David

2004-11-22 08:36:04 UTC

Hi all,

I am calculating keys derived from the same initial secret S for a group of N users. I want the N users to be able to generate in sequential time intervals Ti the same key Ki without even having to communicate. For this purpose, I calculate sequentially Ki = h(S+i), where Ki is each different key to be calculated, S the initial secret, i an integer and h() a hash function. For instance:

K0 = h(S),
K1 = h(S+1),
K2 = h(S+2),
...
Kn = h(S+n).

Knowing this pattern of Ki's:

- Is the scheme forward secure, assuming the attacker cannot ever compromise S? i.e. assuming the attacker compromises a set of Ki's, can he then infer any Kj with j>i (or even S) by knowing the pattern?

Thanks for your answers in advance!

David
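The derivation David describes, written out as an added Python example (this is not code from the post). It reads "S+i" as the concatenation of S with a fixed-width encoding of the interval number i, which is an assumption; the post does not say whether "+" means integer addition or concatenation. It also assumes that the users agree on i by sharing a start time and an interval length and having loosely synchronised clocks, since that is the only way to pick the same i with no message exchange; the `epoch`, `interval_len` and clock values below are constructed sample inputs.

```python
import hashlib
import hmac

# Added example of the scheme K_i = h(S + i) from the post, with "+" taken
# as concatenation of S and an 8-byte big-endian counter (an assumption).
INDEX_BYTES = 8  # fixed width, so that S||1 and S||10 cannot share a prefix


def derive_key(secret: bytes, i: int) -> bytes:
    """K_i = SHA-256(S || i). Every party holding S and the index i gets the
    same 32-byte key without communicating."""
    if i < 0:
        raise ValueError("interval index must be non-negative")
    return hashlib.sha256(secret + i.to_bytes(INDEX_BYTES, "big")).digest()


def derive_schedule(secret: bytes, n: int) -> list:
    """K_0 .. K_n, the listing given in the post."""
    return [derive_key(secret, i) for i in range(n + 1)]


def interval_index(now: int, epoch: int, interval_len: int) -> int:
    """Map a clock reading to the interval number i (assumption: all users
    share `epoch` and `interval_len`, both in seconds)."""
    if now < epoch:
        raise ValueError("clock reading precedes the epoch")
    return (now - epoch) // interval_len


def same_key_without_communicating(secret: bytes, epoch: int, interval_len: int,
                                   clock_a: int, clock_b: int) -> bool:
    """Two users derive K_i independently from their own clocks; returns True
    iff they landed in the same interval and therefore hold the same key."""
    k_a = derive_key(secret, interval_index(clock_a, epoch, interval_len))
    k_b = derive_key(secret, interval_index(clock_b, epoch, interval_len))
    return hmac.compare_digest(k_a, k_b)


if __name__ == "__main__":
    S = b"constructed-shared-secret"  # constructed sample secret, not a real one
    for i, k in enumerate(derive_schedule(S, 3)):
        print(f"K{i} = {k.hex()}")
    # Users A and B, 300-second intervals, clocks 905 s and 1190 s after the epoch
    print("same interval key:", same_key_without_communicating(S, 0, 300, 905, 1190))
```

Note that nothing here is a proof about what a compromised Ki reveals: each Ki is one hash output, so that question is exactly the one the post asks and depends on the properties assumed of h.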
