Better key negotiations

Watson Ladd watsonbladd at gmail.com
Sat Sep 2 02:56:36 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason Holt wrote:
> 
> On Fri, 1 Sep 2006, Watson Ladd wrote:
> 
>> I have a good idea for key negotiations (NOTE:UNPUBLISHED). Here it is:
>> Let the server have a public key y=h^x mod p, p=2q+1, h=g^2, and private
>> key x^-1 mod q, or z. (g is a generator).
>>
>> A client will send y^a and remember a.
>> A server will send back h^b and remember b.
>> The client will compute (h^b)^a.
>> The server will compute (y^a)^(bz).
>> We note that:
>> (y^a)^(bz)=h^(ax*bz)=h^(abxz)=h^(ab)=(h^b)^a, as z and x are
>> multiplicative inverses mod q.
>> We further note that this is just Diffie-Hellman if we replace y with
>> h^z,  a with a*x, and z with 1, b with b. So this is secure if DDH holds.
>>
>> I am not a cryptographer, so will someone please check this method. I
>> have not found it anywhere.
> 
> Why would we use this instead of plain-vanilla Diffie-Hellman?
> 
>                         -J
> 
To authenticate the server to the client. I want to dispense with RSA as
we are putting a critical egg into two baskets at once. Also, we can
migrate to exotic DDH assumption groups if a breakthrough happens. Like
GF(p^n), n>1, or elliptic curves.

- --
They who would give up an essential liberty for temporary security,
 deserve neither liberty or security
- --Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE+PLkGV+aWVfIlEMRAmWjAJ9SifzRN7uce3DfpZxn2vSBXwT3vwCcC8Hj
puJTkaE6/eDjpoDnfOvDRCM=
=F+Sr
-----END PGP SIGNATURE-----



More information about the tor-talk mailing list