Re: Collage

2010-08-18 Thread M.R.

... appears to be real: Collage
(http://..uses-twitter-flickr-to-let-dissidents-send-secret-messages/),
developed by a group at Georgia Tech...


Whenever I hear of an academic institution announcing to the world
a cryptographic product or component with phrases such as "dissidents
in China" and "oppressive regimes", I strongly suspect that the
product is meant to help in attracting research grants, much more
than it is meant to help dissidents in China or subjects of the
oppressive regimes.

MakRober

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: 2048-bit RSA keys

2010-08-18 Thread Matt Crawford

On Aug 17, 2010, at 10:25 PM, John Gilmore wrote:

> (Given their prediction that they won't be done with a 1024-bit number
> within 5 years, but they will be done "well within the next decade",
> which 1024-bit number are they starting to factor now?  I hope it's a
> major key that certifies big chunks of the Internet for https today,
> rather than one of those silly challenge keys.)

If they announced which key they were working on, I would completely expect 
someone to demand a very amusing injunction against the performing of 
arithmetical operations.

"When mathematics is outlawed ..."



Re: Haystack

2010-08-18 Thread Steve Weis
I emailed the author Austin Heap again yesterday to ask for some
technical details. He responded and declined to provide any
information.

At this point, I have seen no evidence that Haystack exists.

On Tue, Aug 17, 2010 at 8:10 PM,   wrote:
>  > Based on those statements, I'm going to speculate that the client
>  > connects to a static list of innocuous-looking proxies and that they
>  > are relying on keeping those proxies secret.
>
> Hmm, what is the chance that the static ones redirect to
> other proxies (some of which might even be unwitting)?
>
> Probably too out there.



Collage

2010-08-18 Thread Jerry Leichter
Yesterday I asked about Haystack, an anti-censorship system that
appears to exist mainly as newspaper articles.  So today I ran across
another system, which appears to be real:  Collage
(http://gigaom.com/2010/07/12/software-uses-twitter-flickr-to-let-dissidents-send-secret-messages/),
developed by a group at Georgia Tech and to be presented at
Usenix.  On a crypto level, unlike Haystack, Collage is nothing new:
It uses steganographic techniques to hide text in photos.  What it
contributes is easy-to-use software for both embedding and extracting
the data, integrated with Flickr.


   -- Jerry



Re: 2048-bit RSA keys

2010-08-18 Thread John Gilmore
> It's worth a quote from the paper at CRYPTO '10 on factorization of a
> 768-bit number:

A good paper by top academics.

> Another conclusion from
> our work is that we can confidently say that if we restrict ourselves to
> an open community, academic effort such as ours and unless something
> dramatic happens in factoring, we will not be able to factor a 1024-bit
> RSA modulus within the next five years [27]. After that, all bets are off.

The 768-bit team started crunching in early 2007 and completed three
years later in December 2009.  They used fewer than a thousand
commercially available unspecialized computers, connected by
commercially available interconnects.  Their intermediate results fit
on less than a dozen $150 2TB disk drives.  And one of their results
is that it's better to scale up the part of the process that scales
linearly with minimal communication (sieving), to reduce the complexity
of the nonlinear parts.

(Given their prediction that they won't be done with a 1024-bit number
within 5 years, but they will be done "well within the next decade",
which 1024-bit number are they starting to factor now?  I hope it's a
major key that certifies big chunks of the Internet for https today,
rather than one of those silly challenge keys.)

Their reported time and difficulty results are great lower bounds
on the capabilities of the covert or criminal -- but don't mistake
them for upper bounds!

No open-community academic has ever designed, built and deployed
special-purpose hardware for factoring numbers of this size.  Yet they
have published designs that claim order-of-magnitude speedups or
better on time-consuming parts of the process.  EFF read similar
published paper designs for DES cracking.  When a few years later we
built the actual device, we discovered that the basic structure of the
academics' designs really did work.  There are good reasons to believe
that the covert community *has* built RSA cracking hardware as good or
better than what's been publicly designed.  And in some places covert
agencies and organized crime are partners, thus merely stealing large
amounts of money, as opposed to military objectives, might motivate a
covert key crack.

Here is Europe's consensus report on recommended key sizes, also
co-authored by Lenstra: 

  ECRYPT2 Yearly Report on Algorithms and Keysizes (2010).
  http://www.ecrypt.eu.org/documents/D.SPA.13.pdf

  For RSA, "we recommend |N| >= 1024 for legacy systems and |N| >= 2432
  for new systems."

A more accessible table of ECRYPT2-2010 recommendations:

  http://www.keylength.com/en/3/

  RSA
  Bits     Security level
  -----    --------------
  1008:    Short-term protection against medium organizations,
           medium-term protection against small organizations
  1248:    Very short-term protection against agencies,
           long-term protection against small organizations
           Smallest general-purpose level
  1776:    Legacy standard level
  2432:    Medium-term protection
  3248:    Long-term protection
           Generic application-independent recommendation,
           protection from 2009 to 2040
  15424:   "Foreseeable future"
           Good protection against quantum computers,
           unless Shor's algorithm applies

John
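A worked extrapolation of the factoring effort John describes, plus an audit check against the ECRYPT2 table he quotes, added here as an example (it is not code from the thread or from the CRYPTO '10 paper). It assumes the standard GNFS heuristic L_N[1/3, (64/9)^(1/3)] for scaling effort between modulus sizes and the roughly three-year 768-bit run as its baseline; function names are my own.

```python
import math

# ECRYPT2-2010 RSA modulus sizes and protection levels as quoted in the
# message (keylength.com table); thresholds and labels come from the page.
ECRYPT2_RSA_LEVELS = [
    (1008, "short-term protection against medium organizations"),
    (1248, "very short-term protection against agencies"),
    (1776, "legacy standard level"),
    (2432, "medium-term protection (ECRYPT2 minimum for new systems)"),
    (3248, "long-term protection, 2009 to 2040"),
    (15424, "foreseeable future, barring Shor's algorithm"),
]
LEGACY_MIN, NEW_SYSTEM_MIN = 1024, 2432  # "|N| >= 1024 legacy, >= 2432 new"


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the heuristic GNFS running time L_N[1/3, (64/9)^(1/3)]
    for a `bits`-bit modulus.  Constant factors are dropped, so only ratios
    between two sizes mean anything (assumed heuristic, not from the page)."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def relative_effort(from_bits: int, to_bits: int) -> float:
    """How many times harder factoring a to_bits modulus is than from_bits."""
    return math.exp(gnfs_log_effort(to_bits) - gnfs_log_effort(from_bits))


def extrapolate_years(known_bits: int, known_years: float,
                      target_bits: int, speedup: float = 1.0) -> float:
    """Scale a completed run (768 bits in ~3 years) to target_bits at the
    same capacity, divided by any hardware or algorithmic speedup factor."""
    return known_years * relative_effort(known_bits, target_bits) / speedup


def classify_rsa_modulus(bits: int) -> dict:
    """Audit helper: highest ECRYPT2 level reached and the two pass/fail bits."""
    level = "below every ECRYPT2-2010 level"
    for threshold, label in ECRYPT2_RSA_LEVELS:
        if bits >= threshold:
            level = label
    return {"bits": bits, "level": level,
            "ok_for_legacy": bits >= LEGACY_MIN,
            "ok_for_new_systems": bits >= NEW_SYSTEM_MIN}


if __name__ == "__main__":
    for b in (1024, 2048):
        print(f"{b}-bit vs 768-bit: about {relative_effort(768, b):.3g}x harder")
    print(f"{extrapolate_years(768, 3, 1024):.0f} years for 1024 bits at 2009 capacity")
    print(classify_rsa_modulus(2048))  # 2048 < 2432: fails the new-system bar
```

The ~1200x ratio for 768 to 1024 bits matches the paper's "about a thousand times harder", and multiplying out the three-year baseline shows why the decade prediction presupposes far more capacity than the 2009 run had; the classifier also shows that a 2048-bit key, the subject of this thread, falls short of the 2432-bit new-system recommendation.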



Re: Haystack

2010-08-18 Thread dan

 > 
 > Based on those statements, I'm going to speculate that the client
 > connects to a static list of innocuous-looking proxies and that they
 > are relying on keeping those proxies secret.
 > 

Hmm, what is the chance that the static ones redirect to
other proxies (some of which might even be unwitting)?

Probably too out there.

--dan
