Well, I got such a good response from my last technical question that I'll try again :) If it's actually secure, it'll go really well with my credential system. Trent generates primes p,q. He publishes n=pq and some random value g. Trent calculates a and a' such that aa' = 1 % (p-1)(q-1) and a' is prime. He sends Alice a' and g^a%n. a' is her secret exponent and g^a%n her public value. Bob can establish a shared secret with Alice if Alice got a' from Trent. He picks a random r and sends her g^ar%n. She raises it to a' to compute the shared secret g^r%n. So the important questions are: * Given g^a%n and a', can Alice derive (p-1)(q-1)? If so, she'd be able to take over Trent's job. * Given g^k%n and k' for lots of different k, can we derive (p-1)(q-1) or otherwise imitate Trent's ability to give out (g^k%n, k') pairs? So IOW the goal is for Bob to be able to send Alice a message iff she knows a secret from Trent. And if Alice's secret is compromised, only messages sent to (or possibly from) Alice become vulnerable. A friend of mine pointed out that Alice can trivially compute another working pair of keys from her own: g^-a and -a'. And if the a' keys weren't prime, Alice and Bob could factor them and generate other keypairs. Both of those seem manageable, though. The common modulus attack in which you use g^k and g^k' to get information on g (which is public in this case) by calculating rk+sk'=1 caused me problems in earlier equations I tried, but doesn't seem to help the attacker here. -J
participants (1)
-
Jason Holt