NSA _likes_ strong crypto?

Tim May tcmay at got.net
Thu May 15 12:58:52 PDT 1997


At 11:07 AM -0800 5/15/97, Thomas Porter wrote:
>At 09:32 AM 5/15/97 -0700, Bill Frantz thoughtfully expounded thus:
>
>>
>>During a hall discussion at CFP, I heard that people at NSA are changing
>>their opinions about the use of strong crypto in the general community.
>>The reason is the threat of InfoWar and the need for strong crypto in
>>general use to secure the US information infrastructure.
>
>
>I realize I may catch it for my numerical ignorance here, but a more
>paranoid type might think that any acquiescence on the part of NSA might be
>due to more relative ease of breaking important traffic than they might
>have possessed in the past.

I was at the same CFP aisle discussion Bill Frantz is referring to, or at
least heard the same thing in a similar discussion. Clint Brooks of the NSA
(or one of its cutouts), Stuart Baker, Jim Bidzos, and several of us were
talking about the overall crypto situation. Attacks on U.S. interests had
just been covered by a couple of panels, so "infowar" was in the air.
Brooks admitted that NSA was rethinking its opposition to strong crypto, as
they realized (duh) that weak crypto, e.g., <50 bits today, <60 bits in a
few years, etc., could allow attacks on financial and other institutions.

Left as an exercise is whether subsequent policy actions by NSA and D.C. in
general are consistent with this "Crypto Perestroika" (tm).


>Does any one on the list have any ideas on what the Intel mega-pentium
>parallel processor (touted for nuclear explosion and weather simulations a
>few months back, and noticeably missing any mention of NSA application)
>does to the time estimates for cracking "strong" crypto keys?  I am being
>purposefully vague in my definitions of strong crypto, but I would present
>as my test cases PGP ascii-armor traffic of 2048 key length or plain files
>encrypted with pgp -c option; i.e. typical crypto-criminal/narco-terrorist
>fodder.

Please see the usual discussion in Schneier of work factors for breaking
various key length systems. See also the study by the "Distinguished
Cryptographers Panel" (don't have a URL handy, but a search on Schneier,
Blaze, Rivest should turn it up).

Bottom line: work factor grows exponentially in key length. Processor power
has been growing much more slowly, and even a 1000-processor parallel
computer is good for only about 10 bits. Ditto for the processors
themselves, with Intel's latest Pentium II good for "only" a few bits over
the Pentium, which itself was good for only a few bits over the 486, and so
on.

Left as another exercise: How many bits are needed in a key before
exhaustive search (the attack being assumed...if a "clever" attack exists,
then of course it could almost certainly be done on an abacus) of the
keyspace needs all the processors in the world running for a thousand
years? How many bits before converting the Earth into nanocomputers is not
enough to search the keyspace in the age of the Earth? And so on. The
answers may surprise you.

And using longer keys is "easy" to do. Breaking longer keys is "hard."
Strong crypto wins out very quickly.

This is why there is no "middle ground" on crypto...it's either strong or
it's weak, with nothing in between.

--Tim May




There's something wrong when I'm a felon under an increasing number of laws.
Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
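The arithmetic behind the post's "work factor grows exponentially in key length" argument, and its two exercises, worked as an added example. This is not code from the original message or from Tim May; every figure fed into it (the number of processors in the world, key trials per second, the atom count and age of the Earth) is a constructed or rough textbook assumption, labelled as such in the code, and the point is the shape of the numbers rather than their exact values.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, in seconds


def bits_from_speedup(factor: float) -> float:
    """Key bits that a speedup of `factor` buys an exhaustive search.

    Trying `factor` times as many keys per second covers log2(factor) more
    bits of keyspace in the same time. The factor can be a processor count
    (1000 parallel processors ~ 10 bits) or a per-chip generational gain
    (a hypothetical 3x faster chip ~ 1.6 bits).
    """
    return math.log2(factor)


def bits_searchable(trials_per_second: float, years: float) -> float:
    """Largest key length n whose whole keyspace (2^n keys) fits in the budget."""
    total_trials = trials_per_second * years * SECONDS_PER_YEAR
    return math.log2(total_trials)


def years_to_exhaust(key_bits: int, trials_per_second: float) -> float:
    """Years a brute-force search of the full 2^key_bits keyspace takes at a fixed rate.

    Worst case (correct key tried last); the expected cost is half of this.
    Each extra key bit doubles the result, which is the exponential growth
    the post relies on.
    """
    return 2 ** key_bits / trials_per_second / SECONDS_PER_YEAR


def world_for_a_millennium(processors: float = 1e9,
                           trials_per_second_each: float = 1e9) -> float:
    """Exercise 1: every processor on Earth searching for a thousand years.

    Both defaults (a billion processors, a billion key trials per second
    each) are constructed assumptions, not measured figures.
    """
    return bits_searchable(processors * trials_per_second_each, 1000)


def earth_as_nanocomputers(atoms: float = 1.33e50,
                           trials_per_second_each: float = 1e9,
                           age_years: float = 4.5e9) -> float:
    """Exercise 2: the whole Earth turned into nanocomputers, one key trial per
    atom per nanosecond, running for the age of the Earth.

    The atom count (~1.33e50) and age (~4.5e9 years) are rough textbook
    figures; the per-atom trial rate is an assumption.
    """
    return bits_searchable(atoms * trials_per_second_each, age_years)


if __name__ == "__main__":
    print(f"1000 processors buy {bits_from_speedup(1000):.1f} bits")
    print(f"a 3x faster chip buys {bits_from_speedup(3):.1f} bits")
    for n in (40, 56, 64, 80, 128):
        print(f"{n:>3}-bit key at 1e9 trials/s: {years_to_exhaust(n, 1e9):.3g} years")
    print(f"all processors, 1000 years: ~{world_for_a_millennium():.0f} bits searchable")
    print(f"Earth as nanocomputers, age of Earth: ~{earth_as_nanocomputers():.0f} bits searchable")
```

Under these assumptions the whole planet's processors running for a millennium exhaust only about 95 bits, and an Earth-sized nanocomputer running since the planet formed gets to roughly 253 bits, still short of a 256-bit key; adding key bits is linear work for the user and exponential work for the searcher, which is the "no middle ground" point of the post. Note that this only models exhaustive search of a symmetric keyspace; the 2048-bit PGP key in the quoted question is an RSA modulus, which is attacked by factoring rather than by trying keys, so its bit length is not comparable on this scale.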