[IP] on crypto systems from CTO PGP

Brad Templeton btm at templetons.com
Mon Jul 10 12:06:08 PDT 2006

On Mon, Jul 10, 2006 at 06:04:17AM -0400, David Farber wrote:
>Modern cryptographic systems are essentially unbreakable,
>particularly if an adversary is restricted to intercepts. We have
>argued for, designed, and built systems with 128 bits of security
>If you want to brute-force a key, it literally takes a planet-ful of
>They could know something we don't. They could know some fundamental
>truth about mathematics (like how to factor really fast), some
>effective form of symmetric cryptanalysis, or something else. They
>could know about quantum computers, DNA computers, systems based upon

While it is also a non-scientific statement, this history of
"unbreakable" cryptography is checkered.   Significant numbers of
systems judged unbreakable using the thinking of the day have ended up
having flaws.   Some claims of unbreakability also fell victim to
the unexpected push of Moore's law (such as DES, which we at the EFF
demonstrated the crackability of many years ago.)

One of my favourite charts at a crypto conference did a graph between
the predicted lifetime of cryptosystems (often expressed, in terms of
tens of thousands of years, or now lifetimes of the universe) and the
actual lifetime under unanticipated cryptanalysis techniques.  It was
meant to be an amusement but it looked like a real trend.

2^128 will not be readily brute-forced with the technology we envision
today.   The point is that most of these systems were not broken with
the technology (and other aspects of cryptanalysis) we know today.
Each flaw found in a cryptosystem makes our next system stronger, of
but it's very risky to say we've found the last flaw, discovered the
last breakthrough in cryptanalysis.

As for quantum computing, a classmate of mine has endowed a center
for quantum computing at Waterloo, using his RIM money.  I asked him
recently how many q-bits they could do, he told me they had classified
the answer.   That could mean they are being overly paranoid in their
classifications (quite likely) or that they have classified it because
they wonder if the future answer will be military level, or if they
have classified it just to keep people wondering.  But one can't help
but wonder.

All this said, I feel pretty confident in our modern systems.  But
not enough to say essentially unbreakable.

You are subscribed as eugen at leitl.org
To manage your subscription, go to

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

More information about the cypherpunks-legacy mailing list