On 7/09/13 03:58 AM, Jon Callas wrote:

Could an encryption algorithm be explicitly designed to have properties like this? I don't know of any, but it seems possible. I've long suspected that NSA might want this kind of property for some of its own systems: In some cases, it completely controls key generation and distribution, so can make sure the system as fielded only uses "good" keys. If the algorithm leaks without the key generation tricks leaking, it's not just useless to whoever grabs onto it - it's positively hazardous. The gun that always blows up when the bad guy tries to shoot it....

We know as a mathematical theorem that a block cipher with a back door *is* a public-key system. It is a very, very, very valuable thing, and suggests other mathematical secrets about hitherto unknown ways to make fast, secure public key systems.

I'm not as yet seeing that a block cipher with a backdoor is a public key system, but I really like the mental picture this is trying to create.

In order to encrypt to that system, one needs the (either) key. If everyone has it (either) the system is ruined.

A public key system is an artifice where one can distribute the public key, and not have to worry about the system being ruined; it's still perfectly usable. Whereas with a symmetric system with two keys, either key being distributed ruins the system.

One could argue that the adversary would prefer the cleaner, more complete semantics of the public key system -- maybe that is what the theorem assumes? But if I was the NSA I'd be happy with the compromise. I'm good at keeping *my key secret* at least.

iang

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography