## Cryptogram: AES Broken? 277

Posted
by
chrisd

from the small-s-boxes-lead-to-weirdness dept.

from the small-s-boxes-lead-to-weirdness dept.

bcrowell writes

*"The latest CryptoGram reports that AES (Rijndael) and Serpent may have been broken. The good news is that when cryptographers say 'broken' they don't necessarily mean broken in a way that is practical to exploit right now. Still, maybe we need to assume that any given type of crypto is only temporary. All of cryptography depends on a small number of problems that are believed to be hard. And all bets are definitely off when quantum computers arrive on the scene. Maybe someday we'll look back fondly on the golden age of privacy."*
## Quantum computing for white hats (Score:3, Insightful)

## Re:Quantum computing for white hats (Score:2)

## Yes, you're missing something. (Score:2)

Quantum computing changes this balance. So your white hats won't be able to multiply a billion times faster even if the black hats can factor a billion times faster.

Kjella

## Re:Quantum computing for white hats (Score:3, Informative)

Slightly different quantum computation will do though, quantum crypto allows transmission of entirely secure messages, that is an unbreakable system. It isn't guarenteed by the hardness of a couple of mathematical challenges but by the actaul laws of physics themselves. Not only can a quantum crypto stream not be broken, but it can detect when somebody attempts to listen in. This has been demonstarted using both air and fibre as a transmission system (can't be arsed to google for a link but there should be plenty out there, it was textbook for our quantum computation course).

On the other hand, a quantum computer would break all the old cryptosystems quite easily (not sure about eliptic curves), however they are years away from being feasible and there are a lot of hard problems to solve first.

## Re:Quantum computing for white hats (Score:2)

More complex algorithms for encryption do not necessarily mean more security. If factoring, for example, is only linearly hard in the number of digits of the large pseudoprime, then you could theoretically generate absolutely massive pseudoprimes, but at some point the method becomes useless.

The problem is that our notion of "hard" and "one-way" problems is all based on the concept of NP-completeness. This concept is broken by quantum computation. We would need to find new problems that are QC-complete, in other words, problems that are hard (exponential time and # qubits) even with quantum computation, and base new encryption methods around such problems.

I'm not up to date on the literature of computational complexity, but I'm fairly sure such problems should be possible to find, a class of harder problems than NP-complete problems. But since functional QC is so far off, this is not really a practical issue yet, but I'm sure it's of theoretical interest to many.

## Re:Quantum computing for white hats (Score:2)

The theories that posit QC as the solution to P=NP tend to involve poorly-defined "oracle machines" based on QC hand-waving, rather than any actual well-defined algorithms. It is very much an open question whether QC has anything interesting to say about P=NP.

-Graham

## Re:Quantum computing for white hats (Score:2)

provento be NP hard or NP complete (dredging up CS knowledge from 4 or 5 years back here).However, you are not 100% correct either. Most practical experience does not suggest a polynomial time solution exists (with the exception of Shor's Algorithm and the quantum factoring algorithm - this does mean the problem is in BQP, the new class of bounded-error, quantum polynomial time). If you look up the modern definitions of P, it seems to refer only to deterministic sequential machines, and I don't think that includes quantum computers strictly speaking.

I guess this is a quibble, but a worthwhile one, since the whole point is that there is a class of problems that _seems_ to be made easier (i.e. polynomial) by quantum computing, though it's not clear that those same problems don't have non-quantum polynomial solutions, it certainly appears that way based on everything we know.

You seem to be correct though that there is no proof of anything about P=NP from QC (I just looked it up and I'll be damned if I could make any sense of the articles I found without some serious study).

## Re:Quantum computing for white hats (Score:2)

According to the cryptographer's panel at RSA quantum computing is much less of a threat than many assume. In the first place quantum computing tends not to be effective against symetric algorithms. Secondly RSA turns out to be based on a problem that is very very hard with conventional computing and very very easy with quantum computing. It is not clear that all possible public key algorithms are susceptable to attack using quantum techniques.

In other words don't get the idea that quantum computing immediately means the end of cryptography.

On the actual topic of AES I would not call this a 'break', in fact nothing less than breaking the cipher for real should count as a break. There are plenty of 'breaks' of DES but none of them are easier than brute force when applied in practice. What we have is a theoretical compromise that is way outside the capabilities of any current technology.

Or consider it this way, given the known problems with 3DES (limited block size, severe limitation on safe amount of ciphertext generation) I don't feel like sticking with 3DES as a result of the article.

## Re:Quantum computing for white hats (Score:2)

Quantum computing means that you can either tell what color somebody's hat is or how many hats they'r ewearing, but not both simultaneously :-)Quantum computing appears to allow the user to cheat, by picking the correct n-bit value out of 2**n bits, for a class of problems that mostly look like the factoring problems that make RSA public key crypto work.

This doesn't appear to make things faster for the white hats, because the white hats already knew what the correct bits were for data that was intended for them or data that they were trying to sign.## quantum computers (Score:2, Funny)

And all bets are definitely off when quantum computers arrive on the scene.couldn't these be described as "weapons of mass decryption"? [visions of 'sneakers' all over again]

## Quantum (Score:2, Interesting)

Is it really back to XORing our messages with random data known to both ends?

That sucks.

And the cry went up - make quantum computers illegal. Only terrorists want quantum computers...

## Golden Age of Privacy (Score:2)

## Quantum computing =/= no privacy (Score:3, Interesting)

That, is untrue. Yes, when quantum computers arrive, they will decode encryptions done today in polynomial time.

But arrival of quantum computers does not mean an end to privacy. "Quantum Cryptography" invokes the fundamental laws of QM to guarantee that there's absolutely no way to decode a message thus encoded (without alerting the sender of a "wiretap"). It stands to reason that by the time Quantum Computers arrive bigtime on the scene, Quantum Cryptography will arrive as well.

The theories of the two ideas are well worked out, but the tech remains in its infancy.

## Re:Quantum computing =/= no privacy (Score:5, Informative)

Quantum computing would break a range of encryption techniques, especially most public-key techniques, but nothing known today rules out new and more robust digital encryption technologies being developed that Quantum Computers could not break, and I imagine plenty of people are working on them.

## Addendum (Score:4, Informative)

(See here) [ibm.com]

## Re:Quantum computing =/= no privacy (Score:3, Insightful)

## Re:Quantum computing =/= no privacy (Score:4, Insightful)

on computational intractability rather than a

demonstrable computational impossibility will always

be open to some future innovation rendering it

trivial to crack. Elliptic curve crypto seems to

have the best prospects for the future right now,

and you can use it right now: El Gamal is

implemented in GPG.

