Forgot your password?
typodupeerror
Security Encryption

NSA Announces New Crypto Standards 220

Posted by Zonk
from the less-tasty-crackers dept.
Proaxiom writes "This week the NSA announced the new US government standard for key agreement and digital signatures, called Suite B. Suite B uses Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Menezes-Qu-Vanstone (ECMQV) for key agreement, and Elliptic Curve Digital Signature Algorithm (ECDSA) for signature generation/verification. This shouldn't be too surprising given that the NSA licensed Certicom's EC patents for $25 million last year. ECMQV is patented by Certicom. ECDH and ECDSA appear to be generally unencumbered."
This discussion has been archived. No new comments can be posted.

NSA Announces New Crypto Standards

Comments Filter:
  • WTF? (Score:5, Funny)

    by Kesh (65890) on Sunday March 06, 2005 @05:55PM (#11861151)
    That's a helluva lot of acronyms. Talk about encoding!
    • Re:WTF? (Score:3, Funny)

      by Kesh (65890)
      ... I got first post and it got modded 5, Funny?

      I need a life. n.n

    • With names like ECDH, ECMQV, and ECDSA, the NSA must be taking naming cues from Mxyzptlk.

      Frankly, I don't think these algorithms will really catch on, their names aren't near as sexy as "RSA" or "SHA".
  • ECMQV broken (Score:5, Interesting)

    by Anonymous Coward on Sunday March 06, 2005 @05:56PM (#11861163)
    ECMQV has been partially broken [bris.ac.uk] -- I'd be wary of using it in any standards.

    Would any cryptographers here care to comment?

    • Re:ECMQV broken (Score:5, Insightful)

      by Anonymous Coward on Sunday March 06, 2005 @06:19PM (#11861326)
      One presumes that any encryption standard the US is going to reccomend has in fact been broken by the NSA or other security organzation. The US has been very clear that it does nto want its citizens of anyone else in the world to use encyption that the US cannot break.

      So i would posit that the standard has already been broken by someone, and, if need be, can be decrypted as needed. Perhaps it won't be cheap, but it will be possible.

      • Re:ECMQV broken (Score:5, Interesting)

        by bluGill (862) on Sunday March 06, 2005 @07:45PM (#11861833)

        You would presume that. However it is important to recall that the NSA made changes to the original DES standard that made it more resistant to differential attacks, something that the rest of the cryptography world wouldn't "invent" for 15 years or so.

        I know for a fact that several government agencies (Those three letter names before homeland security) used DES encryption for a lot of stuff 10 years ago, because I worked for a company selling it. (We couldn't tell you who they were, but there are only so many places where you can tell someone what city you are going to but not what organization[1]) I also can't tell you what level of security our products were trusted to.

        Course the NSA also shortened the key to 56 bits. So this isn't a clear case of them helping against their interests.

        [1]Not the IRS, we sold the IRS some stuff too, but AFAIK no encryption. Several engineers "regretted" not putting a backdoor in after they learned the IRS was sending tax data with our equipment.

        • Re:ECMQV broken (Score:3, Informative)

          by cynic10508 (785816)

          You would presume that. However it is important to recall that the NSA made changes to the original DES standard that made it more resistant to differential attacks, something that the rest of the cryptography world wouldn't "invent" for 15 years or so. Course the NSA also shortened the key to 56 bits. So this isn't a clear case of them helping against their interests.

          Well, yes and no. The actual key is 56 but the entire length is 64 with the 8 bits of parity. That parity was important back in the day

          • Re:ECMQV broken (Score:4, Insightful)

            by Martin Blank (154261) on Sunday March 06, 2005 @10:08PM (#11862561) Journal
            No, they bring in the musicians for the social graces.

            This is an eternal quandary, though. If the NSA can't break it easily, then it's considered good. But if the NSA says they approve of it, then it's considered suspicious at best. However, the NSA has to approve of most (all?) of the encryption standards used within the government, and much of the government cannot be trusted to not open their yap at some point, so they have to provide a list of algorithms that they not only approve of, but which are theoretically extremely difficult or impossible to break, even by allies, some of whom have their own incredibly gifted cryptography labs.

