Constraints

30 May 2009

Three results

Filed under: Commentary — András Salamon @ 16:36
Tags:

Three fascinating results that appear to have no connection other than being rather surprising.

First, the chromatic number of the plane. The number of colours required for colouring the real plane, where no two points unit distance apart may be the same colour, is known to be either 4, 5, 6, or 7. Shelah and Soifer noted in 2003 that the actual value relates to the proposed axiom LM of set theory that requires that every set of reals is Lebesgue measurable. Specifically, the chromatic number of the plane is 4 with the usual ZF axioms of set theory, augmented with the Axiom of Choice. This was shown by Erdős and de Bruijn in 1951. However, the chromatic number of the plane is at least 5 in ZF together with LM and a weaker version of AOC, the Principle of Dependent Choices that Bernays proposed in 1942. So the Axiom of Choice does impact the real world, after all, at least for some definition of “real world”!

The second result is a problem that only requires a poly-logarithmic number of nondeterministic steps for a polynomial-time solution, and which has a deterministic runtime upper bound that is almost, but not quite, polynomial. A hitting set X of a hypergraph H (also known as a transversal of H) intersects each edge of H. A minimal transversal contains no strict subset that is a transversal. The hypergraph of all minimal transversals of a hypergraph H is its transversal hypergraph. TRANS-HYP is the problem of deciding, given two hypergraphs H and H’, whether H’ is the transversal hypergraph of H. TRANS-HYP is in co-NP but not obviously in NP. Fredman and Khachiyan showed that it is possible to recognize the transversal hypergraph of a given H in time O(n^{\log n}), where n is the size of the input. (This result was actually expressed in terms of recognition of duals of monotone Boolean functions.) The surprising result is that it is possible to show that a given hypergraph is not a transversal hypergraph of another in polynomial time using only O(\log^2 n/\log \log n) nondeterministic steps. This was shown by Eiter, Gottlob, Makino and independently by Kavvadias and Stavropoulos, in 2002-3. If one is allowed a polynomial number of nondeterministic steps then of course one can capture NP, while a logarithmic number of nondeterministic steps captures P. This important problem therefore occupies a surprising place in the bounded nondeterminism hierarchy (which was last surveyed by Goldsmith, Levy, Mundhenk in 1997). A succinct overview of the state of the art is the paper by Eiter, Makino, Gottlob published in 2008.

Finally, an upcoming paper. Michael Mitzenmacher has briefly discussed the STOC 2009 programme; following on, I would recommend the recent paper by Moser and Tardos; it presents a beautiful and short algorithmic proof of the Lovász Local Lemma in a very general form, and appears to supersede the (excellent) paper of Moser at STOC. But back to the paper I actually wanted to highlight: in among the STOC 2009 abstracts there was the intriguing comment in the abstract of a paper by Kawarabayashi and Reed discussing their algorithm deciding the Hadwiger Conjecture. For the special case k=5 this algorithm apparently implies the Four-Colour Theorem. Since the abstract seems to indicate that the detailed case analysis of the previous constructive proofs is largely avoided, I await the full paper with great anticipation. (Edit: the full paper has corrected the sentence. The result seems to be an important step forward in proving the Hadwiger Conjecture, but it doesn’t supply a short proof for the 4CT, alas.)

3 May 2009

Parallel slowdown

Filed under: Commentary — András Salamon @ 19:15
Tags:

This is a quick high-level tour of my recent paper with Vashti Galpin, Bounds on series-parallel slowdown.

Suppose you are writing some parallel code. You fire up Matlab, and plan to use the Parallel Computing Toolbox to sort out the tedious details of scheduling. But it doesn’t run nearly as fast as you were hoping. What went wrong?

There are many ways for parallel computations to fail to achieve their potential. Ideally, running a computation on m processors should take only 1/m times as long as on one processor, a speedup of m times. At the very least, one would hope for \Theta(m) speedup. For problems involving searching, starting the search in many different places can even make the speedup superlinear; so randomized restarts after a timeout can be a good strategy for such problems. But usually various delays are introduced in the parallel implementation, compared to the idealised computation that one would wish to see, so there is a slowdown.

The first attempt to explain slowdown was Amdahl’s Law: if a fraction of the computation is inherently not parallel, then as the rest of the computation disappears to zero with the addition of more and more processors, this non-parallel fraction will dominate. So if 1% is inherently not parallel, then even if the rest takes no time at all, the computation can never achieve speedup of more than 100. The figure illustrates how the speedup S is limited by both the number of processors m as well as the fraction f of the program that is inherently not parallel.
Amdahl's Law
In practice, it is not clear how to find the magic fraction — what exactly does it mean for part of the code to be inherently not parallelisable?

Yet it turns out that adding just a little more detail to our model of parallel programs allows some progress. Let slowdown be the ratio of the time to run the program to the time one would hope it would take.

To keep things really simple, consider a particular instance of a computation, corresponding to the instructions and state of a parallel program while it runs. Group sequences of instructions into activities in some way, each having some duration. Then some parts of the computation will depend on the results produced by other parts, creating precedence constraints between activities: some activities will need to complete before other activities can start.
Now even if there are no delays at all due to communication, cache misses, resource contention, or any of the other fun things that make parallel systems so interesting, there will still be some inherent slowdown.

On the one hand, the activities could be represented directly, and we could tell the system about all the precedence constraints between them, letting it work things out.

But this is not what actually happens. Creating a synchronisation object (as in OpenCL) for every precedence constraint is tedious and adds a lot of overhead. Usually one instead uses a toolkit of parallel operations provided by the system. These involve creating and managing threads, sending and waiting for messages, or most commonly, operations like Matlab’s parfor which flags activities that all may run in parallel.

Our representation of the parallel computation tells the system about our choice of activities and the precedence constraints between them. Each particular representation has syntactic limitations, which may implicitly introduce additional precedence constraints between activities.

We consider the question:

How much slowdown can we attribute to being restricted to only series-parallel language constructs?

Neighbour-synchronised activities
Let’s look at an example. Suppose the activities are neighbour synchronised, as illustrated by the black arrows in the second figure. This structure is common in pipelines, or with finite element method calculations. The red arrows indicate precedence constraints added implicitly when we represent this computation in Matlab in the obvious way:
for i = 1 : t
parfor j = 1 : N
% compute activity a_{i,j}
end
end

Even if everything else is ideal, the additional precedence constraints will cause slowdown. The combination of the for and parfor constructs turns the activity network into a series-parallel activity network, adding extra constraints implicitly. Many of the standard constructs to express parallelism implicitly series-parallelise the computation.

In the paper, we show that the slowdown can be arbitrarily large in the worst case, for any choice of how to series-parallelise the computation! If we choose the representation before the computation actually happens, and that representation forces the activity network to be of series-parallel form, then all the stochastic effects in the parallel system may interact badly with the particular choices made.

We also show that if one postpones the choice of which series-parallelisation to use until the activity durations are known, then a slowdown of at most 4/3 should be possible. This remains a conjecture, although one that has been proved for small activity networks.

Finally, actually achieving a series-parallelisation with 4/3 slowdown seems to be a difficult problem.

What does this mean? If the system is not prone to stochastic effects that may cause some activities to take much longer than we expect, then all we have to do is to ensure all activities are similar in duration. We show that this can then be handled very easily, and the slowdown is bounded above by the ratio of the largest to the smallest activity duration. But if this is not possible to achieve, then we need to express our computation in a better way.

I propose something like
neisyn d w g f(d,w,g) where d and w are iterators, g is an optional parameter describing the maximum out-degree of the network of constraints, and f is a block of code that depends on g and the current value of d and w. As a first attempt to implement neisyn, it could be translated into the for/parfor combination above (or its equivalent), which is most likely how the code would have been written anyway if those were the only constructs available. If a better implementation of neisyn were to replace this simple hack, the code would then not need to change.

A construct such as neisyn is straightforward to use. To implement it efficiently probably requires highly non-trivial work behind the scenes, for instance an efficient dynamic scheduler. Yet there is clear value in trying this approach. Imagine the computation of a_{i,j} taking a very long time for some reason. With a particular choice of series-parallelisation, every activity that has been requested to depend on a_{i,j} will have to wait for it to finish. Instead, neisyn allows the computation to proceed as a wave front across the activities, achieving better performance overall than a more rigidly structured computation. Testing this experimentally would be interesting.

9 March 2009

Apple Keyboards: curse of the paragraph key

Filed under: Commentary — András Salamon @ 20:53

I’ve been doing a fair bit of typing on a new Apple wired keyboard.  It’s fairly flat and manages to support quick typing. It reminds me a little of the keyboard that the ZX Spectrum sported (it’s not nearly as spongy, luckily).

However. Let’s rewind.

The UK version of Apple’s keyboard has a nifty pound symbol that I never use (three-letter currency abbreviations are much more useful). It also has to squeeze in a key for the crucially important paragraph/plus-minus key.  This key, possibly mandated by some European Union directive, means that there is a smaller left shift button.  Fine, one could live with all these idiosyncrasies.  But why, oh why, did the backquote/tilde key have to be moved from its top-left position?

Tilde is of course the symbol used to abbreviate $HOME in most shells.  Backquote denotes the position of a tag in vi.  Guess what — I use both the command line and vi all the time.

So I bought the International English keyboard instead.  Great, the dollar sign returns to Shift-4 (try writing some shell scripts or Perl 5 without easily accessible variable sigils sometime), hash is back to Shift-3, and the pound symbol is still available via Opt-3 (just in case).  But, but, BUT! The paragraph key is still there, usurping the backquote/tilde key’s position.  Aaargh!  What exactly is wrong with the usual North American Apple Keyboard layout for English?  Do Mac users outside the USA really require paragraph and plus-minus keys; is this an intimation (or even a slur) that International English is for those corporate minded and also equivocal?

Enough ranting: a reasonable workaround is to use a free utility called Ukelele to generate a custom keymap. I changed the paragraph key to a duplicate backquote/tilde key, solving this particular problem. Great for those whose fingers are hard-wired to use the top-left key for useful stuff, instead of peppering keyboard input with strange symbols. Thanks to the folks at SIL for making this tool available.

STACS 2009

Filed under: Commentary — András Salamon @ 20:24
Tags:

STACS 2009 was held 26 to 28 February 2009 in Freiburg, Germany.  Several papers are relevant to constraints, here are rather biased synopses of two of these.

Andrei A. Bulatov, Víctor Dalmau, Martin Grohe, and Dániel Marx: Enumerating Homomorphisms

Let ECSP(S,T) be the problem instance that requires generating all homomorphisms from S to T.  For classes A and B of relational structures, all with the same finite signature, let ECSP(A,B) be the problem consisting of all instances ECSP(S,T) where S is in A and T is in B.  (In particular, the fixed finite signature means that only constraint satisfaction problems of bounded arity are dealt with here.)  In general ECSP has exponentially many solutions, so of interest are A and B that lead to a procedure to generate all solutions in time that is polynomial in the total size of the input and the output.  The main focus of this paper are conditions that guarantee that solutions can be computed with polynomial delay (WPD), which guarantees polynomial total time.

Lemma 3.3 is interesting: for a fixed core T, and letting C_T be the class of disjoint unions of structures S and T where there is a homomorphism from S to T, the decision problem CSP(_,T) is in PTIME iff the problem of finding a solution SCSP(C_T,_) is in PTIME.  Lemma 3.4 similarly relates SCSP and ECSP: for a class A of relational structures, let A’ be the class of structures constructed from A by adding |A| new independent vertices to each structure; then SCSP(A,_) is in PTIME iff ECSP(A’,_) is in PTIME.  Theorem 4.10 states that if A is a class of structures such that the k-core of each structure in A has tree width at most k, then ECSP(A,_) is solvable WPD.  Let CQE(A,B) be the problem of enumerating all extendible partial mappings from a given subset of the vertices of the given source structure S from A to the given target structure T from B, in the sense that the partial mapping can be extended to a homomorphism from S to T.  For a particular class A whose 2-cores have bounded width, Example 6.2 shows that if CQE(A,_) is solvable WPD, then W[1] = FPT.

Dániel Marx: Tractable Structures for Constraint Satisfaction with Truth Tables

This paper deals with unbounded arity problems which are represented as truth tables.  Most of the work on complexity of constraint satisfaction has focused on listing all tuples in each relational structure in the instance.  A truth table representation is a generalized adjacency matrix: instead of listing a tuple, a 1 represents its presence.  For sparse problems truth tables are therefore very large, but for dense problems they are reasonable.  The main result is Theorem 1.5: assuming a conjecture of the author, CSP(A,_) is tractable iff the class of hypergraphs of structures in A has bounded adaptive width.  Adaptive width is a new measure based on fractional independent sets that (Proposition 5.1) is at most as large as fractional hypertree width.  Previously fractional hypertree width was the most general width measure known that guaranteed tractability.

