On Thu, May 03, 2007 at 07:57:18PM +1000, James A. Donald wrote:
> Assume Ann's secret key is a, and her public key is A = G^a mod P
>
> Assume Bob's secret key is b, and his public key is B = G^b mod P
>
> Bob wants to send Ann a message.
>
> Bob generates a secret random number x, and sends Ann X = G^x mod P
>
> Ann responds with Y = G^y mod P, where y is another secret random number.
>
> Ann calculates [(B*X)^(a+y)] mod P

This appears to simplify to:

(G^b * G^x)^(a+y) = (G^(b+x))^(a+y) = G^((b+x)(a+y))

Right?

This doesn't appear to be anything like the latest rev of the OTR protocol:

http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html

Apparently the key exchange is now a variant of the SIGMA protocol, and relies upon the implementation to disclose MAC keys automagically as the related session keys are destroyed/expired.

Apparently this fixes an identity-binding flaw:

http://lists.cypherpunks.ca/pipermail/otr-users/2005-July/000316.html

And this illustrates a subtlety:

> For example, if Bob thinks he's talking to Mallory, he may tell her
> something in confidence he would not want Alice to hear. Note that
> although Mallory could relate this confidential information to Alice
> herself, but in the attack scenario Alice has assurance that the
> message came from Bob rather than having to take Mallory's word for it.

Contrast this to sign-then-encrypt, where Mallory could decrypt, then forward to Alice. Compare with encrypt-then-sign.

But it brings up an interesting point; that when a party relays a piece of data it may not be equivalent to receiving it directly; that is, authenticity may not be transitive.

Put another way, maybe it's not the information that matters, but who says it. The New York Times may say that someone did XYZ, but that's not entirely the same as the person admitting it under oath.

In international politics, many believe that admitting to having performed some provocative action can be more provocative than actually the action itself, even if everyone already knows who is responsible. If you believe this, I suppose the official lie can be said to serve the interest of both sides, as the government receiving the provocation can allow the story to go unchallenged, and probably not be forced into taking an overt retaliatory action. Thus it preserves their options, and avoids forcing them into what could be a disastrous confrontation.

If they are too weak to confront the provocateur, they aren't likely to shout this from the rooftops.

-- 
Kill dash nine, and it's no more CPU time, kill dash nine, and that process is mine. -><-
<URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email [EMAIL PROTECTED]
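The exchange quoted above and its simplification to G^((b+x)(a+y)), as an added example that is not part of the original message or of OTR. Bob's side, (A*Y)^(b+x), does not appear in the quoted text and is assumed here by symmetry; P and G are constructed toy parameters.

```python
import secrets

# Constructed toy parameters (assumption): 2**127 - 1 is prime, but a group
# this small is for illustration only. The message does not specify P or G.
P = 2**127 - 1
G = 3

def keypair():
    """Return (secret, public) with public = G^secret mod P."""
    s = secrets.randbelow(P - 3) + 2
    return s, pow(G, s, P)

def ann_shared(a, y, B, X):
    """Ann's value from the quoted message: (B*X)^(a+y) mod P."""
    return pow(B * X % P, a + y, P)

def bob_shared(b, x, A, Y):
    """Bob's mirror-image value (assumed by symmetry): (A*Y)^(b+x) mod P."""
    return pow(A * Y % P, b + x, P)

def ann_from_components(a, y, B, X):
    """Expand (b+x)(a+y) = ab + by + xa + xy: the shared value is the product
    of four ordinary DH values (static-static, static-ephemeral,
    ephemeral-static, ephemeral-ephemeral), each computable by Ann."""
    return pow(B, a, P) * pow(B, y, P) * pow(X, a, P) * pow(X, y, P) % P

def run_exchange():
    """Run one exchange with fresh random secrets; return the three values
    that the simplification in the reply says must be equal."""
    a, A = keypair()   # Ann's long-term key
    b, B = keypair()   # Bob's long-term key
    x, X = keypair()   # Bob's per-message secret
    y, Y = keypair()   # Ann's per-message secret
    k_ann = ann_shared(a, y, B, X)
    k_bob = bob_shared(b, x, A, Y)
    k_direct = pow(G, (b + x) * (a + y), P)  # G^((b+x)(a+y)) mod P
    return k_ann, k_bob, k_direct

if __name__ == "__main__":
    k_ann, k_bob, k_direct = run_exchange()
    print("Ann and Bob agree:", k_ann == k_bob)
    print("Matches G^((b+x)(a+y)):", k_ann == k_direct)
```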