On Wed, Sep 05, 2001 at 11:48:23AM -0700, Scott Miller wrote:
> ElGamal, the current P/K encryption in .4 has some weaknesses with
> chosen-ciphertext attacks that make breaking ElGamal easier than
> breaking the underlying discrete logarithm problem.
>
> For that reason I've written a replacement algorithm, DLES, described in
> the paper "DHAES: An Encryption Scheme Based on the Diffie-Hellman
> Problem", (1998) by Abdalla, Bellare, Rogaway.
>
> The algorithm has about the same performance as ElGamal (2 modexps for
> encrypt, 1 to decrypt), but provides much stronger security guarantees.
> In addition, the algorithm involves a keyed message authentication code,
> for which we'll be using HMAC. The MAC lets Bob know if the encrypted
> quantity will actually decrypt to valid data and not gibberish. For
> this reason, we would be able to eliminate the 0x00000000 we encrypt at
> the beginning of a restart request, which would eliminate a possible
> partial known-plaintext attack.
When are the MACs sent?
> Comments?
How do you want to phase this in?
Also, a while back you mentioned an issue with the ElGamal block size.
Does the new algorithm solve or otherwise obviate this?
--
:: tavin cole (tcole at espnow.com) ::
"I can hear them in the dark sharpening their lasers."
- Erwin Chargaff
_______________________________________________
Devl mailing list
Devl at freenetproject.org
http://lists.freenetproject.org/mailman/listinfo/devl
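To make the scheme under discussion concrete, here is a worked DHAES/DHIES-style encryptor and decryptor. It is an added illustration, not Freenet's DLES code and not the reference code from the Abdalla, Bellare and Rogaway paper. Everything below the scheme's outline is my assumption: the group is the 2048-bit MODP group from RFC 3526 (group 14, generator 2), the two keys are split out of SHA-512 over g^u || g^uv in the DHIES manner, the MAC is HMAC-SHA256, and the symmetric layer is a keystream built from HMAC-SHA256 in counter mode standing in for a real cipher. The modexp counter is there so the "2 modexps to encrypt, 1 to decrypt" figure from the thread can be checked, and the sample message is constructed.

```python
"""Illustrative DHIES/DHAES-style encryption over a MODP group.

Added example; not Freenet's DLES implementation.  Assumptions (mine):
RFC 3526 group 14 (2048-bit safe prime, generator 2), SHA-512 as the
key-derivation hash H(g^u || g^uv), HMAC-SHA256 as the MAC, and an
HMAC-SHA256 counter-mode keystream as the symmetric cipher.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 modulus (assumed correct transcription) and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16)
G = 2
ELEM_LEN = (P.bit_length() + 7) // 8   # fixed-width encoding of group elements
TAG_LEN = 32                            # HMAC-SHA256 output

_modexp_calls = 0                       # instrumentation only


def modexps_used():
    """Number of modular exponentiations performed so far (for checking cost)."""
    return _modexp_calls


def modexp(base, exp):
    global _modexp_calls
    _modexp_calls += 1
    return pow(base, exp, P)


def i2b(x):
    return x.to_bytes(ELEM_LEN, "big")


def keygen():
    """Return (private v, public g^v); one modexp."""
    v = secrets.randbelow(P - 2) + 1
    return v, modexp(G, v)


def derive_keys(gu, guv):
    """DHIES key derivation: hash the ephemeral element with the DH value,
    so the ciphertext's g^u is bound into both keys.  Returns (mac_key, enc_key)."""
    digest = hashlib.sha512(i2b(gu) + i2b(guv)).digest()
    return digest[:32], digest[32:]


def keystream_xor(key, data):
    """Symmetric layer: XOR with an HMAC-SHA256 counter-mode keystream
    (same call encrypts and decrypts).  Stand-in for a real cipher."""
    out = bytearray(len(data))
    for start in range(0, len(data), 32):
        block = hmac.new(key, (start // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        for j, b in enumerate(data[start:start + 32]):
            out[start + j] = b ^ block[j]
    return bytes(out)


def encrypt(pub, msg):
    """Two modexps: g^u and pub^u.  Output layout: g^u || tag || EM."""
    u = secrets.randbelow(P - 2) + 1
    gu = modexp(G, u)
    guv = modexp(pub, u)
    mac_key, enc_key = derive_keys(gu, guv)
    em = keystream_xor(enc_key, msg)
    tag = hmac.new(mac_key, em, hashlib.sha256).digest()
    return i2b(gu) + tag + em


def decrypt(priv, ct):
    """One modexp.  Returns the plaintext, or None when the MAC (or the
    group-element sanity check) fails, i.e. the receiver can tell gibberish
    from a genuine message without any known plaintext marker."""
    if len(ct) < ELEM_LEN + TAG_LEN:
        return None
    gu = int.from_bytes(ct[:ELEM_LEN], "big")
    if gu <= 1 or gu >= P - 1:         # reject 0, 1, -1 and out-of-range values
        return None
    tag, em = ct[ELEM_LEN:ELEM_LEN + TAG_LEN], ct[ELEM_LEN + TAG_LEN:]
    guv = modexp(gu, priv)
    mac_key, enc_key = derive_keys(gu, guv)
    expected = hmac.new(mac_key, em, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, em)


if __name__ == "__main__":
    priv, pub = keygen()
    ct = encrypt(pub, b"constructed sample: restart request")   # constructed input
    print(decrypt(priv, ct))
    broken = bytearray(ct)
    broken[-1] ^= 1
    print(decrypt(priv, bytes(broken)))    # None: the MAC catches the change
```

Note that the MAC is computed over the encrypted payload only; because both keys come from a hash that includes g^u, replaying the ciphertext body under a different ephemeral element also fails verification. A real deployment would replace the HMAC keystream with a proper cipher and use an authenticated-encryption construction throughout.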