Discrete Logarithm Problem Partly Solved -- Time To Drop Some Crypto Methods?

← Back to Stories (view on slashdot.org)

Discrete Logarithm Problem Partly Solved -- Time To Drop Some Crypto Methods?

Posted by Soulskill on Friday May 16, 2014 @04:16PM from the now-let's-be-paranoid-that-the-NSA-solved-it-years-ago dept.

An anonymous reader points out this Science Daily report: "Researchers ... have solved one aspect of the discrete logarithm problem. This is considered to be one of the 'holy grails' of algorithmic number theory, on which the security of many cryptographic systems used today is based. They have devised a new algorithm that calls into question the security of one variant of this problem, which has been closely studied since 1976. The result ... discredits several cryptographic systems that until now were assumed to provide sufficient security safeguards. Although this work is still theoretical, it is likely to have repercussions especially on the cryptographic applications of smart cards, RFID chips , etc."

114 comments

Min score:

Reason:

Sort:

Is Diffie Hellman at risk? by Sun · 2014-05-16 16:20 · Score: 5, Interesting

I really really skimmed the article, but I think it all boils to this one algorithm. If Diffie Hellman is at risk, then all of our "perfect forward security" reliance of SSL is gone.
Shachar
1. Re:Is Diffie Hellman at risk? by LordLimecat · 2014-05-16 16:39 · Score: 5, Insightful
  
  Seeing it on slashdot means nothing. Wait till a reputable source that DOESNT have a habit of blowing everything up into a crisis reports on this-- schneier's blog would be a good place to start.
2. Re:Is Diffie Hellman at risk? by houstonbofh · 2014-05-16 16:57 · Score: 4, Interesting
  
  If Diffie Hellman is at risk, then all of our "perfect forward security" reliance of SSL is gone.
  Shachar
  Really, it was gone already, many times. The key generation bug, the heartbleed bug... Even if it works, it is still probably easier to exploit coding mistakes, and we seem to have enough of them.
3. Re:Is Diffie Hellman at risk? by Sun · 2014-05-16 16:58 · Score: 5, Informative
  
  Posted it as a question there already.
  Here's the thing, however. From reading the article, it seems that DH was not, itself, broken. Here's the problem, however: DH is used for forward reference security. It is used to ensure that an adversary that captured the encrypted communication cannot be decrypted later, even if the RSA key is later compromised
  Which means that whether DH has already been broken is a moot question. The real question is whether it is likely to be broken in the near future (where what "near" means depends on what you're actually encrypting).
  Here is what Schneier usually has to say about that: Attacks always get better over time.
  Of course, the main problem with replacing DH is that we don't really have anything better on hand.
  Shachar
4. Re:Is Diffie Hellman at risk? by storkus · 2014-05-16 18:05 · Score: 1
  
  I'm guessing Schneier et al won't have a chance to analyze and reply until next week, but this is so important, who knows?
  It also occurred to me that, since the mess with the NSA broke out, I have not seen anything about Suite B being modified--everything in there is still officially supported for "State Secrets". I keep wondering if we're missing something there...
5. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-16 18:15 · Score: 1
  
  What?
  I was told by a scientist friend 14 years ago that diffie hellman was a sort of knapsack problem - and thus solvable in polynomial time - and that it was therefore inherently weaker than RSA. :/ could it be that this has been known for decades but not widely spread?
  When I look the knapsack problem up wikipedia says it's NP hard but that many cases, including random cases are solvable in polynomial time, even though not all can.
  You know, that's how decision problems for circuit verification are. While, in theory problems with as many variables as they have shouldn't be solvable - actual circuits always seem to fall to pruning algorithms that are totally safe. So practical problems are solvable, and they don't know why.
6. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-16 18:29 · Score: 0
  
  I'm thinking he was confused with Merkle–Hellman
7. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-16 20:09 · Score: 0
  
  an adversary that captured the encrypted communication cannot be decrypted later
  Adversaries are encrypted now? Man, what will they think of next?
8. Re: Is Diffie Hellman at risk? by loufoque · 2014-05-16 21:18 · Score: 1
  
  Knapsack is NP-complete.
9. Re:Is Diffie Hellman at risk? by Kjella · 2014-05-16 23:30 · Score: 2
  
  Of course, the main problem with replacing DH is that we don't really have anything better on hand.
  Actually there is no need for DH, you can create a new throwaway RSA private/public key pair on both sides, sign it with your main key, use the throwaway keys to transfer the session key then wipe the throwaway keys. The problem with this approach is that generating a new RSA key pair for every session + transferring new key + extra round trips is a really slow process compared to DH.
  
  --
  Live today, because you never know what tomorrow brings
10. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-17 00:48 · Score: 1
  
  It's like religion. It's not the theory, it's the implementation that's flawed.
11. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-17 01:03 · Score: 0
  
  So in other words: There actually is a real need for this...
  As the alternatives are cumbersome and require more resources.
12. Re:Is Diffie Hellman at risk? by mellon · 2014-05-17 01:10 · Score: 1
  
  What this is is another argument for using long keys. The improvement doesn't appear to be sufficient to render Diffie-Hellman unusable.
13. Re:Is Diffie Hellman at risk? by mellon · 2014-05-17 01:15 · Score: 1
  
  Er, actually the above is half an answer, and turns out to be wrong in its explanation, although not in its conclusion. Math is hard.
14. Re:Is Diffie Hellman at risk? by CrimsonAvenger · 2014-05-17 01:45 · Score: 1
  
  It is used to ensure that an adversary that captured the encrypted communication cannot be decrypted later,
  So, why exactly would we want to decrypt the adversary that captured some encrypted communications?
  
