[Cryptography] Chaum Has a Plan to End the Crypto War

Jerry Leichter leichter at lrw.com
Thu Jan 7 16:20:17 EST 2016


> The sum of which seems only to bolster my original argument:
> 
> Chaum may be one of the worst things that has happened to cryptography.

Actually, Chaum may end up having done us a favor.  I've only skimmed the paper, but the essence of it is to separate the expensive operations out.  So you get a pre-computation phase which does public key operations, and a real-time phase that uses the pre-computed values repeatedly to do fast, secure routing.

There's nothing magic about the use of 9 forwarding nodes; the algorithm works fine for any n.  There's inherently no requirement that you use *the same set of nodes each time*.

Tor is fully transparent to someone who controls all the nodes - exactly as is the case for cMix.  The difference is that Tor uses a whole bunch of nodes, and you pick some small number to do your forwarding.  *Your* particular forwarding is fully transparent to someone who controls *all* the nodes you picked.  We just assume that there are enough "good" nodes in Tor that an opponent is unlikely to control all the ones you chose.  As far as I can see, the exact same thing could be said of cMix.

Looked at another way:  If you want a Tor that has a "golden key", simply build one with all nodes under the control of people who will respond to "appropriate" demands from LE/spying agencies.  So ... nothing really new in the "golden key" proposal, just Chaum looking for publicity (and doing the damage others have noted along the way).

On the other hand, the algorithms themselves appear to be quite worthwhile.  I expect others will pick up the ideas - if they are good - and will build systems that have the good features of cMix without layering over it the "transparency" stuff.

BTW, this is another of those "provably secure if problem P is hard", which of course is no more useful than the strength of the evidence that P is, indeed, hard.   Here, P appears to be the decision-Diffie-Hellman assumption for prime order cyclic groups.  But based on a quick search, DDH is known *not* to be hard in those groups!  Perhaps I'm not understanding his assumptions, or not applying them correctly to the known results.
                                                        -- Jerry
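
The DDH question in the last paragraph turns on which group is meant. As an added illustration (not part of the original message or of the cMix paper), the standard Legendre-symbol test below distinguishes DDH tuples in the full multiplicative group Z_p^* but has zero advantage in the prime-order subgroup of quadratic residues; the toy safe prime and all function names are chosen for this example.

```python
import random

# Constructed toy parameters, far too small for real use: safe prime P = 2*Q + 1.
P, Q = 2879, 1439

def legendre_is_qr(x):
    """Euler's criterion: x is a quadratic residue mod P iff x^((P-1)/2) == 1."""
    return pow(x, Q, P) == 1

def find_generators():
    """Return (g, h): g generates all of Z_P^* (order 2Q), h = g^2 has prime order Q."""
    for g in range(2, P - 1):
        # With P = 2Q + 1, any non-residue other than P-1 has order 2Q.
        if not legendre_is_qr(g):
            return g, pow(g, 2, P)
    raise ValueError("no generator found")

def looks_like_dh(A, B, C):
    """Guess whether C = g^(ab) given A = g^a, B = g^b, using residuosity only.
    g^(ab) is a residue exactly when A or B is one (i.e. when a*b is even)."""
    return legendre_is_qr(C) == (legendre_is_qr(A) or legendre_is_qr(B))

def advantage(gen, order, trials=4000, seed=1):
    """Estimate Pr[accept | real tuple] - Pr[accept | random tuple] in <gen>."""
    rng = random.Random(seed)  # seeded so the demo is repeatable; not for key material
    real = rand = 0
    for _ in range(trials):
        a, b, c = (rng.randrange(order) for _ in range(3))
        A, B = pow(gen, a, P), pow(gen, b, P)
        real += looks_like_dh(A, B, pow(gen, a * b, P))
        rand += looks_like_dh(A, B, pow(gen, c, P))
    return (real - rand) / trials

if __name__ == "__main__":
    g, h = find_generators()
    print("full group Z_P^*  (order 2Q):", advantage(g, 2 * Q))
    print("QR subgroup       (order Q) :", advantage(h, Q))
```

In the full group the test accepts every real tuple and about half of the random ones, so its advantage is close to 1/2; in the order-Q subgroup every element is a residue and the test carries no information.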