Op 6-6-2021 om 16:16 schreef Max:
> I'm still digesting your yesterday's answer. I dug myself in a hole
> there by pointing out the weakness of the modulo not being prime and
> then coming up with the Extended Euclidean Algorithm, right?
Well, I was a bit confused by it actually. As I understand it, normally
when a modulus is required to be prime (or relatively prime to
something), the requirements are there to ensure that the algorithm
works in the first place (otherwise "unique" decryption is not possible
for example).
I don't think it applies here that the modulo is required to be prime,
since "mod 1" is the only modulo operation throughout the entire
algorithm. When we attack the algorithm, we are forced to use modulo's
of powers of 10, so that's at least an advantage (for Alice and Bob) in
this case.
> Thanks for digging deeper here. Yes, if the modulo isn't prime we get
> those sub-rings with shorter periods giving Bob (and Eve) more than one
> result they have to check and Eve a faster way to find a as the
> different possible keys are always a period length apart.
I don't think that Bob would ever need to check anything (*); He just
multiplies 'whatever he got from Alice' with his own random 'b', and
then has established the key (Alice does the same on her end).
But now you mention it, there may be fewer possible keys because of
that. On the other hand, the modulus is 1, so not sure if it applies
here.
(*): according to the paper, they need to check that a != b and retry if
a == b. (makes sense, because Eve would notice that they both sent the
same number).
>
> I agree, the paper looks decent, but I really cringe at some of its
> general ideas:
>
>
> 1. "layers of security"
> Slapping together 2 half-assed security measures to get to your desired
> security level is, at least in cryptography, highly dubious to me.
>
>
> 2. mixing up two such completely different approaches (no-shared-secret
> key exchange vs shared-key enhancement) in one paper with one underlying
> algorithm.
>
> Just look at 3. (page 4):
> "If the transcendental x is distributed via a secure channel, why not
> use this number directly as the encryption key?
> [...]
> using the transcendental x as the encryption key would, of course, be a
> possibility. A problem though is one of robustness; if the secrecy of
> this number was to be compromised, the encryption would be completely
> broken if this was the actual key. However, with this protocol, the rest
> of the procedure would then serve as an additional layer of security."
>
> That's reasonable thinking, but that's what one might use a salted
> decent hash for or something and it has definitely nothing to do with
> Diffie-Hellman and thus with the title of the paper. That's why I only
> consider thinking about this with "the transcendental x" being in the open.
Yes, I agree with that. In my number example, I assumed that we know
what's also known in 'regular' DH.
This is what I had troubles with as well. I suppose the author is saying
"if someone can break the numbers, use bigger numbers". But since we
don't need to bruteforce anything, the numbers would need to be very large.
> so if it is applicable to an algorithm, this simply is no
> one-way-function and no key-length will really save you. Either Eve can
> break it or Bob has a hard time decrypting it himself.
But Bob does not need to decrypt anything, he just needs to multiply his
'b' with Alice's 'a'.
> 4. Making the key-length part of the key
> Then, in 3.1 the author writes:
> "there is an additional element of difficulty for the cryptanalyst
> provided by not knowing how many digits of accuracy in the
> transcendental are needed for the actual encryption key."
>
> So the length of the key is also part of the key? How long could it be?
> 65.000 bits? So I get 16 extra-bits of key max out of this? For the
> price of a ridiculously long key?
Yes, valid point.
>
> Ozz, could this be a "pet project" of a professional mathematician with
> just not that much of a cryptography background?
I realy don't know. But I think any mathematician would have enough
crypto background to not publish very naive algorithms. So I give him
the benefit of the doubt for now that we're missing something.
> Apologies, if I offend anyone or sound cocky by writing this. It just
> bothers me (a little). Especially, as at first glance the paper looks so
> neat.
I don't think anyone is offended. At least it's on-topic, and if I were
the author of the paper, I would be happy that it was being discussed.
Ozz