[18937] in cryptography@c2.net mail archive
RE: On Digital Cash-like Payment Systems
daemon@ATHENA.MIT.EDU (Whyte, William)
Mon Nov 14 10:01:19 2005
X-Original-To: cryptography@metzdowd.com
Date: Mon, 14 Nov 2005 09:47:42 -0500
From: "Whyte, William" <WWhyte@ntru.com>
To: "Travis H." <solinym@gmail.com>,
"cyphrpunk" <cyphrpunk@gmail.com>
Cc: <cryptography@metzdowd.com>, <cypherpunks@jfet.org>
> > Don't ever encrypt the same message twice that way, or you're likely to
> > fall to a common modulus attack, I believe.
>
> Looks like it (common modulus attack involves same n,
> different (e,d) pairs).
>
> However, you're likely to be picking a random symmetric key as the
> "message", and Schneier even suggests picking a random r in Z_n and
> encrypting hash(r) as the symmetric key.
>
> More generally, I wonder about salting all operations to prevent using
> the same value more than once. It seems like it's generally a bad
> idea to reuse values, as a heuristic, and applying some kind of
> uniquification operation to everything, just as it's a good idea to
> pad/frame values in such a way that the output of one stage cannot be
> used in another stage of the same protocol.
I forget the beginning of this conversation... but if you're
salting all public-key encryption operations you may as well
just use a standard RSA encryption scheme, such as OAEP or
RSA-KEM. OAEP is specified in PKCS#1, available from
http://www.rsasecurity.com/rsalabs/node.asp?id=2125; it's
well-studied and has a proof of security, and should certainly be
used in preference to any home-grown system.
If you were talking about salting something other than public
key operations, accept my apologies...
William
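As an added illustration of the point above (example code written for this archive page, not from the thread's authors or from any of the standards named): textbook RSA is deterministic, so encrypting the same message twice under the same key yields the same ciphertext, while the "pick a random r in Z_n and derive the symmetric key from r" construction is essentially RSA-KEM and yields a fresh ciphertext on every call. Assumptions: a toy 256-bit modulus and SHA-256 of r as a stand-in for the KEM's key-derivation function; real deployments should use standardized OAEP or RSA-KEM, as William says.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin; assumes n >= 5 (true for the candidates below). Toy use only.
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits: int = 256, e: int = 65537):
    def prime(b):
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1  # top bit set, odd
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, phi): Python 3.8+

def textbook_encrypt(pub, m: int) -> int:
    # Deterministic: the same m under the same key always yields the same c.
    n, e = pub
    return pow(m, e, n)

def _kdf(r: int, n: int) -> bytes:
    # Assumption: SHA-256 of r stands in for a proper KEM key-derivation function.
    return hashlib.sha256(r.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def kem_encapsulate(pub):
    # RSA-KEM style: encrypt a fresh random r in Z_n; the symmetric key is KDF(r).
    n, e = pub
    r = secrets.randbelow(n - 2) + 2  # fresh r on every call, so c differs each time
    return pow(r, e, n), _kdf(r, n)

def kem_decapsulate(priv, c: int) -> bytes:
    n, d = priv
    return _kdf(pow(c, d, n), n)
```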
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com