[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Provably "Secure" Crypto


At 7:03 AM 11/25/1996, Adam Back wrote:
>deGriz (sic) wrote:
>> At 4:18 AM 11/26/1996, Peter M Allan wrote:
>> >That is a bound on a _reliable_ algorithm.  A faster one is to shuffle
>> >the elements and present it as sorted.  Lightning fast, but only with
>> >low probability of correctness.  That is what we are up against in a key
>> >search attack.  The other guy just might guess my 100 bit key first time,
>> >millionth time or whatever - early enough anyway.
>> 
>> >So to get a lower bound you have to show that a lucky guess cannot be
>> >distinguished from an unlucky one - and if you do that without a one
>> >time pad I take my hat off.
>> 
>> If the chance of a successful guess is absurdly low, the algorithm can
>> be considered to be secure.  It is quite unlikely that you will guess
>> a random 128-bit key.  
>
>Agreed.  However you _can_ instantly verify once you have guessed.
>This makes the algorithm cryptographically secure, but _not_ perfectly
>secure as is the case with a OTP with a truly random pad.
>
>I think we agree, it is just a distinction in definitions of terms.

We are in agreement.  I would add, for the benefit of others, that it
is a good idea to keep in mind that the focus of our work is to build
physical systems which are secure.  For instance, we determine the
primality of numbers using probabilistic methods.  This is not
"perfect" in the sense that a OTP is, but it is certainly good enough
to bet somebody else's life on it.  ;-)

OTPs, for that matter, are engineering problems, too.  It is difficult
to find a random number generator in which we have complete
confidence.  If we buy a board from somebody, how do we know there
isn't a back door?  How do we know they did a good job?  Many
commercially available hardware random number generators are of
shockingly poor quality.  Caveat emptor.

diGriz