  --
  
  "I do not agree with what you say, but I will defend to the death your right to say it"
15. Re:Is Diffie Hellman at risk? by houstonbofh · 2014-05-17 02:27 · Score: 1
  
  It's like religion. It's not the theory, it's the implementation that's flawed.
  I like that a lot.
16. Re:Is Diffie Hellman at risk? by houstonbofh · 2014-05-17 02:30 · Score: 1
  
  So in other words: There actually is a real need for this... As the alternatives are cumbersome and require more resources.
  Too bad computers are out of resources, and no more seem to be coming.
  I think generating a key pair is less load than modern window managers.
17. Re:Is Diffie Hellman at risk? by Fnord666 · 2014-05-17 03:32 · Score: 1
  
  Actually there is no need for DH, you can create a new throwaway RSA private/public key pair on both sides, sign it with your main key, use the throwaway keys to transfer the session key then wipe the throwaway keys. The problem with this approach is that generating a new RSA key pair for every session + transferring new key + extra round trips is a really slow process compared to DH.
  So how do you go about securely communicating one part of the throwaway keys to the other side so that the session key can be transferred?
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
18. Re:Is Diffie Hellman at risk? by russotto · 2014-05-17 03:56 · Score: 2
  
  Breaking the discrete logarithm problem breaks both DH and RSA; obtaining the private exponent from the RSA public key can be done by solving the discrete logarithm problem. However, this algorithm solves the discrete logarithm problem only for certain fields (Galois fields of small characteristic), and I don't believe those are the ones interesting for RSA or DH. (RSA uses a composite group; DH uses a prime field of large characteristic)
19. Re:Is Diffie Hellman at risk? by lister+king+of+smeg · 2014-05-17 04:30 · Score: 2
  
  A better way to handle this would probably be to have the client generate the session key and encrypt it with the servers public key, this would distribute the load for generating keys away form the server so they would not be as easily DOS'ed.
  
  --
  ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
20. Re:Is Diffie Hellman at risk? by Bill,+Shooter+of+Bul · 2014-05-17 04:59 · Score: 1
  
  No, this paper is explicitly stating that the theory is flawed. If this attack is expanded, SSL traffic will essentially be as secure as rot13. That's very different and much worse than heartbleed or any key generation issue. My applications were not affected by either of those coding mistakes, but they and everything else using the same algorithm would be by a break in DH.
  
  --
  Well.. maybe. Or Maybe not. But Definitely not sort of.
21. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-17 05:18 · Score: 0
  
  that's ridiculous. it's free software. you could have disabled the heartbleed extension 4 years ago like fortress IT security did.
22. Re:Is Diffie Hellman at risk? by Kjella · 2014-05-17 07:03 · Score: 1
  
  So how do you go about securely communicating one part of the throwaway keys to the other side so that the session key can be transferred?
  Static RSA using the main keys. It won't have PFS, but it will only contain the public keys of the throwaway pair so recovering it later won't do you any good.
  As a step process:
  1. Static RSA with main keys, swap public throwaway keys.
  2. Static RSA with throwaway keys
  3. Negotiate session key
  4. Throw away private key used in 2. immediately
  5. Server is compromised, main key stolen
  6. Traffic in 1. is decrypted, public keys found
  7. Private keys for 2. is gone, session key can't be decrypted = perfect forward security
  
  --
  Live today, because you never know what tomorrow brings
23. Re: Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-17 15:06 · Score: 0
  
  So the client can keep generating simple session keys over and over until it discovers the server's key? Sounds like a brilliant vulnerability. NSA, is that you?
24. Re:Is Diffie Hellman at risk? by maharvey · 2014-05-17 15:23 · Score: 2
  
  No of course not. Ignorance is considered irresponsible, foolish, and lazy unless you're a neophyte. And while faith is desirable, faith is best based on knowledge, experience, and reason. Faith which cannot be defended by reason or evidence is considered weak and shaky, but better than no faith at all. Sharing evidences of what you have faith in is a very popular activity and is considered healthy and encouraging for all.
  People seriously believe that?
25. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-17 21:08 · Score: 0
  
  This paper was released as a preprint a year ago. Schneier's response can be found here.
26. Re: Is Diffie Hellman at risk? by lister+king+of+smeg · 2014-05-19 15:06 · Score: 1
  
  So the client can keep generating simple session keys over and over until it discovers the server's key? Sounds like a brilliant vulnerability. NSA, is that you?
  Except they can already throw data at a servers public key as it is public already
  
  --
  ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
27. Re:Is Diffie Hellman at risk? by Anonymous Coward · 2014-05-20 00:20 · Score: 0
  
  Replacing DH isn't hard. We have the elliptic curve variant of DH which attacks on regular DH do not necessarily translate to.
  If PFS is what you are after, you can get PFS via ephemeral-RSA (use your long term secrets to exchange a short lived RSA public key with the other end).
Almost first post! by Anonymous Coward · 2014-05-16 16:21 · Score: 2

However, someone intercepted the message, cracked slashdot's https rsa key, modified this message, then submitted it on my behalf.
1. Re:Almost first post! by Sun · 2014-05-16 16:31 · Score: 5, Interesting
  
  RSA does not rely on discrete log. It rather relies on discrete root.
  Dlog is the base, however, to almost any other public key algorithm out there which isn't elliptic curve. This includes Diffie Hellman, El-Gamal, DSA, Schnor and I'm sure others as well.
  My reading of the article is that those are not yet borken, per se (spelling mistake left in intentionally). Since Diffie Hellman is primarily used for forward reference security, however (i.e. - figuring out a session key that will not be compromised even if the private key later is), the question is not whether it is safe today. The question is whether it will remain safe for the foreseeable future.
  If attacks on dlog are beginning to become practical, the answer is "less and less".
  Shachar
2. Re:Almost first post! by Anonymous Coward · 2014-05-16 17:14 · Score: 0
  
  Many number theorists believe the problem of discrete logarithms and factoring are somehow linked, and historically advance in one has led to advance in other. However, this particular breakhrough was first published nearly a year ago, and also currently only relevant for small to medium prime fields...
3. Re: Almost first post! by Anonymous Coward · 2014-05-16 17:37 · Score: 0
  
