[tahoe-dev] cleversafe says: 3 Reasons Why Encryption is Overrated

David-Sarah Hopwood david-sarah at jacaranda.org
Mon Aug 10 12:12:17 PDT 2009


Jason Resch wrote:
> james hughes wrote:
>> On Aug 6, 2009, at 1:52 AM, Ben Laurie wrote:
>>> Zooko Wilcox-O'Hearn wrote:
>>>> I don't think there is any basis to the claims that Cleversafe makes
>>>> that their erasure-coding ("Information Dispersal")-based system is
>>>> fundamentally safer, e.g. these claims from [3]: "a malicious party
>>>> cannot recreate data from a slice, or two, or three, no matter what 
>>>> the advances in processing power." ... "Maybe encryption alone is
>>>> 'good enough' in some cases now  - but Dispersal is 'good always' and
>>>> represents the future."
>>>
>>>> [3] http://dev.cleversafe.org/weblog/?p=63
>>>
>>> Surely this is fundamental to threshold secret sharing - until you 
>>> reach the threshold, you have not reduced the cost of an attack?
>>
>> Until you reach the threshold, you do not have the information to 
>> attack. It becomes information theoretic secure.
> 
> With a secret sharing scheme such as Shamir's you have information
> theoretic security.  With the All-or-Nothing Transform and dispersal
> the distinction is there is only computational security.  The practical
> difference is that though 2^-256 is very close to 0, it is not 0, so
> the possibility remains that with sufficient computational power useful
> data could be obtained with less than a threshold number of slices.
> The difficulty of this is as hard as breaking the symmetric cipher
> used in the transformation.

So I'm confused. You understand perfectly well that the dispersal+AONT
scheme depends on the computational security of the cipher [*], but you
use the risk of a computational attack on the cipher as an argument
against encryption. Isn't that part of the argument in the blog post
(quoted by Zooko above) just completely invalid, and in need of
retraction?

Yes, I realise that a later post argued that you were talking about
attacks against asymmetric encryption. But:

a) The title of the original post is not "3 Reasons Why Asymmetric
   Encryption is Overrated." The criticism of encryption in general
   is repeated several times in the subsequent posts, without making
   any symmetric vs asymmetric distinction.

b) Suppose that we accept for the sake of argument the negative opinions
   expressed about the long-term security of asymmetric schemes. Then
   any benefits of CleverSafe's approach in that respect would apply
   also to other systems using conventional symmetric encryption with
   a long-term key, if they either used symmetric cryptography
   exclusively, or only used shorter-term asymmetric authentication
   keys (subject to point c) below). In other words, it's not the use
   of dispersal+AONT that is the relevant factor here.

c) If an asymmetric scheme used for authentication is later broken,
   it is not clear that the new attack will not be usable against
   previously recorded sessions to obtain their session keys.
   Whether it can depends on the kind of attack -- but a direct
   attack against the private->public key one-way function, such as
   an advance in factoring, for example, probably can be used in this
   way. So CleverSafe's system -- using asymmetric cryptography only
   for authentication -- would be just as vulnerable as systems using
   asymmetric encryption in this situation.


[*] In fact, the specific scheme described in
    <http://dev.cleversafe.org/weblog/?p=111> is *exactly* as secure
    as the cipher, used in whatever encryption mode is employed in
    step 2 under the heading "All-Or-Nothing Transform". Note that
    this applies to any attack against the cipher (assuming that the
    conditions of the attack, e.g. amount of ciphertext and known
    plaintext available, are satisfied), and not just brute force.

    (Some contributors to the discussion seem to have been confused
    by the difference between security properties of secret sharing
    vs dispersal. A k-of-n dispersal scheme only guarantees that
    k shares are *sufficient* to retrieve all of the input; not that
    k shares are *necessary* to retrieve any part of the input.
    Since the first k shares in the dispersal scheme used by the
    CleverSafe system are just 1/kth slices of the input, there is
    obviously no additional security provided by the dispersal scheme
    that could frustrate attacks on the cipher in this case.)

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
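The footnote above turns on a distinction that is easy to state and easy to lose: a k-of-n *secret sharing* scheme (Shamir) guarantees that k-1 shares carry no information about the secret, while a k-of-n *dispersal* scheme only guarantees that k shares are enough to rebuild the input, and in the systematic layout described (first k shares are 1/k slices) k-1 shares simply hand over (k-1)/k of the plaintext. The following is an added example written for this archive page; it is not code from the tahoe-dev post, from Tahoe-LAFS, or from Cleversafe. It assumes arithmetic in GF(2^8) with the AES reduction polynomial, a Reed-Solomon-style systematic dispersal (data shares at x = 1..k, parity shares at x = k+1..n), and a constructed 16-byte sample input; the function names are the example's own.

```python
import secrets

# GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
# This field choice is an assumption of the example, not something the
# post or Cleversafe specifies; any finite field would do.
def gf_mul(a, b):
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    # a^254 == a^-1 for a != 0 (Fermat in a field of 256 elements)
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def interpolate_at(points, x):
    """Lagrange interpolation: value at x of the unique polynomial of
    degree < len(points) through the given (xi, yi). Subtraction is XOR."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total

def poly_eval(coeffs, x):
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r

# ---- Shamir k-of-n secret sharing of a single byte ---------------------
def shamir_split(secret, k, n):
    # constant term is the secret; the other k-1 coefficients are random
    coeffs = [secret] + [secrets.randbelow(256) for _ in range(k - 1)]
    return [(x, poly_eval(coeffs, x)) for x in range(1, n + 1)]

def shamir_recover(shares):
    return interpolate_at(shares, 0)

def shamir_candidates(partial, k):
    """Brute force for k == 2: tally every degree-1 polynomial consistent
    with the single share by the secret (constant term) it encodes."""
    assert k == 2 and len(partial) == 1
    (x, y), = partial
    tally = {}
    for a0 in range(256):
        for a1 in range(256):
            if poly_eval([a0, a1], x) == y:
                tally[a0] = tally.get(a0, 0) + 1
    return tally   # every secret value appears exactly once: no information

# ---- Systematic k-of-n dispersal (Reed-Solomon style) ------------------
def disperse(data, k, n):
    """Shares 1..k are verbatim 1/k slices of `data` (len a multiple of k);
    shares k+1..n are parity bytes computed column by column."""
    L = len(data) // k
    slices = [bytearray(data[i * L:(i + 1) * L]) for i in range(k)]
    parity = [bytearray(L) for _ in range(n - k)]
    for col in range(L):
        pts = [(i + 1, slices[i][col]) for i in range(k)]
        for j in range(n - k):
            parity[j][col] = interpolate_at(pts, k + 1 + j)
    return [(i + 1, bytes(s)) for i, s in enumerate(slices + parity)]

def recover(shares, k):
    """Any k shares are *sufficient* to rebuild the whole input."""
    shares = shares[:k]
    L = len(shares[0][1])
    out = bytearray()
    for i in range(k):
        for col in range(L):
            out.append(interpolate_at([(x, s[col]) for x, s in shares], i + 1))
    return bytes(out)

def partial_leak(shares, k):
    """k shares are not *necessary* to learn part of the input: every data
    share (x <= k) held by an attacker is a plaintext slice."""
    return {x - 1: s for x, s in shares if x <= k}

def demo():
    k, n = 2, 3
    tally = shamir_candidates(shamir_split(0x2A, k, n)[:1], k)
    data = b"ATTACK AT DAWN!!"            # constructed sample input
    shares = disperse(data, k, n)
    assert recover([shares[0], shares[2]], k) == data
    leak = partial_leak(shares[:1], k)    # one share short of the threshold
    return tally, leak

if __name__ == "__main__":
    tally, leak = demo()
    print("Shamir, k-1 shares: %d candidate secrets, each equally likely" % len(tally))
    print("Dispersal, k-1 shares: leaked slices", leak)
```

Wrapping the input in an all-or-nothing transform before dispersal (the Cleversafe scheme the footnote analyses) changes what the leaked slices are: ciphertext rather than plaintext. It does not change the counting above, which is why the footnote's conclusion holds: the dispersal layer contributes nothing against an attack on the cipher itself.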