> > Don't ever encrypt the same message twice that way, or you're likely to
> > fall to a common modulus attack, I believe.
>
> Looks like it (common modulus attack involves same n,
> different (e,d) pairs).
>
> However, you're likely to be picking a random symmetric key as the
> "message", and Schneier even suggests picking a random r in Z_n and
> encrypting hash(r) as the symmetric key.
>
> More generally, I wonder about salting all operations to prevent using
> the same value more than once. It seems like it's generally a bad
> idea to reuse values, as a heuristic, and applying some kind of
> uniquification operation to everything, just as it's a good idea to
> pad/frame values in such a way that the output of one stage cannot be
> used in another stage of the same protocol.
I forget the beginning of this conversation... but if you're salting all
public-key encryption operations you may as well just use a standard RSA
encryption scheme, such as OAEP or RSA-KEM.

OAEP is specified in PKCS#1, available from
http://www.rsasecurity.com/rsalabs/node.asp?id=2125; it's well-studied and
has a proof of security, and should certainly be used in preference to any
home-grown system.

If you were talking about salting something other than public key
operations, accept my apologies...

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
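To illustrate William's point, here is an added example (my own code, not from this thread, from RSA Labs or from PKCS#1 itself): a pure-Python EME-OAEP encoding as in PKCS#1 v2 (RFC 8017, SHA-256 and MGF1) placed beside raw "textbook" RSA. Encrypting the same session key twice gives identical ciphertexts under raw RSA and different ones under OAEP, and decoding recovers the key. The `generate_keypair`, `demo` and `seed` names are mine; key generation is a toy Miller-Rabin routine for the demonstration, not something to use for real keys.

```python
# Added example, not code from the thread: PKCS#1 v2 RSA-OAEP next to raw
# ("textbook") RSA. Key generation is a toy for illustration only.
import hashlib
import os
import random

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 bytes for SHA-256

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): hash(seed || 4-byte counter) until mask_len bytes."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, label: bytes = b"", rng=os.urandom) -> bytes:
    """EME-OAEP encoding (RFC 8017 7.1.1); returns the k-byte encoded message."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    ps = b"\x00" * (k - len(msg) - 2 * HLEN - 2)
    db = HASH(label).digest() + ps + b"\x01" + msg
    seed = rng(HLEN)  # fresh randomness per encryption: the 'salt', standardised
    masked_db = xor_bytes(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor_bytes(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP decoding; every failure raises the same error."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, HLEN))
    db = xor_bytes(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")
    # '&' instead of 'and': evaluate every check, do not stop at the first failure
    ok = ((em[0] == 0) & (db[:HLEN] == HASH(label).digest())
          & (sep >= 0) & (not any(rest[:sep])))
    if not ok:
        raise ValueError("decryption error")
    return rest[sep + 1:]

def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test, for the toy key generation below."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits: int = 1024, e: int = 65537, seed=None):
    """Toy RSA key generation; returns (n, e, d). A fixed seed makes it repeatable."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1  # exactly b bits, odd
            if is_probable_prime(cand, rng):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def encrypt_oaep(pub, msg: bytes, rng=os.urandom) -> int:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(msg, k, rng=rng), "big"), e, n)

def decrypt_oaep(priv, c: int) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k)

def demo(seed=None):
    """Encrypt a constructed 32-byte 'symmetric key' twice, raw and with OAEP.
    Returns (raw_ciphertexts_equal, oaep_ciphertexts_equal, oaep_roundtrip_ok)."""
    n, e, d = generate_keypair(seed=seed)
    key = bytes(range(32))  # constructed stand-in for a session key
    m = int.from_bytes(key, "big")
    raw_equal = pow(m, e, n) == pow(m, e, n)  # textbook RSA is deterministic
    c1, c2 = encrypt_oaep((n, e), key), encrypt_oaep((n, e), key)
    return raw_equal, c1 == c2, decrypt_oaep((n, d), c1) == key
```

`demo()` returns `(True, False, True)`: the raw ciphertexts repeat, the OAEP ones do not, and OAEP still decrypts. The decoder deliberately reports one undifferentiated "decryption error" for a bad leading byte, a wrong label hash or a malformed padding string, which is the PKCS#1 requirement meant to deny a decryption oracle any detail about why a ciphertext was rejected.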