On 5/5/12 4:37 AM, Milo wrote: > This is futile. I'm reminding you that you are giving one example of > rarely used algo (so _niche_ and _out_of_mainsteam_) to back your > statement "that there is good amount of them".
"Rarely used" is not the same as "proof of concept." Your statement did not mention "out of the mainstream." No moving the goalposts, please. You were also arguing that QC would shred all or most asymmetric systems. It turns out that no, QC doesn't, can't, won't: it will only shred the discrete logarithm problem or problems isomorphic to it, such as integer factorization. Other systems, whether multivariate, lattice or Goppa code-based systems, won't be. (Well -- lattice systems might: right now they're only conjectured to be outside of BQP. But Goppa codes are well-known for being NP-hard.) If you're now claiming that I've only presented one system, well, that's because I wasn't aware you were looking for the kitchen sink. Do some reading on post-quantum cryptography. As I read the tea leaves the new hotness is in the lattice-based systems, but I think systems based on Goppa codes will continue to surprise us. > In context of this discussion your statement is ridiculous. At one point > you even agreed on using 256-bit symmetric cipher for 50+ years > confidentiality (not guaranteed but at least assumed or expected) and > now you are turning all things around. Not at all. If you're securing nuclear weapon release codes and you ask me, "is it okay if I use 256-bit crypto?", I will blink a few times and back away slowly from the thermonuclear weapon while nodding vigorously and making noises about how they must be secure for fifty years or more, oh and is that thing releasing radiation right now and where do you plan on storing this so I can live far away from it. If you're securing your recipe book and you ask me, "is it okay if I use 256-bit crypto?", I will smile and pleasantly explain that, really, past about 112 bits it's just an exercise in paranoia. Use whatever you like, but managing your keys will be a much more important task than deciding between 3DES and AES256. And if you're telling everyone that AES256 will give them a larger security margin than 3DES, well... at that point I'm going to start pointing and laughing. There is enough misinformation and half-truths floating around the crypto-hobbyist's world: I consider it to be a polite act towards the community to challenge this when I encounter it. > 3des is old Old software engineering joke: "legacy code (n): code that hasn't crashed in the last 40 years." You call 3DES old. I call it quite well tested in demanding production environments. More often than not when you swipe a credit card, 3DES is being used to secure the transaction at various critical points. > and it's providing something like 80-112 bits of security. The best attack against three-key 3DES requires almost 10^27 bytes of RAM. This is completely impractical, as even the inventor of the attack has said. To the best of our knowledge there is no effective way to reduce three-key 3DES, which is the only NIST-approved version, below 168 bits of key space. > It has ugly history of keying hacks and some aren't back compatible - ... I have absolutely no idea what you're talking about here. None. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
