61 comments

[ 3.5 ms ] story [ 117 ms ] thread
> The researchers, led by Dr. Tomislav Stankovski, created an encryption mechanism that can generate a truly unlimited number of keys, which they say vastly increases the security of the communication. To do so, they took inspiration from the anatomy of the human body.

Maybe this is just a problem of imprecise language and reporting, but when has the ability to generate an unlimited number of keys ever been the main problem? I always thought the problem was distributing/maintaining such a number of keys, and to a lesser extent, generating those keys in a reasonable amount of time.

Because wasn't "unbreakable" encryption invented a long time ago, and implemented successfully since? That is, one-time pads, which are theoretically unbreakable by anyone who is not omniscient? Of course, the problem of distributing and maintaining such keys gets in the way of popular implementation...

edit: I'm obviously not suggesting that one-time pads have solved much of anything...just that, why do researchers brag about creating an infinite number of keys, or even "unbreakable" encryption, when those don't seem to be much of a real-world problem...Maybe in this case it's just bad reporting and translation of researcher-speak. Now, extremely-unfeasible-to-break while feasible-to-use...that's clearly worth bragging about.

> why do researchers brag about creating an infinite number of keys, or even "unbreakable" encryption,

To generate some funding and impress gullible people? It is like unlimited energy or flying car projects.

(comment deleted)
For no encryption scheme is the key space unlimited.

For symmetric key ciphers, the keys are of a set length. AES accepts key lengths of 128, 192, and 256 bits.

For asymmetric ciphers, they vary even more. The RSA-XXXX designation refers to the length of n, which is the product of two primes (which must be kept secret) p and q. So for RSA-2048, p and q are roughly 1024-bit numbers. In addition, the secret exponent can frequently be quite large, although as it's calculated from the public key exponent and n its size is not guaranteed.

Ultimately however, all of these are designed so that the key spaces are too large to be feasibly brute-forced searched. The reason for the much larger size of the keys for the asymmetric ciphers is that their security is usually based on the difficulty of solving a problem (in RSA's case, factoring n into p and q, or the equally difficult problem of determining the totient of n) that gets more difficult as the keys get larger.

EDIT: And yes, one-time pads are theoretically unbreakable, however they can only be used once (as the name implies, but if they are used twice recovering the key is trivial), must rely on a sufficently good quality random number generator (which Matt Green recently had a very good article describing how hard it is to do: http://blog.cryptographyengineering.com/2014/03/how-do-you-k...) and they have the same issues that any symmetric key ciphers have, in terms of key distribution. They're useful when you have old women in Bletchley Park spinning bingo balls and carefully copying into two notebooks. Less so when you're trying to build a usable system for secure communication.

> I'm obviously not suggesting that one-time pads have solved much of anything

Well, they did. Think about various secret channels between governments, like the Washington D.C. - Moscow line.

http://en.wikipedia.org/wiki/One-time_pad#Historical_uses

I read a novel by a former SAS soldier about a former SAS soldier who's sent on deniable operations by the British government, and who uses what is clearly a one-time pad to communicate with his handlers. The detailed description of the precise method used, the fact that the term "one-time pad" is never used, and the narrator's apparent lack of understanding of how exactly it works (encryption/decryption is done via modulo-10 addition/subtraction, which the narrator derisively refers to as "spook maths") suggest that the author himself, or a contact of his in the same circles, has used a very similar system for real.
From just reading the linked to article, (I have not read the full paper) it appears that the researcher has conflated the size of the key space with whether or not the encryption algorithm is secure.

Size of the key space only really matters when the only known attacks have a time complexity proportional to the size of the key space, i.e. brute force.

If the algorithm itself is horribly broken then it doesn't matter much. For example, a monoalphabetic substitition cipher actually has a rather large key space (26!) but this doesn't really matter.

There's only one "unbreakable" encryption, and that's a pair of one time pads with truly random data as long as the message itself.

http://www.pro-technix.com/information/crypto/pages/vernam_b...

While this may seem like a tempting statement, it is not really an answer, since "unbreakable" is not really well-defined. Clearly, "truly random" is a bit of a tough one to define. And sending the message length is a bit of an information leak itself. But even putting those aside, there's a bigger flaw.

The biggest problem in this mechanism is how does the other party get their one-time pad? An upper bound on the unbreakableness of the entire scheme is the unbreakability of transmitting a one-time pad; and if you can do that, then why not just send the actual message via that mechanism?

"unbreakable" may be not well-defined, but perfect secrecy is[1].

