
The NSA's crypto "breakthrough" - qubitsam
http://www.economist.com/blogs/babbage/2013/09/breaking-cryptography
======
kcorbitt
Breaking public-key crypto would have to be the biggest coup in SIGINT in the
history of _ever_. Much bigger than cracking the Enigma. Just thinking about
the sheer volume of internet traffic at every level and in every country that
relies on the security of encryption makes the possibility of it being
fundamentally broken a literal nightmare.

I don't think it has happened. But _if it had_ , that would be the kind of
secret that would go in the President's book of secrets right along with the
existence of National Treasure or the Men in Black. :P Snowden would never
have a clue.

~~~
yk
Well, it would be a very well guarded secret. But even then the question is
how public key crypto is broken. If they can easily generate exploits for
implementations, because they know an essential implementation detail everybody
else is missing, then it would be fundamentally different from being able to
break RSA directly, or if they have a constructive proof of P=NP.

~~~
cschmidt
Remember that factoring primes isn't known to be NP Hard. There is no
complexity breakthrough required, we just don't know how to do it quickly. So
we don't get P=NP from any factoring breakthrough.

~~~
yk
Depends on the breakthrough: we know that multiplication is in P and therefore
factorization is in NP. So a P?=NP breakthrough may or may not have consequences
for integer factorization. (Actually, since I wrote that, I wonder if P=NP
would invalidate any public key crypto, since efficient encryption should be
in P.)

------
derefr
One of the "nice" things about the NSA: they rely on pretty standard crypto--
the same kind the rest of us do!--for their less sensitive, but still
classified, secrets. NSA Ciphersuite B
([http://en.m.wikipedia.org/wiki/NSA_Suite_B_Cryptography](http://en.m.wikipedia.org/wiki/NSA_Suite_B_Cryptography))
is built into a _lot_ of gov/mil communications technology. And it's just RSA,
ECDHE, and so on--all that same stuff available in TLS.

In other words: if the NSA break one of these "public" algorithms, you'll be
able to tell; they'll soon be picking new Suite B ciphers. (There _will_ be a
time-delay, but _not_ of the intentional "let's capture+break foreign
transmissions before scaring them away from this cipher" kind. Re-securing our
_own_ transmissions takes priority, always. Even if it was broken because of
some "quantum leap"\--pardon the pun--we have to assume our enemies are
advancing their own tech at roughly the same rate, so if we can crack it, they
can too.)

~~~
sdevlin
Suite B does not contain RSA.

EDIT: To your latter point, some people would consider this to be a telling
fact.

~~~
yk
Judging from the wikipedia link, Suite B does not contain a public key cypher.
Which either tells us that the NSA does not use asymmetric cyphers because
they are broken, _or_ that they have a technical reason for it, like being
able to do everything they want with key exchange, signature and symmetric
cypher. So it is probably worth pointing out that these speculations are
interesting, but ultimately fruitless since we simply do not have enough
information.

~~~
harshreality
There's ECDH and ECDSA.

~~~
yk
Yes, I should have read the wiki link. However, my point was that Suite B is
so generic that we cannot really speculate why the NSA recommended this set
of algos and not something else.

~~~
twotwotwo
They've written up a case for ECC. More elsewhere in the comments, but a key
point is "RSA's really slow if you want 2^256 security":
[http://www.nsa.gov/business/programs/elliptic_curve.shtml](http://www.nsa.gov/business/programs/elliptic_curve.shtml)

------
alcari
This article does a few things that make it seem poorly written. First,
there's the sentence "But, analysing a particular colossal number and trying
to determine whether it possesses prime factors is colossally difficult." No,
it's not difficult to determine _whether_ a large number has prime factors.
The answer to that question is yes. Determining which prime numbers are
factors is extremely hard, and what they should have said.

Second, they use an example from GCHQ's public key cryptography work rather
than the more relevant NSA work on differential cryptanalysis, which became
public knowledge in the late 1980s, was discovered by IBM in 1974, and which
the NSA was already "well aware of" in 1974 [0].

[0]:
[https://en.wikipedia.org/wiki/Differential_cryptanalysis#His...](https://en.wikipedia.org/wiki/Differential_cryptanalysis#History)

------
crazygringo
Totally tangential, but... I must have seen that exact same photo of NSA
headquarters 100 times over the past month, at the head of every blog entry
related to it.

Is it too much to ask the nation's photographers just to take a few more
pictures from different angles? ;) It's as bad as the Onion's opinion on
Snowden ("Nation Demands New Photograph Of Edward Snowden"):

[https://www.google.com/search?safe=off&q=%22Nation+Demands+N...](https://www.google.com/search?safe=off&q=%22Nation+Demands+New+Photograph+Of+Edward+Snowden%22)

~~~
ianstallings
It's really hard to take pictures of the NSA and I wish I was joking. When you
drive past it, on say MD's Route 100, there are signs stating not to stop or
take pictures and police officers with their lights on at all times on the
side of the road. You can't stop here unless it's an emergency. I'm not sure
about the laws that back this up but I've never tested them.

~~~
DanBC
In England there's the Official Secrets Act. Signs say something like "a
prohibited area as defined by the Official Secrets Act".

There has been some paranoia around photographers taking photographs in
public. The London police force had to issue guidelines for their officers
about correct procedure.
([http://content.met.police.uk/Site/photographyadvice](http://content.met.police.uk/Site/photographyadvice))
([http://www.bjp-online.com/british-journal-of-photography/news/1648032/met-police-clarifies-public-photography-guidelines](http://www.bjp-online.com/british-journal-of-photography/news/1648032/met-police-clarifies-public-photography-guidelines))

It's probably not a good idea to stand outside GCHQ's fence and take photos.
They'll claim it's to protect secrets - the privacy and secrecy of who works
for them, for example. (Because there is mostly carpark between the doughnut
and the public road). I don't know if someone would get arrested, but "they"
would certainly feel able to use their anti-terror powers and the experience
would not be pleasant.

------
s_q_b
The Economist:

> _Does the NSA have a quantum computer in the basement of its headquarters in
> Maryland (pictured above)? It is theoretically possible, but pretty
> unlikely...
>
> A Canadian firm called D-Wave is presently selling a specialised kind of
> quantum computer—Lockheed Martin, an American defence giant, and Google have
> each bought one—but it is not suitable for this kind of work._

In-Q-Tel - "About Us"

> _"We make investments in startup companies that have developed
> commercially-focused technologies that will provide strong, near-term
> advantages (within 36 months) to the IC mission. We design our strategic
> investments to accelerate product development and delivery for this ready-
> soon innovation, and specifically to help companies add capabilities needed
> by our customers in the Intelligence Community."_

"D-Wave Systems, Inc., the World's First Commercial Quantum Computing Company,
Secures $30 Million in a New Equity Round From Investors Including Bezos
Expeditions and In-Q-Tel" [0]

_"Burnaby, BC - Milpitas, CA - October 4, 2012 - D-Wave Systems, Inc. today
announced that it has closed a $30 million round of equity funding. Bezos
Expeditions and In-Q-Tel (IQT) have joined the investment round. Bezos
Expeditions is the personal investment company of Jeff Bezos. IQT is the
strategic investment firm that delivers innovative technology solutions in
support of the missions of the U.S. Intelligence Community."_

[0]
[http://www.dwavesys.com/en/pressreleases.html#investment_201...](http://www.dwavesys.com/en/pressreleases.html#investment_2012)

~~~
seiji
The most advanced math a quantum computer has done to date is "factored 21
into 3×7, with high probability (Martín-López et al. 2012)."

Remember: companies are in the game of marketing hype to ride your scifi hopes
and dreams. When you see a company saying "quantum" anything, discount their
unqualified claims greatly. (Investors are not immune to being manipulated by
hype. Claiming "they must be good because they have fancy investors!" provides
no more weight to their ability than a hobo claiming he keeps the airplane
aloft by snapping his fingers every 3.2 seconds.)

~~~
devx
I think that's for "normal" quantum computers. D-wave is a different kind of
quantum computer.

~~~
tanzam75
The D-Wave machine is not a general quantum computer.

For example, the quantum computer that factored 21 into 3 x 7 did it by using
Shor's algorithm for quantum factoring in polynomial time. The D-Wave machine
cannot implement Shor's algorithm.

The D-Wave machine would be more capable on a different problem, one that maps
efficiently onto the D-Wave machine's problem space. But we're talking about
factoring here.

------
devx
Sounds like we need a couple more Snowdens to come out from NSA.

~~~
sillysaurus2
Why? Because the government doesn't deserve to have any secret programs
whatsoever? I've said it before and I'll say it again: Even if leaking
XKeyscore and PRISM was morally justified, leaking the intelligence budget or
leaking other programs is probably unwise. Remember that when we talk about
leaking, we're talking about weakening the American government. We should at
least think about the implications.

~~~
natrius
The American government is collecting as much data about as many humans as it
can, which I find morally repugnant. I support efforts to make that more
difficult, even if it weakens the American government.

~~~
engrenage
Government strength is relative. Weakening the American government is
equivalent to strengthening other Governments. Would you mind telling us which
ones you prefer and why they are morally superior?

~~~
CamperBob2
_Weakening the American government is equivalent to strengthening other
Governments._

No, building petabyte-scale data centers to spy on you and me is what's
weakening the American government. _We're_ not the problem, right?

The NSA is like the drunk who looks for his lost keys under the lamppost,
"because that's where the light is." Not only does the American government's
idea of a hypersecure state not make us any more free, there's vanishingly
little evidence that it accomplishes its purpose of making us any more secure.

~~~
engrenage
The lack of evidence isn't surprising given that they are a _spy agency_. They
may not be protecting the US from terrorism, but there are major geopolitical
adversaries at work who have no scruples about using cyberwarfare techniques.
There is something akin to the Cold War in play, and the NSA is a significant
part of the US's position in that war.

~~~
CamperBob2
Sorry, 1% of America's GDP is too much to pay for a suit-and-tie version of
Anonymous.

~~~
engrenage
How do you know?

~~~
CamperBob2
We could take a 9/11 in the shorts every year, for what we spend on the tiger-
proof rocks sold by the Intelligence Community.

That sounds like a fair trade considering the cost in human lives... except
that there's no evidence we're "trading" anything but our own treasure and
freedom.

------
ianstallings
Could it instead be ASIC technology on a massive scale? This might help break
some of the hashing through very specialized chips.

~~~
michaelt
According to
[https://www.schneier.com/blog/archives/2009/09/the_doghouse_...](https://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html)
if you built a chip that could test a password with a single increment
of a counter, and that chip was the most efficient chip theoretically
possible, and you built a Dyson sphere to capture all the sun's energy to run
the chip, it would still take 32 years to crack a 192-bit symmetric crypto
password.

ASICs may well be involved, but they'd need math advances or implementation
bugs rather than just brute force.
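
The thermodynamic argument behind that estimate, worked through as an added example (this is not code from the thread or from the linked post). It charges each counter increment the Landauer minimum of kT ln 2 joules for one bit flip, and spends the whole solar output on it; the constants (Boltzmann's constant, the IAU nominal solar luminosity, and the 3.2 K operating temperature near the cosmic background that the classic Applied Cryptography estimate uses) are assumptions stated in the code. With these constants the Sun funds about 2^188 bit flips a year, so 2^192 takes roughly 16 years; the linked figure rounds the yearly budget down to 187 bits and so gets 32. Either way, 256-bit keys land at around 10^20 years, which is why any practical ASIC attack has to come from cryptanalysis or implementation bugs, not counting.

```python
"""Landauer-limit brute-force budget (added example, not from the thread)."""
import math

# Assumed physical constants: exact SI Boltzmann constant, IAU nominal solar
# luminosity, and the Julian year.
BOLTZMANN_J_PER_K = 1.380649e-23
SUN_LUMINOSITY_W = 3.828e26
SECONDS_PER_YEAR = 3.15576e7

# Operating temperature assumed by the classic estimate (just above the
# cosmic microwave background, so the bound is as generous as possible).
DEFAULT_TEMPERATURE_K = 3.2


def landauer_joules_per_bit(temperature_k=DEFAULT_TEMPERATURE_K):
    """Minimum energy to erase or flip one bit at temperature T: k * T * ln 2."""
    return BOLTZMANN_J_PER_K * temperature_k * math.log(2)


def bits_countable_per_year(power_w=SUN_LUMINOSITY_W,
                            temperature_k=DEFAULT_TEMPERATURE_K):
    """log2 of the number of single-bit flips a power budget can fund in
    one year. Returning the log keeps the numbers readable: the answer is
    'this many bits of counter' rather than a 57-digit integer."""
    energy_j = power_w * SECONDS_PER_YEAR
    return math.log2(energy_j / landauer_joules_per_bit(temperature_k))


def years_to_count_through(key_bits, power_w=SUN_LUMINOSITY_W,
                           temperature_k=DEFAULT_TEMPERATURE_K):
    """Years of the whole power budget needed to step a counter through all
    2**key_bits values, charging only one bit flip per increment. Any real
    brute force does far more work per candidate, so this is a lower bound."""
    return 2.0 ** (key_bits - bits_countable_per_year(power_w, temperature_k))


def room_temperature_comparison(key_bits):
    """Same bound at 300 K, to show how much the 3.2 K assumption helps the
    attacker: the energy per flip scales linearly with temperature."""
    return years_to_count_through(key_bits, temperature_k=300.0)


if __name__ == "__main__":
    print(f"bits per Sun-year at 3.2 K: {bits_countable_per_year():.1f}")
    for bits in (128, 192, 256):
        print(f"{bits}-bit counter: {years_to_count_through(bits):.3g} years "
              f"at 3.2 K, {room_temperature_comparison(bits):.3g} years at 300 K")
```

Note that the 128-bit row comes out at a tiny fraction of a year: the Landauer bound alone does not rule out 2^128 operations energetically, which is why the argument is usually made for 192 bits and up. The engineering reasons a 2^128 search is still infeasible (time, hardware, heat removal) are a different argument.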

------
lazyjones
Somewhat misleading title. No answers, just more questions on the topic.

~~~
frank_boyd
Well, that's important to keep in mind:

There are no answers and there will never be, b/c:

We can never trust/accept any statements from any government, except for
admissions of guilt.

------
ig1
There's at least two other significant possibilities:

1) There's an attack against RSA which doesn't involve factorization

2) There's an attack against AES / Serpent / Twofish

I'd say the second is considerably more likely, firstly because the one NSA
quote we have on it is "cryptanalyze, or break, unfathomably complex
encryption systems" \- which sounds much more like a new attack like
differential cryptanalysis which provides a general purpose attack against
complex symmetric crypto ("unfathomably complex" sounds much more like AES than
RSA).

In addition we have numerous quotes in recent days about how GCHQ is working
on breaking the encryption on the Miranda hard-drive; which we now know to be
a TrueCrypt drive.

~~~
twotwotwo
On point 2, NSA still allows the use of AES-256 to protect top secret data:
[http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography](http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography)

~~~
crazypyro
Why is everyone assuming the NSA has to be using their own standards, behind
closed doors?

~~~
harshreality
They don't. They use Suite A, which is an eclectic mix of proprietary
algorithms. Firefly/Enhanced Firefly for key exchange (PKI), Joeski (allegedly
a pair of algorithms for encrypting and decrypting other ciphers or firmware
with the interesting property that the encryption algorithm cannot be deduced
from the decryption algorithm and vice versa), and a bunch of others. They have
different algorithms depending on the specific information channel. Permanent
data storage uses one (or perhaps a few), communications traffic uses others,
and communications are further split depending on channel bandwidth and
presumably long-term classification needs of the data.

They have to recommend Suite B to the government and military in cases where
NSA validated hardware can't be used. Examples would be military
communications with allies, garden variety agencies that can't afford or can't
be trusted with Suite A modules.

------
nilved
As a rule of thumb, I don't take any article that refers to Snowden's leaks as
"revelations" seriously. The only new information Snowden revealed is that
their programs are called PRISM, upstream and xKeyscore; and if a journalist
learned the details behind those programs from Snowden -- when they've been
going on for at least a decade -- they clearly don't know much about the
subject.

~~~
nodata
What a ridiculous rule of thumb: Snowden got a lot of closely held information
in front of the general public. If that doesn't count as a revelation, your
standards are too high.

~~~
nilved
No, he really didn't. We knew that the USA intercepted any Internet traffic
they could get their hands on, and we knew that big data companies were in bed
with the NSA. If the talking point is that Snowden got these facts on
mainstream news, that isn't a revelation, that's marketing. "Revelation"
implies the idea didn't exist beforehand.

~~~
nodata
So a revelation isn't the revealing of a secret to people who don't know the
secret?

(or to put it another way: revealing a secret to a population where the vast
majority do not know it)

Snowden revealed the scale of the operation too, and the depth of the rabbit
hole.

~~~
nilved
Not if that information is already publicly and easily accessible to that
group. If I was to post a link to an existing but obscure Wikipedia article on
Hacker News, it would be as much of a "revelation" as Snowden's "revelations."

------
ianstallings
What worries me is that the breakthrough might just be a re-interpretation of
the law.

------
shortcj
In view of this "breakthrough" leak, I am now supposing that Edward Snowden is
a willing participant in psy-ops.

"An all knowing deity is a cheap cop."

------
officialjunk
"algorithsm"

------
batgaijin
p=np yo

~~~
shmageggy
Integer factorization is currently not known to be NP complete, and is
expected to not be so. Therefore, even such a breakthrough as posited in the
article would have no immediate bearing on the question of P vs NP.

[http://en.wikipedia.org/wiki/Integer_factorization#Difficult...](http://en.wikipedia.org/wiki/Integer_factorization#Difficulty_and_complexity)

~~~
yk
Other way round, multiplication is in P, so integer factorization is in NP.
And a breakthrough in P?=NP could have implications for factorization.

~~~
shmageggy
> so integer factorization is in NP

I never said it wasn't.

> And a breakthrough in P?=NP could have implications for factorization.

Indeed, but what's implied in the article is that they might have made a
breakthrough in factorization specifically, not in fundamental CS theory at
large.