But to say that QC will render effective crypto a

historical artifact is clearly mistaken. If it

were true, it would imply that there are *no*

hard problems any more, once QC techniques are

employed. All that QC can do is compute functions

over a finite field with effectively infinite

parallelism. It's unfortunate that most crypto

systems today rely upon functions over a finite

field, but there are plenty of hard problems that

are only valid over function spaces, for example.

## Re:Quantum computing =/= no privacy (Score:2)

## Re:Quantum computing =/= no privacy (Score:2, Funny)

when quantum computers arriveI have a Quantum hard drive, but I didn't know they were getting in the PC business.

Hmmm... now that I think about it, I thought they got bought out by Maxtor. I think you're just bluffing about "Quantum computers" and this power they will supposedly have.

## Re:Quantum computing =/= no privacy (Score:2)

No - Mix + Mash ciphers aren't automagically immune, see quote from Schneier:

"

While quantum computation can make problems such as factoring and discrete logarithms (which public-key cryptography are based on) easy, they can only reduce the complexity of any arbitrary computation by a square root. So, for example, if a 128-bit key length was long enough pre quantum computation, then a 256-bit key will be long enough post quantum computation."-- B.Schneier, 10th Oct 1998 posting to soc.history.what-if USENET group

E.g. 3DES will be pretty much toast, as will AES128.

## The end of privacy (Score:5, Insightful)

on the golden age of privacyThat is quite a funny statement. 99% of all email is being sent in clear text, often passing through gateways which have permanent wiretaps installed. Phone tapping is at an all time high in the west and there are cameras on nearly every street corner around where I live.

Privacy.... I had a lot more privacy 20 years ago, that is for certain.

## Re:The end of privacy (Score:2, Insightful)

## Re:The end of privacy (Score:2, Interesting)

Privacy.... I had a lot more privacy 20 years ago, that is for certain.I doubt that. 20 years ago, your neighbour, your baker and your butcher knew more about you than any mass e-mail marketing company does nowadays. The only difference is that they didn't send you spam, but for sure your butcher knew that you didn't know the difference between a normal and an excellent steak, and sold you the first one for the price of the second one. So you were f*cked even then, only you didn't know it.

In order to provide some on-topic content also: I thought the basis of all (public-key) encryption was based on one "hard to solve" problem only, namely the "factoring in prime numbers" problem -- are there any problems that I missed?

## Re:The end of privacy (Score:2)

## Re:The end of privacy (Score:2)

I doubt that. 20 years ago, your neighbour, your baker and your butcher knew more about you than any mass e-mail marketing company does nowadays.

Uhh... sorry to be literal, but 20 years ago I didn't know my butcher personally and I still don't. I buy mostly buy meat at the supermarket. I think it was more like 60 years ago that everyone bought meat from the local butcher.

On the other hand, my credit card issuer knows far more about me than any e-mail marketer. They know that I play golf once a week, how much I spend in the grocery store, when and where I go on vacation, etc. All the average e-mail marketer (thinks they) know about me is that I like rape pr0n.

-a

## Re:The end of privacy (Score:2)

are there any problems that I missed?RSA is based upon the Integer Factorization Problem (IFP) (*).

Elgamal / DH are based upon the Discrete Log Problem (*)

Eliptic Curves Cryptography is based upon, erm, Eliptic Curves.

(*) Note: there are no proofs that RSA or DH/Elgamal are actually as hard as the underlying IFP or DLP - e.g. they could be broken even if factoring is "hard".

## quantum crypto (Score:2)

we can not assume that either side of the crypto equation will remain dormant, using only today's technologies. The next Bruce Schneier [amazon.com] will happen along (or maybe the man himself) and we'll be dealing with the golden age of quantum cryptography.

## gross oversimplification (Score:3, Funny)

Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and then using an innovative technique to treat the terms of those polynomials as individual variables. This gives you a system of linear equations in a quadratically large number of variables, which you have to solve. There are a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier. (This is a gross oversimplification of the paper; read it for more detail.)Uhm. emm. EZ? :)

## Re:gross oversimplification (Score:2)

## Re:gross oversimplification (Score:2)

The fact that my and your sense of humour did not intersect. :) To me, it seemed that the clip was like straight from Dilbert mission statement generator [dilbert.com]. Anyway, the description is very good, but to one like me, who does not use math terms actively, it takes some time to understand what it means in practise and how to use the information. And at first sight it seems like the recipe for Energy Bolt spell. But then again, I am mathematic moron :)

## Nice article... (Score:2, Funny)

...I love the first line:

AES may have been broken. Serpent, too. Or maybe not. In either case, there's no need to panic. Yet. But there might be soon. Maybe.Lovely summary, guys :-)

## Quantum Computing and Privacy (Score:4, Insightful)

The focus of international intelligence gathering would shift radically back to human intelligence (which is already happening for other reasons) and the new basis for security would become that of access cintrol through discontinuity - if you network is not connected to your neighbor's, then he can't get access to it regardless of his technical sophistocation.

The days of the NSA Sneaker-Net would return (picture NSA computer geeks running from one terminal to another with DLTs in order to keep the systems in communication, such that data could only flow in one direction.

Disclaimer: IANAF - I Am Not A Futurist

--CTH

## Re:Quantum Computing and Privacy (Score:5, Insightful)

Consider, for a moment, the social changes that would imediately take place if privacy were nonexistant, in the sense that all cryptography could be broken with a trivial effort by anyone and their brother, using off-the-shelf hardwareHow would this technology work against one-time pads? Besides, historically technologies have always tended to balance. Someone makes a better tank, then someone makes a better tank-killer, then the cycle repeats. If today's sophisticated encryption can in the future be defeated with cheap devices, then the crypto that this future society considers sophisticated would be well beyond ours. Consider the relative computational power of Bletchly Park and the sophistication of Engima of the early 40s and the power and sophistication of a 21st Century desktop PC.

International politics would be forever changed.Not really. It would simply switch from broadcast and ciphers to the diplomatic bag and codes - which is how it worked for centuries. Complexity in international affairs is nothing new.

## Re:Quantum Computing and Privacy (Score:2)

Not really. It would simply switch from broadcast and ciphers to the diplomatic bag and codesWhere of course, Numbers Stations [ibmpcug.co.uk] come in.

