[Cryptography] Elgamal Variant

Nathaniel McCallum npmccallum at redhat.com
Thu Sep 10 18:02:10 EDT 2015


On Tue, 2015-09-08 at 12:02 -0700, Robert Relyea wrote:
> On 09/08/2015 11:35 AM, Nathaniel McCallum wrote:
> > On Tue, 2015-09-08 at 10:50 -0700, Robert Relyea wrote:
> > > NOTE: I'm wondering if there's a way to have the server help the
> > > client recover b^A without exposing k at all. I can think of some
> > > options, but I'm worried they make the job of authenticating the
> > > client harder.
> 
> On decryption:
> Calculate x =g^X, b' = b^X
>      discard X
>      send a*x to the server,
>      Server returns (a*x)^B
>      Client recovers b^A =g^AB as follows:
>         (a*x)^B= g^B*(A+X)=(g^AB)*(g^XB)=(g^AB)*b'
>        b^A = (a*x)^B/b'
>        discard x and b'
> Get a new x for every time.
> In this scheme a,x and k must all be secret from the snooper.
> 
> It's heavier weight on the client than the scheme you described.

Thinking through this, it seems to me that the randomness needed to
protect B is generated by Alice, not Bob. If this randomness is not
properly obtained, Bob cannot detect it. Does this provide any
advantage to an attacker if Alice is buggy (or has low entropy)?

Nathaniel
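
The blinded decryption exchange from the quoted steps above, written out with both sides' messages as an added example that is not part of the original thread. It assumes a = g^A and b = g^B as the quoted algebra implies; the toy prime P, the generator G and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters (not from the thread): P is the Mersenne
# prime 2^127 - 1, far too small for real use; G is an arbitrary base.
P = 2**127 - 1
G = 3

def keygen():
    """Return (private exponent, public value G^priv mod P)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def client_blind(a, b):
    """Client: draw a fresh X, compute x = g^X and b' = b^X.

    Returns (a*x, b'). X and x are local only and are dropped on return,
    matching the 'discard X' step; b' is kept until unblinding.
    """
    X = secrets.randbelow(P - 2) + 1
    x = pow(G, X, P)
    b_prime = pow(b, X, P)
    return (a * x) % P, b_prime

def server_respond(blinded, B):
    """Server: raise whatever it receives to its private exponent B."""
    return pow(blinded, B, P)

def client_unblind(response, b_prime):
    """Client: b^A = (a*x)^B / b', with division as a modular inverse."""
    return (response * pow(b_prime, -1, P)) % P

def run_exchange(a, b, B):
    """One full round trip; call again for a fresh X each time."""
    blinded, b_prime = client_blind(a, b)      # client -> server: a*x
    response = server_respond(blinded, B)      # server -> client: (a*x)^B
    recovered = client_unblind(response, b_prime)
    return blinded, b_prime, response, recovered

if __name__ == "__main__":
    A, a = keygen()   # client's exponent A, stored value a = g^A
    B, b = keygen()   # server's private B, public b = g^B
    blinded, b_prime, response, recovered = run_exchange(a, b, B)
    print("recovered b^A:", recovered == pow(b, A, P))
```

The server only ever receives a*x and the only randomness hiding a inside it is the client's X, which is the dependency the question above is about.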

