Re: [tor-talk] NSA supercomputer

[Andreas Bader]

You can't say how long they need to decrypt anything as long as you don't know 
which hardware and supercomputers the NSA exactly uses. And we will never know 
more than gossip.
-Original Message-
From: Christopher Walters 
Date: Thu, 4 Apr 2013 20:25:17 
To: 
Subject: Re: [tor-talk] NSA supercomputer


On Wed, 03 Apr 2013 23:38:40 -0400
cmeclax  wrote:

> http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1
> If the NSA intercepted all Tor traffic, how fast could they decrypt
> it? What are they up against when trying to break Tor?

Wouldn't this question be more appropriate for a crypto specific
mailing list?  Of course you may find that crypto experts may not be
experts on TOR, though they can give you an idea of how long it would
take to brute force an encrypted stream or file, given what resources,
etc.  

As for the NSA, they closely guard how many supercomputers they have
and how many they use for decryption.  However, if you are on their
list (the NSA or any government entity), it does not matter how strong
the cryptography is, you can and will be brought in and "convinced" to
divulge anything and everything they want to know.

CW
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Eugen Leitl]

On Thu, Apr 04, 2013 at 01:55:40PM -0400, Gregory Disney wrote:
> Just saying TOR was created by the Naval Research Laboratory a part of

The name's Tor, not TOR.

> DARPA. Since it's inception they could index, spider and track the dark
> net.
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Andrew F]

I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
computer. How long to crack it?  Anyone got the math on this?

Andreas, your absolutely right, However we can do some estimating.
Just keep in mind... garbage in, garbage out.. but  this is a pretty good
guess.

So the fastest super computers use general cpus and Nvidia k20s. This is
important to note because they scale in a linear fashion based on available
space.   Now we know that Oak ridge national labs has about an acre of
space, 43,560 Sq. Feet,  for its super computer, the Cray XK7 Named Titan.
Which runs at 17.59 Pentaflops.  (yes PENTAFLOPS)
http://www.top500.org/lists/2012/11/

According to a Cray press release Titan can scale up to 50 Pentaflops.

Now the new facility in Utah will have over 200,000 sq. feet dedicated to
its super computer.

(
http://www.forbes.com/sites/andygreenberg/2012/03/16/nsas-new-data-center-and-ultra-fast-supercomputer-aim-to-crack-worlds-strongest-crypto/)


So If we assume, the a linear relationship between Square footage and
computing power then we can calculate that Utah will have 4.59  time more
space then Oak Ridge, so they will have room for at least 80.73
pentaflops.

Several articles have stated that the center is designed to house an
Exoflop computer.  Thats a fast computer. Thats 10 followed by 18 zeros. Or
1000 petaflops.

There is more.  Lets look at our growth rate.   4.5 years ago Roadrunner
was the first super computer to brake the pentaflop barrier. Today we have
titan at 17.59 pentaflops. So if we can assume a growth rate of 380% per
year.  And that the center will be up graded with each new version of GPU
from Nvidia and CPUs from Intel, We can assume that we will hit one Exoflop
in about three years or 2015.

The power production at the new facility supports these numbers.

So what does this mean?   Any article that suggest that brute forcing
present day encryption is not possible should be taken with a grain of
salt.  While the article may be correct today, come September 2012, Utah
goes on line and we will be stepping into a world that will lead to exaflop
computers and may challenges to our present day encryptions.

AES is safe for a longtime, but other encryptions should be of concern in
the coming years.Don't forget about tracking and fingerprinting
possibilities with these massive systems.

I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
computer. How long to crack it?  Anyone got the math on this?

The good news, no one is going to care about your stuff... unless your
making waves.   Then the only safe encryption is a non mathematical method,
such as a  library code run on a system that does not go on the net.


On Fri, Apr 5, 2013 at 8:00 AM, Eugen Leitl  wrote:

> On Thu, Apr 04, 2013 at 01:55:40PM -0400, Gregory Disney wrote:
> > Just saying TOR was created by the Naval Research Laboratory a part of
>
> The name's Tor, not TOR.
>
> > DARPA. Since it's inception they could index, spider and track the dark
> > net.
> ___
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Andrew F]

I saw a lecture a while back, I think it was given by Whitfield Diffie of
public/ private  key fame although it was quite a while ago... , The
speaker said that the gov was storing encrypted messages that have been
intercepted from critical sources in hopes that quantum computing will
allow them to crack the encryptions eventually.

Basically he said that with quantum computing all bets are off and every
cipher today will likely be cracked. Quantum computing will require new
kinds of ciphers and only those with Qcomputers will be able to decrypt the
messages.

So a new class of people / government will emerge.   One class will be able
to decrypt or crack all messages sent with encryption.  And the other class
of people, those without Qcomputers, will only be able to decrypt ciphers
that they can encrypt. One class can only view messages they create,
the other class can see everything.

I am guessing that the cost of Qcomputer technology will keep these
machines out of the hands of Joe public for decades to come...?


