Ground Tortilla Chip Powder


How to Choose a Cipher

Subject:      Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))
From: (Matt Blaze)
Date:         1998/06/29
Message-ID:   <>
Newsgroups:   ailab.coderpunks 
NNTP-Posting-Date: 29 Jun 1998 20:42:16 GMT
Organization: MIT Artificial Intelligence Lab
References:   <>

Perry is completely right here.

Designing ciphers is hard.  There's no general theory of cipher
design.  Even very smart, knowledgeable, experienced people come up
with bad ciphers.  In the crypto community, people aren't even all
that embarrassed when their algorithms get broken.  That's how hard
it is.

It is just plain lunacy to use new designs to protect real data,
especially when viable, long-studied alternatives exist.  Yet even
otherwise smart, sensible people suffer from acute, blinding
neophilia the moment they see a shiny, new cipher proposed.  (A certain
email encryption program's premature adoption of IDEA comes to mind.
And the fact that no one has found a viable attack against that cipher
does not vindicate a reckless design methodology that selected it
for a real application in the first place.)

Suppose your doctor said "I realize we have antibiotics that tend
to cure the infection you have without harmful side effects, but
I'm going to give you ground-up tortilla chip powder instead,
because, uh, it MIGHT work".  You'd get a new doctor.


Perry Metzger writes:
>Paulo Barreto writes:
>> 2. DES only received this amount of attention because it *was* incorporated
>> into production rather early, and in very, very serious applications
>DES was very strongly analyzed for a long time before it was made
>public -- very amounts of time were put into it *first*.
>> 4. Notice that NSA designed Skipjack instead of simply using (3)DES, and
>> NIST requested candidates for a (3)DES replacement.  This shows that better
>> ciphers are possible and desirable.
>No one said otherwise. Skipjack apparently recieved *years* of
>internal NSA analysis, however. My claim is that you are not being
>rational if you take a cipher that has had maybe tens of serious hours
>of attempt at cracking it at most and use it in a product, when there
>are perfectly fine ciphers out there that have been sufficiently
>analyzed to gain some comfort. You've mentioned a number of ciphers
>that have certainly not recieved anything like sufficient analysis,
>when there are plenty that *have* been beaten on for years.
>Arguing that putting the ciphers into serious applications will
>encourage people to break them is rather like suggesting that the way
>to test a new car safety design is to get someone to drive the car,
>personally, into a wall. There are safer mechanisms than this.

Back to my Crypto page
Back to my home page

Last updated August 4, 1998

HTML 3.2 Checked! check now