The existence and usefulness of blinding functions will depend on f().
For many interesting functions, computing f' is a
very large effort, so computing f'(b(y)) is as much work as computing f'(y),
so Bob will charge Alice just as much.
In the case of RSA, computing f' is very hard, but maybe Bob has lots more
resources than Alice, and the numbers are small enough to be worth trying,
e.g. 512 bit keys. There's unlikely to be a useful blinding function -
you're trying to find prime factors of a large two-factor composite number pq,
and finding factors of a different large number isn't useful -
the blinding function is multiply by b, so
either Bob will give you "b" and "pq" as factors (useless and expensive :-),
or else Bob will give you "bp" and "q" or "p" and "bq",
and it's much easier for Bob to factor the potential bp and bq, so not very
blind.
Also, if b is large enough not to cause the easy solution "b" and "pq",
it increases the work factor by about 2**b/b, which makes it too hard for Bob.
Similarly for Diffie-Hellman, cracking g**pq mod m is hard,
but cracking g**pqb mod m isn't much harder, though you're
likely to get "b" and "pq" as the factors at least half the time.
But if you do pay for it, and get lucky and get "bp" and "q",
and Bob doesn't have the connections to recognize g**q mod m as
Terry the Target's keypart, you win. How often is this useful?
Most applications either use 192-bit keys (has Sun fixed "Secure NFS"?)
or 512-bit (hard but marginally crackable, but probably not common),
1024-bit keys (believed to be way too hard), or 1536-bit (definitely too
hard).
At 12:07 PM 8/1/00 +1000, Julian Assange wrote:
>
>Let y = f(x) and f'(y) = x
>
>Imagine Bob runs a f' cracking service. Imagine Alice has y and wants x.
Alice may
>or may not know f' however she wishes to take advantage of Bob's f'
cracking service
>to obtain x. But she doesn't want Bob to know x. Yet she wants Bob to
compute it
>for her.
>
>Imagine there is a blinding function b, and an unblinding function
>b'. Alice sends Bob b(y). Bob produces z=f'(b(y)). Alice extracts x =
>b'(b).
>
>Has this been done for RSA etc?
>
>Is it possible to find blinding functions of this nature for any
>function in number theory?
>
>Cheers,
>Julian.
>
>
>
Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