On Fri, Apr 5, 2013 at 5:19 PM, Andreas Bader wrote:

> Some days ago I read that the first usable Quantumcomputing System is on
> the market. Can some estimate how this possibly influences the decryption
> of different ciphers?
>
> Andreas
> -Original Message-
> From: Andrew F 
> Date: Fri, 5 Apr 2013 13:51:06
> To: 
> Subject: Re: [tor-talk] NSA supercomputer
>
>
> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
> computer. How long to crack it?  Anyone got the math on this?
>
> Andreas, your absolutely right, However we can do some estimating.
> Just keep in mind... garbage in, garbage out.. but  this is a pretty good
> guess.
>
> So the fastest super computers use general cpus and Nvidia k20s. This is
> important to note because they scale in a linear fashion based on available
> space.   Now we know that Oak ridge national labs has about an acre of
> space, 43,560 Sq. Feet,  for its super computer, the Cray XK7 Named Titan.
> Which runs at 17.59 Pentaflops.  (yes PENTAFLOPS)
> http://www.top500.org/lists/2012/11/
>
> According to a Cray press release Titan can scale up to 50 Pentaflops.
>
> Now the new facility in Utah will have over 200,000 sq. feet dedicated to
> its super computer.
>
> (
>
> http://www.forbes.com/sites/andygreenberg/2012/03/16/nsas-new-data-center-and-ultra-fast-supercomputer-aim-to-crack-worlds-strongest-crypto/
> )
>
>
> So If we assume, the a linear relationship between Square footage and
> computing power then we can calculate that Utah will have 4.59  time more
> space then Oak Ridge, so they will have room for at least 80.73
> pentaflops.
>
> Several articles have stated that the center is designed to house an
> Exoflop computer.  Thats a fast computer. Thats 10 followed by 18 zeros. Or
> 1000 petaflops.
>
> There is more.  Lets look at our growth rate.   4.5 years ago Roadrunner
> was the first super computer to brake the pentaflop barrier. Today we have
> titan at 17.59 pentaflops. So if we can assume a growth rate of 380% per
> year.  And that the center will be up graded with each new version of GPU
> from Nvidia and CPUs from Intel, We can assume that we will hit one Exoflop
> in about three years or 2015.
>
> The power production at the new facility supports these numbers.
>
> So what does this mean?   Any article that suggest that brute forcing
> present day encryption is not possible should be taken with a grain of
> salt.  While the article may be correct today, come September 2012, Utah
> goes on line and we will be stepping into a world that will lead to exaflop
> computers and may challenges to our present day encryptions.
>
> AES is safe for a longtime, but other encryptions should be of concern in
> the coming years.Don't forget about tracking and fingerprinting
> possibilities with these massive systems.
>
> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
> computer. How long to crack it?  Anyone got the math on this?
>
> The good news, no one is going to care about your stuff... unless your
> making waves.   Then the only safe encryption is a non mathematical method,
> such as a  library code run on a system that does not go on the net.
>
>
> On Fri, Apr 5, 2013 at 8:00 AM, Eugen Leitl  wrote:
>
> > On Thu, Apr 04, 2013 at 01:55:40PM -0400, Gregory Disney wrote:
> > > Just saying TOR was created by the Naval Research Laboratory a part of
> >
> > The name's Tor, not TOR.
> >
> > > DARPA. Since it's inception they could index, spider and track the dark
> > > net.
> > ___
> > tor-talk mailing list
> > tor-talk@lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >
> ___
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> ___
> tor-talk mailing 

Re: [tor-talk] NSA supercomputer

[Andreas Bader]

Some days ago I read that the first usable Quantumcomputing System is on the 
market. Can some estimate how this possibly influences the decryption of 
different ciphers?

Andreas
-Original Message-
From: Andrew F 
Date: Fri, 5 Apr 2013 13:51:06 
To: 
Subject: Re: [tor-talk] NSA supercomputer


I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
computer. How long to crack it?  Anyone got the math on this?

Andreas, your absolutely right, However we can do some estimating.
Just keep in mind... garbage in, garbage out.. but  this is a pretty good
guess.

So the fastest super computers use general cpus and Nvidia k20s. This is
important to note because they scale in a linear fashion based on available
space.   Now we know that Oak ridge national labs has about an acre of
space, 43,560 Sq. Feet,  for its super computer, the Cray XK7 Named Titan.
Which runs at 17.59 Pentaflops.  (yes PENTAFLOPS)
http://www.top500.org/lists/2012/11/

According to a Cray press release Titan can scale up to 50 Pentaflops.

Now the new facility in Utah will have over 200,000 sq. feet dedicated to
its super computer.

(
http://www.forbes.com/sites/andygreenberg/2012/03/16/nsas-new-data-center-and-ultra-fast-supercomputer-aim-to-crack-worlds-strongest-crypto/)


So If we assume, the a linear relationship between Square footage and
computing power then we can calculate that Utah will have 4.59  time more
space then Oak Ridge, so they will have room for at least 80.73
pentaflops.

Several articles have stated that the center is designed to house an
Exoflop computer.  Thats a fast computer. Thats 10 followed by 18 zeros. Or
1000 petaflops.

There is more.  Lets look at our growth rate.   4.5 years ago Roadrunner
was the first super computer to brake the pentaflop barrier. Today we have
titan at 17.59 pentaflops. So if we can assume a growth rate of 380% per
year.  And that the center will be up graded with each new version of GPU
from Nvidia and CPUs from Intel, We can assume that we will hit one Exoflop
in about three years or 2015.

The power production at the new facility supports these numbers.

So what does this mean?   Any article that suggest that brute forcing
present day encryption is not possible should be taken with a grain of
salt.  While the article may be correct today, come September 2012, Utah
goes on line and we will be stepping into a world that will lead to exaflop
computers and may challenges to our present day encryptions.

AES is safe for a longtime, but other encryptions should be of concern in
the coming years.    Don't forget about tracking and fingerprinting
possibilities with these massive systems.

I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
computer. How long to crack it?  Anyone got the math on this?

The good news, no one is going to care about your stuff... unless your
making waves.   Then the only safe encryption is a non mathematical method,
such as a  library code run on a system that does not go on the net.


On Fri, Apr 5, 2013 at 8:00 AM, Eugen Leitl  wrote:

> On Thu, Apr 04, 2013 at 01:55:40PM -0400, Gregory Disney wrote:
> > Just saying TOR was created by the Naval Research Laboratory a part of
>
> The name's Tor, not TOR.
>
> > DARPA. Since it's inception they could index, spider and track the dark
> > net.
> ___
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Griffin Boyce]

Gregory Disney  wrote:

> Just saying TOR was created by the Naval Research Laboratory a part of
> DARPA. Since it's inception they could index, spider and track the dark
> net.


The Naval Research Lab didn't "create" Tor, unless you think that grant
money is physically capable of writing code.

Roger Dingledine created Tor with Nick Matthewson. Since then it's been
expanded upon greatly by a *huge* number of computer scientists.

So. Yeah.

~Griffin

-- 
Please note that I do not have PGP access at this time.
OTR: sa...@jabber.ccc.de / fonta...@jabber.ccc.de
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Bernard Tyers - ei8fdb]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On 5 Apr 2013, at 19:01, Andrew F wrote:

> The
> speaker said that the gov was storing encrypted messages that have been
> intercepted from critical sources in hopes that quantum computing will
> allow them to crack the encryptions eventually.

But by then (presuming it took more than X months) would the information 
contained inthe encrypted messages not be "worthless/little?". Or is it the 
"the more data we have the better" approach?

- --
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org

-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJRXyk9AAoJENsz1IO7MIrreLgH/2xwkR0PIYFFACPtrNXZYOXN
z1lZ7/5NFbIbQlZph7c38O7KonwPWcQtSgFqPZ6y3G3SkUNtrpmCR5S3ZXGmGAU3
j7FDvqWccKB+gmKA0Gb/1UmKkXeQyPM4DwXnKrEDhDDkf3v2Rw1KDhOpQIxWc1iT
+ydUyPP0yRh5QWZ7UfqqtrytV+6buXt9BetcdJ1dKJgSREg6DHYnIgx2YTtlBM2u
prXYMGcP11Ekj6kZbPPHbZrH0FS0aVtjbVaMS+txtmhPiEpjgHejzvXa5aS89ZCl
MtndzsgM9XPCSzo98FKmk3zzeEE3EYnqW/3v71Tiw7IUicuFXtHfPSUFHYPKZ3g=
=yRWC
-END PGP SIGNATURE-
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[mirimir]

On 04/05/2013 06:01 PM, Andrew F wrote:
> I saw a lecture a while back, I think it was given by Whitfield Diffie of
> public/ private  key fame although it was quite a while ago... , The
> speaker said that the gov was storing encrypted messages that have been
> intercepted from critical sources in hopes that quantum computing will
> allow them to crack the encryptions eventually.
> 
> Basically he said that with quantum computing all bets are off and every
> cipher today will likely be cracked. Quantum computing will require new
> kinds of ciphers and only those with Qcomputers will be able to decrypt the
> messages.
> 
> So a new class of people / government will emerge.   One class will be able
> to decrypt or crack all messages sent with encryption.  And the other class
> of people, those without Qcomputers, will only be able to decrypt ciphers
> that they can encrypt. One class can only view messages they create,
> the other class can see everything.

Even without Qcomputers, there are simple strategies that might prevent
decryption. Fundamentally, one would first encrypt a file. Then one
would split it into N pieces, and encrypt each piece, using a different
public key (and perhaps using a different one for each piece). Then one
would upload the pieces to various sharing sites, with each one in
multiple places, but only 20%-50% of the pieces on any one site. One
would spread the uploads and downloads over several days, or more.

The weakness, of course, is the storage plan. But that could be
negotiated in advance, privately, and not retained locally by any party
to the distribution.

How about that?

> I am guessing that the cost of Qcomputer technology will keep these
> machines out of the hands of Joe public for decades to come...?

That seems likely.

> On Fri, Apr 5, 2013 at 5:19 PM, Andreas Bader wrote:
> 
>> Some days ago I read that the first usable Quantumcomputing System is on
>> the market. Can some estimate how this possibly influences the decryption
>> of different ciphers?
>>
>> Andreas
>> -Original Message-
>> From: Andrew F 
>> Date: Fri, 5 Apr 2013 13:51:06
>> To: 
>> Subject: Re: [tor-talk] NSA supercomputer
>>
>>
>> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
>> computer. How long to crack it?  Anyone got the math on this?
>>
>> Andreas, your absolutely right, However we can do some estimating.
>> Just keep in mind... garbage in, garbage out.. but  this is a pretty good
>> guess.
>>
>> So the fastest super computers use general cpus and Nvidia k20s. This is
>> important to note because they scale in a linear fashion based on available
>> space.   Now we know that Oak ridge national labs has about an acre of
>> space, 43,560 Sq. Feet,  for its super computer, the Cray XK7 Named Titan.
>> Which runs at 17.59 Pentaflops.  (yes PENTAFLOPS)
>> http://www.top500.org/lists/2012/11/
>>
>> According to a Cray press release Titan can scale up to 50 Pentaflops.
>>
>> Now the new facility in Utah will have over 200,000 sq. feet dedicated to
>> its super computer.
>>
>> (
>>
>> http://www.forbes.com/sites/andygreenberg/2012/03/16/nsas-new-data-center-and-ultra-fast-supercomputer-aim-to-crack-worlds-strongest-crypto/
>> )
>>
>>
>> So If we assume, the a linear relationship between Square footage and
>> computing power then we can calculate that Utah will have 4.59  time more
>> space then Oak Ridge, so they will have room for at least 80.73
>> pentaflops.
>>
>> Several articles have stated that the center is designed to house an
>> Exoflop computer.  Thats a fast computer. Thats 10 followed by 18 zeros. Or
>> 1000 petaflops.
>>
>> There is more.  Lets look at our growth rate.   4.5 years ago Roadrunner
>> was the first super computer to brake the pentaflop barrier. Today we have
>> titan at 17.59 pentaflops. So if we can assume a growth rate of 380% per
>> year.  And that the center will be up graded with each new version of GPU
>> from Nvidia and CPUs from Intel, We can assume that we will hit one Exoflop
>> in about three years or 2015.
>>
>> The power production at the new facility supports these numbers.
>>
>> So what does this mean?   Any article that suggest that brute forcing
>> present day encryption is not possible should be taken with a grain of
>> salt.  While the article may be correct today, come September 2012, Utah
>> goes on line and we will be stepping into a world that will lead to exaflop
>> computers and may challenges to our present day encryptions.
>>
>> AES is safe for a longtime, but other encryptions should be of concern in
>> the coming years.Don't forget about tracking and fingerprinting
>> possibilities with these massive systems.
>>
>> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
>> computer. How long to crack it?  Anyone got the math on this?
>>
>> The good news, no one is going to care about your stuff... unless your
>> making waves.   Then the only safe encryption is a non mathematical m

Re: [tor-talk] secure and simple network time (hack)

[Gregory Disney]

It's related to Linux NTP and SRTP.


On Fri, Apr 5, 2013 at 4:26 PM, intrigeri  wrote:

> Hi,
>
> Jacob Appelbaum wrote (19 Jul 2012 23:48:48 GMT) :
> > intrigeri:
> >> So, Jake tells me that ChromeOS will use tlsdate by default, and that
> >> this should solve the fingerprinting issue. Therefore, I assume this
> >> implicitly answer the (half-rhetorical, I admit) question I asked in
> >> March, and I assume there is indeed some fingerprinting issue. So, in
> >> the following I'll assume it's relatively easy, for a close network
> >> adversary (say, my ISP) to detect that I'm using tlsdate.
> >>
>
> > It isn't shipping yet, so we'll see what happens.
>
> I'm told ChromeOS ships it nowadays, so I'm excited at the idea to
> learn more about it, so that we can move forward a bit about the
> fingerprinting issue.
>
> I was not able to find any authoritative information about how they
> run it. Their time sources [1] design doc is quite clearly outdated.
> Where can I find up-to-date information on this topic? I assume one of
> the dozens of Chromius Git repositories [2], but which one?
>
> [1] http://www.chromium.org/developers/design-documents/time-sources
> [2] http://git.chromium.org/gitweb/
>
> Cheers,
> --
>   intrigeri
>   | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
>   | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
> ___
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] secure and simple network time (hack)

[intrigeri]

Hi,

Jacob Appelbaum wrote (19 Jul 2012 23:48:48 GMT) :
> intrigeri:
>> So, Jake tells me that ChromeOS will use tlsdate by default, and that
>> this should solve the fingerprinting issue. Therefore, I assume this
>> implicitly answer the (half-rhetorical, I admit) question I asked in
>> March, and I assume there is indeed some fingerprinting issue. So, in
>> the following I'll assume it's relatively easy, for a close network
>> adversary (say, my ISP) to detect that I'm using tlsdate.
>> 

> It isn't shipping yet, so we'll see what happens.

I'm told ChromeOS ships it nowadays, so I'm excited at the idea to
learn more about it, so that we can move forward a bit about the
fingerprinting issue.

I was not able to find any authoritative information about how they
run it. Their time sources [1] design doc is quite clearly outdated.
Where can I find up-to-date information on this topic? I assume one of
the dozens of Chromius Git repositories [2], but which one?

[1] http://www.chromium.org/developers/design-documents/time-sources
[2] http://git.chromium.org/gitweb/

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Andrew F]

George, thank for posting. And perhaps you should read a little closer
before you get critical
I posted this question at the top of my post because I was looking for
someone like you, (well a little nicer) to help us with the math.
Also, I was only restating lectures that I have heard over the last two
years.

I think it is important to distinguish between Brute forcing the complete
cipher in a true sense, or as you say using an
"interesting attack".   You are correct new methods will be found and  many
of those methods will use Brute force as a component on some of the
variables in the attack.  So gobs of computing power + clever attack
strategies, will reveal new methiods.

So lets look at this from another view.   How fast does a computer have to
be to fully bruit force a 64,128,256 key?  ZettaFlops?  YottaFlops?
http://en.wikipedia.org/wiki/Flops   Lets assume a classical
computer.

George, crankup that abacus of yours and let us know.  I for one would be
very interested.
Or anyone else with big fat calculator?  My is the wimpy drugstore kind...

Thanks for the calculations above.
Andrew




On Fri, Apr 5, 2013 at 8:57 PM, Gregory Maxwell  wrote:

> On Fri, Apr 5, 2013 at 6:51 AM, Andrew F 
> wrote:
> > I would love to see an analysis of a 128 bit AES encryption VS a 10
> exoflop
> > computer. How long to crack it?  Anyone got the math on this?
> [...]
> > So what does this mean?   Any article that suggest that brute forcing
> > present day encryption is not possible should be taken with a grain of
> > salt.  While the article may be correct today, come September 2012, Utah
> [...]
> > I would love to see an analysis of a 128 bit AES encryption VS a 10
> exoflop
> > computer. How long to crack it?  Anyone got the math on this?
>
> You really should take just a _moment_ to do a little figuring before
> posting to a public list and consuming the time of hundreds or
> thousands of people.
>
> Lets assume that decrypting with a key and checking the result is one
> "Floating point operation" (since you're asking us to reason about
> apples and oranges, I'll just grant you that one apple stands for all
> the required oranges).
>
> To search a 128 bit keyspace on a classical computer you would expect
> that on average the solution will be found in 2^127 operations.
>
> 2^127 'flops' / 10 exaflop/s =  2^127 flops / 10*10^18 flops/second =
> 17014118346046923173 seconds = 539,152,256,819 years.
>
> ...Or, about 39x the currently believed age of the universe.
>
> Surely with a lot of computing power there are many very interesting
> attacks— particularly in the domain of traffic analysis, weak user
> provided keys, discovering new faster than brute force attacks, etc.
> But to suggest that they're going to classically brute force a 128 bit
> block cipher is laughable, even with very generous thinking.
> Honestly, these other things are arguably far more worrisome but
> they're all just handwaving... which is all any of this discussion
> is...
> ___
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Anthony Papillion]

On 04/05/2013 01:01 PM, Andrew F wrote:
> 
> Basically he said that with quantum computing all bets are off and every
> cipher today will likely be cracked. Quantum computing will require new
> kinds of ciphers and only those with Qcomputers will be able to decrypt the
> messages.

Not entirely correct, as I understand it. Granted, quantum computing
will shred most (all?) of the ciphers we currently use. But that's
mostly because they will be able to do massively efficient prime
factorization using something like Shor's algorithm
(https://en.wikipedia.org/wiki/Shor%27s_algorithm). If I understand
correctly, resisting such technology doesn't require creating a cipher
that takes a quantum computer to decrypt but one that is resistant to
efficient factorization.


Just my $0.02,
Anthony
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Gregory Maxwell]

On Fri, Apr 5, 2013 at 6:51 AM, Andrew F  wrote:
> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
> computer. How long to crack it?  Anyone got the math on this?
[...]
> So what does this mean?   Any article that suggest that brute forcing
> present day encryption is not possible should be taken with a grain of
> salt.  While the article may be correct today, come September 2012, Utah
[...]
> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
> computer. How long to crack it?  Anyone got the math on this?

You really should take just a _moment_ to do a little figuring before
posting to a public list and consuming the time of hundreds or
thousands of people.

Lets assume that decrypting with a key and checking the result is one
"Floating point operation" (since you're asking us to reason about
apples and oranges, I'll just grant you that one apple stands for all
the required oranges).

To search a 128 bit keyspace on a classical computer you would expect
that on average the solution will be found in 2^127 operations.

2^127 'flops' / 10 exaflop/s =  2^127 flops / 10*10^18 flops/second =
17014118346046923173 seconds = 539,152,256,819 years.

...Or, about 39x the currently believed age of the universe.

Surely with a lot of computing power there are many very interesting
attacks— particularly in the domain of traffic analysis, weak user
provided keys, discovering new faster than brute force attacks, etc.
But to suggest that they're going to classically brute force a 128 bit
block cipher is laughable, even with very generous thinking.
Honestly, these other things are arguably far more worrisome but
they're all just handwaving... which is all any of this discussion
is...
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Andrew F]

Anthony, good point.  And worth a lot more then $0.02


Thanks Seth excellent write up.  I will have to brake out the sci
calculator and run some number.
I know the flops issue is a big one, but thats the only measure I could
find for the big system in Utah.
However, your point is well taken.  No way to really know without testing.
How about a road trip... we could knock on the the door and ask for 10
minutes of computer time?
Knock knock... "hello Mr NSA, can we use your super secret spy computer for
10 minutes?"
And Yes, My next post after asking that question will be from sunny
Guantánamo Bay.  As I am sure I will get an all expense paid trip
 from our friends in the (*Redacted *).

You know, if anyone has an Nvidia Xk20 and an AMD 16 core working together,
we could test on a small scale and then extrapolate from there, get an
estimate of efficiency per second and do the calculations.  If anyone wants
to mess around with it and has the hardware...  :-)  I'll buy the pizza and
beer. In fact, It would be a fun article to write."So just how fast is
the NSA supercomputer?"

Ok, everyone, have a good weekend.








On Fri, Apr 5, 2013 at 9:33 PM, Anthony Papillion wrote:

> On 04/05/2013 01:01 PM, Andrew F wrote:
> >
> > Basically he said that with quantum computing all bets are off and every
> > cipher today will likely be cracked. Quantum computing will require new
> > kinds of ciphers and only those with Qcomputers will be able to decrypt
> the
> > messages.
>
> Not entirely correct, as I understand it. Granted, quantum computing
> will shred most (all?) of the ciphers we currently use. But that's
> mostly because they will be able to do massively efficient prime
> factorization using something like Shor's algorithm
> (https://en.wikipedia.org/wiki/Shor%27s_algorithm). If I understand
> correctly, resisting such technology doesn't require creating a cipher
> that takes a quantum computer to decrypt but one that is resistant to
> efficient factorization.
>
>
> Just my $0.02,
> Anthony
> ___
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Seth David Schoen]

Andrew F writes:

> So lets look at this from another view.   How fast does a computer have to
> be to fully bruit force a 64,128,256 key?  ZettaFlops?  YottaFlops?
> http://en.wikipedia.org/wiki/Flops   Lets assume a classical
> computer.
> 
> George, crankup that abacus of yours and let us know.  I for one would be
> very interested.
> Or anyone else with big fat calculator?  My is the wimpy drugstore kind...

As Gregory pointed out, "flops" is not the right measurement here
because cryptographic operations are not floating-point operations.
Checking a candidate key doesn't involve any floating-point math,
but rather something like a block cipher decryption, which is a
different sort of computation.

The calculations to figure out brute-force speeds are really about
simple multiplication and division.

Just as the distance traveled by a moving object is given by

distance = speed × elapsed time

the number of decryptions attempted by a brute force search is given
by

decryptions = speed × elapsed time

For example, if you have a 128-bit symmetric key, and you want to
talk about a situation in which every possible key value has been
checked, the relationship is

2¹²⁸ = speed × elapsed time

or, if you prefer,

340282366920938463463374607431768211456 = speed × elapsed time

If you want the time, just divide 2¹²⁸ by the speed.  If you want
the requisite speed to finish in a specified time, just divide 2¹²⁸
by that time.  You just need to use consistent units, like measuring
speed in trial decryptions per second and measuring elapsed time in
seconds.

In 1998 EFF built a brute-force cracking machine

https://en.wikipedia.org/wiki/EFF_DES_cracker

which "was capable of testing over 90 billion keys per second",
against the DES system which used 56-bit keys.  To find the time
it would take that machine to be sure of testing every possible
key, just divide 2⁵⁶ by 90 billion; the answer is given in seconds.

(To convert seconds to days, divide by 86400.)

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Seth David Schoen]

Seth David Schoen writes:

> the number of decryptions attempted by a brute force search is given by
> 
> decryptions = speed × elapsed time

More generally,

things = things/moment × moments

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor transparent proxy leaks?

[adrelanos]

Gregory Disney:
> Lol use a VPN with tor

With respect, I don't think this kind of answers are helpful for anyone,
sir.

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Fosforo]

> Guys, if you are in trouble with NSA, or other US governmentals agency,
> you're screwed. Physically. Don't mind your electronical com'.

totally agree.

http://www.theregister.co.uk/2013/03/29/fbi_stingray_mobile_tracking/


--
[]s Fosforo
-
"Se eu tiver oito horas pra cortar uma arvore, passarei seis afiando meu
machado."
-Abraham Lincoln
-


On Thu, Apr 4, 2013 at 12:15 PM, Alexandre Guillioud <
guillioud.alexan...@gmail.com> wrote:

> Why not using some exotic scramble of keys/method to encrypt the whole
> message ?
>
> The only way to hide/protect us from something we don't know, is putting a
> mess in protocols. A big mess.
> The point is : How can we unscramble it at the end without revealing the
> secret necessary to scramble it ?
>
> Guys, if you are in trouble with NSA, or other US governmentals agency,
> you're screwed. Physically. Don't mind your electronical com'.
>
>
> 2013/4/5 george torwell 
>
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > i wasnt going to, but now i have to...
> > i dont know what tech or knowledge they have.
> > but i imagine that if you angered them, and they wanted your keys, they
> > would come and get them.
> > physically or electronically.
> > 
> > so lets not speculate :)
> >
> > i have a lot of faith in the developers, but if you feel that they are
> > missing something, please find a way to contribute that knowledge to the
> > project. that way we all benefit.
> >
> > On 04/04/2013 08:23 AM, Tim wrote:
> > > Those at the root of the NSA have technology that is far faster and
> more
> > vast than you imagine it
> > currently to be. To decrypt keys, It does not take what you might
> > otherwise expect.
> > >
> > > I'm sure one or more of the developers are either in denial or part of
> > the "security" apparatus or both. I would not hold your breath.
> > >
> > > Be well.
> > >
> > > On Thu, Apr 4, 2013 at 11:55 AM, George Torwell  > > wrote:
> > >
> > > i may be wrong but:
> > > - we are talking about keys of every node along the path. how can
> you
> > > increase that just locally?
> > > - keep in mind that we dont know if factoring such a key is
> > likely, if i
> > > remember correctly that talk mentioned huge amounts of computation
> > power
> > > and electricity.
> > > something like a year for a 40 mega watt consuming data center
> > per 1024
> > > bit key.  expensive.>
> > > on the other hand its rumored that the utah data center will
> > have 65
> > > mega watts from its own power station.
> > > im pretty sure that the developers will move us safely from these
> > keys as
> > > soon as its needed :)
> > >
> > >
> > > On 4 April 2013 13:54, Bernard Tyers  > > wrote:
> > >
> > > > That's what I was thinking, I just didn't know if there was
> another
> > > > reasons.
> > > >
> > > > I guess the key size is configured on the Tor node? I haven't
> > found it
> > > > anywhere in the configuration (I'm using TBB on OS X).
> > > >
> > > > Is it possible to increase the size of the key, if say I've got
> > a big
> > > > server running as a node?
> > > >
> > > > If there are nodes using different length keys, is the security
> > relying on
> > > > the node with the smallest key length?
> > > >
> > > > Thanks.
> > > >
> > > > Bernard
> > > >
> > > > 
> > > > Written on my small electric gadget. Please excuse brevity and
> > (possible)
> > > > misspelling.
> > > >
> > > > Alexandre Guillioud  > > wrote:
> > > >
> > > > >The bigger the key is, the longer (cpu cycle) it take to
> > encrypt/decrypt ?
> > > > >
> > > > >Le jeudi 4 avril 2013, Bernard Tyers a écrit :
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Is there a reason 1024 bit keys, instead of something higher
> > is not
> > > > used?
> > > > >> Do higher bit keys affect host performance, or network
> latency?
> > > > >>
> > > > >>
> > > > >> Thanks,
> > > > >> Bernard
> > > > >>
> > > > >>
> > > > >> 
> > > > >> Written on my small electric gadget. Please excuse brevity and
> > > > (probable)
> > > > >> misspelling.
> > > > >>
> > > > >> George Torwell  >  > wrote:
> > > > >>
> > > > >> a second guess would be going after 1024 bit keys.
> > > > >> there is also a video on youtube from a recent con about the
> > > > feasibility of
> > > > >> factoring them, <"fast hacks" or something like that> at the
> > end, jacob
> > > > >> applebaum asks about it and they advise him to use longer keys
> > or
> > > > elliptic
> > > > >> curves crypto.
> > > > >>
> > > > >> __

Re: [tor-talk] NSA supercomputer

[Andrea Shepard]

On Fri, Apr 05, 2013 at 04:45:57PM -0700, Andrea Shepard wrote:
> [1] Since you can test whether a key is correct in polynomial time using two
> blocks of ciphertext, search for keys is in NP and being able to rigorously
> prove security for a block cipher would imply P != NP as a corollary.

Apologies; I have slightly mis-spoken here.  This implication would only
hold if the problem were NP-complete, which I do not believe is known to
be the case for any cipher.  Proving such lower bounds is still, however,
beyond the capabilities of present mathematics.

-- 
Andrea Shepard

PGP fingerprint: 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5


pgpm7u5Hpr2Em.pgp
Description: PGP signature
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Seth David Schoen]

Andrew F writes:

> You know, if anyone has an Nvidia Xk20 and an AMD 16 core working together,
> we could test on a small scale and then extrapolate from there, get an
> estimate of efficiency per second and do the calculations.  If anyone wants
> to mess around with it and has the hardware...  :-)  I'll buy the pizza and
> beer. In fact, It would be a fun article to write."So just how fast is
> the NSA supercomputer?"

I don't think that consumer hardware not intended for cryptographic use
is a great basis to estimate cracking speeds of specialized cryptoanalytic
devices.  If you think about bitcoin hash rates, custom hardware is already
clobbering GPUs, not only in overall speed, but also in cost-effectiveness
(hashing speed per dollar).  The same was true when EFF built the DES
cracker back in 1998 -- custom hardware was significantly more cost-effective
for fast DES cracking relative to ordinary desktop CPUs.

In fact (just following Wikipedia's figures, not my own recollections of the
_Cracking DES_ book), the EFF machine was about 90,000 times faster than a
desktop computer at the same time -- but probably only around 100 times the
cost.

Recommended key length is a topic that's seen fairly extensive study, often
based on speculating about an adversary's costs.

http://www.keylength.com/en/

I think there was a summary paper in the last couple of years trying to
estimate the cost of modern custom hardware to break keys of various sizes,
but I haven't been able to find it again.  The COPACOBANA hardware cracker
is a major milestone using readily-available commercial technology.  I
don't know what their current-generation machines do, but they roughly
matched EFF's cracker for about $10,000 in 2006 and I assume it's quite
a lot better now.  They use Xilinx FPGA chips, which is still not the most
cost-effective option for an organization like NSA which could have its
own microchip fabrication facilities.

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] NSA supercomputer

[Andrea Shepard]

On Fri, Apr 05, 2013 at 01:51:06PM +, Andrew F wrote:
> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
> computer. How long to crack it?  Anyone got the math on this?
> 
> Andreas, your absolutely right, However we can do some estimating.
> Just keep in mind... garbage in, garbage out.. but  this is a pretty good
> guess.
> 
> So the fastest super computers use general cpus and Nvidia k20s. This is
> important to note because they scale in a linear fashion based on available
> space.   Now we know that Oak ridge national labs has about an acre of
> space, 43,560 Sq. Feet,  for its super computer, the Cray XK7 Named Titan.
> Which runs at 17.59 Pentaflops.  (yes PENTAFLOPS)
> http://www.top500.org/lists/2012/11/
> 
> According to a Cray press release Titan can scale up to 50 Pentaflops.
> 
> Now the new facility in Utah will have over 200,000 sq. feet dedicated to
> its super computer.
> 
> (
> http://www.forbes.com/sites/andygreenberg/2012/03/16/nsas-new-data-center-and-ultra-fast-supercomputer-aim-to-crack-worlds-strongest-crypto/)
> 
> 
> So If we assume, the a linear relationship between Square footage and
> computing power then we can calculate that Utah will have 4.59  time more
> space then Oak Ridge, so they will have room for at least 80.73
> pentaflops.
> 
> Several articles have stated that the center is designed to house an
> Exoflop computer.  Thats a fast computer. Thats 10 followed by 18 zeros. Or
> 1000 petaflops.
> 
> There is more.  Lets look at our growth rate.   4.5 years ago Roadrunner
> was the first super computer to brake the pentaflop barrier. Today we have
> titan at 17.59 pentaflops. So if we can assume a growth rate of 380% per
> year.  And that the center will be up graded with each new version of GPU
> from Nvidia and CPUs from Intel, We can assume that we will hit one Exoflop
> in about three years or 2015.
> 
> The power production at the new facility supports these numbers.
> 
> So what does this mean?   Any article that suggest that brute forcing
> present day encryption is not possible should be taken with a grain of
> salt.  While the article may be correct today, come September 2012, Utah
> goes on line and we will be stepping into a world that will lead to exaflop
> computers and may challenges to our present day encryptions.
> 
> AES is safe for a longtime, but other encryptions should be of concern in
> the coming years.Don't forget about tracking and fingerprinting
> possibilities with these massive systems.
> 
> I would love to see an analysis of a 128 bit AES encryption VS a 10 exoflop
> computer. How long to crack it?  Anyone got the math on this?
> 
> The good news, no one is going to care about your stuff... unless your
> making waves.   Then the only safe encryption is a non mathematical method,
> such as a  library code run on a system that does not go on the net.

This is all just wrong.  It's wildly implausible that *any* amount of
computational power the NSA will *ever* have will attack such large
key spaces by brute force.  On average, you have to search half the key
space, so 2^127 keys, to break the cipher.  Let's be insanely overgenerous
by a factor of at least a few thousand and suppose 1 'operation' == 1 key
tested, so your 10 exaflop machine can test 10^19 keys/second.  Then it
needs (2^127)/(10^19) seconds on average to brute force a 128-bit key, or
twice that in the worst case.  That's 539 billion years.  The sun will reach
its red giant phase and engulf the Earth before it gets through even one
percent of the keyspace.

Furthermore, thermodynamic constraints apply: for every bit of non-reversible
computation output, one must expend energy 4*k*T, where k is Boltzmann's
constant and T is the absolute temperature.  The lowest you can plausibly
take T is equilibrium with the cosmic microwave background (2.73 K), since
you would need to expend more energy for cooling to maintain a lower
temperature.  Thus, every non-reversible bit of output needs at least 1.51 *
10^-22 J of input energy.  Forget cryptography for the moment; consider just
cycling a 128-bit counter through all of its possible values.  Adding one to
a number always changes 1 bit, changes another half of the time, and so on,
so we have 2^0 + 2^-1 + ... + 2^-128 = 2 * (1 - 2^-129) irreversible bit
outputs per counter value, times 2^128 values gives us 2^129 - 1 bits expended,
or 1.03 * 10^17 J.  Not a totally implausible amount of energy, but a rather
large one, roughly one day's worth of output for all the power plants in the
world - actually doing crypto ops that many times would need thousands of
times more, and current hardware is many orders of magnitude away from being
able to even approach fundamental physical limits on computational efficiency.
It also nicely demonstrates that 128-bits is about as far is it goes for
brute force even being theoretically possible within the known laws of physics;
brute-forcing a 256-bit key would consume far more e