For all the advances in asymetric cryptography, Numbers Stations / OTP has remained the system of choice for many organizations. This says something about asymetric cryptography; either that it isnt trusted, that its impractical for espionage, or something else...

## Re:Quantum Computing and Privacy (Score:2)

Someone makes a better tank, then someone makes a better tank-killer, then the cycle repeats.Very true, but it bears pointing out that the direction of the advantage seems to be different.

In the battle between warhead and armor, the warhead tends to retain the lead most all of the time, because it's basically easier to blow holes in something than to withstand massive force.

In the battle between cipher and cryptanalyst, the ciphers have tended to retain the lead, which seems to imply that creating an algorithm that munges data in complex ways is basically easier than unraveling said munging. This is *not* to say that good cipher design is easy or that anyone can do it; it's fiendishly difficult, because the attackers are fiendishly clever. Still, over the last 50 years or so, history shows us that the ciphers have tended to stay ahead of the cryptanalysts. DES is a shining example, given that it has been the #1 target for 30 years and has stood essentially undamaged.

## Re:Quantum Computing and Privacy (Score:2)

So yes, I agree that DES is the granddaddy of Feistel network ciphers. Few of the cryptanalytic attacks work without ungodly amounts of chosen plaintext or artificially reduced round counts. But code breaks have generally occurred within months or years of implementation, not decades. As Gwido Langer, the chief of Poland's Biuro Szyfrow, said about breaking the German Enigma (when the British were unable to) "You don't have the same motivation as we do." Until after World War II, most code systems were broken during the same wars they were supposed to be protecting, and for that same reason.

The wartime and/or government codebreakers also have one more advantage: they don't typically announce their breaks to their enemies du jour. The recently released Venona papers show how Soviet spies who were given (faulty) one-time pads in 1942-1946 had them broken between 1948 and 1980.

Yes, it's a constant struggle. Yes, DES looks pretty good. But I wouldn't want to trust ALL of the national eggs to any single one of the currently commercially-available baskets.

## Re:Quantum Computing and Privacy (Score:2)

It has been known for some time that there are many weak keys in DES.Depending on your definition of "many", this is true. The complementation property of DES is a small weakness as well. These issues reduce the strength of DES by a miniscule amount.

Near this time, I recall seeing a paper claiming to reduce DES to a 2^48 problem, but I'm unable to find a citation tonight.You're probably thinking of Matsui's Linear Cryptanalysis.

In 1998, Wiener's machine was built by the Paul Kocher and EFF for about $250,000, and it breaks DES keys in about three days, on average.The DES key size was always too small, but that was what the NSA wanted. Remember that the original cipher (Lucifer) had a 128-bit key. 3DES addresses this problem handily, if not elegantly.

Also, if you'll permit me to pick nits, Deep Crack recovers a key in about 5 days, on average.

Overall, though, all of the concerted effort focused on DES has reduced its effective key size very little. That effective key size was too small to begin with, but 3DES has an effective key size that is adequate for a few years yet, particularly since linear and differential attacks cannot be used to speed up the "meet-in-the-middle" attack.

This is a pretty impressive record, in my opinion.

## Re:Quantum Computing and Privacy (Score:2)

Yes, that is the tradition. But the mind and effect of man is finite. Eventually we will end up with "The Answer" -- and no further cycle.Only if there is a "The Answer". It's certainly not clear that there will be such an answer in the case of either the warhead/armor evolution or the cryptographer/cryptanalyst evolution, mainly because what often happens to allow one side to take the lead over the other is a changing of the rules.

To use some examples from the armor/warhead debate, consider that the debate started as armor vs. blade, progressed to armor vs. projectile, then to armor vs. explosive warhead, then to armor vs. shaped charge, then to armor vs. ultradense projectile backed by shaped charge. Further consider that armor changed radically a few times along the way as well, changing materials, thickness and composition (especially lately, with highly-engineered composites). Not only that but armor has even acquired the ability to actively "fight back" -- reactive armor. In tanks it takes the form of explosives attached to the tank's armor plate that explode to slow penetrators and distort shaped charges. In naval warfare, you can even view anti-missile defensive systems as part of the "armor". A set of Aegis-equipped ships with high-speed data links and layered missile defensive systems creates a sort of a "virtual" armor that encloses all of the ships. Now consider how far removed that is from a bronze sword hitting a boiled leather cuirass, and tell me that man's imagination is limited.

Things like quantum computing are based on the fundimental physics of the universe. While I can't say if they are, or are not, the end-game cycle -- they're surely isn't much left to work with.Which does not mean that quantum computers will be able to solved all problems. In fact, there are already plenty of problems known that quantum computers will not be able to solve, and there is only a tiny set of problems for which it's clear that quantum computers will be any help at all.

Plus, QM does not give us a "fundamental" understanding of the universe; it has numerous well-known flaws (mainly in terms of what it does not explain), and who knows what else we may be able to do given a deeper understanding of How Things Work.

## AC is Troll or Clueless on OTP vs QC (Score:2)

In normal public/private hybrid systems, you use the public-key algorithm to encrypt a random secret session key, and then use the session key with a symmetric-key algorithm to encrypt the message. For some popular categories of factoring-based public-key algorithms, a hypothetical QC can instantly factor the key, and you can do the polynomial-time validation to show that the decryption key you've pulled out of the quanta matches the public encryption key. (OTPs don't let you do that.) You can then use the session key to crank the symmetric-key algorithm. The lead article that this discussion is about deals with weaknesses in the new symmetric-key algorithms that all of us were hoping we could use to replace Triple-DES, which appears to be very strong but is slow and clumsy (and neither 3DES nor AES appears to be attackable using QCs.)

Since widespread use of OTPs means a return to lots of couriers with briefcases attached to their arms, I suppose there are some non-mathematical ways to use QC to attack OTPs - hit the courier on the head with the QC, and then use the liquid helium from the qc to help shatter the handcuff chain, or offer the courier a Quantum Computer as bribe, or whatever :-) ## Re:Quantum Computing and Privacy (Score:2)

## Do not fear the Quantum Age (Score:2)

Quantum computing is a *good* thing.

## Strictly Speaking (Score:2, Insightful)

All of cryptography depends on a small number of problems that are believed to be hard.This is not true; The "One Time Pad" does not rely on a difficult problem like factoring for its basis.

