Re: Chaffing and Winnowing


Anonymous (nobody@replay.com)
Thu, 4 Feb 1999 13:10:13 +0100


> > Well, the crypto-police could argue that this is equivalent to using k-bit
> > conventional encryption (the k bits being a sort of "key"). Besides, are we
> > sure that all-or-nothing transforms are unencumbered?
>
> This idea, using (e.g.) 512-bit RSA to encrypt k bits of an otherwise
> unencrypted A|N message, doesn't address the export issue at all, since it
> doesn't interfere with the gov't reading the message.

(Disclaimer: it's 11:00 at night; I'm almost sure I'm wrong somewhere. :)

I think nobody@remailer.ie was talking about using the construct for more
efficient exportable symmetric confidentiality by taking the public keys out of
the picture -- if not, allow me to propose it. :-) I don't think that the
posted method, if handled correctly, leaves any substantive trace of the value
of the modulus... assuming plaintexts are as unknown as the randomness+a|n
should leave them, and that there are enough possible 512-bit RSA keys that
exh-- exhau-- brute-forcing would not matter, it comes out secure even if
NSA/FBI/CIA can do BXA-OK RSA's IFP PDQ.

It ends up like the old legend about the exportable PRNG and exportable XOR
program -- you can export each component and assemble them into strong
symmetric crypto -- and that only if this use of weak public-key crypto isn't
already covered and the method doesn't have some weakness too obvious for me to
see.

But don't get any crazy convictions, anybody; if anything, this is probably
going to serve mainly as bonus documentation of the silliness of export regs,
not as an actual means of evasion. (Although this could always be one of the
holes in crypto regs the Walsh Report mentioned.)

...
>
> It's all pretty moot, though, since it reduces to much the same thing
> as the current practice of RSA-encrypting a nonce for use with a
> symmetric cipher: it eliminates the symmetric key setup cost and
> reduces very slightly the total transmission size of the whole
> thing, but to unwind the A|N package we pay about twice the
> cost of some symmetric cipher (if I'm reading the paper right), so
> overall we lose compared to the usual hybrid systems.

Well, it's possible, if potentially terrifyingly unsafe, to use a cipher's
round function on a bigger block, like some of the AES candidates did. Might be
properly sized, fast, and everything.

> That is, it's faster than RSA alone, but slower than RSA+symmetric.
>
> I don't know the intellectual property status of the A|N package
> transform.

Although there might be some patent on the use of one for confidentiality w/o
strong encryption, I really can't imagine a patent covering any suitable
transform; that would probably include some physics-sim programs. :)

>
> --
> Jim Gillogly
> 14 Solmath S.R. 1999, 01:05
> 12.19.5.16.9, 3 Muluc 2 Pax, Fifth Lord of Night
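The quoted cost argument (unwinding the A|N package costs about two symmetric-cipher passes) and the all-or-nothing property the whole idea rests on can be checked against Rivest's package transform. The following is an added example, not code from this thread or from Rivest's paper; it substitutes HMAC-SHA256 for the block cipher E so it runs on the standard library alone, and the all-zero K0, the sample message and the single-bit corruption test are constructed for illustration.

```python
import hashlib, hmac, secrets

BLOCK = 16                  # block size in bytes
K0 = bytes(BLOCK)           # fixed, publicly known key for the h_i values (constructed: all zeros)
CALLS = [0]                 # counts invocations of the block function E

def E(key: bytes, x: bytes) -> bytes:
    """Block function E(key, x): HMAC-SHA256 truncated to BLOCK bytes stands in for a block cipher."""
    CALLS[0] += 1
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def ctr(i: int) -> bytes: return i.to_bytes(BLOCK, "big")

def package(m: bytes) -> list:
    """Package transform: m'_i = m_i xor E(K', i); m'_{s+1} = K' xor h_1 xor ... xor h_s."""
    assert len(m) % BLOCK == 0
    k = secrets.token_bytes(BLOCK)                           # one-time random key K'
    blocks = [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]
    out = [xor(mi, E(k, ctr(i))) for i, mi in enumerate(blocks, 1)]
    tail = k
    for i, ci in enumerate(out, 1):                          # h_i = E(K0, m'_i xor i)
        tail = xor(tail, E(K0, xor(ci, ctr(i))))
    return out + [tail]

def unpackage(blocks: list) -> bytes:
    """Inverse: every m'_i is needed to recover K', and K' is needed for every m_i."""
    *body, tail = blocks
    k = tail
    for i, ci in enumerate(body, 1):
        k = xor(k, E(K0, xor(ci, ctr(i))))
    return b"".join(xor(ci, E(k, ctr(i))) for i, ci in enumerate(body, 1))

def block_costs(m: bytes) -> tuple:
    """Return (s, forward E calls, inverse E calls): each direction is 2s, twice one cipher pass."""
    CALLS[0] = 0
    pkg = package(m)
    fwd = CALLS[0]
    CALLS[0] = 0
    assert unpackage(pkg) == m
    return len(m) // BLOCK, fwd, CALLS[0]

def blocks_lost(m: bytes, j: int) -> int:
    """Corrupt one bit of package block j and count plaintext blocks that no longer recover."""
    pkg = package(m)
    pkg[j] = bytes([pkg[j][0] ^ 1]) + pkg[j][1:]
    got = unpackage(pkg)
    return sum(got[i:i + BLOCK] != m[i:i + BLOCK] for i in range(0, len(m), BLOCK))

MSG = b"chaffing and winnowing, package transform test".ljust(4 * BLOCK)   # constructed, 4 blocks
```

`block_costs` reports 2s block-function calls in each direction, and `blocks_lost` shows that damaging any one of the s+1 package blocks leaves every plaintext block unrecoverable, which is the property that makes encrypting only k bits of the output meaningful at all.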




The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:25