Slashdot Mirror
Cryptogram: AES Broken?
bcrowell writes "The latest CryptoGram reports
that AES (Rijndael) and Serpent may have been broken. The good news is that when cryptographers say 'broken' they don't necessarily mean broken in a way that is practical to exploit right now. Still, maybe we need to assume that any given type of crypto is only temporary. All of cryptography depends on a small number of problems that are believed to be hard. And all bets are definitely off when quantum computers arrive on the scene. Maybe someday we'll look back fondly on the golden age of privacy."
Wouldn't the same quantum computing that allows people to break today's crypto enable white hats to use increasingly complex algorithms and S-boxes to protect data? I mean, it's not as if crypto crackers are going to have these bad ass machines while the good guys sit around on 486's, right? Am I missing something?
Not even close, but isn't breaking encryption just a matter of throwing enough processor cycles at it until it finds a match?
He tried to kill me with a forklift!
And all bets are definitely off when quantum computers arrive on the scene.
couldn't these be described as "weapons of mass decryption"? [visions of 'sneakers' all over again]
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I'm sure that quantum cryptography will be in everyday use long before quantum computers (it is much simpler concept, and there is number of experimental instalations), and quantum encrypted data are not breakable by any computers.
Seriously, once quantum computers arrive, and we all have to ditch our factored encryption, what are we left with?
;)
Is it really back to XORing our messages with random data known to both ends?
That sucks.
And the cry went up - make quantum computers illegal. Only terrorists want quantum computers...
Get your own free personal location tracker
It will continue to exist so long as the average hacker has a computer within 2 or 3 orders of magnitude of power of the government. Easy.
http://pcblues.com - Digits and Wood
Comment removed based on user account deletion
on the golden age of privacy
That is quite a funny statement. 99% of all email is being sent in clear text, often passing through gateways which have permanent wiretaps installed. Phone tapping is at an all time high in the west and there are cameras on nearly every street corner around where I live.
Privacy.... I had a lot more privacy 20 years ago, that is for certain.
Akvo.org - the open source for water and sanitation
There will be privacy as long as you have something to hide, and the patience to hide it. Any kind of obscurity based privacy can be broken as well, but when quantum computers come, this may be more protection than an encryption algorithm.
No. Sorry. No looking back. There was no golden age. Privacy has been replaced by security. We are shutting down your blog....
Everything possible to be believ'd is an Image of Truth - Wm. Blake
we can not assume that either side of the crypto equation will remain dormant, using only today's technologies. The next Bruce Schneier will happen along (or maybe the man himself) and we'll be dealing with the golden age of quantum cryptography.
Uhm. emm. EZ? :)
...I love the first line:
AES may have been broken. Serpent, too. Or maybe not. In either case, there's no need to panic. Yet. But there might be soon. Maybe.
Lovely summary, guys :-)
... jr pbhyq whfg nf jryy fvzcyl hfr EBG Guvegrra gura? :)
Beware: In C++, your friends can see your privates!
maybe we need to assume that any given type of crypto is only temporary
Maybe? Since when has any crypto been considered even remotely permanently unbreakable?
Everything I know in life I learnt from
The underlying idea of both symmetric abd asymmetric cryptography is that there exists operations that are very asymmetric. For example, multiplying two numbers together is extremely much faster than factoring them, and there are several other.
Quantum computing changes this balance. So your white hats won't be able to multiply a billion times faster even if the black hats can factor a billion times faster.
Kjella
Live today, because you never know what tomorrow brings
Well, we won't be looking fondly back in golden era of privacy, privacy will still remain, although there won't be a reason to crypt your data for a while after quantum puters has been released, developers need time to create even more stronger crypting methods... although, how much sooner goverments get these quantum computers? i bet years!
and well then goverment agencies can simply brute force your crypted document, so we will have many years without privacy, that sucks...
Pulsed Media Seedboxes
Consider, for a moment, the social changes that would imediately take place if privacy were nonexistant, in the sense that all cryptography could be broken with a trivial effort by anyone and their brother, using off-the-shelf hardware. International politics would be forever changed. The basis for personal freedom (now based on privacy) would have to shift to something as alien as mutual trust and maybe even respect.
The focus of international intelligence gathering would shift radically back to human intelligence (which is already happening for other reasons) and the new basis for security would become that of access cintrol through discontinuity - if you network is not connected to your neighbor's, then he can't get access to it regardless of his technical sophistocation.
The days of the NSA Sneaker-Net would return (picture NSA computer geeks running from one terminal to another with DLTs in order to keep the systems in communication, such that data could only flow in one direction.
Disclaimer: IANAF - I Am Not A Futurist
--CTH
--Got Lists? | Top 95 Star Wars Line
http://www.newsfactor.com/perl/story/13468.html
Quantum computing is a *good* thing.
Before the arrival of useful quantum computers we will probably see the advent of quantum cryptography. Quantum cryptography should by the laws of nature as we believe them to be today be uncrackable. Quantum cryptography would also make wiretapping without being detected impossible.
Quantum Computing and Quantum Cryptography are unrelated technologoies. Quantum crypto is indeed "unbreakable", but requires a single physical channel connecting source and destination. It will not carry over routers and absolutely cannot be used for normal internet email for instance.
Quantum computing would break a range of encryption techniques, especially most public-key techniques, but nothing known today rules out new and more robust digital encryption technologies being developed that Quantum Computers could not break, and I imagine plenty of people are working on them.
n/t
Well, there is always the one-time-pad, which is theoretically unbreakable......... but then there's the security of the one-time-pad......... snail-mail for security, anyone?
All of cryptography depends on a small number of problems that are believed to be hard.
This is not true; The "One Time Pad" does not rely on a difficult problem like factoring for its basis.
And all bets are definitely off when quantum computers arrive on the scene. Maybe someday we'll look back fondly on the golden age of privacy.
OTP is unbreakable, and so "the golden age of privacy" will not end because of quantum computers.
Now legislation ending the golden age of privacy is another matter entirely.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
Well that's a serious problem if you ever, ever thought cryptography had any sort of permanence!
For one thing, an encrypted message is of no use to the receiver if they can't DE-crypt it, *poof* crypto is not permanent.
I'd recommend reading "The Code Book" by Simon Singh as the first two-thirds of the book are a history lesson that demonstates to me how cryptography endagers the lives/way of life of those who rely on it to protect themselves (in particular, Mary Queen of Scots and Enigma).
Height: 38U, Weight: 0 Newtons, Eyes: #0000FF, OS: Gray Matter 1.0 (Alpha)
Maybe it's talking about asymmetric crypto - then the statement is true. It's not really any news that symmetric crypto can be unbreakable.
Imagine some black hat just archived all encrypted data he could get (bank transactions, private conversations, you name it) then decrypts them in 10 years when he can buy his brand new quantum computer. All this old data may prove very valuable for him.
Perhaps very sensitive data shouldn't even transit on the net because you can't tell if it'll be decryptable in the future.
I'm sure a lot of /. readers have read Singh's (sp?) book about cryptography, and quantum cryptography is coming along faster than quantum computing. The first quantum crypto message was sent about 6-7 years ago across about 2 feet, and I think someone had it up to 5 km in the air a couple years ago. Shouldn't be too long (before quantum computing) that there'll be wires running everywhere for this type of data transfer (or just send it via airwaves)
Once you have the list of numbers, get the list of words and phrases to encode. Put one random number next to each word or phrase (watch for duplicate codes here!)
Put the pad on a cd, send it to whoever you want to communicate with. Doing this last part is the only large potential insecurity, plus it's inefficient. But the one time pad is theoretically unbreakable.
Best Slashdot Co
Broken to a cryptographer means anything easier than brute-force. So in theory, this methed requires throwing less processor cycles at it than just totally random throwing, but it's still "just throwing processor cycles at it" in a sense. Broken to an engineer means something that is reasonable to do that cracks the code. That this is not (yet).
it's why AES was chosen in the first place. The NSA checked the competing cyphers and picked one that was looked good to the crowd yet was hard but not impossible to break. Did you really think they would have picked one they couldn't handle? That's why TwoFish didn't get the gig.
It's Christmas everyday with BitTorrent.
