Slashdot Mirror
Optical Cryptography
chill writes: "In Cryptonomicon, Neil Stephenson wrote about Bell Labs' research into using static, or chaotic signals to mask communications. A message would be generated, then the signal masked in noise. Someone on the other end would subtract out the noise to get the signal. Works great if both ends have the exact same noise. Now, Jia-ming Liu, professor of electrical engineering at UCLA, is giving a presentation on doing essentially the same thing using OC-48 (2.5 Gbps) optical circuits. The presentation will be at the upcoming Optical Fiber Communications Conference and Exhibit. There is an article covering this and some other nice advances in optical over in Wired."
You could also image doing this with regular any noise and random observations. Like solar observations, for instance or other space observations. Could even be based on traffic to specific web sites....
-Sean
If you're interested in how they syncronize the noisy lasers, here is a shortcut to the non-linear faq... a bit of easy evening reading for your enjoyment.
so how is this any different than steg
where a message is hidden in noise (the image) then when the image (noise) is subtracted the message appears.
are we still trying to re-invent the wheel here or am i missing something ?
Maybe I'm completely off here, but if you're using noise interference, wouldn't that be sort of wasting bandwidth? This is a cool technology, I wonder if there would be a way to mask a signal and at the same time run multiple signals, so you could essentially split the information through a long pipe (like the laser) using the chaotic noise, and each would be able to be filtered out (at some sort of router) and sent to various places accordingly. Seems it would be much more efficient to carry information that way.
You could also image doing this with regular any noise and random observations. Like solar observations, for instance or other space observations. Could even be based on traffic to specific web sites....
The trick to all noise-masking techniques is for YOU and YOUR PARTNER to have the same set of noise and NOBODY ELSE to have it.
Use a well-known public noise source and a link to that source becomes the key which decrypts all your traffic.
Oops!
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Is it just me, or can almost any post on ./ be linked eventually to _Cryptonomicon_? Anything, for that matter?
Or is it just that I'm studying World War II?
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
Cryptonomicon was an amazing book, on par with Neuromancer. Hopefully though, testing will migrate from OC48 to something a wee bit cheaper, as most of us don't have $100 an hour to spend on that sort of connection. Cryptography is cool. IT has always been at the forefront of both theoretical mathematics and computer science.
Sig (appended to the end of comments you post, 120 chars)
a One Time Pad?
OTP: person a adds agreed upon random noise to the plaintext. person b subtracts the same random noise from the cyphertext.
This: person a adds agreed upon random noise to the singal. person b subtracts the same random noise from the encrypted signal.
Seems the only difference is what level of the stack you apply the OTP.
This is essentially a one-time pad cipher where the pad is the length of the message and then (in the digital world) they XOR the pad with the message and send them both. For fiber optics, they probably do a similar transform, but instead of XOR they probably just a straight add, modulo some appropriate number.
--sam
--sam
Any technology distinguishable from magic is insufficiently advanced.
When talking about a digital signal, how is "noise" going to be the medium of "encryption". I mean reguardless of what "analog" noise you shove down the pipe, the digital signal still gets there right? Or are we talking about some other method?
Sig rhymes with Fig
This laser encryption technique is certainly cool, and it will likely be outlawed as a possible terrorist weapon.
The thing I've been thinking about lately is the march of technology. What has happened in the past couple years that has been especially noteworthy? Not much. Maybe digital photography, but everything else has simply been refinements of existing technologies (like this encryption scheme mentioned in the article).
Sure, everything gets better. But what is new? We seem to have stepped into a technological black hole where all we seem to discuss is the legalities of software construction and have stopped creating cool new technologies.
The internet is new. Digital photography is cool. I'm sure you could name a couple more things that you feel is really cool. However, how much more of the latest and greatest is merely just old but improved?
Are we at the the end of this technology branch?
But that does bring up what I think would be an advantage to a system like this in that the bad guy doesn't have to know when you're getting your message and and is able to intercept it. If you can only recognize the message after dycrypting it than you can make it by having scheduled messages sent and only you and your partner know when and where they are. The bad guy is left with his special decoder ring and about a zillion random letters.
