RE: CAST (and random AES chatter)


Carlisle Adams (carlisle.adams@entrust.com)
Fri, 17 Jul 1998 13:47:37 -0400


Hi Bruce, Perry,

Someone forwarded this to me (I'm not on the CodherPlunks list). A couple of
comments.

> ----------
> From: Bruce Schneier[SMTP:schneier@counterpane.com]
> Sent: Thursday, July 16, 1998 11:19 PM
> To: perry@piermont.com; CodherPlunks@toad.com
> Subject: Re: CAST (and random AES chatter)
>
> At 11:13 PM 7/16/98 -0400, Perry E. Metzger wrote:
> >Bruce Schneier writes:
> >> I don't buy the design process.
> >
> >Really? I actually like the design process -- it strikes me as having
> >some actual system to it, which most such processes do not have.
>
> My problem with the CAST design process is it solely focused on the
> known attacks. The S-boxes were designed to be secure against
> linear and differential cryptanalysis. And they are. And then along
> comes higher order differential cryptanalysis and some of the CAST
> designs don't look very good anymore.
>
The best attack I've seen could not get past 5 rounds (out of 16). Note
that DES at 5 rounds would do a very poor job at protecting anybody's data.
Note, too, that ciphers are more easily broken by linear or differential
cryptanalysis at 5 rounds than by higher-order differential cryptanalysis
(the complexities typically being much lower). I wonder, therefore, what
you mean by "don't look very good anymore".

> Some of the designs, including
> CAST-128, were immune, but the attacks cast serious doubts on the
> design process.
>
Actually, it seems to me that the failure of such attacks to make any real
dents speaks more to the success of the design process than to its flaws. A
design which keeps a new attack (i.e., one not specifically designed
against) from progressing beyond 5 rounds in this business seems like a
strong design to me. And, as you stated, CAST-128 appears to be immune to
even this new attack (and CAST-256 is completely based on CAST-128).

> >> And I DON'T like CAST-256.
> >
> >I agree with this. The paper did not give me a sense of ease. Too many
> >"we believe the upper bound for this is X, so we therefore believe
> >that we are likely immune to this attack", and not enough "we have
> >actually attacked this" bits. The cipher may be okay (Carlisle is a
> >smart guy) but the paper is not that comfort inducing.
>
We did what we were able to do with the time and resources available to us.
The paper was written to be as clear and simple as possible; if you found it
to be so "simple" that it lacked the detail you wanted, I apologize.

My personal opinion is that detailed (public) analysis by the authors of a
cipher often gives readers a "sense of ease", but really it shouldn't. The
authors should, of course, do this analysis, but their publication of this
should be, at some level, largely irrelevant. The "sense of ease" can ONLY
come from the analysis of everyone BUT the authors. With the AES process,
this analysis will occur over the next 1-2 years. My opinion is that the
goal of the "analysis" portion of each author's submission package is not to
try to convince anyone of the cipher's security (ultimately the authors
cannot do this!), but rather to motivate others to analyze the cipher in
detail (i.e., to make the cipher look appealing and worthy of study). Our
package was written with this goal in mind.

> Actually, I have more serious reservations. But there may be a paper
> in it, so I'll let it go for now.
>
Keep us informed of any progress...

I am really looking forward to the next couple of years. This is an
exciting time for the whole field, and all of us will benefit in some way
from the intense research activity that AES has already spawned and will
continue to spawn. Thanks again to NIST for setting all these wheels in
motion!

--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:34 ADT