Slashdot Mirror


Cryptol, Language of Cryptography, Now Available To the Public

solweil writes to mention that Cryptol, a 'domain specific language for the design, implementation and verification of cryptographic algorithms,' is now available to the public. Cryptol was originally designed for the NSA. It allows for a quick evaluation and continued revisions, and is available for Linux, OS X, and Windows.

140 comments

  1. Re:Anonymous Coward. by RichardJenkins · · Score: 0, Offtopic

    Second Post!

  2. Crack this! by mugnyte · · Score: 2, Funny

      41R5T 3N6RI27ED P057 !

    1. Re:Crack this! by Anonymous Coward · · Score: 1, Funny

      L053r

    2. Re:Crack this! by Tubal-Cain · · Score: 2, Funny

      41R5T 3N6RI27ED P057 ! >>>> I AM 16 LOL!!1!1one1

    3. Re:Crack this! by eosp · · Score: 1

      H0+ 6RI72 ?

    4. Re:Crack this! by spazdor · · Score: 1

      More like cryptLOL, amirite?

      --
      DRM: Terminator crops for your mind!
    5. Re:Crack this! by Dragonslicer · · Score: 1

      41R5T 3N6RI27ED P057

      Airst Engrrted Post? Yup, that's definitely a good encryption scheme.

    6. Re:Crack this! by Anonymous Coward · · Score: 0

      You must work for the NSA.

    7. Re:Crack this! by cyborch · · Score: 1

      Funny, I read it as "airst engrizted post"...

    8. Re:Crack this! by 2.7182 · · Score: 1

      4, 8, 15, 16, 23, 42 !! Crack that baby NSA !!

  3. Kudos to NSA by rindeee · · Score: 5, Interesting

    Having worked at the Agency I must say that the quality of the 'product' that they turn over to the public domain is second to none (well, except for that which they keep for themselves of course). They take a lot of heat at a leadership level, some warranted, some not. In the end, the caliber of the engineers, security professionals and JPG (just plain geeks) that work there is second to none. From SEL to crypto bake-offs to the submitter's topic, they've done a helluva lot of good for the community. Thanks guys! Now if they could just get 'Weed Man' to open an omelet shop out in town, all would be right with the world (inside joke, sorry).

    1. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      I'm sorry, but you never worked at the Agency, unless we're talking about Volt Services. Please do not misrepresent yourself.

    2. Re:Kudos to NSA by Anonymous Coward · · Score: 1, Funny

      So, how DO you factor large semiprimes fast?

    3. Re:Kudos to NSA by larry+bagina · · Score: 1

      Except for the ones in the white house.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    4. Re:Kudos to NSA by caramelcarrot · · Score: 5, Funny

      That "M+" button on your calculator that no-one knows how to use. That's what it does.

    5. Re:Kudos to NSA by collinstocks · · Score: 5, Informative

      Just a correction: Regardless of who developed this (there seems to be some disagreement), nobody turned it over to the public domain. Read the license agreement: it says that you are not allowed to even create derivative works, nor redistribute the program to multiple sources, nor use it for commercial purposes.

    6. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      Not sure I have understood their license though. I am totally Ok with not using their binaries as I have no idea what they compiled in anyway, but does this mean I cannot implement my own Cryptol interpreter or compiler? From what I see it is awfully close to Haskell. Building your own converter should not be too hard.

    7. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      is weed man that black guy that works at the grill and looks he's been smoking some weed? he does make some good omelets..

    8. Re:Kudos to NSA by morgan_greywolf · · Score: 1

      but does this mean I cannot implement my own Cryptol interpreter or compiler?

      First off, I'll just state that I'm not a lawyer, this is not legal advice, and fucking with the NSA is liable to land you in hot water in no time. But you probably could. My understanding is that for a programming language, the language itself would be the 'look and feel' and probably not subject to copyright or patent restrictions, but YMMV depending on your jurisdiction.

      From a technical standpoint, though, it's not the language semantics itself that necessarily generates really fast binary code for cryptography, but more like the compiler itself -- how that source is translated into a binary. So while you could write your own Cryptol interpreter, compiler, JIT, VM, whatever, implementing the language only gets you halfway there. Maybe a little more. Having language semantics that are optimized for cryptography certainly helps, but it's not the entire picture.

    9. Re:Kudos to NSA by morgan_greywolf · · Score: 1

      FWIW, and for those whose interest was piqued by the parent post, (and note that I don't know anything about the GP's employment history), but I know that Volt Services is a staffing agency. They do a lot of IT contract placements to various government agencies, including NSA.

      Basically, NSA employs a bunch of Ph.D's who lay out all the theoretical work. They work with project managers who typically outsource all the coding.

      I could tell you how I know all this, but I'd have to kill you. ;)

    10. Re:Kudos to NSA by v1 · · Score: 2, Funny

      So, how DO you factor large semiprimes fast?

      can someone explain why this is hard to do? It seems like a straightforward process since the number of primes is essentially fixed. (there are quite a few of them but we keep hearing announcements about a new ONE being found, so there can't be that many of them that are known, someone's got a book I'm sure)

      Just a matter of looping through all known primes, seeing if x divides by it. That's order 1 since the number of primes is "fixed". If you don't find anything it divides by, it's a new prime (add it to your list) or its smallest factor is larger than your biggest known prime. Otherwise remember that factor, and start working on the dividend.

      Why is this always considered such a hard thing to do? It looks like something that should go quick.

      Heck with modern day processors I'd imagine you could fab a specialized chip that determines which of the "known primes" the provided number has as one of its divisors as a one-step (parallel) operation. Just hardcode it to those primes.

      --
      I work for the Department of Redundancy Department.
    11. Re:Kudos to NSA by ObsessiveMathsFreak · · Score: 0, Flamebait

      Now, if only they had the ethical standards to match their technical ones.

      --
      May the Maths Be with you!
    12. Re:Kudos to NSA by Anonymous Coward · · Score: 2, Funny

      I use that to store "5318008" in memory so I always have one on hand.

    13. Re:Kudos to NSA by Chyeld · · Score: 4, Informative

      There are infinitely many prime numbers.

      The oldest known proof for the statement that there are infinitely many prime numbers is given by the Greek mathematician Euclid in his Elements (Book IX, Proposition 20). Euclid states the result as "there are more than any given [finite] number of primes", and his proof is essentially the following:

      Consider any finite set of primes. Multiply all of them together and add 1 (see Euclid number). The resulting number is not divisible by any of the primes in the finite set we considered, because dividing by any of these would give a remainder of 1. Because all non-prime numbers can be decomposed into a product of underlying primes, then either this resultant number is prime itself, or there is a prime number or prime numbers which the resultant number could be decomposed into but are not in the original finite set of primes. Either way, there is at least one more prime that was not in the finite set we started with. This argument applies no matter what finite set we began with. So there are more primes than any given finite number.

    14. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      Part of the problem is that we don't have all of the primes. The primes you keep hearing about have properties like being a set of twin primes.

      You can google prime generation and you'll find that the methods are fairly slow to come up with 1, much less a whole range of them.

    15. Re:Kudos to NSA by cromar · · Score: 3, Interesting

      Interesting question. You always hear that it's because of "prime factorization" or something, and to tell the truth I hadn't thought about what that actually meant. The article on RSA at Wikipedia seems informative:

      The RSA problem is defined as the task of taking e-th roots modulo a composite n: recovering a value m such that c = m^e mod n, where (n, e) is an RSA public key and c is an RSA ciphertext.

      Keep in mind these are typically 1024-bit (or more) numbers -- 2 ^ 1024 possible numbers to factor. Also, the world's record for factorization at the moment is for factoring a 668-bit number that took "several months of computer time using the combined power of 80 AMD Opteron CPUs."

    16. Re:Kudos to NSA by pointsofdata · · Score: 2, Informative

      While I am no expert in the area, nor do I know a huge amount about mathematics, wikipedia says that there are 2,220,819,602,560,918,840 primes below 10^20, which is 20 digits long. Considering that the largest known prime is almost 13 million digits long, and most of these numbers are unimaginably vast, it appears that it is not trivial to find the prime factors of a number. For instance, if a computer can test 10 billion primes a second (which is more than a consumer grade computer can (I think)), then it would take ~2 billion seconds to go test all the primes from 2 to 10^20. While this would be far faster on a supercomputer, if all primes up to 2^(43,112,609) − 1 are taken into account, it is not hard to appreciate that this will take a huge amount of time.

    17. Re:Kudos to NSA by 644bd346996 · · Score: 2, Informative

      It's not so hard to factor a 32-bit number with a 64-bit computer. It is very hard to efficiently factor a 2048-bit number with a 64-bit computer. Even if you had a list of all prime numbers that can be expressed in 2k or fewer bits, streaming all that data to your CPU would take a lot of bandwidth.

    18. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      I don't get how this is true; "or there is a prime number or prime numbers which the resultant number could be decomposed into but are not in the original finite set of primes." What's the proof for that statement?

    19. Re:Kudos to NSA by Anonymous Coward · · Score: 1, Informative

      That's from the definition of a prime number. Take any natural number N. Either (1) N is prime, or (2) N is divisible by a prime number (it's not prime, i.e. it's composite: the product of two or more prime numbers).

      Euclid is using this fact to show that the original finite set does not contain all primes, because either that original set did not contain N, or it did not contain a prime factor of N. Hence, no matter how many primes you find, there will always be more primes.

    20. Re:Kudos to NSA by poopdeville · · Score: 1

      It follows from the prime decomposition theorem -- that every number is a product of primes. (Or, more-or-less equivalently, Euclid's algorithm)

      The proof is essentially a "counting proof". Collect any finite list of primes, and one can construct a number that is not divisible by any of them.

      For example, if p_1 ... p_n are prime, N = (p_1 x ... x p_n) + 1 isn't divisible by any of them. Which means that it is prime, or there is a prime number (that isn't in the list) that does divide your new number N.

      --
      After all, I am strangely colored.
    21. Re:Kudos to NSA by jd · · Score: 1

      Far as I can see, it's a very trimmed-down formal language and not a whole lot more. Yes, a lot of the work is in the compiler, but there are plenty of well-developed compilers for languages just as well-designed, and a fair few are Open Source, not proprietary or with absurd conditions. And even those which are proprietary, such as Intel or Green Hills, the trial version is full-blown and not a toy edition. Re-implementing Cryptol as a front-end to an existing high-quality compiler, or as a translator (the cryptol-to-something equivalent of f2c) should not be overly difficult. Certainly not as hard as writing a Cryptol compiler from scratch of equal calibre.

      As far as whether it would infringe on IP, I doubt it. Microsoft got walloped by Sun over using a trademarked name, not over the language per-se, which is why they could get away with just renaming it. But Microsoft couldn't take action against Mono or any of the Open Source .Net reimplementations because that's not something that can be protected. In this case, the worst that can happen is someone abseils down from a helicopter in the dead of night and sends you on a guided tour of Afghanistan. That's all. They can't sue you.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    22. Re:Kudos to NSA by akaariai · · Score: 2, Informative

      The short answer is that there are just too many primes to list. There are about x/log(x) prime numbers smaller than x. If you have a 512 bit number then you have about sqrt(2^512) / log(sqrt(2^512)) numbers to check. So, there are 1.5 * 10^75 numbers you need to list. This is simply impossible. Moore's law will not help here, as adding one bit to the number to check about doubles the search space. That is, after a year you can check a number that is just one bit larger!

    23. Re:Kudos to NSA by spazdor · · Score: 1

      C'mon, be fair. It's a Coke Man in the white house.

      --
      DRM: Terminator crops for your mind!
    24. Re:Kudos to NSA by Chyeld · · Score: 2, Insightful

      Start with a small set to see the logic if you need to.

      Say just (2, 3, and 5). All prime numbers.

      Now the product of 2, 3, and 5 is 30. Add 1 to this and you get 31.

      31 is not divisible by 2. The closest you can get to 31 in multiples of two is 30 (which is 3 times 5 times... you guessed it 2.) and you have 1 left over.

      31 is not divisible by 3. It's the same as 2. The closest you get is 30 (2 times 5 times... 3!) and you have 1 left over.

      The same goes for 5. Because you are adding 1 to the product of all three, you can't divide into the result cleanly.

      This is going to be the same for any group of prime numbers you pick. By adding 1 to their product, the result can't be broken down cleanly as a product of those numbers. You'll always be 1 away (because you actually took their product and added 1).

      Now the definition of a prime number is a number that can only be cleanly divided by two numbers. Itself and 1. Every other number has more possible divisors. As a result of this, every number out there is either a prime, because you can't divide something into it, or a product of primes.

      31 therefore is either a prime number itself, or it can be broken down into a product of prime numbers.

      But we've shown that the prime numbers in our list can't be the primes that do that, since none of them can divide into our result cleanly.

      That means, by default, our group of numbers can't contain all the prime numbers. Either they are missing our result (and btw, 31 is a prime) or they are missing the prime factors of our result. And since this works for any group of prime numbers you can put together, effectively you've just proven that the actual set of prime numbers itself is infinite.

    25. Re:Kudos to NSA by Profane+MuthaFucka · · Score: 1, Funny

      I have never worked at the agency, but I was once in an orgy with Bob, Eve, and Alice.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    26. Re:Kudos to NSA by Anonymous Coward · · Score: 2, Funny

      Is there anything that little button can't do? I have a feeling "M+" stands for "More magic".

    27. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      There's something worth pointing out here, the license which they wish to provide it under might actually be invalid since the M$ binary they provide is statically linked against the GNU Multiple Precision Arithmetic Library which is licensed under the LGPL, but I would bet that some would consider this a combined works and therefore possibly making it GPL.

    28. Re:Kudos to NSA by Raenex · · Score: 1

      But Microsoft couldn't take action against Mono or any of the Open Source .Net reimplementations because that's not something that can be protected.

      Yes they can, via patents.

    29. Re:Kudos to NSA by jd · · Score: 1

      You can't patent interfaces, only implementations. A language is not an implementation and therefore is inherently unpatentable. Well, except in the US, where apparently icons for data files can be patented. Ok, in theory languages cannot be patented. They don't define a process, they don't describe a mechanism, they merely codify the syntax and semantics of the building-blocks that can be used to build mechanisms or processes.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    30. Re:Kudos to NSA by MichaelSmith · · Score: 3, Funny

      There are infinitely many prime numbers.

      The GP said the number of primes is essentially fixed which is consistent with the number of primes being infinite, I suppose.

    31. Re:Kudos to NSA by Repossessed · · Score: 1

      The primes you want are around 300 digits long. And I'm guessing that even at ultra high numbers primes occur every google or so....

      --
      Liberte, Egalite, Fraternite (TM)
    32. Re:Kudos to NSA by Repossessed · · Score: 1

      It's ln not log.

      --
      Liberte, Egalite, Fraternite (TM)
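      The two posts above (akaariai's x/log(x) estimate and the "It's ln not log" reply) are easy to check numerically. The block below is an added example written for this thread, not code from Cryptol or from any poster: it sieves small ranges to show the prime number theorem estimate against the exact count, then applies the estimate to the primes below sqrt(2^512) with both natural and base-10 logarithms, and converts that to wall-clock time at the 10 billion tests per second that pointsofdata assumed above (a constructed rate, not a benchmark).

```python
import math
from typing import List


def primes_below(limit: int) -> List[int]:
    """Sieve of Eratosthenes: the exact list of primes below `limit`.

    Used only to sanity-check the estimate on ranges small enough to
    enumerate; at 2^256 there is no list to sieve, which is the point.
    """
    if limit < 3:
        return []
    is_prime = bytearray([1]) * limit
    is_prime[0] = is_prime[1] = 0
    for p in range(2, math.isqrt(limit - 1) + 1):
        if is_prime[p]:
            # Knock out every multiple of p from p*p upwards.
            is_prime[p * p::p] = bytearray(len(range(p * p, limit, p)))
    return [i for i, flag in enumerate(is_prime) if flag]


def prime_count_estimate(x: float, base: float = math.e) -> float:
    """Prime number theorem estimate: roughly x / log(x) primes below x.

    `base` selects the logarithm; the theorem is stated with the natural
    log, and using log10 instead inflates the answer by a factor ln(10).
    """
    return x / (math.log(x) / math.log(base))


def trial_division_candidates(bits: int, base: float = math.e) -> float:
    """Primes a trial-division factoring of a `bits`-bit semiprime would
    have to try in the worst case: every prime below sqrt(2**bits)."""
    return prime_count_estimate(2.0 ** (bits / 2), base)


def years_to_exhaust(bits: int, checks_per_second: float = 1e10) -> float:
    """Wall-clock years to try every candidate at a constructed test rate."""
    seconds = trial_division_candidates(bits) / checks_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    exact = len(primes_below(10**6))
    print(f"primes below 10^6: exact {exact}, estimate {prime_count_estimate(10**6):.0f}")
    print(f"candidates for a 512-bit modulus, ln:    {trial_division_candidates(512):.3g}")
    print(f"candidates for a 512-bit modulus, log10: {trial_division_candidates(512, 10):.3g}")
    print(f"years at 1e10 tests/s: {years_to_exhaust(512):.3g}")
```

      With base 10 the estimate comes out at about 1.5 * 10^75, the figure quoted above; with the natural log it is about 6.5 * 10^74, a factor ln(10) smaller. Either way the time to exhaust the list is on the order of 10^57 years, so the exact base only changes which astronomically large number you write down, not the conclusion that trial division is not how anyone factors RSA moduli.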
    33. Re:Kudos to NSA by Raenex · · Score: 1

      they merely codify the syntax and semantics

      It's the semantics that are patentable, at least in the United States.

    34. Re:Kudos to NSA by holdenholden · · Score: 1

      Every non-prime is a product of primes. Here we have a number A that is not divisible by any of the numbers in a set of primes. There are two options: 1) The number A is prime. 2) The number A is composite, and the set of primes is missing one prime. In either case we have one more prime.

    35. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      This is going to be the same for any group of prime numbers you pick.

      Counter-example: I pick 3 and 5. 3x5+1 is 16 which is not prime. The demonstration is only valid if you pick all the first N prime numbers.

    36. Re:Kudos to NSA by Jeremi · · Score: 1

      It's not so hard to factor a 32-bit number with a 64-bit computer. It is very hard to efficiently factor a 2048-bit number with a 64-bit computer.

      Hmm, that raises the question... has anyone tried to build a 2048-bit computer?

      Sounds like it might be fun project for the right TLA with a multi-billion dollar budget...

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    37. Re:Kudos to NSA by jd · · Score: 1

      The implementation of a business method or algorithm is patentable, but the semantics fall short of a full implementation. Also, patents are not supposed to include those things which are "obvious". You could not patent the AND operator, for example, even if there was no prior art. (Ok, the USPO gets muddled on what is "obvious", which is why the one-click patent may or may not actually be valid.) For the most part, instructions in a language are "obvious" and also have oodles of prior art. It would be very hard to invent a computer language in which an instruction has syntax and semantics different from a conventional programming language in some non-trivial way and in which the instruction is still useful. Even then, interfaces are generally ruled unpatentable for the reason stated at the start - they're not an implementation, they merely describe in a highly abstract way what the end result of any member of the entire class of implementations would be. That's too vague. You can't patent ranges of inventions, only a specific invention.

      In this case, the language is based on Haskell, so prior art immediately applies. A patent that attempts to cover a pre-existing method (obvious or not) should - if the judge is sober - be thrown out of court so fast it reaches escape velocity. Preferably along with any USPO clerk that allowed it. Since most crypto operations are likely to be simple boolean operands, power functions or modulo, and since these all exist in pretty well nearly all programming languages, anything not Haskell-specific is going to be prior art from somewhere else.

      The result is that there is absolutely nothing in Cryptol that can be protected, save the specific implementation provided and there's so far bugger all evidence that their implementation is any more interesting than anyone else's.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    38. Re:Kudos to NSA by Raenex · · Score: 1

      Kodak wins Java patent suit

      "Eastman Kodak has won a controversial lawsuit in which it claimed Sun Microsystems had infringed several of its patents with its Java programming language."

    39. Re:Kudos to NSA by 644bd346996 · · Score: 1

      I don't think that a 2kbit architecture would be particularly useful. Sure, it might work well for factoring large numbers, but for many other cryptography-related tasks, the lack of granularity would make it rather inefficient. If you're going to build a computer for factoring large numbers, you might as well build TWIRL.

    40. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      Just a matter of looping through all known primes, seeing if x divides by it. That's order 1 since the number of primes is "fixed".

      It's actually order of N, where N=1... it takes constant time to check each number in the input, and you are stating the problem as checking a single number as the input.

      But!

      There is the small matter of the constant. O(1) means a problem executes in constant time, but says nothing about how big the constant is. In most problems, the constant is small enough to be negligible for O(N) and N=1. In this case, the constant is really damn fucking huge. Doing ANYTHING with a 2048-bit number takes a while, and checking against all primes that can be multiplied to make a 2048-bit number is just crazy.

    41. Re:Kudos to NSA by Anonymous Coward · · Score: 0

      The procedure given in the proof does not necessarily produce a prime number (that is a special case). It always produces a number that requires a prime outside your set of primes to factor. In your example, 16 is only divisible by the prime number 2, which is outside your set of {3,5}.

    42. Re:Kudos to NSA by RedWizzard · · Score: 1

      This is going to be the same for any group of prime numbers you pick.

      Counter-example: I pick 3 and 5. 3x5+1 is 16 which is not prime. The demonstration is only valid if you pick all the first N prime numbers.

      No, that's covered in the proof: "... or there is a prime number or prime numbers which the resultant number could be decomposed into but are not in the original finite set of primes." The resultant number (16) is divisible by a prime that is not in your set (2). Therefore there are more primes than are in your set.

    43. Re:Kudos to NSA by jd · · Score: 1

      I could be wrong, but take a look at the following extract from the linked article:

      "These patents--numbers 5,206,951, 5,421,012, and 5,226,161--referred to the integration of data between object managers, and between data managers, and to the integration of different programs that were manipulating data of different types."

      To me, this sounds like an implementation of Java issue, not an issue with Java as a language. You could implement all kinds of mechanisms in the JVM that did the same thing but were not covered by those patents.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    44. Re:Kudos to NSA by Raenex · · Score: 1

      The point is if the specified semantics are essentially patented, you can be sued. Whether you can find an acceptable workaround ($92 million after the fact) is another matter. You may or may not be able to, depending.

      This is the whole issue with .NET and Mono, which is why I took exception to your comment: "But Microsoft couldn't take action against Mono or any of the Open Source .Net reimplementations because that's not something that can be protected."

    45. Re:Kudos to NSA by againjj · · Score: 1

      This is going to be the same for any group of prime numbers you pick.

      Counter-example: I pick 3 and 5. 3x5+1 is 16 which is not prime. The demonstration is only valid if you pick all the first N prime numbers.

      Read the post again:

      31 therefore is either a prime number itself, or it can be broken down into a product of prime numbers.

      But we've shown that the prime numbers in our list can't be the primes that do that, since none of them can divide into our result cleanly.

      So, 16 is either a prime number itself, or it can be broken down into a product of prime numbers, and the prime numbers in your list can't be the primes that do that. In particular, the prime you are looking for is 2.
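      Chyeld's worked proof with {2, 3, 5} and the {3, 5} counter-example discussed in the last few replies can both be run. The block below is an added example written for this thread, not code from any poster or from Cryptol: `euclid_witness` applies the construction to any finite set of primes and returns the product-plus-one together with its smallest prime factor, which is never in the input set, and `euclid_mullin` goes one step beyond the thread by iterating the construction from the empty set to grow an ever-larger set of primes (the Euclid-Mullin sequence). The function names are mine.

```python
from math import isqrt, prod
from typing import List, Tuple


def smallest_prime_factor(n: int) -> int:
    """Return the smallest prime factor of n (n itself when n is prime).

    Plain trial division up to sqrt(n): fine for the small numbers the
    construction produces from a handful of primes, hopeless at RSA sizes.
    """
    if n < 2:
        raise ValueError("n must be at least 2")
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return d
    return n


def euclid_witness(primes: List[int]) -> Tuple[int, int]:
    """Euclid's construction for a finite set of primes.

    Returns (N, q) with N = p_1 * ... * p_n + 1 and q the smallest prime
    factor of N. N leaves remainder 1 on division by every p_i, so q is
    never in the input set: either N is prime (then q == N) or N has a
    prime factor the set was missing. The empty set gives N = 2.
    """
    n = prod(primes) + 1
    q = smallest_prime_factor(n)
    assert q not in primes, "Euclid's argument guarantees this never fires"
    return n, q


def euclid_mullin(terms: int) -> List[int]:
    """Iterate the construction from the empty set, each time adding the
    prime it exposes. The set keeps growing: the infinitude of primes in
    action, and the case where N is composite shows up by the fifth step.
    """
    found: List[int] = []
    while len(found) < terms:
        _, q = euclid_witness(found)
        found.append(q)
    return found


if __name__ == "__main__":
    print(euclid_witness([2, 3, 5]))             # (31, 31): N is itself prime
    print(euclid_witness([3, 5]))                # (16, 2): N composite, 2 not in {3, 5}
    print(euclid_witness([2, 3, 5, 7, 11, 13]))  # (30031, 59): N = 59 * 509
    print(euclid_mullin(7))                      # [2, 3, 7, 43, 13, 53, 5]
```

      The {3, 5} case returns 16 and the missing prime 2, exactly the situation RedWizzard and againjj describe; the first six primes give 30031 = 59 * 509, so even "all the first N primes" does not make N itself prime, only guarantees a prime outside the set.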

    46. Re:Kudos to NSA by Secret+Rabbit · · Score: 1

      There are an infinite number of primes. Any elementary book on number theory will have the proof of that in it.

      There's *a lot* of literature out there on how to factor integers. If you want something more readable, then look up the quadratic sieve. It's the second fastest algorithm out there. That being said, it *is* a general algorithm so its speed will likely be improved by making some modifications due to crypto using almost primes. But, that gets somewhat convoluted. Just stick to the quadratic sieve for now.

      Also, it's considered a hard thing to do because thousands of years have gone by without anyone solving the problem of the quickness. Yes, it goes back that far. You also don't seem to understand the sheer magnitude of the numbers that are being dealt with. Check out the RSA challenge numbers. Your opinion will change after you see the size of them.

      Just because something might look simple, doesn't mean it is.

    47. Re:Kudos to NSA by Tony+Stark · · Score: 1

      "It seems like a straightforward process since the number of primes is essentially fixed." Only in the sense that infinity is a fixed number.

    48. Re:Kudos to NSA by Alphasite · · Score: 1

      You are right, the number of primes lower than a given number is fixed... the thing is, even being fixed, there are still A LOT of prime numbers for the numbers we're talking about.

      If we use a 1024 RSA Key we are talking about 2^1024 and that's ... well, a lot, so let's say (and this is just a guess, could be more or less, I have no idea), that one in every 16 million consecutive numbers is a prime, and let's say 16 million is 2^24... then you have to test with 2^1000 primes ... which is a hell of a loop...

      So, yeah, the number of primes below a given number is fixed but fixed doesn't mean few...

  4. really? by gclef · · Score: 5, Funny

    So, wait, the NSA just released math?

    1. Re:really? by BitZtream · · Score: 5, Funny

      Math 2.0

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:really? by Anpheus · · Score: 1

      Unlike New Coke and New Math, Math 2.0 is really, truly the future. For reals this time.

  5. Cryptol? by larry+bagina · · Score: 4, Funny

    Sounds more like a drug than a programming language.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:Cryptol? by Anonymous Coward · · Score: 1, Funny

      Sounds more like a drug than a programming language.

      I thought it was Superman's dog's name.

    2. Re:Cryptol? by jd · · Score: 0

      Kittehs hab been uzing cryptlol for yeers.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:Cryptol? by gzipped_tar · · Score: 1

      When I saw the name for the first time, I thought about thinkpol. Maybe I'll release a programming language that is *actually* named "thinkpol" in the future.

      --
      Colorless green Cthulhu waits dreaming furiously.
    4. Re:Cryptol? by Anonymous Coward · · Score: 1, Funny

      Cryptol Math

    5. Re:Cryptol? by b4dc0d3r · · Score: 1

      Blue flag hanging from the left side, yeah that's the Cryptol side.

    6. Re:Cryptol? by Anonymous Coward · · Score: 0

      Heh, it took me a while to figure out why that was modded funny.

  6. Why the precision? by Anonymous Coward · · Score: 2, Interesting

    Available To the Public on Friday December 26, @02:44PM

    Is there something intrinsic to cryptographic protocols that requires a timed release?

    1. Re:Why the precision? by Gori · · Score: 1

      Well, clearly it is. They would not have bothered otherwise...

      You would like to know the moment you booted cryptoSkyNet :)

      --
      Complexity is a measure of our ignorance...
    2. Re:Why the precision? by Anonymous Coward · · Score: 0

      --@02:44PM

      And why does a secret government agency use an inferior time system?

    3. Re:Why the precision? by FlyingBishop · · Score: 1

      That's misdirection. Internally, they use Unix time directly - but obviously for a press release they're gonna run it through strftime().

    4. Re:Why the precision? by Chyeld · · Score: 1

      More to the point, wouldn't you like to know why they released it at 2:44pm instead of 2:45pm?

      What do they know that we don't?

      Who is lurking in the shadows outside your window?

      Was that thump just a wild varmit messing around outside, or...

      BOOOO!

    5. Re:Why the precision? by VE3MTM · · Score: 1

      Steganography?

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 Whoops, silly middle mouse button...
  7. Using an NSA tool.. by TechForensics · · Score: 1, Insightful

    Doesn't it seem probable that anything created with an NSA tool will be more reversible with other NSA tools?

    --
    Those are my principles, and if you don't like them... well, I have others.
    1. Re:Using an NSA tool.. by Anonymous Coward · · Score: 2, Insightful

      Watch out. SELinux is made by NSA.

    2. Re:Using an NSA tool.. by Anonymous Coward · · Score: 0

      LOL

    3. Re:Using an NSA tool.. by Anonymous Coward · · Score: 0

      Hey! I'm a homosexual, you insensitive clod!

    4. Re:Using an NSA tool.. by j1m+5n0w · · Score: 1

      As I understand it, cryptol was developed by Galois, a private company, and not by the NSA. Whether you find this reassuring or not is up to you. However, if a tool for developing cryptographic protocols were to, say, substitute a weak algorithm in place of a strong one, in many cases it would simply fail to interoperate with any reference implementation not developed using cryptol.

    5. Re:Using an NSA tool.. by Dun+Malg · · Score: 1

      Doesn't it seem probable that anything created with an NSA tool will be more reversible with other NSA tools?

      How do you "back door" math?

      --
      If a job's not worth doing, it's not worth doing right.
    6. Re:Using an NSA tool.. by Anonymous Coward · · Score: 0

      What ASSHOLE modded this "redundant"? Abuse of mod points, clear and simple. The parent is right on, and since it has not been said in this thread, IT IS NOT REDUNDANT. Jackass. Moron. Masturbator. Homosexual.

      If the poster is in fact what (s)he is claimed to be, it would seem abuse of mod points is probably the least of it.

    7. Re:Using an NSA tool.. by Anonymous Coward · · Score: 0

      better math :-)
      (i.e. flawed methods or keeping faster algorithms to themselves, so that your unbreakable crypto is bruteforced in minutes)

  8. Is part of the stummary encrypted? by Anonymous Coward · · Score: 0

    SRC="http://ad.doubleclick.net/adj/N763.no_url_specifiedOX2531/B3272816.16;sz=336x280;click=http://ad.doubleclick.net/click%3Bh=v8/37a2/3/0/%2a/z%3B210347091%3B0-0%3B1%3B13358338%3B255-0/0%3B29593640/29611519/1%3B%3B%7Eokv%3D%3Bpg%3Darticle%3Blogged_in%3D1%3Bdcopt%3Dist%3Btile%3D1%3Btpc%3Dit%3Btpc%3Ddevelopers%3Btpc%3Dprogramming%3Btpc%3Dsecurity%3Btpc%3Dtechnology%3B%7Esscs%3D%3f;ord=6242438?">

    1. Re:Is part of the stummary encrypted? by Anonymous Coward · · Score: 0

      no, you're just a moron is all

  9. Re:minus 3, Troll) by lejflo · · Score: 0, Offtopic

    Looks like the Technocrat 'creeps' are already migrating to /.:

    http://news.slashdot.org/article.pl?sid=08/12/26/1126256

  10. Interesting for discrete math. by Animats · · Score: 5, Interesting

    Neat. There's some similarity to Matlab, and some to Renderman, and some of the syntax is borrowed from Haskell. The language is compilable to VHDL, so it's possible to generate hardware from the spec. The language is recursive and doesn't support iteration (there's no "for" statement) to make proof of correctness work easier.

    This language might also be useful as a way to express compression algorithms. Reference implementations of the various "zip" algorithms in Cryptol would be useful, and ones for JPEG and MPEG compression, which are often implemented in hardware, even more useful. It's not clear how well Cryptol deals with memory-heavy problems like motion recognition or Hamming table building for compression, though.

    1. Re:Interesting for discrete math. by Jeremi · · Score: 1

      Neat. There's some similarity to Matlab, and some to Renderman, and some of the syntax is borrowed from Haskell.

      Sure, but the real fun is trying to find the cleverly concealed back door that will allow the NSA to trivially bypass any "secure" algorithm you develop. Don't look for it in the reference implementation, as that would be too obvious and easy to work around. No, it will be somewhere in the language specification itself...

      (adjusts tinfoil hat)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  11. Re:minus 3, Troll) by larry+bagina · · Score: 1

    Bruce Perens posts as an AC?!?!

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  12. Wait... what? by Vertana · · Score: 2

    Why would they release this? Don't get me wrong, I, personally, am all for donating to the community and further advancing technology as a species; however, why would the NSA deliver something to the public that would, in the long run, possibly make life harder on themselves by possibly furthering the advances of private encryption? I'm not trying to play Devil's Advocate, I just genuinely don't understand why they would (possibly) make life harder for themselves.

    --
    "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    1. Re:Wait... what? by Bazzargh · · Score: 2, Funny

      Why would they release this? Don't get me wrong, I, personally, am all for donating to the community and further advancing technology as a species; however, why would the NSA deliver something to the public that would, in the long run, possibly make life harder on themselves by possibly furthering the advances of private encryption? I'm not trying to play Devil's Advocate, I just genuinely don't understand why they would (possibly) make life harder for themselves.

      Yes, why? This is as dangerous as releasing a dictionary - possibly allowing wildly speculative internet postings with less spelling mistakes.

      Down with that sort of thing! Careful Now.

      - Father Ted.

    2. Re:Wait... what? by Garridan · · Score: 2, Informative

      Because building hardware & software is profitable for very many companies; and getting something certified as secure enough for the NSA is pretty hard work. If they release the toolchain, it's one less thing to worry about leaking from the developer, and they have more access to better software.

    3. Re:Wait... what? by bhima · · Score: 3, Informative

      There is no such thing as trusted private encryption. Effective secure encryption is astoundingly complicated and you cannot devise effective encryption in a vacuum. Lots of companies show us ineffective untrustworthy encryption which they develop in secret and which fails in short order... like CSS which is used on DVDs or the DRM in popular games and other digital media. Haven't you read folks on Slashdot mocking them for it?

      So the best way is to do everything out in the open and have people find the weakness in it before it goes into production. Because once it goes into production you don't need to be a code breaker to enjoy the stunning stupidity of the fools that rely on private encryption... you only need to be able to find the app with Google and download it.

      Have a look at the ongoing contest for SHA-3. It's been reported here I think. Or you could read about how they came up with AES.

      Here's the zoo: http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo

      As a side note: Contests and prizes are a remarkably effective method of spending the public's money for public good... as long as the results are open and patent free.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    4. Re:Wait... what? by Vertana · · Score: 1

      Ok, in that capacity it makes sense. I'm not sure why that didn't occur to me earlier. Thank you, Garridan.

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    5. Re:Wait... what? by Vertana · · Score: 1

      I actually didn't mean private in a "security through obscurity" sense, I meant in the private sector. It just seemed that in modern times, the United States government wouldn't want to give anything to the community in terms of improving security for individuals. (These were just the thoughts at the time, I can see why now... just thought I'd throw it out there)

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    6. Re:Wait... what? by j1m+5n0w · · Score: 1

      Firstly, cryptol is being released by Galois, a private company, and not the NSA directly. I don't know the details of Galois' relationship with the NSA, but my understanding is that cryptol was developed by Galois, and it's quite likely that the NSA doesn't have any say in whether cryptol is released or not.

      Secondly, there are a lot of social benefits to widespread access to good cryptography. Bad security is a constant drain on the economy, in the form of stolen credit card numbers and the like.

      Thirdly (and as someone else pointed out), the NSA has to work with a lot of private companies, and if those companies have access to better tools, they can more easily supply the NSA with the products they need.

      For a history of the (often antagonistic) relationship between the NSA and those who would promote "cryptographic anarchy", I'd recommend reading "Crypto" by Steven Levy. I don't know what the current ideology is within the NSA, but ten or twenty years ago they would likely have been very much opposed to widespread public access to cryptographic tools.

    7. Re:Wait... what? by wkk2 · · Score: 1

      Hopefully they have a lint like process to look for known but secret deficiencies once the design is specified in this language.

    8. Re:Wait... what? by Anonymous Coward · · Score: 1, Funny

      ... postings with fewer spelling mistakes.

      Moral: Practice what you preach.

    9. Re:Wait... what? by Naturalis+Philosopho · · Score: 1

      He spelled "less" correctly. His was a grammar, not a spelling error. Oh, and they released this to subtly remind us that they can break (or think that they can break) any crypto out there and so don't have to worry about people using math. Hey, at least now people may be more able to use it correctly.

  13. Finally! by tobiasly · · Score: 3, Funny

    At last, we now have a programming language that implements rot13() natively! Now my website's login authentication system will really fly...

  14. Lack of Functionality by burning-toast · · Score: 5, Insightful

    FTFA:
    "The open version does not compile to VHDL, C/C++, or Haskell, and does not produce the formal models used for equivalence checking."

    So does this mean the open version (trial version) which we might have access to does not do much of what it is touted to be good for?

    Just another advertisement for a commercial product methinks. Maybe cool, but still a slashvertisement.

    - Toast

    1. Re:Lack of Functionality by Dun+Malg · · Score: 4, Informative

      FTFA: "The open version does not compile to VHDL, C/C++, or Haskell, and does not produce the formal models used for equivalence checking."

      So does this mean the open version (trial version) which we might have access to does not do much of what it is touted to be good for?

      Just another advertisement for a commercial product methinks. Maybe cool, but still a slashvertisement.

      - Toast

      Yep. Two lines down from the above quote it states:

      "Contact Galois to obtain a full-featured version for evaluation."

      It's classic crippleware. Free version doesn't do anything useful, and the "full-featured" version costs money and uses a dongle or something.

      --
      If a job's not worth doing, it's not worth doing right.
    2. Re:Lack of Functionality by j1m+5n0w · · Score: 1

      From the download page:

      This free trial version lets you explore the Cryptol language. It compiles and interprets Cryptol specifications but does not translate the specification into an implementation and only QuickCheck verification is enabled. The download includes the documentation suite and many examples.

      So, they're providing a compiler and an interpreter. It sounds like there are enough restrictions that it would be hard to use anything cryptol-derived as part of a commercial product (or even an open-source project) without paying for the full version. However, one might implement a new cryptographic algorithm first in cryptol and then in some other language like C.

      Presumably, the cryptol implementation would be easier to reason about than the C implementation. (I haven't tried cryptol myself, but I understand this is one of its main selling points.) One could then feed both algorithms a lot of random input and see if they both come up with the same answers every time. So, the cryptol version could serve as the reference implementation for the final released version.

      This is obviously less interesting than if Galois had just released the whole thing for free, but it's still better than nothing. I was kind of surprised to see this made its way to the front page of slashdot after seeing the announcement first on the haskell-cafe a few days ago. It seemed like good news, just not the sort of thing that very many people are likely to be interested in.

      What Galois has been doing that does deserve a lot of credit (in my opinion) is they've been actively supporting the haskell community. I may be somewhat biased to think favorably of the company since a few of my friends work there, but as a haskell user it does seem like the language has benefited a lot from some of the work done at Galois.
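The differential check described in the comment above, as an added example that is not code from this thread or from Galois: a bit-at-a-time CRC-32 plays the role of the readable reference, a table-driven CRC-32 plays the fast port, and a deliberately broken table (constructed here with the wrong polynomial) shows the harness catching a mismatch and shrinking it. All function names are this example's own.

```python
import random

POLY_REFLECTED = 0xEDB88320   # CRC-32 (IEEE 802.3) polynomial, bit-reversed form
MASK32 = 0xFFFFFFFF


def crc32_bitwise(data: bytes) -> int:
    """Reference version: one shift per bit, written to match the textbook definition."""
    crc = MASK32
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ MASK32


def make_table(poly: int) -> list:
    """Precompute the 256-entry lookup table for a reflected (right-shifting) CRC."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = make_table(POLY_REFLECTED)
# Constructed bug: the unreflected polynomial fed into a reflected algorithm,
# a classic mix-up when porting a spec to an optimized implementation.
_BAD_TABLE = make_table(0x04C11DB7)


def crc32_table(data: bytes) -> int:
    """Optimized version: one table lookup per byte."""
    crc = MASK32
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ MASK32


def crc32_table_buggy(data: bytes) -> int:
    """Same loop as crc32_table, but built on the wrong table."""
    crc = MASK32
    for byte in data:
        crc = _BAD_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ MASK32


def differential_test(reference, candidate, cases=2000, max_len=64, seed=1):
    """Feed both implementations the same random inputs (fixed seed, so a failure
    is reproducible). Return None if they always agree, else (input, ref, cand)."""
    rng = random.Random(seed)
    for _ in range(cases):
        msg = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))
        ref, cand = reference(msg), candidate(msg)
        if ref != cand:
            return (msg, ref, cand)
    return None


def shrink(reference, candidate, msg: bytes) -> bytes:
    """QuickCheck-style shrinking: return the shortest failing prefix of msg."""
    for n in range(len(msg) + 1):
        if reference(msg[:n]) != candidate(msg[:n]):
            return msg[:n]
    return msg


if __name__ == "__main__":
    print("fast port agrees with reference:", differential_test(crc32_bitwise, crc32_table) is None)
    failure = differential_test(crc32_bitwise, crc32_table_buggy)
    print("buggy port counterexample:", shrink(crc32_bitwise, crc32_table_buggy, failure[0]).hex())
```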

    3. Re:Lack of Functionality by delphi125 · · Score: 1

      and the "full-featured" version costs money and uses a dongle or something.

      Yes, a 1048576-node supercomputer, 1 billion wire taps, and root access to the internet.

    4. Re:Lack of Functionality by deblau · · Score: 1

      "Contact Galois to obtain a full-featured version for evaluation."

      Now there's a problem. Galois has been dead for over 175 years.

      --
      This post expresses my opinion, not that of my employer. And yes, IAAL.
  15. Keep your kitchen clean: by Anonymous Coward · · Score: 1, Funny

    Use Cryptol + AJAX!

  16. Re:Kudos to Galois by j1m+5n0w · · Score: 3, Interesting

    Clarification:

    Cryptol, as I understand it, was developed by Galois (who, for some reason, is not mentioned in the summary) and not by the NSA. It would be interesting to know whether it was a joint decision between Galois and the NSA to release cryptol, or just Galois' decision alone.

  17. Public Funds by nurb432 · · Score: 1

    Considering we paid for its development with public funds, it best not be 'commercially' released.

    --
    ---- Booth was a patriot ----
  18. Can Cryptol programs be Free Software? by Krishnoid · · Score: 2, Insightful

    So if someone used Galois to release a binary, and released the Cryptol source under the GPL, would the resulting binary be considered Free Software per the FSF's definition?

    1. Re:Can Cryptol programs be Free Software? by Anonymous Coward · · Score: 0

      Sure. Unfortunately the source would not be useful in gNewSense or Debian main. It could go into Debian contrib though.

  19. Not NSA? by bhima · · Score: 1
    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    1. Re:Not NSA? by sibilance_spooner · · Score: 1

      If you *had* been able to find evidence on Google of a connection between Galois and the NSA, then that would have been a strong hint that there was no such connection.

  20. Re:Kudos to Galois by poopdeville · · Score: 1

    Galois does high assurance computation for the NSA, and others. (Which is to say, the NSA expects Galois to do theorem proving on their code)

    Does anybody have any good information about Cryptol? Is it a Haskell subset/extension? Most of what I know about Galois is in relation to Haskell.

    --
    After all, I am strangely colored.
  21. You're off on your orders there by MarkusQ · · Score: 4, Interesting

    Just a matter of looping through all known primes, seeing if x divides by it. That's order 1 since the number of primes is "fixed". If you don't find anything it divides by, it's a new prime (add it to your list) or its smallest factor is larger than your biggest known prime. Otherwise remember that factor, and start working on the dividend.

    Check yourself there. It takes longer to perform division on larger numbers (say O(ln(N)^2), though a lot of this depends on the algorithm). If you plan to do the Sieve of Eratosthenes as you describe (the hard way), that's going to be another O(n*ln(ln(N))) for a total of O(n*ln(N)^2*ln(ln(n))) for each factor.

    The sort of numbers you are thinking about when you say that testing via division is O(1) with hardware are 64 bit integers. The sort of semi-primes used in cryptography are on the order of 512 bits, and so (by the formula above) would take roughly 147,184,841,669,860,395,336,238,071,097,320,918,206,612,375,539,181,907,207,001,765,334,079,455,842,963,079,473,553,687,769,537,122,026,054,410,625,268,901,031,540,756,829,794,467,840,000 times as long.

    So if your computer took a nanosecond to solve a 64 bit case (making it faster than the fastest consumer system presently available), and you had a million of them, and all 6 billion people on Earth were your friends, and each of them had a million of these uber boxes as well, and you had a way to collaborate on the problem with no overhead, it would still take you roughly 1,920,658,729,429,876,148,289,055,386,140,718,898,913,520,422,922,263,604,244,594,006,798,154,722,944,671,495,344,450,391,916,549,249,431,238 times the age of the universe to factor one such number.

    That's why nobody does it that way, and why it's considered a hard problem even though it might sound easy.

    -- MarkusQ

    1. Re:You're off on your orders there by Tolkien · · Score: 1

      [...]all 6 billion people on Earth were your friends[...]

      Can 3 billion of them be "with benefits"?

    2. Re:You're off on your orders there by MarkusQ · · Score: 1

      [...]all 6 billion people on Earth were your friends[...]

      Can 3 billion of them be "with benefits"?

      I'll pass by the obvious "your mama" joke and just note that it's nice to see that someone with your obvious self confidence and ambition is so unpicky.

      Or, I suppose, desperate.

      --MarkusQ

    3. Re:You're off on your orders there by Shadowruni · · Score: 1

      I wish there was a schooled tag....

      --
      "Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet
  22. Re:Kudos to Galois by j1m+5n0w · · Score: 1

    There's some documentation on Galois' web page. I looked at it once a while back, and it seemed a lot like Haskell, but with extra syntax for doing common cryptographic operations.

    Chapter 8 of the programming guide has example cryptol implementations of DES, RC5, and AES.

  23. Re:Kudos to Galois by Anonymous Coward · · Score: 0

    Galois.com: "Page not found." Cute. Yuk, yuk, I get it. No Such Company(tm).

  24. Cryptol/Signali by Anonymous Coward · · Score: 1, Interesting

    As someone that's worked with Cryptol, I can tell you that it is indeed a very cool language. You can generate very efficient hardware off of a Cryptol spec, prove logical equivalence between two versions of an algorithm, and play with your specification interactively from a command line. There's even a startup called Signali that's been founded to expand the usage of Cryptol to the commercial sector and algorithms other than cryptography.

  25. "Available to the public"? I don't think so... by courcoul · · Score: 1

    Ok, so Galois has decided that, given the depressed economy, a few extra potential customers might be a good idea. Cause what you get is just the concept of the language. Whatever your bright mind may decide to do with it will remain bottled up until you pay for the full COMMERCIAL product, since what you download for free just lets you see that "gee, whiz, this might work in the Real World when I pay for the whole shebang...". And, given the origins of the product, I'm pretty sure there will be a lot of caveats as to who's on the DOD/NSA/CIA worthy-of-using-cryptol list.

  26. Re:Kudos to Galois by j1m+5n0w · · Score: 1

    That wasn't intentional. I think I must not have enclosed the "a href" tag properly. Here, let me try again.

    I assure you that there really is such a company; I have visited their offices on several occasions.

  27. Free But Shackled - The Java Trap by jbn-o · · Score: 2, Informative

    Yes, that program would be free but see "Free But Shackled - The Java Trap" for more on why this situation is not desirable.

    1. Re:Free But Shackled - The Java Trap by MulluskO · · Score: 1

      RMS is a nutter.

      --
      Too busy staying alive... ~ R.A.
    2. Re:Free But Shackled - The Java Trap by ion.simon.c · · Score: 1

      *sigh*
      I wish that I had mod points for you. :/

    3. Re:Free But Shackled - The Java Trap by Anonymous Coward · · Score: 0

      you do know java is open source GPL now, right ?

    4. Re:Free But Shackled - The Java Trap by jbn-o · · Score: 1

      Try reading the headnote of the article I linked to. The issue persists even if it will no longer apply to a dependency on Sun's Java software.

  28. New Coke and New Meth by Anonymous Coward · · Score: 0

    Unlike New Coke and New Math, Math 2.0 is really, truly the future. For reals this time.

    At first I thought that read New Coke and New Meth... that would be interesting. :)

  29. Fedora 9: libedit.so is needed by cryptol-academic by Rick+Richardson · · Score: 1

    $ root yum install libedit
    Loaded plugins: refresh-packagekit
    Setting up Install Process
    Parsing package install arguments
    Package libedit-2.11-1.20080712cvs.fc9.i386 already installed and latest version
    Nothing to do

    $ root rpm -i cryptol-academic-1.8.1-0.i386.rpm
    error: Failed dependencies:
                    libedit.so is needed by cryptol-academic-1.8.1-0.i386

    $ cat /etc/issue
    Fedora release 9 (Sulphur)
    Kernel \r on an \m (\l)

    Next...

  30. Re:Kudos to Galois by Anonymous Coward · · Score: 0

    It's a commercial product. They want to cash in on it. Source and full implementation are not freely available.

  31. Why? Doesn't this seem odd? by fygment · · Score: 1

    IANAC (I am not a cryptographer), but wouldn't this be a useful tool for criminals and terrorists? It would seem the height of folly to give such a tool away to them ... unless there was a way of mitigating its usefulness.

    There is no free lunch.

    --
    "Consensus" in science is _always_ a political construct.
  32. Not public domain, available against conditions by owlstead · · Score: 1

    Ok, there still seems to be confusion on it being "publicly" available. This is payware with a limited trial version. The headline is about the fact that this advanced suite (I presume, I haven't used it myself) has become available *at all*. Previously, I presume, you could not just buy it. Of course, I also presume you could freely download it from some hacking site, but that's beside the point. Law only counts for law abiding citizens.

  33. Let's be civil and reasonable in disagreement. by jbn-o · · Score: 1

    How sad that you choose to engage in name-calling instead of spelling out your apparent disagreement respectfully. Before you get into that, should you choose to explain your earlier statement, you should keep in mind the remarkable history of achievement and prescience Stallman shares with us. I don't seek perfection in anyone but I can't think of too many people who have given us all so much practical useful stuff and wisdom to think about. Specifically, it's not every hacker who writes wildly popular licenses (GPL, LGPL), lots of software which is still immeasurably useful today (GDB, GCC, GNU Emacs, and so much more), and encourages us to keep in mind our freedoms to share and modify so that we can work with each other cooperatively and without foreseeable exploitation which pits us against our own work. Short-term and long-term that's impressive work even if you don't like his politics. Is it really that hard to be civil while expressing contrary views?

    1. Re:Let's be civil and reasonable in disagreement. by MulluskO · · Score: 1

      I don't think nutter is a particularly harsh term. Have you heard him sing?

      Java is not a trap. Never was. Something like Java could have contributed to a world in which Linux on the desktop might have been more useful to more people. Java pre-installs on Windows fizzled because of legal issues, and on Linux fizzled because of unfounded fears.

      Now the only de-facto universal platform is web+flash. Stallman will tell you that's a trap too.

      --
      Too busy staying alive... ~ R.A.
  34. Waste of time by Anonymous Coward · · Score: 0

    You don't need a crypto-language;
    You can program encryption in everything from Assembly to Ruby.