            What do you do? What do you do?
        • Re:ECMQV broken (Score:5, Insightful)

          by Simon Garlick (104721) on Sunday March 06, 2005 @10:00PM (#11862513)
          As Schneier said,

          "Algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations."
      • Re:ECMQV broken (Score:5, Insightful)

        by Coryoth (254751) on Sunday March 06, 2005 @08:15PM (#11862031) Homepage Journal
        One presumes that any encryption standard the US is going to reccomend has in fact been broken by the NSA or other security organzation. The US has been very clear that it does nto want its citizens of anyone else in the world to use encyption that the US cannot break.

        And likewise the US has been very clear that it does not want its government, military, businesses using an encryption system that can be broken by other countries. The NSA has 2 roles, Signals Intelligence (which may involve breaking encryption) and Information Assurance (which involves providing secure computing to US government and business). ECC is out there and available, so pretending it doesn't exist just because they can't break it hardly helps them in stopping people using it. That means, from the Signals Intelligence perspective ECC is a moot questions, breakable or no. Export controls make little difference considering the company (Certicom) with all the patents on ECC (hundreds, literally) is Canadian. On the other hand, if it is good, strong, and secure, then it is entirely sensible for the Information Assurance arm to promote it as a standard for US business. Let's be honest, RSA has looked weak the last couple of years. You could just as easily claim that this announcement is an effort to move US government and business to a more secure system. Maybe this announcement means that the NSA knows how to break RSA, and figures other countries either know too, or will figure it out soon.

        In short, there is no reason to expect that the NSA can break ECC, and to claim otherwise is just shotting your mouth off with absolutely zero basis. There are other perfectly good explanations, why not consoder them instead/as well?

        Jedidiah.
      • We're not talking about black boxes, are we? We're talking about algorithms which can be analysed and all backdoors may be brought to light by independent researchers.
    • Re:ECMQV broken (Score:5, Interesting)

      by Coryoth (254751) on Sunday March 06, 2005 @06:27PM (#11861381) Homepage Journal
      ECMQV has been partially broken -- I'd be wary of using it in any standards.

      Would any cryptographers here care to comment?


      The paper itself isn't online, so I can only judge from the abstract. It does sound like a reasonable approach (on a completely cursory inspection), but there are a lot of details there, and I am a little unfamiliar with some of the stuff they reference.

      As to how severe the break is: they claim they've reduced the complexity from O(q^{1/2}) down to O(q^{1/4}). Now I presume that q here is referring to the characteristic of the finite field that the curve group is over (I'm guessing, I would have to read the paper to know for sure - they don't say - but this is the logical choice). That is, of course, in cryptographic terms fairly significant. In practical terms most serious ECC implementations are using q in the order of 2^200 or more, so it doesn't necessarily represent a serious compromise.

      As I say, with only the abstract to go on I really can't comment much. It does look interesting, but I would have to see more.

      Jedidiah.
      • Where you say "characteristic", I take it you mean "order"? These curves are usually built over a field of characteristic 2.

        Wish I could get hold of the paper. I'm astonished that the NSA would approve a standard that didn't have a tight reduction to the underlying problem though.
    • by Anonymous Coward
      If someone with the resources to break ECMQV really wants my info, they probably also have the resources to Abugharab and get me to give them my keys through other means. Having encryption just hard enough that my ISP can't spy; but weak enough that anyone really powerful can still break it _enhanses_ my safety -- because anyone who breaks it will see I have nothing significant to hide anyway.
      • by Dwonis (52652) * on Sunday March 06, 2005 @06:49PM (#11861533)
        Are you aware that any above-average worm-writing criminal has more computational resources at his/her disposal than an an average government agency? Criminals are able to leverage the computing power of zillions of vulnerable Windows machines to break your data. White-hats and spooks typically aren't.
        • General purpose CPUs are generally not very good at decryption. What is required is a large vector unit. The NSA runs specialist hardware containing large arrays of 1024-bit vector processors. This kind of thing is orders of magnitude more powerful than a bot-net for cyptographic tasts.
  • Huh? (Score:3, Funny)

    by FiReaNGeL (312636) <fireang3l@nOsPAM.hotmail.com> on Sunday March 06, 2005 @05:57PM (#11861167) Homepage
    Does this mean that we're more secure? Or our data? Or theirs? Or something? Does it means anything at all? Do we really exist? What will I eat for supper?