If I'm not mistaken, this is rule #1 of cryptography. Doesn't really matter what algorithm you use or how secure everyone or anyone thinks it is, they're always able to be cracked. Which cryptosystem you use is more a measure of reasonable security -- do you want your messages secured for years, decades, etc., with an assumed increase of computing power?
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Serpent and Rijndael are vulnerable to this attack - it seems Twofish isn't - damn government should have chosen Twofish for AES instead...
Seriously, though - any approach that manages to reduce the difficulty of cracking these algorithms by a factor of 2^100 is impressive, and Schneier at least simplifies it enough that us folks with very rusty number theory can appreciate the achievement.
His comment later in Cryptogram about his name appearing on a list of banned words is much, much scarier - looks like he's upset someone in the content censorship Gestapo. That same content filter would deny access to today's Slashdot front page - nasty.
oh brave new world, that has such people in it!
Contrary to what appears to be a prevailing belief on slashdot that it's difficult to factor large primes, with current advances in parallel computation and quantum computing this is actually quite an easy task. I present to you the following 1024 bit prime:
6 65 33122260611723888664118831927114653575316547424879 67054992318167167095961043128510261482045202676936 47431644268978597959467064464952515251208388024556 04572811477056415455786097885500638657240210061581 08559815836672945846673382320520984676311151395887 519279703
6 65 33122260611723888664118831927114653575316547424879 67054992318167167095961043128510261482045202676936 47431644268978597959467064464952515251208388024556 04572811477056415455786097885500638657240210061581 08559815836672945846673382320520984676311151395887 519279703 * 1 = 11196101758632245023844192896470191898640653514665 33122260611723888664118831927114653575316547424879 67054992318167167095961043128510261482045202676936 47431644268978597959467064464952515251208388024556 04572811477056415455786097885500638657240210061581 08559815836672945846673382320520984676311151395887 519279703
11196101758632245023844192896470191898640653514
Now we have to factor it. We step up to the main terminal of our quantum computer beowulf cluster and type in the question, "Of which numbers is this the product?". Qubits flip, waveforms collapse, a cat in a box somewhere dies (of radiation poisoning, strangely, or charmingly), and out pops the statement:
11196101758632245023844192896470191898640653514
real crypto can be near impossible to be broken, but it can never be uncrackable or unbreakable. I can take any easily broken crypto scheme and make it ultra secure by placing several techniques used in 1920's and the 1940's on top of it. How about adding some obscurity? Padding? one time ciphers? How about making sure the data has no predictable components? (sending it as a Word file or Zipped and then encrypt it... pure stupidity!) I can think of at least 2 dozen ways to make sure you cant decrypt that one message fast enough for it to be useful to you. hell I have a $9.95 book on cryptology that has some super basic encryption techniques that the best cryptologists out there couldnt break it for at least a year.. maybe 10 if I screw with it a bit. (how about reversing the entire text before encryption?)
basically if you really have a need to communicate secretely you will be able to do it without much worry.. this only affects daily-mundane things that really dont matter except to keep honest people honest, or at least to make the criminal have 1/2 a brain.
Do not look at laser with remaining good eye.
Mix and mash ciphers are immune to quantum cryptograpy. AES, DES, just about all symmetric block ciphers will not be any easier to break with it.
There is a theorem of cryptography that states that that more powerful computers can crack codes generated by less powerful computers faster and easier, but if everybody has more powerful computers, the scene will be the same, am I wrong? ... as long that everybody has more powerfull computers.
------- The last Sig. got fired.
It IS vulnerable to man in the middle attacks, if you manage to cut both the quantum connection and the "public" connection between the two parties and put yourself in between you have 2 completely functional communication channels "protected" by quantum cryptography to both parties.
The only way for them to distinguish you from the party they actually want to converse with is good old classical cryptography.
It's probably worth noting that IBM has already demonstrated a quantum computer running a factoring algorithm:
(See here)
In fact elyptic curves appear to be immune to quantum techniques that have so far been postulated. This does not mean that a fast method will not be found to break EC's simply that there is not yet any knowledge of a technique that significantly weakens EC's.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
You may be able to create something that you can't crack, but then you are a lame arsehole, not a professional codebreaker.
