[Cryptography] Squaring Zooko's triangle

Peter Fairbrother zenadsl6186 at zen.co.uk
Wed Sep 11 16:58:18 EDT 2013

On 11/09/13 12:23, Paul Crowley wrote:
>  From the title it sounds like you're talking about my 2007 proposal:
> http://www.lshift.net/blog/2007/11/10/squaring-zookos-triangle
> http://www.lshift.net/blog/2007/11/21/squaring-zookos-triangle-part-two
> This uses key stretching to increase the work of generating a colliding
> identifier from 2^64 to 2^88 steps.

That part is similar, though I go from 80 bits (actually 79.3 bits) to 
100 bits; and a GPG key fingerprint is similar too, though my mashes 
are shorter than either, in order to make them easy to input.

There is another difference: mashes are easy to write and input without 
error - the mash alphabet only has 31 characters; A-Z plus 0-9, but 0=O, 
1=I=J=L, 2=Z, 5=S. If one of those is misread as another in the subset 
it doesn't matter when the mash is input. Capitalisation is also irrelevant.

However the main, big, huge difference is that a mash isn't just a hash 
of a public key - in fact as far as Alice, who doesn't understand public 
keys, is concerned:

It's just a secure VOIP number.

Maybe she needs an app to use the number on her iphone or googlephone. 
And another app to use it on her laptop or desktop - but the mash is 
your secure VOIP number.

Or it's a secure email address.

Or it's both.

Alice need not ever see the "real" voip IP address, or the real email 
address - and unless she's a cryptographer and hacker she simply won't 
be able to contact you without using strong authenticated end-to-end 
encryption - if the only address she has for you is your mash.

Contrast this with your proposal, or a PGP fingerprint. In order to use 
one of these, Alice has to have an email address or telephone number to 
begin with. She also has to find the key and compare it with the hash, 
in order to use it securely - but she can use the email address or 
telephone number without ever thinking about downloading or checking the 
public key.

That's just not possible if all you give out is mashes.

It's looking at the mash as an address, not as a public key or an 
adjunct to a public key service - which is why I think it's kind-of 
turning Zooko's Triangle on its head (I had never heard of ZT before :( 
- but I know Zooko though, hi Zooko!).

Or maybe not, looking at the web I see ZT in several slightly different 

But it probably is turning the OP's problem - the napkin scribble - on 
its head. You don't write your email and fingerprint on the napkin - 
just the mash.

-- Peter Fairbrother
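
The input rule described in the message above (confusable characters treated as equal, capitalisation ignored), sketched as an added example that is not from the original post or its author. The choice of canonical symbol per group, the ignored separators and the sample mashes are assumptions made for illustration.

```python
import string

# Confusable groups exactly as listed in the message: 0=O, 1=I=J=L, 2=Z, 5=S.
# Assumption: the first symbol of each group is used as the canonical form.
CONFUSABLE_GROUPS = ["0O", "1IJL", "2Z", "5S"]

# Assumption: spaces and dashes are only visual grouping and are dropped.
IGNORED = " -"


def build_table():
    """Map every accepted input symbol to its canonical symbol."""
    table = {c: c for c in string.ascii_uppercase + string.digits}
    for group in CONFUSABLE_GROUPS:
        for c in group:
            table[c] = group[0]
    return table


TABLE = build_table()

# The groups as listed collapse 36 symbols into 30 classes; the message
# states 31, so the real mash alphabet may differ from this reconstruction.
CANONICAL_ALPHABET = sorted(set(TABLE.values()))


def canonicalize(mash: str) -> str:
    """Return the canonical form of a typed or hand-copied mash."""
    # Reject non-ASCII first: str.upper() can expand characters
    # (for example the German sharp s becomes "SS").
    if not mash.isascii():
        raise ValueError("non-ASCII character in mash")
    out = []
    for ch in mash.upper():
        if ch in IGNORED:
            continue
        if ch not in TABLE:
            raise ValueError(f"character {ch!r} is not in the mash alphabet")
        out.append(TABLE[ch])
    return "".join(out)


def same_mash(a: str, b: str) -> bool:
    """Compare two mashes the way an input field would: after canonicalizing."""
    return canonicalize(a) == canonicalize(b)
```

Canonicalizing before any lookup or comparison means a misread `O` for `0` or `l` for `1` on the napkin still resolves to the same address, while a character outside the alphabet is rejected rather than silently dropped.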
