Topic: SHA-256 is designed by the NSA - do they have a backdoor? - page 2. (Read 27805 times)

Then the USA and a small group of shadow people would take control over the next standard currency by holding 1MBTC

Wait...! What ?

What if satoshi nakamoto works at nsa

Why just? I've been a member of this forum for months and my site has been up for most of that time. Also there's a dedicated thread for Pakistan in the other forum.

Bitcoin Pakistan... holy $hit.

Something tells me NSA's computers just went off the charts, LOL

Bitcoin is one big worry after another.

You seem to have your systems quite in order sir   Do you mind while we stray somewhat off topic if I ask, how you authenticate your recipients public key?

hehe

More like, if you have to ask, you are trying to divert us from looking at secp256k1.

If you have to ask, you already know the answer.

The real world has no relevance on the internet.

I know several companies that still work with 10 year old XP (SP3) machines. Get's the job done and still runs everything new out there, just a little bit slower.

1. Not likely. Email composed and encrypted offline. Also got tools for this, GMER, etc.
2. Not likely. Faraday cage and all that.
3. Not likely. All insects don't get past the door and air filters.

Of course, it's still possible. Just not likely.

@gmaxwell, nice post. I almost understood everything. hehehe.

Kill all the mosquitoes at sight and you should be safe 

I'm living under constant fear that this happens day in and day out, how do I keep going?

Yes Captain everything is under control, nothing special to report.
http://www.gizmodo.com.au/2013/09/nsa-chiefs-former-war-room-was-modeled-after-the-starship-enterprise/

Or, they were reading the email as you typed it using

1) Rootkit
2) Tempest
3) Robotic mosquito flying behind your head

Well, careful, symmetric ciphers depend on the existence of one way functions. If P happened to practically equal NP, then one way functions couldn't exist and I could solve for the symmetric keys that turns your ciphertext into ascii (there is probably only one).

NOT. BLOODLY. LIKELY.  (kinda sadly, there would be a lot of other befits to such a world)

It's possible to construct public key signature systems that depend only on the existence of one way functions.  (Lamport!)

The soundness assumptions in error correcting code crypto-systems are also generally pretty solid (well, we keep breaking them trying to make their overheads tolerable…)  (solving for random linear codes is NP-HARD ... the only question is can the attacker turn your public key back into an easy linear code)

Considering that for encrypted messages overhead is mostly immaterial I'm surprised that no one has created a stone soup protocol that just takes "one from each column":

NIST-521 bit ECDH, just in case the NSA made it stronger
1024 bit ECDH with parameters selected the best known public art techniques (e.g. like the brainpool curves)
Supersingular isogenies key agreement
Wrapped up inside an error correcting code public key encryption
And that encrypted with a symmetric key which is from the recipient, a starter one is in the public key.. though thats not very useful.
Feed it to a pair of orthogonal strong KDFs which then feed separate passes of multiple standard ciphers (unrelated keys) in some long block modes.

Then inside the encrypted messages you send symmetric keys generated using H(random, data_thats_part_of_your_private_key) which your receiver will save and use as an additional key in your KDFs in messages they send to you in the future (perhaps up to N of them with octave spacing, so a spy that can break the public key stuff will get locked out with high probability if they miss any of your messages).

Perhaps then the whole message gets thrown through a gnarly unkeyed cryptographic permutation and coded up with a RS code and you replace it with the non-systematic outputs and, at your option send, the message in as many parts as you like over different communications channels... so an attacker who can't snoop all of them learns almost nothing about the whole message.

Care would need to be taken to avoid interactions that hurt security.. but for encrypted messages.. who gives a crap if there is 50K of overhead and it takes a half second to decrypt?  There are plenty of applications where thats totally unacceptable, like Bitcoin... but also plenty where it is.

... wait. what board is this?? woah .. way offtopic.

No problem I personally use 4096 bit keys for PGP and don't worry.  I does what its name says it does "pretty good privacy".  I also agree even if 4096 bit can be broken someday it is more likely someone is going to beat me with a wrench instead.    Someone uninformed however might reach the wrong conclusion.  I guess it all depends on how secret your secrets are or maybe more importantly how long they need to remain a secret.


Symmetric cryptography and hashing functions (assuming the algorithm itself is secure) don't have the same attack vectors that public key cryptography does.  They also aren't vulnerable to Shor's algorithm. It is very like we will never need larger than 256 bit symmetric encryption or 512 bit hashes due to thermodynamics*.   Public key is always going to be trickier to keep secure as they all rely on assumptions, and that will lead to a never ending "arms race".  BTW I like that cartoon I have a signed print on my wall.  Good reminder to see the forest from the trees when dealing with security.


* Brute forcing a 256 bit key is a "never" scenario (more energy than available in our star system).  
https://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html

Ok. I stand corrected. The word "never" was used as hyperbole. 2030 to 2060 is just about right, and maybe even sooner. Obligatory cartoon here:

http://xkcd.com/538/



However, those same studies find 256 bit symmetric keys and hashes going far beyond the year 2080. We can already start using 512 bit hash functions.

This.  There is a high probability that 4096 bit asymmetric encryption will eventually be broken (by classical computing).  Various agencies estimate a high probability that 4096 bit will no longer be secure after 2030-2060.   That being said 4096 bit RSA provides reasonable security for the intermediate future however "never" is a long time.  If it must be longer than your lifespan you should be looking at something like 15,360 bit RSA or 512 bit ECC.