Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))

Matt Blaze (mab@crypto.com)
Mon, 29 Jun 1998 15:14:36 -0400

• Next message: Michael Paul Johnson: "Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))"
• Previous message: Perry E. Metzger: "Re: TEA (was Re: filesystem encryption)"
• In reply to: Cicero: "Re: TEA (was Re: filesystem encryption)"
• Next in thread: Michael Paul Johnson: "Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))"
• Reply: Michael Paul Johnson: "Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))"

Perry is completely right here.

Designing ciphers is hard. There's no general theory of cipher
design. Even very smart, knowledgeable, experienced people come up
with bad ciphers. In the crypto community, people aren't even all
that embarrassed when their algorithms get broken. That's how hard
it is.

It is just plain lunacy to use new designs to protect real data,
especially when viable, long-studied alternatives exist. Yet even
otherwise smart, sensible people suffer from acute, blinding
neophilia the moment they see a shiny, new cipher proposed. (A certain
email encryption program's premature adoption of IDEA comes to mind.
And the fact that no one has found a viable attack against that cipher
does not vindicate a reckless design methodology that selected it
for a real application in the first place.)

Suppose your doctor said "I realize we have antibiotics that tend
to cure the infection you have without harmful side effects, but
I'm going to give you ground-up tortilla chip powder instead,
because, uh, it MIGHT work". You'd get a new doctor.

-matt

Perry Metzger writes:
>
>Paulo Barreto writes:
>> 2. DES only received this amount of attention because it *was* incorporated
>> into production rather early, and in very, very serious applications
>
>No.
>
>DES was very strongly analyzed for a long time before it was made
>public -- very amounts of time were put into it *first*.
>
>> 4. Notice that NSA designed Skipjack instead of simply using (3)DES, and
>> NIST requested candidates for a (3)DES replacement. This shows that better
>> ciphers are possible and desirable.
>
>No one said otherwise. Skipjack apparently recieved *years* of
>internal NSA analysis, however. My claim is that you are not being
>rational if you take a cipher that has had maybe tens of serious hours
>of attempt at cracking it at most and use it in a product, when there
>are perfectly fine ciphers out there that have been sufficiently
>analyzed to gain some comfort. You've mentioned a number of ciphers
>that have certainly not recieved anything like sufficient analysis,
>when there are plenty that *have* been beaten on for years.
>
>Arguing that putting the ciphers into serious applications will
>encourage people to break them is rather like suggesting that the way
>to test a new car safety design is to get someone to drive the car,
>personally, into a wall. There are safer mechanisms than this.
>
>Perry

• Next message: Michael Paul Johnson: "Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))"
• Previous message: Perry E. Metzger: "Re: TEA (was Re: filesystem encryption)"
• In reply to: Cicero: "Re: TEA (was Re: filesystem encryption)"
• Next in thread: Michael Paul Johnson: "Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))"
• Reply: Michael Paul Johnson: "Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))"