Date: Thu, 17 Apr 1997 22:48:44
From: Ant
To: Adam Back
Cc: coderpunks@toad.com
Subject: Re: non-interactive forward secrecy

Adam and others,

> After each time period, Bob uses a new public parameter X_t, and Alice
> uses a new private parameter x_t. Alice calculates her new private
> parameter x_{t+1} from her current private parameter x_t:
>
> [1] x_{t+1} = x_t . X_t

Suppose Alice is rubber-hosed into disclosing her current private key x_{t+1}. Knowledge of the previous chain of public keys (that have been known to Bob) allows repeated division, exposing all session keys along the way. This series of public keys is also known to Eve, isn't it?

> After each time period, Bob uses a new public parameter X_t, and Alice
> uses a new private parameter x_t. Alice calculates her new private
> parameter x_{t+1} from her current private parameter x_t:
>
> [1] x_{t+1} = x_t . X_t

Eve can work this backwards by division (Euclidean Algo or similar), if she knows x_{t+1} and X_t.

> Bob calculates Alice's next public parameter X_{t+1} from her previous
> public parameter X_t:
>
> [2] X_{t+1} = X_t ^ X_t (mod p)

If Eve caught X_0 and p, she knows all of these.

Ant
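To make the objection in the message above concrete, here is an added Python model of the two quoted update rules; it is not code from the thread or from any of its participants. It runs the chain forward on small constructed numbers and then, given only one disclosed private value x_t and the public values X_0..X_{t-1}, walks back to x_0, which is exactly the loss of forward secrecy being described. The values of p, q, X_0 and x_0 are constructed for readability, and rule [1] is taken two ways, both assumptions: as plain integer multiplication (as written) and as multiplication modulo a prime q (the usual reading when x_t is an exponent in a prime-order subgroup). In both readings each step is invertible, and that invertibility is the whole problem.

```python
# Added illustration of the objection in the message above; not code from the
# original thread. Models the quoted rules [1] and [2] on small constructed
# numbers and shows that one disclosed private value plus the public chain
# X_0..X_t lets every earlier private value be recovered by "division".
#
# Assumptions (constructed for this example, not stated in the mail):
#   * p is a small prime so the arithmetic can be checked by hand.
#   * Rule [1] is read both as integer multiplication and as multiplication
#     modulo a prime q; the backward step works either way.


def next_public(X_t, p):
    """Rule [2]: X_{t+1} = X_t ^ X_t (mod p). Needs nothing secret."""
    return pow(X_t, X_t, p)


def next_private(x_t, X_t, modulus=None):
    """Rule [1]: x_{t+1} = x_t . X_t, optionally reduced modulo `modulus`."""
    product = x_t * X_t
    return product if modulus is None else product % modulus


def run_chain(x_0, X_0, p, periods, modulus=None):
    """Return ([X_0..X_periods], [x_0..x_periods]) for Alice's honest chain."""
    X, x = [X_0], [x_0]
    for t in range(periods):
        x.append(next_private(x[t], X[t], modulus))
        X.append(next_public(X[t], p))
    return X, x


def modinv(a, m):
    """Inverse of a modulo m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a % m, m, 1, 0
    while r1:
        quotient = r0 // r1
        r0, r1 = r1, r0 - quotient * r1
        s0, s1 = s1, s0 - quotient * s1
    if r0 != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return s0 % m


def undo_step(x_next, X_t, modulus=None):
    """Invert rule [1]: recover x_t from x_{t+1} and the public X_t."""
    if modulus is None:
        if x_next % X_t:
            raise ValueError("x_{t+1} is not a multiple of X_t; chain mismatch")
        return x_next // X_t
    return (x_next * modinv(X_t, modulus)) % modulus


def eve_recovers(x_leaked, t_leaked, X_chain, modulus=None):
    """Given x_{t_leaked} and the public chain, return {t: x_t} for t_leaked..0."""
    recovered = {t_leaked: x_leaked}
    x = x_leaked
    for t in range(t_leaked - 1, -1, -1):
        x = undo_step(x, X_chain[t], modulus)
        recovered[t] = x
    return recovered


def eve_reconstructs_public_chain(X_0, p, periods):
    """Rule [2] uses only X_0 and p, so an eavesdropper rebuilds every X_t."""
    return run_chain(0, X_0, p, periods)[0]


if __name__ == "__main__":
    p, q = 23, 11          # constructed: 23 is prime and 11 divides 23 - 1
    X_0, x_0 = 5, 7        # constructed starting parameters
    X, x = run_chain(x_0, X_0, p, periods=4)
    print("public chain  :", X)
    print("private chain :", x)
    # Alice's current x_4 is disclosed; Eve already holds X_0..X_3 from [2].
    print("Eve recovers  :", eve_recovers(x[4], 4, X))
    Xq, xq = run_chain(x_0, X_0, p, periods=4, modulus=q)
    print("mod-q variant :", eve_recovers(xq[4], 4, Xq, modulus=q))
```

Note what the backward walk does not need: Bob's private material, any past session key, or anything other than the one disclosed x_t and the public chain. Reducing [1] modulo a prime does not help, since the multiplier X_t is then invertible and the inverse comes straight out of the Euclidean algorithm; a scheme with forward secrecy needs a one-way update, not an invertible one.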