From: Jim Gillogly <jim@rand.org>
Date: Sat, 14 May 94 16:08:22 PDT
To: cypherpunks list <cypherpunks@toad.com>
Subject: In defense of paranoia in cryptography
Message-ID: <9405142308.AA00589@mycroft.rand.org>
MIME-Version: 1.0
Content-Type: text/plain


Yes, excessive paranoia is inefficient.  For example, assuming that NSA
is godlike could lead people to choose 4K-bit RSA keys, with the associated
penalty, when 700 bits or so would be plenty for the near term.

However, a successful cryptographer must be cautious at a level that would
be judged paranoid in more civilized communities.  A trusting
cryptographer would accept arguments about how many more keys this new
system will accept than there are atoms in the universe (like simple
substitution, for example, which allows for 26! different keys).  A
non-paranoid user of PGP would use a shared UNIX system for all business,
since only trusted users and the very rare cracker have access to that
system.  A non-paranoid cryptographer would put her password into her
autoexec.bat file.

If you need cryptography, it's because you have enemies.  In a world of
sweetness and light, it doesn't matter if everybody knows everything about
you, because they won't take advantage of that knowledge.  In the real
world, your data and identity have value, and people may be willing to
expend resources to acquire some of that value.  You need to estimate how
much exclusive use of your data is worth to you, how much your
hypothetical enemies are willing to spend to get access to that data, and
how cheaply you can defend against that attack.

It's been observed that a good programmer will look both ways when
crossing to a one-way street.  I'll observe that a good cryptographer
will not only look both ways, but will also look up and down.

	Jim Gillogly
	Trewesday, 23 Thrimidge S.R. 1994, 23:05