On Thu, Sep 12, 2013 at 1:11 PM, Nico Williams n...@cryptonector.com wrote:
- Life will look a bit bleak for a while once we get to quantum machine
cryptopocalypse...
Why? We already have NTRU. We also have Lamport Signatures. djb is working
on McBits. I'd say there are already many options
zooko zo...@zooko.com writes:
I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin
were stolen by exploiting this, for example:
http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
Was that the change that was required by FIPS 140, or a different
I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were
stolen by exploiting this, for example:
http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
However, it is quite straightforward to make yourself safe from re-used nonces
in (EC)DSA, like
I am certainly not going to advocate Internet-scale KDC. But what
if the application does not need to scale more than a network of
friends?
A thousand times yes.
There is however a little fly in that particular ointment. Sure, we can develop
Just to throw in my two cents...
In the early 1990s I wanted to roll out an encrypted e-mail solution
for the MIT Community (I was the Network Manager and responsible for
the mail system). We already had our Kerberos Authentication system
(of which
On Sep 7, 2013, at 3:25 PM, Christian Huitema huit...@huitema.net wrote:
Another argument is “minimal dependency.” If you use public key, you depend
on both the public key algorithm, to establish the key, and the symmetric key
algorithm, to protect the session. If you just use symmetric
Pairwise shared secrets are just about the only thing that scales worse than
public key distribution by way of PGP key fingerprints on business cards.
The equivalent of CAs in an all-symmetric world is KDCs. Instead of having
the power to enable an active attack on you today, KDCs have
Public key depends on high level math. That math has some asymmetric
property that we can use to achieve the public-private key relationships.
The problem is that the discovery of smarter math can invalidate the
asymmetry and make it more symmetrical. This has to do with P=NP, which is
also less
On Sat, Sep 07, 2013 at 08:45:34PM -0400, Perry E. Metzger wrote:
I'm unaware of an ECC equivalent of the Shor algorithm. Could you
enlighten me on that?
Shor's algorithm is a Fourier transform, essentially. It can find periods of
a function you can implement as a quantum circuit with only
On 09/07/2013 07:51 PM, John Kelsey wrote:
Pairwise shared secrets are just about the only thing that scales
worse than public key distribution by way of PGP key fingerprints on
business cards.
If we want secure crypto that can be used by everyone, with minimal
trust, public key is the
Symmetric cryptography does a much easier thing. It combines data and some
mysterious data (key) in a way that you cannot extract data without the
mysterious data from the result. It's like a + b = c. Given c you need b to
find a. The tricks that are involved are mostly about sufficiently
On Sep 7, 2013, at 11:06 PM, Christian Huitema wrote:
Pairwise shared secrets are just about the only thing that scales worse than
public key distribution by way of PGP key fingerprints on business cards.
The equivalent of CAs in an all-symmetric world is KDCs. If we want
secure
On Sep 8, 2013, at 10:45 AM, Ray Dillinger wrote:
Pairwise shared secrets are just about the only thing that scales
worse than public key distribution by way of PGP key fingerprints on
business cards.
If we want secure crypto that can be used by everyone, with minimal
trust, public key
On 9/7/13 9:06 PM, Christian Huitema wrote:
Pairwise shared secrets are just about the only thing that
scales worse than public key distribution by way of PGP key
fingerprints on business cards. The equivalent of CAs in an
all-symmetric world is
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about issues with nonces, counters, IVs, chaining
modes, and all that, you see that saying that it's tetchier than that is
On Sep 6, 2013, at 11:05 PM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and if you pay
attention to us talking about issues with nonces, counters, IVs, chaining
modes, and all that, you see
I have also, in debate with Jerry, opined that public-key cryptography is a
powerful thing that can't be replaced with symmetric-key cryptography. That's
something that I firmly believe. At its most fundamental, public-key crypto
allows one to encrypt something to someone whom one does not
On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote:
It's a big picture thing. At the end of the day, symmetric crypto
is something that good software engineers can master, and relatively
well, in a black box sense. Public key crypto not so
it boils down to this: symmetric crypto is much faster than asymmetric
crypto. Asymmetric crypto should only be used to exchange symmetric keys
and signing.
On Sat, Sep 7, 2013 at 11:10 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
I have also, in debate with Jerry, opined that public-key
On 7/09/13 09:05 AM, Jaap-Henk Hoepman wrote:
Public-key cryptography is less well-understood than symmetric-key
cryptography. It is also tetchier than symmetric-key crypto, and
if you pay attention to us talking about issues with nonces,
counters, IVs, chaining modes, and all that, you see
On Sep 6, 2013, at 11:51 PM, Marcus D. Leech mle...@ripnet.com wrote:
The other thing that I find to be a dirty little secret in PK systems is
revocation. OCSP makes things, in some ways, better than CRLs, but I still
find them to be a kind of swept under the rug problem when people are
On Sat, Sep 7, 2013 at 1:01 PM, Ray Dillinger b...@sonic.net wrote:
And IIRC, pretty much every asymmetric ciphersuite (including all public-
key crypto) is vulnerable to some transformation of Shor's algorithm that
is in fact practical to implement on such a machine.
Lattice-based (NTRU) or
On Sat, 07 Sep 2013 13:01:53 -0700
Ray Dillinger b...@sonic.net wrote:
I think we can no longer rule out the possibility that some attacker
somewhere (it's easy to point a finger at the NSA but it could be
just as likely pointed at GCHQ or the IDF or Interpol) may have
secretly developed a
On Sat, 7 Sep 2013 13:06:14 -0700
Tony Arcieri basc...@gmail.com wrote:
In order to beat quantum computers, we need to use public key systems
with no (known) quantum attacks, such as lattice-based (NTRU) or
code-based (McEliece/McBits) algorithms. ECC and RSA will no longer
be useful.
I'm
On Sat, 7 Sep 2013 20:43:39 -0400 I wrote:
To my knowledge, there is no ECC analog of Shor's algorithm.
...and it appears I was completely wrong on that.
See, for example: http://arxiv.org/abs/quant-ph/0301141
Senility gets the best of us.
Perry
On Sep 6, 2013, at 6:13 AM, Jaap-Henk Hoepman j...@cs.ru.nl wrote:
In this oped in the Guardian
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Bruce Schneier writes: Prefer symmetric cryptography over public-key
cryptography. The only reason I can
The magic of public key crypto is that it gets rid of the key
management problem -- if I'm going to communicate with you with
symmetric crypto, how do I get the keys to you? The pain of it is that
it replaces it with a new set of problems. Those problems include that
the amazing power of