I stole this Sig
Isn't this an analouge to the way quantum encryption works? i.e. the forces that be in between source and destination interfere with the stream.
Is this quantum encryption's working model?
SIGERR: laziness exceeds quota
Great... now the RIAA/MPAA will be breathing down our necks for bypassing "noise-based-encryption" protection schemes every time we shield an audio or network cable...
This just looks like another way to hide a needle in a haystack. I believe there would be a couple ways to get around this:
The voice module for some of the high end (25+ CD) Pioneer CD changers is able to hear your voice even if the music is blasting. It does this by taking the music that's playing and mixing it into the microphone preamp 180 degrees out of phase, cancelling out most of the music. This isn't perfect, but I've seen it work, and I'm sure it can be adapted to do the same thing here. In fact, any imperfections may even help, due to the fact that you can (probably) tune it and pick up the real signal out of the mess.
Brute force. How random is this random noise? If you can create a similar noise generator, all you have to do is filter out 80% of the crap, and you'll be able to grab the signal. It's like picking out the flashlight from a group of strobes. It's a PITA, but once you cover most of the strobes, you can see the flashlight.
Get a life!
This is called traffic masking, and is a useful, known tool. However, it can also be viewed as security through obscurity, typically a bad thing. (tm)
However, if the source for the private key is hard enough to guess, you have a very good approximation to a random signal. There is no algorithm that can be broken using mathematical or computational means.
(The private key can be formed from the number of characters in each of the small ads in The London Times, the rainfall in selected countries, etc.)
Of course the safest way is always to use a truly random sequence of numbers known only to the sender and recipient, but the problem is that the sender and recipient then have to exchange keys through some other secure channel.
I think that's a very good idea, quantaman (making cracking attempts harder by sending a lot of fake messages).
;)
Of course, it wastes bandwidth, and somebody may be downloading the messages with a modem...
Right. And as soon as I get an OC-48 connection, I'll implement this.
Isn't this a bit like 2048-bit encryption? Sure it's a good idea, but the technology requirements are a bit excessive.
-raph
The encryption in cryptonomicon was a one time pad. The pad was implemented as a record, but the concept was the same. The fact that the conversation could only last as long as the record and each record was only used once is indicative.
But then, perhaps the lasers could be considered an infinite one-time pad? Of course, if anyone else is listening to the synchronisation codes, couldn't they themselves end up with a synched laser too?
As a form of encryption, this doesn't appear (to me) to be incredibly useful to the average person. It doesn't secure the communication, only the physical connection between the two points. However, it would work for keeping snooping foreign governments from listening in on international traffic on submarine cables. Or nasty pirates from splicing themselves into the cable TV network...
Where are the keys in this proposal?
:-( )
And if they'll stay synchronised, doesn't that mean they're not chaotic? (or all the butterflys are dead
So, barring everyone having a nice radioactive source and Geiger counter on a serial connection, why not just use some shit like public key encryption, which is a rather clever way of (to steal from the mantra) exchanging secure data over an insecure channel?
This is One Time Pad and the similar story seems to be submitted almost every month on Slashdot. The idea is decades long, inpractical and safe.
Maybe someone should educate the people that choose story submissions so that they will start ignoring these stories about old things.
This form of chaotic synchronizing communication works by a dynamical systems property. It seems like magic but it is not really.
It relies on the effect of chaotic synchronization. That sort of amazing fact that even though you can have a dynamical system that is continuously unstable in 'some degrees of freedom' making up the chaotic system the combination system of transmitter and receiver can still be stable in the 'transverse' direciton to the synchronization manifold.
All communication systems work by synchronization whether implicitly or explicitly. Here you will explicitly have chaotic oscillators as both transmitters and receivers. Yes, radio is like this too, you have a linear oscillator in the transmitting tower and an oscillator in your RF circuit in your receiver and their electric fields will synchronize the receiver's oscillator to the transmitter.
The trick is how to add in modulation and demodulation that does not destabilize the system and still permit reconstruction of the transmitted information.
All chaotic systems essentially have some sort of nonlinear feedback. The trick that seems to work very frequently with optical dynamics is to mix in some of the transmitted signal coming over the channel with the self-regenerated system at the receiver. In previous work with fiber optic ring laser it really was literally mixing optical signals, in the thing I did it was mixing in electro-optic electrical feedback signals; more like mixing intensities.
