[Cryptography] Defending against weak/trapdoored keys

Henry Baker hbaker1 at pipeline.com
Thu Oct 13 08:37:19 EDT 2016


At 11:18 PM 10/12/2016, David Johnston wrote:
>On 10/12/16 11:55 AM, Henry Baker wrote:
>> Here's my (hopefully non-lame) attempt to fix DH to defend against weak and/or trapdoored primes/ECC-groups.
>
>Rather than running two DHs, why not give both ends a hand in choosing the prime randomly?
>
>Alice and Bob swap random numbers and hash them.
>
>Alice and Bob both know their fresh random number went into the hash.
>
>Use the hash output to seed a CSPRNG that services a prime search algorithm.
>
>Use the prime that is found.
>
>You will want to do the usual stuff to prevent MITMs.
>
>Then it becomes a race between what's more efficient, the extra round trip of DH or the extra cost of the prime search.
>
>This will depend on compute vs network capability.

I'm not at all convinced that random "secure" primes/ECC groups can be quickly & efficiently generated in real time.

However, by using multiple DHs, we might be able to force Eve to have to break them all.
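The jointly seeded group generation that the quoted reply sketches (both nonces hashed, the hash seeding a deterministic generator, the generator driving a prime search), worked through as an added example; this is not code from either poster. It assumes SHA-256 over both nonces as the seed, SHAKE256 with a block counter as the deterministic CSPRNG, a safe prime p = 2q + 1 with g = 4 as the group, and a 128-bit modulus purely so the search finishes in well under a second; a real group would be 2048 bits or more, and since the expected number of candidates grows roughly with the square of the bit length while each primality test also gets slower, that size is exactly where the real-time cost in question bites. Authenticating the nonce exchange ("the usual stuff to prevent MITMs") is left out.

```python
"""Jointly seeded safe-prime DH group (added example, not from the original thread).

Alice and Bob each contribute a fresh nonce; SHA-256 of both nonces seeds a
SHAKE256-based deterministic byte stream (this example's choice of DRBG), and
that stream drives a safe-prime search, so both sides compute the same group
and neither side chose it alone. 128-bit parameters are for demo speed only.
"""
import hashlib
import secrets


def _small_primes(limit=1000):
    """Primes below `limit`, used for trial division before Miller-Rabin."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = _small_primes()


class Drbg:
    """Deterministic stream: SHAKE256(seed || counter), one block per call.
    Both sides read the identical sequence, so every choice below is reproducible."""

    def __init__(self, seed):
        self.seed = seed
        self.counter = 0

    def next_block(self, n):
        block = hashlib.shake_256(self.seed + self.counter.to_bytes(8, "big")).digest(n)
        self.counter += 1
        return block

    def randint_bits(self, bits):
        """Uniform integer in [0, 2**bits)."""
        return int.from_bytes(self.next_block((bits + 7) // 8), "big") & ((1 << bits) - 1)


def is_probable_prime(n, rng, rounds=32):
    """Trial division, then Miller-Rabin with bases drawn from the shared DRBG."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + rng.randint_bits(n.bit_length()) % (n - 3)  # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def joint_seed(nonce_initiator, nonce_responder, label=b"jointly-seeded-DH-group"):
    """Both nonces in a fixed role order, so both sides hash the same transcript."""
    return hashlib.sha256(label + nonce_initiator + nonce_responder).digest()


def derive_safe_prime(seed, bits=128):
    """Walk the DRBG stream until a safe prime p = 2q + 1 of exactly `bits` bits
    appears. Returns (p, q, g) with g = 4: a non-trivial square, so it generates
    the order-q subgroup of a safe-prime group."""
    if bits < 16:
        raise ValueError("bits too small for this search")
    rng = Drbg(seed)
    while True:
        # odd q with its top bit set in position bits-2, so p = 2q+1 has exactly `bits` bits
        q = rng.randint_bits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if any(q % r == 0 or p % r == 0 for r in SMALL_PRIMES):
            continue  # cheap sieve on both q and p before the expensive tests
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q, 4


def dh_over_joint_group(nonce_a, nonce_b, bits=128):
    """Each side derives the group from the shared seed, then runs textbook DH on it.
    Returns (p, shared_alice, shared_bob); a real protocol would also authenticate
    the transcript and pass the shared value through a KDF."""
    group_a = derive_safe_prime(joint_seed(nonce_a, nonce_b), bits)  # Alice's view
    group_b = derive_safe_prime(joint_seed(nonce_a, nonce_b), bits)  # Bob's view
    if group_a != group_b:
        raise ValueError("sides disagree on the group")
    p, q, g = group_a
    x = 2 + secrets.randbelow(q - 2)  # Alice's private exponent in [2, q-1]
    y = 2 + secrets.randbelow(q - 2)  # Bob's private exponent in [2, q-1]
    X, Y = pow(g, x, p), pow(g, y, p)
    for peer_value in (X, Y):  # each side checks the peer's value is in the order-q subgroup
        if not (1 < peer_value < p - 1 and pow(peer_value, q, p) == 1):
            raise ValueError("peer public value not in the prime-order subgroup")
    return p, pow(Y, x, p), pow(X, y, p)
```

Note that whoever sends the second nonce can still grind over its own value to pick among candidate groups; a commit-then-reveal of the nonces (hash first, reveal after the other's arrives) removes that freedom at the cost of another round trip, which feeds straight into the round-trip versus prime-search trade-off the quoted reply raises.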
