On Sat, Nov 03, 2012 at 12:50:47PM +0100, Ralph Holz wrote:
> Hi,
>
> > In the past there have been a few proposals to use asymmetric cryptosystems,
> > typically RSA, like symmetric ones by keeping the public key secret, the idea
> > behind this being that if the public key isn't known then there isn't anything
> > for an attacker to factor or otherwise attack. Turns out that doing this
> > isn't secure:
> >
> > http://eprint.iacr.org/2012/588
>
> A question: The attack seems to aim at getting n = p * q, and then
> factor it. I.e. what they really show is that it is possible to derive
> the public key from two plain/ciphertext pairs; alternatively a multiple
> of n. In essence, there is no point in keeping the public key secret as
> it can be guessed.
>
> However, the factoring would still remain as a huge task for the
> attacker, unless RSA is used at a meagre bit length, as in their example.
>
> Correct?
This paper was actually quite timely for us. One of our group was proposing a key management protocol for federated wireless sensor networks that relied on both halves of an ECC keypair being kept secret. In this particular protocol, the main advantage was that each sensor node would maintain a unique public key for an authentication server, which was then used to negotiate session keys. The combination allowed a minimal number of asymmetric operations while preserving perfect forward secrecy.

My initial reaction was that using asymmetric crypto in a relatively unproven way was likely to cause more problems, or at least risks, than it was worth, and I proposed a more 'traditional' alternative. This turned into a relatively long argument. I stumbled across this paper the next day on the cryptology ePrint archive, which finally let me convince my colleague to go with the more traditional approach.

The point here is that the secrecy of the public key was used for properties beyond an extra layer of obscurity against factoring. Learning the public key as described in the paper (admittedly for RSA not ECC) would have completely broken the protocol.

Joss

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
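The observation Ralph summarises, worked through as an added example that is not part of this thread or of the paper: for the right public exponent e, every m^e - c is a multiple of n, so the gcd over a few known plaintext/ciphertext pairs recovers n (or a small multiple of it), and common exponents can simply be tried. The toy primes, exponent list and messages below are constructed for illustration; keys this small are not meant for real use.

```python
from math import gcd

# Constructed toy RSA parameters (two well-known primes, far too small for
# real use); the algebra, not the key size, is the point here.
P = 1000000007
Q = 998244353
N = P * Q          # the "secret" public modulus
E = 65537          # the "secret" public exponent

def encrypt(m, e=E, n=N):
    """Textbook RSA encryption of an integer message m < n."""
    return pow(m, e, n)

def recover_modulus_multiple(pairs, e):
    """gcd over (m^e - c) for all (m, c) pairs: since c = m^e mod n, every
    term is a multiple of n, so the gcd is n itself or a small multiple k*n."""
    g = 0
    for m, c in pairs:
        g = gcd(g, pow(m, e) - c)   # pow without a modulus: the full integer m^e
    return g

def strip_small_factors(g, bound=1000):
    """Divide out prime factors below `bound` so a stray k*n collapses to n.
    Safe for any real modulus, whose prime factors are enormous."""
    for f in range(2, bound):
        while g % f == 0 and g > f:
            g //= f
    return g

def recover_public_key(pairs, candidate_exponents=(3, 5, 17, 257, 65537)):
    """Try common public exponents; only the right one yields a gcd at least
    as large as every ciphertext (a wrong e gives a tiny gcd)."""
    largest_c = max(c for _, c in pairs)
    for e in candidate_exponents:
        g = strip_small_factors(recover_modulus_multiple(pairs, e))
        if g > largest_c:
            return e, g
    return None

# Constructed plaintext/ciphertext pairs an eavesdropper might hold
# (small messages keep the integer powers manageable).
PAIRS = [(m, encrypt(m)) for m in (42, 97, 601, 1000)]

if __name__ == "__main__":
    e, n = recover_public_key(PAIRS)
    # Recovering n only puts the attacker where an ordinary RSA public key
    # would; factoring n remains exactly as hard as before.
    print("recovered e =", e, "modulus matches N:", n == N)
```

This is also why Ralph's second point holds: the recovered value is just the public key, so a full-size modulus is still as hard to factor as any published one.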