16 November 2008

Comments on Taleb

Filed under: Commentary — András Salamon @ 23:50

Nassim Nicholas Taleb makes provocative statements with several interesting ideas underpinning them.  To try to get past the over-the-top rhetoric of his interviews and two widely known books Fooled by Randomness and The Black Swan, I spent some time reading the papers at Taleb’s site.

Simplifying vastly, Taleb currently seems to have three main themes.

  1. The convergence to the central limit theorem is too slow to be of any use in processes based on social interaction.  This means that economics (and other social sciences) often cannot use a central limit theorem and work with the limiting stable distributions, but has to grapple with the unknown and often very weird distribution such data has.  In particular, using Gaussian distributions as any kind of approximation is often a very bad idea, even if variance is finite.
  2. The second point is that many social phenomena have self-similar distributions.  Barabási made this idea popular, and it has been widely observed in many kinds of network structures over the last decade.  Taleb argues that most economic time series behave this way also.  This means that their distributions are heavy-tailed, and that it is very difficult to estimate their parameters.
  3. Finally, Taleb notes that many social and economic phenomena are dominated by the effect of single events.  When regulators rejig the rules of a market, or war breaks out, or a meteor hits the earth, the effect is so large that it completely dominates the many years of “normal” behaviour.

This adds up to a pretty pessimistic point of view, on the surface.  However, Taleb appears to be formulating prescriptions for living with this state of affairs.  It seems he believes it is important to bound losses, through mechanisms such as reinsurance or options.  If dragons lurk in the heavy tails, then one can at least reduce their effect by donning some armour.  Taleb hasn’t yet gone far beyond the ranting stage in his published writing, as far as I can see.  It would seem likely that he does have specific prescriptions, since he is one of the principals at Universa Investments, which aims to achieve capital preservation regardless of market conditions.

One way to address the first issue would be to move further along the way towards continuous markets.  Based on the convergence of various distributions, one could estimate the number of events that would have to be observed for some summary event to be close enough to a desired limiting distribution.  There is already a strong move towards markets that are ever less discrete, and doing this analysis would tell us how far we have to go.  Academics in quantitative finance dealing with high frequency data and rough path theory are addressing these kinds of issues.

I’m not sure how to argue with the second issue, unless one can find new types of interaction underlying processes that do not generate self-similar laws.  This might be feasible, but would perhaps require new markets and ways of interacting.  All markets are to some extent designed, so this may be a long term approach, harnessing the work of many people, from different disciplines, on network science.

The issue of single events is probably unavoidable.  If one plans for the meteor strike, then in the interval until it happens life is pretty miserable (what with living underground, keeping a large stock of tinned food, and keeping up a gloomy outlook).  It seems unlikely that human nature could be changed to prepare for the worst, when that could be years or decades away.  The engineering solution (of doubling or trebling tolerances, because we don’t actually know the distributions), or the insurance solution (of keeping a reserve for a rainy 40 days), are difficult to implement when the outliers really are likely to be off the scale.  But again, people are working on this.  (An example was the recent Global Catastrophic Risks Conference.)

In conclusion: Taleb makes some good points, but his claim that everyone is ignoring these issues appears somewhat hollow.

3 August 2008

Minimizing free energy

Filed under: Commentary — András Salamon @ 13:22
Tags:

This is third-hand and several months old, but quite fascinating.  Stanislas Dehane wrote for this year’s Edge question about capturing the overall behaviour of the brain with a compact model.  The gist of his contribution (edited for brevity):

The brain is the outcome of five hundred million years of tinkering.  How could such a jumble be captured by a single mathematical law?

Karl Friston, from UCL in London, has presented “a theory of cortical responses”.  Friston’s theory rests on a single premise: the brain optimizes a free energy function.  This function measures how closely the brain’s internal representation of the world approximates the true state of the real world. From this simple postulate, Friston spins off an enormous variety of predictions.

Neuroscience now has a wealth of beautiful theories that should attract the attention of top-notch mathematicians — we will need them!

Three relevant papers, from Friston’s site:

Free energy and the brain (with KE Stephan, 2007)

A free energy principle for the brain (with J Kilner and L Harrison, 2006)

A theory of cortical responses (2005)

1 August 2008

ECAI 2008 (part 2)

Filed under: Commentary — András Salamon @ 23:23
Tags: ,

Many of the talks at the main conference were interesting; just a few are outlined here.

Flener, Pearson: Solving Necklace Constraint Problems

Pierre Flener showed how standard constraint satisfaction techniques could be applied to model an enumeration problem in discrete mathematics, without needing any complicated special purpose algorithms.  However, the necklace constraints used in such problems have nice applications in scheduling, and fast propagators can be built.

Bessiere, Hebrard, Hnich, Kiziltan, Walsh: SLIDE: a useful special case of the CardPath constraint

Toby Walsh discussed how SLIDE can be used as a building block for many other global constraints (including REGULAR and CARDPATH, which themselves generalize many others).  The claim is that SLIDE can be as efficient as specialized propagators for sequencing problems, even though propagation for such a general constraint is NP-complete.  When SLIDE is used to encode tractable constraints in the right way, there is a lot of regularity in the encoding, which then yields tractable propagation.  Using an intractable propagator in a tractable way is an interesting idea that I feel it should be possible to formalize.  Experimental results are presented in support, but the theory in Section 6 seems further development to constitute a rigorous argument.  Of course, 5 pages aren’t really enough to do the topic justice, and I look forward to the journal version.  (By the way, coding SLIDE in Tailor’s implementation of Essence’ is proving quite tricky — the lack of macros makes it rather difficult…  The unbounded arity of some of these constraints also means that the Global Constraint Catalog doesn’t list them either!)

Samadi, Schaeffer, Torabi Asr, Samar, Azimifar: Using Abstraction in Two-Player Games

Mehdi Samadi demonstrated that it is possible to abstract from game positions, for instance by removing some pawns from a chess endgame.  By dropping some pieces from the position one may end up with a position close enough to endgame databases so that the gain in accuracy is more important than the inaccuracy of abstraction.  Quite convincing experimental evidence was presented that pure abstraction outperformed Crafty.

Hoche, Flach, Hardcastle: A Fast Method for Property Prediction in Graph-Structured Data from Positive and Unlabelled Examples

Peter Flach spoke about using an iterative neighbourhood majority voting scheme to classify vertices in a graph.  This was apparently faster and not worse than a Markov chain approach.  I think this could be used to weakly tag new objects by pre-populating the suggested tags, which would potentially encourage tagging, instead of presenting an empty tag cloud to the first tagger.

There were several talks about applications of BDDs to various problems.  Donald Knuth’s statement in a talk last year (that BDDs were at the same stage as linked lists were before everyone started using them as a basic data structure in the 1960s) seems more and more on the mark.  There is something in the air…

I missed Adrian Petcu’s talk on his prize-winning dissertation, but a brief outline conveyed on the bus back to the hotel one evening is that 1) communication overhead can swamp the benefit of distributing search, but 2) there are ways of grouping messages to achieve good speedup.

A tiring week, but fun and stimulating.

ECAI 2008

Filed under: Commentary — András Salamon @ 21:33
Tags: ,

I attended ECAI 2008 in Patras, Greece last week. The conference was rather large (perhaps even unwieldy), with over 30 workshops, seven concurrent tracks in the main conference, and more than 600 people attending. Due to the excellent turnout from the constraints community, most of my time was spent at talks about constraints and search, with a few talks from other fields to provide some perspective. It was quite easy to speak to people, perhaps because our submission (Cooper, Jeavons, Salamon: Hybrid tractable CSPs which generalize tree structure) unexpectedly received the best paper award. There was a large turnout at my talk, which was a bit daunting!

Before the main conference, several interesting papers were presented at the Workshop on Modeling and Solving Problems with Constraints (proceedings are available online).

Battiti, Campigotto: Penalties may have collateral effects. A MAX-SAT analysis

Paulo Campigotto argued that fiddling with clause weights to smooth out a MAX-SAT fitness surface doesn’t work except to nudge solutions along from a local minimum; there are simply too many side effects to use this technique globally.

Freuder, Wallace, Nordlander: Debugging Constraint Models with Metamodels and Metaknowledge

Richard Wallace discussed a system named Ananke, after the Goddess of Bonds (and therefore an appropriate deity for constraint satisfaction).  Given specific solutions that the user of the system expects, Ananke suggests ways to alter an overconstrained specification of a constraint problem so that those solutions become possible.  The idea is that this would help find constraints which unnecessarily disallow desired solutions.

Gent, Miguel, Rendl: Common Subexpression Elimination in Automated Constraint Modelling

Andrea Rendl talked about the Tailor system to translate high-level Essence’ specifications of constraint problems into models that can be run using existing constraint programming systems such as Minion.  In the translation, it is possible to detect common subexpressions, as a byproduct of parsing and with minimal overhead, resulting in more compact constraint programs and sometimes also much faster search.  Even where eliminating subexpressions doesn’t yield any improvement, there is essentially no cost to including it as part of the translation phase.

Makeeva, Szymanek: Revisiting the Generalized Among Constraint

The main point in this tightly argued talk by Polina Makeeva was that it can be faster to use AMONG (if carefully implemented) than to decompose into individual global constraints, since this allows sharing and reuse of information.  This kind of result would seem to argue against the traditional, loosely coupled view of constraints interacting purely through a set of domains.

Maher, Narodytska, Quimper, Walsh: Flow-Based Propagators for the SEQUENCE and Related Global Constraints

Nina Narodytska argued that for some global constraints one can use an Integer Linear Programming model if a graph model is not known, while some kinds of ILP models can be transformed into flow problems.  If both techniques are applied, one can sometimes find fast flow-based propagators.  An example is the SEQUENCE constraint, and an algorithm was presented to enforce domain consistency down a branch of the search tree in O(n^2) time, an O(\log n) factor improvement on the best previous algorithm.

2 June 2008

STOC 2008

Filed under: Commentary — András Salamon @ 20:32
Tags: ,

A quick rundown of some of the more interesting papers.

Barto, Kozik, Niven: Graphs, polymorphisms and the complexity of homomorphism problems

This paper shows (Theorem 3.1) that if a digraph without sources and sinks admits a weak near unanimity operation, then it retracts onto a disjoint union of circles [a circle is an induced directed cycle].  They also claim to have a more general version in preparation, for relational structures.  This result can then be used to prove the Bang-Jensen/Hell conjecture, that for finite digraphs H without sinks or sources, if each component of the core of H is a circle, then H-colourability is in PTIME, otherwise it is NP-complete.

Rossman: On the constant-depth complexity of k-clique

This shows (Corollary 1.4) that no sentence in first-order logic with at most k/4 variables can express k-clique on the class of finite ordered graphs.  Rossman claims the full version will show that this holds for the class of finite graphs with arbitrary numerical predicates also.  This means (Corollaries 1.5 and 1.7) that the bounded variable hierarchy on finite ordered graphs is non-collapsing and strict; previously it was not known if 3 variables was enough to express every FO formula on finite ordered graphs.  Moreover, Theorem 1.2 says that for every k, the k-clique problem on n-vertex graphs requires constant-depth circuits of asymptotic size at least n^{k/4 + o(1)}.

Frieze, Vempala, Vera: Logconcave random graphs

This generalizes the usual Erdős-Rényi model of a random graph to a two stage process, where first a multivariate distribution determines a random point in an n(n-1)/2-dimensional cube, then a threshold p is used to determine whether the edge corresponding to each direction is present or not.  The usual random graph model with uniform edge probabilities is then the special case of a uniform distribution over the unit cube.  The paper works with a logconcave distribution, and they point out (Open question 5.1) that special cases capture graph classes such as triangle-free, by defining the distribution in terms of the solutions of a linear program.  They ask whether H-free graphs can be “uniformly” generated this way.

16 May 2008

Debian “patch” allows simple brute force attacks

Filed under: Commentary — András Salamon @ 11:42

Back in May 2006, an enterprising Debian team member decided to address the complaints from Purify and/or Valgrind, when compiling OpenSSL.

The result was a patch that silenced those pesky warnings for good.

Notice how the second part of the patch comments out a piece of code calling the MD_Update() function; a piece of code that is explicitly bracketed by a pair of #ifndef PURIFY/#endif directives. In other words, the “right” way to fix this is probably to ensure that PURIFY is set during compilation. The reason provided for the change: “/* purify complains */”. Perhaps it is now usual to ignore the immediate context of code.

The interesting thing about this “patch” is that it reduces the space of keys to 32767 values for each of the common key sizes. As pointed out by the folks over at Metasploit, this makes it easy to generate the full list of keys. In fact, it’s so easy that they provide the list as a convenient download for each common key size, about 250MB of data in all.

The consequence: all SSH and SSL keys generated on Debian 4.0 (etch) derived systems from September 2006 or so are rather easy to guess.

Corollary: any data encrypted using such keys during the last 18 months can now be decrypted by anyone.

Let’s hope people have not kept too many packet traces of SSH connections between machines that use affected keys.

Corollary: change affected keys immediately.

Next Page »

Blog at WordPress.com.