Re: biological systems and cryptography
On Tue, 31 Dec 2002, Michael Cardenas wrote: > How do you all see the future use of biologically based systems > affecting cryptography in general? As Tim pointed out, barring some incredible breakthrough, such systems are unlikely to affect cryptography at all. You may be interested to see that some people have tried to base cryptography on problems which are hard to learn: "Cryptographic Primitives Based on Hard Learning Problems" http://www.cis.upenn.edu/~mkearns/papers/prim.ps -David Molnar
Re: Psuedo-Private Key (eJazeera)
On Wed, 20 Nov 2002, Tyler Durden wrote: > to have a big jpg of a hand with middle finger extended...) More than this, > they will have unknowingly destroyed the real data. (Perhaps a 3rd key is > needed that DOESN'T destroy the original data, just 'hides' it a la > Rubberhose.) The question I've seen asked about this is then -- how do you get them to stop beating you? If they know you might have some number of duress keys, one of which might undetectably hide the data, what stops them from beating you until 1) you give them a key that shows them what they want to see 2) you die Maybe this isn't that different from the ordinary unencrypted case, where if they don't find it on your HD they can accuse you of burying disks in the backyard or something. Or is the goal protecting the data and not protecting your life? -David
Re: Proofs of security
On Sun, 6 Oct 2002, Adam Shostack wrote: > Has anyone done any research into how much better new cryptosystems > with proofs of security do, as opposed to their unproven cousins? It > seems that having a proof of security doesn't actually improve the > odds that a system will survive attacks. But thats my intuition, not > a proven fact. ;) > > Has anyone read a stack of papers and done some statistics? Cool idea... If you're going to do this study, you might want to first split off block ciphers into their own separate category. My understanding is that the proofs of security you see there are more along the lines of "we prove we don't fall victim to differential cryptanalysis." In contrast, with public-key crypto the proofs are of the typically of form "if you can break the scheme, then you can factor/break DH/break DDH/something else." The empirical 'benefit' of both kinds of proofs is certainly of interest, but I think it'd be way too confusing to treat them together. Not that I think you were making that suggestion, of course. I merely want to point out that the term "proof of security" covers a bunch of different things with different characteristics. For a while, the "proof of security success story" I would have cited was OAEP vs. PKCS #1 v1.5 . The water there seems a little more murky now than it did in 1998. I personally think that a case can be made that OAEP is "better" than PKCS #1 v1.5, and we can observe that OAEP has a proof of security in the random oracle model, while PKCS #1 v1.5 has no proof. (Before everyone jumps in pointing to Shoup's paper, I know about that - that's why I wrote the water is more murky). Making that case takes more time than I have for this e-mail. -David
Re: employment market for applied cryptographers?
On Sat, 17 Aug 2002, John Kelsey wrote: > Also, designing new crypto protocols, or analyzing old ones used in odd > ways, is mostly useful for companies that are offering some new service on > the net, or doing some wildly new thing. Many of the obvious new things I agree with this as far as "crypto" protocols go. But one thing to keep in mind is that almost all protocols impact security, whether their dsigners realize it or not. Especially protocols for file transfer, print spooling, or reservation of resources. most of these are designed without people identifying them as "crypto protocols." Another thing that makes it worse -- composition of protocols. You can do an authentication protocol and prove you're "you." Then what? Does that confer security properties upon following protocols, and if so what? -David
Re: employment market for applied cryptographers?
On Fri, 16 Aug 2002, Adam Back wrote: > failure to realise this issue or perhaps just not caring, or lack of > financial incentives to care on the part of software developers. > Microsoft is really good at this one. The number of times they > re-used RC4 keys in different protocols is amazing! Don't forget schedule pressure, the overhead of bringing in a contractor to do crypto protocol design, and the not-invented-here syndrome. I think all of these contribute to keeping protocol design in-house, regardless of the technical skill of the parties involved. It takes a serious investment in time to qualify a consultant. If having the protocol right isn't a top priority, that investment won't be made...and I'd guess that designing a new protocol isn't common enough to merit a separate job/new hire in most organizations. -David
Bay area cypherpunks
Hi, I am currently in the SF Bay Area and wondering whether any cypherpunks are around and might want to say hi. Right now I'm in Berkeley, but I'm willing to travel (public transportation) to see people. thanks, -David Molnar
S-DART
This seems to be related to the "Stego Watch" program sold by Wetstone Technologies. Does anyone have more information about it? I've found citations for a few papers on it, but none are online. I'll go to the library later, but in the meantime has anyone read these papers or had experience with the system in action? How does it compare to Provos' stegdetect? -David Molnar
Re: Fwd: Re: CP meet at H2K2?]
According to the TimeOutNewYork eating and drinking guide: Blarney Rock 137 W 33rd street between Broadway and Seventh Avenue 212-947-0825 Let's say midnight for *sure* as a meeting time, and perhaps people can dart out there earlier if they feel like it. I plan to arrive at the con around 2pm on Saturday and will stick my head in Blarney Rock on the way. In case anyone wants my number, e-mail me. -David On Wed, 10 Jul 2002, Greg Newby wrote: > Sounds like a plansomeone try to remember to put a sign > up on-site for this. An actual address for the > bar would be nice - is this the one on 33rd?
Re: CP meet at H2K2?
On Thu, 20 Jun 2002, Greg Newby wrote: > the next couple of days. I'm thinking of a CP > meet Saturday night July 12. Anyone else gonna be there? I should be there, since I'm free and in the area. In a similar vein, who's going to be at DEF CON? -David
Re: Forward-secure public-key encryption eprint
On Thu, 30 May 2002, Anonymous wrote: > David Hopwood writes: Did I miss a separate message in which David Hopwood followed up to my post? Cypherpunks is more reliable for me than it used to be, but it's not always all there. > > math is really advanced and not many implementors or users are likely > to understand it very well. Sure we've got a library but the kind of > people who want forward security would like to understand the principles > a little better. Thanks for the detailed summary! Even if the system may not be ready for prime time, I think it may still be worth looking at it and following future developments. -David
Forward-secure public-key encryption eprint
Forward-secure public-key encryption has been discussed here, on sci.crypt, and elsewhere. To recap - the goal is that an adversary who breaks into your computer today can't read messages sent/received yesterday. In the interactive case, you use ephermal Diffie-Hellman. The non-interactive case is more complicated and has had some ideas considered by Ross Anderson, Adam Back, and David Hopwood (among others). Cypherpunks relevance: forward security is nice for remailers. Anyway, there's a new eprint up which shows how to construct such a scheme starting from an ID-based encryption scheme by Boneh + Franklin. "A Forward-Secure Public-Key Encryption Scheme" Jonathan Katz http://eprint.iacr.org/2002/060/ It's worth noting that the scheme this is based on has code available. http://crypto.stanford.edu/ibe/download.html -David
Upcoming workshop on category theory and concurrency
[concerning category theory and crypto protocols] > So when you have done some real work on the matter, at least written some > paper on the stuff, and published it, you may well write about it here. I think that sets the bar a bit too high - there is a place for saying "this area looks interesting and relevant, but I don't have it down yet." Perhaps one thing to do might be to make the discussion more specific by finding particular applications of category theory to areas "close" to cryptography and looking at those applications in more detail. (No, I'm not necessarily volunteering to do this.) In any case, if Tim or anyone else wants to submit a paper, this is a page on a workshop in "Categorical Methods for Concurrency, Interaction, and Mobility" http://www.cwi.nl/events/2002/cmcim/ the call for papers just showed up in my inbox yesterday. While not specifically about crypto protocols, "interaction and mobility" seems to cover some of what I think Tim is getting at. -David
Re: My current readings in Category Theory
In passing about category theory and ML: * ML supports generic programming by a language feature called a "functor." I don't know enough category theory to know how close ML's notion of "functor" is to a mathematician's. this page is a small intro http://www.kingston.ac.uk/~bs_s075/MLWorkshop/unit8.html * ocaml and ML may not be as widely used as C++, but I have seen them used fairly widely in academia. Sometimes in conjunction with other fun topics. Check out this course on computational game theory http://www.eecs.harvard.edu/~avi/CS281r/ exercises include programming in ocaml. * The Fox project at CMU wants to use ML for systems programming. http://foxnet.cs.cmu.edu/HomePage.html Note that Peter Lee is also involved in "proof-carrying code." -David
Re: Internet is dead (Was Re: Celsius 451 -the melting point of Cat-5)
On Tue, 2 Apr 2002, Tim May wrote: > Imagine N transponders. Coded sequences are broadcast, recipients are > unknown. (Actually, _everyone_ receives, but only some can decode.) Sounds vaguely like the setting for this paper: Xor-Trees for Efficient Anonymous Multicast and Reception Shlomi Dolev, Rafail Ostrovsky http://citeseer.nj.nec.com/dolev98xortree.html Abstract: In this work we examine the problem of efficient anonymous broadcast and reception in general communication networks. We show an algorithm which achieves anonymous communication with O(1) amortized communication complexity on each link and low computational complexity. In contrast, all previous solutions require polynomial (in the size of the network and security parameter) amortized communication complexity.
