The Key Vanishes: Scientist Outlines Unbreakable Code

Ray Dillinger bear at sonic.net
Tue Feb 20 14:31:05 PST 2001

On Tue, 20 Feb 2001, Tom wrote:

>essentially, a one-time-pad with a central source of randomness, the key
>being the point in the random-number-stream that you start with.

Not quite.  The point which you start with in the random number 
stream is one of the keys, but the system he describes also includes 
another, which is used to encrypt the random number stream prior 
to the OTP's XOR operation. 

The rest of your post, I agree with. 

First, your orbital 
random number server can only be put there by someone with 
enough bucks to launch a rocket -- whom you have to trust 
implicitly. None of the twenty or thirty people whom I 
trust implicitly has that much money.  Heck, I don't even 
think I personally *know* anyone who has that much money.

What if it was just a few dozen Blum-Blum-Shub generators 
up there spewing all those bits?  We'd never see the 
difference, but a data thief who was "in the know" about 
how they were keyed could recreate any sequence at any time.  

The basic problem is the problem you always get with systems 
that have a "trusted server" sitting in the middle -- can you 
really trust that server?  Can you inspect it, and inspect 
the code it's running, personally?  Can you verify that the 
thing you were allowed to inspect is the same as the thing 
that you're trusting?

I don't see any government, or for that matter any criminal 
organization, with a significant investment in SigInt allowing 
such a launch to go up untampered if they could possibly 
prevent it. 

And we already have systems with barriers of ridiculous levels 
of computer hardware - proofs of the security of a cipher which 
rest on the assumption that the opponent has storage capacity 
limited to less than some finite value are no more nor less 
valid than proofs of the security of a cipher which rest on 
the assumption that the opponent has CPU capacity limited to 
less than some finite value.  The only value of this system, 
assuming you get random numbers you can trust, is that the 
opponent has to have the large storage capacity NOW - when we 
know how hard it would be to have it - rather than at some 
vague point in the future, where Moore's law has had time to 
work its wonders. 

Finally, this system doesn't protect storage.  It protects 
communications, and communications only.  Think about it.  If 
you protect storage, you have to have the bits from the OTP 
around somewhere to decrypt it.  If you have the bits from the 
OTP around somewhere, you no longer have an unbreakable cipher.

				Bear
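The following simulation is an added example, not code from Bear's post or from the system under discussion. It models the scheme as the post describes it: a broadcast stream of random bits, a first key that is the offset into that stream, and a second key used to encrypt the selected segment before the XOR. Three further choices are assumptions of this example rather than anything the post specifies: the broadcast is simulated with a seeded SHA-256 counter generator (standing in for the "generators up there" worry), the segment encryption is an HMAC-SHA256 counter keystream, and the stream length, offset, seed and message are constructed values. The scenario function returns observations that show the two points the post makes: a party who knows how the generator was keyed can regenerate the stream without ever storing it, and decrypting stored data later requires keeping the OTP segment around.

```python
import hashlib
import hmac
import os

# Constructed size of the simulated broadcast (assumption of this example).
STREAM_LEN = 4096


def broadcast_stream(seed: bytes, length: int) -> bytes:
    """Stand-in for the orbital random-number source.

    A genuinely random source would be os.urandom(length). This seeded
    SHA-256 counter generator plays the role the post worries about: a
    deterministic generator whose output anyone holding the seed can
    reproduce at any later time, so recording the broadcast is unnecessary.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def keystream(stream: bytes, offset: int, stream_key: bytes, length: int) -> bytes:
    """Derive the OTP bits for one message from the two keys the post describes.

    Key 1 is `offset`, the point in the broadcast where the segment starts.
    Key 2 is `stream_key`, used to encrypt that segment before the XOR.
    The segment encryption is an HMAC-SHA256 counter keystream, an
    assumption of this example; the post names no particular cipher.
    """
    segment = stream[offset:offset + length]
    if len(segment) != length:
        raise ValueError("broadcast segment shorter than the message")
    mask = bytearray()
    block = 0
    while len(mask) < length:
        mask += hmac.new(stream_key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(s ^ m for s, m in zip(segment, mask))


def xor_with_keystream(stream: bytes, offset: int, stream_key: bytes, data: bytes) -> bytes:
    """XOR `data` with the derived keystream; used for both directions."""
    ks = keystream(stream, offset, stream_key, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


encrypt = xor_with_keystream
decrypt = xor_with_keystream


def run_scenario() -> dict:
    """Play out sender, receiver, eavesdropper and insider; return observations."""
    seed = b"constructed-seed-known-only-to-whoever-built-the-generator"
    stream = broadcast_stream(seed, STREAM_LEN)

    # Sender and receiver share both keys out of band (constructed values).
    offset = 1234
    stream_key = os.urandom(32)
    message = b"constructed plaintext for the simulation"
    ciphertext = encrypt(stream, offset, stream_key, message)

    # Receiver recorded the same broadcast and holds both keys.
    recovered = decrypt(stream, offset, stream_key, ciphertext)

    # Eavesdropper stored the whole broadcast but lacks the second key.
    without_key = decrypt(stream, offset, os.urandom(32), ciphertext)

    # Insider who knows how the generator was keyed never had to store
    # anything: the seed regenerates the identical stream on demand.
    regenerated = broadcast_stream(seed, STREAM_LEN)

    # Protecting *storage*: to decrypt later, the receiver must keep the OTP
    # segment itself, at which point those bits are a key sitting on disk.
    retained_segment = stream[offset:offset + len(message)]
    from_retained = decrypt(retained_segment, 0, stream_key, ciphertext)

    return {
        "round_trip_ok": recovered == message,
        "wrong_key_fails": without_key != message,
        "insider_regenerates_stream": regenerated == stream,
        "decrypt_from_retained_segment_ok": from_retained == message,
        "otp_bytes_that_must_be_kept": len(retained_segment),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The security of the scheme as modeled rests on the eavesdropper being unable to store the broadcast and unable to regenerate it; the `insider_regenerates_stream` observation is the case where the second assumption fails, which is the trust-in-the-server problem the post raises.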