[Cryptography] WhatsApp: Why asymmetric key instead of symmetric keys?

Ray Dillinger bear at sonic.net
Fri Apr 29 02:40:28 EDT 2016



On 04/28/2016 05:41 PM, grarpamp wrote:
> On 4/28/16, david wong <davidwong.crypto at gmail.com> wrote:
>> so as long as we don't discover a crazy breakthrough.
> 
> This "breakthrough" hasn't yet been further identified / described...
> https://www.wired.com/2012/03/ff_nsadatacenter


I keep hearing rumors about this "breakthrough." I don't
know how seriously to take them, but I suspect that if it
exists it's more likely to be deliberate sabotage at the
hardware/software/firmware level than it is to be the
often-implicated Quantum Supercomputer or major mathematical
insight.

I have no doubt that AT LEAST until very recently, and likely
through today, snoops have been able to get virtually
everything by systematically exploiting operating system,
protocol, application, and firmware vulnerabilities.  A
"major breakthrough" in those terms would just mean that
something that easy to exploit and very hard to detect or
secure came along.

Or something widespread was deliberately created that way.

It's hard to pick out which of the exploits security people
deal with are due to compromised hardware, or even know how
many of the crooks who've discovered security flaws have
discovered them by bribing, blackmailing, extorting, or
social-engineering the hypothetical SIGINT people responsible
for putting them there. Or, even of the crooks who haven't
done such things, how many of the flaws they've discovered
and exploited were deliberate.

But I keep hearing noises about a fundamental breakthrough
in cryptology, with the strong implication that it's some
kind of new cryptanalytic technique, mathematical insight,
or design principle for special-purpose custom hardware.
So let us look at the hypotheses.

Assuming they can get four orders of magnitude of hardware
efficiency for purpose-built AES cracking silicon, and back
it up with scores of billions of dollars per year investment
in constantly updating overwhelming volumes of this custom
hardware -- I still don't see anybody cracking AES-128 any
time soon without either a mathematical insight so profound
as to be completely unexpected, or a fundamentally new
computing technology like large scale Quantum Computers.
I mean, otherwise you'd have to pour enough raw electrical
power into the effort to boil an ocean, for even a tiny
chance of success.

If the QC threat is real (and recent guidance in ciphersuite
selection says to plan for the possibility) then we ought to
be using 256-bit keys for symmetric crypto.  And I don't have
a problem with doing that.  But most physicists are claiming
they consider it highly unlikely.

If the fundamental mathematical breakthrough is real, it's
very surprising that it hasn't leaked or been duplicated yet,
but in that case it's only a matter of time before one or the
other or both occur.  Speculating about the effect of a
fundamental mathematical breakthrough is at best hard to do
meaningfully; on the supposition that there are some things it
does and some things it doesn't apply to, maybe the best
insurance we can make against the day it becomes a widely
exploited attack is to superencrypt using multiple unrelated
encryption algorithms with independent keys.  But that
complicates protocol and application design and key management
in a way likely to create more vulnerabilities.  OTOH, doubling
key sizes - which we do *anyway* if we take QC attacks seriously
- is likely to de-fang most math breakthroughs as well. Even
the most serious have not been reducing security by the huge
orders of magnitude that would make up for doubling the key
size.

And if, as I consider more likely than either, the
"breakthrough" is mostly just a way of getting ubiquitous
firmware and/or hardware installed that contains deliberate
flaws or trojan horse backdoors, then most likely the noise
about encryption breakthroughs is a ruse or misdirection and
they're bypassing people's attempts to encrypt altogether.
In that case it's there for crooks and foreign intelligence
to discover and exploit, and they certainly will.  The
question is when, and what kind of damage control we'll need
to do when it happens.  And, if we take deliberate firmware
or hardware sabotage seriously as a threat, we need to be
worried first and foremost about the nations where the chips
and devices are manufactured rather than (or in addition to)
America's NSA.

Does anybody with better math chops than me have even any
potential speculation about what a math breakthrough could be
about?  People I trust with good knowledge of physics are very
doubtful about the scale of QC but can't completely rule it
out.  So doubling key size is the conservative move on the QC
front, and may (or may not) be effective against a hypothetical
math breakthrough as well.

But the protocols and software are notoriously difficult to get
right, and we have new flaws discovered every week.  And as for
the firmware and hardware, that's turtles all the way down and
most of it can't easily be inspected.  Flaws there, especially
if deliberately hidden or designed to avoid discovery, could go
undiscovered until an attack that causes MAJOR losses.  I can
easily think of a half-dozen types of sabotage that a "major
cryptological breakthrough" could be in terms of something in
the software/firmware/hardware stack where the behavior does
not match the expectation.  So here's how I break it down.

Physicists:
"A large-scale quantum supercomputer is very doubtful."

Mathematicians:
"A mathematical insight of such magnitude is very doubtful."

Engineers:
"Sabotage, or just plain mistakes, in software, firmware, or
hardware are EXTREMELY plausible."

On the physics or math front, doubling key sizes is the
conservative move and ought to be adequate protection in
most "imaginable" scenarios.  But those scenarios aren't
all that plausible.  If we keep hearing rumors about a
major cryptological breakthrough....  then IMO we should
be looking for firmware and hardware sabotage.

				Bear