And all bets are definitely off when quantum computers arrive on the scene. Maybe someday we'll look back fondly on the golden age of privacy.OTP is unbreakable, and so "the golden age of privacy" will not end because of quantum computers.

Now

legislationending the golden age of privacy is another matter entirely.## Re:Strictly Speaking (Score:2)

OTP is unbreakable, and so "the golden age of privacy" will not end because of quantum computers.Only if your pad is truly random. There's a scene in Cryptonomicon in which they realize the vicar's wife is looking at the letters as she draws them out of the tombola used to randomize; being a native English speaker she is subconsciously biased to prefer certain letters over others, and this is enough to open a chink in the armor.

## Re:Strictly Speaking (Score:2)

It would be a little crazy to say "OTP, when it is deployed improperly, cannot be broken", now wouldnt it?

## Re:Strictly Speaking (Score:2)

The big problem is that once you've encrypted something with an OTP, the security (and secrecy) of the OTP is *everything*. If anyone gets the OTP, your encryption is done for.

So, managing the OTPs becomes the biggest challenge in using them. First, you have to have an OTP about the same size as the file you're encrypting, to ensure that no statistical games can be played to re-build the key, and you have to have a seperate OTP for every message you encrypt. Also, getting an OTP to someone else you want to encrypt a message to is not an easy matter. You have to be sure that no one else can see the transaction that shares the OTP, since that would immediately destroy the security of the system.

Compare this to any symmetric-key system: Yeah, you've also got a key that's central to the cipher. But, the key does not need to be approximately the same size as the file encrypted (as is the case with OTPs), which, for big files, is a huge deal.

Basically, there's a reason we like symmetric-key algorithms, and it's mostly to do with usability. If an encryption system is such a pain in the ass that no one uses it, then its impact in the real world will be zero.

## Re:Strictly Speaking (Score:2)

Basically, there's a reason we like symmetric-key algorithms, and it's mostly to do with usability. If an encryption system is such a pain in the ass that no one uses it, then its impact in the real world will be zero.I totally agree with you about OTP being a pain in the ass to manage, but as far as its impact in the real world, you could not be more wrong.

Numbers Stations [ibmpcug.co.uk] have relied on OTP for decades, and continue to do so till today.

Like anything, it depends how much you want a to protect your communications. If OTP is going to save your life, as in espionage, it becomes much less of a pain in the ass. If you want to encrypt your daily email with the 20 people in your Mozilla address book, then things get very messy very quickly, and of course, you can forget stuff like ecommerce, which instantly become "unwieldly" to put it mildly.

## Re:Strictly Speaking (Score:2, Informative)

OTP is unbreakable, and so "the golden age of privacy" will not end because of quantum computers.OTP is not unbreakable.

While the algorithm itself isn't breakable, the strenght of a OTP based solution will still depend on several weak points, like the random number source.

There's plenty of room for trying to attack it, using statistical analysis and estimates to try to be able to break it.

## Re:Strictly Speaking (Score:2)

OTP is not unbreakable.OTP *is* unbreakable. [std.com]

This is a well established fact. Like I said elewhere in this thread, its clear that I mean "when it is implimented correctly", as it would make absolutely no sense to imply "OTP is unbreakable when it is implimented poorly".

## Well... yeah! (Score:2)

...maybe we need to assume that any given type of crypto is only temporary.Well that's a serious problem if you ever, ever thought cryptography had any sort of permanence!

For one thing, an encrypted message is of no use to the receiver if they can't DE-crypt it, *poof* crypto is not permanent.

I'd recommend reading "The Code Book" by Simon Singh as the first two-thirds of the book are a history lesson that demonstates to me how cryptography endagers the lives/way of life of those who rely on it to protect themselves (in particular, Mary Queen of Scots and Enigma).

## Old data is the problem (Score:5, Insightful)

Imagine some black hat just archived all encrypted data he could get (bank transactions, private conversations, you name it) then decrypts them in 10 years when he can buy his brand new quantum computer. All this old data may prove very valuable for him.

Perhaps very sensitive data shouldn't even transit on the net because you can't tell if it'll be decryptable in the future.

## So use one-time pads (Score:2, Insightful)

Once you have the list of numbers, get the list of words and phrases to encode. Put one random number next to each word or phrase (watch for duplicate codes here!)

Put the pad on a cd, send it to whoever you want to communicate with. Doing this last part is the only large potential insecurity, plus it's inefficient. But the one time pad is theoretically unbreakable.

## Re:So use one-time pads (Score:2, Informative)

Here it's fitting to note the words of Steve Bellowin:

In operation, there are many 'gotchas' to watch out for,

neverreuse a pad for example.Google for 'Venona' and 'one time pad' for a good example of even the experts (KGB et al) getting one time pads wrong.

## That's the wrong way to use them. (Score:2, Informative)

If you number individual words and phrases, then you can only use each word or phrase once, otherwise it's not a

one-timepad anymore. Think about it... how long would it take a cryptanalyst to figure out the code for "the" or "you"?The pad should simply be a chunk of random bits, and both sides need to keep track of which bits have been used. Then encrypt your messages by xoring them with an unused stretch of bits.

## 'the' or 'you' (Score:2)

I used one time pads in the army. You wouldn't use one to transmit War and Peace. But you would use it to send "Attack is Tomorrow, sell IBM". Or to send "Name of agent in NSA is CowboyNeal."

Those would be encoded as the phrases "attack is tomorrow", "sell IBM", "name of agent","in NSA". The word "is" could be encoded, or dropped (the sentence would be parseable without it.) Only "CowboyNeal" might have to be encoded letter by letter. Or it could be encoded as "cowboy"+"n"+"e"+"a"+"l".

Generally, using a one time pad to encode letter by letter is a bad idea. Done only when there is no alternative.

## Re:'the' or 'you' (Score:3, Insightful)

## Re:'the' or 'you' (Score:2)

I would say that he is correct: in practice, you would want to drop unnecessary or redundant info out of the message. Since OTPs rely so heavily on securely sharing the pad, you want to maximize the use you can get out of the pad you have without re-use. This means dropping redundant words. In common computer practice, we'd just zip the damn thing before sending it, hopefully greatly increasing the entropy (and decreasing the length) of the message before even bothering to encrypt it, but that's a whole other topic for discussion.

