On 7/09/13 03:58 AM, Jon Callas wrote:

Could an encryption algorithm be explicitly designed to have properties like this?  I 
don't know of any, but it seems possible.  I've long suspected that NSA might want this 
kind of property for some of its own systems:  In some cases, it completely controls key 
generation and distribution, so can make sure the system as fielded only uses 
"good" keys.  If the algorithm leaks without the key generation tricks leaking, 
it's not just useless to whoever grabs onto it - it's positively hazardous.  The gun that 
always blows up when the bad guy tries to shoot it....

We know as a mathematical theorem that a block cipher with a back door *is* a 
public-key system. It is a very, very, very valuable thing, and suggests other 
mathematical secrets about hitherto unknown ways to make fast, secure public 
key systems.

I'm not as yet seeing that a block cipher with a backdoor is a public key system, but I really like the mental picture this is trying to create.

In order to encrypt to that system, one needs the (either) key. If everyone has it (either) the system is ruined.

A public key system is an artiface where one can distribute the public key, and not have to worry about the system being ruined; it's still perfectly usable. Whereas with a symmetric system with two keys, either key being distributed ruins the system.

One could argue that the adversary would prefer the cleaner, more complete semantics of the public key system -- maybe that is what the theorem assumes? But if I was the NSA I'd be happy with the compromise. I'm good at keeping *my key secret* at least.

The cryptography mailing list

Reply via email to