1024-bit RSA keys In Danger Of Compromise?

antiher0 writes "According to an email from Lucky Green that came across bugtraq yesterday, 1024-bit encryption should no longer be considered pristine. Bernstein released a proposal that outlines the creation of a machine capable of breaking 1024-bit crypto on the order of minutes or even seconds for the measly cost of ~$1B USD. For a more thorough discussion, check out the original email." Update: 03/26 03:16 GMT by T : And don't forget to revisit Bruce Schneier's analysis of Bernstein's claims, which cast doubt on the practicality of breaking such large keys anytime soon.

Billion

[brodiedreamyou.ca]

Ah whats a cool billion between friends

Re:Billion

[DEBEDb]

The point is, what's $1B to a major government?

Re:Billion

Or $.5B to someone will to wait another five minutes

Re:Billion

[spike+hay]

2,048 bit encryption!!!

Anyway, I think people are being too paranoid about the guvament.(pronounce in brain as paraniod Idahoan KKK heavily armed militia seperatist guy)

You think they would use a 1 billion dollar machine to see your internet credit card transaction to purchase a gay beastial midget pr0n website subscription?

No, they aren't going to use this on weirdo perverts like yourself. They will use this to decrypt important things, like Taliban and PLO communications and whatnot.

Anyway, its not like crackers, with malicious intent, would go buy themselves a 1 B dollar supa-puter to intercept your midget pr0n transaction.

So quit being paranoid, and go back to jacking off to your gay beastail midget pr0n. :-P

Re:Billion

[eg0n]

good one =)

$1Billion

[UnifiedTechs]

for the measly cost of ~$1B USD.

Is the company you work for hirring? God I wish I could call a billion dollars measly!!

Re:$1Billion

[Mittermeyer]

When carrier battle groups, air wings, army divisions and the fate of nations are on the line, $1 billion for total SIGINT access is cheap indeed.

Break out those one-time key pads and pigeons, boys, the government will own your electronic crytposouls before you know it.

Re:$1Billion

[joe90]

It *is* a measly sum - as the email says - how many government agencies have this sort of funding? More than just a couple of US agencies that's for sure.

Assuming the email is correct (and having read it, it does't seem to be that incredible) That $1B investment gets you the infrastructure, systems and processes to routinely break 1024 bit keys (and therefore the contents of the encrypted payload) in a fairly short order.

Since many people believe that a 1024-bit key is essentially uncrackable today, tomorrow and next century, 1024-bit keys are still going to be popular.

If an organisation can amortise the cost over 3-4 years (which is the likely life of short (1024 or smaller) keys). That gives you quite a return on investment.

If that $1B allows you to break one key every 5 minutes, over a 4 year period, you can break ~420,000 keys - which works out to a cost of less than $2500 per key. If you can intelligently target who's keys you wish to compromise, the benefits could be significant.

Re:$1Billion

[Mr.+Flibble]

It *is* a measly sum - as the email says - how many government agencies have this sort of funding? More than just a couple of US agencies that's for sure.

Exactly.

For those of you who would like a breakdown of how a system like this would work, you may want to read Cracking DES by the Electronic Frontier Foundation. (Note, this book is out of print, but the EFF has made versions available online.)

It discusses building a computer from scratch that can crack DES quite fast. This same principle can be applied to any brute-force technique. And if the cost is $1Billion now, it will be considerably less in a few years.

Re:$1Billion

That's still less than the cost of a single B2 bomber.

Re:$1Billion

[Gerdts]

Sounds like a business plan. Let's go find some VCs!

Re:$1Billion

[gmplague]

What I think people don't realize is that it is usually far easier to obtain the private key to these encrypted files than it is to crack them. While I agree this is quite a big feat, it is still easily imaginable if you ask me.

Re:$1Billion

[joe90]

Often it is easier to obtain the private key without resorting to a brute force or cracking mechanism.

But if the cost of brute forcing a key does come down to a couple of thousand dollars and a five minute turn-around time (computing-wise), then the brute-force method becomes the easiest method for gaining they key in question.

Re:$1Billion

[conradp]

If that $1B allows you to break one key every 5 minutes, over a 4 year period, you can break ~420,000 keys - which works out to a cost of less than $2500 per key. If you can intelligently target who's keys you wish to compromise, the benefits could be significant.

Now here's the scary part. Once they've made the $1B investment to break terrorist encryption, do you really think they'll have 420,000 encrypted messages from terrorists sitting around waiting to be cracked? No, but they're going to have to find something to crack with all those spare CPU cycles to justify their expenditure...

But it does appear that the claims have been exaggerated and that the ability to break 1024-bit encryption is still a long way off.

Re:$1Billion

[Shanep]

Or move to 4096bit.

Don't forget, every bit added, doubles the strength.

4096 != 1024*4

My HP 48GX says:
2^1024=1.79769313486E308
2^4096=9.99999999 999E499 (which it also says for 2^1661, which seems to be the overflow point).

4096 is 2^3072 times stronger

; )

Re:$1Billion

[ssimpson]

The NFS factoring algorithm is subexponential - adding a bit doesn't even nearly double the strength.

Re:$1Billion

I'm sure Curly would love to sell them $1 Billion worth of Marvels, although I'm equally sure that BG will do everything he can to stop it. Just think - financial independence for Compaq could be just a contract away, and it will probably never happen.

But, even with $100M worth of Marvels, a 1024-bit key would be an endangered species in no time at all.

Oh, well, trust Carly and Curly to fuck things up for the gummint by kowtowing to a convicted felon.

Walter was right!

Re:$1Billion

[Shanep]

Sorry, I was only speaking of bit depths in general for current variable or future algorithms that support those high bit depths.

I was thinking of adding "this assumes the algorithm can realise the full...blah blah"

Re:$1Billion

[ssimpson]

We are discussing the NFS as used to solve the DLP/ IFP. NFS in this situation for any "bit depths" (key lengths?) is subexponential.

Re:$1Billion

You were thinking that you knew what you were talking about, but you don't. Just admit it. You sound like a total dick otherwise.

Re:$1Billion

[mvdwege]

$1 billion for total SIGINT access

I never realised that pressing ^C was that expensive...

Mart

Re:$1Billion

[joe90]

Now here's the scary part. Once they've made the $1B investment to break terrorist encryption, do you really think they'll have 420,000 encrypted messages from terrorists sitting around waiting to be cracked?

It's actually scarier than that too - it's not 420,000 messages, it's 420,000 keys, which means that once they get a copy of the messages (can any one say echelon?), it's a trivial exersize to decrypt any intercepted messages using one of the 420,000 keys.

Additionally, the reason you use a large key is to protect your payload from prying eyes (or for trust) for the length of the time that the payload is of value or requires non-repudiation (in most commercial cases, this is seven years, for military or intelligence cases, I'd bet it is more like 30 - 50 years) -which is not necessarily the length of time that it is being transported from one location to the other.

But what's a measily $1B for a government agency?

[dongkiru]

And how much is Bill Gate worth now?

I'm sure I've heard this somewhere before...

[darkwiz]

Here?

Re:I'm sure I've heard this somewhere before...

[RollingThunder]

Not quite.

This is about professionals (Banking security) getting together and talking about the ramifications of DJB's idea.

It's not 100% new, but it's not 100% recycled either. Of note is the fact that $1B is not out of their league ($2B satellites are standard items), and that they would be irresponsible to NOT have done this already.

It's more data, take it or leave it as you will.

Re:I'm sure I've heard this somewhere before...

[darkwiz]

Well, I'll give you that, but that would make this a slashback, or something like that. The headline "1024-bit RSA keys In Danger Of Compromise?" is old news.

previously reported

[Roadmaster]

The basis for this story was on slashdot almost a month ago. A repeat? something derived from the previous story's information? the key point here is Bernstein's paper on factoring huge numbers, about which some people have commented, and which appears to "work out" on a mathematical level.

Re:previously reported

[bourne]

It seems to me that this story is hitting slashdot because, well, it hit slashdot.

The original was passed around a few small mailing lists, where it got some comment but nothing big. Then it hit slashdot a month ago, and the number of places I saw it popping up increased. I also saw a story about DJB cranking at some reporter for misunderstanding the exact nature of the information, which tells me that someone thought it was suddenly big enough to have a reporter look into.

And now, perhaps based on all this "publicity," Lucky Green or whoever is setting up discussion of it at some conference and revoking his old key. Note that he didn't do it a month ago, when the story was on all the crypto lists - presumably the more attention it got, the more real it became.

Maybe I'm off base here, but I think this is one of those examples of the media gestalt manipulating and being manipulated by the media consumers - the story had to get big before it could be taken seriously, and it had to be taken seriously before it could get big... and the slashdot story a month ago was probably one of the bigger steps along the way.

The slashdot effect... It isn't just for websites anymore!

a billion here, a billion there

[estes_grover]

for the measly cost of ~$1B USD.

Does this mean for $2B they could crack the 2048 bit key?

Re:a billion here, a billion there

[nneul]

No. for $2B it would work on a 1025 bit key. (Give or take, presuming there isn't any funky parallelism that yields more than a doubling in performance for a doubling in dollars.)

Re:a billion here, a billion there

[alphaseven]

Does this mean for $2B they could crack the 2048 bit key?

No, it's $1B for 1024-bit keys, $2B for 1025-bit keys. At least that's my guess.

Re:a billion here, a billion there

[nneul]

Actually, I guess that's not entirely true... it's not really a brute force keyspace, so you'd get more than 1 bit for the doubling in cpu, but you wouldn't get double the bits.

Re:a billion here, a billion there

Yup. Assuming it's linear, the machine to crack 2048 bit would cost $10^18, or a billion billion dollars.

Re:a billion here, a billion there

[doooras]

how many bits will they get for a shave and a haircut these days?

Re:a billion here, a billion there

[JesseL]

Wow! So if I only need to crack 128-bit keys I only need to spend something like $1.93831e-258! I can't wait to get started.

Re:a billion here, a billion there

right, if it was a symmetric algorithm that is. practically all public key algos are significantly easier to break. (though at the moment ec comes close, 2 bits more for doubling the effort. but that doesn't guarantee that there won't be any breakthroughs while it is quite easy to come up with practically uncryptanalyzable symmetric algo [just stacking all known ciphers after each other for example would make it quite hopeless])

Re:a billion here, a billion there

[psamuels]

Wow! So if I only need to crack 128-bit keys I only need to spend something like $1.93831e-258! I can't wait to get started.

<grin> Yeah, if you can find any 128-bit RSA keys you want to crack. When I first used PGP v2.x back in 1994 or so, the key lengths you could generate were 512, 768 (recommended for ordinary folk) and 1024 ("military-grade"). Not sure if PGP has ever supported or recommended a mere 128-bit private key....

Re:a billion here, a billion there

No no no no...that is not how it works.

You would need 1.e+9216 billion dollars. ;-)

I would of got first post......

[Swix]

but the FBI cracked the 1024 bit encrytion on my box and I was being questioned all day about me using decss to search for (using cat recogniation aligrims (sp?)) those single frame ads in popular movies convincing that "Microsoft is not an monopoly".

Re:I would of got first post......

You win the prize today for "Weirdest Troll"

Price depreciation

[raelitycheckbounced]

The 33mhz laptop I bough in 1991 cost $4000 now its worth about $10, my pentium celery cost $2000 when I firstgot it... 2 years later I could get them for less than $500 from my freindly backyard chinese junk dealer.

At this rate I think this machine should be afordable in around 5 years...

Re:Price depreciation

[jtra]

The 33mhz laptop I bough in 1991 cost $4000 now its worth about $10, my pentium celery cost $2000 when I firstgot it... 2 years later I could get them for less than $500 from my freindly backyard chinese junk dealer.

At this rate I think this machine should be afordable in around 5 years...

It is not that easy. This is not like PC market. This is not about economy of scale. There will be actually only few mashines built in 5 years. And since producing this at large quantities cannot be done and does not make sence, the price will be almost same as high as now is now (or the price guess, now).

However it is true that we should increase key length. (Imagine a beowulf cluster of these ... :-)

Re:Price depreciation

[Abreu]

Of course the whole idea of people actually having a computer in their homes is completely absurd.

There is a global market for around 5-6 computers.

((hint, hint, someone at IBM said something along these lines a few years ago))

Re:Price depreciation

[martyn+s]

He's not referring to the economies of scale effect of building many many 1B dollar computers. He's referring to Moore's Law, and what it states about the exponential growth in computing power per unit currency.

Re:Price depreciation

[arivanov]

In this case you would not.

What Schneider has overlooked that the machine in question is not a general purpose parallel machine. It is a specialised simple numerical unit matrix with flat memory architecture. Such beasts with up to 2^16 CPUs have already been designed and have been used for more then 10 years in processing of satellite data. All that is needed here is to up the numerical capabilities of the singele unit, up the number and up the memory interface bandwidth. It is something that can realistically be done in 3-5 years.

Still, it will remain a relatively specialised beast. The specialised 2^16 parallel hardware used for sat image processing has not depreciated over the last 10 years. Neither will this hardware because it will not become a commodity.

What is more worrying is that bernstein's model is close to the hardware model of the latest cray proposal (large number of CPUs on flat memory). And this is a commodity machine that money can buy now to be delivered tomorrow. It will not give you as much as the 1B price tag specialised hardware but it is sure worth a try.

Re:Price depreciation

[billstewart]

While it's not going to be on the same price curve as high-volume PC production, there are still Moore's Law effects here - the price/performance of FPGAs and ASICs keeps decreasing as technology improves, and the price of smaller-width chip design keeps improving. The real question is whether the development of this sort of machine can piggyback on other hardware development, plus how motivated is the NSA to build it as further research indicates whether or not it will be really useful...

It's funny, laugh. (IHNRTA)

That's okay.

I'm certain that qcrack will be poorly documented and require the addition of 5,000 users to whatever supercomputer it happens to operate properly on.

Then DJB will speak incessantly about how it differs from other encryption cracking techniques with its "modular design" (which is actually the application of many patches in order to obtain features found in most SMTP daemons, err cracking programs). Yeah.

(Disclaimer: I love qmail.)

Re:It's funny, laugh. (IHNRTA)

[suso]

(Disclaimer: I love qmail.)

That's probably because you haven't tried postfix yet. I thought qmail was the bomb too until I discovered postfix and realized how bad the logging is in qmail.

Re:It's funny, laugh. (IHNRTA)

[jeek]

QCrack? Isn't that the software used to crack the old Quake Shareware CD?

I have the plans...

Just need the cash.

Now, where to get a billion dollars.

Re:I have the plans...

ASk the bank?
Then virtual break into the bank with your nice new computer?

Extra!

[cethiesus]

This just in! Encryption not perfect!

(gasp)

Re:Extra!

Got a better idea?

Cheap.

[perdida]

You got a great machine to be built w/taxpayer dollars on the cheap and quick.

It is way easier for you to move up a few orders of magnitude of encryption than for them to build a machine that can crack it.

However, this will mean a bigger supercomputer for all kinds of numbering tasks - basic research and math, physics, and astronomy will eventually benefit.

Re:Cheap.

[Jmstuckman]

"However, this will mean a bigger supercomputer for all kinds of numbering tasks - basic research and math, physics, and astronomy will eventually benefit."

No it won't. If I remember correctly, the original paper was on building a factoring machine. We would have a huge factoring machine, not a general-purpose computer.

ummm, repost?

[pcgamez]

Isn't this related to http://slashdot.org/article.pl?sid=02/02/26/179206 &mode=thread

Maybe link it on the main page?

Swordfish

$1 billion to break RSA encryption in under a minute?

All you really need is a gun, a prostitute, and Hugh Jackman. ;)

Not just 1024 bit keys!

Eminet would have us believe that certain classes of much larger keys are vulnerable.

Break my crypto for $1B?

[brer_rabbit]

Don't waste your money. I'll sell my company's secrets for a fraction of that.

Re:Break my crypto for $1B?

[SuperCal]

Actually that's a very good point. At some point it does become more economical to buy off a person on the 'inside' of what ever organization you want to get secrets from... Hell I'd sell my personal secrets for a $1.50. Of course I don't have anything worth mentioning except my infatuation with girls with southern accents... oops well there's a freebie.

Re:Break my crypto for $1B?

[archen]

The flip side to that is that sometimes people won't reveal secrets because they'll end up very dead. So in other words if you can't do it the old fashoned way (and bribe the person), you'll actually have to work to get at those secrets. Dropping $1B on a dedicated cracking machine is a goverment level thing anyway (like they probably don't have one or two already...).

Re:Break my crypto for $1B?

[suso]

This would be an interesting Slashdot poll. "How much do you consider your most sensitive data to be worth?"

$1
$100
$1000
$10000
$100000
$100000000
Mo re than Cowboy Neil has.

Re:Break my crypto for $1B?

lol, man I wish I had mod points sometimes.. that's the funniest thing I have read all day.

Re:Break my crypto for $1B?

[Chicks_Hate_Me]

haha, I have the same infatuation with girls with southern accents. All the people I know think it's annoying, but I think it's pretty damn arousing (This is what Northern California does to a man...errr boy.)

Re:Break my crypto for $1B?

[a_n_d_e_r_s]

Think the last option should be

More than Cpwboy Neal i.e. $3.14.

It's more nerdish.

Re:Break my crypto for $1B?

[Sloppy]

For Slashdot, shouldn't it be "More then Cowboy Neil has"?

Been all over SecurityFocus Already.

[vkg]

Here's the link to their write up, commenting on Bruce Schneier's take No Big Deal .

Anyway, we all know they've been reading our sekrit kees by telepathy for years now, right?

RC5-64 challenge

How does it relate to the RC5-64 challenge? Hmmm. Millions of killowatt hours were donated to the RC5-64 cracking project. Now if that money were donated directly, a machine could have been built instead. RC5 is only 64 bits so it would be trivial to crack it with a dedicated machine.

Re:RC5-64 challenge

[damiam]

RC5 is not a public-key algorithm and has nothing to do with factoring, so this is irrelevent. Factoring is of importance only to RSA and similar algorithms.

3072 Bit for me!

[ImaLamer]

I felt like 4096 was too much so I went up to an almost weird number.

I hate to sound like an asshole

[Profane+Motherfucker]

But I generally try to get my news and 'forward looking statements' from someone whose name isn't "lucky green". But what the fuck? To each his own, eh?

Would this be a solution?

