Slashdot Mirror


User: Coryoth

Coryoth's activity in the archive.

Stories: 0
Comments: 2,929

Comments · 2,929

  1. Re:2^50 == broken on NSA Announces New Crypto Standards · Score: 1

    I'm suggesting they start at around 2^200, and go up from there. I found this handy little chart at certicom, so here we're looking at things more in the order of 2^400 and 2^500 as standard key sizes. Those should be quite safe for now.

    I'm still curious to see the details of the attack anyway, an abstract doesn't tell you very much.

    Jedidiah.

  2. Re:This is good news on NSA Announces New Crypto Standards · Score: 1

    Not off the top of my head no. Actually maybe not - I've seen a system that used 2 neural networks sharing information to converge to a shared secret that an eavesdropper couldn't. I don't know of any specifically quantum computing algorithms to break that easily. Of course, I've seen some non-quantum computing based systems for breaking it easily enough. So basically, no, nothing of note.

    Jedidiah.

  3. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 3, Insightful

    Sorry but that's a bit naive. Do you really think the NSA isn't capable of publicly recommending encryption that it can break (but most governments can't) and privately using/recommending a really secure system?

    I'm suggesting the requirement for the NSA to promote to the US government, military and US businesses a system that they are as certain as possible that other countries can't break is at least as significant as having other people use algorithms they can break. Please note that US business is part of that requirement, so they need to be public about it. If the NSA can break it, then they can reasonably expect that other people might be able to break it. That makes it useless for Information Assurance purposes, and promoting US businesses to use such a thing runs contrary to their mandate.

    Okay, maybe they have all manner of cunning schemes in perfect secrecy, and have all kinds of extra secret orders from the government that we don't know about - but at that point you're haring off in wild paranoia with about as much justification as claiming Area 51 is stocked with aliens. We just don't know, but there's no good reason to believe it.

    Jedidiah.

  4. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 4, Informative

    Remind me not to let you design any security systems. An additional weakness in a "secure" system is an additional weakness, regardless of what it was designed to do.

    Given what was implemented, I think you're massively overreacting. Each chip had a secret key and an ID number. When the chip encrypted data it first encrypted its session key using its secret key and included that and the ID in the message. That meant the NSA had to look up the secret key for that ID chip, and then decrypt the session key. Is this a significant extra weakness? To be a weakness you either need: the NSA's ID/secret key table, or the ability to break the algorithm. If the NSA can't keep secrets, or the algorithm is breakable, then the whole question is moot. This is hardly a significant reduction in the strength of the system.

    Yes, this system is weaker than a system that used purely session keys: if you want to spend the time you can break the secret key for a given chip, and then decrypt everything thereafter from the chip. That presumes it is at all feasible to break the algorithm - and I suspect the NSA is quite good at designing strong algorithms. In short the system was exactly as strong as the algorithm, and in fact SKIPJACK was declassified and is still considered a very strong algorithm.

    Jedidiah.

  5. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 4, Informative

    SKIPJACK, as far as we know, is quite secure with no backdoors. What the NSA did do was keep the algorithm secret and only allow it to be implemented in hardware on chips that also implemented a key escrow system. They were up front that that was on the chip.

    The point here is that they weren't foisting a weak algorithm on people - the algorithm is pretty strong. They were foisting hardware onto people that let NSA decrypt anything you encrypted with that hardware. The distinction is important because anyone (not just the NSA) can break a weak algorithm, but only the NSA can exploit hardware key escrow designed specifically for them.

    If ECC was breakable by NSA that doesn't make it a good system to promote, because other countries could also have found the weaknesses. The point is that they do want to promote systems that are secure from other people, and pushing weak algorithms is a really bad way to do that.

    Jedidiah.

  6. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 1

    It's not just this thread. In my experience pretty much every Slashdot thread involving an area in which I have any knowledge is filled with the kind of misinformed crap that you are complaining about.

    True, I guess it is partly that many thread topics are pure opinion, so random spouting is expected, and there are fewer contradictory and false facts cited.

    Jedidiah.

  7. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 5, Insightful

    One presumes that any encryption standard the US is going to recommend has in fact been broken by the NSA or other security organization. The US has been very clear that it does not want its citizens or anyone else in the world to use encryption that the US cannot break.

    And likewise the US has been very clear that it does not want its government, military, businesses using an encryption system that can be broken by other countries. The NSA has 2 roles, Signals Intelligence (which may involve breaking encryption) and Information Assurance (which involves providing secure computing to US government and business). ECC is out there and available, so pretending it doesn't exist just because they can't break it hardly helps them in stopping people using it. That means, from the Signals Intelligence perspective ECC is a moot question, breakable or no. Export controls make little difference considering the company (Certicom) with all the patents on ECC (hundreds, literally) is Canadian. On the other hand, if it is good, strong, and secure, then it is entirely sensible for the Information Assurance arm to promote it as a standard for US business. Let's be honest, RSA has looked weak the last couple of years. You could just as easily claim that this announcement is an effort to move US government and business to a more secure system. Maybe this announcement means that the NSA knows how to break RSA, and figures other countries either know too, or will figure it out soon.

    In short, there is no reason to expect that the NSA can break ECC, and to claim otherwise is just shooting your mouth off with absolutely zero basis. There are other perfectly good explanations, why not consider them instead/as well?

    Jedidiah.

  8. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 2, Insightful

    The NSA has a budget larger than the CIA. Yes some of that money may involve some breaking of encryption, or maybe they spend 3 billion plus a year researching how to protect consumers' credit card numbers.

    The NSA are responsible for Foreign Signals Intelligence. That means intercepting, collecting, collating, and analysing foreign signals of interest. That is going to cost huge sums of money regardless of whether there is any encryption to crack along the way.

    The other half of their job is providing secure computing and information systems to the US government and US companies. That includes analysing and advising on proposed cryptographic standards (like DES, AES, SHA-1), creating new cryptosystems, providing secure computing environments (SELinux was what they released to the general public as a demo of "how things should be done", they are undoubtedly doing a lot more themselves), providing secure communications for the US government etc. I expect that all of that doesn't come cheap either.

    Given that neither I, nor you, have any idea at all as to how the NSA distributes their funding (though apparently you have very little idea what the NSA actually do), I think making unfounded assumptions about how much money and work goes to breaking encryption is a little silly. I expect they do spend a fair amount of time and money on it. I expect they also spend a fair amount of time and money on information assurance.

    Jedidiah.

  9. Re:Question about quantum computing on NSA Announces New Crypto Standards · Score: 1

    Shor's algorithm is indeed for factoring. There is another algorithm for the DLP. I don't know too much about it, as Quantum computing isn't my field. I just pay attention when told things like "DLP is not secure under Quantum Computing". Sorry I couldn't be more informative.

    Jedidiah.

  10. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 4, Insightful

    The NSA is in the business of breaking encryption, not providing unbreakable encryption.

    How did this get modded insightful? The NSA is responsible for Signals Intelligence, which may involve some breaking of encryption, and Information Assurance which most certainly involves the provision of strong security, including encryption.

    ECC is already widely available - Certicom, a Canadian company provides good implementations, and owns about 200 patents relating to it. If it is secure and the NSA can't break it, ignoring its existence isn't going to help them: it is already out there - it is too late for the Signals Intelligence people to worry about it. On the other hand, if there is a good secure encryption system available then promoting it to US government and US companies is a positive thing for the Information Assurance role to be engaged in.

    The amount of uninformed, random, misinformation in this thread is astounding.

    Jedidiah.

  11. Re:Makes you wonder... on NSA Announces New Crypto Standards · Score: 4, Informative

    Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

    Actually factorization has been looking a little weak for the last couple of years. There hasn't been any big breakthrough, and 1024-bit (and up) RSA isn't exactly broken right now, but there have been a steady number of papers that have offered various improvements to the basic Number Field Sieve algorithm (such as Dan Bernstein's factorization circuit), such that it is beginning to look as if it is merely a matter of time before at least 1024-bit RSA is considered insecure.

    Certainly if you have enough compute power the present NFS with improvements will be good enough to break RSA keys out. The NSA is not exactly lacking in potentially dedicated compute power.

    Jedidiah.

  12. Re:This is good news on NSA Announces New Crypto Standards · Score: 1

    There seems to be a lot of misinformation being moderated up in this thread. How exactly did this get moderated to +4 Insightful? This is about the fourth comment I've seen that's been moderated up for spouting what amounts to complete and utter drivel.

    Someone further up provided a good link to the ECC page on Wikipedia. Perhaps a few of the mods could go and read that before using up their points. It might save us from swimming in uninformed bullshit.

    Jedidiah.

  13. Re:This is good news on NSA Announces New Crypto Standards · Score: 4, Interesting

    The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods.

    I'm not sure what you mean here. ECC protocols and standard Diffie-Hellman both rely on the hardness of solving the Discrete Log Problem over a finite group. All ECC buys you over standard Diffie-Hellman is a different group (the group formed by the set of points of the curve over some finite field), for which known methods for the discrete log problem are extremely (maximally, in theory) inefficient.

    It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography.

    Not true in the least. The protocols in Suite B are Elliptic Curve Diffie-Hellman, and Elliptic Curve Menezes-Qu-Vanstone (which is essentially an extended/more complicated version of Diffie-Hellman). Both are entirely useless in a situation where the Discrete Log Problem is easy. As there exists a quantum computing algorithm that solves DLP incredibly efficiently it is safe to say that in the advent of Quantum Computing these protocols will be rendered completely useless.

    While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.

    I think perhaps he's been having some fun at your expense.

    Jedidiah.

  14. Re:Obligatory Wikipedia Link on NSA Announces New Crypto Standards · Score: 4, Informative

    As it isn't included in the Wikipedia article, and I had to look up the details myself:

    Menezes-Qu-Vanstone key agreement is essentially a variation/extension of Diffie-Hellman using a combination of "static" and "ephemeral" public keys to compute the shared secret. The extra wrinkles in the procedure eliminate the possibility of a couple of subtle man in the middle attacks that can be made against EC Diffie-Hellman for certain parameters.

    Jedidiah.
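The static-plus-ephemeral combination that comments 13 and 14 describe, as an added example that is not part of the original posts: a toy MQV key agreement written for a prime-order subgroup of Z_p^* rather than an elliptic-curve group (the algebra is the same; ECMQV just swaps the group). The parameters p = 1019, q = 509, g = 4 are constructed for illustration and far too small to be secure; the peer-key validation step is what blocks the small-subgroup style of attack that plain Diffie-Hellman is exposed to with bad parameters.

```python
"""Toy MQV key agreement over a prime-order subgroup of Z_p^*.

Constructed parameters for illustration only (far too small to be secure):
p = 1019 is a safe prime, q = 509 = (p - 1) / 2, and g = 4 generates the
subgroup of order q.  ECMQV uses the same algebra in an elliptic-curve group.
"""
import secrets

P, Q, G = 1019, 509, 4
L = (Q.bit_length() + 1) // 2      # truncation length for the "bar" map


def keygen():
    """Return (private, public) = (k, g^k mod p); used for static and ephemeral keys."""
    k = 1 + secrets.randbelow(Q - 1)
    return k, pow(G, k, P)


def bar(pub):
    """MQV's truncation of a public value: low L bits with bit L forced on (never 0)."""
    return (pub % (1 << L)) + (1 << L)


def is_valid_pub(pub):
    """Reject the identity, out-of-range values and elements outside the order-q subgroup."""
    return 1 < pub < P and pow(pub, Q, P) == 1


def mqv_shared_secret(my_static, my_eph, peer_static_pub, peer_eph_pub):
    """Combine own static (a, A) and ephemeral (x, X) keys with the peer's B and Y.

    Returns K = (Y * B^bar(Y))^(x + bar(X)*a) mod p, which equals
    g^((x + bar(X)*a) * (y + bar(Y)*b)) and is therefore the same on both sides.
    """
    a, A = my_static
    x, X = my_eph
    B, Y = peer_static_pub, peer_eph_pub
    if not (is_valid_pub(B) and is_valid_pub(Y)):
        raise ValueError("peer public value is not a valid subgroup element")
    s = (x + bar(X) * a) % Q                 # "implicit signature" on my ephemeral key
    return pow((Y * pow(B, bar(Y), P)) % P, s, P)


def run_exchange():
    """Full exchange with random keys; returns (K_alice, K_bob), which must match."""
    a_static, a_eph = keygen(), keygen()
    b_static, b_eph = keygen(), keygen()
    k_alice = mqv_shared_secret(a_static, a_eph, b_static[1], b_eph[1])
    k_bob = mqv_shared_secret(b_static, b_eph, a_static[1], a_eph[1])
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("agreed" if ka == kb else "MISMATCH", ka)
```

Because the exponent mixes the long-term and ephemeral private keys, an intermediary who swaps out an ephemeral public value still cannot produce the matching secret without the corresponding static private key, which is the authentication property plain Diffie-Hellman lacks.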

  15. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 4, Insightful

    Of course, if you had actually opened AC's link, you would have seen a paper describing a weakness in ECMQV. Elliptic curves aren't the best objects on which to base an encryption scheme, as they have far too much structure.

    What, may I ask, do you intend to use instead? Elliptic curves are an excellent choice under the circumstances: implementing a Diffie-Hellman (or, in the case of Menezes-Qu-Vanstone, a more complicated variation of Diffie-Hellman) key exchange over a group other than integers mod p. Elliptic curve groups maximise the difficulty of the known algorithms for solving the discrete log problem (breaking Diffie-Hellman).

    Besides, with elliptic curve systems you have the benefit of choosing a random curve, and hence, within constraints, a random group, which means structures of the group are a lot harder to predict - beyond very basic elliptic curve group structures.

    I would be very interested to hear what you are suggesting should be used instead. Is there a cryptosystem using semi-groups that I've never heard of?

    Jedidiah.

  16. Re:ECMQV broken on NSA Announces New Crypto Standards · Score: 4, Interesting

    ECMQV has been partially broken -- I'd be wary of using it in any standards.

    Would any cryptographers here care to comment?

    The paper itself isn't online, so I can only judge from the abstract. It does sound like a reasonable approach (on a completely cursory inspection), but there are a lot of details there, and I am a little unfamiliar with some of the stuff they reference.

    As to how severe the break is: they claim they've reduced the complexity from O(q^{1/2}) down to O(q^{1/4}). Now I presume that q here is referring to the characteristic of the finite field that the curve group is over (I'm guessing, I would have to read the paper to know for sure - they don't say - but this is the logical choice). That is, of course, in cryptographic terms fairly significant. In practical terms most serious ECC implementations are using q in the order of 2^200 or more, so it doesn't necessarily represent a serious compromise.

    As I say, with only the abstract to go on I really can't comment much. It does look interesting, but I would have to see more.

    Jedidiah.

  17. Re:Huh? on NSA Announces New Crypto Standards · Score: 4, Insightful

    If you really want to read anything meaningful into NSA Information Assurance people throwing their weight behind Elliptic Curve Cryptography, you should consider that maybe that means they consider RSA and standard Diffie-Hellman public key systems to be weak and potentially broken some time in the near future. Now RSA has been looking shaky for the last year or two - it hasn't been broken for key sizes in use, but various improvements and speedups for the Number Field Sieve have made it look a lot more vulnerable. Ordinary Diffie-Hellman possibly being judged a little weak is more interesting.

    Jedidiah.

  18. Re:Good encryption? on NSA Announces New Crypto Standards · Score: 4, Informative

    So the question remains: Have they found a successful attack on elliptic curves, or have they finally seen the light and realized that strong encryption is good for society?

    Technically fully half the NSA's job is Information Assurance, which is to say providing strong crypto and information security solutions to US government and US companies. It was the Information Assurance people that provided us with SELinux as a demo of how a secure system could easily be achieved just working from a commodity OS. They are supposed to believe that strong encryption is good for society - US society anyway.

    Jedidiah.

  19. Re:TFA == random bollocks from uninformed writer on Linux on the Tipping Point · Score: 1

    So the assumption then is that Microsoft knows more about the hardware and its functions and how best to write drivers for that than the company that made the hardware? Sounds silly. Of course Microsoft knows far more about how to actually interface nicely with the kernel, so maybe that's why MS drivers are better. But then that sounds pretty silly too: Windows is sufficiently closed and driver level APIs sufficiently obscured that only Microsoft can write good drivers. What the hell?

    Jedidiah.

  20. Re:Where have I heard this before? on Linux on the Tipping Point · Score: 1

    You might want to read those carefully. Several of them were quite correct. One seemed to be looking at server deployment, for which, indeed, Linux has passed a tipping point. Another was about the tipping point for Linux over Windows when migrating off old UNIX systems which, again, is quite a valid assertion: Linux is doing well in that market. The last one is simply about Open Source not Linux and cites things like Apache reaching the tipping point. Nor is it predicting an imminent switch over to Open Source, but rather a continuing march toward tipping points in various scattered markets.

    Jedidiah.

  21. Re:more D than R on An Engineer's View of Carly Fiorina's Leadership · Score: 1

    My girlfriend assures me that they have "Hello Kitty" washing machines (and other household appliances) in Japan - now _that_ is disturbing.

    How about a Hello Kitty toaster that toasts the image of Hello Kitty onto all your slices of toast for you. Just what every discerning person needs.

    This is part of their rather cunning business plan though: they have a billion different ideas for weird ass Hello Kitty products, but they drip feed them onto the market rather than just saturating it with everything they can think of. They also pull huge amounts of stuff after only a few months. Basically that means there's an ongoing churn of Hello Kitty products, providing washing machines and toasters one month, cell phone faceplates and DVD players the next.

    No I don't, nor will I ever, understand the fascination with Hello Kitty. It's hard to deny the company their success though: they just keep on trucking along.

    Jedidiah.

  22. Re:more D than R on An Engineer's View of Carly Fiorina's Leadership · Score: 1

    It is precisely this ability to adapt while managing to somehow retain the core image that "Hello Kitty" has been so good at though, and was precisely my point.

    Jedidiah.

  23. Re:more D than R on An Engineer's View of Carly Fiorina's Leadership · Score: 1

    Barbie has been around for 45 years, produced by Mattel, a publicly traded US corporation.

    Indeed it has. Notice that I was talking about current US CEOs. In the past long term planning was far better. You may note the general decline of Barbie as a successful brand (relatively speaking) over the last 10 years under more "modern" management of Mattel.

    I am not complaining about the US, merely the recent trend amongst Western (the US simply being the worst example at present) CEOs to focus almost solely on short term profits, often to the detriment of long term viability.

    Jedidiah.

  24. Re:Now she's headed for the World Bank... on An Engineer's View of Carly Fiorina's Leadership · Score: 2, Interesting

    If I recall rightly HP's market cap went up by 2 billion dollars the day she left. In other words (if we're going to justify everything by share price as many CEOs like Ms. Fiorina do) she was worth negative $2 billion to HP. Do they get to bill her for damage done? Nope, they pay her a nice $20 million leaving bonus. Why would anyone hire someone who managed to decrease a company's worth by $2 billion? I'm at a loss. Her career should be over (and with a $20 million bonus to walk away with, it's not like she'll ever have to work again if she doesn't care to). Bizarre.

    Jedidiah.

  25. Re:more D than R on An Engineer's View of Carly Fiorina's Leadership · Score: 5, Insightful

    A lot of Japanese companies try and have a 10 year outlook. Yes, they worry about profits in the short term - it still matters - but they also try to have a long term 10 year plan, and are willing to take short term lack of growth if it positions them better in their 10 year plan.

    Want a really odd example? Consider "Hello Kitty". It's a silly fad right? Except they've actually been around, continuously, producing "Hello Kitty" products for over 30 years! That's some surprising staying power, and is in a large part due to long term planning to keep the brand relevant in a changing world. Were a similar operation being run by a current US CEO it would have unbelievable growth for 3 quarters, saturate the market, fall out of favour, and be dead in 2 years.

    Never underestimate the power of long term planning.

    Jedidiah.