Schneier on Security

Clive Robinson • February 26, 2024 10:11 AM

@ Bruce,

“The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them —and learn a lot in the process— over the coming few years.”

My advice as the use of hybrid algorithms is for some reason frowned upon is to do “two step” encryption.

1, Use a well found symmetric algorithm for message “content” in an E2EE arrangement (end user to end user encryption).

2, Use the Post QC stuff for message “transmission” (comms point to comms point / line encryption).

That way your “traffic” neither stands out or requires changes to Comms systems you end up having to use for “economic” etc not “real security” reasons.

Clive Robinson • February 27, 2024 7:06 AM

@ Stuart P,

Re : Suggested or not.

“I don’t believe anyone respectable is suggesting such a thing.”

Well leaving aside you notion of respectable or not, there are a couple of points to consider,

1, Such a failing and thus attack vector has happened several times in the past (it’s one reason why MiTM is talked about quite a bit).

2, For some reason the ICTindustry and Software development in particular appear to be incapable of learning from past mistakes, even those made within easy memory of less than a decade (“If you don’t learn from your history you are condemned to relive it in ever increasing ways”).

Both of these are factually verifiable and to be honest I really don’t see any changes happening any time soon in the second point.

So the alleged Chinese curse of,

“May you live in interesting times”

Appears to apply.

Now if you regard that reasoning as “reasonable or not” is upto you, but it is a very real potential vulnerability that certain types of hybrid system suffer from.

As for,

“and the keys are truly independent”

Oh dear, have you not noticed the fad for automated key management systems?

Because users are not capable of doing it correctly as evidenced in papers like,

“Why Johnny Can’t Encrypt”

and it’s multiple updates over time.

All such “Key Management”(KeyMan) systems are “fully deterministic” thus by very definition are not nor can not be “truly independent”.

They are at the end of the day based on the “assumed notion” that there are actually “One Way Functions” that don’t have “short cuts” or “breaks” neither has been proved. Thus what has been proved is Shannon’s “unicity distance” comes into play.

As a rough rule of thumb, it’s going to be less than,

“Three times the changeable bits of state minus two bits.”

Which can be actually quite short in many automated KeyMat “Key Generation”(KeyGen) systems. Because all to often “Magic Pixie Dust Thinking” comes in and developers use hashes to fake actual state entropy increase[1].

It’s actually very hard to get a really large number of state bits to change in an unpredictable fashion yet be usable in KeyMan KeyGen deterministic systems.

I can go through why this if you want but it would take quite a few column inches. However our host @Bruce has written about it in –if memory serves correctly– at least three papers and two books that talk about the design of secure TRNGs in computers.

[1] You see “Magic Pixie Dust Thinking” all over the place where OWFs based hashes get used. Think of their use as like a simple substitution cipher. If the range of inputs is 4bits, it does not matter that the hash output is 256bits in size because you will only ever get 2^4 or 16 different outputs. Even if you use some pre substitution cipher mode, it’s going to be a deterministic process thus unless well considered be limited in range or fairly easily determined as it will be based on the equivalent of an incrementing counter and substitution cipher more than likely with the equivalent of a fixed increment of one. It’s why the number of changeable bits of state for each iteration has to be actually large not faux / pseudo large from the OWF in a known hash function.

Clive Robinson • February 27, 2024 9:52 AM

@ Bill, ALL,

“One way to protect against this scenario is to simply generate far more data than can possibly be stored.”

No it’s not, it’s an old idea of “swamping” and it does not work and has not since before the Internet existed.

The first thing for you to consider is how do you generate such large volumes of traffic without falling into “repetitions”, “patterns” and similar that can be filtered or compressed because they lack actual entropy because they have been generated deterministically.

People thought years ago that steganography could be used to do similar, but algorithms were fairly quickly developed to spot it easily. You are in effect talking about doing stego on a grand scale, but those algorithms generally don’t care about “scale”.

Also look at “Traffic Analysis” and how it works very effectively without having to find KeyMat because it works on patterns in meta-data.

Then get to understand what meta-meta-data is and how it can be used. Put over simply the easiest example is “evidence that evidence is missing”. That is meta-data is the shadows data casts and their form says much about the objects that cast them. With meta-meta-data being the absence of shadows where you would expect shadows to exist.

An example from the physical world is spotting camouflage by what is not there. If you put a tank somewhere and put scrim net etc over it, though the tank is not visible it’s shadow tells a story, as do physical tracks on/in the ground from the tank and others servicing it. That is meta-data that can be analysed and the tank identified as a target.

Now consider instead the tank is parked up next to a building and then covered with scrim net etc and care is taken to stop shadows forming and to eradicate tracks.

Well the thing about camouflage d objects is they still show up. If it looks like a tree or bush from above then it will have been there for sone time and will have effected the natural vegetation around it. It’s difficult if not impossible to get this right most of the time because it’s an absence of something that is the cause and this in turn causes another predictable absence. That is neta-meta-data that can be analysed to say something is wrong in that area and it should be scrutinized to find out what or why something is missing. But quickly again the general size of the area will reveal a potentially tank sized object is camouflaged.

Way way to many people don’t understand the power of meta-meta-data analysis.

Like traffic analysis did not leak into the public domain untill four decades after it was invented and has taken another four decades to become recognised as useful out side of Mil-Intel circles and become meta-data analysis. Meta-meta-data analysis was in use back at the time of the Falklands War, but four decades later is still effectively not in the public domain yet, so few actually know of it, lets hope it does not become another four decades before it becomes sufficiently recognised to be used outside of Mil-Intel etc.