Fucking troll.
Basicly, it's just a delay mechanism that will let you transfer messages securely at a later time assuming you've transmitted equally much information securely already. So the question is, why don't you use the secure medium in the first place? Ok granted, you can send an agent out on a mission with an OTP and he can communicate securely with home base, but I mean for everyday use?
The typical idea about cryptography is to use a secure medium to provide the key, while using the insecure medium to send the data, because the insecure medium is much faster/better/easier to use. So I can meet you in person and get the key, or call you on the phone and verify your PGP (or GPG if you please) fingerprint (assuming you're not being wiretapped as well), and then use the Internet as a medium from then on.
The OTP "solution" would be to say a random sequence of 1s and 0s, then use those to decrypt the irc converation later, not really an option. You'd "run out" of pad rather quickly. Oh, and quantum computing does as far as I know not affect encryptions based on elliptic integrals (which by theorem can't be solved analytically, but I suppose there could be approximations).
Kjella
Kjella
Live today, because you never know what tomorrow brings
My fear is that we could see optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things starts to get dicey about ten years from now. (emphasis added by me)
So, ten years or more. Heck, at that point, shouldn't quantum computers be breaking this stuff anyhow?
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
If you number individual words and phrases, then you can only use each word or phrase once, otherwise it's not a one-time pad anymore. Think about it... how long would it take a cryptanalyst to figure out the code for "the" or "you"?
The pad should simply be a chunk of random bits, and both sides need to keep track of which bits have been used. Then encrypt your messages by xoring them with an unused stretch of bits.
There are only a finite number of characters in the ascii character set and a finite 'length' to the pass-phrase/key.
At the end of the day, encrypted data is only as safe as the key used to protect it. Maybe we can start encrypting data with our genetic information, or a particular wavelength of light.
e.g. It takes a finite amount of time to reverse engineer the key.
Point is, cryptography should make the decryption of information more costly than the value of the data! If it meets that requirment then surely it has succeeded.
I wonder how many clock cycles have been assigned to the task of 'cracking that email' only to find that the email contained trivial information!!!
The local coster used to live at Coney Island till it was torn down, shiped half way around the world and set up again to scrare Aussies. That was sometime before 1920.
Worlds of fun in Kansas City used to have one of the 1st loop costers. Once they opened the new four looper, you could sit on the old one for a good half hour before they made you go back through the line. I didn't the like new new one so much, it had a much rougher ride. I think it may have dumped a few people as well or maybe that was its replacemet.
It has been shown that quantum computers do not have the same effect on symmetric encryption that they do on public key encryption. They only cut the number of symmetric bits in half. Public key encryption however is changed to a polynomial problem.
About 90% of all postings I have read demonstrate the ignorance of the posters quite well.
Facts:
- AES,Serpent,DES, etc are SYMMETRIC algorithms.
- There is no known technique to break symmetric algorithms with quantum computers.
- Shor's algorithm can be used on quantum computers to factor large numbers quickly. Thus public-key cryptography systems based on "hardness" of factorisation such as RSA are at risk.
The Cryptonomicon.Net BLOG seems to imply that Mr. Schneier is doing a disservice to the community by limiting his dissing of algorithms only to the ones that competed with TwoFish... The blog author goes on to say that existing weaknesses in RC4 are probably more important than weaknesses in AES and asks the question, why didn't Bruce jump up and down about exploitable weaknesses found in RC4 over the last couple of years... It does sound a little like sour grapes...
The XSL attack is highly subjective.
c rypt
All you "so is GPG broken?" put your pants back on.
Summary of attack:
XSL stands for three of the basic operations in Rijndael and Serpent. The reason why this attack works is because the substitution layer of Rijndael/AES and Serpent can be expressed very neatly as the same domain as the Linear layers.
Now when I say 'neatly' I mean 'it would be possible' not no one's shown us this monster set of equations relatnig the (128+128/192/256) bit inputs to the 128 bit outputs. The Rijndael/AES and Serpent ciphers may be what we call "over defined".