[SClitheroe]

If you can come up with a brute force approach to common encryption schemes, could you not stay one step ahead of something like this by utilizing multiple layers of encryption, with differing methods of encryption at each level?

Give that a brute force attack is orders of magnitude more computationally intensive than the original encryption, would this allow you to stay ahead of the curve?

Also, although the papers seem to indicate that the proposed system could try multiple forms of attacks on the encrypted data, would modifying or customizing the encryption algorithm at each layer of encryption help? Computers are great at brute force attacks, but I highly doubt a system such as this proposed one can do much in the way of analysis or reverse engineering of the encryption algorithms used...at some point, you'd have to resort to good old (and slow) human deduction...

Re:Would this be a solution?

[wherley]

That's kindof the idea behind Triple-DES. Description here. DES was deemed too easy to break, so Triple-DES was born and is still used in some applications today. Used properly, it turns the effective 56-bit key length of DES into 168 bits in Triple-DES.

Re:Would this be a solution?

Computers are great at brute force attacks, but I highly doubt a system such as this proposed one can do much in the way of analysis or reverse engineering of the encryption algorithms used...

Granted, reverse-engineering a custom-made method could take an extra year, but why the effort if the brute force attack is gonna take 1e25 years to perform? You gotta learn what "exponential time" means someday.

Re:Would this be a solution?

[stuce]

Better than having more layers, just add more bits. Case and point: 2048 bit encryption is not twice as hard to break as 1024 (with twice as many bits). It's closer to 2^1024 times as hard (with 1024 more bits). Crypto can always keep ahead of brute force attacks by adding more bits. The real danger is some kind of algorithm that would make the brute force unnecessary..

Re:Would this be a solution?

[Why+Should+I]

Since "brute force attack" means trying every possible value, at the end of the day it doesn't matter how many different levels of techniques and algorithms you use to encrypt something. You still have to end up with a key that has a finite length.

That finite bit length determines the time it would take to brute force attack the system. So I don't think your uses of inderiction would help.

The only way to stay ahead of brute force attack is to pile on the bit length and so increase the number of values to be tried.

Re:Would this be a solution?

[frinsore]

Using multiple encryption on one message may not increase the difficulty and may even lower it. Encryption algorithms are mathmatical formula so this example will suffice even though it may be simplistic. Say you have two encryption algorithms F(x)=8x and G(x)=x*x*x. You may think that by combining the two would make it more difficult to find x but F(G(x))=(2x)*(2x)*(2x) or 2x cubed which is as difficult as G(x) by itself. But say instead of G(x) you used H(x)=x/8 which would simply decrypt x to it's original value. In short to be able to combine encryption algorithms you have to know what they do and even then there is no garuntee that you're not introducing new holes.

If you modify the encryption algorithm then you're probably introducing new holes into it or at the very least you have to distribure those modifications to whomever you want to decrypt it. In essance a type of one time pad. Either you have to create a new encryption algorithm for each message or group of messages that you send or choose one and stick with it. If you constantly change algorithms or modify you have to have some secure way of getting those modifications to whomever wants to decrypt it, which can be difficult. You could simply create or modify an algorithm and not tell anyone what it is except for the recipient but to do that you'd have to know alot about cryptography and hopefully know the benefits of peer review. The people that encrpt DVDs know the benefits of peer review, now, after they released DVDs using CSS. If your modified algorithm is broken you'd probably never know because who would tell you? The guys that are trying to read your encrypted data or the ones that don't want to read your email and don't have access to your modified algorithm?

The safest thing to do is either use a very long key or learn cryptography develop your own algorithm, get it peer reveiwed and then most likely use a very long key.

Re:Would this be a solution?

[mosch]

counterintuitively, it actually only takes 2^112 times to break 56 bit triple des. details available in Applied Cryptography.

Re:Would this be a solution?

[p2sam]

The 3DES key length should be 168 bits with effective key length of 112 bits.

Re:Would this be a solution?

[Jester99]

Unfortunately for your scheme, your friend who would be receiving this encrypted data isn't too good at raw binary data analysis either, I'm guessing. For that matter, neither are you.

If you have a function F(k,m) that takes a key and a message, and returns 'c', a cipher, then you always know c = F(k,m), and m = F'(k,c).

All you have to do is write down 'k' and keep it safe someplace.

However, if you do your algorithm trick, then you're simply applying F(), G(), and/or H() to your message. So now you've done F(k,G(k,H(k,G(k,m)))). Better write down "FGHG" and keep that secret too, or else have fun recovering your data!

Essentially, you've just made the algorithm the key. Keeping this a secret is just as important as keeping your key a secret.

If you're transmitting data to a friend,
you originally had to send c and k in order to recover m. (The danger is that someone may intercept k.) Now you need to send c, k, and the algorithm. If someone intercepts the algorithm, you're equally as screwed: they'll just use their attacks on that series of algorithms, which may have known exploitable weaknesses -- especially if you 'modify' the algorithms at each level: such modifications can definitely weaken your algorithm (as shown by the simple choice of the SBoxes in DES).

Re:Would this be a solution?

except in that sense you aren't gonna crack by brute-force anything even 128 bit in the next 20 years.

Re:Would this be a solution?

[Pussy+Is+Money]

Yeah, that can work. It is an approach with rather severe limitations, but as it turns out, many real world applications fit nicely within those constraints. Most people on Slashdot would shove this under the heading "security through obscurity" and tell you that it doesn't work, but that's not really true. It's more of the difference in viewpoint between the needs of the actual users of crypto, i.e. the people who have something to hide, and the people implementing or designing crypto, i.e. the locksmiths. Needless to say the locksmiths always peddle the biggest safe.

Re:Would this be a solution?

[0x0d0a]

I doubt that using multiple encryption on one message would lower the strength. I'm not a cryptographer, but if that were the case, the very first thing any attacker would do is encrypt the message again with the same encryption scheme and a random key, which is a relatively cheap operation.

Re:Would this be a solution?

[Rasta+Prefect]

It is however interesting to note that due to the way such Fiestel ciphers work, a double DES is easier to break than a single. Why? I don't remember, I'm not a math major, and don't feel like getting out my Crypto notes from last semester. :)

Re:Would this be a solution?

[billstewart]

Use a long key - yes. Develop your own algorithm - no. Even the GSM telephone people and DVD encryption, which were theoretically developed by trained professionals, were total crockery. GSM had no excuse - the DVD folks could at least argue that the problem they were trying to solve is inherently hard and they were using double protection - a cheapo algorithm and expensive lawyers to run the DVDCSS lawsuits. But the GSM folks were working in well-established territory for which there are straightforward commercial-quality solutions available.

Re:Would this be a solution?

[AME]

I doubt that using multiple encryption on one message would lower the strength. I'm not a cryptographer...

I guess that just about sums it up.

Re:Would this be a solution?

[billstewart]

Layering is fine, if you know what you're doing and implement it carefully enough to prevent some layers from giving away information about other layers. For instance, you could probably come up with a layering of elliptic-curve public-key encryption and RSA public-key encryption that doesn't violate any of the don't-reuse-stuff rules and is still relatively practical. The nice thing about elliptic curve is that the keys are short - the bad thing is that the math is hairy enough that nobody's quite sure that somebody won't find a way around the difficult part. By contrast, RSA uses simpler and better-explored math (and longer keys), and there's less chance of a major breakthrough making a radical change in the necessary keylength, though Bernstein's machine may turn out to be significant given further exploration.

The basic question is whether it's worth doing a two-or-three-algorithm solution as opposed to just making your keys longer. Depends a lot on your threat scenarios. Are you worried about the NSA cracking a key during your lifetime? Or are you running a bank and worried about bank robbers forging withdrawals? Or are you worrying about somebody forging your signature on an article on Slashdot? :-)

It turns out that it's easier to make signature systems use multiple algorithms than encryption systems - all you do is create a tuple of Sigalgo1(message,key1),Sigalgo2(message,key2)... as your signature (and use a representation that doesn't let the Bad Guy change how many bits of the signature string are interpreted as belonging to each algorithm) and there's none of this nesting business required that encryption systems use.

Computers, as proposed here *are* being used in conjunction with deep analysis - that's why the amount of computation required may have just dropped significantly. Reverse engineering doesn't really apply in this world, unless you're reverse engineering God's excellent job of making factoring difficult large numbers and interesting. :-) If you're doing some obscurity-based approach that requires reverse engineering, you've blown your chance at modern crypto work... Most of the public-key systems work by applying known hard algorithms in ways that let the work required to crack them be computationally infeasible, and it's understood that that's a shifting boundary - usually the crackers blow a dozen or so bits off the strength limits per year (some with faster computers, some with mathematical analysis), but the encryptors can add several hundred bits per year to the practical strength - doubling the number of key bits roughly quadruples the computation required, but you could do 512 bits conveniently enough on an 8086, so 2048 is no problem today, unless you've got packet size limitations which make that annoying, or unless you've got antique code that nobody wants to update for longer keys (particularly if the code is a silicon implementation of a bignum mulitplier), or unless you're running a web site that has to process a large number of connections per second, in which case this costs you actual money.

Re:Would this be a solution?

the key difference (no pun intended) is that you would be using the same key for different passes, not a different one. that said, you're right, if the algorithms are different enough it's very unlikely that they would undo each other.

Re:Would this be a solution?

[ssimpson]

Double DES isn't easier to break than DES. It's harder, in fact a lot harder, just not as strong as one would naively believe it would be.

Do a search for "meet in the middle attack" to find out why 2DES isn't as strong as 3DES.

Re:Would this be a solution?

[ssimpson]

Only under the assumption that an adversary has (2^56)*8 bytes of storage available...

524,288Tb of resilient storage is pretty infeasible...

Re:Would this be a solution?

[mosch]

524,288Tb of resiliant storage is only $1b at current prices, and that's dropping rapidly. If historical trends continue, it'll be $1m in about a decade, and it will be included standard in the PlayStation 9.

Re:Would this be a solution?

[ssimpson]

That's true. I would be the first to concede that 3des can be broken with 3 chosen plaintexts, 2^56 blocks of memory, 2^111 encryptions and 2^111 operations (e.g. table lookups).

At the moment however, that attack is clearly infeasible, so I continue to recommend 3DES as "the best we've got" (at least until AES has gained further confidence in the crypto community).

Re:Would this be a solution?

The whole point of cryptography (as I understand it) is to find algorithms such that encrypting the plaintext and decrypting the ciphertext (with the knowledge of the secret key) takes far less time than decrypting the ciphertext without knowledge of the secret key.

While layering secure algorithms on top of each other would make a brute force attack take a longer amount of time, encrypting and decrypting would also take a correspondingly longer time. For example, if you do 3 times as much work encrypting and decrypting you can force a brute force attacker to do 3 times as much work cracking the key.

The reason why increasing the key size is so much more efficient is that by increasing the key by only a single bit, you double the number of possible keys.

Re:Would this be a solution?

[PurpleBob]

It would have been helpful if you had challenged his point, and not him. Then again, that would be quite a bit more difficult, because his reasoning is sound.

Re:Would this be a solution?

[AME]

...because his reasoning is sound.

I can see how his reasoning would appear sound to someone with little experience in cryptographic methods.

In fact, cryptographic algorithms are designed to be strong by themselves. If re-cyphering with itself or another algorithm would likely make it stronger then the original algorithm would have included this already in order to maximize its effectiveness.

Since I apparently must point out the obvious: The reason one wouldn't re-cypher before trying to crack the code is that this is not guaranteed to make the solution any easier to find and therefore might be a waste of time. This, by the way, is the same reason that one would not want to re-cypher their secret message -- because doing so might compromise the strength of the encoding.

so....

[Lumpy]

a $1Billion dollar machine does not mean that it is broken.
Sorry but theories does not equate broken. Until they actually do it I dont think anyone shoud even care. Hell eventually 1gigabit encryption keys will be broken.. Me? I plan on using a 12 terabyte key to GPG sign all my email.

I certainly am getting sick of the "tabloid news style" that Slashdot is using lately.

Re:so....

[Surt]

The importance here is that if your company is guarding, say $10 billion worth of data using 1024 bit encryption, you should be worried whether there might be competitors capable of spending $1 billion to steal that $10 billion. There are drug companies, banks, and research organizations for whom this is not an imaginary threat.

Also, I think that putting a price tag on breaking 1024 bit encryption definitely qualifies as news for nerds. Who else would want to know?

Re:so....

[AsbestosRush]

12.01 TB Email message for "Let's do lunch!". :)

Re:so....

Until they actually do it I dont think anyone shoud even care.

And how, exactly, will you know when "they" have done it? How do you know "they" haven't already built the box? If you want to keep your chocolate chip cookie recipe safe, you have to stay well ahead of what the spooks will be able to do in the forseeable future.

Re:so....

[billstewart]

Your Visa number probably isn't worth spending a $1B to crack, so you don't need to worry. Visa, on the other hand, has to worry about millions of credit card numbers getting stolen, though it's still much easier to crack into most of the machines on the web that absorb credit card numbers, and if there's one master key that lets you steal all of Visa (I doubt there is), it's probably easier to find the people who have parts of that key and bribe them (if you're the Mafia), or subpoena them, if you're the sleazy bunch of thugs at the DoJ who just filed a "Go Fish" subpoena on Visa and American Express.

Re:so....

[actiondan]

Until they actually do it I dont think anyone shoud even care

How will you know when someone builds this machine and starts actually cracking the encryption? Do you really think 'they' will advertise the fact that they can factor keys in minutes? I find it more likely that 'they' will just quietly read the encrypted messages they want to read - from their point of view the longer people stick with key lengths they can crack, the better.

The general point is - the safest thing to assume is that once something is theoretically breakable in a practical timeframe, it is broken. Assuming that we will find out when a practical implementation is available seems a little naive.

Dan.

Re:so....

If it's possible the chances are someone at NSA has already thought of it (remeber NSA employs a significant number of some of the world's best mathemitians), and could even be building the machine right not.

The NSA does not put out a press release when they find a way to crack something. You only embarass yourself by saying something like: "Until they actually do it I dont think anyone shoud even care"

Re:But what's a measily $1B for a government agenc

i think he's plural

what would you do if you had a million dollars?

[jrs+1]

if you were a government agency with $1b to invest in some kind of anti-terrorist encryption breaking scheme, would you invest it in this or would you invest it in quantum computing research?

would it be worth going for the brute force attack or would it be worth finding a different solution? not to mention how much money you could win and how much cancer you could cure with the idle time.

Re:what would you do if you had a million dollars?

[Stonehand]

Neither. You'd want to put the billion into a combination of carrot and stick -- humanitarian aid, education, and investments into certain regions, tied to reforms and oversight where possible; plus substantial amounts into human intelligence and law enforcement, since some people aren't going to like you no matter how nice you play.

When it comes to terrorism, encryption really isn't the main problem. Identifying, isolating and eliminating causes (be they philosophies -- such as a desire for complete theocratic control -- or individual people) is.

Re:what would you do if you had a million dollars?

I'd buy you a green dress. But not a real green dress. That's cruel.

Re:what would you do if you had a million dollars?

I'd crack two algorithms at the same time!

Re:what would you do if you had a million dollars?

You're forgetting it's not really about terrorism, though. Sure, the government's favorite bad guy is "terrorism" now, but it used to be drugs, and before that it was communism, fascism, anarchism, socialism, or progressivism.

The real issue is control. Governments in general seek to expand their control, just look at how many laws we have now, compared to a few hundred years ago. The government can't control what it doesn't know about, thus it desires to know everything. The maddening thing is, some people have the audacity to encode their communication with a cypher that's very hard to break. The government knows there must be something interesting in those messages, but they don't know what. What's a billion dollars compared with the knowledge (and associated power) that comes from reading those tidbits.

Re:what would you do if you had a million dollars?

I would buy you a monkey. Haven't you always wanted a monkey?

Web forums.

[King+of+the+World]

For a time in writing my own webforum software I considered doing login passwords as a file upload of a key file. The problem here though is that you send them a file to decrypt and they can spend as long as they want pawing at the file, and eventually brute it out. It's the model of sending someone a file that they decrypt that's broken - not that key length.

Everyone needs to host their own email system. You send someone a response by hosting the response on your machine. In doing so you can prevent more than 100 attempts a day.

This method is flawed. It's strong, but as CPUs get faster you have to increase the keylength ever more and you're fucked, basically. Hosting messages yourself means you can control access in a far smarter and more fine grained way.

Let's see... at $5000 a night....

[vkg]

That would be roughly 200,000 nights of "Intimate Services"... and we're not talking about skanks, neither - not at those prices.

I think the Cryptic Seduction approach is looking pretty good, huh?

Nope

[Brigadoon]

1024 bit, of course, is 2^1024 (approx 1.797e308). If you add one more bit (2^1025), you double the possibility of the number of keys, which means you double the computation time... In theory. This assumes brute-forcing it, and that the time it takes equals the maximum theoretical time to break it.

2^2048 is 2^1024 times more than 2^1024 (that is, it's 2^1024 squared). Meaning that to crack 2^2048 - in theory - it would take roughly 1.797e308 times as long to crack.

More numbers: If this $1B computer could crack a 1024-bit key in one second (consistently), it would take 5.7e300 years to crack a 2048-bit. That's much longer than the life of the universe.

All this stuff is theoretical, of course. That's why you don't try to break the encryption, but rather look for holes in the software, or post-it notes on the monitor :)

-Xyphoid

Re:Nope

[nneul]

Right, but it's factoring. It's not like symmetric keys where you have to check every key, so it is a doubling in total keys, but you don't have to check all of them.

Re:Nope

[Zeinfeld]

2^2048 is 2^1024 times more than 2^1024 (that is, it's 2^1024 squared). Meaning that to crack 2^2048 - in theory - it would take roughly 1.797e308 times as long to crack.

Bzzt! Wrong

That would be the case if the fastest attack was brute force, in fact there are much better attacks. 1024 bit RSA is generally considered to be equivalent in strength to an 80 bit symmetric cipher. 2048 bit RSA is only equivalent to about 132 bits.

Even so, the issue has been known for some time and that is why the crypto world is in the middle of a transition to 2048 bit keys. Only it will take arround 5 years to complete the move. VeriSign has been distributing 2048 bit root keys for some time.