It turns out that a fairly generic form of dynamics often seems to work.
I worked on this project from a theoretical modeling level with Jia-Ming Liu's group at UCLA.
(We're at UCSD not UCLA).
I'm not sure what this new work is about but in the version that I did there was no significant role for the dynamics or properties of the fiber optics in the creation of the chaos or the demodulation.
It will a very significant amount of engineering to make this fully practical and find all the good properties but that's true for every advance.
Hm... I don't think it's any more "security through obscurity" than PGP is.
Yes, public key encryption is the best solution, unless you work for a security agency (or are so paranoid you believe you are :).
Oh yeah...Johnny Mnemonic! Yeah, when he was picking random images for the data to encrypt it. I find it strange that something from such a mediocre movie gets to actually be applied as technology. (Then again, the whole point of the movie was its neat ideas.)
Why didn't somebody think of this before?
Zodiac Survey
I would like to bring to the attention of my fellow Slashdot readers some troubling news: Linux is being used by Al Qaeda, Abu Sayyaf, and other terrorist organizations with equally cool sounding names as an affordable and powerful tool for purposes of recruitment, passing coded messages regarding planned terrorist operations, and other insidious purposes. I will attempt to show some of the more obvious proofs I have discovered to back up my arguments.
references to the WTC buildings, again in the Linux kernel source code (in the drivers/scsi directory).
commit suicide bombings.
I am sure I have only scratched the surface of this disturbing conspiracy. I strongly urge the Slashdot readership to support American companies such as Microsoft who only hire patriotic American citizens and to boycott any company which is involved with Linux (as they are directly supporting terrorists). I sincerely hope the CIA or FBI can look into the actions of
open source developers. People like Linus Torvalds should be taken into custody and have all assets seized.
Act now before it is too late!
Really, all encryption is open to decryption. What one thing is unique to any object? Its location. Say you incorporate a unique location key, and specify your destination's unique location key, a message key, and a confirmation key. You send your message... recipient is validated by GPS and given access to message key to generate request for confirmation key via satellite. Sure, nothing is 100%, but this type of system would likely be way, way less hackable than typical internet trasnmission.
Just a thought.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
You can still see Churchill's phone at the Cabinet War Rooms in London. I don't know if Roosevelt's phone is in a museum or not.
Was this the thing mentioned in Cryptonomicon? I can't remember.
That is very interesting, mbkennel.
So you mean there is a chaotic system A at the sender's end, and another chaotic system B at the receiver's end, of the same type?
And that they would diverge if left to themselves, but are continously synchronized with each other, so both A and B generate approximately the same signal (the same "sequence of encryption keys", if this had been digital encryption).
And that an eavesdropper, with his own chaotic system C, cannot synchronize it with A and B?
Hmmm, how bout instead of using optical cryptography how bout using the photons for quantum cryptography?
We had a link with the British in the War that would use a disk of noise to overlay a signal on top of communications that would be un scrambled on the other side by the same wheel running on at the same time. The more things change, the more they stay the same.
Check out the NSA's explanation
Previous Slashdot Story
How would this compare to quantum crypto? It seems like if you know the circuits, you could build another and then try to sync it, so it probably isn't near as strong the quantum stuff.
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
How does one hide messages in reandom noise, though? Would it work to LZ-compress them, to make them appear random?
LZ+Huffman (i.e. deflate, the core of gzip and pkzip) works, but you get more compression in a Burrows-Wheeler based scheme such as bzip2. More compression => more entropy per coded symbol => more resistance to known plaintext attacks.
Will I retire or break 10K?
Taco will be in a very difficult situation at his work if they remove unrestricted internet access...
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
You are correct in that the records were one time pads containing random noise, but Sigsaly was digital, not analog.
/. story
NSA Paper
This technique is actually very old, though it wasn't used bit by bit. You're inserting null terms into the cypher stream. Prior to modern cryptological methods nulls were fairly popular, but the technique has fallen into disuse because of its increasing the message size, and because 1:1 stream cyphers are SO much more convenient. Besides, the new cryptosystems are unbreakable, right? Right?
