Re: Collage
... appears to be real: Collage (http://..uses-twitter-flickr-to-let-dissidents-send-secret-messages/), developed by a group at Georgia Tech...

Whenever I hear of an academic institution announcing to the world a cryptographic product or component with phrases such as "dissidents in China" and "oppressive regimes", I strongly suspect that the product is meant to help in attracting research grants, much more than it is meant to help dissidents in China or subjects of the oppressive regimes.

MakRober

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: 2048-bit RSA keys
On Aug 17, 2010, at 10:25 PM, John Gilmore wrote:

> (Given their prediction that they won't be done with a 1024-bit number
> within 5 years, but they will be done "well within the next decade",
> which 1024-bit number are they starting to factor now? I hope it's a
> major key that certifies big chunks of the Internet for https today,
> rather than one of those silly challenge keys.)

If they announced which key they were working on, I would completely expect someone to demand a very amusing injunction against the performing of arithmetical operations.

"When mathematics is outlawed ..."
Re: Haystack
I emailed the author Austin Heap again yesterday to ask for some technical details. He responded and declined to provide any information. At this point, I have seen no evidence that Haystack exists.

On Tue, Aug 17, 2010 at 8:10 PM, wrote:

> > Based on those statements, I'm going to speculate that the client
> > connects to a static list of innocuous-looking proxies and that they
> > are relying on keeping those proxies secret.
>
> Hmm, what is the chance that the static ones redirect to
> other proxies (some of which might even be unwitting)?
>
> Probably too out there.
Collage
Yesterday I asked about Haystack, an anti-censorship system that appears to exist mainly as newspaper articles. So today I ran across another system, which appears to be real: Collage (http://gigaom.com/2010/07/12/software-uses-twitter-flickr-to-let-dissidents-send-secret-messages/ ), developed by a group at Georgia Tech and to be presented at Usenix.

On a crypto level, unlike Haystack, Collage is nothing new: It uses steganographic techniques to hide text in photos. What it contributes is easy to use software for both embedding and extracting the data, integrated with Flickr.

-- Jerry
Re: 2048-bit RSA keys
> It's worth a quote from the paper at CRYPTO '10 on factorization of a
> 768-bit number:

A good paper by top academics.

> Another conclusion from
> our work is that we can confidently say that if we restrict ourselves to
> an open community, academic effort such as ours and unless something
> dramatic happens in factoring, we will not be able to factor a 1024-bit
> RSA modulus within the next five years [27]. After that, all bets are off.

The 768-bit team started crunching in early 2007 and completed three years later in December 2009. They used fewer than a thousand commercially available unspecialized computers, connected by commercially available interconnects. Their intermediate results fit on less than a dozen $150 2TB disk drives. And one of their results is that it's better to scale up the part of the process that scales linearly with minimal communication (sieving), to reduce the complexity of the nonlinear parts.

(Given their prediction that they won't be done with a 1024-bit number within 5 years, but they will be done "well within the next decade", which 1024-bit number are they starting to factor now? I hope it's a major key that certifies big chunks of the Internet for https today, rather than one of those silly challenge keys.)

Their reported time and difficulty results are great lower bounds on the capabilities of the covert or criminal -- but don't mistake them for upper bounds!

No open-community academic has ever designed, built and deployed special-purpose hardware for factoring numbers of this size. Yet they have published designs that claim order-of-magnitude speedups or better on time-consuming parts of the process. EFF read similar published paper designs for DES cracking. When a few years later we built the actual device, we discovered that the basic structure of the academics' designs really did work.

There are good reasons to believe that the covert community *has* built RSA cracking hardware as good or better than what's been publicly designed. And in some places covert agencies and organized crime are partners, thus merely stealing large amounts of money, as opposed to military objectives, might motivate a covert key crack.

Here is Europe's consensus report on recommended key sizes, also co-authored by Lenstra:

  ECRYPT2 Yearly Report on Algorithms and Keysizes (2010).
  http://www.ecrypt.eu.org/documents/D.SPA.13.pdf

For RSA, "we recommend |N| >= 1024 for legacy systems and |N| >= 2432 for new systems."

A more accessible table of ECRYPT2-2010 recommendations:

  http://www.keylength.com/en/3/

  RSA Bits  Security level
  --------  --------------
   1008:    Short-term protection against medium organizations,
            medium-term protection against small organizations
   1248:    Very short-term protection against agencies,
            long-term protection against small organizations
            Smallest general-purpose level,
   1776:    Legacy standard level
   2432:    Medium-term protection
   3248:    Long-term protection
            Generic application-independent recommendation,
            protection from 2009 to 2040
  15424:    "Foreseeable future"
            Good protection against quantum computers,
            unless Shor's algorithm applies

John
Re: Haystack
>
> Based on those statements, I'm going to speculate that the client
> connects to a static list of innocuous-looking proxies and that they
> are relying on keeping those proxies secret.
>

Hmm, what is the chance that the static ones redirect to other proxies (some of which might even be unwitting)?

Probably too out there.

--dan