On Wed, Sep 05, 2001 at 03:48:39PM -0400, Tavin Cole wrote:
> On Wed, Sep 05, 2001 at 11:48:23AM -0700, Scott Miller wrote:
> > ElGamal, the current P/K encryption in .4 has some weaknesses with
> > chosen-ciphertext attacks that make breaking ElGamal easier than
> > breaking the underlying discrete logarithm problem.
> >
> > For that reason I've written a replacement algorithm, DLES, described in
> > the paper "DHAES: An Encryption Scheme Based on the Diffie-Hellman
> > Problem", (1998) by Abdalla, Bellare, Rogaway.
> >
> > The algorithm has about the same performance as ElGamal (2 modexps for
> > encrypt, 1 to decrypt), but provides much stronger security guarantees.
> > In addition, the algorithm involves a keyed message authentication code,
> > for which we'll be using HMAC. The mac lets Bob know if the encrypted
> > quantity will actually decrypt to valid data and not gibberish. For
> > this reason, we would be able to eliminate the 0x00000000 we encrypt at
> > the beginning of a restart request, which would eliminate a possible
> > partial known-plaintext attack.
>
> When are the macs sent?
The 'ciphertext' is three values, g^u mod p (where u is a random number),
the MAC, and symmetrically encrypted ciphertext (from a key generated by
the algorithm).
>
> How do you want to phase this in?
Well, we can basically replace instances of ElGamal in the source with
this algo, and we can remove the 0x00000000 checking. My implementation
throws a DecryptionFailedException if the mac doesn't verify.
> Also, a while back you mentioned an issue with the ElGamal block size.
> Does the new algorithm solve or otherwise obviate this?
>
Yes.
Scott
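A worked sketch of the three-value ciphertext described above (g^u mod p, the MAC, and the symmetrically encrypted data), with MAC verification before decryption. This is an added example, not code from the Freenet implementation or the DHAES paper; the toy prime and generator, the SHA-256 key derivation over g^u || Y^u, and the hash-counter keystream standing in for the symmetric cipher are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters, for illustration only: P is the Mersenne prime 2^127 - 1.
# A real deployment would use a standard large DH group.
P = (1 << 127) - 1
G = 5


class DecryptionFailedException(Exception):
    """Raised when the MAC does not verify (the exception the message mentions)."""


def keygen(rng=secrets.randbelow):
    x = rng(P - 2) + 1          # Bob's long-term private key x in [1, p-2]
    return x, pow(G, x, P)      # (private x, public Y = g^x mod p)


def _derive_keys(u_pub, shared):
    # Assumption: key material = SHA-256(g^u || Y^u), split into an encryption key
    # and a separate MAC key. Both values fit in 16 bytes since they are < 2^127.
    material = hashlib.sha256(u_pub.to_bytes(16, "big") + shared.to_bytes(16, "big")).digest()
    return material[:16], material[16:]


def _keystream_xor(key, data):
    # Placeholder symmetric cipher: XOR with a SHA-256 counter keystream.
    # Stands in for the real symmetric cipher; not part of the original post.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(y_pub, plaintext, rng=secrets.randbelow):
    u = rng(P - 2) + 1                         # fresh random exponent per message
    u_pub = pow(G, u, P)                       # g^u mod p, sent in the clear
    enc_key, mac_key = _derive_keys(u_pub, pow(y_pub, u, P))
    ct = _keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return u_pub, tag, ct                      # the three values the message describes


def decrypt(x_priv, msg):
    u_pub, tag, ct = msg
    enc_key, mac_key = _derive_keys(u_pub, pow(u_pub, x_priv, P))   # (g^u)^x == Y^u
    # Verify the MAC first: a tampered or unrelated ciphertext is rejected before any
    # plaintext is produced, which is what removes the need for a 0x00000000 sentinel.
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise DecryptionFailedException("MAC mismatch")
    return _keystream_xor(enc_key, ct)
```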