[Cryptography] Silly Diffie-Hellman question using XOR

Stuart Longland stuartl at longlandclan.yi.org
Wed Mar 5 16:06:35 EST 2014

On Wed, 05 Mar 2014 19:50:36 +0100, Hanno Böck wrote:

>>    Bob signs B2 and sends B2 + signature to Alice.
>> 3. Alice verifies B2+signature, then generates
>>       A3 = A1 ^ A2 ^ B2.  Alice signs A3 and sends to Bob.
> Your protocol breaks already here. Attacker knows A2, B2 and A3.
> So he can calculate A3 ^ B2 ^ A2. And get's A1. Wow!

Yes, of course.  I soon realised this as I thought about it… but 
naturally enough, only *after* I had clicked Send.  (And too early to 
send a follow-up pointing out I had realised my error.)

I've been giving some thought as to whether a cryptographic (keyed) hash 
would work (in place of XOR), but probably not as the scheme I've been 
thinking about relies on associativity and commutativity to work.  (And 
as we've all realised, it fundamentally breaks at present.)

Exponentiation with primes works of course, that's how D-H is normally 
implemented.  They need to be big ones to work though.  I'm not sure how 
to do math with 128-bit+ numbers as yet: best bet would be to use an 
existing implementation of D-H.

Not sure if there's small implementations that could fit on embedded 
devices.  I guess there is somewhere.  XOR attracted me as it was mind-
numbingly simple: I now also see it's mind-numbingly easy to crack.

> Honestly, if you didn't see this, you shouldn't even dare to invent any
> crypto yourself.
> And rule of thumb: If you make up your own algorithm, it's broken.
> Exceptions only if you are super-intelligent and have studied number
> theory for years.

This is true, which is why I made the assumption that I had overlooked 
something, and came here to ask about it.  My assumption was correct of 
course: I had overlooked something.

The good news is I didn't race off to found a company selling it then. :-)

More information about the cryptography mailing list