[144711] in cryptography@c2.net mail archive
RE: cleversafe says: 3 Reasons Why Encryption is Overrated
daemon@ATHENA.MIT.EDU (Jason Resch)
Tue Aug 11 10:37:27 2009
Date: Mon, 10 Aug 2009 12:14:00 -0500
In-Reply-To: <C1E06B9C-506C-4F95-9C6F-236C941E2E61@zooko.com>
From: "Jason Resch" <jresch@cleversafe.com>
To: "Zooko Wilcox-O'Hearn" <zooko@zooko.com>,
"Ben Laurie" <ben@links.org>
Cc: "Cryptography List" <cryptography@metzdowd.com>
Zooko Wilcox-O'Hearn wrote:
>
> [dropping tahoe-dev from Cc:]
>
> On Thursday, 2009-08-06, at 2:52, Ben Laurie wrote:
>
> > Zooko Wilcox-O'Hearn wrote:
> >> I don't think there is any basis to the claims that Cleversafe
> >> makes that their erasure-coding ("Information Dispersal")-based
> >> system is fundamentally safer
> ...
> > Surely this is fundamental to threshold secret sharing - until you
> > reach the threshold, you have not reduced the cost of an attack?
>
> I'm sorry, I don't understand your sentence. Cleversafe isn't using
> threshold secret sharing -- it is using All-Or-Nothing-Transform
> (built out of AES-256) followed by Reed-Solomon erasure-coding.

I would define that combination as a threshold secret sharing scheme. Noting, of course, what you said below: that it is a computationally-secure scheme, as opposed to Shamir's information-theoretically secure scheme.

> The resulting combination is a computationally-secure (not
> information-theoretically-secure) secret-sharing scheme. The Cleversafe
> documentation doesn't use these terms and is not precise about this,
> but it seems to claim that their scheme has security that is somehow
> better than the mere computational security that encryption typically
> offers.
>
> Oh wait, now I understand your sentence. "You" in your sentence is
> the attacker. Yes, an information-theoretically-secure
> secret-sharing scheme does have that property. Cleversafe's scheme hasn't.
>

Recalling what the original poster said:

"Surely this is fundamental to threshold secret sharing - until you reach the threshold, you have not reduced the cost of an attack?"

Cleversafe's method does have this property: the difficulty in breaking the random transformation key does not decrease with the number of slices an attacker gets. Though the difficulty is not infinite (as is the case with an information-theoretically secure scheme), it does remain fixed until a threshold is reached.

Jason
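
The construction the thread discusses (an all-or-nothing transform followed by dispersal into slices), as an added sketch that is not part of the original message and is not Cleversafe's code. Assumptions: a SHA-256 counter-mode keystream stands in for AES-256, plain k-of-k striping stands in for Reed-Solomon erasure coding (so there are no redundant slices), and all function names are hypothetical.

```python
import hashlib

KEY_LEN = 32  # 256-bit random transformation key


def _keystream(key, n):
    # Assumption: SHA-256 in counter mode stands in for AES-256.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def aont_package(data, key):
    """Encrypt data under key, then append the key masked by a hash of the ciphertext."""
    body = _xor(data, _keystream(key, len(data)))
    return body + _xor(key, hashlib.sha256(body).digest())


def key_from_package(package):
    """Unmask the key; this needs every byte of the ciphertext body."""
    body, tail = package[:-KEY_LEN], package[-KEY_LEN:]
    return _xor(tail, hashlib.sha256(body).digest())


def aont_unpackage(package):
    body = package[:-KEY_LEN]
    return _xor(body, _keystream(key_from_package(package), len(body)))


def disperse(package, k):
    # Assumption: k-of-k striping; Reed-Solomon would add n-k redundant slices.
    return [package[i::k] for i in range(k)]


def reassemble(slices):
    k = len(slices)
    out = bytearray(sum(len(s) for s in slices))
    for i, s in enumerate(slices):
        out[i::k] = s
    return bytes(out)
```

With any slice missing, the hash over the ciphertext body cannot be computed, so the masked key in the final block stays masked and the holder of the remaining slices is left with ciphertext under an unknown 256-bit key.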