Re:Nope

dammit! I hate you fucking assholes who use "Bzzt! Wrong" in reply to posts. It's so fucking pretentious. Who the fuck do you think you are??? I don't care if the previous poster was wrong, show some fucking respect!

Brought to you by the coalition to yell at "Bzzt! Wrong"ers

Re:Nope

Amen, brother!

Re:Nope

[Zeinfeld]

dammit! I hate you fucking assholes who use "Bzzt! Wrong" in reply to posts. It's so fucking pretentious. Who the fuck do you think you are??? I don't care if the previous poster was wrong, show some fucking respect!

OK, I am sooooo sorry, in future I'll say:

You are the weakest link goodbye...

I kinda find folk pontificating incorrectly about the strengths of cipher algorithms somewhat pretentious. Since you ask, I am one of the people who Lucky discussed his paper with before publication.

Re:Nope

How about "Ha, you were wrong and I called you on it. Please, give me this, it's the only source of happiness in my life. God, I'm a sad, pathetic little man."

Re:Nope

[CondeZer0]

Please, ignore him(them?)... somebody that writes like that don't
deserve to even be answered to... and he talks about showing
some respect... *sigh*

Your posts have been the most interesting I have read in
/. in a long time... it's nice to see that there are some
people here that know what they are talking about... thanks.

Best wishes

\\Uriel

Re:Nope

[MjDascombe]

It's interesting, just a shame it's utter bollocks. Which symetric algorithm? How could you have such a simple expression of compexity relation between two completely different (unspecified) functions?

Just goes to show ya

[pimpinmonk]

If you want something to be *really* secure, you gotta write it on a sticky note and hand it to the addressee.

Re:Just goes to show ya

[doooras]

nah... the tattoo on the head method is even better

Re:Just goes to show ya

[Iamthefallen]

Unless they crack your head...

imagine the potential...

[spir0]

of this machine being utilised by ILM, pixar, or even id software..

computers that could crunch number that hard have just GOT to have a viable future in the entertainment industry.

surely these people can pull together to build me one.. um, I mean, build one to produce nice things for us to look at and play with.

it's make a hell of a chess player too.

Re:imagine the potential...

[Stonehand]

What does factoring have to do with rendering, or, for that matter, chess?

Re:imagine the potential...

[spir0]

computational power.

Re:imagine the potential...

For the same reason you can't play Quake on IBM's chess playing computer, this machine will be useless for anything other than factoring the product of large primes.

Which part of application specific integrated circuit are you having problems with?

Re:imagine the potential...

just rip apart the gazillions of cheapo dsps designed for fast convolution and you can make realtime blurring :)

Re:imagine the potential...

[bofkentucky]

As I understand, this box is nothing but one big asic that is really good at factoring, not a general purpose CPU. Look at it like this the 80386 Intel CPU and 80387 Intel Floating Point Unit, 386 good cpu, 387 FPU useless on its own, eventually got put on-die with the 486 or first gen pentium.

Pay attention. Security = risk management.

[mib]

Don't any of you bozos pay attention to prior articles? Security is about risk management. If you have something to protect that is worth $1bn for someone to steal and the only protection you have on it is 1024-bit crypto, you deserve to have it stolen.

Your homework for today is to (re)read Secrets and Lies. There will be a quiz.

Measly?

[RyuuzakiTetsuya]

By the time this actually posts, it'd be redundant, but hell, it must be said.
"...the measley cost of ~$1B USD."
MEASLEY?!

Re:Measly?

[Stonehand]

Think of it as an investment. It's not like the machine will explode after its first success, so you can recoup the cost over time.

For instance, if a major government or other well-funded entity not averse to a little corporate espionage managed to intercept and decode information regarding, say, bids on major contracts, it could pay for itself very rapidly.

The US government has something like this

[WolfWithoutAClause]

The US government recently relaxed export regulation for public key cryptography to make it the same as the domestic restrictions. The reasonable implication that we can take from this is that they have a way to crack that length of key, or they know they can do it, if they really have to.

Either that, or the American government suddenly have benevolent feelings to the rest of mankind and a minority of their software community. Yeah right.

Re:The US government has something like this

[n3rd]

Interesting? Hardly.

I feel it's more likely they have finally realized what people on Slashdot have said hundereds of times in the past: Encryption above 128 bit is readily available to anyone who searches for it, export restrictions will not stop it.

What do you think?

Re:The US government has something like this

[billstewart]

It's been generally suspected that NSA has had the ability to break 512-bit RSA encryption for a while. Breaking 384-bit RSA is old hat, and breaking 512-bit has been doable even before Nicko's group made it easy on their machines, but this IS exponentially hard work - before Bernstein's hypothetical machine was hypothesized, the limit to current practice was believed to be in the low 600s. This suggests that 768-bit keys aren't trustable for more than casual work, but 1024-bit keys are still way fine.

The NSA has the advantage of occasionally being able to spend a billion dollars on chips or machine design, which says that building something like the EFF's DES $250K cracker was done at NSA long before the public got there (though "long before" has Moore's Law implications...). They also have some good mathematicians focusing on problems like this, not only because they like to crack other governments' codes but also because they need serious estimates of the strengths of the codes they use, but the general opinion in the crypto community is that they're no longer particularly far ahead of the open academic world, and in some ways they're behind because it's hard to get good peer review on secret algorithms, and it's hard to get and keep good mathematicians if you don't let them publish and don't pay them much money either. I don't believe they had the ability to crack 1024-bit RSA or Diffie-Hellman keys before Bernstein's paper came out - but they *do* have Bernstein's paper now :-)

Re:The US government has something like this

[Sircus]

The NSA's the world's largest employer of mathematicians. Obviously, I've no clue what stage they're at, but I'd say it's not that improbable that they already knew about these optimisations and possibly even the next set of optimisations too.

Re:The US government has something like this

[WolfWithoutAClause]

>I feel it's more likely they have finally realized what people on Slashdot have said hundereds of times
>in the past: Encryption above 128 bit is readily available to anyone who searches for it, export restrictions will not stop it.

Ok, in that case, why are there still limits on key length? If it was just encryption being easily available they would have removed all restrictions because it would make no difference. The ONLY explanation that makes any sense is that they have the capability to crack the length they've allowed.

Re:The US government has something like this

[WolfWithoutAClause]

The only question in my mind is whether RSA is still worth using at all. How big is safe? 8192 bits?

Re:The US government has something like this

[Sircus]

If your enemy is a major government and you don't have a very large budget yourself, you might as well give up now, IMHO. Not because I think they could factor 4096-bit RSA, but because I think they probably can get into your house without you knowing about it and tap your keyboard. The only time an attack like this wouldn't be called for is if the danger (to life, to diplomatic relations, whatever) of their being discovered is worth the money they'd have to spend on a more sophisticated attack.

Fortunately, most people's enemy (at least in the cryptographic sense we're on about here :-) isn't a major government. Unless you're planning on political overthrow of a G7 nation, the NSA doesn't really care what you write in your e-mails. Sure, there's the few Echelon stories about contracts won under dubious circumstances, but the important point is that this information was retrieved from unencrypted communications, via a near-zero-effort search.

I'm personally more than happy that 1024-bit RSA and 128-bit Blowfish (or 168/112 bit TripleDES) in an appropriate combination is enough to protect anything I'm doing against any of the possible enemies my actions are likely to throw up. The day I start trying to forment political revolution in one country or another, I'll look again at my crypto needs :-)

Re:The US government has something like this

[psamuels]

Ok, in that case, why are there still limits on key length? If it was just encryption being easily available they would have removed all restrictions because it would make no difference.

The US government sets limits on key length? What limits, and why have I never heard of them?

Re:The US government has something like this

[psamuels]

The only question in my mind is whether RSA is still worth using at all.

As opposed to what? Do you have a better public key system in mind? RSA is efficient and well-understood. AFAIK, it has no serious competition (ok there's DSA but it's horribly slow in comparison).

How big is safe? 8192 bits?

Yah, you do that. Or just add another 32 bits to the key. If it takes someone 1 minute to crack a 1024-bit key, it will take him a couple hundred years to crack a 1066-bit key.

Re:The US government has something like this

[ssimpson]

(Hi Bill),

"but this IS exponentially hard work"

NFS is sub-exponential...It's a "hard problem", but it's not exponential (erm, see e.g. here).

Re:The US government has something like this

[aziraphale]

The non-conspiracy argument that I've heard makes a lot of sense to me, at least. US government believes that E-Commerce is going to be big. US Government notes that US retailers can export lots of goods to other countries if e-commerce is enabled. US Government notes, exports==good. US Government realises, people outside the US need to be able to communicate securely with companies inside the states in order to perform such transactions. US Government allows export of strong crypto, giving US a world lead in e-commerce market.

Money is almost always a better explanation for the actions of Americans than malice.

Re:The US government has something like this

[WolfWithoutAClause]

32 bits isn't centuries; its about 45 years if Moore's law keep up, but RSA is much weaker than that in fact, so an extra 32 bit might only be 5-10 years.

This is getting ridiculous.

[AJWM]

I mean, it's getting to the point where the dang keys are gonna have to be longer than the message!

Re:This is getting ridiculous.

so? dfj45rijjiofjaij4ijnaf8wertuilkal;op4ipgrvoie489hr ui23huflaijiotura;dfgjhaoioaijeoijfijnoeajiawjerne iofaneioroi4niownafeno4inrit4

Re:This is getting ridiculous.

heheh

---
rgxJTY46Zfawyg7iC2A/k8qBcaJo81cH5lwqJ3iuRDF zXLgohN GNICR2rLrlfCw7
KWJB8yVNgvos+wpQn+juh9NVYcGYBANz8f vJvCFMGCgacb+hul Dr4F0Pl2NCsbyS
pVSZd/l9hpRTk0iqHhIFGVc2OKY3btblNw sKwYWWy2oEFlnUrS ETXO6pjkSSOagU
pvuzaIDleTX7A12YZeHK/k948pu3u0meh9 +jCUcwjjos7MdyEM aQtNKkCIM3Jn76
EgzHuol5xi2udy6K8SpOdYvDlCPrFXnJh2 1a+9IiZ2GKl7BPbd WJlVEX0wvsPc/F
MuReiQBGBBARAgAGBQI5qVS5AAoJEPlK/7 n/lNxvvvoAoNNYUW uz3Fao8aW0yT2P
zBsXYrrjAKCFIH2iPDclbCwW3tV0Ox0aDH p9uIkBHAQQAQEABg UCOalU2QAKCRCI
HBX3yeGy8aUDB/9nH6D2YqZ6Jt1muO+/AP fMxda48A0sa79N6j 0yT2SIQfmVYtqR
vVbf68LfdRe6mkTBHqwT1+NV+eXW33Yg1+ QiGhfLWzJ9AINr19 H9qvgYDogsRrEK
oBiacUlS2LybQ2CgQNa9gzWWPuAZwimVkR 6I90DlyED4DpvTeN c105biOXVv00OL
zOEIMuaG3FgjJYRui9+L5UeJckvCZCNlUk we/B+lxU1KCEKUua 0yPs4wNIGkCZjg
kRfsVPoItJfqMGiHvnjaK8R3qJ1sQSyI0j QSXHkP+9IhAimB9Z ukCY0k0aJKIxx5
IFivX578aC9ZMU+LLsm0oMDjdiXFeFuv0Z /RiEYEEBECAAYFAj ui4y4ACgkQZwJH
zybkSIykBgCfYZSLvCXsxNGk05eMiNs21H 0b5tkAoJEbjspZG7 3GGimnG/uKjmrK
a4LLiEYEEBECAAYFAjrb16wACgkQil7s04 84MKWQbgCfdqbPLM BdsRKxpb7w6GYR
dNVhE+MAoK83feX5ew+XiYeh9oKPEZbAgj g5iEYEKBECAAYFAj mOHrEACgkQ9dQ9
PDda2SRqrQCgurjcbkQhzbUA9jwJX4oEkd MpnkIAoMKUWUUH9K +OgrWw+ks84Xh/
vJeZiQBGBBARAgAGBQI8HciEAAoJEC2bUW 7S8rtMxQ8AnR3EUq sAl8w5j5KrTfxR
LeV2yxRmAKCmM8p3qcj+1jzmU3za3ZHtz2 E9H4kARgQQEQIABg UCPB3LhwAKCRDS
UouClLFScB9AAKDnLan0gSoMIkmDnsp/dQ lstxutegCePnfMYD IORSvEQgzPWl8L

Re:This is getting ridiculous.

Did you look at the signature block under the email?

Re:This is getting ridiculous.

No, just equal to. It's called the One Time Pad.

My Opinion

[kawaichan]

I think the government (mainly NSA) had always had the upper hands in terms of encryption no matter how good it is. 1024 is probably nothing for those supercomputers and holes in various OS.

That message made him out to be a bit of a putz

[brassman]

Why? For putting his revoked keys and new keys into his Bugtraq message. Okay, it's putting your money where your mouth is, in one sense... but it was also one damn big chunk of noise, much longer than his (reasonably long already) text.

Bad form. I'd expect more class from someone who's claiming to be clued.

Clearing up the deceptive intro

[Glorat]

1024-bit encryption should no longer be considered pristine

That intro is deceptive at best and is, well incorrect. Remember DES and other symmetric ciphers that currently use about 128-bit or so encryption are unaffected by this. Certainly, 1024-bit symmetric encryption (your typical secret password encryption) is going to be unbreakable for centuries based on current predictions. The intro should read asymmetric or public key encryption at 1024-bits

Secondly, the advances being talked about are in factoring large numbers into their prime factors using the Number Field Sieve (NFS). This algorithm is the most advanced known factoring algorithm and if you believe the article improvements show that factoring 1024-bit length primes is doable for 1 billion dollars or so. (It was only a few years ago this kind of cost was attached to building a DES cracking machine... today I could probably crack DES on my uni computers given the software. 1024-bit factoring is only a matter of time before it is easy). However, not all public key schemes rely on the difficulty of prime factoring. Elliptic curves rely on a different hard problem

Conclusion, the intro should read "1024-bit asymmetric encryption that relies on the difficulty of prime factoring (e.g RSA) should no longer be considered pristine"

Re:Clearing up the deceptive intro

[swordgeek]

So forgive me for pointing this out, but what part of "1024-bit RSA keys In Danger Of Compromise?" didn't you understand???

The title is part of the article, and makes the necessary limitations. If you are going to nitpick, then at least nitpick correctly.

Re:Clearing up the deceptive intro

[Omegalomaniac]

Certainly, 1024-bit symmetric encryption (your typical secret password encryption) is going to be unbreakable for centuries based on current predictions.

If I remember correctly, there is a section in Applied Cryptography where Schneier calculates that the sun going nova would not provide enough energy to flip through every combination of 256 bits, never mind actually testing them to see if they decrypt the message. So yes, 1024 bit symmetric encryption will be secure from brute force attack for quite some time, at least until we start building black hole powered computers and feed entire galaxies into them.

Re:Clearing up the deceptive intro

[Glorat]

You're accusing me of not reading the title but you obviously haven't read my title. I'll spell it out for you again... "Re:Clearing up the deceptive intro". It is the intro that is wrong. I even quoted the incorrect sentence: "1024-bit encryption should no longer be considered pristine".

Got it now?

Hypocrite.

Re:Clearing up the deceptive intro

[Glorat]

Oh yeah... forgot about that one =P
Each extra bit doubles the time for a brute force attack so going from current 56bit keys, that's a lot of time.

The other useful analogy (cos noone really gets big numbers into their head) is that at 256 bits, there are more key possibilities than electrons in the universe!

Safe

Re:Clearing up the deceptive intro

[Tom7]

...show that factoring 1024-bit length primes is doable for 1 billion dollars or so.

Oops, Mr. Smarty Pants! I can factor 1024-bit primes for $0!

Re:Clearing up the deceptive intro

OK, this is just silly. The original reply to you was correct--you are deliberately and obstinately taking this "intro" sentence out of context, for the sake of nitpicking (his word).

The title of the article establishes a context for the whole article. Anything that is mentioned after that (including your happy little intro sentence) is to be read as within the context of what has gone before it--the title, in this case. We've already determined, by the time that you read the intro, that we're talking explicitly about RSA keys. If you can't figure that out, then you're an idiot!

Re:Clearing up the deceptive intro

break des? for 2^26 tries per second per machine -> 2^30 machine-seconds -> 30-40 years -> ok. doable with a couple of hundred machines

Re:Clearing up the deceptive intro

[L-One-L-One]

NO ! RSA is not proved to rely on the difficulty of factoring

Indeed, since you insist on being precise, you should not write that RSA relies on the difficulty of factoring into primes because no one has ever proved that it's true.

The truth is that the best known attack on RSA is factoring, but that does not tell us that RSA and factoring are equivalent problems, though this is widely believed by many researchers.

On the other hand, the Rabin public key cryptosystem, which involves squaring with a RSA-type composite modulus has been proved to be equivalent to factoring.

Re:Clearing up the deceptive intro

[Glorat]

I think you've got your logic backwards there. Ahh... memories of my first ever uni maths lesson explaining the differences between "if" and "only if". RSA does (trivially) rely on the difficulty of factoring. If factoring was easy then RSA is dead hence RSA relies on the difficulty of factoring

What you are trying to say is that RSA does not *solely* rely on the difficulty of factoring which you would be correct in saying since currently it is surmised that factoring is the easiest break in point. And since factoring is NP-complete and I have a (groundless) belief that P!=NP, I feel RSA is safe from this point.

But logically, my original statements stands

Re:Clearing up the deceptive intro

[L-One-L-One]

No. I stand by my original point.The security of RSA has not been proved to rely on the difficulty of factoring. There may be an easier attack that is not known to us yet. If we could prove that breaking RSA is equivalent to factoring we could say that the security of RSA relies on factoring and that no easier attack exists, but this has never been proved.

I also encourage you to revise your "math" memories: factoring has never been proved to be NP-complete or even NP. To my best knowledge efficient factoring algorithms are sub-exponential and there is no strong indication that a polynomial factoring algorithm does not exist.

For further information I encourage you to read the Handbook of Applied Cryptography, by Menezes et al. It will describe the above points more in detail.

Re:Clearing up the deceptive intro

[ssimpson]

"Conclusion, the intro should read "1024-bit asymmetric encryption that relies on the difficulty of prime factoring (e.g RSA) should no longer be considered pristine"

This enhancement to the NFS can also be used against DLP based cryptosystems (e.g. Elgamal, DH, possibly DSS) - your intro is insufficient and vague.