Think back to high school when you have N liniearly independent linear equations and N-1 unknowns. You had an infinate number of posibilities for solutions. If you had N eqns and N unkn's you had 1 sol'n. If you had N eqns and N+1 unkn's you were in a funny place.
The authors suggest Rijndael/AES Serpent is in the latter catagory of the differential nature (and not the linear nature you learned in high school).
So what does this mean? The possibility HAS NOT BE EXCLUDED that this attack is possible. It really proves demostrates nothing that it's at all possible. Which is best anyone's been able to do in the past 6 years.
JLC
See sci.crypt thread:
http://groups.google.ca/groups?q=XSL+group%3Asci.
Giving up a bit of privacy for the sake of society is good so long as people are given the freedom to make their own choices. This is in contrast to how it works now -- privacy is slowly being eroded while at the same time, our freedom to do our own thing is being taken away.
Holland, is a perfect example of a society where privacy and freedom somewhat more well balanced than here in North America. They are very tolerant with each other -- basically, you can do as you please as long as you dont hurt or piss anyone else off. At the same time, they are very open in their actions -- for example, walk around a neighbourhood at night anywhere in Holland. You will find tha most people do not close their curtains. You can peer right in and see them going about their lives clothed, unclothed, sober, drunk, stoned, whatever. They basically have taken the attitude that they have nothing to hide, even in their own homes.
Yes, I know I have oversimplified the whole issue and there are many holes in my logic but I still think Holland is going in the right direction.
Uh, I was afraid that my boss would fire me tomorrow, because I have chosen the wrong algorithm. But wait, no, he have to wait until at least 2^80-ish days ...
Why can't we just get some sharks with some freaking lasers on their heads?
I have a Quantum hard drive, but I didn't know they were getting in the PC business.
Hmmm... now that I think about it, I thought they got bought out by Maxtor. I think you're just bluffing about "Quantum computers" and this power they will supposedly have.
Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann
And all bets are definitely off when quantum computers arrive on the scene.
should read
And all bets were paid when quantum computers arrived on the scene.
The would be last year when the US cracked quantum computing and opened up >40bit keys for the rest of the world
All of cryptography depends on a small number of problems that are believed to be hard.
This is really only true of public key cryptography. Symmetric ciphers (like AES, Twofish, Serpent and DES) depend upon really complex applications of transposition and substitution, not on mathematical problems hoped to be NP-hard (when recast as a decision problem, blah, blah, blah).
The breakthrough in the mentioned papers is just a collection of techniques used to try to create usable mathematical models of these complex mishmashes of operations, thereby allowing them to be analyzed and attacked. This is fundamentally different from public key encryption algorithms which are very simple and trivially easy to model, but reduce to models of (we hope) intractable problems.
Whether or not it is possible to create a symmetric cipher of sufficient complexity and non-linearity that it is impossible to cryptanalyze is, of course, an open question that will probably never be fully answered. In the arms race between cipher designers and cryptanalysts the top cipher designers have always managed to stay substantially ahead of the top cryptanalysts, however. Witness the fact that DES has withstood 30 years of concerted attack, without a significant attack being found (other than the built-in small key size, of course).
Speaking of DES, what I'm most interesting in knowing right now is if these new attacks can be applied to it. 3DES is still the most important cipher in the real world and will be for some time.
And all bets are definitely off when quantum computers arrive on the scene.
Again, bcrowell doesn't know the difference between symmetric and asymmetric ciphers. No one has devised a way to use quantum computers to attack symmetric ciphers. That's not to say it won't happen, but, as I understand it (not much), modelling complex problems in a QC is very, very difficult. QCs are good at simple problems with a large solution space.
Maybe someday we'll look back fondly on the golden age of privacy.
If we lose all of our privacy it will be because we choose to, not because of any lack of technological tools.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
on computational intractability rather than a
demonstrable computational impossibility will always
be open to some future innovation rendering it
trivial to crack. Elliptic curve crypto seems to
have the best prospects for the future right now,
and you can use it right now: El Gamal is
implemented in GPG.
But to say that QC will render effective crypto a
historical artifact is clearly mistaken. If it
were true, it would imply that there are *no*
hard problems any more, once QC techniques are
employed. All that QC can do is compute functions
over a finite field with effectively infinite
parallelism. It's unfortunate that most crypto
systems today rely upon functions over a finite
field, but there are plenty of hard problems that
are only valid over function spaces, for example.
