Way back on 05/20/2004 Ivan Krstic wrote:
Michael O. Rabin....  lectures on hyper-encryption and provably
everlasting secrets.
...
View here: http://athome.harvard.edu/dh/hvs.html

To my surprise, there has been no follow-up discussion on this list.

  (Hint:  Most people on this list will want to skip
  the first four parts of the presentation, which are
  just an introduction to cryptography, and start with
  the part entitled "hyper-encryption and semantic
  security".)

We should not let Rabin's assertions go unchallenged.
Here is a brief review:

In this presentation, there are some remarkable claims,
including claims of a method that produces "provably"
everlasting secrets.  Alas no such proof is provided;
the alleged proof is full of holes.

By way of example, a particularly glaring hole surrounds
the notion that a PSN ("page server node") should serve
a given page only twice.  That causes all sorts of
difficulties to the legitimate system users (see the
discussion of "page reconciliation") but poses no
particular burden on the attackers, who can passively
copy one of those two issuances.

As another example, the "proof" of correctness uses
randomness in invalid ways.  It asserts that the
system users will randomly select a subset of the
available pages of random numbers (which is OK as
far as it goes) but alas it further assumes that the
attackers will only be able to select pages by an
_independent_ random process.  Perhaps this comes
from an assumption that attacks will be directed
against the servers.  However, attacks can perfectly
well be directed against the system users' PCs.  The
attacker therefore only needs communication bandwidth
and storage capabilities comparable to the system
users who are under attack (!!not!! all users total).

As far as I can tell, the whole topic of "hyper-encryption"
would be more usefully discussed under the heading of
_privacy amplification_.  I get 2000 hits from
  http://www.google.com/search?q=privacy-amplification

It remains to be seen whether these authors will make
any useful contributions in this area.  To do so, they
will need to come out with some more modest claims
and/or some stronger proofs.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
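To make the point about independent versus correlated page selection concrete, here is a toy simulation added to this page (not code from Rabin's lectures or from the post). It assumes a simplified bounded-storage scheme in which a user XORs a random subset of the PSN's pages into a key; page count, page size and the XOR derivation are constructed assumptions, not the real protocol.

```python
import random
from math import comb

PAGE_LEN = 16   # bytes per page (constructed toy size; real pages are far larger)

def make_pages(n_pages, rng):
    """The PSN's stock of random pages (constructed with a seeded RNG)."""
    return [bytes(rng.getrandbits(8) for _ in range(PAGE_LEN)) for _ in range(n_pages)]

def xor_pages(pages):
    """XOR a list of equal-length pages together."""
    key = bytes(PAGE_LEN)
    for p in pages:
        key = bytes(a ^ b for a, b in zip(key, p))
    return key

def user_session(pages, k, rng):
    """User picks k page indices uniformly at random and XORs them into a key."""
    idx = sorted(rng.sample(range(len(pages)), k))
    return idx, xor_pages([pages[i] for i in idx])

def independent_adversary(pages, m, rng):
    """The proof's model: adversary stores m pages chosen independently of the user."""
    idx = rng.sample(range(len(pages)), m)
    return {i: pages[i] for i in idx}

def endpoint_observer(pages, user_idx):
    """The post's objection: an observer at the user's PC stores only the k pages
    the user actually fetched, so its storage equals the user's, not the PSN's."""
    return {i: pages[i] for i in user_idx}

def recover_key(stored, user_idx):
    """The key is recoverable only if every page the user used was stored."""
    if all(i in stored for i in user_idx):
        return xor_pages([stored[i] for i in user_idx])
    return None

def p_independent_success(n, m, k):
    """Exact probability that an independent m-page store covers all k user pages."""
    return comb(m, k) / comb(n, k) if m >= k else 0.0
```

With 1000 pages, 8 used by the user and 100 stored independently, `p_independent_success` is below one in ten million, while `endpoint_observer` recovers the key every time with storage of just 8 pages.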
