1978 Cryptosystem Resists Quantum Attack

KentuckyFC writes "In 1978, the CalTech mathematician Robert McEliece developed a cryptosystem based on the (then) new idea of using asymmetric mathematical functions to create different keys for encrypting and decrypting information. The security of these systems relies on mathematical steps that are easy to make in one direction but hard to do in the other. Today, popular encryption systems such as the RSA algorithm use exactly this idea. But in 1994, the mathematician Peter Shor dreamt up a quantum algorithm that could factorise much faster than any classical counterpart and so can break these codes. As soon as the first decent-sized quantum computer is switched on, these codes will become breakable. Since then, cryptographers have been hunting for encryption systems that will be safe in the post quantum world. Now a group of mathematicians have shown that the McEliece encryption system is safe against attack by Shor's algorithm and all other known quantum algorithms. That's because it does not depend on factorisation but gets its security from another asymmetric conundrum known as the hidden subgroup problem which they show is immune to all known quantum attacks."

Good but not great

[alphatel]

Don't start feeling too secure about the so-called McEliece encryption system - a candidate for the security of Internet traffic in the age of the quantum computer (2008 article)

Re:Good but not great

[pushing-robot]

Feel secure again. Only a variant was broken.

Re:Good but not great

[alphatel]

Feel secure again. Only a variant was broken.

The date of your document July 2008 precedes the successful decryption in October 2008.

Re:Good but not great

[pushing-robot]

Which might be why it says:

This attack has been implemented and is now in progress.

Timeless saying applies here...

[Pojut]

If it can be engineered, it can be reverse-engineered.

Re:Timeless saying applies here...

[Jack9]

> If it can be engineered, it can be reverse-engineered.

How does that apply to this article, in any way?

Re:Timeless saying applies here...

[kalirion]

If it can be engineered, it can be reverse-engineered.

That only works for "security through obscurity" type of problems. A good encryption should not be "solvable" - it must be brute forced. The question is how expensive the brute force method is in processing power and time.

Re:Timeless saying applies here...

[da+cog]

It doesn't apply to this article. The way that one typically breaks a cryptosystem is not by reverse engineering (which is not even meaningful here, given that the algorithm is already completely open), but by finding a clever new way to solve the mathematics underlying the system using less information than the designers of the system had thought was needed.

Re:Timeless saying applies here...

Yes, and you crack public key encryption by reverse engineering its specific algorithm as parametrized by its key. It just takes you a while with any algorithm but Shor's.

Re:Timeless saying applies here...

[Frequency+Domain]

Actually, with really hard-core crypto systems there are three traditional ways to break them: 1) rubber hose; 2) dumpster diving; or 3) box of chocolates/bouquet of roses.

Re:Timeless saying applies here...

[Ancient123]

Mod parent up... It is surprising how true that is.

Re:Timeless saying applies here...

[ae1294]

Actually, with really hard-core crypto systems there are three traditional ways to break them: 1) rubber hose; 2) dumpster diving; or 3) box of chocolates/bouquet of roses.

What no wad of Cash xor hookers & blow?

Re:Timeless saying applies here...

[Hylandr]

It doesn't apply to this article. The way that one typically breaks a cryptosystem is not by reverse engineering (which is not even meaningful here, given that the algorithm is already completely open), but by finding a clever new way to solve the mathematics underlying the system using less information than the designers of the system had thought was needed.

So, you're saying 640k should be enough?

- Dan.

Re:Timeless saying applies here...

[sznupi]

W8, why both of them wouldn't work?

Re:Timeless saying applies here...

[treeves]

That falls under the generalization of (3).
(1) Threat/intimidation/violence
(2) Exploit a careless mistake
(3) Bribery/persuasion

I suppose (1) and (3) even could blur together into "influence" (negative and positive).

Re:Timeless saying applies here...

[shinzawai]

In the morning.

Re:Timeless saying applies here...

[CarpetShark]

If it can be engineered, it can be reverse-engineered.

How does that apply to this article, in any way?

I think he's saying that this article does not qualify for reverse-engineering ;)

Re:Timeless saying applies here...

[modmans2ndcoming]

I don't think XOR is the appropriate logic operator. cash is not mutually exclusive from hookers and dope as a bribe.

Re:Timeless saying applies here...

[modmans2ndcoming]

WTF... OK... I can deal with slashdot being overrun by morns who know little but act big, but now we have to put up with text-ese ? Can't the slashdot admins create a table of symbols to outlaw users from using? Please stick to classics....WTF, IANAL, ROFLMAO, STFU, RTFM, etc. none of this modern crap like W8, UR, et cetera.

Re:Timeless saying applies here...

[ae1294]

I don't think XOR is the appropriate logic operator. cash is not mutually exclusive from hookers and dope as a bribe.

True but when you mix the two something odd happens and all of the money gets overwritten with blow somewhere in the FIFO buffer...

Re:Timeless saying applies here...

[ae1294]

WTF... OK... I can deal with slashdot being overrun by morns who know little but act big, but now we have to put up with text-ese ?

His UID is lower than yours so shouldn't it be "I can deal with that slashdot was overrun by morns who knew little when I signed up. (eol)"

Re:Timeless saying applies here...

[jcwayne]

<3

Re:Timeless saying applies here...

[jcwayne]

Cash is actually the superposition of hookers and blow.

Re:Timeless saying applies here...

[ae1294]

I love you too... but it's a secret remember?

Re:Timeless saying applies here...

[human-cyborg]

I can engineer a dead flower by leaving a live flower on a table without water for a week. Can you reverse engineer a living flower from that dead flower?

Re:Timeless saying applies here...

[ae1294]

Cash is actually the superposition of hookers and blow.

I purpose we petition for a grant to study this theorem in extreme detail as it just might lead to a grand unifying theory with black jack.

Re:Timeless saying applies here...

This exchange is illustrated here:

http://imgs.xkcd.com/comics/security.png

Re:Timeless saying applies here...

[SageMusings]

and hookers. Okay, forget the Black Jack!

Re:Timeless saying applies here...

[modmans2ndcoming]

This is a newer ID. I have been on slashdot since '99

Re:Timeless saying applies here...

[McGiraf]

yes, take the seeds in it and plant them.

Easy,

Re:Timeless saying applies here...

[ae1294]

This is a newer ID. I have been on slashdot since '99

... yeah ...

Re:Timeless saying applies here...

[garyebickford]

It's worth noting that social engineering is quite often the cheapest method. I was at a conference back in 1999, where a Navy guy pointed out that in 'red team' testing, they'd found that the typical Systems Administrator would roll over for an average of $7000. No, I don't know how the details of how they conducted the test.

One could argue (or hope) that _most_ SysAdmins these days are more cognizant of the risks, so probably not as casual as they used to be.

Re:Timeless saying applies here...

[MareLooke]

There still being a flower means there will be no seeds (yet) though.

Re:Timeless saying applies here...

[Grygus]

It's worth noting that social engineering is quite often the cheapest method. I was at a conference back in 1999, where a Navy guy pointed out that in 'red team' testing, they'd found that the typical Systems Administrator would roll over for an average of $7000. No, I don't know how the details of how they conducted the test.

One could argue (or hope) that _most_ SysAdmins these days are more cognizant of the risks, so probably not as casual as they used to be.

Not disputing your point, but regarding the seemingly low number: the job market may have had an effect, too; 1999 was a very good time to be in IT. Quitting one job and picking up a couple months' salary in cash probably looked a lot better than it would for most people now.