Even having a small multiple of nulls to significant elements increases the complexity of calculation exponentially. For example, a 1:1 proportion of null bits in 512-bit blocks. The result is a 1024-bit blocked key stream. You can't do any sort of intelligent analysis of the stream unless you can figure out which bits are significant, and there are 2^512 possible permutations of significant and garbage bits for each block.
> The result is a 1024-bit blocked key stream.
Key stream? Duhhhhh... data stream.
If I understand what you are saying, there wouldn't be a key at all with this form of encryption but instead the noise generated by the hardware would mask the communications, unless the reciever had the same hardware. However, isn't this essentially security by obscurity? If an attacker was able to figure out how your hardware worked, either by some sort of sophisticated analysis or by stealing the information, he would be able to decrypt all of your communications.
It would seem to me that this encryption is less useful then schemes which use one-way algorithms, such as public key cryptography. While these can be attacked by brute force, it is easy to make the encryption strong enough that brute-force is impractical even for a government. This leaves them vulnerable only to key-stealing which can be guarded against by regularly generating new keys.
So all in all, I am not sure I see the use in this. It might be useful for ubiquitous encryption because it adds no lag to the process do to it's unique relience on hardware, but I am not sure why ubiquitous encryption on the network level is useful, anyway. It might be useful for governments, but I doubt it for the reasons I gave above. I can't see any way it would be useful to cypherpunks and the like...
Anybody care to explain to me in more detail what this is useful for?
Yes, the actual encryption being performed is similar to a OTP. That's not the news here, though. The problem with OTPs has always been how to generate and distribute the pads. Typically, this requires transmission via some separate secure link (for instance, a courier), and leaves you with a limited amount of pad-- once you run out, you need to go through the whole rigamarole again.
This is a technique by which a key can be generated and distributed without that messy step. In the end, the data's basically being put through the same encryption process as one would use with a OTP, but it's being done with a random signal that's being generated on the fly over a wire between two geographically separated points, but is (ideally) still secure even if somebody eavesdrops.
Quantum cryptography is another example of a nifty concept that (in the end) relies on the old OTP technique. A random signal is generated and measured in two different places by measuring quantum characteristics of entangled particles. This is the cool part. Then that signal, which is truly random, can't be intercepted, and doesn't require a courier to deliver, is used as a OTP, which is the bread-and-butter part.
You might as well criticize a story on the development of fusion powered cars because the car still rests on old-fashioned wheels... which've been around for sooo many years.
That's close enough for slashdot!
For communication it is one-way synchronization with unidirectional coupling, not the mutual coupling which is more well known in math and physics.
The important point is that the chaos and the 'keys' and the message can all be combined nonlinearly.
Eavesdropper C would need the same chaotic system with the same settings up to some tolerance. Notice that robustness to attack is thus inversely proportional to tolerance to mismatch.
The issue of security is not directly addressed by chaotic communication.
Chaos may be an opportunity to do things other than classical encipherment. It may be like CDMA spreading a signal over a wider frequency band. It may allow you to use cheaper devices or those running past their "normal" tolerance bounds if the requirement for linearity is no longer a factor. It may mean lots of different things; the general point is a greatly increased flexibility and the potential to try widely different kinds of transmission methods. Linear signal transmission is kind of boring, there's AM, FM and minor variations upon those.
However, it may be that some digital ciphers have properties similar to chaotic systems and people are starting to investigate this connection at a different level. that is more mathematics now than communications engineering.
Yes, some variant of Lempel Ziv compression is "universal".
It doesn't mean that it is superior for finite length data sets, and it may be that BWT and subsequent coding is also universal.
And yes, there are other compression schemes that are essentially better. Lempel-ziv has a certain approach to the entropy rate for certain reasonable classes of sources, markov models.
That rate is not as good as it could be---there is a theoretical limit (Rissanen) that says how good any estimator could get.
There *ARE* compression algorithms that do achieve that limit, and LZ does not, and they are proven to be universal too. (Context Tree Weighting).
They are not used in commonly available hacker-tool programs because they run slower than gzip or bzip2 right now. But the professionals know about them.
