Better key negotiations

Jason Holt jason at lunkwill.org
Sat Sep 2 02:34:43 UTC 2006


On Fri, 1 Sep 2006, Watson Ladd wrote:

> I have a good idea for key negotiations (NOTE:UNPUBLISHED). Here it is:
> Let the server have a public key y=h^x mod p, p=2q+1, h=g^2, and private
> key x^-1 mod q, or z. (g is a generator).
>
> A client will send y^a and remember a.
> A server will send back h^b and remember b.
> The client will compute (h^b)^a.
> The server will compute (y^a)^(bz).
> We note that:
> (y^a)^(bz)=h^(ax*bz)=h^(abxz)=h^(ab)=(h^b)^a, as z and x are
> multiplicative inverses mod q.
> We further note that this is just Diffie-Hellman if we replace y with
> h^z,  a with a*x, and z with 1, b with b. So this is secure if DDH holds.
>
> I am not a cryptographer, so will someone please check this method. I
> have not found it anywhere.

Why would we use this instead of plain-vanilla Diffie-Hellman?

 						-J
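
The exchange quoted above, as an added example that is not part of the original message or of any Tor code: both sides run the proposed negotiation and arrive at the same key. The parameters (p = 2039, q = 1019) are constructed toy values and the function names are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime (far too small for real use).
P = 2039
Q = 1019

def find_generator(p, q):
    """Smallest g generating Z_p^*: its order must divide neither 2 nor q."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")

def server_keygen(p, q):
    g = find_generator(p, q)
    h = pow(g, 2, p)                  # h = g^2 has prime order q
    x = secrets.randbelow(q - 1) + 1  # x in [1, q-1], so invertible mod q
    y = pow(h, x, p)                  # public key y = h^x mod p
    z = pow(x, -1, q)                 # private key z = x^-1 mod q
    return {"p": p, "q": q, "h": h, "y": y}, z

def client_hello(pub):
    a = secrets.randbelow(pub["q"] - 1) + 1
    return a, pow(pub["y"], a, pub["p"])          # sends y^a, remembers a

def server_reply(pub, z, client_msg):
    b = secrets.randbelow(pub["q"] - 1) + 1
    server_msg = pow(pub["h"], b, pub["p"])       # sends h^b, remembers b
    # (y^a)^(bz); the exponent can be reduced mod q because y^a has order q
    key = pow(client_msg, (b * z) % pub["q"], pub["p"])
    return server_msg, key

def client_finish(pub, a, server_msg):
    return pow(server_msg, a, pub["p"])           # (h^b)^a

def run_exchange():
    pub, z = server_keygen(P, Q)
    a, client_msg = client_hello(pub)
    server_msg, k_server = server_reply(pub, z, client_msg)
    k_client = client_finish(pub, a, server_msg)
    return pub, z, a, client_msg, k_client, k_server

if __name__ == "__main__":
    pub, z, a, client_msg, k_client, k_server = run_exchange()
    print("client key:", k_client, "server key:", k_server)
```

Raising the client's message to z gives h^a, which is the share the client would have sent in an ordinary Diffie-Hellman exchange over h.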