-I like my women like I like my tea: green-
The more we come up with ways with cryptology, inevitably we will come up with better cryptanalysis. Quantum computers will just introduce a need for more complex algorithms.. and not only that, but just because there's a quantum computer, that doesn't mean that current encryption protocols are laid bare like a prom-night virgin. Some of them will still perservere, if they're complex enough, past the advent of these machines.
And nothing will ever beat the age-old crypto of arranged signals.
... if anyone _ever_ comes up with a quantum hydroelecthrodynamic geck that will break
let foo = mkrandom(length(bits(content)));
xor(foo, content);
save(foo, "mellon.key");
save(content, "encrypted.out");
deposit(0.02$, "/dev/null");
<grub> Reading
I'm a Ph.D student at Harvard. I've done cryptography research in the past. So listen up people.
As for public key cryptography, most but not all public key cryptosystems are completely broken by quantum computers. Luckily we still have some public key cryptosystems that have not yet been broken using quantum algorithms. Elliptic curve discrete log is one such example.
I've seen a lot of mis-statements by various /.ers that I'd like to clarify:
- ElGamal is not an elliptic curve algorithm. Its a classical public key encryption system based on the discrete logarithm problem. Most DL problems can be refactored as elliptic curve problems though, so perhaps the poster was referring to a possible EC ElGamal. At any rate, I'm pretty sure GPG uses classical ElGamal.
- Symmetric ciphers are rarely broken by raw computational power (brute force). In fact, algorithms above about 80 bits are impossible to break by brute force due to the laws of physics.
- Quantum Cryptography today involves means of transmitting data at very low bitrates over a channel in which eavesdropping is impossible. QC is pretty much only useful for exchanging keys for symmetric algorihms (like AES, Twofish) securely, as the data rate is to slow to be practical for anything else.
- Assymetric Cryptography (public key) is based on several hard problems. The two that are used widely today:
* The prime factoring problem (RSA)
* The Discrete Logarithm problem (DSA, ElGamal)
One will become widely available soon:
* The elliptic curve problem
- Yes, OTP is still perfectly secure, but its still perfectly useless, as w/ OTP you just shift the security to two other areas; truely random pad generation, and secure distribution of the pads.
Here here!
Although, the time factor should be mentioned. We must assume (and good cryptographers do) that any cryptosystem can be broken given enough time and/or enough effort. So one must consider two things:
1) How valuable is this secret? This translates into how much computing power (read: money) a cracker is willing to invest in its decryption.
2) How long does this need to remain a secret? What is infeasible to crack now will not (I say WILL NOT) be infeasble to crack in some number of years.
The secrets encrypted by the Enigma, for the quintessential example, were extremely valuable. They did not have much computing power then, but they were willing to invest a lot of effort to crack these messages. Now they can be cracked quite easily on a PC.
Why do I mention this? Sure, there may be an attack against AES that works better than brute force, but that is probably not a reason to stop using it now. It would appear that it would still require an large amount or resources to crack an AES message. Even so, assuming your keys are exchanged using asymmetric crytpgraphy, only one message gets cracked. If you want your secret to remain secret forever, you shouldn't be using an open channel to begin with.
> get tea
No Tea: dropped.
I used one time pads in the army. You wouldn't use one to transmit War and Peace. But you would use it to send "Attack is Tomorrow, sell IBM". Or to send "Name of agent in NSA is CowboyNeal."
Those would be encoded as the phrases "attack is tomorrow", "sell IBM", "name of agent","in NSA". The word "is" could be encoded, or dropped (the sentence would be parseable without it.) Only "CowboyNeal" might have to be encoded letter by letter. Or it could be encoded as "cowboy"+"n"+"e"+"a"+"l".
Generally, using a one time pad to encode letter by letter is a bad idea. Done only when there is no alternative.
Best Slashdot Co
It will not carry over routers and absolutely cannot be used for normal internet email for instance.
