Read the book Security Engineering - Ross Anderson - Page 203
Notes
1. Information about the machines can be seen at the Crypto Museum, https://www.cryptomuseum.com.
2. letters in the case of the Hagelin machine used by the USA, permutations in the case of the German Enigma and the British Typex
3. More precisely, the probability that fish chosen randomly from fish are different is which is asymptotically solved by [1039].
4. This may have been used first at Bletchley in World War II where a key insight into breaking the German Enigma machine was that no letter ever enciphered to itself.
5. In fact, we can also construct hash functions and block ciphers from stream ciphers – so, subject to some caveats I'll discuss in the next section, given any one of these three primitives we can construct the other two.
6. The likely discrete log algorithm, NFS, involves a large computation for each prime number followed by a smaller computation for each discrete log modulo that prime number. The open record is 795 bits, which took 3,100 core-years in 2019 [302], using a version of NFS that's three times more efficient than ten years ago. There have been persistent rumours of a further NSA improvement and in any case the agency can throw a lot more horsepower at an important calculation.
7. In the 1990s could be in the range 512–1024 bits and 160 bits; this was changed to 1023–1024 bits in 2001 [1404] and 1024–3072 bits in 2009, with in the range 160–256 bits [1405].
8. The default sizes of are chosen to be 2048 bits and 256 bits in order to equalise the work factors of the two best known cryptanalytic attacks, namely the number field sieve whose running speed depends on the size of and Pollard's rho which depends on the size of . Larger sizes can be chosen if you're anxious about Moore's law or about progress in algorithms.
9. See Katz and Lindell [1025] for an introduction.
10. The few that can't, try to cheat. In 2011 Iran hacked the CA Diginotar, and in 2019 Kazakhstan forced its citizens to add a local police certificate to their browser. In both cases the browser vendors pushed back fast and hard: Diginotar failed after it was blacklisted, while the Kazakh cert was blocked even if its citizens installed it manually. This of course raises issues of sovereignty.
11. The COVID-19 pandemic has given some respite: Microsoft had been due to remove support for legacy versions of TLS in spring 2020 but has delayed this.
12. One of them, the McEliece cryptosystem, has been around since 1978; we've had digital signatures based on hash functions for about as long, and some of us used them in the 1990s to avoid paying patent royalties on RSA.
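Note 3 above is the birthday bound, and the same square-root cost is why Pollard's rho in note 8 depends on the size of the subgroup order rather than the modulus. The following Python is an added example, not the book's own code: it computes the exact probability that k values drawn uniformly from n are all distinct, the usual exp approximation, and the number of draws at which a collision becomes more likely than not; the function names are mine.

```python
from math import exp, log, sqrt


def prob_all_distinct(k: int, n: int) -> float:
    """Exact probability that k values drawn uniformly (with replacement)
    from n equally likely values are all different: prod_{i<k} (n-i)/n."""
    p = 1.0
    for i in range(k):
        p *= (n - i) / n
    return p


def prob_collision_approx(k: int, n: int) -> float:
    """Standard approximation 1 - exp(-k(k-1)/2n), good while k << n."""
    return 1.0 - exp(-k * (k - 1) / (2.0 * n))


def draws_for_collision(n: int, target: float = 0.5) -> int:
    """Smallest k for which P(at least one collision among k draws) >= target,
    computed exactly by extending the product one draw at a time."""
    k, p_distinct = 0, 1.0
    while 1.0 - p_distinct < target:
        p_distinct *= (n - k) / n
        k += 1
    return k


def birthday_bound(bits: int) -> float:
    """Rule-of-thumb draws for a 50% collision on a bits-bit value:
    sqrt(2 ln2 * 2^bits), i.e. about 1.18 * 2^(bits/2)."""
    return sqrt(2.0 * log(2.0) * 2.0 ** bits)


if __name__ == "__main__":
    # Classic case: 365 "fish" (birthdays); a collision is likely by 23 draws.
    print(draws_for_collision(365))                        # 23
    print(round(prob_all_distinct(23, 365), 4))             # 0.4927
    # A 32-bit value: exact count next to the sqrt(2 ln2 * n) rule of thumb.
    print(draws_for_collision(2 ** 32), round(birthday_bound(32)))
    # Why the rho attack in note 8 scales with q: its cost is about sqrt(q),
    # so a 256-bit q costs roughly 2^128 operations.
    print(round(log(birthday_bound(256), 2), 1))             # 128.2
```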