  Finding a RSA private key exponent is a discrete logarithm problem. Moreover, there is a polynomial time algorithm for factoring the modulus given a public/private key pair.
4. Re:Almost first post! by Anonymous Coward · 2014-05-16 18:48 · Score: 1
  
  However, someone intercepted the message, cracked slashdot's https rsa key, modified this message, then submitted it on my behalf.
  You are aware Slashdot has an in-house analytics database that can easily correlate any AC to IP addresses, corresponding MAC addresses, logins (if any) and locations. If push comes to shove, the police can be given your ID, most likely without the need for a warrant. Just a lowly peon that never registered; not a problem, if your comments are serious enough for the labor.
5. Re:Almost first post! by Anonymous Coward · 2014-05-16 19:44 · Score: 0
  
  Preliminaries from Alfred Menezes:
  "Menezes says his analysis also shows the algorithm only becomes effective as the parameters of a cryptosystem, essentially the key size, grow asymptotically large. It may not be efficient; in fact, it may be slower than other algorithms against systems of small key size. Also, it is not effective against RSA and other non-pairing-based systems."
6. Re:Almost first post! by Anonymous Coward · 2014-05-16 20:59 · Score: 0
  
  The ids stored by slash along the posts are just the md5sum of the ip as can be seen in it's soruce code.
  If you have a ipv4 it's trivial to reverse, ipv6 not so much. Of course still there are access logs and NSA sniffers all over the pipes.
7. Re:Almost first post! by caluml · 2014-05-16 22:48 · Score: 1
  
  Your MAC address isn't visible outside your local subnet. Slashdot has no way of knowing your MAC address. (Unless perhaps you're using IPv6 without privacy extensions enabled, but I'm guessing Slashdot is years away from IPv6.)
  
  --
  Get your own free personal location tracker
8. Re:Almost first post! by TeknoHog · 2014-05-17 00:12 · Score: 2
  
  RSA does not rely on discrete log. It rather relies on discrete root.
  Dlog is the base, however, to almost any other public key algorithm out there which isn't elliptic curve. This includes Diffie Hellman, El-Gamal, DSA, Schnor and I'm sure others as well.
  Discrete log is certainly being used with elliptic curves. EC isn't really an algorithm, but an alternative "number system" that is well suited for crypto (the common alternative is finite/Galois fields).
  
  --
  Escher was the first MC and Giger invented the HR department.
9. Re:Almost first post! by DarwinSurvivor · 2014-05-17 00:27 · Score: 1
  
  Or you post using a machine on the same subnet as the server. It's 11:00, do you know where your VPNs are?
10. Re:Almost first post! by Anonymous Coward · 2014-05-17 00:44 · Score: 0
  
  So THAT is why my posts are always ignored! Guess I offended /. a long time ago ...
11. Re: Almost first post! by Anonymous Coward · 2014-05-17 01:26 · Score: 0
  
  Or you allow JavaScript from dice(y) to run on your machine. Duh.
12. Re: Almost first post! by caluml · 2014-05-17 02:56 · Score: 1
  
  I didn't think this was possible (as I run NoScript, Firefox and Linux), but apparently it might be, under IE on Windows, with WMI.
  
  var locator = new ActiveXObject("WbemScripting.SWbemLocator"); var service = locator.ConnectServer("."); // Get the info var properties = service.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration"); var e = new Enumerator (properties);
  Jesus, that looks horrible. I would hope that you have to add sites to your Local Intranet zone or whatever it's called these days before it'll work.
  
  --
  Get your own free personal location tracker
13. Re:Almost first post! by russotto · 2014-05-17 04:11 · Score: 1
  
  RSA does not rely on discrete log. It rather relies on discrete root.
  RSA private key is p,q,d where p and q are large primes and d is the private exponent.
  RSA public key is n, e where n = pq and e is the public exponent. The private exponent d was chosen such that (m^e)^d (mod n) = m for any m (message) 0 m n.
  RSA encryption is c = m^e (mod n)
  RSA decryption is m = c^d (mod n)
  Suppose I have an RSA public key n, e. I pick an arbitrary m and calculate
  c = m ^ e (mod n)
  Now I need to find d such that
  m = c ^ d (mod n)
  This is the discrete logarithm problem.
  Being able to solve discrete root would ALSO break RSA; if you could figure out the eth root of c (mod n), you could get the message without having the private key.
  And for completeness, solving integer factorization breaks RSA because with p and q you can calculate d.
  Elliptic curve encryption also relies on a discrete logarithm problem being hard, but it's a discrete logarithm over an elliptic curve, which is believed to be harder.
14. Re:Almost first post! by swillden · 2014-05-17 10:50 · Score: 1
  
  Dlog is the base, however, to almost any other public key algorithm out there which isn't elliptic curve.
  EC algorithms (ECDH, ECDSA, ECIES) are also based ultimately on the discrete log problem. So, this news is a potential threat to essentially all of the major asymmetric crypto algorithms, excepting only RSA.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
15. Re:Almost first post! by jrumney · 2014-05-17 15:31 · Score: 1
  
  If push comes to shove, the police can be given your ID, most likely without the need for a warrant.
  When push comes to beta, your ID will be pushed directly to the police using JSON, most likely without the need for a cookie.
16. Re: Almost first post! by Anonymous Coward · 2014-05-17 20:35 · Score: 0
  
  Jesus, that looks horrible. I would hope that you have to add sites to your Local Intranet zone or whatever it's called these days before it'll work.
  Not even that'll do it. You have to turn on the option in the advanced security settings labelled "use ActiveX controls not marked as safe for scripting", which is by default disabled for all remote zones and set to pop up a warning box for pages on the local computer (assuming you've turned scripts on on the local computer at all, that is).
Springer Verlag says by Mister+Liberty · 2014-05-16 16:30 · Score: 2

