U.S. Government Encryption Irony

Bruce Lane writes "Given the US Government's hype and paranoia about not allowing strong encryption out of the country, I find it particularly ironic that they should choose, as finalists competing for the next federally-blessed encryption standard, a couple of schemes developed outside the country altogether. The full story is here. Enjoy!"
  • What the government is _really_ trying to do is promote better quality international encryption. "We _know_ your encryption is better than ours, so we won't inflict any of our suck encryption on you."
  • It might really be a step in the right direction. If they adopt algorithms developed in foreign nations, they might realize how silly it is to try to stop exportation of strong crypto. It is also a good decision in that they realize that the encryptions they've been using are going to rapidly start becoming less trustworthy as faster and larger computers as well as distributed computing become more and more common.

    Speaking of distributed computing, does anyone know if has plans to add a new contest for these encryption schemes?
  • heh. That explains it, alright!

    Seriously, our virtual guarantee of non-competition has made feasible encryption research that otherwise might not have happened.

    Congratulations, Mr. Clinton and Friends, you now know that the high-tech advantage goes to those who work in the field rather than those who sit on their advantage. You have effectively subsidized far more foreign participants. Can we get back to a rational encryption policy now, please?
  • It seems pretty apparent to me that people in other countries, who have no particular disadvantage compared to Americans in writing software and certainly not in doing math, would be able to come up with their own encryption algorithms. The US is always attempting to take away the liberties of its own citizens under the pretext of 'protecting from terrorists', which they claim is one reason for the encryption restrictions. Since they give that reason for many other laws and restrictions where it is clear that they have other motives, I wonder exactly what they are thinking. Perhaps they will wise up about encryption restriction now, and release it, or at least tell us their real reason for restriction?
  • One would hope that these facts might convince some of the Congress-critters and the FBI's Louis Freeh of the absurdity of their position against encryption, but I wouldn't bet on it.
  • The proposed codes are far more robust than the existing Federal Information Processing Standard Digital Encryption System (DES), which has encryption key sizes of 128, 192 and 256 bits
    128,192 and 256 bit DES? I can't remember those variants of the beastie......
  • In particular, check out Rijndael. A real sweet algorithm: fast, secure, portable. A very very nice design.

    And completely developed outside the US.
  • There's an added irony that this story hasn't pointed out - the disparity in import and export laws on cryptography.

    In the US there are restrictions on EXPORTing cryptography, but no restrictions on IMPORTing cryptography. Getting good quality cryptography here isn't easy, but for some things it's mandatory.

    Right now I'm designing and coding an e-commerce solution. The target customers are mostly here in the US, but one is in Canada, and who knows when someone will come on board to make it international?

    So the solution to where to get cryptography packages? Off-shore! Obtain it outside the US, import it into the US, and that's it. No applying for export licenses, no restrictions or background checks on customers, no having them fill out nasty looking legal disclaimers. The worst we'd have to do is make each non-US customer "import" the package on his/her own to make it legal (So we wouldn't be 'exporting' anything - even something we imported already. I'm not sure on that point - anyone?)

    There are Open Source cryptography packages available for Import. The only problem with them: I can't help! (being in the US, this might 'taint' their legal stance)

    Want strong encryption not hampered by our silly laws? Go get some! (Yes, Virginia, there really are mathematicians outside the US.)
  • 340 to the 35th keys by itself does not provide something "far more robust" than 256 bit keys. In fact, 340 to the 35th is equivalent to 294 bits. "according to sources" anyway...
  • This will be excellent fodder for the vote on the SAFE bill (see which is coming up for a vote, most likely in September.

    Being able to point to foreign crypto that's good enough to be considered for new standards will help our jobs immensely in convincing Congress to pass SAFE and quit limiting the export of encryption.

  • Looks like they just garbled their own English. 128, 192 and 256 bit are keysizes required for AES.

    What really bugged me is the "340**35" number at the bottom. It looks like someone just pulled some random base and exponent out of thin air.

    Most reporters take pride in their accuracy. *snicker* Oh well, I guess reporters get confused by technical stuff just like all other non-techies.

  • that one part of the government is trying to support strong crypto and provide it to the people, while another part is trying to limit the spread of ANY crypto whatsoever, and wants to limit not only the export of cryptography but its distribution and use within the United States.

  • Yeah, Rijndael appears to have a good chance at becoming the AES.

    Check out NIST's Round 1 Report (PDF) [] for the raw details if you haven't already.

    Of the five that made it to round 2, Mars and RC6 can probably be counted out right away. Mars is too complicated and RC6 doesn't have a large security margin. And both are highly platform-dependent for their speed.

