Large Primes

Owen Lewis oml at sysrx.uk.com
Fri, 16 Aug 2002 19:48:51 +0100


> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Matthew
> Byng-Maddick
> Sent: 16 August 2002 15:15
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Large Primes
>
>
> On Fri, Aug 16, 2002 at 02:36:22PM +0100, Owen Lewis wrote:
> > Therefore, the content of transmissions so protected offers two
> different
> > and equally attractive foci for cryptanalysis. Recover the RSA
> private key
> > and, hence, obtain the session key or attack the bulk
> ciphertext directly to
> > recover the session keys.
> [snip reasonable conclusions drawn from this wrong starting point]
>
> This is, I'm afraid, not true.
>
> Attacking the session key allows me to decrypt this one message. Attacking
> the RSA key allows me to decrypt this and all future messages. They are
> therefore *not* ``equally attractive foci for cryptanalysis''. After all,
> you can trivially switch algorithm for the main data, and the data you've
> previously encrypted may have fallen, but the future data won't. This is
> a good thing.

Good thinking, Robin....

I was trying (too hard) to keep something quite complex simple in
expression.

A serious PK user org will have a large number of private keys.

Org or no org, the total number of private keys Unit X may need to recover
may well be within an order of the number of bulk cipher messages it needs
to crack open.

If one has the method to crack the bulk cipher in a useful time, from then
on there is no reason not to do so repeatedly. It may well be the more
attractive attack. One cannot know.

Yes, you can play ring-a-roses with a handful of bulk ciphers. In doing so,
you can never know that you do not weaken rather than strengthen your
security.

Let's not go on. The only point I wished to register was that the common
arrangement of a PK cryptosystem increases for certain an otherwise
unquantifiable level of risk in using a good cipher. Whether or not this is
significant, no one can say. Nevertheless, it is a cryptosystem design
weakness and, I think, an unnecessary one. Whether it is an inevitable
concomitant of obtaining the conveniences of PK, I have not yet concluded.

Owen
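For readers following the exchange above, here is an added toy model of the "common arrangement" under discussion (a session key wrapped under a long-term RSA key, bulk data under a symmetric cipher); it is not code from either poster. The RSA primes are constructed toy values and the bulk cipher is a SHA-256 keystream XOR chosen only to keep the script dependency-free, so nothing here is secure; it exists to make the two attack foci concrete: one recovered session key opens one message, the recovered private key opens every message wrapped under it.

```python
# Added example, not from the original thread. Toy hybrid cryptosystem:
# constructed RSA parameters, toy stream cipher. Demonstration only.
import hashlib
import secrets

# Constructed toy RSA key: tiny primes so the arithmetic stays readable.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (the long-term secret)


def keystream(session_key: int, length: int) -> bytes:
    """Toy bulk cipher keystream: SHA-256(key || counter), demo only."""
    out, ctr = b"", 0
    while len(out) < length:
        block = session_key.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:length]


def encrypt_message(plaintext: bytes):
    """Sender side: fresh session key, wrapped under RSA; body under the stream."""
    k = secrets.randbelow(N - 2) + 2          # per-message session key, 2..N-1
    wrapped = pow(k, E, N)                    # textbook RSA wrap of the session key
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(k, len(plaintext))))
    return wrapped, body


def unwrap_session_key(wrapped: int, d: int) -> int:
    """Focus 1: with the RSA private exponent, every wrapped key falls."""
    return pow(wrapped, d, N)


def decrypt_with_session_key(k: int, body: bytes) -> bytes:
    """Focus 2: a single recovered session key opens exactly one body."""
    return bytes(a ^ b for a, b in zip(body, keystream(k, len(body))))


def recover_all_with_private_key(traffic, d: int):
    """Given (wrapped, body) pairs and the private key, decrypt all of them."""
    return [decrypt_with_session_key(unwrap_session_key(w, d), body)
            for w, body in traffic]
```

Run `recover_all_with_private_key` over a list of captured `(wrapped, body)` pairs to see the first focus; run `decrypt_with_session_key` with one message's key against another message's body to see that the second focus does not carry over.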