Re:Clearing up the deceptive intro

[Glorat]

This isn't a question of maths or crypto but English. If you disagree with what I am about to say, I will leave it at that. The correct sentence should be The security of RSA has not been proved to rely solely on the difficulty of factoring. That would be correct.

You have stated the converse statement in effect. I am sure you agree with "If factoring is broken then RSA is broken". Hence RSA relies on the difficulty of factoring. (But, again, not *solely* on the difficulty of factoring).

Now, onto a different subject. How dare you say factoring is not NP?? That is ludicrous. Search for google for "NP complete factoring" and see what it comes up with. I am 100% sure it is NP and 95% sure it is NP-Complete (only 95% because I have no proof for it, only what I read and professors tell me). It is purely a matter of whether P=NP. I believe P!=NP (a groundless belief as I said) hence RSA is safe from brute force based factoring attacks in the long run

Re:Clearing up the deceptive intro

[Glorat]

Ignoring the flamebait... thank you, I was not aware of these other uses of the NFS. Would you happen to have references? Do you know if it can be applied to elliptic curve crypto?

Re:Clearing up the deceptive intro

[ssimpson]

Comment not meant as flamebait - just pointing out that your intro is as "insufficient and vague" as the previous posters was "deceptive and incorrect". Sorry for any offense.

Anyway, details of NFS being applicable to DLP can be found in e.g. pg 262 Applied Crypto 2nd Ed by Schneier, or in the crypto bible Handbook of Applied Cryptography by Menezes et al. A complete copy of this definitive text is available online in PDF format here. See pg 128/129.

NFS is not applicable to ECC at all....

Re:Clearing up the deceptive intro

[L-One-L-One]

I work in cryptography.

In cryptographic publications, when you write that the security of a cryptosystem C relies on a certain difficulty D it means that if you have a algorithm that breaks C then you can use it to solve C. If you translate this in the current case, it means that: if RSA relies on factoring than any algorithm that breaks RSA could be used to factor composite numbers. I insist: this reduction has never been proved. I know that a lot of people misunderstand this type of resonning but it is very common in cryptography and in complexity theory.
Again, if you don't believe me, feel free to open the Handbook of Applied Cryptography, or any other serious book on cryptography.

As I said before, it is interesting to see that the Rabin cryptosystem, which is based on "squaring modulo a composite" has been proved to rely on the difficulty of factoring and indeed, an algorithm which breaks Rabin can be used to factor large composites.

I use google often, however I don't rely on keyword search on a scientific method to find the truth :)

Recall that an NP-Complete problem A is called that way because there exists a polynomial time reduction between ALL NP problems and A. In fact if you simply find such a reduction between the factoring problem and any single known NP-Complete problem, you will become a famous man, because such a proof has never been found.

I agree that I went a little fast when I said that factoring was not NP, by abuse of langage. What I meant is that there is no proof that an efficient polynomial time algorithm does not exist, and moreover, finding such an polynonial algorithm would not yield P=NP.

As a side note, some recent work by D. Boneh at Stanford suggests that RSA MAY NOT BE EQUIVALENT TO FACTORING.

Worth a read...

Re:Clearing up the deceptive intro

[ssimpson]

"I am 100% sure it is NP and 95% sure it is NP-Complete"

Factoring is known to be NP but there is no proof of NP-Complete - see e.g. Bob Silvermans post - he suggests that the conses is that factoring != NP-Complete.

Re:Clearing up the deceptive intro

[Glorat]

Ok, gotcha on the NP-Completeness part. My new more informed conclusion is the factoring is maybe/probably NP-complete. Many have claimed it (and my prof didn't debunk me when I claimed it in a NPness project) but indeed I have seen no proof.

I still find the use of "relies" too weird for me.
If Kevin Tam "relies" on his health it means if my health is broken, I die. (RSA relies on factoring, if factoring is broken, RSA dies). Sounds correct for both sentences.

The converse (not so good analogy here, ignore this paragraph if it doesn't make sense): If Kevin Tam's understanding "relies" on google's truth then if my understanding is wrong, google is wrong too. That doesn't follow. (If RSA relies on factoring and RSA can be broken, then factoring can be broken easily)

That's why I disagree with the use of English you gave. If cryptographical publications rely on this kind of use, I'll avoid reading them as I'll just get confused no end!

Re:Clearing up the deceptive intro

Sorry :) Of course, I meant:

[...]
In cryptographic publications, when you write that the security of a cryptosystem C relies on a certain difficulty D it means that if you have a algorithm that breaks C then you can use it to solve D.
[...]

Re:Clearing up the deceptive intro

[Glorat]

I stand corrected

Re:Clearing up the deceptive intro

[Our+Man+In+Redmond]

Well, you should get in touch with Bill Gates, since he thinks this will be a big breakthrough.

Re:Clearing up the deceptive intro

[Nyarly]

If you translate this in the current case, it means that: if RSA relies on factoring than any algorithm that breaks RSA could be used to factor composite numbers.

I'm sorry, but could you just confirm your usage of "rely"? In normal English, if I say A relies on B, it implies If B fails then A will fail.

So, "RSA relies on the difficulty of factoring" implies "If factoring were easy, then RSA would be broken." It seem that you're insisting that the opposite conditional is true, that "If RSA were broken, then factoring would be easy." It seems that what you further seem to be saying is that Rabin PKE is equivalent to factoring, from which we can take both conditionals.

So, I don't think there's a disagreement about the fact that a polynomial time factoring algorithm would be applicable to RSA, and the the discovery of such would imply that RSA was broken. How would you phrase that more simply? It seems like a fairly important thing to say about an encryption system.

I guess the quick summary is that we informed laymen had never heard "rely" defined as "is equivalent to," and in fact had believed, from our previous work in maths that "rely" described a unidirectional implication, not an equivalence.

If this is not so, can you point us at references, or explain how to refer to the relationship we'd thought we were describing with "rely," or explain why the importance of the relationship is only "aparent" to the cryptographically niave?

Re:Clearing up the deceptive intro

No, you're just being a self-aggrandizing piece of shit. You want to spout off so that, what, a bunch of losers you've never met think you're l33t? You failed even at that.

Re:Clearing up the deceptive intro

[L-One-L-One]

I'll try to clarify my explanation.

I agree that if the difficulty of breaking RSA relies on the difficulty of factoring, then: if factoring is easy, RSA is broken.

However to prove that the difficulty of breaking RSA relies on the difficulty of factoring, you need to prove that breaking RSA will yield an efficient factoring algorithm. Such a proof does not exist yet.

Perhaps the difficulty of breaking RSA relies on a completely different property. It is entirely possible that, one day, someone can find a way to break the security of RSA without factoring the modulus. In that case, RSA will be broken but factoring might still be a difficult problem. Incidently, that would prove that the security of RSA does not rely on the difficulty of factoring.

Conclusion: though it's true that an efficient factoring algorithm would break RSA, we can not say -to this date- that the security of RSA relies on the difficulty of factoring.

I guess that in mathematical theorems, you will rarely find ambiguous terms such as "rely" but rather "is polynomialy reduced to" or the like.

Re:Clearing up the deceptive intro

[Nyarly]

I guess the core of the disagreement between Glorat and me and yourself is that our contention is that the relationship described by "rely" is unambiguously not bidirectional; it's the same as a logical conditional, while you contend that "rely" can describe an equivalence relationship.

I for one find this definition of "rely" entirely novel, and while I'm of an open mind about it, cannot find any definition that suggests that its meaning is ambiguous in this sense. Can you direct me to some other reference regarding this?

Because, after all, I read /. purely for educational purposes.

Re:Clearing up the deceptive intro

[L-One-L-One]

I really don't understand the problem here. I never said that "relies on" is an equivalence relationship.

When you say that [Property A] relies on [Property B], the understanding is that [Property B] implies [Property A]. This is clearly not a bi-directional relationship. You can consider "rely on" to be an implication relationship written backwards. For example let X be a random variable, if you write [Property X*X>0] relies on [Property X>2], it means that [Property X>2] implies [Property X*X>0]. The real ambiguity was correctly highlighted by Glorat, who noted that "relies on" is not necessarily understood as "relies solely on" in every day English. Nonetheless, in many cryptographic publications you will find sentences such as "the security of X relies on the difficulty of the DDHP (Decision Diffie Hellman Problem)", which means in fact that the hardness of the DDH implies the security of X.

When you write [RSA is secure] relies on [Factoring is hard], you are saying that [Factoring is hard] implies [RSA is secure]. This is equivalent to the contrapositive statement: NOT[RSA is secure] implies NOT[Factoring is hard] or if you prefer [RSA is breakable] implies [Factoring is easy]. To prove this, you have to show that breaking RSA gives you a factoring algorithm. Since such a proof does not exist, then you cannot say that [RSA is secure] relies on [Factoring is hard].

On the other hand it is well known that [Factoring is easy] implies [RSA is breakable]. Consequently if we could prove the unproved implication above, we would immediately have a equivalence between the two properties, but that's another story.

For the justification of the contrapositive statement above, you can look in any book on logic.

Re:Clearing up the deceptive intro

[Nyarly]

Okay, glad we can just jump right to straight logic.

While I agree that "RSA's security relies on the difficulty of factoring" is about the same as "If factoring is hard, then RSA is secure," on reflection I don't think I agree that it's equivalent to [Factoring is hard] -> [RSA is secure]. Consider: in the case that factoring is easy, and RSA is still secure, this statement is still true, since counterfactual conditionals are tautalogical (who'da thunk I'd remember that phrase for a decade?). However, this sense is clear counter what was intended by "RSA's security relies on factoring's difficulty."

So, although I realize I'm reversing myself, I think "relies on" can (at least in this case) be directly substituted by "implies" and have the statement keep its original sense.

In reagrds to "relies solely on," you could as correctly "is mutually dependent on," since sole reliance would suggest both conditionals, and thus an equivalence.

Oh, well...

[Moosifer]

Guess I'd better stop using IPSec and SSL, now. Seriously... What are the implications of this? This is certainly not meant to disuade people or organizations from using RSA based exchanges, but rather to encourage them to increase the key sizes. As difficult as it is for modern servers to deal with high-loads of 1024bit RSA, does anyone really thing that 1536 or 2048 is going to catch on anytime soon? Saying it will cost a billion USD to crack 1024bit RSA is not much more prohibitively out of reach than suggesting businesses move to bring-them-to-their-knees 2048bit RSA. In moderation, not a problem, for hundreds of thousands of transactions day - better grab a heaping handful of Broadcom 5821's.

One billion dollars?

[DavidJA]

I'll sell them my encrypted secrets for only 1 million dollars!

It's a win-win situation, I get a million dollars, and they save many many millions of dollars.

Re:But what's a measily $1B for a government agenc

[AJWM]

how much is Bill Gates worth now?

To whom?

DMCA?

Since this obviously could be used to circumvent existing encryption technologies, how long will it be before we're running a "Free Bernstein" campaign? And more importantly, if no trouble results for Dr. Bernstein, could that be taken as further evidence that the government is quite willing to ignore the provisions of the DMCA if it suits their needs?

Re:DMCA?

DMCA section 1201(e): LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES- This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term 'information security' means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.

There is something new here

When it came up before, there was a significant question about whether the improvements would be seen in key sizes that we are using, or whether you needed larger numbers. The conclusion of Schneier etc was that it probably didn't affect factorization of numbers people are using, though it was good research.

What is new is that people have now gone out, implemented it, and found that it really does come up to a big factoring win in the ranges of numbers that are in use. Furthermore based on real factoring examples, 1024 bit keys are doable at costs within the reach of national security agencies.

There is a difference between theoretical improvements somewhere around a million bits, and demonstrated improvements at 512 and 1024.

Very long RSA keys

[Dratman]

Take a look at Lucky Green's new PGP public key at the end of his message. Geez, is that thing a key or a keystream? I have this funny feeling we may be taking a good idea too far...

Re:Would obscurity be a solution?

[Glorat]

Two issues going on here!

Ah... the old security through obscurity notion. Someone else can carry the debate here but trying to get security by trying to hide what layers of algorithms you are using is defeating the point of security research. A "secure algorithm" is basically one such that it does not matter whether the hacker has access to the algorithm or not. Cracking a "secure algorithm" should be as hard as cracking by brute force. If your security relies on obscurity, then you are asking for trouble in general

As for layering in general. Well it works for the most part (e.g 3DES) although there are caveats (2DES would not be safe). But the real point is that layering is slow. Doing 1024-bit RSA encryption is slow. And try generating a 2048-bit key instead of a 1024-bit key. It takes ages (possibly minutes on some computers). You may be increasing security but decreasing performance.

Now going back to the first point about a "secure algorithm", you are better of say doubling your key size and exponentially increasing the keyspace on your existing algorithm then either inventing your own layering scheme that may or may not work AND will be slow nad memory wasteful by using many algorithms. The short answer is, you don't need layering, just make larger keys.

Probably any key length is crackable

[rufusdufus]

People seem to be forgetting that there is a known algorithm for factoring in polynomial time. This is the Shor algorithm for quantum computers. The governent has put billions of dollars in to this research, it would be entirely prudent to assume they have working machines that can crack any key length.

Arbitrary costing = $1B

[Nathdot]

I can picture the scenario now:

<TELEPHONE CORRESPONDANCE>
SHADY GOVERNMENT OPERATIVE: So how much will this 1024 decryption system cost?
PIMPLY TEEN HACKER: $1B US dollars to be deposited into my secure off-shore bank account and safe passage to the Maldives.
SHADY GOVERNMENT OPERATIVE: Excellent. The money is being transferred as we speak. Begin work.
</TELEPHONE CORRESPONDANCE>

<PIMPLY TEEN HACKER INTERNAL MONOLOGUE>
Sweet! I've just charged the US government 1 billion dollars for a beowulf cluster of dreamcasts running home-brew linux.
</PIMPLY TEEN HACKER INTERNAL MONOLOGUE>

<SHADY GOVERNMENT OPERATIVE INTERNAL MONOLOGUE>
Sweet! We will retrieve the 1 billion dollars once we crack the secure off-shore bank account's 1024 bit encryption system
</SHADY GOVERNMENT OPERATIVE INTERNAL MONOLOGUE>

:)

Re:Arbitrary costing = $1B

almost entertaining, but I don't know why the hell people are so in love with dialogue delimited using XML-style tags... annoying if you ask me.

Re:But what's a measily $1B for a government agenc

[Kwikymart]

--cut an paste from a random joke site---

Q: How many Bill Gates' does it take to change a light bulb?

A: 15 to develop a bloated software prototype, 8 to write a horribly designed and overly complex non-contextual help system. 34 to author the help text, 122 to write the various SDKs and interfaces so that the lightbulb will work in conventional sockets, 67 to create demeaning adds that belittle other's bulb-screwing attempts, and 4 to write a lengthy book on the process.

Moore's Law

[AlgUSF]

Damn Moore's Law

Re:Moore's Law

It's not a law, it's a theorem. It's not a law unless it can be proven.

Then use another Public-Key Algo!

[dotderf]

There are plenty available. Diffie-Hellman, NTRU, El Gamal, Elliptic Curve Cryptography. Take your pick. While you're at it, use different symmetric key algos.

Terry Ritter, a really cool guy on sci.crypt, who happens to be a cryptographer suggests using a known algo along with a new algorithm. The tested algorithm (such as blowfish, or DES) provides security against known attacks. The new algo (such as the AES candidates, or something your best friend coded while he was drunk.. joking) can provide an extra layer to thwart cryptanalysis. Just use different keys for each step.

I love crypto, too bad I'm going to wind up as a crypto-narc one day.

Re:Then use another Public-Key Algo!

Hmm. Dicrete log (the one-way part of Diffie-Hellman, probably quite a few others too) is usually considered about as difficult a problem as factorization. Anyone know how easy it would be to change the machine to crack that too?

Re:Then use another Public-Key Algo!

[cravey]

Sounds like security throuch obscurity again. Why not just use stronger RSA keys? Or do you really mean something more like IPSEC? You do realize that RSA is not actually used to encrypt the data and is primarily just a key exchange algorithm for a symmetric encryption algorithm like rijndael and DES, right? I'm not trying to bash you yet, just trying to get a better understanding of what you're talking about.

Re:Then use another Public-Key Algo!

Doh. If RSA is the weakest link there (maybe right after stupid users) it's the one that gets attacked. When it's cracked you have the key that is used in rijndael or whatever near-impossible-to-crack and you don't need to break it.

Re:Then use another Public-Key Algo!

[billstewart]

Diffie-Hellman and El-Gamal are closely enough related to RSA that you don't get much diversity by picking them. Elliptic Curve is a nice possibility, though it's possible somebody will find the math to crack that. NTRU is a lot different - I don't know that any of the academic cryptographers are calling it really secure yet, but the people who've looked at it don't seem to be calling it "snake oil" either.

Re:Then use another Public-Key Algo!

[ssimpson]

Yes! The machine doesn't attack RSA per-se but is a speed up related to the more generic NFS algorithm. NFS similarly works against DLP based problems (e.g. Diffie-Hellman, Elgamal etc).

Re:Then use another Public-Key Algo!

[ssimpson]

Diffie-Hellman, El Gamal and other similar DLP based algorithms will also be affected by this NFS improvement.

Yeah, right

Yeah, very useful analogy.

I can't imagine how big 2^256 is, but somehow I can picture the number of electrons in the universe.

Teach this man a lesson......

And mod down this most un-funny post. Thats right its overrated at 1. I have wasted 10 second of my life reading it and another minute replying. Damn you, damn you to hell.

Laugh it's funny :-)

[lw54]

Bernstein released a proposal that outlines the creation of a machine capable of breaking 1024-bit crypto on the order of minutes or even seconds for the measly cost of ~$1B USD.

Okay, I've been hiding my idea, but who cares. I'm releasing it now and officialy proposing the creation of a machine capable of breaking 2048-bit crypto on the order of hours or even minutes for the measly cost of ~10B USD.

I'm currently soliciting offers from several major tech companies to fund this joint venture to be used only in the private sector.

Please call now.

Re:Laugh it's funny :-)

[daemonslayer]

a machine capable of breaking 2048-bit crypto on the order of hours or even minutes for the measly cost of ~10B USD

assuming it scales linearly, $10B will only crack a 1027 bit key in the same timeframe

Re:Laugh it's funny :-)

[TheLink]

Factoring difficulty doesn't scale that way because brute force isn't the easiest method. One additional bit doesn't make it twice as hard.