## Re:'the' or 'you' (Score:2)

## Re:'the' or 'you' (Score:2)

And as for XOR; you're right. However, it's almost always used because you need a reversible bitwise function. I can only think of four, two of which are trivial, leaving only XOR and (not XOR) as your possibilities. If you do operations on chunks larger than bits, you have more options, though.

## Different implementations (Score:2)

The Army still uses one time pads that way.

## Re:Different implementations (Score:2)

## Re:Different implementations (Score:2)

They're worth a read.Thank you for your condescension. I've read plenty of crypto books. The one-time pad protocol is 100%, provably secure. Period. The only weaknesses don't have to do with the protocol itself. Flawed implementations (insecure pad; non-random generator of pad, etc.) will ruin any cryptosystem. And if you're objecting to my use of the term "cryptosystem" instead of "protocol" in the previous comment, you obviously know what I meant, so why the fuss?## Re:So use one-time pads (Score:2)

## Re:So use one-time pads (Score:2)

## Re:So use one-time pads (Score:2)

-l

## MAYBE? (Score:2, Insightful)

maybe we need to assume that any given type of crypto is only temporaryIf I'm not mistaken, this is rule #1 of cryptography. Doesn't really matter what algorithm you use or how secure everyone or anyone thinks it is, they're always able to be cracked. Which cryptosystem you use is more a measure of reasonable security -- do you want your messages secured for years, decades, etc., with an assumed increase of computing power?

## What Schneier really meant to say... (Score:4, Interesting)

Seriously, though - any approach that manages to reduce the difficulty of cracking these algorithms by a factor of 2^100 is impressive, and Schneier at least simplifies it enough that us folks with very rusty number theory can appreciate the achievement.

His comment later in Cryptogram about his name appearing on a list of banned words is much, much scarier - looks like he's upset someone in the content censorship Gestapo. That same content filter would deny access to today's Slashdot front page - nasty.

## Re:What Schneier really meant to say... (Score:2)

Also note:It seems that the XSL might break AES 256 bits, but it is not certain. There is little chance however that it will break the most used AES 128 bits.. Funny, i would have gone with bigger keys, but they seem to get less secure.Recall that "breaking" an algorithm means finding a method of attack with a work factor less than 2^k where k is the key length in bits. "Breaking" in this context doesn't mean recovering plaintext of encrypted communications. Since they have demonstrated an attack with a work factor of 2^200, that means that 256-bit AES was "broken" but 128-bit AES was not.

## One Time Pad != Encryption (Score:4, Insightful)

The typical idea about cryptography is to use a secure medium to provide the key, while using the insecure medium to send the data, because the insecure medium is much faster/better/easier to use. So I can meet you in person and get the key, or call you on the phone and verify your PGP (or GPG if you please) fingerprint (assuming you're not being wiretapped as well), and then use the Internet as a medium from then on.

The OTP "solution" would be to say a random sequence of 1s and 0s, then use those to decrypt the irc converation later, not really an option. You'd "run out" of pad rather quickly. Oh, and quantum computing does as far as I know not affect encryptions based on elliptic integrals (which by theorem can't be solved analytically, but I suppose there could be approximations).

Kjella

Kjella

## Re:One Time Pad != Encryption (Score:2)

You get a source of random data, there are plenty available and prepare a harddrive or harddrives that contain that data. Being that harddrive capacities are now in the 200GB range, you can get quite a lot of data. You then duplicate the drives once and only once. A secure, trusted courier then takes the drives to the other location where they are installed. You now have a good OTP system setup. Your encrypting/decrypting stations just need to be physically secure and keep track of what part of the pad has been used. When it's all used up, you destroy the drives.

Now I can't think of anything that needs this level of security today, but it's not so impratical that a company couldn't or wouldn't do it if there was a reason. Under this system you just have an encryption channel that will give you X total GB of data (half duplex) transfer before it has to be refreshed. This would give you teh capacity to use this to secure a company intranet or something, but it wouldn't be unreasonab;e to get a years worth of small messages that require the utmost secearcy to be transfered this way.

## Re:One Time Pad != Encryption (Score:2)

So the question is, why don't you use the secure medium in the first place?Because I only get to see my brother once a year in Cuba. And he has a problem carrying back CD-Rs of random pad material through customs.

verify your PGP (or GPG if you please) fingerprint (assuming you're not being wiretapped as well),Passive evesdropping (aka wiretapping) does not interefere while verifing a public key fingerprint. So you can verify fingerprints of a public key in a public place.

OTP has other problems, beyond the typical key distribution problem. If a non-random source is used for generating the key material, or if the key pad is accidential reused, then trouble stikes, like it did with Venoma [nsa.gov].

OTP also lacks message integerity, so if an attack could cut and paste blocks of encrypted ciphertext, Bob would not be able to detect the altered message if the decrypted text make sense (deposit $1000 to account #1233335632 rather than the modified message of deposit $4950292.95 to #1233335632)

encryptions based on elliptic integrals (which by theorem can't be solved analytically, but I suppose there could be approximations).Now what methods are you referring to here? Elliptic Curve Cryptography [certicom.ca] normally is used as a faster version of the Discrete Logarithm Problem [rsasecurity.com] (DLP) where it is faster and easier to Exponentiate (x^y) than it is to calculate its discrete logarithm (x such that g^x = h) which is the inverse operation and is much harder to calculate.

So I would be interested in this method of using elliptic integrals.

Quantum computing changes the games of cryptography, but it does

notend the struggle of cryptographer vs. cryptanalysis. AES when used with a 256-bit key is expected to withstand a bruce force key search using quantum computing within the near future (less than 10-20 years). Of course quantum computing being a young field there is a chance that a radical discovery may ruin our present best estimates for future capabilitities.## Re:One Time Pad != Encryption (Score:2)

1 personal meeting yields a lifetime of secure communication.

## Re:One Time Pad != Encryption (Score:3, Insightful)

The definitive text on cryptography, The Handbook of Applied Cryptography [uwaterloo.ca], defines the OTP as a type of encryption...I know this is Slashdot but I don't think your arbitrary definitions help here.

Sending a CD worth of random data via a secure channel in advance and then sending an encrypted message with the knowledge that it will be unbreakable is sometimes worth prior thought. Sure, it may not be usefull for the masses who require this kind of security or don't know their going to communicate in the future but to claim that this cipher "isn't encryption" is bull.

