"Empty gestures", huh? Care to back that up somehow?
They've been more or less continuously reducing gross (and even more so per capita) CO2 emissions for years now. E.g. about a 10% reduction in gross emissions since 2005 (while growing both population and GDP).
Source.
According to the World Bank data set here the US has reduced its gross CO2 emissions to about 90.7% of its 2005 levels while Germany is at 90.3%. So Germany is marginally better, but they are pretty comparable really in terms of achievements. China, on the other hand, has about doubled its emissions in the same time frame. :-/
What's more worrying though when comparing the US to Germany is that over the last year or two the trend in reduction is accelerating in Germany while in the US CO2 emissions are actually starting to increase! Plus, looking at the new White House administration, I'd expect that will only get worse, not better.
Don't really agree with that sentiment.
For example, according to the World Bank data they've reduced their gross CO2 emissions by about 10% since 2005. (Meanwhile their population has grown by 0.7% and their GDP by around 21% over the same time span.) In my book that's not really "nothing to show".
You seem to be assuming that the US CO2 output trend under Obama's tenure will continue. Why does that seem plausible to you given the new administration's about-face on climate, the environment in general and the EPA in particular?
QKD is a heck of a lot more practical than any of the research programs you mentioned... Given the ever growing importance of (and failures in) infosec, I would say developing better tools for that field is a pretty worthy goal.
Long term security comes to mind. A very common use of DH protocols is to agree on a key for encrypting content. Suppose an attacker records the public keys used in the DH session as well as the subsequent encrypted content. If in 20 years they get their hands on a powerful enough quantum computer they could go back and break the DH part, rederive the encryption key and then decrypt all recorded content.
My question is why not use post-quantum (e.g. lattice based) key agreement instead of QKD... They are starting to be pretty practical for low bandwidth/high security applications but also (as far as we know) withstand quantum attacks. I guess with QKD the point is we know that without a complete revolution in physics past sessions will remain secure against whatever new classes of future computational devices we might create...
That's not really how QKD works. There is no separate "alert system". Instead, by listening in, the signal between end points is unavoidably altered so the end points trivially detect that a third party was eavesdropping during the key agreement protocol. That way they know not to use whatever key was produced in that QKD session. The laws of quantum mechanics guarantee that eavesdropping always causes the signal to be changed. (E.g. as far as I understand any violation of that would contradict the no-cloning principle.)
What's your point? No secure communication system is ever going to be secure in those adversarial models... QKD or otherwise.
China has been at the forefront of QKD research for some time now. E.g. their collaboration with Zeilinger's team has repeatedly produced world records in implementing QKD in practice.
Because of a combination of two reasons:
1) The protocol used by Signal and their implementation are both open and well studied.
2) The Signal protocol (like many modern secure p2p-communication protocols such as Allo, WhatsApp, Wickr, etc.) uses end-to-end encryption and authentication. So the central server (along with the rest of the network infrastructure between end points) can do little more than deny service to users.
Caveat: AFAIK beyond service denial, at worst the servers could do some traffic analysis (only the *encrypted* and padded data) and maybe swap the order in which messages are delivered to users in a given chatroom. (So could your ISP.) Of course traffic analysis can lead to non-trivial privacy breaches too but exposure to this threat is (currently) the price we all pay if we want messaging to work over an extremely asynchronous network with high churn & latency and low bandwidth & availability. In particular clients can message each other even when they (and in fact almost all other clients) are rarely and unevenly online with no guaranteed overlap time.
To be fair, any pair of distinct inputs to SHA1 that hash to the same value are a new collision. In general, being given one collision for a hash function doesn't make it automatically easy to find another. It's only because SHA1 is an iterated hash function (Merkle-Damgård) that this becomes true. (Admittedly, almost all practical cryptographic hash functions are iterated constructions.)
If SHA1(x0) = SHA1(x1) then for any z SHA1(x0||z) = SHA1(x1||z). I'm guessing the collision generated by the Google-CWI team is on a pair x0 and x1 where xb is the beginning of a PDF document that basically encodes "of the next two sections in this PDF file display section b". Given that, it's easy to extend them to any colliding PDF documents one wants.
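The extension property the comment above relies on can be watched in miniature. The following is an added example, not code from the comment or from the Google-CWI work: a toy Merkle-Damgård hash (the names `toy_md_hash`, `compress`, `find_block_collision` and `extend_collision` are made up here) with a deliberately tiny 24-bit chaining value, assumed so that a collision can be found by brute force in well under a second. Once two distinct, equal-length blocks x0 and x1 collide on the chaining value, every suffix z yields a fresh collision with no further search, which is exactly what a generic (non-iterated) hash would not give you. The equal-length requirement matters because the length is encoded in the final padding block.

```python
import hashlib

# Added example (not from the original comment): a toy Merkle-Damgard hash with a
# deliberately tiny 24-bit chaining value, so a collision can be found by brute
# force and the suffix-extension property of iterated hashes can be observed.
BLOCK_BYTES = 8          # toy block size
STATE_BYTES = 3          # toy chaining value: 24 bits (SHA-1 uses 160)
IV = b"\x00" * STATE_BYTES


def compress(state, block):
    """Toy compression function: truncated SHA-256 of state || block."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def md_pad(msg):
    """Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian bit length."""
    bit_len = (8 * len(msg)).to_bytes(8, "big")
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK_BYTES)
    return padded + bit_len


def toy_md_hash(msg):
    """Iterate the compression function over the padded message blocks."""
    state = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK_BYTES):
        state = compress(state, padded[i : i + BLOCK_BYTES])
    return state


def find_block_collision():
    """Birthday search for two distinct single blocks x0 != x1 that reach the same
    chaining value after one compression step (about 2^12 trials on 24 bits).
    Like the colliding PDF prefixes, x0 and x1 have equal length and end on a
    block boundary, so everything processed after them is identical."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK_BYTES, "big")
        chaining_value = compress(IV, block)
        if chaining_value in seen:
            return seen[chaining_value], block
        seen[chaining_value] = block
        counter += 1


def extend_collision(x0, x1, suffix):
    """Given colliding equal-length x0 and x1, return a new colliding pair by
    appending the same suffix to both; no new search is needed."""
    assert len(x0) == len(x1) and toy_md_hash(x0) == toy_md_hash(x1)
    return x0 + suffix, x1 + suffix


if __name__ == "__main__":
    x0, x1 = find_block_collision()
    print("colliding blocks:", x0.hex(), x1.hex(), "->", toy_md_hash(x0).hex())
    y0, y1 = extend_collision(x0, x1, b"...the rest of the document...")
    print("extended pair still collides:", toy_md_hash(y0) == toy_md_hash(y1))
```

Run stand-alone it prints the colliding block pair and confirms that appending an arbitrary suffix to both preserves the collision. The same argument applies unchanged to SHA-1, only the first step (finding the colliding prefixes) is the expensive part there.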
In my experience, within Europe it is a relatively widely held opinion that the EU (and its precursors) did indeed play a big role in supporting peace and prosperity on the continent. (Which does not at all negate the support of the US.)
But perhaps a clearer example than western European peace might be the Balkans. I believe that the prospect of entering the EU has played a non-trivial role in helping convince the Balkan states to finally bury the hatchet for real. (Similarly the prospect of entering the EU has been used to motivate modernizing the post-Soviet European states to great effect.)
> The EU by contrast seems to be a source of constant turmoil.
I think the turmoil you speak of is generally on a completely different order of magnitude than violent conflict. (Of course one would be easily forgiven for misinterpreting the severity of this turmoil given how Europeans do seem to so enjoy moaning and griping about their lots in life -- justified or not. In fact sometimes I feel like it is actually one of the more unifying traits in European cultures. Then again, maybe that's just humanity in general.)
You are not required to be affiliated with any particular religion. You only pay the tax if you choose to officially affiliate yourself with that particular religion.
You are making very strong assumptions about your AES256 implementation (or whatever other block cipher).
On a technical note you assume that whoever coded the implementation of AES did not choose to make it so that it only decrypts a ciphertext with a valid password and otherwise returns "fail". This is trivial to implement: to encrypt m, encrypt 0000...000|m. To decrypt, first decrypt, then check if the result has 0000...000 as a prefix. If not, output "fail", otherwise output m. This could well be considered a "useful" feature of the implementation as it avoids higher level applications using AES from having to deal with bad passwords.
More formally, from a crypto standpoint you also make unrealisable assumptions. A block cipher is essentially a pseudo-random permutation. You are suggesting that selecting a random PRP p1 from the AES family (i.e. a random password), computing it in the forwards direction to get p1(m)=c, then selecting another (arbitrary!, not random) PRP p2 from the family and then inverting it to get p2^-1(c) = m' would give you a uniformly distributed m' that is independent of m and p1. No way. Formally you are assuming AES is a family of (invertible) random oracles! But it's trivial to see that random oracles can not be implemented by any poly-time algorithm. So regardless of how it is implemented this can not possibly be more than a heuristic.
Conclusion: don't assume decrypting with a bad password gives a random output independent of the message in the ciphertext. This is an extra (and formally a false) assumption on your implementation!
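The "decrypt or fail" wrapper described in the comment above, as an added example that is not code from the comment or from any AES library. To keep it runnable with the standard library alone, the block cipher is a hypothetical stand-in for AES: a 4-round Feistel (Luby-Rackoff) permutation on 32-byte blocks whose round function is HMAC-SHA256, used in CBC mode. The names `encrypt`, `decrypt_or_fail`, `prp_encrypt_block`, `prp_decrypt_block` and the 16-byte zero prefix `REDUNDANCY` are assumptions of this example. The point it shows is the one the comment makes: with a wrong key the decrypted prefix is not the expected zeros, so the wrapper returns "fail" instead of garbage that looks like a plaintext.

```python
import hashlib
import hmac
import os

# Added example (not from the original comment). The cipher below is a
# hypothetical 4-round Feistel PRP built from HMAC-SHA256 standing in for AES.
HALF = 16                    # Feistel half-block; a block is 32 bytes
BLOCK = 2 * HALF
ROUNDS = 4
REDUNDANCY = b"\x00" * 16    # the "0000...000" prefix used as a wrong-key detector


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Per-round PRF keyed by the cipher key and domain-separated by round index.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def prp_encrypt_block(key, block):
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def prp_decrypt_block(key, block):
    # Undo the Feistel rounds in reverse order; the round function is never inverted.
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def encrypt(key, message, iv=None):
    """CBC-encrypt REDUNDANCY || message. The zero prefix is what decryption checks."""
    iv = os.urandom(BLOCK) if iv is None else iv
    plaintext = _pad(REDUNDANCY + message)
    prev, out = iv, [iv]
    for i in range(0, len(plaintext), BLOCK):
        prev = prp_encrypt_block(key, _xor(plaintext[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def decrypt_or_fail(key, ciphertext):
    """Return the message, or None ("fail") when the key is wrong or the data damaged."""
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        block = body[i : i + BLOCK]
        out.append(_xor(prp_decrypt_block(key, block), prev))
        prev = block
    plaintext = _unpad(b"".join(out))
    if plaintext is None or not plaintext.startswith(REDUNDANCY):
        return None    # a wrong key passes this check with probability about 2^-128
    return plaintext[len(REDUNDANCY):]


if __name__ == "__main__":
    key, wrong_key = os.urandom(32), os.urandom(32)
    ct = encrypt(key, b"attack at dawn")
    print("right key:", decrypt_or_fail(key, ct))
    print("wrong key:", decrypt_or_fail(wrong_key, ct))
```

Two design remarks. First, the check is a pure implementation choice layered on top of the block cipher, which is the comment's point: nothing about "AES" tells you whether the library you are holding does this. Second, in deployed systems the same job is normally done by an authentication tag (an AEAD mode or encrypt-then-MAC), which also rejects tampered ciphertexts rather than only wrong keys; the zero-prefix form is kept here because it is the construction the comment describes.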
Dude... seriously?
At least they did SOMETHING to help the people in Egypt. What do you want? A full-scale Google invasion?
And by the way a Google employee (exec) was kidnapped by plain-clothes security forces in Cairo and has been missing for several days. The arrest was caught on video. See around 1:11
Not quite so cushy after all.
Land lines that can call international numbers are not all that common in Egypt and cost extra.
I was talking to a guy from Telecomix on IRC yesterday who was working on a pretty sweet project trying to get net and phones to people in Egypt. Generally they seem to be organizing quite a few cool things. In this case the guy was gearing up to buy a bundle of phone lines (enough for about 2000) and hooking them up to a computer with SIP on the Egypt side. The end goal was to set up what is essentially a new dial-in ISP. But I didn't really have time/knowledge to understand the details. Anyway they're doing some pretty rad stuff so it's worth checking out.
Still, there really is only so much you can do given just a couple days notice and a country in the midst of an information lockdown (not to mention a general revolution).
That would make DDoS attacks a whole lot more dangerous now, wouldn't it...
Noor is the ISP for the stock exchange as well as for many major banks. That would suggest quite a few reasons as to why they were not shut down with the rest...
Not everything is down. The IP block of the Ministry of Communication is still up.
I've been following the situation quite closely now on Twitter for several days and a surprising number of tweets coming from inside Egypt are actually in English. Search for hashtags #jan25 and #feb1 to see what I mean. Even now with all ISPs down people are still finding ways round the blockade and tweeting. (Of course many of those tweets are not actually from inside Egypt, especially now. But still over the last few days many were.)
Also from the google blog post announcing the new service: "People can listen to the messages by dialing the same phone numbers or going to twitter.com/speak2tweet." So they do seem to provide a way to get information and not just give. Haven't tested it myself though.
NP-hardness tells us something about worst case complexity. For crypto we care about average case complexity. A problem must be hard on average, not just in the worst case.
Here's your evidence:
Given a public key for an asymmetric cryptosystem (say a modulus n for RSA) it is easy to verify (i.e. in NP) that a candidate secret key (say primes p and q in the RSA case) matches the public key. Paraphrasing heavily now: If P == NP then anything that is easy to verify in polytime is also easy to solve in polytime. In our case that means if I give you a public key you can now FIND a matching secret key in polytime. I.e. if I give you n which is an RSA public key you can factor it into primes p and q. But if you can find the secret key for any public key algorithm (including RSA) then no such algorithm can be a "secure" cryptosystem.
Heading off some misunderstanding: We do not know how to base security ONLY on P != NP. In fact that is considered one of the largest open problems in modern theory of crypto. While I just argued that P!=NP is a _necessary_ condition for all asymmetric (and most symmetric) crypto to be secure it is not known to be _sufficient_.
We're getting closer with some of the recent advances in lattice-based crypto but we are definitely not there yet. For the theory people out there: A fundamental problem here is that NP tells us something about worst case hardness but for crypto we need average case hardness (i.e. for a random secret key and random coins for the ciphertext). Bridging this gap is highly non-trivial. Recent work in lattices has shown such connections and how to use them for certain problems. However the choice of parameters we use for the resulting cryptosystems is not known to result in NP-hard underlying problems.
I'm pretty sure factoring and discrete log are not known to be equivalent. This would be a huge result in theory of crypto if it could be shown.
Indeed that would be the case. The data is not actually encrypted as claimed by the group, but rather just encoded. In other words there is no secret password required for recovering the data. Instead all you need is to know the scheme used to encode/decode the data.
By the same token ASCII would be an "encryption" of the Roman alphabet (amongst other symbols). Clearly that's just BS.