Ivan Krstic wrote:
> ... But hey, if the peer is malicious or compromised to begin with,
> it could just as well do DH normally and explicitly send the secret
> to the listener when it's done. Not much to see here.

But it gets more interesting if the endpoints are not completely and solely controlled by Alice and Bob. Suppose the computers and communication link are protected from tampering but that interfering with the power supply sometimes produces a DH private key of 0. What about a (covert and deniable) contribution to a project? Underhanded prime selection appears in the ElGamal-RSA discussion by Piper and Stephens in ISBN 0-19-853691-7.
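
Added example, not part of the original post: what a DH private key of 0 does to the exchange, and the range and subgroup checks that reject it on either side. The group (P = 23, Q = 11, G = 2) is a toy constructed for illustration, and all function names are hypothetical.

```python
# Toy parameters, constructed for illustration only (far too small for real use).
P = 23   # safe prime, P = 2*Q + 1
Q = 11   # prime order of the subgroup generated by G
G = 2    # pow(2, 11, 23) == 1, so G has order Q


class DHValidationError(ValueError):
    pass


def check_private(x, q=Q):
    """Reject a faulted generator output such as 0: valid keys lie in 1..q-1."""
    if not 1 <= x <= q - 1:
        raise DHValidationError("private key out of range")
    return x


def check_public(y, p=P, q=Q):
    """Range check (rejects 0, 1 and p-1) plus subgroup membership."""
    if not 2 <= y <= p - 2:
        raise DHValidationError("public value out of range")
    if pow(y, q, p) != 1:
        raise DHValidationError("public value not in the order-q subgroup")
    return y


def public_from(x, p=P):
    return pow(G, x, p)


def unchecked_shared(own_private, peer_public, p=P):
    """What an implementation with no validation computes."""
    return pow(peer_public, own_private, p)


def shared_secret(own_private, peer_public, p=P, q=Q):
    """Validated derivation: both the local key and the peer value are checked."""
    check_private(own_private, q)
    check_public(peer_public, p, q)
    return pow(peer_public, own_private, p)


def accepts(fn, *args):
    """True if fn(*args) passes validation, False if it is rejected."""
    try:
        fn(*args)
        return True
    except DHValidationError:
        return False
```

With a private key of 0 the public value is G^0 = 1 and both parties derive the shared secret 1 whatever the honest peer's key is, so the range check on the received value catches the fault even when the faulted endpoint performs no checks of its own.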