256 bits is out of bounds for brute forcing for any realistic amount of hardware you throw at it. So either they have attacks on the actual algorithms that drastically cut down the complexity compared to a brute force attack, or this law doesn't do very much (other than perhaps pave the way for other laws).
I read about the NSA (I believe, or another TLA) having identified some weaknesses in encryption algorithms (RSA I think, though again, memoria fragilis est), that means they could just about break some cyphertexts.
The context was that, although the agency was committed (hmm) to making cybersecurity better for US citizens, and thus helping the cryptography community to improve security, they felt OK exploiting weaknesses, so long as they thought it would be too difficult for others to do so too.
Sorry it's so hand-wavy, I'd love to find the article for my own sake, but busy/hard to google.
"One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)
Given that k = 1.38×10-16 erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.
Now, the annual energy output of our sun is about 1.21×1041 ergs. This is enough to power about 2.7×1056 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2192. Of course, it wouldn’t have the energy left over to perform any useful calculations with this counter.
But that’s just one star, and a measly one at that. A typical supernova releases something like 1051 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."[0]
It's worth noting that if those Dyson spheres were quantum computers (and we ignored light-speed delays even within single spheres) you'd only need to count up to 2^128, not 2^256 to brute-force a 256-bit key. Still well outside the realm of possibility for anything smaller than a Dyson sphere.
What budget? At 256 bits (and even far less) it's not a question of money. It's a question of energy. We don't have enough energy production to even execute a single repeating adding instruction that bit-flips 256 bits of data registers to just count up from 0 to 2^256-1, and even if we did we don't have computer setups capable of ingesting such energy. Never mind the fact that encryption rounds and result analysis increases the energy consumption some hundred orders of magnitude.
That was mainly my concern when I read the news. Its unlikely they are capable of doing that now, but they are certainly working hard on it, and people moving to 512 bit encryption before then will probably result in years of hard work down the drain. But it is still concerning that they even think that 256 bit encryption is crack-able in the foreseeable future.
It’s not that 256 bit encryption will be crackable soon. It’s that flaws in the implementation of the encryption algorithm will allow access to the partial key.
Of course not. If China could break modern encryption, that would be a state secret of the highest possible order, not something you'd piece together axiomatically on a message board from a policy pronouncement.
If they can frighten people into believing 256 bits isn't enough, interesting parties will self-select, by using stronger ciphers, aiding traffic analysis.
They probably realized that 256 bit is so ubiquitous already that it would be a major upheaval to all of a sudden regulate it. Seems like the intention could be forward looking to the future.
As others have pointed out this isn't practical on current hardware. However with quantum computers I've read that there are already algorithms which would make short work of it. What I'd be curious to know is whether the key length has any bearing on the speed of said algorithms.
My guess would be that key length scales the quantum algorithm time much less than it scales the possibilities. Like, as key length squares, execution time doubles.
I don't know. It's seems crazy that an algorithm wouldn't be affected at all by significant numerical increases.
Possibly yes, although it could also mean they are doing this now for the future. It makes sense because post-quantum symmetric encryption may need higher key lengths, although it is currently still believed that 256 bit keys should provide the equivalent of 128 bit classical keys.
Of course not - they are free, you don't need to import them.
If you meant "Cisco VPN gateway" then yes, and I wonder if China is actually going to prevent import of cryptography hardware that's known to be broken or backdoored.
It's a legit concern given the Crypto AG gate that happened a while ago.
Where the so called reputation of swish neutrality was destroyed, if i'm not mistaken the German and American Intelligence agency had compromised the encryption hardware.
What makes you think that cost (or lack thereof) has anything to do with whether or not something is imported? The two things are completely orthogonal.
Nope, none of that uses symmetric keys >256 bits. Nothing does. The only reason to go >256 bits is if your crypto is getting attacked by an adversary with a Dyson Sphere-sized quantum computer, or an adversary that's found a way around the laws of thermodynamics. Either way, you have big problems.