Read the Paper!

[gweihir]

Actually Bernstein says that he does not expect his factoring device to have any significant speed advantage over other factoring techniques for "short" keys, "short" being significantly more than 1024 bits.

The reason is that the speed up is asymptotic with a suspected slow convergence.

But I agree that for security critical application 1024 bits is too short, even if only because there is not enough safety margin.

Find the paper by D.J. Bernstein here.

Ah...

[Tetrad69]

So THAT's what we've been imagining all those beowulf clusters of machines to do...

Illegal?

In overviewing many US laws isn't 128bit encryption the highest encrytion that can be used legally?

Re:Illegal?

I don't believe so. Items over 40 bit awhile ago and perhaps over 128 bit today, are covered by ITAR regulations.

I'll tell you what I'd do, man

...I'd do two chicks at the same time, man...I've always wanted to do that.

Re:I'll tell you what I'd do, man

[jrs+1]

at least someone got the reference.

(office space, of course)

And the point of spending this money is...

[bruns]

like the topic says... Shouldn't we be spending the money on more useful things rather then trying to prove 1024bit keys can be cracked? We know they can with enough horesepower.

Maybe I'm missing something...

[jpellino]

OK -
SUPPOSE there's a US Govt agency with $1B
SUPPOSE that $ is in a black budget
SUPPOSE they built this thing.
So...
Exactly WHAT is an agency of the US Gov going to crack
that will allow it to gain exactly WHAT money
to amortize it's $1B
that won't be missed?

Re:Maybe I'm missing something...

[rcw-home]

Exactly WHAT is an agency of the US Gov going to crack that will allow it to gain exactly WHAT money to amortize it's $1B that won't be missed?

If you've been properly trained in US politics, the phrases "Won't someone please think of the children" and "National Security" should pop into your head immediately.

Why are we worrying about one billion dollars when having the capability to factor 1024-bit RSA keys could save children's lives?!

Re:Maybe I'm missing something...

[joe90]

Hmm, economic warfare, industrial espionage, forgery, electronic wiretapping, electronic property theft.

Just to name a few very real benefits to an organisation, agency or government.

Some of these translate directly into dollars, some of them translate into indirect benefits, such as improved competitiveness.

Re:Maybe I'm missing something...

[nathanm]

First, it's not that the gov't is cracking encryption of bank systems so they can steal money. The cost of cracking encrypted messages from terrorists, countries they don't like, etc. using this technology would be less than the cost of other intel methods, i.e. getting someone on the inside, not to mention the intangible cost of a human life if an agent were compromised.

Second, if you'd read the e-mail on Security Focus, the estimated price range is several hundred million dollars to about 1 billion dollars, lower if they have access to a chip fab. It also mentions that the NSA and several other countries' intelligence agencies have their own fabs. So it's not as prohibitively expensive as it sounds. The e-mail's author goes as far as saying The NSA would have to be derelict of duty to not already have built such a decryption device.

Re:Maybe I'm missing something...

The government happily issued a press release bragging about how they cracked the W2K export crypto used by someone in Afganistan to hide their secret plans. The conclusion should be that these guys aren't using export crypto anymore.

Re:Maybe I'm missing something...

[blang]

First, it's not that the gov't is cracking encryption of bank systems so they can steal money.

And why ever not? You really think the men in black don't need money, or that all activities will be disclosed to congress committees?

Sometimes they need a huge pile of money for a project they know that congress would kill if they knew about it. The most recent example would be the Iran-Contras scandal.

I bet many a money launderer has seen his booty disappear like a puff of smoke. The proceedings allow the spooks to run operations that show up on no budgets.

Right now the spooks are too busy working on everything that can be labeled terrorism, but when Bush or the press has had enough of wars, the spooks can go back to playing God with the banana republics. And for that they need money. Weapons trade turned out to be a risky business, so I bet the most likely source for secret funding now must be stealing from the criminals.

Re:Maybe I'm missing something...

[dvdeug]

SUPPOSE there's a US Govt agency with $1B

The Department of Defense gets $303B a year.
See the official budget of the United States Government for 2003.

Exactly WHAT is an agency of the US Gov going to crack
that will allow it to gain exactly WHAT money
to amortize it's $1B
that won't be missed?

IIRC, each Stealth bomber costs about a billion dollars. Given the tradeoff between buying a new Stealth fighter, and knowing where to put my current Stealth fighters before my opponent has got a chance to move his armies, I'd pick the latter.

Re:Maybe I'm missing something...

They could call it Operation Swordfish!

Re:Maybe I'm missing something...

make up your mind- stealth bomber or stealth fighter? a stealth bomber does cost about $1B, but only cause congress renigged on the amount it promised to purchase, so the per unit price went up. a stealth fighter costs much less than $1B. and did you know we only have a couple dozen stealth bombers?

Guess what else is in danger of compromise??

[Tom7]

Hey, I've got a much worse problem to report: Most people don't use encryption!!! Right now, we're all browsing slashdot, our credentials sent in plaintext, our sessions open for anybody to see! Almost everybody sends unencrypted e-mail!

Rather than freak out about the NSA being able to crack 1024-bit keys, maybe we should be doing more to actually get encryption used by people?

Only a billion dollars?

[Futurepower(tm)]

Only a billion dollars of the taxpayer's money to read other people's mail? The U.S. government will take 10.

If you read the letter .....

[taniwha]

he sais that the article referenced by slashdot has caused him to re-examine the CUMULATIVE effects of a number different recent development, not just the Bernstein paper

Yet another slashdot mis-heading

[tomstdenis]

Maybe the slashdot editors should do more reading?

Just because some dude makes a PROPOSAL for a RESEARCH GRANT doesn't mean its at all completed or conclusive.

These stupid headers are just another vain attempt to get people to post. Now shuddup about hypocracy.

Tom

Re:Yet another slashdot mis-heading

These stupid headers are just another vain attempt to get people to post.

• Glad to see it worked...

Haha fools!!!

[NoMoreNicksLeft]

This is why I use 1025 bits. Suckers.

huh?

[ZaneMcAuley]

You mean the Google distributed computation feature enhancement to the search toolbar can do all that?

You know this wouldn't have happened

..if you all had used the inbreakable base encryption in the first place.

greetings to cga crackpot of the year.

OK... Could Somebody Clue Me In?

[istartedi]

According to an email from Lucky Green

That key of his seems awfully long. Sure enough, when I pasted it into a text file it was 46 kilobytes!!!

There must be something else in there besides the 2048-bit key, but what? Is the first part the public key, and the rest the encrypted message?

Re:OK... Could Somebody Clue Me In?

[istartedi]

OK... I'm malfunctioning. I just realized he attached multiple keys. Time to catch some sleep.

Re:OK... Could Somebody Clue Me In?

[Fruny]

The block contains his revoked keys as well as his new key.

Re:OK... Could Somebody Clue Me In?

[Isao]

It's his key, with signatures, trusts, and probably an alias or two. Import it into your keyring if you are so inclined.

Now for those of us that STARTED with 4096 bits several years ago...

Just because you're paranoid doesn't mean they're not out to get you.

Re:But what's a measily $1B for a government agenc

[compwizrd]

Where's the one that tells you to flip the light switch off and on a few times?

2...

[packeteer]

BILLION... well if you really want a 1025 bit haircut... 90K-140K which is about 2^16 soooooo your hair can be considered 16 bit... this means that your hair can be given a haircut in .0000000000000387142 of a second... btw that doesn't include the shave...

Factoring can be used to attack Elliptic Curves

isn't it provable that all these hard problems can essentially be transformed into each other?

Or Something like that

Re:Factoring can be used to attack Elliptic Curves

[ajna]

Prime factorization, last I checked, is not proven to be NP-complete. Thus, it is not known if it, along with elliptic curves (a whole different class of problems that I know just about nothing about) are reducible to each other.

NB: prime factorization has had algorithms published (Shor) which are polynomial time, with the caveat being that a quantum computer must be used.

Re:Factoring can be used to attack Elliptic Curves

no.
np-complete problems map to each other but no-one has proven that factoring is one of those. (perhaps because it, like, ain't? why everyone keeps thinking it is is beyond me)

Re:But what's a measily $1B for a government agenc

[mosch]

$67 billion

Shades of Sneakers!

[constantnormal]

For all you people who thought the plot of Sneakers (1992) was just silly and impossible... well, not so silly now is it?

Re:Shades of Sneakers!

No, its still pretty silly and ridiculous.

If it had been a machine that could crack ciphertext encrypted with a particular algortihm (even if they made up the name!) instantly, it would have been much more reasonable.

But that's expecting a bit much from hollywood.

Most people...

[DaCool42]

unless you count those that order things online, use ssh, run encrypted VPNs...

Sauce for the goose...

[BlueFall]

Why do people use small sized keys? Because encrypting with them is faster. Presumably, this ability to break small keys comes in part because of cheaper hardware. Well, guess what? Normal consumers (without a billion dollar budget) can buy faster computers for less money now too! Make bigger keys - it won't take so long now...

Applied Cryptography

[Zule_Boy]

Before people go crazy like "Ooh my gosh, I need to use 8192 bit keys" you should read "Applied Cryptography: Protocols, Algorithms, and Source Code in C" It is hands-down the best book on the topic I have very found. Here is a link to it on amazon:
[here]

But can you prove that they are prime?

[yerricde]

Oops, Mr. Smarty Pants! I can factor 1024-bit primes for $0!

But can you prove that they are prime?

Re:But can you prove that they are prime?

[ajna]

Yes. Use Euler's Theorem, with the extensions by Miller and Rabin. Sorry for being so humorless today.

Re:But can you prove that they are prime?

[cperciva]

MR does not prove primality. If you assume GRH, then by running MR O((log n)^2) times you can prove primality, but that is impractically slow even for 1024-bit primes.

All large provable primes are constructed in special forms in order to allow use of one of several fast proving algorithms.

Re:But can you prove that they are prime?

[bluGill]

Yes I can prove they are prime. Well, I can prove they are Newton primes anyway. Meaning if I say it is prime, I'm right most of the time. When I wrong, it won't affect the quality of my encryption (that we know of, though someone that is newton prime, but not prime is belived the reduce security, nobody has proved that to my knowledge)

Re:But can you prove that they are prime?

D'oh, my bad.

Ha, Ha.

[sanermind]

"I believed that users' desires
for keys larger than 1024-bits were mostly driven by a vague feeling
that "larger must be better" in some cases, and by downright paranoia in
other cases. I was mistaken."

Extra caution never hurts, does it. Esepcially when using a 4096 bit keys only takes an extra few seconds of computer time these days. If it isn't painfull to use, then the stronger the crypto the better.

So, Just try and get people to use Encryption.

[Zapdos]

Everyone here uses gpg or equiv for your email right?
As a member of several mailing list most people do not even have gpg signatures, those that do never upload their public keys.
Breaking 1024 bit encrytpion isnt that big of a deal for most people.

I guess they like running naked through public parks.

Re:So, Just try and get people to use Encryption.

Hey, *I* like running naked through public parks :-)

But realistically, not only do lots of people not upload their keys to the public servers, they don't get them signed by people who know them, and they're not well-connected. The public key-servers are only conveniences for publishing and retrieving keys - they're not particularly an authentication system, and you still need to check signatures on keys before trusting them.

Not so fast..

[Sloppy]

The person who builds this machine may still underbid you. The machine doesn't just crack your secrets -- it's reusable. When you amortize the gigabuck over all the different people who need to be spied on, it may yet work out to be less than your minimum bribe.

Re:Not so fast..

[telstar]

Or you could look at it the other way. With every secret it cracks, the value of each previously cracked secret depreciates.

Re:Not so fast..

The machine doesn't just crack your secrets -- it's reusable
Oh bummer now I have to offer extra to verisign and thalte employees, and you know how much they charge for regular service so imagene how much the "sign any key you ask without checking your id" service would cost....

Re:Not so fast..

[56ker]

Even if true - the people with a billion USD really don't have to bother cracking encryption codes! That leaves only governments - which wouldn't be able to justify such a huge expense! So yet again its all just fiction - even the actual method has questions raised over it. I mean look at the RSA challenge - the 576 bit, 640 bit, 704 bit, 768 bit, 896 bit and 1024 bit challenges are yet to be actually solved by anyone. The prize money for solving those (assuming someone had built the thing) is only $285,000 - still a very poor return on your investment.

sadly...

sadly, few things have as much inherant(sp?) parallelism as factoring numbers.
(aka. you wouldnt be able to take advantage of this power doing many things. esp the kind of stuff Id would do...)

Threat Assesment

[the+eric+conspiracy]

One thing to consider is that rigorous threat assesment is based on CAPABILITY, not INTENT. Clearly it seems that there now many organizations that may have the capability seriously compromise a significant and growing part of the world economy.

Re:Pay attention. Security = risk management.

[Sloppy]

It doesn't cost the bad guys a billion dollars to steal your secret. It costs them a billion dollars to steal the secrets of everyone who uses the type of key the machine can crack. Your share might only be worth $10000 and it could conceivably still be worth their effort to buy/build the machine. Then you lose.

Your argument only makes sense if they have to dedicate their billion dollars to just cracking one key.

A bit expensive, imagine that...

[SILIZIUMM]

- Sir ! We finally decrypted the enemy message using our brand new machine that costed $1B USD and can decode 1024-bit encrypted messages !
- Good work agent ! Now, what did the message says ?
- Well it's.. *cough* a chocolate cake recipe *cough* ...

Well, a pricy recipe though... $1B USD for.. oh well.. :)

Re:Pay attention. Security = risk management.

Don't any of you bozos pay attention to the article you're replying to? The machine takes $1B to build one time, after which it is theoretically able to break any 1024 bit keys in seconds or minutes.

Your argument is like saying no one is going to mug someone at gunpoint for $20, because a gun costs more than $20.

Re:Pay attention. Security = risk management.

[Emugamer]

but if 1024 bit crypto only takes a minute to crack then theoretically during the 3 year life of this 200million to billion dollar machine.
$2e11 to 1e12 / 3 years / 365 days / 24 hrs /60 minutes

This means that all of your assets between 124,000 (if machine costs 200 million) and 634,000(for 1 billion) and above are all worthwhile "investments" of this machine's time.

Thank god I'm poor

Re:But what's a measily $1B for a government agenc

[SILIZIUMM]

Didn't he created his own proprietary version of the light socket and tries to make it "standard" as well as the light itself ?

Real Issue with encryption

[lamj]

We are facing some big challenges right now. Due to the crazy growth of computing power (despite the fact that new methods of calculation - factoring large number and stuff are constant being developed) Encryption standard are being obsolete faster than we can adapt to it.

Think about how long the US government will take to adopt AES.... Same encryption are going to get weaker and weaker as times goes by, we have to adapt to the rate it fades out. But apparently, encryption standards takes time to develop and get accepted. We are very likely going to change standards every 5-10 years. Government agencies, are you coming along?

Re:Pay attention. Security = risk management.

[The+Pim]

Don't any of you bozos pay attention to prior articles? Security is about risk management.

What do you see in the post that is inconsistent with this view? It claims that the cost of breaking 1024 bit keys is lower than previously believed. This means that risks must be reassessed.

If you have something to protect that is worth $1bn for someone to steal and the only protection you have on it is 1024-bit crypto, you deserve to have it stolen.

Guarding a $1B asset with a 1024 bit key would be foolish, with or without this finding. (For starters, the enemy doesn't necessarily have to build a cracker, they just have to rent time on one.) But who says we were talking about a $1B asset? Trivially, there exists some scenario in which 1024 bits was a good risk prior to this finding, but is no longer. So this finding is entirely relevant to a risk management approach.

2048 bit

[MWright]

Correct me if I'm wrong, but:

Each bit that you add roughly doubles the amount of time it takes to crack. 2048-bit encryption, although slow, is possible.

What this means is that, assuming that a 1024-bit key can be factored in 1 second, it would take roughly
570044753571256946895391042233962688235025678254 15 606695024759372695\
54661513856010042759935388366 819543382606540822975 572640467047641318\
57219835840434659197037569423 594829671728507799344 387665269701556798\
84895284385512012411993557037 643680409952827613949 299430678049923879\
77103579392323212688873973370
years to crack 2048 bit encryption. I'm not all that worried.

Re:2048 bit

if your logic was right, consider this: how long does it take to break 512 bit encryption? a second? how much more is 2^1024?

Re:2048 bit

[prakashj79]

A brute force decryption attempt would take roughly twice as much time for every extra bit in the key. No naive decryption scheme will work even if the key size is as low as 128 bits.

The problem has to be tackled at a more fundamental level - maybe by finding an inherent weakness in the algorithm, which can be used to decrypt the message without having to go through all possible key values.
For example, if a few (plain text, encrypted text) pairs are known, we can search for a pattern, apply the pattern in reverse to an encrypted message, and get back the original plain text message.

Re:2048 bit

[jessohyes]

IIRC every 10 bits doubles the amount of work requred to break RSA. The reason for this is there are factoring algorithms which can do better than straight brute force.

The best general-purpose factoring algorithm today is the Number Field Sieve (NFS) [BLP94] [BLZ94], which runs in time approximately O(e1.9(lnn)1/3(lnlnn)2/3). Previously, the most widely used general-purpose algorithm was the Multiple Polynomial Quadratic Sieve (MPQS) [Sil87], which has running time O(e(lnn)1/2(lnlnn)1/2).

Re:2048 bit

[MWright]

This is what happens when I post when I'm too tired :) Thanks for the correction.

MPU!

This is very on-topic. He pointed out that the grandparent made a stupid rant.
Christ! If such a thing had actually been built, you would probably expect them to rush around and yell everyone about it?

Re:Would obscurity be a solution?

[sigwinch]

A "secure algorithm" is basically one such that it does not matter whether the hacker has access to the algorithm or not.

The point of layering is not to keep the algorithm secret, it's to protect against cryptanalytical breakthroughs. Even if the cryptanalyst gets very lucky (or is very smart) and completely breaks one of the subciphers, the other subciphers still protect your data.

Paranoid

[el_flynn]

Did anyone notice this: if you open up the original email linked in the post, then scroll down your browser really fast until the end of his PGP key block, you can make out the word I AM PARANOID -in his PGP key block- ??