    Serpent (one of the non-US ones) will probably be counted out because of its slow speed, although the high security margin might still save it. One could argue that as CPUs get faster speed becomes a non-issue compared to security. Just look at the popularity of Triple-DES even today.

    Rijndael (the other non-US one) and Twofish appear to be the favorites. The report listed no real complaints about Rijndael. Twofish is kinda complicated, but has some space/time tradeoff options that might be worth it for low-memory systems.

    Rijndael has a structure that can be parallelized. This could be a very good thing if processing goes that way. Considering that AES is expected to serve for decades, performance on future processors could be very important, though entirely speculative.

    Just don't hold your breath. It'll probably be years before we see a winner.

  • And the BIG stink in my eyes is the fact the NIST eliminated stronger contestants. HPC and CAST-256 have no known weaknesses. MARS, RC6 and TWOFISH all have weaknesses!!!!!!! That's right. Read this again. Attacks have been shown to work for them. Not break them wide open mind you, just it's not 2^128 or 2^256 possibilities anymore.

    Read the report. HPC does have a serious weakness (equivalent keys, IIRC). And CAST-256 was eliminated because of its mediocre performance.

    Mars, RC6 and Twofish have NOT had any real weaknesses discovered. Any "weaknesses" are really just interesting observations, and can't be used to reduce the workfactor. It is still 2**128 or 2**256 (or 2**192, or other) possibilities.

  • I think every finalist should have moved to Cuba. Just so not only would the US have had to import the encryption, but from Cuba to boot!
    (Clinton: "Oh, and hey, could you guys bring up some cigars with you as well? Thanks.")

  • Government bureaucrats and lawmakers always have had a strong tendency for cluelessness, especially where technology is involved.

    It has always been the case that it is possible for an American to download some freeware source code from a foreign site that contains encryption, modify an aspect of the application that has nothing to do with the encryption (translate the output text to English, perhaps), then if he re-uploads the program, he has committed a federal felony!

    Don't expect our lawmakers to actually be swift enough to see the irony in this, they're far too stupid for that.

    Sometimes I wonder if anything would really change if we just trained chimpanzees to be our senators and congressmen...
  • Actually, whoever wrote that probably isn't American-centric, but just not very good at writing clear sentences. "but one is in Canada" separates out Canada as non-U.S., but then that last part contradicts it. I think the author was referring to the fact that it is a lot easier to export crypto to Canada than to other countries, so it would take another foreign country to make a problem.

    In fact, doesn't NAFTA basically say that you can't set up restrictions to trade between Canada, the US, and Mexico? How's that fit in with ITAR? Is ITAR even applicable when exporting to Canada?
    If not, would all you Canadians please get rid of all (if any) crypto export restrictions so us oppressed Americans can just route everything through. I at least would be eternally grateful.
  • Actually "exporting" crypto to Canada is perfectly legal, so in that sense Canada is a "state".

    Anyway, you'd probably only "P off" 30 people. Most Canadians say "sorry" when *you* step on their foot.

    D'accord, back into mon igloo.
  • ...for the better
  • Please, learn a little more about the subject before spreading FUD. All of these ciphers are fine.

    The result against MARS is an equivalent-key attack, for keys *over 1024 bits long*. AES-standard keys (128,192,256-bit) are fine, it's just a wee problem with some extended functionality that the AES doesn't require. And the "tweak" against MARS for a more smartcard-friendly key schedule fixes even this.

    The result for Twofish is even weaker: not all subkeys are possible. However, the subkey entropy is quite sufficient to ensure the security of the cipher, and it doesn't lead to a break. See the paper on the subject on the Twofish home page.

    And there's nothing listed for RC6 at all!

    HPC is big and slow and complex and impossible to analyse; it would be a terrible mistake to bring it into Round 2. CAST-256 was rejected because everything it does, Serpent does better.

    I'm happy with the choices NIST made and the reasoning they give. And like everyone else, I think that the final battle will be between Rijndael and Twofish. It's interesting to note that neither of these excellent ciphers is patent-encumbered.

    Oh, and it's not 2^128, it's 2^128 + 2^192 + 2^256, a 78-digit number
  • It is perfectly clear from Reno's letters to Warssanaw (I probably didn't spell that right) countries that she would just as soon have crypto be inaccessible to ANYONE.

    A similar letter from Janet Reno was sent to Germany's federal minister of justice Hertha Däubler-Gmelin too.
    Read that letter here [] and the background story here [].

    The only explanation that makes sense to me is that the U.S. government indeed is able to gather a lot of useful information under present communication habits.

    And what nature is this information - fighting drug dealers, organized crime or terrorists?

