[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [interesting-people Home]
Subject: IP: More on the Harvard unbreakable encryption
>Date: Mon, 19 Mar 2001 17:04:00 -0400
>From: "Bruce I. Galler" <bgaller@cisco.com> (by way of Bernard A. Galler)
>Subject: IP: More on the Harvard unbreakable encryption
>Cc: farber@linc.cis.upenn.edu
>
>From: Steve Goldhaber [mailto:goldy@cisco.com]
>Sent: Monday, March 19, 2001 2:12 PM
>To: bgaller@cisco.com
>Subject: More on the Harvard unbreakable encryption
>
>From Bruce Schneier's Crypto-Gram newsletter
>-----------------
>Harvard's "Uncrackable" Crypto
>
>Last month the New York Times reported a cryptography breakthrough. Michael O. Rabin and Yan Zong Ding, both of Harvard, proposed an information-theoretically secure cipher. (Yonatan Aumann was also involved in the research.) The idea is that a satellite broadcasts a continuous stream of random bits. The sender and receiver agree on several random starting points in that stream, and use the streams as continuous keys to XOR with the message. Since the eavesdropper doesn't know the starting point, he can't decrypt the message. And since the stream is too large to store in its entirety, the eavesdropper can't try different starting points.
>
>That's basically it. The crypto isn't worth writing about (although there's some interesting mathematics), but the context is.
>
>One, the popular press does not count as peer review. I have often watched in amazement as the press grabs hold of some random piece of cryptography and reports on it like it changes the world, only to ignore important pieces of research. When you read about something like this in the popular press, pay attention to the motivations of the researchers and the public relations people who convinced the reporters to write about it. Academic peer review will happen in the upcoming years.
>
>One of my biggest gripes with these sorts of press announcements is that they ignore the research and the researchers that come before. The model and approach are not new; Ueli Maurer proposed it ten years ago. (If you want to look it up, the citation is: U. Maurer, "Conditionally-Perfect Secrecy and a Provably-Secure Randomized Cipher," Journal of Cryptology, vol. 5, no. 1, pp. 53-66, 1992. I discuss some of this work in _Applied Cryptography_, p. 419.) Rabin and Ding are not to blame -- their academic paper credits Maurer heavily, as well as other work that went before -- but none of that came out in the press.
>
>Two, while the paper's mathematical result is a new contribution to cryptography, it's nowhere near strong enough to unleash the full potential of the model. I think there are better techniques in Maurer's paper for finding public randomness, such as using the face of the moon as a public source of randomness (his paper also includes in its model a satellite broadcasting random bits). And it's totally impractical. Maurer's paper provides better methods for establishing a secret channel in the presence of an eavesdropper. But because Harvard has a better public relations machine, this result magically becomes news.
>
>Three, this scheme will never be used. Launching satellites gets cheaper all the time, but why would someone have them broadcast random numbers when they could be doing something useful instead? Remember, strong encryption is not our problem; we have secure algorithms. In fact, it's the one security problem we have solved; solving it better just doesn't matter. I often liken this to putting a huge stake in the ground and hoping the enemy runs right into it. You can argue about whether the stake should be a mile tall or two miles tall, but a smart attack is just going to dodge the stake. I don't mean to trash the work; it is a contribution of theoretical interest. It's just that it should not be mistaken for a practical scheme.
>
>Oh, and by the way, an attacker can store the continuous random stream of bits from the satellite. Just put another satellite in space somewhere, and store the bits in a continuous transmission loop. The neat property of this attack is that the capacity of this storage mechanism scales at exactly the same rate as the data stream's rate does. There's no way to defeat it by increasing data rate. Isn't satellite data storage science fiction? Sure. But no more than the initial idea.
>
><http://www.nytimes.com/2001/02/20/science/20CODE.html>
><http://cryptome.org/key-poof.htm>
><http://slashdot.org/articles/01/02/20/136219.shtml>
>
>Maurer's Research:
><http://www.inf.ethz.ch/department/TI/um/research/itc/>
>
>A demo of one of Maurer's schemes, more practical than the Rabin scheme:
><http://www.inf.ethz.ch/department/TI/um/research/keydemo>

For archives see: http://www.interesting-people.org/
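The following toy model is an added example, not part of the forwarded message and not the Rabin-Ding paper's construction. It implements the scheme exactly as the newsletter paragraph describes it (a public random stream, secret starting points, XOR with the stream segments) and then makes Schneier's closing objection concrete: once an eavesdropper has stored the whole stream, trying every starting point against a message with a predictable header recovers both the offset and the plaintext. The stream here is a few kilobytes of random bytes in memory standing in for the satellite feed; the `MSG:` header, the stream length and the single-starting-point brute force are all assumptions made for the demonstration.

```python
"""Toy model of the broadcast-randomness cipher described in the newsletter.

Added example, not from the original page: the public stream is a short byte
string in memory rather than a satellite feed, and the cipher is the
newsletter's one-paragraph description (XOR with stream segments at secret
starting points), not the Rabin-Ding paper's actual construction.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def segment(stream: bytes, start: int, length: int) -> bytes:
    """Bytes of the public stream beginning at offset `start`.

    The broadcast is modelled as a loop, so indices wrap around, the same
    wrap-around an attacker storing the stream on a transmission loop uses.
    """
    return bytes(stream[(start + i) % len(stream)] for i in range(length))


def encrypt(stream: bytes, starts: list, plaintext: bytes) -> bytes:
    """XOR the plaintext with one stream segment per secret starting point."""
    ct = plaintext
    for s in starts:
        ct = xor_bytes(ct, segment(stream, s, len(plaintext)))
    return ct


# XOR is its own inverse, so decryption is the same operation with the
# same secret starting points.
decrypt = encrypt


def brute_force_start(stream: bytes, ciphertext: bytes, known_prefix: bytes):
    """Schneier's stored-stream objection, for a single starting point.

    An eavesdropper who has the whole stream tries every offset and keeps the
    candidates whose plaintext begins with a known header. With a 4-byte
    header and a few thousand offsets a false match is vanishingly unlikely,
    so the true offset and the full plaintext come out.
    """
    hits = []
    for s in range(len(stream)):
        candidate = xor_bytes(ciphertext, segment(stream, s, len(ciphertext)))
        if candidate.startswith(known_prefix):
            hits.append((s, candidate))
    return hits


def demo(stream_len: int = 4096) -> dict:
    """Round-trip the cipher, then recover the message from the stored stream."""
    # Constructed sample data (assumption): a small "public random stream" and
    # a message with a predictable header, as most real messages have.
    stream = secrets.token_bytes(stream_len)
    plaintext = b"MSG:" + b"meet at dawn"
    start = secrets.randbelow(stream_len)

    ciphertext = encrypt(stream, [start], plaintext)
    assert decrypt(stream, [start], ciphertext) == plaintext

    hits = brute_force_start(stream, ciphertext, b"MSG:")
    return {
        "start": start,
        "plaintext": plaintext,
        "hits": hits,
        "recovered": any(s == start and pt == plaintext for s, pt in hits),
    }


if __name__ == "__main__":
    r = demo()
    print(f"true start {r['start']}, {len(r['hits'])} candidate(s), "
          f"recovered={r['recovered']}")
```

With several starting points the search grows to the product of the stream length per point, which is the "too large to store" argument in the newsletter; the point of the demo is that the argument rests entirely on the attacker being unable to keep the stream, not on any property of the XOR itself.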