Re: Thanks for the living hell, and question about OpenSSL
Tim May wrote:
Not meaning to sound too harsh, but you need to think deeply about what cryptography is all about and why "trust me, I promise not to look" systems are not desirable or interesting.
I'm writing "(unblind (sign (blind X))) = (sign x)" on the board one hundred times.
- -- Patrick http://fexl.com
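The identity Patrick is writing on the board, worked through as an added example (not code from the thread): a Chaum-style RSA blind signature in Python, where the signer only ever sees the blinded value yet the unblinded result equals an ordinary signature on the message. The primes, exponent and message are toy values constructed for the demo.

```python
# Added example, not from the thread: RSA blind signature showing
# unblind(sign(blind(x))) == sign(x). Toy parameters only; real
# deployments use large moduli and a padding/hash scheme.
import secrets
from math import gcd

def make_keypair():
    """Textbook RSA keypair from small constructed primes (demo only)."""
    p, q = 1000003, 1000033          # constructed small primes
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), d

def blind(message, pubkey):
    """Requester: pick a random r coprime to n, return (m * r^e mod n, r)."""
    n, e = pubkey
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (message * pow(r, e, n)) % n, r

def sign(value, pubkey, d):
    """Signer: plain RSA signing; it cannot tell a blinded value from a message."""
    n, _ = pubkey
    return pow(value, d, n)

def unblind(blind_sig, r, pubkey):
    """Requester: (m * r^e)^d = m^d * r, so multiplying by r^-1 leaves m^d."""
    n, _ = pubkey
    return (blind_sig * pow(r, -1, n)) % n

def verify(message, signature, pubkey):
    """Anyone: check signature^e == message mod n."""
    n, e = pubkey
    return pow(signature, e, n) == message % n

def demo(message=123456789):
    """Return whether the board identity holds and the result verifies."""
    pubkey, d = make_keypair()
    blinded, r = blind(message, pubkey)
    direct_sig = sign(message, pubkey, d)            # sign(x)
    via_blind = unblind(sign(blinded, pubkey, d), r, pubkey)  # unblind(sign(blind(x)))
    return {
        "identity_holds": via_blind == direct_sig,
        "verifies": verify(message, via_blind, pubkey),
    }
```

The signer's transcript contains only `blinded`, which is uniformly random in the group for a fresh `r`, which is why the signer cannot later link the issued signature to the message it signed.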
On Friday, April 25, 2003, at 03:30 PM, Patrick Chkoreff wrote:
Tim May wrote:
Not meaning to sound too harsh, but you need to think deeply about what cryptography is all about and why "trust me, I promise not to look" systems are not desirable or interesting.
I'm writing "(unblind (sign (blind X))) = (sign x)" on the board one hundred times.
You don't need to take our word for it--you need to see why modern cryptography avoids trust issues almost completely. I suggest that you dig up Chaum's "Communications of the ACM" paper from 1985: "Transaction Systems to Make Big Brother Obsolete." I read it when it came out, and it triggered many ideas. It's online, or was as of a few years ago. Also, look at his paper on "Dining Cryptographers" to see how information-theoretically secure messages can be sent.

Forget worrying about the details of various ciphers in Schneier's book, at least until you have grasped the essence of not relying on trust or "I promise not to look" b.s. schemes. BTW, a more abstract book is Oded Goldreich's "Foundations of Cryptography--Basic Tools," 2001. A little disorganized in places, but lots of core concepts.

When you have fully grokked the way messages can be sent without any practical way of tracing their origin, as in the dining cryptographers example, your eyes will be opened. And zero-knowledge interactive proof systems (ZKIPS) will blow your mind. Never again will you argue in terms of "trust me" and "so long as they don't subpoena me" and "I promise not to look." (My simple explanation of ZKIPS in terms of demonstrating a Hamiltonian cycle for a graph is in the archives, from around 1992-3.)

--Tim May
"Al Qaida was never the real threat...Afghanistan is." "Afghanistan was never the real threat...Iraq is." "Iraq was never the real threat...Syria is." "Syria was never the real threat...stay tuned."
Tim May wrote:
You don't need to take our word for it--you need to see why modern cryptography avoids trust issues almost completely.
Like mathematicians saying "Trust us, no algorithm exists which can factor the 309-digit product of two large distinct odd primes in a few seconds on a cheap PC"?

Perhaps I'm missing something, but it seems to me that public key cryptography is fundamentally a trust-based system. With the rise of the Internet, and almost all crypto being done by people who do not physically meet to exchange keys, almost all crypto is public key crypto. Therefore, almost all cryptography (at the present moment) is based on trust. And it's trust based on the "It doesn't exist, because if it did, I'm so smart I would have found it by now" paradigm, which I've never regarded as being particularly reliable. (Insert comments about simple algorithms whose direct derivation lies just slightly beyond the limits of human ingenuity here.)

With regard to the utility of digital cash: digital cash will never be useful for funding retaliation against The State unless its use is so widespread that the problematic transactions are drowned out by noise. Since sheeple will always pick convenience over security, and The State, through regulation, controls what will be convenient, digital cash will never achieve widespread use. The wild success of PayPal, even as it embargoes some customers' cash for 6 months over their political views, and the long list of failed anonymous payment ventures, should drive this point home to even the most dense.

-- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law"
Since sheeple will always pick convenience over security, and The State, through regulation, controls what will be convenient, digital cash will never achieve widespread use.
Obstacles don't make something impossible. I refer you to http://inventors.about.com/library/inventors/bledison.htm :

"Edison actually had to invent a total of seven system elements that were critical to the practical application of electric lights as an alternative to the gas lights that were prevalent in that day. These were the development of: the parallel circuit, a durable light bulb, an improved dynamo, the underground conductor network, the devices for maintaining constant voltage, safety fuses and insulating materials, and light sockets with on-off switches."

There are many compelling, legitimate, and legal uses for anonymous digital bearer instruments. Their utility far outweighs any negative side effects. If a State disagrees, there are 200 more to choose from.

Patrick M http://lucrative.thirdhost.com/
On Saturday, April 26, 2003, at 11:41 AM, Eric Cordian wrote:
Tim May wrote:
You don't need to take our word for it--you need to see why modern cryptography avoids trust issues almost completely.
Like mathematicians saying "Trust Us, no algorithm exists which can factor the 309 digit product of two large distinct odd primes in a few seconds on a cheap PC?"
Perhaps I'm missing something, but it seems to me that public key cryptography is fundamentally a trust-based system. With the rise of the Internet, and almost all crypto being done by people who do not physically meet to exchange keys, almost all crypto is public key crypto.
Therefore, almost all cryptography (at the present moment) is based on trust.
And it's trust based on the "It doesn't exist, because if it did, I'm so smart I would have found it by now" paradigm, which I've never regarded as being particularly reliable. (Insert comments about simple algorithms whose direct derivation lies just slightly beyond the limits of human ingenuity here.)
I'm surprised at you for thinking trust is some number that is either 0 or 1. All crypto is economics, and so is all trust. Consider two situations:

Situation 1: "I have generated a key for you and will send it securely. You can trust me not to look at it and not to reveal it to anyone else....Well, not unless Saddam's men force me to, or not until John Ashcroft threatens to hold me as an illegal combatant if I don't cooperate. Or not until someone offers me $500 cash, no questions asked, for just a peek. Or not until I realize that this key is being used to further right wing Nazi causes. Or..."

Situation 2: "Determining your private key requires an attacker to either monitor your keystrokes and bug your computer, so you'd better secure it, or it requires factoring a 309 decimal digit number associated with and derivable from your public key. So far, the best algorithms have only factored a 137-digit number [for example] and no mathematicians have yet found cleverer ways. Great fame would await anyone who found a significantly faster method, even a Fields Medal, and yet no one has yet revealed one."

Now I maintain there is a huge difference in the valuations placed on the "trust" in these two cases. If you wish to believe that Joe Sixpack saying he promises to keep your private key secret is on the same footing as the apparent difficulty of factoring very large numbers (and if 309 digits is deemed too small, only a tiny increase in key generation effort and later use to go to 500 decimal digits or even 1000) then you are of course welcome to your delusion.

All crypto is economics. All trust is economics.

--Tim May
"In the beginning of a change the patriot is a scarce man, and brave, and hated and scorned. When his cause succeeds, the timid join him, for then it costs nothing to be a patriot." -- Mark Twain
Tim writes:
I'm surprised at you for thinking trust is some number that is either 0 or 1.
The same could be said about "good" and "evil", yet in ordinary conversation, one doesn't use the words to refer to their zero values. Unqualified "trust" is somewhere between "more likely than not" and "absolutely certain."
All crypto is economics, and so is all trust.
To a Jewish friend of mine, everything is marketing. I suppose it depends on one's perspective. :)
Consider two situations:
Situation 1: "I have generated a key for you and will send it securely. You can trust me not to look at it and not to reveal it to anyone else....Well, not unless Saddam's men force me to, or not until John Ashcroft threatens to hold me as an illegal combatant if I don't cooperate. Or not until someone offers me $500 cash, no questions asked, for just a peek. Or not until I realize that this key is being used to further right wing Nazi causes. Or..."
Sounds like a good description of the difference between confidentiality and anonymity. I prefer the latter.
Situation 2: "Determining your private key requires an attacker to either monitor your keystrokes and bug your computer, so you'd better secure it, or it requires factoring a 309 decimal digit number associated and derivable from your public key.
This is the difference between wishful thinking and anonymity.
So far, the best algorithms have only factored a 137-digit number [for example] and no mathematicians have yet found cleverer ways. Great fame would await anyone who found a significantly faster method, even a Fields Medal, and yet no one has yet revealed one."
How silly. Factoring is like the Poincare Conjecture. Solving it doesn't let us do anything new and exciting, and nothing else we care about has a reduction into it. Fast factoring will be greeted by "oh, yes, of course", and the sound of mass yawning and moving on. In 10 years, "factor" will be a commodity microprocessor opcode. Is anyone even working on factoring any more? How long has it been since the last RSA Challenge number was factored? Seems like aeons.
Now I maintain there is a huge difference in the valuations placed on the "trust" in these two cases.
There is a huge difference in the valuation *YOU* place on the "trust" in these two cases. Valuation is hardly an absolutely quantifiable notion, completely independent of who is doing the valuating. I choose to avoid both situation 1 and situation 2 above. You avoid situation 1, and think you are safe in situation 2. You very well could be, but then again...
If you wish to believe that Joe Sixpack saying he promises to keep your private key secret is on the same footing as the apparent difficulty of factoring very large numbers (and if 309 digits is deemed too small, only a tiny increase in key generation effort and later use to go to 500 decimal digits or even 1000) then you are of course welcome to your delusion.
Yes, I believe Joe Sixpack saying that he promises to keep my key safe to be on the same footing as Joe Sixdiploma saying that because he can't figure out how to factor 309 digit numbers quickly, it must not be possible. Vanity, Vanity, All is Vanity.
All crypto is economics. All trust is economics.
All RSA is faith-based crypto. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division "Do What Thou Wilt Shall Be The Whole Of The Law"
On Saturday 26 April 2003 10:54 pm, Eric Cordian wrote:
Yes, I believe Joe Sixpack saying that he promises to keep my key safe to be on the same footing as Joe Sixdiploma saying that because he can't figure out how to factor 309 digit numbers quickly, it must not be possible.
There are a lot more Joe Sixdiplomas that have tried figuring out how to factor 309 digit numbers and failed than Joe Sixpacks that have successfully kept their promise to keep a secret.
All RSA is faith-based crypto.
Like I said, I have more faith in the math than in human nature. -- Neil Johnson http://www.njohnsn.com PGP key available on request.
On Saturday 26 April 2003 10:54 pm, Eric Cordian wrote:
To a Jewish friend of mine, everything is marketing.
I suppose it depends on ones perspective. :)
In a way, marketing is about convincing customers to trust (the value of) your product or service enough to exchange something they have of value for it. So we are back to economics. -- Neil Johnson http://www.njohnsn.com PGP key available on request.
On Sun, 27 Apr 2003, Neil Johnson wrote:
In a way, marketing is about convincing customers to trust (the value of) your product or service enough to exchange something they have of value for it.
Only partially so; it also involves convincing them they -need- it. If they already believe they need it, little effort with regard to trust is needed; they'll stand there with money and exchange 1-to-1 for it.
So we are back to economics.
No, human psychology. -- ____________________________________________________________________ We are all interested in the future for that is where you and I are going to spend the rest of our lives. Criswell, "Plan 9 from Outer Space" ravage@ssz.com jchoate@open-forge.org www.ssz.com www.open-forge.org --------------------------------------------------------------------
On Sat, 26 Apr 2003, Eric Cordian wrote:
How silly. Factoring is like the Poincare Conjecture. Solving it doesn't let us do anything new and exciting, and nothing else we care about has a reduction into it.
Fast factoring will be greeted by "oh, yes, of course", and the sound of mass yawning and moving on.
Fast factoring will be greeted (if it wasn't already) by a loud and top-secret cheer from all the No-Such-Agencies. We the People will be told much later. That Joe Sixpack will yawn and move on will only signify his lack of understanding of the problem.
In 10 years, "factor" will be a commodity microprocessor opcode.
Why? Solving it doesn't let us do anything new and exciting, and nothing else we care about has a reduction into it. And every opcode occupies some chip space, and chip space is (at least for now) too expensive for unimportant functions.
Is anyone even working on factoring any more? How long has it been since the last RSA Challenge number was factored? Seems like aeons.
That there is no published activity doesn't mean there is no activity.
Yes, I believe Joe Sixpack saying that he promises to keep my key safe to be on the same footing as Joe Sixdiploma saying that because he can't figure out how to factor 309 digit numbers quickly, it must not be possible.
So far it doesn't seem to be possible. If it is, then the method has such high strategic value that it is not used for less important operations, in order not to disclose its existence by indirect clues[1]. But for operations with such high stakes you should use one-time pads on one of the layers anyway.
All RSA is faith-based crypto.
What alternative do you suggest?

[1] If decrypted plaintexts start popping up from nowhere, being used in all kinds of prosecutions, it's strong evidence the encryption algorithm was compromised. However, the current trend with secret courts and secret evidence can make it less evident.
On Sat, 26 Apr 2003, Tim May wrote:
mathematicians have yet found cleverer ways. Great fame would await anyone who found a significantly faster method, even a Fields Medal, and yet no one has yet revealed one."
Great fame would also await anyone who proved that a significantly faster method _does not_ exist. Not only is this conceivable, but it would move this second scenario much further along your scale of trust towards "1". I find that a lot of people (not necessarily anyone here) often forget that this possibility still exists as a possible conclusion in public key cryptography.

----- John Kozubik - john@kozubik.com - http://www.kozubik.com
On Mon, 28 Apr 2003, John Kozubik wrote:
Great fame would also await anyone who proved that a significantly faster method _does not_ exist. Not only is this conceivable, but it would move this second scenario much further along your scale of trust towards "1".
I find that a lot of people (not necessarily anyone here) often forget that this possibility still exists as a possible conclusion in public key cryptography.
I don't see how. There's an awful lot of math that hasn't been discovered yet. So you can't prove a negative simply because you don't know all the possible methods (and never will!). Patience, persistence, truth, Dr. Mike
hi, --- John Kozubik <john@kozubik.com> wrote:
On Sat, 26 Apr 2003, Tim May wrote:
Great fame would also await anyone who proved that a significantly faster method _does not_ exist. Not only is this conceivable, but it would move this second scenario much further along your scale of trust towards "1".
Proofs are built on existing knowledge of a system. However, the knowledge of a system is incomplete. That always leaves scope for disproofs and the emergence of new proofs.
I find that a lot of people (not necessarily anyone here) often forget that this possibility still exists as a possible conclusion in public key cryptography.
Let's wait and see if anyone can prove whether P=NP. Somebody here suggested that it would be interesting if the above problem is undecidable. Regards, Sarath.
----- John kozubik - john@kozubik.com - http://www.kozubik.com
On Sat, 26 Apr 2003, Tim May wrote:
All crypto is economics, and so is all trust.
So, all crypto is trust. Or is that all trust is crypto. Either way it's CACL noise. -- ____________________________________________________________________ We are all interested in the future for that is where you and I are going to spend the rest of our lives. Criswell, "Plan 9 from Outer Space" ravage@ssz.com jchoate@open-forge.org www.ssz.com www.open-forge.org --------------------------------------------------------------------
On Sat, Apr 26, 2003 at 11:41:02AM -0700, Eric Cordian wrote:
cryptography is fundamentally a trust-based system. With the rise of the Internet, and almost all crypto being done by people who do not physically meet to exchange keys, almost all crypto is public key crypto.
Therefore, almost all cryptography (at the present moment) is based on trust.
Right. But there's still a difference between:

* I trust that my computer has not been black-bagged (because I've checked, or have steps to prevent that, or it would require more effort from my adversary than I'm worth)
* I trust that the current state of the art in terms of factoring in the public literature is within several orders of magnitude of what's in the classified literature.

And:

* I trust PayPal or Microsoft Hotmail to guard my privacy at all costs when faced with an urgent, secret request from John Ashcroft.

-Declan