    I JUST DON'T KNOW!

    • Re:Huh? (Score:2, Informative)

      by nkh (750837)
      Your data will be OK (well, I hope). But the article forgot to say that SHA and AES were also included in this "Suite B."
    • Re:Huh? (Score:5, Insightful)

      by Coryoth (254751) on Sunday March 06, 2005 @06:16PM (#11861304) Homepage Journal
      If you really want to read anything meaningful into NSA Information Assurance people throwing their weight behind Elliptic Curve Cryptography, you should consider that maybe that means they consider RSA and standard Diffie-Hellman public key systems to be weak and potentially borken some time in the near future. Now RSA has been looking shaky for the last year or two - it hasn't been broken for key sizes in use, but various improvement and speedups for the Number Field Sieve have made it look a lot more vulnerable. Ordinary Diffie-Hellman possibly being judged a little weak is more interesting.

      Jedidiah.
    • Re:Huh? (Score:5, Funny)

      by bcmm (768152) on Sunday March 06, 2005 @06:23PM (#11861350)
      The NSA is secure. You are not secure, the NSA ()\/\/|\|Z your computer, and possibly your mind. I exist, but I can't prove it. You might not exist, you might be a highly unlikely bug in Slashcode. My advice to you, if you exist, or even if you are just a bug, is to eat lots of cheese for supper, possibly in a pizza, unless you are lactose intolerant.

      I hope life makes more sense now. I can hear digeredoo music.

      I just re-read that. I need sleep.
  • Wow... (Score:5, Funny)

    by nuclear305 (674185) * on Sunday March 06, 2005 @05:57PM (#11861168)
    "ECDH and ECDSA appear to be generally unencumbered."

    Except for their names, of course...
  • by mg2 (823681) on Sunday March 06, 2005 @05:57PM (#11861169)
    All elliptical curve math, unfortunately, falls under Microsoft's patent on all things curvy or mildly resembling a circle. =\
  • Wait, what? (Score:3, Interesting)

    by FireballX301 (766274) on Sunday March 06, 2005 @06:00PM (#11861198) Journal
    AES and Secure Hashing Algorithm also are included in Suite B.

    Weren't the SHA algorithms broken? Or, at least, SHA-1?
    • Re:Wait, what? (Score:5, Informative)

      by clap_hands (320732) on Sunday March 06, 2005 @06:17PM (#11861313) Homepage
      You can find collisions for SHA-0 faster than expected, and it's claimed that you can do the same for SHA-1 (the attack hasn't yet been published, but it's pretty certain to be genuine). The SHA-2 algorithms (that is, any of SHA-224, SHA-256, SHA-384, or SHA-512) remain uncompromised. See: SHA article on Wikipedia [wikipedia.org].
    • by Sycraft-fu (314770) on Sunday March 06, 2005 @06:36PM (#11861440)
      People keep using the term "broken", as though SHA is no longer useful, that's not the case. SHA-0 and 1 are still perfectly useful hashing systems. The fact that there are collisions means nothing, that is a known property of hashes.

      Finding a hash collision, is a bitch however. Hash functions, by their nature, aren't reversable, so that means that you have to sit and try and brute force a collision. You take the value you want, and just keep hashing data until finally after a number of tries that needs exponential notation to express, you find a collision.

