Can Cryptanalysis Give Us Confidence?

Terry Ritter

A Ciphers By Ritter Page

A recurring theme in these conversations is that cryptanalysis is how we know the strength of a cipher. Of course we want all the cryptanalysis we can get, and we do not use ciphers which are known to be weak. Still, the ciphers we do use have at best been analyzed with respect to attacks in the academic literature, but our opponents are not academics, and are not limited to those attacks. Accordingly, cryptanalysis does not tell us whether or not our data are hidden from our opponents. Since hiding data from our opponents is the whole reason to use cryptography, this issue is not a minor detail.

The intent of this is not to place a cloud over cryptography, but instead to reveal the cloud which is already there. Once we accept reality as it is, no matter how disturbing to our previous beliefs, we can begin to think about doing things beyond conventional cryptography, and so improve our situation. I have many times proposed ciphering with "stacks" of three ciphers which change frequently, and I think that would give us significant benefit. But if someone else can come up with a better solution, I would be glad to hear it.


Subject: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 07:31:40 -0700
From: Sundial Services info@sundialservices.com
Message-ID: 371749CC.4779@sundialservices.com
Newsgroups: sci.crypt
Lines: 18

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 17:28:13 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: 37176a30.4219613@news.prosurfr.com
References: 371749CC.4779@sundialservices.com
Newsgroups: sci.crypt
Lines: 111

Sundial Services info@sundialservices.com wrote, in part:

> When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Looking at this paragraph, and your title, my initial reaction was to say that you were wrong - block cipher designers do recognize the importance of nonlinearity, and thus in virtually every block cipher you will find an S-box.

> About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

Dynamic Substitution is a good idea, and an original one. And since I consider the SIGABA to be an admirable design, I started to warm to you at this point.

> My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

Now this is a question I've been asking myself.

But there are answers to it.

But an academic researcher isn't going to take time studying a cipher that is so big and complicated that there is no hope of coming away with an impressive result - and so big and complicated that even trying to understand it would consume an enormous amount of time and effort.

Thus, designs that are intentionally limited - to one basic type of round, to one underlying principle - have an advantage over designs based on the principle that security is the only goal. They might be less intrinsically secure, but they have a better chance of being able to (appear to) prove (indicate with some tendency to confidence) that they do have a certain level of security.

Although I do understand the rationale behind the "received wisdom", that doesn't mean I fully accept it. In practice, when using cryptography, security is what counts; and advances are being made both in the theory of cryptanalysis and in the speed and power of computer chips at a great rate.

Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

Hence, I have played with designs that don't just use "simple operations". They do incorporate a lot from the designs of the real experts in the field, compared to which I am a mere amateur, but they go on from there to pile on a higher level of complication than seen in the well-known designs.

Take a look at my Quadibloc II and Quadibloc III designs, in

http://members.xoom.com/quadibloc/co040705.htm

for example. I think they may address your concern - although they may not go far enough.

One thing I very definitely don't want to do is to go around like certain posters on this NG, and claim that a cipher must be as complicated as these designs of mine in order to be secure. That simply isn't true.

And it is also true that a strong cipher isn't a guarantee of security; designing ciphers may be fun, but preventing data from leaking out the back door is hard work.

While I respect the knowledge and ability of the acknowledged experts in the field, where I think I part company with Bruce Schneier and others is in the following:

I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

John Savard (teneerf is spelled backwards) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 20:20:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 37179b67.12809750@news.io.com
References: 37176a30.4219613@news.prosurfr.com
Newsgroups: sci.crypt
Lines: 129

On Fri, 16 Apr 1999 17:28:13 GMT, in 37176a30.4219613@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

> [...]

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

We would like to think that the more we use a cipher, the more confidence we can have in it. We can build confidence in a ciphering program, as to whether or not it crashes and so on. But since our Opponents do not tell us of their success, we do not know that our cipher was successful at hiding data. And we cannot have confidence in a result without knowing what that result is.

> [...] But an academic researcher isn't going to take time studying a cipher that is so big and complicated that there is no hope of coming away with an impressive result - and so big and complicated that even trying to understand it would consume an enormous amount of time and effort.

It is always nice to find something important which is easy to do. That would be the academic equivalent of "Make Easy Money Now."

It may be unfortunate for academic cryptographers that a wide variety of new techniques are pioneered by non-academics. But those techniques exist nevertheless, and to the extent that academics do not investigate them, those academics are not up with the state of the art.

It is not, frankly, the role of the innovator to educate the academics, or even to serve technology to them on a silver platter. In the end, academic reputation comes from reality, and the reality is that many crypto academics avoid anything new which does not have an academic source. The consequence is that they simply do not have the background to judge really new designs.

> Thus, designs that are intentionally limited - to one basic type of round, to one underlying principle - have an advantage over designs based on the principle that security is the only goal. They might be less intrinsically secure, but they have a better chance of being able to (appear to) prove (indicate with some tendency to confidence) that they do have a certain level of security.

Upon encountering a new design, anyone may choose to simplify that design and then report results from that simplification. This is done all the time. It is not necessary for an innovator to make a simplified design for this purpose.

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

> [...] Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

> [...] While I respect the knowledge and ability of the acknowledged experts in the field, where I think I part company with Bruce Schneier and others is in the following:

> I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time. That means that we can divide the worth of our information into many different ciphers, so that if any one fails, only a fraction of messages are exposed. It also means that any Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

> I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

Neat.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 14:06:57 -0700
From: "Steven Alexander" steve@cell2000.net
Message-ID: jKNR2.591$%L2.8044@news6.ispnews.com
References: 37179b67.12809750@news.io.com
Newsgroups: sci.crypt
Lines: 32

> > Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

> I dispute this. This is essentially what Schneier would have us believe, and it is false.

> The truth is that we never know the "real" strength of a cipher. No.....

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

my $.02...-steven


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 22:32:57 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 3717ba72.20758328@news.io.com
References: jKNR2.591$%L2.8044@news6.ispnews.com
Newsgroups: sci.crypt
Lines: 87

On Fri, 16 Apr 1999 14:06:57 -0700, in jKNR2.591$%L2.8044@news6.ispnews.com, in sci.crypt "Steven Alexander" steve@cell2000.net wrote:

> > [...] I dispute this. This is essentially what Schneier would have us believe, and it is false.

> > The truth is that we never know the "real" strength of a cipher. No.....

> I don't think that you understand the point that Schneier and others have made.
> If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it.

This is seriously disturbing: The issue is not who makes a thing, but instead what the thing actually is. Deliberately judging a design in the context of who made it is actually anti-scientific, and should be widely denounced as the superstition it is.

> But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work.

Nonsense. Knowing how to break some ciphers does not mean that you know how ciphers work. That idea is the point "that Schneier and others have made" and it is a fantasy. It is especially fantastic when ciphers use technology which academics have ignored. But in any case, without a LOWER bound on strength, academics REALLY do not even know that ciphers work at all, let alone how.

> But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts.

Nonsense. There is no such conclusion. Ciphers do not ripen like cheese.

We first of all do not know how many attacks were made (if any), nor how much effort was placed into them. Attacks made by experienced, well-paid, well-motivated teams with all the equipment they need are quite different from those of single individuals working at a desk at night and coming up with a new mathematical equation. Not finding an equation does not mean some team has not had success.

We only know what success is reported in the academic literature. Unfortunately, when we use a cipher, we are very rarely concerned whether academics can break our cipher or not. We are instead concerned about "bad guys," and they don't tell us when they have been successful.

So this delay -- supposedly for gaining confidence -- in reality tells us nothing at all about the strength of the cipher.

> We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

As I recall, Schneier and others claim that cryptanalysis is how we know the strength of a cipher. It is not. Cryptanalysis can only show weakness, only that when it is successful, and even then it only gives us the latest upper bound.

But the main problem is not knowing the strength of new ciphers, but rather knowing the strength of old ciphers: we are actually using the old ciphers. When ciphers have been in long use there is a delusion that we know their strength and can use them as a benchmark against new ciphers. Absent a non-zero LOWER bound on strength, this is false on both counts.

As I recall, in his comments on AES, Schneier has said that simply finding a cryptanalytic weakness in one of the designs would be sufficient to remove it from competition, even if the weakness was impractical. He would thus have us believe that the lack of information about weakness in one cipher is superior to information of impractical weakness in another cipher. I disagree.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 15:41:12 -0700
From: "Steven Alexander" steve@cell2000.net
Message-ID: X6PR2.1145$5E.10730@news7.ispnews.com
References: 3717ba72.20758328@news.io.com
Newsgroups: sci.crypt
Lines: 18

I think the point that Schneier and others have made, which I personally agree with, is that no cipher is "secure". We can however put more trust into an algorithm that has undergone more cryptanalysis and has been tested against the newest cryptanalytic techniques because we know what will not break the cipher. I personally would not trust any algorithm that I and other motivated people had not tested. I also think that understanding how to break ciphers gives a better knowledge of how to build ciphers because you know what can break them. This is why some of the best security experts are hackers...they know how to get in. You cannot prevent your computer from being hacked if you do not know what means someone will use to break in. It would be like building large stone walls around a military base and not expecting someone to fly over and drop a bomb...if you don't know that airplanes and bombs can destroy your base as well as ground troops...you've already lost.

-steven


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 23:53:14 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 3717cd62.25607206@news.io.com
References: X6PR2.1145$5E.10730@news7.ispnews.com
Newsgroups: sci.crypt
Lines: 61

On Fri, 16 Apr 1999 15:41:12 -0700, in X6PR2.1145$5E.10730@news7.ispnews.com, in sci.crypt "Steven Alexander" steve@cell2000.net wrote:

> I think the point that Schneier and others have made, which I personally agree with, is that no cipher is "secure".

I think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

> We can however put more trust into an algorithm that has undergone more cryptanalysis and has been tested against the newest cryptanalytic techniques because we know what will not break the cipher.

Nope. Simply because "we" cannot break it does not mean that others cannot break it. We are not confronting our clones: our Opponents know more than we do, and are probably smarter as well.

> I personally would not trust any algorithm that I and other motivated people had not tested.

But there is no test for strength.

> I also think that understanding how to break ciphers

But there is no one way, nor any fixed set of ways, which are "how to break ciphers." No matter how much you "understand," there is more to know. That is the problem.

> gives a better knowledge of how to build ciphers because you know what can break them.

One proper role for cryptanalysis is to support the design of ciphers.

> This is why some of the best security experts are hackers...they know how to get in. You cannot prevent your computer from being hacked if you do not know what means someone will use to break in. It would be like building large stone walls around a military base and not expecting someone to fly over and drop a bomb...if you don't know that airplanes and bombs can destroy your base as well as ground troops...you've already lost.

Then you are lost. Neither you nor anybody else can predict every possible way to attack a cipher or a base.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 17:05:05 -0700
From: "Steven Alexander" steve@cell2000.net
Message-ID: xlQR2.1311$5E.12276@news7.ispnews.com
References: 3717cd62.25607206@news.io.com
Newsgroups: sci.crypt
Lines: 19

What exactly is your suggestion for the creation of a cipher in which we can place our trust? The best we can do at any one point is to create a cipher that is secure against the attacks that we know of. If we do not know of many attacks this will not entail much. If we have a group of the best cryptanalysts who analyze a cipher and find no vulnerabilities, this does not mean that any vulnerabilities do not exist...it only means that those that we know of...and variations thereof do not exist in that cipher. This gives us a degree of trust in the cipher. In RSA for example, we believe that the only way to break the cipher is to factor n. If I find a new way to factor n in just a couple of minutes on your typical PC the cipher is broken. However, the odds that someone will invent a way to factor that is so phenomenally better is very unlikely. If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

-steven


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:12 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 3718105d.5227815@news.io.com
References: xlQR2.1311$5E.12276@news7.ispnews.com
Newsgroups: sci.crypt
Lines: 58

On Fri, 16 Apr 1999 17:05:05 -0700, in xlQR2.1311$5E.12276@news7.ispnews.com, in sci.crypt "Steven Alexander" steve@cell2000.net wrote:

> What exactly is your suggestion for the creation of a cipher in which we can place our trust?

Absent a theory or overall test of strength, there can be no trust in a cipher. All the trust one can have is delusion.

> The best we can do at any one point is to create a cipher that is secure against the attacks that we know of. If we do not know of many attacks this will not entail much. If we have a group of the best cryptanalysts who analyze a cipher and find no vulnerabilities, this does not mean that any vulnerabilities do not exist...it only means that those that we know of...and variations thereof do not exist in that cipher.

Exactly.

> This gives us a degree of trust in the cipher.

What most people want is a strong cipher. Absent evidence of strength there is no basis for such trust.

> In RSA for example, we believe that the only way to break the cipher is to factor n. If I find a new way to factor n in just a couple of minutes on your typical PC the cipher is broken. However, the odds that someone will invent a way to factor that is so phenomenally better is very unlikely.

This is a disturbingly unwarranted statement: Nobody has any idea what the true odds are, so we cannot infer that they are good or bad.

> If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

Actually, I think there are better ways. For one thing we can use very simple constructs with few types of component, each of which can be fully understood for what it does. For another we can design scalable ciphers that can be scaled down to experimental size.

However, the real issue is that while supposedly everyone knows that any cipher can be weak, there has been essentially no attention given to protocols which deal with this problem.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 22:09:10 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: 371a5737.341699@news.prosurfr.com
References: xlQR2.1311$5E.12276@news7.ispnews.com
Newsgroups: sci.crypt
Lines: 18

"Steven Alexander" steve@cell2000.net wrote, in part:

> If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

You are right that avoiding known weaknesses is important, and understanding cryptanalysis is important.

However, I think that there is a "better way to design ciphers" than to place too much faith in the present knowledge of cryptanalysis. A cipher should be designed conservatively: not just in the sense of having a few extra rounds, but in the sense of having extra complexities in its design far beyond those needed (nonlinear S-boxes, irregularities in the key schedule) to frustrate known methods of attack.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 23:55:28 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: jgfunj-1804992355290001@dial-243-098.itexas.net
References: 371a5737.341699@news.prosurfr.com
Newsgroups: sci.crypt
Lines: 26

In article 371a5737.341699@news.prosurfr.com, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

> "Steven Alexander" steve@cell2000.net wrote, in part:

> > If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

> You are right that avoiding known weaknesses is important, and understanding cryptanalysis is important.

> However, I think that there is a "better way to design ciphers" than to place too much faith in the present knowledge of cryptanalysis. A cipher should be designed conservatively: not just in the sense of having a few extra rounds, but in the sense of having extra complexities in its design far beyond those needed (nonlinear S-boxes, irregularities in the key schedule) to frustrate known methods of attack.

A good trick is to telescope complexities into new primitives if you can. Multiple layers of appropriate complexity do work, but the cost is diversified in several directions.

A new random permutation generator: You put X windoze machines in a room, merely start them up, and record the order in which they eventually crash on their own.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 02:22:42 GMT
From: fqkhuo@gmrvavvrcd.fl (ybizmt)
Message-ID: slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq
References: 3717cd62.25607206@news.io.com
Newsgroups: sci.crypt
Lines: 9

On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter ritter@io.com wrote:

> I think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

Refresh my memory. What do you sell?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:19 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 37181072.5248874@news.io.com
References: slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq
Newsgroups: sci.crypt
Lines: 26

On Sat, 17 Apr 1999 02:22:42 GMT, in slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq, in sci.crypt fqkhuo@gmrvavvrcd.fl (ybizmt) wrote:

> On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter ritter@io.com wrote:

> > I think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

> Refresh my memory. What do you sell?

Just the truth, lately.

I just find it an interesting coincidence when people promote errors in reasoning which just happen to benefit their business.

On the other hand, promoting truths which also happen to benefit one's business seems not nearly as disturbing.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 18 Apr 99 01:49:42 GMT
From: jsavard@ecn.ab.ca ()
Message-ID: 37193a36.0@ecn.ab.ca
References: 3717ba72.20758328@news.io.com
Newsgroups: sci.crypt
Lines: 15

Terry Ritter (ritter@io.com) wrote:
: This is seriously disturbing: The issue is not who makes a thing, but
: instead what the thing actually is. Deliberately judging a design in
: the context of who made it is actually anti-scientific, and should be
: widely denounced as the superstition it is.

That's true if judging a cipher that way is used as a substitute for actual analytical study of the cipher itself by a competent individual. Where the services of an expert are not available, or there is insufficient time to fully evaluate all candidate ciphers for an application, choosing a cipher from a respected source is not "superstition", and it is the kind of choice people make all the time: i.e., when shopping for a new computer.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:03:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf99f.7573878@news.io.com References: 37193a36.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 33

On 18 Apr 99 01:49:42 GMT, in 37193a36.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Terry Ritter (ritter@io.com) wrote:
: This is seriously disturbing: The issue is not who makes a thing, but instead what the thing actually is. Deliberately judging a design in the context of who made it is actually anti-scientific, and should be widely denounced as the superstition it is.

That's true if judging a cipher that way is used as a substitute for actual analytical study of the cipher itself by a competent individual. Where the services of an expert are not available, or there is insufficient time to fully evaluate all candidate ciphers for an application, choosing a cipher from a respected source is not "superstition", and it is the kind of choice people make all the time: i.e., when shopping for a new computer.

Is shopping for a cipher like shopping for a new computer? Yes, I think so, but this situation is not a technical discussion between people of expertise but, rather, ordinary users who really have no choice but to rely upon promotion and rumor.

When experts themselves cannot fully characterize the strength of a system specifically designed to produce strength, we know we are in trouble. It's just that this is the way it's always been, and most of us forgot what it means. It does not mean that we must rely upon the same promotion and rumor as ordinary users.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:50:19 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2004992250200001@dial-243-073.itexas.net References: 371cf99f.7573878@news.io.com Newsgroups: sci.crypt Lines: 14

In article 371cf99f.7573878@news.io.com, ritter@io.com (Terry Ritter) wrote:
> Is shopping for a cipher like shopping for a new computer? Yes, I think so, but this situation is not a technical discussion between people of expertise but, rather, ordinary users who really have no choice but to rely upon promotion and rumor.

I wonder if the FTC has a role in determining if claims are reasonable. They would have to yield to NSA for expertise? Perhaps we can try to shift burden directly to government to prove strength, therefore making them show their hand.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:28:46 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990028460001@dial-243-079.itexas.net References: jKNR2.591$%L2.8044@news6.ispnews.com Newsgroups: sci.crypt Lines: 35

In article jKNR2.591$%L2.8044@news6.ispnews.com, "Steven Alexander" steve@cell2000.net wrote:

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

You are still living in the same furrow. What matters is whether a cipher is good, and it will be so regardless of confidence bestowed by some select group fixated on a remarkably few, perhaps some wrong, design criteria.

Converting unearned trust into acceptability can make a poor cipher pass for more than it is, and cause a great cipher to not get any attention. Your statement unfortunately often is a self-fulfilling prophecy that certain ciphers of a narrow nature will be given undue attention and consequently are more likely to get accepted. I would rather that people learn to not follow the leader so closely; it's a big world out there worth exploring cryptologically.

One thing I do like about the AES process is that there was some diversity, not enough, but some. Unfortunately, the target was more influenced by those who were creatures of the furrow.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 20:36:40 -0400 From: "Trevor Jackson, III" fullmoon@aspi.net Message-ID: 37192918.13924DDE@aspi.net References: jKNR2.591$%L2.8044@news6.ispnews.com Newsgroups: sci.crypt Lines: 50

Steven Alexander wrote:

  • Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No.....

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

But even granting that I would prefer to purchase cryptographic products from a professional rather than an amateur, all this changes is the unit of measure. Instead of measuring the quality of the product we'll end up measuring the quality of the author. Now it's hard enough to define a unit of measure for ciphers. Imagine defining the unit of measure for cipher designers.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is. We've got good mathematical tools and good software engineering tools, but the toolbox for the crypto designer is mostly defined in the negative; by the toolbox of the crypto analyst.

When we have crypto-engineering standards similar to civil-engineering standards, we'll have a mature science (and very little excitement :-).


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:28:12 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990028130001@dial-243-094.itexas.net References: 37192918.13924DDE@aspi.net Newsgroups: sci.crypt Lines: 35

In article 37192918.13924DDE@aspi.net, "Trevor Jackson, III" fullmoon@aspi.net wrote:

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

But even granting that I would prefer to purchase cryptographic products from a professional rather than an amateur, all this changes is the unit of measure. Instead of measuring the quality of the product we'll end up measuring the quality of the author. Now it's hard enough to define a unit of measure for ciphers. Imagine defining the unit of measure for cipher designers.

The most professional cryptographic designers, the opponents, in the world have offered of late...dung.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is. We've got good mathematical tools and good software engineering tools, but the toolbox for the crypto designer is mostly defined in the negative; by the toolbox of the crypto analyst.

So they would have you believe.

When we have crypto-engineering standards similar to civil-engineering standards, we'll have a mature science (and very little excitement :-).

Over standardization, regulation, formalization, and authoritarization has killed many a good field. Maturation is not the enemy of creative, but wheeler-dealer, power-sponges, who imagine that everyone else must follow their lead, are.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 21 Apr 1999 15:43:53 -0400 From: budney@peregrine.maya.com (Leonard R. Budney) Message-ID: m3d80xwyh2.fsf@peregrine.maya.com References: 37192918.13924DDE@aspi.net Newsgroups: sci.crypt Lines: 66

"Trevor Jackson, III" fullmoon@aspi.net writes:

Steven Alexander wrote:

If I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break it will be listened to because I am known to be knowledgeable in how ciphers work...

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

An appeal to authority is invalid under two conditions. First, if the claim is subject to rigorous proof--making opinion irrelevant. Second, if the authority appealed to is not a legitimate authority in a relevant area. See <http://www.nizkor.org/features/fallacies/appeal-to-authority.html>.

When rigorous proof is not available, then the opinion of an expert constitutes the best information to be had. Under that condition, the best expert is the one with the longest experience and the most successes.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is.

Perhaps, but not necessarily. It is probable that Goedel's Incompleteness Theorem implies that the strength of at least some algorithms cannot be determined, even theoretically (forgive my speculating aloud here). Further, it might turn out that all 'measurable' algorithms turn out to be weak--with some definition of weak--implying that the non-measurable algorithms are the ONLY interesting ones.

Remember, Fermat's last theorem went unproven for more than 350 years. Huge quantities of number-theoretic research arose directly out of attempts to prove or disprove the theorem.

Remember, too, that many mathematical cranks turned up with "proofs" of Fermat's theorem (and the four color theorem, and...). Call it arrogant, but mathematicians tend to treat them with a priori scepticism, given that 350 years of experts failed to turn up a proof. One is quite justified in seriously doubting that Joe Blow from Podunk has stumbled upon a solution.

Such considerations suggest, at least to me, that "crypto-engineering", by which we might crank out ciphers of known strength, is probably a pipe-dream.

BTW this example has a bearing on our confidence in RSA. It is doubted that polynomial-time factoring of primes is possible, just as it is doubted that NP = P. Further, it is conjectured that cracking RSA without factoring is not possible (absent other data, such as decryption timings). Why are these conjectures made? Because a generation or so of experts and geniuses haven't resolved these problems. If the NSA has, then they've almost certainly made one of the great discoveries of the century. Of course, they're not talking.

Len Budney                 |  Designing a cipher takes only a
Maya Design Group          |  few minutes.  The only problem is
budney@maya.com            |  that almost all designs are junk.
                           |              -- Prof. Dan Bernstein

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Thu, 22 Apr 1999 09:12:49 +0100 From: "Sam Simpson" ssimpson@hertreg.ac.uk Message-ID: 371ed9e2.0@nnrp1.news.uk.psi.net References: m3d80xwyh2.fsf@peregrine.maya.com Newsgroups: sci.crypt Lines: 43

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leonard R. Budney budney@peregrine.maya.com wrote in message news:m3d80xwyh2.fsf@peregrine.maya.com...

BTW this example has a bearing on our confidence in RSA. It is doubted that polynomial-time factoring of primes is possible, just as it is doubted that NP = P. Further, it is conjectured that cracking RSA without factoring is not possible (absent other data, such as decryption timings).

Actually, certain instances of RSA cannot be equivalent to the underlying IFP (D.Boneh, R.Venkatesan, "Breaking RSA may not be equivalent to factoring").

Cheers,


Sam Simpson Comms Analyst http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site. If you're wondering why I don't reply to Sternlight, it's because he's kill filed. See http://www.openpgp.net/FUD for why!

-----BEGIN PGP SIGNATURE-----
Version: 6.0.2ckt http://members.tripod.com/IRFaiad/

iQA/AwUBNx7Z/u0ty8FDP9tPEQJVjwCdElMbx8eOjPva0qOKAkCTzKte+MwAoMoE
PG95Mhvh0WP9lAZT5Sw5XwRC
=SIRn
-----END PGP SIGNATURE-----


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 16 Apr 1999 17:21:22 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 7f89ki$gng$1@quine.mathcs.duq.edu References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 38

In article 37179b67.12809750@news.io.com, Terry Ritter ritter@io.com wrote:

On Fri, 16 Apr 1999 17:28:13 GMT, in 37176a30.4219613@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

[...]

  • Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

I don't believe this; in fact, I think it's total bullshit. It's certainly true that you may not be able to formalize the difference into a p-value, but you're committing a grievous error if you think that something doesn't exist merely because you can't quantify it.

-kitten

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 23:53:19 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3717cd6d.25617381@news.io.com References: 7f89ki$gng$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 53

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

I don't believe this;

It is not necessary for you to believe it: It is what it is.

in fact, I think it's total bullshit.

Then you need to think about it more deeply.

It's certainly true that you may not be able to formalize the difference into a p-value, but you're committing a grievous error if you think that something doesn't exist merely because you can't quantify it.

The issue is not the "formalization" of something we know but cannot quantify, but rather something we actually do not know. When we attempt to formalize what we really do not know we commit logical error. In fact, I would say that this process is in some cases a deliberate attempt to hide these issues from management, command staff and the general user.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 02:28:52 GMT From: fqkhuo@gmrvavvrcd.fl (ybizmt) Message-ID: slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq References: 3717cd6d.25617381@news.io.com Newsgroups: sci.crypt Lines: 26

On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter ritter@io.com wrote:

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Nor is it intended to. Who has ever claimed that analysis equals strength in any field? It is intended to make you more confident that something is strong. No one is saying it proves strength. Not at least trying cryptanalysis on a cipher is stupid, which I'm sure you agree with.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.

Nice rant. Where are you going with this and how does it sell your product?


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 04:39:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37181079.5255438@news.io.com References: slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq Newsgroups: sci.crypt Lines: 81

On Sat, 17 Apr 1999 02:28:52 GMT, in slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq, in sci.crypt fqkhuo@gmrvavvrcd.fl (ybizmt) wrote:

On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter ritter@io.com wrote:

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Nor is it intended to. Who has ever claimed that analysis equals strength in any field? It is intended to make you more confident that something is strong. No one is saying it proves strength.

Sure they are. As far as I know, Schneier's point has always been that cryptanalysis is the way we know a cipher's strength. I'm sure he would agree that this is not proof, but I do not agree that it says anything at all. The implication that cryptanalysis would like to promote is indeed that of tested strength.

Not at least trying cryptanalysis on a cipher is stupid which I'm sure you agree with.

I do. But there is no one cryptanalysis. Indeed, there is no end to it. But we do have to make an end before we can field anything. This in itself tells us that cryptanalysis as certification is necessarily incomplete.

Our main problem is that cryptanalysis does NOT say that there is no simpler attack. It does NOT say that a well-examined cipher is secure from your kid sister. Oh, many people will offer their opinion, but you won't see many such claims in scientific papers, because there we expect actual facts, as opposed to wishes, hopes, and dreams.

Cryptanalysis does NOT give us an indication of how much effort our Opponent will have to spend to break the cipher. Yet that is exactly what the cryptanalytic process would like us to believe: That is why we have the process of: 1) design a cipher, and 2) certify the cipher by cryptanalysis. As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.

Nice rant.

Thanks. I suggest you learn it by heart if you intend to depend upon cryptography.

Where are you going with this and how does it sell your product?

This is my bit for public education.

I have no modern products. I do offer cryptographic consulting time, and then I call it as I see it. I also own patented cryptographic technology which could be useful in a wide range of ciphers.

I see no problem with someone promoting what they think is an advance in the field, even if they will benefit. But when reasoning errors are promoted which just happen to benefit one's business -- in fact, a whole sub-industry -- some skepticism seems appropriate. Just once I would like to see delusions promoted which produce less business.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 02:05:37 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193df1.0@ecn.ab.ca References: 37181079.5255438@news.io.com Newsgroups: sci.crypt Lines: 16

Terry Ritter (ritter@io.com) wrote:
: As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

Two comments are warranted here.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 22:04:54 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371a56a8.198396@news.prosurfr.com References: 37193df1.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 23

jsavard@ecn.ab.ca () wrote, in part:

Terry Ritter (ritter@io.com) wrote:
: As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

Two comments are warranted here.

I should note, though, that I basically agree with your point - and I do think that in the specific case of the AES, going back to the drawing board a bit would make quite a bit of sense - but I simply think that these two arguments also need to be addressed.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:03:33 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf9af.7589747@news.io.com References: 37193df1.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 28

On 18 Apr 99 02:05:37 GMT, in 37193df1.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Terry Ritter (ritter@io.com) wrote:
: As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

Two comments are warranted here.

I agree.

You lost me on that one.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 16:12:35 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371df7b2.320404@news.prosurfr.com References: 371cf9af.7589747@news.io.com Newsgroups: sci.crypt Lines: 27

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 02:05:37 GMT, in 37193df1.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

  • And I think you can see why this design process actually increases the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.

You lost me on that one.

When testing a computer system, sometimes a small number of known bugs are deliberately introduced, so that, if not all of those bugs are found, one has an indication that testing should continue (on the assumption that a similar proportion of the unknown bugs really being looked for have not been found yet either).

What I was thinking of here is that the cryptanalyst will find what he knows how to look for; and so, weaknesses beyond the reach of current cryptanalysis won't be found; but if a cipher designed by a non-cryptanalyst did not have a single known weakness (known to the cryptanalysts, not to the designer) then one might have grounds to hope (but, of course, not proof) that unknown weaknesses were scarce as well, while getting rid of the known weaknesses specifically doesn't give any such hope.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 18:59:11 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371e1f94.6051889@news.io.com References: 371df7b2.320404@news.prosurfr.com Newsgroups: sci.crypt Lines: 67

On Wed, 21 Apr 1999 16:12:35 GMT, in 371df7b2.320404@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 02:05:37 GMT, in 37193df1.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

  • And I think you can see why this design process actually increases the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.

You lost me on that one.

When testing a computer system, sometimes a small number of known bugs are deliberately introduced, so that, if not all of those bugs are found, one has an indication that testing should continue (on the assumption that a similar proportion of the unknown bugs really being looked for have not been found yet either).

I believe this is generally called "error injection," and one problem with it is the assumption that the known errors are of the same nature as the unknown errors. Only then can we extrapolate from our results into the unknown. Basically what we measure is the effectiveness of the process which seeks that sort of error -- usually some sort of mechanical error like failing to use the result of some computation. This is not going to work very well when the errors are conceptual in the structure of the computation itself. Error injection is not very useful in asserting that we will get the correct answer to the original problem, and that is the unknown crypto area.

So this doesn't really help us.

What I was thinking of here is that the cryptanalyst will find what he knows how to look for; and so, weaknesses beyond the reach of current cryptanalysis won't be found; but if a cipher designed by a non-cryptanalyst did not have a single known weakness (known to the cryptanalysts, not to the designer) then one might have grounds to hope (but, of course, not proof) that unknown weaknesses were scarce as well, while getting rid of the known weaknesses specifically doesn't give any such hope.

The idea of a brand-new designer with a brand-new design in which no weakness can be found is a silly hope. I suppose it might happen, but it is not the way real things are designed and built. At the very best it is a wish, a dream, something disassociated with practical reality and the design of real things. And the failure of such exaggerated expectations often leads to a supposedly-justified demeaning of the designer as not meeting the goals of the field. This is essentially sick reasoning, because it sets up unreasonable goals, then reacts with staged regret when they are not met.

I claim the main use of cryptanalysis is in the give and take of a design process, not the end game of certification, which is what cryptanalysis cannot do. In fact, academic cryptanalysis generally only reports weakness -- few reports are published that no weakness was found. There is thus no basis even in open cryptography for knowing how many cryptanalytic attempts have been made unsuccessfully, or for taking advantage of the game when a new designer actually does have a design which has no known weakness.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
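The defect-seeding estimate Savard describes, and the failure mode Ritter raises in reply (the seeded errors not being of the same nature as the real ones), can be worked through numerically. The following is an added example and not part of the thread or of any poster's own material; the defect counts and the per-defect detection probabilities are constructed for illustration, and the "expected value" simulation is an assumption made here so that the bias is visible without randomness.

```python
"""Defect seeding ("error injection") as a testing-progress estimator,
and what happens to the estimate when the planted defects are easier
to find than the real ones.

Constructed example: all numbers below are illustrative, not measured.
"""
from dataclasses import dataclass


def seeded_estimate(seeded: int, seeded_found: int, real_found: int) -> float:
    """Classic seeding estimate of the total number of real defects.

    If a fraction seeded_found/seeded of the planted defects was found,
    assume the same fraction of the real defects was found, so
        total_real ~= real_found * seeded / seeded_found
    """
    if seeded_found == 0:
        raise ValueError("no seeded defects found: no coverage signal yet")
    return real_found * seeded / seeded_found


def should_keep_testing(seeded: int, seeded_found: int) -> bool:
    """Savard's rule: if not every planted defect was found, keep testing."""
    return seeded_found < seeded


@dataclass(frozen=True)
class Scenario:
    real_defects: int   # true number of real defects (unknown to the tester)
    seeded: int         # planted defects
    p_seeded: float     # probability the process finds a planted defect
    p_real: float       # probability the process finds a real defect


def simulate(s: Scenario) -> dict:
    """Expected-value run of one test campaign (constructed assumption:
    found counts are the rounded expectations, so there is no randomness
    and the estimator's bias is visible directly)."""
    seeded_found = round(s.seeded * s.p_seeded)
    real_found = round(s.real_defects * s.p_real)
    est_total = seeded_estimate(s.seeded, seeded_found, real_found)
    return {
        "seeded_found": seeded_found,
        "real_found": real_found,
        "keep_testing": should_keep_testing(s.seeded, seeded_found),
        "estimated_total_real": est_total,
        "estimated_remaining": est_total - real_found,
        "actual_remaining": s.real_defects - real_found,
    }


# Seeded and real defects are of the same nature (same detection rate):
# the estimate is exact.
SAME_NATURE = Scenario(real_defects=40, seeded=10, p_seeded=0.8, p_real=0.8)

# Ritter's objection: the planted defects are mechanical and easy to hit,
# the real ones are conceptual and rarely hit by the same process.
# The estimator then reports almost nothing left while most defects remain.
CONCEPTUAL_GAP = Scenario(real_defects=40, seeded=10, p_seeded=0.8, p_real=0.2)


if __name__ == "__main__":
    for name, scenario in (("same nature", SAME_NATURE),
                           ("conceptual gap", CONCEPTUAL_GAP)):
        r = simulate(scenario)
        print(f"{name:15s} estimated remaining={r['estimated_remaining']:5.1f}"
              f"  actual remaining={r['actual_remaining']:3d}")
```

In the first scenario the estimate of remaining defects matches reality; in the second it is off by a factor of sixteen in the optimistic direction, which is exactly the failure Ritter points to: the method measures how well the process finds the kind of error that was planted, not how many errors of an unanticipated kind remain.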


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 17 Apr 1999 16:32:27 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 7far4r$htf$1@quine.mathcs.duq.edu References: 3717cd6d.25617381@news.io.com Newsgroups: sci.crypt Lines: 48

In article 3717cd6d.25617381@news.io.com, Terry Ritter ritter@io.com wrote:

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction.

But not-provable is not the same as unknown.

I don't know that Pittsburgh won't be hit by a devastating hurricane in the next month.

But I've got a bright crisp $20 in my pocket that says that it won't.

In a philosophical sense, "knowledge" is a "justified true belief"; I don't have proof that Pittsburgh won't be hit by a hurricane, but I can produce lots and lots of justification.

So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Interesting. So your "rational scientific indication" is that we've got no way of figuring out which side of my Pittsburgh weather bet is the smart one?

I don't believe this;

It is not necessary for you to believe it: It is what it is.

in fact, I think it's total bullshit.

Then you need to think about it more deeply.

I just did. It's still total bullshit.

Knowledge doesn't require proof. Belief doesn't require knowledge. Confidence doesn't even require belief.

-kitten

Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 23:40:04 GMT From: ritter@io.com (Terry Ritter) Message-ID: 37191bc9.2524456@news.io.com References: 7far4r$htf$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 85

On 17 Apr 1999 16:32:27 -0400, in 7far4r$htf$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

In article 3717cd6d.25617381@news.io.com, Terry Ritter ritter@io.com wrote:

On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

[...] So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is NO better than a cypher that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction.

But not-provable is not the same as unknown.

I don't know that Pittsburgh won't be hit by a devastating hurricane in the next month.

But I've got a bright crisp $20 in my pocket that says that it won't.

Which means to me that you have some understanding of the risk of hurricanes in Pittsburgh. You get this understanding from reported reality.

Unfortunately, neither you nor anyone else can have a similar understanding of the risk of cipher failure -- there is no reporting of cipher failure. There is instead every effort made to keep that information secret, and in fact to generate false reporting to buoy your unfounded delusion of strength.

In a philosophical sense, "knowledge" is a "justified true belief"; I don't have proof that Pittsburgh won't be hit by a hurricane, but I can produce lots and lots of justification.

Too bad we cannot do the same for a cipher.

So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

Interesting. So your "rational scientific indication" is that we've got no way of figuring out which side of my Pittsburgh weather bet is the smart one?

Nonsense. Knowing the past weather in Pittsburgh is possible: Knowing the past strength of a cipher is not.

I don't believe this;

It is not necessary for you to believe it: It is what it is.

in fact, I think it's total bullshit.

Then you need to think about it more deeply.

I just did. It's still total bullshit.

Then you need to think about it even more deeply.

Knowledge doesn't require proof. Belief doesn't require knowledge. Confidence doesn't even require belief.

Fine. I will grant that you can be confident completely independent of reality. Oddly, I assumed that we were talking Science here.

RATIONAL confidence requires a quantification of risk, even if only as a handwave generality. But that is not available in ciphers. Until we have a complete theory of strength, or a complete theory of cryptanalysis, we have no basis by which to judge the risk we take by using any particular cipher.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 01:55:36 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193b98.0@ecn.ab.ca References: 3717cd6d.25617381@news.io.com Newsgroups: sci.crypt Lines: 31

Terry Ritter (ritter@io.com) wrote:

: On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu,
: in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

: >[...]
: >So you're suggesting that a cypher that has withstood years of
: >intensive analysis by professionals is NO better than a cypher
: >that has not been analyzed at all?

: It is not provably better. And not provably better admits the
: possibility of contradiction. So we do not know. Which means that
: interpreting years of intensive analysis as strength is nothing more
: than DELUSION. Cryptanalysis of any length whatsoever provides no
: rational scientific indication of strength.

Yes and no.

Your point is valid, however, what do we do if there is no way to obtain a lower bound on the strength of a cipher? I fear this is quite possible: proving a cipher is strong against attacks we can't even imagine seems to me to be equivalent to solving the halting problem.

Then it does make sense to look at the upper bound, because it's one of the few indications we have. But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 22:03:47 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371cf9b7.7597561@news.io.com References: 37193b98.0@ecn.ab.ca Newsgroups: sci.crypt Lines: 55

On 18 Apr 99 01:55:36 GMT, in 37193b98.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Terry Ritter (ritter@io.com) wrote:

: On 16 Apr 1999 17:21:22 -0400, in 7f89ki$gng$1@quine.mathcs.duq.edu,
: in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

: >[...]
: >So you're suggesting that a cypher that has withstood years of
: >intensive analysis by professionals is NO better than a cypher
: >that has not been analyzed at all?

: It is not provably better. And not provably better admits the
: possibility of contradiction. So we do not know. Which means that
: interpreting years of intensive analysis as strength is nothing more
: than DELUSION. Cryptanalysis of any length whatsoever provides no
: rational scientific indication of strength.

Yes and no.

Your point is valid, however, what do we do if there is no way to obtain a lower bound on the strength of a cipher? I fear this is quite possible:

I agree.

proving a cipher is strong against attacks we can't even imagine seems to me to be equivalent to solving the halting problem.

We have the testimony of 50 years of mathematical cryptography which has not achieved the Holy Grail. I just think reality is trying to tell us something.

Then it does make sense to look at the upper bound, because it's one of the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

I'm not sure I understand this fully.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 16:21:01 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371df919.679323@news.prosurfr.com References: 371cf9b7.7597561@news.io.com Newsgroups: sci.crypt Lines: 37

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 01:55:36 GMT, in 37193b98.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Then it does make sense to look at the upper bound, because it's one of the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

It will definitely be higher than the lower bound, but yes, it doesn't prevent the lower bound from being low.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

Any security audit will have to include a disclaimer that the true security of the cipher systems used is essentially unknowable, but even real-world financial audits do routinely include various sorts of disclaimer.

But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

I'm not sure I understand this fully.

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) could still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 18:59:23 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371e2003.6163199@news.io.com References: 371df919.679323@news.prosurfr.com Newsgroups: sci.crypt Lines: 73

On Wed, 21 Apr 1999 16:21:01 GMT, in 371df919.679323@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part:

On 18 Apr 99 01:55:36 GMT, in 37193b98.0@ecn.ab.ca, in sci.crypt jsavard@ecn.ab.ca () wrote:

Then it does make sense to look at the upper bound, because it's one of the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

It will definitely be higher than the lower bound, but yes, it doesn't prevent the lower bound from being low.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

Any security audit will have to include a disclaimer that the true security of the cipher systems used is essentially unknowable, but even real-world financial audits do routinely include various sorts of disclaimer.

I think you will find that financial disclaimers are not to avoid responsibility for the financial service supplied. For example, an audit disclaimer might say that the audit results were correct, provided the supplied accounting information was correct. But that is something which is, at least in principle, verifiable.

We don't have financial disclaimers which say that the audit is 90 percent certain to be correct, which is the sort of thing you might like to think that cryptanalytic certification could at least do, since it cannot provide certainty. But the very idea makes no sense. The very companies that need the best auditing might also be the most deceptive and able to hide their manipulations. There is no useful "average" company, and so no useful statistics. Every case is different.

But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are far in advance of the state of current knowledge.

I'm not sure I understand this fully.

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) could still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

We could hardly disagree more.

I find "rounds" (the repeated application of the same operation) silly and I don't use them. I do use "layers" in which different operations are applied in each layer.

And I think that making a cipher more difficult to analyze can only benefit the Opponents who have more resources for analysis. Personally, I try to make ciphers as conceptually simple as possible (though not simpler). Simple does not mean weak; simple means appropriately decomposing the cipher into relatively few types of substantial subcomponent which can be understood on their own, then using those components in clear, structured ways.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Wed, 21 Apr 1999 23:41:13 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371e59c7.25432288@news.prosurfr.com References: 371e2003.6163199@news.io.com Newsgroups: sci.crypt Lines: 53

ritter@io.com (Terry Ritter) wrote, in part:

jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) could still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

We could hardly disagree more.

I find "rounds" (the repeated application of the same operation) silly and I don't use them. I do use "layers" in which different operations are applied in each layer.

And I think that making a cipher more difficult to analyze can only benefit the Opponents who have more resources for analysis. Personally, I try to make ciphers as conceptually simple as possible (though not simpler). Simple does not mean weak; simple means appropriately decomposing the cipher into relatively few types of substantial subcomponent which can be understood on their own, then using those components in clear, structured ways.

It certainly does make sense to understand the parts of a cipher, to ensure that the cipher is providing, as a minimum, some basic level of "security": that is, for example, one might know that one's cipher is at least as secure as DES, even if one doesn't know for sure that the effort required to break DES is not trivial.

The original poster - Sundial Services - praised your Dynamic Substitution because it "buries a lot more information" than ordinary designs, and this is the sort of thing I'm thinking of. When I got past his first paragraph, where he seemed to have forgotten about S-boxes, and saw that DynSub and the SIGABA were the kinds of designs he praised, I saw that the kinds of ciphers that appeal to him were the same ones as appeal intuitively to me.

Precisely because you have noted that we don't have a way to put a good lower bound on the effort required to break a cipher, I find it hard to think that I could achieve the goal, for a cipher, that is indeed appropriate for a scientific theory, of making it "as simple as possible, but no simpler"; if I am totally in the dark about how strong a cipher really is, and how astute my adversaries are, that seems an inadvisable goal, because I can never know what is necessary.

Since I have an upper bound instead of a lower bound, unless there is some way to resolve that problem, and your researches may well achieve something relevant, even if not a total solution, all I can do is try for a generous margin of safety. True, it's not proof. But proof isn't available, except for the one-time pad.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:38:15 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990038160001@dial-243-079.itexas.net References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 28

In article 37179b67.12809750@news.io.com, ritter@io.com (Terry Ritter) wrote:

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

It's at least good science, beyond making lots of sense. .....

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time.

I resemble that remark. Better dust off the ole compiler again. More dumb ciphers on the way...

.....The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

It's always difficult to stop a wave, be it composed of hordes of combatants or algorithms.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 20:15:32 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 371b8ba8.16131590@news.prosurfr.com References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 116

ritter@io.com (Terry Ritter) wrote, in part:

jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

I agree with you that we don't have a way to prove that a cipher really is strong. But cryptanalysis still gives the best confidence currently available.

It is not, frankly, the role of the innovator to educate the academics, or even to serve technology to them on a silver platter. In the end, academic reputation comes from reality, and the reality is that many crypto academics avoid anything new which does not have an academic source. The consequence is that they simply do not have the background to judge really new designs.

That is true: the desires of the academic community aren't a valid excuse for compromising one's cipher designs.

Upon encountering a new design, anyone may choose to simplify that design and then report results from that simplification. This is done all the time. It is not necessary for an innovator to make a simplified design for this purpose.

And that is one of the reasons why.

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

Are you drawing a distinction between "experimental investigation" and "cryptanalysis"? If so, it would appear you are saying that there is an additional method for obtaining some additional, though still imperfect, confidence in a cipher design.

Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

Most cipher users are more worried about their communications being read by the typical computer hacker than by the NSA.

I suppose it's possible that one day a giant EFT heist will be pulled off by retired NSA personnel, but that's the sort of thing which happens far more often as the plot for a movie than in real life.

The problem is, of course, that if one has data that should remain secret for 100 years, one does have to face advances in cryptanalytic knowledge...as well as unimaginable advances in computer power.

I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time. That means that we can divide the worth of our information into many different ciphers, so that if any one fails, only a fraction of messages are exposed. It also means that any Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

Neat.

And of course, I must confess that my present efforts in this direction have not gotten to the point of providing an explicit "toolkit". I've contented myself with explaining, in my web site, a large number of historical designs - with a very limited discussion of cryptanalysis - and I've illustrated how an amateur might design a cipher only by example, with the ciphers of my Quadibloc series, as well as various ideas in the conclusions sections of the first four chapters.

Right now, although my web site is educational, it's also fairly light and entertaining as well: I haven't tried to trouble the reader with any difficult math, for example.

John Savard ( teenerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 04:24:33 GMT From: ritter@io.com (Terry Ritter) Message-ID: 371c014c.3018295@news.io.com References: 371b8ba8.16131590@news.prosurfr.com Newsgroups: sci.crypt Lines: 107

On Mon, 19 Apr 1999 20:15:32 GMT, in 371b8ba8.16131590@news.prosurfr.com, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

ritter@io.com (Terry Ritter) wrote, in part: [...]

The truth is that we never know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

I agree with you that we don't have a way to prove that a cipher really is strong. But cryptanalysis still gives the best confidence currently available.

I guess I dispute "confidence." Confidence and Trust and Reliability are exactly what we do not have. I cannot say it more clearly: cryptanalysis gives us no lower bound to strength.

As an engineer growing up with an engineer dad, I have lived with bounded specifications most of my life. These bounds are what we pay for in products; this is the performance the manufacturer guarantees. I suppose like me most buyers have been caught at least once by the consequences of getting the cheapest part on the basis of "typical" specs instead of "worst case." But "typical" is all cryptanalysis tells us. Depending on that will sink us, sooner or later.

[...]

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for any cipher, experimentation is about all we have. But note how little of it we see.

Are you drawing a distinction between "experimental investigation" and "cryptanalysis"? If so, it would appear you are saying that there is an additional method for obtaining some additional, though still imperfect, confidence in a cipher design.

We were OK up to the "c" word: I assert that we can have no confidence in a cipher. We have no way to prove strength. Any strength we assume is based upon the conceit that all others are just as limited in their capabilities as we are. Drawing conclusions by wishing and hoping the other guy is at least as dumb as us is not my idea of good cryptography.

I do make a distinction (which probably should not exist) between "theoretical" or "equation-based" or "academic" cryptography and experimental investigation. I suppose this is really much like the difference between math and applied math, with much of the same theoretically friendly antagonism.

It is clear that we may never have a provable theory of strength. This may mean that our only possible avenue toward certainty is some sort of exhaustive test. Surely we cannot imagine such testing of a full-size cipher. But if we can scale that same design down, in the same way that small integers work like large ones, maybe we can work with large enough samples of the full population to be able to draw reasonable experimental conclusions.

Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

Most cipher users are more worried about their communications being read by the typical computer hacker than by the NSA.

I suppose it's possible that one day a giant EFT heist will be pulled off by retired NSA personnel, but that's the sort of thing which happens far more often as the plot for a movie than in real life.

The problem is, of course, that if one has data that should remain secret for 100 years, one does have to face advances in cryptanalytic knowledge...as well as unimaginable advances in computer power.

I wrote in a post which I did not send that if only NSA could read my mail, the way it is now, I would not much care. Of course things change in politics, and my view could change as well. But for me, NSA is really just an illustration of the abstract threat.

As I understand security, one of the worst things we can do is to make assumptions about our Opponents which do not represent their full threat capabilities. ("Never underestimate your opponent.") Because of this I am not interested in identifying a cipher Opponent, unless in the process I can identify them as the absolute worst threat and know their capabilities as well. This is obviously impossible. So if we are to enforce our security despite the actions and intents of others, we must assume our Opponents are far more powerful than we know, then learn to deal with that threat.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
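
An added example, not code from the thread and not one of Ritter's published designs: a toy 8-bit, layered block cipher small enough to enumerate over every key and every plaintext, together with the kind of experiments the scaled-down approach above invites: is the map a bijection under every key, how many output bits move when one input bit moves, and how large is the biggest entry of the difference distribution table, each measured against a random permutation as the reference population. The 4-bit S-box, the mixing layer and the key schedule are all constructed for this illustration and are not taken from any real cipher.

```python
"""Experimental evaluation of a scaled-down, layered toy cipher.

Added example: an 8-bit block, 8-bit key cipher built from distinct layers
(key XOR, nibble substitution, linear mixing, key XOR, substitution, key
XOR) so that every key and plaintext can be enumerated exhaustively.
The S-box, mixing layer and key schedule are constructed here and are
not taken from any published design.
"""
from collections import Counter
import random

# Constructed 4-bit S-box (a permutation of 0..15), applied to each nibble.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(i) for i in range(16)]


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sub_layer(x):
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def inv_sub_layer(x):
    return (INV_SBOX[x >> 4] << 4) | INV_SBOX[x & 0xF]


def mix_layer(x):
    # Linear diffusion: multiply by 1 + z + z^2 in GF(2)[z]/(z^8 + 1).
    # Invertible because gcd(1 + z + z^2, (z + 1)^8) = 1.
    return x ^ rotl8(x, 1) ^ rotl8(x, 2)


# Inverse of the mixing layer, found by exhaustive tabulation (only 256 inputs).
INV_MIX = [0] * 256
for _x in range(256):
    INV_MIX[mix_layer(_x)] = _x


def subkeys(k):
    # Constructed key schedule: three distinct subkeys from one key byte.
    return k, rotl8(k, 3) ^ 0x5A, rotl8(k, 5) ^ 0xA5


def encrypt(p, k):
    k0, k1, k2 = subkeys(k)
    return sub_layer(mix_layer(sub_layer(p ^ k0)) ^ k1) ^ k2


def decrypt(c, k):
    k0, k1, k2 = subkeys(k)
    return inv_sub_layer(INV_MIX[inv_sub_layer(c ^ k2) ^ k1]) ^ k0


def table(k):
    """The full codebook of one key: the object a scaled-down design lets us see."""
    return [encrypt(p, k) for p in range(256)]


def is_bijection_for_all_keys():
    return all(len(set(table(k))) == 256 for k in range(256))


def avalanche(tables):
    """Mean number of output bits flipped by a single input-bit flip."""
    total = count = 0
    for t in tables:
        for p in range(256):
            for i in range(8):
                total += bin(t[p] ^ t[p ^ (1 << i)]).count("1")
                count += 1
    return total / count


def max_differential_prob(tables):
    """Largest difference-distribution-table entry over the given keys, as a probability."""
    best = 0
    for t in tables:
        for a in range(1, 256):
            counts = Counter(t[p] ^ t[p ^ a] for p in range(256))
            best = max(best, max(counts.values()))
    return best / 256


def random_permutation(seed=1):
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return perm


def evaluate(num_keys=16):
    """Measure the toy cipher on a spread of keys and a random permutation as baseline."""
    cipher = [table(k) for k in range(0, 256, 256 // num_keys)]
    ideal = [random_permutation()]
    return {
        "bijective": is_bijection_for_all_keys(),
        "avalanche": avalanche(cipher),
        "avalanche_random": avalanche(ideal),
        "max_dp": max_differential_prob(cipher),
        "max_dp_random": max_differential_prob(ideal),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The random permutation gives the reference point: what the same statistics look like for the ideal population the design is supposed to resemble. A measured gap between the toy cipher and that reference is evidence about the structure, which is more than the "no attack found yet" upper bound provides; whether such measurements transfer from the 8-bit model to a full-size instance is exactly the open question the post above raises.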


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 19:20:24 +0200 From: Mok-Kong Shen mok-kong.shen@stud.uni-muenchen.de Message-ID: 371CB758.E30A081B@stud.uni-muenchen.de References: 371c014c.3018295@news.io.com Newsgroups: sci.crypt Lines: 17

Terry Ritter wrote:

I guess I dispute "confidence." Confidence and Trust and Reliability are exactly what we do not have. I cannot say it more clearly: cryptanalysis gives us no lower bound to strength.

No intention to take part in the current discussion. But the word 'lower bound' raised association in my mind to an interesting sentence that A. Salomaa wrote (1990):

There are no provable lower bounds for the amount of work
of a cryptanalyst analyzing a public-key cryptosystem.

M. K. Shen http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 23 Apr 1999 05:39:45 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: 7fp131$dg1$1@news.umbc.edu References: 37179b67.12809750@news.io.com Newsgroups: sci.crypt Lines: 51

Terry Ritter (ritter@io.com) wrote:

[...]
: It may be unfortunate for academic cryptographers that a wide variety
: of new techniques are pioneered by non-academics. But those
: techniques exist nevertheless, and to the extent that academics do not
: investigate them, those academics are not up with the state of the
: art.

: It is not, frankly, the role of the innovator to educate the
: academics, or even to serve technology to them on a silver platter.
: In the end, academic reputation comes from reality, and the reality is
: that many crypto academics avoid anything new which does not have an
: academic source.

This impression of the academic crypto community as a closed club that ignores the work of outsiders is flat out false. Consider power and timing analysis - the entire area came from the crypto left-field and was pioneered by a recent grad with a B.A. in biology. The work was good, so now he's one of those respected cryptologists. The various attacks I've heard on academics are invariably by those whose work is simply not of the same caliber.

For an example of an idea the crypto community has ignored because it is truly dreadful:

[...]
: And in this way we can have hundreds or thousands of different
: ciphers, with more on the way all the time. That means that we can
: divide the worth of our information into many different ciphers, so
: that if any one fails, only a fraction of messages are exposed.

Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.

: It : also means that any Opponent must keep up with new ciphers and : analyze and possibly break each, then design a program, or build new : hardware to exploit it. We can make good new ciphers cheaper than : they can possibly be broken. The result is that our Opponents must : invest far more to get far less, and this advantage does not depend : upon the delusion of strength which is all that cryptanalysis can : provide.

Nonsense. The attacker just waits for the information he wants to be transmitted under a system he can break.

--Bryan


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 23 Apr 1999 21:23:23 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 3720e200.23217001@news.prosurfr.com References: 7fp131$dg1$1@news.umbc.edu Newsgroups: sci.crypt Lines: 51

olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:

This impression of the academic crypto community as a closed club that ignores the work of outsiders is flat out false.
Consider power and timing analysis - the entire area came from the crypto left-field and was pioneered by a recent grad with a B.A. in biology. The work was good, so now he's one of those respected cryptologists. The various attacks I've heard on academics are invariably by those whose work is simply not of the same caliber.

I have every respect for the advanced work done by people such as Eli Biham or David Wagner. And you're absolutely right that cryptography, like many other fields, has its cranks and quacks.

However, I don't think it's appropriate to automatically conclude that everyone who expresses concern about the way in which the public cryptography field is going is necessarily a crank. For example, if even a layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that these designs all seem too regular, too repetitious, so that some form of analysis at least seems like it may be someday possible - well, if that is such a silly notion, what are you going to say to the people who designed MARS, who happen to be among the well-qualified?

For an example of an idea the crypto community has ignored because it is truly dreadful:

[...] : And in this way we can have hundreds or thousands of different : ciphers, with more on the way all the time. That means that we can : divide the worth of our information into many different ciphers, so : that if any one fails, only a fraction of messages are exposed.

Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.

While that is true, that just means that, for internal encryption in an organization, a method should not be used that allows employees to protect company data with ciphers their employer does not trust.

For a program of the PGP type, that lets people exchange E-Mail with other private individuals, allowing each party to specify a choice of preferred ciphers, and yet interoperate within the framework of using the same program, this sort of thing is a good idea.

'Dreadful' is not the same as 'not everywhere applicable'.

John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 25 Apr 1999 10:58:07 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: 7fusfv$as8$1@news.umbc.edu References: 3720e200.23217001@news.prosurfr.com Newsgroups: sci.crypt Lines: 79

John Savard (jsavard@tenMAPSONeerf.edmonton.ab.ca) wrote: : olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:

: >This impression of the academic crypto community as a closed : >club that ignores the work of outsiders is flat out false.
: >Consider power and timing analysis - the entire area came : >from the crypto left-field and was pioneered by a recent grad : >with a B.A. in biology. The work was good, so now he's one : >of those respected cryptologists. The various attacks I've : >heard on academics are invariably by those whose work is : >simply not of the same caliber.

: I have every respect for the advanced work done by people such as Eli Biham : or David Wagner. And you're absolutely right that cryptography, like many : other fields, has its cranks and quacks.

: However, I don't think it's appropriate to automatically conclude that : everyone who expresses concern about the way in which the public : cryptography field is going is necessarily a crank. For example, if even a : layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that : these designs all seem too regular, too repetitious, so that some form of : analysis at least seems like it may be someday possible - well, if that is : such a silly notion, what are you going to say to the people who designed : MARS, who happen to be among the well-qualified?

Quite right, but as I understood Mr. Ritter's statements, he's deriding the crypto establishment for ignoring the work of outsiders. My counter is not the crypto community is right to generally ignore outsiders, but that in fact they do no such thing.

: >For an example of an idea the crypto community has ignored : >because it is truly dreadful:

: >[...] : >: And in this way we can have hundreds or thousands of different : >: ciphers, with more on the way all the time. That means that we can : >: divide the worth of our information into many different ciphers, so : >: that if any one fails, only a fraction of messages are exposed.

: >Absurdly naive. In any real project or real enterprise, the : >same information is carried by many, many messages. The degree : >of protection of any piece of intelligence is that of the : >weakest of the systems carrying it.

: While that is true, that just means that, for internal encryption in an : organization, a method should not be used that allows employees to protect : company data with ciphers their employer does not trust.

I agree it means that, but certainly not that it "just means" that. Specifically, it should guide those employers in deciding how many ciphers to designate as trusted.

[...] : 'Dreadful' is not the same as 'not everywhere applicable'.

True, but I'm saying that in all the real projects or enterprises I know of, an attacker can gain most of the intelligence value in the message traffic by compromising only a small percentage of the messages. Are there projects in which documents do not go through many revisions? In which everyone works with a mutually exclusive subset of the information?

There is a situation worse than having all one's eggs in one basket. The problem with one basket is that there exists a potential failure that would be catastrophic. What's worse is a system in which any one of many possible failures would be catastrophic. If one accepts that in realistic applications of cryptography the same intelligence is available from many messages, then choosing from a thousand ciphers for each message moves us from one potential catastrophic failure to many potential catastrophic failures.

--Bryan


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 07:02:01 -0700 From: Sundial Services info@sundialservices.com Message-ID: 37232059.4FA1@sundialservices.com References: 7fusfv$as8$1@news.umbc.edu Newsgroups: sci.crypt Lines: 28

: olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part: [...] : However, I don't think it's appropriate to automatically conclude that : everyone who expresses concern about the way in which the public : cryptography field is going is necessarily a crank. For example, if even a : layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that : these designs all seem too regular, too repetitious, so that some form of : analysis at least seems like it may be someday possible ...

I think that this is basically where -I- am coming from. If you look at the design of these Feistel ciphers, well, to me they smack of Enigma, with its clockwork-like rotation of the cipher elements which ultimately proved its downfall. Compare this to SIGABA, which with its many layers of complexity "cascading" upon one another produced what is obviously an extremely strong cipher. There is a LOT more randomness for the cryptographer to figure out.

I stare at this "more stages = more security" story and ponder if, given the extreme regularity of the cipher algorithm, this intuitive notion is actually true. Frankly, I don't believe that it is.

I see no creativity here. (So to speak!!) (So to speak!!!!)

Furthermore... the ciphers are far simpler than they need to be. A computer program can do anything. It can use as much memory as it likes. My 2,048 bit public-key could just as easily be 200K and it would be no more difficult to manage.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 07:04:08 -0700 From: Sundial Services info@sundialservices.com Message-ID: 372320D8.59EC@sundialservices.com References: 37232059.4FA1@sundialservices.com Newsgroups: sci.crypt Lines: 15

Sundial Services wrote: [...]

I think that this is basically where -I- am coming from. If you look at the design of these Feistel ciphers, well, to me they smack of Enigma, with its clockwork-like rotation of the cipher elements which ultimately proved its downfall. Compare this to SIGABA, which with its many layers of complexity "cascading" upon one another produced what is obviously an extremely strong cipher. There is a LOT more randomness for the cryptographer to figure out.

I should clarify my thought here. The layers in SIGABA are not all the same design. The layers in an n-round Feistel cipher are, literally by definition, all the same. And all made of extremely simple primitive operations: bitwise substitution, shifting, exclusive-OR, perhaps multiplication ....


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 15:51:42 GMT From: m@mbsks.franken.de (Matthias Bruestle) Message-ID: 1999Apr25.155142.3195@mbsks.franken.de References: 37232059.4FA1@sundialservices.com Newsgroups: sci.crypt Lines: 28

Mahlzeit

Sundial Services (info@sundialservices.com) wrote:

Furthermore... the ciphers are far simpler than they need to be. A computer program can do anything. It can use as much memory as it likes. My 2,048 bit public-key could just as easily be 200K and it would be no more difficult to manage.

But you wouldn't want to use this key. A 9000bit key needs about 15 minutes of a 486DX 33MHz CPU. I think the decryption/signing time rises as n^2, so a 200kbit key would require about 100 hours of this CPU. A Pentium 200MHz, not that old, is about 10 times as fast and would require about 10 CPU hours. Would you want to wait 10 hours to read an email?

With all crypto applications there are speed requirements.

Mahlzeit

endergone Zwiebeltuete

-- PGP: SIG:C379A331 ENC:F47FA83D I LOVE MY PDP-11/34A, M70 and MicroVAXII!

Remember, even if you win the rat race -- you're still a rat.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 25 Apr 1999 23:49:11 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2504992349120001@dial-243-065.itexas.net References: 7fusfv$as8$1@news.umbc.edu Newsgroups: sci.crypt Lines: 31

In article 7fusfv$as8$1@news.umbc.edu, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:

There is a situation worse than having all one's eggs in one basket. The problem with one basket is that there exists a potential failure that would be catastrophic. What's worse is a system in which any one of many possible failures would be catastrophic. If one accepts that in realistic applications of cryptography the same intelligence is available from many messages, then choosing from a thousand ciphers for each message moves us from one potential catastrophic failure to many potential catastrophic failures.

With some effort, but it could be completely automated, using several algorithms, it is reasonable to maximize security available not by living in fear of the weakest algorithm but working to make sure the strongest was included.

Consider the following key handling scheme: A OTP quality stream key is converted to a number of complementary keys that must all be assimilated to reestablish the real key. Those several keys are encrypted using different algorithms. If any of the several algorithms is broken, it does not matter because all must be broken to get at the real key.

The disadvantages are the combined length of all the keys, and needing them all. A scheme might be devised somewhat similiar where only a certain number of the keys would be needed. The result would be the same, shared maximized strength of different algorithms.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.
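The key-handling scheme described above, as an added example that is not part of the original post: the "several complementary keys that must all be assimilated" construction is XOR secret splitting (n-of-n), and the variant "where only a certain number of the keys would be needed" is the standard threshold construction, Shamir's scheme, here over GF(2^8) with the AES polynomial. Encrypting each share under a different cipher is left to the caller; function names and the field choice are ours, not the post's.

```python
"""Split a key so that an attacker must break every cipher, not the weakest one.

Added example, not code from the thread.  xor_split/xor_join give the n-of-n
scheme from the post; shamir_split/shamir_join give the k-of-n variant the post
says "might be devised".  Each share would then be encrypted under a different
cipher (not done here).
"""
import os
from functools import reduce


def _xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---------- n-of-n: every share is required ----------

def xor_split(secret: bytes, n: int) -> list[bytes]:
    """Return n shares; all n XOR back to the secret, any n-1 are uniform noise."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    return shares + [reduce(_xor_bytes, shares, secret)]


def xor_join(shares: list[bytes]) -> bytes:
    return reduce(_xor_bytes, shares)


# ---------- k-of-n: Shamir over GF(2^8), polynomial x^8+x^4+x^3+x+1 (0x11B) ----------

def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a: int) -> int:
    return gf_pow(a, 254)  # a^254 = a^-1 in GF(2^8)


def shamir_split(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """n shares (x, y); any k reconstruct the secret, fewer reveal nothing about it."""
    assert 1 <= k <= n <= 255
    coeffs = [os.urandom(len(secret)) for _ in range(k - 1)]  # random a_1 .. a_{k-1}
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for i, s in enumerate(secret):
            acc = 0  # Horner evaluation of a_{k-1} x^{k-1} + ... + a_1 x + s
            for c in reversed(coeffs):
                acc = gf_mul(acc, x) ^ c[i]
            y.append(gf_mul(acc, x) ^ s)
        shares.append((x, bytes(y)))
    return shares


def shamir_join(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0 using exactly the shares given."""
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = gf_mul(num, xm)       # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed "OTP quality" stream key
    print(xor_join(xor_split(key, 4)) == key)
    parts = shamir_split(key, 3, 5)
    print(shamir_join([parts[0], parts[2], parts[4]]) == key)
```

Note the trade-off the post mentions: each share is as long as the key, so n shares cost n times the key length, and in the n-of-n form losing any one share (or its cipher) makes the key unrecoverable; the threshold form buys availability at the price of letting an attacker who breaks k of the n ciphers win.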


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 24 Apr 1999 01:15:17 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-2404990115180001@dial-243-115.itexas.net References: 7fp131$dg1$1@news.umbc.edu Newsgroups: sci.crypt Lines: 41

In article 7fp131$dg1$1@news.umbc.edu, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:

Terry Ritter (ritter@io.com) wrote:

[...] : And in this way we can have hundreds or thousands of different : ciphers, with more on the way all the time. That means that we can : divide the worth of our information into many different ciphers, so : that if any one fails, only a fraction of messages are exposed.

Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.

From a herd point of view, you may be right, but specific information between individuals is not apt to pass but once or few times at the most. To fully follow the dialog, all parts of the conversation should be recovered. Even when encrypted, however, the use of allegory and novel text, security measures in themselves, should be used.

> : It also means that any Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.
>
> Nonsense. The attacker just waits for the information he wants to be transmitted under a system he can break.

If certain information is so common, it may not be worth encrypting in the first place. The idea of putting all eggs in one basket, or very few, is not supportable; but one should only use promising baskets in any event. Keep 'em busy with ciphers that they have not even considered before.

Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 12:54:41 -0500 From: Medical Electronics Lab rosing@physiology.wisc.edu Message-ID: 37177961.663E@physiology.wisc.edu References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 47

Sundial Services wrote:

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Being reversible makes a cipher decipherable :-)

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

Terry's got a lot of good ideas. But even he would like a cipher that can be analyzed completely.

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

XOR is really addition in GF(2^n) and rotation is equivelent to multiplication by x (or squaring in a normal basis). These "simple" operations can come from really complex math. By using math as a basis for the creation of a cipher, you can determine the work factor to break it more accurately.

Some of the things you want to make happen in a cipher are "avalanch" and "diffusion". You want to make sure that if you change any one bit in the plain text that half the bits change in the cipher text. You also want to have a non-linear function between input and output so there is no hope of writing down a system of equations which could solve a cipher.

Just because something looks complex doesn't make it so. Some things which look really simple can have very complex mathematical relationships, and that's far more useful to a cipher design than something which appears complex but has a simple mathematical construction.

Patience, persistence, truth, Dr. mike
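An added example (not code from the thread or from any of its participants) that puts the "avalanche" claim above to the test with nothing but the simple operations the original question asks about: a toy Feistel cipher whose round function is MurmurHash3's fmix32 finaliser (shifts, XORs and two odd multiplications), keyed by XOR. The key schedule is a placeholder of our own, and the cipher is for measurement only, not for use. The avalanche function counts how many of the 64 output bits change when one input bit is flipped, averaged over random blocks and keys, for a chosen number of rounds.

```python
"""Avalanche measurement on a toy Feistel cipher built from shift, XOR and multiply.

Added example, not code from the thread.  fmix32 is the MurmurHash3 finaliser;
round_keys is a placeholder key schedule (ours); the cipher exists only so that
avalanche() has something to measure.
"""
import random

M32 = 0xFFFFFFFF


def fmix32(x: int) -> int:
    """Non-linear 32-bit bijection: only shifts, XORs and odd multiplications."""
    x ^= x >> 16
    x = (x * 0x85EBCA6B) & M32
    x ^= x >> 13
    x = (x * 0xC2B2AE35) & M32
    x ^= x >> 16
    return x


def round_keys(key: int, rounds: int) -> list[int]:
    """Placeholder schedule: walk the key through fmix32 once per round (not a real design)."""
    ks, k = [], key & M32
    for _ in range(rounds):
        k = fmix32(k ^ 0x9E3779B9)
        ks.append(k)
    return ks


def feistel_encrypt(block: int, key: int, rounds: int) -> int:
    L, R = block >> 32, block & M32
    for k in round_keys(key, rounds):
        L, R = R, L ^ fmix32(R ^ k)   # (L, R) -> (R, L xor F(R xor k))
    return (L << 32) | R


def feistel_decrypt(block: int, key: int, rounds: int) -> int:
    L, R = block >> 32, block & M32
    for k in reversed(round_keys(key, rounds)):
        L, R = R ^ fmix32(L ^ k), L   # undo one round, keys in reverse order
    return (L << 32) | R


def avalanche(rounds: int, trials: int = 200, seed: int = 1) -> float:
    """Mean number of the 64 ciphertext bits that flip per single plaintext-bit flip."""
    rng = random.Random(seed)  # fixed seed so the measurement is reproducible
    total = 0
    for _ in range(trials):
        p, key = rng.getrandbits(64), rng.getrandbits(32)
        c = feistel_encrypt(p, key, rounds)
        for bit in range(64):
            c2 = feistel_encrypt(p ^ (1 << bit), key, rounds)
            total += bin(c ^ c2).count("1")
    return total / (trials * 64)


if __name__ == "__main__":
    for r in (1, 2, 4, 8, 16):
        print(f"{r:2d} rounds: {avalanche(r):5.2f} of 64 output bits flip on average")
```

With one round a flipped bit in the left half changes exactly one output bit (the half is only copied), so the average is far below 32; by a handful of rounds the average sits at about 32, the "half the bits change" figure in the post. Reaching that figure is necessary for a good cipher, not sufficient: avalanche says nothing about whether the round function's algebraic structure can be exploited, which is what the thread is arguing about.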


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:16:49 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990016490001@dial-243-079.itexas.net References: 37177961.663E@physiology.wisc.edu Newsgroups: sci.crypt Lines: 32

In article 37177961.663E@physiology.wisc.edu, Medical Electronics Lab rosing@physiology.wisc.edu wrote:

Some of the things you want to make happen in a cipher are "avalanch" and "diffusion". You want to make sure that if you change any one bit in the plain text that half the bits change in the cipher text. You also want to have a non-linear function between input and output so there is no hope of writing down a system of equations which could solve a cipher.

See there, you prove his point, as avalanche paired with diffusion are essential properties of operations involving only some ciphers, and cryptography can be done with nary a bit in sight.

The design can demand so many equations be written that it is impractical to do so.

Just because something looks complex doesn't make it so.

To that, I agree.

Some things which look really simple can have very complex mathematical relationships, and that's far more useful to a cipher design than something which appears complex but has a simple mathematical construction.

Then there are those designs that tend to impress people because they are overly complex in construction and perhaps made so for devious purposes.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 21:16:02 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 3717E0D2.225A@worldnet.att.net References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 56

Sundial Services wrote:

> When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

> About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

> My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

As layman to layman - the most obvious reason is that these simple operations are easy to analyze. It is not by accident that the only exception to this rule is IDEA, based on modular multiplication, and this immediately brushes away a whole bunch of possible attacks.

Another observation - most published attacks against various ciphers are essentially attacking not as much the cipher per se, as its key schedule. It is not by accident that BLOWFISH is so steady, its key schedule does not provide any opportunity for related-key attacks. On the other hand, a recently published attack against IDEA makes heavy use of the fact that its subkeys are produced just by 25-bit circular shift. Use another key scheduling mechanism (same modular multiplication which is already present in the program), and this attack will result in nothing.

As a layman, I experimented with modular multiplication mod 2^32-1 and mod 2^32+1, found the cycles produced by raising different numbers to the subsequent powers, discovered methods of testing numbers for having the multiplicative inverses, and finally wrote a program for a cipher which I call LETSIEF (FEISTEL spelled backwards). This program uses multiplication mod 2^32-1 as the combining operation between L and R halves. The speed is fantastic - multiplication mod 2^32-1 is implemented in 3 processor instructions on a Pentium, an array of 256 modular multipliers assures full plaintext dependency, inverses also occupy an array of 256 elements, so the only difference between encryption and decryption is that you take your multiplier from a conjugate array. Key scheduling uses the same multiplication routine which already exists in the program.

I am not going to post this program or to promote it in any way. It serves my purposes, I am ready to give the code to anybody who is interested, but nothing beyond that.

BTW, I also experimented with multiplication mod 2^64+1 and 2^64-1. Unfortunately, I am not so great a programmer, and my computer has no 64-bit registers. So beyond some basic knowledge, nothing yet did come into practice (but the ciphers could be terrific!).

Best wishes BNK


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 15:38:34 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.1182a9a3823e66899899fb@news.rmi.net References: 3717E0D2.225A@worldnet.att.net Newsgroups: sci.crypt Lines: 33

In article 3717E0D2.225A@worldnet.att.net, bkazak@worldnet.att.net says...

[ ... ]

BTW, I also experimented with multiplication mod 2^64+1 and 2^64-1. Unfortunately, I am not so great a programmer, and my computer has no 64-bit registers. So beyond some basic knowledge, nothing yet did come into practice (but the ciphers could be terrific!).

...or they might not be. 2^32-1 happens to be a prime number. In many cases, the smallest factor of your modulus has a large effect on the security of encryption using that modulus.

By contrast, 2^64-1 is what you might call extremely composite -- its prime factorization is (3 5 17 257 641 65537 6700417). This large number of relatively small factors will often make this a particularly bad choice of modulus.

Depending on what you're doing, 2^64+1 is likely to be a MUCH better choice -- it's still not a prime, but its prime factorization is (274177 67280421310721). In many cases, the largest prime factor is what matters, and in this case, it's MUCH larger -- 14 digits instead of 7 (which is also considerably larger than 2^32-1). Unfortunately, using 2^64+1 as a modulus is likely to be fairly difficult even if you have a 64-bit type available.

I obviously haven't studied your encryption method in detail (or at all) so I don't know that this will make a difference in your particular case, but it's definitely something to keep in mind. Many, many forms of encryption that work quite well in 32-bit arithmetic basically fall to pieces when converted to use 64-bit arithmetic instead.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Mon, 19 Apr 1999 19:45:17 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 371BC00D.3FA8@worldnet.att.net References: MPG.1182a9a3823e66899899fb@news.rmi.net Newsgroups: sci.crypt Lines: 53

Jerry Coffin wrote:

> ...or they might not be. 2^32-1 happens to be a prime number. In many cases, the smallest factor of your modulus has a large effect on the security of encryption using that modulus.

Sorry, 2^32-1 = 3 * 5 * 17 * 257 * 65537, but I have found nice ways to set up key-derived multipliers in this field. The maximum length of the multiplicative cycle is 65536, so you can select an appropriate SEED and raise it to any power < 2^16. In fact, both the modular multiplier and its inverse are computed in the same subroutine.

> By contrast, 2^64-1 is what you might call extremely composite -- its prime factorization is (3 5 17 257 641 65537 6700417). This large number of relatively small factors will often make this a particularly bad choice of modulus.

Also not necessarily. The important thing is the multiplicative cycle length which can be achieved, this gives you an idea of how many multipliers you can produce from an appropriately chosen SEED. BTW, the only practical requirement to the SEED is that it should produce the maximum length cycle of its powers, i.e. be a generator.

> Depending on what you're doing, 2^64+1 is likely to be a MUCH better choice -- it's still not a prime, but its prime factorization is (274177 67280421310721). In many cases, the largest prime factor is what matters, and in this case, it's MUCH larger -- 14 digits instead of 7 (which is also considerably larger than 2^32-1). Unfortunately, using 2^64+1 as a modulus is likely to be fairly difficult even if you have a 64-bit type available.

As a matter of fact, very easy. The hex number c720a6486e45a6e2 produces in the 2^64+1 field a cycle of its own powers which is 72057331223781120 long (just under 2^56). This number is simply the first 16 hex digits of sqrt(3), and I am sure that it will take me not more than 15 minutes to find 5-6 numbers more like this. (Please, don't ask me about a source code for the program, I've written it in FORTH). So I can generate random 32-bit subkeys, raise my SEED to these powers and I am in business... Go guess the linear and differential properties of these multipliers, especially if they will be chosen for encryption in a plaintext-dependent way!

> I obviously haven't studied your encryption method in detail (or at all) so I don't know that this will make a difference in your particular case, but it's definitely something to keep in mind. Many, many forms of encryption that work quite well in 32-bit arithmetic basically fall to pieces when converted to use 64-bit arithmetic instead.

I do not intend to keep it secret. If you are interested (just for fun), I am ready to discuss with you the method of file transfer (unfortunately, I don't have a Web page).

Thanks for your courtesy Best wishes BNK


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 11:42:53 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: MPG.11866a88f9e5b896989a08@news.rmi.net References: 371BC00D.3FA8@worldnet.att.net Newsgroups: sci.crypt Lines: 40

In article 371BC00D.3FA8@worldnet.att.net, bkazak@worldnet.att.net says...

Jerry Coffin wrote:

> ...or they might not be. 2^32-1 happens to be a prime number. In many cases, the smallest factor of your modulus has a large effect on the security of encryption using that modulus.

Sorry, 2^32-1 = 3 * 5 * 17 * 257 * 65537, but I have found nice ways to set up key-derived multipliers in this field. The maximum length of the multiplicative cycle is 65536, so you can select an appropriate SEED and raise it to any power < 2^16. In fact, both the modular multiplier and its inverse are computed in the same subroutine.

Oops -- my bad. It's 2^31-1 which is a prime. Of course, if you work in 32-bit integers, it's also 2^31-1 that you end up using as a modulus unless you take steps to ensure against it.

However, even though I wasn't thinking very straight when posting, the fact remains that the largest 32-bit number is a prime, and the largest 64-bit number isn't. Interestingly enough, 2^63+1 also has a much larger factor than 2^63-1, though it's a lot smaller than the largest factor of 2^64+1 (only 11 digits instead of 14).

I do not intend to keep it secret. If you are interested (just for fun), I am ready to discuss with you the method of file transfer (unfortunately, I don't have a Web page).

If it's written in Forth, I'll pass, thanks anyway. It's been many years since the last time I tried to work in Forth at all, and from what I remember, it's probably something that you have to either use a lot, or you might as well forget it completely.

Then again, I suppose many people would say the same about C, C++ and Scheme, all of which I use fairly regularly. Scheme (or almost any LISP-like language) supports working with large integers, which tends to be handy when you're dealing with factoring and such.

Thanks for your courtesy Best wishes BNK

Likewise, especially when I posted something as boneheaded as I did...


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 19:53:16 -0400 From: Boris Kazak bkazak@worldnet.att.net Message-ID: 371D136C.411A@worldnet.att.net References: MPG.11866a88f9e5b896989a08@news.rmi.net Newsgroups: sci.crypt Lines: 22

Jerry Coffin wrote:

> If it's written in Forth, I'll pass, thanks anyway. It's been many years since the last time I tried to work in Forth at all, and from what I remember, it's probably something that you have to either use a lot, or you might as well forget it completely.

No, it's plain conventional C, even without Assembler. It is one of my "essays" on the subject of drunken ciphers, where you set up a lot of S-boxes deriving them from the key, and then encrypt using the plaintext-dependent path through these S-boxes. so that each plaintext will follow the maze along its own unique path. Quite entertaining... BTW, key scheduling uses the same modular multiplication already present in the program.

Then again, I suppose many people would say the same about C, C++ and Scheme, all of which I use fairly regularly. Scheme (or almost any LISP-like language) supports working with large integers, which tends to be handy when you're dealing with factoring and such.

Thanks for your courtesy Best wishes BNK

Likewise, especially when I posted something as boneheaded as I did...


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Tue, 20 Apr 1999 02:50:00 GMT From: phr@netcom.com (Paul Rubin) Message-ID: phrFAGvvC.3vz@netcom.com References: MPG.1182a9a3823e66899899fb@news.rmi.net Newsgroups: sci.crypt Lines: 10

In article MPG.1182a9a3823e66899899fb@news.rmi.net, Jerry Coffin jcoffin@taeus.com wrote:

...or they might not be. 2^32-1 happens to be a prime number.

2^32-1 = (2^16)^2-1 = (2^16+1)(2^16-1) = (2^16+1)(2^8+1)(2^8-1) = (2^16+1)(2^8+1)(2^4+1)(2^4-1) = (2^16+1)(2^8+1)(2^4+1)(2^2+1)(2^2-1) = 65537 * 257 * 17 * 5 * 3
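The factorization above, carried through in code as an added example (not from the post), together with the consequence that matters when a cipher multiplies modulo 2^32-1: a residue a has a multiplicative inverse mod m only when gcd(a, m) = 1, so with a composite modulus some multipliers are not reversible. The example generalizes the post's difference-of-squares chain to 2^(2^k)-1 and counts the invertible residues from the prime factorization (Euler's phi for a squarefree modulus); the only assumption is the small trial-division primality check used to confirm each factor is prime.

```python
from math import gcd, prod


def fermat_factors(k: int):
    """Factor 2**(2**k) - 1 into F_0 .. F_{k-1}, F_i = 2**(2**i) + 1, by applying
    x^2 - 1 = (x + 1)(x - 1) repeatedly, exactly the chain written in the post.
    Note: the F_i are known to be prime only for i <= 4, so this gives a *prime*
    factorization for k <= 5 (2**32 - 1); larger k still yields a valid
    factorization, but some factors are composite (F_5 = 2**32 + 1 is not prime)."""
    return [2 ** (2 ** i) + 1 for i in range(k)]


def is_prime(n: int) -> bool:
    """Trial division; adequate for the factor sizes in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def units_count(m: int, prime_factors) -> int:
    """Euler's phi(m) for a squarefree m given its distinct prime factors:
    the number of residues in [0, m) with a multiplicative inverse mod m."""
    assert prod(prime_factors) == m, "factors must multiply to m"
    assert len(set(prime_factors)) == len(prime_factors), "m must be squarefree"
    assert all(is_prime(p) for p in prime_factors), "all factors must be prime"
    return prod(p - 1 for p in prime_factors)


def noninvertible_fraction(m: int, prime_factors) -> float:
    """Share of multipliers a mod m for which x -> a*x mod m is NOT a bijection,
    i.e. for which a ciphering step built on it could not be undone."""
    return 1 - units_count(m, prime_factors) / m


def brute_noninvertible(m: int) -> int:
    """Direct count of a in [0, m) with gcd(a, m) > 1; small m only."""
    return sum(1 for a in range(m) if gcd(a, m) > 1)


if __name__ == "__main__":
    m = 2 ** 32 - 1
    fs = fermat_factors(5)
    print(m, "=", " * ".join(str(p) for p in reversed(fs)))
    print("non-invertible multipliers mod 2^32-1:", noninvertible_fraction(m, fs))
    print("non-invertible multipliers mod 2^16+1:", noninvertible_fraction(2 ** 16 + 1, [2 ** 16 + 1]))
```

The contrast is the practical point: modulo the prime 2^16+1 only zero lacks an inverse, while modulo 2^32-1 roughly half of all residues do, so a design that multiplies by key- or data-derived values modulo 2^32-1 must explicitly exclude them or lose invertibility.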


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 00:03:53 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1704990003530001@dial-243-079.itexas.net References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 26

In article 371749CC.4779@sundialservices.com, info@sundialservices.com wrote:

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.

You've got it right, cryptography is a most complicated and broad field; everyone cooperating to plow and plant the same furrow does not make lots of sense.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sat, 17 Apr 1999 18:18:34 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 3718cff6.15699939@news.visi.com References: 371749CC.4779@sundialservices.com Newsgroups: sci.crypt Lines: 25

On Fri, 16 Apr 1999 07:31:40 -0700, Sundial Services info@sundialservices.com wrote:

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

Operations from the RISC subset are efficient on a wide variety of microprocessors. Look at the AES submissions. Algorithms that limited themselves to those operations--Serpent, Rijndael, Twofish--had relatively equivalent performance on 8-bit CPUs, 32-bit CPUs, smart card, DSPs, etc. Algorithms that used more complicated operations like data dependent rotations and multiplications--Mars, RC6, DFC--had widely different performance depending on the particular characteristics of the CPU it is running on.

For a standard cipher at least, sticking to the RISC subset is just smart.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: 18 Apr 99 02:10:22 GMT From: jsavard@ecn.ab.ca () Message-ID: 37193f0e.0@ecn.ab.ca References: 3718cff6.15699939@news.visi.com Newsgroups: sci.crypt Lines: 15

Bruce Schneier (schneier@counterpane.com) wrote:
: For a standard cipher at least, sticking to the RISC subset is just smart.

My comment on that paragraph is that he forgot S-boxes, which, if one is using the RISC subset, one cannot omit. But looking at the rest of his post, I don't think he was thinking of things like data-dependent rotations, multiplication, and so on, as much as he was thinking of more creative use of S-boxes or more creative combinations of RISC-subset operations.

Think FROG. Or recall my "Mishmash" posting. This, I think, is the kind of thing he is talking about.

John Savard


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:41:15 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990041160001@dial-243-094.itexas.net References: 3718A7C9.12B5EEF@null.net 3718324d.13916819@news.io.com Newsgroups: sci.crypt Lines: 15

In article 3718A7C9.12B5EEF@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

I guess you're talking about AES. If time constraints allow, that would be one reasonable part of the evaluation procedure, but you still have to draw the line somewhere and pick the best-to-date.

Ah, elections do come up at some point. As I remember, the final pick is to be submitted to higher, political, authority for approval, which is apt not to be a technical decision based on purely scientific considerations. Meanwhile, back at the ranch, we can make things better by trying to go beyond such a seal.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 00:45:35 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804990045350001@dial-243-094.itexas.net References: 3718A84E.A90A3130@null.net jgfunj-1704990016490001@dial-243-079.itexas.net Newsgroups: sci.crypt Lines: 15

In article 3718A84E.A90A3130@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

wtshaw wrote:

The design can demand so many equations be written that it is impractical to do so.

How could the design be conveyed to the implementor, then?

I was thinking more in terms of a simple design, guess, where the burden of writing the equations would be on the attacker who would be trying to make sense out of lots of ciphertext. You know, something easy to do knowing the key, and impractical not knowing it.

Too much of a good thing can be much worse than none.


Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Sun, 18 Apr 1999 23:36:51 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: jgfunj-1804992336510001@dial-243-098.itexas.net References: 3719F8DA.B280DB30@null.net jgfunj-1804990041160001@dial-243-094.itexas.net Newsgroups: sci.crypt Lines: 28

In article 3719F8DA.B280DB30@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

wtshaw wrote:

Ah, elections do come up at some point. As I remember, the final pick is to be submitted to higher, political, authority for approval, which is apt not to be a technical decision ...

The technical decision would already have been made, and any further process would be simply an approve/disapprove decision.

That is an easy prediction for a technical person. In politics, the rule is there are no rules, except that rules are more equal for those who contribute to the right people.

I don't know what "elections" have to do with it. You can't think that the electorate in general cares one whit about AES.

A new random permutation generator: You put X windoze machines in a room, merely start them up, and record the order in which they eventually crash on their own.


Terry Ritter, his current address, and his top page.

Last updated: 2001-06-11