RE: WEAK3 -- A Layman's Data Encryption Algorithm

Ian Clysdale (iancly@entrust.com)
Fri, 17 Jul 1998 15:21:47 -0400

• Next message: Stephen Zander: "Strong PRNG recommendations?"
• Previous message: Ray Arachelian: "Re: self-executing "language"?"
• In reply to: DONTstaym@SPAMaccessdata.com: "self-executing "language"?"
• Next in thread: Mok-Kong Shen: "Re: WEAK3 -- A Layman's Data Encryption Algorithm"
• Reply: Mok-Kong Shen: "Re: WEAK3 -- A Layman's Data Encryption Algorithm"

> Owing to the non-trivial programming efforts required, WEAK3 does not
> appear to well satisfy the requirements of a poor man's environment,
> though it may be quite useful in normal environments, being
> independently implementable from scratch in one to two weeks with
> average programming experience.
>
I don't find that particularly impressive. I think that taking two weeks to
implement ANY of the common block algorithms from the specification is close
to excessive, for anyone with a reasonable degree of programming experience.
Now, you can spend a huge amount of time in optimization, but the basic
algorithms are usually rather simple, all in all.

> Therefore I have called it instead a
> layman's data encryption algorithm, since it is designed by a layman
> for use by laymen.
>
This scares me more than a little. Why should I - and I count myself a
layman rather than a cryptographer, because while I have a fair deal of
implementation experience, my mathematical background is much poorer than I
would like - trust a cipher designed by a layman and not extensively
analyzed over a cipher designed by a professional and analyzed by the
cryptographic community? Why should anyone?

> (Hardcore professionals with their insistance on
> rigorous mathematical proofs and the regulating officials taking
> advices from them presumably would not have the least motivation to
> examine, let alone to actually use, anything that is WEAK by name.)
>
I don't think that it's the WEAK aspect of the name, although that probably
doesn't help. What deterred me from even looking at it was my inability to
find an algorithm specification on your page - you seemed to only have the
Fortran reference implementation. A reference implementation is not in any
way a substitute for a well-written specification describing design goals,
the algorithm in pseudocode at a high level (for those of us who have no
desire to try to piece out Fortran) and describing any attacks that have
been made or can be made on the cipher.

This doesn't strike me as an insistence on rigourous mathematical proofs,
but simply a basic requirement for any kind of understanding of the cipher.
You've given absolutely no reason that I, as an implementor, would want to
use your encryption scheme, and you've given no easy way for me, as an
analyst, to even understand what your scheme is doing.

If I just missed the specification, then please take my apologies, let me
know where to find it, and I'll be glad to take a quick look over the scheme
and see if I notice anything.

                                                                ian

• Next message: Stephen Zander: "Strong PRNG recommendations?"
• Previous message: Ray Arachelian: "Re: self-executing "language"?"
• In reply to: DONTstaym@SPAMaccessdata.com: "self-executing "language"?"
• Next in thread: Mok-Kong Shen: "Re: WEAK3 -- A Layman's Data Encryption Algorithm"
• Reply: Mok-Kong Shen: "Re: WEAK3 -- A Layman's Data Encryption Algorithm"