Re:Timeless saying applies here...

[garyebickford]

A fair point, but I would say that the number is at least one, maybe two orders of magnitude too low. $7000 is pocket change, probably less than the red team paid to fly there (wherever 'there' was). It says that a sysadmin would sell out what must be viewed as a multimillion dollar asset (not to mention their self-respect) for pennies on the dollar. To me it means that the sysadmins had no respect for their jobs, their profession, their responsibilities. If you're going to be a sleazebag crook, at least do it for what it's worth. If you steal a Mercedes you don't sell it for $100.

Re:Timeless saying applies here...

[JSlope]

Although I'm working with cryptography, I must admit there are a lot of technical ways to circumvent it, the cryptography will only help to rise the cost of those technical ways. And to be really secure, you must have special computers in special rooms in addition to using cryptography.

Re:Timeless saying applies here...

[Thanshin]

How does that apply to this article, in any way?

I don't think you'd be surprised by how many upmods you could get by replying with old saying to just about any topic.

You can even pick one at random, post it in the next news item without even readin it and you'll have big chances of at least a +1 (insightful) among all the offtopics.

Re:Timeless saying applies here...

He will reanimate the dead flower as an undead minion and order it to infect other plants with the curse of unlife!

Re:Timeless saying applies here...

[garyebickford]

Back in the day (1980) where I worked we were trying to get some computer graphics terminals 'TEMPEST' certified. For those not familiar, this was a standard for minimal leakage of EMI, such that folks outside the building could pick up the noise and figure out what you were typing on your keyboard, or what direction and speed the plotter pen was moving, or even (I suppose) the memory addresses put on the bus - and certainly the large EMI coming off the high voltage guns for the display tubes, which could tell you what was on the screen.

The interesting thing was that the standard was classified. We would send our equipment for testing, and they would send it back and say only 'nope, not yet' - no clue to how it failed. We would then have to try to figure out what to do to improve it.

It was totally understandable - knowing the standard would provide information on how to defeat it. But it was a very puzzling way to work.

Interestingly, I see that according to the Wikipedia article TEMPEST is still valid terminology, and the standards are still mostly classified.

Re:Timeless saying applies here...

[ichthus]

Still a young'n. Heh, n00b!

Re:Timeless saying applies here...

[teridon]

I guess you think "2ndcoming" is nothing like "W8"

Re:Timeless saying applies here...

[Jack9]

> How does that apply to this article, in any way?

I don't think you'd be surprised by how many upmods you could get by replying with old saying to just about any topic.

Now that makes sense.

Re:Timeless saying applies here...

[TemporalBeing]

A fair point, but I would say that the number is at least one, maybe two orders of magnitude too low. $7000 is pocket change, probably less than the red team paid to fly there (wherever 'there' was). It says that a sysadmin would sell out what must be viewed as a multimillion dollar asset (not to mention their self-respect) for pennies on the dollar. To me it means that the sysadmins had no respect for their jobs, their profession, their responsibilities. If you're going to be a sleazebag crook, at least do it for what it's worth. If you steal a Mercedes you don't sell it for $100.

Or that those sys-admins feel like Peter Gibbons in office-space so they see it as an opportunity to cash in.

Just saying...and there are a lot of thieves that would sell the Mercedes for $100 if it means easy out of the situation.

Hidden subgroup problem is under active research

[da+cog]

It is worth noting that solving hidden subgroup problem is a subfield of quantum computing that has been active for a while. Although we can't figure out how to solve it in general, we can solve specific instances of it; for example, I think that factorizing is one such instance.

Thus, I suspect that we will eventually figure out a way to break this encryption. Even if we do, though, these mathematicians still get credit for giving us a new instance of the hidden subgroup problem to try and solve, which may give us additional insight into the extent to which the general problem can be solved by a quantum computer.

Oh

[Ryanrule]

I see

ElGamal??

[neiko]

Would ElGamal also be immune since it's based on Discrete Logarithms?

Re:ElGamal??

[mrnobo1024]

No - both prime factorization and discrete logarithms can be done in polynomial time with a quantum computer.

Re:ElGamal??

[Narksos]

Would ElGamal also be immune since it's based on Discrete Logarithms?

No, Shor solved the discrete logarithm problem in quantum-polynomial time too.

Re:ElGamal??

[evilviper]

No, but Merkle trees + Lamport signatures are: http://en.wikipedia.org/wiki/Lamport_signature

Re:ElGamal??

[Fnord666]

No - both prime factorization and discrete logarithms can be done in polynomial time with a quantum computer.

Interesting. I wonder if this extends to elliptic curves as well?

Re:ElGamal??

[nhaehnle]

To the best of my knowledge, yes. The whole term "elliptic curve cryptography" is quite misleading. All it means is that the groups you are using come from elliptic curves instead of from (e.g.) modular arithmetic. The attacks against discrete logarithms are, as far as I know, generic in the sense that the only requirement is that you implement the group multiplication in your quantum computer. So any kind of discrete logarithm-based cryptography can be broken using quantum computers, independent of the underlying group.

Can be broken?

"Can be broken" is a red herring. It is a simple matter to design log-in systems that prevent iterative attempts to test passwords that have been "broken".

The simplest form of security, "security by obscurity" remains effective despite quantum computers and server farms.

It is a mathematical exercise to determine time to "decrypt" a secure area or volume based on iterative password tests.

Even something as crude as a visual word input prior to a Slashdot anon post serves even this hacker-rich community.

Just anon, not coward.

Re:Can be broken?

[Reason58]

This is not a brute-force attack. The article refers to a method of deriving the private key from the public key (which is available for anyone to download).

conspiracy theory

[craftycoder]

I wonder if "THEY" already have one of these quantum computers and are keeping a lid on it so they can snoop on the PGP of our enemies. Would it be possible to develop one of these in secrecy?

Re:conspiracy theory

No. Nothing to see here.

Re:conspiracy theory

[Sarten-X]

Possible, yes. Within the realm of imaginable possibility, no.

Re:conspiracy theory

[debile]

-----BEGIN PGP PUBLIC MESSAE BLOCK-----

mQENBExW0NkBC ADvqmg39Grmq7Yf2WQrbcJdOyHPNg/dmh mVLmXjGtQzdf5GvRMa
9Z5CzKtJR/eZCXRUQYpkBaQ25 ZrGWe+qGO6yUTFUKciaRqw3 REvTp35RwM7fQJdk
5o9powG2nQLG uj55F390hprx6Gc8RTyN QrejU3IOt0gsQ3PUnSM9bSvJ8ZX3k+c2

-----END PGP PUBLIC MESSAE BLOCK-----

With the crypted Echelon IP I just published, if NSA has a way to decrypt the message and want to track me, Slashdot will be offline in 5, 4, 3...2......1

Re:conspiracy theory

[MagicM]

Within the realm of imaginable possibility, yes. Within the realm of possible possibility, no.

Re:conspiracy theory

[woolpert]

I wonder if "THEY" already have one of these quantum computers and are keeping a lid on it so they can snoop on the PGP of our enemies. Would it be possible to develop one of these in secrecy?

Simplistically:
If THEY bought out 50% of the researchers in the field, without arousing suspicion amongst those who turned down the offer, THEY would only have a 50% chance of having one first.

More realistically,
If THEY bought out a significant percentage of the researchers in the field, without arousing suspicion amongst those who turned down the offer, THEY would likely only be a few months / years (at best) ahead.
And since the outlook on the QC front is rather bleak (in terms of a functional QC with any real power) the odds are strongly in favor of THEY not having squat.

