[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

discrete log attack on 1st use of Kong signature? (Re: Using a password as a private key.)

To: [email protected]
Subject: discrete log attack on 1st use of Kong signature? (Re: Using a password as a private key.)
From: Adam Back <[email protected]>
Date: Fri, 30 Oct 1998 10:10:41 GMT
CC: [email protected]
In-reply-to: <[email protected]> (message from Anonymous onThu, 29 Oct 1998 19:21:02 +0100)
Sender: [email protected]

Anonymous writes:
> Bill Stewart writes:
> > Kong takes an interesting approach to key certification and signatures -
> > it doesn't use the "True Name" model with a Certificate Authority Trusted
> > Third Party Subject To Many Government Regulations certifying that the
> > person who has this key has that True Name.  Instead, you sign messages,
> > and it keeps a database of signed messages from peop le, and you can
> > compare a message you have with a message you've received previously to
> > see if it's signed by the same key, and you can send encrypted messages
> > to the person who sent you a previous message.
> 
> What happens if you create another key which signs an existing message,
> as was illustrated here recently in the case of Toto's key.  Can you
> convince Kong that you are the same person who sent the earlier message?

Depends if the discrete log attack anonymous used works over elliptic
curves, or if an analogous attack can be mounted on the elliptic curve
signature scheme James is using.

Anonymous wrote on his attack:

: N is the product of two primes, but each p-1 has about 16 small
: prime factors (about 25-35 bits) to allow calculating the discrete
: log efficiently.  With this choice of primes it took about three
: hours to run the discrete log.

in otherwords n is 1024 bit, p and q 512 bit, p1..p16, q1..q16 are
about 25-35 bits each:

	n = p x q
	p-1 = p1 x p2 x .... x p16
	q-1 = q1 x q2 x .... x q16

then he can take discrete logs modulo n.  With this given signature s
on message m with unpublished public key, he can compute a public and
private exponent e, d which could have signed message m:

	s = m ^ d mod n
and	m = s ^ e mod n

so compute discrete log of m mod n in base s to compute an e.  Then
compute a d using the normal: 

	e.d = 1 mod (p-1)(q-1)

If something like this worked on Kong's signatures, you would need two
signatures, or a signature on a message together with a signed public
key.  Does Kong use self signed public keys?

Adam

Prev by Date: IP: FCC Proposes Location Tracking for Wireless Phones
Next by Date: Bic-Assassins Convicted
Prev by thread: Re: IP: FCC Proposes Location Tracking for Wireless Phones
Next by thread: Bic-Assassins Convicted
Index(es):
- Date
- Thread