Thought experiment: if I use 512-bit encryption from cleartext to intermediate blob, and then encrypt that with 256-bit encryption, is there a way to determine, by looking only at the final ciphertext, that 512-bit encryption keys were used in the intermediate step?
To avoid attracting their attention in the first place. They are not going to bother breaking every 256-bit-encrypted thing they see but as soon as they notice something obviously 512-bit-encrypted they go beat the key out of you.
I don't think you can with a decent crypt. In practice most encrypted containers come with metadata and a header describing the type of encryption since the assumption is that it can only be decrypted with a key anyway. If you forget encryption parameters, this can become difficult even if you have the key.
In cryptanalysis it is normally assumed that the attacker knows the algorithm and encryption parameters aside the key.
It's dead simple: «You used encrypted connection today. It's encrypted with 10000024 bit key, which is forbidden by China. You can send your key to us to prove that you are innocent, or go to jail.»
I would expect they are interested in me or don’t care. If they are interested, they routinely break all comms and notice 512. If they aren’t interested they won’t bother to break 8 bit.
I’m not interesting so not an issue for me, but I would also assume that they can break much more than this and wouldn’t actually reveal their limit in such a policy. Kind of like how your boss quadruples your time estimate. If their policy says nothing over 256, then they likely have capability for more.
But I’d expect that usually these pass phrases can be any length as they are all getting beaten out of us when needed.
> I would expect they are interested in me or don’t care.
There are several degrees of interest. Essentially they are interested in everyone trying to hide anything from them and they probably understand people of real danger to them will do their best to look ordinary and mediocre.
> If their policy says nothing over 256, then they likely have capability for more.
Sounds reasonable but breaking 512 obviously is much harder than 256 and will take significant time and resources they don't really want to waste. They will rather force you to reveal the key and only break 512+ if they can't easily reach you physically or identify you in the first place.
My interpretation as someone who is not an expert on cryptography:
The final cyphertext of an encryption system should be indistinguishable from noise - the less random the output looks, the more information an attacker gains.
The output of your 512-bit encryption should therefore look like noise already. Converting noise to noise should therefore result, predictably, in more noise. So I'm going to say "no, you can't tell".
Cryptography is specialized (and counterintuitive) enough that perhaps we should just let people who know what they're talking about respond rather than repeating or just making up what "feels right" to our lay interpretations of incredibly complex topics.
What we have been taught or what we understand about cryptography is just as important to discuss. What you said sounds a bit like "let the adults talk" and is condescending.
I can prove to you that you're seeing an encrypted message by giving you the decryption key, and I can prove to you that you're seeing compression by giving you the decompression algorithm.
However, there is no way to prove that random bytes are _really_ random.
Unless your "ciphertext" includes a header saying "this data in encrypted with 512-bit AES-cbc"
Instead of auditing the code/file format, it may be less error prone to just re-encrypt the entire file thereby hiding any metadata that the encryption program attaches.
In theory yes in practice crypto systems add additional data to assist in decryption and interoperability. Key size, algo, even key identifier are often added as meta data.
And that is before you get into less than perfect encryption.
They can reverse engineer the binary and see you do double encryption. If you care about this law, presumably at least one endpoint has physical presence in China.
Not necessarily. You can encrypt something twice with different keys. e.g. off the shelf zip archivers dont support 1024 bit keys, but who can stop you from writing a bash script that generates 10 keys using sha1 and a 'seed passphrase' and runs the zip archiver 10 times?
Whenever you encounter data that you suspect is encrypted and you want to attempt to break that encryption you need to investigate and gather intelligence on the algorithms and data format used. You can't just hit in the dark at random.
This can be done covertly or overtly, the former being plain old spying, the latter may be as simple as detaining the people involved and seizing computers (especially in China...).
I don't think you even need the 256-bit encryption step? Unless you add metadata the cyphertext shouldn't reveal anything about the encryption method and should (ideally) look indistinguishable from random noise.