Don't forget...

[Taliban+Lecher]

..., folks, to re encrypt yer private files, that floated around the net for years with larger keys, before they....

doh!

Huh???

[TheLink]

And how do you propose the recipient reads it from the sender's machine?

Send the message to the recipient in plain HTTP?

Get the recipient to walk all the way to your hosting site?

Your self host solution doesn't solve that problem. Or is incomplete at best.

Re:Huh???

[King+of+the+World]

Yes yes, the http connection would have to be encrypted. To get the encypted file you follow a link in an email and you must provide the decryption key. The point is that I can put limits upon this such as only allowing 10 attempts a day.

This is an addional layer of security. It's proven, kinda, and zixmail.net do something rather close.

Re:Huh???

[King+of+the+World]

Just to be clear,

1. Get an email saying you have an encrypted message and you follow the link

2. Verify that it's you by providing some password. As you're querying a remote server they can limit the number of tries per day, etc.

3. If you get in you get the encrypted file.

This gives you far more control over your encrypted files than handing them out to be bruted.

Re:Huh???

[TheLink]

That does make things a bit harder, BUT my point is there is not really much difference between an encrypted file or an encrypted connection, once you get access to either ( Unless you're talking about quantum cryptography).

Attackers can still eavesdrop and brute force the captured encrypted connection data to get the user's sent password AND the corresponding downloaded file.

More things to do, but _if_ brute forcing an encrypted file is possible then what I say would be possible right?

Cheerio,
Link.

Most of us are safe

[mikec]

Suppose some agency actually did build a machine that could crack 1024-bit RSA. How would they use it? The answer is, they would keep it very secret and use it only on very important stuff---nuclear threats, etc. They would certainly not risk revealing it's existence to crack small cases.

Re:Most of us are safe

[perlyking]

You havent thought this through have you. How will they know whether to decrypt a message or not. How would they know to check terrorist (or communist - choose your fake enemy) cells talking about plans?
Nah they cant risk that, for the children and for national security they will read everyones, they probably allready are.

a slightly-less-Amerocentric thought...

[Simon+Garlick]

How many tyrants and dictators around the world would think NOTHING of squeezing their own countries $1B harder in order to crack the communications of dissidents, opposing political parties, and oppressed ethnic minorities?

ObDisclaimer: this isn't some pinko commie "FUCK YOU AMERIKKKA!" post... it's just an observation that I haven't yet seen made by another poster in the thread. I see a lot of people talking about the NSA, and breaking into banks, etc etc... but middle-class white male citizens of post-industrial western economies aren't the only people who have good reasons to use crypto, you know?

Take a look at the size of the key in the original

[gmplague]

Take a look at the size of the key in the original e-mail! 46080 bits by my count (no, i didn't actually count, perl did). But if that isn't subtle irony, I don't know what is.

ha-HA!

Re:Would obscurity be a solution?

point is, you can still crack public-key ciphers one at the time which doesn't give you much more security. however, for secret-key stuff it's a completely different issue as you need to break all of them at once.

Re:Pay attention. Security = risk management.

[alec314159]

Anyone can afford a 1 minute time share on a $1B.

Shit

[loraksus]

I'll just pay Guido to torture your ass for $10,000. There are other ways of extracting information . . . ironically brute force is an option in both umm professions. . .
Sort of off topic, but honestly, the investment (for the machine) isn't worth it unless you plan on doing this a lot of times, and if somebody was going to do this on a case by case basis, it would be cheaper to hire one of Pol-pot's henchmen to do the job.

Ian Goldberg isn't worried

[SiliconEntity]

One of the people to whom Lucky Green attributes the calculation that Bernstein's machine is practical is cryptographer Ian Goldberg. Ian is well known in the crypto community and has broken a number of publicly fielded cryptosystems.

However, in a follow-up post to the cypherpunks mailing list, Ian said that he did not agree with the calculations.

In fact he says that the physical properties of the factoring machine seem "implausible", and that there is no reason to believe that the result applies to "real" key lengths like 1024 bit keys.

$1Billion wasted

[0x0d0a]

The depressing thing is that probably a few goverments seriously would like to spend $1 billion to try to read something in an RSA encrypted format.

Yet despite all that money and zillions of man-years being blown on reading stuff in such a format, no one has managed to go out, and no one is willing to spend the money to try to crack .DOC and produce software capable of reading it. A much, much easier problem but one that hasn't been done completely.

There are so many *smarter* things to blow money on than cryptography that it blows the mind. Cryptography is a fun mind game, but frankly when this much money is being spent on it it's just ridiculous.

You can bribe the people involved for less than $1 billion. Heck, buy up a private army and take over the building that has the information that you want.

Just think about what they've been doing for years

[Ececheira]

It is generally regarded that the NSA and the military have technology that is about 20 years, yes 20, ahead of what is publicly known.

The NSA has the budget to hire the best and brightest mathematicians money can buy. Whose to say that the NSA hasn't know about this for years? Sure, Bernstein could have simply "rediscovered" what the NSA has known for years.

There have long been rumrors of a $2-3B machine that the NSA has for breaking encryption. Taking time into account, that translates to that $1B machine now.

The NSA has likely been able to break these keys for years.

Re:Would obscurity be a solution?

[abulafia]

No, both you and the respondees are wrong.

The reason that 3DES works is that DES is not a group. That's a mathematical notion. I cannot explain it here. Read up on the lit. (Schneier, Applied Crypto is a really good start.)

Basically, most dumb encryption methods are additive - you cannot expect that encrypting once, and then again with a different method means the attacker will need to reverse the process. Many times, it is simple to defeat both in the same process. CF, again, why DES is not a group.

There are many methods that are _not_ additive, and still are a group. That is, you're not saved by making sure you're not a conjuction of mathematical ejaculate.

Crypto is _hard_. Really hard. Get used to it.

-j

1024-bit RSA is in no danger. Not yet, anyway.

[swillden]

Even Bernstein's original paper is clear to point out that while his mathematical results are correct, and that his proposal does allow RSA keys of size n bits to be factored in the time we currently think it takes to crack keys of size n/~3.009, he proved this to be true *only in the asymptotic case*!!

This means that for very, very large n Bernstein's results are known to hold. His paper is actually a grant proposal requesting funding so that he can spend the next few years finding out if it's possible to apply the same techniques to practical-sized keys. As I understand it, what Bernstein wants to study will still be purely theoretical. He wants to calculate what the savings factor is for smaller keys. The reduction factor for smaller keys may be as large as 3, or it may be smaller but still worthwhile, or it may be negligible.

Even after Bernstein has done his calculations for smaller keys (which will take years) the results will still be purely theoretical, and there will likely remain a great number of practical challenges in building the rather unique kind of hardware Bernstein is proposing. It's possible that even if the theory holds for smaller keys, building a real machine may still be impractical.

For more detailed discussion than you're likely to be able to digest, go read sci.crypt.

From what I've read, I would say that if you have secrets you need to keep for more than 5 years, you might consider using a 2048-bit RSA key, or switching from RSA to ECC.

Woah!

[Proc6]

Afraid that the government might be able to steal my encrypted s3cr3ts, I re-encrypted all of my data with 4096 bit keys, then re-encrypted that data with another algorithm, 5 more times in a row. I ended up with a garbled mess that NO ONE could ever decipher.

Then I looked at it with Wordpad, and realized I generated the source code to Microsoft Windows!

Re:Pay attention. Security = risk management.

[quintessent]

Heh. You thought I was buying this to get your secrets. No, that's just the icing on the cake. This baby's for LAN parties. Nothing plays Quake quite like it.

And there's the occasional corporate secrets to bust into once in a while. Ahhh.

Did I mention Pac Man?

Re:What do you have to hide?

According to your reasoning, every man who wears underwear and pants has an inadequatly sized reproductive organ.

Or maybe their reproducive organs are something that is just private to them.

So I encourage you sir, to be naked from now on. That is unless of course, you have something to hide. :-)

Re:2048 bit ... WRONG

[catch23]

Please see this posting:

http://slashdot.org/comments.pl?sid=30026&cid=32 25 829


(or scroll down and read it)

Goof off

[kindbud]

I wish that bum would get back to work and finish Qmail 2.0!!

Misleading article

[Llanfairpwllgwyngyll]

I'm afraid that this story is altogether misleading.

When the paper first came to prominence, yes, it looked worrying.

However... the speedup factor appears only to apply to LARGE numbers, not necessarily to smaller ones. Exactly how much advantage one gets for smaller ones is unclear.

Note that this paper is a "research proposal", not a finished item of research. It's a very interesting read, nevertheless :-)

However, if you're worried then you should be using 2048-bit original-style RSA PGP keys anyway (or 3072 or even 4096 bit new-style RSA keys). You might want to avoid the DH/DSS keys since the signature part cannot exceed 1024 bit....

Re:Misleading article

[pclminion]

However, if you're worried then you should be using 2048-bit original-style RSA PGP keys anyway (or 3072 or even 4096 bit new-style RSA keys). You might want to avoid the DH/DSS keys since the signature part cannot exceed 1024 bit....

DSS uses a method similar to ElGamal, which is NOT based on the difficulty of factorization. ElGamal (and DSS) are based on the difficulty of the discrete logarithm problem. Discrete logarithm systems are not affected by this "breakthrough," even if it is one.

Re:Misleading article

[Llanfairpwllgwyngyll]

Sure, that's true. However, my dislike of DSS is not related to the factoring - it's because the size is limited by the standard, and because the covert channel is "unusually large" in DSS (see Schneier's Applied Cryptography).

The covert channel is in fact big enough to leak up to 10% of the private key per signature if the software is suitably written. Unlike other ways of leaking keys (trojans etc) this leakage is impossible to detect without the numbers chosen to fit the algorithm (ok, yes, you could reverse engineer the code...). Unlike many other ways of leaking information, this one *doesn't* break the interoperability. Sneaky eh?

Thus, if you are using, say GnuPG, fine - use the published code and it's likely that any such devious mechansim would be noticed. However, if you are using, say PGP "wot no source code available now?" then you cannot be sure.

As ever, it's all a balancing act - working out which is the greatest risk and dealing with it on a case by case basis....

in the news for public people?

[ciryon]

This is the kind of story that could get huge exposure in "normal" news if there's nothing better to show. Just imagine the headlines: "Internet banking no longer safe"" "Anyone can steal your money when you shop online!" And noone would have an idea what's really going on.

Ciryon

Re:Pay attention. Security = risk management.

[tpv]

I think you need to check your maths.

At: $124,000 per secret.
In one hour I can crack 60 of those.
That's $7.4million worth of secrets each hour.
In a day I can crack 24 of those.
That's $178,560,000 worth in a day.
At your prices, the machine pays for itself in a little over a day.

The key to your problem is that $200 million is not $2e11 - it's $2e8

By my calculations, a $200 million machine could pay for itself in 3 years, if each secret was worth $126.

I'm poor - but I'm not that poor.

Quantum Computers aren't real yet

[billstewart]

There have been a few quantum computers developed, able to get a few bits of resolution (They've done 3 bits, and maybe they're close to 7.) This stuff is still undeveloped rocket-science. It's possible that the Feds have put billions of black-budget dollars into it, but I'd be surprised - it's probably more like small millions of dollars on open research in universities. As with computers, there are some things you can do better in secret, but usually the scale of the open market's research outruns it.

It'll really be interesting when they start to get to ~64-bits of resolution (at least if they don't run into Heisenberg uncertainty problems when the resolution approaches Planck's constant.) Will the resolution of this technology scale that far? But things don't get interesting for public-key crypto until you're at ~512 bits.

Also, there are some problems that quantum computers can accelerate and some that it can't. For instance, factoring is tractable, if you've got enough resolution, and there's a quantum computer that was able to factor the number 15 into 5 and 3. So RSA and Diffie-Hellman are toast, at least for 4-bit keys :-) Perhaps for much longer keys, if QC can be developed, but perhaps not. It's not clear whether elliptic curves can be cracked by quantum computers, but then, it's not clear that they can't be cracked by better mathematics.

Basically, if They can crack everything using public-key technology, you're back to private-key methodology like Kerberos, or traditional methods like one-time pads and guys with Kevlar briefcases handcuffed to their wrists.

Just a quick question

[Godwin+O'Hitler]

Is there any special reason all these key lengths are always powers of two? Does it have some sort of inherent advantage or is it just people's being geeky?

Re:Just a quick question

[psamuels]

Is there any special reason all these key lengths are always powers of two? Does it have some sort of inherent advantage or is it just people's being geeky?

You mean like 56-bit DES? Or 168-bit Rijndael? Or 768-bit RSA?

I think it is just people being geeky. Working with bytes in groups of 8 or 16 is often useful - blocks larger than that don't seem to figure all that much into crypto algorithms.

(IANAC.)

Ah - that's why...

[rainer_d]

the commercial version of PGP (8.x something) defaults to 2048-bit keys.
What a coincidence.

Re:Just think about what they've been doing for ye

[nagora]

An interesting point about these theories is that they all assume that the NSA is a competent organisation. There seems to me to be a fair bit of evidence that they are in fact a bunch of self-politicised, bureaucratic, clueless idiots who spend their time and money talking to contractors whose only interest in life is to divest the government of as much money for as little work as possible, usually to a high level of success. 20 years behind sounds more realistic.

Just a thought.

TWW

This is a DoS attack

[Florian+Weimer]

This is an attack on the web of trust. The author is spreading FUD to fool people into revoking their keys. If everybody follows his advice, the web of trust is gone, and it will take quite some time to reconstruct it. In the end, revoking keys based on such unsubstantiated threats will water the meaning of key revocation as a whole.

Re:Would obscurity be a solution?

[XMunkki]

Actually, if the set and order of cryptology algorythms are chosen on the basis of the passphrase (like calculating a MD5 out of it and getting the info out of the number), it is not obscurity rather than a top level ordering algo.

Just a thought..

Re:Would obscurity be a solution?

[Sircus]

Another handy side-effect is that it may make the cracks themselves more difficult. It doesn't apply to breaking RSA (which is just factoring), but many of the best attacks for symmetric ciphers rely on having known plaintext - a file header, or whatever. Since the plaintext in this case would in fact be (hopefully) random ciphertext, the attacker's got a lot less to work with.

There are disadvantages, of course - you don't know that the two algorithms together are secure, and when considered as a whole, the chances are that they're not more secure. You're relying to a certain extent on the attacker sticking to the rules and considering the supciphers as subciphers, instead of just trying to cryptanalyse the whole mess. The other difficulty is that the more layers you add, the more key material you need - at a certain point, you begin to have trouble getting enough truly random data.

Re:Would obscurity be a solution?

[Shiny+Metal+S.]

As for layering in general. Well it works for the most part (e.g 3DES) although there are caveats (2DES would not be safe).

That's correct. Once I wanted to make ROT13 stronger, so I decided to encrypt the message twice, but I discovered that 2ROT13 was actually less safe than ROT13. I finally used 3ROT13 and even 5ROT13 for the most sensitive data, however I'm not sure how much more secure is 5ROT13 than 3ROT13, but what the hell, the overhead is not very high.

Slashdot already ran this story!

[phr2]

See the archive.

Re:Just think about what they've been doing for ye

The NSA has the budget to hire the best and brightest mathematicians money can buy

And most Evil Terrorists have the money to pay chemists well to make explosives, and most Marketing Droids have the money to pay psychologists well to influence buying habits.

Maybe it's the case in America, but where I come from, a (highly skilled) man needs more than money as incentive to work somewhere...

Re:Would obscurity be a solution?

[Glorat]

I'll follow on although you sound like you know about the subject already. Firstly the cryptanalyst may well have more luck breaking the combined layered cipher than trying to break both individually The layered cipher may well be weaker! There is no law that says that if you perform two strong encryptions over a plaintext it is at least as hard as each encryption. This unknown is one reason against. (In practice, layering is "probably safe")

The next thing is that I strongly doubt that even DES will be "broken" ever. It has been under scrutiny for too long and the only successful attacks are based on brute force and require vast amounts of data for a known-plaintext attack. Brute force... what does that mean? 56-bit breakable today. 128-bit breakable tomorrow. 256-bit breakable... when there are more than 2^256 electrons in the universe! Which there aren't

Huh? Very Dead?

How can you be very dead? Death is boolean, you're either dead or not dead.

Re:Huh? Very Dead?

[Pii]

Obligatory Princess Bride Dialog:

MIRACLE MAX - Look who knows so much. Well, it just so happens that your friend here is only mostly dead. There's a big difference between mostly dead and all dead. Please open his mouth.

[Inigo does. Max inserts the bellows in Westley's mouth and starts to pump.]

MIRACLE MAX - Now, mostly dead is slightly alive. Now, all dead...well, with all dead, there's usually only one thing that you can do.

INIGO - What's that?

[He stops pumping.] MIRACLE MAX - Go through his clothes and look for loose change.

No need for analysis at all

[armb]

can do much in the way of analysis or reverse engineering of the encryption algorithms used.

We're talking about RSA here. RSA is a public key algorithm. One where you can give out your public key, keep your private key secret, and anybody can send encrypted messages to you, but only you can decrypt. If you keep your algorithm secret, it becomes totally pointless.

In general, layering can help, but doesn't always, and can make things worse if you are careless about it. But keeping the layering scheme secret doesn't help much - it's probably equivalent to only a few bits of key, and if it is cracked changing schemes is much tedious than changing keys (and that assumes you _know_ it has been cracked). Making up your own crypto is almost always a really bad idea.

" source for secret funding now must be stealing"

..."from criminals".

Good idea.
Only marginally more respectable than dealing in weapons (Contras) or Drugs (Chile)...

And much, much, much more less dangerous... :)

Also, it's only a short term plan.

I mean, if the politician allow secret services to finance themselves on criminals, who is going to give them money when election time comes again ?

No, wrong point

The conclusion is that Export Crypto in MS windows only meant opening your pc to the world, US spy agencies first.

So, if it's critical, please don't use Windows.

better then encryption: invent a language

[nalfeshnee]

i thought of putting this in 'ask slashdot' to be honest, but here goes ... what kind of effort is required to invent a reasonably efficient language which of course only you and your confederates would be able to use. esperanto, es an example, required a mere *eight* years.

the advantage with this is that it requires practically no encryption, if any.

