Anonymous (nobody@replay.com)
Fri, 5 Feb 1999 00:19:10 +0100
> AA> I think nobody@remailer.ie was talking about using the construct for more
> AA> efficient exportable symmetric confidentiality by taking the public keys
> AA> out of the picture -- if not, allow me to propose it. :-)
>
> Hmm -- the message from nobody@remailer.ie hasn't reached here.
Remailer.ie doesn't exist, as far as I know; that was just a reference to your
Irish (= .ie) schoolgirl comment.
(time passes)
> (could youse please pick some persistent nyms??!?)
No! :)
(nothing happens)
> Could you explain in more detail how you use this construct to take the
> public keys out of the picture?
Now that I'm not sleepy, I'm hurried -- I can try a third time if this makes no
sense.
It was intended to do exactly what chaffing and winnowing does -- provide
strong, exportable confidentiality from a shared secret -- not to do RSA
encryption without symmetric keys. Both parties use their shared secret to
deterministically generate a 512-bit RSA key, and they use this key to encrypt
the first bits of a message which has already passed through an a|n transform.
If rigged properly, no clue is provided as to what the modulus is, and BXA-OK
RSA acts like a strong symmetric cipher, not a weak asymmetric one. The
advantage is that it takes one PK operation, not 128 or so, to chaff and
winnow. It's not even necessary that RSA be secure as a public-key cryptosystem
for this to work, just that it be a secure symmetric cipher when used as it's
used.
Also, you can get the space-saving and keylessness of the construction you and
Anonymoose proposed in slightly less time:
(I have no concept of notation; consider this English with grouping symbols
and a one-letter word for "hash" :)
1. Sender fetches receiver's n-bit RSA key
2. Sender splits message into message-left (n bits) and message-right (the
   rest)
3. Sender sends:
     RSA-Encrypt(message-left XOR h(message-right)),
     Secret-key-encrypt(message-right with key (message-left XOR h(message-right))),
     RSA-Sign(h(h(message-right), message-left))
Receiver undoes the RSA encryption, decrypts the right half of the message,
hashes it, XORs the left side as received with the hash to get the original
left side, hashes the aforementioned hash with the left side and checks the sig
with it, then finally concatenates the left and right sides to get a message.
It's pretty much identical to yours (plural yours), except you don't lose by
much on speed if the sigs are part of the plan. Otherwise, there is the
possible-but-terrifyingly-unsafe alternative of using a faster nonlinear mixer
that's not a hash.
> --
> Jim Gillogly
> 14 Solmath S.R. 1999, 16:14
> 12.19.5.16.9, 3 Muluc 2 Pax, Fifth Lord of Night
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:26
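The three-step construction in the post above, with the receiver's side, as an added Python example that is not part of the original message. Assumptions not in the post: textbook RSA without padding, constructed toy keys built from Mersenne primes, SHAKE-256 used as h and as a stand-in for the secret-key cipher, and a message-left one byte shorter than the modulus so that it is always a valid RSA input.

```python
import hashlib

# Constructed toy keys from Mersenne primes: trivially factorable, demo only.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

RECEIVER = make_key(2**107 - 1, 2**127 - 1)  # 234-bit modulus
SENDER = make_key(2**61 - 1, 2**89 - 1)      # 150-bit modulus
LEFT_LEN = 29  # bytes of message-left (assumption: just under the modulus size)
SIG_LEN = 18   # bytes of the signed hash, below the sender's modulus

def h(data, length):
    return hashlib.shake_256(data).digest(length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream(key, data):
    # Stand-in for Secret-key-encrypt: XOR with a SHAKE-256 keystream.
    return xor(data, h(b"stream" + key, len(data)))

def sig_input(right_hash, left):
    # h(h(message-right), message-left) as an integer for RSA-Sign
    return int.from_bytes(h(right_hash + left, SIG_LEN), "big")

def send(message, receiver_pub, sender_key):
    if len(message) < LEFT_LEN:
        raise ValueError("message shorter than message-left")
    left, right = message[:LEFT_LEN], message[LEFT_LEN:]
    rh = h(right, LEFT_LEN)
    masked = xor(left, rh)  # message-left XOR h(message-right)
    c1 = pow(int.from_bytes(masked, "big"), receiver_pub["e"], receiver_pub["n"])
    c2 = stream(masked, right)
    sig = pow(sig_input(rh, left), sender_key["d"], sender_key["n"])
    return c1, c2, sig

def receive(packet, receiver_key, sender_pub):
    c1, c2, sig = packet
    m = pow(c1, receiver_key["d"], receiver_key["n"])  # undo the RSA encryption
    if m >> (8 * LEFT_LEN):
        raise ValueError("RSA block out of range")
    masked = m.to_bytes(LEFT_LEN, "big")
    right = stream(masked, c2)  # decrypt the right half
    rh = h(right, LEFT_LEN)
    left = xor(masked, rh)      # recover the original left side
    if pow(sig, sender_pub["e"], sender_pub["n"]) != sig_input(rh, left):
        raise ValueError("signature check failed")
    return left + right
```

Because the symmetric key is the masked left block, a change to either ciphertext part alters the recovered left or right side and the signature check rejects the packet.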