On 20 Jan 2003, David Wagner wrote:

> If you're worried about the security of allowing Scott to choose the
> low bits of Alice's public key, you could have Scott and Alice perform
> a joint coin-flipping protocol to select a random 64-bit string that
> neither can control, then proceed as before.

STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE)) seems simple enough. However, there is no way to be sure the RSA key is actually at all safe in this case. For example, Alice could choose a 950-bit prime, and then whenever she needed a new key, just choose a small (50- or 100-bit) prime as the other factor.

All in all the DSA case seems easier because there are fewer things which an observer cannot verify. Doing something like this for the DSA case (with y) might be nice, since that would force Alice to choose a new x each time as well as new p, q, g.

-Jack

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
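The coin-flipping step sketched above, written out as an added example (this is not code from the post or from anyone on the list). It derives the 64-bit string exactly as STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE)); everything else is an assumption made here: a commit-then-reveal round (SHA-256 commitments blinded with a nonce), 32-byte seeds, and LOW_64 read as the last 8 bytes of the SHA-1 digest. The commitment round is what makes "neither can control" true: the last function shows that if seeds were simply exchanged in the clear, whoever speaks second could search for a seed that steers the result.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SEED_LEN = 32   # bytes of randomness each party contributes (assumed size)
NONCE_LEN = 16  # blinding nonce for the commitment (assumed size)


def derive_string(seed_from_scott: bytes, seed_from_alice: bytes) -> bytes:
    """STRING = LOW_64(SHA-1(SEED_FROM_SCOTT || SEED_FROM_ALICE)) as in the post.
    LOW_64 is taken to mean the last 8 bytes of the digest (assumed convention)."""
    return hashlib.sha1(seed_from_scott + seed_from_alice).digest()[-8:]


def commit(seed: bytes, nonce: bytes) -> bytes:
    """Hash commitment to a seed. SHA-256 and the nonce blinding are assumptions,
    not something the post specifies; the nonce stops guessing a short seed from
    its commitment."""
    return hashlib.sha256(nonce + seed).digest()


def opening_matches(commitment: bytes, seed: bytes, nonce: bytes) -> bool:
    """Constant-time check that a revealed (seed, nonce) matches the earlier commitment."""
    return hmac.compare_digest(commit(seed, nonce), commitment)


def new_party() -> Tuple[bytes, bytes, bytes]:
    """Each party draws a seed and nonce and publishes only the commitment first."""
    seed, nonce = os.urandom(SEED_LEN), os.urandom(NONCE_LEN)
    return seed, nonce, commit(seed, nonce)


def finish(c_scott: bytes, scott_open: Tuple[bytes, bytes],
           c_alice: bytes, alice_open: Tuple[bytes, bytes]) -> bytes:
    """Reveal phase: each opening must match the commitment that was published
    before either side had seen the other's seed; otherwise abort."""
    seed_s, nonce_s = scott_open
    seed_a, nonce_a = alice_open
    if not opening_matches(c_scott, seed_s, nonce_s):
        raise ValueError("Scott's opening does not match his commitment")
    if not opening_matches(c_alice, seed_a, nonce_a):
        raise ValueError("Alice's opening does not match her commitment")
    return derive_string(seed_s, seed_a)


def run_protocol() -> Tuple[bytes, bytes, bytes]:
    """Full exchange: commit, commit, reveal, reveal, derive.
    Returns (string, seed_scott, seed_alice)."""
    seed_s, nonce_s, c_s = new_party()   # Scott -> Alice: c_s
    seed_a, nonce_a, c_a = new_party()   # Alice -> Scott: c_a
    # Only now are the seeds exchanged; neither was chosen with knowledge of the other.
    string = finish(c_s, (seed_s, nonce_s), c_a, (seed_a, nonce_a))
    return string, seed_s, seed_a


def last_mover_can_steer(seed_first: bytes, want_low_byte: int,
                         max_tries: int = 1 << 16) -> Optional[bytes]:
    """Why the commitment round matters: with plain seed exchange, whoever sends
    second already knows the first seed and can search for one that drives the
    output where they like (here: a chosen low byte). Returns such a seed or None."""
    for i in range(max_tries):
        candidate = i.to_bytes(4, "big")
        if derive_string(seed_first, candidate)[-1] == want_low_byte:
            return candidate
    return None


if __name__ == "__main__":
    result, _, _ = run_protocol()
    print("64-bit string:", result.hex())
```

Note that this only settles who controls the 64-bit string. Jack's second point stands regardless: an observer still cannot tell from the resulting modulus whether Alice paired a 950-bit prime with a 50-bit one, which is why the DSA variant, where p, q, g and y are all public and checkable, looks easier to audit.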