"jan? khlaz tuirt'kah dar gangan Mbou!"

any idea what it means? nope, me either. and if you want an example of how strong this kind of 'encryption' is, simply take a look at the puzzles linguistics has tried to crack over the years: Linear B, (Linear A is still a mystery), hieroglyphics, etc., etc. For an example of something which is *still in plaintext and not deciphered*, check out the Voynich Manuscript.

OK, I'm not saying that one can simply go off and invent a perfect language in a coupla weeks, but look at the pseudo-languages like Elvish, Klingon and whatnot. Ideas, criticisms, reactions??

Plus of course, if someone is holding a cattleprod to your crown jewels and you're standing in a bucket of water, it doesn't *really* matter whether u used gazillion-bit keys anyway...

nalfy

Re:better then encryption: invent a language

[aiabx]

The problem with invented languages is the same problem you get with real languages. When Navajo was used for communications in WWII, one of its limitations was that the Navajo language was missing a lot of military terminology and distinctive words for pacific geography (Guadalcanal is the same in Navajo and English). The solution for this was to "spell" the words using codewords for letters, but this makes the code more vulnerable to cracking. Trying to describe the latest chip-fabrication technique in Elvish will lead to the same difficulty.
-aiabx

Re:better then encryption: invent a language

[flonker]

There is another problem with this idea. Namely, languages are easier to analyze than mathematical cryptosystems, for a number of reasons.

• Languages are believed to have "deep structures", which are common to all languages. This would mean that you could figure out the nouns and verbs and such in the language with a bit of work.
• Even without these deep structures, you will eventually come up with a list of words, and you can then use conventional information theory to attach meanings to those words. (ie. you notice some words occur more often just before some action.)

There are other ways to analyze a language, but IANAL (linguist), and I don't have any books readily available ATM.

Re:better then encryption: invent a language

[nalfeshnee]

true, i remember reading something on these lines a while back - 'big bird' for plane etc. you end up with a decent encoding but everything takes nine times as long since it has to be first translated into babyspeak.

as for chip-fabrication technique, that's at least relatively simple: you just need to adapt the account of the creation of the Silmarils to the subject-matter at hand :P

do check out the voynich link though: it's a beautiful-sounding script, just no-one knows what the hell they were on about.

cheers,

nalfy

What's the upper bound ?

[billcopc]

We keep 'discovering' that 56, 128, 1024bit encryption is 'not enough'. Well why don't we just go right on up to 16 megabit encryption and buy ourselves a few years of leeway before the US gov't finds enough money to catch up ?

What's wrong with you people?

Don't you know the difference between flamebait & a troll?

Spot on.

Also, don't forget to add Moore's Law into the mix. The cost will just keep falling exponentially.

Re:Pay attention. Security = risk management.

Interesting theory. But it assumes that every key cracked is one of value. I'd see the "low value secret" approach only being usable in a "trawl" of communications over public links - satelite, broadcast, IP peering points, etc - as opposed to targeted attacks. So you've got analysis overhead, encrypted ssh sessions ferrying porn, SSL of standard web traffic of no value, etc, to deal with. Knocking up your secret value; but in that untargeted scenario the value of your secret is irrelevant. Its about if you're lucky enough to avoid being caught and analysed.

Now, if you have something worth protecting and someones going out of their way to target you the cost just got higher; the process of targeting a particular stream is much more complex and expensive than just having the data materialise out of thin air within the system.

But yeah; if you're talking aerospace contracts or finance or any other industry that employs a lot of citizens and provides wealth for vested interests this should be deemed significant.

Not a problem for me...

[42forty-two42]

I use triple-4096 bit keys :)

Layering

[signifying+nothing]

Firstly the cryptanalyst may well have more luck breaking the combined layered cipher than trying to break both individually The layered cipher may well be weaker!

So, if I'm trying to decipher something, I might well find it easier if I ran it through DES with an unknown key first? Why have I never seen that it any code-breakers handbook? (Of course, if the keys are non-indpendent, extra encrpytion may reduce security.)

Re:Layering

[Glorat]

I don't quite understand your question there (running through DES with unknown key... extra encryption reducing security) but I'll try to say something helpful

Ok, I'd better disclaim IANACE (crytography expert). I've studied the subject at university level so I know the defintions and have read the facts but have done no analysis myself.

Cracking DES-64 is "easy". Now which is harder to break of these two? DES-64 performed twice with two different keys or DES-128? As it turns out, both are using 128bits worth of key. I would rather use DES-128 on principle since 2^128 is a big key space and current DES breaking difficulty is in the order of brute force as far as I know.

Now what about DES-64 twice? Well, as it turns you might be safe with DES (because I think some people have found it is not a group) BUT suppose we weren't using DES but a symmetric algorithm that *is* a group. Then the hacker could just do a brute force attack on your code with a *64* bit key.

The thing is, I am just touching the surface here. In this case, I have showed that layering using the same cipher that is a group is BAD. Now you could argue, different ciphers etc. etc. but that *may* introduce weaknesses. To know, you would need to analyse it! But why bother when DES and the like have already been analysed to death so you can be fairly sure you are safe at larger key lengths

You *assholes*

[tqbf]

Don't any of you read sci.crypt?

Dan Bernstein has been yelling for the past few weeks since he published nfscircuit that his work does not yet apply to 1024 bit keys (or other "realistically" small key sizes).

In spite of that, stories like this one keep popping up, forcing him to defend himself from idiots who construct bogus straw-man analyses against points that he hasn't even made.

I would rather see Bernstein continue this work, and have knowledgeable people peer-review it, rather than see people waste their time discussing whether solar cells cost more money than AC power (an argument DJB had to get involved in on sci.crypt) and other such lunacy.

Re:Pay attention. Security = risk management.

[Lobsang]

Correct!

Also, if you think your privacy is worth $1B, just upgrade your key size :).

Regards

Re:Would obscurity be a solution?

[hymie3]

If you wanted to mask the fact that you were using 5ROT13 instead of 3ROT13, you could XOR the message after each application of ROT13. How would you write that?
5XORROT13?
Looks like something my old admin would have thought was a swell password....

Re:Would obscurity be a solution?

But here we go into the debate about security by obscurity vs. sec. against brute force.
Say that you reveal your encryption (eg. in a header field), regardless if it's 3DES, 5ROT13 or 9ROT13^XOR, you reveal how to brute force it. If you on the other hand don't reveal your encryption technique, then it will take brute force to analyze the encrypted data and if discovery is made, brute force again to decrypt the data. In this sense obscurity does indeed seem like a much more secure way of hiding data than advertising the technique used. On the other hand, for your encrypted data to be useful in a distributed environement (such as encrypted e-mail), then a lot of people will need the decryption software, and thus security goes out the window as anyone will now be able to reverse the decryption code and get a hold of the algorithms used and their orders (if multiples are applied on top of each other).

Re:Would obscurity be a solution?

[sigwinch]

Firstly the cryptanalyst may well have more luck breaking the combined layered cipher than trying to break both individually The layered cipher may well be weaker!

If the subciphers are independently keyed, the overall cipher is at least as strong as the weakest subcipher.

Brute force... what does that mean? 56-bit breakable today. 128-bit breakable tomorrow. 256-bit breakable... when there are more than 2^256 electrons in the universe!

Key length means nothing if you can find analytical attacks. A primary worry is automated theorem provers, which can pull structure out of provably chaotic systems--witness the equation that calculates an arbitrary binary digit of pi without calculating any other digits. If strong AIs are developed, who knows what could be analyzed...

I think it's likely that vulnerabilities will be discovered in some ciphers as better analytical tools become available. Layering ciphers can mitigate this problem, and it doesn't cost much.

Re:Would obscurity be a solution?

[Glorat]

If the subciphers are independently keyed, the overall cipher is at least as strong as the weakest subcipher
In almost all cases, yes. But not if the two ciphers are a group, for example.

Key length means nothing if you can find analytical attacks.
True also but one could just as well find an analytical attack in the combined layered cipher if a "poor" choice in ciphers is chosen

Basically, if I had to choose what cipher to use, I think it is more likely that I would make a mistake in choosing a poor combination of ciphers to layer than I would someone finding an analytical attack in a cipher that has been analysed for decades.

The fact is, both layering and key-growing are both valid and are both used. I just happen to prefer one over the other ;)

Gah, that public key is 10x longer than...

[timecop]

the post of that guy.
Screw this 31337bit encryption, 10-line PGP keys are annoying enough, but imagine getting this shit in every email!

Re:Would obscurity be a solution?

[ipfwadm]

5XORROT13

Damn... that's the combination on my luggage!

blabler

[Bill+Ashley]

