Re: A-B-a-b encryption
- Original Message - From: Jeremiah Rogers [EMAIL PROTECTED] To: crypto list [EMAIL PROTECTED] Sent: Sunday, November 16, 2003 12:50 PM Subject: Re: A-B-a-b encryption

> This is Shamir's Three-Pass Protocol, described in section 22.3 of Schneier. It requires a commutative cryptosystem.
> - Jeremiah Rogers

Also described in HAC, protocol 12.22. It's like basic DH, except it provides key transport instead of key agreement.

--Anton

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: A-B-a-b encryption
martin f krafft wrote:
> it came up lately in a discussion, and I couldn't put a name to it: a means to use symmetric crypto without exchanging keys:
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
> Are there algorithms for this already? What's the scheme called? I searched Schneier (non-extensively) but couldn't find a reference. Thanks,

The protocol is called the Shamir three-pass protocol. It needs a commutative cipher. Probably the only cipher that it can be securely used with is called the Pohlig-Hellman cipher, a simple exponentiating cipher over Zp. Whether it's a symmetric cipher is a matter of precise definition, though despite the encryption and decryption keys being different I would consider it such. A better term might be a secret-key cipher. It's quite easy to find the decryption key d from the encryption key e:

d*e = 1 mod (p-1)
C = M^e mod p
M = C^d mod p

p should be a safe (= 2q+1, q prime) prime, and all keys used should be odd and != q. There is an ECC variant. There are lots of things to watch out for in implementations.

I'm trying to develop (or find? anyone?) a secure symmetric cipher which is a group, where if you know A and B you can find a key C that decrypts B(A(M)), but that's a different story.

-- Peter Fairbrother
Re: A-B-a-b encryption
On Nov 16, 2003, at 12:24 PM, lrk wrote:
> Stupid crypto, probably. Unless I'm missing something, this only works if A(A(M)) = M. Symmetric crypto, not just symmetric keys. NEVER willingly give the cryptanalyst the same message encrypted with the same system using two different keys. For the simple case, suppose F(X) = X ^ S (exclusive or with a string generated from the key). Then M = A(M) ^ B(M) ^ B(A(M)), right? Probably something similar for other symmetric systems.

This is Shamir's Three-Pass protocol and it doesn't require a symmetric system, it requires a commutative system. See Schneier p 516 (section 22.3) or [1] for details.

so A(A(M)) != M

Unless I'm mistaken, this commutative system does not leak information in the same way as XOR does.

- Jeremiah

[1] http://www.afn.org/~afn21533/keyexchg.htm
Re: A-B-a-b encryption
In message [EMAIL PROTECTED], Perry E. Metzger writes:
> Hmm. You need a cipher such that given B(A(M)) and A you can get B(M). I know of only one with that property -- XOR style stream ciphers. Unfortunately that makes for a big flaw, so I'm not sure we should throw out our Diffie-Hellman implementations yet.

I believe that Pohlig-Hellman with the same modulus has this property, too. But I don't recall seeing any analysis if Pohlig-Hellman modulus reuse has the same failings as RSA with modulus reuse.

--Steve Bellovin, http://www.research.att.com/~smb
Re: A-B-a-b encryption
martin f krafft wrote:
> it came up lately in a discussion, and I couldn't put a name to it: a means to use symmetric crypto without exchanging keys:
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
> Are there algorithms for this already? What's the scheme called?

It's called Pohlig-Hellman. It only works if your encryption scheme is commutative. Most symmetric-key encryption schemes aren't commutative, but one scheme that does work is A(M) = M^A mod p. One scheme that doesn't work is A(M) = M xor A; XOR is indeed commutative, but it becomes insecure when used in the above protocol.

Anyway, the Pohlig-Hellman protocol is no better (and probably no worse) than a straight Diffie-Hellman, so there seems to be little reason to adopt it. Just stick to standard Diffie-Hellman.
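A worked instance of the exchange discussed in the replies above, as an added example that is not code from any poster in this thread. It runs the A-B-a-b flow with the Pohlig-Hellman exponentiation cipher over a safe prime p = 2q+1 with keys coprime to p-1 (the conditions Peter Fairbrother lists), and then runs the identical flow with XOR, where an eavesdropper recovers M = A(M) ^ B(A(M)) ^ B(M) from the three messages alone, as lrk observed. The safe-prime search start point, the key sizes, the sample message and all function names are assumptions made for the demo.

```python
"""Shamir's three-pass protocol: a Pohlig-Hellman instance and the XOR failure.

Added example for this thread, not code posted by any of its participants.
The safe-prime search start point, key sizes, sample message and function
names are assumptions made for the demo.
"""
from __future__ import annotations

import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; a composite survives with chance < 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> tuple[int, int]:
    """Smallest p = 2q + 1 with q >= start and both p and q prime.

    A deterministic upward search so the demo is repeatable; a deployment
    would use a standardised group or a properly generated 2048-bit+ prime."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed demo parameters: a ~102-bit safe prime, far too small for real use.
P, Q = safe_prime_from(1 << 100)


def ph_keygen(p: int) -> tuple[int, int]:
    """Pohlig-Hellman key pair (e, d) with e*d = 1 mod (p-1).

    gcd(e, p-1) = 1 is the real requirement; for a safe prime p = 2q+1 it is
    exactly "e odd and e != q" from upthread, and it is what makes d exist."""
    while True:
        e = 2 + secrets.randbelow(p - 3)
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def three_pass(enc, dec, alice_key, bob_key, m):
    """The A-B-a-b flow. Returns (what Bob ends up with, what Eve saw on the wire).

    Alice's third step only yields B(M) when enc/dec commute; whatever cipher
    is plugged in, the same three messages reach a passive eavesdropper."""
    c1 = enc(alice_key, m)    # Alice -> Bob:   A(M)
    c2 = enc(bob_key, c1)     # Bob -> Alice:   B(A(M))
    c3 = dec(alice_key, c2)   # Alice -> Bob:   B(M)
    return dec(bob_key, c3), (c1, c2, c3)


def pohlig_hellman_transport(msg: bytes) -> bytes:
    """Run the protocol with C = M^e mod P; returns the bytes Bob recovers."""
    m = int.from_bytes(msg, "big")
    if not 1 < m < P - 1:   # 0, 1 and p-1 are fixed points of exponentiation
        raise ValueError("message must encode to an integer in (1, P-1)")
    alice, bob = ph_keygen(P), ph_keygen(P)
    enc = lambda key, x: pow(x, key[0], P)   # key = (e, d)
    dec = lambda key, x: pow(x, key[1], P)
    m_bob, _wire = three_pass(enc, dec, alice, bob, m)
    # Eve holds M^a, M^(ab) and M^b mod P; no XOR-style cancellation applies,
    # and recovering M from them is a discrete-log-type problem in Z_P^*.
    return m_bob.to_bytes(len(msg), "big")


def xor_eavesdrop(msg: bytes) -> bytes:
    """Same flow with 'encryption' = XOR against a random key of message length.

    Returns what Eve computes from the three passes alone; it equals msg."""
    n = len(msg)
    m = int.from_bytes(msg, "big")
    alice = int.from_bytes(secrets.token_bytes(n), "big")
    bob = int.from_bytes(secrets.token_bytes(n), "big")
    xor = lambda key, x: x ^ key              # enc == dec, and it commutes
    m_bob, (c1, c2, c3) = three_pass(xor, xor, alice, bob, m)
    assert m_bob == m                         # the protocol is correct...
    return (c1 ^ c2 ^ c3).to_bytes(n, "big")  # ...but M = A(M) ^ B(A(M)) ^ B(M)


if __name__ == "__main__":
    msg = b"hello, world"                     # constructed 12-byte sample message
    print("safe prime P has", P.bit_length(), "bits")
    print("Pohlig-Hellman: Bob receives", pohlig_hellman_transport(msg))
    print("XOR: Eve recovers          ", xor_eavesdrop(msg))
```

Neither instantiation authenticates the peer: like unauthenticated Diffie-Hellman, the Pohlig-Hellman version stops only a passive eavesdropper, which is the sense in which the last reply above puts it on a par with plain DH.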
A-B-a-b encryption
it came up lately in a discussion, and I couldn't put a name to it: a means to use symmetric crypto without exchanging keys:
- Alice encrypts M with key A and sends it to Bob
- Bob encrypts A(M) with key B and sends it to Alice
- Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
- Bob decrypts B(M) with key B leaving him with M.

Are there algorithms for this already? What's the scheme called? I searched Schneier (non-extensively) but couldn't find a reference.

Thanks,

-- martin; (greetings from the heart of the sun.)
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
time wounds all heels.
-- groucho marx