$$K_1 \oplus K_2 = r_A \oplus K \oplus r_B \oplus r_A \oplus K = r_A \oplus r_A \oplus K \oplus K \oplus r_B = r_B$$

This value can then be added to $K_3$ modulo 2 to determine $K$:

$$r_B \oplus K_3 = r_B \oplus r_B \oplus K = K$$
Consequently, although we use a perfectly secure symmetric encryption system
(i.e., the one-time pad), the resulting key distribution protocol is completely
insecure.
Shamir's three-pass protocol can be instantiated using modular exponentiation
in $\mathbb{Z}_p$. This idea is due to James L. Massey and Jim K. Omura, and hence
the resulting key distribution protocol is sometimes also referred to as the
Massey-Omura protocol. Let A and B be two entities that want to run the
Massey-Omura protocol. A has an encryption exponent $e_A$ and a corresponding
decryption exponent $d_A \equiv (e_A)^{-1} \pmod{p-1}$, and B has an encryption
exponent $e_B$ and a corresponding decryption exponent $d_B$ that is the
multiplicative inverse modulo $p-1$ (i.e., $d_B \equiv (e_B)^{-1} \pmod{p-1}$).
Shamir's three-pass protocol can then be instantiated with the following values
for $K_1$, $K_2$, and $K_3$:

$$K_1 \equiv K^{e_A} \pmod{p}$$

$$K_2 \equiv (K^{e_A})^{e_B} \equiv K^{e_A e_B} \pmod{p}$$

$$K_3 \equiv ((K^{e_A})^{e_B})^{d_A} \equiv ((K^{e_A})^{d_A})^{e_B} \equiv (K^{e_A d_A})^{e_B} \equiv K^{e_B} \pmod{p}$$

Finally, B can use $d_B$ to retrieve $K$:

$$(K^{e_B})^{d_B} \equiv K^{e_B d_B} \equiv K \pmod{p}$$
Unfortunately, this instantiation of Shamir's three-pass protocol employs modular
exponentiation, and hence there is no immediate advantage related to the use of
an asymmetric encryption system in the first place.
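The two instantiations discussed above can be compared side by side in the following added example, which is not taken from the original text. It assumes the one-time-pad messages are $K_1 = r_A \oplus K$, $K_2 = r_B \oplus K_1$ and $K_3 = r_A \oplus K_2$, as read off the equations above; the prime `P` and all function names are illustrative choices.

```python
import math
import secrets

# Assumption: a Mersenne prime picked for illustration, not a value from the text.
P = 2**127 - 1

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def three_pass_xor(key: bytes):
    """One-time-pad instantiation: return the three messages seen on the wire."""
    r_a = secrets.token_bytes(len(key))   # A's pad
    r_b = secrets.token_bytes(len(key))   # B's pad
    k1 = xor_bytes(key, r_a)              # A -> B: r_A xor K
    k2 = xor_bytes(k1, r_b)               # B -> A: r_B xor r_A xor K
    k3 = xor_bytes(k2, r_a)               # A -> B: r_B xor K
    return k1, k2, k3

def observer_recovers_key(k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Passive observer: K1 xor K2 = r_B, then r_B xor K3 = K."""
    r_b = xor_bytes(k1, k2)
    return xor_bytes(r_b, k3)

def exponent_pair(p: int):
    """Random e coprime to p-1, together with d = e^-1 mod (p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2  # e in [2, p-2]
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def massey_omura(key: int, p: int = P):
    """Massey-Omura instantiation: return (wire messages, key recovered by B)."""
    if not 1 < key < p:
        raise ValueError("key must satisfy 1 < key < p")
    e_a, d_a = exponent_pair(p)
    e_b, d_b = exponent_pair(p)
    k1 = pow(key, e_a, p)                 # A -> B: K^(e_A)
    k2 = pow(k1, e_b, p)                  # B -> A: K^(e_A e_B)
    k3 = pow(k2, d_a, p)                  # A -> B: K^(e_B)
    return (k1, k2, k3), pow(k3, d_b, p)  # B applies d_B to obtain K

if __name__ == "__main__":
    secret = b"constructed sample key"    # constructed sample input
    print(observer_recovers_key(*three_pass_xor(secret)) == secret)
    wire, recovered = massey_omura(int.from_bytes(secret[:15], "big"))
    print(recovered == int.from_bytes(secret[:15], "big"))
```

In the XOR case the three wire messages alone determine $K$, whereas in the Massey-Omura case combining them requires an exponent that never leaves A or B.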