Especially in today's world it isn't like top researchers are fragmented and isolated. In the past it was possible for a governmental organization to use its greater vision to collect isolated researchers and be the first to introduce them to each other, magnifying their individual efforts. Today everybody who is anybody in these fields is at least aware of the others, if not following closely.

Re:conspiracy theory

[Anubis+IV]

Of course, your point doesn't consider the fact that the information sharing only goes one way. If THEY come up with something new, it's not always put back out into the field where it can be worked on by others and built upon. If THEY then find something new, THEY can be the first and only ones building upon it, and THEY do not have to sacrifice the ability to build on everything else that is coming out in the field as well. If that something new is a breakthrough concept, then THEY may be able to build a lead of years or decades. Of course, as you pointed out, researchers tend to be much more aware of what is going on these days than in the past, due to the speed and ease of communication, which reduces both the likelihood of THEM getting a breakthrough first and also reduces the time that THEY will likely be the only ones exclusively holding that knowledge. Despite that, I seem to recall hearing stories of various encryption ideas the NSA developed in the '70s and '80s which weren't developed in the open until the late '90s and early 2000s (sorry, no citation).

Re:conspiracy theory

[Hawke666]

"MESSAE BLOCK"?

Re:conspiracy theory

Especially in today's world it isn't like top researchers are fragmented and isolated.

There are researchers, and then there are classified government researchers - i.e. the NSA. The latter are still generally estimated to be 20 years ahead of the civilian world when it comes to encryption research.

Re:conspiracy theory

[metacell]

Of course we don't have any of the quantum computers the grey aliens ga... eh, I mean, we haven't come that far yet.

Re:conspiracy theory

-= "MESSAE BLOCK"?

You've broken the encryption!

Re:conspiracy theory

[metacell]

Damn! They got to him before he posted!

Re:conspiracy theory

[AliasMarlowe]

I wonder if "THEY" already have one of these quantum computers

Pardon my lack of paranoia. It's because "they" are out to get you, not me.

Re:conspiracy theory

[euxneks]

Simplistically: If THEY bought out 50% of the researchers in the field, without arousing suspicion amongst those who turned down the offer, THEY would only have a 50% chance of having one first.

Unfortunately, that same 50% chance collapsed to a more stable 0 once observed.

Re:conspiracy theory

[gringer]

With the crypted Echelon IP I just published, if NSA has a way to decrypt the message and want to track me, Slashdot will be offline in 5, 4, 3...2......1

127.0.0.1? Why am I able to log into that with my current username and password?

Re:conspiracy theory

[mrops]

So what you are saying is that both the possibilities exist but we won't know until the cat is out of the box, where did I hear this before?

Re:conspiracy theory

[rahvin112]

Real World:

The NSA creates a front company called Quantum Research and funds it with black project money.

DARPA creates a front company called Skynet Research Ltd and again funds it with black project money which is unreported to congress or the public.

Both companies then hire CEO's from the public sector and give them no knowledge who they really work for. Quantum Research then gets "VC Money" from Skynet Research and goes on a hiring spree to develop quantum computers and hires and provides grants to 50% of the quantum research field. After successfully creating a quantum computer and producing a few "prototypes" said company declares to their employers that the cash has run out and they are going into liquidation. Said prototypes appears to disappear into liquidation and are never "seen" again.

And because everyone thought the companies were legitimate businesses not government research no one is the wiser to what has occurred.

This is standard operating procedure for the spy agencies and research branches like DARPA. DARPA seeds the educational community across many apparently unrelated disciplines. The NSA then creates front companies with access to the DARPA research, drives the company like an innovative startup, once innovation or invention occurs the company is folded and the assets or inventions are sequestered to the NSA with a few key employees that all along knew they were working for the NSA who then take the prototypes, enchance them and working with defense contractors replicate and expand the computers.

Just FYI the NSA is building a 50,000+ square foot computer complex in Utah on a millitary base (Camp Williams) that is going to use so much power they have to build a power plant to power it.

Re:conspiracy theory

[garyebickford]

So the top five people in QC go to the international conference in Hawaii. Two of them have cooperated on a revolutionary new method, but since it's so new they have made some hints, but haven't been able to share any of the details with their colleagues but they will be doing a short intro at the conference.

While they are in Hawaii they all 'happen to' all be winners of a conference-provided free sightseeing helicopter ride around Kauai. The tourists on the cliffs see that the helo, instead of staying close to the island, seems to be having some trouble and warps out of sight of land into a cloud layer, and is never heard from again. Some wreckage is found, but it's impossible to search the deep water. After a few days, all hope is lost and the world mourns the loss of this important cadre of leaders in the field, and progress in QC is set back ten years.

Meanwhile, one of the Navy's subs departs Pearl Harbor for a routine cruise, but an accident on board requires it to return to the highly secure Bremerton sub base for repairs. At the base, some injured personnel are lifted out of the sub inside protective hazmat suits, and whisked away to an unknown location for 'decontamination'. A few days later a minor press release reports that the personnel (who can't be named for privacy reasons) are all OK.

I've been reading too much Tom Clancy! :D

Re:conspiracy theory

[Omnifarious]

Despite that, I seem to recall hearing stories of various encryption ideas the NSA developed in the '70s and '80s which weren't developed in the open until the late '90s and early 2000s (sorry, no citation).

Of course, the late 90s and early 2000s were also when the serious speed and ease of communication issues were really addressed for the majority of researchers. So this fact, if anything, decreases the probability that a major player has managed a serious breakthrough that it's successfully kept hidden.

Re:conspiracy theory

[garyebickford]

Only 50,000 sq. ft.? Times have changed, computers are getting smaller as they get bigger. Back in the day, that was a mid-size corporate server farm. Of course now, that's a lot more computing power.

As for power, most secure computing facilities have their own power generation capability - if nothing else then just a motor-generator to assure clean power all the time. An old Army base's power system is not likely to be up to the standards of today for this purpose.

There's a facility in the wilds east of Bend OR that was built in the 1980s as a backup government facility in case of nuclear war - this is where the Western governors and such were going to hang out till the radiation in the big cities got down to a reasonable level. It has about 40,000 sq. ft. of raised floor, plus a couple of acres worth of space for people, with food and everything you need for 150 people for a year, four hidden satellite dish platforms, four diesel generators each the size of a large room, and a fuel supply the size of an Olympic swimming pool.

Re:conspiracy theory

i believe Echelon has long since changed it's name to Candlejack. it is one of these agents that hits the "post" button fo

Re:conspiracy theory

It would be rather hard to get the researchers to co-operate if they are required to suddenly sever all ties to their families and friends with no warning. Even if you don't care about co-operation, there's the problem that as a security system it is not reliable: you can't count on catching all problematic presentations in time - and if you put in a huge effort to check out all potentially compromising presentations, you are going to have to talk to people and some of them will leak the discussions. In any case, after a few decades of shenanigans like you describe, the people on the field will notice that their colleagues keep disappearing before conferences.

In other words, the "Tom Clancy" approach might work once or twice but it isn't a good long-term strategy that would guarantee staying ahead of civilian research.

Re:conspiracy theory

[Nursie]

They are estimated to be 20 years ahead of the civilian world in when it comes to encryption research in the opinion of AC posters on slashdot.

