One of the most interesting chapters in the ultra-interesting history of
public key cryptography is that all of the Fathers of Public Key
Cryptography, Diffie, Hellman, Rivest, Shamir and Adleman, missed the
observation that from an (unauthenticated) DH key exchange you can get an
encryption scheme just by fixing one of the exponents. It was Taher
ElGamal, a few years later, who made that observation, and that is why this
encryption is known as ElGamal encryption.
As for the comment below:
On Thu, Sep 22, 2016 at 7:50 PM, Colm MacCárthaigh <c...@allcosts.net>
> On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk <h...@ee.technion.ac.il>
>> If the problem is the use of forward secrecy, then there is a simple
>> solution: don't use it.
>> That is, you can, as a server, have a fixed key_share for which the
>> secret exponent becomes the private key exactly as in the RSA case. It does
>> require some careful analysis, though.
> I think that this may be possible for TLS1.3 0-RTT data, but not for other
> data where an ephemeral key will be generated based also on a parameter
> that the client chooses.
The key_share contributed by the client is indeed ephemeral and it replaces
the random key chosen by the client in the RSA-based scheme.
TLS mailing list
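As an added illustration that is not part of the thread: the "fix one exponent of a DH exchange and you have an encryption scheme" construction above, written out in Python with a small group constructed at runtime (real deployments use a standardised 2048-bit MODP group or an elliptic curve). The function names `encapsulate`, `decapsulate` and `static_server_sessions` are my own, and the key schedule is replaced by a plain hash. Beyond the thread's claim it also shows the cost of a fixed server exponent: an observer who records the clients' ephemeral key_shares and later obtains the static exponent recovers every past session key, which is the forward secrecy being traded away.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate for the small constructed group used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime_group(bits: int = 28):
    """(p, g): p = 2q + 1 a constructed safe prime; g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            return p, 4

def derive_key(p: int, shared: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the DH output into a session key."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def encapsulate(p, g, server_share, c):
    """Client: g^c is its ephemeral key_share. In ElGamal terms server_share is the
    public key and H(server_share^c) the key that would mask the message."""
    return pow(g, c, p), derive_key(p, pow(server_share, c, p))

def decapsulate(p, s, client_share):
    """Server: the fixed exponent s plays the role the RSA private key played."""
    return derive_key(p, pow(client_share, s, p))

def static_server_sessions(n: int = 2):
    """Run n handshakes against one fixed server key_share, then show that a later
    compromise of s plus the recorded client shares yields every past session key."""
    p, g = safe_prime_group()
    q = (p - 1) // 2
    s = secrets.randbelow(q - 1) + 1          # chosen once, reused for every session
    server_share = pow(g, s, p)
    transcript, keys = [], []
    for _ in range(n):
        c = secrets.randbelow(q - 1) + 1      # fresh per session, like the client's key_share
        client_share, k_client = encapsulate(p, g, server_share, c)
        assert k_client == decapsulate(p, s, client_share)   # both sides agree
        transcript.append(client_share)       # what a passive observer sees
        keys.append(k_client)
    recovered = [decapsulate(p, s, share) for share in transcript]  # observer who later learns s
    return keys, recovered
```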