Lady Ada's Cryptophone

Hal hfinney at shell.portal.com
Thu May 5 22:11:47 PDT 1994


Lady Ada writes:

> - -- Diffie-Hellman for key exchange
> - -- Triple DES for data encryption
> - -- RSA for digital signatures/identity verification
>                 
> Rationale: 
>     Unlike encryption protocols designed for email,
> a phone system will need to exchange public keys
> bidirectonally at the beginning of every call, and
> the existance of an insecure two-directional link can
> be assumed.  Diffie-Hellman is perfect for this application.
> The alternative, RSA, would require either generation of
> new keypairs at call time, which is very slow, or the

Diffie-Hellman can be quite slow as well, depending on the size
of the exponents.  It involves calculating x**y, twice, where x
and y are about 512 to 1024 bits.  Some variants have the exponent
yl be smaller, around 140 bits, but if strong primes are used for
the modulus the exponent will be large like this.  And the Chinese
Remainder Theorem speedup used by PGP when RSA signing would not
be applicable here.  So calculating a DH key exchange could take
many times longer than an RSA signature by PGP.  This takes about
fifteen seconds on my old PC; doing a DH key exchange might take a
minute.

>    Each phone shall have a button (hard or soft)
> which can be pressed by the caller at any time.  Pressing
> it will cause a new TDES key to be generated and exchanged.
> [Should it generate a new n and g for D-H, or just create
> a new x and demand a new Y?]  Paranoid users can press
> this button every few seconds if they wish.  (In my
> humble opinion, even a single-DES phone is quite secure
> if it has this feature.)

It might be possible to compute the DH in the background while the
conversation is going on, but if the computer is also compressing,
uncompressing, encrypting and decrypting at the same time, that's
not going to be easy.









More information about the cypherpunks-legacy mailing list