U.S. Government Encryption Irony
Bruce Lane writes "Given the US Government's hype and paranoia about not allowing strong encryption out of the country, I find it particularly ironic that they should choose, as finalists competing for the next federally-blessed encryption standard, a couple of schemes developed outside the country altogether. The full story is here. Enjoy!"
What the government is _really_ trying to do is promote better quality international encryption. "We _know_ your encryption is better than ours, so we won't inflict any of our suck encryption on you."
It might really be a step in the right direction. If they adopt algorithms developed in foreign nations, they might realize how silly it is to try to stop exportation of strong crypto. It is also a good decision in that they realize that the encryptions they've been using are going to rapidly start becoming less trustworthy as faster and larger computers as well as distributed computing become more and more common.
Speaking of distributed computing, does anyone know if distributed.net has plans to add a new contest for these encryption schemes?
It seems pretty apparent to me that people in other countries, who have no particular disadvantage compared to Americans in writing software and certainly not in doing math, would be able to come up with their own encryption algorithms. The US is always attempting to take away the liberties of its own citizens under the pretext of 'protecting from terrorists', which they claim is one reason for the encryption restrictions. Since they give that reason for many other laws and restrictions where it is clear that they have other motives, I wonder exactly what they are thinking. Perhaps they will wise up about encryption restriction now, and release it, or at least tell us their real reason for restriction?
Juln
One would hope that these facts might convince some of the Congress-critters and the FBI's Louis Freeh of the absurdity of their position against encryption, but I wouldn't bet on it.
The revolution will NOT be televised.
-=DaveHowe=-
In particular, check out Rijndael. A real sweet algorithm: fast, secure, portable. A very very nice design.
And completely developed outside the US.
There's an added irony that this story hasn't pointed out - the disparity in import and export laws on cryptography.
In the US there are restrictions on EXPORTing cryptography, but no restrictions on IMPORTing cryptography. Getting good quality cryptography here isn't easy, but for some things it's mandatory.
Right now I'm designing and coding an e-commerce solution. The target customers are mostly here in the US, but one is in Canada, and who knows when someone will come on board to make it international?
So the solution to where to get cryptography packages? Off-shore! Obtain it outside the US, import it into the US, and that's it. No applying for export licenses, no restrictions or background checks on customers, no having them fill out nasty looking legal disclaimers. The worst we'd have to do is make each non-US customer "import" the package on his/her own to make it legal (So we wouldn't be 'exporting' anything - even something we imported already. I'm not sure on that point - anyone?)
There are Open Source cryptography packages available for Import. The only problem with them: I can't help! (being in the US, this might 'taint' their legal stance)
Want strong encryption not hampered by our silly laws? Go get some! (Yes, Virginia, there really are mathematicians outside the US.)
340 to the 35th keys by itself does not provide something "far more robust" than 256 bit keys. In fact, 340 to the 35th is equivalent to 294 bits. "according to sources" anyway...
This will be excellent fodder for the vote on the SAFE bill (see http://www.computerprivacy.org) which is coming up for a vote, most likely in September.
Being able to point to foreign crypto that's good enough to be considered for new standards will help our jobs immensely in convincing Congress to pass SAFE and quit limiting the export of encryption.
-S
that one part of the government is trying to support strong crypto and provide it to the people, while another part is trying to limit the spread of ANY crypto whatsoever, and wants to limit not only the export of cryptography but its distribution and use within the United States.
Figures.
Yeah, Rijndael appears to have a good chance at becoming the AES.
Check out NIST's Round 1 Report (PDF) for the raw details if you haven't already.
Of the five that made it to round 2, Mars and RC6 can probably be counted out right away. Mars is too complicated and RC6 doesn't have a large security margin. And both are highly platform-dependent for their speed.
Serpent (one of the non-US ones) will probably be counted out because of its slow speed, although the high security margin might still save it. One could argue that as CPUs get faster speed becomes a non-issue compared to security. Just look at the popularity of Triple-DES even today.
Rijndael (the other non-US one) and Twofish appear to be the favorites. The report listed no real complaints about Rijndael. Twofish is kinda complicated, but has some space/time tradeoff options that might be worth it for low-memory systems.
Rijndael has a structure that can be parallelized. This could be a very good thing if processing goes that way. Considering that AES is expected to serve for decades, performance on future processors could be very important, though entirely speculative.
Just don't hold your breath. It'll probably be years before we see a winner.
Read the report. HPC does have a serious weakness (equivalent keys, IIRC). And CAST-256 was eliminated because of its mediocre performance.
Mars, RC6 and Twofish have NOT had any real weaknesses discovered. Any "weaknesses" are really just interesting observations, and can't be used to reduce the workfactor. It is still 2**128 or 2**256 (or 2**192, or other) possibilities.
I think every finalist should have moved to Cuba. Just so not only would the US have had to import the encryption, but from Cuba to boot!
(Clinton: "Oh, and hey, could you guys bring up some cigars with you as well? Thanks.")
Government bureaucrats and lawmakers always have had a strong tendency for cluelessness, especially where technology is involved.
It has always been the case that it is possible for an American to download some freeware source code from a foreign site that contains encryption, modify an aspect of the application that has nothing to do with the encryption (translate the output text to English, perhaps), then if he re-uploads the program, he has committed a federal felony!
Don't expect our lawmakers to actually be swift enough to see the irony in this, they're far too stupid for that.
Sometimes I wonder if anything would really change if we just trained chimpanzees to be our senators and congressmen...
Actually, whoever wrote that probably isn't American-centric, but just not very good at writing clear sentences. "but one is in Canada" separates out Canada as non-U.S., but then that last part contradicts it. I think the author was referring to the fact that it is a lot easier to export crypto to Canada than to other countries, so it would take another foreign country to make a problem.
In fact, doesn't NAFTA basically say that you can't set up restrictions to trade between Canada, the US, and Mexico? How's that fit in with ITAR? Is ITAR even applicable when exporting to Canada?
If not, would all you Canadians please get rid of all (if any) crypto export restrictions so us oppressed Americans can just route everything through. I at least would be eternally grateful.
Actually "exporting" crypto to Canada is perfectly legal, so in that sense Canada is a "state".
Anyway, you'd probably only "P off" 30 people. Most Canadians say "sorry" when *you* step on their foot.
D'accord, back into mon igloo.
...for the better
Please, learn a little more about the subject before spreading FUD. All of these ciphers are fine.
The result against MARS is an equivalent-key attack, for keys *over 1024 bits long*. AES-standard keys (128,192,256-bit) are fine, it's just a wee problem with some extended functionality that the AES doesn't require. And the "tweak" against MARS for a more smartcard-friendly key schedule fixes even this.
The result for Twofish is even weaker: not all subkeys are possible. However, the subkey entropy is quite sufficient to ensure the security of the cipher, and it doesn't lead to a break. See the paper on the subject on the Twofish home page.
And there's nothing listed for RC6 at all!
HPC is big and slow and complex and impossible to analyse; it would be a terrible mistake to bring it into Round 2. CAST-256 was rejected because everything it does, Serpent does better.
I'm happy with the choices NIST made and the reasoning they give. And like everyone else, I think that the final battle will be between Rijndael and Twofish. It's interesting to note that neither of these excellent ciphers are patent-encumbered.
Oh, and it's not 2^128, it's 2^128 + 2^192 + 2^256, a 78-digit number
--
Xenu loves you!
A similar letter from Janet Reno was sent to Germany's federal minister of justice Hertha Däubler-Gmelin too.
Read that letter here and the background story here.
The only explanation that makes sense to me is that the U.S. government indeed is able to gather a lot of useful information under present communication habits.
And what nature is this information - fighting drug dealers, organized crime or terrorists?
Nope. It seems to be mostly economical espionage. Some cases that became public:
- European Union / U.S. economic treaty negotiations - the EU delegation was eavesdropped by the U.S. who had easy play knowing the others' strategy and goals
- A solar energy company from north Germany suddenly found their invention patented by a U.S. company
- During the bidding for a train system, the German-led ICE consortium lost to the French TGV because the French were able to eavesdrop the ICE faxes
Another interesting item is that even the German armed forces use Lotus Notes, despite its weak encryption.
The result against RC6 isn't listed in the body, only the header. And AFAICT it's pretty bad for RC6: its security margin just got much lower. It's a twenty round cipher; this attack breaks a 15 round version, and may well be amenable to extension.
I don't think RC6 can survive this. This makes it even more sure that only Twofish and Rijndael can win.
--
Xenu loves you!
I suspect that Reno and company would just as soon we didn't seal our envelopes before we put them in the mail either.
The news is that the crime rate in the U.S. has been declining. Guess if your job is catching bad guys and there's fewer of them around, you find a way to make more people out to be bad guys.
I can't say who I'd vote for in the 2000 elections but I'm afraid of Gore winning as he might decide to keep Reno on board. (Uuugggh!)
If there are no rules on importing cryptography, all cryptographers should move to like Ontario, Canada where they welcome it. Then there won't be any stupid laws about importing and exporting cryptography imposed on the stuff developed there. You can still import it to the US market just fine. Now doesn't everything all peachy work out? The US Government just seems so fucked up. Even with the Microsoft DOJ thing, as much as we hate Microsoft.
~~~NO CARRIER~~~
"The news is that the crime rate in the U.S. has been declining. Guess if your job is catching bad guys and there's fewer of them around, you find a way to make more people out to be bad guys."
Exactly! Now that every last little dealer of soft drugs is in jail, the U.S. is going to need some new 'laws' to catch 'criminals' and keep the jail-building business a growth industry.
Mike van Lammeren
The US always is always attempting to take away the liberties of their own citizens under the pretext of 'protecting from terrorists', which they claim is one reason for the encryption restrictions.
I wonder - can they show as much as a single terrorist that used real encryption? (Not simple codes like "the show starts Friday...") Many of them use guns though, which isn't prevented. So why bother with encryption?
because americans have the inalienable right to keep and arm bears ... or something along those lines.
no taxation without representation!
I doubt there will ever be a contest for any of these ciphers, and if there is, it will run indefinitely. The 128-bit key-space is simply too huge to brute-force search it.
Quoting Schneier, if you channel all the energy of the Sun into counting through the key-space, you will be able to count about 2^182 keys per year. This is without doing anything at all to the keys you cycle through, no energy wasted in your system and access to all the energy of the Sun, collected in a huge sphere built around it.
Logi - I can do anything, but not everything.
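The key-space arithmetic argued over in this thread (340^35 as a bit length, 2^128 + 2^192 + 2^256 as a 78-digit number, and why a 128-bit search never finishes) can be checked directly. The script below is an added example written for this page, not code from any poster or from NIST; the per-second search rate it uses is a constructed figure, and the 2^182-keys-per-year rate is the number quoted above, taken as given rather than derived.

```python
"""Key-space comparisons for the AES finalist discussion (added example)."""
import math

AES_KEY_BITS = (128, 192, 256)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_equivalent(base: int, exponent: int) -> float:
    """Key length in bits that a key-space of base**exponent values amounts to.

    Uses log2 so the result is a float; e.g. 340**35 is about 294.3 bits,
    not the 'far more robust than 256 bits' the quoted source implied.
    """
    return exponent * math.log2(base)


def decimal_digits(n: int) -> int:
    """Exact decimal digit count of a positive integer (no float rounding)."""
    if n <= 0:
        raise ValueError("expected a positive integer")
    return len(str(n))


def total_aes_keyspace() -> int:
    """Every key an AES implementation must accept: 2^128 + 2^192 + 2^256."""
    return sum(1 << bits for bits in AES_KEY_BITS)


def brute_force_years(key_bits: int, keys_per_second: float) -> float:
    """Expected years to hit the right key at a constant rate.

    On average half the space is searched before the key is found, so the
    expected work is 2**(key_bits - 1) trials. keys_per_second is whatever
    rate you assume for the attacker (constructed, not measured).
    """
    expected_trials = 2 ** (key_bits - 1)
    return expected_trials / keys_per_second / SECONDS_PER_YEAR


def years_at_log2_rate(key_bits: int, log2_keys_per_year: float) -> float:
    """Same estimate, but with the rate given as a power of two per year.

    With the thread's figure of 2^182 keys/year for 'all the energy of the
    Sun', a 256-bit search still needs 2^73 years; a 128-bit search would
    finish in under a second, which is why the limit is energy, not time.
    """
    return 2.0 ** (key_bits - 1 - log2_keys_per_year)


if __name__ == "__main__":
    print(f"340^35 is about {bits_equivalent(340, 35):.1f} bits")
    print(f"AES total key-space has {decimal_digits(total_aes_keyspace())} digits")
    print(f"128-bit at 1e9 keys/s: {brute_force_years(128, 1e9):.3e} years")
```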
In Canada, we can import American encryption. However, just like when an American obtains it, we have to agree not to re-distribute it to somebody we're not supposed to. So routing it out of the States through Canada doesn't work :-).
On the other hand, encryption software written in Canada can be happily exported all over the world. (I believe OpenBSD is based out of Canada, for example.)