1. http://en.wikipedia.org/wiki/One-time_pad#Perfect_secrecy

Perfect secrecy refers to the ability to determine any information about the plaintext without decoding it. Not having it can be very useful to an attacker, but that isn't always the case. RSA, for instance, doesn't have perfect secrecy, because it leaks the Jacobi symbol (https://en.wikipedia.org/wiki/Jacobi_symbol) of the plaintext. However, that information is of limited utility, and it can be shown that determining more useful facets, for instance the parity of the plaintext, requires solving more unfeasible problems.
Actually, perfect secrecy refers to the ability to determine any information about the plaintext at all, given arbitrary decoding power. It's quite simple -- it means that given a standard distribution of keys and an a priori distribution over the plain texts the best estimate of the plaintext given the ciphertext is simply the a priori distribution (no additional information). For the binary case, Y(any distribution)+X(uniform)=Z(uniform) (mod 2), so that this is satisfied for any prior.
> why not just send the actual message via that mechanism?

suppose you can transmit information securely only for some time. Exchange one time pads ahead of time, and use them later to communicate over insecure channel

By assumption, the only way to "transmit information securely" is by one-time pads. So...
That was not the assumption. The assumption (or assertion) was that one-time pads were the only unbreakable encryption. There are ways of securing things other than encryption (most obviously physical isolation).
Ach! I let myself get drawn into a semantic argument, and it earned me my first downvotes!

My only point was that talking about one-time-pads as "unbreakable" encryption is not a useful discussion, since "unbreakable" and "encryption" need to be better defined.

If we expand the definition of "encryption scheme" sufficiently to allow transmission of secrets outside of cryptographic channels, then OTP is not even close to the only unbreakable system.

Only by explicitly defining attack vectors can we really get a good framework for reasoning about cryptography, and even then we know that we can prove an encryption technique is bad. For "goodness", all we can do is increase our confidence, until the day the confidence drops to 0.

Anyway, with this last salvo, I'll retreat from this conversation; it's pretty clear to me that my inane ramblings about semantics are as annoying to the community here as they are to me when other people make them.

>My only point was that talking about one-time-pads as "unbreakable" encryption is not a useful discussion, since "unbreakable" and "encryption" need to be better defined.

No they don't. You are receiving negative feedback because you are trying to adjust definitions that have been well-defined by the crypto community. When talking about the security of an encryption algorithm, the key distribution has absolutely nothing to do with it. Stop conflating the two.

>If we expand the definition of "encryption scheme" sufficiently to allow transmission of secrets outside of cryptographic channels, then OTP is not even close to the only unbreakable system.

Would you care to share with us some of these other unbreakable systems? Remember, the keys are the only thing that can be transmitted outside of the channel and they cannot be based on the information being encrypted.

"If we expand the definition of "encryption scheme" sufficiently to allow transmission of secrets outside of cryptographic channels, then OTP is not even close to the only unbreakable system."

Any scheme which allows sharing arbitrary amounts of random information is less than or equally secure as an OTP (security defined per symbol) since OTP reveals no information per symbol; also, it uses the minimum amount shared information to do so, provided your symbols are equiprobable.

I agree, OTP is optimal, it's just not unique, even by a very broad definition of what an OTP is. Sending a Turing machine to the other party through a secondary channel, for example, would produce an equivalently (not more) secure mechanism. Or sending a normal real number as the key, and the ciphertext is an index into the base26 expansion.

Technically, either of these could be slightly more secure, in that they need not leak the length of the plaintext. For transmitting a single "yes" vs. "no" answer, that could be a fatal attack vector for a naive OTP.

You give each party a briefcase full of 4 TB hard drives full of random numbers generated from a USB attached atomic decay device.

Now for 1,2,10 years depending on your rate of communication you can communicate using the one time pad.

>why not just send the actual message via that mechanism?

The point is you only have to exchange pads periodically, not every time you communicate.

How do you encrypt the hard drives?

I wouldn't trust some keys that had been lying around on an unencrypted hard drive for 1,2,10 years!

If I was using one-time-pads I'd probably be using them because I didn't trust encryption, so "unencrypted" wouldn't matter here.

In real-world implementations I think the security is probably based around a large number of men with guns.

Exactly, men with guns secure the one time pad. The data sent using that pad is secure.

Nit: I would consider one time pad to be a method of encryption.

Nit: I would consider one time pad to be a method of encryption.

Ah, true. But the encryption algorithm is much simpler to implement than most :-)

I mean, what you're saying here is that in addition to one-time-pad based cryptography, there is a "give a briefcase to the person"-based cryptographic system. In reality, I think lot more briefcase-based transfers are "cracked", as it were, than SSL sessions.

My problem is just that the proposed mechanism relies on already having an even more perfect mechanism, and thus cannot be the "only one", but is in fact strictly weaker than this other mechanism. So we have a contradiction, and we can get rid of the notion that there exists such a thing as an "unbreakable" system (or, alternatively, that it is a useful concept)

No, the notion of the unbreakable one time pad is a great notion to have around.

