Ondřej Vejpustek [ARCHIVE] on Nostr
📅 Original date posted: 2018-01-18
📝 Original message: Thank you for your comments, Gregory and Russell!
Gregory, thank you for your explanation of perfect secrecy, there is no
need for that, however. I'm a professional mathematician and cryptographer.
> I read the above
> as "these are similar because they are based on math"...
They are based on algebra (group and commutative ring theory), which is
a great similarity. RSA and SHA, for example, are based on completely
distinct parts of mathematics.
> Complicated does not mean secure. And from an information theoretic
> perspective the hash does almost nothing (other than some small
> destruction of entropy due to its lack of perfect uniformity which is
> information theoretically equivalent to using a smaller perfect code).
> using error correcting codes and truncated hash functions create
> identical amounts of information theoretic redundancy
I agree, see my last note in the previous mail. Adding redundancy by a
hash function is more secure than adding redundancy by linear
relations. Just my opinion.
I see the difference between RSA and SSS you mentioned and I understand
your arguments about perfect secrecy. Just two comments:
(1) Our proposal doesn't use SSS for the whole secret, but it divides
the secret into bytes and uses SSS for every byte separately. This
scheme is weaker because to reconstruct the n-th byte it suffices to have
the n-th bytes from k shares.
(2) SSS is information-theoretically secure if you know k-1 or fewer
shares, where k is the threshold. But the proof doesn't hold if you know
for example a small part of every share.
> It is of no use to apply the precautionary principle against
> impossible attacks, especially at the cost of losing the useful
> properties of real error correcting codes that would provide actual
> guarantees against likely errors.
The discussion isn't about mathematics or about security proofs but
about cryptographic scheme design. In our use case you cannot assume
that all premises of security proof theorems (including SSS's perfect
secrecy) hold true (see the comment above).
In my opinion, to make a cryptographic scheme more robust it's better to
stick to general "intuitive" principles. Of course you have to consider
the advantages and disadvantages of this approach. That's why we
disclosed our draft and welcome all comments.
> The discussion of using a proper code was primarily related to the
> outer check value which protects the shares themselves and is sitting
> unprotected in plaintext
OK then. I was defending the hash in the inner check value.
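To make the two comments in the message above concrete (byte-wise SSS, and why "k-1 shares" is the wrong adversary model once an attacker holds a few bytes of every share), here is an added illustration; it is not code from the draft or from anyone in the thread. It assumes GF(256) with the Rijndael polynomial 0x11b and shares evaluated at x = 1..n; all function names are mine.

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11b); assumed field choice."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(2^8) (a != 0); 254 multiplications is fine for a demo."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_byte(secret_byte: int, k: int, n: int) -> list:
    """One SSS instance for a single byte: random degree k-1 polynomial, f(0)=secret."""
    coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) in GF(2^8)
            y = gf_mul(y, x) ^ c
        shares.append(y)
    return shares

def split_secret(secret: bytes, k: int, n: int) -> list:
    """Byte-wise sharing: byte i of share x comes from an independent SSS on secret[i]."""
    cols = [split_byte(b, k, n) for b in secret]
    return [(x + 1, bytes(col[x] for col in cols)) for x in range(n)]

def interpolate_zero(points: list) -> int:
    """Lagrange interpolation at x=0 over GF(2^8); points are (x, y) pairs."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc

def recover_prefix(shares: list, k: int, nbytes: int) -> bytes:
    """Recover secret[:nbytes] using ONLY the first nbytes of k shares (the leak)."""
    return bytes(interpolate_zero([(x, s[i]) for x, s in shares[:k]]) for i in range(nbytes))
```

The point is that recover_prefix never touches share bytes beyond position nbytes: leaking the first two bytes of each of k shares leaks exactly the first two bytes of the secret, which the k-1 full shares proof says nothing about.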
Published at 2023-06-07 18:09:33