Slashdot Mirror


Interrogate Crypto Luminary Bruce Schneier

Most people who have any involvement with or interest in cryptography have heard of Bruce Schneier. If you haven't, check his online biography, check the home page for his consulting company, Counterpane Systems, or learn about his seminal book on the subject, Applied Cryptography (assuming you haven't already read it). Our usual interview rules apply: one question per post; moderators select their favorites; editors choose 10-15 of the highest-moderated questions and send them to Bruce on Tuesday; Bruce's answers appear on Friday.

146 comments

  1. keys IN the person? by Anonymous Coward · · Score: 0

    1. Keys stored on the person (e.g. jewelry, implants, whatever)
    2. Keys are encrypted/hidden behind some kind of biometric "lock"
    What about: 4. Keys are *IN* the person... (retinas, fingerprints, etc.)?

    1. Re:keys IN the person? by cemerson · · Score: 1

      That has the problem that you can't revoke the keys if they're compromised - that's why I'd store the key somewhere you can only get at by proving that you're you somehow. Still not perfect.

  2. Re:Digital signatures by Anonymous Coward · · Score: 0

    insert the "I'm still having difficulty factoring small prime numbers" quip

  3. Efficient factoring algorithm by Anonymous Coward · · Score: 0

    I have developed a very simple and efficient factoring algorithm: Let n be the integer to
    be fa

  4. Do you think GnuPG is really secure? by Anonymous Coward · · Score: 0

    Do you think GnuPG is secure (against ECHELON snooping)? Is there any way to know?

  5. You idiot, sure it is. by Anonymous Coward · · Score: 0

    Come on, if it was compromised and we knew it, would we use it, dumb ass!

  6. Re:Quantum Computing by Anonymous Coward · · Score: 0

    ...Just an extension of the main topic... I wonder if you could elaborate on what would be a quantum computably "Hard" problem? i.e. Factoring for standard computing machinery is a hard problem.. Are there such problems? Or will Quantum computing (assuming it was as prolific as a common PC) eliminate Cryptography altogether?? If there are such problems could you give a ballpark Big O etc. for Normal and Quantum machines. -JD

  7. Re:Why should we trust the entire world to Twofish by Anonymous Coward · · Score: 0

    The moderator cannot POSSIBLY score this as 5.. There are several more worthy questions than challenging Bruce's competency simply for flair..

  8. Are You Just A Communicator? by Anonymous Coward · · Score: 0

    Bruce:

    Are you really as smart as you come off as, or have you just written one of the few general-purpose books on cryptography?

    Everybody knows that the really, really smart people in the crypto field work at academic institutions or the NSA, and publish papers that we "mere mortals" just plain don't grasp well.

    You wouldn't happen to be, pray tell, a popular author more than anything else, would you?

    Just was wondering.

  9. tell the rest of Stephenson's progression, please. by Anonymous Coward · · Score: 0

    Neal Stephenson worked at being a writer before he became a gadfly.

  10. Re:Recommended home security resources? by Anonymous Coward · · Score: 0

    Of course, as any C Programmer who doesn't spend way too much time on Slashdot or Usenet will know, the expression cryptography != security is a question, not a declaration. Until it's evaluated, it's a meaningless assertion.

    Why so many supposedly intelligent hackers use it as an assertion has confused me for quite some time. Maybe they flunked out of their C programming class, that's all I can think of as an explanation.

  11. Public Key Infrastructures by Anonymous Coward · · Score: 0

    PKI products on the market seem to be increasing in popularity. What is your opinion of these off the shelf cryptosystems and the security they provide? For example, are they well designed? Well implemented? Easy to administer securely?

  12. Re:Digital signatures by Anonymous Coward · · Score: 0
    Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.

    I don't really mean to nitpick (well, yes I do) but this statement is incorrect. The prime factorization of a large prime number is, of course, itself. What you mean to say is that it is difficult to factor composites of large primes.

  13. Huh? AES review board has plenty of number brains by Anonymous Coward · · Score: 0
    Don't you think the people on the AES board are qualified enough to provide a theoretical basis for their criticisms?

    If it can pass their muster, it's good enough by definition.

  14. Quantum Crypto/ Quantum Chaos Crypto by Anonymous Coward · · Score: 0

    Do you feel that Quantum Crypto or possibly Quantum Chaos Crypto have a reasonable chance of making ground-breaking changes in current cryptography schemes (be it a code breaking or code making role) in the next 50 years? Is there a chance of a revolution or just a few new bells and whistles?

  15. Does copy protection equal snake oil? by Anonymous Coward · · Score: 0

    I've enjoyed your articles on how to tell "snake oil" crypto from the real stuff. So what do you think of current copy protection efforts like CSS (recently cracked), DTCP, SDMI, InterTrust, etc? Are they selling a false sense of security?

    too lazy to get an account,
    Wesley Felter

  16. Re:Does the possibility exist... by Anonymous Coward · · Score: 0

    What if we define "unbreakable" as an algorithm for which we can prove the best technique is brute force? Is it vaguely possible that someone could come up with a sufficiently general form of cryptanalysis (much as Turing Machines are general forms of computers) that some algorithms could be shown to be immune to all attacks except brute force (I guess we'd have to exclude power and timing attacks from this domain, as they move in the physical realm)?

  17. Was that Crypto-AG story true? by Anonymous Coward · · Score: 0

    What's your opinion on the claim that Crypto-AG reduced the security of their encryption systems with prompting from the NSA?

    http://jya.com/cryptoa2.htm

    How would such tampering be prevented or detected?
    Even open source encryption could be tampered with at the source - e.g. the AES contestants could always be given suggestions (e.g. add 3 more rounds), which may seem reasonable based on current public knowledge but have some flaws only known to the NSA. The NSA seem to have better knowledge of how many rounds to use, whereas some cryptographers just put in a bunch more "just to be safe".

    Would it be better to have multiple AES to make such things harder? Tampering with more than one winner is going to be harder. Then by layering encryption we can balance performance with security for specific needs. It is far less likely for all to be cracked through together, especially with no headers provided.

    Naturally for higher performance requirements we can stick with just one AES, but there are very many cases where performance is acceptable even with multiple layers.

    The argument that there could be "interactions" seems very weak to me - I haven't heard of anyone trying to crack blowfish by encrypting it with DES first for example.

    Current common cryptosystems are already able to support different algorithms albeit unlayered.

    Cheerio,

    Link.

  18. the future of crypto by Anonymous Coward · · Score: 1

    recent optical computing theories published by Dr. Shamir and advances in quantum computing just around the corner (15-20 years before the men in black have this stuff in hand) appear to be able to create crypto-crackers which can solve problems which used to theoretically require trillions of cpu-cycles over trillions of years to brute force. how will cryptographic algorithms change to defeat these new "multi-state computers"... will it require a quantum cpu to defeat a quantum cpu? should we give up and just go back to using plaintext now? other possibilities?

  19. bruce schneier question by Anonymous Coward · · Score: 1

    i would like to know why guys always post crypto code, but not their crypto BREAKING code? i have always read by the top guys that in order to write good crypto you gotta try and break it, which i attempt to do. why not put out some stuff, like index of coincidence filters, or other utilities so we can see from your code that our stuff works too... but then again many of us know you got the market cornered (and deservedly so) so why add to the skill level of the wannabees... m1ck f0l3y have a nice day

  20. Re:Quantum Crypto by Anonymous Coward · · Score: 1

    Okay, I'm no expert, but IIRC symmetric block cryptography (such as twofish) is safe under quantum cryptanalysis. The reason RSA can be theoretically broken so easily with a quantum computer is that a quantum computer makes factoring RSA keys a trivial matter. RSA's security depends on the fact that factoring the product of two primes takes way too much computer time.

    I hope this clears things up a bit.

    -Alec C.

  21. Re:Why should we trust the entire world to Twofish by Anonymous Coward · · Score: 1
    Bruce Schneier is an author, and a popularizer.

    Not a Crypto genius.

    How so? Please, tell us exactly where his grounding in the mathematics of crypto is deficient.

    This guy is on the verge of landing the AES with TwoFish and you people have the nerve to tell him he doesn't know anything because he doesn't have a Ph.D.

    If you actually had attended graduate school you would know how stupid your argument is.

  22. Critical Issues by mosch · · Score: 1

    I recently finished reading The Electronic Privacy Papers, as a counterpart to Applied Cryptography. I was left wondering now that it's been two years since you wrote that book, what political and technological actions do you feel are most vital for individuals to take with regard to cryptography?

  23. Re:"Password Safe" for the Palm by Phil+Gregory · · Score: 1

    The program you're looking for is Strip (Secure Tool for Recalling Important Passwords). It is a GPLed program for the PalmOS that manages usernames and passwords. It stores all of its information in encrypted form, and you must enter the correct password to decrypt it for use. I'm currently using it to keep track of all of the users at the office, since I run the network here.


    --Phil (If only there were more GPLed Pilot apps...)

    --
    355/113 -- Not the famous irrational number PI, but an incredible simulation!
  24. Authentication without encryption by Mike+Greaves · · Score: 1

    I was a little surprised and fascinated to learn and understand that authentication mechanisms can employ message digest algorithms ("hashes") instead of encryption algorithms.

    I understand that this provides an opportunity for strong message authentication codes which are less restricted by cryptographic export controls. As I recall you covering such schemes as HMAC in your book, I was wondering how important you think these codes might become, given that they conceivably might see wider distribution.

    --
    -- Mike Greaves
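The HMAC construction the post above refers to, as an added example (not code from the original page or from Bruce Schneier): HMAC-SHA256 built from its definition with two hash calls and no encryption primitive, checked against Python's standard `hmac` module, with a constant-time verify. The key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 compression block; HMAC pads or hashes the key to this length


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), straight from the definition.

    Only a hash function is used, which is why such MACs fell outside
    encryption-oriented export rules. The nested construction also means the
    tag is not vulnerable to the length-extension trick that breaks H(K || m).
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()  # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")  # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte via timing
    return hmac.compare_digest(hmac_sha256(key, message), tag)


# Constructed sample input: in practice the key comes from a KDF or a key exchange.
KEY = b"shared-secret-from-a-real-key-exchange"
MSG = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def demo() -> tuple:
    """Returns (matches stdlib hmac, genuine message verifies, tampered message verifies)."""
    tag = hmac_sha256(KEY, MSG)
    lib_tag = hmac.new(KEY, MSG, hashlib.sha256).digest()
    return tag == lib_tag, verify(KEY, MSG, tag), verify(KEY, TAMPERED, tag)


if __name__ == "__main__":
    print(demo())  # expected (True, True, False)
```

The check a practitioner wants here is the last element of `demo()`: a one-byte change in the message invalidates the tag, and the receiver learns nothing about the key from a rejected tag because the comparison is constant-time.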
  25. DOJ vs. Bernstein by pabs · · Score: 1

    Do you think a win in the Bernstein case will deregulate encryption export, or will the result just be more political dodging?
    -- rot13 my email address for the real thing

    --

    Odds of being killed by lightning and winning the lottery in the same day: 1 in 2^55

  26. Consumer Crypto by kashani · · Score: 1

    Very few non-server systems seem to be built with crypto in mind. Cisco finally putting ssh on their routers is a good example. With the whole "smart appliances everywhere" right around the corner I find this disconcerting. What do you think it will take to put crypto on all devices, especially consumer devices?

    --
    - Why is the ninja... so deadly?
  27. Re:Digital signatures by Signal+11 · · Score: 1

    Sorry... not mine. I can't even train my own hands to duplicate my own signature reliably. :)

    --

  28. Where's moderator access when you need it? by XNormal · · Score: 1

    Although I don't agree with the contents of the above post, I think it would make a good question to Mr. Schneier.


    ----

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  29. Re:Unsolved Problems by XNormal · · Score: 1

    Secure distribution of digital media depends, by definition, on tamper-proof hardware/software.

    It is therefore not very interesting cryptographically.


    ----

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  30. Solitaire: Related Question by Ptolemarch · · Score: 1

    You mention in your explanation of the Solitaire system that, if confronted by the Secret Police, one would have to explain the presence of jokers shuffled into the deck. Are there any games of solitaire that do make use of (both of) the jokers?

  31. Re:Quantum Computing by nowonder · · Score: 1

    AFAIK factoring has not been proven "hard" (as being NP-complete or the like) yet, nor is it IMHO likely to be.

    Regarding your question, I cannot say if there are "quantum hard" problems that could be used as a trapdoor or anything useful. But there are hard problems even for quantum computers. Hell, there are even UNcomputable problems ...

    --
    -- NoWonder of WonderWorks/OmegaProject
  32. Large upsets by Prince+Caspian · · Score: 1

    The field of cryptography seems to be characterized both by steady progress and large upsets. Where do you think steady progress will take us in ten years, and what are some possible upsets that might occur during that time?

    "Bugs are harder to cope with than features, because they are less well defined and less well designed."

    --

    "It may be remarked in passing that success is an ugly thing. Men are deceived by its false resemblances to merit."
  33. cryptanalysis by lazarusL · · Score: 1

    Take a look on counterpane, there IS a cryptanalysis course there!

  34. Development v. Adoption by phred · · Score: 1

    To my interested layman's point of view, the key issue in strong crypto is not (or rather is no longer) development and is now adoption. PGP was a big step in the right direction, but not enough. Now that we have practical strong crypto on the desktop, where do we go from here to ensure its adoption as the expected way to do communications on networks?

    Do you have any thoughts on projects such as FreeS/WAN which are strategically aimed in that direction?

    --------

    --
    Bill Gates Is My Evil Twin.
  35. Proving in Court, Security in email: incompatible? by griffjon · · Score: 1

    With the major certificate authorities (like, say, Verisign) no longer issuing people anything but level 1 certificates, and the myriad difficulties in sending important/confidential/contractual data through PGP to stand up in court (who can prove that someone didn't change the computer's time/date, or even if the intended computer actually downloaded the files?), what's a guy to do?

    PKI can provide security, but without some third-party post-office/FedEx like entity which can track documents, this is not an alternative for many professionals who require receipt-like assuredness.

    My question is, how do you combine security and provability?

    --
    Returned Peace Corps IT Volunteer
  36. "Password Safe" for the Palm by sethg · · Score: 1
    Can you recommend a program available for PalmOS that has the same features (and the same level of security) as Password Safe?

    I could really use a utility like this -- although first, I have to save up enough quarters to get a Palm machine -- but even if I had source code, I wouldn't be able to distinguish a good security implementation from a bad one.

    --
    send all spam to theotherwhitemeat@ropine.com
  37. A crypto-quote challenge :-) by caliban · · Score: 1


    "MGWDD VCI YDDT C ODLWDM, FN MPX XN MGDV CWD JDCJ."
    - EDZSCVFZ NWCZYQFZ

    Sometimes I try my newspaper's crypto-quote - usually takes me 1/2 to 1 hr :-(

    I'm just wondering, ahem, if you can solve this one (and if you did, how long it took you & what combination of hardware/software you used)
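The crypto-quote above is a monoalphabetic substitution, and post 19 earlier in the thread asked why nobody publishes the breaking-side tooling such as index-of-coincidence filters. As an added example (not code from the original page or from Bruce Schneier) here is the small toolkit one actually uses on such a puzzle: letter frequencies, the index of coincidence, and a key-application routine. The ciphertext is copied from the post; the `KEY` mapping is one I worked out by hand from the pattern words (`MGWDD` ends in a doubled letter, `JDCJ` has the shape X??X, the single-letter word `C` is almost certainly A) and is not part of the post.

```python
import string
from collections import Counter

# Ciphertext copied from the post above.
CIPHERTEXT = "MGWDD VCI YDDT C ODLWDM, FN MPX XN MGDV CWD JDCJ."
ATTRIBUTION = "EDZSCVFZ NWCZYQFZ"


def letter_counts(text: str) -> Counter:
    """Counts of A-Z only; spaces and punctuation are ignored."""
    return Counter(ch for ch in text.upper() if ch in string.ascii_uppercase)


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are equal.

    English runs about 0.066, uniformly random letters about 0.038. A
    monoalphabetic substitution preserves the value, a polyalphabetic one
    (Vigenere etc.) drives it toward random, so this is the first filter to
    apply before committing to frequency analysis.
    """
    counts = letter_counts(text)
    n = sum(counts.values())
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def apply_key(text: str, key: dict) -> str:
    """Substitute each ciphertext letter via key; unknown letters print as '_'."""
    return "".join(
        key.get(ch, "_") if ch in string.ascii_uppercase else ch
        for ch in text.upper()
    )


# Hand-derived key (my derivation, not from the post): cipher letter -> plain letter.
KEY = {
    "M": "T", "G": "H", "W": "R", "D": "E", "V": "M", "C": "A", "I": "Y",
    "Y": "K", "T": "P", "O": "S", "L": "C", "F": "I", "N": "F", "P": "W",
    "X": "O", "J": "D", "E": "B", "Z": "N", "S": "J", "Q": "L",
}


def solve() -> tuple:
    return apply_key(CIPHERTEXT, KEY), apply_key(ATTRIBUTION, KEY)


if __name__ == "__main__":
    print("IoC:", round(index_of_coincidence(CIPHERTEXT), 4))
    print("most common:", letter_counts(CIPHERTEXT).most_common(3))
    print(*solve(), sep="\n")
```

The most frequent ciphertext letter (D, nine of 37 letters) lands on E, as frequency analysis predicts; on a text this short the IoC is inflated well above the English average, which is the usual caveat with the statistic.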

  38. Snake Oil by thingie · · Score: 1

    Snake oil continues to be a big issue in the encryption industry and something that you write about frequently. As computers increasingly become consumer items and cryptography becomes something everybody does, do you hold out hope that consumer watchdogs will move against companies making the more gratuitous claims?

  39. Recommended home security resources? by Zach+Frey · · Score: 1

    I've read before where you point out that cryptography != security, that is, you can't sprinkle the magic pixie dust of crypto over software and expect that the resulting system is therefore secure.

    Now that everybody and their sister is connecting to the Internet, via dial-up or even 24x7 cable modem or DSL connections, what level of paranoia is appropriate, and where do you recommend beginning?

  40. Re:Does the possibility exist... by Shadowlion · · Score: 1

    IANAE*, but I believe the one-time pad method is damn close to unbreakable.

    [*] I Am Not An Expert


  41. Re:Does the possibility exist... by Azog · · Score: 1

    One-time pads are provably unbreakable (and it's easy to prove).

    Since the key is _random_ (and it has to be really random), you can get _anything_ out by changing the decryption key... So there's no way for an attacker to be sure they have guessed the right key when they get a message out that looks sensible.

    IIRC, there are also ciphers for which breaking by means better than brute force would mean P != NP, but I don't remember the details on how they work.

    Torrey (Azog)

    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
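The argument in the post above can be made concrete. As an added example (not code from the original page or from Bruce Schneier): an XOR one-time pad, a routine that, given a ciphertext, produces the key under which it "decrypts" to any chosen plaintext of the same length (which is exactly why a brute-forcer can never recognise the right key), and the failure mode a practitioner must remember: reusing the pad hands the attacker the XOR of the two plaintexts. The plaintexts are constructed sample values.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Key must be truly random, as long as the message, and used once."""
    return xor_bytes(key, plaintext)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def key_that_yields(ciphertext: bytes, desired_plaintext: bytes) -> bytes:
    """For every same-length plaintext there is exactly one key producing this
    ciphertext, so a ciphertext alone carries no information about which one
    was sent: this is the whole proof of perfect secrecy."""
    return xor_bytes(ciphertext, desired_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same pad encrypted both messages, c1 xor c2 == p1 xor p2; the key
    cancels and the attacker is left with a classic crib-dragging problem."""
    return xor_bytes(c1, c2)


# Constructed sample messages of equal length.
REAL = b"attack at dawn"
DECOY = b"retreat at six"


def demo() -> tuple:
    key = secrets.token_bytes(len(REAL))  # OS CSPRNG; never a seeded PRNG
    c = otp_encrypt(key, REAL)
    fake_key = key_that_yields(c, DECOY)
    # Same ciphertext, two keys, two perfectly plausible plaintexts.
    any_plaintext_reachable = otp_decrypt(fake_key, c) == DECOY
    # Key reuse: the XOR of the ciphertexts equals the XOR of the plaintexts.
    leak = two_time_pad_leak(c, otp_encrypt(key, DECOY)) == xor_bytes(REAL, DECOY)
    return any_plaintext_reachable, leak


if __name__ == "__main__":
    print(demo())  # expected (True, True)
```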
  42. Current use of TwoFish in SSH and GnuPG by iXus · · Score: 1

    Your algorithm TwoFish has already received a great deal of positive reactions and also in my opinion it is one of the best AES candidates (though I also really like Rijndael).

    I wonder however what you think about the recent inclusion of TwoFish in popular products like SSH and GnuPG. Isn't this against the standard procedure in the cryptography world that algorithms should be tested and analyzed extensively before they are trusted and used?

  43. Re:Quantum Computing by Merk · · Score: 1

    To continue the question... as I understand it the impact of Quantum Computing is in its ability to factor immense numbers extremely quickly. Does all cryptography depend on factoring large numbers, or only a certain subset?

  44. Anonymous Cash and Crypto Anarchy? by Darkforge · · Score: 1

    For a few years, back in the early nineties, we were being treated with a vision of the future in which all money would be anonymous tokens and monitoring commerce would become impossible. Tim May called this future "Crypto Anarchy."

    Since you're still subscribed to one or two of the cypherpunks mailing lists, it appears as if you still consider this a possibility.

    What effect do you see cryptography having on our wallets and on our financial institutions? Will anonymous commerce ever make it big?

    --

    When I moderate, I only use "-1, Overrated". That way, I never get meta-moderated!

  45. Re:books by ryanr · · Score: 1

    FYI, he wrote an appendix to it, and consulted on part.

  46. any business ideas? by vinh · · Score: 1

    Do you have any ideas about where you can use cryptography to start a new business?

  47. The Next Big Thing by BIFFSTER · · Score: 1

    Knapsacks have been tossed by the wayside; quantum computing, if it'll work, is blasting away at factoring (if the NFS doesn't beat it into the ground all by itself); elliptic fields are being restrained by patents. What's the Next Big Thing for crypto gonna be?

  48. Add "some thing you have" by Lt · · Score: 1

    Since something you know is limited by the 7 +/- 2 rule, adding something you have can increase the entropy if done right. I think Dallas Semiconductor has done just that with their iButton.

    Here is an excerpt from their site

    The iButton(TM) is a 16mm computer chip armored in a stainless steel can. Let's start with the package. Because of this unique, durable package, up-to-date information can travel with a person or object. The steel button is rugged enough to withstand harsh outdoor environments; it is durable enough for a person to wear everyday on a digital accessory like a ring, key fob, wallet, watch, metal card or badge.


    2. Java(TM)-powered cryptographic iButton. A microprocessor and high-speed arithmetic accelerator generate the large numbers needed to encrypt and decrypt information. The Java-powered iButton adds its complete cryptographic circuitry to a Java Virtual Machine (VM) that is Java Card(TM) 2.0-compliant, enabling the world's large pool of Java programmers to tap into powerful development tools to get an application up and running quickly. The Java-powered iButton's greatest promise lies in its capacity to interact with Internet applications to support strong remote authentication and remotely authorized financial transactions. In practical terms, that means you can jump into the age of electronic commerce with both feet: your messages are sent over the Internet scrambled and can only be unscrambled at the other end by someone with an authorized iButton. By establishing a means to transmit and protect user identity, the iButton becomes the user's digital credential.

  49. Re:Digital signatures by paul+r · · Score: 1

    The problem with this, as I believe Bruce has said in a Crypto-Gram (which is available from the Counterpane homepage), is that once a digital signature is forged it can be forged perfectly every time by anyone who you share the secret with. Ink signatures on the other hand take some skill every time. The people with the skills to do such things are few. A broken digital signature can be used by any jamoke whose buddy gave him the info.

  50. Re:Quantum Computing by Jherico · · Score: 1

    Most of the replies to this seem to be pointing out that not all crypto depends on factoring, but this is missing a more important point, i.e. that quantum computing can do more than just factor large numbers. Factoring is simply a very useful example to show the power of quantum computing.

    Regardless of whether or not a given cryptographic algorithm works with products of large primes (and thus would take a breakthrough in factoring such primes to defeat), most cryptography (that is cryptography based on algorithms and not on the security of the physical channel) relies on trapdoor one-way functions. These functions have keys. The keys are the special bits of information that allow you to reverse the one way function, something that would normally be very difficult. The value of quantum computing is the ability to try every key in parallel, rather than sequentially.

    So quantum computing can apply to virtually any crypto system.

    --

    Jherico

    What can the average user do to ensure his security? "Nothing, you're screwed"

  51. Re:Is IDEA still your favorite? by rjh · · Score: 1

    In sci.crypt a while ago he said that although IDEA was still a good algorithm, he wasn't anywhere near as enamored of it as he was a few years ago.

  52. Have we won the War? by jlcooke · · Score: 1
    The German gov't has lifted crypto exports. Canadian gov't is buying its crypto from industry. The US gov't has lifted (mostly) their crypto export rules.

    Have we the public and our commerce taken the lead in cryptography? Will it hold? Or is the scene much more serious, have gov'ts broken most all of our ciphers and no longer fear what was once the empowering act of encryption?

  53. Gaining Experience by Foos · · Score: 1

    Hi Bruce-

    I am currently a student and am taking a graduate class in Data Security (AC has helped me more than I can say here). I am very interested in this field, and was wondering what you would recommend a young person like myself do in order to gain experience in the field. For example, NSA internship, working for a software company, research assistant, working for you :), etc. Thanks.

    -Andrew

    --
    :wq
  54. Trusted Hardware by dsurber · · Score: 1

    It has recently been reported that Russian banks under criminal control modified their ATM machines to capture customer PINs, then used the PINs to withdraw money from the customer accounts. How severe do you consider this problem and what can be done about it? In particular are there any software only solutions or does it require some sort of hardware key?

  55. Re:AES by jovlinger · · Score: 1

    Given the sad state of proprietary ciphers for use with cheap hardware (for example Cell Phones, whose ciphers seem to be broken every other week) if it were possible to use the [presumably] very thoroughly cryptanalysed AES winner, then this would be an immediate win.

    In fact, if the cipher were key-size independent, then the manufacturers would be able to easily balance cost and security. Perhaps cell-phones only need 64 bit keys? (One popular system nowadays has 40 bit keys, but is severely broken, and can be cracked after 40 packets have been intercepted -- 1 second!) Not a problem. Better yet-- imagine phones with settable security (you want 128 bit security, then accept a lousy job of compression 'cause there's only so much this $2 CPU can do per packet)

    So even if twofish isn't selected as AES, the fact that it has been very carefully and publicly scrutinized gives Counterpane an excellent leg up on the embedded market. Now all they have to do is figure out how to sell it, as it is free. (perhaps auditing implementations?)

    Johan

  56. Re:What is the danger of layering crypto systems? by jovlinger · · Score: 1

    Could you (n2kiq, not bruce) expand on the compromise danger of 3DES layering, please?

    I'm at a loss for seeing how that would occur.

  57. Re:AES by jovlinger · · Score: 1

    this is currently modded to 4. I'm asking a moderator to please up it to 5. Best Q so far, w/o a doubt.

  58. Re:Does the possibility exist... by jovlinger · · Score: 1

    If you are referring to symmetric ciphers with a shorter key than message, then a provably unbreakable cipher would imply that P != NP.

    Symmetric ciphers are in NP, as you can verify the correctness of a guess in P time, once you have guessed it. So by proving it unbreakable (ie not in P), then you prove them different.

    Mind you this says nothing about the converse; ie if we hypothesise that indeed P !=NP, this does not imply that your cipher isn't in P.

    Johan

  59. Effects of RSA's patent expiring. by jguthrie · · Score: 1
    Recently, a question was asked of /. about the effects of the RSA algorithm's patent expiring next year. The point was made (and I'm expanding upon this and paraphrasing the actual question that was asked) that most companies issue whole rafts of strategically-timed patents to extend their legal monopolies beyond the 17 years.

    Also, as it happens, I was investigating the interoperability of GnuPG with PGP and, therefore, had the occasion to download the latest free PGP (6.5.1, it appears) and that software does indeed recommend an algorithm other than RSA. This is one that, presumably, was patented well after RSA was or is patent pending now.

    I have an interest, I've been waiting for The Patent to expire so that I can run certain pieces of software, and I was unsatisfied with the answers I saw on /., so I ask you: What will be the effect of the expiration of the RSA patent. In particular, are the people who currently license PGP going to be successful in moving people to a new algorithm? They seemed bound to try.

  60. Kryptos sculpture by frank2 · · Score: 1

    Have you tried decoding the CIA's sculpture, and have you made any further progress than the rest of the world on it?

  61. Re:books by asad · · Score: 1

    Yeah I know, but I still want to know what he thought of it.

    --
    Vidi, vici, veni. (I saw, I conquered, I came)
  62. Re:Security through mathematical obscurity by epine · · Score: 1


    It has been a theme in BS's writings for a long time that cryptanalysis is difficult, expertise is rare, and the process is long and expensive.

    On the basis of that argument it would seem that one could make a good case to see a proliferation of diverse algorithms for niche purposes. This is not protection via obscurity, but rather a direct attack on one of Mallet's most limited resources: the number of good analysts he is able to employ.

    The opposing side of the argument seems to be that it is difficult to construct a strong cypher. I've never understood this argument.

    What is indeed difficult is to construct a strong cypher within the parameters of the NIST guidelines: small, fast, and dense.

    But what about a custom cypher with a 512 byte disk sector as the underlying block and no desire to run in all the fancy cypher block modes or error recovery properties? What about applying 16 circular rounds on 8-byte subblocks with a data-directed component somewhere in the middle? (The usual rejoinder is that the theory of data-directed methods is not well understood; but that's precisely the property I'm seeking).

    It seems to me that all the important criteria (bit diffusion, non-linearity, differential cryptanalysis) are easier to achieve given a larger mixing bowl (e.g. 512 bytes) with a much deeper chain length on the primitive cypher operations.

    So why is it that the "large mixing bowl" approach, which seems to require much less expertise, is rarely seen in practice or commended for the advantage it appears to offer?

    It seems to me that diversity is an unfair casualty in the war against obscurity by virtue of the exact reason why it should be desired: that cryptanalysts just don't have the time to cope with it.


  63. Re:Quantum Computing by t--f-c · · Score: 1

    Not all cryptography depends on factoring large numbers. Most popular now is a protocol that is called public key cryptography. Simplified it is two keys, one is a private key which is very difficult to factor because it is composed of the product of two very large prime numbers. The other key is the public key which is best explained, imho, as a half key which only the private key can complete. The difficult factoring comes in trying to crack the private key which can be composed of the product of two 300+ digit prime numbers. Such protocol is evident in many algorithms such as RSA... if I left anything out please complete it, and for a more thorough covering of the topic try Mr. Schneier's book.. by the way _very_ nice work.

  64. Circumvention by baudtender · · Score: 1

    I'm thinking the whole key-length argument and export laws are a big smoke screen.

    Let's say it's legal to export 40-bit crypto, but illegal to export 400-bit crypto algorithms (for sake of easy numbers - although I appreciate that there are endpoints of diminishing returns.)

    I encrypt something with a 40-bit key, and then re-encrypt the output with a different 40-bit key, and repeat this until I've done it a total of 10 times.

    The person who decrypts it (with no other knowledge) needs the equivalent of a 400-bit unique key, right?

    What if I use an unpredictable (not to the receiver, but to the brute forcer) crypto algorithm for each re-encryption step - have I not made the permutations even more enormous?

    So when it comes to key lengths, what's all the hubbub, Bub? Algorithmically, we can absolutely prove that the most economical way to gain access to encrypted data is to get it before it is encrypted or just after it is decrypted - chip your keyboard, parasite your file system, intercept radio, EM, or powerline frequency fluctuations, compromise you (or someone close enough to you) on a personal level, look over your shoulder, or pull out your fingernails with needlenose pliers.

    I may be Just Another Paranoid - but I think that the mass of public "crypto gurus" are either blissfully ignorant, seduced by the lure of superfluous academic gunk, or are part of The Game. If you deny any of the above, it's true. If you admit to any of the above, it's true. If you make jokes about any of the above, it's true. Did I leave anything out - if I did, and it sounds bad, it's probably true. Stop denying it, and don't you dare admit it.

    What _really_ makes me angry is that I can't think of anything that I need to encrypt (as far as you know.)

    Baudtender

  65. Re:Quantum Cryptography by baudtender · · Score: 1

    Good Lord, Man - Quantum Cryptography is the easiest thing in the world to understand (unless you own a cat, and keep it in a box.)

    It makes perfect sense, as long as you aren't looking at it. The decryption may or may not be correct, depending on when you are observing it - and if you are observing it, it can't possibly be, so therefore, it has the same potential as when you weren't observing it, meaning, of course, that the encrypted message has an equal potential of being the message and you probably would have been better off masturbating instead of trying to decrypt it in the first place.

    In other words, no matter what the encrypted data is, the answer is equally likely to be:

    1) Your wife is sleeping with another man.
    2) You have 15 minutes until the Doomsday Device goes off.
    3) Your body hungers for more refried beans, and this time, it's not a suggestion.

    There are a few other possible answers, also. I leave them to your mathemagic talents to postulate.

    Buy the book "Iris", read it on the toilet and try to grok their "quantum scanner" device. My prediction is that you'll enjoy the poo's more than the book, but that's O.K.

    Baudtender

  66. Cryptographic networks by timothyb · · Score: 1

    Mr. Schneier:

    What are your feelings as regards cryptography on networks where quick packet delivery is an issue? Do you feel that current technologies (e.g., IPSec) are a good solution, or not? If not, why?

  67. Public use by Hermetic · · Score: 1

    Do you think it is very likely that the public at large will come to accept the use of encryption on a daily basis? Will the public ever be able to implement an encryption algorithm without knowing what they are doing (i.e. like most computer users in our society)?

    --
    Computers can only simulate determinism. ~Hermetic.
  68. ZeroKnowledge/Freedom by mOdQuArK! · · Score: 1

    I thought I heard that you were "helping" ZeroKnowledge systems with their "Freedom" project. Is this true (or am I thinking of somebody else, or was it just marketing)?

    If true, what do you think about the potential of a system like Freedom to protect people's privacy? Will it have to expand out of proprietary control before it becomes ubiquitous?

  69. Distributed Crypto by Neville · · Score: 1
    Hi Bruce:

    One social barrier to common crypto usage is the lack of a secure yet informal key storage and retrieval mechanism. But just lately I've seen folks tackle this issue through distributed systems -- smart cards using dynamic networks, embedded systems plugged in to corba and jini backbones, etc. What do you envision for the future of distributed key management specifically, and the use of crypto on embedded devices in general? Do any particular protocols, languages, or vendors seem to hold special promise in this area?

    Thanks, and best of luck with Twofish in the next AES round.

    PS Neville

  70. What should we do to keep by bob@dB.org · · Score: 1
    I guess we can all agree that the crypto policies of the United States are going to hell on a bus. What, in your opinion, is the single most important thing to do in the still (semi)free part of the world, to stop our governments from passing equally braindead crypto laws? In this context, the still (semi)free world would include countries like Switzerland.

    Keep up the excellent work...

    B. Johannessen

  71. Crypto in a Nutshell? by Bantik · · Score: 1

    It's clear that cryptography is becoming increasingly important, not just in the military-industrial world but in the very personal realms of privacy and political freedom. At the same time, it's become obvious that we cannot implicitly trust corporations to provide us with secure cryptographic products (take the recent story of NSA backdoors in Lotus, Netscape, and Microsoft e-mail products, for example).

    Unfortunately, the rising tide of interest in cryptography comes in the midst of an absence of reliable commercial tools and a shortage of crypto materials comprehensible to non-mathematicians.

    I devoured Applied Cryptography with great fervor, started scouring bookshelves physical and virtual for additional reading, and have even started poring over mathematical textbooks in an attempt to wrap my head around practical crypto. But my obsessive compulsion and dreams of building my own crypto software aside, I actually have little hope of achieving more than an amateur's or hobbyist's understanding of cryptography.

    Is it actually worth the effort? Are there any cryptographic resources available for the enlightenment of nonmath geeks? Must we leave cryptography to the professionals and hope that they're not on the NSA payroll?

    --
    Ruby on Rails resources and more at idolhands.com
  72. Book by Mr.+Boa · · Score: 1

    Mr T already said:
    "Thanks again for your wonderful books.
    Any plans for AC 3rd edition?
    Maybe with AES covered?"
    I second the motion, and want to know if
    you might cover elliptic crypto? If not
    in AC3, can you recommend an on-line review?

  73. Widespread Cryptography by ChickenBomb · · Score: 1

    Bruce, cryptography, to the non-technical person (and to a lot of technical people), is almost like magic. It also seems like there aren't many companies out there that sport cryptography APIs that are cheaply available. I feel that these factors contribute to companies avoiding integrating secure communications into their applications. This limited use also stops companies from trying to make cryptography more "User Friendly". Do you see a way that encryption can be presented that makes it easy for people to use it, as well as easier for developers to integrate it into their systems, so it becomes an inherent part of any application?

    --
    /* * It has to start somewhere, it has to start sometime * What better place than here, what better time than now?
  74. What will we see? by packrat · · Score: 1

    With all the noise recently of modern computers being able to brute force commercially used software (DES for example), a quick look around shows lots of old and weak systems in widespread use. What do you predict the field of cryptography will look like in the medium term (5-10 years) both in terms of available technology and what's likely to be in widespread commercial use?

  75. Re:Resources vs. public review by Crixus · · Score: 1
    I've heard you say many times that unless a particular crypto alg. has undergone lots of public review, it should not be considered safe. Unless possibly it's from the NSA. (Excluding, of course, the NSA stuff that is INTENTIONALLY backdoored.)

    The implication there is that the NSA has applied so many resources to the crypto problems that they are as good as the rest of the cryptographers put together.

    My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?

    The NSA does more than simply throw resources at the problem when they're developing a new algorithm.

    They do allow for some peer review, with civilians with security clearances.

    I had a friend who attended Georgetown, and one of his professors was one of many civilian people allowed to review Skipjack.

    --
    Ignore Alien Orders
  76. Long term data security by gargle · · Score: 1

    How can we keep data secure in the long term? It seems that even the strongest crypto isn't viable for keeping data secure in the long term (say 50 to 100 years), because computers get faster (exponentially if one believes Moore's law), advances in computation break existing crypto schemes, flaws in the algorithms are found, etc.


  77. Reverse engineering by caezar · · Score: 1
    Bruce,

    How do you feel about violating reverse-engineering agreements in order to discover implementation problems in a commercial package that proclaims security of data as a selling feature? Do you feel that there is an imperative to disassemble and understand the code? Or perhaps that by purchasing a "license," a user gains the manifest right to inspect her purchase?

    Caezar

  78. Re:Government Policies on encryption by bukvich · · Score: 1

    Seen James Bell's Assassination Politics? He proposes the Thomas More Utopian style of conflict.

  79. Encryption and the internet by lunaboy · · Score: 1

    How do you feel that improvements in encryption will affect the way the internet develops? Do you feel that stronger encryption will help the public embrace electronic commerce and online transactions? Do you feel it will help small businesses and large corporations alike form tighter extranets to allow strategic business partners to more efficiently manage their transactions in real-time?

  80. Re:Is IDEA still your favorite? by sumner · · Score: 1

    Schneier has mentioned in sci.crypt that he's less enamored by IDEA than he used to be.

    --
    -- rage, rage against the dying of the light
  81. Can hardware encryption be trusted ? by JPMH · · Score: 1
    More and more chipmakers are producing hardware implementations of standard cryptographic algorithms. But one of the principles of paranoia is "never trust any code you haven't read and compiled yourself".

    Can we trust hardware crypto chips just by validating enough output sequences against software implementations; or would it be possible to hide a trigger in such a chip to switch it into an 'unsafe' mode ?

  82. Elliptic curves by Quanta_1 · · Score: 1

    I've recently been hearing a lot about the use of elliptic curves in cryptography as a new type of public key algorithm. Do you see this as a potential alternative to RSA?

  83. Quantum Technology and the Feds by h1cks · · Score: 1

    Do you think that if technology were developed which would (seem to) secure communications once and for all, such as quantum encryption, that the Feds would attempt to block it as they did satellite phones? Not to sound paranoid, but is it possible the private sector would never benefit from its creation?

    --
    "There is a holy mistaken zeal in politics and religion, by convincing others we convince ourselves" -Junius
  84. Re:Resources vs. public review by Sun · · Score: 1

    You tell me how good they are. DES was not publicly reviewed before it was released. How long did it take the rest of the world to find differential cryptanalysis (why IBM and the NSA knew about it when DES was invented)?

  85. Re:AES by Sun · · Score: 1
    Actually, the "implement on cheap hardware" requirement is not an AES requirement at all.

    The "requirement" was introduced by Bruce and his friends in his Twofish proposal. I have not found a trace of this requirement in the original AES requirements.

    On page 14 of the TwoFish proposal, titled "Language, Compiler, and Processor Choice", they say "It is clear that the Borland C 5.0 compiler chosen as the standard AES reference is not the best optimizing compiler."...

    Optimizing for small hardware was introduced by Bruce and friends, perhaps to distinguish their submission from other submissions?

  86. future for dedicated crypto hardware? by Toby+Schaffer · · Score: 1

    With general-purpose microprocessors getting faster and faster, what kind of market do you think the future holds for dedicated (ASIC or custom IC) crypto hardware? Will people be interested in a 750MHz AES engine, or will they be satisfied with software implementations running on Intel's latest offering?

  87. Re: Attacks on (2n){Crypto-system} by n2kiq · · Score: 1

    From what I've read, and further extrapolated, even-numbered layers of crypto (2DES, 6DES, 8-Blowfish, etc...) are (or may be) vulnerable to meet-in-the-middle attacks that take only a little more time than (N-1)Algorithm and maybe 2{Algorithm}. I don't know if this makes the risk terribly significant for [468..]DES/Blowfish since I'm not a crypto expert.

    http://www.inet-one.com/cypherpunks/dir.95.10.25-95.10.31/msg00136.html has a little bit about MITM and 2DES.

    The FreeS/WAN project has a more explicit explanation: http://www.xs4all.nl/~freeswan/freeswan_trees/freeswan-1.00/doc/glossary.html#meet on MITM attacks and what it entails.

    -Paul
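
The meet-in-the-middle effect that this post and the "Circumvention" post (#64, ten chained 40-bit keys) both touch on, as an added example that is not part of the thread: a constructed 16-bit toy Feistel cipher with 12-bit keys is double-encrypted, and the two keys are recovered with about 2 * 2^12 cipher operations and a 2^12-entry table instead of the 2^24 trials naive brute force would need. The cipher, key schedule, keys and plaintexts are all constructed for illustration and have no relation to any real algorithm.

```python
# Added example (not from the thread): meet-in-the-middle against double
# encryption with a constructed 16-bit toy Feistel cipher and 12-bit keys.
# Enumerating both keys costs 2^24 trials; the attack below costs about
# 2 * 2^12 cipher operations plus a table of 2^12 entries.
ROUNDS = 4
KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS          # 4096 keys per encryption layer


def _subkeys(key):
    """Constructed key schedule: 12-bit key -> four 8-bit round keys (injective)."""
    k0 = key & 0xFF
    k1 = (key >> 4) & 0xFF
    return [k0, k1, (k0 ^ (k1 << 1)) & 0xFF, (k1 ^ (k0 << 2)) & 0xFF]


def _f(half, subkey):
    """Round function on an 8-bit half: key mix, affine step, rotate, xor-shift."""
    x = (half ^ subkey) & 0xFF
    x = (x * 0x9D + 0x35) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return x ^ (x >> 4)


def toy_encrypt(key, block):
    """Encrypt one 16-bit block under a 12-bit key (4-round Feistel)."""
    left, right = block >> 8, block & 0xFF
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (right << 8) | left            # undo the final swap


def toy_decrypt(key, block):
    """Decryption is the same network with the round keys in reverse order."""
    left, right = block >> 8, block & 0xFF
    for sk in reversed(_subkeys(key)):
        left, right = right, left ^ _f(right, sk)
    return (right << 8) | left


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def known_pairs(k1, k2, plaintexts=(0x1234, 0xBEEF, 0x0F0F)):
    """Constructed known-plaintext pairs the analyst is assumed to hold."""
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known pairs; returns (survivors, raw_candidates).

    The first pair builds the forward table and yields raw candidates. The
    block is only 16 bits, so roughly 2^24 / 2^16 = 256 false matches are
    expected, and the remaining pairs are needed to filter them out.
    """
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(KEYSPACE):                 # 2^12 encryptions
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(KEYSPACE):                 # 2^12 decryptions
        middle = toy_decrypt(k2, c0)
        for k1 in forward.get(middle, ()):
            candidates.append((k1, k2))
    survivors = [
        (k1, k2) for (k1, k2) in candidates
        if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])
    ]
    return survivors, len(candidates)


if __name__ == "__main__":
    true_k1, true_k2 = 0x3A7, 0x9C2           # constructed secret keys
    survivors, raw = meet_in_the_middle(known_pairs(true_k1, true_k2))
    print(f"raw candidates: {raw}, survivors: {survivors}")
    print(f"work: {2 * KEYSPACE} cipher ops instead of {KEYSPACE ** 2}")
```

The same table-versus-enumeration trade carries over to any cascade: the effective strength of two chained layers is about one key length plus one bit, not two key lengths, which is why cascading short keys is not a substitute for a long one.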

  88. A little bit of math, by Grech · · Score: 1

    Recently, the most widely deployed algorithms have depended on the difficulty of the factoring problem N=(A * B) in the case where N is large and A and B are relatively close to each other. Most solutions to this problem have hinged on the idea that if N = T^2 - S^2, then N=(T+S)(T-S). The most successful sieves have used the modular representation of this: T^2 % N = S^2 % N, and most other representations of the equations have been ignored. Do you think that this is the only viable representation that works with the modern computational model, or is there undiscovered gold in one of the other representations, such as N = SUM(s,t,2k-1), or the geometric representation (right triangle with hypotenuse T, and legs S, N^.5)?

    --
    It may not be just, but it is fair, and that is more important.
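
The two representations the post describes, as an added example that is not part of the thread: Fermat's method finds T with T^2 - N a perfect square and splits N as (T-S)(T+S), which succeeds almost immediately when the two factors are close and stalls when they are far apart; the modular form T^2 = S^2 (mod N) yields a factor through gcd(T - S, N) whenever T is not +-S. The moduli and the congruent pair are constructed for illustration.

```python
# Added example (not from the thread): the difference-of-squares idea, first
# as Fermat's method on a modulus whose two factors are close, then as the
# modular congruence t^2 == s^2 (mod n) that sieving methods are built around.
from math import gcd, isqrt


def fermat_factor(n, max_steps=10_000):
    """Try t = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until t^2 - n is a square.

    Returns (t - s, t + s, steps), or None when the factors lie too far apart
    to be reached within max_steps. Even n and perfect squares are handled
    directly; the interesting case is odd composite n.
    """
    if n % 2 == 0:
        return 2, n // 2, 0
    t = isqrt(n)
    if t * t == n:
        return t, t, 0
    t += 1
    for steps in range(1, max_steps + 1):
        s2 = t * t - n
        s = isqrt(s2)
        if s * s == s2:
            return t - s, t + s, steps
        t += 1
    return None


def factor_from_congruence(n, t, s):
    """Given t^2 == s^2 (mod n), gcd(t - s, n) is a non-trivial factor unless
    t == +-s (mod n). Returns the factor, or None when the pair is useless."""
    if (t * t - s * s) % n != 0:
        raise ValueError("t^2 and s^2 are not congruent mod n")
    g = gcd(t - s, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    close = 10007 * 10037                     # constructed: two nearby primes
    print(fermat_factor(close))               # found on the first t tried
    far = 3 * 100003                          # constructed: factors far apart
    print(fermat_factor(far, max_steps=1000))  # None: out of reach in 1000 steps
    # 10^2 = 100 = 9 + 91 = 3^2 (mod 91), and 10 != +-3, so gcd(10 - 3, 91) = 7
    print(factor_from_congruence(91, 10, 3))
    # 81 == -10 (mod 91): congruent, but the trivial relation gives nothing
    print(factor_from_congruence(91, 10, 81))
```

The far-apart case is why RSA key generation must not pick p and q near each other: the number of steps Fermat needs grows with (p + q)/2 - sqrt(n), which is tiny for close primes and astronomically large for independently chosen ones.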
  89. Strong Encryption = Red Flag? by Napa · · Score: 1

    Is there any evidence to suggest that simply using strong encryption across the Internet itself generates a red flag in some agency(ie's) database(s), perhaps leading to an investigation? Would using "pretty strong" encryption lessen the red-flag possibility while maintaining privacy? Pretty strong meaning less-than 4k bit PGP key, etc.

  90. E-mail Security by mosch · · Score: 2

    Your book E-mail Security offers an analysis of some of the more popular commercial e-mail systems at the date of publication. What, in your eyes, are the most dangerous potential problems with current non-commercial e-mail systems and their likely direction of development?

  91. How is the AES process going? by Christopher+B.+Brown · · Score: 2
    The AES process to provide a new cipher has been ongoing for a while now...

    How is this process going?

    What ciphers have been eliminated due to successful, critical attacks? (Successfully attacking a couple rounds worth of a Feistel-like cipher obviously being less critical than providing cryptanalysis for "all 16"...)

    --
    If you're not part of the solution, you're part of the precipitate.
  92. Cryptography vs. Cryptographers by jd · · Score: 2
    A few years back, an Israeli mathematician claimed that it was possible to break any encryption algorithm, regardless of key length, in a usefully short timespan. Apparently, he provided a method by which this could be done, but it would never have been practical to use for real. It was argued at the time that this did not mean that there was a general, useful attack on encryption. However, I never saw any satisfactory proof of either claim.

    What's your gut feeling on this -- is cryptography as a field in danger of wiping itself out, or do you feel encryption has a secure long-term future?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  93. Does the possibility exist... by moonboy · · Score: 2

    Does the possibility exist for an unbreakable code or is this a 'Holy Grail' of sorts?

    --
    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
    Co-founder and designer at Music Nearby: http://musicnearby.com
  94. Re:Quantum Computing by aheitner · · Score: 2

    First, I note that quantum computers haven't factored jack (yet, anyhow) :)

    All cryptography that's not one-time pad depends on some one-way function to produce its results -- the idea being that the attacker has to go back the other way, which is hard.

    Factoring is certainly an excellent example of such a "trapdoor" function. But not that much in cryptography depends on factoring. The only symmetric cypher I know of that depends exactly on factoring is Blum squaring -- though there are certainly others that are equally un-well known.

    RSA really depends on the Euler Phi function, which has yet to be proved equivalent to factoring.

    Standard DES and the AES candidates are less secure than that, even, since they trade off speed for a measure of security.

    I can't remember how closely Diffie-Hellman depends on factoring, but I think it's pretty close. Someone correct me if I'm wrong.

    Someone want to add some other cipher types?

    We're implementing an Enigma machine on our FPGAs in Fundamentals of CE (18-240)...that's definitely not as secure as factoring :)

  95. Viability of elliptic curves by MenTaLguY · · Score: 2

    Unfortunately, they won't be practical for widespread use for another 10-20 years, when the patents encumbering them expire.

    Berlin -- http://www.berlin-consortium.org

    --

    DNA just wants to be free...
  96. Freedom by ZKS by maskatron · · Score: 2

    What do you think of the upcoming Freedom package by Zero Knowledge Systems?

    --
    Have you seen Ironstayn vs Supergovernment yet?
  97. Patents by ruud · · Score: 2

    Do you think that the many existing (and future) patents on cryptographic protocols and algorithms will stand in the way of widespread adoption of cryptography?
    --
    bgphints - internet routing news, hints and ti
  98. Verification and Certification? by proberts · · Score: 2

    With IPSec starting to gain some momentum as well as the current VPN craze (which seems to ignore the traditional encryption boundary issue completely), do you see a role in the testing and certification of vendor implementations to include checksumming of binary-only closed-source products and services?

    Given that we'll soon see more Voice over IP, and we're currently seeing IPSec in routers, is there any other way the international community can be sure that a particular implementation hasn't been (legally or illegally) trojaned by a manufacturer or that they can gain a high level of trust in their vendors' implementation?

    So long, and thanks for all the fish!

    Paul

    --
    http://www.pauldrobertson.com
  99. Thoughts on expiration of RSA patent? by Ageless · · Score: 2

    Bruce,

    I would like to hear your thoughts on the expiration of the RSA patent next September. Do you think that RSA will finally be free, or will RSADSI tangle it up in some type of legal mess?

  100. Quantum Crypto by HunterD · · Score: 2

    I have heard that quantum cryptanalysis will only help crack certain forms of crypto, such as RSA. What makes a cryptographic system resistant to quantum cryptanalysis, and is twofish such a system?

    --
    - The unexamined life is not worth leading -
  101. Re:Digital signatures by dillon_rinker · · Score: 2

    Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.

    Currently almost all ink signatures (and by extension legal documents in general) are based on the fact that signatures are currently difficult to duplicate.

    I would trust a digital signature FAR more than a "real" signature. I can train a plotter to duplicate your "real" signature in under an hour.

  102. Keeping crypto keys secret by cemerson · · Score: 2
    If/when using cryptography becomes widespread and everyone's mother uses it, I see the main problem as keeping the secret keys secret, while not losing them/forgetting the passphrase etc. What do you see as viable solutions to this problem?

    Possibilities I can think of right now are:
    1. Keys stored on the person (eg jewelry, implants, whatever)
    2. Keys are encrypted/hidden behind some kind of biometric "lock"
    3. People adapt, and find it just as natural to deal with their cryptographic keys as their car and house keys


    Any thoughts?
  103. Public vs. NSA? by Mr+T · · Score: 2
    What's your opinion on the current state-of-the-art in cryptography? Do you think the public sector has caught up to the NSA and the governments of the world yet or do you think they still hold a commanding lead?

    DES and papers by Don Coppersmith show that the NSA and at least a few private researchers have known about some techniques, like differential cryptanalysis, for over a decade before the general public learned of them. With the current boom in interest in cryptography and judging by the designs of current ciphers like Coppersmith's SEAL and Skipjack, it seems plausible to assume that the gap has been closed substantially. How big do you think the gap is between the NSA and the public, and what hurdles do you see in closing it if you believe that the NSA still knows vastly more than the public about cryptography?

    (I mean the cryptographer public when I say "public," not the masses.)

    Thanks again for your wonderful books. Any plans for AC 3rd edition? Maybe with AES covered?

    --
    This is my signature. There are many signatures like it but this one is mine..
  104. Your intimate relationship with cDc by Obscure+Images · · Score: 2

    How do you feel about your ongoing association with internationally famous super-hackers, cDc? Judging by our last meeting, I would suggest that you are perfectly content, but we like to keep our friends happy, so let us know.

    --
    obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
  105. New Technologies Affecting Cryptography by Merk · · Score: 2

    What are the emerging technologies from the last few years which most affect cryptography? How important are:

    • The internet as a tool for distributed computing?
    • Quantum computing?
    • (semi-seriously) B30wulf Clust3rs
  106. IPSEC by Shuffle · · Score: 2

    The IP Security (IPSEC) standard has been around for several years, yet it hasn't taken off as expected. What do you see as the future of IPSEC?

  107. Zero-Knowledge Proofs by fizzz · · Score: 2

    Zero-Knowledge proofs were discovered/invented over 15 years ago and are now usually covered in most studies of this science (Although I, unfortunately, haven't had time to go through your book).

    Considering that nowadays we implicitly trust ATMs or resellers not to tinker with credit card readers or not remember our PIN numbers, since this relatively new field offers incomparable advantages for identification protocols (such as the inability to replicate a session) that could be used in these situations and that the literature is, by now, relatively well developed (with work from Jacques Stern for example),

    a) Would you tend to agree that this would be an interesting addition to the privacy protection of customers ?

    b) Do you know of any real world implementation for the general customer ?

    c) What do you believe it would take for large banks and credit card companies to decide to implement these schemes?

  108. Public crypto libraries by rjh · · Score: 2

    There are a great many cryptographic libraries available, but many of them suffer from poor documentation, cluttered APIs, bad interfaces, or unwise addition of platform-specific code (Counterpane, Inc., isn't immune, either -- your Yarrow code is strictly MSVC++ and hence, Win32 only).

    Would the cause of secure algorithms be furthered by the construction of a cross-platform crypto toolkit, open sourced, peer reviewed, clean and well-documented, which could be reused across different platforms and projects? Or would this create hindrances, since each project may need ever-so-slightly different features from its cryptographic infrastructure?

    (And if anyone's got a clean, standalone El Gamal library, *please* EMail me at the above address. The El Gamal code in GPG is just plain frightening.)

  109. The future... by nano-second · · Score: 2

    What do you predict will be happening to cryptography techniques over the next year? 5 years? 10 years?
    --
    I hope you're not pretending to be evil while secretly being good. That would be dishonest.
    1. Re:The future... by jovlinger · · Score: 2

      Hrm. I'd be more interested in what you hope (for the good of all concerned... yadda blah) doesn't happen. For example, if an efficient factoring algorithm were discovered tomorrow, this would be a disaster for the RSA folks, and everyone who uses it.

      Are there any similar pitfalls that apply to the multi-round Feistel w/ s-boxes that are the current state of the art for symmetric ciphers?

      Johan

  110. Fingerprints, retinal scans and the like by Get+Behind+the+Mule · · Score: 2

    Do you think that "bio" technologies for authentication -- fingerprints, retinal scans and the like -- are really feasible for widespread use?

  111. Not a reasonable concern by konstant · · Score: 2

    Don't worry about consolidation of the CA structure into one or two "elite" trees. If you are running Internet Exploder, you can see quite easily that there is no such threat. Tools|Internet Options|Content|Certificates Click on the tab that says Trusted Root Certification Authorities. You'll see that there are about four other CA's in the root store that ships with Windows. Since everyone under Windows has those root certs, there is nothing to prevent those CA's from becoming just as powerful as Verisign or Thawte save capitalistic competition. Now, you could legitimately disparage Verisign for distributing certs in such a promiscuous fashion (their "30 day trial" keys), but hopefully as consumers become savvier, they will not reward such behavior.

    --
    -konstant
    Yes! We are all individuals! I'm not!
  112. PGP Compromised? by ssafarik · · Score: 2

    Do you think PGP has been compromised, and is there any way to really know?

  113. new algorithms/more strenght? by c0re_pump · · Score: 2

    I think what many people are wondering, including myself, is:

    1) Is there any ongoing effort to build another encryption algorithm as we speak?

    2) The plausibility of a security breach on the Blowfish algorithm, though it is not very likely at this time: are you planning on strengthening it in any way in the near future? That's mostly a question from those self-called... paranoid... like myself ;)

    Thanks,

    ..............
    --
    ----====___SUBLIME___OR___NOTHING___====----
  114. Effective Encryption without 3rd party? by SadisticFury · · Score: 2

    Do you believe that an effective Client/Server encryption model can exist, at the current stage of progress, without a trusted 3rd party? If no, what is your opinion on what this 3rd party should be? What other alternatives do you see?

    Peter Pawlowski

  115. rely on courts to free crypto? by Hollins · · Score: 2

    Given that the administration and congress appear unable to refrain from placing absurd restrictions on how we do math, how optimistic are you that the courts will consistently act sensibly in this matter? Much like CDA could only be defeated through legal challenge, should free crypto activists be turning their attention to the Judicial branch? What do you feel our chances are in this arena and who shall carry the torch?

  116. Re:Quantum Computing by Sun · · Score: 2
    The way I understand this, Euler Phi is not the limiting factor either. The limiting factor is the ability to perform DRoot (discrete root).

    In order to perform DRoot, you need Euler's Phi, and in order to get that, you need to factor the public key. This is, of course, unless someone finds a better way.

    The point is, that someone may find a way to do DRoot, and bypass the factoring, as well as Euler's Phi, problem.

    I think we can conclude that factoring complexity >= finding Phi >= finding DRoot.

    As for Diffie-Hellman, it is based on the difficulty of DLog. The base modulo for DH is a prime number itself. Factoring, therefore, does not enter into it at all.
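
The chain the post describes, as an added example that is not part of the thread, on a constructed toy RSA modulus: the factors give phi(n), phi(n) gives the private exponent d, and d takes the e-th root (the DRoot) of a ciphertext. The last function shows the step in the other direction for an RSA-style n = p*q: phi(n) alone recovers p and q by solving a quadratic, so for such moduli knowing phi is no easier than factoring. The primes, exponent and message are constructed for illustration.

```python
# Added example (not from the thread): factor -> phi -> d -> discrete root on
# a constructed toy RSA modulus, plus the reverse step phi -> factors.
from math import gcd, isqrt

# Constructed toy parameters (far too small for real use).
P, Q = 10007, 10037
N = P * Q                  # 100440259
E = 65537


def euler_phi_from_factors(p, q):
    """phi(n) for n = p*q with p, q distinct primes."""
    return (p - 1) * (q - 1)


def private_exponent(e, phi):
    """d = e^-1 mod phi(n); requires gcd(e, phi) == 1."""
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)


def discrete_root(c, e, n, phi):
    """The e-th root of c modulo n, i.e. the m with m^e == c (mod n).

    With phi(n) in hand this is one modular exponentiation; without it,
    nobody knows a fast way for a well-chosen n."""
    return pow(c, private_exponent(e, phi), n)


def factors_from_phi(n, phi):
    """Recover p and q from n = p*q and phi(n) = (p-1)(q-1).

    p + q = n - phi + 1, p*q = n, so p and q are the roots of
    x^2 - (n - phi + 1) x + n = 0. Returns None if phi is not consistent."""
    s = n - phi + 1                    # p + q
    disc = s * s - 4 * n               # (p - q)^2
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p * q == n else None


def round_trip(m, e=E, n=N, p=P, q=Q):
    """Encrypt m, then take the e-th root via phi(n); returns the recovered m."""
    c = pow(m, e, n)
    return discrete_root(c, e, n, euler_phi_from_factors(p, q))


if __name__ == "__main__":
    phi = euler_phi_from_factors(P, Q)
    print("phi(n) =", phi, "d =", private_exponent(E, phi))
    print("round trip of 42:", round_trip(42))
    print("factors from phi:", factors_from_phi(N, phi))
```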

  117. Future of Cryptology by tefx · · Score: 2

    In the field of cryptology, I think there have been many major advances like

    + Feistel networks
    + combining operators (like in IDEA)
    + data dependent rotations (like in RC)

    Do you believe that quantum cryptography is the next foreseeable step?

    What do you believe the effect of quantum computers will be on cryptanalysis, and the development of cryptology?

    If you can generate a one time pad through quantum cryptology, you only need XOR, as that is as secure as its OTP.

    I understand that quantum computers would be able to solve "very hard" problems, like solving discrete logarithms in a finite field.

    What major algorithms would be deemed insecure when quantum computers came about?

    Many entries to the AES are essentially Feistel networks; do you foresee this system ever being broken? (I know you think that giving dates is stupid)

    Also, what AES submission did you least expect to be dropped for round 2? And apart from your submission, what do you think has the most chance of becoming the AES?

    Many people are finding ways around the key escrow policies, and the export policies. Like the private doorbell system. Do you think that these embargoes on freedom will ever be lifted, or will the US government remain as privacy invading, and paranoid as ever?

    Do you see people using steganography instead of encryption? Especially for file systems?

    Do you think deniable encryption would stand up in court? (E.g. using Rivest's chaffing and winnowing system)

    Is it possible to have a deniable and probabilistic crypto system?

    And what do you feel is the most secure algorithm, and hash function now? As before in your book it was IDEA, but now with the AES systems, which is the most secure?

  118. What is the danger of layering crypto systems? by n2kiq · · Score: 2

    I have recently started to question the wisdom of using multiple encryption algorithms over a communications channel.

    SSH and HTTPS (for example) have become staples for secure administration and E-commerce. With expanding use of IPSEC for company access from home, what are the dangers behind using SSH over a VPN?

    I understand there is a potential for compromise when layering two 3DES channels, one each for SSH and IPSEC; has any analysis been done of the security of a Blowfish (TwoFish/CAST/etc...) and 3DES combination?

  119. Government imposed cryptography review by substrate · · Score: 3

    Bruce, what is your view of what many have said is the government's relaxation of export controls on commercial cryptography? In particular, are there any actual dangers to the requirement that the algorithms and code be submitted for review? My personal feeling is that rather than protecting the consumer, the review process is more likely to be to ensure that any cryptography is sufficiently weak to please the government. So maybe crypto for credit card transactions is somewhat safe since the businesses involved can be subpoenaed, but crypto for obfuscating personal communications is less secure since there may be more chance of evidence being withheld.

  120. Digital signatures by Signal+11 · · Score: 3
    The latest on digital signatures appears to be legislation being passed in several states (and some stuff moving through Congress now on the federal level) to make "digital signatures" as valid as your John Hancock RealWorld signature.

    Currently almost all digital signatures (and by extension, crypto in general) are based on the fact that large prime numbers are currently difficult to factor.

    Based on these two facts, do you think legally binding digital signatures are secure; why?

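The question above rests on the fact that RSA-style signatures are only as strong as factoring the public modulus. The following toy, added here and not part of the thread, uses deliberately tiny constructed primes so that the modulus n = p*q can be factored on the spot; it then shows that whoever holds the factors can compute the private exponent d from the public key alone. The primes, the message text and the trial-division routine are all constructed for illustration; real keys are 2048 bits or more and use a padding scheme such as RSA-PSS, neither of which is modelled.

```python
# Toy RSA signature with deliberately tiny primes (constructed example, not from
# the thread). It demonstrates that the signature's security is exactly the
# difficulty of factoring the public modulus n = p*q: once n is factored, the
# private exponent d follows directly from the public key.
import hashlib
from typing import Optional, Tuple

E = 65537  # the customary public exponent


def keygen(p: int, q: int, e: int = E) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d) from two primes. Requires gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), d


def _digest_mod_n(msg: bytes, n: int) -> int:
    """Hash the message and reduce it below n so it is a valid RSA input."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, n: int, d: int) -> int:
    return pow(_digest_mod_n(msg, n), d, n)


def verify(msg: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == _digest_mod_n(msg, n)


def factor_trial(n: int) -> Optional[Tuple[int, int]]:
    """Trial division. Practical only for toy moduli; for real key sizes this is the
    infeasible step, and that infeasibility is the whole of the scheme's security."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def private_exponent_from_factors(n: int, e: int) -> Optional[int]:
    """Given only the public key (n, e), recover d once n has been factored."""
    factors = factor_trial(n)
    if factors is None:
        return None
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    (n, e), d = keygen(104723, 104729)  # constructed: ~34-bit modulus, trivially factorable
    s = sign(b"I agree to the terms", n, d)
    print("signature verifies:", verify(b"I agree to the terms", s, n, e))
    print("d recovered from the public key alone:", private_exponent_from_factors(n, e) == d)
```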
  121. The most overlooked link in the chain of security? by Seth+Scali · · Score: 3

    You have stated, time and again, that while picking a good cryptographic algorithm with an adequate key length is important to security, it is only one link in the chain. There are numerous examples of this, including the attacks on Netscape's PRNGs and attacks against smart cards that measure power consumption, timing, etc. to determine the key. Any one of these methods can effectively render the rest of the system useless.

    Now for the question: what do you think is the most overlooked aspect of designing a secure system? For example, PRNGs, ineffective key management, mismanaged trust, bad authentication, etc... What can people writing software do (aside from peer review, which is a *must*) to reduce the risks of common problems?

    Thanks!

  122. Security through mathematical obscurity by YoJ · · Score: 3

    Back in the "good old days" of cryptography, the algorithms used were understandable by non-mathematicians. Most modern cryptographic systems in use are still mathematically "simple". By this I mean that once you understand the complexities of the algorithm, the mathematical basis is understandable to someone who has, say, a college degree in mathematics or physics.

    The cryptographic systems being developed today are often based on much more sophisticated mathematical ideas. Elliptic and hyper-elliptic curves spring to mind. The algorithms may be understandable, but the mathematical basis may be complicated enough that it takes a PhD in mathematics to understand.

    These systems are the future generation of cryptography. Some have suggested that their security is based more on mathematical obscurity than anything else (i.e. the number of people able to even understand what the algorithm is doing is very small). Do you think this is accurate? Do you see cryptography moving exclusively into the domain of mathematicians, so that it is totally inaccessible to motivated non-mathematicians (such as yourself)?

  123. Public vs "Private" sector by FascDot+Killed+My+Pr · · Score: 3

    I am in the midst of reading Applied Cryptography (1st edition). Amazing book so far, thanks for all the hard work you obviously put into it.

    Here's my question: Your short timeline at the beginning of AC notes that public research in cryptography didn't really get under way until 1976 but that the NSA (and its predecessors) started during WWII. How far ahead do you think the NSA (or whoever) is? In particular, do you have any reason to believe they have cracking algorithms for some of today's hardest problems (NP-completeness, etc)?

  124. Overconcentrating on crypto? by lelitsch · · Score: 3

    Most of the discussions I hear and work I see is towards making algorithms safer. On the other hand, a lot of security gets compromised by a large number of protocol violations, human errors (like dictionary passwords, pet names etc) and other means like reading electromagnetic emissions, bugging or bribing. Where do you see the optimal division of effort?

  125. Cryptographic PRNGs... by _ghent_ · · Score: 3

    I have read your papers on Yarrow and was impressed both with the algorithm and your discussions of the importance/vulnerabilities of Pseudorandom Number Generators. It seems to me that PRNGs can be just as important a component of a protocol as the algorithm or keys themselves. How important do you feel they are? Do you see this role increasing/decreasing in the future with new technologies and developments (Quantum Computing/Encryption)? What do you see as their future?

    thanks
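Both this question and the earlier one about Netscape's PRNG turn on the same point: a key is only as strong as the entropy that went into the generator that produced it. The constructed example below, added here and not from the thread or from any real product, derives a 128-bit key from a non-cryptographic PRNG seeded with a 16-bit value (standing in for a timestamp or process id) and shows that the effective strength is the 16 bits of seed, not the 128 bits of output; the seed range and the key sizes are assumptions for illustration.

```python
# Why the seed, not the output length, bounds the strength of a PRNG-derived key.
# Constructed toy (not from the thread): a 128-bit key drawn from a generator
# seeded with a 16-bit value has only 2**16 possible values, so it falls to a
# search over 65536 seeds. A key from the OS CSPRNG has no such shortcut.
import math
import random
import secrets
from typing import Optional


def weak_key(seed: int, nbytes: int = 16) -> bytes:
    """Key from a deterministic, non-cryptographic PRNG seeded with a low-entropy value.

    The integer 'seed' stands in for a timestamp or PID, the kind of input behind
    the Netscape PRNG weakness mentioned in the thread.
    """
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_key(nbytes: int = 16) -> bytes:
    """Key from the OS CSPRNG: its strength is the full 8*nbytes bits."""
    return secrets.token_bytes(nbytes)


def effective_key_bits(seed_space: int, nbytes: int = 16) -> float:
    """Effective strength in bits: never more than log2(seed space), whatever the key length."""
    return min(8 * nbytes, math.log2(seed_space))


def recover_seed(key: bytes, seed_space: int) -> Optional[int]:
    """Make the weakness concrete: enumerate the seed space and match the key.

    Feasible only because seed_space is tiny. This is the check a reviewer can run
    against any design whose key material comes from a seeded PRNG.
    """
    for s in range(seed_space):
        if weak_key(s, len(key)) == key:
            return s
    return None


if __name__ == "__main__":
    SEED_SPACE = 1 << 16  # constructed: a 16-bit "timestamp" seed
    k = weak_key(4242)
    print(f"128-bit key, but only {effective_key_bits(SEED_SPACE):.0f} bits of strength")
    print("seed recovered:", recover_seed(k, SEED_SPACE))
    print("CSPRNG key length:", len(strong_key()))
```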

  126. How has CAST fared? by Get+Behind+the+Mule · · Score: 3

    When Applied Cryptography was published, CAST was looking very promising but was still very new. How IYO has CAST held up since then?

  127. books by asad · · Score: 3

    What did you think of Neal Stephenson's Cryptonomicon?

  128. Crypto for the masses by DeadSea · · Score: 3
    Encryption only works if A) the encryption is secure, and B) people use it.

    I know that you have done a lot of work in the area of A. But what about B? Specifically, what do you think it will take, to get people to use cryptography with their email on a regular basis? Most of us here agree that it should be as standard as putting your letter in an envelope instead of using a postcard.

    However, even I don't regularly use encryption. I have tried encryption packages and they are easy to use, but I can't seem to be able to convince my friends and family to go through the trouble. Because the people that I communicate with don't use encryption, it seems that I can't either.

    Because of its inclusion with web browsers, some level of encryption is now used for much of e-commerce. Most people just know that their transaction is somehow secured and know nothing of the details. But the same hasn't happened for other mediums.

    What do you think it will take? A personal electronic Pearl Harbor in which many people have their secrets spread throughout the world? Inclusion of crypto with the most popular free email clients? Or maybe people just don't care and they will never encrypt their email?

  129. Government Policies on encryption by scotpurl · · Score: 4

    Many government officials are opposed to encryption on the grounds that it will somehow impede investigation and prevent prosecution.

    I believe this is the same feint magicians use to misdirect the audience from the real action. Currently, prosecutors must only provide phone records as evidence, and not a tape of the actual phone call. The evidence that something transpired, and not the actual "what", is all that's required. Records of wire transfers are acceptable, even if you can't seize the actual money. The classic tenets of motive and opportunity suffice, without someone having to provide a videotape of the crime. In other words, I think you can prosecute, and convict, even if you can't decrypt.

    So, first, any idea what the Feds are really worried about? (It's got to be more than just Echelon.) And second, how do we present the privacy issues to the public so that the average citizen understands what's at stake? (e.g. encryption = privacy = good thing)

  130. Resources vs. public review by ryanr · · Score: 4

    I've heard you say many times that unless a particular crypto alg. has undergone lots of public review, it should not be considered safe. Unless possibly it's from the NSA. (Excluding, of course, the NSA stuff that is INTENTIONALLY backdoored.)

    The implication there is that the NSA has applied so many resources to the crypto problems that they are as good as the rest of the cryptographers put together.

    My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?

  131. Laws of state vs mathematics. by Hobbex · · Score: 4

    One would think that cryptographers, who study the mathematical means for controlling information (not just secrecy, but also signatures, zero knowledge proofs etc) would be the least inclined to support the artificial limits to information set up by our legal system, and yet the field is littered with patents (probably more so than any other field of mathematics).

    You, on the other hand, have been very generous with your algorithms and cryptos. Is there a political, ideological, or practical reason behind this?

  132. Limit of useful encryption by jovlinger · · Score: 4

    Bruce,

    in a recent Crypto-Gram, you write that most symmetric ciphers need more entropy than people can remember and hence supply. Even with biometrics adding more bits, it is not really worth the effort to construct ciphers with more than 128 bits of entropy in the key, because people won't give them more than that much entropy in the pass phrase.

    However, social and technological pressures make longer and longer keys a necessity. What promising approaches do you see for making remembering and entering -- even though I have long passages of text memorised, I don't want to type them in for each email I want to send -- usefully long passphrases?

    I.e., to paraphrase, would you discuss the state of the art of cipher/human interaction, as it pertains to key management?

    Johan

  133. Physics and Crypto by Enoch+Root · · Score: 4
    It was noted in your biography that you hold a degree in Physics in addition to your M.S. in Computer Science. This seems to be a developing trend in IT, as many Physics graduates turn to CS. Neal Stephenson undertook studies in Physics before becoming a writer. I am myself a physics graduate turned computer geek.

    What impact do you think your science studies have on your current career? I suspect the high mathematical background of physics prepared you for cryptology, but what other aspects of a science degree come into play in your line of work? Would you call your B.S. in Physics an advantage or a disadvantage?

  134. Is IDEA still your favorite? by Get+Behind+the+Mule · · Score: 4

    Bruce, thanks very much for making cryptography so much more accessible to us all.

    You wrote in Applied Cryptography that IDEA was your "favorite" symmetric cipher at the time. Is that still true today?

  135. Unsolved Problems by Sajma · · Score: 4

    Your book describes a slew of interesting applications for crypto protocols, including electronic money orders, digital time-stamping, and secure multi-party computation. What are the remaining crypto problems of interest to the general public which have not been solved? (secure distribution of digital media comes to mind -- can you sell someone a music file, allow them to use the file anywhere, but make sure no one else can use it?)

  136. Needed Protocols by randombit · · Score: 4

    OK, hypothetical question. You rub a magic lamp, and a genie comes out. Specifically, a cryptographic protocol genie. He can come up with an efficient, secure protocol for any activity you want (assuming a protocol is possible, of course). What would you pick, and more importantly, why?

  137. Quantum Cryptography by Christopher+B.+Brown · · Score: 5
    Several announcements have been made lately about ciphers being assortedly vulnerable/invulnerable against Quantum cryptography.

    Quantum physics seems to be the "magical" form of physics, and its application to cryptography even more magical. I don't think I properly understand "quantum cryptography," and I don't think that most of the people that have made public comment on it understand it terribly well either.

    Could you comment on the present state of Quantum cryptography, and its probable relevance in public matters short term (which appears nonexistent), medium term (where the research of today may be in 5-10 years), and longer term?

  138. Have we already lost? by Tet · · Score: 5

    Scott McNealy claims we've already fought and lost the war for personal privacy. Do you agree with him or not, and why?

  139. Can cryptography be controlled by law? by Tet · · Score: 5

    Given that most cryptographic algorithms are well known and understood worldwide, can governments control their use effectively by legal means? Do you think legal restrictions on cryptography are likely to become more or less strict over the coming years?

  140. AES by aheitner · · Score: 5

    Bruce --

    As many know, your Twofish algorithm is one of the (many) submissions to become the AES standard. The goal for these algorithms is to be able to implement them extremely cheaply in hardware -- say on a 6800 with 256 bytes of RAM. In other words, cheaply enough to put on a smart card.

    But IBM's team alleges that any algorithm that simple can be fairly easily cracked by doing a power usage analysis on the chip (by watching fluctuations in the electrical contacts with the reader) and that the necessary equipment to protect against power analysis would be equivalent to a much more complex processor -- so much so you might as well just implement a different and more complex (and hopefully power-random) algorithm. Of course IBM suggests their own implementation.

    What do you think? Is there a way to build a simple smart card so that power analysis isn't a problem? Perhaps the whole question will become irrelevant since we'll be carrying around so much processing power in our PDAs that we'll just use them?

  141. Why should we trust the entire world to Twofish? by Thagg · · Score: 5
    I bought your first edition of Applied Cryptography, and you say two things that bother me, with respect to your submission of Twofish as a Federal standard for encryption.

    In the foreword, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.

    Clearly you have become well versed in the history and application of cryptography; your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.

    Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?

    The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.

    thad

  142. Quantum Computing by nano-second · · Score: 5

    What are your thoughts on the recent reports of quantum computing and its effects on encryption?

  143. CAs vs An Open Internet by Neville · · Score: 5
    What's your response to the notion that the web's reliance on centralized Certificate Authorities for secure commerce is ultimately flawed? There are those, like the Meta Certificate Group, who feel that a hierarchical chain of certificates leading back to only a couple of elite organizations won't hold up in the distributed environment of the Internet. The entire framework of e-commerce seems to stand on the private keys of Verisign and Thawte. Do you feel this is a danger, and will there be viable alternatives?

    Thanks again,
    PS Neville

  144. Solitaire (Peer Review Status) by rise · · Score: 5

    As one of the stronger voices behind the proposition that only peer reviewed, open, and thoroughly tested algorithms can be trusted you've widely disseminated several algorithms, Solitaire and Yarrow among them. What attacks or interesting analyses have surfaced since their release?