      What has happened is that a group has shown how to find a collision in the hash faster than just by brute force for SHA 0 (and also 1 they claim). So it takes a lot less work to find a collision. Now that's a relitive term, it's still a ton of processing time. What's more, just finding a collision does you no good in most cases, a bunch of random garbage won't be mistaken for a genuine message even if the hashes match. You need to generate a message that has the same hash, and is also a plausable replacement. That's a hell of a lot harder to do and requires a LOT more computation.

      So SHA hasn't been broken in that it's not usable, it's just been shown to be not as strong as previously thought, you can find a collision faster than by straight brute force. It still takes a long time, it's just not as long as you'd predict based on hash size.

      However, in this case, they are talking about the new SHA-2 standards, which remain unbroken.
      • SHA-0 and SHA-1 may be useful for your non-cryptographic application. However, it's hard to see that there's any cryptographic purpose you'd recommend them for.

        For a lot of purposes, we rely on our hash functions having basically no "interesting" properties at all. An algorithm for finding collisions faster than brute force can only exist if the hash function has "interesting" properties. This violates our assumptions about what we can do with the hash function. There aren't many cryptographic applicat
  • Good encryption? (Score:4, Interesting)

    by Husgaard (858362) on Sunday March 06, 2005 @06:00PM (#11861200)
    What they are now recommending is believed to be state-of-the-art, and practically unbreakable.

    If this really is the case, this would cause them problems eavesdropping.

    So the question remains: Have they found a successful attach on ecliptic curves, or have they finally seen the light and realized that strong encryption is good for society?

    • by OverlordQ (264228)
      OK seriously enough of this tinfoil/conspiracy theorist crap. If the NSA wanted info from Group Foo, they'd say "Hey group foo, we need some info about bar" instead of "Hey group foo, implent algo quux for your security. *waits for how long it gets them to implement*, *waits for important info to get transmitted* *waits even more time to crack cipher*"
      • OK seriously enough of this tinfoil/conspiracy theorist crap.

        I don't think that somebody deserves this label just because they are realizing that the interests of a government agency is different from the interests of the general public.

        Think about the past of NSA.

        They kept recommending DES until somebody else (amateurs in this regard) demonstrated that it was possible - and relatively cheap - to break DES by brute force.

        And their intent to be able to eavesdrop was even more obvious with the Cli

    • Re:Good encryption? (Score:5, Informative)

      by Coryoth (254751) on Sunday March 06, 2005 @06:11PM (#11861271) Homepage Journal
      So the question remains: Have they found a successful attach on ecliptic curves, or have they finally seen the light and realized that strong encryption is good for society?

      Technically fully half the NSA's job is Information Assurance, which is to say providing strong crypto and information security solutions to US governemnt and US companies. It was the Information Assurance people that provided us with SELinux as a demo of how a secure system could easily be achieved just working from a commodity OS. They are supposed to believe that strong encryption is good for society - US society anyway.

      Jedidiah.
    • Re:Good encryption? (Score:5, Informative)

      by Alsee (515537) on Sunday March 06, 2005 @06:29PM (#11861397) Homepage
      I'm generally about the last person who would say "trust the government", but the NSA has a proven track record of giving GOOD encryption advice in their public announcements. They have recommended minor changes to encryption and hashing algorithm standards that, several years later, were discovered to make them signifigantly harder to crack.

      -
      • the NSA has a proven track record of giving GOOD encryption advice in their public announcements

        [tinfoil] But that's just what they want us to believe... [/tinfoil]

    • by Sycraft-fu (314770) on Sunday March 06, 2005 @07:44PM (#11861819)
      Well offically and apparantly, the NSA gave up on trying to keep good crypto out of the hands of the public some time ago. The US government even changed offical policy allowing for stronger crypto exports, since you could get the same crypto from non US sources anyhow.

      I wouldn't say you should really trust them more than any other crypto group, but look at it this way: These alogrithms are public and known. The NSA, though a big employer, doesn't even begin to have all the math and crypto people in the world. These things get looked at by people from all across the world, and the findings are published.

