[13193] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: my take on "PCP"

daemon@ATHENA.MIT.EDU (Ralf Senderek)
Sun May 4 11:31:58 2003

X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sun, 4 May 2003 17:17:35 +0200 (CEST)
From: Ralf Senderek <ralf@senderek.de>
To: <cryptography@metzdowd.com>
In-Reply-To: <871xzeer94.fsf@snark.piermont.com>

On 4 May 2003, Perry E. Metzger wrote:

> Ralf is very well meaning, but I think that anyone who invents their
> own hash functions and puts them into a program that is expected to be
> used by real people without first publishing them and subjecting them
> to real world analysis first should not be trusted.

I never tired to convince anyone to just trust the hash. Instead I
presented it to the list for criticism. Still I haven't got much
criticism with respect to the hash function. I thank all who replied
to the subject.


> They are in the
> same category as people giving just invented experimental drugs to
> humans without first testing them on other living things. No matter
> how well meaning, they are likely to cause serious damage.

The PCH does make sense (if any) only within PCP, I haven't released
the full code as it is in preview mode. I do not intend to advocate
the use of PCP without "real world analysis". But I had to produce
an implementation to see if it can be done and if it is not too slow.
(BTW it isn't). So I don't see that I am likely to cause harm and I
may reject your accusation.


> As for the motivation for not using a member of the SHA family or
> something similar, there is no excuse. You can know that an
> implementation of SHA-1 is correct, pretty trivially, by the fact that
> it interoperates. If it passes a test suite and others can duplicate
> what it does, it is almost certainly SHA-1. The damage if it failed --
> lack of interoperation -- would be immediately obvious to a user.

Seeing it work well does not mean that I can understand it.

> There is no security gain whatsoever in picking something with a
> "smaller implementation" in this instance. There is, however, a
> substantial risk that a brand new basement-brew hash function will be
> insecure.

I do see this risk as well. That's why I asked the list for expertise.
What the hell is wrong with that?

> Even if you had a proof of security,

I don't have any and I never claimed to have one.

> publication would be
> needed so others could check your proof -- "proven" security systems
> have been broken in the past following publication.
>
> If you do not recognize why all this is, you probably should not be
> writing security critical systems.

It's amazing to see what an amount of unfair imputation is caused by
just thinking in a different direction.

Ralf.



*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <ralf@senderek.de> http://senderek.de  * What is privacy *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960       *     without     *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *   Pure Crypto?  *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post