Err, thats not strictly true, take a look at the top link in Google
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
Very interesting. Thanks for the link. Still a long way from implementation though.
attacks on AES
Going from our 'digital' encryption schemes to quantum encryption will most likely be like the leap between analog to digital (multi band-pass filters for example don't make any sense in the digital world - at least not the way they were implemented for analog).
In the same way, the tools will most likely change radically when it comes to security. And I don't know if they'll even be called encryption at that point... maybe more like 'Eisenbergification'...
There was an interesting article a while back about a mathematician who proposed that if we could generate a constant stream of truly random bits (quantum helps here), and have that stream be broadcast around the world (in synch to everyone), that it would be possible to have unbreakably encrypted communications (basically the "throw-away pad" idea on a mass scale). (sorry, I don't have time to look up the link)
So bottom line is, probably current technology will become obsolete, but that thing those nerdy scientists are cooking up in all of those 'hoakey'
25 dimension universes called abstract/pure physics/math will probably generate some brilliant ideas.
"Maybe someday we'll look back fondly on the golden age of privacy."
When quantum computers come around, it'll be easy for them to break, say, 1024 bit RSA encryption, but by then, we'll all be using 1024 Terabit encryption (or something gross like that). As long as we (as individuals) have access to computing power within a few orders of magnitude of those trying to break our encryption, everything will work out fine
I've always wondered about the possibility of a symmetric cipher whose number of rounds is a function of the intermediate state of the cipher.
What I mean is this: imagine a Feistel cipher-- classic Feistel, just two sub-blocks L and R, an "F" function, and a swap.
Make sure that the key scheduling algorithm is non-periodic, even for ABSURD numbers of rounds (for instance, if we did 32768 rounds, we wouldn't have a repeated sub-key).
Now we determine a number N, which represents the minimum number of rounds required to make the algorithm immune from current attack methods.
To encrypt data, run the algorithm, noting the least significant bit of R. When R toggles between 1 and 0 N times, encryption is finished. Decryption should work similarly (remember, one neat thing about Feistel ciphers is that the encryption and decryption wind up with the same intermediate states).
It would seem to me that a quantum computer would have trouble with such an algorithm, because the determination of when to stop requires a measurement of the intermediate state.
I hope somebody sets me straight on this, I'm trying to learn what I can about quantum computing, but I'm still hopelessly lost. The above idea is based on a very limited and incomplete understanding of the subject of QC, so I'd appreciate an education in why I might be wrong.
Something that REALLY needs to be put on Crypto-Gram: the current guesstimated safety ratings of crypto algorithms, ranked safest-first.
Yeah I know this can never be guaranteed, but it's a damn sight better than making uneducated guesses. Because, eventually, ya gotta pick one when developing/choosing crypto based stuff. If the mathematicians won't say, Jow Blow has to guess and hope.
And all bets are definitely off when quantum computers arrive on the scene.
Well, except for quantum crypto, which IIRC is actualy as secure as one time pad.
autopr0n is like, down and stuff.
No - Mix + Mash ciphers aren't automagically immune, see quote from Schneier:
"While quantum computation can make problems such as factoring and discrete logarithms (which public-key cryptography are based on) easy, they can only reduce the complexity of any arbitrary computation by a square root. So, for example, if a 128-bit key length was long enough pre quantum computation, then a 256-bit key will be long enough post quantum computation."
-- B.Schneier, 10th Oct 1998 posting to soc.history.what-if USENET group
E.g. 3DES will be pretty much toast, as will AES128.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
One time pads are not secure against quantum computers!. The whole point of a quantum computer is that it can efficiently simulate a non-deterministic Turing machine. Thus it can generate all possible one time pads for an instance of cipher-text and then with complete parallelness do the polynomial time computation to determine whether a particular guess'd pad is actually correct.
I know there are languages (i.e. computational problems) out there that are harder than NP (and thus quantum computers), but I'm not sure if an efficient cryptographic system can be built around them.
The Army still uses one time pads that way.
