Consider a network of N nodes, each given an id from 1 to N. Each node uses a protocol where any message it receives it decrypts with its id. All messages get sent to every node instantly, and decryption has a very high cost.
Node A wants to send a message to another node (node A just chooses an id randomly). Node A encrypts the message with the other node's ID and sends it into the network. Node A has just securely communicated with another node (let's say node B) without any prior secure channels, and for another node to break that communication they must try ~n/2 decryptions. Of course A is blindly communicating with node B, but as long as node B wants the communication to be secure, the communication is secure, and it requires no prior secure communications other than the protocol itself.

On Thu, Jun 6, 2013 at 3:12 PM, Matthew Green <matthewdgr...@gmail.com> wrote:

> I assume you're talking about confidentiality and authenticity. If all you
> care about is authenticity then you can proceed under the assumption that
> the channel /may/ be authentic and then later perform the authentication to
> retrospectively authenticate it. This is obviously "duh", but it's also how
> modern protocol negotiation works.
>
> Matt
>
>
> On Jun 6, 2013, at 2:32 PM, Jonathan Katz <jk...@cs.umd.edu> wrote:
>
> Isn't it obvious? (I mean, there is some value in formalizing the model,
> but still...)
>
> Consider authentication of A to B. If there is nothing distinguishing
> (impersonator) Mallory from (honest) A, then anything A can do can also be
> done by Mallory.
>
>
>
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography