Re: biological systems and cryptography

2003-01-01 Thread dmolnar
On Tue, 31 Dec 2002, Michael Cardenas wrote:

> How do you all see the future use of biologically based systems
> affecting cryptography in general?

As Tim pointed out, barring some incredible breakthrough, such systems are
unlikely to affect cryptography at all. You may be interested to see that
some people have tried to base cryptography on problems which are hard to
learn:

"Cryptographic Primitives Based on Hard Learning Problems"
http://www.cis.upenn.edu/~mkearns/papers/prim.ps

-David Molnar




Re: Psuedo-Private Key (eJazeera)

2002-11-20 Thread dmolnar
On Wed, 20 Nov 2002, Tyler Durden wrote:

> to have a big jpg of a hand with middle finger extended...) More than this,
> they will have unknowingly destroyed the real data. (Perhaps a 3rd key is
> needed that DOESN'T destroy the original data, just 'hides' it a la
> Rubberhose.)

The question I've seen asked about this is then -- how do you get them to
stop beating you? If they know you might have some number of duress keys,
one of which might undetectably hide the data, what stops them from
beating you until

1) you give them a key that shows them what they want to see
2) you die

Maybe this isn't that different from the ordinary unencrypted case, where
if they don't find it on your HD they can accuse you of burying disks in
the backyard or something. Or is the goal protecting the data and not
protecting your life?

-David




Re: Proofs of security

2002-10-08 Thread dmolnar

On Sun, 6 Oct 2002, Adam Shostack wrote:

> Has anyone done any research into how much better new cryptosystems
> with proofs of security do, as opposed to their unproven cousins?  It
> seems that having a proof of security doesn't actually improve the
> odds that a system will survive attacks.  But thats my intuition, not
> a proven fact. ;)
>
> Has anyone read a stack of papers and done some statistics?

Cool idea...

If you're going to do this study, you might want to first split off block
ciphers into their own separate category. My understanding is that the
proofs of security you see there are more along the lines of "we prove we
don't fall victim to differential cryptanalysis." In contrast, with
public-key crypto the proofs are typically of the form "if you can
break the scheme, then you can factor/break DH/break DDH/something else."

The empirical 'benefit' of both kinds of proofs is certainly of interest,
but I think it'd be way too confusing to treat them together. Not that I
think you were making that suggestion, of course. I merely want to point
out that the term "proof of security" covers a bunch of different things
with different characteristics.

For a while, the "proof of security success story" I would have cited was
OAEP vs. PKCS #1 v1.5. The water there seems a little more murky now than
it did in 1998.

I personally think that a case can be made that OAEP is "better" than PKCS
#1 v1.5, and we can observe that OAEP has a proof of security in the
random oracle model, while PKCS #1 v1.5 has no proof. (Before everyone
jumps in pointing to Shoup's paper, I know about that - that's why I wrote
the water is more murky). Making that case takes more time than I have for
this e-mail.

-David




Re: employment market for applied cryptographers?

2002-08-18 Thread dmolnar



On Sat, 17 Aug 2002, John Kelsey wrote:

> Also, designing new crypto protocols, or analyzing old ones used in odd
> ways, is mostly useful for companies that are offering some new service on
> the net, or doing some wildly new thing.  Many of the obvious new things

I agree with this as far as "crypto" protocols go. But one thing to keep
in mind is that almost all protocols impact security, whether their
designers realize it or not. Especially protocols for file transfer, print
spooling, or reservation of resources. Most of these are designed without
people identifying them as "crypto protocols."

Another thing that makes it worse -- composition of protocols. You can do
an authentication protocol and prove you're "you." Then what? Does that
confer security properties upon following protocols, and if so what?

-David




Re: employment market for applied cryptographers?

2002-08-16 Thread dmolnar



On Fri, 16 Aug 2002, Adam Back wrote:

> failure to realise this issue or perhaps just not caring, or lack of
> financial incentives to care on the part of software developers.
> Microsoft is really good at this one.  The number of times they
> re-used RC4 keys in different protocols is amazing!

Don't forget schedule pressure, the overhead of bringing in a contractor
to do crypto protocol design, and the not-invented-here syndrome. I think
all of these contribute to keeping protocol design in-house, regardless of
the technical skill of the parties involved. It takes a serious investment
in time to qualify a consultant. If having the protocol right isn't a top
priority, that investment won't be made...and I'd guess that designing a
new protocol isn't common enough to merit a separate job/new hire in most
organizations.

-David




Bay area cypherpunks

2002-08-16 Thread dmolnar

Hi,

I am currently in the SF Bay Area and wondering whether any cypherpunks
are around and might want to say hi. Right now I'm in Berkeley, but I'm
willing to travel (public transportation) to see people.

thanks,
-David Molnar




S-DART

2002-07-12 Thread dmolnar

This seems to be related to the "Stego Watch" program sold by Wetstone
Technologies. Does anyone have more information about it? I've found
citations for a few papers on it, but none are online. I'll go to the
library later, but in the meantime has anyone read these papers or had
experience with the system in action?

How does it compare to Provos' stegdetect?

-David Molnar




Re: Fwd: Re: CP meet at H2K2?]

2002-07-10 Thread dmolnar

According to the TimeOutNewYork eating and drinking guide:

Blarney Rock
137 W 33rd street between Broadway and Seventh Avenue
212-947-0825

Let's say midnight for *sure* as a meeting time, and perhaps people can
dart out there earlier if they feel like it. I plan to arrive at the con
around 2pm on Saturday and will stick my head in Blarney Rock on the way.
In case anyone wants my number, e-mail me.

-David


On Wed, 10 Jul 2002, Greg Newby wrote:

> Sounds like a plan... someone try to remember to put a sign
> up on-site for this.  An actual address for the
> bar would be nice - is this the one on 33rd?




Re: CP meet at H2K2?

2002-06-21 Thread dmolnar

On Thu, 20 Jun 2002, Greg Newby wrote:

> the next couple of days.  I'm thinking of a CP
> meet Saturday night July 12.  Anyone else gonna be there?

I should be there, since I'm free and in the area.

In a similar vein, who's going to be at DEF CON?

-David




Re: Forward-secure public-key encryption eprint

2002-05-30 Thread dmolnar

On Thu, 30 May 2002, Anonymous wrote:

> David Hopwood writes:

Did I miss a separate message in which David Hopwood followed up to my
post? Cypherpunks is more reliable for me than it used to be, but it's not
always all there.

>
> math is really advanced and not many implementors or users are likely
> to understand it very well.  Sure we've got a library but the kind of
> people who want forward security would like to understand the principles
> a little better.

Thanks for the detailed summary! Even if the system may not be ready for
prime time, I think it may still be worth looking at it and following
future developments.

-David




Forward-secure public-key encryption eprint

2002-05-28 Thread dmolnar

Forward-secure public-key encryption has been discussed here, on
sci.crypt, and elsewhere. To recap - the goal is that an adversary who
breaks into your computer today can't read messages sent/received
yesterday. In the interactive case, you use ephemeral Diffie-Hellman. The
non-interactive case is more complicated and has had some ideas considered
by Ross Anderson, Adam Back, and David Hopwood (among others). Cypherpunks
relevance: forward security is nice for remailers.

Anyway, there's a new eprint up which shows how to construct such a scheme
starting from an ID-based encryption scheme by Boneh + Franklin.

"A Forward-Secure Public-Key Encryption Scheme"
Jonathan Katz
http://eprint.iacr.org/2002/060/

It's worth noting that the scheme this is based on has code available.
http://crypto.stanford.edu/ibe/download.html

-David
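The post's recap of the goal (a break-in today must not expose yesterday's traffic) and its remark that the interactive case is handled by ephemeral Diffie-Hellman can be made concrete with a small simulation. This is an added example, not code from the post, from Katz's eprint, or from the Boneh-Franklin IBE download. The group is a freshly generated 64-bit safe prime (toy size, so the example runs instantly; real deployments use groups of at least 2048 bits), and `Party`, `run_session`, `attacker_recovers` and `scenario` are constructed names for a constructed model in which the "break-in" hands the attacker a copy of Alice's stored state plus the public values it recorded from the wire the day before. The third scenario below is the caveat a practitioner wants: forward security only holds if the ephemeral exponent is actually erased.

```python
"""Ephemeral vs. static Diffie-Hellman and what a later break-in reveals.

Added illustration for the forward-security discussion (not the post's,
Katz's, or the IBE library's code). Group: a freshly generated 64-bit safe
prime (toy size). Party/attacker model: constructed simulation.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime, so G = 4 has prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = make_safe_prime(64)  # toy size; real groups are >= 2048 bits
G = 4                    # a square mod P, hence inside the order-q subgroup


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a session key from the DH shared secret and a mode label."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()


class Party:
    """Long-term DH key plus, while a session is live, an ephemeral exponent.
    Everything in `state` is what a break-in would copy off the machine."""

    def __init__(self) -> None:
        self.state: Dict[str, int] = {"long_term_priv": secrets.randbelow(P - 2) + 1}
        self.long_term_pub = pow(G, self.state["long_term_priv"], P)

    def fresh_ephemeral(self) -> int:
        self.state["ephemeral_priv"] = secrets.randbelow(P - 2) + 1
        return pow(G, self.state["ephemeral_priv"], P)

    def wipe_ephemeral(self) -> None:
        """Erasing the exponent is the step forward security depends on."""
        self.state.pop("ephemeral_priv", None)


def run_session(alice: Party, bob: Party, mode: str) -> Tuple[bytes, Dict]:
    """Derive one session key; return (key, what an eavesdropper records)."""
    if mode == "static":
        # Key depends only on long-term keys: the non-forward-secure baseline.
        key = kdf(pow(bob.long_term_pub, alice.state["long_term_priv"], P), b"static")
        assert key == kdf(pow(alice.long_term_pub, bob.state["long_term_priv"], P), b"static")
        return key, {"mode": "static", "bob_pub": bob.long_term_pub}
    x_pub = alice.fresh_ephemeral()
    y_pub = bob.fresh_ephemeral()
    key = kdf(pow(y_pub, alice.state["ephemeral_priv"], P), b"ephemeral")
    assert key == kdf(pow(x_pub, bob.state["ephemeral_priv"], P), b"ephemeral")
    return key, {"mode": "ephemeral", "bob_pub": y_pub}


def attacker_recovers(transcript: Dict, stolen_state: Dict[str, int]) -> Optional[bytes]:
    """Adversary recorded `transcript` yesterday and steals Alice's state today.
    Without the exponent that went into the key it faces a discrete log in the
    group; None marks that the direct recomputation is impossible."""
    needed = "long_term_priv" if transcript["mode"] == "static" else "ephemeral_priv"
    if needed not in stolen_state:
        return None
    return kdf(pow(transcript["bob_pub"], stolen_state[needed], P), transcript["mode"].encode())


def scenario(mode: str, wipe: bool) -> bool:
    """True when a break-in after the session recovers yesterday's session key."""
    alice, bob = Party(), Party()
    key, transcript = run_session(alice, bob, mode)
    if wipe:
        alice.wipe_ephemeral()
        bob.wipe_ephemeral()
    return attacker_recovers(transcript, dict(alice.state)) == key


if __name__ == "__main__":
    print("static DH, key recovered after break-in:   ", scenario("static", wipe=True))
    print("ephemeral DH, exponent wiped, recovered:   ", scenario("ephemeral", wipe=True))
    print("ephemeral DH, exponent kept, recovered:    ", scenario("ephemeral", wipe=False))
```

The static case is the one the post's non-interactive setting has to improve on: the key that decrypts yesterday's mail is the same long-term key the intruder walks off with. The ephemeral case shows why the interactive setting is easy, and the un-wiped variant shows that the property lives in the erasure, not in the key exchange alone.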




Upcoming workshop on category theory and concurrency

2002-04-29 Thread dmolnar

[concerning category theory and crypto protocols]
> So when you have done some real work on the matter, at least written some
> paper on the stuff, and published it, you may well write about it here.

I think that sets the bar a bit too high - there is a place for saying
"this area looks interesting and relevant, but I don't have it down yet."
Perhaps one thing to do might be to make the discussion more specific by
finding particular applications of category theory to areas "close" to
cryptography and looking at those applications in more detail.
(No, I'm not necessarily volunteering to do this.)

In any case, if Tim or anyone else wants to submit a paper, this is a page
on a workshop in "Categorical Methods for Concurrency, Interaction, and
Mobility"
http://www.cwi.nl/events/2002/cmcim/

the call for papers just showed up in my inbox yesterday. While not
specifically about crypto protocols, "interaction and mobility" seems to
cover some of what I think Tim is getting at.

-David




Re: My current readings in Category Theory

2002-04-03 Thread dmolnar

In passing about category theory and ML:

* ML supports generic programming by a language feature called
a "functor." I don't know enough category theory to know how
close ML's notion of "functor" is to a mathematician's.
this page is a small intro
http://www.kingston.ac.uk/~bs_s075/MLWorkshop/unit8.html

* ocaml and ML may not be as widely used as C++, but I have
seen them used fairly widely in academia. Sometimes in conjunction
with other fun topics. Check out this course on computational
game theory
http://www.eecs.harvard.edu/~avi/CS281r/
exercises include programming in ocaml.

* The Fox project at CMU wants to use ML for systems programming.
http://foxnet.cs.cmu.edu/HomePage.html
Note that Peter Lee is also involved in "proof-carrying code."

-David




Re: Internet is dead (Was Re: Celsius 451 -the melting point of Cat-5)

2002-04-02 Thread dmolnar

On Tue, 2 Apr 2002, Tim May wrote:

> Imagine N transponders. Coded sequences are broadcast, recipients are
> unknown. (Actually, _everyone_ receives, but only some can decode.)

Sounds vaguely like the setting for this paper:

Xor-Trees for Efficient Anonymous Multicast and Reception
Shlomi Dolev, Rafail Ostrovsky
http://citeseer.nj.nec.com/dolev98xortree.html

Abstract:
In this work we examine the problem of efficient anonymous broadcast and
reception in general communication networks. We show an algorithm which
achieves anonymous communication with O(1) amortized communication
complexity on each link and low computational complexity. In contrast, all
previous solutions require polynomial (in the size of the network and
security parameter) amortized communication complexity.