Best Slashdot Co
Schneier was informed about the TTM method years ago, and the attacks themselves are over a year old. It was clear that the same attacks applied to AES, perhaps if Schneier had taken the time and trouble to understand TTM when he first had the opportunity he would have been sounding the "alarm" earlier. Now maybe the attacks are news because AES is much better known than TTM. And perhaps one cannot increase the complexity of AES to increase the number of operations necessary for reasonable security (and 2^100 security, the numbers Scheier notes in his newsletter, will last for at over 10 years, no problem).
It amuses me that no one has mentioned the one time pad. Granted, because the Key is as long or longer than the message being transmitted it is very, very rarely useful in practice, but it is a conventional cryptosystem which is unbreakable even with quantumn computing.
t ml
http://world.std.com/~franl/crypto/one-time-pad.h
Could you (briefly) elaborate on this collection of assumptions? I have been interested in OTPs for some time and would like to know what I'm missing. If you have truly random noise and don't re-use the pad, what can go wrong?
In fact, the Rijndael designers were considering changing Rijndael's S-box during the AES process. NIST, however, for not entirely known reasons, did not allow the Rijndael designers to do this.
Now, as it turns out, the Rijndael designers have designed some other ciphers after Rijndael. These ciphers have different S-Boxes. In fact, the Rijndael designers revised ("tweaked" as they call it) each cipher to have a representation which is easy to implement in hardware; most of the die space used when implementing Rijndael on an ASIC is implementing the S-box.
The ciphers in question are Whirlpool and Anubis (Anubis uses an involutional S-box which might possibly make it weaker). In fact, my software project does not use Rijndael proper as a psudo-random-number-generator; it uses a Rijndael variant with the "tweaked" Whirlpool S-box.
- Sam
P.S. I should also mention Khazad, named after the bridge Gandalf fights balrog at, which uses Anubis' S-box.
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Maybe we'll look back to a time when mathematicians were better than machines
In normal public/private hybrid systems, you use the public-key algorithm to encrypt a random secret session key, and then use the session key with a symmetric-key algorithm to encrypt the message. For some popular categories of factoring-based public-key algorithms, a hypothetical QC can instantly factor the key, and you can do the polynomial-time validation to show that the decryption key you've pulled out of the quanta matches the public encryption key. (OTPs don't let you do that.) You can then use the session key to crank the symmetric-key algorithm. The lead article that this discussion is about deals with weaknesses in the new symmetric-key algorithms that all of us were hoping we could use to replace Triple-DES, which appears to be very strong but is slow and clumsy (and neither 3DES nor AES appears to be attackable using QCs.)
Since widespread use of OTPs means a return to lots of couriers with briefcases attached to their arms, I suppose there are some non-mathematical ways to use QC to attack OTPs - hit the courier on the head with the QC, and then use the liquid helium from the qc to help shatter the handcuff chain, or offer the courier a Quantum Computer as bribe, or whatever :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The way you crack these algorithms is to throw mathematicians at them until some of them stick. Once you've done that, if there's anything left to bother with, then you can figure out how many processor cycles you'd need to throw at the problem to break it, and decide whether that's feasible.
If your conclusion is that it's not feasible to break, then you need to decide whether to use rubber-hose cryptanalysis to get the key, or steal the target's computer where they saved the unencrypted version, or look for the yellow sticky notes next to their desk, or put a camera in their ceiling to watch them type in their keys.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I believe you hit the point right on. Cryptography based on finite calculations (no matter how difficult) can at some point be broken. As long as the cardinality of the solution space is finite, it will eventually be cracked. However, should we switch to using a completely new system, with a solution space of cardinality of at least Aleph Null, many problems would be solved. However, this is far more difficult than it sounds. Most of the work going on in L2 and infinite dimensional hilbert spaces (and any other infinite dimensional spaces) is not being applied to cryptography. This is not to say that it can't be used for cryptographic purposes, it's just that much of the mathematics that goes on in these areas is very different than what the current cryptographers, discreet mathematicians, are doing.
There's no sig like SIGSEG
I have developed a completely unbreakable one-time pad.
Here it is:
3289743289702349802 872378238732879 238732870932098732 34278324890324 7832487923809723 23870945457 301208701912 012071203 4309873432 6210789216 320934246932 120107630128732 050 4044354543 0 207023501324 402307420 213078430 073240324
Use it as often as you wish!
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana