On Digital Cash-like Payment Systems
WWhyte at ntru.com
Mon Nov 14 06:47:42 PST 2005
> > Don't ever encrypt the same message twice that way, or you're likely to
> > fall to a common modulus attack, I believe.
> Looks like it (common modulus attack involves same n,
> different (e,d) pairs).
> However, you're likely to be picking a random symmetric key as the
> "message", and Schneier even suggests picking a random r in Z_n and
> encrypting hash(r) as the symmetric key.
> More generally, I wonder about salting all operations to prevent using
> the same value more than once. It seems like it's generally a bad
> idea to reuse values, as a heuristic, and applying some kind of
> uniquification operation to everything, just as it's a good idea to
> pad/frame values in such a way that the output of one stage cannot be
> used in another stage of the same protocol.
I forget the beginning of this conversation... but if you're
salting all public-key encryption operations you may as well
just use a standard RSA encryption scheme, such as OAEP or
RSA-KEM. OAEP is specified in PKCS#1, available from
http://www.rsasecurity.com/rsalabs/node.asp?id=2125; it's well-
studied and has a proof of security, and should certainly be
used in preference to any home-grown system.
If you were talking about salting something other than public
key operations, accept my apologies...
More information about the cypherpunks-legacy