cleversafe says: 3 Reasons Why Encryption is Overrated

Jason Resch jresch at cleversafe.com
Mon Aug 10 13:14:00 EDT 2009


Zooko Wilcox-O'Hearn wrote:
>
> [dropping tahoe-dev from Cc:]
>
> On Thursday, 2009-08-06, at 2:52, Ben Laurie wrote:
>
> > Zooko Wilcox-O'Hearn wrote:
> >> I don't think there is any basis to the claims that Cleversafe 
> >> makes that their erasure-coding ("Information Dispersal")-based 
> >> system is fundamentally safer
> ...
> > Surely this is fundamental to threshold secret sharing - until you 
> > reach the threshold, you have not reduced the cost of an attack?
>
> I'm sorry, I don't understand your sentence.  Cleversafe isn't using 
> threshold secret sharing -- it is using All-Or-Nothing-Transform 
> (built out of AES-256) followed by Reed-Solomon erasure-coding.

I would define that combination as a threshold secret sharing scheme.  Noting, of course, what you said below: that it is a computationally secure scheme, as opposed to Shamir's information-theoretically secure scheme.

> The 
> resulting combination is a computationally-secure (not information-
> theoretically-secure) secret-sharing scheme.  The Cleversafe 
> documentation doesn't use these terms and is not precise about this, 
> but it seems to claim that their scheme has security that is somehow 
> better than the mere computational security that encryption typically 
> offers.
>
> Oh wait, now I understand your sentence.  "You" in your sentence is 
> the attacker.  Yes, an information-theoretically-secure secret-
> sharing scheme does have that property.  Cleversafe's scheme hasn't.
>

Recalling what the original poster said:
"Surely this is fundamental to threshold secret sharing - until you 
reach the threshold, you have not reduced the cost of an attack?"

Cleversafe's method does have this property: the difficulty in breaking the random transformation key does not decrease with the number of slices an attacker gets.  Though the difficulty is not infinite (as is the case with an information-theoretically secure scheme), it does remain fixed until a threshold is reached.

Jason

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
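
The construction debated in this thread (an all-or-nothing transform followed by dispersal into slices), as a minimal added sketch that is not Cleversafe's code and not part of the original message. It assumes SHA-256 in counter mode in place of AES-256 and a plain k-way split in place of Reed-Solomon, so the threshold here is all k slices; every function name is hypothetical.

```python
import hashlib
import secrets

def keystream(key: bytes, n: int) -> bytes:
    # Assumption: SHA-256 in counter mode stands in for AES-256.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def aont_package(data: bytes) -> bytes:
    key = secrets.token_bytes(32)                 # random transformation key
    body = xor(data, keystream(key, len(data)))   # encrypt under that key
    masked_key = xor(key, hashlib.sha256(body).digest())
    return body + masked_key                      # key is hidden behind H(body)

def aont_unpackage(package: bytes) -> bytes:
    body, masked_key = package[:-32], package[-32:]
    key = xor(masked_key, hashlib.sha256(body).digest())
    return xor(body, keystream(key, len(body)))

def disperse(package: bytes, k: int) -> list:
    # Assumption: plain k-way split instead of Reed-Solomon, so threshold == k.
    size = -(-len(package) // k)
    return [package[i * size:(i + 1) * size] for i in range(k)]

def recover(slices: list):
    # With every slice present, the key is unmasked and the data decrypts.
    if any(s is None for s in slices):
        return None
    return aont_unpackage(b"".join(slices))

def recover_with_guess(slices: list, missing: int, slice_len: int) -> bytes:
    # Below the threshold the holder must guess the missing slice (zeros here).
    # A wrong guess changes H(body) or the masked key, so the derived key is wrong.
    filled = [bytes(slice_len) if i == missing else s for i, s in enumerate(slices)]
    return aont_unpackage(b"".join(filled))

if __name__ == "__main__":
    secret = b"constructed sample plaintext for the AONT sketch " * 2
    slices = disperse(aont_package(secret), 4)
    print("all 4 slices:", recover(slices) == secret)
    for i in range(4):
        guess = recover_with_guess(slices, i, len(slices[i]))
        print("slice", i, "missing, plaintext recovered:", guess == secret)
```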