[Cryptography] open questions in secure protocol design?

ianG iang at iang.org
Fri May 29 21:24:04 EDT 2015

On 30/05/2015 01:08 am, Tony Arcieri wrote:
> On Fri, May 29, 2015 at 7:30 AM, ianG <iang at iang.org
> <mailto:iang at iang.org>> wrote:
>         PGP to 2.6.
> Oh god... no, strongly disagree.
> $ gpg --gen-key
> gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.

Out by 18 years - that's gpg, not pgp.  2.6 was marked for demise in 
1997 when pgp5 was released to the world.  Those crazy Dutch.

Which latter pgp5 had the new shiny algorithmic agility upgrade, dammit.

> Please select what kind of key you want:
>     (1) RSA and RSA (default)
>     (2) DSA and Elgamal
>     (3) DSA (sign only)
>     (4) RSA (sign only)
> Your selection?
> ^^^ this is an unusable mess

A+ agree.  It should be RSA only.  They should have dropped the rest 
after the patent expired.  Those crazy Germans.  I see you agree in 
follow-on post.  But this:

> The idea of "One True Ciphersuite" complicates the elimination of
> outmoded ciphers that should no longer be supported.

Huh?  What is this?  Blame the victim?  I am pretty sure the author of 
gpg isn't blaming me because he can't get rid of DSA/Elgamal ;)

>         Skype
> Proprietary protocol. No comment. (I dislike proprietary protocols and
> they're harder to have opinions on since their internals are obscured)

Well.  That isn't to deny that it worked, and it worked well, and it 
walloped the competition, and and and.  In some part, Skype's success 
was due to the fact that the engineering of the protocol was not weighed 
down by costly practices.

> My understanding is they abandoned end-to-end encryption, FWIW.

Post 2009, possibly.  I'm assuming that the audit report from about 2006 
is indicative until about 2009.  Those crazy Americans.  It wasn't the 
engineers that decided to do that, for the beautification of the protocol.

>         Bitcoin
> Strongly disagree. I have a long-form comment on this as part of this
> blog post (see "A Bitcoin Crypto Meltdown")
> http://tonyarcieri.com/the-death-of-bitcoin

Except, you changed the topic.  Coming back to the topic ... do you 
disagree that Bitcoin uses one alg for each function?  Oh wait, your 
post is about how you agree that it's only using one alg.

Your real disagreement is that you don't like that it is using one 
alg, and predict it will therefore melt down :)

So, we're now dividing along the lines of FUD.  If what you fear comes 
true, you're right, but there's always a version change.  If what you 
fear doesn't come true, I'm right, but there's always tomorrow.

    "How can Bitcoin avoid these sorts of attacks in perpetuity?"

Actually, I suspect regardless of our views, Bitcoin is locked into the 
1TCS for now.  Because if they add another algorithm, it is totally 
worthless until every client has got it.  Which to paraphrase Peter 
"will make them think."  And we will benefit from the experience.

>         Silent Circle [0]
> Proprietary protocol. No comment.

So, just on that proprietary "no comment" it may be that we end up 
deciding that where algorithm agility has to be used, and 1TCS can't be 
used is ... protocols written jointly in WGs.

But that's not the same as protocols approved in WGs, protocols written 
by a leader in a WG, protocols written by a corp then published, and etc 

