smb@research.att.com sez:
> Two problems... First, many attacks on the discrete log problem are based on massive precomputation for a known modulus. That probably isn't an issue when you get to ~1K bits (*not* digits!).
Hey, some of us have forgotten there are other number bases than binary. :-)
> Second, you need to specify things far more concretely, and in particular define the random number generation process. You can't pick w till you know m.
I don't remember that a good w depends on m, but if a well-known m could be calculated that is prime and big enough (I suggested a way to do this via algorithm), then it seems you are saying that a w would then follow algorithmically from the choice of m. Right?
I've found a solution to this that is more than sufficiently secure in practice and even theoretically secure in most practical situations.
> Well, I'd certainly be interested in hearing about it...
With a little luck you shall. I want to apply for a patent on it first but have been reluctant (as well as too poor) to file because I fear it being snagged at the application stage by the national security laws that I am told allow them to do that and stamp it top secret. Can anybody verify or debunk that?
> There have been a number of mechanisms for preventing eavesdropping with DH; a lot depends on what assumptions you want to make. My attempts -- which involve the two parties sharing a weak (i.e., PIN- or password-grade) secret -- can be found in /dist/smb/{neke,aeke}.ps on research.att.com.
Yes, when there is private sharing of any info, several means exist that are secure but that leaves the problem of exchanging this info securely in the first place. My method obviates the need for any prior exchange. I have ftp'ed your papers and mailed them to where I have a PostScript printer. I'm anxious to see what you have done.
> There's also Rivest and Shamir's Interlock Protocol (April '84 CACM). Davies and Price suggest using it for authentication, but Mike Merritt and I showed that that doesn't work under certain circumstances.
Yep, it has been found wanting. There was some strong reason I found it not applicable to my voice application, but without my notes I cannot recall it. I spoke with Ron about that at last year's RSA conference and he concurred. Damned aging memory. :-(

Peace,

Bob
--
Bob Cain rcain@netcom.com 408-354-8021
"I used to be different. But now I'm the same."
--------------PGP 1.0 or 2.0 public key available on request.------------------
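On the point that "you can't pick w till you know m": the following is an added example, not code from either correspondent. It assumes w is the DH base and m the modulus, takes m to be a safe prime (m = 2q + 1 with q prime), and shows that a good w is a property of m and so can only be derived after m is fixed; the small moduli in the test are constructed for demonstration.

```python
# Assumption for this example: w is the DH base and m the modulus, and m is a
# safe prime, m = 2q + 1 with q prime. Then every element mod m has order
# 1, 2, q or 2q, and a good w is one of order q, a property of m itself, which
# is why w can only be chosen once m is fixed. Demo moduli are constructed.

def is_prime(n):
    """Deterministic Miller-Rabin, exact for n < 3.4e14 (demo-sized moduli)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(m):
    """m = 2q + 1 with both m and q prime."""
    return is_prime(m) and is_prime((m - 1) // 2)

def order_mod_safe_prime(w, m):
    """Order of w mod a safe prime m; the only candidates are 1, 2, q, 2q."""
    q = (m - 1) // 2
    return next(k for k in (1, 2, q, 2 * q) if pow(w, k, m) == 1)

def choose_base(m):
    """Smallest w > 1 of prime order q. Refuses a non-safe-prime m, since
    without knowing the group structure of m no w can be certified."""
    if not is_safe_prime(m):
        raise ValueError("m must be a known safe prime before choosing w")
    q = (m - 1) // 2
    return next(w for w in range(2, m) if order_mod_safe_prime(w, m) == q)

def dh_shared_secret(m, w, a, b):
    """Both parties derive the same key from public (m, w) and private a, b."""
    ka = pow(pow(w, b, m), a, m)   # one side: (w^b)^a mod m
    kb = pow(pow(w, a, m), b, m)   # other side: (w^a)^b mod m
    assert ka == kb
    return ka
```

Real moduli are ~1K bits as the thread says; the same order check applies, only the search over w would use random candidates rather than counting up from 2.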