The problem is that the amount you need to teach someone in order to explain all the intricacies of a complex subject like cryptography means that it is otherwise completely impenetrable without making some inaccurate simplifications.There’s a similar problem in physics - schools still teach Newton’s laws, even though they are wrong - because they are a sufficient approximation for many uses.The problem is of course when people assume what they’ve learnt at that early level is sufficient to work with at a level that is above their knowledge - but I’m not sure what the solution to that is.

 I think there's a difference between simplifying and saying things that are wrong.You can teach people Newton's mechanics and say "this is a good approximation with a marginal error for most everyday examples, the correct way of calculating it involves very complex things."I feel the example I quoted regarding signatures is something that's not really a useful information anyway. That the RSA function works both ways for signatures and encryption is more of a fluke and not really someting you need to tell people when you explain the basics of public key crypto.
 Wow, I had never considered the conceptual difference between signing and encrypting.In the abstract 'encrypt with the private key' is a totally meaningless sentence for assymetric encryption. The entire point of a public key is decryption not encryption.I do however believe that textbook RSA signing is secure in the simplest model. It is incredibly malleable but (especially when modeling the hash as a PRF) prevents forged signatures. In that sense I'd equate calling it secure to newtonian mechanics without friction and with perfect elasticity. That is, it forms a simple teaching model, and can inform an intuition on how things work. However, no-one should build things based on the model and expect it to come out correctly.
 The problem is that RSA is somewhat unusual in that it does not really distinquish between public and private keys and the primitive operation is invertible by doing the same thing with the opposite key. That means that encrypt/decrypt/sign in the textbook aproach are essentialy the same primitive operation and verify is trivial extension.For most of other asymetric algorithms the primitive operation is DH-style key agreement function and the derived encryption and signature constructs are significantly more involved and in fact there isn't that much of an symetry between them. (and also the plain asymetric encryption operation gets somewhat pointless)
 If you want to keep things simple, then surely it is better to keep silent than to say things that are wrong.

Applications are open for YC Summer 2019

Search: