Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Encryption Security

AES Announced as Federal Standard 267

Posted by michael from the government-gets-better-locks dept.
chekhov writes: "Today NIST has finally announced AES (Advanced Encryption Standard) as a Federal Standard after 4 years of development. See the press release. AES is the replacement of DES and is expected to be used in financial systems and secure networks for up to 20 years. More information on the AES homepage."
This discussion has been archived. No new comments can be posted.

AES Announced as Federal Standard More

AES Announced as Federal Standard

Comments Filter:

  • Rijndael (Score:3, Funny)

    by wildsurf ( 535389 ) on Wednesday December 05, 2001 @06:41AM (#2658862) Homepage
    In 20 years when the encryption is broken, will we then find out what "Rijndael" really means?
  • The article assures us that even though DES can now be (relatively easily) broken, AES would take umpteen quadrillion years to break (plus or minus).

    I can't help thinking that back when DES was new, they probably told us the same thing.

    Moore's law and all that stuff, but betcha in a decade or so AES is suddenly breakable...!!!!

    • Re:Completely unbreakable...? (Score:1, Informative)

      by Anonymous Coward
      I don't think Moore's law will have any effect
      on cracking AES. Conventional computers will run out of steam long before they get fast enough to crack AES. Quantum computers on the other hand might be a different story.

      However hopefully NIST will simplely issue a new standard if the AES becomes breakable. Like it did for DES.

    • Re:Completely unbreakable...? (Score:4, Interesting)

      by nyjx ( 523123 ) on Wednesday December 05, 2001 @07:06AM (#2658912) Homepage
      Er, The solve time is expondential in the length of the key so moores law won't help you very much. You can happily double your computational power every 18 months but still run out of time before the end of the universe.

      Your better bet is to work out how to solve NP hard problems (or any one) and map it back to the crypto algorithm. But of course you'll be able to do that easily once IBM releases it's first quantum computer....

      • Re:Completely unbreakable...? (Score:5, Insightful)

        by vscjoe ( 537452 ) on Wednesday December 05, 2001 @08:08AM (#2658988)
        Um. If you double compute speed every 18 months, compute power is growing exponentially as well, and you lose one bit of key security every 18 months. It takes years, not eons, to catch up.

        In addition, AES may have problems we don't even know yet. DES turned out not to require brute forcing.

        • DES did not turn out not to require brute forcing. DES turned out to require a search of slightly less than the whole keyspace, but thats still brute force by any reasonalb definition of the word.
        • IF computing speed can continue to double every 18 months, then today's 56 bit key will be roughly as strong as
          • a 128 bit key in 108 years
          • a 192 bit key in 204 years
          • a 256 bit key in 300 years

          But that is a huge "if".

          I recently did a study of future trends with regard to processors. Let me sum up ....

          Processing speeds are currently limited by charge dissipation (no pun intended). Charge dissipation is related to feature (transistor) size. It is a hard fact that feature size can only shrink at the Moore's Law rate for about another 12 years before we get transistors that are only a few molecules thick.

          I'm not saying that it will be impossible to continue with efficiency gains beyond that point. But who's going to pay for the research to continue at such a break-neck pace?

          Perhaps, I am being short-sighted, but I think we are starting to see a slowing of the demand for ever-faster technology.
          Graphics-intensive games are staying on store shelves for years, instead of months. Even Microsoft is having a hard time making software that is bloated enough to demand the latest hardware.

          Developing new processor technologies is horrendously expensive. Unless there is sufficient demand for faster processing speed, it will simply not be viable for companies to research the technology.

          Okay, I spoke my mind. Flame on!

          • I didn't make any claims about whether Moore's law holds. I simply pointed out that if it holds, it doesn't take until the "end of the universe" to catch up with larger key lengths because Moore's law is exponential, just like the thing it's trying to catch up with.

            As for whether Moore's law will actually fail in 12 years or not, that remains to be seen. Looking at current processor designs tells you nothing about that: current processor and systems designs should have been abandoned decades ago. The only reason we still stick with them is because it has been easier to push processes than design. I very much hope we'll hit the limit on processes soon so that we can then focus on getting better performance through better overall systems design.

        • In addition, AES may have problems we don't even know yet. DES turned out not to require brute forcing.

          True, although those were effectively solved with 3DES; hopefully a 3AES won't be needed for a long while.

      • Your better bet is to work out how to solve NP hard problems (or any one) and map it back to the crypto algorithm. But of course you'll be able to do that easily once IBM releases it's first quantum computer....

        Not with present theoretical work on quantum computing, as it's been reported. Yes, they can find factors very quickly, but factorisation is not NP-hard, and nor are any of the other (very few) problems that quantum computers have been demonstrated to be useful for.

        If I recall correctly from my computer security subject at uni, one of the other things that quantum computers can do is help brute-forcing cyphers, but not by nearly as much as you think. I was told it makes the problem equivalent to brute-forcing a key half the length , so brute-forcing a 256-bit key with a quantum computer would take round about the same amount of work as cracking a 128-bit key with a conventional computer. Brute-forcing 128-bit keys is computationally infeasible and will remain so for decades, at least.

        • I tought that the number of possible states in a quantum computer is something around 2 to the power of X, where X is the number of qbits.

          Does the computing power not increase in a similar way?

          If it does, then to brute force a bigger key one just has to use more qbits!!!

          Can anyone who really knows about this confirm or deny it????
          • Okay, so I've only had a couple of lectures on quantum computing, but the were in Prof. Rivest's Network Security class, so the focus was pretty relavent to your question.


            The basic idea with quantum computing is that you can do compuations on all of the possible inputs simultaneously. It appears that some of the problems we'd like to solve with quantum computers may not be able to be expressed efficiently with the quantum operations at our disposal. Someone mentioned in another post that quantum computers don't seem to be able to break block ciphers as efficiently as they can factor large numbers.



            If everything is working properly, the Qbits probably aren't exactly ones or zeroes until you look at them. (In the world of quantum mechanics, particles act differently when you look at them. Look up Schrodinger's Cat on Google if you're not familiar with the basic idea of quantum.) The state of each qbit is a pair of complex numbers, called amplitudes. The square of a magnitude (vector length squared for the spatial thinkers among you. The dot product of a vector and its complex conjugate for those of you that prefer linear algebra.) is a probability.


            The qbit is most likely not totally a 1 or a zero. The qbit is partially a one and partially a zero and these parts are represented as amplitudes. This indertiminant state is called a quantum superposition. In Ket notation we say a qbit is alpha |0> + beta |1> where alpha and beta are those complex amplitudes I mentioned earlier.


            Stay with me. I'm almost done with the stuff that makes your head swell.


            When you observe the qbit, it magically becomes exactly a one or exactly a zero, with probability determined by the amplitudes. Therefore, the sum of the squares of the magnitudes of alpha and beta always add up to one, sonce the probabilities of the qbit being observed as a zero or one must sum to 100%.


            So, what does this all mean? It means that all of your computations are done with the qbits being BOTH zero and one at the same time. (Okay, so you set come of the qbits to specific values in order to control the quantum gates.) This means that with n qbits, it's like doing computation on 2^n data points simultaneously. You set up your computations so that in the end when you look at your qbits, you have a high probability of seeing the correct answer.


            There's a big problem keeping very many qbits in quantum superposition for very long. A random neutrino or other minor disturbance has the same effect as looking at the qbits in mid computation.

      • Er, The solve time is expondential in the length of the key so moores law won't help you very much. You can happily double your computational power every 18 months but still run out of time before the end of the universe.

        Untrue.

        Each bit of key size doubles the computational cost of brute force attack. So AES is 2^(128-56) = 2^72 times harder to break than DES.

        If Moores law continues and computing power doubles every 18 months AES will be broken in precisely 105 years (it being 2 years since the DES cracks).

        I don't know about you, but I have no plans to use AES personally after 2075.

        In practice the quantum limits of silicon computing will be reached earlier, although it may prove possible to move from 2D slices to 3D systems...

    • Re:Completely untrue...! (Score:4, Informative)

      by coyote-san ( 38515 ) on Wednesday December 05, 2001 @12:55PM (#2660142)
      I think you're confused. RSA claimed, in their Scientific American article at least, that their 100-bit key would take millions of years to break. In fact, advances in factoring algorithms (and to a far less extent, raw computing power) lead to it being broken in less than 20 years. Now the minimal recommended key size is 400 bits longer, amd most of us use keys 900 bits longer.

      DES was never expected to have a lifetime longer than 25 years or so. The cryptanalysts who designed DES never heard of Moore's law, and wouldn't have cared about it if they had. They knew that the most important factor was algorithm efficiency, not the raw computing power.

      In fact, a study in Programming Pearls a while back compared the effects of improved algorithms vs. improved hardware speed for several historically hard problems. The results were clear - hardware is getting faster, but you could still run circles around the latest supercomputer running 1960s era algorithms with your PDA running current algorithms. (Okay, the original article compared Crays to TRS-80s, but kids today may not know what a trash-80 is.)

      The only reason computers seem slower is that they're used to solve far bigger problems. People tend to be willing to spend the same amount of time solving problems, and for a given time O(nlg(n)) has a far larger value of 'n' than O(n^3).
  • Who will be required to implement and use the AES?

    The AES is now an approved encryption algorithm that can be used by U.S. government organizations to protect sensitive, unclassified information.

    ...

    Commercial and other non-federal organizations are invited-but not required-to adopt and implement the AES and NIST's other cryptographic standards.


    If I read this correctly, terrorist cells qualify as "other organizations". I couldn't find any mention of export limitations, civilian key strength limitations, or bans on use by criminal organizations.

    What have we done?
    • Absolutely nothing but choose a secure effective cryptographic scheme for important data and transactions. If you think that by imposing legal limitations on the use of cryptography that you will stop terrorists or other unauthorized users from encrypting their data then I would have to urge you to seriously consider your view. The algorithm chosen for AES is not the only secure encryption algorithm out there and it is somewhat trivial to implement a number of highly secure cyphers. Legislation against cryptography generally only means that law-abiding citizens must use insecure methods of protecting themselves.

    • Re:Terrorists? (Score:3, Insightful)

      by sql*kitten ( 1359 )
      If I read this correctly, terrorist cells qualify as "other organizations". I couldn't find any mention of export limitations, civilian key strength limitations, or bans on use by criminal organizations.

      This really is no big deal. There a many high-quality hard crypto techniques around. If al-Queda really want strong crypto they can just FTP it from ssh.com like anyone else. Or PGP. Or OpenBSD.

      But historically, they have relied on codes (as opposed to cyphers), trusted intermediaries and one time pads.

      Here's a free clue for you: terrorists and other criminals, by definition, don't obey laws. So what if there's a "civilian key strength limitation" when you can download the source, change a #define and type make. So what if there's a ban, that's trivial to people who destroy skyscrapers just to make a point. So what if the algorithm is a secret, the US govt. doesn't have a monopoly on talented mathematicians.

      This genie is already out of the bottle. Trying to put it back will only help the terrorists by disrupting and harming the commercial interests of the West further.

      <rant>
      The Feds never really had a chance of keeping crypto out of the hands of anyone, but they were too stupid to realize it, too busy banning metal cutlery in airports and nonsense like that. I am English, have you ever tried to eat a proper English breakfast with plastic cutlery?!
      </rant>

      • The Feds never really had a chance of keeping crypto out of the hands of anyone, but they were too stupid to realize it, too busy banning metal cutlery in airports and nonsense like that. I am English, have you ever tried to eat a proper English breakfast with plastic cutlery?!

        Nonsense. The Federal government accomplished as much as they could, within the constitutional limits by which they were constrained. They have successfully delayed mass-marked crypto to this day.

        Sure, a bad guy can download a crypto package. A bad-guy organization can download a dozen different cryptosystems in less time than it'll take me to write this.

        But my brother-in-law with Windows ME still doesn't use it. And neither does your mom, or your car salesman, or the guy who drives the gas tanker truck for BP.

        As long as 99+% of the worlds e-mail travels unencrypted, Echelon can watch it. Carnivore can watch it. And encrypted e-mail is still easily recognizable for what it is, so it stands out, making traffic analysis easier (which is also legal without a warrant under the PATRIOT act.)

        The DOJ and FBI have so far succeeded masterfully at accomplishing their common goal of preventing a global encryption infrastructure. IPSec, SSL, https:, PGP, etc. are all fine and secure products and protocols, but nothing today is all-pervasive. Encryption only happens on an ad-hoc basis, which has been their goal ever since the genie got let out of the bottle. They have very successfully kept encryption from protecting us to its fullest potential.

        John

      • This really is no big deal. There a many high-quality hard crypto techniques around. If al-Queda really want strong crypto they can just FTP it from ssh.com like anyone else. Or PGP. Or OpenBSD.

        Or code it themselves. Rijndael/AES is a fairly simple algorithm, and only relies on a few "magic numbers" (the 256-byte S-box is generated mathematically). It would be easy for someone with a math or electrical engineering background to memorize the algorithm, then implement it from scratch at a later date without any source code or reference material. It took me an evening to write an AES implementation based on the PDF specification on the NIST website, and it would be faster to re-do it now that I understand how the algorithm works. Does that now make me a "controlled munition"?

        There is no good way to control or restrict the *distribution* of strong crypto. All that can be done is to restrict the *use* of strong crypto, by widespread wiretapping combined with severe penalties for anyone sending messages that can't be cracked or don't correspond to the copy of your private key that you "voluntarily" registered with the government. The government doesn't have to be able to break a terrorist's message, if that encrypted message itself is sufficient cause to throw the "terrorist" in jail with no further communication to the outside world.

        Not that I approve of this, mind you, but it could be done. It might even work, in a theoretical world where law-enforcement officials were all 100% free from corruption or the possibility of bribery/blackmail.
  • I think that its interesting that the US goverment had the guts to thoose a european developed algorithm. Usually those thing goes to US based companies/scientists.

    Heads up for choosing the best solution from a cryptography viewpoint!
    • I think the fact that it's academic (ie from the open peer-reviewed world, well discussed and attacked), plus the fact that nobody in Europe has anything the size of the NSA would helps.
      • Hmmm.. Who broke the german Enigma under WWII, US or England/Poland ? :-)
        • Good man. Someone who gives credit to the Poles as well as the UK for breaking Enigma. So often the Brits get all the credit - Much credit is of course due, but to Brits and Poles.
        • It isn't the 40's anymore. Due credit to the UKs wartime effort, and GCHQ's discovery of PK, but they aren't the size of the NSA - nor should they be.

          I dont know about Poland, but I think it's safe to assume they don't have anything bigger than the NSA either!
          • So size matter ?-)

            Ofcause they are smaller, but the important thing to is to be able to mount the effort when its needed. NSA on the other hand is just "Yet another US goverment office out of control" or in selfcontrol - but out of reach from gov.hill. Nobody in the US goverment dare to touch NSA. Both the NSA and the CIA failed completely 11.sep.
            So what do they need NSA for when cryptography is retreived in Europe, creating secure Linux distributions?
            • So size matter ?-)
              Basically - yes - that is with "all other things being equal". Even if the NSA is "Yet another US goverment office out of control", I don't see (for example) that GCHQ would be any different - except for being smaller ;-)

              Both the NSA and the CIA failed completely 11.sep.
              That's true. However, it's not like GCHQ knew exactly what was going on but didn't bother telling the Americans is it?! Everybody failed.
              • Yeah, but if size matter the failure should be measured in budget fonds and the CIA+NSA gets more money than anyother intelligence organisation in the world.

                But what are we discussion? My primary point was the its nice that the algorithm was thoosing for its design/features rather than what country it was from. One of the analysts (cant remember who) said that no matter who got choosen (from round 2) they would all be a excellent AES, but Rijndael would be the bold choice based on its pure/simple matematical base.
            • Both the NSA and the CIA failed completely 11.sep.

              I think both agencies have successfully delayed or prevented similar activities more times than we can count. Because one set of fucking psychos slipped through shouldn't lessen our appreciation for the other schemes they've stopped so far.

              Not that I'm going to let them take PGP away from me, mind you... :-)

              John

        • Re:European Technology (Score:5, Informative)

          by onion2k ( 203094 ) on Wednesday December 05, 2001 @07:04AM (#2658909) Homepage
          Poland got there first, but when the Germans invaded completely ran out of resources and handed all their research over to England. A lot of work further down the line, and we (I'm English) were breaking the 3 wheel standard Enigma within hours of getting the first encrypted transmissions, thanks to Turing's 'bombes' (electro mechanical decrypting devices).

          However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear.. It was a big team effort.

          Note however, that the 3rd Reich trusted Enigma utterly. They fell into the trap of thinking they were completely secure, and that was the downfall of Enigma, as it would be of any trusted encryption. Encryption by definition is breakable in a certain length of time. The problem with Enigma was that there were backdoors, such as the fact it never encrypted any letter as itself. The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.

          • Re:European Technology (Score:5, Interesting)

            by dimitri_k ( 106607 ) on Wednesday December 05, 2001 @08:01AM (#2658976)

            The security of AES is currently being hailed as the fact it has a key field 10 to the 21 times larger than 56bit DES. Great. Only an idiot would try to brute force it though, so the number of keys is somewhat arbitrary.

            Key length is, of course, vitally important. Understand the Rijndael spec. [nist.gov] before you continue your speculation. Also, many "idiots" try to brute force it [distributed.net]. Effort required to force a key is proportional to the cipher's weakness.

            Less generally, by employing lack of symmetry and a non-linear layer in the cipher, AES pretty much gurantees that you'll simply be searching the key-space at random. If you can come up with a way to do better than a brute force, you should quit your current job.

            The 2^255 Rijandel iterations required to force a 32 byte key is certainly sufficiently secure by todays standards, but historically consistent increases in computing power coupled with increased distributed processing ability due to networked computer proliferation means that keys will have to keep growing to stay resonably secure.

          • Re:European Technology (Score:2, Interesting)

            by Anonymous Coward
            As I understand it, the majority of the Enigma encryptions weren't broken mathematically. GCHQ noted that Enigma was being used for repetitive messages (example: every morning at 6AM a particular transmitter broadcasts an encrypted message, and the plaintext of that message always begins "Aviation weather report 0600 . . . "). Frequently, Turing's bombes were used to rapidly confirm a key derived by working backwards from an assumed plaintext. Additional assistance came from harried Enigma operators who re-used keys, substituted girlfriends' initials for keys, etc.

            The German Navy, on the other hand, was notably more disciplined in the use Enigma. That, more than any other single factor, made it harder to read naval intercepts.

            Useful lesson, in my humble opinion; the encryption method (DES, AES, PGP, Enigma, whatever) is less of a vulnerability than the habits of the person using the method. If my messages always begin with "Dear Mom," and always end with my name, I've introduced an exploitable flaw.

          • Re:European Technology (Score:2, Interesting)

            by Anonymous Coward
            Turing Didn't invent the concept of the bombes, he just took Rejewski's design and made it work on another level. Even so, Turing does deserve most of the credit for cracking the Enigma. Everyone else was just exploiting implementation flaws in the Enigma code, while Turing kept looking for a more permanent solution. The Poles passed the torch to Britain because they could no longer crack the messages with their budget. This was because the Germans gave every Enigma operator two new scramblers (total of 5), and thus it would have required more bombes than they could afford to build.

            The German naval Enigma machines were the most secure, yes, but they had eight scramblers, not four. Also, the navy machines' reflectors could change position, unlike other Enigma boxen. The German navy basically had their shit together where the Enigma machine was concerned. They probably took it more seriously than the other branches, since it was their one and only secure link to the Reich while they were out to sea.

            However, when it came to the German naval Enigma, the 4 wheel version, we ground to a halt. We didn't have the resources to build enough hardware to break the crypts within any time that the info would have helped. So we called in the US to help build more gear.. It was a big team effort.

            This is plain not true. The German naval ciphers were cracked by continually stealing the code books. Right up to the end of the war, the cryptanalysts at Bletchley Park were completely dependent on codebooks to make sense of the Kriegsmarine messages. That was the only Enigma implementation that wasn't "cracked."

            Yes, Enigma had backdoors. But it was only after Enigma had already been cracked due to poor message construction and not enough scrambler wheels that this was discovered. So that wasn't why Enigma was initially cracked. It was initially cracked thanks to the cryptanalytic genius of Marian Rejewski, a name that is unknown even in many crypto circles.

            Only an idiot would try to brute force it though,

            It WAS Martin Hellman who said "God rewards fools."

  • The other pages... (Score:3, Informative)

    by Mike Connell ( 81274 ) on Wednesday December 05, 2001 @06:46AM (#2658873) Homepage
    AES is Rijndael (ie the name of the cipher selected selected as AES is "Rijndael").

    Find out all about it (including how to say it ;-) here [kuleuven.ac.be] and here [rijndael.com]
  • The latest take on HushMail, called CryptoHeaven, is using AES/Rijndael, this was discussed here.

    It seems to be open, and acceptable to alot of people. More information on the cipher is to be found here [kuleuven.ac.be].

  • Standard ? (Score:3, Interesting)

    by mirko ( 198274 ) on Wednesday December 05, 2001 @06:55AM (#2658890) Journal
    There a big ambiguity that I couldn't really sort out while reading these web pages: Is this an Open standard or a Commercial standard ?

    Will I have to pay royalties if I intend to write AES-compliant programs then sell related services?

    I actually read in the facts page that the "public" helped building the algorithm and specs but in which way is that AES thing public?

    • Re:Standard ? (Score:5, Informative)

      by Stackster ( 454159 ) on Wednesday December 05, 2001 @07:25AM (#2658927) Journal
      > There a big ambiguity that I couldn't really sort out while reading these web pages : Is this an Open standard or a Commercial standard ?

      It's a US government standard, meaning that all government-related (whatever that means) should use it (or something like that). It's just another algorithm instead of DES/3DES to be used as The Official US Government Encryption Standard.
      Some pieces-o'-software, both free and commercial, use Rijndael, but it's not a standard (ISO or ANSI or whatever).

      > Will I have to pay royalties if I intend to write AES-compliant programs then sell related services ?

      Probably not. There are plenty of free implementations of the Rijndael algorithm, and from what I can figure out, there doesn't seem do be any restrictions to it. From the authour's page [kuleuven.ac.be]:
      Rijndael is available for free. You can use it for whatever purposes you want, irrespective of whether it is accepted as AES or not.

      Even if the US government puts some kind of export restriction on software using it, it's still very available (in several free (of some kind) implementations) outside US.
      NIST too [nist.gov], provide their own reference implementation [nist.gov].

      > I actually read in the facts page that the "public" helped building the algorithm and specs but in which way is that AES thing public ?

      The algorithm was invented by "the public" (two guys in Belgium), not by NIST or the US government. NIST just selected the one algorithm they considered the most appropriate from the whole lot of available encryption algorithms out there.

      • Re:Standard ? (Score:2, Informative)

        by psamuels ( 64397 )
        > Will I have to pay royalties if I intend to write AES-compliant programs then sell related services ?

        Probably not.

        Definitely not. This was an important consideration for defining the standard. NIST only accepted unencumbered submissions - meaning:

        1. no patent restrictions
        2. no restrictions the sample code provided (every submission had to come with working C code, IIRC).

        So - not only can you use the algorithm, you can even use their implementation, no questions asked. They actually released two implementations, a "basic" and an "optimised" one. I don't remember whether having two versions was a NIST requirement.

  • Goverment Sponsored Attacks (Score:5, Interesting)

    by ukryule ( 186826 ) <slashdot@@@yule...org> on Wednesday December 05, 2001 @06:58AM (#2658894) Homepage
    From the press release:
    After the field was narrowed down to five in April 1999, NIST asked for intensified attacks and scrutiny on the finalists.

    Interesting that the US government was busy asking people to try to crack an encryption standard, while at the same time upholding a law [slashdot.org] to make breaking encryption illegal.

    So, now that this encryption method is officially accepted, will it be illegal to try to crack it?

  • 340 undecillion (Score:3, Interesting)

    by ukryule ( 186826 ) <slashdot@@@yule...org> on Wednesday December 05, 2001 @07:05AM (#2658910) Homepage
    Each of the algorithms submitted for the AES competition was required to support key sizes of 128, 192 and 256 bits. For a 128-bit key size, there are approximately 340 undecillion (340 followed by 36 zeros) possible keys.

    One of the perks of cryptography seems to be the chance to make up words for big numbers! 1 undecillion = 10^36 ... anyone know what other numbers have been defined?

    10^3 = Thousand
    10^6 = Million
    10^9 = Billion
    10^12 = Trillion
    10^15 = Zillion(?)
    ...
    I seem to remeber Douglas Adams invented a 'grillion' but don't know how big that was supposed to be :-)

    • Re:340 undecillion (Score:2, Interesting)

      by Anonymous Coward
      The system we use for numbers is based on the same system we use for polyhedrons. pity i dont know the name... each advances by 3 zeroes its in latin

      10^6 million
      10^9 billion (bi=2)
      10^12 trillion (tri=3)
      10^15 quadrillion (quad=4)
      10^18 quintillion (5)
      10^21 hex/sextillion (6)
      10^24 hept/septillion (7)
      10^27 octillion (8)
      10^30 nonillion (nona = 9)
      10^33 decillion (deca = latin for 10)
      10^36 undecillion
      (undec=latin for one and ten = 11)
      10^39 dodecillion (12, do and deca = 2+10 = 12)

      see? it works. centillion is biiig. by simple math 3 * 100 + 3 (thousand = "0") = 10^303
      sextillion is my favourite (though im sure its really hextillion)
      mod up the AC! :)... cmon this has gotta be "informative" at least

      my math may be wrong. ditto with the latin. but the naming convention is right.
      • Unless you live outside the US, where
        10^6 million
        10^9 milliard
        10^12 billion
        10^15 billiard
        10^18 trillion
        10^21 trilliard
    • See John Conway and Richard Guy's excellent book "The Book of Numbers" on p 14, where they define two systems of "illion" names for all powers of 1000. In their system, for instance,

      four millinillitrillion and 14 is 4*10^{3000012} + 14 (American) and 4*10^{6000018} + 15 (British).
    • While there are two different approaches (the US "billion" is a British "millard"), they both follow the convention of the Latin (or is it Greek?) "combining form" for a number followed by "illion." So 1, 2, 3, 4 -- "mil-, bi-, tri-, quad-" -- becomes "million," "billion," "trillion" and quadrillion.

      If we use our familiar SI prefixes:

      deca: decillion: 1e30

      hecto: hectillion: 1e300

      kilo: kilillion: 1e3000

      mega: megillion: 1e3000000

      giga: gigillion: 1e3000000000

      tera: terillion: 1e3000000000000

      exa: exillion: 1e3000000000000000

      and so forth. (In other words, what comes after exa-?)

      And never forget

      triskadillion: 1e39
      • Oops, all of those exponents should be bumped by three. I'm from an alternate reality where all of this was rationalized years ago..., yeah, that's it!

        So a gigillion is 1e3000000003, etc.
    • The word "grillion" was coined in the third installment of Douglas Adams' Hitchhiker's Guide to the Galaxy, named Life, the Universe, and Everything. References are stated below, although no further quantification was given in the series. Enjoy.

      --- Reference 1, located 45% into the book ---

      "And how many guys zilched out?"

      "Two grillion, m'lud." The Clerk sat down. A hydrospectic photo of him at this point would have revealed that he was steaming slightly.

      ---

      --- Reference 2, located 84% into the book ---

      "Which means, I suppose," said Marvin, requiring only one ten thousand million billion trillion grillionth part of his mental powers to make this particular logical leap, "that you're not going to release me or anything like that."

      ---

  • serpant is more secure IMHO (Score:3, Interesting)

    by johnjones ( 14274 ) on Wednesday December 05, 2001 @07:05AM (#2658911) Homepage Journal
    personally I am a fan of serpant Ross Anderson work [cam.ac.uk] because I understand it and after some conversations with people who know both I think its better than AES

    the sooner AES is used widely the better though

    regards
    john 'keys ? no sir I forget things' jones
    • There was some discussion on sci.crypt after the AES announcment. A fair number of people liked serpent - I think it is very "conventional" - a very good thing for a cipher. It didn't perform as well as some of the others though (especially in hardware IIRC). Serpent would have been a very secure choice, but I think Rijndael won out as a good "All round" contender.
    • Security wasn't the only consideration in choosing an algorithm for AES. Another major factor was how efficient the candidate was. The winner had to be not only secure, but also fast on very low-end devices and able to scale up to very powerful machines. You can expect to see AES used on emmbedded microcontrollers, smart cards, and appliances (music players, phones, etc.) and also on hulking encryption "mainframes" dedicated to doing huge amounts of cryptographic operations very, very fast.

      I'd guess that Rijndael was more efficient on more types of devices than serpent and that led to its being accepted as the standard.

      IMO, that doesn't take anything away from the other top five candidates in terms of their usefullness at hiding information.
  • I can't see any info about AES being adopted in the PGP [pgpi.org] framework. Anyone knows how this work is progressing? (or has even started..)

    • Re:used in PGP? (Score:5, Informative)

      by ssimpson ( 133662 ) <slashdot@@@samsimpson...com> on Wednesday December 05, 2001 @08:42AM (#2659038) Homepage

      RFC2440 [gnupg.org], which defines the OpenPGP standard, already reserves 3 AES keys sizes (128, 192, 256-bit).

      Gnupg [gnupg.org] already supports AES in all 3 block sizes and so does 'official' PGP v7.0x [pgp.com].

      PGP since v7.x hasn't been open source, so you won't find any details at www.pgpi.org. The best way to add AES support to previous 'open source' versions is to use the CKT builds [ipgpp.com] by Imad. These are still based upon the v6.58 code base but contains dozens of fixes and improvements.


      • Oh great. Here's a site that calls itself "I mad".

        Poll: Would you use software from a site called "I mad"?

    • Re:used in PGP? (Score:3, Interesting)

      by psamuels ( 64397 )
      I can't see any info about AES being adopted in the PGP framework. Anyone knows how this work is progressing?

      You still use crypto software you have to pay for? [Yes, this was a joke, maybe you only use crypto "for personal use".]

      GnuPG [gnupg.org], on the other hand, developed AES capability less than 2 days after NIST originally approved Rijndael last year. The next public release wasn't for a week or two, but still.... (Well, NIST officially "approved" it just now, but they "recommended it for approval" just over a year ago.) I remember seeing a message from the GnuPG development list about an hour after the NIST announcement saying "I'm working on it."

      GnuPG is similar to the command-line version of PGP and supports the same file formats / protocols, but is free for all uses and isn't affiliated with Phil Zimmerman or Computer Associates. I don't know if it has the same depth of plugin support for third-party apps, but hey, it's supported by all the Linux apps I need it for.

  • Coming in OpenSSL soon... (Score:4, Informative)

    by imrdkl ( 302224 ) on Wednesday December 05, 2001 @07:40AM (#2658940) Homepage Journal
    I found several notes on the openssl users list which seem to indicate that AES/Rijndael support will be available in OpenSSL 0.9.7. This has not been released yet, but is reportedly available in the CVS area.

  • [Nitpick] AES isn't 100% of Rijndael (Score:3, Informative)

    by jon_eaves ( 22962 ) on Wednesday December 05, 2001 @07:41AM (#2658944) Homepage
    Rijndael is a variable key length, variable block length cipher. The keys and blocks can be 128, 192 or 256 bits long. This gives a total of 9 different variants that could be specified to use the particular algorithm.

