Fixing Strength Problems in Cipher Use

A Ciphers By Ritter Page

A sci.crypt conversation on fundamental problems in cryptography.

Introduction and Comments by Terry Ritter

There is no guarantee that any cipher will not fail, but we can use ciphers in ways which require multiple ciphers to fail before information is exposed.

We cannot know when our cipher has been broken, but we can use ciphers in ways which terminate any existing break and so protect our future messages.

We cannot know the capabilities of our opponents, but we can use ciphers in ways which force our opponents to make huge, continuing investments, just to keep up with us.


Introduction

In several ways, cryptography can be seen as a contest: First and most importantly, it is a contest between cryptographers and unknown opposing cryptanalysts. Next, it is a contest between "our" academic cryptanalysts and the unknown cryptanalysts. Then it is a contest between independent cryptographers and academic cryptanalysts. And, of course, it is also a contest between the academic cryptanalysts.

Seeing cryptography as contest can help clarify the uneven nature of these events.

Trouble in Paradise

It has long been known that cryptography has very serious fundamental problems. Surely we all know that no cipher system is proven secure, yet we often think we can trust a cipher that has been around for a while. These positions are contradictory, and are examples of the "dirty little secrets" which most professionals know and ignore because it seems little can be done about them. Serious issues in cryptography include:

  1. We do not know the "strength" of our ciphers
    ("Strength" is the minimum effort needed to expose protected data). Cryptanalysis does not testify to cipher strength unless it finds a "break," and then it only gives an upper bound. The lower bound is always zero: Any cipher can fail at any time.
    • We cannot "trust" any cipher
      Any trust we may have in a cipher is more self-delusion than science, based on our not being specifically told that our cipher failed. We interpret a lack of information as evidence of strength, and this is a serious error.
    • Older "seasoned" ciphers are not necessarily better
      Older, more mature ciphers are generally more trusted. They also have had more time to be attacked and broken in secret.
    • Any cipher may already be broken
      As long as our opponents do not blab that they have broken our cipher, we will probably continue to use it.
    • Having just a single cipher can lead to loss of all past and future data
      Any cipher can fail at any time.
  2. We cannot know the capabilities of the opposing cryptanalysts
    If our opponents read the open literature they are at least as advanced as "our guys." But they often work for organizations which do their own research and do not share their results. Accordingly, the academic literature does not provide a rational basis for estimating the capabilities of our opponents.
    • As long as we continue to use the same cipher, we have no ability to terminate our opponents' success after they break that cipher
      And we will not be told when they do succeed.
  3. We cannot estimate the chance that our ciphers may fail
    Our opponents work in secret and do not announce their successes. We know neither the number of attempted attacks, nor the number of their successes: We thus have no basis for constructing a probability of opponent success.
    • We cannot estimate failure from academic literature
      Negative academic results are generally not published: We do not know the number of attempted attacks. We also cannot extrapolate academic attacks to those mounted in secret by opponents with unknown resources.
    • Long use is not an indication of success
      We will not know when a cipher is broken for real. Ciphers in use for a long time may have been broken and ineffective for a long time.

Fix Proposals

The conversations archived here start from my proposals to "fix" some of these serious problems. They ran into a great deal of debate and dispute, apparently because these ideas run counter to the currently accepted philosophy of cryptography. Briefly, that philosophy is to have a few ciphers which are analyzed as intensely as possible; if they survive some unknown amount of time or effort, they then transition into use. And while there is a general acceptance of the idea that even well-analyzed ciphers may fail, there is a remarkable lack of protocols intended to prevent such failure, or even reduce the consequences. It appears that most professionals believe in the ciphers they use, which may be more a testimony of the intimidating role of academic cryptanalysis than of any factual basis for such belief.

Quick Entries into the Discussion

Fix Proposals

Note that there are repeated descriptions and arguments for this "fix package" throughout the discussion, but they do tend to be piece-by-piece rather than as a collected unit.

The Kerckhoff's Law Delusion

Kerckhoff's laws were intended to formalize the real situation of ciphers in the field. Basically, the more we use any particular cipher system, the more likely it is that it will "escape" into enemy hands. So we start out assuming that our opponents know "all the details" of the cipher system, except the key.

Part of the fix proposal is to have many different ciphers, and to select among them "at random" by a key. The particular cipher used is thus unknown to our opponents; they do know, of course, that our system uses many ciphers. And if they can simply try each possible cipher, there is not much protection (although, presumably, they could not break every cipher). But with a substantial number of ciphers (say, 1000), used in a 3-level "cascade" of multi-ciphering, we have over 10**9 different cipher possibilities. And each of these is stronger than any one cipher alone, because known plaintext and defined plaintext attacks are not possible on the individual component ciphers.

The first effect we see here is keyspace, and we already have plenty of keyspace. But the effect we really want is the partitioning and compartmentalization of our data so that a failure in one cipher means the exposure of only a small part of the data.
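The key-selected cascade and the "small part of the data" argument above, as an added example that is not part of the original page (it also reproduces the 1k*1k*1k exposure arithmetic that comes up later in the thread). The pool size, layer count, the use of HMAC-SHA256 as the selection and key-derivation PRF, and the label format are all assumptions of this example:

```python
import hashlib
import hmac
from typing import Tuple

# Constructed parameters matching the text: a pool of 1000 cipher modules
# used in a 3-level cascade, giving 1000**3 = 10**9 ordered selections.
POOL_SIZE = 1000
LAYERS = 3


def select_cascade(master_key: bytes, message_number: int,
                   pool_size: int = POOL_SIZE, layers: int = LAYERS) -> Tuple[int, ...]:
    """Derive which cipher modules (by pool index) form the cascade for one message.

    The selection is a keyed function of the master key and a per-message
    counter, so it changes from message to message and is unknown to anyone
    without the key.  HMAC-SHA256 is used as the selection PRF; that choice
    and the label layout are assumptions of this example.
    """
    chosen = []
    for layer in range(layers):
        label = b"cipher-select|%d|%d" % (message_number, layer)
        digest = hmac.new(master_key, label, hashlib.sha256).digest()
        # Reduce the 256-bit PRF output modulo the pool size; the bias is
        # negligible for pool sizes far below 2**256.
        chosen.append(int.from_bytes(digest, "big") % pool_size)
    return tuple(chosen)


def layer_subkey(master_key: bytes, message_number: int, layer: int) -> bytes:
    """Independent per-layer key ("each with its own key"), so recovering one
    layer's key reveals nothing about the others."""
    label = b"layer-key|%d|%d" % (message_number, layer)
    return hmac.new(master_key, label, hashlib.sha256).digest()


def exposed_fraction(master_key: bytes, broken: set, messages: int) -> float:
    """Fraction of the first `messages` messages whose every cascade layer
    uses a cipher in the `broken` set.

    A message is exposed only if all of its layers are broken; a single
    broken module on its own exposes nothing.
    """
    exposed = 0
    for n in range(messages):
        if all(idx in broken for idx in select_cascade(master_key, n)):
            exposed += 1
    return exposed / messages


def expected_exposure(broken_count: int, pool_size: int = POOL_SIZE,
                      layers: int = LAYERS) -> float:
    """Analytic value: each layer independently hits a broken cipher with
    probability k/N, so a fraction (k/N)**layers of messages is fully exposed.
    With pool_size=1 and layers=1 this is the single-cipher case: all or nothing."""
    return (broken_count / pool_size) ** layers


if __name__ == "__main__":
    key = b"constructed-demo-master-key"  # constructed sample key
    print("cascade for message 0:", select_cascade(key, 0))
    print("cascade for message 1:", select_cascade(key, 1))
    print("ordered selections possible:", POOL_SIZE ** LAYERS)
    # Suppose the opponents have broken 100 of the 1000 modules.
    broken = set(range(100))
    print("expected exposure:", expected_exposure(len(broken)))
    print("simulated exposure over 20000 messages:",
          exposed_fraction(key, broken, 20000))
    print("single cipher, once broken:", expected_exposure(1, pool_size=1, layers=1))
```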

The Cipher Strength Delusion

It is well-known and universally accepted that any cipher _might_ be weak. When ciphers have been extensively analyzed, this possibility has generally been thought unlikely. But examination of what we know and what we cannot know shows that we have no basis for estimating such a possibility: We thus have no grounds for assuming cipher failure to be "unlikely." The immediate consequence of such a realization is that we need to do something about this in real systems.

The Probability or Risk of Cipher Failure Delusion

The Confidence and Trust Delusion

The "No Other Choice" Delusion

The "Multi-Ciphering is Bad" Delusion

The "It's Not What You Say, It's Who Your Are" Delusion


Contents


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 02 Apr 1999 19:03:38 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3705141b.4312658@news.io.com References: 7e2vge$o82$1@nnrp1.dejanews.com 7e2br4$7i3$1@nnrp1.dejanews.com Newsgroups: alt.security.pgp,sci.crypt Lines: 58

On Fri, 02 Apr 1999 17:41:35 GMT, in 7e2vge$o82$1@nnrp1.dejanews.com, in sci.crypt ssimpson@hertreg.ac.uk wrote:

[...] The point of that section of the document was that an adversary is not aware of which algorithm you use....They have no method of detecting whether TEA, Blowfish, IDEA, 3DES etc is used. Both PGPDisk & Bestcrypt plainly state the algorithm employed.

So, to "brute force" a ScramDisk container an adversary has to effectively try all 10 ciphers, whereas to brute force other products containers they only have to try 1 cipher. Is this snake oil? No.

For some years I have been promoting the idea of using multiple ciphers, but my argument is different:

  1. I see little keyspace (brute-force search) advantage with just a few ciphers. If we had a robust industry of replaceable cipher modules, with tens of thousands of possibilities and growing all the time, then we get some keyspace. But with just 10 ciphers, the keyspace advantage is lost in the noise of attacks which need 2**43 known-plaintexts.

  2. The big advantage of having a huge number of ciphers is the burden it places on any Opponent, who necessarily must keep up. Opponents must distinguish each cipher, obtain it, break it, then construct software and perhaps even hardware to automate the process. Given a continuous production of large numbers of new ciphers, I believe that "keeping up" must have a terrible cost that not even a country can afford.

  3. The risk of using a single popular cipher (no matter how extensively analyzed) is that a vast amount of information is protected by one cipher. This makes that cipher a special target -- a contest with a payoff far beyond the games we normally play. I think we want to avoid using such a cipher.

  4. To make the cost of multiple ciphers real, we cannot keep using the same cipher, but instead must use different (new) ciphers periodically. We will want to use the same cipher-system, so our system must support "clip-in" modules for ciphers which have not yet been written.

  5. One of the facts of ciphering life is that we cannot prove the strength of any cipher. Even NIST review and group-cryptanalysis does not give us proven strength in a cipher, so any cipher we select might be already broken, and we would not know. We cannot change this, but we can greatly improve our odds as a user, by multi-ciphering under different ciphers. Doing this means an Opponent must break all of those ciphers -- not just one -- to expose our data. I like the idea of having three layers of different cipher, each with its own key.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 02 Apr 1999 18:37:41 -0500 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 370554C5.156E@worldnet.att.net References: 3705141b.4312658@news.io.com Newsgroups: alt.security.pgp,sci.crypt Lines: 65

Terry Ritter wrote:

The point of that section of the document was that an adversary is not aware of which algorithm you use....They have no method of detecting whether TEA, Blowfish, IDEA, 3DES etc is used. Both PGPDisk & Bestcrypt plainly state the algorithm employed.

So, to "brute force" a ScramDisk container an adversary has to effectively try all 10 ciphers, whereas to brute force other products containers they only have to try 1 cipher. Is this snake oil? No. /...../ 2. The big advantage of having a huge number of ciphers is the burden it places on any Opponent, who necessarily must keep up. Opponents must distinguish each cipher, obtain it, break it, then construct software and perhaps even hardware to automate the process. Given a continuous production of large numbers of new ciphers, I believe that "keeping up" must have a terrible cost that not even a country can afford.


And how about a "variable" cipher? The one whose philosophy will be based on 1. a big number of key-derived S-boxes 2. a plaintext-dependent sequence of invocation for these S-boxes. In the case where there will be enough plaintext-dependent variability, no two plaintexts will be encrypted along the same sequence. This will be essentially equivalent to adding the plaintext space and the key space together. With all the additional effort for the attacker.

  3. The risk of using a single popular cipher (no matter how extensively analyzed) is that a vast amount of information is protected by one cipher. This makes that cipher a special target -- a contest with a payoff far beyond the games we normally play. I think we want to avoid using such a cipher.

  4. To make the cost of multiple ciphers real, we cannot keep using the same cipher, but instead must use different (new) ciphers periodically. We will want to use the same cipher-system, so our system must support "clip-in" modules for ciphers which have not yet been written.


A long overdue problem - standard cipher-to-application interface.

  5. One of the facts of ciphering life is that we cannot prove the strength of any cipher. Even NIST review and group-cryptanalysis does not give us proven strength in a cipher, so any cipher we select might be already broken, and we would not know. We cannot change this, but we can greatly improve our odds as a user, by multi-ciphering under different ciphers. Doing this means an Opponent must break all of those ciphers -- not just one -- to expose our data. I like the idea of having three layers of different cipher, each with its own key.

Have a little pity for the export bureaucrats! They are kind enough to allow exporting three different ciphers, and now you want to use their kindness to show all the world that their export regulations can be circumvented and that they are not worth the paper they are printed on.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM

Best wishes                 BNK

Subject: Re: Announce - ScramDisk v2.02h Date: Sun, 04 Apr 1999 03:46:48 GMT From: lyeoh@pop.jaring.nospam.my (Lincoln Yeoh) Message-ID: 3706da06.2109438@nntp.jaring.my References: 3705141b.4312658@news.io.com Newsgroups: alt.security.pgp,sci.crypt Lines: 47

On Fri, 02 Apr 1999 19:03:38 GMT, ritter@io.com (Terry Ritter) wrote:

  5. One of the facts of ciphering life is that we cannot prove the strength of any cipher. Even NIST review and group-cryptanalysis does not give us proven strength in a cipher, so any cipher we select might be already broken, and we would not know. We cannot change this, but we can greatly improve our odds as a user, by multi-ciphering under different ciphers. Doing this means an Opponent must break all of those ciphers -- not just one -- to expose our data. I like the idea of having three layers of different cipher, each with its own key.

Yeah. I like the idea of superencryption too, and I don't know why so few people seem to like it. So far I have not had a good answer to how an attacker would know if he or she has succeeded.

In fact I'd go further- by having layers of many and not just 3 layers of encryption, and each layer not leaking any headers at all, the attacker's work will be very much harder, even if each layer is just 40 bit crypto.

I would think if we use ciphers A, B, C in such a headerless manner, A.B.C is unlikely to be weaker than either A or B or C alone, despite some FUD about "cipher interaction", heck if such an effect was likely we'd see more cryptographers encrypting stuff with various other ciphers to decrypt it.

Since no one can prove a single cipher is secure, it is hubris to assume that one cipher is better than the rest or that one can even select a single preferred one. For high confidentiality one could perhaps super encrypt data with the top 6 AES contenders.

As for cpu consumption, I'm wondering if chaining reduced round ciphers together would be too risky. But your point about having a large pool of ciphers can help here. With the number of possibilities, analysis could be come prohibitive. The opponent may just have to resort to brute force - trying out various keys with various ciphers.

I'm wondering if cryptanalysis of plaintext encrypted with ABCDEFG be different from analysis of AGDCBEF?

Have fun!

Link.


Reply to: @Spam to lyeoh at @people@uu.net pop.jaring.my @



Subject: Re: Announce - ScramDisk v2.02h Date: 9 Apr 1999 11:10:56 GMT From: aph@cygnus.remove.co.uk (Andrew Haley) Message-ID: 7ekn80$kc1$1@korai.cygnus.co.uk References: 3706da06.2109438@nntp.jaring.my Newsgroups: sci.crypt Lines: 16

[ Newsgroups list trimmed ]

Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote:

: I like the idea of superencryption too, and I don't know why so few people seem to like it. So far I have not had a good answer to how an attacker would know if he or she has succeeded.

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

Of course, your attacker must now analyze the compound cipher, which is almost certainly harder to do than attacking a single cipher.

Andrew.


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 17:10:12 GMT From: ritter@io.com (Terry Ritter) Message-ID: 370e33ea.2675997@news.io.com References: 7ekn80$kc1$1@korai.cygnus.co.uk Newsgroups: sci.crypt Lines: 39

On 9 Apr 1999 11:10:56 GMT, in 7ekn80$kc1$1@korai.cygnus.co.uk, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote:

[ Newsgroups list trimmed ]

Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote:

: I like the idea of superencryption too, and I don't know why so few people seem to like it. So far I have not had a good answer to how an attacker would know if he or she has succeeded.

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does not know "which systems you're using." Kerckhoff's maxim does not apply.

I suggest that each communication include a small encrypted control channel, over which a continuous conversation of what ciphers to use next takes place. This would be an automatic negotiation, somewhat like occurs in modern modems, from cipher selections approved by the users (or their security people).

Of course, your attacker must now analyze the compound cipher, which is almost certainly harder to do than attacking a single cipher.

Yes. Even if each cipher used has known weaknesses, those may not be exploitable in the multi-ciphering case.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Announce - ScramDisk v2.02h Date: 9 Apr 1999 13:16:35 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 7elg63$eeq$1@quine.mathcs.duq.edu References: 370e33ea.2675997@news.io.com Newsgroups: sci.crypt Lines: 32

In article 370e33ea.2675997@news.io.com, Terry Ritter ritter@io.com wrote:

On 9 Apr 1999 11:10:56 GMT, in 7ekn80$kc1$1@korai.cygnus.co.uk, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote:

[ Newsgroups list trimmed ]

Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote:

: I like the idea of superencryption too, and I don't know why so few people seem to like it. So far I have not had a good answer to how an attacker would know if he or she has succeeded.

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does not know "which systems you're using." Kerckhoff's maxim does not apply.

Unfortunately, this isn't the case.

If the system is dynamically selected by keying, then the exact selection becomes part of the key. If you are taking a set of cyphers and reordering them, Kerckhoff's maxim suggests that you have to assume that the attacker knows the set of cyphers and just doesn't know the order.

-kitten

Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 18:06:51 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 370E79FB.5B1C@worldnet.att.net References: 7elg63$eeq$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 27

Patrick Juola wrote:
>
> In article 370e33ea.2675997@news.io.com, Terry Ritter ritter@io.com wrote:
> >But
> >if the ciphers are dynamically selected by keying, or just dynamically
> >selected frequently by communications under cipher, the attacker does
> >not know "which systems you're using." Kerckhoff's maxim does not
> >apply.
>
> Unfortunately, this isn't the case.
>
> If the system is dynamically selected by keying, then the exact
> selection becomes part of the key. If you are taking a set of cyphers
> and reordering them, Kerckhoff's maxim suggests that you have to assume
> that the attacker knows the set of cyphers and just doesn't know
> the order.
>
> -kitten

It all depends on the numbers in question. If there are 2,3,10, even 100 ciphers, you can afford an exhaustive search, but what if there are 2^16 ciphers (or 2^16 variations of the base cipher), what then? Essentially you are adding together the key space and the ciphers space, with the corresponding increase of problems for an attacker.

Best wishes                  BNK

Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 22:24:20 GMT From: ritter@io.com (Terry Ritter) Message-ID: 370e7e04.21648784@news.io.com References: 7elg63$eeq$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 47

On 9 Apr 1999 13:16:35 -0500, in 7elg63$eeq$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

In article 370e33ea.2675997@news.io.com, Terry Ritter ritter@io.com wrote:

On 9 Apr 1999 11:10:56 GMT, in 7ekn80$kc1$1@korai.cygnus.co.uk, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote:

[...] The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does not know "which systems you're using." Kerckhoff's maxim does not apply.

Unfortunately, this isn't the case.

If the system is dynamically selected by keying, then the exact selection becomes part of the key.

Which of course means that the dynamic selection is not subject to Kerckhoff's maxim. End case 1.

If you are taking a set of cyphers and reordering them, Kerckhoff's maxim suggests that you have to assume that the attacker knows the set of cyphers and just doesn't know the order.

First of all, this is not true if we have a dynamically-expanding set of ciphers. Every cipher is only "known" to the Opponents after they have identified it, acquired it, analyzed it, and, presumably, broken it. All this necessarily takes time, and this time works for the user and against the attacker.

But even if The Opponents do know the set of existing ciphers, when the ciphers used are selected by some periodic random selection, there is secret information which is not exposed. This is a sort of keying. We cannot simply assume that it is exposed. End case 2.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 9 Apr 1999 11:31:40 -0700 From: "Harvey Rook" redrook@someyahoo.com Message-ID: 7elhhc$ic6@news.dns.microsoft.com References: 370e33ea.2675997@news.io.com Newsgroups: sci.crypt Lines: 65

Terry Ritter ritter@io.com wrote in message news:370e33ea.2675997@news.io.com...

On 9 Apr 1999 11:10:56 GMT, in 7ekn80$kc1$1@korai.cygnus.co.uk, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote:

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does not know "which systems you're using." Kerckhoff's maxim does not apply.

This is incorrect. By Kerckhoff's maxim, you have to assume your attacker has a copy of your deciphering machine. If he has a copy of your deciphering machine, the attacker can figure out the algorithm you use to select ciphers. Once he knows the algorithm used to select ciphers, super-encipherment only doubles or triples the amount of time needed to brute force. You'd be much better off adding an extra byte to your key.

I suggest that each communication include a small encrypted control channel, over which a continuous conversation of what ciphers to use next takes place. This would be an automatic negotiation, somewhat like occurs in modern modems, from cipher selections approved by the users (or their security people).

Of course, your attacker must now analyze the compound cipher, which is almost certainly harder to do than attacking a single cipher.

Yes. Even if each cipher used has known weaknesses, those may not be exploitable in the multi-ciphering case.

It's only harder by one or two orders of magnitude. Computers built 3 years from now will have enough power to compensate for this difference. Adding an extra byte to your key makes the problem harder by 4 to 8 orders of magnitude. This is much harder to attack, yet it's simpler and cleaner to analyze. Simple, clean systems are much less likely to have holes.

Unexpected weaknesses in ciphers designed by good cryptographers (Say Rivest, or Schneier) are very unlikely to appear. Remember DES, after 25 years of analysis, is still only vulnerable to a brute force attack. I'd be willing to bet that RC-6 and TwoFish will withstand the same scrutiny.

Security breaks down because of bad passwords and poor protocols. Not because of cipher weakness. Plan your system accordingly, or you are deluding yourself.

Harv RedRook At Zippy The Yahoo Dot Com Remove the Zippy The to send email.


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 22:24:44 GMT From: ritter@io.com (Terry Ritter) Message-ID: 370e7e29.21686311@news.io.com References: 7elhhc$ic6@news.dns.microsoft.com Newsgroups: sci.crypt Lines: 104

On Fri, 9 Apr 1999 11:31:40 -0700, in 7elhhc$ic6@news.dns.microsoft.com, in sci.crypt "Harvey Rook" redrook@someyahoo.com wrote:

Terry Ritter ritter@io.com wrote in message news:370e33ea.2675997@news.io.com...

On 9 Apr 1999 11:10:56 GMT, in 7ekn80$kc1$1@korai.cygnus.co.uk, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote:

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does not know "which systems you're using." Kerckhoff's maxim does not apply.

This is incorrect. By Kerckhoff's maxim, you have to assume your attacker has a copy of your deciphering machine. If he has a copy of your deciphering machine, the attacker can figure out the algorithm you use to select ciphers.

That is no more true than saying that the attacker can figure out the message key or the initialization vector. We assume the system has some reliable random source to make such values. Similar values select what ciphers to use in what order. And this should change frequently.

Once he knows the algorithm used to select ciphers, super-encipherment only doubles or triples the amount of time needed to brute force. You'd be much better off adding an extra byte to your key.

The issue is far beyond increasing the keyspace, since that would take a huge number of ciphers. The issue instead is about spreading messages among many different ciphers, thus forcing The Opponents to "keep up" by identifying, acquiring, attacking, and breaking a continuing flow of new ciphers. This forces The Opponents to invest far more, and breaking any of these gains them far less. Note the contrast to the current situation, where only a few main ciphers are used, so only those need be broken.

[...] Yes. Even if each cipher used has known weaknesses, those may not be exploitable in the multi-ciphering case.

It's only harder by one or two orders of magnitude.

Well, let's see: Suppose we have about 4K ciphers. By selecting 3 at random, we have about 4k**3 selections. This is somewhat larger than "two orders of magnitude."

But, again, the issue is not really the increase in keyspace. The issue is that The Opponents have to increase their analysis budget by, say, a factor of 1k. And even when they are successful, they get at most 1 message out of 1k. And we reduce that to 1 in 1k*1k*1k by using 3 layers of cipher.

Computers built 3 years from now will have enough power to compensate for this difference. Adding an extra byte to your key makes the problem harder by 4 to 8 orders of magnitude. This is much harder to attack, yet it's simpler and cleaner to analyze. Simple, clean systems are much less likely to have holes.

Using a layered structure is far, far simpler than trying to analyze a cipher to the degree of predicting that one cipher is stronger than another by n orders of magnitude. Neither value is known, so we can hardly compare them.

Unexpected weaknesses in ciphers designed by good cryptographers (Say Rivest, or Schneier) are very unlikely to appear.

Sorry. That is an insupportable statement (and of course unprovable). Being a crypto god does not prevent mistakes.

Remember DES, after 25 years of analysis, is still only vulnerable to a brute force attack.

Also insupportable: DES may have a fast break right now, and if it does, would those who have it have told you? Yet you feel free to assume that there is no break. Good for you. Now prove it.

I'd be willing to bet that RC-6 and TwoFish will withstand the same scrutiny.

But that is hardly science or even rational reasoning, is it?


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 9 Apr 1999 18:58:49 -0700 From: "Harvey Rook" redrook@someyahoo.com Message-ID: 7emb5m$iq2@news.dns.microsoft.com References: 370e7e29.21686311@news.io.com Newsgroups: sci.crypt Lines: 161

My comments within... Terry Ritter ritter@io.com wrote in message news:370e7e29.21686311@news.io.com...

On Fri, 9 Apr 1999 11:31:40 -0700, in 7elhhc$ic6@news.dns.microsoft.com, in sci.crypt "Harvey Rook" redrook@someyahoo.com wrote:

This is incorrect. By Kerckhoff's maxim, you have to assume your attacker has a copy of your deciphering machine. If he has a copy of your deciphering machine, the attacker can figure out the algorithm you use to select ciphers.

That is no more true than saying that the attacker can figure out the message key or the initialization vector. We assume the system has some reliable random source to make such values. Similar values select what ciphers to use in what order. And this should change frequently.

The reliable random source must be communicated to both the encryptor and the decryptor. Because it's transmitted or shared, you must assume the attacker has intercepted it. Because the attacker has intercepted it, the attacker knows what ciphers you are using.

Once he knows the algorithm used to select ciphers, super-encipherment only doubles or triples the amount of time needed to brute force. You'd be much better off adding an extra byte to your key.

The issue is far beyond increasing the keyspace, since that would take a huge number of ciphers. The issue instead is about spreading messages among many different ciphers, thus forcing The Opponents to "keep up" by identifying, acquiring, attacking, and breaking a continuing flow of new ciphers. This forces The Opponents to invest far more, and breaking any of these gains them far less. Note the contrast to the current situation, where only a few main ciphers are used, so only those need be broken.

Good ciphers cannot be instantly generated. They must be individually scrutinized and tested. If you don't do that, you are setting yourself up for failure.

[...] Yes. Even if each cipher used has known weaknesses, those may not be exploitable in the multi-ciphering case.

It's only harder by one or two orders of magnitude.

Well, let's see: Suppose we have about 4K ciphers. By selecting 3 at random, we have about 4k**3 selections. This is somewhat larger than "two orders of magnitude."

But, again, the issue is not really the increase in keyspace. The issue is that The Opponents have to increase their analysis budget by, say, a factor of 1k. And even when they are successful, they get at most 1 message out of 1k. And we reduce that to 1 in 1k*1k*1k by using 3 layers of cipher.

Why is this not the same as increasing key space? The algorithms you use to choose the ciphers must be transmitted to the decryptor. Once the attacker intercepts this, he can deduce the ciphers used.

Which would you rather trust, one well analyzed cipher with 140 bits of key, or 4096 ciphers that probably aren't well analyzed, 128 bits of key, and some mechanism to flip between the ciphers.

Computers built 3 years from now will have enough power to compensate for this difference. Adding an extra byte to your key makes the problem harder by 4 to 8 orders of magnitude. This is much harder to attack, yet it's simpler and cleaner to analyze. Simple clean systems are much less likely to have holes.

Using a layered structure is far, far simpler than trying to analyze a cipher to the degree of predicting that one cipher is stronger than another by n orders of magnitude. Neither value is known, so we can hardly compare them.

Unexpected weaknesses in ciphers designed by good cryptographers (say Rivest, or Schneier) are very unlikely to appear.

Sorry. That is an insupportable statement (and of course unprovable). Being a crypto god does not prevent mistakes.

Correct. However, because many ciphers have a similar structure, an advance in discrete mathematics needed to crack one well designed cipher would most likely apply to many ciphers. If you have some kind of scheme that allowed you to generate thousands of ciphers, then it is very likely that the weakness would apply to all.

I think it's very unlikely that someone could generate 4096 ciphers that don't share a common weakness, and still properly analyze all of them. Even if they did, the selection of which ciphers to use is part of the key. Brute forcing an N bit key plus K bits of which-cipher material takes O(2^(N+K)). Brute forcing an N+K bit key also takes O(2^(N+K+b)).

See, for every cipher you add, there is an equivalent scheme with only one cipher that has the same key size.

I dare you to name a relevant security breakdown in the past 20 years that was not the result of poor key management, or poor protocol design. We have good algorithms. Good security comes not from flipping between the algorithms, but from using the algorithms properly.

Remember DES, after 25 years of analysis, is still only vulnerable to a brute force attack.

Also insupportable: DES may have a fast break right now, and if it does, would those who have it have told you? Yet you feel free to assume that there is no break. Good for you. Now prove it.

In the same vein, prove to me that a significant percentage of your 4096 ciphers will be strong. Unless a cipher is widely scrutinized, by many intelligent people, you must assume it is weak. A solid analysis of 4096 ciphers would take decades. We need good security now.

It is usually impossible to prove an impossibility. In the absence of proof you have to bet on the evidence. We have evidence that a few ciphers are strong. We also have evidence that most ciphers are weak.

I'd be willing to bet that RC-6 and TwoFish will withstand the same scrutiny.

But that is hardly science or even rational reasoning, is it?

The scientific principle is observe, hypothesize, experiment, repeat. I can observe that one cipher looks strong. I can form hypotheses about its strengths and weaknesses. I can test these hypotheses, and I can repeat until I trust.

With thousands of ciphers, I probably could not observe that they all look strong. There are too many of them. The analysis would be overwhelming. How can I go from this state, to hypothesizing that combining them would be secure?

Harv RedRook At Some Yahoo Dot Com Remove the Some to send email.


Subject: Re: Announce - ScramDisk v2.02h Date: Sat, 10 Apr 1999 03:56:08 GMT From: ritter@io.com (Terry Ritter) Message-ID: 370ecbaa.2845710@news.io.com References: 7emb5m$iq2@news.dns.microsoft.com Newsgroups: sci.crypt Lines: 252

On Fri, 9 Apr 1999 18:58:49 -0700, in 7emb5m$iq2@news.dns.microsoft.com, in sci.crypt "Harvey Rook" redrook@someyahoo.com wrote:

My comments within... Terry Ritter ritter@io.com wrote in message news:370e7e29.21686311@news.io.com...

On Fri, 9 Apr 1999 11:31:40 -0700, in 7elhhc$ic6@news.dns.microsoft.com, in sci.crypt "Harvey Rook" redrook@someyahoo.com wrote:

This is incorrect. By Kerchhoff's maxim, you have to assume your attacker has a copy of your deciphering machine. If he has a copy of your deciphering machine, the attacker can figure out the algorithm you use to select ciphers.

That is no more true than saying that the attacker can figure out the message key or the initialization vector. We assume the system has some reliable random source to make such values. Similar values select what ciphers to use in what order. And this should change frequently.

The reliable random source must be communicated to both the encryptor and the decryptor. Because it's transmitted or shared, you must assume the attacker has intercepted it. Because the attacker has intercepted it, the attacker knows what ciphers you are using.

That is false. It is always necessary to transport keys in some way. But whatever way this is done -- by courier, multiple channels, or authenticated public key -- random message key values are known by both ends. That keying value can be used to select ciphers.

In practice, I would expect background negotiation between the cipher programs to occur with each message transmission, and produce a new cipher set with each message or every couple of messages.

Once he knows the algorithm used to select ciphers, super-encipherment only doubles or triples the amount of time needed to brute force. You'd be much better off adding an extra byte to your key.

The issue is far beyond increasing the keyspace, since that would take a huge number of ciphers. The issue instead is about spreading messages among many different ciphers, thus forcing The Opponents to "keep up" by identifying, acquiring, attacking, and breaking a continuing flow of new ciphers. This forces The Opponents to invest far more, and breaking any of these gains them far less. Note the contrast to the current situation, where only a few main ciphers are used, so only those need be broken.

Good ciphers cannot be instantly generated. They must be individually scrutinized and tested. If you don't do that, you are setting yourself up for failure.

Look around: My guess is that we could probably point to hundreds of cipher designs which now exist. This is in an environment where there is no recognition of the value of multiple ciphers, and no common interface to handle plug-in cipher components. Were the environment to change, I think we could easily see 500 ciphers in a few years, and tens of thousands of ciphers in a couple of decades.

[...] Yes. Even if each cipher used has known weaknesses, those may not be exploitable in the multi-ciphering case.

It's only harder by one or two orders of magnitude.

Well, let's see: Suppose we have about 4K ciphers. By selecting 3 at random, we have about 4k**3 selections. This is somewhat larger than "two orders of magnitude."

But, again, the issue is not really the increase in keyspace. The issue is that The Opponents have to increase their analysis budget by, say, a factor of 1k. And even when they are successful, they get at most 1 message out of 1k. And we reduce that to 1 in 1k*1k*1k by using 3 layers of cipher.

Why is this not the same as increasing key space? The algorithms you use to choose the ciphers must be transmitted to the decryptor. Once the attacker intercepts this, he can deduce the ciphers used.

Certainly, the cipher selection amounts to a sort of key, but this would be a one-time message key or initialization vector, as opposed to a repeatedly-used user key.

Which would you rather trust, one well analyzed cipher with 140 bits of key, or 4096 ciphers that probably aren't well analyzed, 128 bits of key, and some mechanism to flip between the ciphers.

I take the 4096 ciphers, and I have explained why: First, the multi-cipher situation forces any Opponent whatsoever to keep up in a process which is vastly more expensive for them than for us. Next, we divide our total traffic among many different ciphers. So even if an Opponent breaks a cipher, the best they can hope for is 1/n of the traffic. And in the multi-ciphering case, they don't even get that.

As to "trust," you should be aware that there is no way to prove strength, to measure strength, to build strength or test strength. Any "trust" of a cipher is a delusion only. For example, the best cryptanalysis can do is find weakness, and this only helps if weakness is actually found. If no weakness is found, cryptanalysis does not testify to strength.

Personally, I think we are better off with user selection (e.g., "I use what my friend uses," or "We bought a custom cipher subscription") than any standard picked by a central authority.

Computers built 3 years from now will have enough power to compensate for this difference. Adding an extra byte to your key makes the problem harder by 4 to 8 orders of magnitude. This is much harder to attack, yet it's simpler and cleaner to analyze. Simple clean systems are much less likely to have holes.

Using a layered structure is far, far simpler than trying to analyze a cipher to the degree of predicting that one cipher is stronger than another by n orders of magnitude. Neither value is known, so we can hardly compare them.

Unexpected weaknesses in ciphers designed by good cryptographers (say Rivest, or Schneier) are very unlikely to appear.

Sorry. That is an insupportable statement (and of course unprovable). Being a crypto god does not prevent mistakes.

Correct. However, because many ciphers have a similar structure, an advance in discrete mathematics needed to crack one well designed cipher would most likely apply to many ciphers. If you have some kind of scheme that allowed you to generate thousands of ciphers, then it is very likely that the weakness would apply to all.

Certainly any cipher designer will have his bag of tricks. One might expect that some of those tricks would be risky, but hardly all. And the vast number of designers would be using many different approaches. It seems extremely unlikely that a single breakthrough would affect them all. Indeed, the unexpected break would be far, far more likely (and far, far more serious) if we have just one standard cipher.

I think it's very unlikely that someone could generate 4096 ciphers that don't share a common weakness, and still properly analyze all of them. Even if they did, the selection of which ciphers to use is part of the key. Brute forcing an N bit key plus K bits of which-cipher material takes O(2^(N+K)). Brute forcing an N+K bit key also takes O(2^(N+K+b)).

See, for every cipher you add, there is an equivalent scheme with only one cipher that has the same key size.

Only in the sense that the meta cipher has various components, but these are unknown until they are written. That meta cipher does not exist until nobody is writing new ciphers anymore.

I dare you to name a relevant security breakdown in the past 20 years that was not the result of poor key management, or poor protocol design.

DES keyspace.

We have good algorithms. Good security comes not from flipping between the algorithms, but from using the algorithms properly.

In the present tense, it is certain that this rarely happens now. But the opportunity is available for the future.

Remember DES, after 25 years of analysis, is still only vulnerable to a brute force attack.

Also insupportable: DES may have a fast break right now, and if it does, would those who have it have told you? Yet you feel free to assume that there is no break. Good for you. Now prove it.

In the same vein, prove to me that a significant percentage of your 4096 ciphers will be strong. Unless a cipher is widely scrutinized, by many intelligent people, you must assume it is weak. A solid analysis of 4096 ciphers would take decades. We need good security now.

First of all, ciphers should be selected by users, and your so-called strength is up to them. If a cipher is found weak in some academic paper, the users may choose to disable that cipher from further use, or not. In contrast, if the one standard cipher is found weak, there is no real alternative, and no process for making that change.

Significant security is provided simply by partitioning the message space into many different ciphers; by having a continuing flow of new ciphers; and by making multi-ciphering an expected process. This is security added to any set of ciphers which may already exist.

Any widely scrutinized cipher could be used in this process, and would not be weakened by it. The many-cipher situation can only improve things, not weaken what is already there.

It is usually impossible to prove an impossibility. In the absence of proof you have to bet on the evidence. We have evidence that a few ciphers are strong. We also have evidence that most ciphers are weak.

In the absence of proof of strength, it is foolish to bet that a particular cipher is strong. The best bet is to use multiple ciphers at the same time, change ciphers often, and be prepared to disable particular ciphers at the first sign of trouble.

I'd be willing to bet that RC-6 and TwoFish will withstand the same scrutiny.

But that is hardly science or even rational reasoning, is it?

The scientific principle is observe, hypothesize, experiment, repeat. I can observe that one cipher looks strong. I can form hypotheses about its strengths and weaknesses. I can test these hypotheses, and I can repeat until I trust.

No, you cannot test strength. Neither can anyone else. That is the problem.

With thousands of ciphers, I probably could not observe that they all look strong. There are too many of them. The analysis would be overwhelming. How can I go from this state, to hypothesizing that combining them would be secure?

By observing that any one cipher that you do accept can be part of a stack. That would give you 2 changing ciphers, the ability to switch to another if you get bad news, and the knowledge that any hidden break to your favorite cipher is protected by the rest of the stack.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Announce - ScramDisk v2.02h Date: Mon, 12 Apr 1999 10:31:55 GMT From: ssimpson@hertreg.ac.uk Message-ID: 7esi2r$cct$1@nnrp1.dejanews.com References: 7elhhc$ic6@news.dns.microsoft.com Newsgroups: sci.crypt Lines: 41

In article 7elhhc$ic6@news.dns.microsoft.com, "Harvey Rook" redrook@someyahoo.com wrote:

Terry Ritter ritter@io.com wrote in message news:370e33ea.2675997@news.io.com...

On 9 Apr 1999 11:10:56 GMT, in 7ekn80$kc1$1@korai.cygnus.co.uk, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote:

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does not know "which systems you're using." Kerckhoff's maxim does not apply.

This is incorrect. By Kerchhoff's maxim, you have to assume your attacker has a copy of your deciphering machine. If he has a copy of your deciphering machine, the attacker can figure out the algorithm you use to select ciphers.

Make the cipher selection(s) dependent on additional key material?

Once he knows the algorithm used to select ciphers, super-encipherment only doubles or triples the amount of time needed to brute force. You'd be much better off adding an extra byte to your key.

Depends on the method of selection, range of ciphers and number we are willing to employ to encrypt one message, doesn't it?

Sam Simpson Comms Analyst -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site.

-----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own


Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 18:28:10 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 370E7EFA.7BB2@worldnet.att.net References: 370e33ea.2675997@news.io.com Newsgroups: sci.crypt Lines: 19

Terry Ritter wrote:
> .................
> >Of course, your attacker must now analyze the compound cipher, which
> >is almost certainly harder to do than attacking a single cipher.
>
> Yes. Even if each cipher used has known weaknesses, those may not be
> exploitable in the multi-ciphering case.
>
> ---
> Terry Ritter ritter@io.com http://www.io.com/~ritter/
> Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM

A practical suggestion: what if we would initialize BLOWFISH not with the digits of 'pi', but with some other constant - e, sqrt(2), sin(1)...? How many different ciphers can we generate from the same base algorithm, and how big will the additional effort to break them all be? Especially if dynamically selected...

Best wishes BNK


Subject: Re: Announce - ScramDisk v2.02h Date: Mon, 12 Apr 1999 10:26:58 GMT From: ssimpson@hertreg.ac.uk Message-ID: 7eshpd$c28$1@nnrp1.dejanews.com References: 7ekn80$kc1$1@korai.cygnus.co.uk Newsgroups: sci.crypt Lines: 39

Why not make cipher selection for the compound cipher part of the key? The first one or two bytes of the key could be used to select 3 (or whatever number is desirable) ciphers out of a pool of equally good ciphers.

This sounds (imho) like a good idea - as long as there are no disastrously weak combinations of ciphers.

Comments?

Sam Simpson Communications Analyst -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site.

In article 7ekn80$kc1$1@korai.cygnus.co.uk, aph@cygnus.remove.co.uk (Andrew Haley) wrote:

[ Newsgroups list trimmed ]

Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote:

: I like the idea of superencryption too, and I don't know why so few
: people seem to like it. So far I have not had a good answer to how
: an attacker would know if he or she has succeeded.

The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using.

Of course, your attacker must now analyze the compound cipher, which is almost certainly harder to do than attacking a single cipher.

Andrew.

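Ritter's point above that the cipher selection is per-message key material rather than the long-lived user key, together with Simpson's suggestion of making the selection depend on additional key material, worked through as an added example; this is not code from any poster or from ScramDisk. Assumptions not in the posts: ciphers are addressed by index 0..N-1, the selection is expanded from a per-message random key with HMAC-SHA256 (a stand-in for whatever keyed PRF a real system would use), and each layer of the stack gets its own derived subkey.

```python
"""Keyed cipher-stack selection from a pool of ciphers (added example)."""
import hashlib
import hmac
import os

POOL_SIZE = 4096   # "about 4K ciphers", as in the thread
LAYERS = 3         # "selecting 3 at random"


def new_message_key() -> bytes:
    """Fresh per-message random value; in a deployed system this is the
    message key / IV that both ends already share."""
    return os.urandom(32)


def _prf_stream(key: bytes, label: bytes):
    """Counter-mode HMAC-SHA256 stream yielding 16-bit values (assumed PRF)."""
    counter = 0
    while True:
        block = hmac.new(key, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        counter += 1
        for i in range(0, len(block), 2):
            yield int.from_bytes(block[i:i + 2], "big")


def select_stack(message_key: bytes, pool_size: int = POOL_SIZE,
                 layers: int = LAYERS) -> list:
    """Pick `layers` distinct cipher indices from the pool, driven only by the
    per-message key (the selection is message-key material, not the user key).
    Rejection sampling keeps the choice free of modulo bias."""
    if not 0 < layers <= pool_size <= 65536:
        raise ValueError("need 0 < layers <= pool_size <= 65536")
    limit = 65536 - (65536 % pool_size)   # largest multiple of pool_size
    chosen = []
    for v in _prf_stream(message_key, b"cipher-select"):
        if v >= limit:
            continue                       # reject instead of biasing
        idx = v % pool_size
        if idx not in chosen:              # distinct ciphers in one stack
            chosen.append(idx)
            if len(chosen) == layers:
                return chosen


def layer_keys(user_key: bytes, message_key: bytes, stack: list) -> list:
    """One independent 32-byte subkey per layer, bound to the layer position
    and the cipher index so no two layers are keyed identically."""
    keys = []
    for pos, idx in enumerate(stack):
        info = b"layer" + bytes([pos]) + idx.to_bytes(2, "big")
        keys.append(hmac.new(user_key, message_key + info,
                             hashlib.sha256).digest())
    return keys


def exposure(num_messages: int, broken: set, pool_size: int = POOL_SIZE,
             layers: int = LAYERS, seed: bytes = b"sim") -> tuple:
    """Simulate traffic with fresh message keys. Returns (fraction of messages
    that use at least one broken cipher, fraction whose every layer is broken).
    Only the second fraction is readable by an opponent under multi-ciphering."""
    touched = fully = 0
    for n in range(num_messages):
        # deterministic stand-in for new_message_key(), so runs are repeatable
        mk = hashlib.sha256(seed + n.to_bytes(4, "big")).digest()
        stack = select_stack(mk, pool_size, layers)
        hits = sum(1 for c in stack if c in broken)
        touched += hits > 0
        fully += hits == layers
    return touched / num_messages, fully / num_messages
```

With a pool of 8 and two layers, `exposure(1000, {0}, pool_size=8, layers=2)` shows about a quarter of the messages touching the broken cipher but none fully exposed, which is the "1/n of the traffic, and in the multi-ciphering case not even that" argument in numbers.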


Subject: Re: Announce - ScramDisk v2.02h Date: Mon, 12 Apr 1999 15:30:03 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.117bdb60312a13119899e2@news.rmi.net References: 7eshpd$c28$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 16

In article 7eshpd$c28$1@nnrp1.dejanews.com, ssimpson@hertreg.ac.uk says...

Why not make cipher selection for the compound cipher part of the key? The first one or two bytes of the key could be used to select 3 (or whatever number is desirable) ciphers out of a pool of equally good ciphers.

This sounds (imho) like a good idea - as long as there are no disastrously weak combinations of ciphers.

This might optimize speed slightly, but I don't see it helping security. If you're going to include code for a number of forms of encryption, from a viewpoint of security, you might as well just always use ALL the forms of encryption supported, and use the entire key as a key instead of some of it as a key and some to select the method(s) of encryption to be used.


Subject: Re: Announce - ScramDisk v2.02h Date: 22 Apr 1999 20:02:39 -0700 From: mskala@ansuz.sooke.bc.ca. (Matthew Skala) Message-ID: 7fonsf$so3$1@ruby.ansuz.sooke.bc.ca References: MPG.117bdb60312a13119899e2@news.rmi.net Newsgroups: sci.crypt Lines: 18

In article MPG.117bdb60312a13119899e2@news.rmi.net, Jerry Coffin jcoffin@taeus.com wrote:

security. If you're going to include code for a number of forms of encryption, from a viewpoint of security, you might as well just always use ALL the forms of encryption supported, and use the entire

Speed. If you use all the ciphers to encrypt the whole file, it may take you a very long time. But here's another idea: use some sort of all-or-nothing scheme, so attackers have to attack the entire file at once, and then encrypt, say, the first block with IDEA, the second block with Blowfish, the third with 3DES, the fourth with SCOTT19U, and so on.
I'm not fully up on how well all-or-nothing schemes work, but it seems like it should be possible to require the attackers to break all the ciphers, while still not having to do all the ciphers on all the blocks.

Matthew Skala Ansuz BBS (250) 472-3169 http://www.islandnet.com/~mskala/

                        GOD HATES SPAM
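Skala's all-or-nothing idea above, carried through as an added example that is not code from the thread: Rivest's package transform, followed by round-robin assignment of the resulting pseudo-message blocks to the ciphers named in the post. HMAC-SHA256 truncated to one block stands in for the block cipher E(k, x) of the original transform, the public key K0 is an assumed fixed constant, and the cipher names are labels only, not implementations of those ciphers.

```python
"""Package transform (all-or-nothing) before per-block cipher assignment.
Added example; HMAC-SHA256 is an assumed stand-in for the block cipher E."""
import hashlib
import hmac
import os

BLOCK = 16
K0 = b"\x00" * BLOCK          # fixed public key of the transform (assumption)
CIPHER_POOL = ["IDEA", "Blowfish", "3DES", "SCOTT19U"]   # names from the post


def F(key: bytes, x: bytes) -> bytes:
    """Keyed block function standing in for E(key, x); returns one block."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _idx(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")


def _pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def package(msg: bytes, kprime: bytes = b"") -> list:
    """Return n+1 pseudo-message blocks. Block n holds the random K' masked by
    a hash chain over every other block, so all blocks are needed to recover
    any of them."""
    kprime = kprime or os.urandom(BLOCK)
    padded = _pad(msg)
    m = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    mp = [_xor(m[i], F(kprime, _idx(i + 1))) for i in range(len(m))]
    last = kprime
    for i, blk in enumerate(mp):
        last = _xor(last, F(K0, _xor(blk, _idx(i + 1))))
    return mp + [last]


def unpackage(blocks: list) -> list:
    """Invert package(). Every input block feeds the recovered K', so one
    damaged or missing block garbles every output block."""
    *mp, last = blocks
    kprime = last
    for i, blk in enumerate(mp):
        kprime = _xor(kprime, F(K0, _xor(blk, _idx(i + 1))))
    return [_xor(blk, F(kprime, _idx(i + 1))) for i, blk in enumerate(mp)]


def recover_message(blocks: list) -> bytes:
    return _unpad(b"".join(unpackage(blocks)))


def assign_ciphers(blocks: list, pool: list = CIPHER_POOL) -> list:
    """Round-robin: block i is encrypted with pool[i % len(pool)], as the post
    describes; an opponent must strip every cipher to undo the package."""
    return [(i, pool[i % len(pool)]) for i in range(len(blocks))]
```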

Subject: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 07:31:40 -0700 From: Sundial Services info@sundialservices.com Message-ID: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 18

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 17:28:13 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 37176a30.4219613@news.prosurfr.com References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 111

Sundial Services info@sundialservices.com wrote, in part:

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Looking at this paragraph, and your title, my initial reaction was to say that you were wrong - block cipher designers do recognize the importance of nonlinearity, and thus in virtually every block cipher you will find an S-box.

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

Dynamic Substitution is a good idea, and an original one. And since I consider the SIGABA to be an admirable design, I started to warm to you at this point.

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

Now this is a question I've been asking myself.

But there are answers to it.

But an academic researcher isn't going to take time studying a cipher that is so big and complicated that there is no hope of coming away with an impressive result - and so big and complicated that even trying to understand it would consume an enormous amount of time and effort.

Thus, designs that are intentionally limited - to one basic type of round, to one underlying principle - have an advantage over designs based on the principle that security is the only goal. They might be less intrinsically secure, but they have a better chance of being able to (appear to) prove (indicate with some tendency to confidence) that they do have a certain level of security.

Although I do understand the rationale behind the "received wisdom", that doesn't mean I fully accept it. In practice, when using cryptography, security is what counts; and advances are being made both in the theory of cryptanalysis and in the speed and power of computer chips at a great rate.

Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

Hence, I have played with designs that don't just use "simple operations". They do incorporate a lot from the designs of the real experts in the field, compared to which I am a mere amateur, but they go on from there to pile on a higher level of complication than seen in the well-known designs.

Take a look at my Quadibloc II and Quadibloc III designs, in

http://members.xoom.com/quadibloc/co040705.htm

for example. I think they may address your concern - although they may not go far enough.

One thing I very definitely don't want to do is to go around like certain posters on this NG, and claim that a cipher must be as complicated as these designs of mine in order to be secure. That simply isn't true.

And it is also true that a strong cipher isn't a guarantee of security; designing ciphers may be fun, but preventing data from leaking out the back door is hard work.

While I respect the knowledge and ability of the acknowledged experts in the field, where I think I part company with Bruce Schneier and others is in the following:

I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

John Savard (teneerf is spelled backwards) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 20:20:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37179b67.12809750@news.io.com References: 37176a30.4219613@news.prosurfr.com Newsgroups: sci.crypt Lines: 129

On Fri, 16 Apr 1999 17:28:13 GMT, in 37176a30.4219613@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

[...]

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

We would like to think that the more we use a cipher, the more confidence we can have in it. We can build confidence in a ciphering program, as to whether or not it crashes and so on. But since our Opponents do not tell us of their success, we do not know that our cipher was successful at hiding data. And we cannot have confidence in a result without knowing what that result is.

[...] But an academic researcher isn't going to take time studying a cipher that is so big and complicated that there is no hope of coming away with an impressive result - and so big and complicated that even trying to understand it would consume an enormous amount of time and effort.

It is always nice to find something important which is easy to do. That would be the academic equivalent of "Make Easy Money Now."

It may be unfortunate for academic cryptographers that a wide variety of new techniques are pioneered by non-academics. But those techniques exist nevertheless, and to the extent that academics do not investigate them, those academics are not up with the state of the art.

It is not, frankly, the role of the innovator to educate the academics, or even to serve technology to them on a silver platter. In the end, academic reputation comes from reality, and the reality is that many crypto academics avoid anything new which does not have an academic source. The consequence is that they simply do not have the background to judge really new designs.

Thus, designs that are intentionally limited - to one basic type of round, to one underlying principle - have an advantage over designs based on the principle that security is the only goal. They might be less intrinsically secure, but they have a better chance of being able to (appear to) prove (indicate with some tendency to confidence) that they do have a certain level of security.

Upon encountering a new design, anyone may choose to simplify that design and then report results from that simplification. This is done all the time. It is not necessary for an innovator to make a simplified design for this purpose.

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

[...] Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

[...] While I respect the knowledge and ability of the acknowledged experts in the field, where I think I part company with Bruce Schneier and others is in the following:

I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time. That means that we can divide the worth of our information into many different ciphers, so that if any one fails, only a fraction of messages are exposed. It also means that any Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

Neat.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 14:06:57 -0700 From: "Steven Alexander" steve@cell2000.net Message-ID: jKNR2.591$%L2.8044@news6.ispnews.com References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 32

  • Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No.....

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

my $.02...-steven


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 22:32:57 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3717ba72.20758328@news.io.com References: jKNR2.591$%L2.8044@news6.ispnews.com Newsgroups: sci.crypt Lines: 87

On Fri, 16 Apr 1999 14:06:57 -0700, in jKNR2.591$%L2.8044@news6.ispnews.com, in sci.crypt "Steven Alexander" steve@cell2000.net wrote:

[...] I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No.....

I don't think that you understand the point that Schneier and others have made.
If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it.

This is seriously disturbing: The issue is not who makes a thing, but instead what the thing actually is. Deliberately judging a design in the context of who made it is actually anti-scientific, and should be widely denounced as the superstition it is.

But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work.

Nonsense. Knowing how to break some ciphers does not mean that you know how ciphers work. That idea is the point "that Schneier and others have made" and it is a fantasy. It is especially fantastic when ciphers use technology which academics have ignored. But in any case, without a LOWER bound on strength, academics REALLY do not even know that ciphers work at all, let alone how.

But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts.

Nonsense. There is no such conclusion. Ciphers do not ripen like cheese.

We first of all do not know how many attacks were made (if any), nor how much effort was placed into them. Attacks made by experienced, well-paid, well-motivated teams with all the equipment they need are quite different from those of single individuals working at a desk at night and coming up with a new mathematical equation. Not finding an equation does not mean some team has not had success.

We only know what success is reported in the academic literature. Unfortunately, when we use a cipher, we are very rarely concerned whether academics can break our cipher or not. We are instead concerned about "bad guys," and they don't tell us when they have been successful.

So this delay -- supposedly for gaining confidence -- in reality tells us nothing at all about the strength of the cipher.

We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

As I recall, Schneier and others claim that cryptanalysis is how we know the strength of a cipher. It is not. Cryptanalysis can only show weakness, only that when it is successful, and even then it only gives us the latest upper bound.

But the main problem is not knowing the strength of new ciphers, but rather knowing the strength of old ciphers: we are actually using the old ciphers. When ciphers have been in long use there is a delusion that we know their strength and can use them as a benchmark against new ciphers. Absent a non-zero LOWER bound on strength, this is false on both counts.

As I recall, in his comments on AES, Schneier has said that simply finding a cryptanalytic weakness in one of the designs would be sufficient to remove it from competition, even if the weakness was impractical. He would thus have us believe that the lack of information about weakness in one cipher is superior to information of impractical weakness in another cipher. I disagree.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 15:41:12 -0700 From: "Steven Alexander" steve@cell2000.net Message-ID: X6PR2.1145$5E.10730@news7.ispnews.com References: 3717ba72.20758328@news.io.com Newsgroups: sci.crypt Lines: 18

I think the point that Schneier and others have made, which I personally agree with, is that no cipher is "secure". We can however put more trust into an algorithm that has undergone more cryptanalysis and has been tested against the newest cryptanalytic techniques because we know what will not break the cipher. I personally would not trust any algorithm that I and other motivated people had not tested. I also think that understanding how to break ciphers gives a better knowledge of how to build ciphers because you know what can break them. This is why some of the best security experts are hackers...they know how to get in. You cannot prevent your computer from being hacked if you do not know what means someone will use to break in. It would be like building large stone walls around a military base and not expecting someone to fly over and drop a bomb...if you don't know that airplanes and bombs can destroy your base as well as ground troops...you've already lost.

-steven


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 23:53:14 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3717cd62.25607206@news.io.com References: X6PR2.1145$5E.10730@news7.ispnews.com Newsgroups: sci.crypt Lines: 61

On Fri, 16 Apr 1999 15:41:12 -0700, in X6PR2.1145$5E.10730@news7.ispnews.com, in sci.crypt "Steven Alexander" steve@cell2000.net wrote:

I think the point that Schneier and others have made, which I personally agree with, is that no cipher is "secure".

I think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

We can however put more trust into an algorithm that has undergone more cryptanalysis and has been tested against the newest cryptanalytic techniques because we know what will not break the cipher.

Nope. Simply because "we" cannot break it does not mean that others cannot break it. We are not confronting our clones: our Opponents know more than we do, and are probably smarter as well.

I personally would not trust any algorithm that I and other motivated people had not tested.

But there is no test for strength.

I also think that understanding how to break ciphers

But there is no one way, nor any fixed set of ways, which are "how to break ciphers." No matter how much you "understand," there is more to know. That is the problem.

gives a better knowledge of how to build ciphers because you know what can break them.

One proper role for cryptanalysis is to support the design of ciphers.

This is why some of the best security experts are hackers...they know how to get in. You cannot prevent your computer from being hacked if you do not know what means someone will use to break in. It would be like building large stone walls around a military base and not expecting someone to fly over and drop a bomb...if you don't know that airplanes and bombs can destroy your base as well as ground troops...you've already lost.

Then you are lost. Neither you nor anybody else can predict every possible way to attack a cipher or a base.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 17:05:05 -0700 From: "Steven Alexander" steve@cell2000.net Message-ID: xlQR2.1311$5E.12276@news7.ispnews.com References: 3717cd62.25607206@news.io.com Newsgroups: sci.crypt Lines: 19

What exactly is your suggestion for the creation of a cipher in which we can place our trust? The best we can do at any one point is to create a cipher that is secure against the attacks that we know of. If we do not know of many attacks this will not entail much. If we have a group of the best cryptanalysts who analyze a cipher and find no vulnerabilities, this does not mean that any vulnerabilities do not exist...it only means that those that we know of...and variations thereof do not exist in that cipher. This gives us a degree of trust in the cipher. In RSA for example, we believe that the only way to break the cipher is to factor n. If I find a new way to factor n in just a couple of minutes on your typical PC the cipher is broken. However, the odds that someone will invent a way to factor that is so phenomenally better is very unlikely. If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

-steven


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 04:39:12 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3718105d.5227815@news.io.com References: xlQR2.1311$5E.12276@news7.ispnews.com Newsgroups: sci.crypt Lines: 58

On Fri, 16 Apr 1999 17:05:05 -0700, in xlQR2.1311$5E.12276@news7.ispnews.com, in sci.crypt "Steven Alexander" steve@cell2000.net wrote:

What exactly is your suggestion for the creation of a cipher in which we can place our trust?

Absent a theory or overall test of strength, there can be no trust in a cipher. All the trust one can have is delusion.

The best we can do at any one point is to create a cipher that is secure against the attacks that we know of. If we do not know of many attacks this will not entail much. If we have a group of the best cryptanalysts who analyze a cipher and find no vulnerabilities, this does not mean that any vulnerabilities do not exist...it only means that those that we know of...and variations thereof do not exist in that cipher.

Exactly.

This gives us a degree of trust in the cipher.

What most people want is a strong cipher. Absent evidence of strength there is no basis for such trust.

In RSA for example, we believe that the only way to break the cipher is to factor n. If I find a new way to factor n in just a couple of minutes on your typical PC the cipher is broken. However, the odds that someone will invent a way to factor that is so phenomenally better is very unlikely.

This is a disturbingly unwarranted statement: Nobody has any idea what the true odds are, so we cannot infer that they are good or bad.

If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

Actually, I think there are better ways. For one thing we can use very simple constructs with few types of component, each of which can be fully understood for what it does. For another we can design scalable ciphers that can be scaled down to experimental size.

However, the real issue is that while supposedly everyone knows that any cipher can be weak, there has been essentially no attention given to protocols which deal with this problem.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 22:09:10 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371a5737.341699@news.prosurfr.com References: xlQR2.1311$5E.12276@news7.ispnews.com Newsgroups: sci.crypt Lines: 18

"Steven Alexander" steve@cell2000.net wrote, in part:

If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

You are right that avoiding known weaknesses is important, and understanding cryptanalysis is important.

However, I think that there is a "better way to design ciphers" than to place too much faith in the present knowledge of cryptanalysis. A cipher should be designed conservatively: not just in the sense of having a few extra rounds, but in the sense of having extra complexities in its design far beyond those needed (nonlinear S-boxes, irregularities in the key schedule) to frustrate known methods of attack.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 23:55:28 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804992355290001@dial-243-098.itexas.net References: 371a5737.341699@news.prosurfr.com Newsgroups: sci.crypt Lines: 26

In article 371a5737.341699@news.prosurfr.com, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

"Steven Alexander" steve@cell2000.net wrote, in part:

If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

You are right that avoiding known weaknesses is important, and understanding cryptanalysis is important.

However, I think that there is a "better way to design ciphers" than to place too much faith in the present knowledge of cryptanalysis. A cipher should be designed conservatively: not just in the sense of having a few extra rounds, but in the sense of having extra complexities in its design far beyond those needed (nonlinear S-boxes, irregularities in the key schedule) to frustrate known methods of attack.

A good trick is to telescope complexities into new primitives if you can. Multiple layers of appropriate complexity do work, but the cost is diversified in several directions.

A new random permutation generator: You put X windoze machines in a room, merely start them up, and record the order in which they eventually crash on their own.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 02:22:42 GMT From: fqkhuo@gmrvavvrcd.fl (ybizmt) Message-ID: slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq References: 3717cd62.25607206@news.io.com Newsgroups: sci.crypt Lines: 9

On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter ritter@io.com wrote:

I think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

Refresh my memory. What do you sell?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 04:39:19 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37181072.5248874@news.io.com References: slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq Newsgroups: sci.crypt Lines: 26

On Sat, 17 Apr 1999 02:22:42 GMT, in slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq, in sci.crypt fqkhuo@gmrvavvrcd.fl (ybizmt) wrote:

On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter ritter@io.com wrote:

I think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

Refresh my memory. What do you sell?

Just the truth, lately.

I just find it an interesting coincidence when people promote errors in reasoning which just happen to benefit their business.

On the other hand, promoting truths which also happen to benefit one's business seems not nearly as disturbing.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 01:49:42 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193a36.0@ecn.ab.ca References: 3717ba72.20758328@news.io.com Newsgroups: sci.crypt Lines: 15

Terry Ritter (ritter@io.com) wrote:
: This is seriously disturbing: The issue is not who makes a thing, but
: instead what the thing actually is. Deliberately judging a design in
: the context of who made it is actually anti-scientific, and should be
: widely denounced as the superstition it is.

That's true if judging a cipher that way is used as a substitute for actual analytical study of the cipher itself by a competent individual. Where the services of an expert are not available, or there is insufficient time to fully evaluate all candidate ciphers for an application, choosing a cipher from a respected source is not "superstition", and it is the kind of choice people make all the time: i.e., when shopping for a new computer.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:03:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf99f.7573878@news.io.com References: 37193a36.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 33

On 18 Apr 99 01:49:42 GMT, in 37193a36.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Terry Ritter (ritter@io.com) wrote:
: This is seriously disturbing: The issue is not who makes a thing, but
: instead what the thing actually is. Deliberately judging a design in
: the context of who made it is actually anti-scientific, and should be
: widely denounced as the superstition it is.

That's true if judging a cipher that way is used as a substitute for actual analytical study of the cipher itself by a competent individual. Where the services of an expert are not available, or there is insufficient time to fully evaluate all candidate ciphers for an application, choosing a cipher from a respected source is not "superstition", and it is the kind of choice people make all the time: i.e., when shopping for a new computer.

Is shopping for a cipher like shopping for a new computer? Yes, I think so, but this situation is not a technical discussion between people of expertise but, rather, ordinary users who really have no choice but to rely upon promotion and rumor.

When experts themselves cannot fully characterize the strength of a system specifically designed to produce strength, we know we are in trouble. It's just that this is the way it's always been, and most of us forgot what it means. It does not mean that we must rely upon the same promotion and rumor as ordinary users.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:50:19 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2004992250200001@dial-243-073.itexas.net References: 371cf99f.7573878@news.io.com Newsgroups: sci.crypt Lines: 14

In article 371cf99f.7573878@news.io.com, ritter@io.com (Terry Ritter) wrote:
>
> Is shopping for a cipher like shopping for a new computer? Yes, I
> think so, but this situation is not a technical discussion between
> people of expertise but, rather, ordinary users who really have no
> choice but to rely upon promotion and rumor.

I wonder if the FTC has a role in determining if claims are reasonable. They would have to yield to NSA for expertise? Perhaps we can try to shift burden directly to government to prove strength, therefore making them show their hand.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:28:46 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990028460001@dial-243-079.itexas.net References: jKNR2.591$%L2.8044@news6.ispnews.com Newsgroups: sci.crypt Lines: 35

In article jKNR2.591$%L2.8044@news6.ispnews.com, "Steven Alexander" steve@cell2000.net wrote:

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

You are still living in the same furrow. What matters is whether a cipher is good, and it will be so regardless of confidence bestowed by some select group fixated on a remarkably few, perhaps some wrong, design criteria.

Converting unearned trust into acceptability can make a poor cipher pass for more than it is, and cause a great cipher to not get any attention. Your statement unfortunately often is a self-fulfilling prophecy that certain ciphers of a narrow nature will be given undue attention and consequently are more likely to get accepted. I would rather that people learn to not follow the leader so closely; it's a big world out there worth exploring cryptologically.

One thing I do like about the AES process is that there was some diversity, not enough, but some. Unfortunately, the target was more influenced by those who were creatures of the furrow.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 20:36:40 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 37192918.13924DDE@aspi.net References: jKNR2.591$%L2.8044@news6.ispnews.com Newsgroups: sci.crypt Lines: 50

Steven Alexander wrote:

  • Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No.....

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

But even granting that I would prefer to purchase cryptographic products from a professional rather than an amateur, all this changes is the unit of measure. Instead of measuring the quality of the product we'll end up measuring the quality of the author. Now it's hard enough to define a unit of measure for ciphers. Imagine defining the unit of measure for cipher designers.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is. We've got good mathematical tools and good software engineering tools, but the toolbox for the crypto designer is mostly defined in the negative; by the toolbox of the crypto analyst.

When we have crypto-engineering standards similar to civil-engineering standards, we'll have a mature science (and very little excitement :-).


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:28:12 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990028130001@dial-243-094.itexas.net References: 37192918.13924DDE@aspi.net Newsgroups: sci.crypt Lines: 35

In article 37192918.13924DDE@aspi.net, "Trevor Jackson, III" fullmoon@aspi.net wrote:

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

But even granting that I would prefer to purchase cryptographic products from a professional rather than an amateur, all this changes is the unit of measure. Instead of measuring the quality of the product we'll end up measuring the quality of the author. Now it's hard enough to define a unit of measure for ciphers. Imagine defining the unit of measure for cipher designers.

The most professional cryptographic designers, the opponents, in the world have offered of late...dung.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is. We've got good mathematical tools and good software engineering tools, but the toolbox for the crypto designer is mostly defined in the negative; by the toolbox of the crypto analyst.

So they would have you believe.

When we have crypto-engineering standards similar to civil-engineering standards, we'll have a mature science (and very little excitement :-).

Over standardization, regulation, formalization, and authoritarization has killed many a good field. Maturation is not the enemy of creative, but wheeler-dealer, power-sponges, who imagine that everyone else must follow their lead, are.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 21 Apr 1999 15:43:53 -0400 From: budney@peregrine.maya.com (Leonard R. Budney) Message-ID: m3d80xwyh2.fsf@peregrine.maya.com References: 37192918.13924DDE@aspi.net Newsgroups: sci.crypt Lines: 66

"Trevor Jackson, III" fullmoon@aspi.net writes:

Steven Alexander wrote:

If I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break it will be listened to because I am known to be knowledgeable in how ciphers work...

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

An appeal to authority is invalid under two conditions. First, if the claim is subject to rigorous proof--making opinion irrelevant. Second, if the authority appealed to is not a legitimate authority in a relevant area. See <http://www.nizkor.org/features/fallacies/appeal-to-authority.html>.

When rigorous proof is not available, then the opinion of an expert constitutes the best information to be had. Under that condition, the best expert is the one with the longest experience and the most successes.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is.

Perhaps, but not necessarily. It is probable that Goedel's Incompleteness Theorem implies that the strength of at least some algorithms cannot be determined, even theoretically (forgive my speculating aloud here). Further, it might turn out that all 'measurable' algorithms turn out to be weak--with some definition of weak--implying that the non-measurable algorithms are the ONLY interesting ones.

Remember, Fermat's last theorem went unproven for more than 350 years. Huge quantities of number-theoretic research arose directly out of attempts to prove or disprove the theorem.

Remember, too, that many mathematical cranks turned up with "proofs" of Fermat's theorem (and the four color theorem, and...). Call it arrogant, but mathematicians tend to treat them with a priori scepticism, given that 350 years of experts failed to turn up a proof. One is quite justified in seriously doubting that Joe Blow from Podunk has stumbled upon a solution.

Such considerations suggest, at least to me, that "crypto-engineering", by which we might crank out ciphers of known strength, is probably a pipe-dream.

BTW this example has a bearing on our confidence in RSA. It is doubted that polynomial-time factoring of primes is possible, just as it is doubted that NP = P. Further, it is conjectured that cracking RSA without factoring is not possible (absent other data, such as decryption timings). Why are these conjectures made? Because a generation or so of experts and geniuses haven't resolved these problems. If the NSA has, then they've almost certainly made one of the great discoveries of the century. Of course, they're not talking.

Len Budney                 |  Designing a cipher takes only a
Maya Design Group          |  few minutes.  The only problem is
budney@maya.com            |  that almost all designs are junk.
                           |              -- Prof. Dan Bernstein

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Thu, 22 Apr 1999 09:12:49 +0100 From: "Sam Simpson" ssimpson@hertreg.ac.uk Message-ID: 371ed9e2.0@nnrp1.news.uk.psi.net References: m3d80xwyh2.fsf@peregrine.maya.com Newsgroups: sci.crypt Lines: 43

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Leonard R. Budney budney@peregrine.maya.com wrote in message news:m3d80xwyh2.fsf@peregrine.maya.com...

BTW this example has a bearing on our confidence in RSA. It is doubted that polynomial-time factoring of primes is possible, just as it is doubted that NP = P. Further, it is conjectured that cracking RSA without factoring is not possible (absent other data, such as decryption timings).

Actually, certain instances of RSA cannot be equivalent to the underlying IFP (D.Boneh, R.Venkatesan, "Breaking RSA may not be equivalent to factoring").

Cheers,


Sam Simpson Comms Analyst http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site. If you're wondering why I don't reply to Sternlight, it's because he's kill filed. See http://www.openpgp.net/FUD for why!

-----BEGIN PGP SIGNATURE----- Version: 6.0.2ckt http://members.tripod.com/IRFaiad/

iQA/AwUBNx7Z/u0ty8FDP9tPEQJVjwCdElMbx8eOjPva0qOKAkCTzKte+MwAoMoE PG95Mhvh0WP9lAZT5Sw5XwRC =SIRn -----END PGP SIGNATURE-----


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 16 Apr 1999 17:21:22 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 7f89ki$gng$1@quine.mathcs.duq.edu References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 38

In article 37179b67.12809750@news.io.com, Terry Ritter ritter@io.com wrote:

On Fri, 16 Apr 1999 17:28:13 GMT, in 37176a30.4219613@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

[...]

  • Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

I don't believe this; in fact, I think it's total bullshit. It's certainly true that you may not be able to formalize the difference into a p-value, but you're committing a grievous error if you think that something doesn't exist merely because you can't quantify it.

-kitten

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 23:53:19 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3717cd6d.25617381@news.io.com References: 7f89ki$gng$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 53

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

I don't believe this;

It is not necessary for you to believe it: It is what it is.

in fact, I think it's total bullshit.

Then you need to think about it more deeply.

It's certainly true that you may not be able to formalize the difference into a p-value, but you're committing a grievous error if you think that something doesn't exist merely because you can't quantify it.

The issue is not the "formalization" of something we know but cannot quantify, but rather something we actually do not know. When we attempt to formalize what we really do not know we commit logical error. In fact, I would say that this process is in some cases a deliberate attempt to hide these issues from management, command staff and the general user.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 02:28:52 GMT From: fqkhuo@gmrvavvrcd.fl (ybizmt) Message-ID: slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq References: 3717cd6d.25617381@news.io.com Newsgroups: sci.crypt Lines: 26

On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter ritter@io.com wrote:

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Nor is it intended to. Who has ever claimed that analysis equals strength in any field? It is intended to make you more confident that something is strong. No one is saying it proves strength. Not at least trying cryptanalysis on a cipher is stupid, which I'm sure you agree with.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.

Nice rant. Where are you going with this and how does it sell your product?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 04:39:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37181079.5255438@news.io.com References: slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq Newsgroups: sci.crypt Lines: 81

On Sat, 17 Apr 1999 02:28:52 GMT, in slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq, in sci.crypt fqkhuo@gmrvavvrcd.fl (ybizmt) wrote:

On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter ritter@io.com wrote:

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Nor is it intended to. Who has ever claimed that analysis equals strength in any field? It is intended to make you more confident that something is strong. No one is saying it proves strength.

Sure they are. As far as I know, Schneier's point has always been that cryptanalysis is the way we know a cipher's strength. I'm sure he would agree that this is not proof, but I do not agree that it says anything at all. The implication that cryptanalysis would like to promote is indeed that of tested strength.

Not at least trying cryptanalysis on a cipher is stupid which I'm sure you agree with.

I do. But there is no one cryptanalysis. Indeed, there is no end to it. But we do have to make an end before we can field anything. This in itself tells us that cryptanalysis as certification is necessarily incomplete.

Our main problem is that cryptanalysis does NOT say that there is no simpler attack. It does NOT say that a well-examined cipher is secure from your kid sister. Oh, many people will offer their opinion, but you won't see many such claims in scientific papers, because there we expect actual facts, as opposed to wishes, hopes, and dreams.

Cryptanalysis does NOT give us an indication of how much effort our Opponent will have to spend to break the cipher. Yet that is exactly what the cryptanalytic process would like us to believe: That is why we have the process of: 1) design a cipher, and 2) certify the cipher by cryptanalysis. As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.

Nice rant.

Thanks. I suggest you learn it by heart if you intend to depend upon cryptography.

Where are you going with this and how does it sell your product?

This is my bit for public education.

I have no modern products. I do offer cryptographic consulting time, and then I call it as I see it. I also own patented cryptographic technology which could be useful in a wide range of ciphers.

I see no problem with someone promoting what they think is an advance in the field, even if they will benefit. But when reasoning errors are promoted which just happen to benefit one's business -- in fact, a whole sub-industry -- some skepticism seems appropriate. Just once I would like to see delusions promoted which produce less business.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
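Ritter's post above asks for "constructions or protocols which give strength in the context of ciphers which may be weak." The following is an added example, not code from this thread or from any of its participants, of the simplest such construction: a two-layer cascade of keystream ciphers with independent keys, where an Opponent who recovers the key of one layer is left holding ciphertext under the other. The two layers here are assumed stand-ins for two unrelated production ciphers; they are built from Python's standard library as HMAC-SHA256 and HMAC-SHA3-256 in counter mode (two different hash families, so a structural break in one does not obviously carry to the other). The function and variable names are the example's own.

```python
# Added example: a two-layer keystream cascade with independent keys.
# Layer 0 uses HMAC-SHA256, layer 1 uses HMAC-SHA3-256, each as a counter-mode
# keystream generator (an assumption for illustration; each stands in for a
# distinct production cipher with its own key).
import hmac
import os

LAYERS = ("sha256", "sha3_256")  # hash family behind each layer, innermost first


def keystream(key: bytes, nonce: bytes, length: int, hash_name: str) -> bytes:
    """Concatenate HMAC(key, nonce || counter) blocks and truncate to length.
    The nonce must never repeat under the same key, as with any stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hash_name).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, nonce: bytes, data: bytes, hash_name: str) -> bytes:
    """One cipher layer: XOR data with the layer's keystream (self-inverse)."""
    ks = keystream(key, nonce, len(data), hash_name)
    return bytes(a ^ b for a, b in zip(data, ks))


def cascade_encrypt(keys, nonce: bytes, plaintext: bytes) -> bytes:
    """Apply every layer in order. keys[i] is known only to layer i."""
    if len(keys) != len(LAYERS):
        raise ValueError("one independent key per layer is required")
    data = plaintext
    for key, hash_name in zip(keys, LAYERS):
        data = xor_layer(key, nonce, data, hash_name)
    return data


def cascade_decrypt(keys, nonce: bytes, ciphertext: bytes) -> bytes:
    """Peel the layers off in reverse order."""
    if len(keys) != len(LAYERS):
        raise ValueError("one independent key per layer is required")
    data = ciphertext
    for key, hash_name in reversed(list(zip(keys, LAYERS))):
        data = xor_layer(key, nonce, data, hash_name)
    return data


def strip_layer(index: int, key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Model an Opponent who has fully broken exactly one layer (recovered its
    key). What remains is the other layer's ciphertext, not the plaintext."""
    return xor_layer(key, nonce, ciphertext, LAYERS[index])


def demo() -> bool:
    """Round trip, then show that a single-layer break does not expose data."""
    keys = (os.urandom(32), os.urandom(32))   # independent keys, one per layer
    nonce = os.urandom(16)
    plaintext = b"ATTACK AT DAWN"             # constructed sample message
    ct = cascade_encrypt(keys, nonce, plaintext)
    assert cascade_decrypt(keys, nonce, ct) == plaintext
    after_layer0_broken = strip_layer(0, keys[0], nonce, ct)
    after_layer1_broken = strip_layer(1, keys[1], nonce, ct)
    return after_layer0_broken != plaintext and after_layer1_broken != plaintext


if __name__ == "__main__":
    print("single-layer break leaks nothing:", demo())
```

Because the layers are XOR keystreams with independent keys, the composite keystream is the XOR of the two, and it is unpredictable to anyone who lacks either key; the cascade is therefore at least as strong as its stronger layer. That guarantee depends on the keys being independent (deriving both from one master secret reintroduces a single point of failure) and on the nonce never repeating under a given key.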


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 02:05:37 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193df1.0@ecn.ab.ca References: 37181079.5255438@news.io.com Newsgroups: sci.crypt Lines: 16

Terry Ritter (ritter@io.com) wrote: As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

Two comments are warranted here.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 22:04:54 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371a56a8.198396@news.prosurfr.com References: 37193df1.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 23

jsavard@ecn.ab.ca () wrote, in part:

Terry Ritter (ritter@io.com) wrote: As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

Two comments are warranted here.

I should note, though, that I basically agree with your point - and - but I simply think that these two arguments also need to be addressed.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:03:33 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf9af.7589747@news.io.com References: 37193df1.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 28

On 18 Apr 99 02:05:37 GMT, in 37193df1.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Terry Ritter (ritter@io.com) wrote: As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

Two comments are warranted here.

I agree.

You lost me on that one.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 16:12:35 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371df7b2.320404@news.prosurfr.com References: 371cf9af.7589747@news.io.com Newsgroups: sci.crypt Lines: 27

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 02:05:37 GMT, in 37193df1.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

  • And I think you can see why this design process actually increases the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.

You lost me on that one.

When testing a computer system, sometimes a small number of known bugs are deliberately introduced, so that, if not all of those bugs are found, one has an indication that testing should continue (on the assumption that a similar proportion of the unknown bugs really being looked for have not been found yet either).

What I was thinking of here is that the cryptanalyst will find what he knows how to look for; and so, weaknesses beyond the reach of current cryptanalysis won't be found; but if a cipher designed by a non-cryptanalyst did not have a single known weakness (known to the cryptanalysts, not to the designer) then one might have grounds to hope (but, of course, not proof) that unknown weaknesses were scarce as well, while getting rid of the known weaknesses specifically doesn't give any such hope.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 18:59:11 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371e1f94.6051889@news.io.com References: 371df7b2.320404@news.prosurfr.com Newsgroups: sci.crypt Lines: 67

On Wed, 21 Apr 1999 16:12:35 GMT, in 371df7b2.320404@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 02:05:37 GMT, in 37193df1.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

  • And I think you can see why this design process actually increases the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.

You lost me on that one.

When testing a computer system, sometimes a small number of known bugs are deliberately introduced, so that, if not all of those bugs are found, one has an indication that testing should continue (on the assumption that a similar proportion of the unknown bugs really being looked for have not been found yet either).

I believe this is generally called "error injection," and one problem with it is the assumption that the known errors are of the same nature as the unknown errors. Only then can we extrapolate from our results into the unknown. Basically what we measure is the effectiveness of the process which seeks that sort of error -- usually some sort of mechanical error like failing to use the result of some computation. This is not going to work very well when the errors are conceptual in the structure of the computation itself. Error injection is not very useful in asserting that we will get the correct answer to the original problem, and that is the unknown crypto area.

So this doesn't really help us.

What I was thinking of here is that the cryptanalyst will find what he knows how to look for; and so, weaknesses beyond the reach of current cryptanalysis won't be found; but if a cipher designed by a non-cryptanalyst did not have a single known weakness (known to the cryptanalysts, not to the designer) then one might have grounds to hope (but, of course, not proof) that unknown weaknesses were scarce as well, while getting rid of the known weaknesses specifically doesn't give any such hope.

The idea of a brand-new designer with a brand-new design in which no weakness can be found is a silly hope. I suppose it might happen, but it is not the way real things are designed and built. At the very best it is a wish, a dream, something disassociated with practical reality and the design of real things. And the failure of such exaggerated expectations often leads to a supposedly-justified demeaning of the designer as not meeting the goals of the field. This is essentially sick reasoning, because it sets up unreasonable goals, then reacts with staged regret when they are not met.

I claim the main use of cryptanalysis is in the give and take of a design process, not the end game of certification, which is what cryptanalysis cannot do. In fact, academic cryptanalysis generally only reports weakness -- few reports are published that no weakness was found. There is thus no basis even in open cryptography for knowing how many cryptanalytic attempts have been made unsuccessfully, or for taking advantage of the game when a new designer actually does have a design which has no known weakness.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 17 Apr 1999 16:32:27 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 7far4r$htf$1@quine.mathcs.duq.edu References: 3717cd6d.25617381@news.io.com Newsgroups: sci.crypt Lines: 48

In article 3717cd6d.25617381@news.io.com, Terry Ritter ritter@io.com wrote:

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction.

But not-provable is not the same as unknown.

I don't know that Pittsburgh won't be hit by a devastating hurricane in the next month.

But I've got a bright crisp $20 in my pocket that says that it won't.

In a philosophical sense, "knowledge" is a "justified true belief"; I don't have proof that Pittsburgh won't be hit by a hurricane, but I can produce lots and lots of justification.

So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Interesting. So your "rational scientific indication" is that we've got no way of figuring out which side of my Pittsburgh weather bet is the smart one?

I don't believe this;

It is not necessary for you to believe it: It is what it is.

in fact, I think it's total bullshit.

Then you need to think about it more deeply.

I just did. It's still total bullshit.

Knowledge doesn't require proof. Belief doesn't require knowledge. Confidence doesn't even require belief.

-kitten

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 23:40:04 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37191bc9.2524456@news.io.com References: 7far4r$htf$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 85

On 17 Apr 1999 16:32:27 -0400, in 7far4r$htf$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

In article 3717cd6d.25617381@news.io.com, Terry Ritter ritter@io.com wrote:

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction.

But not-provable is not the same as unknown.

I don't know that Pittsburgh won't be hit by a devastating hurricane in the next month.

But I've got a bright crisp $20 in my pocket that says that it won't.

Which means to me that you have some understanding of the risk of hurricanes in Pittsburgh. You get this understanding from reported reality.

Unfortunately, neither you nor anyone else can have a similar understanding of the risk of cipher failure -- there is no reporting of cipher failure. There is instead every effort made to keep that information secret, and in fact to generate false reporting to buoy your unfounded delusion of strength.

In a philosophical sense, "knowledge" is a "justified true belief"; I don't have proof that Pittsburgh won't be hit by a hurricane, but I can produce lots and lots of justification.

Too bad we cannot do the same for a cipher.

So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Interesting. So your "rational scientific indication" is that we've got no way of figuring out which side of my Pittsburgh weather bet is the smart one?

Nonsense. Knowing the past weather in Pittsburgh is possible: Knowing the past strength of a cipher is not.

I don't believe this;

It is not necessary for you to believe it: It is what it is.

in fact, I think it's total bullshit.

Then you need to think about it more deeply.

I just did. It's still total bullshit.

Then you need to think about it even more deeply.

Knowledge doesn't require proof. Belief doesn't require knowledge. Confidence doesn't even require belief.

Fine. I will grant that you can be confident completely independent of reality. Oddly, I assumed that we were talking Science here.

RATIONAL confidence requires a quantification of risk, even if only as a handwave generality. But that is not available in ciphers. Until we have a complete theory of strength, or a complete theory of cryptanalysis, we have no basis by which to judge the risk we take by using any particular cipher.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 01:55:36 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193b98.0@ecn.ab.ca References: 3717cd6d.25617381@news.io.com Newsgroups: sci.crypt Lines: 31

Terry Ritter (ritter@io.com) wrote:

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Yes and no.

Your point is valid, however, what do we do if there is no way to obtain a lower bound on the strength of a cipher? I fear this is quite possible: proving a cipher is strong against attacks we can't even imagine seems to me to be equivalent to solving the halting problem.

Then it does make sense to look at the upper bound, because it's one of the few indications we have. But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:03:47 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf9b7.7597561@news.io.com References: 37193b98.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 55

On 18 Apr 99 01:55:36 GMT, in 37193b98.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Terry Ritter (ritter@io.com) wrote:

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Yes and no.

Your point is valid, however, what do we do if there is no way to obtain a lower bound on the strength of a cipher? I fear this is quite possible:

I agree.

proving a cipher is strong against attacks we can't even imagine seems to me to be equivalent to solving the halting problem.

We have the testimony of 50 years of mathematical cryptography which has not achieved the Holy Grail. I just think reality is trying to tell us something.

Then it does make sense to look at the upper bound, because it's one of the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

I'm not sure I understand this fully.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 16:21:01 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371df919.679323@news.prosurfr.com References: 371cf9b7.7597561@news.io.com Newsgroups: sci.crypt Lines: 37

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 01:55:36 GMT, in 37193b98.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Then it does make sense to look at the upper bound, because it's one of the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

It will definitely be higher than the lower bound, but yes, it doesn't prevent the lower bound from being low.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

Any security audit will have to include a disclaimer that the true security of the cipher systems used is essentially unknowable, but even real-world financial audits do routinely include various sorts of disclaimer.

But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

I'm not sure I understand this fully.

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) could still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 18:59:23 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371e2003.6163199@news.io.com References: 371df919.679323@news.prosurfr.com Newsgroups: sci.crypt Lines: 73

On Wed, 21 Apr 1999 16:21:01 GMT, in 371df919.679323@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 01:55:36 GMT, in 37193b98.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Then it does make sense to look at the upper bound, because it's one of the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

It will definitely be higher than the lower bound, but yes, it doesn't prevent the lower bound from being low.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

Any security audit will have to include a disclaimer that the true security of the cipher systems used is essentially unknowable, but even real-world financial audits do routinely include various sorts of disclaimer.

I think you will find that financial disclaimers are not to avoid responsibility for the financial service supplied. For example, an audit disclaimer might say that the audit results were correct, provided the supplied accounting information was correct. But that is something which is, at least in principle, verifiable.

We don't have financial disclaimers which say that the audit is 90 percent certain to be correct, which is the sort of thing you might like to think that cryptanalytic certification could at least do, since it cannot provide certainty. But the very idea makes no sense. The very companies that need the best auditing might also be the most deceptive and able to hide their manipulations. There is no useful "average" company, and so no useful statistics. Every case is different.

But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

I'm not sure I understand this fully.

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) could still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

We could hardly disagree more.

I find "rounds" (the repeated application of the same operation) silly and I don't use them. I do use "layers" in which different operations are applied in each layer.

And I think that making a cipher more difficult to analyze can only benefit the Opponents who have more resources for analysis. Personally, I try to make ciphers as conceptually simple as possible (though not simpler). Simple does not mean weak; simple means appropriately decomposing the cipher into relatively few types of substantial subcomponent which can be understood on their own, then using those components in clear, structured ways.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 23:41:13 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371e59c7.25432288@news.prosurfr.com References: 371e2003.6163199@news.io.com Newsgroups: sci.crypt Lines: 53

ritter@io.com (Terry Ritter) wrote, in part:

jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) could still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

We could hardly disagree more.

I find "rounds" (the repeated application of the same operation) silly and I don't use them. I do use "layers" in which different operations are applied in each layer.

And I think that making a cipher more difficult to analyze can only benefit the Opponents who have more resources for analysis. Personally, I try to make ciphers as conceptually simple as possible (though not simpler). Simple does not mean weak; simple means appropriately decomposing the cipher into relatively few types of substantial subcomponent which can be understood on their own, then using those components in clear, structured ways.

It certainly does make sense to understand the parts of a cipher, to ensure that the cipher is providing, as a minimum, some basic level of "security": that is, for example, one might know that one's cipher is at least as secure as DES, even if one doesn't know for sure that the effort required to break DES is not trivial.

The original poster - Sundial Services - praised your Dynamic Substitution because it "buries a lot more information" than ordinary designs, and this is the sort of thing I'm thinking of. When I got past his first paragraph, where he seemed to have forgotten about S-boxes, and saw that DynSub and the SIGABA were the kinds of designs he praised, I saw that the kinds of ciphers that appeal to him were the same ones as appeal intuitively to me.

Precisely because you have noted that we don't have a way to put a good lower bound on the effort required to break a cipher, I find it hard to think that I could achieve the goal, for a cipher, that is indeed appropriate for a scientific theory, of making it "as simple as possible, but no simpler"; if I am totally in the dark about how strong a cipher really is, and how astute my adversaries are, that seems an inadvisable goal, because I can never know what is necessary.

Since I have an upper bound instead of a lower bound, unless there is some way to resolve that problem, and your researches may well achieve something relevant, even if not a total solution, all I can do is try for a generous margin of safety. True, it's not proof. But proof isn't available, except for the one-time pad.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:38:15 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990038160001@dial-243-079.itexas.net References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 28

In article 37179b67.12809750@news.io.com, ritter@io.com (Terry Ritter) wrote:

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

It's at least good science, beyond making lots of sense. .....

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time.

I resemble that remark. Better dust off the ole compiler again. More dumb ciphers on the way...

.....The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

It's always difficult to stop a wave, be it composed of hordes of combatants or algorithms.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 20:15:32 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371b8ba8.16131590@news.prosurfr.com References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 116

ritter@io.com (Terry Ritter) wrote, in part:

jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

  • Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

I agree with you that we don't have a way to prove that a cipher really is strong. But cryptanalysis still gives the best confidence currently available.

It is not, frankly, the role of the innovator to educate the academics, or even to serve technology to them on a silver platter. In the end, academic reputation comes from reality, and the reality is that many crypto academics avoid anything new which does not have an academic source. The consequence is that they simply do not have the background to judge really new designs.

That is true: the desires of the academic community aren't a valid excuse for compromising one's cipher designs.

Upon encountering a new design, anyone may choose to simplify that design and then report results from that simplification. This is done all the time. It is not necessary for an innovator to make a simplified design for this purpose.

And that is one of the reasons why.

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

Are you drawing a distinction between "experimental investigation" and "cryptanalysis"? If so, it would appear you are saying that there is an additional method for obtaining some additional, though still imperfect, confidence in a cipher design.

Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

Most cipher users are more worried about their communications being read by the typical computer hacker than by the NSA.

I suppose it's possible that one day a giant EFT heist will be pulled off by retired NSA personnel, but that's the sort of thing which happens far more often as the plot for a movie than in real life.

The problem is, of course, that if one has data that should remain secret for 100 years, one does have to face advances in cryptanalytic knowledge...as well as unimaginable advances in computer power.

I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time. That means that we can divide the worth of our information into many different ciphers, so that if any one fails, only a fraction of messages are exposed. It also means that any Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

Neat.

And of course, I must confess that my present efforts in this direction have not gotten to the point of providing an explicit "toolkit". I've contented myself with explaining, in my web site, a large number of historical designs - with a very limited discussion of cryptanalysis - and I've illustrated how an amateur might design a cipher only by example, with the ciphers of my Quadibloc series, as well as various ideas in the conclusions sections of the first four chapters.

Right now, although my web site is educational, it's also fairly light and entertaining as well: I haven't tried to trouble the reader with any difficult math, for example.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 04:24:33 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371c014c.3018295@news.io.com References: 371b8ba8.16131590@news.prosurfr.com Newsgroups: sci.crypt Lines: 107

On Mon, 19 Apr 1999 20:15:32 GMT, in 371b8ba8.16131590@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part: [...]

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

I agree with you that we don't have a way to prove that a cipher really is strong. But cryptanalysis still gives the best confidence currently available.

I guess I dispute "confidence." Confidence and Trust and Reliability are exactly what we do not have. I cannot say it more clearly: cryptanalysis gives us no lower bound to strength.

As an engineer growing up with an engineer dad, I have lived with bounded specifications most of my life. These bounds are what we pay for in products; this is the performance the manufacturer guarantees. I suppose like me most buyers have been caught at least once by the consequences of getting the cheapest part on the basis of "typical" specs instead of "worst case." But "typical" is all cryptanalysis tells us. Depending on that will sink us, sooner or later.

[...]

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

Are you drawing a distinction between "experimental investigation" and "cryptanalysis"? If so, it would appear you are saying that there is an additional method for obtaining some additional, though still imperfect, confidence in a cipher design.

We were OK up to the "c" word: I assert that we can have no confidence in a cipher. We have no way to prove strength. Any strength we assume is based upon the conceit that all others are just as limited in their capabilities as we are. Drawing conclusions by wishing and hoping the other guy is at least as dumb as us is not my idea of good cryptography.

I do make a distinction (which probably should not exist) between "theoretical" or "equation-based" or "academic" cryptography and experimental investigation. I suppose this is really much like the difference between math and applied math, with much of the same theoretically friendly antagonism.

It is clear that we may never have a provable theory of strength. This may mean that our only possible avenue toward certainty is some sort of exhaustive test. Surely we cannot imagine such testing of a full-size cipher. But if we can scale that same design down, in the same way that small integers work like large ones, maybe we can work with large enough samples of the full population to be able to draw reasonable experimental conclusions.

Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

Most cipher users are more worried about their communications being read by the typical computer hacker than by the NSA.

I suppose it's possible that one day a giant EFT heist will be pulled off by retired NSA personnel, but that's the sort of thing which happens far more often as the plot for a movie than in real life.

The problem is, of course, that if one has data that should remain secret for 100 years, one does have to face advances in cryptanalytic knowledge...as well as unimaginable advances in computer power.

I wrote in a post which I did not send that if only NSA could read my mail, the way it is now, I would not much care. Of course things change in politics, and my view could change as well. But for me, NSA is really just an illustration of the abstract threat.

As I understand security, one of the worst things we can do is to make assumptions about our Opponents which do not represent their full threat capabilities. ("Never underestimate your opponent.") Because of this I am not interested in identifying a cipher Opponent, unless in the process I can identify them as the absolute worst threat and know their capabilities as well. This is obviously impossible. So if we are to enforce our security despite the actions and intents of others, we must assume our Opponents are far more powerful than we know, then learn to deal with that threat.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 19:20:24 +0200 From: Mok-Kong Shen mok-kong.shen@stud.uni-muenchen.de Message-ID: 371CB758.E30A081B@stud.uni-muenchen.de References: 371c014c.3018295@news.io.com Newsgroups: sci.crypt Lines: 17

Terry Ritter wrote:

I guess I dispute "confidence." Confidence and Trust and Reliability are exactly what we do not have. I cannot say it more clearly: cryptanalysis gives us no lower bound to strength.

No intention to take part in the current discussion. But the word 'lower bound' raised an association in my mind to an interesting sentence that A. Salomaa wrote (1990):

There are no provable lower bounds for the amount of work
of a cryptanalyst analyzing a public-key cryptosystem.

M. K. Shen http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 23 Apr 1999 05:39:45 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: 7fp131$dg1$1@news.umbc.edu References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 51

Terry Ritter (ritter@io.com) wrote:

[...]
: It may be unfortunate for academic cryptographers that a wide variety
: of new techniques are pioneered by non-academics. But those
: techniques exist nevertheless, and to the extent that academics do not
: investigate them, those academics are not up with the state of the
: art.

: It is not, frankly, the role of the innovator to educate the
: academics, or even to serve technology to them on a silver platter.
: In the end, academic reputation comes from reality, and the reality is
: that many crypto academics avoid anything new which does not have an
: academic source.

This impression of the academic crypto community as a closed club that ignores the work of outsiders is flat out false. Consider power and timing analysis - the entire area came from the crypto left-field and was pioneered by a recent grad with a B.A. in biology. The work was good, so now he's one of those respected cryptologists. The various attacks I've heard on academics are invariably by those whose work is simply not of the same caliber.

For an example of an idea the crypto community has ignored because it is truly dreadful:

[...]
: And in this way we can have hundreds or thousands of different
: ciphers, with more on the way all the time. That means that we can
: divide the worth of our information into many different ciphers, so
: that if any one fails, only a fraction of messages are exposed.

Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.

: It
: also means that any Opponent must keep up with new ciphers and
: analyze and possibly break each, then design a program, or build new
: hardware to exploit it. We can make good new ciphers cheaper than
: they can possibly be broken. The result is that our Opponents must
: invest far more to get far less, and this advantage does not depend
: upon the delusion of strength which is all that cryptanalysis can
: provide.

Nonsense. The attacker just waits for the information he wants to be transmitted under a system he can break.

--Bryan


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 23 Apr 1999 21:23:23 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 3720e200.23217001@news.prosurfr.com References: 7fp131$dg1$1@news.umbc.edu Newsgroups: sci.crypt Lines: 51

olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:

This impression of the academic crypto community as a closed club that ignores the work of outsiders is flat out false.
Consider power and timing analysis - the entire area came from the crypto left-field and was pioneered by a recent grad with a B.A. in biology. The work was good, so now he's one of those respected cryptologists. The various attacks I've heard on academics are invariably by those whose work is simply not of the same caliber.

I have every respect for the advanced work done by people such as Eli Biham or David Wagner. And you're absolutely right that cryptography, like many other fields, has its cranks and quacks.

However, I don't think it's appropriate to automatically conclude that everyone who expresses concern about the way in which the public cryptography field is going is necessarily a crank. For example, if even a layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that these designs all seem too regular, too repetitious, so that some form of analysis at least seems like it may be someday possible - well, if that is such a silly notion, what are you going to say to the people who designed MARS, who happen to be among the well-qualified?

For an example of an idea the crypto community has ignored because it is truly dreadful:

[...]
: And in this way we can have hundreds or thousands of different
: ciphers, with more on the way all the time. That means that we can
: divide the worth of our information into many different ciphers, so
: that if any one fails, only a fraction of messages are exposed.

Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.

While that is true, that just means that, for internal encryption in an organization, a method should not be used that allows employees to protect company data with ciphers their employer does not trust.

For a program of the PGP type, that lets people exchange E-Mail with other private individuals, allowing each party to specify a choice of preferred ciphers, and yet interoperate within the framework of using the same program, this sort of thing is a good idea.

'Dreadful' is not the same as 'not everywhere applicable'.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 25 Apr 1999 10:58:07 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: 7fusfv$as8$1@news.umbc.edu References: 3720e200.23217001@news.prosurfr.com Newsgroups: sci.crypt Lines: 79

John Savard (jsavard@tenMAPSONeerf.edmonton.ab.ca) wrote:
: olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:

: >This impression of the academic crypto community as a closed
: >club that ignores the work of outsiders is flat out false.
: >Consider power and timing analysis - the entire area came
: >from the crypto left-field and was pioneered by a recent grad
: >with a B.A. in biology. The work was good, so now he's one
: >of those respected cryptologists. The various attacks I've
: >heard on academics are invariably by those whose work is
: >simply not of the same caliber.

: I have every respect for the advanced work done by people such as Eli Biham
: or David Wagner. And you're absolutely right that cryptography, like many
: other fields, has its cranks and quacks.

: However, I don't think it's appropriate to automatically conclude that
: everyone who expresses concern about the way in which the public
: cryptography field is going is necessarily a crank. For example, if even a
: layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that
: these designs all seem too regular, too repetitious, so that some form of
: analysis at least seems like it may be someday possible - well, if that is
: such a silly notion, what are you going to say to the people who designed
: MARS, who happen to be the among the well-qualified?

Quite right, but as I understood Mr. Ritter's statements, he's deriding the crypto establishment for ignoring the work of outsiders. My counter is not that the crypto community is right to generally ignore outsiders, but that in fact they do no such thing.

: >For an example of an idea the crypto community has ignored
: >because it is truly dreadful:

: >[...]
: >: And in this way we can have hundreds or thousands of different
: >: ciphers, with more on the way all the time. That means that we can
: >: divide the worth of our information into many different ciphers, so
: >: that if any one fails, only a fraction of messages are exposed.

: >Absurdly naive. In any real project or real enterprise, the
: >same information is carried by many, many messages. The degree
: >of protection of any piece of intelligence is that of the
: >weakest of the systems carrying it.

: While that is true, that just means that, for internal encryption in an
: organization, a method should not be used that allows employees to protect
: company data with ciphers their employer does not trust.

I agree it means that, but certainly not that it "just means" that. Specifically, it should guide those employers in deciding how many ciphers to designate as trusted.

[...]
: 'Dreadful' is not the same as 'not everywhere applicable'.

True, but I'm saying that in all the real projects or enterprises I know of, an attacker can gain most of the intelligence value in the message traffic by compromising only a small percentage of the messages. Are there projects in which documents do not go through many revisions? In which everyone works with a mutually exclusive subset of the information?

There is a situation worse than having all one's eggs in one basket. The problem with one basket is that there exists a potential failure that would be catastrophic. What's worse is a system in which any one of many possible failures would be catastrophic. If one accepts that in realistic applications of cryptography the same intelligence is available from many messages, then choosing from a thousand ciphers for each message moves us from one potential catastrophic failure to many potential catastrophic failures.

--Bryan
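The eggs-in-baskets argument in the post above can be made quantitative. What follows is an added example of my own construction, not code from the thread or from any of its participants: n ciphers, each assumed to be broken independently with probability p; one piece of intelligence appears in m messages, each encrypted under a cipher chosen uniformly at random from the n; the piece is exposed if any cipher covering one of those messages is broken. The independence and uniform-choice assumptions are simplifications chosen for the model, and the numbers in the demo are constructed.

```python
"""Exposure model for spreading traffic over many ciphers (constructed example).

Each of n ciphers is assumed to be broken, independently, with probability p.
One piece of intelligence is carried by m messages, each encrypted under a
cipher picked uniformly at random from the n.  The piece is exposed as soon
as any cipher covering one of those m messages is broken.
"""
import random


def distinct_cipher_distribution(n, m):
    """Distribution of how many distinct ciphers end up covering m messages
    when each message independently picks one of n ciphers at random."""
    probs = {0: 1.0}
    for _ in range(m):
        nxt = {}
        for d, pr in probs.items():
            # the next message reuses one of the d ciphers already in play ...
            nxt[d] = nxt.get(d, 0.0) + pr * d / n
            # ... or brings a fresh cipher into play
            if d < n:
                nxt[d + 1] = nxt.get(d + 1, 0.0) + pr * (n - d) / n
        probs = nxt
    return probs


def exposure_probability(n, m, p):
    """Exact probability that the piece is exposed.  Condition on the number
    d of distinct ciphers covering it; the piece survives only if all d hold,
    which under independence happens with probability (1 - p)^d."""
    return sum(pr * (1.0 - (1.0 - p) ** d)
               for d, pr in distinct_cipher_distribution(n, m).items())


def simulate_exposure(n, m, p, trials=20000, seed=1):
    """Monte Carlo cross-check of exposure_probability (seeded for
    reproducibility; this is a model, not a security-sensitive use of
    randomness)."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        broken = [rng.random() < p for _ in range(n)]
        if any(broken[rng.randrange(n)] for _ in range(m)):
            exposed += 1
    return exposed / trials


if __name__ == "__main__":
    p = 0.01
    for n in (1, 1000):
        for m in (1, 10, 100):
            print(f"n={n:5d} m={m:4d}  P(exposed)={exposure_probability(n, m, p):.3f}")
```

With a single cipher (n = 1) the exposure probability is p no matter how many messages carry the piece; with many ciphers and m > 1 it climbs toward 1 - (1 - p)^m, which is the "many potential catastrophic failures" point. The m = 1 row is Ritter's case: only one message carries the piece, so a single break exposes a 1/n fraction of the traffic and the piece itself with probability p. The defensive reading is that cipher diversity helps only to the degree that a piece of intelligence is not replicated across messages under different ciphers.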


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 07:02:01 -0700 From: Sundial Services info@sundialservices.com Message-ID: 37232059.4FA1@sundialservices.com References: 7fusfv$as8$1@news.umbc.edu Newsgroups: sci.crypt Lines: 28

: olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:
[...]
: However, I don't think it's appropriate to automatically conclude that
: everyone who expresses concern about the way in which the public
: cryptography field is going is necessarily a crank. For example, if even a
: layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that
: these designs all seem too regular, too repetitious, so that some form of
: analysis at least seems like it may be someday possible ...

I think that this is basically where -I- am coming from. If you look at the design of these Feistel ciphers, well, to me they smack of Enigma, with its clockwork-like rotation of the cipher elements which ultimately proved its downfall. Compare this to SIGABA, which with its many layers of complexity "cascading" upon one another produced what is obviously an extremely strong cipher. There is a LOT more randomness for the cryptographer to figure out.

I stare at this "more stages = more security" story and ponder if, given the extreme regularity of the cipher algorithm, this intuitive notion is actually true. Frankly, I don't believe that it is.

I see no creativity here. (So to speak!!) (So to speak!!!!)

Furthermore... the ciphers are far simpler than they need to be. A computer program can do anything. It can use as much memory as it likes. My 2,048 bit public-key could just as easily be 200K and it would be no more difficult to manage.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 07:04:08 -0700 From: Sundial Services info@sundialservices.com Message-ID: 372320D8.59EC@sundialservices.com References: 37232059.4FA1@sundialservices.com Newsgroups: sci.crypt Lines: 15

Sundial Services wrote: [...]

I think that this is basically where -I- am coming from. If you look at the design of these Feistel ciphers, well, to me they smack of Enigma, with its clockwork-like rotation of the cipher elements which ultimately proved its downfall. Compare this to SIGABA, which with its many layers of complexity "cascading" upon one another produced what is obviously an extremely strong cipher. There is a LOT more randomness for the cryptographer to figure out.

I should clarify my thought here. The layers in SIGABA are not all the same design. The layers in an n-round Feistel cipher are, literally by definition, all the same. And all made of extremely simple primitive operations: bitwise substitution, shifting, exclusive-OR, perhaps multiplication ....


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 15:51:42 GMT From: m@mbsks.franken.de (Matthias Bruestle) Message-ID: 1999Apr25.155142.3195@mbsks.franken.de References: 37232059.4FA1@sundialservices.com Newsgroups: sci.crypt Lines: 28

Mahlzeit

Sundial Services (info@sundialservices.com) wrote:

Furthermore... the ciphers are far simpler than they need to be. A computer program can do anything. It can use as much memory as it likes. My 2,048 bit public-key could just as easily be 200K and it would be no more difficult to manage.

But you wouldn't want to use this key. A 9000-bit key needs about 15 minutes of a 486DX 33MHz CPU. I think the decryption/signing time rises as n^2, so a 200kbit key would require about 100 hours of this CPU. A Pentium 200MHz, not that old, is about 10 times as fast and would require about 10 CPU hours. Would you want to wait 10 hours to read an email?

With all crypto applications there are speed requirements.

Mahlzeit

endergone Zwiebeltuete

-- PGP: SIG:C379A331 ENC:F47FA83D I LOVE MY PDP-11/34A, M70 and MicroVAXII!

Remember, even if you win the rat race -- you're still a rat.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 23:49:11 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2504992349120001@dial-243-065.itexas.net References: 7fusfv$as8$1@news.umbc.edu Newsgroups: sci.crypt Lines: 31

In article 7fusfv$as8$1@news.umbc.edu, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:

> There is a situation worse than having all one's eggs in one basket. The problem with one basket is that there exists a potential failure that would be catastrophic. What's worse is a system in which any one of many possible failures would be catastrophic. If one accepts that in realistic applications of cryptography the same intelligence is available from many messages, then choosing from a thousand ciphers for each message moves us from one potential catastrophic failure to many potential catastrophic failures.

With some effort, but it could be completely automated, using several algorithms, it is reasonable to maximize security available not by living in fear of the weakest algorithm but working to make sure the strongest was included.

Consider the following key handling scheme: An OTP-quality stream key is converted to a number of complementary keys that must all be assimilated to reestablish the real key. Those several keys are encrypted using different algorithms. If any of the several algorithms is broken, it does not matter because all must be broken to get at the real key.

The disadvantages are the combined length of all the keys, and needing them all. A scheme might be devised somewhat similar where only a certain number of the keys would be needed. The result would be the same, shared maximized strength of different algorithms.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.

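The split-key scheme wtshaw sketches above, worked through as an added example that is not code from any participant in this thread: an all-or-nothing XOR split in which every share is required, and the k-of-n variant he alludes to ("only a certain number of the keys would be needed"), which is Shamir secret sharing over a prime field. The field prime (2^521 - 1), the function names and the sample key bytes are this example's own choices. Encrypting each share under a different cipher is the step the post describes and is left outside the snippet; the point the code does show is that an opponent who breaks one cipher and recovers one share (or any k-1 shares) learns nothing about the real key.

```python
"""All-or-nothing XOR splitting and k-of-n Shamir splitting of a key.

Added example for this page, not code from the thread.  Each share would then
be encrypted under a different cipher (not shown): an opponent who breaks one
cipher obtains one share, which by itself says nothing about the key.
"""
from __future__ import annotations
import secrets
from functools import reduce

# Field for Shamir's scheme: the Mersenne prime 2^521 - 1 (our choice here).
# Any secret of up to 64 bytes is an element of GF(P).
P = 2**521 - 1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(secret: bytes, n: int) -> list[bytes]:
    """Split `secret` into n shares; all n are needed, any n-1 reveal nothing."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(reduce(_xor, shares, secret))  # secret XOR all random shares
    return shares


def xor_join(shares: list[bytes]) -> bytes:
    return reduce(_xor, shares)


def _interpolate(points, x: int) -> int:
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) passing through the given (x_i, y_i) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def shamir_split(secret: bytes, k: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares (x, y) of which any k reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n < P) or s >= P:
        raise ValueError("bad parameters")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]

    def poly(x: int) -> int:  # Horner evaluation
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(x, poly(x)) for x in range(1, n + 1)]


def shamir_join(shares, length: int) -> bytes:
    """Recover the secret (as `length` bytes) from any k shares."""
    return _interpolate(shares, 0).to_bytes(length, "big")


def share_consistent_with(partial, x_missing: int, candidate: bytes) -> int:
    """Given only k-1 shares, return the y value at x_missing that would make
    them shares of `candidate`.  Every candidate has such a value, which is
    why k-1 shares carry no information about the real secret."""
    points = [(0, int.from_bytes(candidate, "big"))] + list(partial)
    return _interpolate(points, x_missing)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    parts = xor_split(key, 4)
    print("XOR shares:", [p.hex() for p in parts])
    print("all four recover", xor_join(parts).hex())
    shares = shamir_split(key, 3, 5)
    print("shares 2,3,4 recover", shamir_join(shares[1:4], len(key)).hex())
    other = bytes(16)
    y3 = share_consistent_with(shares[:2], 3, other)
    print("shares 1,2 plus a forged share 3 'recover'",
          shamir_join([shares[0], shares[1], (3, y3)], len(key)).hex())
```

The last two lines of the demonstration are the practitioner's check on wtshaw's claim: two of three Shamir shares are consistent with the all-zero key just as well as with the real one, so breaking the cipher that protected those two shares buys the opponent nothing until the third cipher also falls.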

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 24 Apr 1999 01:15:17 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2404990115180001@dial-243-115.itexas.net References: 7fp131$dg1$1@news.umbc.edu Newsgroups: sci.crypt Lines: 41

In article 7fp131$dg1$1@news.umbc.edu, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:

> Terry Ritter (ritter@io.com) wrote:
>
> [...]
> : And in this way we can have hundreds or thousands of different
> : ciphers, with more on the way all the time. That means that we can
> : divide the worth of our information into many different ciphers, so
> : that if any one fails, only a fraction of messages are exposed.
>
> Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.

From a herd point of view, you may be right, but specific information between individuals is not apt to pass but once or few times at the most. To fully follow the dialog, all parts of the conversation should be recovered. Even when encrypted, however, the use of allegory and novel in text, security measures in themselves, should be used.

> : It also means that any Opponent must keep up with new ciphers and
> : analyze and possibly break each, then design a program, or build new
> : hardware to exploit it. We can make good new ciphers cheaper than
> : they can possibly be broken. The result is that our Opponents must
> : invest far more to get far less, and this advantage does not depend
> : upon the delusion of strength which is all that cryptanalysis can
> : provide.
>
> Nonsense. The attacker just waits for the information he wants to be transmitted under a system he can break.

If certain information is so common, it may not be worth encrypting in the first place. The idea of putting all eggs in one basket, or very few, is not supportable; but one should only use promising baskets in any event. Keep 'em busy with ciphers that they have not even considered before.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 12:54:41 -0500 From: Medical Electronics Lab rosing@physiology.wisc.edu Message-ID: 37177961.663E@physiology.wisc.edu References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 47

Sundial Services wrote:

> When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Being reversible makes a cipher decipherable :-)

> About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

Terry's got a lot of good ideas. But even he would like a cipher that can be analyzed completely.

> My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

XOR is really addition in GF(2^n) and rotation is equivalent to multiplication by x (or squaring in a normal basis). These "simple" operations can come from really complex math. By using math as a basis for the creation of a cipher, you can determine the work factor to break it more accurately.

Some of the things you want to make happen in a cipher are "avalanche" and "diffusion". You want to make sure that if you change any one bit in the plain text that half the bits change in the cipher text. You also want to have a non-linear function between input and output so there is no hope of writing down a system of equations which could solve a cipher.

Just because something looks complex doesn't make it so. Some things which look really simple can have very complex mathematical relationships, and that's far more useful to a cipher design than something which appears complex but has a simple mathematical construction.

Patience, persistence, truth, Dr. mike

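An added example, not code from the post above, to make Dr. Mike's two requirements measurable: flip one input bit and count how many output bits change (avalanche), and check whether the output difference depends on the input at all (the signature of a GF(2)-linear map, which is exactly the case where an attacker can write down and solve a system of equations). The three candidate functions and all names are this example's own constructions; SHA-256 from the standard library serves only as a reference for what good avalanche looks like.

```python
"""Avalanche and linearity checks for candidate round functions.

Added example for this page, not code from the thread.  A map built from XOR
and rotations only is linear over GF(2): flipping input bit i always flips the
same output bits, whatever the rest of the input.  One modular addition makes
the difference carry-dependent, and a good primitive flips about half the
output bits for any single-bit input change.
"""
import hashlib
import random
from typing import Callable

MASK64 = (1 << 64) - 1


def rotl64(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def linear_mix(x: int) -> int:
    """XOR/rotate only: GF(2)-linear, so output differences are input independent."""
    return x ^ rotl64(x, 13) ^ rotl64(x, 29)


def arx_mix(x: int) -> int:
    """One addition makes the map non-linear over GF(2) (a toy, not a cipher)."""
    return ((x + rotl64(x, 13)) & MASK64) ^ rotl64(x, 29)


def sha256_64(x: int) -> int:
    """Reference point: the first 64 bits of SHA-256 over the 8-byte input."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(8, "big")).digest()[:8], "big")


def avalanche(f: Callable[[int], int], trials: int = 200, seed: int = 1) -> float:
    """Average fraction of the 64 output bits that flip when one random input
    bit is flipped.  0.5 is the ideal; linear_mix always flips exactly 3 bits."""
    rng = random.Random(seed)  # seeded so the measurement is reproducible
    flipped = 0
    for _ in range(trials):
        x = rng.getrandbits(64)
        bit = 1 << rng.randrange(64)
        flipped += bin(f(x) ^ f(x ^ bit)).count("1")
    return flipped / (64 * trials)


def difference_is_input_independent(f: Callable[[int], int],
                                    trials: int = 50, seed: int = 2) -> bool:
    """True if, for every input bit position, flipping that bit produces the
    same output difference for every sampled input.  A linear map passes;
    anything with carries (or a real cipher) fails at the first position."""
    rng = random.Random(seed)
    inputs = [rng.getrandbits(64) for _ in range(trials)]
    for i in range(64):
        bit = 1 << i
        if len({f(x) ^ f(x ^ bit) for x in inputs}) != 1:
            return False
    return True


if __name__ == "__main__":
    for name, f in (("xor/rotate", linear_mix), ("add/xor/rotate", arx_mix),
                    ("sha256", sha256_64)):
        print(f"{name:15s} avalanche={avalanche(f):.3f} "
              f"difference input-independent={difference_is_input_independent(f)}")
```

The XOR/rotate map scores 3/64 on avalanche and reports input-independent differences: an attacker who knows the input difference knows the output difference for free, which is what a system of linear equations exploits. Swapping one XOR for an addition is enough to make the differences input-dependent, though on its own it is nowhere near the 0.5 the reference function reaches; that gap is what the rounds of a real cipher are for.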

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:16:49 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990016490001@dial-243-079.itexas.net References: 37177961.663E@physiology.wisc.edu Newsgroups: sci.crypt Lines: 32

In article 37177961.663E@physiology.wisc.edu, Medical Electronics Lab rosing@physiology.wisc.edu wrote:

> Some of the things you want to make happen in a cipher are "avalanche" and "diffusion". You want to make sure that if you change any one bit in the plain text that half the bits change in the cipher text. You also want to have a non-linear function between input and output so there is no hope of writing down a system of equations which could solve a cipher.

See there, you prove his point, as avalanche paired with diffusion are essential properties of operations involving only some ciphers, and cryptography can be done with nary a bit in sight.

The design can demand so many equations be written that it is impractical to do so.

> Just because something looks complex doesn't make it so.

To that, I agree.

> Some things which look really simple can have very complex mathematical relationships, and that's far more useful to a cipher design than something which appears complex but has a simple mathematical construction.

Then there are those designs that tend to impress people because they are overly complex in construction and perhaps made so for devious purposes.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 21:16:02 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 3717E0D2.225A@worldnet.att.net References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 56

Sundial Services wrote:
>
> When I look at most publicly-available cryptographic algorithms, I see
> that nearly all of them consist of round upon round of simple operations
> like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are
> readily reversible.
>
> About the only "original idea" I've seen, since reading discussions of
> older machines like SIGABA, is Terry Ritter's "Dynamic Substitution"
> patent. At least he is using a more complex transformation than 99.9%
> of the things I've seen ... since SIGABA ... and he's burying a lot more
> information than most designs do.
>
> My question is, aside from possible requirements for constructing their
> ciphers in hardware, why do designers routinely limit themselves to
> these simple bitwise operators in designing ciphers? It seems to me as
> a layman that the older, more complex designs were also far more secure
> than what we have now, and that a computer program would have no
> particular difficulty implementing them. We are not building hardware
> devices; we are not limited to LFSR's.

As layman to layman - the most obvious reason is that these simple operations are easy to analyze. It is not by accident that the only exception to this rule is IDEA, based on modular multiplication, and this immediately brushes away a whole bunch of possible attacks.

Another observation - most published attacks against various ciphers are essentially attacking not as much the cipher per se, as its key schedule. It is not by accident that BLOWFISH is so steady, its key schedule does not provide any opportunity for related-key attacks. On the other hand, a recently published attack against IDEA makes heavy use of the fact that its subkeys are produced just by 25-bit circular shift. Use another key scheduling mechanism (same modular multiplication which is already present in the program), and this attack will result in nothing.

As a layman, I experimented with modular multiplication mod 2^32-1 and mod 2^32+1, found the cycles produced by raising different numbers to the subsequent powers, discovered methods of testing numbers for having the multiplicative inverses, and finally wrote a program for a cipher which I call LETSIEF (FEISTEL spelled backwards). This program uses multiplication mod 2^32-1 as the combining operation between L and R halves. The speed is fantastic - multiplication mod 2^32-1 is implemented in 3 processor instructions on a Pentium, an array of 256 modular multipliers assures full plaintext dependency, inverses also occupy an array of 256 elements, so the only difference between encryption and decryption is that you take your multiplier from a conjugate array. Key scheduling uses the same multiplication routine which already exists in the program.

I am not going to post this program or to promote it in any way. It serves my purposes, I am ready to give the code to anybody who is interested, but nothing beyond that.

BTW, I also experimented with multiplication mod 2^64+1 and 2^64-1. Unfortunately, I am not so great a programmer, and my computer has no 64-bit registers. So beyond some basic knowledge, nothing yet did come into practice (but the ciphers could be terrific!).

Best wishes BNK


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 15:38:34 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.1182a9a3823e66899899fb@news.rmi.net References: 3717E0D2.225A@worldnet.att.net Newsgroups: sci.crypt Lines: 33

In article 3717E0D2.225A@worldnet.att.net, bkazak@worldnet.att.net says...

[ ... ]

> BTW, I also experimented with multiplication mod 2^64+1 and 2^64-1. Unfortunately, I am not so great a programmer, and my computer has no 64-bit registers. So beyond some basic knowledge, nothing yet did come into practice (but the ciphers could be terrific!).

...or they might not be. 2^32-1 happens to be a prime number. In many cases, the smallest factor of your modulus has a large effect on the security of encryption using that modulus.

By contrast, 2^64-1 is what you might call extremely composite -- its prime factorization is (3 5 17 257 641 65537 6700417). This large number of relatively small factors will often make this a particularly bad choice of modulus.

Depending on what you're doing, 2^64+1 is likely to be a MUCH better choice -- it's still not a prime, but its prime factorization is (274177 67280421310721). In many cases, the largest prime factor is what matters, and in this case, it's MUCH larger -- 14 digits instead of 7 (which is also considerably larger than 2^32-1). Unfortunately, using 2^64+1 as a modulus is likely to be fairly difficult even if you have a 64-bit type available.

I obviously haven't studied your encryption method in detail (or at all) so I don't know that this will make a difference in your particular case, but it's definitely something to keep in mind. Many, many forms of encryption that work quite well in 32-bit arithmetic basically fall to pieces when converted to use 64-bit arithmetic instead.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 19:45:17 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 371BC00D.3FA8@worldnet.att.net References: MPG.1182a9a3823e66899899fb@news.rmi.net Newsgroups: sci.crypt Lines: 53

Jerry Coffin wrote:
> ...or they might not be. 2^32-1 happens to be a prime number. In
> many cases, the smallest factor of your modulus has a large effect on
> the security of encryption using that modulus.

Sorry, 2^32-1 = 3*5*17*257*65537, but I have found nice ways to set up key-derived multipliers in this field. The maximum length of the multiplicative cycle is 65536, so you can select an appropriate SEED and raise it to any power < 2^16. In fact, both the modular multiplier and its inverse are computed in the same subroutine.

> By contrast, 2^64-1 is what you might call extremely composite -- its
> prime factorization is (3 5 17 257 641 65537 6700417). This large
> number of relatively small factors will often make this a particularly
> bad choice of modulus.

Also not necessarily. The important thing is the multiplicative cycle length which can be achieved, this gives you an idea of how many multipliers you can produce from an appropriately chosen SEED. BTW, the only practical requirement to the SEED is that it should produce the maximum length cycle of its powers, i.e be a generator.

> Depending on what you're doing, 2^64+1 is likely to be a MUCH better
> choice -- it's still not a prime, but its prime factorization is
> (274177 67280421310721). In many cases, the largest prime factor is
> what matters, and in this case, it's MUCH larger -- 14 digits instead
> of 7 (which is also considerably larger than 2^32-1). Unfortunately,
> using 2^64+1 as a modulus is likely to be fairly difficult even if you
> have a 64-bit type available.

As a matter of fact, very easy. The hex number c720a6486e45a6e2 produces in the 2^64+1 field a cycle of its own powers which is 72057331223781120 long (just under 2^56). This number is simply the first 16 hex digits of sqrt(3), and I am sure that it will take me not more than 15 minutes to find 5-6 numbers more like this. (Please, don't ask me about a source code for the program, I've written it in FORTH). So I can generate random 32-bit subkeys, raise my SEED to these powers and I am in business... Go guess the linear and differential properties of these multipliers, especially if they will be chosen for encryption in a plaintext-dependent way!

> I obviously haven't studied your encryption method in detail (or at
> all) so I don't know that this will make a difference in your
> particular case, but it's definitely something to keep in mind. Many,
> many forms of encryption that work quite well in 32-bit arithmetic
> basically fall to pieces when converted to use 64-bit arithmetic
> instead.

I do not intend to keep it secret. If you are interested (just for fun), I am ready to discuss with you the method of file transfer (unfortunately, I don't have a Web page).

Thanks for your courtesy Best wishes BNK


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 11:42:53 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.11866a88f9e5b896989a08@news.rmi.net References: 371BC00D.3FA8@worldnet.att.net Newsgroups: sci.crypt Lines: 40

In article 371BC00D.3FA8@worldnet.att.net, bkazak@worldnet.att.net says...

> Jerry Coffin wrote:
> > ...or they might not be. 2^32-1 happens to be a prime number. In
> > many cases, the smallest factor of your modulus has a large effect on
> > the security of encryption using that modulus.
>
> Sorry, 2^32-1 = 3*5*17*257*65537, but I have found nice ways to set up key-derived multipliers in this field. The maximum length of the multiplicative cycle is 65536, so you can select an appropriate SEED and raise it to any power < 2^16. In fact, both the modular multiplier and its inverse are computed in the same subroutine.

Oops -- my bad. It's 2^31-1 which is a prime. Of course, if you work in 32-bit integers, it's also 2^31-1 that you end up using as a modulus unless you take steps to ensure against it.

However, even though I wasn't thinking very straight when posting, the fact remains that the largest 32-bit number is a prime, and the largest 64-bit number isn't. Interestingly enough, 2^63+1 also has a much larger factor than 2^63-1, though it's a lot smaller than the largest factor of 2^64+1 (only 11 digits instead of 14).

> I do not intend to keep it secret. If you are interested (just for fun), I am ready to discuss with you the method of file transfer (unfortunately, I don't have a Web page).

If it's written in Forth, I'll pass, thanks anyway. It's been many years since the last time I tried to work in Forth at all, and from what I remember, it's probably something that you have to either use a lot, or you might as well forget it completely.

Then again, I suppose many people would say the same about C, C++ and Scheme, all of which I use fairly regularly. Scheme (or almost any LISP-like language) supports working with large integers, which tends to be handy when you're dealing with factoring and such.

> Thanks for your courtesy Best wishes BNK

Likewise, especially when I posted something as boneheaded as I did...


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 19:53:16 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 371D136C.411A@worldnet.att.net References: MPG.11866a88f9e5b896989a08@news.rmi.net Newsgroups: sci.crypt Lines: 22

Jerry Coffin wrote:
> If it's written in Forth, I'll pass, thanks anyway. It's been many
> years since the last time I tried to work in Forth at all, and from
> what I remember, it's probably something that you have to either use a
> lot, or you might as well forget it completely.

No, it's plain conventional C, even without Assembler. It is one of my "essays" on the subject of drunken ciphers, where you set up a lot of S-boxes deriving them from the key, and then encrypt using the plaintext-dependent path through these S-boxes. so that each plaintext will follow the maze along its own unique path. Quite entertaining... BTW, key scheduling uses the same modular multiplication already present in the program.

> Then again, I suppose many people would say the same about C, C++ and Scheme, all of which I use fairly regularly. Scheme (or almost any LISP-like language) supports working with large integers, which tends to be handy when you're dealing with factoring and such.
>
> > Thanks for your courtesy Best wishes BNK
>
> Likewise, especially when I posted something as boneheaded as I did...


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 02:50:00 GMT From: phr@netcom.com (Paul Rubin) Message-ID: phrFAGvvC.3vz@netcom.com References: MPG.1182a9a3823e66899899fb@news.rmi.net Newsgroups: sci.crypt Lines: 10

In article MPG.1182a9a3823e66899899fb@news.rmi.net, Jerry Coffin jcoffin@taeus.com wrote:

> ...or they might not be. 2^32-1 happens to be a prime number.

2^32-1 = (2^16)^2-1 = (2^16+1)(2^16-1) = (2^16+1)(2^8+1)(2^8-1) = (2^16+1)(2^8+1)(2^4+1)(2^4-1) = (2^16+1)(2^8+1)(2^4+1)(2^2+1)(2^2-1) = 65537 * 257 * 17 * 5 * 3

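The factorizations argued over in the Kazak/Coffin exchange and settled by Paul Rubin's post above (2^32-1, 2^64-1, 2^64+1), together with Kazak's claim that the longest multiplicative cycle mod 2^32-1 is 65536, checked with code. This is an added example written for this page, not code posted by any participant, and the function names are its own. The longest cycle any unit can have mod N is Carmichael's lambda(N); the cycle length of a particular element is its multiplicative order, which always divides lambda(N), so a "generator" in Kazak's sense is an element whose order equals lambda(N).

```python
"""Factor the moduli from this sub-thread and compute the longest possible
multiplicative cycle (Carmichael's lambda) and the order of a given element.

Added example for this page, not code from the thread.
"""
from math import gcd

# Miller-Rabin with these bases is deterministic for n < 3.3e24, which covers
# every number examined here (all are below 2^65).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def factor(n: int) -> dict:
    """Prime factorization {p: exponent} by trial division, stopping as soon
    as the remaining cofactor is itself prime (so 2^64+1 finishes quickly)."""
    out = {}
    p = 2
    while n > 1:
        if is_probable_prime(n):
            out[n] = out.get(n, 0) + 1
            break
        while n % p:                     # advance to the next divisor of n
            p += 1 if p == 2 else 2
        while n % p == 0:
            out[p] = out.get(p, 0) + 1
            n //= p
    return out


def carmichael(n: int) -> int:
    """lambda(n): the largest multiplicative order any unit mod n can have."""
    lam = 1
    for p, k in factor(n).items():
        if p == 2:
            part = 2 ** (k - 1) if k < 3 else 2 ** (k - 2)
        else:
            part = (p - 1) * p ** (k - 1)
        lam = lam * part // gcd(lam, part)  # least common multiple
    return lam


def multiplicative_order(a: int, n: int) -> int:
    """Length of the cycle a, a^2, a^3, ... mod n (a must be a unit mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("a is not invertible mod n")
    order = carmichael(n)
    for q in factor(order):              # strip every prime that is not needed
        while order % q == 0 and pow(a, order // q, n) == 1:
            order //= q
    return order


if __name__ == "__main__":
    for m in (2**31 - 1, 2**32 - 1, 2**64 - 1, 2**64 + 1):
        print(f"{m} = {factor(m)}   lambda = {carmichael(m)}")
    # Kazak's element mod 2^64+1: the first 16 hex digits of sqrt(3).
    print("order of c720a6486e45a6e2 mod 2^64+1:",
          multiplicative_order(0xC720A6486E45A6E2, 2**64 + 1))
```

Running it gives 2^32-1 = 3*5*17*257*65537 (Rubin's factorization; 2^31-1 is the prime Coffin had in mind), lambda(2^32-1) = 65536 as Kazak says, the seven factors Coffin lists for 2^64-1, and 2^64+1 = 274177 * 67280421310721 with lambda(2^64+1) = 72057331223781120, which is exactly the cycle length Kazak reports for c720a6486e45a6e2; the last line prints that element's order so the reader can compare it with his figure.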

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:03:53 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990003530001@dial-243-079.itexas.net References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 26

In article 371749CC.4779@sundialservices.com, info@sundialservices.com wrote:

> When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.
>
> About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.
>
> My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

You've got it right, cryptography is a most complicated and broad field; everyone cooperating to plow and plant the same furrow does not make lots of sense.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 18:18:34 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 3718cff6.15699939@news.visi.com References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 25

On Fri, 16 Apr 1999 07:31:40 -0700, Sundial Services info@sundialservices.com wrote:

> When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Operations from the RISC subset are efficient on a wide variety of microprocessors. Look at the AES submissions. Algorithms that limited themselves to those operations--Serpent, Rijndael, Twofish--had relatively equivalent performance on 8-bit CPUs, 32-bit CPUs, smart cards, DSPs, etc. Algorithms that used more complicated operations like data dependent rotations and multiplications--Mars, RC6, DFC--had widely different performance depending on the particular characteristics of the CPU it is running on.

For a standard cipher at least, sticking to the RISC subset is just smart.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 02:10:22 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193f0e.0@ecn.ab.ca References: 3718cff6.15699939@news.visi.com Newsgroups: sci.crypt Lines: 15

Bruce Schneier (schneier@counterpane.com) wrote:
: For a standard cipher at least, sticking to the RISC subset is just
: smart.

My comment on that paragraph is that he forgot S-boxes, which, if one is using the RISC subset, one cannot omit. But looking at the rest of his post, I don't think he was thinking of things like data-dependent rotations, multiplication, and so on, as much as he was thinking of more creative use of S-boxes or more creative combinations of RISC-subset operations.

Think FROG. Or recall my "Mishmash" posting. This, I think, is the kind of thing he is talking about.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:41:15 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990041160001@dial-243-094.itexas.net References: 3718A7C9.12B5EEF@null.net 3718324d.13916819@news.io.com Newsgroups: sci.crypt Lines: 15

In article 3718A7C9.12B5EEF@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

> I guess you're talking about AES. If time constraints allow, that would be one reasonable part of the evaluation procedure, but you still have to draw the line somewhere and pick the best-to-date.

Ah, elections do come up at some point. As I remember, the final pick is to be submitted to higher, political, authority for approval, which is apt not to be a technical decision based on purely scientific considerations. Meanwhile, back at the ranch, we can make things better by trying to go beyond such a seal.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:45:35 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990045350001@dial-243-094.itexas.net References: 3718A84E.A90A3130@null.net jgfunj-1704990016490001@dial-243-079.itexas.net Newsgroups: sci.crypt Lines: 15

In article 3718A84E.A90A3130@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

> wtshaw wrote:
>
> > The design can demand so many equations be written that it is impractical to do so.
>
> How could the design be conveyed to the implementor, then?

I was thinking more in terms of a simple design, guess, where the burden of writing the equations would be on the attacker who would be trying to make sense out of lots of ciphertext. You know, something easy to do knowing the key, and impractical not knowing it.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 23:36:51 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804992336510001@dial-243-098.itexas.net References: 3719F8DA.B280DB30@null.net jgfunj-1804990041160001@dial-243-094.itexas.net Newsgroups: sci.crypt Lines: 28

In article 3719F8DA.B280DB30@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

> wtshaw wrote:
>
> > Ah, elections do come up at some point. As I remember, the final pick is to be submitted to higher, political, authority for approval, which is apt not to be a technical decision ...
>
> The technical decision would already have been made, and any further process would be simply an approve/disapprove decision.

That is an easy prediction for a technical person. In politics, the rule is there are no rules, except that rules are more equal for those who contribute to the right people.

> I don't know what "elections" have to do with it. You can't think that the electorate in general cares one whit about AES.

A new random permutation generator: You put X windoze machines in a room, merely start them up, and record the order in which they eventually crash on their own.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 17 Apr 1999 03:25:46 GMT From: David A Molnar dmolnar@fas.harvard.edu Message-ID: 7f8uvq$h94$1@news.fas.harvard.edu References: 3718235E.CB681D9C@null.net 3717ba72.20758328@news.io.com Newsgroups: sci.crypt Lines: 51

Douglas A. Gwyn DAGwyn@null.net wrote:

> The only valid thing they could say is that they don't know any way to demonstrate that a cipher is inherently secure (to some agreed level of confidence, under ideal operating conditions). However, there have been a few academic publications purporting to demonstrate provable security for certain systems. A valid proof would mean that the system was secure so long as nothing went wrong. (That is always an important practical caveat, since things do occasionally go wrong.)

Could you mention the publications of which you're thinking? Most of the provable security I've seen comes in terms of statements like "if this scheme is breakable, then factoring integers is easy," usually by providing an argument that any adversary who magically comes across the key necessarily gains enough information to do something ridiculous like factor huge numbers. I'm just wondering if that is to what you're referring.

In this vein, right now I really like the papers by Mihir Bellare and Phil Rogaway which advocate and demonstrate what they call "exact security" -- giving the amount of time and the probability of breaking a scheme in terms of values like "amount of computing power possessed by adversary", "number of {chosen | known | adaptive chosen } ciphertexts known", and so on. There's an overview at http://www-cse.ucsd.edu/users/mihir/papers/pops.ps which sort of falls into the category of not quite bragging about the achievement.

One of the nice things about this area is that the definition of what it means to be "secure" can be made precise and formal. That doesn't prove anything by itself, but offers a way to start proving things. This is rather fun, if you can swallow the assumptions (e.g. RSA is hard).

Anyway, PKCS #1 v2.0 and lots of the upcoming IEEE P1363 standard will be based on this problem. So, while I'm not quite sure what 'a few' means yet, it is important to know about. If only to see if and how it applies to the standard sci.crypt discussion on the strength of cipher X, or the best cipher for application Y.

If that's not quite what you meant -- for instance if you mean tools like code specification, hardening card protocols against attacks on the device, and so on, then I'd be interested in seeing 'em.

The real problem is as you say -- prolly best summed up by Bruce Schneier's pronouncement along the lines of "The math is perfect, the hardware is not so great, the software is corrupt, and the people are horrible". That, and sometimes stupid assumptions, seem to be worth watching the **** out for when implementing this kind of thing...

-David



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 04:39:52 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 37181E71.17709C61@null.net References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 43

Sundial Services wrote:

> like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Yes, that ensures that decryption is feasible.

> About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

Complexity in itself is no guarantee of security; witness Knuth's "super-random" number generator (Algorithm K). As to how "deeply buried" the information is, how do you determine that? Is there some computable figure of merit, or what?

> My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers?

Simpler systems are, usually, easier to analyze more thoroughly. The more thoroughly we understand a class of systems, the more confident we can be that other analysts won't find some shortcut.

It seems to me as a layman that the older, more complex designs were also far more secure than what we have now,

How do you know what we have now? The public didn't have access to SIGABA systems back then, just as they don't have access to today.

and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

It is true that simulation of a Hagelin or Hebern machine, or SIGABA, is easy these days, and that computer programs don't have to follow a classical hardware model. However, things like LFSRs have been thoroughly studied by cryptomathematicians, so informed decisions can be made about how (or whether) to use them. If you attempt a new system structure, until it is well understood mathematically, you'd have no justification for thinking it to be secure.



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 05:00:53 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 3718235E.CB681D9C@null.net References: 3717ba72.20758328@news.io.com Newsgroups: sci.crypt Lines: 52

Terry Ritter wrote:

But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break it will be listened to because I am known to be knowledgeable in how ciphers work. Nonsense. Knowing how to break some ciphers does not mean that you know how ciphers work. ...

I think the truth is somewhere in between. I myself maintain that if you know too little about how cryptosystems are broken, you also don't know all the potential vulnerabilities of a system you may design, and so unless you have unusual "beginner's luck", your system is bound to be vulnerable. Worse, it is vulnerable in ways that were preventable if only you hadn't tried to take a shortcut to success...

We only know what success is reported in the academic literature. Unfortunately, when we use a cipher, we are very rarely concerned whether academics can break our cipher or not. We are instead concerned about "bad guys," and they don't tell us when they have been successful.

That is the reason for "tiger teams", who act the part of bad guys. If your system hasn't been attacked by cryptanalysts who know how to mount such an attack, then it hasn't undergone sufficient Quality Control.

... Schneier and others have acknowledged that any cipher can be broken at any time.

The only valid thing they could say is that they don't know any way to demonstrate that a cipher is inherently secure (to some agreed level of confidence, under ideal operating conditions). However, there have been a few academic publications purporting to demonstrate provable security for certain systems. A valid proof would mean that the system was secure so long as nothing went wrong. (That is always an important practical caveat, since things do occasionally go wrong.)

Absence of knowledge is not knowledge of absence.

... He would thus have us believe that the lack of information about weakness in one cipher is superior to information of impractical weakness in another cipher.

The problem is, a decision has to be made, despite having incomplete information. All other things being equal, a demonstrated weakness is some evidence against that system, even if we can't quantify how much, which would tip the balance. But when there are factors both pro and con, then your criticism is apropos -- we need to know the relative amount of weight to give each factor if we want to make the most rational decision.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 07:03:48 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3718324d.13916819@news.io.com References: 3718235E.CB681D9C@null.net Newsgroups: sci.crypt Lines: 91

On Sat, 17 Apr 1999 05:00:53 GMT, in 3718235E.CB681D9C@null.net, in sci.crypt "Douglas A. Gwyn" DAGwyn@null.net wrote:

Terry Ritter wrote:

But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break it will be listened to because I am known to be knowledgeable in how ciphers work. Nonsense. Knowing how to break some ciphers does not mean that you know how ciphers work. ...

I think the truth is somewhere in between. I myself maintain that if you know too little about how cryptosystems are broken, you also don't know all the potential vulnerabilities of a system you may design, and so unless you have unusual "beginner's luck", your system is bound to be vulnerable. Worse, it is vulnerable in ways that were preventable if only you hadn't tried to take a shortcut to success...

I agree with this to some extent. In particular, I have experienced being "blind" to particular attacks which others have seen, so I am not sure that a person can expect to be all things in this process. I would like to see cryptanalysis be more open to changes in the design. Currently, cryptanalysis seems to be some sort of "one shot" contest against the cryptographer, as opposed to an interactive joint process to attain a better cipher.

We only know what success is reported in the academic literature. Unfortunately, when we use a cipher, we are very rarely concerned whether academics can break our cipher or not. We are instead concerned about "bad guys," and they don't tell us when they have been successful.

That is the reason for "tiger teams", who act the part of bad guys. If your system hasn't been attacked by cryptanalysts who know how to mount such an attack, then it hasn't undergone sufficient Quality Control.

Even so, we still don't know that their guys aren't better, or even just luckier. I think it sometimes just takes a particular point of view to enable an alternative -- possibly much easier -- attack. And it may not be the smartest guy who has that new point of view.

... Schneier and others have acknowledged that any cipher can be broken at any time.

The only valid thing they could say is that they don't know any way to demonstrate that a cipher is inherently secure (to some agreed level of confidence, under ideal operating conditions). However, there have been a few academic publications purporting to demonstrate provable security for certain systems. A valid proof would mean that the system was secure so long as nothing went wrong. (That is always an important practical caveat, since things do occasionally go wrong.)

I don't have a problem with assumptions that nothing will go wrong (although I would expect a real design to consider this). But all of the proofs I have seen either imply a very heavy computational burden or have made very significant assumptions simply to get the proof. Such results may be useful when and if we can prove the basic assumption, but I am unaware that we can.

Absence of knowledge is not knowledge of absence.

... He would thus have us believe that the lack of information about weakness in one cipher is superior to information of impractical weakness in another cipher.

The problem is, a decision has to be made, despite having incomplete information. All other things being equal, a demonstrated weakness is some evidence against that system, even if we can't quantify how much, which would tip the balance. But when there are factors both pro and con, then your criticism is apropos -- we need to know the relative amount of weight to give each factor if we want to make the most rational decision.

That seems like a reasonable position.

I guess I would suggest that if the goal was to get the best cipher, we would see a post-analysis re-design phase intended to fix known problems, with the final comparison being made between full-strength designs.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:18:55 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990018560001@dial-243-094.itexas.net References: 3718324d.13916819@news.io.com Newsgroups: sci.crypt Lines: 24

In article 3718324d.13916819@news.io.com, ritter@io.com (Terry Ritter) wrote:

I guess I would suggest that if the goal was to get the best cipher, we would see a post-analysis re-design phase intended to fix known problems, with the final comparison being made between full-strength designs.

Even some of the worst overall ciphers that have come to light here and there can have a novelty within which should be cherished by the crypto community.

It would seem that the best use of the talent involved in the AES process would be to identify any new techniques that might have crept in, and see how these could be used to supplement the best of what else we know. To stop with what we have seen thus far would be a big mistake. It is in the interest of cryptography for some sort of evolutionary recombination to continue, with active support of those civilians involved, which is almost a given as the process is merely a seed for growing beyond any government imposed limits.

Well known are some of my reservations about AES, but I cheer on those who even try to do the best they can, even with self-imposed handicaps.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 14:28:05 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 3718A84E.A90A3130@null.net References: jgfunj-1704990016490001@dial-243-079.itexas.net Newsgroups: sci.crypt Lines: 5

wtshaw wrote:

The design can demand so many equations be written that it is impractical to do so.

How could the design be conveyed to the implementor, then?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 13:24:01 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 3719F8DA.B280DB30@null.net References: jgfunj-1804990041160001@dial-243-094.itexas.net Newsgroups: sci.crypt Lines: 10

wtshaw wrote:

Ah, elections do come up at some point. As I remember, the final pick is to be submitted to higher, political, authority for approval, which is apt not to be a technical decision ...

The technical decision would already have been made, and any further process would be simply an approve/disapprove decision.

I don't know what "elections" have to do with it. You can't think that the electorate in general cares one whit about AES.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 15:37:54 +0200 From: "H. Ellenberger" hansell@smile.ch Message-ID: 3719E032.5E53C5AF@smile.ch References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 22

Terry Ritter wrote:

[...]

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Correct, however you only describe the bewildering lack of a sound theoretical foundation of the subject matter.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

Correct. Should we therefore stop analyzing existing ciphers?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 19:27:29 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371a31eb.2079148@news.io.com References: 3719E032.5E53C5AF@smile.ch Newsgroups: sci.crypt Lines: 36

On Sun, 18 Apr 1999 15:37:54 +0200, in 3719E032.5E53C5AF@smile.ch, in sci.crypt "H. Ellenberger" hansell@smile.ch wrote:

Terry Ritter wrote:

[...]

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Correct, however you only describe the bewildering lack of a sound theoretical foundation of the subject matter.

Incorrect. The problem is both theoretical and practical; there is ample reason to make serious changes. And, I do not only describe the problem, but have also given prescriptions for increasing system strength even when every cipher is suspect.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

Correct. Should we therefore stop analyzing existing ciphers?

No. We should stop depending on any small set of ciphers, no matter how well analyzed.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 13:01:26 GMT From: dscott@networkusa.net Message-ID: 7fa0n5$v4m$1@nnrp1.dejanews.com References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 47

In article 371749CC.4779@sundialservices.com, info@sundialservices.com wrote:

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

One really is not left with much choice in that if one does not use reversible operations one may end up doing hashing which is not encryption. But you are right that most encryption methods use operations that are readily reversible. That is one reason I use as large an S-table as is possible in my encryption programs. Most people complain that my S-tables are too large. Since the size of s-tables in scott18u.zip is effectively larger than a one million byte key.

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

If you want to see originality look at scott19u.zip

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

--

My feeling is that the method that computers use should involve much more operations than what the public is used to. My code treats the whole file as a block. Which is something else the current blessed methods do not do.

David Scott

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip http://members.xoom.com/ecil/index.htm

-----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:35:24 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990035240001@dial-243-094.itexas.net References: 7fa0n5$v4m$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 14

In article 7fa0n5$v4m$1@nnrp1.dejanews.com, dscott@networkusa.net wrote:

My feeling is that the method that computers use should involve much more operations than what the public is used to. My code treats the whole file as a block. Which is something else the current blessed methods do not do.

Which is strange since the one thing that you highlight is something that perhaps is the biggest weakness in the utility of what you have done. And, trying to make the various blessed methods somehow stronger by making blocks affect each other through shoddy methods is also a step in the wrong direction. All-or-nothing logic has always been considered as a fallacy.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 13:38:07 GMT From: dscott@networkusa.net Message-ID: 7fcn7v$3nv$1@nnrp1.dejanews.com References: jgfunj-1804990035240001@dial-243-094.itexas.net Newsgroups: sci.crypt Lines: 34

In article jgfunj-1804990035240001@dial-243-094.itexas.net, jgfunj@vgrknf.arg (wtshaw) wrote:

In article 7fa0n5$v4m$1@nnrp1.dejanews.com, dscott@networkusa.net wrote:

My feeling is that the method that computers use should involve much more operations than what the public is used to. My code treats the whole file as a block. Which is something else the current blessed methods do not do.

Which is strange since the one thing that you highlight is something that perhaps is the biggest weakness in the utility of what you have done. And, trying to make the various blessed methods somehow stronger by making blocks affect each other through shoddy methods is also a step in the wrong direction. All-or-nothing logic has always been considered as a fallacy.

Since when has the "All-or-nothing logic" been considered as a fallacy or what have you been smoking. I am sure that would be news to Mr R. of RSA fame. All or nothing encryption has not been around very long and is not something groups like NSA are very ready to deal with. I would like to see some so-called expert say that "wrapped PCBC" is a step in the wrong direction making the so-called blessed ciphers weaker. Quite the opposite is true since wrapped PCBC would add the "all or nothing logic" to the AES candidates as well as solve the problem of handling files or sub files that are not made up of a number of bits that are a multiple of the block cipher size used.

David A. Scott

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip http://members.xoom.com/ecil/index.htm



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 23:50:41 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804992350410001@dial-243-098.itexas.net References: 7fcn7v$3nv$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 32

In article 7fcn7v$3nv$1@nnrp1.dejanews.com, dscott@networkusa.net wrote:

Since when has the "All-or-nothing logic" been considered as a fallacy or what have you been smoking.

It's bigger than mere crypto, it applies to all logic. Formally, the concept was presented to me eons ago in Freshman English, but I was already familiar with the concept, with the others that go along with it.

It's also put in the wisdom of not putting all your eggs in one basket, which is rather a historically known truth.

I am sure that would be news to Mr R. of RSA fame.

He surely is a nice fellow, but I am also pretty sure he is liberally educated in basic logic as well.

All or nothing encryption has not been around very long and is not something groups like NSA are very ready to deal with.

I doubt that the methods used by many are that much of a problem. I will grant that you do something better there.

I consider the technology just a patch that can be used on any of several weaker-than-they-should-be algorithms, not to consider yours in that lower class at all. However, the practice limits the use of your algorithms. There may be a fix to what you have done, making your encryption more acceptable to me, but you may not like the idea at first.

A new random permutation generator: You put X windoze machines in a room, merely start them up, and record the order in which they eventually crash on their own.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 02:24:57 GMT From: dianelos@tecapro.com Message-ID: 7fe45i$730$1@nnrp1.dejanews.com References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 40

In article 371749CC.4779@sundialservices.com, info@sundialservices.com wrote:

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling ... My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

Whether you use simple or complex operations to describe a cipher is not relevant: a multiplication can be seen as a sequence of SHIFTs and ADDs; in fact any cipher can in principle be expressed using only ANDs and NOTs. What is relevant in practice is to have a cipher design with fast software execution on some hardware platform. Therefore it can be useful to use the more complex machine instructions. For example a multiplication, when available in hardware, is much faster than the corresponding sequence of SHIFTs and ADDs. The designer will always try to make the hardware processor expend as much cryptographically useful work as possible within a particular time frame. That is why it is so difficult to design a cipher that is fast on many different processor designs. In other words, if a cipher is especially optimized for one platform it will probably be comparatively slower on others.

DES, the mother of all ciphers, uses only XORs, substitutions, and bit transpositions. When I designed Frog, I decided to use only XORs and substitutions (and continue the tradition), even though I knew that ADD has better diffusion properties than XOR. In all synchronous processors ADD takes the same time as XOR and I think now that I made a bad decision then.

-----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
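The two technical claims in the post above (a multiply is just SHIFTs and ADDs, and ADD diffuses a single-bit change better than XOR) can be checked directly. The following is an added example, not code from the post, from Frog, or from anyone in this thread; the word size (32 bits), the trial count and the seed are assumptions chosen for the demonstration.

```python
import random

MASK32 = 0xFFFFFFFF  # 32-bit words, as a software cipher on a 32-bit CPU would use

def popcount(x: int) -> int:
    """Number of set bits in x (Hamming weight)."""
    return bin(x).count("1")

def mul_shift_add(a: int, b: int) -> int:
    """32-bit multiply written out as the SHIFTs and ADDs a CPU without a
    multiplier would perform; result equals (a * b) & MASK32."""
    acc = 0
    while b:
        if b & 1:
            acc = (acc + a) & MASK32
        a = (a << 1) & MASK32
        b >>= 1
    return acc

def xor_flips(x: int, k: int, bit: int) -> int:
    """How many output bits of (x ^ k) change when input bit `bit` of x is flipped.
    XOR has no carries, so the answer is always exactly 1."""
    return popcount((x ^ k) ^ ((x ^ (1 << bit)) ^ k))

def add_flips(x: int, k: int, bit: int) -> int:
    """Same measurement for (x + k) mod 2^32: the flipped bit can start a carry
    or borrow chain, so neighbouring output bits change as well."""
    return popcount(((x + k) & MASK32) ^ (((x ^ (1 << bit)) + k) & MASK32))

def average_flips(measure, trials: int = 2000, seed: int = 1) -> float:
    """Average number of changed output bits over random x, k and bit position.
    The fixed seed (an assumption for reproducibility) makes the figure stable."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        x, k, bit = rng.getrandbits(32), rng.getrandbits(32), rng.randrange(32)
        total += measure(x, k, bit)
    return total / trials

if __name__ == "__main__":
    print("multiply via shift/add:", hex(mul_shift_add(0x12345, 0x6789)))
    print("XOR: avg output bits changed per 1-bit input change:", average_flips(xor_flips))
    print("ADD: avg output bits changed per 1-bit input change:", average_flips(add_flips))
    print("ADD worst case, full carry chain:", add_flips(0xFFFFFFFF, 1, 0))
```

The XOR figure is exactly 1.0 because XOR acts bit by bit; ADD averages close to 2 because each carry continues into the next bit with probability one half, and in the extreme case (all ones plus one) every bit of the word changes. That extra diffusion per instruction is the property the poster is weighing; whether it buys real strength in a particular design is still a matter for analysis, not for the count alone.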


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 22:05:58 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371ba7fd.23385300@news.prosurfr.com References: 7fe45i$730$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 21

dianelos@tecapro.com wrote, in part:

DES, the mother of all ciphers, uses only XORs, substitutions, and bit transpositions. When I designed Frog, I decided to use only XORs and substitutions (and continue the tradition), even though I knew that ADD has better diffusion properties than XOR. In all synchronous processors ADD takes the same time as XOR and I think now that I made a bad decision then.

While at first the poster does appear to be making the important mistake of forgetting that most block ciphers do include one complex operation - the S-box - reading the post further, and noting the examples he used, such as SIGABA, led me to the conclusion that he wasn't really asking about why not many block ciphers use, say, multiply instructions, but instead was asking why they don't use more involved structures with a little creativity.

In other words, I think he was asking why block ciphers weren't more like FROG! (My original reply to his post goes into this at greater length.)

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 11:46:08 GMT From: SCOTT19U.ZIP_GUY dscott@networkusa.net Message-ID: 7fkdq0$qra$1@nnrp1.dejanews.com References: 3718AA8A.B2B460DE@null.net 7fa0n5$v4m$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 45

In article 3718AA8A.B2B460DE@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

dscott@networkusa.net wrote:

... Most people complain that my S-tables are too large. Since the size of s-tables in scott18u.zip is effectively larger than a one million byte key.

I think the question in their minds is, whether such a large S-table is essential to attain the desired level of security, or whether other approaches might be comparably secure.

My feeling is that the method that computers use should involve much more operations than what the public is used to. My code treats the whole file as a block. Which is something else the current blessed methods do not do.

The immediate thought one has is that treating the whole message would be a problem in many applications where data is generated in a stream, for example a TELNET session. However, a whole-file method can be applied to small blocks simply by treating each block in the sequence as a separate file. That would lose any benefit from the large-file property, however. Have you any estimate of the security of your method when used with small "files" (say, 512 bytes or less)?

Well from reading Ritter's stuff one can not really estimate the security. However it would treat the 512 bytes as a single block. I think if one used a fixed block size of any size say 512 bytes. Then it would be easier to study the cipher for its weak points. But it is not the fastest method out there. Many seem concerned with speed. I feel in my gut that the faster a method is then there is likely an easy method to break it. My methods require a lot of time compared to others. But I feel if one wants real security then my methods are the way to go.

David A. Scott

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip http://members.xoom.com/ecil/index.htm NOTE EMAIL address is for SPAMMERS to email me use address on WEB PAGE



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Thu, 22 Apr 1999 02:15:17 GMT From: tomstdenis@my-dejanews.com Message-ID: 7fm0ni$be4$1@nnrp1.dejanews.com References: 371e2003.6163199@news.io.com Newsgroups: sci.crypt Lines: 50

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

I find "rounds" (the repeated application of the same operation) silly and I don't use them. I do use "layers" in which different operations are applied in each layer.

And I think that making a cipher more difficult to analyze can only benefit the Opponents who have more resources for analysis. Personally, I try to make ciphers as conceptually simple as possible (though not simpler). Simple does not mean weak; simple means appropriately decomposing the cipher into relatively few types of substantial subcomponent which can be understood on their own, then using those components in clear, structured ways.

This is true, though you could incorporate a variety of P and S functions in one cipher. If you had, for example, 24 rounds you could have 6 different P and S functions, each with 4 staggered rounds.

I also believe in keeping ciphers simple. In some cases difficult just comes with it (public-key).

I would suggest if anyone is getting started to read about the following ciphers, which are easy to read, implement and study.

IDEA, Blowfish, RC5, TEA, X-TEA and CAST.

Tom -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.0.2i

iQA/AwUBNx6E28nv2fqXBZQeEQILNgCdHThETQtVxpZoKLTRPx5nbuz8Vw8AoNDO kG/DtwpLc1oyT5c8xOWwmg3Q =8iVV -----END PGP SIGNATURE-----

-- PGP public keys. SPARE key is for daily work, WORK key is for published work. The spare is at 'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at 'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Thu, 22 Apr 1999 13:50:15 GMT From: dianelos@tecapro.com Message-ID: 7fn9el$e2v$1@nnrp1.dejanews.com References: 371a56a8.198396@news.prosurfr.com Newsgroups: sci.crypt Lines: 54

In article 371a56a8.198396@news.prosurfr.com, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

... Two comments are warranted here.

  • Since cryptanalysis represents the "hard" part of the work in designing a cipher, this is why cipher designers should themselves know something about cryptanalysis;
  • And I think you can see why this design process actually increases the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.
This is an extremely radical statement. Do you know of others who argue in the same vein?

Personally, I have often expressed the opinion that the biggest security risk in cipher design is the possible discovery of a catastrophic attack method against cipher designs considered strong today. A catastrophic attack would be an attack that can be used in _practice_ to uncover the secret key based on only a handful of known plaintexts. If this should happen in the future and work against a standard cipher, the repercussions could be worse than the Y2K error.

Now I have argued that a possible defense against unknown attacks are ciphers that have as little internal structure as possible. My reasoning is that a catastrophic attack will probably take advantage of some characteristic or weakness of the cipher's structure. If a cipher has little structure then it will be less likely to have that weakness. Now, what you are saying is I think more radical: you are saying that current cipher design methodology based on analysis against known attacks not only fails to strengthen the new ciphers against unknown attacks but actually makes them weaker.

Super-encipherment, where several distinct ciphers, preferably with distinct design philosophies, are combined in series is another albeit slower defense against unknown attacks. The reasoning is that it is unlikely that an attack would be powerful enough to penetrate all different key-schedule methods and layers of rounds. There is another advantage here: there may exist a "General Cryptanalytic Theory" that can be used to analyze and catastrophically break _any_ cipher whose workload is below some limit, i.e. any cipher that is fast enough. A slow and complex "Super-Cipher" would hopefully exceed this limit. I wonder if concurrently to the fast AES, we shouldn't have a standard Superencipherment algorithm scalable in speed. Really important security could then be done at orders of magnitude less speed than the AES, possibly at a few kilobytes per second on a PC.

-----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
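The super-encipherment idea in the post above (several distinct ciphers in series, each under its own key, so that an attack must defeat every layer) is easy to show in code. What follows is an added example, not code from the post or from any cipher discussed in this thread. Its two layers are stand-ins built from standard-library keyed hashes run in counter mode (HMAC-SHA256 for one, keyed BLAKE2b for the other); that choice, the key and nonce sizes, and the sample keys and message are all assumptions made for the demonstration, and the stand-ins are meant to show the cascade structure, not to recommend a particular keystream generator.

```python
import hashlib
import hmac
import os

def _counter_blocks(nonce: bytes, length: int, block_size: int):
    """Yield nonce||counter inputs until `length` bytes of keystream are covered."""
    for ctr in range((length + block_size - 1) // block_size):
        yield nonce + ctr.to_bytes(8, "big")

def keystream_hmac_sha256(key: bytes, nonce: bytes, length: int) -> bytes:
    """Layer 1 (constructed stand-in): HMAC-SHA256(key, nonce||counter) in counter mode."""
    out = b"".join(hmac.new(key, blk, hashlib.sha256).digest()
                   for blk in _counter_blocks(nonce, length, 32))
    return out[:length]

def keystream_blake2b(key: bytes, nonce: bytes, length: int) -> bytes:
    """Layer 2 (constructed stand-in): keyed BLAKE2b(nonce||counter) in counter mode."""
    out = b"".join(hashlib.blake2b(blk, key=key, digest_size=64).digest()
                   for blk in _counter_blocks(nonce, length, 64))
    return out[:length]

# The cascade: distinct primitives, applied in series, each under its own key.
LAYERS = (keystream_hmac_sha256, keystream_blake2b)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cascade_encrypt(keys, nonce: bytes, plaintext: bytes) -> bytes:
    """Apply every layer in order; each layer uses only its own key."""
    data = plaintext
    for key, layer in zip(keys, LAYERS):
        data = xor_bytes(data, layer(key, nonce, len(data)))
    return data

def cascade_decrypt(keys, nonce: bytes, ciphertext: bytes) -> bytes:
    """Undo the layers in reverse order (XOR layers commute, but a general
    cascade of block ciphers would not, so keep the discipline)."""
    data = ciphertext
    for key, layer in reversed(list(zip(keys, LAYERS))):
        data = xor_bytes(data, layer(key, nonce, len(data)))
    return data

def strip_broken_layer(index: int, key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Model the failure of one layer: assume its key has somehow become known
    and remove it. What is left is still the other layer's ciphertext, so the
    message is exposed only when every layer has failed."""
    return xor_bytes(ciphertext, LAYERS[index](key, nonce, len(ciphertext)))

if __name__ == "__main__":
    # Independent keys for each layer and a fresh nonce per message (constructed here).
    k1, k2, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    message = b"constructed sample message for the cascade demonstration"
    ct = cascade_encrypt((k1, k2), nonce, message)
    assert cascade_decrypt((k1, k2), nonce, ct) == message
    after_one_break = strip_broken_layer(0, k1, nonce, ct)
    print("layer 1 removed, plaintext visible?", after_one_break == message)
```

Two points a practitioner should take from the structure rather than the stand-in primitives: the layers must be keyed independently (a shared or derived key lets one break cascade into the other), and for XOR-style layers the combined keystream is unpredictable as long as at least one layer's keystream is, which is the sense in which an attack has to "penetrate all" layers. The cost is the sum of the layer costs, the slowdown the poster is prepared to accept for messages that matter most.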


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Thu, 22 Apr 1999 18:48:07 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371f6e1c.13388611@news.prosurfr.com References: 7fn9el$e2v$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 26

dianelos@tecapro.com wrote, in part:

In article 371a56a8.198396@news.prosurfr.com, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

  • And I think you can see why this design process actually increases the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.

This is an extremely radical statement. Do you know of others who argue in the same vein?

I think it may have seemed more radical than it was. I wasn't saying that modifying a cipher design in response to cryptanalysis makes it weaker, which would be not only very radical, but quite wrong.

What I had meant was that if we consider acceptable a design that was initially weak against known attacks, but which was modified later specifically to resist them, then we are, I think, with that kind of design more likely to fall prey to new attacks than we would be with a design that was resistant to the known attacks right from the start.

And I don't think that that is a particularly radical statement, but I could be wrong.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Thu, 22 Apr 1999 19:51:14 GMT From: SCOTT19U.ZIP_GUY dscott@networkusa.net Message-ID: 7fnujg$2tj$1@nnrp1.dejanews.com References: 7fn9el$e2v$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 65

In article 7fn9el$e2v$1@nnrp1.dejanews.com, dianelos@tecapro.com wrote:

... Personally, I have often expressed the opinion that the biggest security risk in cipher design is the possible discovery of a catastrophic attack method against cipher designs considered strong today. A catastrophic attack would be an attack that can be used in practice to uncover the secret key based on only a handful of known plaintexts. If this should happen in the future and work against a standard cipher, the repercussions could be worse than the Y2K error.

Now I have argued that a possible defense against unknown attacks
are ciphers that have as little internal structure as possible. My
reasoning is that a catastrophic attack will probably take
advantage of some characteristic or weakness of the cipher's
structure. If a cipher has little structure then it will be less
likely to have that weakness. Now, what you are saying is I think
more radical: you are saying that current cipher design
methodology based on analysis against known attacks not only fails
to strengthen the new ciphers against unknown attacks but actually
makes them weaker.

Super-encipherment, where several distinct ciphers, preferably
with distinct design philosophies, are combined in series is
another albeit slower defense against unknown attacks. The
reasoning is that it is unlikely that an attack would be powerful
enough to penetrate all different key-schedule methods and layers
of rounds. There is another advantage here: there may exist a
"General Cryptanalytic Theory" that can be used to analyze and
catastrophically break _any_ cipher whose workload is below some
limit, i.e. any cipher that is fast enough. A slow and complex
"Super-Cipher" would hopefully exceed this limit. I wonder if
concurrently to the fast AES, we shouldn't have a standard
Superencipherment algorithm scalable in speed. Really important
security could then be done at orders of magnitude less speed than
the AES, possibly at a few kilobytes per second on a PC.

Your feelings are correct except for one small point. The AES contest is not about having secure encryption. The NSA would never allow a good common method to be blessed by the government for general use. So that is why you will never see a blessed super cipher method made of completely different methods. Unless each method added information at each pass so that they could be broken independently.

If you put such a package together be sure to add scott16u or scott19u in it. In each I have a mode where the file size out matches the file size in. This should be a requirement for your approach to a super-cipher. If the method changes the file length it is too hard to check for NSA approved added info to the methods so that it could be broken. I also think even my hate mongers would agree my methods are very different than the so called blessed methods.

David A. Scott

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip http://members.xoom.com/ecil/index.htm NOTE EMAIL address is for SPAMMERS to email me use address on WEB PAGE



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 24 Apr 1999 01:36:38 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2404990136390001@dial-243-115.itexas.net References: 7fq06b$t83$1@nnrp1.dejanews.com jgfunj-2304990140240001@dial-243-089.itexas.net 7fnujg$2tj$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 83

In article 7fq06b$t83$1@nnrp1.dejanews.com, SCOTT19U.ZIP_GUY dscott@networkusa.net wrote:

In article jgfunj-2304990140240001@dial-243-089.itexas.net, jgfunj@vgrknf.arg (wtshaw) wrote:

In article 7fnujg$2tj$1@nnrp1.dejanews.com, SCOTT19U.ZIP_GUY dscott@networkusa.net wrote:

Your feelings are correct except for one small point. The AES contest is not about having secure encryption. The NSA would never allow a good common method to be blessed by the government for general use. So that is why you will never see a blessed super cipher method made of completely different methods. Unless each method added information at each pass so that they could be broken independently.

We can expect that there are tactics and strategies on file for finding a way for the government to get itself out of the corner that it has painted itself into. Whether any of them will work or is going to be acceptable is up for grabs.

As seen in many cases before, our government is adept at doing inconsistent things, even, alas, contradicting itself in statements of mission and policy. As in any level of organization, individual to government, the devil is in the details, that is which values are given more weight at the time. In time of war....well, we will see...rather not have to have any war that might be abused for ulterior motives aside from those well recognized.

These inconsistent things are done for a reason. One branch of the government can promise you something in exchange for something, but when you keep your promise then another branch can punish you for the very same action. That way those in power can really do what the hell they want, because there are so many laws, rules and organizations that they are routinely selectively applied. An example is the tax structure. It costs a lot of money to collect and process the taxes; any congressman knows a simple flat tax would save the government money and be best for the population as a whole, and it could make the size of government smaller. But this will never happen; it is designed to keep citizens in fear instead of helping them. Also, as a recent study showed, for a family of 4 with a simple tax set-up the majority of CPAs could not do the tax forms correctly. The government likes this. If you vote wrong or whatever, you can be charged with falsifying your income taxes. This tool is too powerful for government to throw away. The government's main concern is to keep the status quo and to control, not to help people.

I agree with you about most of what you have said above, but it may be more true of some in government than others. We could add lots of other examples, at various levels of government. The best thing to be is open and honest, something government does not particularly like to do as it limits arbitrary power.

Next silly thing you're going to tell me is that if the Pres committed perjury he would be punished in court like any other man.

Lots of wrong statements make it into the record by default. Inconsistencies are overlooked because they are so common, and the workloads demand getting on to something else. And, perjury is often expected to have occurred at some point; otherwise, anyone protesting charges were untrue could be charged with perjury if there was a conviction.

In Clinton's case, due process was carried out, be it a special form.

I still think the shootings in Colorado are more the result of the mixed signals we send our kids. We teach them about truth and justice and fair play. But then the first taste of justice is a dishonest traffic ticket.

We have many good rules about how school should be. The school authorities do not follow them too closely all too often. When problems are not addressed, the odds that trouble will occur just increase. What should be done is an open question, every contemplated action has its down side; formal demands for guaranteeing a good education environment are all too often treated as mere guidelines. It is the same story as it was with the courts, time constraints are real in the schools; but, that is no excuse for not doing more to address real problems that affect each individual, and individuals do reach breaking points.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 00:34:37 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2504990034380001@dial-243-101.itexas.net References: 3721B517.ED9E4D4F@null.net jgfunj-2404990136390001@dial-243-115.itexas.net Newsgroups: sci.crypt Lines: 28

In article 3721B517.ED9E4D4F@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

wtshaw wrote:

We have many good rules about how school should be. The school authorities do not follow them too closely all too often.

I wouldn't place most of the blame on the educational system, bad as it is, when parents allow their kids to stray so far off-track as in the Columbine case.

Anyway, this is off-topic. I presume there is some better place for such discussions.

Topics sometimes wander...you're right.

Back to topic, simple answer to the question in the title: Monkey see, monkey do.

This is not meant to be a slam, but a clear fact that if you only learn a few selected crypto primitives, those are the ones you are apt to utilize. The same applies to almost any area of endeavor as well. Only when you get beyond following in someone else's wake will you feel the freedom to explore the unknown, which means finding different ways of doing things, perhaps even a few better ones mixed in.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 20:56:52 GMT From: bryan.olson@uptronics.com Message-ID: 7fvvii$pu7$1@nnrp1.dejanews.com References: 37232059.4FA1@sundialservices.com Newsgroups: sci.crypt Lines: 14

In article 37232059.4FA1@sundialservices.com, info@sundialservices.com wrote:

: olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part: [...] : However, I don't think it's appropriate to automatically conclude that [...]

I (Bryan) only wrote that in quoting its author, John Savard.

--Bryan



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 26 Apr 1999 05:38:03 GMT From: dianelos@tecapro.com Message-ID: 7g0u3r$j1h$1@nnrp1.dejanews.com References: 7fusfv$as8$1@news.umbc.edu Newsgroups: sci.crypt Lines: 96

In article 7fusfv$as8$1@news.umbc.edu, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:

... There is a situation worse than having all one's eggs in one basket. The problem with one basket is that there exists a potential failure that would be catastrophic. What's worse is a system in which any one of many possible failures would be catastrophic. If one accepts that in realistic applications of cryptography the same intelligence is available from many messages, then choosing from a thousand ciphers for each message moves us from one potential catastrophic failure to many potential catastrophic failures.

I think you assume that the attacker will know which cipher has
been used. In fact, a good variable cipher protocol would hide the
information about which cipher or cipher combination has been
used.

Let us design two possible future worlds and then pick the one
that is more secure:

In the first the AES is used for almost all encryption.

In the second world we define a set of several interesting
ciphers, preferably ciphers that are different in some fundamental
ways. We put in there the AES, some more ciphers that have been
extensively analyzed, some ciphers that follow different design
methodologies (for example variable ciphers such as Frog, ciphers
designed specifically for making analysis very difficult, ciphers
using novel primitives or structures, etc.). Now add to all
encrypted data or make implicit in all security applications the
following information: the subset of the ciphers that must be used
and at which "depth", i.e. how many ciphers out of this subset are
cascaded in series. Finally extend the secret key with a
sufficient number of bits that define the sequence of the ciphers.
(I don't want to discuss here how the individual ciphers' keys are
defined - I know it is not optimal but as a first approximation
let us suppose all individual keys are identical.) Now observe
that if you want to use the AES, you just define a subset that
includes only the AES and a depth of one. But you can also include
the entire set and a depth of one hundred.

In fact, the original set of ciphers need not be fixed. Allow
anybody to add his or her code to the lot in a public Internet
server in an environment where everybody can "Amazon-like" comment
on all present ciphers, where the experts' opinion is expressively
stated and where statistics are held about which products include
which ciphers in their "standard" set of ciphers. If my email
program receives a message that uses a subset with a cipher not
present in my computer, then it will download the authenticated
Java code from the public server before decrypting.

So which world do you think is more secure: the AES-centric one,
or the "organized chaos" one? It seems to me the latter, because
the attacker will have a more complex task and less information to
work with.

Now, even if we agree that the organized chaos world is more
secure we still have to discuss costs. Now observe that people can
always use only optimized AES code in their applications (in fact,
the public server could also include optimized code for several
cipher/platform combinations). In all cases, royalty free Java
code for the cascaded ciphers would not really increase the cost
of an application. Many secure applications could even be
cipher-neutral. For example, a paranoid organization could use a
standard email program and define a large subset of ciphers at a
great depth without really paying anything more. So I think the
increase of costs would really be marginal and would correspond
largely to the definition of a standard protocol for cascading
ciphers as well as the operation of the "cipher server". In fact
in some cases there may be some cost advantages. For example,
suppose RC6 is chosen as the AES but this cipher can not be as
easily ported to smartcards as RC6a. In the organized chaos world
a smartcard manufacturer could use the cheaper RC6a even in
applications where this smartcard will communicate with PCs all
over the world.

One can ask if all this is really necessary. After all most
experts think that it is extremely unlikely that the AES will
suffer a catastrophic failure in the next 50 years or so. Even so,
it is deeply troubling to think that we are moving towards an
information society and that much of its security will not be
based on theoretical proof or, at least, experimental test but on
personal opinion of a few dozen people, even if they are excellent
and well meaning professionals.

It is still possible that somebody will publish a provable secure
cipher that is practical to implement. Meanwhile a variable cipher
protocol similar to the one described above would fulfil almost
everybody's requirements for symmetric encryption. This would leave
many other problems to worry about such as key management and
public key systems, Trojan horses, the appropriate use of encryption
technology, etc.



Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 26 Apr 1999 15:58:37 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.118e89fdf2aca1bd989a25@news.rmi.net References: 7g0u3r$j1h$1@nnrp1.dejanews.com Newsgroups: sci.crypt Lines: 132

In article 7g0u3r$j1h$1@nnrp1.dejanews.com, dianelos@tecapro.com says...

[ ... ]

Let us design two possible future worlds and then pick the one
that is more secure:

In the first the AES is used for almost all encryption.

In the second world we define a set of several interesting
ciphers, preferably ciphers that are different in some fundamental
ways. We put in there the AES, some more ciphers that have been
extensively analyzed, some ciphers that follow different design
methodologies (for example variable ciphers such as Frog, ciphers
designed specifically for making analysis very difficult, ciphers
using novel primitives or structures, etc.). Now add to all
encrypted data or make implicit in all security applications the
following information: the subset of the ciphers that must be used
and at which "depth", i.e. how many ciphers out of this subset are
cascaded in series. Finally extend the secret key with a
sufficient number of bits that define the sequence of the ciphers.
(I don't want to discuss here how the individual ciphers' keys are
defined - I know it is not optimal but as a first approximation
let us suppose all individual keys are identical.) Now observe
that if you want to use the AES, you just define a subset that
includes only the AES and a depth of one. But you can also include
the entire set and a depth of one hundred.

The first is more secure, or at least more dependably secure. The problem is, when you combine two algorithms, you're basically designing a new cypher. If you're lucky, it'll combine the strengths of both the base cyphers, while negating some of the weaknesses of each.

Unfortunately, in cryptology luck tends to be of the bad kind -- you might combine two cyphers that end up negating each other's good points, and nearly eliminating each other's strengths.

Ultimately, when somebody designs something like DES, IDEA or Blowfish, they're combining a number of more primitive operations into a single, complete cypher.

In your scenario, essentially the same thing is happening, EXCEPT that instead of an expert in cryptography studying the individual primitives in detail to ensure that they produce a good output, in the typical scenario somebody who knows nothing about cryptography is going to combine things with little or no chance to study them at all. The result may be quite secure, but it may also be EXTREMELY insecure. Without doing a fairly intensive study of the exact combination used, it's nearly impossible to say which.

In fact, the original set of ciphers need not be fixed. Allow
anybody to add his or her code to the lot in a public Internet
server in an environment where everybody can "Amazon-like" comment
on all present ciphers, where the experts' opinion is expressively
stated and where statistics are held about which products include
which ciphers in their "standard" set of ciphers.

This gets worse and worse. Rather than having a small set of primitives that you might be able to study in detail, you're now combining an unknown number of primitives in completely unknown ways. There's simply no way that anybody can keep up with all the possible combinations and figure out which of them produce dangerously poorly encrypted output.

So which world do you think is more secure: the AES-centric one,
or the "organized chaos" one? It seems to me the latter, because
the attacker will have a more complex task and less information to
work with.

It seems to me the former. Ultimately, you're designing a single cypher that'll be used to do the job. You're simply taking the design of the cypher away from people who study for years about how to do it as well as possible, and instead putting it in the hands of (mostly) people who haven't a clue of how to design a cypher.

One can ask if all this is really necessary.

One should start by asking whether it's really useful. Since the answer is "only rarely, if ever", it's pointless to deal with costs, necessity, etc.

It is still possible that somebody will publish a provable secure
cipher that is practical to implement. Meanwhile a variable cipher
protocol similar to the one described above would fulfil almost
everybody's requirements for symmetric encryption. This would leave
many other problems to worry about such as key management and
public key systems, Trojan horses, the appropriate use of encryption
technology, etc.

First of all, to a limited degree, variable protocols such as you describe are already available -- for example, different versions of PGP support either triple-DES or IDEA for the encryption, and RSA or Diffie-Hellman for key exchange. Secure email-protocols support relatively open-ended descriptions of the encryption used in a particular message, though (thankfully) only a few forms of encryption are presently supported.

Second, the variable protocol you propose would be likely to fulfill people's needs under only two possible sets of circumstances: either

  1. everybody becomes an expert in designing encryption before they use it, or
  2. they really don't need much security in the first place.

DES, AES, etc., are all about one basic idea: since most people neither know, nor want to know how to design secure encryption, the people who do know and care design something that nearly anybody can use, and derive real usefulness from it. If you take a number of components of poorly understood design, and leave it to a total amateur to pick a combination that'll work well, chances are all too high that the final result will be catastrophically awful.

In short: if you intend to combine cyphers and get a secure result, you need to put in quite a bit of study to know how they may interact. Just for example, most people take for granted that triple-DES is more secure than DES, simply because you have three times as large of a key. In fact, in the case of DES, it IS true, because it's been proven that DES does not form a group.

By contrast, assume somebody has the mistaken assumption that it all really comes down to key-size (quite a common misconception). He notices that the "XOR stream encryption" module will allow him to enter MUCH larger keys than any of the others, so he decides to do a "triple XOR stream encryption" with three different 40-byte (320-bit) keys.

Now, it happens that a simple XOR stream encryption DOES form a group, so first of all, doing it three times with three different keys hasn't really accomplished a thing -- you've still basically got only a 40-byte key. As I'm sure you're well aware, a simple XOR encryption with a 40-byte key is pathetically easy to break, even for a rank amateur at cryptanalysis.
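The "triple XOR" trap from Coffin's post, worked through in code. This is an added illustration, not code from the thread or from any of its participants. The three keys, the message and the PGP-style header (standing in for any predictable plaintext prefix) are constructed for the demo; the function names are my own.

```python
# Added illustration of the "triple XOR" trap from the post above; not code
# from the thread. Keys and the sample message are constructed here.
import os

KEY_LEN = 40  # the 40-byte (320-bit) keys from the post


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i of the data is XORed with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triple_xor(data: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Three XOR layers with three different 40-byte keys."""
    return xor_stream(xor_stream(xor_stream(data, k1), k2), k3)


def effective_key(k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """XOR is associative and commutative, so the three layers collapse into a
    single layer keyed by k1 ^ k2 ^ k3: the keyspace is still 40 bytes."""
    return bytes(a ^ b ^ c for a, b, c in zip(k1, k2, k3))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext attack: with key_len known plaintext bytes aligned at
    the start of the message, key[i] = ct[i] ^ pt[i] for i < key_len."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def demo() -> bool:
    """Encrypt with three random keys, then break it knowing only a
    predictable 40-byte prefix. Returns True if the full message is recovered."""
    k1, k2, k3 = (os.urandom(KEY_LEN) for _ in range(3))
    # Constructed sample: a fixed, guessable header followed by the secret body.
    header = b"-----BEGIN PGP MESSAGE-----\nVersion: 2.6.2\n"
    body = b"the three keys collapsed into one, and the header gave it away\n"
    plaintext = header + body
    ciphertext = triple_xor(plaintext, k1, k2, k3)

    # (1) The cascade is exactly one XOR layer under the combined key.
    assert ciphertext == xor_stream(plaintext, effective_key(k1, k2, k3))

    # (2) The attacker never learns k1, k2 or k3 individually and does not
    #     need to: the combined key falls out of the known prefix alone.
    k_eff = recover_key(ciphertext, header)
    return xor_stream(ciphertext, k_eff) == plaintext


if __name__ == "__main__":
    print("recovered full plaintext:", demo())
```

Two things worth trying with it: with `k1 == k3` and `k2` all zeros the combined key is zero and the "triple" cipher outputs plaintext unchanged, which is the cancellation case Coffin describes; and the attack needs no more known plaintext than one key length, however many XOR layers are stacked.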


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 27 Apr 1999 09:25:50 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 3725BADE.EF3B0685@aspi.net References: MPG.118e89fdf2aca1bd989a25@news.rmi.net Newsgroups: sci.crypt Lines: 143

Jerry Coffin wrote:

In article 7g0u3r$j1h$1@nnrp1.dejanews.com, dianelos@tecapro.com says...

[ ... ]

Let us design two possible future worlds and then pick the one
that is more secure:

In the first the AES is used for almost all encryption.

In the second world we define a set of several interesting
ciphers, preferably ciphers that are different in some fundamental
ways. We put in there the AES, some more ciphers that have been
extensively analyzed, some ciphers that follow different design
methodologies (for example variable ciphers such as Frog, ciphers
designed specifically for making analysis very difficult, ciphers
using novel primitives or structures, etc.). Now add to all
encrypted data or make implicit in all security applications the
following information: the subset of the ciphers that must be used
and at which "depth", i.e. how many ciphers out of this subset are
cascaded in series. Finally extend the secret key with a
sufficient number of bits that define the sequence of the ciphers.
(I don't want to discuss here how the individual ciphers' keys are
defined - I know it is not optimal but as a first approximation
let us suppose all individual keys are identical.) Now observe
that if you want to use the AES, you just define a subset that
includes only the AES and a depth of one. But you can also include
the entire set and a depth of one hundred.

The first is more secure, or at least more dependably secure. The problem is, when you combine two algorithms, you're basically designing a new cypher. If you're lucky, it'll combine the strengths of both the base cyphers, while negating some of the weaknesses of each.

Unfortunately, in cryptology luck tends to be of the bad kind -- you might combine two cyphers that end up negating each other's good points, and nearly eliminating each other's strengths.

Ultimately, when somebody designs something like DES, IDEA or Blowfish, they're combining a number of more primitive operations into a single, complete cypher.

In your scenario, essentially the same thing is happening, EXCEPT that instead of an expert in cryptography studying the individual primitives in detail to ensure that they produce a good output, in the typical scenario somebody who knows nothing about cryptography is going to combine things with little or no chance to study them at all. The result may be quite secure, but it may also be EXTREMELY insecure. Without doing a fairly intensive study of the exact combination used, it's nearly impossible to say which.

In fact, the original set of ciphers need not be fixed. Allow
anybody to add his or her code to the lot in a public Internet
server in an environment where everybody can "Amazon-like" comment
on all present ciphers, where the experts' opinion is expressively
stated and where statistics are held about which products include
which ciphers in their "standard" set of ciphers.

This gets worse and worse. Rather than having a small set of primitives that you might be able to study in detail, you're now combining an unknown number of primitives in completely unknown ways. There's simply no way that anybody can keep up with all the possible combinations and figure out which of them produce dangerously poorly encrypted output.

So which world do you think is more secure: the AES-centric one,
or the "organized chaos" one? It seems to me the latter, because
the attacker will have a more complex task and less information to
work with.

It seems to me the former. Ultimately, you're designing a single cypher that'll be used to do the job. You're simply taking the design of the cypher away from people who study for years about how to do it as well as possible, and instead putting it in the hands of (mostly) people who haven't a clue of how to design a cypher.

One can ask if all this is really necessary.

One should start by asking whether it's really useful. Since the answer is "only rarely, if ever", it's pointless to deal with costs, necessity, etc.

It is still possible that somebody will publish a provable secure
cipher that is practical to implement. Meanwhile a variable cipher
protocol similar to the one described above would fulfil almost
everybody's requirements for symmetric encryption. This would leave
many other problems to worry about such as key management and
public key systems, Trojan horses, the appropriate use of encryption
technology, etc.

First of all, to a limited degree, variable protocols such as you describe are already available -- for example, different versions of PGP support either triple-DES or IDEA for the encryption, and RSA or Diffie-Hellman for key exchange. Secure email-protocols support relatively open-ended descriptions of the encryption used in a particular message, though (thankfully) only a few forms of encryption are presently supported.

Second, the variable protocol you propose would be likely to fulfill people's needs under only two possible sets of circumstances: either

  1. everybody becomes an expert in designing encryption before they use it, or
  2. they really don't need much security in the first place.

DES, AES, etc., are all about one basic idea: since most people neither know, nor want to know how to design secure encryption, the people who do know and care design something that nearly anybody can use, and derive real usefulness from it. If you take a number of components of poorly understood design, and leave it to a total amateur to pick a combination that'll work well, chances are all too high that the final result will be catastrophically awful.

In short: if you intend to combine cyphers and get a secure result, you need to put in quite a bit of study to know how they may interact. Just for example, most people take for granted that triple-DES is more secure than DES, simply because you have three times as large of a key. In fact, in the case of DES, it IS true, because it's been proven that DES does not form a group.

By contrast, assume somebody has the mistaken assumption that it all really comes down to key-size (quite a common misconception). He notices that the "XOR stream encryption" module will allow him to enter MUCH larger keys than any of the others, so he decides to do a "triple XOR stream encryption" with three different 40-byte (320-bit) keys.

Now, it happens that a simple XOR stream encryption DOES form a group, so first of all, doing it three times with three different keys hasn't really accomplished a thing -- you've still basically got only a 40-byte key. As I'm sure you're well aware, a simple XOR encryption with a 40-byte key is pathetically easy to break, even for a rank amateur at cryptanalysis.

You've made some strong claims here, and demolished a trivial example. Can you show a real example? Are there any known weaknesses in combining any pair of the following: Blowfish, IDEA, 3DES? An easier question would be to ask whether there are any weaknesses known in combining one of the previously mentioned list with any other cipher.

Are there real facts behind your claims or are you expressing a subjective judgement?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 27 Apr 1999 22:15:30 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.11902efa82856502989a2e@news.rmi.net References: 3725BADE.EF3B0685@aspi.net MPG.118e89fdf2aca1bd989a25@news.rmi.net Newsgroups: sci.crypt Lines: 63

In article 3725BADE.EF3B0685@aspi.net, fullmoon@aspi.net says...

[ ... ]

You've made some strong claims here, and demolished a trivial example. Can you show a real example? Are there any known weaknesses in combining any pair of the following: Blowfish, IDEA, 3DES?

An easier question would be to ask whether there are any weaknesses known in combining one of the previously mentioned list with any other cipher.

Are there real facts behind your claims or are you expressing a subjective judgement?

Of course there are real facts. I've demonstrated how one trivial example shows up poorly -- I'd thought that would show the fundamental problem, but apparently it didn't, so I'll try to point out the most fundamental problem more explicitly.

The most fundamental problem with the idea as-presented is that all the forms of encryption use the same key. That means that if any one of the forms of encryption used is broken, the enemy can recover the key and decrypt the message.

Just for the sake of demonstration, assume that you've got a message that you want to ensure against being decrypted within 10 years. For the sake of argument, let's say you use Blowfish, IDEA and triple-DES.
Again, purely for the sake of having some numbers, let's assign a 20% chance to each of these three forms of encryption being broken within the ten year time-frame.

In this case, encrypting with one of the three means you have a 20% chance of your message being decrypted. Encrypting with all three means you have a 60% chance of the message being decrypted.

IOW, by using the same key for all forms of encryption, the best you can hope for is to get the overall strength of the single weakest form of encryption used. If any one form of encryption is broken, the message can be decrypted.

To be at all useful, you need to start by using an independent key for each form of encryption. This means breaking one has no effect on the others.

Then you hope that applying the forms of encryption together doesn't lead to some previously unknown/unexpected weakness. Without fairly extensive study of a specific combination, it's impossible to make specific comments, but I'll point out a basic concept to consider: the forms of encryption we're talking about are all symmetric. If you apply essentially the same form of encryption twice, the second can end up decrypting the first. When you combine the two, you're basically hoping for a sum of their individual strengths, but if one ends up partially decrypting the other, you can end up with the difference instead of the sum, with results you'd rather not know about.

Of course, using independent keys for the different forms of encryption CAN help a great deal in this regard as well -- as long as the two forms of encryption don't form a co-group (so to speak) you can end up with a stronger result even if both using the same key would partly or completely cancel each other out. OTOH, if the two form a co-group, using a separate key for each might not help at all.
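The XOR-group collapse that Coffin uses as his trivial example, written out as an added Python example (this is not code from the thread or from any of its participants). The functions xor_stream, xor_keys and cascade, and the sample message and three 40-byte keys, are all constructed here for illustration. It checks two things: that three XOR passes with three different keys equal one pass with the XOR of those keys, so the cascade contributes no more key material than a single key of the same length, and that three passes with the same key equal a single pass, since two of them cancel.

```python
# Added example (not code from the thread): why cascading a simple XOR
# stream encryption collapses to a single XOR, as Jerry Coffin argues.
from functools import reduce


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the 'simple XOR stream encryption' of the thread."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_keys(*keys: bytes) -> bytes:
    """Combine equal-length keys by bytewise XOR (the group operation)."""
    length = len(keys[0])
    if any(len(k) != length for k in keys):
        raise ValueError("all keys must have the same length")
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*keys))


def cascade(data: bytes, keys) -> bytes:
    """Encrypt with xor_stream once per key, in the given order."""
    for k in keys:
        data = xor_stream(data, k)
    return data


def collapses_to_single_key(data: bytes, keys) -> bool:
    """True when the cascade equals one xor_stream under the XOR of the keys."""
    return cascade(data, keys) == xor_stream(data, xor_keys(*keys))


def effective_key_bits(keys) -> int:
    """Key material the cascade actually contributes: one key's worth."""
    return 8 * len(xor_keys(*keys))


def same_key_three_times(data: bytes, key: bytes) -> bool:
    """Three passes with one key equal a single pass: two of them cancel."""
    return cascade(data, [key, key, key]) == xor_stream(data, key)


# Constructed sample input: a message and three distinct 40-byte keys.
MESSAGE = b"constructed plaintext for the XOR cascade demonstration, 1999"
K1 = bytes((7 * i + 3) & 0xFF for i in range(40))
K2 = bytes((13 * i + 101) & 0xFF for i in range(40))
K3 = bytes((29 * i + 59) & 0xFF for i in range(40))


if __name__ == "__main__":
    print("three keys collapse to one:", collapses_to_single_key(MESSAGE, [K1, K2, K3]))
    print("effective key bits:", effective_key_bits([K1, K2, K3]))
    print("same key thrice == once:", same_key_three_times(MESSAGE, K1))
```

The collapse shown here is specific to XOR, where composing two encryptions is itself an encryption under a computable key. It does not follow for block ciphers in general: DES, for instance, was shown by Campbell and Wiener not to be a group, which is why triple-DES with independent keys is more than a re-keyed DES. For an arbitrary pair of ciphers the question has to be studied per combination, which is the point Coffin makes above.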


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 28 Apr 1999 05:18:00 GMT
From: dianelos@tecapro.com
Message-ID: 7g65m6$9uo$1@nnrp1.dejanews.com
References: MPG.118e89fdf2aca1bd989a25@news.rmi.net 7g0u3r$j1h$1@nnrp1.dejanews.com
Newsgroups: sci.crypt
Lines: 103

In article MPG.118e89fdf2aca1bd989a25@news.rmi.net, jcoffin@taeus.com (Jerry Coffin) wrote:

In article 7g0u3r$j1h$1@nnrp1.dejanews.com, dianelos@tecapro.com says...

[ ... ]

Let us design two possible future worlds and then pick the one that is more secure:

In the first the AES is used for almost all encryption.

In the second world we define a set of several interesting ciphers, preferably ciphers that are different in some fundamental ways. We put in there the AES, some more ciphers that have been extensively analyzed, some ciphers that follow different design methodologies (for example variable ciphers such as Frog, ciphers designed specifically for making analysis very difficult, ciphers using novel primitives or structures, etc.). Now add to all encrypted data or make implicit in all security applications the following information: the subset of the ciphers that must be used and at which "depth", i.e. how many ciphers out of this subset are cascaded in series. Finally extend the secret key with a sufficient number of bits that define the sequence of the ciphers. (I don't want to discuss here how the individual ciphers' keys are defined - I know it is not optimal but as a first approximation let us suppose all individual keys are identical.) Now observe that if you want to use the AES, you just define a subset that includes only the AES and a depth of one. But you can also include the entire set and a depth of one hundred.

The first is more secure, or at least more dependably secure. The problem is, when you combine two algorithms, you're basically designing a new cypher. If you're lucky, it'll combine the strengths of both the base cyphers, while negating some of the weaknesses of each.

Unfortunately, in cryptology luck tends to be of the bad kind -- you might combine two cyphers that end up negating each other's good points, and nearly eliminating each other's strengths.

It is possible that the combination of several independently designed ciphers is weaker than each one of them, but it is also highly unlikely. It is also possible to break a 3DES encryption by guessing the correct key on the first try, but again this is very unlikely. Unless someone finds a proof for a cipher's security the best we can do is estimate probabilities. Cascading ciphers does increase security in this sense. Schneier discusses this method in chapter 15.7 of the second edition of Applied Cryptography. There are also two papers by Maurer discussing the combination of block ciphers and of stream ciphers.

[...]

Dianelos wrote:

In fact, the original set of ciphers need not be fixed. Allow anybody to add his or her code to the lot in a public Internet server in an environment where everybody can "Amazon-like" comment on all present ciphers, where the experts' opinion is expressively stated and where statistics are held about which products include which ciphers in their "standard" set of ciphers.

This gets worse and worse. Rather than having a small set of primitives that you might be able to study in detail, you're now combining an unknown number of primitives in completely unknown ways. There's simply no way that anybody can keep up with all the possible combinations and figure out which of them produce dangerously poorly encrypted output.

Exactly right. You see the point is that if you use a set of eight ciphers, you cascade 50 executions of them and you keep the sequence secret you end up with about 2^150 _different_ ciphers. Also observe that the attacker will not know which of these ciphers is used. No possible adversary will be able to analyze any significant subset of this monstrous number of ciphers in order to mount an attack if, incredibly, a weak combination was found and also if, incredibly, this precise combination was used by somebody.

BTW I allow any cipher to be included in the Internet server as a matter of practicality. After all, all known ciphers are published somewhere and by having them all in one place my email program will be able to decrypt anything. Surely the experts would recommend which sub-sets of these ciphers should be used in practice.

[...]

Dianelos wrote:

One can ask if all this is really necessary.

One should start by asking whether it's really useful. Since the answer is "only rarely, if ever", it's pointless to deal with costs, necessity, etc.

On the contrary, such a scheme would be useful in almost all cases where speed is not an issue. There are many important cases where this is the case, such as email or financial transactions.

[...]

-----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 14:25:52 GMT
From: "Douglas A. Gwyn" DAGwyn@null.net
Message-ID: 3718A7C9.12B5EEF@null.net
References: 3718324d.13916819@news.io.com
Newsgroups: sci.crypt
Lines: 26

Terry Ritter wrote:

Currently, cryptanalysis seems to be some sort of "one shot" contest against the cryptographer, as opposed to an interactive joint process to attain a better cipher.

That is a management problem at the developing organization.

Even so, we still don't know that their guys aren't better, or even just luckier. I think it sometimes just takes a particular point of view to enable an alternative -- possibly much easier -- attack. And it may not be the smartest guy who has that new point of view.

Yes, but if your tiger team is really good and experienced (another management issue), you can attain a certain degree of confidence based on their positive evaluation (assuming they didn't have uneasy feelings about undiscovered weaknesses).

I guess I would suggest that if the goal was to get the best cipher, we would see a post-analysis re-design phase intended to fix known problems, with the final comparison being made between full-strength designs.

I guess you're talking about AES. If time constraints allow, that would be one reasonable part of the evaluation procedure, but you still have to draw the line somewhere and pick the best-to-date.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 16:49:26 -0400
From: Uri Blumenthal uri@watson.ibm.com
Message-ID: 371A4556.F9D193FB@watson.ibm.com
References: 3718324d.13916819@news.io.com
Newsgroups: sci.crypt
Lines: 7

At least one publicly known cipher (GOST) uses ADD (a more complex operation)...

Regards, Uri -=-=-==-=-=-


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 14:37:37 GMT
From: "Douglas A. Gwyn" DAGwyn@null.net
Message-ID: 3718AA8A.B2B460DE@null.net
References: 7fa0n5$v4m$1@nnrp1.dejanews.com
Newsgroups: sci.crypt
Lines: 22

dscott@networkusa.net wrote:

... Most people complain that my S-tables are too large. Since the size of s-tables in scott18u.zip is effectively larger than a one million byte key.

I think the question in their minds is, whether such a large S-table is essential to attain the desired level of security, or whether other approaches might be comparably secure.

My feeling is that the method that computers use should involve many more operations than what the public is used to. My code treats the whole file as a block. Which is something else the current blessed methods do not do.

The immediate thought one has is that treating the whole message would be a problem in many applications where data is generated in a stream, for example a TELNET session. However, a whole-file method can be applied to small blocks simply by treating each block in the sequence as a separate file. That would lose any benefit from the large-file property, however. Have you any estimate of the security of your method when used with small "files" (say, 512 bytes or less)?


Subject: Question on confidence derived from cryptanalysis.
Date: Sat, 17 Apr 1999 15:00:25 -0400
From: Geoff Thorpe geoff@raas.co.nz
Message-ID: 3718DA49.90CA4FAD@raas.co.nz
References: 37181079.5255438@news.io.com
Newsgroups: sci.crypt
Lines: 219

Hi there,

I have been following this thread with interest, albeit silently for a while, and for the most part I have enjoyed the intellectual horn-locking, especially Terry's unconventional but often insightful contributions. However, good ideas can quickly get buried in slop, or just unmasked as reactionary drivel as they seem (IMHO) to in Mr Ritter's post below ...

Terry Ritter wrote:

Sure they are. As far as I know, Schneier's point has always been that cryptanalysis is the way we know a cipher's strength. I'm sure he would agree that this is not proof, but I do not agree that it says anything at all. The implication that cryptanalysis would like to promote is indeed that of tested strength.

Your contributions in this thread seem to have an emerging theme ... that continued testing of a cipher by cryptanalysts (presumably using the "current most widely recognised techniques") does not guarantee some absolute/quantitative strength of the cipher against any attack (which I'm sure we would ALL, including Mr Schneier, agree with). However you also seem to suggest that it gives us no indication of tested strength at all. And here I disagree with you.

You want to sound a cautionary note that we all risk being naive and over-confident in our "cryptanalytic testing" of ciphers - excellent point and it is well taken. However, please do not go so far as to be similarly naive yourself, and to play things out to a theoretical abyss and expect us to follow you there.

History does in fact support the claim that bashing away at problems with the best techniques you can come up with at the time, for a period of time, DOES give some degree of confidence in "strength" than failing to do so does. Here strength is a practical measure, not a theoretical one.

Now no rational person is going to tell you that RSA simply will never be attacked at a much better complexity than the best current factoring techniques. Similarly, no rational person should assure you that attacking DES or triple DES will never improve much beyond brute-force key-searches. However, I will humbly suggest to you we ARE a lot safer against those possibilities than similar risks with newer and less studied techniques - and that history and common sense DO give us the right to those basic assumptions contrary to the gloomy and highly unhelpful view you hold.

A quick glance at any of the big mathematical problems in history, particularly the ones that are simply stated (ie the difficulty is not composed even partially out of obscurity - it looks more like a brick wall than a maze) almost always are either not solved even today, or were solved using techniques much more sophisticated than those available to those who posed the original question and first tried to solve it. Indeed the classical problems have typically given rise to entire branches of mathematics that grew out of a pursuit of that problem.

Fermat's Theorem is the obvious example but there are others too. Someone more up to date with things could clarify, but I think they were trying to refine Andrew Wiles' proof a little to slice a couple of hundred pages off it ... it simply was not solved using a ruler and compass and the odd quadratic here and there. And yes, as I'm sure you're thinking, it IS possible it can be solved with a ruler and compass and the occasional discriminant. But most people will be happy to accept that that is a lot LESS likely to happen than if I just pose a new simply stated differential equation and state it can't be solved in simple terms only to have someone prove me wrong.

Techniques, understanding, and formalised mathematical frameworks evolve

Let me ask the following - do you disagree with the following statement; "History has demonstrated time and time again, that the longer a problem resists the attack of academics, hobbyists, and mechanics - the probability the problem can be broken using simple techniques that were available at the time the problem was posed (or even comprehensible to the people of that time) decreases."

Occasionally someone invents a wheel, but divine beams of light are a lot less common than simple grunt-work and craftsmanship. This is also true of "our opponents" as you have a tendency to call them.

Not at least trying cryptanalysis on a cipher is stupid which I'm sure you agree with.

I do. But there is no one cryptanalysis. Indeed, there is no end to it. But we do have to make an end before we can field anything. This in itself tells us that cryptanalysis as certification is necessarily incomplete.

It is all probabilities and risk management. Mr Schneier will hopefully agree with me on that and I hope you do too (I hope anyone contributing to the crypto-frameworks I will have to use day-to-day agree with that also).

Would you have us believe that all things that are not absolute are necessarily equal? God, this sounds like a debate on socialism all of a sudden - my humblest apologies [;-)

Our main problem is that cryptanalysis does NOT say that there is no simpler attack. It does NOT say that a well-examined cipher is secure from your kid sister. Oh, many people will offer their opinion, but you won't see many such claims in scientific papers, because there we expect actual facts, as opposed to wishes, hopes, and dreams.

But those claims say as much as; "we've hopefully done the best we can with the best techniques we have and the best people we can find, and this one seemed to resist our best attacks the best so we can only give you the best assurances we can that the best chance you have is to use this one".

If you cannot interpret cryptanalytic conclusions in that fashion then you seem to miss their point. I agree with Mr Schneier ... it is a race

Cryptanalysis does NOT give us an indication of how much effort our Opponent will have to spend to break the cipher. Yet that is exactly what the cryptanalytic process would like us to believe: That is why

I disagree - your point of view has some merit but is no more valid than the polar opposite statement. If people devote their lives to keeping up to date with the literature and do their best to innovate and develop in full public-view, and their best attempts to break things fail for a period of time (and I'm talking about the crypto community as a whole here) then we CAN infer that that process represents a steadily increasing probability that it's not going to fall over tomorrow in some dramatic fashion. I do not mean that evolving cryptanalysis work provides increasing confidence in brand-new ciphers and what-not, rather that as one cipher builds up a catalogue of evolving cryptanalysis work against it that we DO have a decreasing probability that THAT cipher will fall over in show-stopper fashion.

we have the process of: 1) design a cipher, and 2) certify the cipher by cryptanalysis. As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

And it currently isn't? What exactly does the open publication of research, countless conferences, news-groups, mail-lists, web-sites, open-source projects, etc amount to other than a dynamic and interactive process? Also, thousands of hobbyists and professionals all doing their damndest to break each others ciphers gives me personally some confidence in the value of "standing the test of time".

Thanks. I suggest you learn it by heart if you intend to depend upon cryptography.

I suggest that you get a little more realistic. What do you have more confidence in, "NT.DLL" or an established release version of the linux kernel? Or IIS versus Apache? (again, speaking about versions which aren't acknowledged by the authors as being "beta"). And no, that question is not rhetorical, I'm actually interested to hear your response.

As for your continued suggestion that confidence in (relative) conclusions reached by noted cryptanalysts is overrated and work by lesser mortals unfairly disregarded. In reality I think you are wrong. (a) If a lesser mortal finds an improvement in cracking DES keys, they need only publish it to sci.crypt with the header "I think I can hack DES keys a bit faster ..." and they will get all the attention to their claims they desire, and if they have the facts to back it up they needn't worry about anonymity. (b) If someone with a track-record proposes a new cipher (or in my metaphor, an alteration to kernel.c in Linux) and someone unknown does the same, it is natural, right, and fair for me to regard the latter with more scepticism and the former with a little more of an open mind.

Perhaps this Darwinist philosophy is not to your liking but I'm afraid it fits the model. If I have a studied knowledge of shooting, am good at it myself, stay abreast of the most modern trends, and am widely respected as an expert in the field - then I am probably as good a person as any to suggest methods for staying out of the firing line.

This is my bit for public education.

And it has been useful to provide for thoughtful debate - but I think you overreach to absolute conclusions to counter opposing conclusions that I don't think anybody is actually making.

I have no modern products. I do offer cryptographic consulting time, and then I call it as I see it. I also own patented cryptographic technology which could be useful in a wide range of ciphers.

Great - perhaps if you would benefit us all (if that is your aim) by describing (a) how you made design decisions for your cryptographic technology (particularly with relationship to your awareness of classical and modern loopholes and weaknesses you were trying to avoid). (b) what kind of analysis has been (or could be) done on the/those technology(ies). (c) how you would convince anybody that your ideas merit some degree of trust/faith/use/investment.

Do you expect us to assume that even though the winning AES candidate will have been subjected to very deep analysis by very many parties of very different angles of vested interest/disinterest, because it COULD be broken tomorrow it has no more measurable "strength" than a boutique new idea which has not been widely distributed and tested? The fact two things are neither black nor white does not imply they are the same shade of grey.

I see no problem with someone promoting what they think is an advance in the field, even if they will benefit. But when reasoning errors are promoted which just happen to benefit one's business -- in fact, a whole sub-industry -- some skepticism seems appropriate. Just once I would like to see delusions promoted which produce less business.

You call them "delusions", I call them "reasoned and qualified critiques open to public dissemination and review" - let's call the whole thing off. (as the song goes).

Regards, Geoff


Subject: Re: Question on confidence derived from cryptanalysis.
Date: Sat, 17 Apr 1999 19:50:05 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 3718e5e9.9093614@news.io.com
References: 3718DA49.90CA4FAD@raas.co.nz
Newsgroups: sci.crypt
Lines: 463

On Sat, 17 Apr 1999 15:00:25 -0400, in 3718DA49.90CA4FAD@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

Hi there,

I have been following this thread with interest, albeit silently for a while, and for the most part I have enjoyed the intellectual horn-locking, especially Terry's unconventional but often insightful contributions. However, good ideas can quickly get buried in slop, or just unmasked as reactionary drivel as they seem (IMHO) to in Mr Ritter's post below ...

Terry Ritter wrote:

Sure they are. As far as I know, Schneier's point has always been that cryptanalysis is the way we know a cipher's strength. I'm sure he would agree that this is not proof, but I do not agree that it says anything at all. The implication that cryptanalysis would like to promote is indeed that of tested strength.

Your contributions in this thread seem to have an emerging theme ... that continued testing of a cipher by cryptanalysts (presumably using the "current most widely recognised techniques") does not guarantee some absolute/quantitative strength of the cipher against any attack (which I'm sure we would ALL, including Mr Schneier, agree with). However you also seem to suggest that it gives us no indication of tested strength at all. And here I disagree with you.

So here we are in disagreement.

You want to sound a cautionary note that we all risk being naive and over-confident in our "cryptanalytic testing" of ciphers - excellent point and it is well taken.

No, the point is NOT well-taken. It is ignored and brushed off as trivial and known. Then everyone sticks their head in the sand again until I bring it up again. This has happened for years.

However, please do not go so far as to be similarly naive yourself, and to play things out to a theoretical abyss and expect us to follow you there.

The abyss is there. By not following, you are in it.

History does in fact support the claim that bashing away at problems with the best techniques you can come up with at the time, for a period of time, DOES give some degree of confidence in "strength" than failing to do so does. Here strength is a practical measure, not a theoretical one.

But the only thing being "measured" here is the open, academic analysis. The real experts do not play this way. We thus have no way to understand their capabilities. The strength value measured on academics cannot apply to the real problem.

Now no rational person is going to tell you that RSA simply will never be attacked at a much better complexity than the best current factoring techniques. Similarly, no rational person should assure you that attacking DES or triple DES will never improve much beyond brute-force key-searches. However, I will humbly suggest to you we ARE a lot safer against those possibilities than similar risks with newer and less studied techniques - and that history and common sense DO give us the right to those basic assumptions contrary to the gloomy and highly unhelpful view you hold.

On the contrary: I have shown several different approaches which are helpful for security even in an environment where we cannot assure ourselves of the strength of any particular cipher. What is really gloomy and unhelpful is this insistence that the only thing we can do is wait for the "experts" to certify a cipher so we can use it.

We hit on a cipher as hard as we can and then assume it to be strong and insist that we use that one cipher because it is "better tested" than anything new. The "better tested" part is probably true, but unless we know the capabilities of our Opponents, it hardly matters. We don't know how they hit, or how hard.

A quick glance at any of the big mathematical problems in history, particularly the ones that are simply stated (ie the difficulty is not composed even partially out of obscurity - it looks more like a brick wall than a maze) almost always are either not solved even today, or were solved using techniques much more sophisticated than those available to those who posed the original question and first tried to solve it. Indeed the classical problems have typically given rise to entire branches of mathematics that grew out of a pursuit of that problem.

Fermat's Theorem is the obvious example but there are others too. Someone more up to date with things could clarify, but I think they were trying to refine Andrew Wiles' proof a little to slice a couple of hundred pages off it ... it simply was not solved using a ruler and compass and the odd quadratic here and there. And yes, as I'm sure you're thinking, it IS possible it can be solved with a ruler and compass and the occasional discriminant. But most people will be happy to accept that that is a lot LESS likely to happen than if I just pose a new simply stated differential equation and state it can't be solved in simple terms only to have someone prove me wrong.

Techniques, understanding, and formalised mathematical frameworks evolve

I doubt that the historical record applies to ciphers in the same way it does other problems. Nature is not deliberately trying to confuse and hide. Cryptography has a completely different situation.

Let me ask the following - do you disagree with the following statement; "History has demonstrated time and time again, that the longer a problem resists the attack of academics, hobbyists, and mechanics - the probability the problem can be broken using simple techniques that were available at the time the problem was posed (or even comprehensible to the people of that time) decreases."

Yes, I disagree. Each cipher either can or can not be solved easily. A Boolean result is not a probability. We only get a probability when we have a wide variety of ciphers. And then of course we still do not know what that probability is.

Occasionally someone invents a wheel, but divine beams of light are a lot less common than simple grunt-work and craftsmanship. This is also true of "our opponents" as you have a tendency to call them.

Not at least trying cryptanalysis on a cipher is stupid which I'm sure you agree with.

I do. But there is no one cryptanalysis. Indeed, there is no end to it. But we do have to make an end before we can field anything. This in itself tells us that cryptanalysis as certification is necessarily incomplete.

It is all probabilities and risk management. Mr Schneier will hopefully agree with me on that and I hope you do too (I hope anyone contributing to the crypto-frameworks I will have to use day-to-day agree with that also).

This is particularly disturbing: You do not know the probabilities, and you do not know the risk, yet you would have us manage the situation using exactly these quantities. That is mad.

I agree with a lot of handwave statements. I also take on the limits of the handwaves which are false. I am not against cryptanalysis; I think it should be used. I am against endowing it with mystical powers, and I am against the implication that this is how we know the strength of a cipher. Cryptanalysis gives us something, but not that. In particular, cryptanalysis does not really provide the confidence that others see in a "certified" result.

Would you have us believe that all things that are not absolute are necessarily equal? God, this sounds like a debate on socialism all of a sudden - my humblest apologies [;-)

In ciphers, YES, I would have you so believe.

Ciphers are distinctly different from other areas of experience. The problem is that our Opponents operate in secrecy. That means we actually do not know when our ciphers fail. But unless we know about failure, we cannot assess risk. Yet you and most others attempt to interpret risk as we do in areas where we know the risk.

For example, we have some general feeling about the risk of driving our cars because we see failure announced on the news. Everybody knows the risk of flying because we see the disaster reported. Crypto failure is not reported, so we assume that risk is low. That is a faulty assumption. We do not know the risk. But in any security analysis we necessarily must assume the risk is real.

Our main problem is that cryptanalysis does NOT say that there is no simpler attack. It does NOT say that a well-examined cipher is secure from your kid sister. Oh, many people will offer their opinion, but you won't see many such claims in scientific papers, because there we expect actual facts, as opposed to wishes, hopes, and dreams.

But those claims say as much as; "we've hopefully done the best we can with the best techniques we have and the best people we can find, and this one seemed to resist our best attacks the best so we can only give you the best assurances we can that the best chance you have is to use this one".

Yes, those are the formal claims. And then we see everyone putting their eggs in the basket of a single cipher (or small fixed group of ciphers) once again. The formal claims are not really what is being transmitted: What people see is a "certified" cipher which everyone should use instead of "uncertified" ciphers. In fact it is openly argued that "uncertified" ciphers have more risk, without being able to quantify that risk. While I would hope every cipher would get as much analysis as it could get, the "certification" of one cipher does not give us what we need. All it would take is a failure of that one cipher for us to lose everything we try to protect.

If you cannot interpret cryptanalytic conclusions in that fashion then you seem to miss their point.

On the contrary, if you cannot interpret the way those conclusions are mis-taken -- even in this group, even by you -- it is you who misses the point.

I agree with Mr Schneier ... it is a race

I disagree with Schneier. I will agree that it is contest between cryptographer and HIDDEN cryptanalyst. But it is no race because we do not know what the hidden guys can do. This is about like calling AES a "contest," when the rules are hidden so the winner can be chosen in a smoke-filled back room. This is not to mention the fact that patented ciphers were kept out, yet another decision influenced by Schneier which just happens to benefit him. Just a coincidence.

Cryptanalysis does NOT give us an indication of how much effort our Opponent will have to spend to break the cipher. Yet that is exactly what the cryptanalytic process would like us to believe: That is why

I disagree - your point of view has some merit but is no more valid than the polar opposite statement.

Hardly: The polar opposite does not provide a motive to alter the usual recumbent attitude and actually change the way we do business. Relying on any one cipher is a risk, and the extent of that risk is not known. Because the risk is unknown, it hardly makes sense to say that the experts have done all they can so we should trust the result.

Users should insist on having and using a wide and growing variety of ciphers. The fact is that these ciphers cannot be as well "certified" as any one cipher. But since "certification" cannot be complete, the possibility of failure even in such a cipher should not be ignored. But if one were to use that cipher in multiple ciphering along with two others (selected, say, by a random message key), we get the best of both worlds, at the cost of somewhat reduced throughput.

If people devote their lives to keeping up to date with the literature and do their best to innovate and develop in full public-view, and their best attempts to break things fail for a period of time (and I'm talking about the crypto community as a whole here) then we CAN infer that that process represents a steadily increasing probability that it's not going to fall over tomorrow in some dramatic fashion. I do not mean that evolving cryptanalysis work provides increasing confidence in brand-new ciphers and what-not, rather that as one cipher builds up a catalogue of evolving cryptanalysis work against it that we DO have a decreasing probability that THAT cipher will fall over in show-stopper fashion.

We know no such thing. We have no idea how many attacks there may be in theory, so cannot judge how many of those we know. All we know is that we know more than we used to, which is no probability at all.

we have the process of: 1) design a cipher, and 2) certify the cipher by cryptanalysis. As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

And it currently isn't? What exactly does the open publication of research, countless conferences, news-groups, mail-lists, web-sites, open-source projects, etc amount to other than a dynamic and interactive process?

The usual refusal to re-analyze a corrected work.

Also, thousands of hobbyists and professionals all doing their damndest to break each others ciphers gives me personally some confidence in the value of "standing the test of time".

There is no such standing without knowing real results. We have no idea how many tests are made, with what background and effort, and have no idea what the results were. This "test of time" is an illusion.

Thanks. I suggest you learn it by heart if you intend to depend upon cryptography.

I suggest that you get a little more realistic. What do you have more confidence in, "NT.DLL" or an established release version of the linux kernel? Or IIS versus Apache? (again, speaking about versions which aren't acknowledged by the authors as being "beta"). And no, that question is not rhetorical, I'm actually interested to hear your response.

I have no opinion. Confidence in programs is far different from confidence in ciphers. We can "test" programs, at least to see whether they do what we want, whether they crash, and so on. Ciphers are fundamentally different. We can test a cipher program to see whether it crashes, but we cannot know if it is providing the protection we want. We do not know if the cipher has already been penetrated and is being read by our Opponents just as easily as by the recipient. We do not know. And without knowing, we are unable to assess risk, or build either confidence or trust.

As for your continued suggestion that confidence in (relative) conclusions reached by noted cryptanalysts is overrated and work by lesser mortals unfairly disregarded. In reality I think you are wrong. (a) If a lesser mortal finds an improvement in cracking DES keys, they need only publish it to sci.crypt with the header "I think I can hack DES keys a bit faster ..." and they will get all the attention to their claims they desire, and if they have the facts to back it up they needn't worry about anonymity.

Excuse me, but why would someone with such a breakthrough publish it for free? Academics are paid to do their work, and paid to publish (in fact, most professional journals expect the author's organization to pay page fees). In a sense, academics are paid by society to give their work away -- but exactly where is the payment for the individual who comes up with similar advances? Why would they post it for free?

Anyone who thinks I am a greedy SOB, please feel free to look at my pages and see the information there for free. I am not paid to do that, nor am I compensated for "web excess bandwidth" charges for your downloads. But, somewhere, there must be a profit to be able to continue the work. People who do not get paid for publishing cryptanalysis have scant motive to do it. Unfortunately, I expect that our Opponents do indeed get paid for such work.

(b) If someone with a track-record proposes a new cipher (or in my metaphor, an alteration to kernel.c in Linux) and someone unknown does the same, it is natural, right, and fair for me to regard the latter with more scepticism and the former with a little more of an open mind.

You are forced into a basically unscientific approach because you have no way to measure the true strength of the designs. The very fact you are behaving this way tells us much about whether such designs can be trusted for what they are, or whether you would accept them being promoted as something they really are not. You would.

Perhaps this Darwinist philosophy is not to your liking but I'm afraid it fits the model. If I have a studied knowledge of shooting, am good at it myself, stay abreast of the most modern trends, and am widely respected as an expert in the field - then I am probably as good a person as any to suggest methods for staying out of the firing line.

But in shooting -- as in most other activities -- one knows the result. Ciphers are fundamentally different in that one does not know whether they are working or not.

This is my bit for public education.

And it has been useful to provide for thoughtful debate - but I think you overreach to absolute conclusions to counter opposing conclusions that I don't think anybody is actually making.

It is obvious that people are making the conclusion that cryptanalysis is certification, for there has been no effort to construct protocols which deal with the fact that we can have no confidence in the resulting cipher.

I have no modern products. I do offer cryptographic consulting time, and then I call it as I see it. I also own patented cryptographic technology which could be useful in a wide range of ciphers.

Great - perhaps if you would benefit us all (if that is your aim) by describing (a) how you made design decisions for your cryptographic technology (particularly with relationship to your awareness of classical and modern loopholes and weaknesses you were trying to avoid).

Basically I started out in stream ciphers, and read everything I could about them. As I recall, getting cryptographic information was far more difficult at the time. I followed the basic path from Vernam, and found more information about the sequence of development in the patent literature than elsewhere. We can see an ever-increasing complexity in the "running key generator" producing what I now call the "confusion sequence." As far as I could tell there had been no attempt to improve the combiner itself, and there was some feeling that a reversible nonlinear combiner was a contradiction in terms. But I did in fact find a new concept: Dynamic Substitution, which I patented and now own.

A stream cipher also needs an efficient confusion source, so I embarked on a survey of RNG technology. You can read about that in my Cryptologia article on my pages. From among the various schemes I selected the Additive RNG as being fast, and capable of expansion. For the first version, I found a primitive mod-2 polynomial of degree 11,213 and so constructed an RNG holding about 44K of state. I also innovated a new nonlinear filter to protect the RNG. The resulting CLOAK cipher used two levels of Dynamic Substitution, with 16 dynamic tables in the second level, which further protects the RNG.

With respect to my work in block ciphers, I have some descriptions of the tests I have used, and the results found, on my pages. In particular, I think the use of nonlinear complexity measurements to show the expected distribution for a larger block constructed out of smaller blocks and mixing, is fairly persuasive. Not proof, of course, but we already talked about that.

(b) what kind of analysis has been (or could be) done on the/those technology(ies).

My new technologies have been ignored by academia, even when formally published in Cryptologia. Schneier has said that this is normal for patented technology. Of course, academics are compensated for the work they do; I am not.

The fact that my work is not addressed probably has negative consequences for me. But it also means that academia has no background for dealing with these structures beyond what I have personally published. That may be insufficient, but it is all there is.

(c) how you would convince anybody that your ideas merit some degree of trust/faith/use/investment.

Jeez, I'm a technical guy (much to my loss I'm sure). I deliberately do not try to convince people. I do try to make information available for people to use. But as you imply most people are not able to use that information, and don't want to, but do want me to give them confidence in whatever cipher they are using. Alas, I know there is no such confidence, so I have no confidence to give them. They generally find this disturbing.

Do you expect us to assume that even though the winning AES candidate will have been subjected to very deep analysis by very many parties from very different angles of vested interest/disinterest, because it COULD be broken tomorrow it has no more measurable "strength" than a boutique new idea which has not been widely distributed and tested? The fact two things are neither black nor white does not imply they are the same shade of grey.

No, it implies that they have the same unknown risk: That of complete exposure. To not use one because we are afraid of that risk and then use the other which may have the same outcome is foolish.

I see no problem with someone promoting what they think is an advance in the field, even if they will benefit. But when reasoning errors are promoted which just happen to benefit one's business -- in fact, a whole sub-industry -- some skepticism seems appropriate. Just once I would like to see delusions promoted which produce less business.

You call them "delusions", I call them "reasoned and qualified critiques open to public dissemination and review" - let's call the whole thing off (as the song goes).

Which means?


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Sun, 18 Apr 1999 00:35:46 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 371944CB.9B77BF62@null.net References: 3718e5e9.9093614@news.io.com Newsgroups: sci.crypt Lines: 43

Terry Ritter wrote:

It is obvious that people are making the conclusion that cryptanalysis is certification, for there has been no effort to construct protocols which deal with the fact that we can have no confidence in the resulting cipher.

There is a difference between "less than total confidence" and "no confidence". In many cases, one can reliably estimate the enemy's capabilities and be confident that he is not in as good a position to succeed in attacks against your system as your own tiger team is; so if your guys can't crack the system, it is more likely than not that the enemy can't crack it either. Depending on the potential cost of being wrong, that might be good enough. If not, then your idea of additional protection makes sense. However, you need to prove that your protocols do add significant security; otherwise the new "protocolled" system is subject to the same argument you made about the original system, namely one doesn't know whether or not the enemy can crack it.

... As far as I could tell there had been no attempt to improve the combiner itself, and there was some feeling that a reversible nonlinear combiner was a contradiction in terms.

I assume you're talking about the open literature, because it's not the case inside the fence. That's one of the frustrating things about this business; there is a lot of (slow) reinvention of the wheel, due to extreme secrecy about what is known.

The fact that my work is not addressed probably has negative consequences for me. But it also means that academia has no background for dealing with these structures beyond what I have personally published. That may be insufficient, but it is all there is.

Largely, academia studies what they already know how to study, because the expectation of producing something "publishable" is greater that way. This is really sad, but understandable.

Just so you know, I appreciate your work and especially your making useful information available via the Web. Maybe self-publication will help mankind make progress in fields that are currently stagnating due to academic inbreeding.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Sun, 18 Apr 1999 05:20:40 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37196b57.4012898@news.io.com References: 371944CB.9B77BF62@null.net Newsgroups: sci.crypt Lines: 90

On Sun, 18 Apr 1999 00:35:46 GMT, in 371944CB.9B77BF62@null.net, in sci.crypt "Douglas A. Gwyn" DAGwyn@null.net wrote:

Terry Ritter wrote:

It is obvious that people are making the conclusion that cryptanalysis is certification, for there has been no effort to construct protocols which deal with the fact that we can have no confidence in the resulting cipher.

There is a difference between "less than total confidence" and "no confidence". In many cases, one can reliably estimate the enemy's capabilities and be confident that he is not in as good a position to succeed in attacks against your system as your own tiger team is; so if your guys can't crack the system, it is more likely than not that the enemy can't crack it either.

But you know this can be skating pretty near the edge. Sometimes it's hard to know what "we" can do (and, presumably, we know our guys), let alone predict what "they" can do. But in the case of a general-use crypto standard, this is a game we cannot play and could not afford the risk of playing anyway.

Depending on the potential cost of being wrong, that might be good enough. If not, then your idea of additional protection makes sense. However, you need to prove that your protocols do add significant security; otherwise the new "protocolled" system is subject to the same argument you made about the original system, namely one doesn't know whether or not the enemy can crack it.

I've given the basic argument various times. The argument for multiple ciphering is well known. The argument for using many ciphers rests on partitioning the data into independently-protected channels which compartmentalizes risk by reducing single-failure loss. This also reduces the motive for Opponents who might otherwise try to attack a single standard cipher. The argument for having a continuous flow of new cipher designs rests on the cost implications to any Opponent who tries to keep up with new designs.

Of these three, the last two both depend upon having a substantial number of ciphers, and the argument is made that these cannot be as well constructed -- or as thoroughly certified -- as a single standard. My response is that we do not know, in general, that even a "certified" cipher is strong enough. If we did, we would not need all this other stuff. I think it very reasonable to leave it to each user (or security office) to select the ciphers they want to use, and modify that list based on the latest ciphers and academic results. At least that way everyone is in charge of their own fate.

... As far as I could tell there had been no attempt to improve the combiner itself, and there was some feeling that a reversible nonlinear combiner was a contradiction in terms.

I assume you're talking about the open literature, because it's not the case inside the fence. That's one of the frustrating things about this business; there is a lot of (slow) reinvention of the wheel, due to extreme secrecy about what is known.

Yes, of course, I know only the open literature. I have no idea what was developed otherwise. For example, after I developed Dynamic Substitution, I realized that one could use a random Latin square as a combiner. I would expect that this was long known "inside," but am unaware of any open literature about it. (Shannon of course talks about Latin squares, but does so in the context of entire cipher transformations, and not stream-cipher combiners.)

The fact that my work is not addressed probably has negative consequences for me. But it also means that academia has no background for dealing with these structures beyond what I have personally published. That may be insufficient, but it is all there is.

Largely, academia studies what they already know how to study, because the expectation of producing something "publishable" is greater that way. This is really sad, but understandable.

Just so you know, I appreciate your work and especially your making useful information available via the Web. Maybe self-publication will help mankind make progress in fields that are currently stagnating due to academic inbreeding.

Coming from you, that means a lot. Thanks.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
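The random Latin square combiner mentioned above is easy to make concrete. The following is an added example, not code from the thread or from Terry Ritter's own products: it builds an order-256 Latin square (every row and every column is a permutation of 0..255), uses the confusion byte to select a row and the plaintext byte to select a column, and recovers plaintext through per-row inverse tables. The construction (random row, column and symbol permutations applied to the cyclic square `(i + j) mod 256`) and the seeded `random.Random` standing in for a keyed RNG are both illustration assumptions; neither samples uniformly from all Latin squares nor is cryptographically strong, and XOR is simply the special case `L[k][p] = k ^ p`.

```python
"""Random Latin square as a reversible, nonlinear stream-cipher combiner.

Added illustration for the sci.crypt discussion; not Ritter's Dynamic
Substitution and not code from the thread. A Latin square of order 256 is a
256x256 table in which every row and every column is a permutation of
0..255. Picking the row with the confusion (keystream) byte and the column
with the plaintext byte gives a combiner that is invertible: within a fixed
row the ciphertext byte identifies the column uniquely.
"""
import random

ORDER = 256


def make_latin_square(seed):
    """Apply random row, column and symbol permutations to the cyclic
    square L[i][j] = (i + j) mod 256. Every square built this way is Latin,
    but this does NOT sample uniformly from all Latin squares, and
    random.Random is not a cryptographic generator: both are assumptions
    made for illustration, not a recommended key schedule."""
    rng = random.Random(seed)
    rows = list(range(ORDER))
    cols = list(range(ORDER))
    syms = list(range(ORDER))
    rng.shuffle(rows)
    rng.shuffle(cols)
    rng.shuffle(syms)
    return [[syms[(rows[i] + cols[j]) % ORDER] for j in range(ORDER)]
            for i in range(ORDER)]


def invert_rows(square):
    """For each row k, inv[k][c] is the column j such that square[k][j] == c.
    This exists only because each row is a permutation."""
    inv = []
    for row in square:
        back = [0] * ORDER
        for j, c in enumerate(row):
            back[c] = j
        inv.append(back)
    return inv


def is_latin_square(square):
    """Check the defining property: each row and each column is a permutation."""
    full = set(range(ORDER))
    if len(square) != ORDER or any(len(row) != ORDER for row in square):
        return False
    rows_ok = all(set(row) == full for row in square)
    cols_ok = all(set(square[i][j] for i in range(ORDER)) == full
                  for j in range(ORDER))
    return rows_ok and cols_ok


def combine(square, confusion, plaintext):
    """Encrypt: ciphertext byte = square[confusion byte][plaintext byte].
    The confusion sequence must be at least as long as the plaintext."""
    return bytes(square[k][p] for k, p in zip(confusion, plaintext))


def decombine(inv, confusion, ciphertext):
    """Decrypt with the per-row inverse tables, using the same confusion bytes."""
    return bytes(inv[k][c] for k, c in zip(confusion, ciphertext))


def roundtrip(seed, confusion, plaintext):
    """Build a square from `seed`, encrypt, decrypt; return (ciphertext, recovered)."""
    sq = make_latin_square(seed)
    inv = invert_rows(sq)
    ct = combine(sq, confusion, plaintext)
    return ct, decombine(inv, confusion, ct)


if __name__ == "__main__":
    # Constructed sample input: a fixed pseudo-random "confusion sequence"
    # stands in for the output of a real running-key generator.
    msg = b"attack at dawn"
    conf = bytes(random.Random(7).randrange(ORDER) for _ in msg)
    ct, pt = roundtrip(seed=42, confusion=conf, plaintext=msg)
    print(ct.hex(), pt)
```

The point the example makes is structural: any Latin square gives a combiner that decrypts without ambiguity, while only the XOR square is linear in the confusion byte, which is why a secret, irregular square changes what a known-plaintext attacker learns about the keystream from a single ciphertext byte.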


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 17:36:26 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371cb65e.4479246@news.prosurfr.com References: 37196b57.4012898@news.io.com Newsgroups: sci.crypt Lines: 49

ritter@io.com (Terry Ritter) wrote, in part:

On Sun, 18 Apr 1999 00:35:46 GMT, in 371944CB.9B77BF62@null.net, in sci.crypt "Douglas A. Gwyn" DAGwyn@null.net wrote:

I assume you're talking about the open literature, because it's not the case inside the fence. That's one of the frustrating things about this business; there is a lot of (slow) reinvention of the wheel, due to extreme secrecy about what is known.

Yes, of course, I know only the open literature. I have no idea what was developed otherwise. For example, after I developed Dynamic Substitution, I realized that one could use a random Latin square as a combiner. I would expect that this was long known "inside," but am unaware of any open literature about it. (Shannon of course talks about Latin squares, but does so in the context of entire cipher transformations, and not stream-cipher combiners.)

Largely, academia studies what they already know how to study, because the expectation of producing something "publishable" is greater that way. This is really sad, but understandable.

Just so you know, I appreciate your work and especially your making useful information available via the Web. Maybe self-publication will help mankind make progress in fields that are currently stagnating due to academic inbreeding.

Coming from you, that means a lot. Thanks.

Although lately, once again, I've made a number of posts criticizing places where I think you've overstated your case - and I think it's very important not to overstate one's case when one is advocating a minority position - I will take the opportunity to acknowledge both that you have made contributions through your own work, as well as by representing a point of view that points in the direction of what I, also, feel is a correction needed by the cryptographic community.

One needs the very highest credibility when one is engaged in telling people what they do not want to hear.

As I, too, know "only what I read in the papers", I have no idea if someone in Serbia reading my web page has forced the NSA to spend X billions of dollars on new computers - I don't believe I've said anything in my own designs that would not have been obvious to professionals even in countries with far less impressive cryptographic capabilities than those of the U.S.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 22:03:05 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf98b.7553742@news.io.com References: 371cb65e.4479246@news.prosurfr.com Newsgroups: sci.crypt Lines: 68

On Tue, 20 Apr 1999 17:36:26 GMT, in 371cb65e.4479246@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

[...] Although lately, once again, I've made a number of posts criticizing places where I think you've overstated your case

Well, I guess in that case I need to go back and directly address those issues. They frankly seemed less compelling than some others at the time, and there is only so much time. In fact, I'm going to have to finish this up soon and get back to work.

I think it should be very disturbing to anyone actually trying to do Science to have to consider whether or not the conclusions they come to are a "minority position." It really does not matter how people vote on the facts: The facts are what they are. I do not even think about whether my "positions" are minority or majority, and I do not care.

I don't suppose there ever has been or ever will be anything I write that I will not look back on and say "Gee, I could have put that better." But I see no overstatement. If you do, you should state clearly what you consider the limits of the correct position, and highlight the excess which you consider beyond reality.

What I see in my comments is an attempt to correct certain irrational conclusions about cryptanalysis and strength which may have very significant negative consequences for society. This should be pretty much a straight logic argument with little opinion involved. The issue reappears periodically, but has been promoted recently in various writings by Schneier (in particular, the article in the March IEEE Computer column).

I will take the opportunity to acknowledge both that you have made contributions through your own work, as well as by representing a point of view that points in the direction of what I, also, feel is a correction needed by the cryptographic community.

One is tempted to ask why -- if you think this correction is needed -- you are not also trying to make it happen. Will you step into the breach as I retire? If you are not part of the solution....

One needs the very highest credibility when one is engaged in telling people what they do not want to hear.

On the contrary, all one needs to do is to show the logic: It is compelling.

If people want to wait for a crypto god to find a way to gracefully change his point of view, fine, but that is rumor and superstition, not Science. To really know what is going on you have to be able to draw your own conclusions, and to believe your own results. It is not my goal to provide a different package of rumor and superstition which happens to be correct. I am no crypto god, and I don't want to be one. This is not about me.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Sun, 18 Apr 1999 06:38:36 GMT From: tuwatc@buwoqwbopu.jxf (ovbxotm) Message-ID: slrn7hiven.c9.tuwatc@tpep.nofsozwovh.yq References: 3718e5e9.9093614@news.io.com Newsgroups: sci.crypt Lines: 5

Reading the same stuff from you Terry is getting old. Listening to you try to discuss "logic" with your tone is also getting old.

Guess its time to add an entry to my killfile.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Sun, 18 Apr 1999 18:48:37 -0400 From: Geoff Thorpe geoff@raas.co.nz Message-ID: 371A6145.FAE5E8B@raas.co.nz References: 3718e5e9.9093614@news.io.com Newsgroups: sci.crypt Lines: 570

Hello,

Terry Ritter wrote:

You want to sound a cautionary note that we all risk being naive and over-confident in our "cryptanalytic testing" of ciphers - excellent point and it is well taken.

No, the point is NOT well-taken. It is ignored and brushed off as trivial and known. Then everyone sticks their head in the sand again until I bring it up again. This has happened for years.

Once again, we are in disagreement - philosophically and factually it would appear. From your postings, I can understand why you think this, but it is based on a premise I simply do not accept and will not no matter how many times you repeat it. Namely, that repeated cryptanalytic testing does not provide a measure of the tested strength of a cipher. You often repeat claims to the effect or (a caveat as I'm not using your exact words) "if you can't break it or prove it unbreakable then you know nothing of the cipher's strength".

Abstract, extremist, conspiracy-theoretic poppycock.

I don't want to devolve into word games but it seems necessary here to at least address our difference, although I doubt it will lead to a "resolution" of that difference. Namely, the meaning of "strength". Me, like I said in my previous post, I regard it as a practical measure, not a theoretical one.

An algorithm is not implicitly "strong" - it is just an algorithm. It is not strong "against attack" in any purely abstract sense (unless you can prove it so; very unlikely in most cases for now it would seem). I measure strength as a fuzzy quality with many fuzzy factors and am quite happy to do so. You seem to find this objectionable and your puristic approach, though obviously suitable for you, would be unacceptable and impractical for me. Many other people too, I dare suggest, are in the real world and have to "make calls" on such things rather than sitting around contemplating their navels and espousing puristic and entirely unhelpful messages of gloom. I prefer to be pragmatic rather than idealistic.

However, please do not go so far as to be similarly naive yourself, and to play things out to an theoretical abyss and expect us to follow you there.

The abyss is there. By not following, you are in it.

You claim an abyss - and your justifications for it risk sending this discussion into the "There is a god - No there isn't" realm ... that is to say, our views seem axiomatically different and I don't expect one of us to substantially sway the other. If you claim there is a God, and I can't prove there isn't one, that does not imply that a God exists (for me at least). I consider triple-DES to be pretty "strong" - but you claim that we don't know how our "enemy" might be attacking it and our inability to fundamentally crack it means little - it's no more "strong" than anything else we haven't broken yet. I don't agree but I can't PROVE you wrong. It does not mean you're right - and many people share MY point of view on this. Please do not be so arrogant to state your opinion as fact and to deride others for not agreeing.

But the only thing being "measured" here is the open, academic analysis. The real experts do not play this way. We thus have no way to understand their capabilities. The strength value measured on academics cannot apply to the real problem.

perhaps this is because you're a little disgruntled with what you clearly see as ivory tower academics who don't measure up to the military resources or the hard-working "non-academics" of the world? Who knows. I certainly have no time for such cold-war style conspiracy theories - that somehow the knowledge present in military/intelligence agencies or foreign unstable countries (do the US still call them "commies"??) is probably so far distanced and dissimilar to what is available in the open as to make work, developments, and failures (to break ciphers) in the open completely irrelevant when considering "the enemy"'s corresponding work. They do not, as far as I know, take new-borns into their underground caves and transform them into teenage mutant ninja-cryptologists. In fact if I had to make a guess, I'd probably say that "they" (to avoid the Men In Black paying me a visit) would constitute the equivalent of a strong university research department with a few hundred times the computing power (and a few thousand times the budget). They're still the same species, again - as far as I know.

I know such views are not so fashionable, but I really don't fear the NSA and co's ability to be vastly more clever in punching through theoretical walls that seem impossible to us in the public - I regard it as a much greater risk that they have hidden agendas in the work that they do, seem to have a lack of checks and balances to protect against abuses (civil liberties and other such things), and technological arsenal enabling impractical breaks (for the public) to be highly practical ones.

On the contrary: I have shown several different approaches which are helpful for security even in an environment where we cannot assure ourselves of the strength of any particular cipher. What is really gloomy and unhelpful is this insistence that the only thing we can do is wait for the "experts" to certify a cipher so we can use it.

Exactly when did the experts certify triple-DES? If you're talking standards (or Government) committees putting a seal on it then no problem - I don't think anyone really thinks that gives the cipher an overnight guarantee of "strength". And when the AES winner is announced

As for the "experts" certifying a cipher ... I've yet to see a widely referenced paper by a widely referenced author that claims a cipher to be "secure" in any sense other than, "not insecure from the point of attack of this particular piece of research". Most papers I've seen in fact continue to add in the usual syntactical caveats even when most reasonable humans would infer them automatically. In fact, lately sci.crypt has demonstrated perfectly that the only ones claiming "100% secure" are the boutique unknowns who insist on heated and irrational accusations targeted at established technologies and technologists. Generally I find that the "experts" tend to be quite cautious in their own conclusions of their own products, ideas, and research.

We hit on a cipher as hard as we can and then assume it to be strong and insist that we use that one cipher because it is "better tested" than anything new. The "better tested" part is probably true, but unless we know the capabilities of our Opponents, it hardly matters. We don't know how they hit, or how hard.

No, but that does not mean their abilities are completely independent of ours. They probably grow up spoon-fed on the same academic literature that "we" are, continue to keep up to date with "our" developments - and may occasionally discover something before us, or even more radically - something we don't discover at all. This does not mean they exist in some parallel universe whereby our own work and conclusions can not be used to make even educated guesses as to what "they" might be able to achieve. That is simply naive and stubborn.

I doubt that the historical record applies to ciphers in the same way it does other problems. Nature is not deliberately trying to confuse and hide. Cryptography has a completely different situation.

That is a very vague dismissal of my point - without even attempting to justify your own statement, let alone why mine might have been wrong. Mathematical problems - that is what I was referring to ... Fermat, squaring the circle, approximating Pi, you name it - the same theme arises and I think the model does say something relevant for cryptography. Namely, lots of easily stated problems have easy solutions, lots of complicated problems have easy or complicated solutions (the remainder have no solutions), and there are a few pesky problems that are easy to state but prove very difficult to break. Here I mean, that the difficulty seems to stem not from any difficulty to phrase or comprehend the question correctly, but from some intrinsic "resilience" to attack (yes, using CONVENTIONAL methods of the time). History DOES provide an argument that the longer those pesky problems stay around, despite determined efforts to crack them - even developing entire branches of maths around them, then the probability DOES go down that someone is just going to slap their head and say "oops - damn, it was so obvious - why didn't we try that before". Sure it can happen, but like I said - we're talking probabilities and risk-management ... I don't mind if the coming years bring deep deep advances in finite algebra to the point that in 20 years, someone can break triple-DES with a polynomial-like complexity on time, key-length, and known plain-texts. But I will be highly ticked off if someone discovers that despite years of cryptanalysis, it's actually easy to break it using well established techniques and we should have spotted it before (and the military already had).

Let me ask the following - do you disagree with the following statement; "History has demonstrated time and time again, that the longer a problem resists the attack of academics, hobbyists, and mechanics - the probability the problem can be broken using simple techniques that were available at the time the problem was posed (or even comprehensible to the people of that time) decreases."

Yes, I disagree. Each cipher either can or can not be solved easily. A Boolean result is not a probability. We only get a probability when we have a wide variety of ciphers. And then of course we still do not know what that probability is.

And here you've just completely misunderstood, I hope as an oversight and not just to be provocative. I will agree that each cipher can or can not be solved easily - depending on suitably pinned-down definitions of "solved" and "easily". And yes that represents a boolean characteristic of the algorithm (applies to implementation too). But I was talking about the probability of that characteristic being true when it has not yet been discovered and yet people have been working hard to find such an "easy" "solution". If you really don't get this, rather than you just not reading it carefully, let me wander down a STATS101 example ...

I have a coin - I can see that one side has "heads". I acknowledge that the other side could either be a "tails", or someone has slipped me a bogus coin and both sides are "heads". I will even (for the benefit of the cipher-breaking metaphor) give the coin the benefit of the doubt that most likely, the other side is a "tails". However, after flipping the coin 4 times and it landing heads each time I'm starting to get a little more confidence that someone has slipped me a bogus coin. 400 heads later I'm really beginning to feel that the coin is bogus, or I'm incredibly unlucky. However, the other side of that coin was always a head or a tail - but until we determine that the best we can get is a (maybe conditional) probability. I'm not suggesting that we now have quite the confidence in triple-DES that I would have after flipping 400 heads with my coin, but if you post a new cipher tomorrow - I WILL have the same confidence in it (or less) than if I hadn't flipped the coin yet.

It is all probabilities and risk management. Mr Schneier will hopefully agree with me on that and I hope you do too (I hope anyone contributing to the crypto-frameworks I will have to use day-to-day agree with that also).

This is particularly disturbing: You do not know the probabilities, and you do not know the risk, yet you would have us manage the situation using exactly these quantities. That is mad.

Do you insure your car? Do you know the probabilities or the risk? I take a look at my driving, most others' driving, the risk (=trashing the car with no insurance), the probabilities (guess work based on my driving and others' too), the cost of insurance, and make a judgement call. It's called risk management and it's also called the real world. What information do I have on a brand-new cipher? I can probably download a PDF and some source code. What information do I have on triple-DES? It's still standing. I make a judgement call - don't call me MAD for that. I think you're mad if you don't see the distinction.

I agree with a lot of handwave statements. I also take on the limits of the handwaves which are false. I am not against cryptanalysis; I think it should be used. I am against endowing it with mystical powers, and I am against the implication that this is how we know the strength of a cipher. Cryptanalysis gives us something, but not that. In particular, cryptanalysis does not really provide the confidence that others see in a "certified" result.

Mystical??? I think you're sticking up your own strawmen here. Ask any implementor out there - "is IDEA breakable?" - I expect the answer in most cases to be - "dunno, it seems pretty strong". If so, they'd be using the same definition of strong I use.

Would you have us believe that all things that are not absolute are necessarily equal? God, this sounds like a debate on socialism all of a sudden - my humblest apologies [;-)

In ciphers, YES, I would have you so believe.

Well I think you're wrong. But I won't have you believe anything you don't want to believe.

Ciphers are distinctly different from other areas of experience. The problem is that our Opponents operate in secrecy. That means we actually do not know when our ciphers fail. But unless we know about failure, we cannot assess risk. Yet you and most others attempt to interpret risk as we do in areas where we know the risk.

Bull**** ... the risk is extremely well known; the risk is that someone can break our symmetric ciphers like water biscuits. We all know that risk - it's the probabilities that are open to debate. And I'm simply saying that a cipher not falling over after an extended period of review and all-out attack helps the probabilities. Wherever the probability is not 0 or 1 (or exactly 0.5) there is room for a surprise - in risk management you weigh up the probabilities with the effect of the possible outcomes, and make the best judgement call you can from that.

Me, I'm going to stick with RSA and triple-DES for a while. If you can't get a lot of worthwhile review of your technologies then that is a shame and may be doing you and your ideas a horrible disservice - but unfortunately as far as the real world is concerned, for now that DOES make your technology a bigger risk than RSA and triple-DES. Sorry but there it is.

For example, we have some general feeling about the risk of driving our cars because we see failure announced on the news. Everybody

No I get a feeling of the risk because everyday I take the car out onto the road and others fail to hit me almost every time. That's how I get a general feeling for the risk.

knows the risk of flying because we see the disaster reported. Crypto failure is not reported, so we assume that risk is low. That is a faulty assumption. We do not know the risk. But in any security analysis we necessarily must assume the risk is real.

Sure it's reported, as long as it is discovered by someone who reports such things. So the risk is that crypto fails, but fails in secrecy (and no one else independently reaches the same discovery and reports it). If the people who break these things without reporting it have skills completely independent of ours, or a large order of magnitude greater, then our failure to break it is independent of their failure or success. Otherwise, our failure to break it DOES decrease the chances that they have. The risk IS real, but the probability is not unrelated to our own abilities. That is just not the real world.

Yes, those are the formal claims. And then we see everyone putting their eggs in the basket of a single cipher (or small fixed group of ciphers) once again. The formal claims are not really what is being transmitted: What people see is a "certified" cipher which everyone should use instead of "uncertified" ciphers. In fact it is openly argued that "uncertified" ciphers have more risk, without being able to quantify that risk. While I would hope every cipher would get as much analysis as it could get, the "certification" of one cipher does not give us what we need. All it would take is a failure of that one cipher for us to lose everything we try to protect.

Exactly why do you, or many other designers, put multiple stages in a cipher design? I'm guessing it's so that the cipher is at least as strong as the strongest element in the chain (assuming the symbolic "chain" here is serial and not parallel, otherwise someone can go around rather than through that element).

The continuum between a cipher using different cryptographic primitives, and a protocol (eg SSL) supporting multiple ciphers is purely one of packaging and patents. In fact, allowing multiple ciphers is perhaps weaker because once a cipher is broken, you need to ensure that you "switch" that cipher off ... whereas a cipher with multiple different stages means cracking one stage just weakens it a bit (and probably causes a bit of a panic to get people off that cipher before it falls down totally).

Perchance, how do you propose that extensible, scalable, and interoperable computer network systems be built around an indefinite-length list of ciphers - many having not undergone much analysis - and with all the inevitable problems of entities not agreeing on ciphers that they both have implemented. Some kind of distributed object model? But wait, you'd have to secure the underlying comms for THAT with something and that means getting people to agree once again ... Perhaps you want to bring the discussion above these petty real-world considerations?

On the contrary, if you cannot interpret the way those conclusions are mis-taken -- even in this group, even by you -- it is you who misses the point.

Tell me where, especially if I've done it. I have higher hopes for something that has received a lot of review and is still standing than something that has not. So does nature, it's called natural selection. Pick a metaphor and run with it ... If a lion cub survives the first X months of life (low probability) then its chances of living to the age of Y improve greatly. etc etc etc.

I disagree with Schneier. I will agree that it is a contest between cryptographer and HIDDEN cryptanalyst. But it is no race because we do not know what the hidden guys can do. This is about like calling

And they are after all some alien race having developed an entire society of thought and process so vastly different to our own that our own results (or lack of) give no indication whatsoever as to their foreign abilities?

AES a "contest," when the rules are hidden so the winner can be chosen in a smoke-filled back room. This is not to mention the fact that patented ciphers were kept out, yet another decision influenced by Schneier which just happens to benefit him. Just a coincidence.

What were we discussing again? You said no matter how long a cipher stands up to public scrutiny and analysis, until it's broken or proved secure we have no more right to trust it than anything else. I disagreed. Now apparently AES is rigged??? These posts are long enough without that kind of divergence.

Cryptanalysis does NOT give us an indication of how much effort our Opponent will have to spend to break the cipher. Yet that is exactly what the cryptanalytic process would like us to believe: That is why

I disagree - your point of view has some merit but is no more valid than the polar opposite statement.

Hardly: The polar opposite does not provide a motive to alter the usual recumbent attitude and actually change the way we do business. Relying on any one cipher is a risk, and the extent of that risk is not known. Because the risk is unknown, it hardly makes sense to say that the experts have done all they can so we should trust the result.

So you would have us all jump from one cipher to the next, making interoperability and standardisation nigh on impossible because all-out attack on a few select (and widely discussed) algorithms will tell us nothing? No thanks. This is one sure way to guarantee that "they" definitely CAN break a good percentage of our traffic.

Users should insist on having and using a wide and growing variety of ciphers. The fact is that these ciphers cannot be as well "certified" as any one cipher. But since "certification" cannot be complete, the possibility of failure even in such a cipher should not be ignored.

No, but sound risk management should weigh up the fact that the more homegrown, back-country, and un-analysed ciphers you employ, the more certain you can be that you're using something some of the time that can be broken without trouble. Conversely, you are right that using one simple cipher can be a risk also. However, a well designed cipher should, I hope, rely on at least a couple of stages based on some effectively independent design ideas - achieving much the same thing as stringing 2 or more independent ciphers end on end. I am not a cipher designer however so I will yield to those who are to comment further on this idea.

While we're on the subject ... it seems most crypto protocols (SSL, PKCS#7/SMIME, OpenPGP? - not sure about that one) employ a bank of ciphers. And to be honest, if say 3 ciphers get through the AES process intact and all exhibit excellent performance or implementation characteristics ... I dare say the 2 that don't "win" will still get their fair share of implementation. If this one can be optimized well for smart-cards, but that one is much better for high-throughput implementations, the industry (not Government agencies) will push its considerable weight in that direction. I just don't think anyone should use the 128-bit cipher I came up with during an episode of the X-files just because you say in theory it's as strong as triple-DES until someone breaks either one of them.

But if one were to use that cipher in multiple ciphering along with two others (selected, say, by a random message key), we get the best of both worlds, at the cost of somewhat reduced throughput.

And this can't be achieved within ONE cipher? When you start talking multiple algorithms, you instantly start talking interoperability and standardisation headaches. You also increase the number of "pieces" in your puzzle when simplicity is far preferable. I see a security by obscurity argument in here somewhere ...

dramatic fashion. I do not mean that evolving cryptanalysis work provides increasing confidence in brand-new ciphers and what-not, rather that as one cipher builds up a catalogue of evolving cryptanalysis work against it that we DO have a decreasing probability that THAT cipher will fall over in show-stopper fashion.

We know no such thing. We have no idea how many attacks there may be in theory, so cannot judge how many of those we know. All we know is that we know more than we used to, which is no probability at all.

wrong. We know that existing attacks have failed to bust that cipher so far, and we know how much time/effort it stood up to. Let's assume (reasonably) that "the enemy" is privy to all our documented techniques

And it currently isn't? What exactly does the open publication of research, countless conferences, news-groups, mail-lists, web-sites, open-source projects, etc amount to other than a dynamic and interactive process?

The usual refusal to re-analyze a corrected work.

You sound bitter. Please answer the question with some explanation, justification, or even a reference - or move on ... perhaps you think that because the (US?) Government runs everything that political rather than industrial considerations pave the way? Well, I have a lot more faith in the industry and innovative people than you do if that's the case.

Also, thousands of hobbyists and professionals all doing their damnedest to break each others' ciphers gives me personally some confidence in the value of "standing the test of time".

There is no such standing without knowing real results. We have no idea how many tests are made, with what background and effort, and have no idea what the results were. This "test of time" is an illusion.

I see ... so the mystical men in black theory, put forward without evidence, should be allowed to dictate our thinking? All things, including ciphers, are relative. For the purposes of this post (now quite a huge one) I really don't care any more if "they" (the spooky people) have broken anything or not ... the fact is that on our side of the fence we've got reason to rate certain ciphers as having been tested more rigorously than others, and that (in lieu of ANY useful information about the spooky people) is what I intend to use in my decision making.

protection we want. We do not know if the cipher has already been penetrated and is being read by our Opponents just as easily as by the recipient. We do not know. And without knowing, we are unable to assess risk, or build either confidence or trust.

translation: "Without knowing if it is true or false, we cannot assess the probability as to whether it is true or false".

You are forced into a basically unscientific approach because you have no way to measure the true strength of the designs. The very fact you are behaving this way tells us much about whether such designs can be trusted for what they are, or whether you would accept them being promoted as something they really are not. You would.

Who's talking about "TRUE STRENGTH" ... we already agree that until it's proved secure or broken that we can't measure THAT, if in fact THAT exists at all. If I'm being forced into a basically unscientific approach - fine, I'm going for a pragmatic one instead - I'm talking about "tested strength". You on the other hand would prefer to run away from the issue and give no value to vast existing cryptanalytic work on widely distributed ciphers because "the enemy might already have broken them". I simply do not think that's rational.

Perhaps this Darwinist philosophy is not to your liking but I'm afraid it fits the model. If I have a studied knowledge of shooting, am good at it myself, stay abreast of the most modern trends, and am widely respected as an expert in the field - then I am probably as good a person as any to suggest methods for staying out of the firing line.

But in shooting -- as in most other activities -- one knows the result. Ciphers are fundamentally different in that one does not know whether they are working or not.

alteration: If for any key, it encrypts and can successfully decrypt, then it is working. What we don't know is if someone "else" has broken it, but "we" haven't yet. Unless you are overly paranoid, it is not unreasonable to draw "probabilistic" conclusions relating "their" abilities and "ours". My point is even more straightforward than that - if our people can break it, then of course they can too; if ours try but can't, that improves our chances a little that "they" haven't. Not even knowing whether "we" can crack it after a period of time is just opening the probabilistic window wider than we should for anything we plan to use.

It is obvious that people are making the conclusion that cryptanalysis is certification, for there has been no effort to construct protocols which deal with the fact that we can have no confidence in the resulting cipher.

Well if I had NO confidence in the cipher, why would I be using it? I've got loads of compressors and encoders I can call upon, why would I use a cipher if I have no confidence in it doing its job? Presumably, any such constructed protocol would provide a safeguard against a cipher not doing its job, that is encrypting with some degree of confidence. In other words, your protocol would be a security protocol. Do you see anything at all recursive here or is it just me?

[snipped lots of good stuff about your technologies, which I liked and do not have any beef with at all]

(b) what kind of analysis has been (or could be) done on the/those technology(ies).

My new technologies have been ignored by academia, even when formally published in Cryptologia. Schneier has said that this is normal for patented technology. Of course, academics are compensated for the work they do; I am not.

Well, you'll have to settle that with him and the others if you can. Like I said earlier, this may be doing you and your ideas a great disservice, but as long as it stands that way - people DO have the right to regard your ideas as "riskier" than the "rusted but not busted" ones.

The fact that my work is not addressed probably has negative consequences for me. But it also means that academia has no background for dealing with these structures beyond what I have personally published. That may be insufficient, but it is all there is.

So all ciphers are innocent until proven guilty? Unfortunately, when people's privacy and identity are at stake, ciphers (and other cryptographic primitives) are guilty until the prosecution have failed time and time again to get a conviction. It gets even worse, the cipher is never truly innocent, it just has a slowly decreasing degree of suspicion surrounding it.

No, it implies that they have the same unknown risk: That of complete exposure. To not use one because we are afraid of that risk and then use the other which may have the same outcome is foolish.

So what are we to do? Anyway, are we talking here about the chances of a cipher getting busted (ie the whole "strength" issue), or about the effect it would have if it DOES get busted. Whatever you use (be it 3 "ciphers" strung in a line), call it a cipher and go back to square one of the problem. If you keep changing ciphers, then you and I (and you and everybody else) will not have interoperating systems.

You call them "delusions", I call them "reasoned and qualified critiques open to public dissemination and review" - let's call the whole thing off. (as the song goes).

Which means?

One man's trash is another man's treasure ... insert any vaguely similar cliche for the same effect. I think repeated attempts by many people to break something and failing represents "tested strength". You think it represents "delusions". What are we to do?

Cheers, Geoff
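The coin-flip argument above, carried through as an explicit Bayes' rule update, with the same update applied to the "cipher survives n failed attack attempts" case it stands in for. This is an added worked example, not code from any of the posters; the prior of 0.1 for a bogus coin and the per-attempt success chance q for the cipher model are constructed assumptions.

```python
"""Bayesian reading of the coin-flip / surviving-cryptanalysis argument.

Added worked example for this thread; not code from the original posts.

Two binary hypotheses are updated with Bayes' rule:

  coin:   B = "bogus coin, heads on both sides".  Under B every flip is a
          head (likelihood 1); under not-B a head has likelihood 1/2.
  cipher: E = "an easy break exists".  Under not-E a serious attack attempt
          fails with probability 1; under E it fails with probability
          (1 - q), where q is the chance that one independent attempt finds
          the easy break.  q is an assumed model parameter, not a known value.

All priors and q values used below are constructed for illustration.
"""


def posterior(prior: float, lik_h: float, lik_not_h: float, n: int) -> float:
    """P(H | n independent observations) for a binary hypothesis H.

    lik_h and lik_not_h are the per-observation likelihoods of the observed
    outcome under H and under not-H.  With n = 0 the prior is returned
    unchanged, which is the "brand-new cipher posted tomorrow" case.
    """
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    if n < 0:
        raise ValueError("n must be non-negative")
    num = prior * lik_h ** n
    den = num + (1.0 - prior) * lik_not_h ** n
    if den == 0.0:
        # Both likelihood terms underflowed; the data cannot be weighed.
        raise ArithmeticError("likelihoods underflowed; use smaller n")
    return num / den


def bogus_coin_probability(prior: float, heads: int) -> float:
    """Probability the coin is double-headed after `heads` consecutive heads."""
    return posterior(prior, lik_h=1.0, lik_not_h=0.5, n=heads)


def easy_break_probability(prior: float, q: float, failed_attempts: int) -> float:
    """Probability an easy break exists after `failed_attempts` failed tries.

    Each attempt is modelled as independent and as finding an existing easy
    break with probability q.  The result can only fall as attempts fail;
    it never reaches 0, matching the point that a cipher is never "proven".
    """
    if not 0.0 < q <= 1.0:
        raise ValueError("q must be in (0, 1]")
    return posterior(prior, lik_h=1.0 - q, lik_not_h=1.0, n=failed_attempts)


def confidence_curve(prior: float, q: float, steps) -> list:
    """(failed_attempts, P(easy break)) pairs for the given attempt counts."""
    return [(n, easy_break_probability(prior, q, n)) for n in steps]


if __name__ == "__main__":
    # Constructed prior: give the coin the benefit of the doubt (10% bogus).
    for n in (0, 4, 400):
        print(f"coin: {n:3d} heads -> P(bogus) = {bogus_coin_probability(0.1, n):.6f}")
    # Constructed cipher model: 50/50 prior, each attempt has a 50% chance
    # of finding an easy break if one exists.
    for n, p in confidence_curve(0.5, 0.5, (0, 1, 4, 10, 400)):
        print(f"cipher: {n:3d} failed attempts -> P(easy break) = {p:.6g}")
```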


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 05:16:48 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 371AD828.30BA797A@null.net References: 371A6145.FAE5E8B@raas.co.nz Newsgroups: sci.crypt Lines: 99

Geoff Thorpe wrote:

perhaps this is because you're a little disgruntled with what you clearly see as ivory tower academics who don't measure up to the military resources or the hard-working "non-academics" of the world? Who knows. I certainly have no time for such cold-war style conspiracy theories - that somehow the knowledge present in military/intelligence agencies or foreign unstable countries (do the US still call them "commies"??) is probably so far distanced and dissimilar to what is available in the open as to make work, developments, and failures (to break ciphers) in the open completely irrelevant when considering "the enemy"'s corresponding work.

It depends on who you conceive the potential "enemy" to be. For many perfectly decent people, their own governments can become their enemies; history gives us many instances of this.

While the cryptanalytic bureaus of most third-world countries might not be very advanced, the one in the US certainly is. Therefore, it is quite appropriate to be concerned with provable security instead of "nobody in academia has a clue" security. The former should, if properly applied, stand up against any enemy, while the latter stands up only against, shall we say, amateurs.

(I'm not suggesting that academics haven't made useful contributions to the state of the art, just that their work does not define the total state of the art.)

Mathematical problems - that is what I was referring to ...

Yes, cryptology is largely applied mathematics, but practical cryptanalysis has evolved in the context of operational experience that is largely unavailable to outsiders, and that has caused a substantial difference between insiders and outsiders in their aims and methods.

Some problems, like efficient factoring, are obviously relevant, and unlikely to be achieved in secret without happening in the outside around the same time. Other breakthroughs have been kept secret for decades, in some cases. So there really is reason to fear that the most advanced "enemies" might know how to easily crack some system you use that appears uncrackable to all outsiders.

But I will highly ticked off if someone discovers that despite years of cryptanalysis, it's actually easy to break [3DES] using well established techniques and we should have spotted it before (and the military already had).

There is a significant difference between what is "well established" in long-existing, well-funded cryptologic organizations and what is "well established" in the dispersed, high-turnover-rate academic community.

There is a big problem in working in applied fields academically, since it is harder to get academic respect from publication of application or tutorial papers instead of research papers. There are many technologies that are well-known in general in the research community, but their specific application to cryptology is not well known.

We all know that risk - it's the probabilities that are open to debate. ...

More precisely, the likelihoods. The nice thing is that relative likelihoods can be estimated and used to make decisions; e.g. "I need a cipher that -- pick one." If the consequences of not making a decision are sufficiently severe, then even an uncertain decision can be better than letting the uncertainty stop you from making a decision.

Me, I'm going to stick with RSA and triple-DES for a while.

In a well-designed cryptosystem, these do seem sufficiently secure against realistic threats for the near future. Any vulnerabilities would most likely occur elsewhere in the system/protocols, not in these encryption algorithms as such (assuming of course a long RSA key, and 168-bit 3DES key).

Exactly why do you, or many other designers, put multiple stages in a cipher design. I'm guessing it's so that the cipher is at least as strong as the strongest element in the chain ...

That seems to be part of Ritter's aim, but others seem to think that during cryptanalysis the stages have to be peeled like an onion, and they assume that there is not enough pattern available at the next-to-outermost layer for there to be any chance of peeling the outer layer off.

And this can't be achieved within ONE cipher? When you start talking multiple algorithms, you instantly start talking interoperability and standardisation headaches.

That's a significant concern, because breakdowns in operational procedure often provide the enemy analyst the entering wedge he needs to crack a system.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 13:37:32 -0400 From: Geoff Thorpe geoff@raas.co.nz Message-ID: 371B69DC.17EE09E1@raas.co.nz References: 371AD828.30BA797A@null.net Newsgroups: sci.crypt Lines: 195

Hello,

"Douglas A. Gwyn" wrote:

It depends on who you conceive the potential "enemy" to be. For many perfectly decent people, their own governments can become their enemies; history gives us many instances of this.

Of course, and for most people following the current crypto issues even passively, I think they regard the regulatory and military arms of government to be the biggest problem.

While the cryptanalytic bureaus of most third-world countries might not be very advanced, the one in the US certainly is.

Agreed - it would be extraordinarily naive to dispute that fact. The point I was trying to make was that the collective academic grunt (and other "in the open" contributors) we have in cryptography and cryptology does not (or rather, can not) pale so completely by comparison to "the enemy" that our research and results give no indication to a cipher's susceptibility to "theirs". Mr Ritter seemed to have a very different and quite extreme view on this point. However, I get the impression you tend to agree - if we can't punch a hole in it, that lowers the odds that they can (as compared to not having really seen if WE can yet).

Therefore, it is quite appropriate to be concerned with provable security instead of "nobody in academia has a clue" security. The former should, if properly applied, stand up against any enemy, while the latter stands up only against, shall we say, amateurs.

Provable security is a very hairy branch of science - unless you pin yourself to some pretty broad axiomatic presumptions (which themselves then become the target of much scepticism and debate) proving security becomes highly awkward. I guess this is necessary because it is nearly impossible to categorise the class of "attacks" in any meaningful way (except perhaps invoking Turing machines?! [;-) If one could show that a given cipher (key) can or can not be broken at an expected running time better than 50% of a key-space search by an appropriate Turing machine it would be quite a piece of work.

(I'm not suggesting that academics haven't made useful contributions to the state of the art, just that their work does not define the total state of the art.)

Oh I agree completely - I was just taking issue with what I perceived to be the following idea: Until we actually break it, or prove it secure, we have no more measure of strength for it than for another (less "investigated") one. I feel that quite the opposite is true - it IS a very appropriate statistical measure of strength, and moreover the only realistic one we have to work with. If the total state of the art stays roughly in sync with the academics, albeit "they" may have a couple of things up their sleeves and they may often get the jump on us by a few months/years with various developments, then we can make reasoned guesstimations on the strength of a cipher against them based on the strength of a cipher against us.

Mathematical problems - that is what I was referring to ...

Yes, cryptology is largely applied mathematics, but practical cryptanalysis has evolved in the context of operational experience that is largely unavailable to outsiders, and that has caused a substantial difference between insiders and outsiders in their aims and methods.

Well yes and no ... applied mathematics has a handy way of pushing things along nicely particularly in the area of computation (complexity) problems. "Their" ideals may be different to ours but I doubt their aims or methods are ... everybody would love to break an established cipher (with the possible exception of the patent holder), everybody would love to prove a cipher secure (with the possible exception of the patent holder's competition). I dare say the NSA et al have less motivation to chase down some of the more daunting theoretical possibilities for weaknesses in algorithms, especially when in reality, so many of them lead nowhere or to advances that are at best - theoretical.

"They" have budgets (albeit big ones) and they probably have things they'd rather spend it on (satellites, lobbying, hardware, breaking implementations, breaking installations, etc). OTOH, having been post-grad in a mathematics department before I know very well that this obsession for looking in every nook and cranny of all things theoretical is exactly the sort of thing academics get off on. Cracking ciphers (ie. the actual algorithm itself, not the practical implementation details that may be vulnerable) is much more the meat and veg of academics who like to play and write papers. "They" just want information, and I'm guessing just do whatever they got to do to get it - and searching endlessly for little theoretical weaknesses is probably not their top priority. That's not to say they don't do it and do it very well, but I doubt their considerable advantages in resources are put so much to this task as to make our abilities so incomparable or unrelated as some might believe.

Some problems, like efficient factoring, are obviously relevant, and unlikely to be achieved in secret without happening in the outside around the same time. Other

I agree but I doubt very much Mr Ritter does.

breakthroughs have been kept secret for decades, in some cases. So there really is reason to fear that the most advanced "enemies" might know how to easily crack some system you use that appears uncrackable to all outsiders.

I know - and there's a lot of targets out there so the odds are on that at least one of them has fallen completely to an "unpublished" source without our knowing it. However, I just think it's more likely to be something less well analysed in the "open" than something well analysed in the "open" for the reasons I've mentioned, and that Mr Ritter doesn't agree with.

On a related note (and all IMHO), bit-twiddling little ciphers are no less "mathematical" than efficient factoring. Discrete maths actually finds that cute little "permutation stuff" quite fashionable, from my limited contact with it (and them). Factoring tends to interest (again from my limited contact) more the applied heads - meaning I'd give better odds to developments in faster optimizations on 64-bit platforms with super-dooper cache than to fundamental breaks in the factoring algorithms [;-)

There is a significant difference between what is "well established" in long-existing, well-funded cryptologic organizations and what is "well established" in the dispersed, high-turnover-rate academic community.

True - and to agree with Mr Ritter for a moment, I think perhaps another risk is that the academics tend to show interest in things that interest them - whereas the well-funded organisations you speak of more likely show interest in things that give them the best chance of accomplishing some objective. However, this pragmatic mind-set, albeit fearsome in many ways, might give us some hope that in the ethereal heights of trying (and hoping) to break an already well-studied algorithm, they probably are less hopeful, less obsessed, and more practical and realistic. After all, RSA and IDEA may be perfect, but if Win95's TCP allows a password-sniffer to leak into your PC, "they" have accomplished their objective and "broken" PGP as far as "they" are concerned.

There is a big problem in working in applied fields academically, since it is harder to get academic respect from publication of application or tutorial papers instead of research papers. There are many technologies that are well-known in general in the research community, but their specific application to cryptology is not well known.

Probably quite true.

We all know that risk - it's the probabilities that are open to debate. ...

More precisely, the likelihoods. The nice thing is that relative likelihoods can be estimated and used to make decisions; e.g. "I need a cipher that -- pick one." If the consequences of not making a decision are sufficiently severe, then even an uncertain decision can be better than letting the uncertainty stop you from making a decision.

Exactly, and well said.

Me, I'm going to stick with RSA and triple-DES for a while.

In a well-designed cryptosystem, these do seem sufficiently secure against realistic threats for the near future. Any vulnerabilities would most likely occur elsewhere in the system/protocols, not in these encryption algorithms as such (assuming of course a long RSA key, and 168-bit 3DES key).

I think that too, but as Mr Ritter might say - you are already in the abyss and are naive if you think that. If that is so, I am comfortable in my naivety.

That seems to be part of Ritter's aim, but others seem to think that during cryptanalysis the stages have to be peeled like an onion, and they assume that there is not enough pattern available at the next-to-outermost layer for there to be any chance of peeling the outer layer off.

Well hopefully someone will look at this, and demonstrate some success from it. Results speak for themselves, even to ivory tower academics [;-)

And this can't be achieved within ONE cipher? When you start talking multiple algorithms, you instantly start talking interoperability and standardisation headaches.

That's a significant concern, because breakdowns in operational procedure often provide the enemy analyst the entering wedge he needs to crack a system.

Exactly, and if I resort to using a different cipher every week ... the cryptanalysts will not keep up with them satisfactorily and I have a lot more confidence that "they" WILL be breaking my traffic on a semi-regular basis.

Cheers, Geoff


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 19:05:13 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371b7e4f.6941446@news.io.com References: 371B69DC.17EE09E1@raas.co.nz Newsgroups: sci.crypt Lines: 169

On Mon, 19 Apr 1999 13:37:32 -0400, in 371B69DC.17EE09E1@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

[...] Agreed - it would be extraordinarily naive to dispute that fact. The point I was trying to make was that the collective academic grunt (and other "in the open" contributors) we have in cryptography and cryptology does not (or rather, can not) pale so completely by comparison to "the enemy" that our research and results give no indication of a cipher's susceptibility to "theirs". Mr Ritter seemed to have a very different and quite extreme view on this point. However, I get the impression you tend to agree - if we can't punch a hole in it, that lowers the odds that they can (as compared to not having really seen if WE can yet).

If you really want to bait Mr. Ritter, I'll go one round with you:

I have just previously covered my main argument, which is basically that IN MY OPINION, with a single standard cipher, there will be far too much value at risk to endure even a small possibility of single-cipher failure. I note that the POSSIBILITY of such failure is fact, not opinion. The opinion part of this is my judgment of the costs and consequences of failure, versus the additional cost of protecting against such failure.

My position is that the consequences of failure of a universal single-cipher system would be catastrophic, and that even a small probability of such failure is unacceptable. This means we cannot depend on any single cipher, no matter how well reviewed. We can reduce the probability of single-cipher failure, and reduce also the value of information at risk from any failure, by changing what we consider a cipher system to be.

What I call the cul-de-sac extension of this argument is the question of just how small the probability of failure is.

  1. I dispute the idea that by applying various attacks to a cipher we somehow can predict how it will perform on future unknown and potentially unrelated attacks. (And if this were true, we should be able to see the effect with respect to past ciphers. This should be measurable and quantifiable in a scientific sense. But we have no such reports.)

  2. I dispute the idea that by looking at the attacks we have we can somehow estimate the probability that unknown attacks exist. (Again, were this true, we should have scientific evidence to support it. But we do not.)

  3. I dispute that we can estimate the capabilities of our Opponents from the capabilities we see in academics or that we can extrapolate from our open experience to predict the capabilities of our Opponents.

(Alas, there is no evidence to be had here.)

In summary: 1) We cannot estimate the probability that an effective attack exists which we did not find; and 2) We cannot estimate the probability that even if such an attack does exist, our Opponents can find it and use it. I thus claim that we CAN know nothing of the probability of future cipher failure, and cannot even reason that this probability is "small." The practical consequence of this is that we cannot trust any cipher.

IF we were willing to assume that our Opponents would use only the attacks we know and have tried, presumably we could have insight into the amount of effort needed to break a cipher (although we might have screwed up in testing). But I am of the opinion that we cannot assume that our Opponents have our limitations. Indeed, I think this is very basic cryptography.

[...] I was just taking issue with what I perceived to be the following idea: Until we actually break it, or prove it secure, we have no more measure of strength for it than for another (less "investigated") one. I feel that quite the opposite is true - it IS a very appropriate statistical measure of strength, and moreover the only realistic one we have to work with. If the total state of the art stays roughly in sync with the academics, albeit "they" may have a couple of things up their sleeves and they may often get the jump on us by a few months/years with various developments, then we can make reasoned guesstimations on the strength of a cipher against them based on the strength of a cipher against us.

And upon what evidence do you base your opinion that we can predict what our Opponents can do?

Do you even have evidence that we can predict what our guys can do?

[...]

Some problems, like efficient factoring, are obviously relevant, and unlikely to be achieved in secret without happening in the outside around the same time. Other

I agree but I doubt very much Mr Ritter does.

The idea that any cipher may have an effective attack is fact, not opinion. The only opinion here is whether the issue is worth addressing.

Presumably, you would handwave about what our Opponents can do both now and in the future and say that caution is silly. But that conclusion is based on your opinion that we can predict what others may do in the future, which I find very strange. If that were true in general, we could put criminals in jail before they did anything.

breakthroughs have been kept secret for decades, in some cases. So there really is reason to fear that the most advanced "enemies" might know how to easily crack some system you use that appears uncrackable to all outsiders.

I know - and there's a lot of targets out there so the odds are on that at least one of them has fallen completely to an "unpublished" source without our knowing it. However, I just think it's more likely to be something less well analysed in the "open" than something well analysed in the "open" for the reasons I've mentioned, and that Mr Ritter doesn't agree with.

Mr. Ritter has always recommended that we get as much cryptanalysis as we can. But he also points out that this is an open-ended process which in any case must be terminated to have a product. So our cryptanalysis can never be complete.

With respect to the problem of potential catastrophic failure from a single-cipher system, no amount of cryptanalysis can prevent such failure. Both untested ciphers and massively-tested ciphers are the same in the sense that neither can be trusted.

[...]

Me, I'm going to stick with RSA and triple-DES for a while.

In a well-designed cryptosystem, these do seem sufficiently secure against realistic threats for the near future. Any vulnerabilities would most likely occur elsewhere in the system/protocols, not in these encryption algorithms as such (assuming of course a long RSA key, and 168-bit 3DES key).

I think that too, but as Mr Ritter might say - you are already in the abyss and are naive if you think that. If that is so, I am comfortable in my naivety.

Mr. Ritter would say that you are vulnerable to a single-cipher failure. And as long as the problem is just you, we really don't care. But if the problem eventually becomes the whole society pretty much using the same cipher, we may care, yet be well past the time to do much about it.

[...] Exactly, and if I resort to using a different cipher every week ... the cryptanalysts will not keep up with them satisfactorily and I have a lot more confidence that "they" WILL be breaking my traffic on a semi-regular basis.

The whole point of that particular approach is that cryptanalysts will not keep up. In particular, the other side will not keep up, and those are the guys we have to worry about.

It should be possible for a true cipher designer to use various alternatives to achieve a similar result, thus mixing and matching and producing various different ciphers with similar supposed strength, whatever that may be. We cannot hope to know that strength by cryptanalysis, of course.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 19:07:13 GMT From: aardwolf@telusplanet.net (Earth Wolf) Message-ID: 371b711c.6682075@news.calgary.telusplanet.net References: 371b7e4f.6941446@news.io.com Newsgroups: sci.crypt Lines: 110

On Mon, 19 Apr 1999 19:05:13 GMT, ritter@io.com (Terry Ritter) wrote:

I have just previously covered my main argument, which is basically that IN MY OPINION, with a single standard cipher, there will be far too much value at risk to endure even a small possibility of single-cipher failure.

Depends on what you're trying to protect. Is it tactical or strategic information? i.e. does it have to be kept secret for the next millennium, or will it be public knowledge at 9:00 a.m. next Tuesday? If this secret is revealed, will I lose a hundred dollars on the stock market, or will the world be sucked into a black hole? Is my quest for the "ultimate" cryptosystem going to be so horrendously cumbersome that the users will refuse to use it? Is the decrease in bandwidth going to prevent vital information from being disseminated in a timely fashion?

Remember Pearl Harbour, where warning of the impending attack arrived by messenger amid the smoking aftermath? A clear case of how too much security can be almost as bad as none at all. Real world security deals with these kinds of trade-offs in a way that your ivory tower thinking can never comprehend, I'm afraid.

  1. I dispute the idea that by applying various attacks to a cipher we somehow can predict how it will perform on future unknown and potentially unrelated attacks. (And if this were true, we should be able to see the effect with respect to past ciphers. This should be measurable and quantifiable in a scientific sense. But we have no such reports.)

What kinds of reports are you looking for? There are lots of archaic ciphers which were considered unbreakable in their day which are child's play to solve with modern technology. The Jefferson wheel, for example. What more were you looking for?

In summary: 1) We cannot estimate the probability that an effective attack exists which we did not find;

Of course we can. I estimate it to be 17.375%. It may not be the most reliable estimate, of course :-)

I thus claim that we CAN know nothing of the probability of future cipher failure, and cannot even reason that this probability is "small." The practical consequence of this is that we cannot trust any cipher.

I'll trust DES a heck of a lot more than I trust ROT-13. And I'll trust 3DES a heck of a lot more than I trust DES.

IF we were willing to assume that our Opponents would use only the attacks we know and have tried, presumably we could have insight into the amount of effort needed to break a cipher (although we might have screwed up in testing). But I am of the opinion that we cannot assume that our Opponents have our limitations. Indeed, I think this is very basic cryptography.

No, basic cryptography involves making your best estimate of your opponents' capabilities and designing a cipher which, to the best of your knowledge, will be impervious to those capabilities for as long as it needs to be.

And upon what evidence do you base your opinion that we can predict what our Opponents can do?

Basically, the same way we can predict what the surface temperature is on Mercury, or anything else that cannot be measured directly. We take what observations we can and attempt to extrapolate what we don't know from what we do know.

That's basic physics, btw. :-)

Presumably, you would handwave about what our Opponents can do both now and in the future and say that caution is silly. But that conclusion is based on your opinion that we can predict what others may do in the future, which I find very strange. If that were true in general, we could put criminals in jail before they did anything.

This author makes no distinction between being able to predict something with 100% accuracy and being able to predict something with lesser accuracy. For example, magician and card-sharp John Scarne once described playing gin rummy (for money) with a player who, after shuffling the cards, would square up the deck with the bottom facing towards him. An innocent-seeming idiosyncrasy, except that he now knew the bottom card in the deck (which in gin rummy never comes into play). Suppose this card were the 8 of hearts; the player cannot predict, with 100% accuracy, what the next card in the deck will be, but he knows it will not be the 8 of hearts. This seemingly insignificant piece of information gives him a huge advantage; he knows that there is little percentage in trying to fill a meld of 8's or a run of 6-7-8 or 8-9-T of hearts, and none whatsoever in trying to fill an inside run of 7-8-9.

In studying PRBGs, ability to predict the next bit with a probability of 0.5 + epsilon, where epsilon is a small number (usually on the order of 1/polynomial(log n) ) can be a huge advantage.

With respect to the problem of potential catastrophic failure from a single-cipher system, no amount of cryptanalysis can prevent such failure. Both untested ciphers and massively-tested ciphers are the same in the sense that neither can be trusted.

Rubbish. I don't trust Charlie the counterfeiter, Ernie the embezzler, Rocco the rapist, or Sammy the serial killer. But I can give you a rough estimate of who I'd least like to crash my sister's slumber party.

Earth Wolf


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 21:33:47 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371e4437.15431777@news.io.com References: 371b711c.6682075@news.calgary.telusplanet.net Newsgroups: sci.crypt Lines: 210

On Wed, 21 Apr 1999 19:07:13 GMT, in 371b711c.6682075@news.calgary.telusplanet.net, in sci.crypt aardwolf@telusplanet.net (Earth Wolf) wrote:

On Mon, 19 Apr 1999 19:05:13 GMT, ritter@io.com (Terry Ritter) wrote:

I have just previously covered my main argument, which is basically that IN MY OPINION, with a single standard cipher, there will be far too much value at risk to endure even a small possibility of single-cipher failure.

Depends on what you're trying to protect. Is it tactical or strategic information? i.e. does it have to be kept secret for the next millennium, or will it be public knowledge at 9:00 a.m. next Tuesday? If this secret is revealed, will I lose a hundred dollars on the stock market, or will the world be sucked into a black hole?

I guess "yes." If there is just one standard cipher, the issue is not so much what any one of us has to lose as it is what society as a whole has to lose.

Is my quest for the "ultimate" cryptosystem going to be so horrendously cumbersome that the users will refuse to use it? Is the decrease in bandwidth going to prevent vital information from being disseminated in a timely fashion?

I see no particular reason why good cryptography cannot be relatively efficient. There might be some control overhead which might average 5 or 10 percent. Some particular ciphers might well elect to insert "nulls" to a greater extent than we have seen. But if users can select ciphers, they can choose to not select those which have the problems that matter to them.

Remember Pearl Harbour, where warning of the impending attack arrived by messenger amid the smoking aftermath? A clear case of how too much security can be almost as bad as none at all. Real world security deals with these kinds of trade-offs in a way that your ivory tower thinking can never comprehend, I'm afraid.

I see a future in which most cryptography is mostly hidden, and is a minor overhead to communications. I see homes and businesses in which every wall switch and every lamp control is a networked device. And if we want to control those from the Internet, all of that stuff will need good crypto. Every light switch.

  1. I dispute the idea that by applying various attacks to a cipher we somehow can predict how it will perform on future unknown and potentially unrelated attacks. (And if this were true, we should be able to see the effect with respect to past ciphers. This should be measurable and quantifiable in a scientific sense. But we have no such reports.)

What kinds of reports are you looking for? There are lots of archaic ciphers which were considered unbreakable in their day which are child's play to solve with modern technology. The Jefferson wheel, for example. What more were you looking for?

The question is not what I am looking for. My position is that no rational extrapolation of past tests to future strength is possible. The lack of literature containing such a thesis is consistent with my position, and inconsistent with the alternative.

In summary: 1) We cannot estimate the probability that an effective attack exists which we did not find;

Of course we can. I estimate it to be 17.375%. It may not be the most reliable estimate, of course :-)

Yes. Quite amusing.

I thus claim that we CAN know nothing of the probability of future cipher failure, and cannot even reason that this probability is "small." The practical consequence of this is that we cannot trust any cipher.

I'll trust DES a heck of a lot more than I trust ROT-13. And I'll trust 3DES a heck of a lot more than I trust DES.

You are free to do as you will, including your own interpretation of trust. However, I suspect that your meaning of "trust" for cryptography will differ from the "trust" of other things.

My guess would be that you "trust" DES because nobody has openly demonstrated that they can break it. So if you worry that your information will be stolen by academics, you can have some reasonable degree of trust in DES.

But if you use cryptography to protect your information from those who operate in secret and hide their successes, you have no data upon which to base trust. As Savard has pointed out, these people cannot be less capable than academics (unless they cannot read); that means it is quite likely that they are indeed more capable. Since you can have no published experience to guide you on the risk of using DES in such an environment, how will you gain any "trust" in it at all?

IF we were willing to assume that our Opponents would use only the attacks we know and have tried, presumably we could have insight into the amount of effort needed to break a cipher (although we might have screwed up in testing). But I am of the opinion that we cannot assume that our Opponents have our limitations. Indeed, I think this is very basic cryptography.

No, basic cryptography involves making your best estimate of your opponents' capabilities and designing a cipher which, to the best of your knowledge, will be impervious to those capabilities for as long as it needs to be.

No, that is basic military cryptography, where we have known opponents and can better estimate both the probability and consequences of cipher failure.

Basic social cryptography (for lack of a better term) must concern itself with every non-military use for hiding data. Much of this will be financial and industrial data which is as much or more of a part of the strength of society than pure military power. Those who might attack such data are quite diverse, each with their own motives. And the consequences of a successful attack could be almost universal.

From this I conclude that the use of a single standard cipher throughout society would be an unthinkable risk.

And upon what evidence do you base your opinion that we can predict what our Opponents can do?

Basically, the same way we can predict what the surface temperature is on Mercury, or anything else that cannot be measured directly. We take what observations we can and attempt to extrapolate what we don't know from what we do know.

And this is the same sort of answer we have had several times before with the driving analogy: when we drive, we know the consequences. When we measure temperature, we are sensing reality. But when a cipher fails we have no indication of failure.

When there is no indication of failure, there is nothing to extrapolate. And when there is no measure for the thing which fails, there is no meaning to extrapolation.

That's basic physics, btw. :-)

And we see just how well it did.

Presumably, you would handwave about what our Opponents can do both now and in the future and say that caution is silly. But that conclusion is based on your opinion that we can predict what others may do in the future, which I find very strange. If that were true in general, we could put criminals in jail before they did anything.

This author makes no distinction between being able to predict something with 100% accuracy and being able to predict something with lesser accuracy. For example, magician and card-sharp John Scarne once described playing gin rummy (for money) with a player who, after shuffling the cards, would square up the deck with the bottom facing towards him. An innocent-seeming idiosyncrasy, except that he now knew the bottom card in the deck (which in gin rummy never comes into play). Suppose this card were the 8 of hearts; the player cannot predict, with 100% accuracy, what the next card in the deck will be, but he knows it will not be the 8 of hearts. This seemingly insignificant piece of information gives him a huge advantage; he knows that there is little percentage in trying to fill a meld of 8's or a run of 6-7-8 or 8-9-T of hearts, and none whatsoever in trying to fill an inside run of 7-8-9.

In studying PRBGs, ability to predict the next bit with a probability of 0.5 + epsilon, where epsilon is a small number (usually on the order of 1/polynomial(log n) ) can be a huge advantage.

I assume this analogy is intended to show that in some cases one can use past observations to usefully predict the future. Such is the role of most industrial knowledge. But this analogy is inappropriate for the issue being discussed.

The issue is whether cryptanalytic results can be used to compare the strength of ciphers with respect to the future abilities of unknown Opponents. In the above analogy, the Opponent is known, his weakness already judged, and ongoing results measurable. The cryptography issue has no such convenient touchstones.

With respect to the problem of potential catastrophic failure from a single-cipher system, no amount of cryptanalysis can prevent such failure. Both untested ciphers and massively-tested ciphers are the same in the sense that neither can be trusted.

Rubbish. I don't trust Charlie the counterfeiter, Ernie the embezzler, Rocco the rapist, or Sammy the serial killer. But I can give you a rough estimate of who I'd least like to crash my sister's slumber party.

I have no idea what this means.

I see no reason to change my statement, since it is correct as it stands.

I suppose the issue here is your interpretation of "trust," which I touched on earlier.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 23:58:27 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371e6357.27881073@news.prosurfr.com References: 371e4437.15431777@news.io.com Newsgroups: sci.crypt Lines: 27

ritter@io.com (Terry Ritter) wrote, in part:

I guess "yes." If there is just one standard cipher, the issue is not so much what any one of us has to lose as it is what society as a whole has to lose.

From this I conclude that the use of a single standard cipher throughout society would be an unthinkable risk.

Here, you and I are in agreement. New attacks are being found against symmetric block ciphers, such as the boomerang attack and the slide attack. Also, one of the papers on the NIST site is called "Future Resiliency", and it is a defense of that point of view.

However, I don't think that for the AES process to pick one winner will lead to that situation, any more than the existence of DES has stopped people from using IDEA or Blowfish.

If anything, I'm more worried about a lot of messages suddenly becoming readable through a catastrophic failure of public-key cryptography. But such a failure at least is likely to become public knowledge; and secretly breaking "the" block cipher without anyone knowing certainly is a real possibility.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Question on confidence derived from cryptanalysis. Date: Fri, 23 Apr 1999 22:46:33 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 3720F809.52DB949B@null.net References: 371b711c.6682075@news.calgary.telusplanet.net Newsgroups: sci.crypt Lines: 12

Earth Wolf wrote:

Remember Pearl Harbour, where warning of the impending attack arrived by messenger amid the smoking aftermath?

That's not what happened. The Japanese cleverly misled our intelligence analysts into believing that their fleet was still in home waters. What indication we had was that hostilities were about to commence, not that Pearl would be the actual target.

That's the "executive summary" of the outcome of a massive Congressional investigation, records of which are available in the National Archives II (Modern Military History branch).


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 21:49:34 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 371BC0D6.158C18E9@null.net References: 371B69DC.17EE09E1@raas.co.nz Newsgroups: sci.crypt Lines: 20

Geoff Thorpe wrote:

... I dare say the NSA et al have less motivation to chase down some of the more daunting theoretical possibilities for weaknesses in algorithms, especially when in reality, so many of them lead nowhere or to advances that are at best - theoretical.

For example, several "significant" results in academic papers say that certain systems can be broken with an inordinate amount of resources, if 2^24 chosen plaintexts are used. It's hard to justify such work when your job performance is measured by practical results "in the field".

Generally speaking, Terry is right to be concerned over the unknown, but some risks are greater than others. The specific algorithms you mentioned previously are among the better risks. If the stakes are really high, thoroughly studied systems are better bets than untested ones. That's not to say that we don't need new, better systems, but it takes time to subject them to enough testing and analysis to develop confidence in them. Maybe some day we'll all understand that Terry's approach (or David's) is a better way to go -- or maybe not.


Subject: Re: Question on confidence derived from cryptanalysis. Date: 19 Apr 1999 23:21:54 GMT From: David A Molnar dmolnar@fas.harvard.edu Message-ID: 7fgdqi$k09$1@news.fas.harvard.edu References: 371BC0D6.158C18E9@null.net Newsgroups: sci.crypt Lines: 62

Douglas A. Gwyn DAGwyn@null.net wrote:

For example, several "significant" results in academic papers say that certain systems can be broken with an inordinate amount of resources, if 2^24 chosen plaintexts are used. It's hard to justify such work when your job performance is measured by practical results "in the field".

I agree with you about 85%. The other 15% comes from refinements of those attacks which make them more practical, and the cases where bad design of a system makes them relevant. For example, it was known that knapsack public-key systems leaked bits of information long before any specific catastrophic results were known. The single bit doesn't help much, but acts as a warning sign that something is wrong. Now knapsacks are the prime example of crypto that seemed 'pretty secure' and wasn't.

Adaptive chosen ciphertext attack is a very strong attack, requiring that the adversary decrypt values of its choice on your equipment, and perhaps lots of them. It is not obvious how someone would apply it to a real world system. Yet Daniel Bleichenbacher found that some implementations of SSL aren't secure against it. Even though that attack is just barely on the edge of practicality, we now have a new RSA PKCS standard.

Then you can improve attacks by gaining more information about what, exactly, it is that you're attacking. There's a paper in Crypto '98 (for the life of me I can't find it now, I'm sorry ) on "From Differential Cryptanalysis To Ciphertext Only Attacks." It uses the assumption that the cryptanalyst is dealing with English text to turn chosen-plaintext attacks into ciphertext-only attacks. I can't find it, or else I'd report how efficient the new attacks are -- but this is a qualitative difference in utility. It wouldn't be possible without the earlier work.

My point is that there's enough precedent that I can imagine a boss with foresight not being too dismayed by the "2^24 chosen plaintexts, needs 2^42 operations and 2^56 blocks of memory" sort of result. I can imagine that she wouldn't be thrilled, but I can also imagine that she'd try to follow it up, too.

Generally speaking, Terry is right to be concerned over the unknown, but some risks are greater than others. The specific algorithms you mentioned previously are among the better risks. If the stakes are really high, thoroughly studied systems are better bets than untested ones. That's not to say that we don't need new, better systems, but it takes time to subject them to enough testing and analysis to develop confidence in them. Maybe some day we'll all understand that Terry's approach (or David's) is a better way to go -- or maybe not.

Thank you for referring to it that way, but I'm rather new to the approach. I suspect my enthusiasm comes from its novelty, as well as the prospect of finally being able to "measure" security. :-)

So far provable security doesn't seem to do much for block ciphers, though... at least that I've seen (and I've heard about DFC but haven't looked at it much yet), or indeed quick bulk ciphers of any kind. That leaves Terry's approach and whatever you want to call the other.

Honestly, I need to read more about ciphers by ritter and see what this 'scaled down to experimental size' means, along with everything else.

Thanks, -David Molnar


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 06:37:03 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 371C58CF.286794F7@aspi.net References: 371B69DC.17EE09E1@raas.co.nz Newsgroups: sci.crypt Lines: 205

Geoff Thorpe wrote:

Hello,

"Douglas A. Gwyn" wrote:

(I'm not suggesting that academics haven't made useful contributions to the state of the art, just that their work does not define the total state of the art.)

Oh I agree completely - I was just taking issue with what I perceived to be the following idea: Until we actually break it, or prove it secure, we have no more measure of strength for it than for another (less "investigated") one. I feel that quite the opposite is true - it IS a very appropriate statistical measure of strength, and moreover the only realistic one we have to work with. If the total state of the art stays roughly in sync with the academics, albeit "they" may have a couple of things up their sleeves and they may often get the jump on us by a few months/years with various developments, then we can make reasoned guestimations on the strength of a cipher against them based on the strength of a cipher against us.

This usage of the term strength may be inappropriate. As a substitute I offer the term confidence. The difference is partly connotative, but an example may illustrate a real distinction worth preserving. In a restricted set of cases one might use a weak cipher, knowing that it is theoretically breakable, but also knowing that the adversaries (threat model) cannot break it in practice. The reasons for their inability might be lack of resources, cryptographic sophistication, or as simple as one message sent one time. In this situation we have confidence that the cipher will protect the secret, but the cipher is not strong.

The practical test of ciphers is valid in the sense that it can give us confidence, but it cannot give us strength. In a sense the practical test of exposure to many and varied attacks gives us a kind of lower bound on the types of attacks a cipher might not resist. Once a cipher has survived a gauntlet, we know that any successful attack must be fairly sophisticated, optimized against the particular cipher, or simple but based on a radical insight or advance in the field (linear, differential, boomerang, or sliding attacks appear to be advances).

But this lower bound does not tell us anything about the "strength" of the cipher (the units for which are completely undefined), but tells us a lot about the confidence we might repose in the cipher.

Ritter appears to be after strength. Thorpe appears to be after confidence.

Mathematical problems - that is what I was referring to ...

Yes, cryptology is largely applied mathematics, but practical cryptanalysis has evolved in the context of operational experience that is largely unavailable to outsiders, and that has caused a substantial difference between insiders and outsiders in their aims and methods.

Well yes and no ... applied mathematics has a handy of way of pushing things along nicely particularly in the area of computation (complexity) problems. "Their" ideals may be different to ours but I doubt their aims or methods are ... everybody would love to break an established cipher (with the possible exception of the patent holder), everybody would love to prove a cipher secure (with the possible exception of the patent holder's competition). I dare say the NSA et al have less motivation to chase down some of the more daunting theoretical possibilities for weaknesses in algorithms, especially when in reality, so many of them lead nowhere or to advances that are at best - theoretical.

"They" have budgets (albeit big ones) and they probably have things they'd rather spend it on (satellites, lobbying, hardware, breaking implementations, breaking installations, etc). OTOH, having been post-grad in a mathematics department before I know very well that this obsession for looking in every nook and cranny of all things theoretical is exactly the sort of thing academics get off on. Cracking ciphers (ie. the actual algorithm itself, not the practical implementation details that may be vulnerable) is much more the meat and veg of academics who like to play and write papers. "They" just want information, and I'm guessing just do whatever they got to do to get it - and searching endlessly for little theoretical weaknesses is probably not their top priority. That's not to say they don't do it and do it very well, but I doubt their considerable advantages in resources are put so much to this task as to make our abilities so incomparable or unrelated as some might believe.

A good point. However, we cannot deal with their (secret) intentions, but must anticipate their possible (even more secret) capabilities. Thus amplifying the threat model is a sensible thing to do. It eliminates some of the risk of catastrophically underestimating them by enhancing the risk of expensively overestimating them.

An appropriate paranoia dictates that we accept the costs of overestimation.

Some problems, like efficient factoring, are obviously relevant, and unlikely to be achieved in secret without happening in the outside around the same time. Other

I agree but I doubt very much Mr Ritter does.

breakthroughs have been kept secret for decades, in some cases. So there really is reason to fear that the most advanced "enemies" might know how to easily crack some system you use that appears uncrackable to all outsiders.

I know - and there's a lot of targets out there so the odds are on that at least one of them has fallen completely to an "unpublished" source without our knowing it. However, I just think it's more likely to be something less well analysed in the "open" than something well analysed in the "open" for the reasons I've mentioned, and that Mr Ritter doesn't agree with.

It appears to me that he does agree (tho he can certainly speak for himself), which is why he has repeatedly proposed the use of multiple ciphers both to spread eggs across baskets, and to provide layered security where warranted.

On a related note (and all IMHO), bit-twiddling little ciphers are no less "mathematical" than efficient factoring. Discrete maths actually finds that cute little "permutation stuff" quite fashionable from my limited contact with it (and them). Factoring tends to interest (again from my limited contact) more the applied heads - meaning I'd give better odds to developments in faster optimizations on 64-bit platforms with super-dooper cache, than to fundamental breaks in the factoring algorithms [;-)

There is a significant difference between what is "well established" in long-existing, well-funded cryptologic organizations and what is "well established" in the dispersed, high-turnover-rate academic community.

True - and to agree with Mr Ritter for a moment, I think perhaps another risk is that the academics tend to show interest in things that interest them - whereas the well-funded organisations you speak of more likely show interest in things that give them the best chance of accomplishing some objective. However, this pragmatic mind-set, albeit fearsome in many ways, might give us some hope that in the ethereal heights of trying (and hoping) to break an already well-studied algorithm, they probably are less hopeful, less obsessed, and more practical and realistic. After all, RSA, IDEA may be perfect but if Win95's TCP allows a password-sniffer to leak into your PC "they" have accomplished their objective and "broken" PGP as far as "they" are concerned.

There is a big problem in working in applied fields academically, since it is harder to get academic respect from publication of application or tutorial papers instead of research papers. There are many technologies that are well-known in general in the research community, but their specific application to cryptology is not well known.

Probably quite true.

We all know that risk - it's the probabilities that are open to debate. ...

More precisely, the likelihoods. The nice thing is that relative likelihoods can be estimated and used to make decisions; e.g. "I need a cipher that -- pick one." If the consequences of not making a decision are sufficiently severe, then even an uncertain decision can be better than letting the uncertainty stop you from making a decision.

Exactly, and well said.

Me, I'm going to stick with RSA and triple-DES for a while.

In a well-designed cryptosystem, these do seem sufficiently secure against realistic threats for the near future. Any vulnerabilities would most likely occur elsewhere in the system/protocols, not in these encryption algorithms as such (assuming of course a long RSA key, and 168-bit 3DES key).

I think that too, but as Mr Ritter might say - you are already in the abyss and are naive if you think that. If that is so, I am comfortable in my naivety.

That seems to be part of Ritter's aim, but others seem to think that during cryptanalysis the stages have to be peeled like an onion, and they assume that there is not enough pattern available at the next-to-outermost layer for there to be any chance of peeling the outer layer off.

Well hopefully someone will look at this, and demonstrate some success from it. Results speak for themselves, even to ivory tower academics [;-)

And this can't be achieved within ONE cipher? When you start talking multiple algorithms, you instantly start talking interoperability and standardisation headaches.

That's a significant concern, because breakdowns in operational procedure often provide the enemy analyst the entering wedge he needs to crack a system.

Exactly, and if I resort to using a different cipher every week ... the cryptanalysts will not keep up with them satisfactorily and I have a lot more confidence that "they" WILL be breaking my traffic on a semi-regular basis.

Layered algorithms do not dictate expensive or complex operational requirements. The implementation of a layered cipher needs some care, but no more than any other secure system. This issue appears to be a red herring.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 00:28:14 -0400 From: Geoff Thorpe geoff@raas.co.nz Message-ID: 371C025E.6AD4BAB8@raas.co.nz References: 371C58CF.286794F7@aspi.net Newsgroups: sci.crypt Lines: 131

Hello,

"Trevor Jackson, III" wrote:

This usage of the term strength may be inappropriate. As a substitute I offer the term confidence. The difference is partly connotative, but an example may illustrate a real distinction worth preserving. In a

Well originally this grew out of the idea of "tested strength" (whatever that might mean). I dropped the "tested" after a while [;-) By the way, it was me who chose to rename the subject of this branch of the thread ... so I do agree with you.

The practical test of ciphers is valid in the sense that it can give us confidence, but it cannot give us strength. In a sense the practical test of exposure to many and varied attacks gives us a kind of lower bound on the types of attacks a cipher might not resist. Once a cipher has survived a gauntlet, we know that any successful attack must be fairly sophisticated, optimized against the particular cipher, or simple but based on a radical insight or advance in the field (linear, differential, boomerang, or sliding attacks appear to be advances).

I totally agree.

But this lower bound does not tell us anything about the "strength" of the cipher (the units for which are completely undefined), but tells us a lot about the confidence we might repose in the cipher.

Well it gives us a sort of "measure" that we can apply when we make our choice ... something new, has held out for just a little while, but really motors along on a RISC chip - might lead to one choice. Something old, battled, and stubborn - might be more appropriate where performance is less important and it's wiser to be ultra-conservative about security.

Ritter appears to be after strength. Thorpe appears to be after confidence.

We're probably all after both.

As this discussion keeps dividing in cellular fashion, I can't really reply to each post that was a reply to one of mine - so, in another "branch" Terry said the following;

Terry Ritter said:

In summary: 1) We cannot estimate the probability that an effective attack exists which we did not find; and 2) We cannot estimate the probability that even if such an attack does exist, our Opponents can find it and use it. I thus claim that we CAN know nothing of the probability of future cipher failure, and cannot even reason that this probability is "small." The practical consequence of this is that we cannot trust any cipher.

I disagree - and I disagree with every sentence moreover. I may not design ciphers but I can definitely slug it out with most people regarding probability theory, statistics, and logic. I also have to assist with various API designs and have been on the (l)using end of quite a few if we want to talk standards, picking algorithms, and covering butts (oh yeah, I've done quite a bit of Risk Management related stuff too).

Now, statement (1) is wrong. Maybe you cannot make estimates, and maybe you do not like the estimates others may employ. But there are ways to make estimates whose rationalisation is acceptable to those involved. That includes me. You also referred in that post to a complete lack of evidence but I think you yourself would be well positioned to refute that. Take every damned cipher you ever heard of (with any degree of cryptanalysis against it), exercise some personal judgement as to some measure of time+effort that the cipher was subjected to (by publishing authors - obviously not the spooks) before it became widely regarded as unacceptable, and take a look at the resulting distribution. That may not be a precise science, and of course it involves warm-fuzzy personal interpretations (time+effort) but it is not unacceptable for many people, particularly those who would otherwise be rendered with NO effective way to evaluate. I dare say that your distribution, if you've made semi-reasonable interpretations along the way, will show that a cipher that lasted 10 years had a much better chance of lasting another year than the average "expected life". It's a very basic and common mathematical model/argument, and it's common sense.

I've already explained why I think that (2) is wrong - nobody knows any of this stuff FOR SURE, but you make a call when you don't have perfect information. Our Opponents are just well-paid versions of us, most of whom probably grew up around us, and who find their occupations not too unfathomably unethical to suffer day by day. I still maintain that what we can do and achieve is a statistical, probabilistic, and "confidence" variable that does not run along independently of theirs. Depends how much George Orwell you read though ...

like to play and write papers. "They" just want information, and I'm guessing just do whatever they got to do to get it - and searching endlessly for little theoretical weaknesses is probably not their top priority. That's not to say they don't do it and do it very well, but I doubt their considerable advantages in resources are put so much to this task as to make our abilities so incomparable or unrelated as some might believe.

A good point. However, we cannot deal with their (secret) intentions, but must anticipate their possible (even more secret) capabilities. Thus amplifying the threat model is a sensible thing to do. It eliminates some of the risk of catastrophically underestimating them by enhancing the risk of expensively overestimating them.

Sure thing - but the whole system does not collapse down to a binary system of "broken" and "not-broken-yet" ... as you say, you put together a threat model ... consistent with your requirements and using a chosen method for judging a component's "worth", and amplify it here and there as appropriate. A lot like putting together a cost-proposal I guess ... add in your known prices, choose an acceptable value for the "unknowns", amplify the costs of all the "risky" bits, add x% profit on top - and then bang another 30% on top for good measure, and generally covering your butt some more.

It appears to me that he does agree (tho he can certainly speak for himself), which is why he has repeatedly proposed the use of multiple ciphers both to spread eggs across baskets, and to provide layered security where warranted.

3 ciphers strung in a line is, to me, a cipher. You need all three in the same place and in the same order to have anything other than a "noise generator". Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages (if a cipher is based on one "idea", "primitive", or whatever then your vulnerability must surely be higher than distinct ideas employed serially?). It seems the argument put forth was more one of splitting the traffic (conceptually across time and application, not packet by packet I assume) across ciphers, and rotating the old out and the new in on a regular basis. I see this as unacceptable in a real-world scenario for reasons of interoperability & standardisation, as well as security.

Cheers, Geoff


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 05:52:19 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371c15e3.8290372@news.io.com References: 371C025E.6AD4BAB8@raas.co.nz Newsgroups: sci.crypt Lines: 176

On Tue, 20 Apr 1999 00:28:14 -0400, in 371C025E.6AD4BAB8@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

[...] Terry Ritter said:

In summary: 1) We cannot estimate the probability that an effective attack exists which we did not find; and 2) We cannot estimate the probability that even if such an attack does exist, our Opponents can find it and use it. I thus claim that we CAN know nothing of the probability of future cipher failure, and cannot even reason that this probability is "small." The practical consequence of this is that we cannot trust any cipher.

I disagree - and I disagree with every sentence moreover. I may not design ciphers but I can definitely slug it out with most people regarding probability theory, statistics, and logic.

You may be willing to "duke it out," as though this were some sort of winner-take-all contest, but if you believe your logic is compelling, you will have to think again. Not only am I not compelled, I am appalled to see you repeating things over and over, in the apparent illusion that this has some relation to logic or scientific argument.

I also have to assist with various API designs and have been on the (l)using end of quite a few if we want to talk standards, picking algorithms, and covering butts (oh yeah, I've done quite a bit of Risk Management related stuff too).

What a guy you are I'm sure. Let's get on with it:

Recall that my position does not rest upon an estimation of someone else's capabilities. It is not my opinion that any cipher we have might possibly break -- that is fact. I assume the worst case, and propose systems to provide strength even then.

Your position, dare I state it, is that you can estimate the capabilities of your Opponents. You also say you can estimate the future strength of a cipher from past tests. But for all this claiming, we see no similar statements in the scientific literature. So these are simply your opinions, and I see no supporting facts.

Now, statement (1) is wrong.

Which was: "1) We cannot estimate the probability that an effective attack exists which we did not find."

Since you think this is wrong, you must believe we can make an estimate. Fine. Do it. Show me.

Maybe you cannot make estimates, and maybe you do not like the estimates others may employ. But there are ways to make estimates whose rationalisation is acceptable to those involved. That includes me.

Alas, what people believe is not science.

You also referred in that post to a complete lack of evidence but I think you yourself would be well positioned to refute that. Take every damned cipher you ever heard of (with any degree of cryptanalysis against it), exercise some personal judgement as to some measure of time+effort that the cipher was subjected to (by publishing authors - obviously not the spooks) before it became widely regarded as unacceptable, and take a look at the resulting distribution. That may not be a precise science, and of course it involves warm-fuzzy personal interpretations (time+effort) but it is not unacceptable for many people, particularly those who would otherwise be rendered with NO effective way to evaluate. I dare say that your distribution, if you've made semi-reasonable interpretations along the way, will show that a cipher that lasted 10 years had a much better chance of lasting another year than the average "expected life". It's a very basic and common mathematical model/argument, and it's common sense.

Oddly, no such study has appeared in the literature. That seems somewhat strange, since you say it is very basic common sense. Perhaps everyone else in cryptography has simply been blinded to this fundamental truth. When will you write it up for us?

You are arguing your opinion about cipher strength. (Recall that I do not argue an opinion about cipher strength, but instead the fact that any cipher may be weak.) If you have compelling factual evidence, I will support it. Show me the correlation you say exists. Prove it. Then you can use it.

I've already explained why I think that (2) is wrong - nobody knows any of this stuff FOR SURE, but you make a call when you don't have perfect information.

Nobody has any problem with you making a call for yourself and risking only yourself. But if this "call" is intended to formulate what "should" happen for much of society, you may need to revise your estimate as to the consequences of failure. Just how much disaster are you willing for us to have?

Will it be OK for everyone to use the single standard cipher which you predict is strong, if you turn out to be wrong? Will it be OK when communications grind to a halt and incompatible low-security temporary measures are instituted everywhere while a new cipher is integrated into all the programs which must be replaced throughout society? Is that OK with you?

Our Opponents are just well-paid versions of us, most of whom probably grew up around us, and who find their occupations not too unfathomably unethical to suffer day by day.

This is simply breathtaking: It is appallingly, plainly, immediately false even to the most casual observer. People do differ, we do have limitations others do not have, and others often do take advantage of knowledge to which we have no access.

[...] Sure thing - but the whole system does not collapse down to a binary system of "broken" and "not-broken-yet" ... as you say, you put together a threat model ... consistent with your requirements and using a chosen method for judging a component's "worth", and amplify it here and there as appropriate. A lot like putting together a cost-proposal I guess ... add in your known prices, choose an acceptable value for the "unknowns", amplify the costs of all the "risky" bits, add x% profit on top - and then bang another 30% on top for good measure, and generally covering your butt some more.

Write whatever numbers you want: you cannot support them.

It appears to me that he does agree (tho he can certainly speak for himself), which is why he has repeatedly proposed the use of multiple ciphers both to spread eggs across baskets, and to provide layered security where warranted.

3 ciphers strung in a line is, to me, a cipher.

The distinction is that each cipher is an independent and separable element which can be "mixed and matched" with any other. Each cipher is tested as an independent unit, and brings whatever strength it has independent of internal ciphering requirements. Dynamic mixing and matching prevents having any fixed target to attack.

You need all three in the same place and in the same order to have anything other than a "noise generator". Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages

Really? Tell me more about how ciphers are designed. How long did you say you have been doing this? How many ciphers have you designed? Have you measured them? Where can we see your work?

(if a cipher is based on one "idea", "primitive", or whatever then your vulnerability must surely be higher than distinct ideas employed serially?). It seems the argument put forth was more one of splitting the traffic (conceptually across time and application, not packet by packet I assume) across ciphers, and rotating the old out and the new in on a regular basis. I see this as unacceptable in a real-world scenario for reasons of interoperability & standardisation, as well as security.

What you mean is that you do not know how such a system would be standardized and made interoperable. Then you imply this means nobody else could do it either.

I note that this is precisely how you reason about the cryptanalytic capabilities of others: It is false here, there, and everywhere you present it. You are not the best example, not everyone is like you, and it is invalid to assume others have your limitations.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
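The "independent and separable" layering Ritter describes above can be made concrete. The following is an added example written for this page, not code from the thread, from Ritter's own software or from any standard: a cascade in which each layer has its own key derived from a master secret, the per-message layer order is carried in a public header, and removal must happen in reverse order. The layer primitives (HMAC over three different hash functions, run in CFB mode) are constructed stand-ins for three distinct block ciphers; the framing, the independent keys and the `peel` function are the point. `peel` shows what a break of one layer's key actually yields: the remaining layers' ciphertext, not the plaintext.

```python
"""Cascade of independently keyed cipher layers with a per-message layer order.

Constructed illustration for the multiple-cipher discussion above.  Every
name here (LAYERS, derive_layer_key, peel, ...) is an assumption of this
example, not an identifier from the thread or from any real product.
"""
import hashlib
import hmac
import os

# Layer catalogue: a layer id names a hash used as a keyed PRF (HMAC) in CFB
# mode.  Three different hashes stand in for three different block ciphers;
# in a deployment each id would name a real cipher, agreed by both parties.
LAYERS = {
    1: hashlib.sha256,
    2: hashlib.sha512,
    3: hashlib.sha3_256,
}
BLOCK = 32      # bytes handled per CFB step (digests are truncated to this)
NONCE_LEN = 16  # per-message nonce carried in the clear in the header


def derive_layer_key(master: bytes, layer_id: int) -> bytes:
    """Independent per-layer key: learning one says nothing about the others."""
    return hmac.new(master, b"cascade-layer-key:" + bytes([layer_id]),
                    hashlib.sha256).digest()


def layer_iv(nonce: bytes, layer_id: int) -> bytes:
    """Distinct CFB IV per layer and per message, derived from the public nonce."""
    return hashlib.sha256(b"cascade-iv:" + bytes([layer_id]) + nonce).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _cfb(layer_id: int, key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """CFB over HMAC-<hash>: out_i = in_i XOR trunc(HMAC(key, previous ciphertext)).

    Each keystream block depends on the previous ciphertext block of *this*
    layer, so layers do not commute and must be removed in reverse order."""
    h = LAYERS[layer_id]
    out = bytearray()
    prev = iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = hmac.new(key, prev, h).digest()[:BLOCK]
        processed = _xor(chunk, keystream)
        out += processed
        prev = chunk if decrypt else processed   # ciphertext feeds the next step
    return bytes(out)


def cascade_encrypt(master: bytes, order: list, plaintext: bytes,
                    nonce: bytes = None) -> bytes:
    """Apply the layers named in `order` (first id innermost) and prepend a header."""
    if len(set(order)) != len(order) or any(lid not in LAYERS for lid in order):
        raise ValueError("order must list distinct known layer ids")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    data = plaintext
    for lid in order:
        data = _cfb(lid, derive_layer_key(master, lid), layer_iv(nonce, lid), data, False)
    # Header (all public): layer count, layer ids in application order, nonce.
    return bytes([len(order)]) + bytes(order) + nonce + data


def parse_header(message: bytes):
    n = message[0]
    order = list(message[1:1 + n])
    nonce = message[1 + n:1 + n + NONCE_LEN]
    body = message[1 + n + NONCE_LEN:]
    if len(nonce) != NONCE_LEN or any(lid not in LAYERS for lid in order):
        raise ValueError("malformed header")
    return order, nonce, body


def peel(known_keys: dict, message: bytes):
    """Remove layers from the outside while their keys are known.

    Returns (remaining_data, layer_ids_still_in_place).  With every key known
    this is full decryption; with only some keys it shows that a partial break
    leaves the inner layers' ciphertext, not the plaintext."""
    order, nonce, data = parse_header(message)
    remaining = list(order)
    while remaining and remaining[-1] in known_keys:
        lid = remaining.pop()
        data = _cfb(lid, known_keys[lid], layer_iv(nonce, lid), data, True)
    return data, remaining


def cascade_decrypt(master: bytes, message: bytes) -> bytes:
    order, _, _ = parse_header(message)
    keys = {lid: derive_layer_key(master, lid) for lid in order}
    data, remaining = peel(keys, message)
    if remaining:
        raise ValueError("missing key for layer(s) %r" % remaining)
    return data


if __name__ == "__main__":
    master = b"\x01" * 32                          # constructed sample key
    msg = b"constructed sample plaintext, longer than one 32-byte block"
    c_a = cascade_encrypt(master, [1, 2, 3], msg)  # order negotiated per message
    c_b = cascade_encrypt(master, [3, 1, 2], msg)  # same message, different order
    print(cascade_decrypt(master, c_a) == msg, cascade_decrypt(master, c_b) == msg)
    leaked = {3: derive_layer_key(master, 3)}      # suppose one layer key is known
    data, left = peel(leaked, c_a)
    print("layers still in place:", left, "plaintext exposed:", data == msg)
```

The header makes interoperability a matter of a shared layer catalogue rather than a shared single cipher: a receiver that implements the listed ids can decrypt any order the sender chooses, and an id it lacks is an explicit error rather than a silent failure.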


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 20:35:53 -0400 From: Geoff Thorpe geoff@raas.co.nz Message-ID: 371D1D69.AF9907B6@raas.co.nz References: 371c15e3.8290372@news.io.com Newsgroups: sci.crypt Lines: 347

Hi,

Terry Ritter wrote:

On Tue, 20 Apr 1999 00:28:14 -0400, in 371C025E.6AD4BAB8@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

I disagree - and I disagree with every sentence moreover. I may not design ciphers but I can definitely slug it out with most people regarding probability theory, statistics, and logic.

You may be willing to "duke it out," as though this were some sort of winner-take-all contest, but if you believe your logic is compelling, you will have to think again. Not only am I not compelled, I am appalled to see you repeating things over and over, in the apparent illusion that this has some relation to logic or scientific argument.

Other parts of your posts refer to your ideas and your technologies and your experience, etc. I do not claim familiarity with your ideas, but moreover I was attempting to say that I also do not claim to be a cipher designer. I am a scientist however, and was tiring of your attempts to state what I saw as broad, arrogant, and overly pessimistic views as fact together with implications of naivety and ignorance on my (and others?) part. I also have no desire to "duke it out", "lock horns", or any such thing - just wanted to make sure you understood that not being a cipher designer does not mean I'm going to lie down and take your statements as authoritative when I genuinely disagree with some of your fundamental points.

I also have to assist with various API designs and have been on the (l)using end of quite a few if we want to talk standards, picking algorithms, and covering butts (oh yeah, I've done quite a bit of Risk Management related stuff too).

What a guy you are I'm sure. Let's get on with it:

yadayadayada. I have a vague idea now of some of your areas of expertise as per your posts and the peripheral discussion. You seem to have no tolerance for my views on the matter so I thought it appropriate to at least let you know that I'm not some bunny out on a limb here. However, I'm of the impression that my problem here is not that you won't consider my opinion as worthy of some merit, so much as you won't consider any other opinion than your own as worthy of merit. Mind you, I recall that recently you categorically discarded the considered views of Mr Schneier and others so I guess credentials are a waste of time anyway.

else's capabilities. It is not my opinion that any cipher we have might possibly break -- that is fact. I assume the worst case, and propose systems to provide strength even then.

Exactly, you assume the worst case. Whilst you certainly will never be accused of lacking precaution, why should I accept that your position is the only appropriate one to adopt? The world operates a lot more pragmatically than you might be prepared to accept, and naturally we roll the dice as a result - memories of the ice-storm in Montreal and the massive power-outage in Auckland, New Zealand (particularly relevant to me) flood to me at this point. Individually, each failure is roundly criticised and everyone pats themselves on the back as to why they wouldn't have fallen into that particular trap.

I could get killed the very next time I go driving, in fact I'm increasingly of the opinion there are those who wouldn't be overly upset about it. But I do not insist that I and others must push through radical measures involving gondolas, pulleys, and the abolition of personal automotive ownership.

Before I get accused of doing precisely what I don't want to do (lock horns, duke it out, etc) ... let me just say that I really am warming to an idea implicit in all of this - and I believe it is one of yours, though it was Trevor I think who recently illustrated it quite well ... namely the employment of a standard bank of ciphers that can be invoked on demand in any number of possible configurations eg strung together in a different order every time, utilising the different modes of operation, etc etc. I also agree the implementation and standardisation headaches of this sort of scheme are not insurmountable - indeed every standard SSL implementation I've seen lately seems to implement most of the core ciphers/modes that could be used in such a scheme. I'm also definitely not against the idea of extensibility of frameworks to incorporate as-yet-unknown elements - indeed PKCS#7 probably didn't have DSA, ElGamal etc in mind, but now they seem to be creeping into CMS and that method seems to allow room to grow it again later. (If I've confused this with something else, someone please correct me - I could have my wires a little crossed right now and don't have any reference handy).

But it seems to me, especially with regard to non-realtime applications, that to an extent, less-is-more ... sure a few ciphers in your pool is fine, especially if everyone has them. But the wholesale liberalisation of cipher farming seems to create a very real problem - a kind of protocol grid-lock. And frankly, I still place a lot of stock in what I rank as ciphers of tested strength and wouldn't want any system of mine having too many "new toy" ciphers creeping in. Perhaps we need to agree to disagree.

Your position, dare I state it, is that you can estimate the capabilities of your Opponents. You also say you can estimate the future strength of a cipher from past tests. But for all this claiming, we see no similar statements in the scientific literature. So these are simply your opinions, and I see no supporting facts.

Scientific literature? Ironic that it is precisely this quantity that you appear to place very little value in with regard to ("tested") cipher strength, and yet I am supposed to find some to support my view? Anyway - I have already said that my view (that a cipher not falling over despite some considerable efforts against it does merit some "value") is not based on any exact science. I think history, and some basic common sense warrant my conclusions. Your contrary opinion does not appear to be any more scientifically founded - although it does appear to be a little more "absolute" or "axiomatic" (and IMHO "not terribly practically useful").

Now, statement (1) is wrong.

Which was: "1) We cannot estimate the probability that an effective attack exists which we did not find."

Since you think this is wrong, you must believe we can make an estimate. Fine. Do it. Show me.

The fact that I can drive in Quebec without getting killed for 3 months suggests I can probably survive another few days. I don't know what my chances would be in London - and maybe the insurance salesman doesn't either. Fine, I'll go for a drive shortly and if I STILL don't get killed (ie. I post again in the future to this group) then that supports my estimate of the probability. If you think I'm wrong, break triple-DES and you show me. Otherwise - neither of us is correct in any pure sense ... but I'm still comfortable with my approach and if others are too that's all that matters. Anyway, now I think about it further - exactly how can you possibly insist that "we cannot estimate a probability" ??? Sounds absurd. Particularly with something that has any historical record at all?

As someone with a love of pure mathematics, it does feel a little disturbing to be arguing a point with someone where it is I who am on the fuzzy, pragmatic, approximation side of the fence and the other is arguing puristically.

Alas, what people believe is not science.

But what people believe influences what they will and will not do (and will or will not put up with). And unless a scientist can prove absolutes they will have difficulties imposing absolutes. Perhaps a good way to measure this is to ask an insurance-brokerage expert to comment on the insurability (premiums etc) on an information resource secured using your approach versus something like I prefer. Not a single ounce of "science" will enter into this equation (I suppose) and yet I can't imagine a more adequate way to judge the situation - after all, it is these kind of people whose lives it is to cover the costs of things when they go wrong.

year than the average "expected life". It's a very basic and common mathematical model/argument, and it's common sense.

Oddly, no such study has appeared in the literature. That seems somewhat strange, since you say it is very basic common sense. Perhaps everyone else in cryptography has simply been blinded to this fundamental truth. When will you write it up for us?

If I hire a programmer to work with a new technology and a deadline, and my options (for the same money/conditions etc) are between someone who has demonstrated he/she can handle new technologies (in the past of course), and someone who might be able to handle new technologies, I'm going to hire the one with experience. A new candidate might be faster, hungrier, and actually better with the new technology - but why would I take that chance versus the chance the experienced one ran out of puff? True, until I try one I will not know which one was better but I'll hope you agree estimations, probabilities, and common sense are all present and can be utilised. I got a feel that your view on this was almost quantum mechanical - then I remembered that even QM admits probability distributions and expected values (and the difference between a likely result and an unlikely one even though each is possible until you find out for sure).

But I digress perhaps, and we've already demonstrated we don't agree here so ...

You are arguing your opinion about cipher strength. (Recall that I do not argue an opinion about cipher strength, but instead the fact that any cipher may be weak.) If you have compelling factual evidence, I will support it. Show me the correlation you say exists. Prove it. Then you can use it.

I've already admitted that my "correlation" is a fuzzy one, full of ideas that are "compelling" (to me) here, "suggestive" (to me) there, etc - and that my conclusion is a fuzzy one. Perhaps then I've shown compelling "fuzzy" evidence. [;-) Anyway, you are saying I cannot use "tested strength" as a measure - and your sole reason seems to be - "because it could still break tomorrow". Nobody disputes the latter statement but it does not logically imply the blanket assertion you make. Not proving things one way or the other does not mean we need default to your assertion, that all ciphers are equal when only existing failures to break them are in evidence, and abandon my assertion, that failing to break ciphers does provide useful information for "estimations".

And in case you ask, no - I know of NO research paper to support this and have no interest in attempting to create some when I'm already satisfied.

Nobody has any problem with you making a call for yourself and risking only yourself. But if this "call" is intended to formulate what "should" happen for much of society, you may need to revise your estimate as to the consequences of failure. Just how much disaster are you willing for us to have?

The consequences of failure are not what I'm estimating. And again, I'll agree that the idea discussed before (utilising a defined set - for interoperability this seems necessary - of ciphers, algorithms, etc etc that can be jumbled around on the fly to diffuse the impact "a break" would have). It would be interesting, though off topic, to see how your absolutist approach generalises to arms control, transportation legislation, etc. All areas where "pragmatic fuzzies" tend to preside over "puristic absolutes" - even when they're of the cautionary variety.

Will it be OK for everyone to use the single standard cipher which you predict is strong, if you turn out to be wrong? Will it be OK when

I've already moved a bit to your side on at least one point - one single cipher (if they are implicitly atomic and cannot encompass the idea that one can effectively put what would be 3 or 4 atomic ciphers into a "cipher") would not be as comforting as a small (I still think "fixed", or at least "slow moving") collection of ciphers jumbled up to disperse the impact a break in any one configuration would have. I still think my point applies to the selection of those ciphers though.

communications grind to a halt and incompatible low-security temporary measures are instituted everywhere while a new cipher is integrated into all the programs which must be replaced throughout society? Is that OK with you?

And quantum computers could break everything and that wouldn't be OK with me either. But I'm not going to resort to carrier pigeons (which could be broken by a large society of hunters ... oh god ... this is getting too much).

Our Opponents are just well-paid versions of us, most of whom probably grew up around us, and who find their occupations not too unfathomably unethical to suffer day by day.

This is simply breathtaking: It is appallingly, plainly, immediately false even to the most casual observer. People do differ, we do have limitations others do not have, and others often do take advantage of knowledge to which we have no access.

You still don't get what I'm saying ... YES people do differ, but I think continuously, not by quantum leaps that erase any relationship you can draw.

Sure thing - but the whole system does not collapse down to a binary system of "broken" and "not-broken-yet" ... as you say, you put together a threat model ... consistent with your requirements and using a chosen method for judging a component's "worth", and amplify it here and there as appropriate. A lot like putting together a cost-proposal I guess ... add in your known prices, choose an acceptable value for the "unknowns", amplify the costs of all the "risky" bits, add x% profit on top - and then bang another 30% on top for good measure, and generally covering your butt some more.

Write whatever numbers you want: you cannot support them.

You can be as cautious as you like and you could still get busted - you can be as irresponsible as you like and you COULD (not likely) get away with it. You can also just give up. That same model applies every time I write a proposal, an electricity company designs and insures an infrastructure, and many other real world situations. Tell me why I HAVE to resort to such a binary system of "broken" and "not-broken-yet". You don't seem to be able to support your claim that the test of time (and attack) does not provide a usable measure and you yourself have not written any numbers to try. Don't tell me and many other people with an interest that it's invalid to use such approaches, and then only support your claim by statement - particularly if you intend to then insist I support my own claims with numbers or proofs I'm supposed to pluck out of thin-air.

3 ciphers strung in a line is, to me, a cipher.

The distinction is that each cipher is an independent and separable element which can be "mixed and matched" with any other. Each cipher is tested as an independent unit, and brings whatever strength it has independent of internal ciphering requirements. Dynamic mixing and matching prevents having any fixed target to attack.

So should good cipher design as far as I can see but I'll go along with you here. I see this idea as promising and will not argue with the premise that if you've got 5 good ones, why just stick with one - indeed why just stick with a fixed arrangement of that 5 (effectively making one very complicated, but still fixed, cipher) when you can jumble the order, modes of operation, etc each time. (The way in which that has been done would presumably become part of the "key"). I'd still prefer that we standardise on those 5 and maybe rotate new ones in "occasionally" (conservatively) in a method not-unlike the current AES process - ie. public exposure to candidates for a good hard thrash at them before actual incorporation of them into systems.

You need all three in the same place and in the same order to have anything other than a "noise generator". Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages

Really? Tell me more about how ciphers are designed. How long did you say you have been doing this? How many ciphers have you designed? Have you measured them? Where can we see your work?

Already told you I'm not a cipher designer. But there are cipher designers who share my view so attack the idea, not the guy saying it. I might also add - you're asking me to measure ciphers after having insisted quite strongly that any such attempt is implicitly impossible (with the absolute exception of breaking it).

Can I take apart a modern cipher and say "that's not a cipher - look, it's lots of little ciphers"? All I said was the division for me between 3 ciphers strung in a line and one cipher with 3 stages to it seems to be a question of packaging and patents. One could even stretch the definition and include the possibility of reordering "stages" based on the "key". But I'm not going to suck myself into a bits-on-the-wire cipher designing discussion because I know I can't make a worthwhile contribution to it.

regular basis. I see this as unacceptable in a real-world scenario for reasons of interoperability & standardisation, as well as security.

What you mean is that you do not know how such a system would be standardized and made interoperable. Then you imply this means nobody else could do it either.

Fair call. Let me try again then - I think there could well be some very useful gains made from employing standards that use multiple primitives that hopefully seem (barring quantum computers?) to be independent targets of attack, that when used in different orders, modes, etc reduce the chances of the whole system getting broken rather than one putting the house on one primitive, or one configuration of the primitives. I do however think we should be measuring the primitives (which you suggest is pointless) as best we can, and that we should use a conservative approach to the standardisation on those primitives and the method by which new ones are incorporated into the standards.

If your "boolean model" of cipher strength is valid - can't this entire idea, when wrapped and considered as an entity in itself, then be implicated as just as "trust-worthy" as a single cipher that hasn't been broken? I would NOT regard them as equal but your argument, by extension, does.

Cheers. Geoff
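The scheme the post above keeps returning to, a standard bank of ciphers "strung together in a different order every time" with the arrangement forming part of the key, sketched as an added example. This is not code from either participant or from any product named in the thread. The four stage ciphers are hypothetical stand-ins: each is a 4-round Feistel network whose round function is HMAC over a different hash, run in CBC mode, chosen so that the order of stages actually matters (XOR-based stream stages would commute and make the ordering meaningless). The stage names, key-derivation labels, the 16-byte nonce and the message layout are all this example's own assumptions.

```python
"""Key- and nonce-dependent cascade of independently keyed stage ciphers.

Added example for the "bank of ciphers, strung together in a different order
every time" idea from the thread. Everything here is hypothetical illustration:
the four stage ciphers are 4-round Feistel networks whose round function is
HMAC over a different hash, run in CBC mode. They stand in for the real block
ciphers a deployment would register under textual names.
"""
import hashlib
import hmac
import os

BLOCK = 32   # stage block size in bytes: two 16-byte Feistel halves
ROUNDS = 4   # four rounds of a PRF in a Feistel network give a strong PRP

# The "bank": a textual name for each stage (an assumed naming scheme) mapped
# to the hash its round function uses.
STAGE_BANK = {
    "feistel/hmac-sha256": hashlib.sha256,
    "feistel/hmac-sha512": hashlib.sha512,
    "feistel/hmac-sha3_256": hashlib.sha3_256,
    "feistel/hmac-blake2b": hashlib.blake2b,
}


def _prf(key: bytes, data: bytes, h=hashlib.sha256) -> bytes:
    """Keyed PRF used for key derivation, IVs, stage ordering and the tag."""
    return hmac.new(key, data, h).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_block(subkey: bytes, h, block: bytes, decrypt: bool) -> bytes:
    """One BLOCK-byte block through the Feistel network in either direction."""
    left, right = block[:16], block[16:]
    rounds = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in rounds:
        f = _prf(subkey, bytes([i]) + right, h)[:16]   # round function
        left, right = right, _xor(left, f)
    return right + left   # undo the last swap so both directions are inverses


def _stage_cbc(name: str, subkey: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Run one named stage over whole blocks in CBC mode."""
    h, out, prev = STAGE_BANK[name], [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out.append(_xor(_feistel_block(subkey, h, blk, True), prev))
            prev = blk
        else:
            prev = _feistel_block(subkey, h, _xor(blk, prev), False)
            out.append(prev)
    return b"".join(out)


def stage_order(key: bytes, nonce: bytes) -> list:
    """Per-message stage order: a keyed pseudo-random ranking of the whole bank.

    Both ends recompute it from the key and the message nonce, so the order is
    never sent on the wire and differs from message to message.
    """
    return sorted(STAGE_BANK, key=lambda n: _prf(key, b"order|" + nonce + n.encode()))


def _stage_keys(key: bytes, name: str, nonce: bytes):
    subkey = _prf(key, b"stage|" + name.encode())   # independent key per stage
    return subkey, _prf(subkey, b"iv|" + nonce)       # 32-byte IV per stage and message


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Returns nonce (16) || cascade ciphertext || HMAC tag (32), encrypt-then-MAC."""
    nonce = os.urandom(16) if nonce is None else nonce
    pad = BLOCK - len(plaintext) % BLOCK              # PKCS#7 padding, 1..BLOCK bytes
    data = plaintext + bytes([pad]) * pad
    for name in stage_order(key, nonce):
        subkey, iv = _stage_keys(key, name, nonce)
        data = _stage_cbc(name, subkey, iv, data, False)
    tag = _prf(_prf(key, b"mac"), nonce + data)
    return nonce + data + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Verifies the tag first, then undoes the stages in reverse order."""
    if len(message) < 16 + BLOCK + 32 or (len(message) - 48) % BLOCK:
        raise ValueError("malformed message")
    nonce, data, tag = message[:16], message[16:-32], message[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + data)):
        raise ValueError("authentication failed")
    for name in reversed(stage_order(key, nonce)):
        subkey, iv = _stage_keys(key, name, nonce)
        data = _stage_cbc(name, subkey, iv, data, True)
    pad = data[-1]
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return data[:-pad]


if __name__ == "__main__":
    k = os.urandom(32)
    msg = b"constructed sample plaintext for the cascade demo"
    boxed = encrypt(k, msg)
    print("stage order for this message:", stage_order(k, boxed[:16]))
    print("round trip ok:", decrypt(k, boxed) == msg, "-", len(boxed), "bytes")
```

Two points the code makes that the prose leaves implicit: the receiver has to reproduce exactly the same stage order, which is why the order is derived from the key and the nonce rather than transmitted, and each stage gets its own derived subkey, so recovering one stage's key does not hand over the others. The tag is computed over the nonce and the final ciphertext (encrypt-then-MAC) and checked before any stage is undone.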


Subject: Re: Question on confidence derived from cryptanalysis.
Date: Wed, 21 Apr 1999 07:28:21 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 371d7e0a.11538318@news.io.com
References: 371D1D69.AF9907B6@raas.co.nz
Newsgroups: sci.crypt
Lines: 544

This is going to have to be one of my last. I just can't afford to spend several hours responding as I have here.

On Tue, 20 Apr 1999 20:35:53 -0400, in 371D1D69.AF9907B6@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

Hi,

Terry Ritter wrote:

On Tue, 20 Apr 1999 00:28:14 -0400, in 371C025E.6AD4BAB8@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

[...] Before I get accused of doing precisely what I don't want to do (lock horns, duke it out, etc) ... let me just say that I really am warming to an idea implicit in all of this - and I believe it is one of yours,

Son of a gun, it is one of mine. Why, what a surprise!

The first thing that happens in these discussions is the outright denial of my points. Then, as my points become unassailable, there is denial that I was the one who presented solutions -- in the very same discussion! Then we will have denial that I originated this issue, then condescending comments that I was not the first to ever do so (despite the level of controversy implying that earlier discussions had little effect). And then, since I talk about this periodically, we will have comments it has to be considered public domain anyway.

Is it any wonder that I patent my stuff?

The current relevant message was:

From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 20:20:24 GMT
Lines: 129
Message-ID: <:37179b67.12809750@news.io.com>

but we can go back years for much of this.

though it was Trevor I think who recently illustrated it quite well ... namely the employment of a standard bank of ciphers that can be invoked on demand in any number of possible configurations eg strung together in a different order every time, utilising the different modes of operation, etc etc. I also agree the implementation and standardisation headaches of this sort of scheme are not insurmountable - indeed every standard SSL implementation I've seen lately seems to implement most of the core ciphers/modes that could be used in such a scheme. I'm also definitely not against the idea of extensibility of frameworks to incorporate as-yet-unknown elements - indeed PKCS#7 probably didn't have DSA, ElGamal etc in mind, but now they seem to be creeping into CMS and that method seems to allow room to grow it again later. (If I've confused this with something else, someone please correct me - I could have my wires a little crossed right now and don't have any reference handy).

But it seems to me, especially with regard to non-realtime applications, that to an extent, less-is-more ... sure a few ciphers in your pool is fine, especially if everyone has them. But the wholesale liberalisation of cipher farming seems to create a very real problem - a kind of protocol grid-lock. And frankly, I still place a lot of stock in what I rank as ciphers of tested strength and wouldn't want any system of mine having too many "new toy" ciphers creeping in. Perhaps we need to agree to disagree.

I'm sure we will disagree. But if your disagreement is with the above issues, you again disagree with your particular extrapolation of such a system. Let me describe the right way:

First, we want to be able to plug in arbitrary ciphers. The interface thus has several levels: One level is the OS interface which allows each of multiple packaged routines to be stored on disk, then dynamically loaded and invoked. Another level is the parameter package and functioning of each routine.

Next, we want to be able to accommodate essentially unlimited future ciphers, and do so in a way which does not require a central registration facility (which thus must be operated and funded), with its inherent submission, approval, and listing delays. We can do this by having the implementor of each package give it a unique textual name -- perhaps the company name, style, model number (NOT a serial number). This would be a string which in practice would probably be a single line of 80 characters. When we want that cipher, we use its textual name. Presumably, the cipher system will catalog the various packages available by name so they can be quickly loaded from disk then invoked.

Then we want to satisfy users' desire for particular ciphers, or to not use particular ciphers. We can do this by generating a list of ciphers which each user will accept -- a different list for each user, and each connection that user has. We assume that everybody has one of these ciphers, probably 3-key Triple-DES. (In general, once this gets rolling, almost everybody will have the basic 10 or 20 ciphers.)

Next, we want to support changing ciphers mid-conversation. We can do this by establishing a "control channel" which is just a variable-length field distinguished from the normal data payload. All of this is enciphered for transmission, then deciphered. On the control channel, the ciphers propose a short list of ciphers to change to, and then additional lists if these are rejected. When they find agreement, both ends switch. I suggest that each direction have its own current cipher, and that ciphers be switched every message or two.

One implication of this is that there must exist a local encrypted database of keys and associated current cipher selections, which must be updated dynamically as the ciphers change. The user must unlock this with the single key he or she needs for the whole system.

I could go on with a specific cipher-change message protocol, but will not.

Your position, dare I state it, is that you can estimate the capabilities of your Opponents. You also say you can estimate the future strength of a cipher from past tests. But for all this claiming, we see no similar statements in the scientific literature. So these are simply your opinions, and I see no supporting facts.

Scientific literature? Ironic that it is precisely this quantity that you appear to place very little value in with regard to ("tested") cipher strength, and yet I am supposed to find some to support my view?

Aw, man, this is soooooo bogus. You have no idea what you are talking about.

Show me one scientific article which does specify cipher strength. Crypto scientists know they CANNOT state a "strength" (as we know the term). There is no (reputable) literature like this. Yet that is exactly what YOU are trying to do.

In this case I agree with virtually the entire body of cryptanalytic literature in that one CANNOT know cipher strength. I also think it is fruitless to speculate on strength, or on the capabilities of our Opponents, and that we are better off spending our time protecting against failures which cryptanalysis cannot avoid.

Which means that attempts to do this -- exactly what you are doing -- are simply unscientific. When you can show that this works, then we can talk about it. (But that is only the beginning of your argument.)

Anyway - I have already said that my view (that a cipher not falling over despite some considerable efforts against it does merit some "value") is not based on any exact science. I think history, and some basic common sense warrant my conclusions. Your contrary opinion does not appear to be any more scientifically founded - although it does appear to be a little more "absolute" or "axiomatic" (and IMHO "not terribly practically useful").

But my "contrary opinion" -- that the past history of the strength of a cipher does NOT tell us about its future strength -- again reflects the scientific literature. I am aware of no articles at all that show such a correlation. That is not my opinion, that is the prevailing scientific understanding. You are the one proposing a clear opinion with no scientific basis whatsoever.

Now, statement (1) is wrong.

Which was: "1) We cannot estimate the probability that an effective attack exists which we did not find."

Since you think this is wrong, you must believe we can make an estimate. Fine. Do it. Show me.

The fact that I can drive in Quebec without getting killed for 3 months suggests I can probably survive another few days. I don't know what my chances would be in London - and maybe the insurance salesman doesn't either. Fine, I'll go for a drive shortly and if I STILL don't get killed (ie. I post again in the future to this group) then that supports my estimate of the probability.

And, as I have said repeatedly, though apparently to little avail, we know the general risk of driving from reporting and experience.

In contrast, there is no reporting of crypto failure.

And we do not experience cipher failure, because simply using a cipher program does not tell us whether or not that cipher has been penetrated and our data exposed. We get no feedback upon which to build an understanding of the risk of cipher failure.

In crypto, we do not have the same cues which support our understanding of risk in real life.

If you think I'm wrong, break triple-DES and you show me.

Nonsense. My point is precisely that cryptanalysis ("breaking") cannot tell us if a cipher is weak. My point is that we must assume weakness without having to break the cipher, if failure would be disastrous. Since that is my point, I hardly need do the opposite to make my argument.

Otherwise - neither of us is correct in any pure sense

I think unscientific arguments would be called "incorrect." You assume something trivial like extrapolating the strength of a cipher from its cryptanalytic testing -- something which does not exist in the scientific literature.

In contrast, I assume that any cipher may fail -- and this is the nearly universal scientific understanding. I would call that correct.

... but I'm still comfortable with my approach and if others are too that's all that matters.

I doubt the facts are changed by their popularity.

Anyway, now I think about it further - exactly how can you possibly insist that "we cannot estimate a probability" ??? Sounds absurd. Particularly with something that has any historical record at all?

ONE MORE TIME... Fine. Do it. Show me. Show us all. Show every cryptographic scientist what they have been missing. Go. Do it now.

As someone with a love of pure mathematics, it does feel a little disturbing to be arguing a point with someone where it is I who am on the fuzzy, pragmatic, approximation side of the fence and the other is arguing puristically.

You seem to be in conflict between your ego and reality. You have told us how good you see yourself as being, which leaves very little room to realize that your entire argument has been wrong from the beginning.

Alas, what people believe is not science.

But what people believe influences what they will and will not do (and will or will not put up with). And unless a scientist can prove absolutes they will have difficulties imposing absolutes. Perhaps a good way to measure this is to ask an insurance-brokerage expert to comment on the insurability (premiums etc) on an information resource secured using your approach versus something like I prefer. Not a single ounce of "science" will enter into this equation (I suppose) and yet I can't imagine a more adequate way to judge the situation - after all, it is these kind of people whose lives it is to cover the costs of things when they go wrong.

Will insurance really cover the expenses of an entire society changing from one standard cipher which fails to another "better" cipher? And what do we do about the little detail that this failure may occur in secret and extend over a period of decades? Could any country pay such a cost? Of what worth is insurance if the reality of failure is Apocalyptic?

year than the average "expected life". It's a very basic and common mathematical model/argument, and it's common sense.

Oddly, no such study has appeared in the literature. That seems somewhat strange, since you say it is very basic common sense. Perhaps everyone else in cryptography has simply been blinded to this fundamental truth. When will you write it up for us?

If I hire a programmer to work with a new technology and a deadline, and my options (for the same money/conditions etc) are between someone who has demonstrated he/she can handle new technologies (in the past of course), and someone who might be able to handle new technologies, I'm going to hire the one with experience. A new candidate might be faster, hungrier, and actually better with the new technology - but why would I take that chance versus the chance the experienced one ran out of puff? True, until I try one I will not know which one was better but I'll hope you agree estimations, probabilities, and common sense are all present and can be utilised. I got a feel that your view on this was almost quantum mechanical - then I remembered that even QM admits probability distributions and expected values (and the difference between a likely result and an unlikely one even though each is possible until you find out for sure).

But I digress perhaps, and we've already demonstrated we don't agree here so ...

It is more than a matter of disagreement; it is a matter of you being wrong.

You are arguing your opinion about cipher strength. (Recall that I do not argue an opinion about cipher strength, but instead the fact that any cipher may be weak.) If you have compelling factual evidence, I will support it. Show me the correlation you say exists. Prove it. Then you can use it.

I've already admitted that my "correlation" is a fuzzy one, full of ideas that are "compelling" (to me) here, "suggestive" (to me) there, etc - and that my conclusion is a fuzzy one. Perhaps then I've shown compelling "fuzzy" evidence. [;-) Anyway, you are saying I cannot use "tested strength" as a measure - and your sole reason seems to be - "because it could still break tomorrow". Nobody disputes the latter statement but it does not logically imply the blanket assertion you make. Not proving things one way or the other does not mean we need default to your assertion, that all ciphers are equal

You oh-so-casually use my words out of context. As you use it, that was not my assertion. I claim that any two ciphers which have not failed are equal with respect to the possibility that they may fail. In that sense, all ciphers are equal, so we can trust none. All ciphers are equal in that we cannot trust them. That includes new ciphers, old ciphers, and everything in between.

when only existing failures to break them are in evidence, and abandon my assertion, that failing to break ciphers does provide useful information for "estimations".

And in case you ask, no - I know of NO research paper to support this and have no interest in attempting to create some when I'm already satisfied.

I would simply hope that your readers are more scientific.

Nobody has any problem with you making a call for yourself and risking only yourself. But if this "call" is intended to formulate what "should" happen for much of society, you may need to revise your estimate as to the consequences of failure. Just how much disaster are you willing for us to have?

The consequences of failure are not what I'm estimating. And again, I'll agree that the idea discussed before (utilising a defined set - for interoperability this seems necessary - of ciphers, algorithms, etc etc that can be jumbled around on the fly to diffuse the impact "a break" would have). It would interesting, though off topic, to see how your absolutist approach generalises to arms control, transportation legislation, etc. All areas where "pragmatic fuzzies" tend to preside over "puristic absolutes" - even when they're cautionary variety.

I have no idea what you are talking about. Those are not analogies I use; I doubt they apply to crypto. If you want to draw such analogies, you will have to do so in much greater detail.

Will it be OK for everyone to use the single standard cipher which you predict is strong, if you turn out to be wrong? Will it be OK when

I've already moved a bit to your side on at least one point - one single cipher (if they are implicitly atomic and cannot encompass the idea that one can effectively put what would be 3 or 4 atomic ciphers into a "cipher") would not be as comforting as a small (I still think "fixed", or at least "slow moving") collection of ciphers jumbled up to disperse the impact a break in any one configuration would have. I still think my point applies to the selection of those ciphers though.

Who knows, you may move "a bit" on that, next.

communications grind to a halt and incompatible low-security temporary measures are instituted everywhere while a new cipher is integrated into all the programs which must be replaced throughout society? Is that OK with you?

And quantum computers could break everything and that wouldn't be OK with me either. But I'm not going to resort to carrier pigeons (which could be broken by a large society of hunters ... oh god ... this is getting too much).

I would say so.

Our Opponents are just well-paid versions of us, most of whom probably grew up around us, and who find their occupations not too unfathomably unethical to suffer day by day.

This is simply breathtaking: It is appallingly, plainly, immediately false even to the most casual observer. People do differ, we do have limitations others do not have, and others often do take advantage of knowledge to which we have no access.

You still don't get what I'm saying ... YES people do differ, but I think continuously, not by quantum leaps that erase any relationship you can draw.

And I think that is false.

Sure thing - but the whole system does not collapse down to a binary system of "broken" and "not-broken-yet" ... as you say, you put together a threat model ... consistent with your requirements and using a chosen method for judging a components "worth", and amplify it here and there as appropriate. A lot like putting together a cost-proposal I guess ... add in your known prices, choose an acceptable value for the "unknowns", amplify the costs of all the "risky" bits, add x% profit on top - and then bang another 30% on top for good measure, and generally covering your butt some more.

Write whatever numbers you want: you cannot support them.

You can be as cautious as you like and you could still get busted - you can be as irresponsible as you like and you COULD (not likely) get away with it. You can also just give up. That same model applies every time I write a proposal, an electricity company designs and insures an infrastructure, and many other real world situations. Tell me why I HAVE to resort to such a binary system of "broken" and "not-broken-yet".

I wouldn't know.

You don't seem to be able to support your claim that the test of time (and attack) does not provide a usable measure and you yourself have not written any numbers to try.

My support is that the "test of time" theory does not exist in cryptographic science. I suggest that the lack of results from a great many very smart people is precisely the sort of prediction you claim to support. And now you ignore it because it is not to your advantage.

Don't tell me and many other people with an interest that it's invalid to use such approaches, and then only support your claim by statement - particularly if you intend to then insist I support my own claims with numbers or proofs I'm supposed to pluck out of thin air.

My claims are supported by the literature, and yours are not. You thus have the greater burden. How unfair of me to be on the right side.

3 ciphers strung in a line is, to me, a cipher.

The distinction is that each cipher is an independent and separable element which can be "mixed and matched" with any other. Each cipher is tested as an independent unit, and brings whatever strength it has independent of internal ciphering requirements. Dynamic mixing and matching prevents having any fixed target to attack.

So should good cipher design as far as I can see but I'll go along with you here. I see this idea as promising and will not argue with the premise that if you've got 5 good ones, why just stick with one - indeed why just stick with a fixed arrangement of that 5 (effectively making one very complicated, but still fixed, cipher) when you can jumble the order, modes of operation, etc each time. (The way in which that has been done would presumably become part of the "key"). I'd still prefer that we standardise on those 5 and maybe rotate new ones in "occasionally" (conservatively) in a method not-unlike the current AES process - ie. public exposure to candidates for a good hard thrash at them before actual incorporation of them into systems.

You need all three in the same place and in the same order to have anything other than a "noise generator". Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages

Really? Tell me more about how ciphers are designed. How long did you say you have been doing this? How many ciphers have you designed? Have you measured them? Where can we see your work?

Already told you I'm not a cipher designer. But there are cipher designers who share my view so attack the idea, not the guy saying it.

Which particular idea would that be, precisely? Will you find a cipher designer who will say in so many words that he or she can predict the strength of a cipher based on its cryptanalytic history? Will you find someone who will say they can predict the capabilities of future Opponents based on current academic results? I don't think so.

What you actually can find is people who will say that untested ciphers are likely to fail. Note that this is distinctly different from your claims. In particular, having "passed," tells us nothing about the strength with respect to unknown attacks.

I support all the cryptanalysis we can get. But, in the end, we can trust neither cipher to remain unbroken. So, in that sense, new and old ciphers are both equal in their untrustability.

I might also add - you're asking me to measure ciphers after having insisted quite strongly that any such attempt is implicitly impossible (with the absolute exception of breaking it).

You are the one who keeps claiming that realistic comparisons of cipher strength are possible. That is not in the literature, so it is up to you to back it up your claim. Show me. Do it.

I claim it is not possible, and I have the literature on my side.

Can I take apart a modern cipher and say "that's not a cipher - look, it's lots of little ciphers"? All I said was the division for me between 3 ciphers strung in a line and one cipher with 3 stages to it seems to be a question of packaging and patents. One could even stretch the definition and include the possibility of reordering "stages" based on the "key". But I'm not going to suck myself into a bits-on-the-wire cipher designing discussion because I know I can't make a worthwhile contribution to it.

regular basis. I see this as unacceptable in a real-world scenario for reasons of interoperability & standardisation, as well as security.

What you mean is that you do not know how such a system would be standardized and made interoperable. Then you imply this means nobody else could do it either.

Fair call. Let me try again then - I think there could well be some very useful gains made from employing standards that use multiple primitives that hopefully seem (barring quantum computers?) to be independent targets of attack, that when used in different orders, modes, etc reduce the chances of the whole system getting broken rather than putting the house on one primitive, or one configuration of the primitives. I do however think we should be measuring the primitives (which you suggest is pointless) as best we can, and that we should use a conservative approach to the standardisation on those primitives and the method by which new ones are incorporated into the standards.

If your "boolean model" of cipher strength is valid - can't this entire idea, when wrapped and considered as an entity in itself, then be implicated as just as "trust-worthy" as a single cipher that hasn't been broken? I would NOT regard them as equal but your argument, by extension, does.

Without going overboard, I agree! I think "my" Boolean model is overstated, though: Ciphers can be "Boolean" in an abstract sense of broken or not. But since we cannot measure either cipher strength or Opponent capabilities, the distinction seems a waste of time.

We can no more have absolute "trust" or absolute "confidence" in the strength of a layered system than any one cipher. But what I think we can say is: 1) the stack is not weaker than any of the components, and 2) the stack prevents single-component failure from being an overall failure. We might speculate that this "lessens" the probability of failure. But since we cannot measure any of these strengths or probabilities, that seems like yet another chimera just better ignored.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
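The cipher stack Ritter argues for above (independent, separable ciphers, each with its own key, mixed and matched so there is no fixed target, with the stack no weaker than any one component) as a runnable Go program. This is an added example written for this page, not code from Ritter or from anyone in the thread. It assumes a master key and a per-message nonce, and the cipher registry, the derivation labels and the HMAC-SHA256 counter-mode expansion are illustrative choices; only the Go standard library's AES and triple-DES are used. Each layer derives its own key and IV, because the cascade results in the cryptographic literature (the "cascade is at least as strong as its first cipher" line of results) assume independently keyed layers, and the layer order is itself derived from the key so that two messages under different nonces traverse the ciphers in different orders. CBC is used rather than CTR on purpose: stacked CTR layers just XOR their keystreams together, so order would not matter.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// layerSpec is one entry in a hypothetical user-maintained cipher collection.
type layerSpec struct {
	name     string
	keyLen   int
	newBlock func(key []byte) (cipher.Block, error)
}

// registry: the ciphers available from the Go standard library (illustrative set).
var registry = []layerSpec{
	{"aes-256", 32, aes.NewCipher},
	{"3des", 24, des.NewTripleDESCipher},
	{"aes-128", 16, aes.NewCipher},
}

// padBlock is the outer padding granularity; it is a multiple of every layer's block size.
const padBlock = 16

// derive expands master || nonce || label into n bytes with HMAC-SHA256 in
// counter mode (an HKDF-expand style construction chosen for this example).
func derive(master, nonce []byte, label string, n int) []byte {
	var out []byte
	for ctr := uint32(1); len(out) < n; ctr++ {
		mac := hmac.New(sha256.New, master)
		mac.Write(nonce)
		mac.Write([]byte(label))
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], ctr)
		mac.Write(c[:])
		out = append(out, mac.Sum(nil)...)
	}
	return out[:n]
}

// layerOrder returns a key- and nonce-dependent permutation of the registry
// (Fisher-Yates driven by derived bytes; modulo bias is negligible for a few layers).
func layerOrder(master, nonce []byte) []int {
	n := len(registry)
	order := make([]int, n)
	for i := range order {
		order[i] = i
	}
	r := derive(master, nonce, "order", 4*n)
	for i := n - 1; i > 0; i-- {
		j := int(binary.BigEndian.Uint32(r[4*i:]) % uint32(i+1))
		order[i], order[j] = order[j], order[i]
	}
	return order
}

// layerBlock builds layer idx with its own independent key and IV.
func layerBlock(master, nonce []byte, idx int) (cipher.Block, []byte, error) {
	spec := registry[idx]
	blk, err := spec.newBlock(derive(master, nonce, "key:"+spec.name, spec.keyLen))
	if err != nil {
		return nil, nil, err
	}
	return blk, derive(master, nonce, "iv:"+spec.name, blk.BlockSize()), nil
}

func pad(p []byte) []byte {
	n := padBlock - len(p)%padBlock
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 {
		return nil, errors.New("empty")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > padBlock || n > len(p) || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return p[:len(p)-n], nil
}

// Encrypt applies every registered cipher, CBC mode, in key-dependent order.
func Encrypt(master, nonce, plaintext []byte) ([]byte, error) {
	buf := pad(plaintext)
	for _, idx := range layerOrder(master, nonce) {
		blk, iv, err := layerBlock(master, nonce, idx)
		if err != nil {
			return nil, err
		}
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	}
	return buf, nil
}

// Decrypt peels the layers off in the reverse of the order Encrypt used.
func Decrypt(master, nonce, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%padBlock != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the padding block")
	}
	buf := append([]byte{}, ciphertext...)
	order := layerOrder(master, nonce)
	for i := len(order) - 1; i >= 0; i-- {
		blk, iv, err := layerBlock(master, nonce, order[i])
		if err != nil {
			return nil, err
		}
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf)
	}
	return unpad(buf)
}

func main() {
	master := []byte("constructed 32-byte master key!!") // constructed sample key
	nonce := []byte("constructed nonce") // a real system draws this fresh per message
	ct, _ := Encrypt(master, nonce, []byte("attack at dawn"))
	pt, _ := Decrypt(master, nonce, ct)
	fmt.Printf("order=%v ct=%x pt=%q\n", layerOrder(master, nonce), ct, pt)
}
```

Two things the code makes concrete that the argument above leaves abstract: no layer ever sees another layer's key, so a break of one cipher yields only that layer's keystream relationship and not the plaintext; and adding a cipher to the registry changes nothing else, which is the "independent and separable element" property. What it does not provide is integrity: a deployment would still add a MAC over the ciphertext.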


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 11:51:36 -0400 From: Geoff Thorpe geoff@raas.co.nz Message-ID: 371DF408.C995EE10@raas.co.nz References: 371d7e0a.11538318@news.io.com Newsgroups: sci.crypt Lines: 185

Hi,

I'm clipping liberally now in part of a joint effort (with Terry I believe) to get this down to a manageable size again. Particularly as the themes seem quite universal throughout.

First let me quote the more "emotive" stuff before getting the heart of the issue itself:

Terry Ritter wrote:

You seem to be in conflict between your ego and reality. You have

OK, so now I have an ego problem - after caveats of not being a cipher-designer, knowing that my views of "tested strength" are based on "fuzzy" quantities and "judgement". But then you go on to demonstrate some hypocrisy:

told us how good you see yourself as being, which leaves very little room to realize that your entire argument has been wrong from the beginning.

how arrogant, and yet somehow sad too.

Aw, man, this is soooooo bogus. You have no idea what you are talking about.

once again.

Son of a gun, it is one of mine. Why, what a surprise!

The first thing that happens in these discussions is the outright denial of my points. Then, as my points become unassailable, there is denial that I was the one who presented solutions -- in the very same discussion! Then we will have denial that I originated this issue, then condescending comments that I was not the first to ever do so (despite the level of controversy implying that earlier discussions had little effect). And then, since I talk about this periodically, we will have comments it has to be considered public domain anyway.

Is it any wonder that I patent my stuff?

Is it any wonder you so acidically slam views that do not concur with your own - I'm not rallying behind anything other than my opinion - and I am impartial of the quantities we're dealing with here, I maintain no patents or profit - I do not get paid to do anything "free" (as per the academics) - and yet what I do contribute (coding), in the area of crypto at least, goes straight into the public domain. I stand accused of getting stuck between ego and reality, but all I've done is state that I don't agree with your radical view on the value (or lack of value) one can put on "tested strength" - you however seem guilty of exactly that which you accuse me of. At least I've engaged in discussion with you, it seems your beef should be with those who pay no attention to you.

I'm sure we will disagree. But if your disagreement is with the above issues, you again disagree with your particular extrapolation of such a system. Let me describe the right way:

"the right way" ... why am I not surprised.

[snipped a description of a basic and extensible architecture for a user-maintained collection of ciphers and an outline of how the online protocols might proceed from that].

Frankly Terry there are much better people to comment on this from audit and cryptanalytic points of view but from a software engineer/designer point of view, really nothing here surprises me a great deal. My initial reaction is that it looks a little bit held together with "chicken-wire", and you already know my point of view on standards that just say "plug in the ciphers you feel most 'connected' to" - I'm still not compelled that this will be interoperable but that's not to say you don't have an explanation why it could be - and I'm certainly compelled that this is irresponsible in the extreme, but that of course hinges on my view that triple-DES is a better option than mysticTarot128 even though the latter could have a sexier web-site. And we already know we disagree on that premise so it boils down to axiomatic differences.

I could go on with a specific cipher-change message protocol, but will not.

Might I just say that it seems to me that this approach (a) seems to demand a complicated protocol that itself must be a vulnerable-looking target for a "winner-takes-all" breakage, (b) if you want to sling requirements of "scientific literature" around then why don't we quote the oft-quoted phrase "security by obscurity". I would still rather use one 128-bit triple-DES stage, than two 128-bit toys in a random configuration. The latter looks more like snake-oil to me and may well impress end-users (for being "configurable" and "too complicated to break (TM)") and impress Opponents ("ha, the fools"). Again, this could boil down to our fundamental difference.

Show me one scientific article which does specify cipher strength. Crypto scientists know they CANNOT state a "strength" (as we know the term). There is no (reputable) literature like this. Yet that is exactly what YOU are trying to do.

You go on to say that you welcome all the concerted cryptanalysis people can come up with. For what? Is that cryptanalysis worthless if it does not actually break a cipher? If not, tell me what value you place on such cryptanalysis (let's say the analysis in question is on DES/triple-DES), call it a unit of "tested strength", and perhaps we don't disagree as much as we did.

In this case I agree with virtually the entire body of cryptanalytic literature in that one CANNOT know cipher strength. I also think it

Yet much of it fails to break the cipher in question, and is often littered with conclusions such as "seems to hold up well in the face of []", "seems to have some strong properties with respect to []", etc. These are morsels that contribute to what I perceive as "tested strength". You seem to think that cryptanalysis is valuable, and yet you place no value on most of it. I choose to. And you also say that the entire body of cryptanalytic literature supports you in all this and it is I who must find evidence, proof, references to support my disagreements with you - when what I'm saying is that cryptanalytic work against a cipher (that doesn't bust it) gives me some confidence over a lack of cryptanalytic work against another. You've still not convinced me that I must abandon that view - you've just stated that I should, and that the literature supports you in that conclusion.

is fruitless to speculate on strength, or on the capabilities of our Opponents, and that we are better off spending our time protecting against failures which cryptanalysis cannot avoid.

That is a noble objective - but whatever the result, it will employ ciphers - and that's where my niggly (and probably highly frustrating to some obsessed with an all-ciphers-are-equal philosophy) little view comes back into the frame.

Which means that attempts to do this -- exactly what you are doing -- are simply unscientific. When you can show that this works, then we

Define "scientific" and we'll probably see you've defined the possibility of discussing this issue scientifically out of existence.

But my "contrary opinion" -- that the past history of the strength of a cipher does NOT tell us about its future strength -- again reflects the scientific literature. I am aware of no articles at all that show

Does it indeed. Funny that rather prolific contributors to the scientific literature are competing in a battle to see whose cipher holds up the best to "historical strength testing" so as to be utilised with improved expectations of "future strength". Perhaps these luminaries won't come out and argue the point with you, but because I'm not so highly esteemed and you're here arguing with me - naivety, unfamiliarity with the literature, historical record, blah blah blah are all valid accusations for you to dismiss the view outright.

such a correlation. That is not my opinion, that is the prevailing scientific understanding. You are the one proposing a clear opinion with no scientific basis whatsoever.

The opinion that placing "tested strength" in something that has withstood attempts to break it over things which haven't is a core scientific principle in many fields, many of them where disastrous risks of being wrong are involved - and it IS common sense. Telling me it isn't does seem to put a burden of proof on you that goes beyond simply stating it, and making sweeping assertions that "the vast scientific literature" supports you.

Nonsense. My point is precisely that cryptanalysis ("breaking") cannot tell us if a cipher is weak. My point is that we must assume

And apparently cryptanalysis ("not breaking") cannot tell us if a cipher is "strong". What value is it that you actually see in this field of science? How are anyone except the scientists themselves supposed to use or apply the outcome of that work in any practical way?

I think unscientific arguments would be called "incorrect." You assume something trivial like extrapolating the strength of a cipher from its cryptanalytic testing -- something which does not exist in the scientific literature.

Common-sense usage of scientific literature itself not being documented in scientific literature. An interesting rebuttal and one that has me tiring of this pointless back-and-forth. If you are blind, this will go nowhere - if you are right, you need to find a better way of understanding my view and showing me constructively why it is definitively wrong if you want to get anywhere. Bear in mind that my view happens to be shared by many who cannot so trivially be swept aside with back-handed commentary about "the scientific literature" and "not knowing what you're talking about".

Regards, Geoff


Subject: Re: Question on confidence derived from cryptanalysis. Date: Thu, 22 Apr 1999 00:21:12 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371e664f.28640885@news.prosurfr.com References: 371d7e0a.11538318@news.io.com Newsgroups: sci.crypt Lines: 85

ritter@io.com (Terry Ritter) wrote, in part:

On Tue, 20 Apr 1999 20:35:53 -0400, in 371D1D69.AF9907B6@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

Before I get accused of doing precisely what I don't want to do (lock horns, duke it out, etc) ... let me just say that I really am warming to an idea implicit in all of this - and I believe it is one of yours,

Son of a gun, it is one of mine. Why, what a surprise!

though it was Trevor I think who recently illustrated it quite well ... namely the employment of a standard bank of ciphers that can be invoked on demand in any number of possible configurations eg strung together in a different order every time, utilising the different modes of operation, etc etc.

I've caught myself stealing some of your ideas - usually in E-mail discussions - and although I suspect what I've done in Mishmash (see Quadibloc III) isn't really the same idea, it uses part of it, in a limited form so as to fit within the framework of a "conventional" block cipher.

And frankly, I still place a lot of stock in what I rank as ciphers of tested strength and wouldn't want any system of mine having too many "new toy" ciphers creeping in. Perhaps we need to agree to disagree.

First, we want to be able to plug in arbitrary ciphers.

Next, we want to be able to accommodate essentially unlimited future ciphers, and do so in a way which does not require a central registration facility (which thus must be operated and funded), with its inherent submission, approval, and listing delays.

Then we want to satisfy users' desire for particular ciphers, or to not use particular ciphers.

Which is indeed the point where agreement is restored.

Next, we want to support changing ciphers mid-conversation.

This makes it clear enough that you are in a different and more advanced realm than what I was worried about having "stolen".

While there will be pressure to adopt the standard ciphers for interoperability, such a system definitely does allow for a new cipher to become a new part of the set.

We can no more have absolute "trust" or absolute "confidence" in the strength of a layered system than any one cipher. But what I think we can say is: 1) the stack is not weaker than any of the components, and 2) the stack prevents single-component failure from being an overall failure. We might speculate that this "lessens" the probability of failure. But since we cannot measure any of these strengths or probabilities, that seems like yet another chimera just better ignored.

Unless we fall for that chimera - unless we believe that adopting a layered system will do some good, and reducing the probability that our messages will be read is indeed the only goal pursued here - why bother? Of course, (1) and (2) are valuable in themselves: essentially, (2) is worthwhile pursuing because of the possibility (absent any provably existing nonzero probability) that it will reduce the probability of failure.

Even when no progress towards a goal can be proven to have taken place, it is impossible to avoid, however chimerical it may be, evaluating measures taken to achieve a goal in terms of that goal. Even when all we have are possibilities instead of probabilities.

And just as using a layered system doesn't prove anything, so does using ciphers that have been studied and found to be resistant against a variety of known attacks. Yet it seems like a sensible thing to do, for want of anything better.

Using a secret cipher of your own for your own communications also makes sense, for different reasons, and using the latest and greatest design, not very well tested yet, because it has a larger key size also makes some sense, and so does using an obscure cipher that attackers may not have bothered with. Because there are different "sensible" things to do than are necessarily popular or respectable - and more sensible things to do than any one cipher can embody - the layered use of multiple ciphers is a good idea. Even if it proves nothing.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 18:50:48 -0700 From: Jim Gillogly jim@acm.org Message-ID: 371D2EF8.34DC6802@acm.org References: 371c15e3.8290372@news.io.com 371C025E.6AD4BAB8@raas.co.nz Newsgroups: sci.crypt Lines: 71

I think Terry Ritter's right to be concerned about having essentially everyone move to a single new cipher. If the danger isn't obvious, consider the analogy with biological systems, where a species with no genetic diversity can be wiped out by a single virus incident. Or with computer systems, where something like Melissa can cause widespread annoyance and some down time because almost everyone is using the same operating system and office software suite.

I also agree with him that a careful concatenation of ciphers can help limit the damage. I think we may disagree on what kinds of ciphers would be most appropriate as choices for concatenation, since I prefer ciphers that good analysts have tried and failed to break over ciphers that nobody with cryptanalytical experience has looked at. I define a good analyst as someone who has broken a difficult system.

However, I (like John Savard) think Terry overstates some issues. Here's a case in point:

Terry Ritter wrote:

Your position, dare I state it, is that you can estimate the capabilities of your Opponents.

In another article he wrote:

But the only thing being "measured" here is the open, academic analysis. The real experts do not play this way. We thus have no way to understand their capabilities. The strength value measured on academics cannot apply to the real problem.

These and similar remarks suggest that a conservative threat analysis must regard the opponents as god-like in their cryptanalytic capabilities. Of course in the limit this isn't useful, since we would have no more confidence in a concatenation of ciphers against an opponent like this than we would in a single cipher.

However, we do have ways to estimate the capabilities of the opponents. I suggest that the government cryptologic agencies of the US and UK represent conservative surrogates for the cryptological skills of the strongest opponents, and we have seen several unclassified examples of times when they were less than perfect.

In one case (factoring circa 1973) the UK agency was no further advanced than the academic community, and academic advances in that field were made shortly thereafter. In two other cases the US agency made embarrassingly public blunders (the Clipper checksum exploited by Matt Blaze, and the SHA/SHA-1 botch that they noticed and fixed themselves) that would not have been made if they were omniscient. I don't include Biham's work suggesting SKIPJACK is not a conservative design, since we don't know that it has to be -- for all we know, there are wads of supporting theorems that it's precisely as strong as it needs to be for its size. We do have a couple of other cases of classified discoveries and corresponding unclassified ones: IBM's differential cryptanalysis (15 years) and CESG's non-secret encryption (4 years). There are also training exercises (the Zendian Problem and a British special intelligence course) which anyone can use to compare their skills with advanced cipher school students of the 1960s. The latter does not, of course, give the peak strength of the best cryppies, but does suggest a starting point for the curve. Finally, we have retired NSA cryppie Robert H. Morris's remarks at Crypto '95, where he said that by the middle to late 1960's cryptanalysis had become less cost-effective than other methods of gaining the information. One may choose to disbelieve him, but I don't.

In any case, we do have some data points on the capabilities of the strongest potential opponents, and assuming they're perfect would be overly conservative.

-- Jim Gillogly 30 Astron S.R. 1999, 00:51 12.19.6.2.5, 1 Chicchan 13 Pop, Ninth Lord of Night


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 05:04:20 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371d5c4c.2898786@news.io.com References: 371D2EF8.34DC6802@acm.org Newsgroups: sci.crypt Lines: 153

On Tue, 20 Apr 1999 18:50:48 -0700, in 371D2EF8.34DC6802@acm.org, in sci.crypt Jim Gillogly jim@acm.org wrote:

I think Terry Ritter's right to be concerned about having essentially everyone move to a single new cipher. If the danger isn't obvious, consider the analogy with biological systems, where a species with no genetic diversity can be wiped out by a single virus incident. Or with computer systems, where something like Melissa can cause widespread annoyance and some down time because almost everyone is using the same operating system and office software suite.

I think I have a right to cheer at this agreement with my major point.

I also agree with him that a careful concatenation of ciphers can help limit the damage.

And then I cheer again at this agreement with part of my proposed solution package.

I think we may disagree on what kinds of ciphers would be most appropriate as choices for concatenation, since I prefer ciphers that good analysts have tried and failed to break over ciphers that nobody with cryptanalytical experience has looked at. I define a good analyst as someone who has broken a difficult system.

Then I assume you are willing to make the services of such an analyst available free of charge and without delay. The way it is now, one cannot get such analysis unless one is a particular type of person, working in a few selected environments, and with particular types of design. Having inherited a democracy, I am unwilling to give that up for supposed advantages which, in the limit, do not give us what we want anyway. I think people should be able to select their own ciphers based on any criteria they want, including superstition and innuendo.

However, I (like John Savard) think Terry overstates some issues. Here's a case in point:

Terry Ritter wrote:

Your position, dare I state it, is that you can estimate the capabilities of your Opponents.

In another article he wrote:

But the only thing being "measured" here is the open, academic analysis. The real experts do not play this way. We thus have no way to understand their capabilities. The strength value measured on academics cannot apply to the real problem.

These and similar remarks suggest that a conservative threat analysis must regard the opponents as god-like in their cryptanalytic capabilities.

If that is what you take from these comments (in their proper context), I am not surprised that you call my position overstated. However, you have exaggerated my position.

In particular, I doubt I have ever said the Opponents are "god-like." As far as I can recall, the only people I have accused of being "god-like" are the crypto gods who seem to be able to predict: 1) the future strength of a cipher, based on past tests; and 2) the capabilities of unknown Opponents, based on the capabilities of known academics.

Of course in the limit this isn't useful, since we would have no more confidence in a concatenation of ciphers against an opponent like this than we would in a single cipher.

And so, clearly, I do not so assume. Since I do not assume that an Opponent has unlimited capabilities, this comment strongly misrepresents my arguments.

But what are we to assume? Even a modest "value" for Opponent capabilities is also "not useful" to us. This is because it is (virtually) impossible to measure knowledge, experience, and innovation. And then it is impossible to measure cipher strength. So we first don't know the difficulty of the problem, and then don't know the capabilities our Opponents can bring to the solution. This naturally leaves us in a quandary, even without assuming unlimited capabilities. The problem is not that we should assume a reasonable value for Opponent capabilities, the problem is that any such values and their implications are unknown, uncalibrated, and unuseful.

I suggest that this whole line of inquiry (into cipher strength and Opponent strength) is a waste of time. Since we know that single-cipher failures are possible, we can work to fix that. Since I assume the triple-cipher scheme will work, it is clear that I do not assume unlimited Opponent capabilities. I do assume that whatever capabilities they do have will be stressed far harder with multi-ciphering than single ciphering. I think this is a reasonable assumption.

Moreover, by using a wide variety of ciphers, we act to limit the amount of data disclosed by any break that does occur. I do assume that this will reduce the attraction of cryptanalysis, by limiting the eventual payoff. Again, I think this a reasonable assumption.

However, we do have ways to estimate the capabilities of the opponents. I suggest that the government cryptologic agencies of the US and UK represent conservative surrogates for the cryptological skills of the strongest opponents, and we have seen several unclassified examples of times when they were less than perfect.

In one case (factoring circa 1973) the UK agency was no further advanced than the academic community, and academic advances in that field were made shortly thereafter. In two other cases the US agency made embarrassingly public blunders (the Clipper checksum exploited by Matt Blaze, and the SHA/SHA-1 botch that they noticed and fixed themselves) that would not have been made if they were omniscient. I don't include Biham's work suggesting SKIPJACK is not a conservative design, since we don't know that it has to be -- for all we know, there are wads of supporting theorems that it's precisely as strong as it needs to be for its size. We do have a couple of other cases of classified discoveries and corresponding unclassified ones: IBM's differential cryptanalysis (15 years) and CESG's non-secret encryption (4 years). There are also training exercises (the Zendian Problem and a British special intelligence course) which anyone can use to compare their skills with advanced cipher school students of the 1960s. The latter does not, of course, give the peak strength of the best cryppies, but does suggest a starting point for the curve. Finally, we have retired NSA cryppie Robert H. Morris's remarks at Crypto '95, where he said that by the middle to late 1960's cryptanalysis had become less cost-effective than other methods of gaining the information. One may choose to disbelieve him, but I don't.

In any case, we do have some data points on the capabilities of the strongest potential opponents, and assuming they're perfect would be overly conservative.

First, none of this tells us about the future. Yet all operation of a cipher takes place in the future, after that cipher is designed. Unless we have a reasonable way to predict future capabilities, we are necessarily forced into conservative measures.

Next, I think it is dangerous to assume our Opponents are the intelligence services we know. In another message I suggested that if the problem was only NSA (the way it is now), we would not have much of a problem. But NSA is only an example of an Opponent, and not necessarily even the most advanced example in particular areas of the technology. We have intractable problems in making any serious extrapolations from this data. Again I suggest that this avenue is both unfruitful and dangerous.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 22:31:22 -0700 From: Jim Gillogly jim@acm.org Message-ID: 371D62AA.3EDA2C55@acm.org References: 371d5c4c.2898786@news.io.com Newsgroups: sci.crypt Lines: 30

Terry Ritter wrote:

Jim Gillogly jim@acm.org wrote:

I prefer ciphers that good analysts have tried and failed to break over ciphers that nobody with cryptanalytical experience has looked at. I define a good analyst as someone who has broken a difficult system.

Then I assume you are willing to make the services of such an analyst available free of charge and without delay. The way it is now, one cannot get such analysis unless one is a particular type of person, working in a few selected environments, and with particular types of design.

No, I'm not. Just as you have the right to patent and profit from your ideas, an analyst has the right to choose what she's going to work on and how much she charges for it. If she'd prefer to spend her time analyzing Rijndael than RC6 because the former is going to be freely usable in her projects whether or not it's selected as the AES, more power to her. We all make choices depending on the outcomes we want or expect. In order to encourage more analysis one could hire appropriate experts (as several crypto developers have done) or offer rewards for interesting analysis whether or not it breaks the algorithm (as I think the Twofish people have done). But you can't expect to get expert analysis for free... the people who chose to enter the AES bake-off aren't getting it free either.

--
Jim Gillogly
30 Astron S.R. 1999, 05:22
12.19.6.2.5, 1 Chicchan 13 Pop, Ninth Lord of Night


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 07:40:34 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371d8016.12062634@news.io.com References: 371D62AA.3EDA2C55@acm.org Newsgroups: sci.crypt Lines: 57

On Tue, 20 Apr 1999 22:31:22 -0700, in 371D62AA.3EDA2C55@acm.org, in sci.crypt Jim Gillogly jim@acm.org wrote:

Terry Ritter wrote:

Jim Gillogly jim@acm.org wrote:

I prefer ciphers that good analysts have tried and failed to break over ciphers that nobody with cryptanalytical experience has looked at. I define a good analyst as someone who has broken a difficult system.

Then I assume you are willing to make the services of such an analyst available free of charge and without delay. The way it is now, one cannot get such analysis unless one is a particular type of person, working in a few selected environments, and with particular types of design.

No, I'm not. Just as you have the right to patent and profit from your ideas, an analyst has the right to choose what she's going to work on and how much she charges for it. If she'd prefer to spend her time analyzing Rijndael than RC6 because the former is going to be freely usable in her projects whether or not it's selected as the AES, more power to her. We all make choices depending on the outcomes we want or expect.

In that case you should agree that each user should have a similar power to make their own choices of cipher. That sounds just fine to me.

Of course the benefits of compartmentalizing data under different ciphers do not really hit home until we have quite a few ciphers. And the benefits of requiring the Opponents to "keep up" also imply a growing substantial body of ciphers.

In order to encourage more analysis one could hire appropriate experts (as several crypto developers have done)

Then we have the situation of reporting "scientific" results paid for by the company which hopes to profit from those results. Will we really trust that process? I wouldn't.

or offer rewards for interesting analysis whether or not it breaks the algorithm (as I think the Twofish people have done). But you can't expect to get expert analysis for free... the people who chose to enter the AES bake-off aren't getting it free either.

I think they will not get nearly as much as they should. Which does not mean that we do not offer them to the users just because they have not met our desired analysis levels.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 08:16:39 -0700 From: Jim Gillogly jim@acm.org Message-ID: 371DEBD7.A9916520@acm.org References: 371d8016.12062634@news.io.com Newsgroups: sci.crypt Lines: 21

Terry Ritter wrote:

In that case you should agree that each user should have a similar power to make their own choices of cipher. That sounds just fine to me.

Let a thousand flowers bloom, eh? With only 30 competent bees, many of your flowers aren't going to get adequately pollinated.

If my banker "makes his own choice" of OTP because he read in AC that it's unbreakable and he chooses an implementation that's easy to use since it needs no key management, I'm the one who takes it in the shorts because he didn't understand anything about cryptology. I as a customer don't in general know what's being used to cover my assets, and he as a user doesn't in general know what makes a cipher suitable for his threat model.

We have wider areas of agreement than disagreement; I'm happy to leave it at that.

Jim Gillogly
30 Astron S.R. 1999, 15:00
12.19.6.2.5, 1 Chicchan 13 Pop, Ninth Lord of Night

Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 19:44:12 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 371E62CC.D66845F1@aspi.net References: 371d5c4c.2898786@news.io.com Newsgroups: sci.crypt Lines: 170

Terry Ritter wrote:

On Tue, 20 Apr 1999 18:50:48 -0700, in 371D2EF8.34DC6802@acm.org, in sci.crypt Jim Gillogly jim@acm.org wrote:

I think Terry Ritter's right to be concerned about having essentially everyone move to a single new cipher. If the danger isn't obvious, consider the analogy with biological systems, where a species with no genetic diversity can be wiped out by a single virus incident. Or with computer systems, where something like Melissa can cause widespread annoyance and some down time because almost everyone is using the same operating system and office software suite.

I think I have a right to cheer at this agreement with my major point.

I also agree with him that a careful concatenation of ciphers can help limit the damage.

And then I cheer again at this agreement with part of my proposed solution package.

I think we may disagree on what kinds of ciphers would be most appropriate as choices for concatenation, since I prefer ciphers that good analysts have tried and failed to break over ciphers that nobody with cryptanalytical experience has looked at. I define a good analyst as someone who has broken a difficult system.

Then I assume you are willing to make the services of such an analyst available free of charge and without delay. The way it is now, one cannot get such analysis unless one is a particular type of person, working in a few selected environments, and with particular types of design. Having inherited a democracy, I am unwilling to give that up for supposed advantages which, in the limit, do not give us what we want anyway. I think people should be able to select their own ciphers based on any criteria they want, including superstition and innuendo.

However, I (like John Savard) think Terry overstates some issues. Here's a case in point:

Terry Ritter wrote:

Your position, dare I state it, is that you can estimate the capabilities of your Opponents.

In another article he wrote:

But the only thing being "measured" here is the open, academic analysis. The real experts do not play this way. We thus have no way to understand their capabilities. The strength value measured on academics cannot apply to the real problem.

These and similar remarks suggest that a conservative threat analysis must regard the opponents as god-like in their cryptanalytic capabilities.

If that is what you take from these comments (in their proper context), I am not surprised that you call my position overstated. However, you have exaggerated my position.

In particular, I doubt I have ever said the Opponents are "god-like." As far as I can recall, the only people I have accused of being "god-like" are the crypto gods who seem to be able to predict: 1) the future strength of a cipher, based on past tests; and 2) the capabilities of unknown Opponents, based on the capabilities of known academics.

Of course in the limit this isn't useful, since we would have no more confidence in a concatenation of ciphers against an opponent like this than we would in a single cipher.

And so, clearly, I do not so assume. Since I do not assume that an Opponent has unlimited capabilities, this comment strongly misrepresents my arguments.

But what are we to assume? Even a modest "value" for Opponent capabilities is also "not useful" to us. This is because it is (virtually) impossible to measure knowledge, experience, and innovation. And then it is impossible to measure cipher strength. So we first don't know the difficulty of the problem, and then don't know the capabilities our Opponents can bring to the solution. This naturally leaves us in a quandary, even without assuming unlimited capabilities. The problem is not that we should assume a reasonable value for Opponent capabilities, the problem is that any such values and their implications are unknown, uncalibrated, and unuseful.

I suggest that this whole line of inquiry (into cipher strength and Opponent strength) is a waste of time. Since we know that single-cipher failures are possible, we can work to fix that. Since I assume the triple-cipher scheme will work, it is clear that I do not assume unlimited Opponent capabilities. I do assume that whatever capabilities they do have will be stressed far harder with multi-ciphering than single ciphering. I think this is a reasonable assumption.

Some clarification may be called for in that your statements can be construed as claims that cipher diversity solves the problem of inferior talent/resources/etcetera with respect to dark-side adversaries and future adversaries of all shades. I believe this absolutist position to be false.

Your statements can also be construed to claim that cipher diversity will reduce whatever gap exists. I believe this relative position to be true.

Moreover, by using a wide variety of ciphers, we act to limit the amount of data disclosed by any break that does occur. I do assume that this will reduce the attraction of cryptanalysis, by limiting the eventual payoff. Again, I think this a reasonable assumption.

Some consideration also has to be given to the definition of payoff. The dark-side adversaries get payoff in reaching their information goals. But academic researchers get payoff by earning the admiration of their peers. That admiration can be earned in the absence of successful attacks on a cipher system. A successful attack on a component of a cipher system would be just as admirable as a successful attack on a homogeneous cipher. Thus the cipher collection is not immune to attack by reason of its lack of information leakage. A large body of talented attackers will still be just as motivated as they are now.

However, we do have ways to estimate the capabilities of the opponents. I suggest that the government cryptologic agencies of the US and UK represent conservative surrogates for the cryptological skills of the strongest opponents, and we have seen several unclassified examples of times when they were less than perfect.

In one case (factoring circa 1973) the UK agency was no further advanced than the academic community, and academic advances in that field were made shortly thereafter. In two other cases the US agency made embarrassingly public blunders (the Clipper checksum exploited by Matt Blaze, and the SHA/SHA-1 botch that they noticed and fixed themselves) that would not have been made if they were omniscient. I don't include Biham's work suggesting SKIPJACK is not a conservative design, since we don't know that it has to be -- for all we know, there are wads of supporting theorems that it's precisely as strong as it needs to be for its size. We do have a couple of other cases of classified discoveries and corresponding unclassified ones: IBM's differential cryptanalysis (15 years) and CESG's non-secret encryption (4 years). There are also training exercises (the Zendian Problem and a British special intelligence course) which anyone can use to compare their skills with advanced cipher school students of the 1960s. The latter does not, of course, give the peak strength of the best cryppies, but does suggest a starting point for the curve. Finally, we have retired NSA cryppie Robert H. Morris's remarks at Crypto '95, where he said that by the middle to late 1960's cryptanalysis had become less cost-effective than other methods of gaining the information. One may choose to disbelieve him, but I don't.

In any case, we do have some data points on the capabilities of the strongest potential opponents, and assuming they're perfect would be overly conservative.

First, none of this tells us about the future. Yet all operation of a cipher takes place in the future, after that cipher is designed. Unless we have a reasonable way to predict future capabilities, we are necessarily forced into conservative measures.

Next, I think it is dangerous to assume our Opponents are the intelligence services we know. In another message I suggested that if the problem was only NSA (the way it is now), we would not have much of a problem. But NSA is only an example of an Opponent, and not necessarily even the most advanced example in particular areas of the technology. We have intractable problems in making any serious extrapolations from this data. Again I suggest that this avenue is both unfruitful and dangerous.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 18:59:45 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371e2012.6178031@news.io.com References: 371E62CC.D66845F1@aspi.net Newsgroups: sci.crypt Lines: 109

On Wed, 21 Apr 1999 19:44:12 -0400, in 371E62CC.D66845F1@aspi.net, in sci.crypt "Trevor Jackson, III" fullmoon@aspi.net wrote:

Terry Ritter wrote: [...] Some clarification may be called for in that your statements can be construed as claims that cipher diversity solves the problem of inferior talent/resources/etcetera with respect to dark-side adversaries and future adversaries of all shades. I believe this absolutist position to be false.

I am not sure that I have made such a claim, which I also think is false.

I don't know what could be clearer than my repeated statement that we can trust no cipher. Cipher use cannot build trust in strength. Cryptanalysis cannot certify strength. We must always be aware that failure is a possibility, and we are even unable to estimate that probability. When the consequences of cipher failure are catastrophic, we simply cannot afford to depend on any one cipher.

The many-cipher part of the fix package has multiple goals, the first being to compartmentalize information so that if the cipher (which we do not and can not trust!) protecting that information fails, we do not lose everything, throughout all society.

An implicit part of using multiple ciphers is that we change ciphers at various times, so that we personally or corporately have similar protection (i.e., cipher failure exposes only part of our information). Once we have a way to change ciphers quickly, we have vastly reduced the consequences of an academic break which finds a weakness in our cipher. If any of our ciphers are found wanting, we just use something else. No big deal.

With respect to the talents of the "dark-side adversaries" (a view with which I doubt they would agree), we certainly must assume that they have far greater resources than we do. But even their vast resources are not unlimited; they must make the same tradeoffs any project makes. So if they eventually do succeed against some cipher, they expect a payoff from that success. If there is just one cipher throughout society, that payoff will be huge, but if many ciphers are used, the payoff will be minor.

By injecting a constant flow of new ciphers into the mix we force the "adversaries" to "keep up" if they wish to maintain whatever level of success they have. Each new cipher must be identified, acquired, analyzed, broken, and software and perhaps hardware constructed to automate the break. Their alternative is that less and less information flows under ciphers which they can break. As we often have seen discussed, it is far easier (thus cheaper) to construct a new cipher than it is to analyze that cipher. This advantage in cipher diversity provides some benefit, even if some of the ciphers are weak. This is hardly an absolutist position.

Now, each of these paragraphs has discussed one or two specific problems being solved by the fix package. I doubt that I would say that all problems would be fixed, since that would be the cipher argument in another guise. We cannot know. But very substantial problems are fixed, and for the first time we take the battle to the cryptanalytic "adversaries" and make them pay a price. The alternative is to sit back and wish and hope for cipher strength, because we sure cannot prove it or test it.

Your statements can also be construed to claim that cipher diversity will reduce whatever gap exists. I believe this relative position to be true.

I'm not quite sure what this means, but thanks!

Moreover, by using a wide variety of ciphers, we act to limit the amount of data disclosed by any break that does occur. I do assume that this will reduce the attraction of cryptanalysis, by limiting the eventual payoff. Again, I think this a reasonable assumption.

Some consideration also has to be given to the definition of payoff. The dark-side adversaries get payoff in reaching their information goals. But academic researchers get payoff by earning the admiration of their peers. That admiration can be earned in the absence of successful attacks on a cipher system. A successful attack on a component of a cipher system would be just as admirable as a successful attack on a homogeneous cipher.

I suppose you mean a particular cipher -- a component in the multi-cipher system. Not just as admirable perhaps, but admirable nevertheless. OK.

Thus the cipher collection is not immune to attack by reason of its lack of information leakage.

I would say that we cannot trust any cipher, and we cannot trust any cipher system, including the fix package applied to current methods. No cipher system can possibly be immune. If we could prove or build "immune," we wouldn't need all this stuff.

A large body of talented attackers will still be just as motivated as they are now.

Which is great, right? We want all the cryptanalysis we can get. If a cipher fails, we just use something else.

Maybe I had some trouble following your reasoning here.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
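The mechanism the "fix package" above sketches (several independently keyed ciphers, traffic compartmentalized across them, and a way to swap one out without losing everything) is shown below as an added example. This is not code from the thread or from Ritter's own software; the two stage ciphers, the keys, the 16-byte block size and the function names are all constructed for illustration and the stages are toys, not secure ciphers. The example goes one step beyond the post in two ways: `find_degeneracy` checks that a cascade has not collapsed into one of its own stages (a stage followed by its own inverse under the same key cancels out, leaving only whatever remains), and `readable_if_broken` gives the defender's damage estimate when exactly one of the rotating cascades has failed.

```python
# Added example (not code from the thread): independently keyed stages in a
# cascade, a check that the combination has not collapsed to one of its own
# stages, and per-block rotation across several cascades so that a break of
# one cascade exposes only part of the traffic. Stage ciphers are toys
# constructed for illustration only; they are not secure.
import hashlib
import hmac
import random

BLOCK = 16  # block size in bytes (constructed choice)

class XorStream:
    """Toy stage: XOR the block with HMAC-SHA256(key, block index)."""
    name = "xorstream"

    def encrypt(self, key, block, index):
        pad = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(block, pad))

    decrypt = encrypt  # XOR with the same pad is its own inverse

class KeyedSubst:
    """Toy stage: byte substitution through a key-derived permutation."""
    name = "subst"

    def _table(self, key):
        table = list(range(256))
        random.Random(hashlib.sha256(key).digest()).shuffle(table)
        return table

    def encrypt(self, key, block, index):
        table = self._table(key)
        return bytes(table[b] for b in block)

    def decrypt(self, key, block, index):
        inverse = [0] * 256
        for i, v in enumerate(self._table(key)):
            inverse[v] = i
        return bytes(inverse[b] for b in block)

class Cascade:
    """Stages (cipher, key, forward) applied in order; decrypt reverses them.
    forward=False runs a stage's decrypt direction on the encrypt path."""

    def __init__(self, stages):
        self.stages = stages

    def encrypt(self, block, index=0):
        for cipher, key, forward in self.stages:
            block = (cipher.encrypt if forward else cipher.decrypt)(key, block, index)
        return block

    def decrypt(self, block, index=0):
        for cipher, key, forward in reversed(self.stages):
            block = (cipher.decrypt if forward else cipher.encrypt)(key, block, index)
        return block

def find_degeneracy(cascade, trials=32, seed=1):
    """Label of the single stage the whole cascade equals on random blocks,
    "identity" if it undoes itself completely, or None if no collapse is seen."""
    rng = random.Random(seed)
    blocks = [bytes(rng.randrange(256) for _ in range(BLOCK)) for _ in range(trials)]
    suspects = {"identity": lambda b, i: b}
    for pos, stage in enumerate(cascade.stages):
        suspects[f"{stage[0].name}#{pos}"] = Cascade([stage]).encrypt
    for label, fn in suspects.items():
        if all(cascade.encrypt(b, i) == fn(b, i) for i, b in enumerate(blocks)):
            return label
    return None

def degenerate_example():
    """A strong stage followed by its own inverse under the same key cancels
    out, leaving only the remaining stage (the cascade collapses to it)."""
    k = b"same key used twice"  # constructed
    return find_degeneracy(Cascade([(KeyedSubst(), k, True), (KeyedSubst(), k, False),
                                    (XorStream(), b"remaining stage key", True)]))

def build_cascades(count, seed=7):
    """Two-stage cascades, every stage under its own constructed key."""
    rng = random.Random(seed)
    key = lambda: bytes(rng.randrange(256) for _ in range(32))
    return [Cascade([(XorStream(), key(), True), (KeyedSubst(), key(), True)])
            for _ in range(count)]

def encrypt_stream(plaintext, cascades):
    """Block i goes under cascades[i % n], so compartments rotate block by block."""
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    return [cascades[i % len(cascades)].encrypt(b, i) for i, b in enumerate(blocks)]

def decrypt_stream(ciphertext_blocks, cascades):
    return b"".join(cascades[i % len(cascades)].decrypt(c, i)
                    for i, c in enumerate(ciphertext_blocks))

def readable_if_broken(ciphertext_blocks, cascades, broken):
    """Damage estimate: blocks exposed when only cascades[broken] has failed."""
    n = len(cascades)
    return {i: cascades[broken].decrypt(c, i)
            for i, c in enumerate(ciphertext_blocks) if i % n == broken}
```

With five cascades in rotation, a failure of one of them exposes every fifth block and nothing else, and replacing that cascade is a matter of dropping a new `Cascade` into the list. The degeneracy check is the part most worth keeping: it catches the combination that looks like three stages but behaves like one, which is exactly the situation where confidence in "multiple ciphers" would be misplaced.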


Subject: Re: Question on confidence derived from cryptanalysis. Date: Wed, 21 Apr 1999 19:30:38 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 371E5F9E.EE63FAE1@aspi.net References: 371D2EF8.34DC6802@acm.org Newsgroups: sci.crypt Lines: 85

Jim Gillogly wrote:

I think Terry Ritter's right to be concerned about having essentially everyone move to a single new cipher. If the danger isn't obvious, consider the analogy with biological systems, where a species with no genetic diversity can be wiped out by a single virus incident. Or with computer systems, where something like Melissa can cause widespread annoyance and some down time because almost everyone is using the same operating system and office software suite.

I also agree with him that a careful concatenation of ciphers can help limit the damage. I think we may disagree on what kinds of ciphers would be most appropriate as choices for concatenation, since I prefer ciphers that good analysts have tried and failed to break over ciphers that nobody with cryptanalytical experience has looked at. I define a good analyst as someone who has broken a difficult system.

However, I (like John Savard) think Terry overstates some issues. Here's a case in point:

Terry Ritter wrote:

Your position, dare I state it, is that you can estimate the capabilities of your Opponents.

In another article he wrote:

But the only thing being "measured" here is the open, academic analysis. The real experts do not play this way. We thus have no way to understand their capabilities. The strength value measured on academics cannot apply to the real problem.

These and similar remarks suggest that a conservative threat analysis must regard the opponents as god-like in their cryptanalytic capabilities. Of course in the limit this isn't useful, since we would have no more confidence in a concatenation of ciphers against an opponent like this than we would in a single cipher.

However, we do have ways to estimate the capabilities of the opponents. I suggest that the government cryptologic agencies of the US and UK represent conservative surrogates for the cryptological skills of the strongest opponents, and we have seen several unclassified examples of times when they were less than perfect.

In one case (factoring circa 1973) the UK agency was no further advanced than the academic community, and academic advances in that field were made shortly thereafter. In two other cases the US agency made embarrassingly public blunders (the Clipper checksum exploited by Matt Blaze, and the SHA/SHA-1 botch that they noticed and fixed themselves) that would not have been made if they were omniscient. I don't include Biham's work suggesting SKIPJACK is not a conservative design, since we don't know that it has to be -- for all we know, there are wads of supporting theorems that it's precisely as strong as it needs to be for its size. We do have a couple of other cases of classified discoveries and corresponding unclassified ones: IBM's differential cryptanalysis (15 years) and CESG's non-secret encryption (4 years). There are also training exercises (the Zendian Problem and a British special intelligence course) which anyone can use to compare their skills with advanced cipher school students of the 1960s. The latter does not, of course, give the peak strength of the best cryppies, but does suggest a starting point for the curve. Finally, we have retired NSA cryppie Robert H. Morris's remarks at Crypto '95, where he said that by the middle to late 1960's cryptanalysis had become less cost-effective than other methods of gaining the information. One may choose to disbelieve him, but I don't.

In any case, we do have some data points on the capabilities of the strongest potential opponents, and assuming they're perfect would be overly conservative.

There's no need to assume perfection or god-like omniscience to motivate as conservative an approach as possible. Considerations of our own ignorance regarding advances to be made in the open community during the life cycles of information we want to protect with today's tools dwarf any sensible interpretation of current adversarial strength.

And with respect to adversaries from the dark side, the failures you mentioned do indicate that they err and thus are human. But they will always be at least as strong as the open community. We have no real clue how much stronger they actually are, or will be.

Note also that Morris's statement is a relative statement. It can be construed to mean that cryptanalysis is less effective than before, or that "other methods" have become so much more effective that the relative worth of crypto is less. The absolute worth could still be quite high and his statement could still be valid.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 16:20:31 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 371CE18F.30553812@aspi.net References: 371C025E.6AD4BAB8@raas.co.nz 371C58CF.286794F7@aspi.net Newsgroups: sci.crypt Lines: 150

Geoff Thorpe wrote:

Now, statement (1) is wrong. Maybe you cannot make estimates, and maybe you do not like the estimates others may employ. But there are ways to make estimates whose rationalisation is acceptable to those involved. That includes me. You also referred in that post to a complete lack of evidence but I think you yourself would be well positioned to refute that. Take every damned cipher you ever heard of (with any degree of cryptanalysis against it), exercise some personal judgement as to some measure of time+effort that the cipher was subjected to (by publishing authors - obviously not the spooks) before it became widely regarded as unacceptable, and take a look at the resulting distribution. That may not be a precise science, and of course it involves warm-fuzzy personal interpretations (time+effort) but it is not unacceptable for many people, particularly those who would otherwise be rendered with NO effective way to evaluate. I dare say that your distribution, if you've made semi-reasonable interpretations along the way, will show that a cipher that lasted 10 years had a much better chance of lasting another year than the average "expected life". It's a very basic and common mathematical model/argument, and it's common sense.

An interesting concept. But in the absence of evidence I believe it to be wrong. Other than the obvious infant mortality due to negligence on the part of many cipher designers, I'd bet predictions described above are not very strong.

My reasoning is that as a cipher gains the confidence of the community by surviving the gauntlet of previously known and/or straightforward attacks it will emerge from the background of many such ciphers and be attacked in a more serious way. The degree of eminence attracting more and more attention indicates that the share of offensive effort aimed at the cipher will continue to grow.

Given that there are few ciphers that have survived "the gauntlet" for a respectable period of time compared to the many ciphers without that maturity, the odds look to me much as Ritter described them. If I pick a young cipher, it may be broken tomorrow. If I pick an elderly cipher it may be broken tomorrow.

The appropriate metric for this kind of confidence is the expected wait for failure. Your claim amounts to the statement that the expected wait is longer for an elderly cipher than young one. I'm not comfortable with that.

It is an interesting thesis for study. Perhaps one of the frequent crypto students might pick it up, define the criteria for judgement, and produce the results of the historical survey you suggested. Then we could discuss the merits of a carefully defined (tailored?) set of criteria.

I've already explained why I think that (2) is wrong - nobody knows any of this stuff FOR SURE, but you make a call when you don't have perfect information. Our Opponents are just well-paid versions of us, most of whom probably grew up around us, and who find their occupations not too unfathomably unethical to suffer day by day. I still maintain that what we can do and achieve is a statistical, probabilistic, and "confidence" variable that does not run along independently of theirs. Depends how much George Orwell you read though ...

like to play and write papers. "They" just want information, and I'm guessing just do whatever they got to do to get it - and searching endlessly for little theoretical weaknesses is probably not their top priority. That's not to say they don't do it and do it very well, but I doubt their considerable advantages in resources are put so much to this task as to make our abilities so incomparable or unrelated as some might believe.

A good point. However, we cannot deal with their (secret) intentions, but must anticipate their possible (even more secret) capabilities. Thus amplifying the threat model is a sensible thing to do. It eliminates some of the risk of catastrophically underestimating them by enhancing the risk of expensively overestimating them.

Sure thing - but the whole system does not collapse down to a binary system of "broken" and "not-broken-yet" ... as you say, you put together a threat model ... consistent with your requirements and using a chosen method for judging a component's "worth", and amplify it here and there as appropriate. A lot like putting together a cost-proposal I guess ... add in your known prices, choose an acceptable value for the "unknowns", amplify the costs of all the "risky" bits, add x% profit on top - and then bang another 30% on top for good measure, and generally covering your butt some more.

A good model for planning the construction of a bridge or any major project. But I can't apply this model to the construction of a security system because I have no clue how to make something 30% stronger. Do you?

It appears to me that he does agree (tho he can certainly speak for himself), which is why he has repeatedly proposed the use of multiple ciphers both to spread eggs across baskets, and to provide layered security where warranted.

3 ciphers strung in a line is, to me, a cipher. You need all three in the same place and in the same order to have anything other than a "noise generator". Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages

Here we part company. Your statement assumes that we will choose three ciphers whose strength adds up to the strength of one cipher that is well designed and uses several stages. But this is not the situation we face.

The situation we face is that we have dozens of reasonably strong ciphers, whose relative strengths are immeasurable. We may theorize about their relative merits, but we can't measure their strength in any fundamental sense. Given this I believe it makes sense to reduce risk of catastrophic failure by using a composite of the strongest ciphers of which we are aware.

In the limit (reductio...), we'd use all of the ciphers that we believe to be independent. The resulting monster would have severe implementation problems, but these are engineering issues that can be measured and shown solved. The creation of such a monster would be a never ending task because new ciphers worthy of inclusion are continually developed. This approach would limit the risk of catastrophic failure to the absolute minimum.

Now the monster described above is a silly example, but it is not at all absurd. This is why I believe Ritter's concept of composite ciphers has real value.

(if a cipher is based on one "idea", "primitive", or whatever then your vulnerability must surely be higher than distinct ideas employed serially?). It seems the argument put forth was more one of splitting the traffic (conceptually across time and application, not packet by packet I assume) across ciphers, and rotating the old out and the new in on a regular basis. I see this as unacceptable in a real-world scenario for reasons of interoperability & standardisation, as well as security.

No. Absolutely not. We already have tools that support multiple ciphers. We know how to extend and manage that process. It is not perfect, but it is "merely" engineering effort. Thus there are existential proofs that the interoperability and standardization issues to which you refer are minor compared to the issues of catastrophic failure that is the anti-objective of all our security efforts.

The only additions required to implement dynamic substitution of ciphers is a minor refinement of the existing cipher management capabilities. Automating what users can already do manually does not create the sort of problems that will defeat modern engineering, and does not compromise security in the least. This issue is a red herring.

Cheers, Geoff
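The "expected wait for failure" metric named in the post above, and the historical distribution Geoff proposes building from cipher lifetimes, are a survival-analysis question, and the practical pitfall is the one the exchange skirts: ciphers that have not been broken yet are still observations, just censored ones, and dropping them biases any "expected life" figure downward. The following is an added example, not code from the thread; `LIFETIMES` is a constructed table, not data about real ciphers, and the Kaplan-Meier estimator is a standard technique swapped in here to show how the conditional survival a "10-year-old cipher" argument depends on would actually be computed.

```python
# Added example (not code from the thread): estimating the expected wait for
# failure from a table of cipher lifetimes with the Kaplan-Meier estimator.
# Ciphers that are still unbroken are right-censored observations; averaging
# only the broken ones would understate survival. The table is constructed.

# (years survived so far, broken?) -- constructed, not real ciphers
LIFETIMES = [
    (1, True), (2, True), (2, True), (3, True), (5, True), (6, True),
    (8, True), (10, False), (12, False), (15, True), (20, False), (25, False),
]

def kaplan_meier(records):
    """Survival curve {t: S(t)}, S(t) = P(still unbroken after t years)."""
    s, curve = 1.0, {}
    for t in sorted({age for age, _ in records}):
        at_risk = sum(1 for age, _ in records if age >= t)
        broken = sum(1 for age, b in records if age == t and b)
        s *= 1 - broken / at_risk  # censored records leave S unchanged
        curve[t] = s
    return curve

def survival_at(curve, t):
    """S is a step function: value at the latest event time <= t (1.0 before any)."""
    s = 1.0
    for event_time, value in sorted(curve.items()):
        if event_time <= t:
            s = value
    return s

def conditional_survival(records, age, horizon):
    """P(unbroken at age + horizon | unbroken at age): the quantity the
    'a cipher that lasted 10 years' argument is actually about."""
    curve = kaplan_meier(records)
    s_age = survival_at(curve, age)
    return survival_at(curve, age + horizon) / s_age if s_age > 0 else 0.0

def km_median(records):
    """First age at which the estimated survival drops to 1/2 or below."""
    for t, s in sorted(kaplan_meier(records).items()):
        if s <= 0.5 + 1e-12:
            return t
    return None  # more than half still unbroken

def naive_mean_life(records):
    """Mean age of the broken ciphers only, ignoring the survivors (biased low)."""
    broken = [age for age, b in records if b]
    return sum(broken) / len(broken)
```

Whether an old cipher really has a longer expected remaining life than a young one is decided by the data, not by the estimator; on the constructed table the five-year conditional survival from age ten comes out higher than from age zero, but a different table can reverse that. What the estimator settles is the narrower methodological point: the unbroken survivors must stay in the denominator, or the comparison is meaningless.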


Subject: Re: Question on confidence derived from cryptanalysis. Date: Sun, 25 Apr 1999 11:31:58 +0200 From: "H. Ellenberger" hansell@smile.ch Message-ID: 3722E10E.E9D76CC1@smile.ch References: 371C025E.6AD4BAB8@raas.co.nz 371C58CF.286794F7@aspi.net Newsgroups: sci.crypt Lines: 95

Geoff Thorpe wrote:

[...] 3 ciphers strung in a line is, to me, a cipher. You need all three in the same place and in the same order to have anything other than a "noise generator".

Assuming that cipher should mean strong cipher, then you are wrong:

Combine a very strong encryption algorithm with its decryption algorithm plus a rot_13 and your result is in fact a weak rot_13! This silly combination shows the importance of understanding how the combined algorithms perform and is an argument towards your position.

Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages (if a cipher is based on one "idea", "primitive", or whatever then your vulnerability must surely be higher than distinct ideas employed serially?). [...]

The problem is that nobody exactly knows what algorithm results in a 'well designed' cipher.

Single algorithms combined to become a cipher are not necessarily strong by themselves, the strength somehow results from the intelligent combination.

We can prove a bad design by demonstrating how to break it, but today's lack of a successful attack does not prove its security.

However, there still is a valid argument to use multiple algorithms: Since no algorithm is proved to be unbreakable, take those 10 believed to be the most secure. Build 5 pairs of them and verify you do not have a weak combination. Now use one of the 5 pairs to encrypt a block, then another pair for next block.

Although I can not prove that this approach is stronger than a single 'well designed' algorithm, I am convinced that this approach is better.

a) Unless I had bad luck in selecting a pair, the combination of strong algorithms should be at least as safe as the single (strong) algorithm. b) Should someone break a pair, he still can decrypt only 20% of my traffic. This strategy is comparable to stock investors spreading risks...

Can I take apart a modern cipher and say "that's not a cipher - look, it's lots of little ciphers"?

I agree that you can, and I think that strength results from two mechanisms: a) Combination of basic principles in such a way that attack in the middle becomes sufficiently difficult. b) If sufficiently varied ideas are combined, a new method to break one of them may have less chance to be successfully applied to the other.

All I said was the division for me between 3 ciphers strung in a line and one cipher with 3 stages to it seems to be a question of packaging and patents.

Wrong.

My personal conclusion:

If science could prove that a certain feasible algorithm is unbreakable, everybody could use it and there would be no need for another one (and probably this algorithm would be an intelligent combination of various principles).

Without such a proved algorithm it is indeed too risky to use a single algorithm. It is exposed to focused attacks from all sides, and in case it should break, damages are too important.

[..] I still think "fixed", or at least "slow moving") collection of ciphers jumbled up to disperse the impact a break in any one configuration would have.

That's the way to go. In case one of the ciphers shows to be less secure, it can be instantly removed from the collection without disruption of all secure communication that would occur if only one algorithm would be available in the myriads of computers around the globe.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Sun, 25 Apr 1999 18:57:46 -0400 From: Geoff Thorpe geoff@raas.co.nz Message-ID: 37239DEA.D0F677FD@raas.co.nz References: 3722E10E.E9D76CC1@smile.ch Newsgroups: sci.crypt Lines: 90

Hi there,

"H. Ellenberger" wrote:

[...] 3 ciphers strung in a line is, to me, a cipher. You need all three in the same place and in the same order to have anything other than a "noise generator".

Assuming that cipher should mean strong cipher, then you are wrong:

Combine a very strong encryption algorithm with its decryption algorithm plus a rot_13 and your result is in fact a weak rot_13! This silly combination shows the importance of understanding how the combined algorithms perform and is an argument towards your position.

Of course, you are in fact agreeing with some of my reservations. I don't know if you were following the thread but I was just saying that certain established and unbroken (despite plentiful attempts) ciphers are worthy of more "trust", "strength", "tested strength", "confidence" or whatever than new-toy ciphers. I was saying this to disagree with someone who viewed all not-yet-broken ciphers as equally "(in)secure" and that we should utilise any/all ciphers we want in a variety of ways to spread our risk. I don't completely disagree with the latter point as much as the former.

But you are right ... sticking 2 toys in a line does not make a better wall than triple-DES ... such measures, in my mind, have a bigger risk of falsely convincing us of "security" than our potential opponents. As you pointed out with your ROT-13 illustration ... if the ciphers exhibit any relationship in behaviour then there's even a risk that the combination is weaker than the components. No argument here.

My point was simply that regarding a cipher as an atomic algorithmic unit seemed a narrow point of view - if I design two simple ciphers and am of the opinion that joining them in some suitable way gives better overall properties, can I not call the result a cipher? I am not however a cipher designer, I will not do this, and don't really want to make this point the central issue as there are others better suited to get into it than I.

Breaking 3 ciphers should be no more difficult than breaking one well designed one using 3 different stages (if a cipher is based on one "idea", "primitive", or whatever then your vulnerability must surely be higher than distinct ideas employed serially?). [...]

The problem is that nobody exactly knows what algorithm results in a 'well designed' cipher.

Single algorithms combined to become a cipher are not necessarily strong by themselves, the strength somehow results from the intelligent combination.

I agree - but the intelligent combination could be termed a "cipher" yes? If so, deployment of that "cipher" is easier than deployment of 10 different ciphers, all with various modes of operation (and hence support in their implementations), and one "cipher" is easier to standardise on and get interoperable systems out of. It does however limit the distribution of patents and recognition for cipher designers.

We can prove a bad design by demonstrating how to break it, but today's lack of a successful attack does not prove its security.

No, but if you think triple-DES is as "secure", or rather deserves the same "confidence", as mysticTarot128 then you agree with Terry, otherwise you agree with me. Or you may have no opinion on that. I think the chances that something like triple-DES will fall in the next, say, year is less than the chances for some new toy. Terry thinks that is a naive view and "un-scientific".

However, there still is a valid argument to use multiple algorithms: Since no algorithm is proved to be unbreakable, take those 10 believed to be the most secure.

Not possible according to the views I was disagreeing with. Apparently we must employ any and all ciphers we like and intermingle them in some kind of "risk-dispersion" technique that uses combinations, layers, etc. I see the conservative and simplified application of that technique as having some possible merits (if the technique itself is not subject to an all-or-nothing break), but I still hold to the concept that "less is more", particularly when we have seen before that obscurity doesn't really hide security, it hides weaknesses.

Regards, Geoff


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 06:10:27 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371ac7ce.40448497@news.io.com References: 371A6145.FAE5E8B@raas.co.nz 3718e5e9.9093614@news.io.com Newsgroups: sci.crypt Lines: 78

On Sun, 18 Apr 1999 18:48:37 -0400, in 371A6145.FAE5E8B@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

I spent some hours responding to this huge article, and only at the end realized (I assume correctly) that most of the controversy was about something which I consider peripheral to the main issue. So I am going to separate that other stuff off and ignore it so we don't lose sight of the forest. This is not intended to disrespect the effort in the original posting -- as I said, I have already made comparable effort in the response you do not see. But nobody wants to read huge postings, and all the points get lost anyway.

Hello,

Terry Ritter wrote:

You want to sound a cautionary note that we all risk being naive and over-confident in our "cryptanalytic testing" of ciphers - excellent point and it is well taken.

No, the point is NOT well-taken. It is ignored and brushed off as trivial and known. Then everyone sticks their head in the sand again until I bring it up again. This has happened for years.

Once again, we are in disagreement - philosophically and factually it would appear. From your postings, I can understand why you think this, but it is based on a premise I simply do not accept and will not no matter how many times you repeat it. Namely, that repeated cryptanalytic testing does not provide a measure of the tested strength of a cipher.

OK, that is the peripheral cul-de-sac. I believe it, and believe it can be successfully argued, but it is a side-issue nevertheless.

My main argument starts out that no matter how much analysis is done, there is always the possibility that a cipher may fail anyway. I doubt anyone disagrees with this.

Since cipher failure is possible, we need to look at the consequences of failure: If this is to be the one standard cipher for society, the results of such failure would be catastrophic. Again, hardly controversial stuff.

We can do something about this: We can innovate various procedures and protocols to avoid single-cipher failure. As a general concept, it is hard to imagine that even this is controversial. The actual technical details, of course, are arguable and changeable.

The package I have proposed includes compartmentalizing our data under different ciphers, thus reducing the amount of data at risk of any single cipher failure. (This virtually requires us to change ciphers frequently.) I also proposed multi-ciphering as a matter of course (reducing the likelihood of failure), and having a growing body of ciphers from which to choose. Other proposals can of course be made.

At this point, I see arguments for doing nothing (if the fix is too costly compared to the value at risk) and that the fix is worse than the original problem. The first depends upon the extent of the value at risk, which of course will include financial data, so the risk will be very, very high, without much argument. The probability of failure is the cul-de-sac argument itself, and may be hard to resolve. But even a very low probability may not be acceptable; it would not be acceptable to me.

The second part arguments are technical, but we can include the best-tested cipher in the multi-cipher stack. In this case, I think most would agree that -- properly done -- the overall strength could not be weaker than the tested cipher. And I think most would agree that this would indeed help prevent the single-point cipher failure which (almost) everyone will admit is at least possible.

Really, after going through this stuff at great length, I don't see much controversy here. No fireworks tonight: Sorry.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
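The two proposals above, Ellenberger's "build 5 pairs, verify none is a weak combination, change pair every block" and Ritter's "compartmentalize data under different ciphers and multi-cipher as a matter of course", are easy to state and easy to get wrong in the way Ellenberger's rot_13 example warns about. The following Python is an added illustration, not code from the thread or from any of the posters. Its three stage ciphers (a SHA-256 counter-mode XOR, a key-derived byte substitution, and a byte rotation standing in for rot_13) are toys chosen only so the block runs offline with the standard library; the block size, master key and sample traffic are constructed for the demo.

```python
import hashlib
import random

BLOCK = 16  # bytes per block (constructed choice for the demo)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream stage: XOR with a SHA-256 counter-mode keystream. Self-inverse."""
    ks, ctr = b"", 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def _sbox(key: bytes) -> list:
    """Key-derived byte permutation (seeded shuffle): a toy, not a real S-box."""
    seed = int.from_bytes(hashlib.sha256(b"sbox|" + key).digest(), "big")
    box = list(range(256))
    random.Random(seed).shuffle(box)
    return box


def subst_enc(key: bytes, data: bytes) -> bytes:
    box = _sbox(key)
    return bytes(box[b] for b in data)


def subst_dec(key: bytes, data: bytes) -> bytes:
    inv = [0] * 256
    for i, v in enumerate(_sbox(key)):
        inv[v] = i
    return bytes(inv[b] for b in data)


def rot_enc(key: bytes, data: bytes) -> bytes:
    """Byte rotation by key[0]; with ROT13_KEY it is the thread's rot_13 analogue."""
    return bytes((b + key[0]) % 256 for b in data)


def rot_dec(key: bytes, data: bytes) -> bytes:
    return bytes((b - key[0]) % 256 for b in data)


XOR, SUBST, ROT = (keystream_xor, keystream_xor), (subst_enc, subst_dec), (rot_enc, rot_dec)
ROT13_KEY = bytes([13])


def stack_encrypt(stack, data: bytes) -> bytes:
    """A multi-cipher stack is a list of ((enc, dec), key); stages apply in order."""
    for (enc, _dec), key in stack:
        data = enc(key, data)
    return data


def stack_decrypt(stack, data: bytes) -> bytes:
    for (_enc, dec), key in reversed(stack):
        data = dec(key, data)
    return data


def degenerate(stack, trials: int = 8) -> bool:
    """Ellenberger's 'verify you do not have a weak combination', in its most basic
    form: a stack of two or more stages must not collapse to the identity or to any
    one of its own stages on random input. Necessary, nowhere near sufficient."""
    rng = random.Random(1)
    for _ in range(trials):
        x = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        y = stack_encrypt(stack, x)
        if y == x or any(enc(key, x) == y for (enc, _dec), key in stack):
            return True
    return False


def cancellation_demo(plaintext: bytes, key: bytes) -> bool:
    """The rot_13 pitfall: a stage followed by its own inverse under the SAME key,
    then rot_13, is just rot_13. XOR is self-inverse, so stage 2 undoes stage 1."""
    bad = [(XOR, key), (XOR, key), (ROT, ROT13_KEY)]
    return stack_encrypt(bad, plaintext) == rot_enc(ROT13_KEY, plaintext)


def make_pairs(master: bytes, n: int = 5) -> list:
    """n two-stage pairs, every stage under its own derived key (master is constructed)."""
    stages = [XOR, SUBST, ROT]
    pairs = []
    for p in range(n):
        k1 = hashlib.sha256(master + b"|pair%d|a" % p).digest()
        k2 = hashlib.sha256(master + b"|pair%d|b" % p).digest()
        pairs.append([(stages[p % 3], k1), (stages[(p + 1) % 3], k2)])
    return pairs


def disperse_encrypt(pairs, data: bytes) -> list:
    """Compartmentalization: block i goes under pair i mod n. Returns (pair, ct) per block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return [(i % len(pairs), stack_encrypt(pairs[i % len(pairs)], b)) for i, b in enumerate(blocks)]


def disperse_decrypt(pairs, blocks) -> bytes:
    return b"".join(stack_decrypt(pairs[idx], ct) for idx, ct in blocks)


def exposed_fraction(blocks, broken_pair: int) -> float:
    """Share of traffic readable if exactly one pair is broken (Ellenberger's 20%)."""
    return sum(1 for idx, _ in blocks if idx == broken_pair) / len(blocks)
```

`degenerate()` is the kind of pre-deployment check the "verify you do not have a weak combination" step implies, and it catches the rot_13 stack (`cancellation_demo` returns `True`, `degenerate` flags it) while passing an XOR-then-substitution pair under independent keys; it says nothing about a pair whose stages merely share structure, which is the harder case Geoff Thorpe raises. `exposed_fraction` is the other half of the argument: with five independently keyed pairs and round-robin block assignment, a break of one pair reads one fifth of the traffic, and removing that pair from the rotation does not disturb the other four.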


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 21:48:09 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 371BDCD9.673B1A34@aspi.net References: 371ac7ce.40448497@news.io.com Newsgroups: sci.crypt Lines: 123

I rise (type) to speak in support of the proposition. There are two concepts from the field of economics that bear on this issue. The first concept is marginal utility as applied to the efforts of the crypto community. The second is the tendency of the market to focus on a single "best" product.

The marginal utility concept applies to a cryptologist of any level of education/training/experience. It indicates that the value of an additional increment to the effort invested so far in an "established" cipher may be much less than the value of that same effort applied to a neglected cipher. The economic case is that a rich man's millionth dollar (hundred billionth in Gates case) is worth less to the rich man than the poor man's thousandth dollar is worth to the poor man. This principle is absolutely fundamental to any economic analysis.

It is also fundamental and valuable in the field of operations research in that the fundamental, and mostly provable, assumption is that there is a "happy mix" that dominates all other mixtures of resource deployments. That looking for, and focusing on, "the" critical resource is too simplistic.

IMHO, diversity is a truly excellent thing in crypto. The field is young. There is lots of room for innovation.

The tendency of the market to focus on a single (or few) best product(s) is well established. The true operational basis for this is most often simple laziness. The theoretical basis is that concentrated effort will produce a better best than that same effort spread over a wide variety of options. If one company can dominate a market it can achieve economies of scale in production/design/etcetera.

The narrowing of the market is often seen in "industry shakeouts" where a developing industry with lots of vendors ranging from garage scale to fortune 10,000 scale merge/acquire/fail producing a "mature" market. Most consumer/customers actually like the simplified option menu of the mature market because fewer evaluations are necessary (laziness) and the risk of a really bad choice has been eliminated because the minimum and average quality of products in a mature market are usually much higher than those of a widely diverse market.

IMHO, this tendency should be resisted because I believe that cipher design does not benefit from economy of scale while cipher analysis certainly does.

Two concepts for $0.2. (special discount today only)

Terry Ritter wrote:

On Sun, 18 Apr 1999 18:48:37 -0400, in 371A6145.FAE5E8B@raas.co.nz, in sci.crypt Geoff Thorpe geoff@raas.co.nz wrote:

I spent some hours responding to this huge article, and only at the end realized (I assume correctly) that most of the controversy was about something which I consider peripheral to the main issue. So I am going to separate that other stuff off and ignore it so we don't lose sight of the forest. This is not intended to disrespect the effort in the original posting -- as I said, I have already made comparable effort in the response you do not see. But nobody wants to read huge postings, and all the points get lost anyway.

Hello,

Terry Ritter wrote:

You want to sound a cautionary note that we all risk being naive and over-confident in our "cryptanalytic testing" of ciphers - excellent point and it is well taken.

No, the point is NOT well-taken. It is ignored and brushed off as trivial and known. Then everyone sticks their head in the sand again until I bring it up again. This has happened for years.

Once again, we are in disagreement - philosophically and factually it would appear. From your postings, I can understand why you think this, but it is based on a premise I simply do not accept and will not no matter how many times you repeat it. Namely, that repeated cryptanalytic testing does not provide a measure of the tested strength of a cipher.

OK, that is the peripheral cul-de-sac. I believe it, and believe it can be successfully argued, but it is a side-issue nevertheless.

My main argument starts out that no matter how much analysis is done, there is always the possibility that a cipher may fail anyway. I doubt anyone disagrees with this.

Since cipher failure is possible, we need to look at the consequences of failure: If this is to be the one standard cipher for society, the results of such failure would be catastrophic. Again, hardly controversial stuff.

We can do something about this: We can innovate various procedures and protocols to avoid single-cipher failure. As a general concept, it is hard to imagine that even this is controversial. The actual technical details, of course, are arguable and changeable.

The package I have proposed includes compartmentalizing our data under different ciphers, thus reducing the amount of data at risk of any single cipher failure. (This virtually requires us to change ciphers frequently.) I also proposed multi-ciphering as a matter of course (reducing the likelihood of failure), and having a growing body of ciphers from which to choose. Other proposals can of course be made.

At this point, I see arguments for doing nothing (if the fix is too costly compared to the value at risk) and that the fix is worse than the original problem. The first depends upon the extent of the value at risk, which of course will include financial data, so the risk will be very, very high, without much argument. The probability of failure is the cul-de-sac argument itself, and may be hard to resolve. But even a very low probability may not be acceptable; it would not be acceptable to me.

The second part arguments are technical, but we can include the best-tested cipher in the multi-cipher stack. In this case, I think most would agree that -- properly done -- the overall strength could not be weaker than the tested cipher. And I think most would agree that this would indeed help prevent the single-point cipher failure which (almost) everyone will admit is at least possible.

Really, after going through this stuff at great length, I don't see much controversy here. No fireworks tonight: Sorry.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Question on confidence derived from cryptanalysis. Date: Mon, 19 Apr 1999 15:03:34 GMT From: aquiranx@goliatx.ugr.es (Gurripato (x=nospam)) Message-ID: 371b4488.28191695@news.cica.es References: 371BDCD9.673B1A34@aspi.net Newsgroups: sci.crypt Lines: 25

On Mon, 19 Apr 1999 21:48:09 -0400, "Trevor Jackson, III" fullmoon@aspi.net wrote:

The tendency of the market to focus on a single (or few) best product(s) is well established. The true operational basis for this is most often simple laziness. The theoretical basis is that concentrated effort will produce a better best than that same effort spread over a wide variety of options. If one company can dominate a market it can achieve economies of scale in production/design/etcetera.

I disagree. There must be some reason why a product is well established, not necessarily quality. The VCR-format war of the 80's was won by the VHS system (in the sense that they sell more than any other system). But it is well-known that Beta offers higher quality. VHS won mainly for marketing problems: Sony kept the Beta patents for himself, while everyone else went to VHS. And if we talk about OS, Windows95 (best seller the world over) falls miserably in quality aspects (hangouts, crashes, etc) to others like Linux or MacOS.

I recall an article on Scientific American about things like railway width being accepted by the market not for its quality, but rather on a sort of chaos-like process. Sorry, I don't remember the SA issue.


Subject: Re: Question on confidence derived from cryptanalysis. Date: Tue, 20 Apr 1999 01:18:00 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 371C0E08.8D00868A@aspi.net References: 371b4488.28191695@news.cica.es Newsgroups: sci.crypt Lines: 30

Gurripato (x=nospam) wrote:

On Mon, 19 Apr 1999 21:48:09 -0400, "Trevor Jackson, III" fullmoon@aspi.net wrote:

The tendency of the market to focus on a single (or few) best product(s) is well established. The true operational basis for this is most often simple laziness. The theoretical basis is that concentrated effort will produce a better best than that same effort spread over a wide variety of options. If one company can dominate a market it can achieve economies of scale in production/design/etcetera.

    I disagree. There must be some reason why a product is well established, not necessarily quality. The VCR-format war of the 80's was won by the VHS system (in the sense that they sell more than any other system). But it is well-known that Beta offers higher quality. VHS won mainly for marketing problems: Sony kept the Beta patents for himself, while everyone else went to VHS. And if we talk about OS, Windows95 (best seller the world over) falls miserably in quality aspects (hangouts, crashes, etc) to others like Linux or MacOS.

    I recall an article on Scientific American about things like railway width being accepted by the market not for its quality, but rather on a sort of chaos-like process. Sorry, I don't remember the SA issue.

You are certainly free to disagree with the marketing theory that says mature markets are better. After all, I disagree with it too.

I find it especially unsuitable for the field of crypto.


Terry Ritter, his current address, and his top page.

Last updated: 1999-05-12