# Intuitive cryptography that's also practical and secure.

Anton Stiglic astiglic at okiok.com
Tue Jan 30 22:52:41 EST 2007

I am not convinced that we need intuitive cryptography.
Many things in life are not understood by the general public.
How does a car really work: most people don't know but they still drive one.
How does a microwave oven work?

People don't need to understand the details, but the high level concept
should be simple:  If that is what you are trying to convey, I agree with
you.

I guess we could very well do with some cryptographic simplifications.  Hash
functions are one example.  We have security against arbitrary collisions,
2nd pre-image resistance, preimage resistance.  Most of our hash functions
today don't satisfy all of these properties:  "Oh SHA1 is vulnerable to
arbitrary collision attacks, but it is still safe against 2nd pre-image
attacks, so don't worry!"
Why do we need all of these properties?  In most cases, we don't.
Mathematical masturbation might be to blame?
Block cipher encryption.  How many modes of operation exist?  Some use a
counter, others need a random non predictable IV, others just need a non
repeatable IV?  Do we need all of this?
I often find myself explaining these concepts to non-cryptographers.  I'm often
taken for a crazy mathematician.

What is the length of a private key?  In 1024-bit RSA, your d is about 1024
bits.  But is d your private key, or is it (d,N), in which case there are
more than 1024 bits!  No, N is public, the known modulus, but you need it to
decrypt, you can't just use d by itself.  Oh, in DSA the private key is much
shorter.  You actually also need a random k, which you can think of as part
of your key, but it's just a one time value.  Are we talking about key
lengths, or modulus lengths really?

When you encrypt with RSA, you need padding.   With Elgamal, you don't need
any, complicated story.  And don't use just any padding.  You would be
foolish to use PKCS#1 v1.5 padding, everybody knows that right?  Use OAEP.
It is provably broken, but works like a charm when you encrypt with RSA!

Going back to the million dollar paranormal challenges:  Something like a
Windows SAM file containing the NTLM v2 hash of the passphrase consisting of
the answer might be something to consider?  Not perfect but...

--Anton

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Matt Blaze
Sent: January 26, 2007 5:58 PM
To: Cryptography
Subject: Intuitive cryptography that's also practical and secure.

I was surprised to discover that one of James Randi's "million dollar
paranormal challenges" is protected by a surprisingly weak (dictionary-
based) commitment scheme that is easily reversed and that suffers from
collisions. For details, see my blog entry about it:
http://www.crypto.com/blog/psychic_cryptanalysis/

I had hoped to be able to suggest a better scheme to Randi (e.g., one
based on a published, scrutinized bit commitment protocol).
Unfortunately I don't know of any that meets all his requirements, the most important
(aside from security) being that his audience (non-cryptographers
who believe in magic) be able to understand and have confidence in it.

It occurs to me that the lack of secure, practical crypto primitives and
protocols that are intuitively clear to ordinary people may be why
cryptography has had so little impact on an even more important problem
than psychic debunking, namely electronic voting. I think "intuitive
cryptography" is a very important open problem for our field.

-matt

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
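An added illustration (not code from either message): the difference between the dictionary-reversible scheme Matt describes, an unsalted hash of a short answer, and a standard hash-based commitment SHA-256(nonce || answer) with a fresh 256-bit nonce, which stays hiding even over a tiny answer space and is binding as long as the hash is collision resistant (the property Anton's hash-function discussion turns on). The candidate answer list is constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed toy answer space for a challenge whose secret is a short phrase
# (an assumption about the setting; a small space is what makes enumeration feasible).
CANDIDATES = ["red", "green", "blue", "seven", "ace of spades"]

def bare_hash(answer: str) -> str:
    """Weak scheme: an unsalted hash of the answer alone."""
    return hashlib.sha256(answer.encode()).hexdigest()

def commit(answer: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Commitment = SHA-256(nonce || answer) with a fresh 256-bit random nonce.
    Publish the digest now; keep (answer, nonce) secret until the reveal."""
    nonce = nonce if nonce is not None else secrets.token_bytes(32)
    return hashlib.sha256(nonce + answer.encode()).hexdigest(), nonce

def verify(commitment: str, answer: str, nonce: bytes) -> bool:
    """Reveal step: anyone can recompute the digest and compare it."""
    if len(nonce) != 32:  # a short nonce would make the commitment guessable again
        return False
    expected = hashlib.sha256(nonce + answer.encode()).hexdigest()
    return hmac.compare_digest(commitment, expected)

def guess_unsalted(target: str, candidates=CANDIDATES) -> Optional[str]:
    """Enumerate the answer space against a digest. Succeeds against bare_hash()
    output; fails against commit() output because the 256-bit nonce is unknown.
    That difference is the 'hiding' property."""
    for cand in candidates:
        if hmac.compare_digest(bare_hash(cand), target):
            return cand
    return None

def binding_holds(commitment: str, nonce: bytes, claimed: str, real: str) -> bool:
    """The committer cannot later open the same commitment to a different answer."""
    return verify(commitment, real, nonce) and not verify(commitment, claimed, nonce)

if __name__ == "__main__":
    weak = bare_hash("blue")
    strong, n = commit("blue")
    print("unsalted hash reversed to:", guess_unsalted(weak))             # blue
    print("commitment reversed to:", guess_unsalted(strong))              # None
    print("reveal verifies:", verify(strong, "blue", n))                  # True
    print("cannot switch answer:", binding_holds(strong, n, "red", "blue"))  # True
```

The reveal is the part a non-cryptographer can check by hand: recompute one hash over the published nonce and answer and compare it with the digest posted before the test.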