[Cryptography] Elliptic Curve Key Sharing
Phillip Hallam-Baker
phill at hallambaker.com
Fri Oct 9 22:18:40 EDT 2015
On Fri, Oct 9, 2015 at 5:35 PM, Nathaniel McCallum <npmccallum at redhat.com>
wrote:
> Alice does an independent ECDH (using private key X) with n parties (in
> this case 3: A, B, C) such that she has:
>
> k1 = g^(XA)
> k2 = g^(XB)
> k3 = g^(XC)
>
> She has now discarded X.
>
> She would like to encrypt a secret S such that any combination of r (in
> this case 2) keys will allow decryption. Normally, she'd use Shamir's
> Secret Sharing. But she doesn't know of any way to apply SSS to
> elliptic curve points.
>
> Are there any methods commonly available?
>
> Can the simple "brute-force" method work without revealing any data
> about the keys? For example:
>
> c1 = S + g^(XA) + g^(XB)
> c2 = S + g^(XA) + g^(XC)
> c3 = S + g^(XB) + g^(XC)
>
What I would do is encrypt the data under key S, then split that into SA,
SB, SC and encrypt SA under a key agreed with XA, SB under a key agreed
with XB, etc.
There are extensive games that you can play with the DH cryptopuzzle. In
fact it is rather more open to them in many ways than RSA is. If P and Q
are DH public keys, then so is P+Q. And you can calculate X^(P+Q) = X^P .
X^Q
There are some IP claims but the one that gets in the way should expire in
2019.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151009/48ceb3af/attachment.html>
More information about the cryptography
mailing list