# Looking for a very fast key agreement system

*From*: fabrice.gautier@xxxxxxxxx
*Date*: 8 Apr 2006 06:17:30 -0700

Hi,

I'm looking for a secure and performant key agreement system.

By secure I mean it must have pretty much the same properties as PGP has.

By efficient, I mean that on the receiving side, it must cost about the same as an RSA signature verification operation.

- There is one recipient, many senders.
- The senders have a lot of processing power and storage. The recipient has limited processing power and very limited storage.
- The communication is one way only: the recipient cannot communicate with the sender.

I have 3 systems that would almost work but do not quite:

A) RSA: sender chooses a random session key, encrypts it with the recipient's public RSA key. Recipient decrypts with its private key.

B) Half Ephemeral DH: Recipient has private key a and public key g^b. Sender chooses b, the ephemeral private key, calculates the session key as (g^a)^b and sends public key g^b to the recipient. Recipient calculates session key (g^b)^a.

C) AES with shared secret key. Recipient has a private AES key K. Sender has a public key S. Recipient generates the sender private key by encrypting S with K, and sends it to the Sender. For each session the sender sends its public key; the Sender private key is the session key. The recipient recalculates the session key every time.

The problem with A and B is that they are not efficient enough: they both require an expensive exponentiation. If there was a public key encryption algorithm where the private key operation is inexpensive, that would work very well.

C satisfies the performance requirement, as well as storage (the Senders' private keys are not stored by the recipient) but has drawbacks:

- it does require a one-time communication from recipient to sender
- the sender has to store a private key (it doesn't need to with RSA and DH)
- the session key is always the same.

I'm thinking this last point could be mitigated by having the sender generate and send a public session key along with its public key S, the session key being the public session key encrypted with the sender private key. (Let's call that system D.)

So I have several questions:

1) Are there any other systems that would satisfy all my needs?

2) Is system C a known system?

3) Is system D really better than C?

Thanks
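
Added example, not part of the original post: a sketch of systems C and D as described above, showing that the recipient stores only K and still obtains a fresh key per session. Assumptions: HMAC-SHA256 replaces the post's AES encryption as the keyed function, and the class names, the `sender-42` identifier and the key-confirmation tag are hypothetical additions.

```python
import hashlib
import hmac
import os

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the post's "encrypt with AES" step.
    return hmac.new(key, data, hashlib.sha256).digest()

class Recipient:
    def __init__(self, master_key: bytes):
        self.K = master_key  # the only secret the recipient stores

    def enroll(self, sender_id: bytes) -> bytes:
        # System C: one-time recipient-to-sender step, sender key = f(K, S).
        return prf(self.K, b"sender|" + sender_id)

    def accept(self, message):
        # System D: recompute the sender key, then the per-session key.
        sender_id, nonce, tag = message
        session_key = prf(self.enroll(sender_id), b"session|" + nonce)
        # Added key-confirmation tag (not in the post) rejects a wrong or forged S.
        if hmac.compare_digest(tag, prf(session_key, b"confirm")):
            return session_key
        return None

class Sender:
    def __init__(self, sender_id: bytes, sender_key: bytes):
        self.sender_id, self.sender_key = sender_id, sender_key

    def start_session(self):
        nonce = os.urandom(16)  # the "public session key" of system D
        session_key = prf(self.sender_key, b"session|" + nonce)
        tag = prf(session_key, b"confirm")
        return session_key, (self.sender_id, nonce, tag)

def demo():
    recipient = Recipient(os.urandom(32))
    sender = Sender(b"sender-42", recipient.enroll(b"sender-42"))  # constructed ID
    k1, msg1 = sender.start_session()
    k2, msg2 = sender.start_session()
    return recipient.accept(msg1) == k1, recipient.accept(msg2) == k2, k1 != k2

if __name__ == "__main__":
    print(demo())
```

Unlike A and B, anyone who learns K in this construction can derive every sender key and therefore every session key.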


**Follow-Ups**:

- **Re: Looking for a very fast key agreement system** *From:* xmath
- **Re: Looking for a very fast key agreement system** *From:* Kristian Gjøsteen
