Date: Thu, 17 Apr 1997 22:48:44
From: Ant
To: Adam Back
Cc: coderpunks@toad.com
Subject: Re: non-interactive forward secrecy
Adam and others,
>
> After each time period, Bob uses a new public parameter X_t, and Alice
> uses a new private parameter x_t. Alice calculates her new private
> parameter x_{t+1} from her current private parameter x_t:
>
> [1] x_{t+1} = x_t . X_t
Suppose Alice is rubber-hosed into disclosing her current
private key x_{t+1}. Knowledge of the previous chain of public
keys (that have been known to Bob) allows repeated division,
exposing all session keys along the way.
This series of public keys is also known to Eve, isn't it?
> After each time period, Bob uses a new public parameter X_t, and Alice
> uses a new private parameter x_t. Alice calculates her new private
> parameter x_{t+1} from her current private parameter x_t:
>
> [1] x_{t+1} = x_t . X_t
Eve can work this backwards by division (Euclidean Algo or similar),
if she knows x_{t+1} and X_t.
> Bob calculates Alice's next public parameter X_{t+1} from her previous
> public parameter X_t:
>
> [2] X_{t+1} = X_t ^ X_t (mod p)
If Eve caught X_0 and p, she knows all of these.
Ant
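The two update rules quoted in the thread, and Ant's "division" observation, worked through in code. This is a constructed example added to the archive page, not code from Adam Back or anyone on the list. The excerpt does not say what group the product in [1] lives in; the example assumes the standard Diffie-Hellman reading (x_t is an exponent, so [1] is reduced mod p-1, and Alice's public key is g^x_t mod p), and uses the textbook toy values p = 23, g = 5 so every number can be checked by hand. The extended Euclidean algorithm solves x · X_t ≡ x_{t+1} (mod p-1); when gcd(X_t, p-1) = 1 the earlier exponent is recovered exactly, and when the gcd is d > 1 only d candidates remain, which is why the chain of published X_t values gives no backward protection.

```python
"""Toy model of the key-update rules quoted in the thread:

    [1] x_{t+1} = x_t * X_t          (Alice's private exponent)
    [2] X_{t+1} = X_t ^ X_t (mod p)  (the public parameter chain)

Constructed example, not Adam Back's code.  Assumed (not stated in the
excerpt): x_t is a Diffie-Hellman exponent, so [1] is reduced mod p-1, and
Alice's public key is g^x_t mod p.  p = 23 and g = 5 are toy values.
"""

P = 23  # toy prime modulus (constructed)
G = 5   # generator of Z_23^* (constructed)


def ext_gcd(a, b):
    """Extended Euclid: returns (d, s, u) with s*a + u*b == d == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, s, u = ext_gcd(b, a % b)
    return d, u, s - (a // b) * u


def update_private(x_t, big_x_t, p=P):
    """Rule [1]: Alice's next private exponent, reduced mod p-1."""
    return (x_t * big_x_t) % (p - 1)


def update_public_param(big_x_t, p=P):
    """Rule [2]: the next public parameter X_{t+1} = X_t^X_t mod p."""
    return pow(big_x_t, big_x_t, p)


def run_chain(x0, big_x0, steps, p=P):
    """Iterate [1] and [2]; returns ([x_0..x_steps], [X_0..X_steps])."""
    xs, bigs = [x0], [big_x0]
    for _ in range(steps):
        xs.append(update_private(xs[-1], bigs[-1], p))
        bigs.append(update_public_param(bigs[-1], p))
    return xs, bigs


def next_public_key(pub_t, big_x_t, p=P):
    """Bob's side: (g^x_t)^X_t = g^(x_t*X_t) = g^x_{t+1}, from public data only."""
    return pow(pub_t, big_x_t, p)


def recover_previous(x_next, big_x_t, p=P):
    """Ant's observation: solve x * X_t == x_{t+1} (mod p-1) for x.

    With d = gcd(X_t, p-1) the congruence has exactly d solutions when d
    divides x_{t+1} (none otherwise).  d == 1 pins x_t down uniquely;
    d > 1 still leaves only d candidates, so the chain leaks either way.
    """
    m = p - 1
    d, s, _ = ext_gcd(big_x_t, m)
    if x_next % d:
        return []
    m_red = m // d
    inv = s % m_red                      # inverse of X_t/d modulo (p-1)/d
    base = (x_next // d) * inv % m_red
    return sorted(base + k * m_red for k in range(d))


def walk_back(x_known, publics, p=P):
    """From a disclosed x_t and the public chain X_0..X_{t-1}, return the
    candidate sets for x_{t-1}, x_{t-2}, ..., x_0 by repeated division."""
    history, current = [], {x_known}
    for big_x in reversed(publics):
        current = {c for x in current for c in recover_previous(x, big_x, p)}
        history.append(sorted(current))
    return history


if __name__ == "__main__":
    xs, bigs = run_chain(x0=3, big_x0=7, steps=4)
    print("private chain x_t :", xs)
    print("public chain  X_t :", bigs)
    # Bob derives Alice's next public key without ever seeing x_t.
    assert next_public_key(pow(G, xs[0], P), bigs[0]) == pow(G, xs[1], P)
    # Someone holding x_3 and the published X_0..X_2 walks back to x_0.
    print("candidates for x_2, x_1, x_0:", walk_back(xs[3], bigs[:3]))
```

The gcd branch matters in practice: p-1 is always even, so whenever a published X_t is even the division is not unique, yet the candidate set only doubles rather than becoming useless, which is the sense in which the scheme fails Ant's test regardless of the parameters drawn.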