All your Logs are belong to us.
Probably known already by Animats · 2014-05-16 16:40 · Score: 2

If this is just being publicly announced now, it was probably known to NSA, the GRU, and the MSS years ago. The superpower security agencies put substantial resources into cryptanalytic number theory.
Early public key cryptosystems used the knapsack problem. That turned out to have reasonably easy solutions. Factoring products of two big primes may be all we have left. That's believed to be hard, but there's no proof of a lower bound on it.
1. Re:Probably known already by Strider- · 2014-05-16 17:00 · Score: 1
  
  If this is just being publicly announced now, it was probably known to NSA, the GRU, and the MSS years ago. The superpower security agencies put substantial resources into cryptanalytic number theory.
  I think that many people forget the NSA's other mission: securing US Government communications. The easiest way to figure out how secure an algorithm is, is to take a look at what level of information it's authorized for. Despite everything that all the folks here say, the NSA and other agencies aren't stupid. They know full well that if they can break the algorithm, somebody else can as well.
  
  --
  ...si hoc legere nimium eruditionis habes...
2. Re:Probably known already by Anonymous Coward · 2014-05-16 17:27 · Score: 2, Interesting
  
  Unless they are keeping keys to the algorithm that no one else has, and which cannot be determined after the fact. This is essentially the issue that they were accused of in regards to the elliptic curve random number generator they had put forward as a standard.
3. Re:Probably known already by marcello_dl · 2014-05-16 18:30 · Score: 1, Insightful
  
  There are many other methods to send info, one time pads (number stations), steganography (lots of side channels for noise to be tampered with), couriers, stuff...
  And BTW you still have to prove that NSA and all the other agencies are working for their own nation against the other nations. It may hold true at lower levels, but they don't answer to anyone by design, and it's apparent that we live in a global system where politics are a diversion.
  
  --
  ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
4. Re:Probably known already by x0ra · 2014-05-16 19:09 · Score: 0
  
  Do you mean like the DES S-box "controversy" ?
5. Re:Probably known already by evilviper · 2014-05-16 20:08 · Score: 1
  
  Factoring products of two big primes may be all we have left.
  Factoring primes is popular, but not at all the ONLY method:
  https://en.wikipedia.org/wiki/...
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
6. Re:Probably known already by vadim_t · 2014-05-16 20:10 · Score: 4, Insightful
  
  No, like the [Dual EC DRBG](http://en.wikipedia.org/wiki/Dual_EC_DRBG) controversy.
  I love it how people (shills?) keep bringing up DES S-boxes, as if they had anything to do with anything. The thing with DES was in 1975. Almost 40 years ago. Since then the NSA went through 10 directors, and the US through 8 presidents. And most of the staff in high positions died or retired.
  It's ridiculous to try to pretend that something nice a completely different NSA did 40 years ago has the slightest relevance to today's completely different environment and politics.
7. Re:Probably known already by Kjella · 2014-05-16 21:05 · Score: 1
  
  There are many other methods to send info, one time pads (number stations), steganography (lots of side channels for noise to be tampered with), couriers, stuff...
  OTP needs a secure side channel the same size as the data meaning you can't just call/text/mail someone and verify a fingerprint, which makes it extremely impractical, steganography with no or weak encryption is just security by obscurity, couriers depend on the security of the courier which is just like trusting the Internet - it too is a third party courier. Without regular PKI it wouldn't be practically feasible, fortunately the basic building blocks like RSA for signing/verifying in certificates and PGP messages, Diffie-Hellman for ephemeral keys and any symmetric cipher like AES for bulk transport still seem pretty unthreatened. The problem is the implementation, which is far from trivial to do right.
  
  --
  Live today, because you never know what tomorrow brings
8. Re:Probably known already by Anonymous Coward · 2014-05-16 23:44 · Score: 1
  
  Key distribution for one time pads is a nightmare. It's possible for a giovernment to send tapes of one time pads through diplomatic baggage to their embassies in advance. But it's completely useless for anyone else.
9. Re:Probably known already by Anonymous Coward · 2014-05-17 01:41 · Score: 1
  
  > If this is just being publicly announced now, it was probably known to NSA, the GRU, and the MSS years ago.
  I don't know about that. One thing that has become clear after Snowden's revelations is that the NSA has troubles with properly implemented cryptography. Whereas they no doubt have one or two tricks up their sleeve, they don't seem to be in possession of any revolutionary mathematical knowledge. They used to be years ahead of academia in cryptography, when academia was barely looking into it. That ended about 40 years ago.
10. Re:Probably known already by houstonbofh · 2014-05-17 02:38 · Score: 1
  
  Key distribution for one time pads is a nightmare. It's possible for a government to send tapes of one time pads through diplomatic baggage to their embassies in advance. But it's completely useless for anyone else.
  Yeah... Mailing a flash drive is beyond the abilities of most people.
11. Re:Probably known already by Electricity+Likes+Me · 2014-05-17 04:32 · Score: 1
  
  Yes except no one's been able to show that they actually do have the keys, or even a smoking gun of "this algorithm is always active".
  What they are doing is the same wailing and knashing of teeth that happened 40 years ago.
  Meanwhile it seems far more obvious that the NSA instead just relies on the CIAs direct intercept and tampering with targeted bits of hardware, rather then depending on people using a specific algorithm, with a specific set of constants, somewhere that's interesting to them and not one where the documentation for its specifications explains exactly how to generate new constants which would eliminate any baked in security hole.
12. Re:Probably known already by Anonymous Coward · 2014-05-17 05:47 · Score: 0
  