      Basically, I trust that these are strong, because the international crypto community says so. If the NSA also throws in on it, great, I regard their opinon up there with a major university with good researchers in this field.

      I mean I suppose it's theoretically possible that the NSA has discovered a break that no one else has, and it's obscure enough they believe that no one ever will discover it. Remember for it to be of value it has to be broken, but people have to think it's not. If someone discovered a break the NSA knew about people would stop using the crypto, and the NSA would take a major reputation hit. So while that's possible, I guess, it's pretty far fetched and sounds like pure AFDB land to me.

      I'm betting that yes, it really is good crypto. The NSA and US government seem to have acnowledged the fact that there are smart people all over the world, and they'll develop and distribute good crypto. Nothing the NSA can do to stop it, so they might as well get with the program, make use of it, and recommend it to help protect American assets.

      Other countires (which are what the NSA is concerned about, they are for foreign spying, not domestic) will get good crypto, like it or not. So they just have to deal with that, and they might as well make sure Americans have it as well. The answer to dealing with it then comes from the CIA and human intelligence. The NSA captures the encrypted data, the CIA supplies the key.
      • I wouldn't say you should really trust them more than any other crypto group, but look at it this way: These alogrithms are public and known. The NSA, though a big employer, doesn't even begin to have all the math and crypto people in the world. These things get looked at by people from all across the world, and the findings are published.

        This is why it's so good to have algorithms like these published: they can be examined by others, tested by others, and their security (or lack thereof) can be establi

    • Who god damn moderator mods these clueless looneys up?
      Go read a book on crypto.

      Suggested: Applied Cryptography. Everything explained so that anyone with opposable thumbs can get the gist.

      Answer is: Neither
      They just have seen that it's pointless to fight against the windmills. (I don't now if they actually want their recommendations to be public, but it seems they pretty much have no choice.)
  • by Brock Lee (648954) on Sunday March 06, 2005 @06:02PM (#11861216)
  • Goverment is slow (Score:2, Informative)

    It's about time, the Government is so slow to announce standards. Suite B has been in the works for years now. ECDH and ECMQV were invented and refined in the 90's. Maybe they were waiting on the ECDSA? Certicom licensed it to the NSA last year, but they waited this long to ratify the standard. Now that they have the standard how long will it be before they employ the technology.
  • by MrAsstastic (851637) on Sunday March 06, 2005 @06:03PM (#11861224)
    "In a surprise announcement the RNC has announced it is bankrupt, but not everyone is going begging. Greenpeace, The United Negro College Fund, Amnesty International, and other charities announced *record* earnings this week. Due mostly to large, anonymous donations." NO MORE SECRETS
  • ECC: What and Why? (Score:5, Informative)

    by clap_hands (320732) on Sunday March 06, 2005 @06:09PM (#11861258) Homepage
    Elliptic curve cryptography [wikipedia.org] is (if you squint your eyes) a translation of older crypto techniques onto slightly more exotic mathematical objects. Rather than (say) integers modulo a prime, ECC uses a group of an elliptic curve [wikipedia.org] over some finite field. But the new techniques are analogous to the old: Diffie-Hellman, ElGamal, DSA. The advantage is meant to be that keys can be a lot smaller for an equivalent level of security.
  • And I was just getting the kinks out of a usb powered enigma machine to provide encryption for online banking. I mean damn? Who could ever crack enigma?
  • HAH! (Score:2, Funny)

    by Tufriast (824996)
    1. Steal half-broken encryption process that has an impossibly hard name to say. 2. ???? 3. Profit!
  • Makes you wonder... (Score:3, Interesting)

    by chill (34294) on Sunday March 06, 2005 @06:29PM (#11861394) Journal
    Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

    -Charles
    • either they know a new way, or they have some CPU cluster hard wired to be Really Freaking Good(TM) at prime factorization.
      • I'd guess the latter (Score:3, Interesting)

        by Lifewish (724999)
        If I recall correctly (please, someone tell me if I'm wrong), easy prime factorisation is a problem of a specific class - the P=NP problems.