It seems to be some sort of hero-worship of the US government that's prevalent here. I'm sure they do a lot, and we know that they find weaknesses in some stuff before others do, but I do not believe for one second that they have access to hardware types that are not even in the experimental prototype stage yet.

Re:conspiracy theory

[gtall]

Alright, damnit! You caught us, us being they. Our representatives will be contacting you shortly to see about how you came by this wonder.

Re:conspiracy theory

Do you live in a free country? Then you are your government's enemy.

Re:conspiracy theory

Of course, if you were one of THEM, you WOULD say that...

Yeah, but...

Quantum computing needs exponential space. :)

If you want to test it

[Atmchicago]

Send a bunch of encrypted e-mails containing questionable content and see if anyone comes knocking at your door. And be sure to not send any questionable content unencrypted, or to give any other reasons for them to show up.

Re:If you want to test it

[fishexe]

Send a bunch of encrypted e-mails containing questionable content and see if anyone comes knocking at your door. And be sure to not send any questionable content unencrypted, or to give any other reasons for them to show up.

But how will I know they're not just knocking at my door out of a desire to make my acquaintance?

Re:If you want to test it

Even then, they would probably spend a long time creating other circumstances in which to pick you up that would give plausible deniability as to how they caught on.

One can google one's own references as I'm sort of lazy today, but a good example: the British had thoroughly broken Enigma during WWII, and at one point in the war knew where -every- German U-boat was. This created a dilemma for them: should they act on this information, and if so, how to do it without tipping their hand? If they just went and rounded up every single one, it would be pretty obvious that the code had been broken.

What they did, according to the stories, is send out disinformation that a) they had ramped up production of a bunch of new long-range sea-spotting planes (they didn't, they only had the resources for a few); and b) these planes would fly near where they already -knew- the U-boat was, and 'spot it' (making sure it was obvious they'd been seen by the U-boat itself before flying back). The British were also careful not to find too many U-boats -- only the ones that they needed out of the way for critical operations. The Germans were convinced they just had really bad luck and were the victim of a very expensive and thorough patrol system by the British.

If the guys in dark suits can crack PGP, Blowfish, etc. easily, they won't obviously act on it until they first get dirt on you via other means. :p

Re:If you want to test it

[superdave80]

That's a great idea. However, I'm not sure what you mean by 'questionable content'. Would you mind emailing me a few examples?

Re:If you want to test it

[c6gunner]

But how will I know they're not just knocking at my door out of a desire to make my acquaintance?

Easy. If they use your door knocker, they want to make your acquaintance. If they bring their own, they're coming for more than tea and crumpets.

Re:If you want to test it

Unless you emailed a credible threat of something calamitous, say a nuke hidden in a city about to go off, they would not ( actually could not) act on it without giving away the farm.

Re:If you want to test it

[Gaffod]

If they just went and rounded up every single one, it would be pretty obvious that the code had been broken.

If they rounded up every single U-Boat, I don't think it would matter whether the Germans know if it is broken- seeing as how they wouldn't have any U-boats left to send secret messages to.

Re:If you want to test it

[aiht]

Things like this: Questionable Content. (Should be SFW - only the text is questionable in this one).

Re:If you want to test it

Surely they used Enigma for other critical long-distance communications as well!

Re:If you want to test it

[julesh]

Surely they used Enigma for other critical long-distance communications as well!

Indeed. It was also used to communicate with the Luftwaffe, hence the widespread myth that decrypting Enigma meant that the devastating attack on Coventry could have been prevented (it couldn't: the Germans used a defence-in-depth system that used codewords to identify particular targets; that a massive attack was planned was known, the identity of the target was not).

Re:If you want to test it

[Calinous]

The U-Boats (for most of the war) were under orders to report contacts (via Enigma machines). Doubts about broken encryption would have been enough to put them into "communicate only if attack is impossible" - which would have been a huge problem, considering there weren't enough patrols to cover everything.

Re:If you want to test it

[geggo98]

Better yet: The Brittish military created an urban legend, still famous today. They spread the word that eating carrots would improve vision and this would help them to spot submarines more easily. Although this was not done to cover that they broke Enigma, but to hide the fact that they invented radard. (Source)

But the fact remains: To hide an invetion they used misinformation. And they did it so well, that it is still effective today.

Re:If you want to test it

[mr_mischief]

Yes, please have jam and marmalade.

Re:If you want to test it

Radar was used in WWII to spot the periscopes and snorkels of Uboats. Once spotted, they'd call in a spotter plane to 'find' the sub and then engage it. The Germans eventually figured out that radar was involved and developed the first stealth treatment: ~1/4" glass with graphite layers on both sides as the outer coating of the periscopes lead to a massive reduction of RCS.

Re:If you want to test it

One of the countermeasures that the Germans could have used would have been to inflate the fleet. Create 3-4 times the number of virtual submarines.

Donitz didn't believe that naval Enigma was broken, nor did he know about radar. He aslo micro-managed the fleet, which required extensive communication.

Early convoy hits were done by U-boats attacking on the surface at night. Their surface speed was greater than convoy speed.

I wonder what the results would have been if:

* In normal operation submarines never broadcast.
* If the Germans had built drones that were cheap, and appeared to be a slowly moving periscope+ snorkle.
* Alternately, a metal floating object that had radar reflectivity similar to sail. (Would not have to be very big if they used a corner reflector.
* Active anti-sonar: British sonar used a directional beam and listened for the echo. Streaming a noise maker that chirped on the same frequency behind the U-boat would add confusion. Once the timing of the sonar operator is known, chirping loudly when on the edge of the beam could indicate that you were to the left or right of the actual location. In particular with wolf-pack tactics adding a raft of false signals would decrease everyone's chances of being hit.

***

Anyway, side story.

The real point of this would be that as people trying to hide stuff from national agencies, we should create a lot of encrypted traffic that is meaningless. If for every legitimate "Attack at Dawn" message there are several thousand messages encoding /dev/random, it increases the problem of the code breakers.

Would be an interesting use of a botnet.

Re:If you want to test it

[steelfood]

It's pretty simple. Unless you're distributing some kind of information that they don't want you to (copyrighted material, classified information, trade secrets, etc.), you have to eventually come out of your shell and put to action those plans you and your conspirators have been working so hard to perfect while keeping secret.

It's then pretty easy to nab you right as you're putting those plans into action, or as you're about to put the final piece into its place.

But any mastermind coordinating some kind of nefarious plan over the internet deserves to be nabbed.

Re:If you want to test it

[Gaffod]

I don't think you have read the post you replied to. The point was, "if you neutralize every element of the enemy's fleet by cracking their codes, the enemy will indeed become aware that the code is compromised. This will not matter because they will not have left any elements in their fleet to act upon the knowledge with".

You know, like how if you siege and capture a castle, it will become apparent that your intent was to attack the castle. Except, who cares, because, you know. You already captured the castle.

Re:If you want to test it

[KDR_11k]

Except it wasn't only the submarines that used the encryption so sinking them all would still leave other troops alerted.

Re:If you want to test it

[Gaffod]

Except it wouldn't matter, because the Germany would have no naval presence left.

Re:If you want to test it

[KDR_11k]

Let's not forget that this is WW2 technology, unmanned drones aren't that simple. The V1 was pretty much pre-programmed and the Goliath used a wired remote control. Dummy subs wouldn't be able to keep moving over the timespans you need to place them and then get away.

New assymetric algorithms needed?

[mlts]

Symmetric algorithms are at least in their second generation (DES/Lucifer now AES) of production use, with decades of study and close analysis by a lot of good minds.

