Re: [Cryptography] Perfection versus Forward Secrecy

2013-09-14 Thread Tony Arcieri
On Thu, Sep 12, 2013 at 11:08 PM, Eugen Leitl eu...@leitl.org wrote:

> I do not think that the spooks are too far away from open research in
> QC hardware. It does not seem likely that we'll be getting real QC
> any time soon, if ever.

I don't think the spooks are ahead of the public either, and I really doubt
the NSA has a large quantum computer.

We still haven't seen quantum computers built yet which can truly rival
their conventional electronic brethren, especially if you look at it from a
cost perspective. DWave computers are interesting from a novelty
perspective, but not really ready to replace existing computers, even for
highly specialized tasks like running Shor's algorithm.

Nevertheless, if you've been following the trends in quantum computers over
the last few years, they are getting larger, and DWave is an example of
them moving out of the labs and turning into something you can buy.

I wouldn't be surprised to see a large quantum computer built in the next
two decades.

-- 
Tony Arcieri
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Perfection versus Forward Secrecy

2013-09-13 Thread Eugen Leitl
On Thu, Sep 12, 2013 at 09:33:34AM -0700, Tony Arcieri wrote:

> What's really bothered me about the phrase perfect forward secrecy is
> it's being applied to public key algorithms we know will be broken as soon
> as a large quantum computer has been built (in e.g. a decade or two).

I do not think that the spooks are too far away from open research in
QC hardware. It does not seem likely that we'll be getting real QC
any time soon, if ever.

The paranoid nuclear option remains: one time pads. There is obviously
a continuum for XORing with output very large state PRNGs and
XORing with one time pads. It should be possible to build families
of such which resist reverse-engineering the state. While
juggling around several MByte or GByte keys is inconvenient, some
applications are well worth it.

Why e.g. SWIFT is not running on one time pads is beyond me.

> Meanwhile people seem to think that it's some sort of technique that will
> render messages unbreakable forever.

Re: [Cryptography] Perfection versus Forward Secrecy

2013-09-12 Thread John Gilmore
> > I wouldn't mind if it had been called Pretty Good Forward Secrecy instead,
> > but it really is a lot better than regular public key.
>
> My point was that the name is misleading and causes people to look for more
> than is there.

There doesn't seem to be much downside to just calling it Forward
Secrecy rather than Perfect Forward Secrecy.  We all seem to agree
that it isn't perfect, and that it is a step forward in security, at a
moderate cost in latency and performance.

John

Re: [Cryptography] Perfection versus Forward Secrecy

2013-09-12 Thread Tony Arcieri
On Wed, Sep 11, 2013 at 8:00 PM, John Gilmore g...@toad.com wrote:

> There doesn't seem to be much downside to just calling it Forward
> Secrecy rather than Perfect Forward Secrecy.  We all seem to agree
> that it isn't perfect, and that it is a step forward in security, at a
> moderate cost in latency and performance.

What's really bothered me about the phrase perfect forward secrecy is
it's being applied to public key algorithms we know will be broken as soon
as a large quantum computer has been built (in e.g. a decade or two).
Meanwhile people seem to think that it's some sort of technique that will
render messages unbreakable forever.

-- 
Tony Arcieri