## As Bruce says, relax...for now. (Score:2)

My fear is that we could see optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things starts to get dicey about(emphasis added by me)ten years from now.So, ten years

or more. Heck, at that point, shouldn't quantum computers be breaking this stuff anyhow?## The XSL attack (Score:2, Interesting)

All you "so is GPG broken?" put your pants back on.

Summary of attack:

XSL stands for three of the basic operations in Rijndael and Serpent. The reason why this attack works is because the substitution layer of Rijndael/AES and Serpent can be expressed very neatly as the same domain as the Linear layers.

Now when I say 'neatly' I mean 'it would be possible' not no one's shown us this monster set of equations relatnig the (128+128/192/256) bit inputs to the 128 bit outputs. The Rijndael/AES and Serpent ciphers may be what we call "over defined".

Think back to high school when you have N liniearly independent linear equations and N-1 unknowns. You had an infinate number of posibilities for solutions. If you had N eqns and N unkn's you had 1 sol'n. If you had N eqns and N+1 unkn's you were in a funny place.

The authors suggest Rijndael/AES Serpent is in the latter catagory of the differential nature (and not the linear nature you learned in high school).

So what does this mean? The possibility HAS NOT BE EXCLUDED that this attack is possible. It really proves demostrates nothing that it's at all possible. Which is best anyone's been able to do in the past 6 years.

JLC

See sci.crypt thread:

http://groups.google.ca/groups?q=XSL+group%3Asci.

## Bruce Schneier on the subject (Score:2)

## Some corrections to the article (Score:2)

All of cryptography depends on a small number of problems that are believed to be hard.This is really only true of public key cryptography. Symmetric ciphers (like AES, Twofish, Serpent and DES) depend upon really complex applications of transposition and substitution, not on mathematical problems hoped to be NP-hard (when recast as a decision problem, blah, blah, blah).

The breakthrough in the mentioned papers is just a collection of techniques used to try to create usable mathematical models of these complex mishmashes of operations, thereby allowing them to be analyzed and attacked. This is fundamentally different from public key encryption algorithms which are very simple and trivially easy to model, but reduce to models of (we hope) intractable problems.

Whether or not it is possible to create a symmetric cipher of sufficient complexity and non-linearity that it is impossible to cryptanalyze is, of course, an open question that will probably never be fully answered. In the arms race between cipher designers and cryptanalysts the top cipher designers have always managed to stay substantially ahead of the top cryptanalysts, however. Witness the fact that DES has withstood 30 years of concerted attack, without a significant attack being found (other than the built-in small key size, of course).

Speaking of DES, what I'm most interesting in knowing right now is if these new attacks can be applied to it. 3DES is still the most important cipher in the real world and will be for some time.

And all bets are definitely off when quantum computers arrive on the scene.Again, bcrowell doesn't know the difference between symmetric and asymmetric ciphers. No one has devised a way to use quantum computers to attack symmetric ciphers. That's not to say it won't happen, but, as I understand it (not much), modelling complex problems in a QC is very, very difficult. QCs are good at simple problems with a large solution space.

Maybe someday we'll look back fondly on the golden age of privacy.If we lose all of our privacy it will be because we choose to, not because of any lack of technological tools.

## Re:Some corrections to the article (Score:2)

"Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer"

http://epubs.siam.org/sam-bin/dbq/arti

Given that all modern crypto protocols use some variant of asymmetric crypto to transmit their symmetric key, a break in the asymmetry eventually breaks the symmetry too.

That being said, I'm personally suspicious of quantum computing. Naive students learning about lossless compression algorithms inevitably believe they can apply the same algorithm multiple times, each time shrinking the data further and further. This actually works for some algorithms, for one or two runs. Eventually Shannon takes hold; the system refuses to compress below the level of entropy in the data (indeed, it starts to expand).

I suspect there's an analogous limit on the quantum scale, past which entropic capacity will prevent computation at high qubit levels. I could be wrong, and I'll be suitably impressed when the hardware shows up on my doorstep. But computationally relevant quantum logic hasn't been shown yet, and we shouldn't act like "it's only a matter of time".

It'll be something to be excited about if quantum computing proves feasible. I'd hate to see that achievement spoiled by "We've known it was possible for a decade."

Of course, I'm just being mildly cranky. I ain't a fan of quantum crypto either -- entanglement and crypto don't work too well in the same conceptual universe. A little skepticism is useful

Yours Truly,

Dan Kaminsky

DoxPara Research

http://www.doxpara.com

## Re:Some corrections to the article (Score:2)

Given that all modern crypto protocols use some variant of asymmetric crypto to transmit their symmetric key, a break in the asymmetry eventually breaks the symmetry too.Actually, this is not always true.

It is true of most protocols used on the net, but other areas of secure computing rely pretty much exclusively on symmetric algorithms. For example, my work is primarily in security for systems involving smart cards. Given that:

...symmetric crypto makes more sense. Similarly, the banking system relies almost entirely on 3DES, more because of inertia than any security reasoning but, still, PK is rare.

In many, many real-world security scenarios, key distribution can be solved without PK, and in many cases the result is simpler and therefore more secure (complexity being the enemy of security).

I suspect there's an analogous limit on the quantum scale, past which entropic capacity will prevent computation at high qubit levels.I'm not qualified to comment, but the more far-out claims for QC, even from those who understand it, seem much too good to be true.

Of course, I'm just being mildly cranky. I ain't a fan of quantum crypto either -- entanglement and crypto don't work too well in the same conceptual universe. A little skepticism is useful :-)Certainly is :-)

I see quantum crypto as an interesting idea, but in practice I don't think it offers very much over what can be accomplished with standard cryptography. Sure, it's nicer to have a theory that allows you to say "I *know* no one is tapping this line", but unless your attacker is a major world government, a good symmetric stream cipher with a decent automatic rekeying system, plus some strong message authentication codes, is perfectly adequate. Actually, it's almost certainly adequate even if your attacker *is* a major world governnment.

## Where my cryptogram? (Score:3)

## quantum computing & one time pads (Score:5, Informative)

I'm a Ph.D student at Harvard. I've done cryptography research in the past. So listen up people.

