
At 11:07 AM -0800 5/15/97, Thomas Porter wrote:
At 09:32 AM 5/15/97 -0700, Bill Frantz thoughtfully expounded thus:
During a hall discussion at CFP, I heard that people at NSA are changing their opinions about the use of strong crypto in the general community. The reason is the threat of InfoWar and the need for strong crypto in general use to secure the US information infrastructure.
I realize I may catch it for my numerical ignorance here, but a more paranoid type might think that any acquiescence on the part of NSA might be due to more relative ease of breaking important traffic than they might have possessed in the past.
I was at the same CFP aisle discussion Bill Frantz is referring to, or at least heard the same thing in a similar discussion. Clint Brooks of the NSA (or one of its cutouts), Stuart Baker, Jim Bidzos, and several of us were talking about the overall crypto situation. Attacks on U.S. interests had just been covered by a couple of panels, so "infowar" was in the air. Brooks admitted that NSA was rethinking its opposition to strong crypto, as they realized (duh) that weak crypto, e.g., <50 bits today, <60 bits in a few years, etc., could allow attacks on financial and other institutions. Left as an exercise is whether subsequent policy actions by NSA and D.C. in general are consistent with this "Crypto Perestroika" (tm).
Does anyone on the list have any ideas on what the Intel mega-Pentium parallel processor (touted for nuclear explosion and weather simulations a few months back, and noticeably missing any mention of NSA application) does to the time estimates for cracking "strong" crypto keys? I am being purposefully vague in my definitions of strong crypto, but I would present as my test cases PGP ASCII-armor traffic of 2048 key length or plain files encrypted with the pgp -c option; i.e., typical crypto-criminal/narco-terrorist fodder.
Please see the usual discussion in Schneier of work factors for breaking various key length systems. See also the study by the "Distinguished Cryptographers Panel" (don't have an URL handy, but a search on Schneier, Blaze, Rivest should turn it up).

Bottom line: work factor grows exponentially in key length. Processor power has been growing much more slowly, and even a 1000-processor parallel computer is good for only about 10 bits. Ditto for the processors themselves, with Intel's latest Pentium II good for "only" a few bits over the Pentium, which itself was good for only a few bits over the 486, and so on.

Left as another exercise: How many bits are needed in a key before exhaustive search (the attack being assumed...if a "clever" attack exists, then of course it could almost certainly be done on an abacus) of the keyspace needs all the processors in the world running for a thousand years? How many bits before converting the Earth into nanocomputers is not enough to search the keyspace in the age of the Earth? And so on. The answers may surprise you.

And using longer keys is "easy" to do. Breaking longer keys is "hard." Strong crypto wins out very quickly. This is why there is no "middle ground" on crypto...it's either strong or it's weak, with nothing in between.

--Tim May

There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1398269 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
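The arithmetic behind the "1000 processors buys about 10 bits" remark and the two exercises at the end of the message, carried through as an added worked example; this is not code from the thread and nobody in it posted it. It models only exhaustive search of a symmetric keyspace (the attack Tim May assumes; a 2048-bit PGP public key is attacked by factoring, not by brute force, so it is outside this model). Every throughput figure is an assumption chosen for illustration: one million trial keys per second per processor for a 1997-era CPU, ten billion processors at a billion keys per second each for "all the processors in the world", and 10^50 atoms each testing a key per nanosecond for "the Earth as nanocomputers".

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s
EARTH_AGE_YEARS = 4.5e9                # rounded; assumption for the exercise


def bits_from_parallelism(processors: int) -> float:
    """Running N machines in parallel divides the search time by N, which is
    the same as shortening the key by log2(N) bits. 1000 processors -> ~10 bits."""
    return math.log2(processors)


def years_to_search(key_bits: int, keys_per_sec_per_proc: float, processors: int) -> float:
    """Wall-clock years to try every key of a key_bits-bit keyspace.

    Work factor is 2**key_bits (exponential in the key length); the attacker's
    resources only enter as a product, so they add bits linearly (logarithmically).
    """
    keys = 2 ** key_bits
    return keys / (keys_per_sec_per_proc * processors) / SECONDS_PER_YEAR


def min_key_bits(keys_per_sec_per_proc: float, processors: int, years: float) -> int:
    """Smallest key length whose keyspace cannot be exhausted by the given
    resources within the given time: solve 2**b >= total trial keys for b."""
    total_keys = keys_per_sec_per_proc * processors * years * SECONDS_PER_YEAR
    return math.ceil(math.log2(total_keys))


if __name__ == "__main__":
    # Assumed 1997 desktop: 1e6 keys/s per processor, 1000 of them in parallel.
    print(f"1000 processors buy {bits_from_parallelism(1000):.1f} bits")
    print(f"56-bit key, 1000 procs @ 1e6/s:  {years_to_search(56, 1e6, 1000):.2f} years")
    print(f"128-bit key, same hardware:      {years_to_search(128, 1e6, 1000):.2e} years")

    # Exercise 1 (assumed): 1e10 processors worldwide, 1e9 keys/s each, 1000 years.
    print(f"all the world's CPUs for 1000 years exhaust at most "
          f"{min_key_bits(1e9, 1e10, 1000)}-bit keys")

    # Exercise 2 (assumed): 1e50 Earth-atoms as nanocomputers, 1e9 keys/s each,
    # running for the age of the Earth.
    print(f"Earth-as-nanocomputers for the age of the Earth exhausts at most "
          f"{min_key_bits(1e9, 10 ** 50, EARTH_AGE_YEARS)}-bit keys")
```

The numbers depend entirely on the assumed throughputs, but the shape of the result does not: every factor of two in hardware or time adds exactly one bit, while every added key bit doubles the attacker's work, which is the "no middle ground" point of the post. Under the stated assumptions a 56-bit key falls to 1000 mid-1990s processors in a couple of years, a 128-bit key does not fall to the same hardware in ten billion trillion years, and even the absurd nanocomputer scenario tops out well below 256 bits.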