Removing 1 modular exponentiation

Mike Perry mikepery at
Tue Feb 20 04:01:41 UTC 2007

Thus spake Watson Ladd (watsonbladd at

> James Muir wrote:
> > 
> > You may already know that the current scheme has a security reduction
> > (Goldberg, PET 2006), so I imagine there would have to be a comparable
> > argument before the powers that be would consider a new scheme.
> > 
> > Out of curiosity, what is it about your scheme that makes you say it is
> > insecure?
> > 
> > -James
> Mike Perry had an MITM attack. It wasn't due to a problem with my proof
> but a problem in that what I proved wasn't sufficient to insure
> security. Basically Alice was performing DH with y the generator. So Eve
> could easily perform an MITM attack. And Eve can connect to Ricky
> easily. Still, a more efficient and still *secure* protocol would be a win.

Ah, right. My proof should still apply because even though b/k is not
an integer, it can still be written as b = r*k mod p. r is the
exponent of g you get when you do (g^b)^(1/k) after finding (1/k) mod
p using the Euclidean Algorithm as James pointed out. Right?

It's all coming back to me now (maybe). ;)

Mike Perry
Mad Computer Scientist evil labs
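As an added worked example (not code from the thread or from Tor), the exponent arithmetic Mike describes, on small constructed parameters: the inverse of k is found with the extended Euclidean algorithm and (g^b)^(1/k) is checked against g^r in the group. One assumption is stated explicitly because it is the detail practitioners trip over: exponents of g are reduced modulo the order of g (p-1 for a generator of Z_p^*), so the inverse of k is taken mod p-1 rather than mod p, and it exists only when gcd(k, p-1) = 1.

```python
# Added example, not from the thread: the exponent arithmetic behind "(g^b)^(1/k)".
# Small constructed parameters so every step can be checked by hand.
P = 1019            # constructed prime modulus; P-1 = 2 * 509
G = 2               # constructed base in Z_P^*


def inv_mod(k, n):
    """Inverse of k modulo n via the extended Euclidean algorithm, or None if gcd(k, n) != 1."""
    r0, r1, s0, s1 = n, k % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % n if r0 == 1 else None


def kth_root_exponent(b, k, p=P):
    """r with r*k == b (mod p-1): the exponent of g reached by raising g^b to 1/k.
    Exponents of g live modulo the group order p-1, so the inverse of k is taken there."""
    order = p - 1
    kinv = inv_mod(k, order)
    return None if kinv is None else (b * kinv) % order


def root_matches(b, k, g=G, p=P):
    """Check in the group itself that (g^b)^(1/k) equals g^r for r from kth_root_exponent."""
    order = p - 1
    r = kth_root_exponent(b, k, p)
    if r is None:
        return False
    lhs = pow(pow(g, b, p), inv_mod(k, order), p)   # (g^b)^(1/k), computed mod p
    return lhs == pow(g, r, p) and (r * k) % order == b % order


def exponent_with_inverse_mod_p(b, k, p=P):
    """What you get if the inverse of k is (mistakenly) taken mod p instead of mod p-1."""
    return (b * inv_mod(k, p)) % (p - 1)


if __name__ == "__main__":
    b, k = 7, 3
    print("1/k mod (P-1) =", inv_mod(k, P - 1))              # 679
    print("r =", kth_root_exponent(b, k), "check:", root_matches(b, k))
    print("k even -> no inverse mod P-1:", kth_root_exponent(b, 2))
    rp = exponent_with_inverse_mod_p(b, k)
    print("inverse mod P instead gives r' =", rp, "with r'*k mod (P-1) =", (rp * k) % (P - 1))
```

The last line of output shows why the modulus matters: with the inverse taken mod P the recovered exponent r' satisfies r'*k = 14, not 7, modulo P-1.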

More information about the tor-talk mailing list