Amitabh Saxena

2005-08-07 21:44:01 UTC

Doesn't the original Diffie Hellman key agreement provide signcryption

(without non-repuditation) functionality by default? Let me

demonstrate.

Define generator g for a large prime p.

Assume we have users Alice and Bob with secret keys x and y

respectively and the corresponding public keys a = (g^x mod p) and b =

(g^y mod p).

Alice is the sender and Bob is the receiver. To digitally signcrypt a

message m, first Alice computes m1=(a||m) [concatenation]

Alice then computes c = ((b^x mod p) XOR m1) and sends c to Bob.

Bob computes the message m1 = (c XOR (b^x mod p)) and checks that the

leftmost bits of m1 correspond to a. The message is the rest of the

part.

(without non-repuditation) functionality by default? Let me

demonstrate.

Define generator g for a large prime p.

Assume we have users Alice and Bob with secret keys x and y

respectively and the corresponding public keys a = (g^x mod p) and b =

(g^y mod p).

Alice is the sender and Bob is the receiver. To digitally signcrypt a

message m, first Alice computes m1=(a||m) [concatenation]

Alice then computes c = ((b^x mod p) XOR m1) and sends c to Bob.

Bob computes the message m1 = (c XOR (b^x mod p)) and checks that the

leftmost bits of m1 correspond to a. The message is the rest of the

part.