  Yes except no one's been able to show that they actually do have the keys, or even a smoking gun of "this algorithm is always active".
  Showing the NSA actually has the keys would require one to either infiltrate the NSA (kind of hard) or have top secret clearance (in which case you wouldn't be allowed to release the information). Someone at the NSA has the numbers (whether or not the organization as a whole does) fo break Dual EC DRBG, which means it is broken period.
  As to the grandparent, the NSA improving DES's S-boxes wasn't even a nice thing by the NSA. If you've read up on the history of DES, the NSA improved the S-boxes with the understanding NIST would not make the algorithm public! They never intended for any of it to become public knowledge.
13. Re:Probably known already by evilviper · 2014-05-17 06:19 · Score: 1
  
  It's ridiculous to try to pretend that something nice a completely different NSA did 40 years ago has the slightest relevance to today's completely different environment and politics.
  It's not relevant for judging the character of the NSA, of course, but it's HIGHLY relevant as a bit of context, when people are acting paranoid, and throwing around accusations with no evidence.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
14. Re:Probably known already by marcello_dl · 2014-05-17 10:03 · Score: 1
  
  OTP needs a secure side channel the same size as the data meaning you can't just call/text/mail someone and verify a fingerprint, which makes it extremely impractical
  Well that's a problem if your are already under the radar but otherwise? What if you just apply a salted hash to blocks of innocent files that you share with your pal and use them as the OTP? We all already share innocent files provably identical, the updates. Linux users routinely download compressed and signed packages those mega if not gigabytes can stay on the HD for the life of the PC. Windows updates are probably the same, thanks god I dunno and don't care. All I need to use OTP with a pal is the salt, and the hash function, and an optional way to say I "have been compromised". A rookie programmer can whip up the encoding and decoding function script without even saving it on the hd.
  Steganography, what about patching an online game client? It appears I am gaming while I am trasmitting and raise no suspicion. I mean all network hardware sold could already have the capability to encode data masked as jitter, for what we know.
  And these are the first things off my mind, what about people who do this for a living?
  
  --
  ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
15. Re:Probably known already by Anonymous Coward · 2014-05-17 10:15 · Score: 0
  
  No, but mailing hundreds of them and keeping track of all of them and which should be renewed is. Besides, mail can be intercepted without your knowledge.
16. Re:Probably known already by Anonymous Coward · 2014-05-17 20:38 · Score: 0
  
  It's ridiculous to try to pretend that something nice a completely different NSA did 40 years ago has the slightest relevance to today's completely different environment and politics.
  No, it isn't, because they have the same motivation today that they had then: they don't want US government employees to believe that a cryptosystem is secure when it could be easily broken by anyone who has made the same conceptual breakthrough that they have. They assume that if they know something, someone else either already knows it or will know it soon.
17. Re:Probably known already by cryptizard · 2014-05-18 00:37 · Score: 1
  
  Maybe read the article or, I dunno, some of the other comments before making yourself look stupid. This does not break any crypto systems that are currently in use because it only solves the discrete log problem in some specific finite fields with very low characteristic, i.e. not ones used by DH. You might say, oh that is just the first step to breaking DH, but there is no proof of that. Different finite fields have very different properties and there is no evidence at all that results like this can or will be generalized. There are many groups in which the Diffie Hellman problem is not hard for instance, but that doesn't mean that there aren't some groups where it is.
  
  Additionally, RSA is also reducible to discrete log since you can find the decryption exponent via a single discrete log operation, so there is that.
What the hell? by Anonymous Coward · 2014-05-16 16:42 · Score: 0

discredits several cryptographic systems that until now were assumed to provide sufficient security safeguards. Although this work is still theoretical, it is likely to have repercussions especially on the cryptographic applications of smart cards, RFID chips , etc.
This is slashdot. We get cut and paste third rate analysis in the summary? No description of which cryptographic systems?
1. Re: What the hell? by Anonymous Coward · 2014-05-17 07:17 · Score: 0
  
  Analysis shows that not even the people involved in this "disclosure" are certain about in what regard their contribution really contributed to solving this problem!
  Oh and "discretion" is adviced, but imho this is just another stupid attempt by the newops of this site to get som additional revenue from ad sales.
  Google this. EVERYTHING links back here.
  I guess the point is invalid, which must mean my hair is a bird! .. SlashRot did it again
arXiv link (to the technical paper) by l2718 · 2014-05-16 16:46 · Score: 5, Informative

TFA links to the published version on SpringerLink, which is paywalled. A free preprint is available on the arXiv.
1. Re:arXiv link (to the technical paper) by Anonymous Coward · 2014-05-16 16:56 · Score: 0
  
  from a year ago...
2. Re:arXiv link (to the technical paper) by l2718 · 2014-05-16 17:04 · Score: 2
  
  Yes; the preprint was posted to arXiv when the research was completed. Obviously Science Magazine (the source for the slashdot posting) prefers to write about results when the journal article comes out later, because otherwise the magazine would to check the preprints for correctness on its own, which it can't be expected to do.
3. Re:arXiv link (to the technical paper) by Anonymous Coward · 2014-05-17 05:22 · Score: 0
  
  plus, how would it get it's kickbacks from douchebag.com
Somewhat by l2718 · 2014-05-16 17:01 · Score: 5, Interesting

Reading the paper, the most notable feature is that their algorithm is efficiency for constant characteristic, including the common case of fields of characteristic 2. It's also okay for the characteristic to grow somewhat with the size of the field, but not very fast.
This is not at all relevant to most implementations of DH, which use prime fields of large characteristic. For example, DSA depends on discrete log modulu a large prime p. In particular, I wouldn't worry about forward secrecy of current internet traffic.
1. Re:Somewhat by Fnord666 · 2014-05-17 04:10 · Score: 1
  
  This is not at all relevant to most implementations of DH, which use prime fields of large characteristic.
  Exactly. Probably more interesting is that their solution is applicable to a wider range of finite fields than recent improvements.
  From the paper:
  
  Although we insist on the case of finite fields of small characteristic, where quasi-polynomial complexity is obtained, our new algorithm improves the com- plexity of discrete logarithm computations in a much larger range of finite fields.
  I see no good basis for the ScienceDaily author's leap from the paper's results to his conclusion that
  
