Slashdot Mirror


User: cryptizard

cryptizard's activity in the archive.

Stories: 0
Comments: 1,189

Comments · 1,189

  1. Re:No New Crypto due to Export Regulations on Slashdot Asks: How Does the US Gov't Budget Crunch Affect You? · · Score: 1

    Is that really true though? There are tons of open source crypto projects which I am sure do not register with the government. I am a grad student with several crypto publications and I have never asked for permission before submitting them. If those rules really do exist, they must not be enforced because nobody in my lab has ever bothered to do any registering.

  2. Re:Here's a thought.... (or 2 or 3) on Teaching Fractions: The Tootsie Roll Is the New Pie · · Score: 1

    You are so right, this is where we should apply that old American motto: "sounds hard, let's just give up."

  3. Re:Marketing on Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations · · Score: 1

    Think about a widely known encryption with a large enough key (>64 bits) that was "broken" in the last thirty years. It hasn't happened. There have been weaknesses discovered, but the only major encryptions to be broken are DES and A5 which were known to have a short key length even when they were released. They weren't even broken by cryptanalysis but just lots of computation. 3DES (to extend the key length) is still considered secure today. For the NSA to have broken not just one, but every major cipher is just preposterously unlikely.

  4. Re:Here's a thought.... (or 2 or 3) on Teaching Fractions: The Tootsie Roll Is the New Pie · · Score: 1

    Except people from back then would be legally retarded now (i.e. the Flynn Effect). Students are expected to learn more, quicker than ever before. As you say, we are spending more money per student than anyone and it just isn't working. I would actually say that teaching methods haven't changed that much in the past hundred years. Maybe the answer is to get kind of extreme and start from scratch.

  5. Re:Here's a thought.... (or 2 or 3) on Teaching Fractions: The Tootsie Roll Is the New Pie · · Score: 1

    You are so right. Who needs newfangled things like cars and cell phones? People got around just fine in biblical times I say. For that matter, who needs vaccines or medicine? Living past 30 is overrated.

  6. Re:Length vs volume. on Teaching Fractions: The Tootsie Roll Is the New Pie · · Score: 1

    Oh man because 3rd graders are going to love all those words you just said. They'll for sure understand that right away because you are the best educational mind of our generation.

  7. Re:Ridiculous stunt on Health Exchange Sites Crushed By Demand; Shutdown Blanks Other Gov't Sites · · Score: 1

    Seems a little harsh from someone who admits that they used to be one of those parasites.

  8. Re:Inaccurate propaganda on Health Exchange Sites Crushed By Demand; Shutdown Blanks Other Gov't Sites · · Score: 3, Insightful

    Oh yeah because extreme load on a new website never manifests as error messages

  9. Re:TL;DR Version on The Memo That Spawned Microsoft Research · · Score: 3, Interesting

    Of course, that's why I said one of the only places left.

  10. Re:TL;DR Version on The Memo That Spawned Microsoft Research · · Score: 5, Interesting

    I don't know if it was their idea from the start, but MSR is hugely different from other companies' R&D. They operate more like a university. Researchers are free to work on anything they want, without consideration to whether it will directly affect a Microsoft product or not. It is one of the few places left outside academia where researchers can do basic research in computer science.

  11. Re:Marketing on Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations · · Score: 1

    Good point. The only symmetric cipher I know of that was completely "broken" is DES, but that is because the key length was chosen to be too short. Even at the time it was released people said it was too short.

  12. Re:No reason to distrust Rijndael on Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations · · Score: 3, Interesting

    On the one hand I would like to believe that, if there was a flaw, we would have found it by now. On the other hand, I think people vastly overestimate the reliability of "top cryptanalysts". The unfortunate fact is that only probably 20-30 people in the entire (public) world really, deeply understand what goes into cryptanalyzing a modern block cipher. That is not really a lot of eyes when you think about it.

    The one thing the NSA, and other intelligence agencies, have going for them is they can afford to hire and train groups of people specifically for one particular task. In academia nobody wants to work on cryptanalyzing AES, it would be career suicide. In the very best case it would take you years to come up with anything, and in the worst case you would spend all that time and get nothing.

  13. Re:Marketing! on Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations · · Score: 4, Interesting

    Yes, this is the part that I can't believe. To think that the NSA, probably some of the most paranoid people in the world, would be arrogant enough to standardize government security on broken cryptographic primitives is just not believable. There are important classified documents encrypted with suite B algorithms.

  14. Re:Marketing on Silent Circle Moving Away From NIST Cipher Suites After NSA Revelations · · Score: 3, Interesting

    I suspect that there is probably not much of anything - certainly nothing on the open market - that the NSA would not already have cracked anyway.

