On Nov 3, 2012, at 7:03 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Jon Callas <j...@callas.org> writes:
> 
>> Which immediately prompts the question of "what if it's long or secret?" [1]
>> This attack doesn't work on that.
> 
> The "asymmetric-as-symmetric" was proposed about a decade ago as a means of
> protecting against new factorisation attacks, and was deployed as a commercial
> product.  I don't recall them keeping the exponent secret because there wasn't
> any need to... until now that is.  So I think Taral's comment about not using
> crypto in novel ways is quite apropos here, the asymm-as-sym concept only
> protected you against the emergence of novel factorisation attacks (or the use
> of standard factorisation attacks on too-short keys) as long as no-one
> bothered trying to attack the public-key-hiding itself.

Point taken. I'm being too grumpy. 

I think this is a brilliant result because it gives us a "see, see" reference 
to give to people.

I'm big on sneering at proofs of security because they often do not relate to 
real security in the real world in ways that upset me (a guy whose degree is in 
mathematical logic) to my core. If you want the same sort of rigor that math 
has, security is useless.

On the other hand, and Hal Finney drove this home to me many times, they do 
tell you what sort of things you can ignore. 

This one is great because of the way it slaps intuition around.

> 
>> If you believe that the only attack against RSA is factoring the modulus,
>> then you can be seduced into thinking that hiding the modulus makes the
>> attacker's job harder. 
> 
> Yup, and that was the flaw in the reasoning behind the keep-the-public-key-
> secret system.  So this is a nice textbook illustration of why not to use crypto
> in novel ways based purely on intuition.

There are all sorts of things people do based on an intuition. Hell, I've done 
them. Sometimes they just present themselves. If I had a protocol that didn't 
expose public keys (suppose they're all wrapped in a secure transfer), I might 
point out that hey, this system has hidden RSA keys. But this points out that 
unless there is a lot of extra work you do, you didn't do squat. It also 
suggests that the conservative engineering approach, which is to say that 
unless you can characterize added security it's just fluff, has new backing in 
fact.

        Jon



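The modulus-recovery result the thread is discussing, as an added example that is not from either poster: when the public exponent is known, a handful of observed message/signature pairs reveal the "hidden" modulus, so keeping N secret adds nothing on its own. The key below is a constructed toy (primes far too small for real use, e = 3 to keep the integers short).

```python
from math import gcd

# Constructed toy RSA key: genuine primes, but far too small for real use; they
# keep the demonstration instant. e = 3 keeps s^e short; the same recovery works
# for any known e (e.g. 65537), only with larger intermediate integers.
P = 1000000007
Q = 998244353
N = P * Q
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(m: int) -> int:
    """Textbook RSA signature s = m^d mod N (no padding; demo only)."""
    return pow(m, D, N)

def recover_modulus(pairs, e: int) -> int:
    """Recover the 'hidden' modulus from (message, signature) pairs.

    Each valid signature satisfies s^e == m (mod N), so N divides the ordinary
    integer s^e - m. The gcd of several such differences is N times a small
    cofactor shared only by chance; the final loop strips that cofactor."""
    g = 0
    for m, s in pairs:
        g = gcd(g, pow(s, e) - m)      # plain integer power, not reduced mod N
    for f in range(2, 1000):
        while g > f and g % f == 0:
            g //= f
    return g

# Constructed messages: what an observer of the protocol sees next to each
# signature. They must already be integers below N.
MESSAGES = [
    int.from_bytes(b"invoice-1", "big") % N,
    int.from_bytes(b"invoice-2", "big") % N,
    int.from_bytes(b"invoice-3", "big") % N,
]
PAIRS = [(m, sign(m)) for m in MESSAGES]

def recovered_key_verifies(m: int, s: int, e: int) -> bool:
    """Check a fresh signature using only the modulus recovered from PAIRS."""
    n_guess = recover_modulus(PAIRS, e)
    return pow(s, e, n_guess) == m

if __name__ == "__main__":
    print("recovered N matches:", recover_modulus(PAIRS, E) == N)
    m4 = int.from_bytes(b"invoice-4", "big") % N
    print("fresh signature verifies under recovered N:",
          recovered_key_verifies(m4, sign(m4), E))
```

The recovery hinges on knowing e; with a large, genuinely secret exponent the differences s^e - m cannot be formed, which is exactly the "what if it's long or secret?" case the thread sets aside.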
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography