There is no easy solution to this problem. It's a conflux of many factors. (There are no more "third spaces". Too much rent-seeking behavior. The centralization of platforms consolidates power and creates inertia. The dopamine-hacking of recommendation algorithms. Social media in general.)
I've written at length about related topics. Unfortunately, there are powerful vested interests in keeping things shitty. It's often critiqued as "capitalism is bad", but what we're seeing today is better described as techno-feudalism than as capitalism.
Presumably one would want to use Ed448 in order to achieve for session key establishment or for digital signing a level of security comparable to using for encryption AES with a 256-bit key.
ED25519 has a level of security only comparable with AES with a 128-bit key.
Nowadays many prefer to use for encryption AES or similar ciphers with a 256-bit key, to guard against possible future advances, like the development of quantum computers. In such cases, ED25519 remains the component with the lowest resistance against brute force, but it is less common to use something better than it because of the increase in computational cost for session establishment.
> Presumably one would want to use Ed448 in order to achieve for session key establishment or for digital signing a level of security comparable to using for encryption AES with a 256-bit key.
Ed448 is an instantiation of EdDSA (the Edwards curve digital signature algorithm) over the Edwards448 curve (a Goldilocks curve), as defined in RFC 7748 and RFC 8032.
Key establishment would use X448 (formerly "Curve448") for Diffie-Hellman, although ECDH over Edwards448 is also (strictly speaking) possible.
Using Ed448 for key exchange is a TypeError.
But that's neither here nor there. I was asking about real world applications that need Ed448 specifically, not a vague question of how cryptography works.
> ED25519 has a level of security only comparable with AES with an 128-bit key.
No. The whole notion of "security levels" is a military meme that doesn't actually meaningfully matter the way people talk about it.
There are about 2^252 possible Ed25519 public keys. Recovering a secret key from Pollard's rho takes about 2^126 or so computations (where each computation requires a scalar multiplication), and that's why people pair it with an equivalent "security level" as AES-128, but the only meaningful difference between the algorithms (besides their performance footprint) is security against multi-user attacks.
With a 256-bit AES key, you can have 2^40 users each choose 2^50 keys and still have a probability of key reuse below 2^-32.
With 128-bit AES keys, you don't have that guarantee. 2^90 keys is well beyond the birthday bound of a 128-bit function, which means the probability of two users choosing the same key is higher than 2^32. (It's actually higher than 50% at 2^90 out of 2^128.)
However, despite the "security level" claims, Ed25519 has 2^252 keys. The multi-user security of Ed25519 (and X25519) is meaningfully on par with AES-256.
As things stand today, the 128-bit symmetric cryptography "security level" is unbreakable. You would need to run the entire Bitcoin mining network for on the order of a billion years to brute force an AES-128 key.
> Nowadays many prefer to use for encryption AES or similar ciphers with a 256-bit key, to guard against possible future advances, like the development of quantum computers.
This is a common misunderstanding. So common that I once made the same mistake.
Grover's attack requires a quantum circuit size of 2^106.
> In such cases, ED25519 remains the component with the lowest resistance against brute force, but it is less common to use something better than it because of the increase in computational cost for session establishment.
I do not understand what this sentence is trying to say.
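As an added example (not part of this thread or anyone's post in it), the birthday-bound arithmetic behind the multi-user argument above, worked in Python for the numbers the post uses: 2^40 users each choosing 2^50 keys (2^90 keys in total) against a 128-bit, a 252-bit and a 256-bit keyspace. The function names are my own.

```python
import math
from fractions import Fraction


def collision_probability(num_keys: int, keyspace: int) -> float:
    """Probability that at least two of `num_keys` independently and
    uniformly chosen keys coincide, using the standard birthday
    approximation  P ~= 1 - exp(-n(n-1) / (2N)).
    """
    if num_keys < 2:
        return 0.0
    # Build the exponent as an exact rational from Python big ints, then
    # convert once to float, so inputs like 2**90 keys out of 2**256 neither
    # overflow nor lose the tiny result (~2**-77) to rounding.
    x = Fraction(num_keys * (num_keys - 1), 2 * keyspace)
    # -expm1(-x) == 1 - exp(-x), but stays accurate when x is very small.
    return -math.expm1(-float(x))


def multi_user_collision(users: int, keys_per_user: int, keyspace: int) -> float:
    """Probability that any two of `users` parties, each choosing
    `keys_per_user` keys at random, pick the same key."""
    return collision_probability(users * keys_per_user, keyspace)


def birthday_bound_bits(keyspace_bits: int) -> float:
    """Number of keys (as a power of two) at which collisions become
    likely: roughly sqrt(N), i.e. half the keyspace's bit length."""
    return keyspace_bits / 2


if __name__ == "__main__":
    # The post's scenario: 2^40 users x 2^50 keys each = 2^90 keys.
    users, per_user = 2**40, 2**50
    for bits in (128, 252, 256):
        p = multi_user_collision(users, per_user, 2**bits)
        print(f"{bits}-bit keyspace: P(collision) = {p:.3e}  "
              f"(birthday bound ~ 2^{birthday_bound_bits(bits):.0f} keys)")
```

For the 128-bit keyspace the probability rounds to 1.0, while for 252 and 256 bits it is far below 2^-32, which is the gap the post is describing.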
TLDR - on the TLS parts, quite a lot, up to 2x slower on certain paths. Amusingly, openssl 1.1 was much faster.
libcrypto tends to be quite solid though, though over the years, other libraries have collected weird SIMD optimizations that enable them to beat openssl by healthy margins.
I got that impression too. Gatekeeping sensitive information is not necessarily bad, but the entire thing is sketchy. For example, is it legal or ethical for this group to have Washington Post data that was leaked or stolen? Are we really supposed to be against something called "Free Speech Union" because of the owners having controversial views? There is clearly a political angle to most of the stuff I've seen at a glance, and a lot of politics on one side only.
Most evil groups have "good" and "innocent" names in order to attract a following. The "Worker's Party of Korea" sounds like a great party for all Koreans out there to vote on. Likewise, the "National Socialist German Workers' Party" sounds, on paper, like a great political party for the German labourers out there.
Unfortunately, both the WPK and the NSDAP are very evil organisations, with no real intentions of helping actual workers, but the names of their organisations wouldn't reveal that.
You can't look at the name of an organisation to find out what their values and hidden agendas are. Names are the most valuable assets in any effective propaganda, and should therefore be seen as completely untrustworthy.
The "Free Speech Union" don't just have "controversial views", they are actively spreading disinformation about COVID-19 vaccines.
I agree about names in general but I know how fraught the topic of free speech is these days. I am a free speech absolutist in the same spirit as Voltaire.
> The "Free Speech Union" don't just have "controversial views", they are actively spreading disinformation about COVID-19 vaccines.
The whole point of free speech rights is to protect speech that is disagreeable! COVID-19 "misinformation" censorship is a major pet peeve of mine. Just as with your point about names, people lie all the time about what constitutes "misinformation", "harmful", etc. Doctors and researchers were paid off and had their careers threatened for daring to question government policy in this case. Everyone else was threatened to force them to comply. This is not how science or freedom works. We're not talking about some zombie virus. We're talking about a disease with a very low mortality rate even at its peak, and a vaccine that objectively did not stop the spread. If a researcher did want to criticize the vax, they'd risk their career. So get f'd or get paid, some hard decision right? If politicians can be bought then so can researchers.
Some of the powers that be would love you to give them the authority to censor people to influence your pet issues. They would declare your views to be misinformation or hate speech just as soon as you become inconvenient to them.
(Also as a furry this whole thread is funny.)