BBCR4 on Crypto-wars today at 13:30

[Peter Fairbrother]

On 24/03/14 04:16, Mark Lomas wrote:
> If you are willing to use distributed key servers you might build on an
> observation by Gus Simmons.
>
> The RSA scheme usually generates a pair of keys, (d,n) and (e,n), where
> p and q are two large primes, n=p.q, and d.e is congruent to
> (p-1).(q-1). Encrypt by computing c = (m**e) mod n; decrypt by computing
> m = (c**d) mod n. Message padding is needed to guard again certain
> attacks, but is irrelevant to this example.
>
> Simmons observed that you can construct three or more keys the same way:
> (d,n), (e,n), (f,n) where d.e.f is congruent to (p-1)(q-1).
>
> I can give a server (f,n), declare (e,n) to be my public key, and retain
> (d,n) for myself. Together (d,n) and (f,n) comprise my private key.
> Encrypt as normal c = (m**e) mod n; decrypt by computing m = (((c**f)
> mod n) ** d) mod n. The server participates in decryption but can't
> complete the decryption operation. I can add further servers in a
> similar manner.


That's cool, but it isn't much use here, and the resulting key can still 
be used for encryption - we need a key which can't be used for 
encryption here, only for signatures (else it can be demanded).

> What I like about Simmons's scheme is that (e,n) is a normal RSA key so
> I may publish an S/MIME certificate for it. People who wish to send me
> encrypted messages don't need special software; they don't even need to
> be aware that my decryption is unusual.


That is a neat property though, and may well find a use in some other 
privacy-enhancing technique.



I just read of an idea, I don't know who by, about making RSA keys 
shorter - choose the first prime at random, then choose the second prime 
so that the first 2n/3 bits of n are some fixed, shared value.


-- Peter Fairbrother