    I'm not going to say that is impossible, but to believe it would require some serious high level paranoia. It would imply that the NSA is decades ahead of academia in not only cryptography but almost every area of computer science. Considering how inefficient and incompetent the rest of the government is (even the DoD, i.e. unencrypted drones) I just cannot believe that is the case. They don't have that many smart people working there, in comparison with ALL of the rest of the world.

  15. Re:Uninformed nonsense on Did NIST Cripple SHA-3? · · Score: 1

    I've replied sooo many times to uninformed people... please just read the original slides. The two modes they are including are 256-bit and 512-bit OUTPUT, which each have half that many bits in collision resistance. Security will be equivalent to the two main versions of AES. All they are doing is removing the 224 and 384 bit versions because they are rather pointless.

  16. Re:Of course NOT, and please don't blame NIST! on Did NIST Cripple SHA-3? · · Score: 1

    Yes, the slides that are actually in question (and linked by the summary). They are very very specific, the two modes are 256-bit output and 512-bit output, with 128-bits and 256-bits of "AES equivalent" security respectively. The reason they changed the sizes at all was to make it analogous to the existing modes of AES. All the changes are in the slides and they do not invalidate the cryptanalysis done so far. Don't you think we would have heard about it already if real cryptographers had a problem with it? The presentation was at CHES in the middle of August, in front of hundreds of the world's best cryptographers. What really happened is this is a mostly non-story and some uninformed armchair cryptographers picked it up and freaked out. If you are as knowledgeable as you say you are, I would recommend going to the original source instead of trusting a bunch of stupid people talking about things they don't understand.

  17. Re:Of course NOT, and please don't blame NIST! on Did NIST Cripple SHA-3? · · Score: 1

    Jesus fucking christ you are stupid. I know exactly what the birthday paradox is. NIST is proposing a 256 bit and 512 bit version, exactly like you suggest. Maybe read the article or even the comment that YOU ARE REPLYING TO and you would know that.

  18. Re:Uninformed nonsense on Did NIST Cripple SHA-3? · · Score: 1

    That isn't a collision, it is a second preimage. Collision resistance has a very specific meaning for hash functions and what you are saying is not it.

  19. Re:Of course NOT, and please don't blame NIST! on Did NIST Cripple SHA-3? · · Score: 1

    Can you not read? The two modes being suggested have 128 and 256 bit SECURITY, exactly like you are suggesting. Nothing has 64 bits of security. They are using the original specification except they are removing the redundant 224 and 384 bit versions for simplicity. The 512 bit version has 256 bits of collision resistance and the 256 bit version has 128 bits of collision resistance.

  20. Re:Uninformed nonsense on Did NIST Cripple SHA-3? · · Score: 1

    That's stupid, it has 256 bits of security because of the birthday attack. It is well known and in the slides linked with the article.

  21. Re:Uninformed nonsense on Did NIST Cripple SHA-3? · · Score: 1

    Why did you get modded down for this? You are exactly right. All they did was get rid of the 224 and the 384 because they seemed kind of redundant. You still have the 256 and 512, which have equivalent security to SHA-256 and SHA-512. Another thing that people miss in this whole discussion is that the sponge construction was chosen specifically because it is different from the Merkle-Damgard construction used in the previous SHA hash functions. We now have a standard which we believe will be resistant to any attacks which are developed against SHA-2 because it is so vastly different.

  22. Re:Avoid eleptic curve algoritms on Did NIST Cripple SHA-3? · · Score: 2

    Just an FYI, breaking RSA is probably not equivalent to factoring. If you can factor you can certainly break RSA, but no one has proven that you cannot break RSA without factoring. The problem that is actually equivalent to breaking RSA is finding Nth roots in a composite group, which has not been studied for hundreds of years.

  23. Re:Avoid eleptic curve algoritms on Did NIST Cripple SHA-3? · · Score: 1

    You could have a million times all the computers in the world and it would not be enough to factor a 2048-bit RSA key. Considering no public researcher in the world has been able to make a quantum computer with more than a handful of qubits, I don't think the quantum computer thing is reasonable either.

  24. Re:Randomness not so random on Linus Responds To RdRand Petition With Scorn · · Score: 1
  25. Re:Why is EC more secure than RSA? on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 1

    That... doesn't sound right. Using fast exponentiation, you have to do a number of multiplications on the order of the number of bits. That's one n. Each multiplication costs n log(n) with an FFT multiplier. So it is n^2 log(n) which is much closer to n^2 than n^3.