Re: KA=>OWF

From: Scott Fluhrer (sfluhrer_at_ix.netcom.com)
Date: 11/09/03

Date: Sun, 09 Nov 2003 17:24:07 GMT

"Tom St Denis" <tomstdenis@iahu.ca> wrote in message
news:eBtrb.1108$HoK.428@news01.bloor.is.net.cable.rogers.com...
>
> "Gelo Ilzi" <geloilzi@hotmail.com> wrote in message
> news:bolneo$p9e$1@news2.netvision.net.il...
> >
> > "Tom St Denis" <tomstdenis@iahu.ca> wrote in message
> > news:rYqrb.1069$HoK.672@news01.bloor.is.net.cable.rogers.com...
> > >
> > > "Gelo Ilzi" <geloilzi@hotmail.com> wrote in message
> > > news:bol74k$bd7$1@news.iucc.ac.il...
> > > > It is well known (at least I know a simple proof of this fact) that key
> > > > agreement implies a one-way function. Can somebody give me a reference
> > > > where this claim is proven.
> > >
> > > The fact that it is wrong makes finding a reference moot.
> > >
> > > Key agreement often requires a trapdoor one-way permutation, but that
> > > isn't a strict requirement.
> >
> > Tom, I'm not looking for a reference OWF=>KA, but KA=>OWF
>
> And I'm telling you that KA =/=> OWF
>
> Take DH over a safe prime. You pick a QR as your generator g. That means
> all g^x will be a QR in a sub-group of prime order. So given a y = g^x I
> can then raise y to, say, z, e.g. w = y^z; however, provided 0 < z < p [p ==
> order of group], the operation is not one-way [since the inverse of z will
> get you back to y from w].
However, it is one-way, in the sense that the function F(x) = g^x is assumed
to be one-way. This is the important sense, because if it is not one-way,
DH is not secure. In general, over any group, if F(x) = g^x is not one-way,
then DH over that group and generator is not secure. Hence, DH is not a
counter-example to what the OP was asking.

What I don't know is whether there is some other key agreement protocol that
doesn't assume one-wayness, so I can't answer the OP's question. However, DH
isn't it.

>
> Therefore KA does not imply OWF, and what you are asking for does not exist.
>
> Get over it, move on, live and let learn, kubayah, etc, etc.
Tom, you *really* should stop assuming that you've learned everything
already...

--
poncho
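The following Python is an added illustration of the argument in the exchange above; it is not code from the thread or from either poster. It models DH over a safe prime with a quadratic-residue generator, as Tom describes, and shows the two facts the replies turn on: raising a subgroup element y to z is undone by z^-1 mod q (Tom's point), while the security of the whole exchange rests on F(x) = g^x being one-way (Scott's point), since inverting F hands an eavesdropper the shared secret. All parameters (p = 1019, the helper names `qr_generator`, `F`, `undo_power`, `invert_F`, `secret_from_public_values`) are constructed for this example; p is a toy size so the discrete log can be brute-forced in a loop, which is exactly what must be infeasible for real parameters.

```python
"""Toy model of the DH argument in the thread above.  Added example, not from
the thread; every parameter below is a constructed toy value and is far too
small for real use, chosen only so the arithmetic can be checked by hand."""
import secrets

P = 1019           # safe prime: p = 2q + 1 with q = 509 prime (constructed)
Q = (P - 1) // 2   # order of the subgroup of quadratic residues mod p


def qr_generator(p: int = P) -> int:
    """Pick a quadratic residue as generator g, as Tom's post describes.
    Squaring any h (other than 1 and p-1) lands in the order-q subgroup of
    QRs; q is prime, so every non-identity element of that subgroup generates it."""
    for h in range(2, p - 1):
        g = pow(h, 2, p)
        if g != 1:
            return g
    raise ValueError("no generator found")


G = qr_generator()


def F(x: int, g: int = G, p: int = P) -> int:
    """The function F(x) = g^x that Scott's reply says DH assumes is one-way."""
    return pow(g, x, p)


def undo_power(w: int, z: int, q: int = Q, p: int = P) -> int:
    """Tom's observation: y -> y^z is invertible inside the subgroup because z
    has an inverse modulo the subgroup order q (q prime, so z^-1 = z^(q-2) mod q)."""
    if not 0 < z < q:
        raise ValueError("z must be a unit mod q")
    z_inv = pow(z, q - 2, q)
    return pow(w, z_inv, p)


def dh_exchange(p: int = P, q: int = Q, g: int = G):
    """One DH run: returns the public values and both sides' derived secrets."""
    a = secrets.randbelow(q - 1) + 1
    b = secrets.randbelow(q - 1) + 1
    A, B = F(a, g, p), F(b, g, p)
    return A, B, pow(B, a, p), pow(A, b, p)


def invert_F(y: int, g: int = G, p: int = P, q: int = Q):
    """Invert F by exhaustive search over the q possible exponents.  Feasible
    only because p is tiny; at real sizes this is the discrete-log problem,
    and F being one-way is exactly the statement that no fast version exists."""
    acc = 1
    for x in range(q):
        if acc == y:
            return x
        acc = acc * g % p
    return None


def secret_from_public_values(A: int, B: int, p: int = P) -> int:
    """Scott's point: if F can be inverted, the shared secret follows from the
    public values alone, so DH is only as secure as the one-wayness of F."""
    a = invert_F(A)
    return pow(B, a, p)


if __name__ == "__main__":
    A, B, s_alice, s_bob = dh_exchange()
    y = F(17)
    w = pow(y, 123, P)
    print("g =", G, "sub-group order q =", Q)
    print("both sides agree on the secret:", s_alice == s_bob)
    print("raising to z is undone by z^-1 mod q:", undo_power(w, 123) == y)
    print("inverting F recovers the secret:", secret_from_public_values(A, B) == s_alice)
```

Note that `undo_power` inverts the map y -> y^z only when z is known; it says nothing about recovering x from g^x. That is why the invertibility Tom points to does not contradict the one-wayness assumption Scott is describing: the two statements concern different functions.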

