At 8:38 AM -0700 5/22/01, David Honig wrote:
>At 08:00 PM 5/21/01 -0500, Aimee Farr wrote:
> >http://papers.ssrn.com/sol3/papers.cfm?abstract_id=266153
>
>Summary: toss your key and let them brute force your diary in the future.
>
>Problem: a brute force attack searches on *average* half the key space.
>But you might be unlucky and eager 'historians' might find your key sooner.
>
>Solution: repeat the process N times sequentially. Even if one key is
>found 'early', it's unlikely that all will.
The paper is naive, and the reliance on "eventual brute-forcing" is
its undoing.
If, for example, Hilary Clinton counts on brute-forcing costing her
$1000 in CPU time in 2015 to undo her encryption, this clearly means
someone willing to spend, say, $20,000 to do it a couple of years
earlier (even if the current slope of Moore's Law doesn't change).
And a dedicated adversary could crack the system perhaps a decade or
more earlier.
Relying on estimates of future computer power and cost is too
"twitchy" (sensitive to slight variations).
A better scheme was proposed by some of us almost a decade ago:
beacons. Also called "timed-release crypto." (See archives, or
Cyphernomicon.)
These are agents or systems or even lawyers which release parts of a
key at contractually-arranged (or pre-paid with cash, untraceably if
need be, through lawyers or digital cash or Magic Money, etc.) times.
"It is September 1, 2015. A key or part of a key is attached to this
message. This is in accordance with a payment made in 2001. Have a nice
day."
The use of lawyers works with everyday, standard technology. Not even
any special computer tools. Just a message entitled "Open this
envelope on September 1, 2015 and do the following with it." A
timed-release crypto approach would rely on various account holders
doing essentially the same thing, contractually bound. Collusion
prospects are reduced in the obvious ways (e.g., only Hilary Clinton
knows which set of lawyers she used, or which set of agent sites, or
the dispersal was done in the n-out-of-m way, with even Hilary not
knowing the sites). Akin to remailer networks.
The beacons can hold parts of a key, via an n-out-of-m protocol.
(E.g., where any 6 of the 12 pieces are sufficient to reconstruct the
full key.) Mojo uses these kinds of protocols.
What protects against early release is that the partial key holders
don't necessarily know who their original customers were (hence the
point about payment in digital cash or through lawyers) and thus
cannot conspire to reconstruct the key.
As we described the protocol back then, a public forum, a la a
newsgroup or BlackNet, could be the designated place to publish the
partial keys. The customer for the operation, in this case Hilary
Clinton, would perhaps hold one or more of the pieces herself
(further protection against collusion) and would know what to look
for, and when.
Beacons are very robust, relying only on the self-interest of
disparate parties to hold up their end of a contract to publish or
mail a number that is worthless to them.
--Tim May
--
Timothy C. May [EMAIL PROTECTED] Corralitos, California
Political: Co-founder Cypherpunks/crypto anarchy/Cyphernomicon
Technical: physics/soft errors/Smalltalk/Squeak/agents/games/Go
Personal: b.1951/UCSB/Intel '74-'86/retired/investor/motorcycles/guns
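As an added illustration of the n-out-of-m key splitting the post describes ("any 6 of the 12 pieces are sufficient to reconstruct the full key"), here is Shamir's threshold secret sharing over a prime field. This is example code written for this page; it is not from the original thread, from Mojo, or from the Cyphernomicon, and the post does not say which n-out-of-m scheme was meant, so Shamir's construction is an assumption. The 6-of-12 split, the sample key, and the "beacon" numbering are constructed values.

```python
"""Shamir n-out-of-m secret sharing (added example; not from the original post).

The key is the constant term of a random polynomial of degree threshold-1.
Each beacon receives one point on the curve.  Any `threshold` points fix the
polynomial (and hence the key); fewer points are consistent with every
possible key, which is what stops a partial set of holders from colluding.
"""
import secrets

# Field modulus; 2**127 - 1 is prime and larger than any 126-bit key we share.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, prime):
    """Horner evaluation of a polynomial (constant term first) at x, mod prime."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % prime
    return result


def split_secret(secret, threshold, num_shares, prime=PRIME, rng=secrets.randbelow):
    """Return num_shares (x, y) points; any `threshold` of them recover `secret`.

    `rng(prime)` supplies the random non-constant coefficients; it is a
    parameter only so tests can pin the polynomial down deterministically.
    """
    if not 0 <= secret < prime:
        raise ValueError("secret must lie in [0, prime)")
    if not 1 <= threshold <= num_shares < prime:
        raise ValueError("need 1 <= threshold <= num_shares < prime")
    coeffs = [secret] + [rng(prime) for _ in range(threshold - 1)]
    # x = 0 is never handed out: that point *is* the secret.
    return [(x, _eval_poly(coeffs, x, prime)) for x in range(1, num_shares + 1)]


def recover_secret(shares, prime=PRIME):
    """Lagrange-interpolate the given points at x = 0 to recover the constant term."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % prime        # product of (0 - xj)
                den = (den * (xi - xj)) % prime     # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, prime)) % prime
    return secret


def demo(threshold=6, num_shares=12):
    """Constructed scenario: a diary key split across 12 beacons, 6 needed.

    Returns (enough_shares_recover, too_few_shares_recover).  The second value
    is False except with probability about 1/PRIME, i.e. never in practice.
    """
    key = secrets.randbelow(PRIME)                      # constructed stand-in for the diary key
    shares = split_secret(key, threshold, num_shares)   # one point per beacon
    published = [shares[i] for i in (0, 2, 5, 7, 9, 11)]   # any 6 beacons, in any order
    enough = recover_secret(published) == key
    too_few = recover_secret(shares[:threshold - 1]) == key  # 5 points fit some other curve
    return enough, too_few


if __name__ == "__main__":
    print(demo())
```

The customer keeping one or more pieces herself, as the post suggests, is simply holding back some of the `shares` list; the other holders still cannot cross the threshold without her, and a public forum can carry the published points since each one alone is worthless.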