[Cryptography] Cryptographic challenge

Phillip Hallam-Baker phill at hallambaker.com
Fri Apr 27 16:39:16 EDT 2018


OK, here is an interesting cryptographic puzzle which I believe will
probably have no satisfactory solution but is fun anyway.

Traditional public key encryption schemes are either a 'true' encryption
scheme that provides for message recovery (e.g. RSA) or a key agreement
which establishes a shared secret that both parties know but neither party
has direct control over.

There are advantages and disadvantages to both. The advantage of using RSA
is that if a message is sent to 100 recipients, the output of the RSA
decryption operation is exactly the same for each one and can be used as an
encryption key directly.

That is not the case with DH and ECDH of course, each recipient has a
different output value and the only way to encrypt a message for multiple
recipients is to wrap the key for each recipient.

In either of these cases, the approach works, but there is one niggling
problem: the data is encrypted under a session key controlled by the sender,
which provides an opportunity for a kleptography attack. The sender can
deliberately choose a weak key or use the key to transmit information.

When a message is sent to a single recipient, the DH scheme has the property
that it is free of subliminal channels. There is no part of the output
message that is not either constrained by the input or has been processed
through a one way function. The generator of the message can choose the
ephemeral private key but can only use the public key as a channel through
'brute force' type approaches requiring vast amounts of processing or large
numbers of messages to communicate.


I am currently writing a spec for Data At Rest Encryption. For the sake of
minimizing the number of code paths to the absolute bare minimum, I am
using key wrapping in every case. Which leaves the opportunity for a
subliminal channel which is an irritating but probably essential compromise.

But is it possible that there is a public key cryptosystem that allows a
message to be encrypted to multiple recipients that does not have this
flaw?

I have thought up many solutions and then realized that they are flawed
because while it is easy to prevent the generator having direct control of
the ciphertext encryption key and/or IV by using hashes, this is about
preventing any nonce like information being passed to the recipient.
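The two modes contrasted in the post, as an added example that is not part of the original message or of the Data At Rest Encryption spec it mentions. It uses only the Python standard library, so the group parameters (p = 2^127 - 1, g = 3) are a toy assumption far too small for real use, and the XOR wrap under a derived KEK stands in for AES Key Wrap; the 32-byte "leak" payload is constructed for the demonstration. In key-wrap mode the sender picks the content key outright, so a dishonest sender can make the key *be* the data it wants to exfiltrate and every recipient recovers it verbatim. In direct single-recipient DH mode the content key is a one-way function of the shared secret, and the only lever the sender has is to re-roll the ephemeral key until the derived key looks the way it wants, which costs about 2^k tries for k bits of control:

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman group (assumption for this example):
# p = 2^127 - 1 is a Mersenne prime, g = 3. Far too small for real use; a
# deployment would use an RFC 3526 / RFC 7919 group or ECDH, and AES Key Wrap
# (RFC 3394) rather than the XOR wrap below.
P = (1 << 127) - 1
G = 3
KEY_LEN = 32


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret as a fixed-width byte string (p < 2^128, so 16 bytes)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def kdf(shared, label, length=KEY_LEN):
    """HMAC-SHA256 extract-then-expand (HKDF-shaped) derivation with a
    fixed salt; this is the one-way function the sender cannot steer."""
    prk = hmac.new(b"dare-example-salt", shared, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


# ---- Mode A: one sender-chosen CEK, key-wrapped per recipient -------------

def wrap_for_recipients(cek, recipient_pubs):
    """Wrap the same CEK under a per-recipient KEK derived from one ephemeral
    DH key. The XOR wrap is a stand-in for AES Key Wrap. The subliminal
    channel is the CEK itself: the sender chooses it freely."""
    eph_priv, eph_pub = dh_keypair()
    wrapped = []
    for pub in recipient_pubs:
        kek = kdf(dh_shared(eph_priv, pub), b"kek")
        wrapped.append(bytes(a ^ b for a, b in zip(kek, cek)))
    return eph_pub, wrapped


def unwrap(recipient_priv, eph_pub, blob):
    kek = kdf(dh_shared(recipient_priv, eph_pub), b"kek")
    return bytes(a ^ b for a, b in zip(kek, blob))


def kleptographic_sender(leak, recipient_pubs):
    """A dishonest sender uses the bytes it wants to exfiltrate *as* the CEK.
    Nothing in the message lets a recipient tell that the key was not random."""
    assert len(leak) == KEY_LEN
    return wrap_for_recipients(leak, recipient_pubs)


# ---- Mode B: direct DH to a single recipient, no wrapped key --------------

def single_recipient_key(recipient_pub):
    """The content key is kdf(shared secret); the sender only picks the
    ephemeral private key and never sees the key before deriving it."""
    eph_priv, eph_pub = dh_keypair()
    return eph_pub, kdf(dh_shared(eph_priv, recipient_pub), b"cek")


def recipient_derive(recipient_priv, eph_pub):
    return kdf(dh_shared(recipient_priv, eph_pub), b"cek")


def grind_first_byte(recipient_pub, target, max_tries=1 << 16):
    """The only way to influence the derived key is brute force: re-roll the
    ephemeral key until the key's first byte equals `target`. Expected cost is
    256 tries for one byte and doubles for every further bit of control.
    Returns (tries, ephemeral_public)."""
    for tries in range(1, max_tries + 1):
        eph_pub, key = single_recipient_key(recipient_pub)
        if key[0] == target:
            return tries, eph_pub
    raise RuntimeError("no match within the try budget")


if __name__ == "__main__":
    recips = [dh_keypair() for _ in range(3)]
    leak = b"exfiltrated-signing-key-bytes!!!"  # constructed 32-byte payload
    eph_pub, blobs = kleptographic_sender(leak, [pub for _, pub in recips])
    for (priv, _), blob in zip(recips, blobs):
        assert unwrap(priv, eph_pub, blob) == leak
    print("key-wrap mode: every recipient recovers the sender-chosen CEK verbatim")

    priv, pub = dh_keypair()
    tries, eph_pub = grind_first_byte(pub, 0x42)
    assert recipient_derive(priv, eph_pub)[0] == 0x42
    print(f"direct DH mode: forcing one byte of the content key took {tries} tries")
```

The two halves make the asymmetry concrete: in the wrapped mode the recipient's output is whatever the sender put in, 256 bits of sender-controlled channel per message, while in the direct mode the sender pays roughly 2^k work per k bits, which is the "brute force" cost the post refers to. Hashing the sender's choices into the key and IV closes the first channel but not the second, and also does nothing about nonce-like fields that the recipient must receive unprocessed.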