[Cryptography] Non-Authenticated Key Agreement

Guus Sliepen guus at sliepen.org
Wed Sep 23 03:16:40 EDT 2015


On Wed, Sep 23, 2015 at 12:11:01AM -0500, Davy Durham wrote:

> Given an encrypt (and decrypt, for that matter) function based on the one-time
> pad idea:
>     E(d, k) = d xor k

A one-time pad is only a one-time pad if you use it once. You are using
them twice in your protocol.

>    d = data
>    ka = random bits
>    d' = E(d, ka)
>                              d'
>           ---------------------------------------->
>                                                   kb = random bits
>                                                   d'' = E(d', kb)
>                              d''
>           <----------------------------------------
>    d''' = E(d'', ka)
>                              d'''
>           ---------------------------------------->
>                                                   d = E(d''', kb)

An eavesdropper can see d', d'' and d'''. Using your equation for E, the
eavesdropper can easily calculate:

d' xor d'' = kb
d'' xor d''' = ka
d' xor d'' xor d''' = d

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus at sliepen.org>
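
The exchange and the three XOR relations from the message above, as an added example that is not part of the original e-mail. The function names (`three_pass`, `eavesdrop`, `run_demo`) and the sample message are constructed for illustration.

```python
import secrets


def E(d: bytes, k: bytes) -> bytes:
    """E(d, k) = d xor k, as defined in the quoted message."""
    if len(d) != len(k):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(d, k))


def three_pass(d: bytes):
    """Run the quoted exchange. Returns the wire transcript, the value the
    receiver ends up with, and both secret pads (for checking only)."""
    ka = secrets.token_bytes(len(d))  # sender's random bits
    kb = secrets.token_bytes(len(d))  # receiver's random bits
    d1 = E(d, ka)    # d'    sender   -> receiver
    d2 = E(d1, kb)   # d''   receiver -> sender
    d3 = E(d2, ka)   # d'''  sender   -> receiver (ka cancels, leaving d xor kb)
    received = E(d3, kb)
    return (d1, d2, d3), received, ka, kb


def eavesdrop(d1: bytes, d2: bytes, d3: bytes):
    """Passive observer: only the three wire messages are needed."""
    kb = E(d1, d2)        # d' xor d''          = kb
    ka = E(d2, d3)        # d'' xor d'''        = ka
    d = E(E(d1, d2), d3)  # d' xor d'' xor d''' = d
    return ka, kb, d


def run_demo(message: bytes = b"constructed sample message") -> bool:
    """True if the observer recovers both pads and the plaintext."""
    wire, received, ka, kb = three_pass(message)
    seen_ka, seen_kb, seen_d = eavesdrop(*wire)
    return received == message and (seen_ka, seen_kb, seen_d) == (ka, kb, message)


if __name__ == "__main__":
    print("observer recovered ka, kb and d:", run_demo())
```

Each pad is applied to two different wire messages, so XORing those two messages cancels everything except the other party's pad, regardless of how random the pads are.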

