Jerrold Leichter wrote:
"N-version programming" - which is what you are proposing here - can increase
your level of trust against random errors[2], but it's of no use at all against
a deliberate attack.

I heartily disagree. If the N-outputs are continuously verified for coherence, any difference readily stands out. The number N and the cost of always using those N-outputs should, of course, be outweighed against the cost of failure to detect an attack. Theoretically, however, there is always a finite number N that can make the probability of such an attack _as small as you please_.

The mathematical basis for this result was proven by Shannon more than 50 years ago; the practical intuition for this result was demonstrated during the Mogul period in India (more than 500 years ago), who are known to have used at least three parallel reporting channels to survey their provinces with some degree of reliability, notwithstanding the additional efforts to do so.

(Recall the conversation here a couple of months ago
about how difficult - to the point of impossibility - it would be to use
external testing to determine if a crypto-chip had been "spiked".)

Aren't we talking about different things? A covert channel, looking at the crypto-chip by itself, is demonstrably impossible to detect with certainty. However, what I was talking about is NOT this situation. You are looking at *one* crypto-chip, a single source of information, a single trusted source, when you have no correction channel available. I am looking at N outputs, N sources of information (each one as independent as possible but not necessarily 100% independent). You have no reference for detecting a "spike", I have N-1.

Cheers,
Ed Gerck
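The N-output coherence check argued for above, as an added example that is not part of the thread: a strict-majority voter over N independently produced outputs (here, N simulated "chips" hashing the same input, one of them constructed to be spiked), plus the binomial probability that a majority of channels are compromised, assuming each channel is compromised independently with probability p.

```python
import hashlib
from collections import Counter
from math import comb


def coherence_check(outputs):
    """Compare N outputs produced for the same input.

    Returns (agreed_value, dissenting_indices). The agreed value must hold a
    strict majority (more than half of the channels); otherwise it is None
    and every channel is reported as suspect.
    """
    value, votes = Counter(outputs).most_common(1)[0]
    if votes * 2 <= len(outputs):
        return None, list(range(len(outputs)))
    return value, [i for i, out in enumerate(outputs) if out != value]


def p_undetected(n, p):
    """Probability that a majority of n channels are compromised, each
    independently with probability p, so the spiked answer wins the vote
    and the coherence check raises no alarm.  (Assumed model.)"""
    k_min = n // 2 + 1
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(k_min, n + 1))


def run_channels(data, n, spiked=None):
    """Constructed stand-in for N independent implementations: every channel
    returns SHA-256 of the input, except the spiked one, which returns a
    digest with its last byte flipped."""
    good = hashlib.sha256(data).digest()
    bad = good[:-1] + bytes([good[-1] ^ 0x01])
    return [bad if i == spiked else good for i in range(n)]


def demo():
    """Three channels, channel 2 spiked: the dissenter is flagged."""
    outputs = run_channels(b"message to sign", n=3, spiked=2)
    agreed, dissent = coherence_check(outputs)
    return agreed == hashlib.sha256(b"message to sign").digest(), dissent


if __name__ == "__main__":
    print(demo())  # (True, [2])
    for n in (1, 3, 5, 7):
        print(n, round(p_undetected(n, 0.1), 6))
```

With one reference (N=1) the check can never fire; with N-1 references the probability of an undetected majority falls with N, which is the sense in which it can be made as small as you please for a fixed per-channel compromise probability below one half.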

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]