        Basically, the P=NP conjecture says that, if it's easy to prove, it's easy to solve. So, for example, it's easy to check that a jigsaw has been completed correctly, but jigsaws seem hard to solve. A proof of the conjecture would imply that there is in fact an easy (mathematically speaking) way of solving jigsaws.

        The interesting thing about the conjecture is that a pro
        • by LnxAddct (679316)
          In the 1970's it was estimated that the NSA is at a lower bound 50 years more advanced in mathematics then society and 200 years for an upper bound. This notion was reinforced when they protected DSA from differential attacks 15 years before anyone even knew such a thing existed. There were other algorithmic changes made that people still haven't found the significance of.
          Regards,
          Steve
    • Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

      Yeah I can do large prime factorization in my head. But I'm sure as hell not telling anyone else how to do it.

    • by Coryoth (254751) on Sunday March 06, 2005 @07:12PM (#11861667) Homepage Journal
      Perhaps does the gov't know of a "quick" way to do large prime factorization unknown to the rest of us? With RSA resting so heavily on big primes, it would be uniquely vulnerable to something like a new way to do factorization.

      Actually factorization has been looking a little weak for the last couple of years. There hasn't been any big breakthrough, and 1024-bit (and up) RSA isn't exactly broken right now, but there have been a steady number of papers that have offered various improvements to the basic Number Field Sieve algorithm (such as Dan Bernstein's facorization circuit [cr.yp.to]) that it is beginning to look as if it is merely a matter of time before at least 1024-but RSA is considered insecure.

      Certainly if you have enough compute power the present NFS with improvements will be good enough to break RSA keys out. The NSA is not exactly lacking in potentially dedicated compute power.

      Jedidiah.
  • This is good news (Score:4, Insightful)

    by NemesisStar (619232) on Sunday March 06, 2005 @06:40PM (#11861460)
    While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.

    The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods. Instead of using discrete logarithms, elliptic curves use the fact that you need to know three things to be able to get a curve. Two points in space and formula that describes the curve in reference to these points.

    The most important thing about these standards being made official is not that they are unbreakable. It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography. (Quantum computers will be very good at solving discrete logarithms)
    • Re:This is good news (Score:5, Interesting)

      by Coryoth (254751) on Sunday March 06, 2005 @06:57PM (#11861585) Homepage Journal
      The good thing about elliptic curve methods for cryptology is that they have a completely different "hard" function to our current cryptographic methods.

      I'm not sure what you mean here. ECC protocols and standard Diffie-Hellman both rely on the hardness of solving the Discrete Log Problem over a finite group. All ECC buys you over standard Diffie-Hellman is a different group (the group formed by the set of points of the curve over some finite field), for which known methods for the discrete log problem are extremely (maximally, in theory) inefficient.

      It is that there is an alternative cryptographic method out there, that should quantum computers be invented tomorrow, we would still have an effective method of cryptography.

      Not true in the least. The protocols in Suite B are Elliptic Curve Diffie-Hellman, and Elliptic Curve Menezes-Qu-Vanstone (which is essentially a extended/more complicated version of Diffie-Hellman). Both are entirely useless in a situation where the Discrete Log Problem is easy. As there exists a quantum computing algorithm than solves DLP incredibly efficiently it is safe to say that in the advent of Quantum Computing these protocols will be rendered completely useless.

      While marking work as a tutor at my university, I was lucky enough to be marking with somebody who has written a thesis on the subject.

      I think perhaps he's been having some fun at your expense.

      Jedidiah.
      • It's been a while since I've read up on quantum computing. You mentioned that there is a 'quantum computing algorithm that solves DLP incredibly efficiently.' Is this Shor's algorithm? My gut instinct was that Shor's algorithm factors integers quickly, but I never thought of it as a DLP solver. Or is this just a case of mapping factoring to a DLP problem?
        • Shor's algorithm is indeed for factoring. There is another algorithm for the DLP. I don't know too much about it, as Quantum computing isn't my field. I just pay attention when told things like "DLP is not secure under Quantum Computing". Sorry I couldn't be more informative.