One of the classic mistakes is creating your own cryptographic algorithm when perfectly good ones will suffice.
AES/Rijndael is FAST in hardware, a $10 FPGA can do counter mode encryption, fully key agile, at 1.3 Gbps. Why create an algorithm dependant on chaotic laser behavior when you know that you can get cheap encryption which is secure in available hardware.
Test your net with Netalyzr
There's a couple things to be aware of in this system. First, it does not increase the amount of information sent. Here's an example:
Here's the message: 0 1 1 0 1 0 0 1
Here's the noise : 1 0 1 1 0 1 0 0
Then XOR them : 1 1 0 1 1 1 0 1
Notice that the message does not get any longer by encrypting it. As long as you know the noise, then you can take the XORed result and find the original message.
Another problem is that a lot of noise isn't really random. If the noise isn't random, then the message can be decrypted. For example, if there is a tendency for the noise to have a pattern or there are long series of 0's, the original message can be decripted without the "noise key". Very few physical processes are actually random (not hits on a website, not sunspots). One of them that is random is radioactive decay.
It stands to reason that if some data needs to be transfered from point A to point B to get the synchronization started, then that data needs to be secured. How do you secure that without a SECOND set of codes, which also need to be secured, ad infinitum. Of course, you could just physically deliver the codes, but if you are doing that, you could just physically deliver the secret messages you wanted to send in the first place, right? As cool as I think this is, it still doesn't seem to be enough.
"Your superior intellect is no match for our puny weapons!"
Really, it's just a One-time-pad. If you want to create one time pad security without all the hassle, you use a high-order Linear Feedback Shift Registers.
Just change the ModeLines line in your XF86Config to a series of random numbers...
rr
Quidquid latine dictum sit, altum videtur.
PRNG stream cyhpers use a Pseudo-Random Number Generator to generate a stream of noisy data to obscure the plaintext. How is this technique any different? You still have to communicate the initial state of the noise source before you can communicate, just like PRNG stream cyphers. There's no real difference; this reminds me of what Jeff Goldblum's character in Jurassic Park said, "I'm not a mathematician, I'm a CHAOTICIAN!".
If they can figure out how your hardware worked, this wouldn't necessarily let them decrypt your communications. If they can figure out the settings, well, you are screwed as much as if you left your keys somewhere insecure. However, it seems the only time they are vulnerable to that getting nicked is during the brief synch phase and it is not possible after that.
This isn't quite my bag, but it seems this is essentially a OTP of possibly infinite length which doesn't require you to send the entire pad to the other guy. The only way to break a OTP(if it is truly random) is to have the OTP and the only way to get the OTP is steal it from one of the parties or if they reuse it. If the pad is infinite and random, all you can do is hope they have to resynch sometime and be waiting for it.
Yes, you can read all about it right here.
A double encryption scheme. Both parties mask the data with the 'noise' of a Vanilla iCE CD. Crypto 1: Noise Crypto 2: Any potential hackers are so annoyed by the music, they give up!
But OC48s are still kinda expensive, even though their cheaper cousin, Gigabit Ethernet, has come down to $150 for a PCI board.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The main similarity is that you need to have a dedicated fiber just to talk encrypted to somebody, which makes both methods impractical for real applications. But quantum crypto gives you a guarantee about whether somebody's able to read your bits or not, and this method doesn't.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
By contrast, a theoretical one-time pad is theoretically provably uncrackable - if you really do have uncorrelated random bits for your pad, and you really only use them once, it's perfectly secure, and even knowing N-1 bits of a message tells you nothing about the other bit. In practice, source of random numbers aren't always perfect, and sometimes people cheat and reuse pads - the NSA's "Venona" crack of Soviet crypto primarily succeeded due to rampant reuse of pads by sloppy crypto users, though I think they also found some non-randomness in the pads that they could exploit a bit. But this optical system guarantees that if you know the initial conditions, you can use the first N-1 bits of a message to predict the next one, and sometimes you may be able to deduce those initial conditions closely enough to crack the system.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
mbkennel's posting has some good discussion on it. Chaotic crypto has usually been cracked any time anybody's seriously attacked an implementation of it, and this approach sounds like it's designed to be *easier* to crack than the average chaotic system, but it's still interesting stuff.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What is new about this?