Presumely, the 256-bit limit was chosen because a 256-bit key can easily be bruteforced. So if authorities find out that any possible 256-bit key only yields garbage, they should know something is fishy.
The data won't give it away, at least as long as the noise is sufficiently hidden with steganography and not just a mystery blob. But the tooling setup you use to access the cleartext with your passphrase, without starting from first principles each time, that setup might very much give it away if the system comes under serious scrutiny.
Note that there's a huge difference between "until proven guilty" and "until considered suspect": suddenly obscurity cannot be shrugged off at all, quite the opposite.
The title on HN is a bit misleading. You should use the original title of the article. According to the article, what requires an import permit is the "foreign 'data encryption technology employing a key length greater than 256 bits'". In reality, the encryption standards (SM1, SM2, SM3, SM4, etc) in China allows strong encryption. I don't see any clues stating that China forbids encryption technology with a key greater than 256 bits.
So... in other words, encryption with a key greater than 256 bits is forbidden unless you use one of the state-sanctioned (read: backdoored) algorithms. Neat.
That is not a correct paraphrase of what chenzhekl wrote.
Perhaps there is a rule that prevents someone in China from implementing any algorithm they want to implement with any number of bits they want to use, but that rule would hardly be an "import control", which is what the linked article is about.
Or it may just be, that anyone (currently) caring about >256 bits of symmetric key is likely not knowledgeable enough to avoid snake-oil salesmen (usually are annoying, but in crypto are outright dangerous).
Is there any well-defined, well-implemented cipher with a keysize of >256. AFAIR the AES is either 128 or 256.
That seems more (rightfully) careful than draconian..
No not really. FIPS specifies minimum encryption levels and forces certain things to not be used that are considered insecure. However it doesn't cap the maximum key length that is possible to be used.
Also FIPS 140-2 is outdated, please see FIPS 140-3.
While FB have many customers in China (much as Google do), I don't believe that they have any actual data centres, and they certainly don't have any (official) users.
RISC-V has some extension instructions dedicated to them. The extension was ratified very recently, so it isn't clear which chips will actually support them.
I tentatively conclude from this news that they have a Quantum Computer that can break symmetric key encryption with 256 bit keys or lower, or hope to have one soon, and that they don't have to worry about this domestically because they have enough control over the endpoints.
On a side note, my own encryption software is now prohibited in China, but that hardly matters. I don't recall having any customer in China anyway.
They effectively half the size of symmetric encryption keys (via Grover). They aren't considered as "breaking" them because doubling key size is pretty cheap. 256 bit symmetric is generally considered relatively safe vs quantum since a 128 bit key is still quite strong. That said, transitioning to 512 bits wouldn't be bad, since that would pretty much completely nullify quantum assisted breaks.
128-bit is still absolutely impractical to brute force now or in the foreseeable future. Even 96-bit is questionable, though likely achievable after some time by someone with a lot of money who is able to create a huge farm full of ASICs for the task.
A QC large and stable enough to run Grover's Algorithm would be a problem for symmetric keys and hashes smaller than about 192 bits. Most cryptographers recommend 256-bit or larger for a good margin of safety.
Yes, a thousand times. The vast majority of compromises happen because of software exploits or social engineering.
This is not an argument for using shitty cryptography, but it is IMHO an argument for being more afraid of the implementation and the human beings using it than the crypto.
Does anyone know how this interacts with the AES-256 break from a while back? Something to do with, they didn't use enough rounds so the security is really only about equivalent to AES-128. And then nobody cared because having the security of AES-128 isn't a practical break.
Unless we get quantum computers. Then what happens with AES-256?
As I recall it was about the key schedule. But, same outcome. Some people, idiotically, use 256 bit AES anyway, because it reassures less literate customers. Sort of like the patdowns at airports: security theater.
I haven't heard anything about not using enough rounds, so it's possible that my information is just out of date. My understanding is that AES-128 was chosen to be resistant against classical attacks, and AES-256 was chosen to achieve the same level of security as AES-128 against attacks that incorporate quantum computers and Grover's algorithm.
They basically half the symmetric keyspace (but there could be better, more specialized quantum algorithms), and the next smallest keysize is usually 128 bit. So that's what most foreign encryption will use after this new law. A brute-force search of a 64 bit keyspace is no problem for a nation state like China.
> According to the article, what requires an import permit is the "foreign 'data encryption technology employing a key length greater than 256 bits'". In reality, the encryption standards (SM1, SM2, SM3, SM4, etc) in China allows strong encryption. I don't see any clues stating that China forbids encryption technology with a key greater than 256 bits.
I guess that's a nit against the post title, but I don't think it really clarifies much.
So they have domestic >256bit ciphers, and this restricts foreign equipment that uses >256bit ciphers. China also has an extensive domestic surveillance system, has lots of weird "national security" regulations (e.g. they use an obfuscated coordinate system for public maps, and IIRC it's illegal to use a GPS receiver for anything resembling mapping), and is also pretty protectionist.
What's the purpose of these regulations? Is it...
1. To further strengthen domestic surveillance by encouraging the use of (possibly compromised) domestic encryption equipment, or...
2. protect domestic industry by making certain technology imports difficult, or encourage foreign entities to buy Chinese technology for interoperability reasons, or...
3. discourage the domestic use of foreign equipment on national security grounds (e.g. foreign backdoors), or use interoperability or market-access concerns to weaken foreign equipment, or...
> In reality, the encryption standards (SM1, SM2, SM3, SM4, etc) in China allows strong encryption.
Those are not strong encryption standards. They have dual key escrow such that the government can backdoor the connection with their own key. Those are China made encryption standards for use primarily with government products but they are attempting to also force them on the general public.
> I don't see any clues stating that China forbids encryption technology with a key greater than 256 bits.
That is exactly what this results in, because your choice is either a government backdoored encryption method (which basically means it isn't encrypted at all) or a non-backdoored encryption method that is limited to a key size no greater than 256 bits.
I will note, with this over reliance on dual key escrow. If a foreign government were to steal that key through espionage without China's knowledge, it would let say the US government to backdoor China's own government communications.
> I will note, with this over reliance on dual key escrow. If a foreign government were to steal that key through espionage without China's knowledge, it would let say the US government to backdoor China's own government communications.
Why would a government use key escrow for its own internal encryption (for actual important communications, as opposed to "retail" business functions like running garbage pickup operations)?
Your question presumes a Western, liberal paradigm of how govts should function. Most of the answer rests in different levels of institutional mistrust. Authoritarian govts are necessarily always operating under a siege mentality, so they must check on each other. Noting that, at the highest level the Chinese govt is wholly controlled by the Chinese Communists and the Communists correctly note the existential threat their bureaucrats pose. And it cascades down from there. There’s an illustrative proverb that goes “Heaven is high and the emperor is far away.” This idea justifies doing something you know is wrong, but is unlikely to be punished.
So to answer the question, the govt is not using key escrow for its own internal communications. Because it isn’t a monolith, and it’s not internal. The different fiefs need to be watched as much as anyone else.
> Why would a government use key escrow for its own internal encryption (for actual important communications, as opposed to "retail" business functions like running garbage pickup operations)?
Because governments (especially dictatorships) are most scared of their own members who can possibly seize power.
Ok, we've changed the title back to the article original - except with s/MOFCOM/China/.
Submitted title was "China forbids data encryption using a key greater than 256 bits". Submitters: please follow the site guidelines, which ask "Please use the original title, unless it is misleading or linkbait; don't editorialize."
If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
The original title is "MOFCOM Issues New Encryption Import Control Effective Immediately". It's pretty standard to replace the name of a government agency with the name of the government or country, especially if the former is an obscure name that most of the audience won't recognize.
