On Digital Cash-like Payment Systems

Whyte, William WWhyte at ntru.com
Mon Nov 14 06:47:42 PST 2005

> > Don't ever encrypt the same message twice that way, or you're likely to
> > fall to a common modulus attack, I believe.
> Looks like it (common modulus attack involves same n, 
> different (e,d) pairs).
> However, you're likely to be picking a random symmetric key as the
> "message", and Schneier even suggests picking a random r in Z_n and
> encrypting hash(r) as the symmetric key.
> More generally, I wonder about salting all operations to prevent using
> the same value more than once.  It seems like it's generally a bad
> idea to reuse values, as a heuristic, and applying some kind of
> uniquification operation to everything, just as it's a good idea to
> pad/frame values in such a way that the output of one stage cannot be
> used in another stage of the same protocol.

I forget the beginning of this conversation... but if you're
salting all public-key encryption operations you may as well
just use a standard RSA encryption scheme, such as OAEP or
RSA-KEM. OAEP is specified in PKCS#1, available from 
http://www.rsasecurity.com/rsalabs/node.asp?id=2125; it's well-
studied and has a proof of security, and should certainly be
used in preference to any home-grown system.

If you were talking about salting something other than public
key operations, accept my apologies...