Asymmetric algorithms are still essentially the first generation. Take RSA. It has been out for so long that its patent has expired more than 15 years ago. Even elliptic curve cryptography has been out at least 20 years, because the NeXT had it in NeXTStep 3.0 (and ended up getting pulled out of the OS due to ITAR).

Even cryptographic hashes have been through a number of iterations. We had MD4, then MD5, then SHA-1, then SHA-256, now are looking for something to replace SHA, similar to how Rijndael replaced 3DES and DES.

Maybe it is time to have a contest to have a standard asymmetric algorithm to replace RSA, DSS, and ElGamal? Something fundamentally designed to resist quantum computer attack as well as other threats.

Re:New assymetric algorithms needed?

Why not just use quantum key exchange and one-time pads and never have to worry about theoretical future brute-force attacks ever again?

Re:New assymetric algorithms needed?

The difference here is that DES had to be replaced. Its very slow, and has too small a key length and block length. MD4, MD5 are completely broken, SHA1 is showing serious weaknesses, and by extension SHA2 probably has similar weaknesses.

RSA and ECC have not shown any sign of weakness yet aside from theoretical attacks and numerical attacks that can be countered with longer keys.

Re:New assymetric algorithms needed?

[mlts]

Three reasons:

1: Public keys are not just used for real time exchanges. Public keys are sometimes used for data archiving where the private keys are held in an offline area. Same with keys that sign programs to detect tampering.

2: Quantum links are really, really slow. Instead of a one time pad, realistically you want to generate a key through the secure channel via a Diffie-Hellman handshake that is used for some time then chucked (like for a transaction or for a chunk of data.) Then send the bulk data through a standard link.

3: Quantum key exchanges have had some issues that could allow an attacker to get knowledge of the key.

4: One would have to drop parallel pipes everywhere that supported quantum channels. It is hard to get ISPs to drop one chunk of fiber, much less the fiber needed to interconnect for the secure quantum channels and the partial photons.

5: There is the issue of trust. You can set up a quantum exchange with another machine and come up with a key that you know hasn't been touched... but is that really your bank, or is it some site in Elbonia that is patched in? Quantum key selection won't help you here in knowing that you are talking to the right host.

Regardless, even if we had secure point to point connections via quantum key generation and bulk tunnels, public key cryptography is still an important part of life, even if it to sign documents and ensure they won't be tampered with.

Re:New assymetric algorithms needed?

[Timothy+Brownawell]

Because for a lot of uses, that would be solving the wrong problem.

Re:New assymetric algorithms needed?

In other words you're asking for a problem in NP that is not in either of BQP and P. Should be simple enough, we'll get right on it.

Re:New assymetric algorithms needed?

That's easy - 3SAT. The hard part is making a decent encryption algorithm out of it.

Re:New assymetric algorithms needed?

Quantum key exchange and one-time pads are completely different options. One would use one or the other, but not both.

Re:New assymetric algorithms needed?

[Kjella]

If we had a fundamental understanding of problems that aren't solvable by quantum computing, some insight into whether P != NP or not then maybe. But we don't and until then, RSA has a lot going for it - for one it's extremely simple. So simple we went through and did examples on paper, of course with reduced bits. People have been trying to find an algorithm to factor integers for the last 2000 years, it's not a trivial task using conventional computers.

Shor's algorithm is impressive but it needs registers of q qubits where N^2 < 2^q < 2N^2, and N is 2048 bits which makes N^2 4096 bits so you need ~4096 qubits. So far the top public scientists are having huge issues getting more than a handful of qubits working together in a coherent state, and the problems only grows worse the more bits you add to the mix. Of course someone is going to suggest the possibility that the NSA might have overcome all that, but if so they're way, way ahead of the state of the art, and I don't mean in maths but more in physics and engineering. To put it this way, if they're that far ahead of the game we should ask them for the plans for the space elevator...

Re:New assymetric algorithms needed?

[FrangoAssado]

What you're describing is a NP-complete problem -- assuming P != BQP != NP. But I'm guessing that you already know that :)

Still, it's still very hard to build a cryptosystem that exploits the hardness of solving NP-complete problems. The main problem is, NP-completeness only guarantees that some instance of the problem is hard, it says nothing about a specific instance. So, for instance, if you have a specific 3-SAT formula, there's no guarantee someone can't come up with a solution for it in polynomial time.

That being said, there are some candidates for a cryptosystem based on NP-completeness. Check for example the McEliece cryptosystem.

Re:New assymetric algorithms needed?

Don't forget other non-quantum machines that can factor RSA-1024, such as TWIRL and TWINKLE, that can easily factor up to RSA-1024 in a decent amount of time.

RSA needs replaced by something made this century somehow.

Re:New assymetric algorithms needed?

[daveime]

Umm, TWIRL and TWINKLE are essentially flashing lights in cardboard tubes, and an awful lot of handwaving by the "inventor".

I know one instance of RSA-768 that was broken using NFS, but hadn't heard anything more recent than that, certainly nothing using a glorified kaleidoscope.

Re:New assymetric algorithms needed?

[julesh]

5: There is the issue of trust. You can set up a quantum exchange with another machine and come up with a key that you know hasn't been touched... but is that really your bank, or is it some site in Elbonia that is patched in? Quantum key selection won't help you here in knowing that you are talking to the right host.

Actually, yes it does. You'll need a shared secret, but that shouldn't be too hard to arrange with your bank, right? It doesn't even need to be particularly secure, as there's no practical brute force attack to attempt to discover it. You could use your ATM card PIN and you'd be perfectly secure.

Re:New assymetric algorithms needed?

I was being sarcastic but I guess that's lost on most readers... Even proving that such a thing exists would be a ginormously major result.

I was not necessarily talking about NP-complete, just NP-P. One-way functions (if indeed they exist) should be just that - easy to verify (source->hash computation in P), hard to reverse (hash->source not in P).

Re:New assymetric algorithms needed?

[Kjella]

Umm, TWIRL and TWINKLE are essentially flashing lights in cardboard tubes, and an awful lot of handwaving by the "inventor".

Yup. Though I'd consider it possible that the NSA can brute force a 1024 bit key, given enough interest. However, that's no reason to abandon the algorithm as you can just increase key length to 2048 or 4096 bit. It's essentially just the same as increasing a symmetric key from 64 to 128 or 256 bit, huge difference in security.

Re:New assymetric algorithms needed?

[mlts]

With my bank, yes, there is a shared secret. However, what if I'm buying a new vend-a-goat machine from a bovine supply house's website, some place where I have had no previous dealings, so establishing a shared secret, even a 4 digit PIN is not possible? My only other avenue would be to find the bovine supply house's phone number and set up a preshared secret over the phone. However, if the only info about the phone number's location is on the Web, then that becomes pointless.

Of course, we could get into trusted parties, but some CAs are barely trustable with telling you that a key is actually belonging to the claimed party, much less knowing symmetric keys in a conversation.

Public key encryption solves a lot of problems. Without it, it will be hack beyond hack to try to get symmetric keys working between people who don't know each other, not to mention the sheer amount of storage of private nonces.

Another example: Say 1000 people want to have encrypted communication with each other. If they have a WoT, all one would need is the private key of a trusted introducer who signed that the 999 other people are legit. Otherwise, they would need 1000 symmetric keys. To boot, a public key doesn't have to be kept hidden, while the 1000 symmetric keys would cause a lot of damage if they were divulged.