    Nope. It seems to be mostly economical espionage. Some cases that became public:

    • European Union / U.S. economic treaty negotiations - the EU delegation was eavesdropped on by the U.S., who had easy play knowing the others' strategy and goals
    • A solar energy company from north Germany suddenly found their invention patented by a U.S. company
    • During the bidding for a train system, the German-led ICE consortium lost to the French TGV because the French were able to eavesdrop on the ICE faxes
    Another interesting item is that even the German armed forces use Lotus Notes, despite its weak encryption..
  • The result against RC6 isn't listed in the body, only the header. And AFAICT it's pretty bad for RC6: its security margin just got much lower. It's a twenty round cipher; this attack breaks a 15 round version, and may well be amenable to extension.

    I don't think RC6 can survive this. This makes it even more sure that only Twofish and Rijndael can win.
  • Hey! This reporter must have phenomenal accuracy, to be able to represent a number like that! For most reporters, their MPU would overflow on the exponent, though most should cope with the mantissa OK.
  • That'll be fun! It'll be illegal for Government workers to transmit data without IMPORTING an encryption algorithm, but it'll ALSO be illegal to EXPORT that algorithm, even to the place they got it from!

    That's enough to twist anyone's mind!

  • I dunno. All those lobby groups would end up unemployed and on the streets. They'd overcrowd the sidewalks something chronic.
  • ``...from Reno's letters to Warssanaw (I probably didn't spell that right) countries that she would just as soon have crypto be inaccessible to ANYONE.''

    I suspect that Reno and company would just as soon we didn't seal our envelopes before we put them in the mail either.

    The news is that the crime rate in the U.S. has been declining. Guess if your job is catching bad guys and there's fewer of them around, you find a way to make more people out to be bad guys.

    I can't say who I'd vote for in the 2000 elections but I'm afraid of Gore winning as he might decide to keep Reno on board. (Uuugggh!)

  • If there are no rules on importing cryptography, all cryptographers should move to, like, Ontario, Canada, where they welcome it. Then there won't be any stupid laws about importing and exporting cryptography imposed on the stuff developed there. You can still import it to the US market just fine. Now doesn't everything work out all peachy? The US Government just seems so fucked up. Even with the Microsoft DOJ thing, as much as we hate Microsoft.
  • "The news is that the crime rate in the U.S. has been declining. Guess if your job is catching bad guys and there's fewer of them around, you find a way to make more people out to be bad guys."

    Exactly! Now that every last little dealer of soft drugs is in jail, the U.S. is going to need some new 'laws' to catch 'criminals' and keep the jail-building business a growth industry.
  • The US is always attempting to take away the liberties of its own citizens under the pretext of 'protecting from terrorists', which they claim is one reason for the encryption restrictions.

    I wonder - can they show as much as a single terrorist that used real encryption? (Not simple codes like "the show starts friday...") Many of them use guns though, which isn't prevented. So why bother with encryption?

  • because americans have the inalienable right to keep and arm bears ... or something along those lines.
  • Speaking of distributed computing, does anyone know if has plans to add a new contest for these encryption schemes?

    I doubt there will ever be a contest for any of these ciphers, and if there is, it will run indefinitely. The 128-bit key-space is simply too huge to brute-force search it.

    Quoting Schneier, if you channel all the energy of the Sun into counting through the key-space, you will be able to count about 2^182 keys per year. This is without doing anything at all to the keys you cycle through, no energy wasted in your system and access to all the energy of the Sun, collected in a huge sphere built around it.

  • I had lunch with some of the designers of the E2 and LOKI97 ciphers yesterday and of course the AES was discussed.

    MARS and RC6 need fast multipliers to be efficient, which makes them slow on smart-cards, for example.

    Prof. Seberry also expected to see an attack against Twofish fairly soon, so there is a good chance it will be discounted.

    SERPENT may have been left in only for political reasons. It is written by some very clever cryptanalysts and it would be a good idea to keep those guys trying to break the other ciphers. The actual cipher isn't particularly likely to go anywhere.

    That leaves Rijndael. However, I'm sure that NIST can't pick a European cipher for purely political reasons, as you've all pointed out. The NSA is an advisor to NIST in the contest and I'm sure they'll point out the political aspects of the final choice.

    The next cipher I'm going to add/implement [] is going to be Rijndael. I'll probably also have to add the AES when it is chosen.

  • In Canada, we can import American encryption. However, just like when an American obtains it, we have to agree not to re-distribute it to somebody we're not supposed to. So routing it out of the States through Canada doesn't work :-).

    On the other hand, encryption software written in Canada can be happily exported all over the world. (I believe OpenBSD is based out of Canada, for example.)
