Symmetric Ciphers Really DO Have Crummy Scaling Properties!

Wed Feb 23 23:46:46 PST 1994

> tcmay:
> # The problem with symmetrical ciphers is one of *scaling*.
> # 
> # Since a key must be exchanged with each other person, the total number
> # of keys growns rapidly as the community of participants increases. At
> 
> Russell Brand has observed that many people only send PGP mail to
> people with whom they have personally exchanged keys -- that even the
> "web of trust" idea is not used as much as the "personal key exchange" idea.
I think Strick is missing the incredible implications of public keys:

1. Most people who send me PGP-encrypted messages get my public key
off the key servers, not from me. I generated this key once, for a
Cypherpunks keyring hoopla circa November 1992, and that was that.
Very painless. Just like the "phone directory" of public keys the
pioneers of public key promised.

2. With symmetric ciphers, each person has to keep track of the keys
used with _each_ communicant. Instead of, say, 100 people having a
total of 100 public keys and 100 private keys, for a total of 200
keys, each person would have to keep track of *99 keys*, for a total of
9,900 keys! In my book, 200 keys total beats 9,900 keys any day. And the
difference grows rapidly with the number of likely communicants. (That
one does not communicate with all of them is beside the point: one
wants the _potential_ to communicate securely and hence one will need
to arrange keys in advance. In reality, of course, you won't have
arranged these keys or one-time pads or whatever in advance, and so
secure communication will be impossible....this was the situation
until recently for all but the military and the like.)

More to the point, I have only one public-private key pair, and that's
all I want to have keep track of. Storing 20 or 50 or 200 keys
securely and being able to retrieve them securely and reliably is not
a welcome alternative.

3. And don't forget security issues during key exchange! With
conventional, symmetric ciphers, the keys must be exchanged by a
secure channel. Anyone who sees or hears the key can read all
traffic. Public key exchanges are less susceptable to eavesdropping
breaches in security. (Technically, with p-k key exchanges, the key
exchange channel still needs to be secure, but with some practical
differences: at not point is the private key of either party shown or
produced. There are some spoofing attacks--cf. Schneier--but these are
easy to deal with and don't offer the same dangers of the keys being
intercepted.)

To make this point more succinct: In the pre-p-k days, trusted
couriers carried the key material. And carried it to the many pairwise
sites needed (see Point #1). With public key methods, this was ended.

Diffie-Hellman even allows key exchange to take place between parites
who've never met. A revolution.

> I have thought seriously about a revival of symmetric key exchange,
> with the look and feel of a PGP key signing session, but without
> the transitive effect and without the legal hassles.   
> 
> 					<strick>

Well, good luck then. But I don't plan to participate. I have no
desire to carry around a floppy containing the symmetric keys of 100
or more Cypherpunks and others--not when I can look up their public
key in a keyserver, finger them for it, or just ask for it to be sent
to me over normal channels.

--Tim May

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay at netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."