Oskar writes:
> - I don't see why all the Bobs can collude to control the value, since
> Alice also has a value XORed into the result. Of course, they can decide
> as they wish what key value they actually reference Alice from, so it
> doesn't matter. I think better stated the goal is that for any honest
> party in the process, the value they will know as the final result is
> random.

You are right, the Bobs can't do it. I guess I was thinking that they could collude with Alice to do it, but it's not clear that accomplishes much.

> - I believe that Scott is already doing encryption in the node connection
> process, and that he would use ElGamal using the same primitives as we
> have for DSA.

This is not always such a great idea. DSA keys are not particularly well suited for ElGamal and DH operations, although sometimes you can get away with it. The problem is that DSA keys use a relatively small subgroup of 160 bits, and more specifically, that they don't care if (p-1)/2q has many small factors. This is not an issue for DSA signatures, but it turns out that some protocols can leak key information if this happens.

The classic paper on this is Lim and Lee, "A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup," from Crypto 97. Unfortunately I can't find it online. Actually I have a PDF of it from the Crypto proceedings CD-ROM. Darn, I can't find it. Well, I'll put it up if I do.

If Freenet uses random keys for the DH-exchange, and the DSA keys just to sign using DSA signatures, then it should be okay. Doing ElGamal with these keys can be risky, especially in an automated environment like Freenet. An attacker could hammer your node with connection attempts and see which ones decrypt properly for you, and in some cases this could leak a lot of information about a DSA key when used for ElGamal decryption, using the Lim and Lee technique.

I can provide more information on the math if you want.

Hal
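
A defensive check for the condition this message describes, as an added example that is not part of the original e-mail or of Freenet's code: it trial-divides (p-1)/2q for small factors and tests that a received value lies in the order-q subgroup before the private key touches it. The function names and the toy parameters (p=331, q=11 and p=23, q=11) are constructed for illustration.

```python
# Constructed toy parameters, far too small for real use: (p, q) with q | p-1.
WEAK = (331, 11)   # (p-1)/2q = 15 = 3 * 5, many small factors
SAFE = (23, 11)    # p = 2q + 1, so (p-1)/2q = 1
G_WEAK = pow(3, (WEAK[0] - 1) // WEAK[1], WEAK[0])  # element of order q in WEAK


def small_cofactor_factors(p, q, bound=1 << 16):
    """Prime factors below `bound` of (p-1)/2q, found by trial division."""
    if (p - 1) % (2 * q):
        raise ValueError("2q must divide p-1")
    cofactor, found, d = (p - 1) // (2 * q), [], 2
    while d < bound and d * d <= cofactor:
        if cofactor % d == 0:
            found.append(d)
            while cofactor % d == 0:
                cofactor //= d
        d += 1
    if 1 < cofactor < bound:   # what is left is itself a small prime
        found.append(cofactor)
    return found


def in_prime_order_subgroup(y, p, q):
    """True only if y is a non-trivial element of the order-q subgroup mod p."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def checked_elgamal_input(c1, p, q):
    """Hypothetical gate to call before exponentiating c1 by the private key."""
    if not in_prime_order_subgroup(c1, p, q):
        raise ValueError("value is outside the order-q subgroup; refusing to decrypt")
    return c1


if __name__ == "__main__":
    for name, (p, q) in (("WEAK", WEAK), ("SAFE", SAFE)):
        print(name, "small factors of (p-1)/2q:", small_cofactor_factors(p, q))
    outside = pow(3, (WEAK[0] - 1) // 3, WEAK[0])  # constructed value of order 3
    print("subgroup element accepted:", in_prime_order_subgroup(G_WEAK, *WEAK))
    print("order-3 value accepted:", in_prime_order_subgroup(outside, *WEAK))
```

The membership test costs one modular exponentiation per received value and applies equally to DH public values and ElGamal ciphertext components.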
