Cryptography Reference
In-Depth Information
is transmitted to B. B, in turn, uses his or her encryption system and his or her key
K
B
to compute
K
2
=
E
K
B
(
K
1
)
=
E
K
B
(
E
K
A
(
K
))
.
This double encrypted value is returned to A. A then uses
K
A
to decrypt
K
2
,
and compute
K
3
=
D
K
A
(
K
2
)
=
D
K
A
(
E
K
B
(
E
K
A
(
K
)))
=
D
K
A
(
E
K
A
(
E
K
B
(
K
)))
=
E
K
B
(
K
)
accordingly. This value is sent to B, and B uses
K
B
to decrypt
K
3
:
K
=
D
K
B
(
K
3
)=
D
K
B
(
E
K
B
(
K
))
Both entities can now output the key
K
and use it for a symmetric encryption
system.
Unfortunately, it is currently not known how to instantiate Shamir's three-pass
protocol efficiently (i.e., using only symmetric encryption systems). Because one
needs symmetric encryption systems that commute, an obvious choice would be
additive binary stream ciphers, such as the one-time pad introduced in Section 10.4.
In this case, however, one faces the problem that all encryptions cancel themselves
out and that the protocol becomes completely insecure. Let
r
A
be the sequence of
random bits that A uses to compute
K
1
and
K
3
,and
r
B
be the sequence of random
bits that B uses to compute
K
2
.
K
1
,
K
2
,and
K
3
can then be expressed as follows:
K
1
r
A
⊕
K
=
K
2
=
r
B
⊕
K
1
=
r
B
⊕
r
A
⊕
K
K
3
=
r
A
⊕
K
2
=
r
A
⊕
r
B
⊕
r
A
⊕
K
=
r
B
⊕
K
K
1
,
K
2
,and
K
3
are the values an adversary can observe when he or she
mounts a passive wiretapping attack. In this case, the adversary can add
K
1
and
K
2
modulo 2 to retrieve
r
B
: