brute force physics Was: cleversafe...

Alexander Klimov alserkli at inbox.ru
Thu Aug 13 05:54:37 EDT 2009 

Jerry Leichter wrote:

>> If current physical theories are even approximately correct,
>> there are limits to how many "bit flips" (which would
>> encompass all possible binary operations) can occur in
>> a fixed volume of space-time.

> The physical arguments to which I was referring say *nothing*
> about how the computation is done.  It can be a QM computation
> as well.

"Obvious" assumptions are hardest to trace: they assume that the
computation is done by bit flips which flip only constant number of
bits. QM computation is done with the whole state, that is a flip in
an N-qbit state simultaneously flips 2^N numbers describing this
state (if it were simulated by a classical computer).

I hope we agree that an exponential speed-up by QM computation *is*
possible (unless factoring is in P). That is why if we hear that (1) a
"physical limit" says that 2^N bit-flips cannot be done in a
one-light-year computer in a year, and we know that (2) the best
classical M-bit factoring requires 2^N bit-flips, and we know that (3)
this factoring can be done in few minutes on a QM computer, then we
must conclude that such "physical limits" are misleading.

David Wagner wrote:
> for a more nuanced and deep treatment of these issues,
> http://www.scottaaronson.com/papers/npcomplete.pdf

Thanks, it is great reading!

Whether NP is physically computable is an interesting topic, but its
applicability to our subject is quite limited: for cryptography it is
important to know that none of the puzzles created by a user can be
solved in some particular time given reasonable investment in
hardware, and thus the fact that hard instances exist as size tends to
infinity cannot console a practitioner.

Jerry Leichter wrote:
> >> All the protocols and standards out there calling for AES-256 - it's
> >> obviously "better" than AES-128 because after all 256 is *twice as
> >> large* as 128! - were just a bunch of nonsense.  And, perhaps,
> >> dangerous nonsense.
> >
> > I see the situation in the positive way: the recent AES attacks
> > stress the fact that the key management should be done
> > correctly, in particular, keys should be derived thru KDF (not
> > a simple xor) and must be authenticated. With this attack in
> > hand it is much easier for us now to say why one should not use
> > K to encrypt messages of one type and K+1 for another type, or
> > why it is a bad idea to encrypt a key in CTR mode and store the
> > result without a MAC. I doubt it is possible to find any
> > professionally designed protocol or standard that becomes weak
> > due to the recent discovery.
>
> That's a ... bizarre point of view.  :-)  Should freedom from
> related- key attacks be part of the definition of a "secure"
> encryption algorithm?  We should decide that on some rational basis,
> not on whether, with care, we can avoid such attacks.  Clearly, a
> system that *is* secure against such attacks is more robust.  Do we
> know how to build such a thing?  What's the cost of doing so?  But
> to say it's an *advantage* to have a weakness seems like some kind
> of odd moral argument:  If you're hurt by this it's because you
> *deserve* to be.

There is a set of rules in cryptographic design that are well
known to practitioners and are ignored by kibitzers. In many
cases it is much easier to do a normal design than to explain
why some proposed "improvements" are bad.

Consider a situation where some "smart" person comes to you and
say that for some reason (say, to save space) they want to use
CBC encryption, but keep IV constant; or they want to do CBC
encryption and CBC-MAC with the same key (as a bonus they get
encryption for free). What options you have once you manage to
stop the laughter?  In some cases it is enough to say: "No,
SP800-38a in Appendix C requires IV for CBC to be
unpredictable," but in other cases you also need to show
a plausible-looking attack against the "improvement". In this
situation it is clearly an advantage to have a known weakness of
ignoring rules of sane key management.

-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list