One of the most interesting chapters in the ultra-interesting history of public key cryptography is that all of the Fathers of Public Key Cryptography, Diffie, Hellman, Rivest, Shamir and Adleman, missed the observation that from an (unauthenticated) DH key exchange you can get an encryption scheme just by fixing one of the exponents. It was Taher ElGamal, a few years later, who made that observation, and that is why this encryption is known as ElGamal encryption.
As for the comment below:

On Thu, Sep 22, 2016 at 7:50 PM, Colm MacCárthaigh <[email protected]> wrote:

> On Thu, Sep 22, 2016 at 4:41 PM, Hugo Krawczyk <[email protected]> wrote:
>
>> If the problem is the use of forward secrecy then there is a simple
>> solution: don't use it.
>> That is, you can, as a server, have a fixed key_share for which the
>> secret exponent becomes the private key exactly as in the RSA case. It does
>> require some careful analysis, though.
>
> I think that this may be possible for TLS1.3 0-RTT data, but not for other
> data where an ephemeral key will be generated based also on a parameter
> that the client chooses.

The key_share contributed by the client is indeed ephemeral and it replaces the random key chosen by the client in the RSA-based scheme.

Hugo

> --
> Colm
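The two observations in this message, that fixing one DH exponent yields ElGamal and that a server reusing a fixed key_share gives up forward secrecy, in a small worked example. This is added illustration, not code from the thread or from any TLS implementation; the group (p = 2^127 - 1, g = 3) is a constructed toy, not a TLS group, and the helper names are my own.

```python
"""Toy: a DH exchange becomes ElGamal encryption once one side's exponent is fixed."""
import secrets

# Constructed toy group: 2**127 - 1 is prime, but far too small for real use and
# not a TLS group; it only keeps the arithmetic readable.
P = 2**127 - 1
G = 3


def keygen():
    """One DH half: secret exponent x and public share g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(secret, peer_share):
    """Shared secret g^(xk): identical whichever side computes it."""
    return pow(peer_share, secret, P)


# --- ElGamal: the receiver's exponent is fixed once and reused ---------------
def elgamal_encrypt(y, m):
    """Sender runs a fresh DH half (k, g^k) against the fixed public share y = g^x."""
    k, c1 = keygen()                    # c1 = g^k is the sender's ephemeral key_share
    c2 = (m * dh_shared(k, y)) % P      # textbook ElGamal masks m with g^(xk)
    return c1, c2


def elgamal_decrypt(x, c1, c2):
    """Receiver recovers g^(xk) from c1 exactly as in DH, then unmasks."""
    s = dh_shared(x, c1)
    return (c2 * pow(s, -1, P)) % P     # pow(s, -1, P): modular inverse (Python 3.8+)


# --- A server with a fixed key_share: same algebra, seen as TLS sessions -----
def session_keys(server_secret, n_sessions):
    """Server reuses one exponent across sessions; each client stays ephemeral.
    Returns the observable transcript (client shares) and the key of each session."""
    server_share = pow(G, server_secret, P)
    transcript, keys = [], []
    for _ in range(n_sessions):
        k, client_share = keygen()
        keys.append(dh_shared(k, server_share))
        transcript.append(client_share)
    return transcript, keys


def keys_from_static_secret(server_secret, transcript):
    """Whoever later holds the server's long-term exponent can recompute every
    past session key from the recorded client shares: the forward-secrecy
    trade-off the thread is weighing against an RSA-style static key."""
    return [dh_shared(server_secret, share) for share in transcript]
```

Each session in `session_keys` is, step for step, one `elgamal_encrypt` under the server's public share, which is the identity the first paragraph describes.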
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
