[RC5] paranoia

Joe Zbiciak j-zbiciak1 at ti.com
Fri Jan 23 07:50:20 EST 1998


'Jim C. Nasby' said previously:
| 
| Yeah... send them to the RSA homepage. It clearly states that the encrypted
| message begins with the phrase "the correct key is:", or something like
| it... Now, the only way that that phrase could be part of the encrypted
| message is if it was encrypted along with (ie: at the same time as) the rest
| of the message. All the clients only look for this phrase, no dictionary
| searches, etc. So, the clients will only flag a message that contains the
| correct phrase. So, unless the government has some super-secret message they
| need decrypted and they _know_ it contains the correct phrase at the
| beginning of the message...
| 

You certainly haven't been keeping up with the Illuminati amongst us, 
have you?  Here's a healthy jolt of paranoia for you ... bear in mind
that this is closer to creative fiction than to reality (I hope).

    Ok, the RSA contest is just a front.  RSA knows the "right answer" 
    as does someone behind the scenes at d.net.  With all the clients
    online, d.net can issue "blocks" containing pieces of other 
    encrypted messages RSA/NSA/whoever has intercepted and need decrypted.
    The decryption job is farmed out over the set of machines.

    To maintain the front of an earnestly competing group, the d.net folks
    (try) to maintain stats of how many "blocks" each participant has
    "cracked".  Then, somewhere around the middle of the keyspace, they
    pick a participant, designate them as the winner, and move on to the
    next "contest".  Since each contest takes quite a bit longer than
    the previous one, they've got plenty of time to use their massive
    cracking farm to further the causes of the NSA/whoever...

:-)

Of course, I don't believe a word of that.  To directly refute your 
statement (about the phrase "The unknown message is:"), how do you know
exactly *what* the client has decrypted?  For all we know, it could be
just sending back the 8 bytes it decrypted, and they're analyzing all
the blocks returned for what they really want.  A given block could
decrypt to anything, you know.

:-)

Ahh yes, ain't paranoia fun?

Now, while I don't feel that the d.net folks are a front for some other
devious organization, I can imagine this being an issue with v3.
Suppose some other group comes up with a contest, and a v3 d.net core
is shipped out which just performs generic cracking tuned to their
needs.  Real encrypted packets (containing actual intercepted messages)
are sent out to the "d.net farm" to be cracked.  Meanwhile, the
coordinator for this sub-contest just waits a required minimum time
before announcing "a winner".  It could happen if we're not careful.

Someone else (memory fails me as to who) posted that this can be avoided
using the concept of "zero-knowledge proofs."  A zero-knowledge proof
is an interesting proof in that you can

   (a) Prove that you know something, and
   (b) Not reveal exactly what you know.

The clients could communicate with the key servers using this idea.  They
could "prove" to the key servers that they've cracked a block, without 
revealing the block's contents.  Then, when a client "proves" that it's
decrypted the secret message, the message can be broadcast so as to make
it obvious that no devious activity has been going on.

The _Applied Cryptography_ book that's been mentioned a couple times on
this group has information on zero-knowledge proofs, for folks who are
interested.  

Regards,

--Joe



-- 
 +----------- Joseph Zbiciak ----------+
 | - - - -  j-zbiciak1 at ti.com  - - - - |  Join your idle CPU cycles into the
 |- http://www.primenet.com/~im14u2c/ -|  world's largest supercomputer:
 | - - -Texas Instruments, Dallas- - - |  http://www.distributed.net/
 +-----#include <std_disclaimer.h>-----+
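The zero-knowledge idea in the post above (prove you know something without revealing what it is), shown as an added example that is not part of Joe's message and not code from any distributed.net client: Schnorr's identification protocol, where a client holds a secret x, has published y = g^x mod p, and convinces a key server that it knows x. The group parameters are generated at runtime, the class and function names are this example's own, and the post says nothing about how "I found the key for this block" would be turned into such a statement; that mapping is left open here too.

```python
import secrets

# Parameters (a safe prime p = 2q + 1) are constructed at runtime; none of
# these values come from the mailing-list post or from distributed.net.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with random bases; good enough for demo parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Return (p, q, g): p = 2q + 1 prime, g a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    h = secrets.randbelow(p - 3) + 2      # any h in [2, p-2]
    g = pow(h, 2, p)                      # squares form the order-q subgroup
    return p, q, g

class Prover:
    """The client: knows secret x and has published y = g^x mod p."""
    def __init__(self, p, q, g, x):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.y = pow(g, x, p)

    def commit(self):
        self.r = secrets.randbelow(self.q)   # fresh randomness every run
        return pow(self.g, self.r, self.p)   # t = g^r

    def respond(self, c):
        return (self.r + c * self.x) % self.q   # s = r + c*x (mod q)

class CheatingProver:
    """A client that does NOT know x and gambles on the challenge."""
    def __init__(self, p, q, g, y):
        self.p, self.q, self.g, self.y = p, q, g, y

    def commit(self):
        self.guess = secrets.randbelow(self.q)
        self.s = secrets.randbelow(self.q)
        y_inv_c = pow(self.y, self.q - self.guess, self.p)   # y^-guess (y has order q)
        return (pow(self.g, self.s, self.p) * y_inv_c) % self.p

    def respond(self, c):
        return self.s    # only passes if c happened to equal self.guess

def verify(p, q, g, y, t, c, s):
    """The key server's check: g^s == t * y^c (mod p)."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p

def run_protocol(p, q, g, prover):
    """One interactive round: commit, random challenge, response, verify."""
    t = prover.commit()
    c = secrets.randbelow(q)             # the server picks c only AFTER seeing t
    s = prover.respond(c)
    return verify(p, q, g, prover.y, t, c, s)

def simulate_transcript(p, q, g, y):
    """Build an accepting (t, c, s) without x: choose c and s first, solve for t.
    Real and simulated transcripts have the same distribution, so a transcript
    cannot leak x. That is property (b), the zero-knowledge part."""
    c = secrets.randbelow(q)
    s = secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, q - c, p)) % p     # t = g^s * y^-c
    return t, c, s

if __name__ == "__main__":
    p, q, g = make_group()
    honest = Prover(p, q, g, secrets.randbelow(q))
    print("honest prover accepted:", run_protocol(p, q, g, honest))
    t, c, s = simulate_transcript(p, q, g, honest.y)
    print("simulated transcript verifies:", verify(p, q, g, honest.y, t, c, s))
    print("cheater accepted:", run_protocol(p, q, g, CheatingProver(p, q, g, honest.y)))
```

The honest run shows property (a): the server accepts, and the cheating prover, who must fix t before seeing c, passes only if its guess of c was right (probability 1/q per round). The simulator shows property (b): since anyone can fabricate an accepting transcript without x, the real transcript the server stores reveals nothing about x. For the scheme Joe sketches, the open problem is expressing "this key decrypts this block to the expected phrase" as a statement of this kind; the protocol here proves only knowledge of a discrete logarithm.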