The article agrees with you

[fishexe]

Thus, I suspect that we will eventually figure out a way to break this encryption. Even if we do, though, these mathematicians still get credit for giving us a new instance of the hidden subgroup problem to try and solve, which may give us additional insight into the extent to which the general problem can be solved by a quantum computer.

From TFA:

However, it's worth pointing out that while the new work guanratees safety against all known quantum attacks, it does nothing of the sort for future quantum attacks. It's perfectly possible that somebody will develop a quantum algorithm that will tear it apart as easily as Shor's can with the RSA algorithm. "Our results do not rule out other quantum (or classical) attacks," says Dinh and co.

Re:The article agrees with you

[DarkKnightRadick]

You read the article?!

Re:The article agrees with you

[fishexe]

You read the article?!

No, I used my quantum computation abilities to tell me what must be in it.

Re:The article agrees with you

You can read?!?!?!?

Re:The article agrees with you

The article has changed since they measured ... er ... read it.

It's "Caltech", not "CalTech" or "Cal Tech"

[3.1415926535]

Seriously, Slashdot gets it wrong EVERY TIME. Next time, would it kill the editor to go to http://www.caltech.edu/ and, you know, read any of the words on the page?

Re:It's "Caltech", not "CalTech" or "Cal Tech"

Thank you! I studied there, and it's always annoying to see it spelled incorrectly as "Cal Tech".

On the other hand, it helps differentiate know who actually went there and who didn't.

DEI, FEIF.

Re:It's "Caltech", not "CalTech" or "Cal Tech"

Pidantic much? {sic}

Re:It's "Caltech", not "CalTech" or "Cal Tech"

Seriously, Slashdot gets it wrong EVERY TIME. Next time, would it kill the editor to go to http://www.caltech.edu/ and, you know, read any of the words on the page?

who gives a shit? Only pedantic Slashdotters, thats who!

Re:It's "Caltech", not "CalTech" or "Cal Tech"

[lgw]

Slashdot has editors? You do realize that the guys who post stories on the front page aren't editors in the classic sense, right? They have only the "content controller" role, and don't do the sort of editing one associates with "edited prose". Your UID is low enough that none of this should be news to you.

Also, no one cares how you spell Cal Tech.

Re:It's "Caltech", not "CalTech" or "Cal Tech"

The way I was taught, it should be "Cal. Tech."

Of course, they probably trademarked Caltech, so that trumps any grammar rules.

Re:It's "Caltech", not "CalTech" or "Cal Tech"

[WillDraven]

Well, they sure as hell have changed around the wording for every story I've ever had accepted. If that's not editing, what the hell is it?

Re:It's "Caltech", not "CalTech" or "Cal Tech"

It's properly spelled "Pasadena City College", thankyouverymuch.

Re:It's "Caltech", not "CalTech" or "Cal Tech"

[lgw]

Entropy.

Optimist

[cowboy76Spain]

I think you are too optimistic. I do not mean that "THEY" have one (I do not know/not answer). The issue is that the statement should read:

I wonder if "THEY" already have one of these quantum computers and are keeping a lid on it so they can snoop on the PGP of their enemies.

After all, why limit it to only "ours" enemies after spending so much on it?

Its callled a "one-time" page

[crovira]

torn off of a "one time" pad.

Anyone can transmit the page ID age the encrypted text in the clear and be assured of totally secure communication between the two parties who have both the encryption key and the decryption keys.

The algorithm consists of something non-computable.

In my case my the WEP2 key on my wireless LAN consists of my own unique way with keys (like I was going to tell you my idiosyncratic keying algorithm,) and an entire paragraph from a book on my shelf of selections from my favorite author (like I was going to tell you who that really was.)

Now extent that of a whole pad of keys...

Unbreakable is a phrase that comes unbidden to my lips.

Re:Its callled a "one-time" page

[supradave]

Of course, that presumes a purely random one-time pad.

Re:Its callled a "one-time" page

[blueg3]

And a secure system for transmitting this pad from the sender to the receiver.

Re:Its callled a "one-time" page

[Sir_Lewk]

1) I think (hope) you mean WPA2, not WEP2...
2) The proof for the perfect security of OTPs only applies if the pad is random. Not pseudo-random. You seem to be describing what amounts to a very primitive psuedo-random number generator, using pages of books as seeds. If you are not using random information, it is incorrect to call it a one time pad.

Re:Its callled a "one-time" page

We can transmit it using another one-time pad!

Re:Its callled a "one-time" page

[HeckRuler]

Wow you're ignorant. Or a very subtle form of funny.
Randomly generated one-time pads are definitely unbreakable. But the problems are generating the key and getting the key to the target as the key is as big as the text. So if you're using this to encrypt a connection, you need to split a 1Gig key, physically hand it to the target, and then you have 1Gig of communication before you need to hand him another stack of pads. It's good for sending code-words and like, emergency e-mails or something, but not constant communication channels.

Wait... you're using a pad for the key to a WEP2 encryption? And you're using books to generate the pads... that's... wow dude. Just wow.

Re:Its callled a "one-time" page

I don't know much at all about cryptography or network protocols. But you're correct. Wow. I mean, wow. I know just enough to pray he's joking.

Re:Its callled a "one-time" page

Randomness is a property of the process producing the pad, not of the pad itself. A true random source generates every N-bit pad with equal probability. But once you have the pad, there's no telling whether or not it came from a true RNG.
I'm sure the easiest way to to read crovira's wifi traffic is through rubber hose cryptanalysis.

Re:Its callled a "one-time" page

[Sir_Lewk]

Regardless of whether or not his method is "good enough" (it probably is), it's not a OTP unless it uses actually random pads. By definition. If it's using a PRNG instead of a RNG, it is called a stream cipher.

'One time pad' is a term of art. In technical discussions about cryptography is should only be used where technically correct.

HAHHAHA

[Schnoogs]

Another article that is over the head of 90% of the people who post here but that won't stop them from acting like they know something

Just ask Herr Jobs

*pfft* I just broke the McEliece encryption on my iPad. There's an app on iTunes called iDecrypt...

Re:Just ask Herr Jobs

[daveime]

There was an app named iGnore, which was rumoured to hide Apple stories from the Slashdot website.

Unfortunately, anyone who used it only saw a blank screen and assumed it was broken.

Anonymous Coward

this is not really news worthy.

quantum computers will kill cryptography (as they are now) because of the ability to perform many computations at the same time. Factoring and algorithms to "break" a crypto system is about finding a shortcut, so that brute force can be avoided. But with quantum computers, brute force will be a more viable method.

especially, as with most computers and tech, the speed of quantum computers will only increase exponentially (once the first working one is stable and commerical), thus making brute force more and more viable. Increasing the key size will not be a viable solution unless we are willing to increase the key size exponentially as well.

so once quantum computers come out and get more refined, no pure mathematical crypto system will be safe.

Re:Anonymous Coward

You need to submit your name in order to receive a grant.

We have yet to see a real working quantum machine able to compute even an easy kids' version of RSA. The machines that have been built in the real world have done operations that a real computer does in a fraction of the time.

There is nothing to say if they are viable. Once an encryption breaking QC is built we may find that it indeed is able to calculate all the answers at the same time, but extracting the correct one takes 2^n or worse tries or some other unfeasable logistical problem. IMO, QCs are too much like the computing equivalent of perpetual motion not to be suspect.

Re:Anonymous Coward

[geekgirlandrea]

Quantum computers only provide a quadratic speedup for search problems like brute-forcing cryptography. Current secret key algorithms are safe.

