The only real difficulty here is step 1.  If you don't want to use asymmetric crypto but are willing to accept simple DH, then this is simple.  Otherwise, I'm not sure how to accomplish it:  Typical work on key exchange protocols doesn't worry about retrospective attacks if the keys are later revealed.

                                                        -- Jerry
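As an added example (not code from the post or from anyone on the list), the Python below implements the ratchet sketched above with SHA-256 as the one-way hash, sends n blocks under successive keys, and then checks what someone who seizes the sender's current key K_n after block n can decrypt: blocks 1 through n-1 stay sealed, while block n (whose key has not yet been destroyed) and every block sent afterwards do not. The block cipher, K0 and the plaintexts are constructed stand-ins; the encrypt-then-MAC construction is illustrative and not a standard AEAD.

```python
import hashlib
import hmac
# Added example, not from the post: K_i = OneWayHash(K_{i-1}) with one key per block;
# the cipher is a constructed HMAC-SHA256 encrypt-then-MAC, not a standard AEAD.

def ratchet(key: bytes) -> bytes:
    return hashlib.sha256(b"ratchet|" + key).digest()   # K_i = OneWayHash(K_{i-1})
def key_schedule(k0: bytes):
    key = k0
    while True:
        key = ratchet(key)          # the old value is overwritten, i.e. K_{i-1} destroyed
        yield key

def _xor_stream(ek: bytes, data: bytes) -> bytes:
    # HMAC counter-mode keystream; each key encrypts one block, so no nonce is needed.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(ek, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def enc(key: bytes, block: bytes) -> bytes:
    ek, mk = (hashlib.sha256(t + key).digest() for t in (b"enc|", b"mac|"))
    ct = _xor_stream(ek, block)
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def dec(key: bytes, msg: bytes):
    """Return the block, or None when the tag does not verify under this key."""
    ek, mk = (hashlib.sha256(t + key).digest() for t in (b"enc|", b"mac|"))
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(hmac.new(mk, ct, hashlib.sha256).digest(), tag):
        return None
    return _xor_stream(ek, ct)

def run_channel(blocks, k0: bytes):
    """After K0 is negotiated (step 1), send C1..Cn; return wire, plaintexts, K_n."""
    wire, k_n = [], k0
    for c, k_n in zip(blocks, key_schedule(k0)):
        wire.append(enc(k_n, c))
    return wire, [dec(k, m) for k, m in zip(key_schedule(k0), wire)], k_n

def compromise(blocks, k0: bytes, later_block: bytes):
    """Seize K_n after block n: count past blocks it (or keys ratcheted from it) opens."""
    wire, recovered, k_n = run_channel(blocks, k0)
    key, readable_past = k_n, 0
    for _ in range(len(blocks) + 1):
        readable_past += sum(dec(key, m) is not None for m in wire)
        key = ratchet(key)
    next_msg = enc(next(key_schedule(k_n)), later_block)   # sender continues with K_{n+1}
    return recovered, readable_past, dec(ratchet(k_n), next_msg)
```

With three blocks sent, `compromise` reports exactly one past block readable (block n, still under the live key) and recovers the block sent after the seizure, which is the forward-secrecy boundary of a pure hash ratchet.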


