Re: Crypto Mini-FAQ

From: Roger Schlafly (rogersc_at_mindspring.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 07:09:24 GMT


<jsavard@ecn.ab.ca> wrote
> : Q: Has the govt put secret backdoors in any of these algorithms?
> : No. Some US govt crypto policies have been controversial, but there
> : is no evidence of secret backdoors or anything like that.
> I don't think they've done that either, but it must be admitted that
> absence of evidence is not evidence of absence. Thus, "Almost certainly
> not." would be better than "No." as an answer.

I am satisfied that the answer is No. I think the next sentence spells
it out well enough. I could write a couple of pages on how I came to
that conclusion, but I don't think it is necessary.

> : Q: How large should my keys be?
> : A panel of experts recommended 90-bit cipher keys in 1996 as being
> : sufficient for the next 20 years.
> : ftp://ftp.research.att.com/dist/mab/keylength.txt
> Even if they're right, why would one want to use a 90-bit cipher key? What
> significant savings can be effected as a result?

It might matter to some people. I cite that paper because it is an
independent opinion, is widely cited favorably, and has some key length
analysis in it.

> : AES keys can be 128, 192, or 256 bits. AES-128 should be secure
> : for the foreseeable future. Triple-DES uses 168 bit keys, but is
> : probably less secure than AES-128.
> It's certainly much less efficient. And the block size could lend itself
> to a codebook attack in some situations. Except for that, I wasn't aware
> that there was any basis for comparing their security, except that both
> are believed to have a security close to that of a perfect block cipher
> against which only the brute-force attack is possible.

Besides the blocksize problem, I am assuming that there is an attack
on TDES that is better than 2^168, and maybe better than 2^128.
But I could be wrong. At any rate, I have the impression that people
trust AES-128 more than TDES.

> : Furthermore, the random
> : key stream is usually simulated with a pseudo-random number generator,
> : and all security properties are lost if that PRNG is weak.
> No, the random key stream in a one-time-pad is _never_ simulated with a
> pseudo-random number generator except by deluded snake oil salesmen.
> However, there certainly are such things as "stream ciphers" in which the
> same mathematical operations take place, but they are not one-time pads.

We seem to have a terminology hangup. I'd say that a stream cipher is
a one-time pad with the key stream simulated by a PRNG.

> : Computational complexity theory is just not good enough to prove that
> : DES or RSA encryption is secure. The academic literature has lots of
> : theorems that prove that certain constructions have certain properties
> : provided that factoring is hard, or under some similar assumption.
> I suppose you _could_ say that it is closer to being good enough to say
> useful things about RSA than it is about DES.

Is that true? News to me.

> Quantum cryptography has nothing to do with quantum computing...

Not much, except that quantum cryptography needs a quantum
computer in every repeater and router.

> : Quantum computers threaten the future of RSA in about the same way
> : that cold fusion threatens to solve the world's energy problems. It
> : would require huge theoretical and practical breakthroughs. Even if
> : that happens, people could just shift to AES-256 and other algorithms.
> : In the meantime, Moore's Law is a bigger threat to RSA.
> *This* is the paragraph that got me a bit steamed up.
> Cold fusion turned out - despite some continuing Japanese work with nickel
> instead of palladium - not to be real.
> Quantum computing, though, _is_ real and legitimate.

I don't see much difference. Cold fusion and quantum computing are both
just ideas. In both cases, the physics says that it might be possible, but
no one has figured out how to do it. Neither is likely in our lifetimes. If I
had to bet on one or the other, I am not sure which I would pick.

I'd like to hear more comments on this point.
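
Added example, not part of the original post: the stream-cipher versus one-time-pad exchange above, worked in Python. The 16-bit-seeded LCG, the sample message and all function names are constructed for illustration, and `secrets.token_bytes` stands in for a truly random pad.

```python
import secrets

def lcg_keystream(seed: int, n: int) -> bytes:
    """n keystream bytes from a 32-bit LCG keyed by a 16-bit seed (deliberately weak)."""
    state = seed & 0xFFFF
    out = bytearray()
    for _ in range(n):
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        out.append(state >> 24)           # emit the top byte of the state
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def stream_crypt(seed: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the PRNG keystream."""
    return xor_bytes(data, lcg_keystream(seed, len(data)))

def otp_encrypt(msg: bytes):
    """One-time pad: the pad is as long as the message and never reused."""
    pad = secrets.token_bytes(len(msg))   # assumption: stands in for true randomness
    return pad, xor_bytes(msg, pad)

def seeds_consistent_with(ct: bytes, known_prefix: bytes) -> list:
    """Seeds whose keystream agrees with the bytes implied by a known header."""
    target = xor_bytes(ct, known_prefix)
    return [s for s in range(1 << 16) if lcg_keystream(s, len(target)) == target]

def pad_explaining(ct: bytes, guess: bytes) -> bytes:
    """For a one-time pad, any same-length guess is explained by some pad."""
    return xor_bytes(ct, guess)

# Constructed sample input.
SEED = 0xBEEF
MSG = b"From: alice\nmeet at the usual place at nine"

if __name__ == "__main__":
    ct = stream_crypt(SEED, MSG)
    found = seeds_consistent_with(ct, b"From: ")
    print("seeds matching the known header:", [hex(s) for s in found])
    print("message under first match:", stream_crypt(found[0], ct))
    pad, ct2 = otp_encrypt(MSG)
    decoy = b"x" * len(MSG)
    print("pad exists for decoy:", xor_bytes(ct2, pad_explaining(ct2, decoy)) == decoy)
```

The XOR step is identical in both cases; the difference is that the PRNG cipher has only as many possible keystreams as it has seeds, while the pad leaves every same-length plaintext equally consistent with the ciphertext.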