It is the good standard for crypto systems. Yes it's unworkable in practice but that's exactly why nobody really uses it. It is useful for teaching and making comparisons.

Governments use it all the time. (Men with handcuffed briefcases and armed guards..)

Before you send your submarine to sea for example, you can provide them with many gigabytes of one time pad. They can then use this for their most secret communication.

No, this is a a breifcase full of one time pad. If you could fit 32 4 TB hard drives full of pad in the brief case that would allow you to send 128 TB in the future securely using something like an XOR one time pad. Assuming you are just sending ASCII and compress it before sending/XORing you could send a lot more then 128 TB of ASCII.

This is pretty powerful. It means that organization which and periodically move physical assets securely can send information in a manner that is secure even if quantum computers reach their full potential.

Was "128 GB" a typo for "128 TB"?

Incidentally, the mechanism for sharing the pad doesn't have to be 100% secure, as long as you can reliably detect any compromises. If someone opens the briefcase while it's in transit, you just generate new pads and send another briefcase. To compromise the system, an adversary has to compromise the pad in transit without being detected.

> I think lot more briefcase-based transfers are "cracked", as it were, than SSL sessions.

Lots of SSL sessions are going on right now. It only takes a vulnerability like CVE-2014-0160 to change the score by 100 or so.

Briefcases: 1 in the last day

SSL sessions: 100 in the last day

Edit: if only CVE-2014-0160 had some evocative name.

> why not just send the actual message via that mechanism?

If you can, then there's no real need for using a one-time pad. But there's a benefit that comes from a fact that exchanging the random data is a completely separate process in time and space from sending the messages. You can do it once, spending all your resources to secure it. Imagine e.g. two governments establishing a secret emergency line by generating a few terabytes of random data in one physical place and then escorting each copy in armoured trucks to proper communication factilities.

BTW. exchanging physical "XOR's" for one-time pad communication is a plot point of Vernor Vinge's "A Fire Upon the Deep".

You do not actually have to define "truly random". You do have to trust that the mechanism you are using to generate keys (radioactive decay or rolling dice, for example) is unpredictable.

There is a more general point here, that sometimes seems to be lost in philosophical arguments: reality doesn't pay any attention to the meaning of words. If "unbreakable" is not well-defined (I am not sure that is so), then it is a problem within the domain of language, not cryptography.

Unpredictable and unbiased
> And sending the message length is a bit of an information leak itself.

The known solution to this is to pad messages to some fixed length. The obvious drawback is that you have to choose the fixed length message to be as long as the longest message you may wish to transmit, which could result in having to transmit rather a lot of padding.

The equivalent of this for real-time communications is to transmit continually at a fixed bit rate regardless of whether you have any data to send at any given time.

Congratulations, you just reinvinted numbers stations.

Send random data that is probably meaningless, until which point you send real data. Let everyone listen in to the gibberish for 50 years, in the end, only the person with the key knows the message.

When you transmit the pads may not correspond with when you want the message sent.

For example I may be able to send you a one-time pad securely today, but the message I need to tell you ("buy GM stock at 37.82") I won't know until next week -- at which point I may not be able to expediently send you the one-time pad securely.

And even this is in practice a problem: How do you distribute and secure the pads?

A lot of problems in cryptosystems stem from implementation details - think side-channel attacks, exploits, ...

Well that's exactly the reason the one-time pad isn't used anywhere. It's perfectly secure but basically impossible to actually implement securely because of key distribution.
"I know! I'll use a PRNG to create the one-time pad on the fly!"
This singular, provable fact is the basis of the modern Internet.

...we're not on the modern Internet. I'm looking forward to it; it'll be a better place.

This was actually broken in practice once, by (you guessed it) NSA. They managed to break into part of Soviet VENONA since the demand of OTP keymat during WWII was such that someone took a shortcut and reprinted pages of random numbers.

Don't ask me how Cold War-era NSA discovered that without Cray supercomputers everywhere, but even this scheme is difficult to pull off in practice.

Technically a TTP is not a OTP.
Yes, that's why I referenced in practice vs. in theory.
There are two known unbreakable encryption schemes, the other one is Shamir's Secret Sharing.
I believe you misrepresented that algorithm. While it is true that Shamir's Secret Sharing is unbreakable if you split the actual clear text among participants, it is not used that way. The actual use is to use SSS to encrypt and distribute the key used to encrypt the clear text.
I think you are describing a larger encryption scheme that uses SSS as a component. I am talking about SSS itself, which is unbreakable, from an information theoretic standpoint. You can use SSS to split the clear text among all participants, even if most people don't use it that way to construct larger systems.
I love these two lines from Shneier's earlier article, the one he links to at the end:

"The 'best cryptographers around' break a lot of ciphers. The academic literature is littered with the carcasses of ciphers broken by their analyses."