Quantum computing does not destroy cryptography as we know it.It is important to realize exactly what quantum computing does and does not do. For symmetric ciphers, quantum computers reduce the cost of brute force search by a square root. So AES goes down from a 2^256 cipher to a 2^128 cipher. But 2^128 is still quite safe. And even if AES were to fall, it would not be an insurmountable problem to design something better.As for public key cryptography,

most but not allpublic key cryptosystems are completely broken by quantum computers. Luckily we still have some public key cryptosystems that have not yet been broken using quantum algorithms. Elliptic curve discrete log is one such example.One time pads are not the answer.Yes the security of one time pads has been proven but this proof relies on a stronger-than-you-think collection of assumptions that is almost never realized in real life. One time pads are very useful in certain situations but completely unsuitable for cryptography as most people use it.## Some Clarifications (Score:3, Informative)

- ElGamal is not an elliptic curve algorithm. Its a classical public key encryption system based on the discrete logarithm problem. Most DL problems can be refactored as elliptic curve problems though, so perhaps the poster was referring to a possible EC ElGamal. At any rate, I'm pretty sure GPG uses classical ElGamal.

- Symmetric ciphers are rarely broken by raw computational power (brute force). In fact, algorithms above about 80 bits are impossible to break by brute force due to the laws of physics.

- Quantum Cryptography today involves means of transmitting data at very low bitrates over a channel in which eavesdropping is impossible. QC is pretty much only useful for exchanging keys for symmetric algorihms (like AES, Twofish) securely, as the data rate is to slow to be practical for anything else.

- Assymetric Cryptography (public key) is based on several hard problems. The two that are used widely today:

* The prime factoring problem (RSA)

* The Discrete Logarithm problem (DSA, ElGamal)

One will become widely available soon:

* The elliptic curve problem

- Yes, OTP is still perfectly secure, but its still perfectly useless, as w/ OTP you just shift the security to two other areas; truely random pad generation, and secure distribution of the pads.

## Not exactly... (Score:2)

And all bets are definitely off when quantum computers arrive on the scene.Well, except for quantum crypto, which IIRC is actualy as secure as one time pad.

## Rijndael variant which should foil this attack (Score:2)

In fact, the Rijndael designers were considering changing Rijndael's S-box during the AES process. NIST, however, for not entirely known reasons, did not allow the Rijndael designers to do this.

Now, as it turns out, the Rijndael designers have designed some other ciphers after Rijndael. These ciphers have different S-Boxes. In fact, the Rijndael designers revised ("tweaked" as they call it) each cipher to have a representation which is easy to implement in hardware; most of the die space used when implementing Rijndael on an ASIC is implementing the S-box.

The ciphers in question are Whirlpool [terra.com.br] and Anubis [terra.com.br] (Anubis uses an involutional S-box which might possibly make it weaker). In fact, my software project [maradns.org] does not use Rijndael proper as a psudo-random-number-generator; it uses a Rijndael variant with the "tweaked" Whirlpool S-box.

- Sam

P.S. I should also mention Khazad [terra.com.br], named after the bridge Gandalf fights balrog at, which uses Anubis' S-box.

## Re:I'm no mathematician, (Score:2)

## Re:I'm no mathematician, (Score:2)

Not even close, but isn't breaking encryption just a matter of throwing enough processor cycles at it until it finds a match?This is correct. But if you can show that a massively parallel computer the size of the Earth would take billions of years to crack your code, then you can feel reasonably secure. Factorisation of large primes is a task that (probably) falls into this category -- it hasn't yet been shown to be easier.

If, on the other hand, you're talking about trying every message against the encrypted text, then that doesn't work either, because (a) it takes even longer than cracking the code, and (b) any message is potentially the plain text.

## Factorisation of large primes is easy (Score:5, Funny)

11196101758632245023844192896470191898640653514

Now we have to factor it. We step up to the main terminal of our quantum computer beowulf cluster and type in the question, "Of which numbers is this the product?". Qubits flip, waveforms collapse, a cat in a box somewhere dies (of radiation poisoning, strangely, or charmingly), and out pops the statement:

11196101758632245023844192896470191898640653514

## Definition of "Broken" (Score:2, Informative)

## Re:I'm no mathematician, (Score:2)

Breaking an encryption method is a different thing. This is done by analyzing the method in order to try to find a better method for breaking encrypted documents than the best method previously known. If this is sucessful, it means that all of the encryption that has been done with that method so far is weaker than had been thought. Of course, the initial method is just trying all possible keys, and it may actually be somewhat foolish to think that there is any cryptosystem which doesn't have a better method; that would mean that all of the key contributes to strength, rather than any of it being weak but necessary to get the algorithm to work. And, from the perspective of what you should use, even the strongest attack so far (if it even works) on AES is harder than brute force on triple DES.

## ... but crypto is mathematical (Score:2)

The way you crack these algorithms is to throw mathematicians at them until some of them stick. Once you've done that, if there's anything left to bother with, then you can figure out how many processor cycles you'd need to throw at the problem to break it, and decide whether that's feasible.

If your conclusion is that it's not feasible to break, then you need to decide whether to use rubber-hose cryptanalysis to get the key, or steal the target's computer where they saved the unencrypted version, or look for the yellow sticky notes next to their desk, or put a camera in their ceiling to watch them type in their keys.

## Re:Maybe? (Score:3, Informative)

Since when has any crypto been considered even remotely permanently unbreakable?Since the one-time pad [std.com], that's when. This has been mathematically proven, as well, as early as 1910 or 1920, if I remember well.

OTOH, it is true that a one-time pad is

symmetric(sp?) crypto. modern crypto, such as AES, DES, Serpent and others mentioned in Cryptogram are assymetric, and, as such, more susceptible to cracking methods.## Re:Maybe? (Score:2, Informative)

modern crypto, such as AES, DES, Serpent and others mentioned in Cryptogram are assymetricAES and DES are symmetric. Serpent probably is too, inasmuch as it was an AES finalist.

## Re:Maybe? (Score:3, Informative)

## Re:Maybe? (Score:3, Interesting)

Since these are all symmetric, key distribution must either happen over another channel, or through a public key exchange method, all of which (AFAIK) use asymmetric algorithms. I don't know that I'd say that asymmetric algorithms are more susceptible, though. The biggest disadvantage to those algorithms is that they tend to require a lot more computing power, and one of the goals of the NIST AES contest was to provide an algorithm that would be implementable on really small platforms, such as embedded devices and smart cards. In fact, one of the best traits of Rijndael is that it seemed just as secure as the other entries while remaining very simple. It has been implemented on a few small 8-bit microcontrollers, and, when optimized, can take as little as 32 bytes of state (RAM).

