Obama: cryptographers who don't believe in magic ponies are "fetishists," "absolutists"

This is partly an implementation question, since you could also imagine other scenarios like the manufacturers getting a list of private keys generated by the government so that devices fresh from the factory would already have them built in, without having been computed on the devices themselves. Also, while I would bet it’s probably true that whatever computing machine was generating individual private keys would also need access to the master key in order to generate them, I’m not 100% sure that’s true; in the case of attribute-based encryption I’d want to have someone knowledgeable verify that this is still necessary in the case of multi-authority attribute-based encryption.

I wasn’t demanding a source from you, or claiming any superiority about my comments being less speculative than yours. I was just asking if you have a source or if your comments were speculative–if the latter, the point I’m getting at is just that your criticisms are equally speculative when compared to my own speculation that you’re criticizing, namely that I’d bet there isn’t any fundamental mathematical problem with the idea since I’ve never seen cryptographers raise such objections and I would think they would if there were such fundamental problems.

[quote=“Nonentity, post:139, topic:74972”]
In your scheme as described, the attacker only needs to identify a single private key, and they have the additional information of knowing the inputs and outputs of the encryption algorithm, the public key, and at least one private key
[/quote]
Those facts are all true, but if you’re using these facts as an argument for the conclusion that it’d be much easier to determine the additional private key than it is to identify the private key for encryption schemes with only a single private key, you haven’t given a reason why these facts should lead to that conclusion.

I don’t think it’s not a problem, I just don’t see why one should expect a priori that it should be a problem, which I assumed was your position since you brought it up. As I said, the main reason why I suspect it’s not much of a problem (and that is of course a speculation) is just the meta-observation that I haven’t seen cryptography experts raise such fundamental mathematical objections when explaining their reasons for thinking a government backdoor is a bad idea.

In general you seem to frequently respond to my comments as if you believe I am trying to make some sort of authoritative claims–maybe I haven’t been clear enough about this, but I have repeatedly tried to point out that I am no expert on cryptography and that I am just engaging in some idle speculations about whether any sort of “ideal” government backdoor system might be reasonably secure. And again, this tangent about the mathematical aspects only started because I expressed doubt about nimelennar’s statement that the desired scheme would be “mathematically impossible”, not any definitive claim the statement was wrong. Maybe if we can both agree that we are two non-experts engaging in some mere speculation based largely on personal intuitions and a smattering of beginner-level knowledge, we can agree to disagree about the differences in our intuitions.

Mathematically impossible to get me to use :smiling_imp:

Think of it this way. Every key you issue by definition reduces the effectiveness of your cipher. Second “master keys” destroy, again by definition, perfect forward secrecy (which is why a lot of crypto nerds say escrowed keys are mathematically impossible–it’s really that it is impossible with PFS).

“But only the good guys will have keys, and not very many of them!! And I swear this will go faster than the decade and a half we worked on AES!! And we won’t backdoor this one, like that stupid RNG we sabotaged!!” Cried the hapless TLA agent!

But of course every session key, hardware key, cert, you name it, would eventually be back doored. And not by just the US, but by 180 countries. That’s billions of master keys.

“But we will just up the key size from 4096 to… I dunno… A million!!” Squirms the weaselly TLA agent. And good luck with that, your key exchange now takes long enough to go get a cup of coffee.

Or we can use strong encryption that works, and surveil criminals in other ways. Besides, straightens tie, we have the technology :smiley:

5 Likes

Well, yes, of course it’s speculation. Precisely because there is not enough detail in your hypothetical to do anything but speculate. And such speculation remains worthless, because

  1. it’s vanishingly unlikely that your perfect-world scenario where the math, people, and implementations are 100% perfect will ever exist, and
  2. the experts who actually do solidly know the challenges involved have almost universally said there is no good way to do it, and that trying to have both a secure system for individual users and one that can be broken at will by the government is trying to have your cake and eat it too. And that it would be silly to try, because you won’t be able to prevent the really secure encryption from being used by criminals.

If you really think you can look up something on StackExchange and prove all those experts wrong, well… good luck.

That’s a strawman, I haven’t said anything about proving any experts wrong. My citing of the Stack Exchange post was again purely in reference to the mathematical issue, which I gather is not an issue you’ve seen any experts address. And I certainly am willing to grant the cryptography experts are almost certainly right in what they say about the impossibility of implementing a safe scheme of the type government authorities currently want, but see the comment I made below to ActionAbe about being unsure if any experts had ever really addressed the question of a much more limited scheme:

But japhroaig seems to be knowledgeable about these matters and has indicated that even a more limited scheme would be impossible to implement in a reasonably secure way, so I assume this is probably right (though I’d be interested to see more experts weigh in on the question of such extremely limited schemes); but then japhroaig hadn’t commented when I offered my earlier speculations. A response from someone knowledgeable was exactly what I was hoping for when I raised these ideas, even if the tone you (Nonentity) have taken in your responses seems to suggest you mistakenly believed I was some kind of partisan trying to confidently suggest the scheme I proposed would work.

Good when generalized.

Before agreeing that the government has the power to do X, imagine Donald Trump with that power.

1 Like

It fascinates me how the authoritarianism supporters never ever expect to get to the side unhappy with the regime. They essentially agree to not disagree with any future development.

1 Like

If you’d like a good overview of a lot of the technical, mathematical, and conceptual issues, Applied Cryptography by Bruce Schneier is a great primer on the subject that is written in a manner not requiring that the reader be a cryptographer themselves.

4 Likes

Me too. >: ) But keep in mind the paper linked above (the 1997 one, in regards to the Clipper chip) is a flipping who’s who of the greatest minds in cryptography (did you see me freak the shit out here when I shook Whitfield Diffie’s hand the other week? Yeah, he was one of the authors), and they unanimously oppose escrowed keys.

Yes, that is an Argument to Authority. But cryptography is one of the few areas where that logical fallacy is treated as, “yeah, well, that’s probably right”.

I should go lurk at the crypto section of stack, there’s more I don’t know than I do.

5 Likes

It’s a really good book. And if you’ve read Bruce’s other books it really illustrates the Coming of Age (as a crypto nerd), to the Everything is Broken state, to the Skeptical Optimist he is today.

Bruce rocks. Some day I will shake his hand as well.

6 Likes

I’ve got to give it another read through. I’m realizing how much I’ve forgotten over the last 20 years.

2 Likes

I second, third, and fourth this.

6 Likes

I don’t disagree in principle, only on the limitation that it’s the only possibility, that there’s only one way to do it, and that it will forever be safe.

A few years ago the standard ‘best practice’ was to store MD5 hashes instead of passwords, because of the math. That didn’t last long once rainbow tables became feasible.

Not long ago, bitcoin could be mined with a CPU. That arms race through GPUs, FPGAs, and ASICs was something to watch. Did the math predict that mining power would get so centralized that quickly?

Have you seen how many vulnerabilities have been discovered in SSL recently (never mind its inherent flaws in the trust model)? The math said it was secure.

Any one standard so widely used as to become ubiquitous is going to be worth breaking by someone. They’ll find ways to get around the math limitations, or ways to backdoor it or inject flaws into the system.

The math of public-key encryption is good, but if there are easy ways around it (like ordering a company to disable it or give up the key, or faking their key, or hiring someone to plant a trusted key), and everyone is depending on one potential single point of failure, then it will be broken. Even if it isn’t easy, it will be worthwhile to someone.

4 Likes
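The MD5-versus-rainbow-table point in the post above, as an added example that is not the poster’s code: an unsalted MD5 digest falls to one lookup in a precomputed table, while a per-user random salt and an iterated hash (PBKDF2 here, via Python’s standard library) make any precomputed table useless and each guess expensive. The tiny table and password list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed ("rainbow") table of common passwords.
COMMON_PASSWORDS = ["password", "letmein", "hunter2", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_md5(password: str) -> str:
    """The old 'best practice' the post describes: a bare, unsalted MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_md5(stored: str):
    """One dictionary lookup recovers the password if it is in the table.

    No cryptanalysis is needed; the digest of a given password never changes."""
    return MD5_TABLE.get(stored)


def store_pbkdf2(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Salted, iterated hash. A table built for one salt is useless for any other
    salt, and every guess now costs `rounds` hash computations instead of one."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)
```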

Quoting because this is truer than many people think. It is good. Not perfect, not infallible. Factoring large primes is a problem that will be solved in some of our lifetimes. EC may take a little longer, or a little shorter (who knows!) but it too will be solved.

4 Likes

The cost of solid state memories is falling dramatically. What about, for some scenarios where the difficulties of key exchange are not prohibitive, reverting to one-time pads?

Couldn’t be done with ordinary filesystems where wear balancing would leave copies of the key material all over the disk. With a serial flash chip, however, it could work: any memory where a certain block you write to will still be the same block, and therefore erasing it will destroy the data without leaving copies around, would do the job. The key has to be destroyed immediately after use.

Perfect forward secrecy, simple transparent algorithm; with a good key generation system it is virtually unbreakable by means other than side channels.

1 Like
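The one-time-pad scheme sketched above, as an added example that is not the poster’s code. The pad lives in a mutable buffer whose consumed bytes are overwritten immediately, standing in for the erase-the-block-after-use behaviour of the serial flash chip (the class name and buffer are assumptions for the demo), and `reuse_leak` shows why that destruction is not optional: encrypting two messages under the same pad bytes lets anyone cancel the key by XORing the ciphertexts.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad bytes are used at most once and zeroed right after use, so this
    buffer never holds a second copy of spent key material."""

    def __init__(self, key_material: bytes):
        self._pad = bytearray(key_material)
        self._pos = 0

    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def _consume(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = bytes(self._pad[self._pos:self._pos + n])
        # Destroy the bytes just used; only the returned copy now exists.
        self._pad[self._pos:self._pos + n] = b"\x00" * n
        self._pos += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._consume(len(plaintext)))

    decrypt = encrypt  # XOR with the same pad bytes is its own inverse


def reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Two messages under the same key: c1 XOR c2 == p1 XOR p2, no key needed.

    This is the failure mode that destroying the pad after use prevents."""
    c1 = xor_bytes(p1, key)
    c2 = xor_bytes(p2, key)
    return xor_bytes(c1, c2)
```

Both ends hold the same pad and consume it in lockstep, so the sender’s `encrypt` and the receiver’s `decrypt` use identical bytes.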

Should I derail and go down the rabbit hole of whose curves? (I can throw a stone from here and hit the NIST lab).

5 Likes

Only saw one, surprisingly. Let me help:

2 Likes

The book tied for Best Novel in the 2014 Prometheus Awards given out by the Libertarian Futurist Society.

And despite receiving this award, I'll probably still read the book.

1 Like

There is another middle ground - strong crypto with bad user interfaces. It’s even quite popular today!
Of course, it could be more popular if you added magic ponies to the UI.

1 Like

Not an uninteresting read, but I remember feeling dirty in the process.

1 Like

So, wouldn’t it be best to leave the details to cryptographers? You wouldn’t happen to know what the cryptographers happen to be saying, would you?

The other elephant in the room you seem to be missing is that this implies setting the cryptographic algorithms in stone. What happens if you want to do something else? Say, homomorphic encryption of credit card numbers? Where does the extra key information go?

2 Likes