It's probably too much data to record absolutely everything, but any intelligence agency worth it's salt is certainly doing it with important traffic like embassies coms, enemy military signals etc.
To be clear, the article states that such tech is not forbidden, but that is requires an import permit. Certainly the process of getting a permit opens things up to political interference, but nothing in the article talks about anything that "forbids" the imports, so this headline is not accurate, and does not match the article.
There must be something I'm missing here. As far as I know, the state of the art is to use 256 bits for encryption keys, both for symmetric (AES-256, Chacha20) and asymmetric (Curve25519, the 256-bit NIST curves), and they are considered both fast and safe. Are they trying to ban some kind of post-quantum cryptography which uses larger keys?
For TLS much larger keys are typically used, "The recommended minimum key length is 1024 bits, with 2048 bits preferred, but this is up to a thousand times more computationally intensive than symmetric keys of equivalent strength (e.g. a 2048-bit asymmetric key is approximately equivalent to a 112-bit symmetric key) and makes asymmetric encryption too slow for many purposes."
This is wrong at least as a response to the original comment, which is correct about the state of the art (TLS is also moving to elliptic curves where shorter keys are used).
TLS isn't encrypting data with those longer keys. That's used for auth and connection bring up before switching to a symmetric encryption scheme to actually encrypt data.
Curve448 also exists, which uses ~448-bit keys. Although with that, it only offers 224 bits of security (Compared to Curve25519's 128). And NIST-P521 exists, with similar properties. I wonder whether this legislation strictly applies to the bits-of-security, or bits-of-key-length.
IIUC, AES-256 will be fine for the forseeable future, even with quantum computers. However, Curve25519 could fall relatively soon, depending on how rapidly quantum computing advances.
Yeah, because that worked out extremely well. I don't see how they plan to actually enforce this. Sure some commercial projects may get a "China - no import restriction" version, but realistically all open source software will continue as normal, and commercial products will just get the permit.
I think this is about being able to target political dissidents for using encryption.
The title is misleading, but it gave me a good time. Imagine all companies are sending sensitive documents encrypted with 256-bit keys. Oh, shit, that's a true gold mine. Park near a corporate HQ, scoop up some WiFi traffic, decrypt, and profit.
For anyone not familiar with this, 256-bit ECDSA is considered to have the same security as 3072-bit RSA. A lot of large shops use 2048-bit keys, and GPG folks think 4096 is "unnecessary"[1]. So 3072 is a more-than-decent strength by today's standards.
I take this is a form of propaganda. To make opposing nations consider the possibility that they have technology to break "data encryption using a key greater than 256 bits".
I think that if China has technology to break any [1] encryption with 256 bit key, they should have technology [2] to break encryption with longer keys.
[1] Article does not specify encryption algorithms, so we should assume "any encryption algorithm can be broken" here.
[2] Contemporary SAT (CDCL) solvers accumulate constraints derived from problem being solved and it has been shown (proven, even) to exponentially speed up search process. Resulting algorithm is still exponential (2^O(N)), but exponentially faster than brute force (different constants).
121 comments
[ 1.9 ms ] story [ 203 ms ] threadThe context was that, although the agency was committed (hmm) to making cybersecurity better for US citizens, and thus helping the cryptography community to improve security, they felt OK exploiting weaknesses, so long as they thought it would be too difficult for others to do so too.
Sorry it's so hand-wavy, I'd love to find the article for my own sake, but busy/hard to google.
"One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)
Given that k = 1.38×10-16 erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.
Now, the annual energy output of our sun is about 1.21×1041 ergs. This is enough to power about 2.7×1056 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2192. Of course, it wouldn’t have the energy left over to perform any useful calculations with this counter.
But that’s just one star, and a measly one at that. A typical supernova releases something like 1051 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."[0]
[0]https://www.schneier.com/blog/archives/2009/09/the_doghouse_...
It's worth noting that if those Dyson spheres were quantum computers (and we ignored light-speed delays even within single spheres) you'd only need to count up to 2^128, not 2^256 to brute-force a 256-bit key. Still well outside the realm of possibility for anything smaller than a Dyson sphere.
So 256 can become 128.
What makes you say that, and what new information would indicate when "unlikely" had turned to "likely"?
I don't know. It's seems crazy that an algorithm wouldn't be affected at all by significant numerical increases.
ssh also would need permission?
If you meant "Cisco VPN gateway" then yes, and I wonder if China is actually going to prevent import of cryptography hardware that's known to be broken or backdoored.
Added: A bit of searching revealed that this policy has been oversimplified to the point of nonsense in the linked article. A relevant article:
* https://www.hldataprotection.com/files/2019/11/The-Grand-Fin...
This seems to be more about checking to see if imported stuff that might affect national security has any backdoors.
In cryptanalysis it is normally assumed that the attacker knows the algorithm and encryption parameters aside the key.
I’m not interesting so not an issue for me, but I would also assume that they can break much more than this and wouldn’t actually reveal their limit in such a policy. Kind of like how your boss quadruples your time estimate. If their policy says nothing over 256, then they likely have capability for more.
But I’d expect that usually these pass phrases can be any length as they are all getting beaten out of us when needed.
There are several degrees of interest. Essentially they are interested in everyone trying to hide anything from them and they probably understand people of real danger to them will do their best to look ordinary and mediocre.
> If their policy says nothing over 256, then they likely have capability for more.
Sounds reasonable but breaking 512 obviously is much harder than 256 and will take significant time and resources they don't really want to waste. They will rather force you to reveal the key and only break 512+ if they can't easily reach you physically or identify you in the first place.
The final cyphertext of an encryption system should be indistinguishable from noise - the less random the output looks, the more information an attacker gains.
The output of your 512-bit encryption should therefore look like noise already. Converting noise to noise should therefore result, predictably, in more noise. So I'm going to say "no, you can't tell".
Proper encryption, maximum compression, and random bytes are all indistinguishable, as they have maximum entropy.
I only failed 9th grade three times, so feel free to correct me.
without additional information!
I can prove to you that you're seeing an encrypted message by giving you the decryption key, and I can prove to you that you're seeing compression by giving you the decompression algorithm.
However, there is no way to prove that random bytes are _really_ random.
well of course, because the opposite is true, any string of bytes can by XOR'd to something meaningful.
https://en.wikipedia.org/wiki/One-time_pad
Instead of auditing the code/file format, it may be less error prone to just re-encrypt the entire file thereby hiding any metadata that the encryption program attaches.
And that is before you get into less than perfect encryption.
Things are banned, implicitly, only if you get caught, so I don't think this is a philosophical argument.
This can be done covertly or overtly, the former being plain old spying, the latter may be as simple as detaining the people involved and seizing computers (especially in China...).
Note that there's a huge difference between "until proven guilty" and "until considered suspect": suddenly obscurity cannot be shrugged off at all, quite the opposite.
Perhaps there is a rule that prevents someone in China from implementing any algorithm they want to implement with any number of bits they want to use, but that rule would hardly be an "import control", which is what the linked article is about.
Is there any well-defined, well-implemented cipher with a keysize of >256. AFAIR the AES is either 128 or 256.
That seems more (rightfully) careful than draconian..
https://en.m.wikipedia.org/wiki/FIPS_140-2
Also FIPS 140-2 is outdated, please see FIPS 140-3.
https://en.wikipedia.org/wiki/FIPS_140-3
While FB have many customers in China (much as Google do), I don't believe that they have any actual data centres, and they certainly don't have any (official) users.
On a side note, my own encryption software is now prohibited in China, but that hardly matters. I don't recall having any customer in China anyway.
