One of the most interesting chapters in the ultra-interesting history of
public key cryptography is that all of the Fathers of Public Key
Cryptography, Diffie, Hellman, Rivest, Shamir and Adleman, missed the
observation that from an (unauthenticated) DH key exchange you can get an
encryption scheme just by fixing one of the exponents. It was Taher
ElGamal who, a few years later, made that observation, and that is why this
encryption is known as ElGamal encryption.

As for the comment below:

On Thu, Sep 22, 2016 at 7:50 PM, Colm MacCárthaigh wrote:

> On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk wrote:
>> If the problem is the use of forward secrecy then there is a simple
>> solution, don't use it.
>> That is, you can, as a server, have a fixed key_share for which the
>> secret exponent becomes the private key exactly as in the RSA case. It does
>> require some careful analysis, though.
> I think that this may be possible for TLS1.3 0-RTT data, but not for other
> data where an ephemeral key will be generated based also on a parameter
> that the client chooses.

The key_share contributed by the client is indeed ephemeral and it replaces
the random key chosen by the client in the RSA-based scheme.


> --
> Colm
TLS mailing list
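The two constructions discussed in this thread, side by side, as an added example that is not part of the original messages: an unauthenticated DH exchange with both exponents ephemeral, and the same exchange with the server's exponent fixed, which is ElGamal encryption with the client's ephemeral key_share playing the role of the random value the RSA-based scheme would have encrypted. The group parameters (p = 2027, q = 1013, g = 4) are a toy safe-prime group chosen for illustration only, and the XOR-with-derived-key "cipher" and the share validation check are assumptions of this example, not anything the thread or TLS 1.3 specifies.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 (constructed for illustration only; a real
# deployment would use a standard group such as RFC 7919 ffdhe2048 or a curve).
P = 2027
Q = 1013
G = 4                      # a quadratic residue, so it generates the order-q subgroup
SHARE_BYTES = (P.bit_length() + 7) // 8


def keygen():
    """DH key pair: secret exponent x in [2, q-1] and public share g^x mod p."""
    x = 2 + secrets.randbelow(Q - 2)
    return x, pow(G, x, P)


def validate_share(y):
    """Reject shares outside the prime-order subgroup (1, p-1, non-residues, out of range).
    With a fixed server exponent this check matters more, since the same secret is
    reused against every client share the server ever sees."""
    return 1 < y < P and pow(y, Q, P) == 1


def kdf(shared, label):
    """Derive a 32-byte key from the shared group element (assumed construction)."""
    return hashlib.sha256(label + shared.to_bytes(SHARE_BYTES, "big")).digest()


def dh_ephemeral():
    """Both sides ephemeral: the exponents are discarded after use (forward secrecy)."""
    a, A = keygen()
    b, B = keygen()
    if not (validate_share(A) and validate_share(B)):
        raise ValueError("invalid key share")
    key_a = kdf(pow(B, a, P), b"dh")
    key_b = kdf(pow(A, b, P), b"dh")
    return key_a == key_b, key_a


class FixedShareServer:
    """Fix the server exponent: (sk, pk) becomes a long-term key pair exactly as in
    the RSA case, and g^b is the published key_share."""

    def __init__(self):
        self.sk, self.pk = keygen()

    def decrypt(self, client_share, ciphertext):
        if not validate_share(client_share):
            raise ValueError("invalid client key_share")
        key = kdf(pow(client_share, self.sk, P), b"elgamal")
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def client_encrypt(server_pk, plaintext):
    """ElGamal: the client's ephemeral share g^a replaces the random key the client
    would have chosen and RSA-encrypted; (g^a, ciphertext) is the whole message."""
    if not validate_share(server_pk):
        raise ValueError("invalid server key_share")
    if len(plaintext) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    a, A = keygen()
    key = kdf(pow(server_pk, a, P), b"elgamal")
    return A, bytes(m ^ k for m, k in zip(plaintext, key))


def roundtrip(message=b"0-RTT payload"):
    """Encrypt to a fixed-share server and decrypt; returns the recovered plaintext."""
    server = FixedShareServer()
    client_share, ciphertext = client_encrypt(server.pk, message)
    return server.decrypt(client_share, ciphertext)


if __name__ == "__main__":
    print("ephemeral DH agrees:", dh_ephemeral()[0])
    print("fixed-share decrypt:", roundtrip())
```

The only difference between the two halves is that `FixedShareServer` keeps `sk` across sessions; the client code is the same modular exponentiation in both cases. That is also where the forward-secrecy trade-off lives: anyone who later obtains `sk` can run `decrypt` on every recorded `(client_share, ciphertext)` pair, which is the "careful analysis" the thread alludes to.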