          Jedidiah.
    • There seems to be a lot of misinformation being moderated up in this thread. How exactly did this get moderated to +4 Insightful? This is about the fourth comment I've seen that's been moderated up for spouting what amounts to complete and utter drivel.

      Someone further up provided a good link to the ECC page on Wikipedia. Perhaps a few of the mods could go and read that before using up their points. It might save us from swimming in uninformed bullshit.

      Jedidiah.
  • by Anonymous Coward on Sunday March 06, 2005 @07:12PM (#11861666)
    When I was an undergrad at the University of Waterloo (located in Waterloo, Ontario [Canada]), I had the benefit of having both Alfred and Scott as professors.

    Alfred [uwaterloo.ca] taught C&O 487, which is Applied Crytography. He is an excellent lecturer and actively involved in the crypto community. His level of intelligence, professionalism, and kindness never cease to amaze me.

    Scott "taught" C&O 331, which is Coding Theory. He's a down-to-Earth kind of guy, who really didn't know how to teach a class, but boy did he sure know how to simplify tough concepts. His trademark is that he's what we called a "celebrity professor". He never used his office (located at St. Jerome's on campus) to the point where if you looked through his window, you'd never see him there, and everything would be packed up in boxes. His computer was never hooked up and chairs were stacked up such that no one could actually sit down with him and have a conversation :).

    He was a celebrity professor because he worked at Certicom, and was one the company's original founders [certicom.com]. He was paid the highest amount out of any C&O professor at the University, and barely ever made it to teach class. He'd spend the day at Certicom instead, and send one of his grad students over from Toronto to Waterloo (despite the weather, since Coding Theory is only available in the Winter term) to teach the class. Sometimes, when there were no grads available to do his teaching duties, he'd ask Alfred (who wrote his PhD under the supervision of Mr. Vanstone) to fill in. Whenever Alfred taught the class I learned 200% more than if Scott were to teach the exact same material.

    All that aside, it's nice to see these two fellows get their name in bright lights after all of their hard work throughout the years.
  • by ca1v1n (135902) <snookNO@SPAMguanotronic.com> on Sunday March 06, 2005 @08:57PM (#11862221)
    The obvious conclusion to draw from this is that the NSA is capable of very fast (maybe near-polynomial) factoring. Think about it. They changed the sboxes in DES, and decades later an attack was found against everything but a small class. They rolled out SHA-1 to replace SHA-0, and decades later SHA-0 was found to be very easy to generate collisions for, much more so than SHA-1 is. Now they're pushing elliptic curves for asymmetric crypto, though they've been resisting pushing RSA for a long time. An alternative explanation is that RSA alone is insecure, but if that were the case, they'd probably have suggested an improvement by now.
  • Key agreement (Score:5, Informative)

    by ebvwfbw (864834) on Sunday March 06, 2005 @11:29PM (#11862957)
    Everyone, what is proposed is the key agreement algorythm. Please don't confuse this with the encryption method. I see a lot of messages that are misleading on what this is.

    WTH is it? When a key needs to be exchanged between two machines (like two routers for example), a mutually agreed upon key must exist no matter which encryption you use - blowfish, aes, des, and on and on. The idea is that only the two machines would know what the real key is and it is done automatically.

    Diffy-helman has been used for decades (Patent expired in 1997) for this and can be found as close as your nearest cisco router that has encryption enabled. The new algorithm adds a few new twists to it. Those twists may make the key easier to crack, however. Buyer beware, don't bet your life on a mutually agreed upon key like that. Be sure your keys are very secure. This goes for the so called quantum encryption channel as well. I don't think it is as secure as they say it is.

    However for most all of us in the world this is perfectly safe for digital signature encrypted data. If you have a need to be absolutely sure a signature is valid, don't use the network. Get it on paper.

"Never ascribe to malice that which is caused by greed and ignorance." -- Cal Keegan

Working...