## Re:Maybe? (Score:2)

OTOH, it is true that a one-time pad is symmetric (sp?) crypto. modern crypto, such as AES, DES, Serpent and others mentioned in Cryptogram are assymetric, and, as such, more susceptible to cracking methods.In theory it may appear that asymmetric ciphers are easier to break, because the attacker has more information -- the public key, which has a known mathematical relationship with the private key. However, the relationships between the keys are based on hard problems in math. In most cases, finding a way to determine the private key from the public key would constitute a major advance in mathematics, and one that has defeated mathematicians for centuries.

Symmetric algorithms, on the other hand, are not based on unsolved math problems, but rather on piling up carefully-chosen linear and non-linear operations until the result is too complicated to unravel. The papers referenced describe some new tools for modeling such complex structures, and claim that the new tools can unravel them far enough to produce a better-than brute force attack with very few known plaintext/ciphertext pairs.

To sum up: asymmetric crypto systems rely on the fact that we have no known method of solving the mathematical problems on which they are based. Symmetric crypto systems rely on the fact that we have no mathematical tools known to be capable of unraveling such complex sequences of simple operations.

In both cases, the ciphers can fall to new mathematics, and there's really no reason to think one is more likely to fall than the other.

## Re:Maybe? (Score:2)

Beyond that, all crypto is considered breakable - the question is the amount of computational effort required. A "perfect" cypher will require each possible key to be checked and each with have an equal chance of being correct (and of being wrong). A "broken" cypher allows a considerable shortcut in the process of discovering what it has been used to encrypt. This shortcut may cut the time required in half, it might make it happen only 5% faster. The question to be asked is: is the person who wrote the paper stating an insecurity correct? How much of a risk is it?

According to CryptoGram, this attack is expected to take a large nominal amount of known plaintext, and hence might not be that risky after all. I personally like Blowfish better anyway :)

## Re:Quantum cryptography (Score:2)

key distribution problemIf we get quantum computers and quantum cryptography, it will be the end of public key cryptography. We will need to exchange the initial keys face to face. The keys will not be used for encryption but rather integrity, which is a requirement for quantum cryptography to work. Obviously we will need to use unconditionally secure message-authentication-codes on our messages. Luckily the key needed for integrity does not grow linearly with the key size like keys needed for confidentiality.

This means that once we have exchanged the initial keys, we can just append new key material to our messages whenever we send quantum encrypted data. This will provide us with a key for integrity the next time we need to communicate.

To be very secure, I would not like to use a fixed key size for all future communication. I'd rather increase the key size by a few bits whenever a message is being exchanged. With a fixed key size, the chance of breaking the system will converge toward 100% as the number of attempts converges toward infinity. With a growing key size, the chance of every breaking the system will converge toward a small number, that is exponentially small as a function of the initial key size.

This still leaves the DoS problem. An attacker might just keep messing up the messages until we run out of key material for signing messages. I see no solution other than keeping a lot of key material ready for the future, and not keep trying too many times in a short period of time if we keep seeing false signatures.

Even though we have no public keys, we can still build up trust networks. If Alice has already exchanged keys with Bob and Charlie, Alice can do the key exchange for Bob and Charlie. Of course this will only work if Bob and Charlie trust Alice. But if Bob and Charlie has exchanged keys with different middlemen, they can once send messages signed with all their keys. Unless all middlemen are corrupt, Bob and Charlie will discover any invalid key.

## Re:Quantum cryptography (Score:2)

Even if he only has some of your messages ... say for example he is missing a message where 8 bits are added to the key. He knows your 160-bit key but needs your 168-bit key. Guess what? He only has to break an 8-bit key, which can be done on the Atari 2600 in his basement.You missed the point.

Adding bits does help. And breaking the system is not about just trying the possible combinations. You cannot decrypt the quantum encrypted data, your only chance of breaking the system is forging a message from one of the two parties during the communication. You cannot just try all possible keys, you have only one try. If you send an invalid message, it will be discovered.

And when talking about adding a few bits every time, I talk about a few bits larger key. All the bits in the new key are brand new random bits. So basically you will have to start all over again every time you try. And every time you try, your chance of breaking the system is smaller than last time you tried.

## Re:This was completely predicable because... (Score:4, Informative)

Umm... you might be a little confused as to how AES was selected. AES selection criteria were public, as were discussions on the strengths (and weaknesses) of finalist algorithms. In addition, I know two of the AES conference program committee personally, and believe that had the NSA attempted any shinanigans, they would have been resisted and/or reported loudly.

These knee-jerk reactions to the NSA being evil really are counter-productive. Of course there are evil people in the US Government; there are evil people in every walk of life. I just don't think there are enough evil people in the NSA to conspire against the "good" people in the NSA.

You might be too young to remember, but back in the 70's there was a big commotion about the NSA modifying IBM's original S-Boxes. Many people at that time claimed very loudly that the NSA was inserting a back door into the algorithm. The NSA was pretty tight-lipped about why they made these changes; I think they still are, BTW. As it turns out, the original IBM S-Boxes were more succeptable to differential cryptanalysis than the ones the NSA reccomended for use with DES.

Remember that the NSA has a dual mandate. First, it is supposed to intercept, decode, and/or decrypt foreign elint intercepts. This is one of the reasons why they're one of the largest employers of foreign language specialists. Second, they are supposed to develop technologies to protect US national interests. The two missions sometimes conflict, but ever since Herb Lin at the National Academy of Sciences published his report on why it is in the US' national interest to allow widespread use of strong crypto for domestic applications, most (if not all) of the NSA types I've encountered have supported the development and use of strong crypto.

Of course, there are federal groups that like to sneak into people's homes and install keyboard sniffers. But, if that is going to be your law-enforcement surveilance technique of choice, why bother forcing bad crypto on the populous?

## Re:Sounds like sour grapes... (Score:3, Insightful)

I was in contact with the Twofish team during their candidacy concerning some work I had done on an improved instruction sequencing. One member of the team told me they figured rinjy was the most elegant proposal and that they would be very happy to see it prevail. Sure, they wanted to win. But more than that, they wanted the security industry to adopt a solid foundation.

There are times when Bruce has struck me as shrill or biased, but this isn't one of those times. What he's dealing with here is the very deep theme about whether the world's cryptographic fraternity is capable of sensing the right turn more often than not. If the wise men can't lead us to paradise, who can?

I'd say that's an issue worth talking about.

## Re:Well... If AES isn't sufficient... (Score:2)

I suppose some of you *cough*the moderators*cough* didn't get it?