  Since solving this variant of the discrete logarithm is now within the capacity of current computers, relying on its difficulty for cryptographic applications is therefore no longer an option. This work is still at a theoretical stage and the algorithm still needs to be refined before it is possible to provide a practical demonstration of the weakness of this variant of the discrete logarithm. Nonetheless, these results reveal a flaw in cryptographic security and open the way to additional research. For instance, the algorithm could be adapted in order to test the robustness of other cryptographic applications.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Not much to see here. by Anonymous Coward · 2014-05-16 17:14 · Score: 1

The new algorithm is for small characteristics. Small characteristics have been suspect for some time and are no longer used. In fact: cryptographers are moving away from finite fields altogether in favor of elliptic curves, now that most of the relevant patents in that subject have either expired or been rendered toothlesss. No subexponential algorithm is known for the Discrete Logarithm Problem over elliptic curves.
1. Re:Not much to see here. by TechyImmigrant · 2014-05-16 17:53 · Score: 1
  
  >are moving away from finite fields altogether in favor of elliptic curves
  Umm, what about all the elliptic curves in finite fields?
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
2. Re:Not much to see here. by jopsen · 2014-05-16 18:43 · Score: 1
  
  >are moving away from finite fields altogether in favor of elliptic curves Umm, what about all the elliptic curves in finite fields?
  It may have been 6 years since I played with the discrete logarithm problem over elliptic curves, but aren't all the fields finite?
3. Re:Not much to see here. by l2718 · 2014-05-16 19:34 · Score: 1
  
  The fields of rational, real, and complex numbers are certainly not finite.
4. Re:Not much to see here. by l2718 · 2014-05-16 19:37 · Score: 2
  
  Yes, these elliptic curves address defined over a finite field, but there's no known connection between the discrete log problem for the field and for the elliptic curve.
5. Re:Not much to see here. by SuricouRaven · 2014-05-16 20:44 · Score: 2
  
  Until you try to impliment them on hardware that can exist in the real world.
6. Re:Not much to see here. by TechyImmigrant · 2014-05-17 09:25 · Score: 2
  
  Unless you're talking about the Dual EC DRBG.
  Prime fields are safer, but they are inconvenient. Elements in a GF(2**n) field map nicely to n bits.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
It's still NP. by mark-t · 2014-05-16 17:28 · Score: 4, Informative

As I understand it, they've simplified the problem to a compiexity of O(n^log(n))... this is still non-polynomial time... but the rate of complexity growth is effectively polynomial. If I understand correctly, that means that the additional security that was formerly thought to be obtained by merely doubling cryptographic key length must now be obtained by squaring it.

--
File under 'M' for 'Manic ranting'
1. Re:It's still NP. by Anonymous Coward · 2014-05-16 18:33 · Score: 0
  
  NP doesn't stand for non-polynomial and indeed everything in P is also in NP. NP stands for non-deterministically polynomial.
2. Re:It's still NP. by WoOS · 2014-05-16 19:22 · Score: 1, Informative
  
  Please note that the algortihm is not O(n^log(n)) but n^O(log(n)). This puts the constant factor in the exponent which is a bit worse.
3. Re:It's still NP. by Anonymous Coward · 2014-05-16 19:22 · Score: 0
  
  NP indeed doesn't stand for non-polynomial, but his point was that O(n^log(n)) is non-polynomial. He never even mentioned NP!
4. Re:It's still NP. by l2718 · 2014-05-16 19:32 · Score: 3, Informative
  
  Squaring key lengths would be entirely impractical. That said, the improvements only apply to a case of discrete log which isn't actually in use. Cryptographic algorithms generally depend on hardness of discrete log mod p (p a large prime), not in the field with p^k (p fixed, k large).
5. Re:It's still NP. by Anonymous Coward · 2014-05-16 22:29 · Score: 1
  
  n^log(n):
  F(2^2) = 2^4 = you can probably solve it with pen and paper
  F(2^3) = 2^9 = you could probably still solve it by hand if your life depended on it.
  F(2^4) = 2^16 = too hard to solve by hand, but a PC could do it in less than a microsecond.
  F(2^5) = 2^25 = solved in millisecond or so on a PC
  F(2^6) = 2^36 = solved in a few minutes on a PC
  F(2^7) = 2^49 = a little difficult to brute force, but still easily solved in half a day on a GPU.
  F(2^8) = 2^64 = a server farm can solve this in a day.
  F(2^9) = 2^81 = the top supercomputer in the world would take decades to solve this.
  F(2^10) = 2^100 = our solar system won't exist long enough for you to get the answer.
  ...
  F(2^16) = 2^256 = nothing in the known universe will ever solve this before the big fizzle.
  From the above, you can see that squaring the key size isn't necessary unless the problem is already trivial to solve.
6. Re:It's still NP. by Twinbee · 2014-05-17 02:59 · Score: 1
  
  Why would squaring key lengths be impractical?
  
  --
  Why OpalCalc is the best Windows calc
7. Re:It's still NP. by ShadowRangerRIT · 2014-05-17 04:23 · Score: 2, Insightful
  
  That's not how big-O notation works. O() is not a function, you can't just rearrange the components. There isn't even a constant factor involved in either version of what you wrote. Who modded this informative?
  
  --
  $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
8. Re:It's still NP. by ShadowRangerRIT · 2014-05-17 04:29 · Score: 1
  
  A short key right now is 512 bits (0.5 KB). A longish key right now is 4096 bits (4 KB); many sites use shorter keys because high traffic sites can't afford the bandwidth and CPU required to transmit and process even a 4096 bit key for thousands of connections per second. Squaring even the short end of that range would produce a 262144 bit key (256KB). That's a ridiculous amount of data overhead just to initiate a connection, and performing math in a space that large would tax the CPU of individual computers; if a web server is performing that much math for every connection, you'd dramatically increase the overhead to serve web pages.
  TL;DR: Squaring key length make math hard, hurt computer.
  
