Re: A-B-a-b encryption

2003-11-19 Thread Anton Stiglic
----- Original Message -----
From: Jeremiah Rogers [EMAIL PROTECTED]
To: crypto list [EMAIL PROTECTED]
Sent: Sunday, November 16, 2003 12:50 PM
Subject: Re: A-B-a-b encryption


> This is Shamir's Three-Pass Protocol, described in section 22.3 of
> Schneier. It requires a commutative cryptosystem.
>
> - Jeremiah Rogers

Also described in HAC, protocol 12.22.
It's like basic DH, except it provides key transport instead of key
agreement.

--Anton

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: A-B-a-b encryption

2003-11-19 Thread Peter Fairbrother
martin f krafft wrote:

> it came up lately in a discussion, and I couldn't put a name to it:
> a means to use symmetric crypto without exchanging keys:
>
> - Alice encrypts M with key A and sends it to Bob
> - Bob encrypts A(M) with key B and sends it to Alice
> - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
> - Bob decrypts B(M) with key B leaving him with M.
>
> Are there algorithms for this already? What's the scheme called?
> I searched Schneier (non-extensively) but couldn't find a reference.
>
> Thanks,

The protocol is called the Shamir three-pass protocol. It needs a
commutative cipher.

Probably the only cipher that it can be securely used with is called the
Pohlig-Hellman cipher, a simple exponentiating cipher over Zp.

Whether it's a symmetric cipher is a matter of precise definition, though
despite the encryption and decryption keys being different I would consider
it such. A better term might be a secret-key cipher. It's quite easy to find
the decryption key d from the encryption key e:

d*e = 1 mod (p-1)

C = M^e mod p
M = C^d mod p


p should be a safe (= 2q+1, q prime) prime, and all keys used should be
odd and !=q. There is an ECC variant. There are lots of things to watch out
for in implementations.



I'm trying to develop (or find? anyone?) a secure symmetric cipher which is
a group, where if you know A and B you can find a key C that decrypts
B(A(M)), but that's a different story.


-- 
Peter Fairbrother



Re: A-B-a-b encryption

2003-11-17 Thread Jeremiah Rogers
On Nov 16, 2003, at 12:24 PM, lrk wrote:
> Stupid crypto, probably. Unless I'm missing something, this only works
> if A(A(M)) = M. Symmetric crypto, not just symmetric keys.
>
> NEVER willingly give the cryptanalyst the same message encrypted with
> the same system using two different keys.
> For the simple case, suppose F(X) = X ^ S (exclusive or with a string
> generated from the key).
> Then M = A(M) ^ B(M) ^ B(A(M)), right?
>
> Probably something similar for other symmetric systems.
This is Shamir's Three-Pass protocol and it doesn't require a symmetric 
system, it requires a commutative system. See Schneier p 516 (section 
22.3) or [1] for details.

so A(A(M)) != M

Unless I'm mistaken, this commutative system does not leak information 
in the same way as XOR does.

- Jeremiah

[1] http://www.afn.org/~afn21533/keyexchg.htm

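As an added illustration (not code from any post in this thread), the four-step protocol from the original post run with the two ciphers the thread discusses: the Pohlig-Hellman exponentiation cipher Peter Fairbrother describes (C = M^e mod p, d*e = 1 mod (p-1), p a safe prime), and the XOR stream cipher whose leak lrk points out (M = A(M) ^ B(M) ^ B(A(M))). The modulus, message and key values are constructed toy values, far too small for real use.

```python
from math import gcd
import secrets

# Constructed toy parameters: p = 2q + 1 with p and q both prime (a "safe prime").
# Real deployments need a p of at least 2048 bits; 1019 just keeps the output readable.
P = 1019
Q = (P - 1) // 2  # 509

def ph_keygen(p):
    """Pohlig-Hellman key pair: odd e with gcd(e, p-1) == 1 (which also excludes e == q),
    and d = e^-1 mod (p-1), so that d*e = 1 mod (p-1)."""
    while True:
        e = secrets.randbelow(p - 1)
        if e > 1 and e % 2 == 1 and gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def ph_enc(m, e, p):
    return pow(m, e, p)   # C = M^e mod p

def ph_dec(c, d, p):
    return pow(c, d, p)   # M = C^d mod p

def three_pass(m, enc_a, dec_a, enc_b, dec_b):
    """The four steps from the original post. Returns (messages seen on the wire, Bob's result)."""
    t1 = enc_a(m)    # Alice -> Bob:   A(M)
    t2 = enc_b(t1)   # Bob -> Alice:   B(A(M))
    t3 = dec_a(t2)   # Alice -> Bob:   B(M); this step is what needs A and B to commute
    return (t1, t2, t3), dec_b(t3)

def run_pohlig_hellman(m, p=P):
    """Three-pass with the exponentiation cipher; M must be in 1..p-1."""
    ea, da = ph_keygen(p)
    eb, db = ph_keygen(p)
    return three_pass(m, lambda x: ph_enc(x, ea, p), lambda x: ph_dec(x, da, p),
                         lambda x: ph_enc(x, eb, p), lambda x: ph_dec(x, db, p))

def run_xor(m, a, b):
    """Three-pass with XOR keys a and b: commutative, so Bob does get M, but see xor_eavesdrop."""
    return three_pass(m, lambda x: x ^ a, lambda x: x ^ a, lambda x: x ^ b, lambda x: x ^ b)

def xor_eavesdrop(wire):
    """lrk's observation: a passive observer XORs the three wire messages and gets M,
    because (M^A) ^ (M^A^B) ^ (M^B) == M. No such combination of the wire values
    is known for the exponentiation cipher, which is why it is the one used in practice."""
    t1, t2, t3 = wire
    return t1 ^ t2 ^ t3

if __name__ == "__main__":
    wire, got = run_pohlig_hellman(123)
    print("Pohlig-Hellman: Bob recovers", got, "from wire", wire)
    wire, got = run_xor(0x2A, a=0x5C, b=0x9F)
    print("XOR: Bob recovers", hex(got), "but so does the eavesdropper:", hex(xor_eavesdrop(wire)))
```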


Re: A-B-a-b encryption

2003-11-17 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Perry E. Metzger writes:

> Hmm. You need a cipher such that given B(A(M)) and A you can get
> B(M). I know of only one with that property -- XOR style stream
> ciphers. Unfortunately that makes for a big flaw, so I'm not sure we
> should throw out our Diffie-Hellman implementations yet.


I believe that Pohlig-Hellman with the same modulus has this property, 
too.  But I don't recall seeing any analysis if Pohlig-Hellman modulus 
reuse has the same failings as RSA with modulus reuse.

--Steve Bellovin, http://www.research.att.com/~smb




Re: A-B-a-b encryption

2003-11-17 Thread David Wagner
martin f krafft wrote:
> it came up lately in a discussion, and I couldn't put a name to it:
> a means to use symmetric crypto without exchanging keys:
>
>   - Alice encrypts M with key A and sends it to Bob
>   - Bob encrypts A(M) with key B and sends it to Alice
>   - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
>   - Bob decrypts B(M) with key B leaving him with M.
>
> Are there algorithms for this already? What's the scheme called?

It's called Pohlig-Hellman.  It only works if your encryption scheme
is commutative.  Most symmetric-key encryption schemes aren't commutative,
but one scheme that does work is A(M) = M^A mod p.  One scheme that doesn't
work is A(M) = M xor A; XOR is indeed commutative, but it becomes insecure
when used in the above protocol.

Anyway, the Pohlig-Hellman protocol is no better (and probably no worse)
than a straight Diffie-Hellman, so there seems to be little reason to adopt
it.  Just stick to standard Diffie-Hellman.



A-B-a-b encryption

2003-11-16 Thread martin f krafft
it came up lately in a discussion, and I couldn't put a name to it:
a means to use symmetric crypto without exchanging keys:

  - Alice encrypts M with key A and sends it to Bob
  - Bob encrypts A(M) with key B and sends it to Alice
  - Alice decrypts B(A(M)) with key A, leaving B(M), sends it to Bob
  - Bob decrypts B(M) with key B leaving him with M.

Are there algorithms for this already? What's the scheme called?
I searched Schneier (non-extensively) but couldn't find a reference.

Thanks,

-- 
martin;  (greetings from the heart of the sun.)
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
time wounds all heels.
   -- groucho marx