    The AES has selected the variable key lengths of 128, 192, 256 to be used with a 128 bit block

    BouncyCastle [bouncycastle.org] has had a full implementation of Rijndael since 1.0 beta 4 (now at 1.10)

    Disclaimer: I'm a BouncyCastle author.


    • BouncyCastle.

      It amazes me how often open source authors pick self-destructive names. A serious effort should not be limited by a humorous or trick name.

      A name like BouncyCastle will limit the number of people who adopt the software. People are afraid there is a hidden joke they don't understand.

      There are times when it is appropriate to be 100 percent serious.

      I am NOT saying anything negative about the software. The ONLY negative thing I am saying about the authors is that they are obviously not professional communicators.

      Open Source Software needs marketing communication like any product that wants to reach a large number of people.
      • A name like BouncyCastle will limit the number of people who adopt the software. People are afraid there is a hidden joke they don't understand.

        Says you, but why the hell should I believe a bloke called FuturePower?

        • Power for the Future

          At least it is not a joke. Back before IBM sold PCs, I was selling Morrow Microdecision PCs, that ran the CP/M operating system. Back then it was unusual that someone would own a computer. 4.77 Megahertz for $2,300. No hard drive, 13 inch monochrome monitor.

          I chose that trademark to signify exactly what it says.
  • Bruce Schneier pointed out that Rijndael was less secure than it could have been because it specified fewer rounds than he thought it should. I seem to recall that a plausible attack on an only slightly reduced-round variant was presented.

    Points for whoever can produce the explanation why the apparent weakness doesn't matter, and why we shouldn't be jimmying our Rijndaels to do a few more rounds, and calling the variant "RWS" (for Rijndael With Suspenders) or something.

    Remember that it was the suspenders added to MD4 to make MD5 that made the cracking of MD4 something other than a disaster.

  • Why bother.. (Score:3, Funny)

    by Cave Dweller ( 470644 ) on Wednesday December 05, 2001 @08:12AM (#2658989)
    ...developing it, when you can ROT-13 anything and slap anyone who decodes with a copy of the DMCA? :P

  • In other news, AG Ashcroft jailed all 857 employes (Score:5, Funny)

    by sphealey ( 2855 ) on Wednesday December 05, 2001 @11:23AM (#2659657)
    In other news, Attorney General John Ashcroft "detained" all 857 employees of the NIST as "suspected terrorists". They are being held incommunicado at an undisclosed location, awaiting execution by a miliary tribunal. "We can't just have people releasing encryption algorithms whenever they feel like it, even if they are employees of the US Government," said Ashcroft. When it was pointed out to him that bin Laden avoids technical means of communication in favor of face-to-ear whispers among trusted family members, Ashcroft replied: "That's OK. Better to execute 857 innocent geeks than allow one terrorist to slip through."

    sPh

  • What is almost never mentioned in discussions of cryptography is that brute force or most mathematical attacks require that the method of encryption be known.

    If the method of encryption is not known, then it can be impossible to decrypt a message. For example, if several kinds of strong encryption are used, and the kinds and order are not known, then brute force or mathematical attacks don't work. (Using several methods of encryption together is called "chaining".)

    This is of limited use since, in many cases, it is impossible or impractical or difficult to keep the methods of encryption secret.

    Nevertheless, software that used several encryption methods and varied the methods depending on the passphrase would have value in some cases where there is plenty of computing power.

    --
    Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]

  • How To Write A Press Release (Score:4, Funny)

    by Captain Chad ( 102831 ) on Wednesday December 05, 2001 @01:03PM (#2660194) Homepage
    From the press release:
    • The new standard contains a sophisticated mathematical formula known as an algorithm.
    Did anyone else find this to be hilarious? I can see a manager saying something like, "We need to write this at a 6th-grade level of comprehension. Be sure to define the word 'algorithm'."

  • 149 trillion years? and it's not good enough for.. (Score:3, Interesting)

    by Lawmeister ( 201552 ) on Wednesday December 05, 2001 @01:08PM (#2660227) Homepage
    US Government classified information? What the heck are they using for classified info crypto? From the article:

    Q: What is the chance that someone could use the "DES Cracker"-like hardware to crack an AES key?
    In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

    A: Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.


    snip...
    The Advanced Encryption Standard (AES) will be a new Federal Information Processing Standard (FIPS) Publication that will specify a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.

Slashdot Top Deals

"An ounce of prevention is worth a ton of code." -- an anonymous programmer

Close