David Wagner wrote: > Peter Fairbrother wrote:
>> Not usually. In general index calculus attacks don't work on P-H, [...] > > Sure they do. If I have a known plaintext pair (M,C), where > C = M^k (mod p), then with two discrete log computations I can > compute k, since k = dlog_g(C)/dlog_g(M) (mod p-1). This works for > any generator g, so I can do the precomputation for any g I like. Duuuh. I _knew_ that. I've even proposed changing p from time to time to limit the take from an IC attack. Dumb of me. Too much beer, no coffee, got a brainstorm and couldn't see the wood for the trees... Sorry. -- Peter Fairbrother --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