  --
  $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
9. Re:It's still NP. by Anubis+IV · 2014-05-17 04:51 · Score: 1
  
  He never even mentioned NP!
  Au contraire, he started with it in his title for the comment: "It's still NP."
10. Re:It's still NP. by fph+il+quozientatore · 2014-05-17 04:57 · Score: 1
  
  What WoOS writes seems ok to me. He's not rearranging the components, he's pointing out that the correct formula is a different one. There's a constant involved in the most common definition of the big-O notation --- look at line 3 of the wikipedia page that you linked to.
  
  --
  My first program:
  Hell Segmentation fault
11. Re:It's still NP. by Anonymous Coward · 2014-05-17 05:03 · Score: 0
  
  By n^O(log(n)) one means that it is bounded by something of the form n^(f(x)) where f(x) is in O(log(n)), which is different from saying O(n^(log(n))) which would imply that we are bounded by a multiple of n^(log(n)). See the multiple usages part of the article you linked for a similar example with O(1). And the point of the GP's post is that you can't rearrange the terms. The paper states n^(O(log(n))), also see the following https://en.wikipedia.org/wiki/Quasi-polynomial_time#Quasi-polynomial_time. Also by constant factor one means that the O(f(x)) notation means we are bounded by a multiple (constant factor) of f(x).
12. Re:It's still NP. by Carewolf · 2014-05-17 09:26 · Score: 1
  
  Yes, that is how I read it too. (posting to undo accidental wrong mod)
Looks like this is specific to finite fields by Anonymous Coward · 2014-05-16 17:38 · Score: 0

I've basically only read the abstract and first section of the actual paper, but it looks like this is only demonstrating a weakness in the discrete log problem on finite fields. Specificaly fields of small characteristic. If you were using a large prime field, I suspect this isn't much of an issue. I'm also guessing this doesn't affect general elliptic curves. I'll be scared if they find a powerful algorithm to attack the general discrete log problem for groups.
I'm also wondering if this result will lead to a more efficient algorithm for factoring large integers. It has been my understanding these problems are related, unless it's more like discrete log on prime fields is related to integer factorization. But again, I haven't read the entire paper yet.
Don't put Dlog to sleep so soon by iceco2 · 2014-05-16 17:39 · Score: 5, Insightful

The result is on for fields with small characteristic, but the most commonly used finite fields in this context are the Zp for some prime p which have characteristic p.
So though this is a very interesting result, I am not tossing out all my crypto suit yet.
we should be cautiously seeking better alternatives, but the worst thing we can do is to panic and ditch well studied algorithms and implementations every time some progress is made on their cryptanalysis.
1. Re:Don't put Dlog to sleep so soon by Anonymous Coward · 2014-05-16 18:24 · Score: 1
  
  Fields with small characteristic have been known weaker for eons— (including by the author of this paper's prior work). In general, its well know that prime fields have the best security story.
2. Re:Don't put Dlog to sleep so soon by garryknight · 2014-05-16 22:17 · Score: 1
  
  I am not tossing out all my crypto suit yet.
  
  You might want to hold onto it. While not as cool as a cloak of invisibility, a crypto suit is still a pretty good disguise...
  
  --
  Garry Knight
Repercussion on SmartCards? by brainnolo · 2014-05-16 18:47 · Score: 3, Interesting

SmartCards actually mostly rely on symmetric algorithms for most applications. The only commonly used public key algorithm is RSA, which is not based on discrete logarithm. This leaves DSA, among the relatively common algorithms, but that is rarely used on SmartCards. What would be interesting to know, is how EC-DSA is affected, since it is slowly replacing RSA because of the reduced key size.
1. Re:Repercussion on SmartCards? by L-One-L-One · 2014-05-16 19:28 · Score: 1
  
  Do you know what PFS is or how it works? Clearly the answer is "NO" but you should educate yourself.
  The OP is right: smartcards mostly rely on symmetric algorithms. In fact the OP never said anything about PFS, and bank cards for example, which use RSA, do not implement PFS, because it is not needed in that context.
  Do you know what a smart card is and how it works? Clearly the answer is "NO" but you should educate yourself ;-)
2. Re:Repercussion on SmartCards? by swillden · 2014-05-17 11:00 · Score: 1
  
  Were all of the asymmetric cryptosystems invalidated, smart cards would probably become dramatically more important. Everything we do with asymmetric crypto can be done with symmetric crypto (and in many cases with liberal use of trusted third parties), but key distribution becomes a much harder problem. Smart cards provide a cost-effective and reasonably-secure mechanism for key distribution.
  As long as we have one secure, general-purpose asymmetric algorithm, though, I don't see much of an impact. Well, except that if everything else were to fall, I think everyone would look askance at the remaining algorithm, wondering if its time is just about to come as well.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Hold the horses by WoOS · 2014-05-16 19:43 · Score: 2
Even though I didn't really understood the math, two important points stick out from their description:
1. a) Complexity is still n^O(log(n)). This is better than O(e^n) but still worse than O(n^c) for any fixed c.
2. b) It is a heuristic and I couldn't find in their paper a statement how well this heuristics work, i.e. in how many cases it will find its (optimal/only) result and in how many not or only in a much more time.
As far as I understood they empirically showed their approach to work on one example. A study showing the general feasibility of the heuristics would be more convincing (yeah, that's the engineer speaking not the mathematician).
It should also be noted that the authors themselves write in their conclusion:
"Compared to existing approaches, and in particular to the line of recent works [15,10], the practical relevance of our algorithm is not clear, and will be explored by further work."
So, before running to conclusions maybe we should wait for the "further work".
better late than never? by Anonymous Coward · 2014-05-16 20:28 · Score: 0

