by mcint 479 days ago
p 11 (/30) makes a terrible case in handwaving.

It ignores the requirement that secret data needs to stay secret for 30 years, or 100 years, or long into the future, and attacks only get better.

https://www.schneier.com/blog/archives/2009/07/another_new_a...

> They also describe an attack against 11-round AES-256 that requires 2^70 time—almost practical.

>> AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively).

>> In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively.


    > They also describe an attack against 11-round AES-256 that requires
    > 2^70 time—almost practical.
But... nobody uses 11-round AES-256. And, crucially, these are related-key attacks, not practical for, say, breaking TLS.

    In 2009, a new related-key attack was discovered that exploits the
    simplicity of AES's key schedule and has a complexity of 2^119. In
    December 2009 it was improved to 2^99.5... However, related-key attacks
    are not of concern in any properly designed cryptographic protocol, as
    a properly designed protocol (i.e., implementational software) will
    take care not to allow related keys, essentially by constraining an
    attacker's means of selecting keys for relatedness.
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...

(Note that the attack with time complexity 2^99.5 also requires 77 bits of memory, or ~16 ZiB, which is, um, billions of terabytes of RAM? edit: actually, this is 2^77 blocks worth of memory, so add a couple more orders of magnitude.)

To date, the best unconditional attack on any full variant of AES provides a factor of ~4 speedup, although it requires 9 PB of data just for AES-128.
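The quoted Wikipedia passage says a well-designed protocol prevents an attacker from choosing keys with a known relation. The usual way to do that is to never use attacker-influenced material directly as a key, but to pass everything through a key derivation function. The following is an added example, not code from the original thread: a minimal HKDF (RFC 5869, HMAC-SHA-256, standard library only) next to a deliberately bad scheme in which the session key is the master secret XORed with a nonce the peer chooses. With the XOR scheme a one-bit change in the nonce gives a key that differs from the previous one in exactly one known bit, which is precisely the related-key setting; with the KDF the same one-bit change produces a key that differs in roughly half its bits, so the attacker learns no usable relation. The function names, the hypothetical `naive_xor_key` construction and the constructed inputs are this example's own assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM). Empty salt -> HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), OKM = T(1)|T(2)|... truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_session_key(master_secret: bytes, salt: bytes, label: bytes, length: int = 32) -> bytes:
    """Proper design: every key-affecting input goes through the KDF, so no party
    can pick two keys that stand in a known algebraic relation (hypothetical helper)."""
    return hkdf_expand(hkdf_extract(salt, master_secret), label, length)


def naive_xor_key(master_secret: bytes, nonce: bytes) -> bytes:
    """Deliberately BAD design (constructed for contrast, not a real protocol):
    session key = master XOR nonce. A peer who controls the nonce controls the
    XOR difference between any two session keys, which is the related-key model."""
    if len(master_secret) != len(nonce):
        raise ValueError("master secret and nonce must have equal length")
    return bytes(m ^ n for m, n in zip(master_secret, nonce))


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_last_bit(data: bytes) -> bytes:
    """Attacker's 'relation': the same input with its lowest bit flipped."""
    return data[:-1] + bytes([data[-1] ^ 1])


def related_key_gap_naive(master_secret: bytes, nonce: bytes) -> int:
    """Bit distance between two XOR-derived keys whose nonces differ in one bit: always 1."""
    return hamming_distance(naive_xor_key(master_secret, nonce),
                            naive_xor_key(master_secret, flip_last_bit(nonce)))


def related_key_gap_kdf(master_secret: bytes, salt: bytes, label: bytes) -> int:
    """Bit distance between two HKDF-derived keys whose labels differ in one bit:
    about half of the 256 bits, with no structure an attacker can exploit."""
    return hamming_distance(derive_session_key(master_secret, salt, label),
                            derive_session_key(master_secret, salt, flip_last_bit(label)))


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    master = bytes(range(32))
    nonce = b"\x00" * 32
    salt = b"example-salt"
    label = b"session key v1"
    print("XOR scheme, one-bit nonce change -> key bits changed:", related_key_gap_naive(master, nonce))
    print("HKDF scheme, one-bit label change -> key bits changed:", related_key_gap_kdf(master, salt, label))
```

The HKDF functions can be checked against the first test vector in RFC 5869; the two `related_key_gap_*` functions are the point of the example, and the naive one returns exactly 1 for any inputs, which is what makes the XOR scheme a related-key oracle.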

> It ignores the requirement that secret data needs to stay secret for 30 years, or 100 years, or long into the future, and attacks only get better.

What data has to stay secret for 100 years?

To extrapolate backwards, was there anything in 1925 that would be still sensitive today? It's hard to imagine.

"I don't know of any long-lasting secrets" ≠ "There is / will be no need for long-lasting secrets"

The fact you don't know about these might in fact simply indicate the efficacy of the secret keepers.

> "I don't know of any long-lasting secrets" ≠ "There is / will be no need for long-lasting secrets"

This feels like a bad argument for religion.

The point though is not that I don't know any but that I can't conceive of any. I can't even imagine such a scenario, even hypothetically.

Sure, but that inequality of meaning would have to lead to a 'Therefore I conclude this specific, highly infeasible, self-contradictory secret exists' - which is perhaps a common problem with arguments for religion.

I'm confident there are fairly mundane multi-generational secrets, without having to summon the illuminati or knights templar. Either way it doesn't negate the interest in having a technology that could provide that.

Cryptography isn't a technology for keeping secrets, it's a technology for keeping secrets in transit. It's not particularly useful for keeping multigenerational secrets (how do you do key management over 100 years?)

Is your suggestion that key rotation is a necessary requirement?

I feel we're coming full circle towards the original discussion about pqc.

(Also, I feel cryptography is very much a tech that can assist you in keeping secrets at rest.)

Diplomatic communications about how you plan / succeed at undermining allies. Or communications about atrocities you knew were happening, but decided to ignore.

There is plenty of reason to want to keep diplomatic and military communications secret for a long time.

> Diplomatic communications about how you plan / succeed at undermining allies. Or communications about atrocities you knew were happening, but decided to ignore.

>There is plenty of reason to want to keep diplomatic and military communications secret for a long time.

I don't think that makes sense. Why would you want to keep implicating communications around for 100 years? Wouldn't you just destroy them?

Cryptography isn't useful for secrets you want nobody to know. It's useful for secrets you want some people to know but not others.

That said it also seems questionable how much people care about atrocities hundred years after the fact. For example, nobody is boycotting IBM today for their role in the holocaust.

News of these things does come out from time to time, usually over a shorter time period, and these create embarrassment, shock, pain and anger, but has any had significant substantive consequences? Here is a hypothetical one to consider: FDR secretly informed Hitler that the US would support an invasion of the USSR - how far would the consequences of such a revelation reach, if it were revealed today?

It's not so much about the impact of the secrets leaking. Instead, it's about the impact on communications if diplomats need to worry about their communications leaking.

idk why you're fixated on 100 years, but stuff like nuclear weapons tech is 1940s-1960s technology and that's still classified.

> idk why you're fixated on 100 years

Because that was the number the person I was responding to gave.

In any case North Korea has the bomb. I think the secret is out. The most difficult thing at this point is the engineering challenge not the book knowledge.

I was under the impression that information about how to build nukes was mostly well known by most countries, and it is just a matter of getting enough of the right type of uranium or whatever.

And will still be classified in 2045...

My genetic data will be relevant even after I'm dead because my children and grandchildren share it with me. And it's a modern kind of data that didn't exist in 1925.

I hate to tell you, but even if you have never done 23 and me or anything similar, enough of your family has that your genetic data is already very readily accessible to the parties who need it.

Realistically you can't keep that secret though. There are a lot of people who share enough of your DNA to reconstruct parts of it. Possibly hundreds. And all it takes is a hair follicle or spit.

You are never keeping that secret against an interested adversary.

Your genetic data is not secret though. It's rather easy to obtain during your lifetime, even without you knowing.

Anything tied to a blockchain.