> I propose a new C-JPEG format, which consists of a regular JPEG which is
> encrypted with a public RSA key (as of Sep 24), N times with the
> same key, and the private part of the key is prepended to the file in
> plain, unprotected with the passphrase.
>
> N is chosen so that a machine 10 times faster than the fastest on the
> market (so today it would be a 10 GHz something) takes at least 1
> second to decrypt the data (remember, it's not PGP - the whole image is
> encrypted with RSA).
>
> The average consumer waits 20 secs for viewing.
>
> Massive scanning of all traffic becomes impossible.

Not a bad idea, ignoring the fact that nobody will do anything with
it...

Another way to do the same thing is to just use DES to encrypt the data,
and reveal all but 20 or 30 or 40 bits of the key.  The decryptor now must
do an exhaustive search of all those bits before he finds the right key.
The number of bits can be chosen to make it take as long as needed.
This way the sender has the advantage that he doesn't have to grind
through the calculation.  His work is practically nil.

A variant is to use the Time Release Crypto concept of Rivest et al.
http://theory.lcs.mit.edu/~rivest/lcs35-puzzle-description.txt.  This is
similar in that the sender has a shortcut that lets him calculate the
result quickly, while the receiver has to run a long calculation.
The difference is that the calculation is designed to be hard to
parallelize.  The attacker will have to run it sequentially and can't
speed it up by throwing a bunch of machines at it.

This however is not that much of an advantage for the goal of thwarting
traffic scanners, because that problem already has high intrinsic
parallelism simply in that there are a large number of streams that the
eavesdroppers might want to monitor.  Rivest's trick forces them to use
at most one machine per stream, but if they already had more streams
than machines, it doesn't buy much.

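An added example, not part of the original post: a toy version of the time-release puzzle referenced above, showing the sender's shortcut through phi(n) next to the receiver's t sequential squarings. The primes, the secret, the function names and the choice to mask the secret by addition mod n are assumptions made for this illustration, and the modulus is far too small for real use.

```python
# Toy time-lock puzzle in the style of the Rivest et al. construction.
# All parameters are constructed for this example; a real puzzle uses
# large secret random primes so that n cannot be factored.
P = 1_000_000_007   # well-known prime, toy size
Q = 998_244_353     # well-known prime, toy size


def make_puzzle(secret: int, t: int, p: int = P, q: int = Q):
    """Sender side: knowing p and q, compute w = 2^(2^t) mod n cheaply."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 0 <= secret < n:
        raise ValueError("secret must be in [0, n)")
    e = pow(2, t, phi)      # reduce the huge exponent 2^t modulo phi(n)
    w = pow(2, e, n)        # Euler's theorem: equals 2^(2^t) mod n
    z = (secret + w) % n    # mask the secret with w
    return n, t, z          # published puzzle; p, q and phi stay private


def solve_puzzle(n: int, t: int, z: int) -> int:
    """Receiver side: without phi(n), square t times, one after another.

    Each squaring needs the previous result, so extra machines do not
    shorten the work for a single puzzle.
    """
    w = 2
    for _ in range(t):
        w = w * w % n
    return (z - w) % n


if __name__ == "__main__":
    key = 0xC0FFEE1234      # constructed 40-bit sample secret
    puzzle = make_puzzle(key, t=200_000)
    print(hex(solve_puzzle(*puzzle)))
```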