Erik is right: there must be very strong motivation to consider using a cryptographic mechanism/protocol which is not `standard` (de-facto standards are Ok). When this motivation is supposedly improved security, the new (supposedly more secure) primitive should preferably be composed with a supposedly-weaker but standard mechanism, in a `cryptanalysis-tolerant` manner, i.e. an attack should apply to _both_ mechanisms. But of course other motivations (e.g. performance) may rule out this approach.

The basic security argument underlying computational cryptography is always the fact that it withstood cryptanalysis. Even when we provide `provable security`, what the proofs really show is only that the mechanism/protocol is as secure as some other assumption. The only exception is unconditional secure systems such as one-time pad, but these are usually not practical (e.g. due to key length requirements); in particular public key systems are always `only` computationally secure.

This is not really a problem and certainly not a motivation to design new systems, without a proof of security...

Best, Amir Herzberg

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to