1994-02-08 - Re: Some stuff about Diffie-Hellman (and more :-)

Header Data

From: rcain@netcom.com (Robert Cain)
To: cypherpunks@toad.com (cypherpunks)
Message Hash: 75b0dd30fc9f069e6cbe4d5d9b40a5873e3b3a7662c686a2397a1b3320570331
Message ID: <199402082324.PAA16784@mail.netcom.com>
Reply To: <9402052233.AA04867@toad.com>
UTC Datetime: 1994-02-08 23:27:02 UTC
Raw Date: Tue, 8 Feb 94 15:27:02 PST

Raw message

From: rcain@netcom.com (Robert Cain)
Date: Tue, 8 Feb 94 15:27:02 PST
To: cypherpunks@toad.com (cypherpunks)
Subject: Re: Some stuff about Diffie-Hellman (and more :-)
In-Reply-To: <9402052233.AA04867@toad.com>
Message-ID: <199402082324.PAA16784@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain

smb@research.att.com sez:
> Two problems...  First, many attacks on the discrete log problem are
> based on massive precomputation for a known modulus.  That probably
> isn't an issue when you get to ~1K bits (*not* digits!).

Hey, some of us have forgotton there are other number bases than
binary.  :-)

> Second, you
> need to specify things far more concretely, and in particular define
> the random number generation process.  You can't pick w till you know m.

I don't remember that a good w depends on m but if a well-known m
could be calculated that is prime and big enough (I suggested a way
to do this via algorithm) then it seems you are saying that a w
would then follow algoritmically from the choice of m.  Right?

> 	 I've found a solution to this that is more than sufficiently secure in
> 	 practice and even theoretically secure in most practical situations.
> Well, I'd certainly be interested in hearing about it...

With a little luck you shall.  I want to apply for a patent on it
first but have been reluctant (as well as too poor) to file because
I fear it being snagged at the application stage by the national
security laws that I am told allow them to do that and stamp it
top secret.  Can anybody verify or debunk that?

> There have
> been a number of mechanisms for preventing eavesdropping with DH;
> a lot depends on what assumptions you want to make.  My attempts --
> which involve the two parties sharing a weak (i.e., PIN- or password-grade
> secret) can be found in /dist/smb/{neke,aeke}.ps on research.att.com.

Yes, when there is private sharing of any info, several means exist
that are secure but that leaves the problem of exchanging this info
securely in the first place.  My method obviates the need for any prior
exchange.  I have ftp'ed your papers and mailed them to where I have a
PostScript printer.  I'm anxious to see what you have done.

> There's also Rivest and Shamir's Interlock Protocol (April '84 CACM).
> Davies and Price suggest using it for authentication, but Mike Merritt
> and I showed that that doesn't work under certain circumstances.

Yep, it has been found wanting.  There was some strong reason I found
it not applicable to my voice application but without my notes I cannot
recall it.  I spoke with Ron about that at last year's RSA conference
and he concurred.  Damned aging memory.  :-(



Bob Cain    rcain@netcom.com   408-354-8021

           "I used to be different.  But now I'm the same."

--------------PGP 1.0 or 2.0 public key available on request.------------------