From: an41418@anon.penet.fi (wonderer)
Date: Tue, 16 Nov 93 16:30:57 PST
To: cypherpunks@toad.com
Subject: All our eggs in one basket?
Message-ID: <9311170026.AA04421@anon.penet.fi>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

As cryptography and cryptographic techniques are developed,
we tend to put more and more trust in them. It is probably
not a bad idea to step back from time to time and ask
ourselves if the risks are still reasonable.

There is no better example of this than digital cash.
Many techniques have been proposed for this as for
other applications. It is usually not long before someone
finds a critical flaw in the various implementations
under consideration. The consequences are usually a loss
of confidentiality or embarassments. For example, in the
early days of Julf's remailer people came up with surprizing
new ways to defeat it, and the consequences were that some
identities were revealed and we all marvelled at how this
hole had escaped us until that point.

Digital cash is another ball game. Before any scheme is
adopted we need total confidence in the security of the
cryptographic algorithms, protocols, and implementation
details. We need a risk analysis to tell us exactly what
will happen if two principals collaborate or the bank
cheats etc... Schemes such as Chaum's are provocative,
but what if 2 years after a digital cash scheme is
implemented, someone publishes an easy way to defeat
it or cheat? The consequenes could be total chaos.

Think of the mental poker problem. A solution was
given that seems reasonable. However, someone showed
that by taking certain properties of the encryption
technique, a bit of information could be learned that
would compromise the integrity of the system. In mental
poker, no big deal, we stop playing poker. What would happen
if your bank suddenly told you that it had no proof that
you really had an account there?

Wonderer


-----BEGIN PGP SIGNATURE-----
Version: 2.3

iQBVAgUBLOkFlx1kTJuroDD9AQEnpgH9GNMpcbjnwDzoNFdhPw5wTBdUQolvCAxk
r643e/qOjnnlsL99IazAhCnTucRbaOm/v50HcwPcP2698UYWAX1GTg==
=Ud6i
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.