[Cryptography] Silly Diffie-Hellman question using XOR

Craig B Agricola craig at theagricolas.org
Wed Mar 5 12:56:37 EST 2014

On Thu, Mar 06, 2014 at 12:26:28AM +1000, Stuart Longland wrote:
> i.e. two parties, Alice and Bob wish to establish a shared key.
> 1. Alice generates two keys: A1 and A2.
>    Bob generates two keys: B1 and B2.
> 2. Alice signs A2 and sends A2 + signature to Bob.
>    Bob signs B2 and sends B2 + signature to Alice.
> 3. Alice verifies B2+signature, then generates
>       A3 = A1 ^ A2 ^ B2.  Alice signs A3 and sends to Bob.
>    Bob verifies A2+signature, then generates
>       B3 = B1 ^ B2 ^ A2.  Bob signs B3 and sends to Alice.
> 4. Alice verifies B3+signature, then generates
>       A4 = B3 ^ A1 = B1 ^ B2 ^ A2 ^ A1
>    Bob verifies A3+signature, then generates
>       B4 = A3 ^ B1 = A1 ^ A2 ^ B2 ^ B1
> Since XOR is commutative, A4 and B4 should be identical.  A1 and B1 are 
> never revealed in public.  XOR is computationally inexpensive, not the 
> strongest, and probably wouldn't stop a determined (i.e. state-backed) 
> cracker.  Information theory would be useless as the keys would be random.

In step 2, Eve gets A2 and B2.
In step 3, Eve gets A3 and B3.
A3^A2^B2=(A1^A2^B2)^A2^B2=A1 (because, as you say, XOR is commutative).

B1 is obviously similarly compromised by step 3, and so Eve can easily
calculate A4/B4 as in step 4.
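
The recovery described in this reply, as an added example that is not part of the original message: it runs steps 1-4 of the proposed scheme and then recomputes A1, B1 and the session key from the four public values alone. The 16-byte key length and the names `xor`, `run_exchange` and `eavesdrop` are assumptions of the example, and signatures are left out because they authenticate the messages without hiding them.

```python
import secrets

KEY_LEN = 16  # bytes; constructed parameter, the thread gives no key size


def xor(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("operands must have equal length")
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def run_exchange(key_len: int = KEY_LEN):
    """Run steps 1-4 of the proposed scheme; return (A4, B4, public transcript)."""
    a1, a2 = secrets.token_bytes(key_len), secrets.token_bytes(key_len)
    b1, b2 = secrets.token_bytes(key_len), secrets.token_bytes(key_len)
    a3 = xor(a1, a2, b2)   # step 3, Alice
    b3 = xor(b1, b2, a2)   # step 3, Bob
    a4 = xor(b3, a1)       # step 4, Alice
    b4 = xor(a3, b1)       # step 4, Bob
    # Signatures omitted: they authenticate A2, B2, A3, B3 but do not hide them.
    transcript = {"A2": a2, "B2": b2, "A3": a3, "B3": b3}
    return a4, b4, transcript


def eavesdrop(transcript: dict) -> dict:
    """Recompute the private values and session key from public messages only."""
    a1 = xor(transcript["A3"], transcript["A2"], transcript["B2"])
    b1 = xor(transcript["B3"], transcript["B2"], transcript["A2"])
    key = xor(transcript["B3"], a1)  # the same computation Alice does in step 4
    return {"A1": a1, "B1": b1, "key": key}


if __name__ == "__main__":
    a4, b4, transcript = run_exchange()
    recovered = eavesdrop(transcript)
    print("Alice and Bob agree:", a4 == b4)
    print("Eve has the same key:", recovered["key"] == a4)
```

Every private value is a linear (XOR) combination of values sent in the clear, so a passive observer needs no more work than the participants; Diffie-Hellman avoids this by relying on a one-way operation.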

