Key safety vs Backup : History of a bad day (key-restoration problem)
Atom Smasher
atom at smasher.org
Sun Oct 28 13:53:00 CET 2007
On Sun, 28 Oct 2007, Robert J. Hansen wrote:
> At this point it's abundantly clear to me that you've never learned how
> Shamir's scheme works. I don't know how to make a case for Shamir's
> scheme to someone who doesn't care how it works, only that their
> prejudice is that it's bad.
>
> So far I have given you references to PGP Corporation's use of it, to
> Don Knuth's inclusion of it in _The Art of Computer Programming_, to how
> fourth-graders in rural Iowa are using it to keep secrets from their
> teacher. It's mentioned quite favorably in _Applied Cryptography_,
> _Practical Cryptography_ and the _Handbook of Applied Cryptography_.
>
> At some point, I have to call a halt to it. If you value warm fuzzies
> over math, if you trust James Bond gadgetry ideas over solid and proven
> algorithms, then there's nothing I can say to that.
=====================
not having a particular aptitude towards higher math, and not being fluent
at programming C are more reasonable criticisms of me. i have a very good
understanding of most crypto primitives, protocol wise, but i often have
to take it for granted the math does what it's supposed to.
i can pick from a few one-time pad applications that do pretty much
exactly what i want, and produce real-world verifiably and provably secure
output. i'm not about to write an application that implements a secret
sharing protocol, but if someone else writes one that's open source i'd be
interested in checking it out.
in the meantime, i consider the vernam cipher a very reasonable and
practical way to implement secret sharing.
you've mentioned, and i've agreed with you, several reasons why OTP sucks
as an encryption algorithm. but other than referring to it as "James Bond
gadgetry" you haven't given any reason not to use it for secret sharing,
other than your own flavor of warm and fuzzy which seems to be that
another algorithm was designed just for secret sharing and 4th graders can
use it.
after a few minutes of googling - http://point-at-infinity.org/ssss/
i'll check it out.
still, the _only_ reason not to use OTP for secret sharing is that it
doesn't work as a threshold (t,n) scheme. the only way around that is to
make sure that each share is held by more than one player... with shares A
B and C; alice holds shares AB, bob holds shares BC, charlie holds shares
AC. if any one of them gets hit by a bus, the secret can still be
recovered. problem solved.
maybe some 4th graders can understand the math behind shamir's secret
sharing but *i* can understand (and prove and verify) the math behind
vernam's cipher... and understanding the math certainly adds to the warm
and fuzzy feeling.
--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
God is dead. - Nietzsche 1882
Nietzsche is dead. - God 1900
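The AB/BC/AC arrangement from the post above, written out as an added example (this is not code from the original message, from GnuPG, or from the ssss project): a Vernam/XOR split into three shares where each holder is handed two of them, so any two holders together hold all three shares and can recover, while a single holder is always missing one uniformly random share. Holder names and the sample secret are constructed for the demonstration; the general n-share form is assumed to follow the same pattern.

```python
import secrets
from typing import Dict, List


def xor_all(blocks: List[bytes]) -> bytes:
    """XOR an arbitrary number of equal-length byte strings together."""
    out = bytes(len(blocks[0]))
    for b in blocks:
        if len(b) != len(out):
            raise ValueError("share length mismatch")
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def split_xor(secret: bytes, n: int = 3) -> List[bytes]:
    """Vernam split: n-1 uniformly random pads, plus one share equal to the
    secret XORed with all of them. Every one of the n shares is needed."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(xor_all([secret] + shares))
    return shares


def distribute(shares: List[bytes], holders: List[str]) -> Dict[str, Dict[int, bytes]]:
    """Holder i gets every share except share (i-1) mod n, which reproduces the
    post's assignment for n=3: alice AB, bob BC, charlie AC. Any two holders
    between them hold all n shares, so losing any single holder is survivable."""
    n = len(shares)
    if len(holders) != n:
        raise ValueError("one holder per share")
    return {h: {j: s for j, s in enumerate(shares) if j != (i - 1) % n}
            for i, h in enumerate(holders)}


def recover(bundles: List[Dict[int, bytes]], n: int) -> bytes:
    """Pool the shares the present holders bring and fail loudly if any share
    index is still missing (a lone holder always hits this branch)."""
    pooled: Dict[int, bytes] = {}
    for b in bundles:
        pooled.update(b)
    missing = sorted(set(range(n)) - set(pooled))
    if missing:
        raise ValueError(f"cannot recover: missing share index(es) {missing}")
    return xor_all([pooled[i] for i in range(n)])


if __name__ == "__main__":
    # constructed sample secret and holder names
    secret = b"constructed sample key material"
    bundles = distribute(split_xor(secret, 3), ["alice", "bob", "charlie"])
    print(recover([bundles["bob"], bundles["charlie"]], 3) == secret)
```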