A QC large and stable enough to run Grover's Algorithm would be a problem for symmetric keys and hashes smaller than about 192 bits. Most cryptographers recommend 256-bit or larger for a good margin of safety.
Asymmetric crypto is more complex story.
Sure log4j might have been recently patched, but it's not unrealistic to think that a nation-state has access to similar exploits.
This is not an argument for using shitty cryptography, but it is IMHO an argument for being more afraid of the implementation and the human beings using it than the crypto.
Unless we get quantum computers. Then what happens with AES-256?
I guess that's a nit against the post title, but I don't think it really clarifies much.
So they have domestic >256bit ciphers, and this restricts foreign equipment that uses >256bit ciphers. China also has an extensive domestic surveillance system, has lots of weird "national security" regulations (e.g. they use an obfuscated coordinate system for public maps, and IIRC it's illegal to use a GPS receiver for anything resembling mapping), and is also pretty protectionist.
What's the purpose of these regulations? Is it...
1. To further strengthen domestic surveillance by encouraging the use of (possibly compromised) domestic encryption equipment, or...
2. protect domestic industry by making certain technology imports difficult, or encourage foreign entities to buy Chinese technology for interoperability reasons, or...
3. discourage the domestic use of foreign equipment on national security grounds (e.g. foreign backdoors), or use interoperability or market-access concerns to weaken foreign equipment, or...
4. all of the above?
Those are not strong encryption standards. They have dual key escrow such that the government can backdoor the connection with their own key. Those are China made encryption standards for use primarily with government products but they are attempting to also force them on the general public.
> I don't see any clues stating that China forbids encryption technology with a key greater than 256 bits.
That is exactly what this results in, because your choice is either a government backdoored encryption method (which basically means it isn't encrypted at all) or a non-backdoored encryption method that is limited to a key size no greater than 256 bits.
I will note, with this over reliance on dual key escrow. If a foreign government were to steal that key through espionage without China's knowledge, it would let say the US government to backdoor China's own government communications.
Why would a government use key escrow for its own internal encryption (for actual important communications, as opposed to "retail" business functions like running garbage pickup operations)?
So to answer the question, the govt is not using key escrow for its own internal communications. Because it isn’t a monolith, and it’s not internal. The different fiefs need to be watched as much as anyone else.
Because governments (especially dictatorships) are most scared of their own members who can possibly seize power.
Submitted title was "China forbids data encryption using a key greater than 256 bits". Submitters: please follow the site guidelines, which ask "Please use the original title, unless it is misleading or linkbait; don't editorialize."
https://news.ycombinator.com/newsguidelines.html
If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
https://www.bankinfosecurity.com/report-china-to-target-encr...
... this is why forward secrecy is so important!
[0] https://en.m.wikipedia.org/wiki/Utah_Data_Center
Or put differently would 10x even have a noticeable performance / UI wise hit?
To save a click, relevant part from the PDF:
65 软件和信息技术服务业
Next HN frontpage news idea: "China bans Deepfake"Source: https://www.internetsociety.org/deploy360/tls/basics/
IIUC, AES-256 will be fine for the forseeable future, even with quantum computers. However, Curve25519 could fall relatively soon, depending on how rapidly quantum computing advances.
I think this is about being able to target political dissidents for using encryption.
For anyone not familiar with this, 256-bit ECDSA is considered to have the same security as 3072-bit RSA. A lot of large shops use 2048-bit keys, and GPG folks think 4096 is "unnecessary"[1]. So 3072 is a more-than-decent strength by today's standards.
[1]: https://gnupg.org/faq/gnupg-faq.html#not_a_bad_idea_just_unn...
[1] Article does not specify encryption algorithms, so we should assume "any encryption algorithm can be broken" here.
[2] Contemporary SAT (CDCL) solvers accumulate constraints derived from problem being solved and it has been shown (proven, even) to exponentially speed up search process. Resulting algorithm is still exponential (2^O(N)), but exponentially faster than brute force (different constants).