Apparently, these findings were already being discussed in UCI Cryptography Seminars back in spring 2013.
Solved in Sneakers, 1992 by breadlord · 2014-05-16 21:52 · Score: 1

Great hacker flick if nothing else : While the number-field sieve is the best method currently known... ...there exists an intriguing possibility for a far more elegant approach. ...over the rationals, and hence contained in a single cyclotomic field. Using the Artin map, we might induce homomorphisms... It would be a breakthrough of Gaussian proportions... ...and allow us to acquire... ...the solution in a dramatically more efficient manner. Such an approach is purely theoretical. So far, no one has been able... ...to accomplish such constructions... ...yet. The numbers are so unbelievably big... ...all the computers in the world could not break them down. But maybe, just maybe... ...there's a shortcut. Numbers themselves may be our best tools... ...may be able to see things in other numbers that we can't.
1. Re:Solved in Sneakers, 1992 by Anonymous Coward · 2014-05-17 10:13 · Score: 0
  
  While the number-field sieve is the best method currently known...
  
  If the first number starting each row in Pascal's triangle is used as an exponent of 2 and all of the other numbers in that row divide it without giving a remainder (modulo 0) then the exponent is prime. A modulo 1 or greater indicates the exponent is composite. Granted, it gets immediately large almost from the start, but an alternative solution to the Eratosthenes Sieve does exist.
Comment removed by account_deleted · 2014-05-16 23:35 · Score: 1

Comment removed based on user account deletion
multiple encryptions by Anonymous Coward · 2014-05-17 02:28 · Score: 0

It occurs to me that all the discussions seem to assume that something is encrypted only once. What happens if you take your document and encrypt it multiple times, using multiple techniques. Only the recipient knows the sequence and how many times each is run. I would think this would make it nigh onto impossible to decrypt. What am I missing?
1. Re:multiple encryptions by mark-t · 2014-05-17 03:31 · Score: 1
  
  How does the recipient know the sequence of how many times each is run? Obviously, this requires a secure exchange of something that must be kept secret.... so how do you go about ensuring that what you want to exchange with the recipient, nobody else will view? Obviously, you encrypt that information... I trust you can see the recursive nature of your proposed solution.
  
  --
  File under 'M' for 'Manic ranting'
Hype by Anonymous Coward · 2014-05-17 04:18 · Score: 2, Interesting

I'm a cryptographer and the paper didn't even catch my eye when I was glancing this year's Eurocrypt papers. I also haven't heard anyone talk about it at work and this is despite all my coworkers working on crypto which would break if someone came up with a fast dlog algorithm in groups used in practice. The algorithm is purely for fields of small characteristic, which means that it's totally irrelevant for most practical applications, since typically one will work over subgroup of invertible elements for the finite field F_p, where the characteristic p is of the order of the security parameter (meaning it's huge).
To me this looks like hype stemming from a popularizing science paper misunderstanding something (or misunderstanding it on purpose).
1. Re:Hype by cryptizard · 2014-05-18 00:43 · Score: 1
  
  Correct. The authors made no claim about breaking anything, it just got distorted somewhere along the line by the press. Also the algorithm is only quasi polynomial (n^O(log n)), which still makes it impractical for even moderately large sized fields.
No threat to DH, RSA, DSA; also repost. by Anonymous Coward · 2014-05-17 05:36 · Score: 0

I can't read the article behind Springer's paywall past the first couple of pages, but it appears to be the published version of this 2013 preprint which, if I'm not mistaken, was already slashdotted last year.
There would seem to be basically no chance of making this strategy work over the finite field with p elements, which is what it would take to break Diffie-Hellman and DSA as currently implemented; such fields are never going to have sparse medium subfield representations beause they don't have, you know, any subfields.
It's true that similar sieving strategies often apply to factoring as to the DLP - but again, the analogy is to prime field DLPs, so there' s no way that this is going to help break RSA directly. so I don't see any reason for the FUD. We're still a couple of major research ideas away from that.
Diffie Hellman is not Knapsack by billstewart · 2014-05-17 17:15 · Score: 1

As somebody else pointed out, either you or the person you were talking to was thinking of Merkle-Hellman, not Diffie-Hellman.
NP-hard problems are attractive, because they take polynomial time to verify if you know the right piece of data (i.e. the key) and exponentialish time if you don't. But it turns out that there are a lot of them that either can't be usefully turned into an encryption algorithm, or usually aren't more than polynomially hard if you do, because the version of the problem that got you public-key encryption is either some subset problem that isn't exponentially hard, or is only hard sometimes but not always, or else because turning the problem from a decision system into an encryption system took you exponential amounts of work (i.e. wasn't useful.)
So far Discrete Logarithm (over various groups, including modulo-prime arithmetic and elliptic curves) and factoring have been the most useful problems, giving us Diffie-Hellman and RSA and a few signature systems.

--

Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
why not use multiple by Anonymous Coward · 2014-05-18 04:41 · Score: 0

I've always been baffled by the apparent overconfidence in this field. Why in the world would any system only use one encryption method in the first place? No encryption algorithm has been proved secure yet, so the obvious answer in the face of such uncertainty is to pick the several most likely best algorithms and chain them together. "Weakest link in the chain" is not a valid metaphor for this situation. Cracking one of the encryption algorithms does nothing to break the total.
The only reason I can think of is speed, and of course that is a legit reason. But I think I can live with some extra latency when accessing my bank if it means not having my account stolen.
"until now" by mr_mischief · 2014-05-19 01:44 · Score: 1

Even if this problem is actually solved, the cryptographic methods using it were sufficient "until now" if this is actually the first party solving it. Saying that they were presumed sufficient until now misses the point of cryptography. It's never impossible to recover the plaintext. The whole point is to make it take unfeasibly long with current methods except for those with the proper key. If a new method comes along to break a scheme, that means the scheme is no longer sufficient going forward. It doesn't mean it was insufficient in the past.