short summary, 1 billion can easily be justified in the eyes of law enforcement legwork. However privacy issues involved cause a hamper. This is the US antitrust against the world. They feel they have things to protect at the cost of going against other wishes. They are clearly saying how they feel and it comes across as US. The long still wanna know what a troll is... its not that ugly fur ball creature that falls into the water in willow and turns into that huge monster thingie that spits fire "Taliban and PLO communications and whatnot" but what are they going to use it on after they do a couple more holly wars... huh? who's next next thing you know its gonna be your grandmothers nursing home then they'll start the stiknine(so I spelt it wrong) injection you know first enemies then less enemies then less freinds then then .. you yes you could be next... but half a billion can't they just say.. you have brown hair lets send a bomb to your house...? are they really that clueless... thats what scares me that they have to buy a .5 billion or 1billion dollar decryption machine can't they just use those satalites and really good scented dogs?,, or just use the lightposts as fiberoptic sensors.. oh too late.. but what if they are decrypting some stuff always won't they get not bad people stuff too isn't that invasion of privacy??? not to mention in the case of cross nationalities and stuff thats like war stuff isn't it.. not only this but they're gonna get bored eventually... I suggest giving the billion to the plo taliban people yup.. then all of them won't have a reason to fight... their standards of living will all go up and then they won't have a clue what to do .. well not really but What exactly is till 1billion dollars is quite abit of money.. you could probably bribe god with that type of capital.. the catholic church does it right so why can't the goverment do it too... that price tag seems offully high though.. ... bad taste but they got insurance money don't they ..eh well 1 billion thats allot of money.. that is allot of money. and where are they getting these messages to decrypt... my guess is if they have the messages then they know who the bad people are and if they know who the bad poeple are why can't they just drug them to hell and get the information out of them the old fasioned way... playing truth or dare.. I dare you to walk down the middle of that highway naked.. ok .. I did it now I dare you to tell me all your secret plans for world domination.. its fair in love..and war.. truth and dare same diff... but I guess you are talking about saving live.. not to mentino trying out a really cool thingie.. comon imagine the guy behind that thing... he would probably feel like well ...me.. but think of all the neat things you could do with processing power like that.. you could make really really neat techno tracks.. techno track.. decode world plot to assasinate world leader.. techno track world leader.. eh the world leaders can wait lets make the techno track.. ok so its not funny I found it funny and thats all that matters... frankly I think 1 billion is a huge price tag considering that decryption will not happen to any message intended to be unreadable except by the chosen person.. the reason I know this is because I'm not that smart and I feel I could make sure a message couldn't be decrypted even by god himself... it's wasted money in my books the good part of it is the stuff that comes off of it though like the technology development and skilled thinkers out of it.. but if they have 1 billion sitting around I'm sure there is lots of well in africa to be drilled or universities that can be set up in the middle east etc... the key to safety is knowledge and not the hoarding of it but educating others educated people relize the futility of war and of killing.. also huge anger management course.. just think where the world would be if hitler or stalin was enroled in anger management courses.. ok not funny once again I find it funny and thats all that matters... can't they just use like a desktop or something.. intel should be coming out will 44ghrtz in time for next christmas shouldn't they... 1024 bit encryption... they invented encryption didn't they make the decryption at the same time like some crackpots would in bad taste say like the hiv virus.. ok eh... I gotto stop doing that.. get it all out of my system now.. ok 1024 encryption ... this note could ... can't they just guess.. if they get it right then their ment to get the message.. no.. just an idea.. I guess they can just scrap building like one destroyer or something to make up the money.. what scares me is that .. hmmm... " Anyway, its not like crackers, with malicious intent, would go buy themselves a 1 B dollar supa-puter to intercept your midget pr0n transaction. So quit being paranoid, and go back to jacking off to your gay beastail midget pr0n. :-P" but what your forgetting is that my gay beastail midget pron is my code... duh.. like I need the pron to jack off to... I got my imagination... "Anyone wanna take out Hillary Rosen? That RIAA bitch needs to go!" we must remember hillary is not a bitch.. bill is... bad taste again.. must remember not to do that oh well.. .. can't blame em... well sure you can.. ok blame him but dont hold it against him.. sure you can... ok hold it against him blame him but don't do anything about it.. sounds good. hmm people are only human. hmm whatever "When carrier battle groups, air wings, army divisions and the fate of nations are on the line, $1 billion for total SIGINT access is cheap indeed. Break out those one-time key pads and pigeons, boys, the government will own your electronic crytposouls before you know it." imposible.. it's the other way around. They break the law they are accountable. No one is above the law. They will be held accountable for any wrong they do against humanity even their warped veiw of humanity. decrypting some elses mail is not nice to do.. if they wanted you to read it they would send it to you.. that's prejudgment of guilt or innocence.. which is not a nice thing to do. How can they expect someone else to be nice if they arn't. They who create the seeds of ill fall prey to it.. as always humans fall prey to their thoughts and imaginations if not now when least they expect it. It's funny if your expecting people to know your secrect and everything why not make it as distastefull and boring as posible... but... lets... not .... be ... too ... boring.... wasting peoples time is plainly not a nice..... ... thing to do... why not teach whylst.. you bore... wait....I think it's lack of trust that is really not nice.. once again how are you suppose to trust if they have no trust.. having a little trust yes I can understand.. but having no trust.. that is something else entirely different// thats almost as bad as..well anyway "It *is* a measly sum - as the email says - how many government agencies have this sort of funding? More than just a couple of US agencies that's for sure." must be mircosoft.. ... so much bad taste so little room.. ok must be dod or some other liek oh this isn't getting posted... "Now here's the scary part. Once they've made the $1B investment to break terrorist encryption, do you really think they'll have 420,000 encrypted messages from terrorists sitting around waiting to be cracked? No, but they're going to have to find something to crack with all those spare CPU cycles to justify their expenditure..." ok now it makes sense... it will be made by the RIAA!!!! to stop software&music and other such copyright enfringments... if say there was 420,000 hotmail or pgp or whatever then you would probably.. uhmm no not getting posted. "I'm sure Curly would love to sell them $1 Billion worth of Marvels, although I'm equally sure that BG will do everything he can to stop it. Just think - financial independence for Compaq could be just a contract away, and it will probably never happ " hey that's an idea.. buy a bunch of comics or cards..hold them for a year.. then sell themm.. then that agency can buy the magic decryptor ring for free..... eh.. that's almost right up there with like investing a billion in the stock market but with comics you can almost gaurenty a investment return... ... I just think this idea is a really good one because it lets me imaging a bunch of people with rifles and uniforms putting comics into plastic sleaves with sterile gloves... ... you could even make a documentary out of it and air it on fox... that might even get a few more dollars... you could even call it project swordfish2 ... I could see it... yah I could see it... "At this rate I think this machine should be afordable in around 5 years..." hmm ...that made me think less costly countries ... when they get the technology if they don't already have it... what how much does it cost to make really good sand... ... or why not just have cell phones always connected to the networks and use them as processors... since everyone and their mother has a cell phone.. start up a save the nation cell campaign.. huh.. ... yah I can see it. so their might be some battery issues... or why not just buy up old computers.. and use them not only can they be sent to underprivelaged places but you could also have them backup as decryptors... or even buy somputers for all you shcools and during nighthours have them used... hmm humans sleep for how long.. how long do computers sleep... really how many unused computers are their.. how many us goverment computers sit unused how many funny... I don't mind others adding tomy music.. anyway.. why not use the investments you already have.. or integrating cost into use for more than regular use.. like lots of stuff I can think off but why not let you think about it. First of all is there a need....? Or is it the cross effects that are benificial... where is it going... 1billion super computer.. would be odd if it just sat on top of some guys desk... its probably going to need like a corner or something and you would probably have to move a fax machine or something.. so really I'm thinking you would need a facility and if you have a new facility.. it would probably either be under a shopping mall accessed through sewers or need some type of gaurd or something... so that some kid doesn't try to play quake on it. Actually you could probably get some nice multy playergames off a processor like that.. but back on topic.. the machine itself is not the only cost to consider so I would hope that they also took into account this in the pricetag... but 1 billion.. must be cause that is allot of money... like I get a $10 a week allowance and 1 billion is like... allot more than $10. theres like 00000000 more zeros... thats allot of money... actually 1000000000 it doesn't look that big when I type it out...1000000000 but still anyway... I think that lifecycle cost taken into account 1 billion works out to 10000 or less scientist salaries or doctors or others.. research generated from these professionals would... doesn't the us have like some huge national debt or something.. I know its some type of issue or something here. .so if they have a debt thats like me going out and buying new car when I have all this alamonie(so I spelt it wrong) to pay ... I had this friend who owed me like over $100 for over a year it really sucked... just another thought... hmm "While it's not going to be on the same price curve as high-volume PC production, there are still Moore's Law effects here - the price/performance of FPGAs and ASICs keeps decreasing as technology improves, and the price of smaller-width chip design keeps improving. The real question is whether the development of this sort of machine can piggyback on other hardware development, plus how motivated is the NSA to build it as further research indicates whether or not it will be really useful..." what about spending 1billion on a computer that will design a 1billion computer.... instead of spending the it was a good idea originally.. like the intel computers that make the chips why not funnel the billion in economic computers for next year or whatever.. and then use that older computer for olderstuff while the newer computer actually does it... ... personally I am more of a direct research type person that spending money to get people to think is a good if not better investment that getting what you know you can already have... I am also a firm beleiver in anything I can think someone can think better.. and in this case that means that well if this system is designed solely for decryption you better hope there are allot of stupid terrorist.. if there are allot of stupid terrorist then... well its not a funny matter but its almost like saying ok try better its like training them .. its like some cruel game to up stakes... its like well... people are blowing themselves to peices for their ideals.. don't you think its time to talk or something rather than just get ready to see more people die. The other thing is if well not to give ideas but I would think that any ring would already have set operating procedure and any smart ring I would think would have a rule for time in messages.. only trust in person and don't time delay your messages type policy.. the thing once agian I would hope that professionals would actually have a better system... but it seems pure off topic to this system .. I think its good they want to spend 1 billion on this but I can't see it being effectively used for decryption of sensitive messages.. I would hope that well hope not but that any sensitive data is not held in conventional methods of decryption even if it is time consuming methods. .. oh well... like I could only see this used on really stupid people... and these are the last people that I would want to see locked up because stupid people myself included are the most har...it would be more like this person is using 1024 bit encryption ok this will be fun... if you know its a message its even funnier.. its like we know this guy is sending encoded messages.. hmmmmmm... I would be more concerned with where the message is going.. and who is receiveing it.. and seeing if those people use the same anyplace that is using private messages you know wants to hide something anyone that wants to hide something is potentially an enemy.. thats my simple logic.. or rather is trying to protect something.. if it is not obvious what that is then that is when you have an issue.. when you know obviously that there is something they should be hidding then either that person or orgianzation should be very much your friend or you should have very much your friend high up... otherwise well ... or even why not start a program to get desktops worth 1 billion to welfare and other such poeple throw in tutorials etc.. for training.. hook up highspeed lines and use the systems as extra processing power for a central system.. ... not only do you get skills training but you also get a secondary use plus you get lots of other stuff.. really I gues power cost is one thing.. but that wouldn't be an issue if people just implemented my wire the world and solar powering programms... "How can you be very dead? Death is boolean, you're either dead or not dead." I have a firm beleif I can't acutally die... other wise why live.... one day you may find out this not to be true but always I will believe this.. it goes along with the belief you truely know nothing other than your own existance.. of course testing this theory goes against the belif.. don't fuck yourself up too much.. More than Cowboy Neil has but if I were to really tell you I would say $1 plainly what I know only I know... what everyone else knows its the same story but in my case well ... no one ever listens to me anyway.. but no I don't think that I could ever trust someone trying to buy my information.. it would have to be a mental symbiosis really I can't put a value on something that someone can just shoot me afterword for its sort of senseless... there is no reall price .. what I don't like is all the invisble technolies being used like the robotic spider that was crawling phased on my ceiling and the invislbe men watching me.. but really.. I still wondering about that odd spider.. the organic one not the machine one thats been hanging around my house for the last couple months.. its pretty nice though and likes my coffee too well I don't actually know if it likes the coffee but I think it tired it out.. but what could someone want to buy off me they couldn't go to a few years in university for.. or less.. like highschool or even like well hmm.. all I have to say is who I am now is not who I was two years ago.. and who I am now is what matters to me and where I continue from... anyone that would actually consider buying my information would be responisble for divedends off intellectual properties if any income was garnered of 10% of net profit they would also be responsible for putting me on salary aswell as responisble for 1% net profit of any of their intellectual property. If it was a one time thing I think that it would depend but the answer would be how much are you offering.. and then yes or no... "Anyway, we all know they've been reading our sekrit kees by telepathy for years now, right?" but what about counter telepaths?? how are they suppose to read their keys??? "when there are more than 2^256 electrons in the universe! Which there aren't" huh????? I think that the only somewhat safe encryption is that not understood by anyone else other than those that need to know sorta like signlanguage.. well not really but you get the idea "If strong AIs are developed, who knows what could be analyzed... " If ,,, although the ai would still be dependant upon processor type and power..i.e. either neural structuring or traditional stucturing.. going back to that thing about revealing my most secret secret.. I have to say that I couldn't tell you anything that I promised someone I wouldn't... foriegn war as a means to say we rule local domestic don't even try something. "except in that sense you aren't gonna crack by brute-force anything even 128 bit in the next 20 years" huh?? I would hope you have greater expectations for yourself 20 years from now.. especially with all those brain steroids and cybernetic memory plants... not to mention 98th demension gates... think more get less get more than less "Using multiple encryption on one message may not increase the difficulty and may even lower it. Encryption algorithms are mathmatical formula so this example will suffice even though it may be simplistic. Say you have two encryption algorithms F(x)=8x and G(x)=x*x*x. You may think that by combining the two would make it more difficult to find x but F(G(x))=(2x)*(2x)*(2x) or 2x cubed which is as difficult as G(x) by itself. But say instead of G(x) you used H(x)=x/8 which would simply decrypt x to it's original value. In short to be able to combine encryption algorithms you have to know what they do and even then there is no garuntee that you're not introducing new holes" whats H's value... I don't know about you but my simple math skills say that you can't find a numeric value if there are more than one non numeric value you would still have... hold on.. really the values can represent a bunch of things... but none is prooveable simple algebra is simple regardless all it is is isolation.... nevermind... ok here's a new hole non logical coding... or exclusive keys that are not based upon binary representations such as hyroglphics or the like iconography and only having one instance each esentially a new language for each message but each language has traits of previous languages and the key to traits lays with well boring stuff but anything that can be encountered in many cases but there are probably better systems.. I personally think seperate languages.. like those secret hand jestures the president use.. but say like military training for instance having a 1 or two year course for groups that use their own specialized language like learning spanish... but having spanish german etc.. so developement of new language groups for specialized that way even if the simple logics of breaking codes exist then you still have to break the cultural context... etc.. etc.. which is just the tip of the iceberg for a truely secretive society.. but why... why hide ideas we all have the same goal. and it would be so much easier reached together in cooperation.... I guess ultimately it will be cooperation regardless just not necisarilily conventional slashdot teaches you so much stuff that if you went nowhere else on the net you would learn stuff from elsewhere on the net(a compliment intended) "Making up your own crypto is almost always a really bad idea." for who? "The reason why increasing the key size is so much more efficient is that by increasing the key by only a single bit, you double the number of possible keys." wouldn't you more than double? "I certainly am getting sick of the "tabloid news style" that Slashdot is using lately." Arn't all the tabloids telling the truth? I thought they were... I'll tell you if I'm just kidding around.. as far as tabloids I see slashdot as informative yet not boring as hell(minus myself of course)j/k.... hmmm I'll have to convert each post to an essay aswell ..j/k....(j/k) "$10 billion worth of data " better not be web accessable hell better not be accesable... security is so simple how can there honestly be a threat.. security=secure... secure=non-accessable non-accessable=secure "...lets you steal all of Visa " how many slots are there.... how many names are their?.... when was registry for numberslots of type... what are registry dates etc... carding I would think would be a simple task but its not a nice thing to do. but honestly I don't know how to myself I just want to know who owns the damn phase mechanic spider "if you were a government agency with $1b to invest in some kind of anti-terrorist encryption breaking scheme, would you invest it in this or would you invest it in quantum computing research?" ever heard the phrase don't put all your eggs in one basket... I wouldn't buy the basket.... but I woudn't drop the eggs either I would probably make an omlet or just scambled eggs or if I was feeling really nice I would probably give the eggs to other people if they were hungry... both or neither honestly if it works it works if they both get your desired result then what advantages does one have over another.. from what I know about quantum computing it sounds like it can handle complex mathematics on a much faster basis than conventional systems.. I don't know the limits of quantum computing or the limits of what is available for 1billion... honestly I don't think that using a 1billion dollar system for one use exclusively is a good idea but I would say no clue.. whatever works best... I personally don't think I could design the system they are planning for either the quantum or the regular... so I have no clue... whatever does the most for technology progression ease of use and other stuff like facility size personel required building time cost trust issues etc.. I don't think that the system is needed for terrorist*.... reasons though. just politely ask.. are you plotting to kill so and so or .. bomb so and so.. or smugle this and such.. if they don't tell you .. then well you can't hold it against them.. if they do something then... I guess they did it...I guess thats against the whole national security thing though.. then again I'm not employed by the NSA so.. I would consider upgradeability etc.. and use after lifespan.. what is the point.. either they have well I guess there is the whole toy philosophy aswell ... I guess do as much as you can ... but the whole idea of the volume of messages to be sorted... the only way I could see it humanly posible is to actually use keywords etc.. which could miss huge chunks of data... I guess this is pestimistic but it would seem that either your going to be able to get information through simple means or the people will be using advanced means... the whole thing is like putting reinforced doors on the aircraft... it just makes it that much more difficult.. it can still be done and anyone wanting to plan it can plan it.. so I guess the whole concept to this system would be cutting out lower rings etc.. while the more advanced rings minus corperate ones would be reduced to military oposition... and it would be difficult to hide them unless they were extremely well engineered... so the 1billion investment would be to threaten ... they would get their money out of it..... either system whicheverone works .... "When it comes to terrorism, encryption really isn't the main problem. Identifying, isolating and eliminating causes (be they philosophies -- such as a desire for complete theocratic control -- or individual people) is." i.e. reverse social engineering.... "The real issue is control. Governments in general seek to expand their control, just look at how many laws we have now, compared to a few hundred years ago. The government can't control what it doesn't know about, thus it desires to know everything. The maddening thing is, some people have the audacity to encode their communication with a cypher that's very hard to break. The government knows there must be something interesting in those messages, but they don't know what. What's a billion dollars compared with the knowledge (and associated power) that comes from reading those tidbits." This goes back to the philosophy that if they wanted you to know they would tell you... how rude.. it's not like I'm innocent of never snooping through someone else stuff.. for instance the end result of years of snooping resulted in my skull being accidentally smashed into a door being kicked down... resulting concosive force cause my nose to bleed and my skull to warp.. life hasn't been the same since.. my skull is still dented but what I am trying to say is... don't bite the no thats not it.. why not just ask and if not respect their wishes... I don't like the idea of my protector being my watcher too.. or rather that reminds me more of say a dictatorship.. holdon... oh yah don't piss of the people that run the world.. must remember this.. *elitist state* coug coug... but what the hell can you do right... just be a good little boy and everything will be ok...but in my eyes the goverment already does a terible job at representing the wide populas and for the most part is non-visioned and to conflicted.. basically it's not doing an effective job... but hell I'm not the one hell I'm a bum... what the hell do I know... oh well "For a time in writing my own webforum software I considered doing login passwords as a file upload of a key file. The problem here though is that you send them a file to decrypt and they can spend as long as they want pawing at the file, and eventually brute it out. It's the model of sending someone a file that they decrypt that's broken - not that key length" set a limit for logins.... just like this message will self destruct.. or time encoding.. but I got no clue how that would be done.. what I do know is anything I can think can be done though... sorta like the attempts at one time downloading etc... of the RIAA type stuff thingies.. reall the RIAA is interesting to see what they come up with... huh? "Unless they crack your head..." my head is dented or cracked in two places that I know off.. yes more useless information peole don't need to know What does factoring have to do with rendering, or, for that matter, chess? factoring could have representaions into processing strength.. I think anyway... with software on board a processor or utilasation in processor based network intellegence designes you could have fast reponses... thats a way I tie it in... when you think solving algorythms I think speed when I think speed I think processing.. just because this one would be specific... anyway thats how I see it...I havn't looked at how factoring works on a system outside of regular processing... sure I'll read something about it sometime soon.. "If you have something to protect that is worth $1bn for someone to steal and the only protection you have on it is 1024-bit crypto, you deserve to have it stolen. " stealing is not a nice thing to do. "I feel it's more likely they have finally realized what people on Slashdot have said hundereds of times in the past: Encryption above 128 bit is readily available to anyone who searches for it, export restrictions will not stop it. What do you think?" I think a human can get anything it knows exists if it wants to.. its just how bad they want it.. interesting my monitor is acting... "If your enemy is a major government and you don't have a very large budget yourself, you might as well give up now, IMHO. Not because I think they could factor 4096-bit RSA, but because I think they probably can get into your house without you knowing about it and tap your keyboard. The only time an attack like this wouldn't be called for is if the danger (to life, to diplomatic relations, whatever) of their being discovered is worth the money they'd have to spend on a more sophisticated attack." that would be b&e and that is not nice. Not nice people must deal with their not niceties... and if I was to attack a goverment agency they wouldn't know it... their concealment by the ultra obvious and their is the reversal for all time.. people are people... I feel I understand logical existance I feel I understand science.. since I understand these two things I am able to account for all logical posibilities and because of this know that anything is posible... "32 bits isn't centuries; its about 45 years if Moore's law keep up, but RSA is much weaker than that in fact, so an extra 32 bit might only be 5-10 years." what about ashley's law.. anything you know about someone else has probably already made and if not.. well maybe I'm just missing something but what's so hard about brute forcing a large key.. the complexity doesn't seem there how many pobilities how many systems.. how many attempts... but I guess there is something I'm missing.. "The non-conspiracy argument that I've heard makes a lot of sense to me, at least. US government believes that E-Commerce is going to be big. US Government notes that US retailers can export lots of goods to other countries if e-commerce is enabled. US Government notes, exports==good. US Government realises, people outside the US need to be able to communicate securely with companies inside the states in order to perform such transactions. US Government allows export of strong crypto, giving US a world lead in e-commerce market. Money is almost always a better explanation for the actions of Americans than malice." it's not posible. atleast as far as conventional logic states... you can cut out the amount of people that can do it but you cannot erase it... no technology that can be created is uncounterable... the difficulty is a different matter.. but even when dealing with say forgery and impersonation.. with skill such as voice alteration surgeries etc... aswell as advanced set ups and skilled individuals anything is posible but off course your talking about skilled groups... with personal resource.. of course ties in the whole technology push verses maintaing training etc... we are holding ourselves back but in fear.. I guess its just cause I'm mad and have already got to concensus in my life that I feel I will always be because I cannot account for the logic in ending so because of this I can only place hope in that all things will be good in the end. I can only hope that everyone else feels this way sometime other wise I could be very lonely. The other way just doesn't matter. "If I remember correctly, there is a section in Applied Cryptography where Schneier calculates that the sun going nova would not provide enough energy to flip through every combination of 256 bits, never mind actually testing them to see if they decrypt the message. So yes, 1024 bit symmetric encryption will be secure from brute force attack for quite some time, at least until we start building black hole powered computers and feed entire galaxies into them." does the blackhole contain more energy than a supernova? I thought that a blackhole was the result of the destuction of many stars or rather colistion... so it would be spent energy forming a lactice of negative forces orrather a tear in the regular .. well baiscally highly dense concentration of base matter... or maybe it is an alien camo.. ... the thing though if my concept on inverse realities or opostion realities exists then you can have any amount of energy needed as long as it is reversed in the oposition reality it would still hold things at a balance but I'm not a physisict(hell I can't even spell it) "polynomial factoring algorithm does not exist." You got to be kidding, whats so difficult about polyniminal factoring? "Of course, your love letters are copyrighted by you, so... Yeah, NSA will be liable to you for the market value of your love letters." The market value is not predetermined. The potential for profit from anything is altered by any action that comprimises that copyright... so the love letters etc.. Deemed priceless would hold the NSA liable for well... everything. Plainly they may think they have buisness snooping but really they don't but who am I hell I'm not even american. I guess I just believe all things will be accounted for in the end. People have to live with all their choices forever. I guess people have this whole power thing going on. There appears to be bad guys etc.. But I take things on a person to person basis. WTF is up with this world. "like the topic says... Shouldn't we be spending the money on more useful things rather then trying to prove 1024bit keys can be cracked? We know they can with enough horesepower." Hell thats what shearbear and napster are for arn't they? I just write like this no one would waste all their time reading this I hope.. So if I write one little thing on one page in war & peace... "This is the kind of story that could get huge exposure in "normal" news if there's nothing better to show. Just imagine the headlines: "Internet banking no longer safe"" "Anyone can steal your money when you shop online!" And noone would have an idea what's really going on. " yet another reason why the capitalist system is flawed. ""jan? khlaz tuirt'kah dar gangan Mbou!"" "third door to the left make sure you flush after using,:" OK, I'm not saying that one can simply go off and invent a perfect language in a coupla weeks, but look at the pseudo-languages like Elvish, Klingon and whatnot. Ideas, criticisms, reactions?? I had this same idea if you read earlier.. But what you are forgetting is if in the case of privacy you must no stick to known course say for instance if I were to use musical scales and frequecy ranges etc.. To send messages as a language unless you have the score first you would have to have an ear or proper mesuring devices etc... for instance morse code is rythmic dots and dashes etc.. You could apply one type of messaging to one instrament sound or frequecny it would get to the point instead of being a visual representation it would be a audio representation although it would be a highly advance language... anyway I like the idea but I think it would take some time I think you have the right idea... of course spoken languages can be picked up by other people that are able to learn... its definately a way of keeping people out of the loop I was over at this dutch families place some years back.. I sware dutch hurts if you only speak english and try to follow a conversation. "Plus of course, if someone is holding a cattleprod to your crown jewels and you're standing in a bucket of water, it doesn't *really* matter whether u used gazillion-bit keys anyway..." Sure it does cause you can tell them anything you want.. And there is no way of them nowing unless they can crack the code... but I did find it funny "There is another problem with this idea. Namely, languages are easier to analyze than mathematical cryptosystems, for a number of reasons. Languages are believed to have "deep structures", which are common to all languages. This would mean that you could figure out the nouns and verbs and such in the language with a bit of work. Even without these deep structures, you will eventually come up with a list of words, and you can then use conventional information theory to attach meanings to those words. (ie. you notice some words occur more often just before some action.) " so now you know what not to do if you are making your own :"secret language.. Now you just need to use alien thought .. Thats not hard now is it... but as far as words etc.. What about using mathematical scientific etc.. Meaning size descriptions changes in reality representations... so this far this way etc.. Within 3d space having each demension in represnetion forces vibration sound smell etc.. The emotion envolved is a separate issue and would be conveyed in the actual representation of the language....

Re: Not true

[Beliskner]

524,288Tb of resiliant storage is only $1b at current prices, and that's dropping rapidly. If historical trends continue, it'll be $1m in about a decade, and it will be included standard in the PlayStation 9.

Buddy, don't forget about the dot-com crash. Property in London, England is now more expensive than in Tokyo, Japan, a few years ago this would have been unthinkable. So the pace of storage systems advancement has decreased. If you saturate an ADSL download pipe, then you can't fill a hard drive. 120Megabytes/hour ADSL download * 24 * 365 * 2 = 2,100,000 Megabytes if you constantly download for 2 years. So 2100 Gigs is the maximum hard drive size anyone would need unless there is an advance in technology and holographic 3D videos start to come to market, or ADSL speeds increase massively, which with Telcos screwed as they currently are and for the next few years with loads of dark fibre, and less than 1 percent of homes taking up high speed internet seems very unlikely.