Early connection?

[steve_bryan]

A sociological observation is that Shor was an undergrad at Caltech when McEliece was a professor there formulating the cryptosystem that would resist the quantum algorithm that Shor would develop years later. I wonder if knew each other.

Secure encryption

[SnarfQuest]

The only encryption method I've heard about that has not been found to be breakable is the one time pad. This method has the problem of exchanging the pads beforehand.

All of the major encryption machines used during WWII appear to have been broken. The new encryption methods are currently much harder to break, but the spooks are likely to discover some innovative method to break such algorithms.

Current methods using large prime numbers sounds like they are soon (next few decades) to be broken. If we got into a war where breaking these methods became important, I'm sure that quantum computers would soon become available, if they aren't already. Even if quantum algorithms aren't available, someone might come up with a way to calculate prime factors using a bacteria colony through DNA molecules. A method may cost a million dollars per factor found, but sometimes that is small change for the information gained.

I'm sure that there are groups looking for the next level of encryption. Something that isn't compatible with quantum methods, or requires it to reverse the encrypted data. Making it take longer and be more expensive to break is the goal of encryption.

Re:Secure encryption

The only encryption method I've heard about that has not been found to be breakable is the one time pad. This method has the problem of exchanging the pads beforehand.

And the problem of pad entropy, and the problem of keeping the pads secure once exchanged. And the problem of not being very practical for most purposes.

Re:Secure encryption

[cowscows]

I'm not convinced that all these major breakthroughs in computing are just sitting right out of reach, waiting for a little war funding to make it happen. Computer technology has been moving so quickly the past couple of decades, and there's so much money to be made in these various fields, I'm sure the best and brightest are already working plenty hard on it.

Re:Secure encryption

[SnarfQuest]

Not saying they wouldn't be developed, just saying that if you put a manhatton type wartime budget/manpower behind it, that it would probably be developed faster.

No

I wonder if "THEY" already have one of these quantum computers and are keeping a lid on it so they can snoop

I happen to work at [CENSORED] and I must assure you that there's no need to worry, our research clearly indicates that making such computers is impossible.

Hey, you know that girlfriend of yours that sends you those pictures? She's hot!

Re:No

[joemck]

I call shenanigans. No hot girl sends pictures to someone who posts on Slashdot.

Re:No

Of course she does. She is asking whether the outfit is hot enough to wear for her boyfriend.

I'm sorry, I'm an idiot-

[way2trivial]

In the simplest of terms

I thought the whole point of the quantum computer was was it did the equivalent of brute forcing every single possible answer simultaneously

instead of checking a password say from

a
b
c ..z
aa
ab
ac ..az
ba
bb
bc ..bz

so a one letter password (normal computer) can be checked in 26 steps, and a 2 letter password in 676 steps..
each once then proceeding,

and on a quantum computer, I thought it threw the equivalent of the OED (all possible answers, all possible combinations) at the same time.

but only responding with the correct answer

will someone please tell me where my basis is way off?

Re:I'm sorry, I'm an idiot-

[PvtVoid]

will someone please tell me where my basis is way off?

... and how do you get the answer to a particular choice of password out of the quantum computer?

Re:I'm sorry, I'm an idiot-

[NonSequor]

No, it doesn't brute force every possible combination. You can perform an operation on a superposition of all possible k-bit strings, but you can't actually get all of the 2^k outcomes of that operation. If you measure the result, you'll get one of the 2^k outcomes at random.

Basically you start from that superposition of k-bit strings, then you apply some operations to that state so that all of the the correct answers are in phase with each other and constructively interfere. Effectively, you can only apply this kind of speed-up if you can exploit the numerical properties of the problem to ensure that this happens.

Re:I'm sorry, I'm an idiot-

[julesh]

Simplistically: there are only certain algorithms it can perform such a search over. One of them is factorization (Shor's algorithm), and this can be applied to most current asymmetric ciphers because they're essentially isomorphic to one another.

Feed him some cat food

[A+nonymous+Coward]

Maybe he did, maybe he didn't.

There's an xkcd for that.

[Kaenneth]

http://www.xkcd.com/773/

$300 says...

$300 says that there's a quantum computer at Y-12 National Security Complex.

Introduction to post-quantum cryptography

There is an old paper, written by DJB, which gives a quick introduction to some (this and) other quantum computer resistant encryption methods: Introduction to post-quantum cryptography

Arxiv paper

[da+cog]

Here is a link to the paper on the arxiv:

http://arxiv.org/abs/1008.2390

Reading through the abstract, I see that a significant feature of this cryptosystem is that it cannot be solved by "strong Fourier sampling", which makes the situation more interesting because it is only a slight exaggeration to say that quantum Fourier transforms are the only trick we know of that lets us get exponential speed-ups in quantum algorithms.

This doesn't rule out other methods

[JoshuaZ]

This doesn't rule out other methods of speeding up using quantum tricks. Also, keep in mind that this may all be for naught since no work of this form can rule out the existence of a fast classical algorithm for handling the problem. Thus, implicitly, all these sorts of results are interesting primarily if one assumes that these sorts of problems don't lie in P. The good news is that the hidden subgroup problem is very likely not in P.

Let's just back up a moment.

[fyngyrz]

A good encryption should not be "solvable" - it must be brute forced.

How do you brute force (or solve) a one-time pad, where the pad was created from random atmospheric noise or any other truly random source?

[...]

...that's what I thought. You can (a) beat the message out of the sender or receiver, (b) sweet-talk the message out of the sender or receiver, or (c) steal the pad ahead of time (proper use of OTPs requires they be destroyed when used.) But you can't brute-force it or solve it. It's unbreakable. Properly implemented, you can't even determine the symbol size. And it's *easy* to implement; any PDA or phone has the horsepower to encode using OTPs to any size message these days, and what's more, to stick it nicely inside a JPG or PNG or MPEG or something as a LS-bitstream and fire it off, at the same time destroying the source OTP and *any* hope an interceptor has of breaking it.

The only downside (and it's really not much of a downside) of OTP technique is that you need the pads before you need the message. However, I actually can't think of a situation where that would seriously inconvenience modern users of the technique.

Oh, and how do you unbreakably update OTPs in the field? Easy: You encrypt them with the last/reserved OTP the other end has. Cyclic encryption of truly random numbers? Incomprehensible. It's just another 100% opaque data stream. Done deal.

Re:Let's just back up a moment.

You post, while factually correct, is completely retarded in context. You attack the parent poster as if he said something he didn't, and then go on a long rant about something somewhat related.

Well played.

Re:Let's just back up a moment.

[EsbenMoseHansen]

One-time passwords are a variation off the pre-shared key methods, where the sender and receiver have agreed on a set of keys on some presumed secure channel. Used as a method of identification, this method is exactly as secure as the pad (and its copies) are. However, the system does not have the advantages of asymetric encryption, in that whoever has the other copy of the preshared key (the bank, e.g.) can impersonate you, while with asymetric keys nobody can impersonate you (provided the channel where the public key is distributed is secured, like in the OTP example).

Re:Let's just back up a moment.

[Notch]

Your post was great up until the final paragraph where you suggest reusing one time pads. That will not work. Rot 13, for example, is a reused one time pad of size 1.

Re:Let's just back up a moment.

Oh, and how do you unbreakably update OTPs in the field? Easy: You encrypt them with the last/reserved OTP the other end has. Cyclic encryption of truly random numbers? Incomprehensible. It's just another 100% opaque data stream. Done deal.

