If we had 85% of the population that would put us at about what we had in 1400 AD. Definitely a time of peace and prosperity, where there were no wars over resources or land. Oh wait...
That is specifically and only for disk encryption, because you have the convenient property that your disk is always the same size regardless of how much data you are actually storing on it. You can hide extra encrypted data in the "free" space. That doesn't apply for 99% of encrypted data which is not disk encryption but rather stuff like TLS.
If you read between the lines I think this information is to contrast this situation with the FBI-Apple conflict last year, where they were trying to unlock the iPhone of that terrorist shooter. That phone had the enclave chip which is why it was so hard to break into, and why the FBI made such a stink about needing Apple's help. Here, none of that applies.
If you want to be really pedantic, it is possibly a false statement but as of yet there is no proof that it is false. Every person that tried the vaccine is Ebola free. Maybe it actually is 100% effective? Who knows? Not you.
Pretty sure this is just a classic science journalism mistranslation. The actual scientific study says that the estimated efficacy from the experimental results, to a 95% confidence interval, is 100%. Because no one in the trial got the disease. That is not the same as the colloquial version of "100% effectiveness" that you are thinking of.
Run away? Sorry, I already answered your comment at least twice on this article responding to other people before you "challenged" me (go look if you don't believe it). I was just tired of responding to your arrogant uninformed bullshit. Quantum attacks reduce the security of all block ciphers by half due to Grover's algorithm. AES-256 would still have 128 bits of effective security, which is more than enough. Your comment about physical security is also ill informed, btw; google Software Guard Extensions and learn how modern systems can be secure even against physical compromise and rootkits.
Lol ok. What pretension? I literally have a PhD in cryptography. I've just realized that you are proud of your ignorance and it's not worth talking to you any more. I've gotten like 30 +informative upvotes on this article. Some people learned something. You are a lost cause. I read somewhere recently... I can't remember where... "I've decided to stop wasting my time responding." Have a good day bro.
The problem with this is that almost all encryption and decryption is done locally by an individual client. If the bad guy has the message, it is just inert data. The only person enforcing any kind of time constraints on him would be himself, so he will just not do it. Moreover, if you are trying to use a password to log in to a server (I think this is the problem you are trying to solve) then there is no need to do anything fancy like this because there are already existing zero-knowledge password protocols that are not vulnerable to quantum attacks.
Yes, let us now compare the packed files you have seen personally vs the entire volume of HTTPS traffic that goes across the internet every day. I am betting that the second one is a teensy bit bigger. And yes, TrueCrypt and VeraCrypt don't use enclave chips, but only a handful of enthusiasts use those programs. You know what programs do use enclaves and therefore uniformly random keys? iOS encryption (over 1 billion iOS devices), Android encryption (lots of those too), Microsoft BitLocker, Apple FileVault. The problem is that you think the stuff you use is the main problem when in reality it is not. It is the mainstream stuff, and surprise, billion-dollar companies like Google, Apple and Microsoft don't rely on offline password security. And if the stuff you use is broken, that is YOUR fault. Make a better version of TrueCrypt that doesn't rely on password security. It is not the fault of the encryption scheme.
Also, the one-time pad is conceptually a very large password that both parties know. If you assume that you can get a long one-time pad, then you could have just as easily made a good password in the first place. It is intellectually dishonest to pretend otherwise. The ONLY reason you would ever use the one-time pad is if you do not trust the core security of symmetric encryption schemes.
No, the "rules" are fine, you just don't properly understand them. It is not about quantum computers being faster than classical computers; it is about them literally being different computational machines that have different properties with respect to complexity theory. It just so happens that certain complexity assumptions we base modern cryptography on are not true in the quantum world. Fortunately there are other assumptions that still hold. It is not a "race" against faster computers, it is incorporating an additional tool into our toolbox and designing a scheme which is secure against that tool. You are spouting a bunch of uninformed nonsense that you think is profound but is actually meaningless. Congratulations on beating a rudimentary chess game, that doesn't make you a cryptographer.
1) Because of Grover's algorithm, even encryption which is "secure" against quantum computers still needs twice the key length to have the same level of security as against classical computers. This is because Grover's algorithm lets you brute force a space of N possibilities in time O(sqrt(N)) instead of O(N). So if 90 bits is secure today, you would want 180 bits to be secure against quantum attacks.
2) They can. AES goes up to 256 bits and there is no reason we couldn't make larger block ciphers if we needed to. Currently AES-256 would be secure even against a fully-functioning quantum computer.
3) You are confusing NIST and the NSA, and also AES with DES. The S-box for DES was recommended by the NSA because they had advanced knowledge of differential cryptanalysis that was not widely known at the time. It was not a backdoor. And they had no input into the design of AES, which was proposed by Belgian cryptographers and vetted in a multi-year open contest between academics. The Dual_EC_DRBG scheme with the backdoor that you are referencing was entirely designed by the NSA, not NIST, and academics were immediately suspicious of it. The open contests that NIST has done, including AES and SHA-3, have been widely lauded as the "right" way to do standardization and have had significant buy-in from academics, in contrast to the top-down approach that led to weak standards like Dual_EC_DRBG.
The number of key bits is still the metric for quantum-resistant encryption. You just need to base your scheme on a problem that is not solvable in polynomial time by a quantum computer. There are no great ways to do this except to find a problem that seems like it is hard for a quantum computer, conjecture that it is hard, and then wait for people to try to break your conjecture. You cannot prove that something is hard to solve because we still don't know if P = NP; maybe all problems are easy and we just don't know it.
There are a few encryption schemes that seem like they are not vulnerable to quantum attacks, chief among them being NTRU and other lattice-based encryption schemes. They have been of independent interest lately because they incidentally also allow for homomorphic encryption, so people are starting to get a good idea of what parameters to use and how much security the schemes have with different key sizes.
I think you are thinking of the D-Wave computer, which is not actually a quantum computer in the most general sense. The great thing about quantum computers is that they actually break some complexity barriers that exist for classical computers, factoring being one of them. If we ever get a quantum computer that can handle a few hundred qubits then it would be able to instantly factor existing RSA moduli, compared to hundreds or thousands of years for a classical computer. Right now I think the record is only something like 12 qubits, but it seems like the number of qubits we can work with is also increasing at a pretty good rate if you look at timelines of these things.
That is not to say that next year all RSA will be broken, but it is prudent to plan for a world in which that may be the case. Especially since we already have public key encryption schemes which are quantum-resistant, it is just a matter of studying and standardizing them.
The one-time pad DOES NOT replace Diffie-Hellman though. It replaces symmetric encryption, for which we have perfectly good existing solutions. AES is not vulnerable to quantum attacks. Any discussion of the one-time pad in relation to quantum-secure encryption is pointless. We need new asymmetric encryption schemes like lattice-based encryption, not some half-cocked one-time pad bullshit.
Your argument is not internally consistent. You are assuming that AES ciphertext will be encrypted with a password-derived key but DES will use a uniformly random one. That's not a fair comparison. Anyways, your whole premise is flawed for two reasons:
1) Password security is an orthogonal issue to encryption. You can have the strongest encryption in the world and if you use a weak password to derive a key you will not get the full benefit of that strength. Attacking a ciphertext you break either the password or the encryption, whichever is weaker. Furthermore, there are techniques like password stretching and memory-hard hash functions that make password cracking harder. Again, an orthogonal issue.
2) 99.9% of AES-encrypted ciphertext is not encrypted using a password-derived key. All encrypted internet traffic, for instance, and most full-disk encryption (on devices that have an enclave chip) use uniformly random keys. For this traffic, there is no password to break. You can only attack the cipher itself, attacks which AES has withstood for many years now.
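One way to put numbers on the "whichever is weaker" point in this post, and on the Grover halving and "twice the key length" rule from the earlier comment, as an added example that is not part of the thread: the password, alphabet, salt and iteration count are constructed, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for whatever stretching function a real product uses.

```python
import hashlib
import math
import secrets

# Added example, not code from the thread. All sample values are constructed.


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Guess space (in bits) of a password of `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` characters."""
    return length * math.log2(alphabet_size)


def derive_key(password: bytes, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """Password-derived key. PBKDF2-HMAC-SHA256 (stdlib) stands in for the
    stretching function; `iterations` is the work each guess must pay."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)


def random_key(key_len: int = 32) -> bytes:
    """Uniformly random key, the TLS / enclave-backed disk encryption case:
    there is no password to guess, only the cipher itself to attack."""
    return secrets.token_bytes(key_len)


def required_key_bits(classical_target_bits: int, quantum: bool) -> int:
    """Grover searches N keys in O(sqrt(N)) steps, so matching a classical
    security level against a quantum attacker needs twice the key length."""
    return 2 * classical_target_bits if quantum else classical_target_bits


def effective_security_bits(password_bits, iterations: int, key_bits: int,
                            quantum: bool = False) -> float:
    """Cost of the cheapest attack path, in bits of work.

    password_bits=None means the key is uniformly random (no password path).
    Stretching adds log2(iterations) bits to the password path; the attacker
    then takes the cheaper of the two paths. Grover's speedup applies to any
    unstructured search, so under a quantum attacker both paths halve.
    """
    cipher_path = float(key_bits)
    if password_bits is None:
        weakest = cipher_path
    else:
        password_path = password_bits + math.log2(iterations)
        weakest = min(password_path, cipher_path)
    return weakest / 2 if quantum else weakest


if __name__ == "__main__":
    salt = b"constructed-salt"
    k1 = derive_key(b"correct horse battery", salt, 2 ** 16)
    assert k1 == derive_key(b"correct horse battery", salt, 2 ** 16)
    print("8-char alphanumeric password, 2^20 iterations, AES-256 key:",
          round(effective_security_bits(password_entropy_bits(8, 62), 2 ** 20, 256), 1))
    print("random AES-256 key vs quantum attacker:",
          effective_security_bits(None, 0, 256, quantum=True))
    print("key bits needed to keep 90-bit security vs quantum:",
          required_key_bits(90, True))
```

Even with a million-iteration stretch, an 8-character alphanumeric password caps the whole system at roughly 68 bits of attacker work, far below the 256-bit key it derives; a uniformly random key has no such cap.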
You obviously didn't read even the summary then because they are looking for replacements to asymmetric encryption schemes dude. Sorry for assuming that you read the paragraphs following the headline my bad.
The one-time pad replaces a symmetric encryption scheme. We have AES which was invented by academic cryptographers unaffiliated with any government organization and has been vetted for over 15 years by academic and industrial cryptographers with no substantial weaknesses found. It would take all the energy in the universe to brute force one AES-256 key. You are replacing something that works and is secure with something much more cumbersome for no appreciable reason except that you read somewhere the one-time pad is the only unbreakable encryption.
This is called deniable encryption and there are information-theoretic lower bounds on what you can actually accomplish with this, unfortunately. Each ciphertext has to be carefully coded with full knowledge of what "domain" it comes from in order to produce other, plausible messages. It is incredibly cumbersome and not usable for real-world applications. For simple "spy games" it could be useful, but given the incredible diversity of data that is encrypted on an average person's computer it is not practical.
Good thing all the highest consuming countries have sub-replacement fertility rates, so that problem will naturally fix itself in a few decades.
Good thing that every high school show already stars actors in their mid 20s playing teens.
https://en.wikipedia.org/wiki/...
If that sounds a bit vague, well, you complained about terms to clarify being flamebait... so fuck off.
I'm sorry, was this sentence meant to convey something? Because it is incomprehensible.
Because he used "leftist" and "millennial" like 30 times as derogatory terms. That is the flamebait.
I'm not defending or attacking anyone, just explaining what happened. Chill out dude.
Cool story bro.