Subject: Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))
From: mab@crypto.com (Matt Blaze)
Date: 1998/06/29
Message-ID: <199806291914.PAA21630@tpc.crypto.com>
Newsgroups: ailab.coderpunks
NNTP-Posting-Date: 29 Jun 1998 20:42:16 GMT
Organization: MIT Artificial Intelligence Lab
References: <199806291757.NAA18171@jekyll.piermont.com>

Perry is completely right here.

Designing ciphers is hard. There's no general theory of cipher design.
Even very smart, knowledgeable, experienced people come up with bad
ciphers. In the crypto community, people aren't even all that
embarrassed when their algorithms get broken. That's how hard it is.

It is just plain lunacy to use new designs to protect real data,
especially when viable, long-studied alternatives exist. Yet even
otherwise smart, sensible people suffer from acute, blinding neophilia
the moment they see a shiny, new cipher proposed. (A certain email
encryption program's premature adoption of IDEA comes to mind. And the
fact that no one has found a viable attack against that cipher does not
vindicate a reckless design methodology that selected it for a real
application in the first place.)

Suppose your doctor said "I realize we have antibiotics that tend to
cure the infection you have without harmful side effects, but I'm going
to give you ground-up tortilla chip powder instead, because, uh, it
MIGHT work". You'd get a new doctor.

-matt

Perry Metzger writes:
>
>Paulo Barreto writes:
>> 2. DES only received this amount of attention because it *was* incorporated
>> into production rather early, and in very, very serious applications
>
>No.
>
>DES was very strongly analyzed for a long time before it was made
>public -- very amounts of time were put into it *first*.
>
>> 4. Notice that NSA designed Skipjack instead of simply using (3)DES, and
>> NIST requested candidates for a (3)DES replacement. This shows that better
>> ciphers are possible and desirable.
>
>No one said otherwise. Skipjack apparently received *years* of
>internal NSA analysis, however. My claim is that you are not being
>rational if you take a cipher that has had maybe tens of serious hours
>of attempt at cracking it at most and use it in a product, when there
>are perfectly fine ciphers out there that have been sufficiently
>analyzed to gain some comfort. You've mentioned a number of ciphers
>that have certainly not received anything like sufficient analysis,
>when there are plenty that *have* been beaten on for years.
>
>Arguing that putting the ciphers into serious applications will
>encourage people to break them is rather like suggesting that the way
>to test a new car safety design is to get someone to drive the car,
>personally, into a wall. There are safer mechanisms than this.
>
>Perry
Last updated August 4, 1998