That's not updating. instead of my original OTP, I now have a new OTP of exactly the same length.
Of course, you could do something else, basically try to expand the randomness of your original OTP (eg. use it to send two OTPs).
Guess what? Not as secure.

One should use an OTP like a shared key as long as the encrypted message. Do things differently, and you reduce security (or waste potential of the OTP).

Re:Let's just back up a moment.

[mr_mischief]

I missed the part about reusing pads, even after rereading. "You encrypt them with the last/reserved OTP the other end has." is mistaken in the idea that you can use a bitstring longer than the pad itself. It's not really a suggestion to reuse a pad that's already been used, though. It's a suggestion that the new pad be encrypted with the last pad bits not used from the old pad source.

One could chain-block a partial pad out to cover a larger cleartext, but then you're not really utilizing a full one-time pad.

Re:Let's just back up a moment.

[Notch]

Still, it would be possible to end each message with a textual representation on how to generate the next pad. "Generate the next 1000 byte pad from the GPS coordinates of the next 100 earthquakes, as reported by site.org.example.net" Or even easier, "hey, drive over here and pick up a HD full of the next 2 tb of OTP"

Re:Let's just back up a moment.

[fyngyrz]

That's not updating. instead of my original OTP, I now have a new OTP of exactly the same length.

Yes, exactly. So... in what sense is this not an updated OTP? Are you saying that because it is limited to the length of the reserved original OTP (which I absolutely agree with, btw) that it's not new? It'll be different, will it not? And it is every bit as secure as the original reserve, is it not? And it serves as yet another completely incomprehensible stream of X to burn useless cycles on decrypt attempts, does it not? Maybe you're using "updated" in a way I don't understand, or as a synonym for "OTP of equal length", which is not something I meant to imply.

Re:Let's just back up a moment.

[fyngyrz]

I think you failed to comprehend what the original poster said, actually. I wasn't attacking him, I was just pointing out that a good encryption - in this case OTP encryptions - don't respond to brute force. At all. There's no amount of force that is sufficient or appropriate. Nor are they solvable. They are not only "good encryptions", they are *awesome* encryptions.

But thanks for playing: HDCUTWSVZPXYAZZC.

Let me know when you brute force that. :)

Re:Let's just back up a moment.

[fyngyrz]

Impersonation is an entirely different problem, and it may or may not be an advantage: for instance, when the endpoints are (or must be) trusted, it's irrelevant. And I should point out that if the endpoints aren't trusted, you shouldn't be talking to them at all.

Re:Let's just back up a moment.

[fyngyrz]

is mistaken in the idea that you can use a bitstring longer than the pad itself

I didn't mean to suggest that. I can see how it could be read that way, "cyclic" was poor wording on my part (I meant new random against old random, not reusing a short pad against a long message), I'm entirely on board with the updated OTP having to be the same (or lesser) length than the reserved OTP. Otherwise the repeated presence of the short OTP provides an analytical hook.

Re:Let's just back up a moment.

[Unequivocal]

Huh? If the new OTP is the same length as the reserved elements of the old OTP, why not just use the old OTP? I'm not following along.

I had always thought that you could not update "keys" for new OTP's via already exchanged OTP's b/c of this problem about length (you need an existing OTP of the same length as the new OTP you wish to transfer). You always have to exchange keys out-of-band (physically or whatever).

Let me know if this is not correct please.

Re:Let's just back up a moment.

[fyngyrz]

If the new OTP is the same length as the reserved elements of the old OTP, why not just use the old OTP?

Each exchanged OTP introduces another incomprehensible message to the channel which, for almost no effort on your part, can consume opposition decryption resources (to no effect) as it is not distinguishable from a real message, while it also buries actual messages in between. Confusion to the enemy is rarely a bad way to go. It's trite, but it is none the less true.

Re:Let's just back up a moment.

[EsbenMoseHansen]

There are lots of endpoints where I need to identify myself, but which I don't necessarily trust. Slashdot is one example. My bank is another, the people adminstering this countries registry of citizens a third. This is done by different means today (preshared passwordhash, certificate+password and OTP respectively, but practically assymetric id+encryption would be able to solve this annoying problem once and for all. Only, it isn't happening.

Re:Let's just back up a moment.

The problem with encrypting the pads with their last pad is that you can only securely encrypt as much information as you originally provided pads for. Even doubling up once easily cuts the protection by 99%. This means you could give them ONE new pad by using ONE of theirs, not useful at all.

Re:Let's just back up a moment.

Each exchanged OTP introduces another incomprehensible message to the channel which, for almost no effort on your part, can consume opposition decryption resources (to no effect) as it is not distinguishable from a real message, while it also buries actual messages in between. Confusion to the enemy is rarely a bad way to go. It's trite, but it is none the less true.

This still rests on the assumption that the opposition can't distinguish the new pad from a real message. Depending on how or when you transmit it, this might not be the case. They might even be able to brute force things.

The bottom line is that regardless of how well your scheme is implemented, it still introduces a chink in the armour- however miniscule- of a true one-time pad's provably unbreakable encryption. And that's the whole point of a one-time pad.

Re:Let's just back up a moment.

[fyngyrz]

This still rests on the assumption that the opposition can't distinguish the new pad from a real message.

The only way to break a message - or a pad - encrypted with a OTP, is to have the OTP that was used to encrypt it. And the opposition doesn't have that. Nor is that pad re-used. So no one is going to be breaking the new pad that is in transit. It doesn't even *matter* if they know it's a pad (by length, for instance, if you're really naive about your messaging), because *they can't know what's in it*. Consequently there are no chinks, other than the usual endpoitn compromises - steal the pad, or get the message from the principles (beat it out of them or sweet-talk it out of them.) You simply can't break OTP messages if the encode/decode OTP is used properly and the OTP is truly random, as of course it must be. There are no exceptions.

Re:Let's just back up a moment.

[fyngyrz]

Read the thread, please. Asked and answered.

Re:Let's just back up a moment.

Sorry, I misunderstood what you were originally proposing. I thought you were suggesting a scheme to transmit a new key *without* using up an equivalent length of the original OTP by somehow "sneaking" it into the encoded message- either unencoded or by using part of the OTP more than once.

We'll both agree that- regardless of how cleverly one does this- such a scheme would break the *absolute* theoretical security of an OTP.

What you actually proposed- AFAICT- was solely to cause confusion, in which case, fair enough. Though this does assume that your opponent doesn't know you're using a OTP, since they wouldn't bother otherwise.

And of course, while they might not be able to break the message content per se, they might still be able to (e.g.) use the timing and length- and possibly location- of transmissions to gain some insight into what you're up to. I suppose one could ensure that all transmissions were regular and of fixed length though.

Quantum computing is a pipe dream

Wake me up when non-imaginary quantum computers can factor integers larger than 15. Every year we hear about breakthroughs in quantum computing, but nobody seems to be able to make one that actually does anything.

Anyway, good luck breaking RSA-4096 with your imaginary quantum computer. When your quantum computer can finally break RSA-4096 in the year 2510, we'll have moved on to RSA-16777216 thanks to our quantum computers, and you'll be just as fucked, since it'll take your quantum computer the same amount of time to break that as it takes modern computers to break RSA-4096.

Quantul coputers ?

[Yvanhoe]

I thought it had been proven that quantum computation was a pipe dream (you can't physically compute 2^N operations with less than 2^N atoms). Is the hypothesis still considered plausible ?