Indeed. Related advice, also from Schneier: "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard."
Seems like quite a good idea to me.
"Truly unlimited number of keys"

What data type would you use to store such a key? My guess is that it wouldn't be much bigger than 2048 bits after being implemented. Besides, key length is a terrible metric for measuring security.

It's typical for crypto algorithms to generate an endless (or extremely large) "keystream" by permutating a much shorter secret key with other data somehow.

The fact they're not using the term "keystream" for this concept is a bit of a warning that they might've reinvented something every cipher algo already does, but more inefficient (from skimming through the paper).

Just guessing though. Not judging. I'm not a cryptographer, I just read about crypto as a hobby (and to know what I'm doing while using someone else's crypto primitives in my code).

It could be bigger. The 'keys' are just arbitrary sytems of equations, this is where 'unbounded keyspace' comes from. Any implementation would wind up being bounded by some practical constraint.

Whether this is any improvement on existing ciphers (which you can also design to have any size key you desire), is less clear, but I would bet on 'no'.

Theoretical cryptographers -- those who come up with new encryption schemes like the classics we rely on, e.g RSA and DH -- will take the following perspective:

Every encryption scheme is based on the assumption "X is not solvable in polynomial time", for some problem X. Don't start by wasting time with details of the scheme. Start by telling me X.

Common examples of X are factoring and discrete log. More exotic ones include e.g. [1], the types of assumptions underlying fully homomorphic encryption. In the case of this bio paper, cryptographers won't care unless the authors can succinctly describe:

1. The computational problem that needs to be solved to break their scheme.

2. The relationship of this computational problem to well-known ones (can it be reduced to factoring? To computing some difficult integral?).

3. Evidence to suggest this problem is difficult (can factoring be reduced to it? Or some other hard problem?).

[1] http://en.wikipedia.org/wiki/Lattice-based_cryptography

Although one-time pads are indeed unbreakable in a mathematical sense, in the real world everything is theoretically decipherable, in the end, using rubber-hose cryptanalysis and good timing.

http://xkcd.com/538/

Possible defenses against rubber hose cryptanalysis on your one time pads include:

Perfect forward secrecy and plausible deniability

Hidden hard drives within hard drives within hard drives http://www.truecrypt.org/

Being dead http://www.cracked.com/article_20110_5-secret-languages-that...

Quantum mechanics http://en.m.wikipedia.org/wiki/Quantum_key_distribution

In the referenced article (https://www.schneier.com/crypto-gram-9810.html#cipherdesign), he says:

> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.

It seems to me this would not be true of Bitcoin.

Bitcoin isn't a new crypto algorithm. It's a distributed ledger algorithm that uses well known crypto protocols. It didn't invent its own magical hashing algorithm or anything of the sort.
If anything is shown from BitCoin - specialized hardware/application to solve encryption problems, its just a matter of specific application and time with any level of encryption.
It's always kind of cute to see ridiculous headlines roll through.

Taking a look at the paper and a stream of thought about it.

- Researchers are affiliated with a university they aren't kooks

- These are physicists. They speak a different language. That will make decoding this paper difficult. It may have useful insight, but it is obscured by the jargon of a different discipline. Typically I haven't see continuous diffeq in crypto. >.>

- Essentially I believe this is a two-directional stream cipher, with prior clear?crypt?text from both sides feeding into the input.

- I'm not sure what unbounded precisely is being meant here with their coupling function.

- Almost zero crypto papers cited (I counted two, and they sounded fringe-y by title and were also published in physics journals).

Several key aspects have been neglected by the authors:

- Lack of citation of the current state of crypto- they betray nearly no understanding of the terminology of crypto nor present the contribution to the field in relation to the field.

- No analysis of the information-theoretic leakage of the communication system.

- No analysis of keyspaces, expected break time for chosen|known ciphertext, etc.

My take on it is that it's a well-intentioned but largely useless paper by non-experts. If they took the time to understand the field, it might have some valuable insights.

I would guess the coupling function as an idea results in a system design that leaks information like a sieve about both Alice and Bob. It might be a restatement of something like switching keys periodically, but I lack the vocab to interpret.

I think by unbounded they meant 'you can stick any number of arbitrarily complicated functions here'. I'm not sure whether this is any different in practice from just upping the key size on a cipher (since any implementation will be limited by at least memory used to represent the functions).
This axiom of Schneier's (I think it's his) can't be repeated often enough:

anyone can create a cryptosystem that he himself cannot break

It's amazing how many times a lack of knowing this axiom becomes a problem / surprise.