It just replaces the pseudo random number generator with a some hardware. Like that hasn't been done before.
Anal sex! It's what's for dinner.
using a truely random source of data is not like using a chaotic system. Chaotic systems are vulnerable to having their initial starting positions quessed by brute force methods, once the algorythm used to generate the chaotic system is found.
If something were random and mutually obserable, then a message could be passed between two points mixed with the random noise and unmixed on the receiving side then it would look like random noise all the time.
You wouldn't even know when a signal was being transmitted through the line.
This is exactly how a one time pad works and has all the limitations of that method.
i.e. If the enemy finds out the source of the random noise then you are screwed. Same as if they find a book of your one time pads laying around.
This sounds like Direct Sequence Spread Spectrum over a wire. Essentially you XOR a pseudo-random sequence with the signal. In DSSS the signal rate is much lower than the PRS. The PRS can be as random seeming as you like, even cryptographically generated i would imagine, but it cannot be truly random unless you have an out of band way to communicate the randomness. Usually the spreading is accomplished with a linear feedback shift register sequence that will repeat at regular intervals.
One useful side effect is that you can use two or more different sequences on the same band (or wire) the two underlying signals do not interfere with each other (or not to a great extent).
Anyway it looks like this professor has managed to create the optical equivalent of a linear feedback shift register with two matching lasers.
Prof Alan Shore has done some work simmilar to this at Bangor university
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Holy moose! Give me your time!
This sounds a lot like the method that GPS satellites use to be able to all transmit on the same frequency. As I understand it, each uses pseudo-random noise as a carrier. The GPS unit knows the algoritms and parameters behind each of the satellites' noise, and is thus able to filter out the signals, which all share the same frequency range.
-me
Love many, trust a few, do harm to none.
This technique is very simmilar to the one know as "spectrum widening", only that this new technique saves a lot of bandwith. Of course, there's a big problem: how do both sides get the same noise signal?
Spectrum widening consists on "dissoluting" the original signal (i.e. a 1 MHz signal) into a larger one (i.e. a 100 MHz signal). This way, information is distributed thru the whole 100 MHz spectrum and you get shielding against noise and big resistance to spyers.
The first name of the cyberpunk writer Stephenson is
--
If you moderate this, then your children will be next.
I'm puzzled....why does a security firm need something else?
"Someone on the other end would subtract out the noise to get the signal. Works great if both ends have the exact same noise."
I know some older folks who think that two people with "Metallica - Injustice for All" have the same noise. Is this what they are referring to here? &^}
But seriously, if two people have 'the same noise' and use it to decrypt, it can't possibly be considered noise. It become a signal. No two ways about it. Think people
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
If anyone's interested, there's a pretty good sci-fi novel called Signal to Noise by Eric S. Nylund that deals, in part, with this same subject. I'd recommend it. It's a bit dense, much like Neuromancer, but worth the read.
-- Hobbits suck!
Any of you use a cellular phone? A CDMA one? Your phone uses the same technology. It's called Direct Sequence Spread Spectrum.
The problem with cryptography 40 years ago, as I understand it, is that when you wanted to talk to someone else you had to send them your key. This key had to be kept absolutely secure because anyone who had access to it could read your messages.
The wonder of asymmetric encryption meant that (public) keys could be sent by normal mail, email, or even posted on a big billboard on your house just so long as it got distributed.
"Noise" encryption means that both sender and receiver have to have the same type of noise, otherwise they can't subtract it. So this noise (the key) has to be given by the sender to the receiver. Bang! Asymmetric encryption. And once you've used it once, you may as well carry on using it because if it's weak, you've broken the security, and if it's strong, it's.... strong.
There's the additional problem that the noise has to be as long as the cypher (lengthy keys) or repeated (insecure).
But anyway. IANASE.
It sounds like you're describing CDMA, which is a commercial technology for cell-phones, from qualcom.
No, I didn't mean "security firm". I meant a security agency like CIA or MOSAD.
128-bit public key encryption might not be enough for their secret messages.