ElGamal, the current P/K encryption in .4, has some weaknesses with
chosen-ciphertext attacks that make breaking ElGamal easier than
breaking the underlying discrete logarithm problem.

For that reason I've written a replacement algorithm, DLES, described in
the paper "DHAES: An Encryption Scheme Based on the Diffie-Hellman
Problem" (1998) by Abdalla, Bellare, Rogaway.

The algorithm has about the same performance as ElGamal (2 modexps for
encrypt, 1 to decrypt), but provides much stronger security guarantees.
In addition, the algorithm involves a keyed message authentication code,
for which we'll be using HMAC.  The MAC lets Bob know if the encrypted
quantity will actually decrypt to valid data and not gibberish.  For
this reason, we would be able to eliminate the 0x00000000 we encrypt at
the beginning of a restart request, which would eliminate a possible
partial known-plaintext attack.

Comments?

        Scott

_______________________________________________
Devl mailing list
Devl at freenetproject.org
http://lists.freenetproject.org/mailman/listinfo/devl
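As an added illustration (not Scott's code, nor Freenet's), here is a toy DHAES/DLES-style encrypt/decrypt in Python: an ephemeral Diffie-Hellman value g^u, a hash of g^u || g^uv split into a MAC key and an encryption key, and an HMAC that the receiver verifies before decrypting, so a tampered or random ciphertext is rejected instead of decrypting to gibberish. The group parameters and the SHAKE-based keystream standing in for the symmetric cipher are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (constructed for illustration only; a deployment would
# use a standard large prime-order group). The scheme's correctness does not
# depend on the group size, only its security does.
P = 2**127 - 1   # a Mersenne prime, far too small for real use
G = 3
NBYTES = (P.bit_length() + 7) // 8

def keygen():
    """Bob's long-term key: private v, public g^v mod p."""
    v = secrets.randbelow(P - 2) + 1
    return v, pow(G, v, P)

def _derive_keys(g_u, shared):
    """(macKey, encKey) = H(g^u || g^uv), following the DHAES construction."""
    h = hashlib.sha256(g_u.to_bytes(NBYTES, "big")
                       + shared.to_bytes(NBYTES, "big")).digest()
    return h[:16], h[16:]

def _stream(key, length):
    """Illustrative keystream (SHAKE-256) standing in for a real symmetric cipher."""
    return hashlib.shake_256(key).digest(length)

def encrypt(pub, msg):
    """Two modexps: g^u and (g^v)^u. Output (g^u, ciphertext, tag)."""
    u = secrets.randbelow(P - 2) + 1
    g_u = pow(G, u, P)
    mac_key, enc_key = _derive_keys(g_u, pow(pub, u, P))
    ct = bytes(a ^ b for a, b in zip(msg, _stream(enc_key, len(msg))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return g_u, ct, tag

def decrypt(priv, g_u, ct, tag):
    """One modexp: (g^u)^v. Verify the tag before decrypting anything."""
    mac_key, enc_key = _derive_keys(g_u, pow(g_u, priv, P))
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None          # tampered or garbage: never hand back gibberish
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, len(ct))))

def demo():
    """Round trip a message, then show a one-bit corruption is rejected."""
    priv, pub = keygen()
    g_u, ct, tag = encrypt(pub, b"restart request payload")
    good = decrypt(priv, g_u, ct, tag)
    bad = decrypt(priv, g_u, ct[:-1] + bytes([ct[-1] ^ 1]), tag)
    return good, bad
```

Because the tag is checked first, a receiver never needs a known prefix such as 0x00000000 to tell a valid decryption from noise.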