Can We Trust Our Cipher?

Terry Ritter

A Ciphers By Ritter Page

There would seem to be no point in using a cipher we cannot trust. Unfortunately, that is the reality we find ourselves in. There is no cipher we can rationally trust in practice. We can thus either content ourselves with trust as a delusion, or accept the appalling reality and try to innovate a system which improves our situation.




Subject: Re: Notes on the "Vortex" block cipher Date: Sun, 14 May 2000 21:14:48 GMT From: Tom St Denis stdenis@compmore.net Message-ID: 8fn500$82o$1@nnrp1.deja.com References: 391f108c.2748172@news.io.com 8fmhlt$k30$1@nnrp1.deja.com Newsgroups: sci.crypt Lines: 20

In article 391f108c.2748172@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Sun, 14 May 2000 15:45:04 GMT, in 8fmhlt$k30$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

[...] Yeah but in blowfish all of the input goes thru the sboxes. So you can't just say "Blowfish is similar so my cipher must be secure too".

...especially since there is no way to know that Blowfish is secure in the first place.

There has been some scrutiny of blowfish. I would trust it.

Tom

Sent via Deja.com http://www.deja.com/ Before you buy.


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 02:11:27 GMT From: ritter@io.com (Terry Ritter) Message-ID: 391f5cb2.1938412@news.io.com References: 8fn500$82o$1@nnrp1.deja.com Newsgroups: sci.crypt Lines: 26

On Sun, 14 May 2000 21:14:48 GMT, in 8fn500$82o$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

In article 391f108c.2748172@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Sun, 14 May 2000 15:45:04 GMT, in 8fmhlt$k30$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

[...] Yeah but in blowfish all of the input goes thru the sboxes. So you can't just say "Blowfish is similar so my cipher must be secure too".

...especially since there is no way to know that Blowfish is secure in the first place.

There has been some scrutiny of blowfish. I would trust it.

You can wish and hope and believe what you want, but there still is no scientific basis for such trust.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 02:38:56 GMT From: Tom St Denis stdenis@compmore.net Message-ID: 8fnnvu$s29$1@nnrp1.deja.com References: 391f5cb2.1938412@news.io.com Newsgroups: sci.crypt Lines: 36

In article 391f5cb2.1938412@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Sun, 14 May 2000 21:14:48 GMT, in 8fn500$82o$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

In article 391f108c.2748172@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Sun, 14 May 2000 15:45:04 GMT, in 8fmhlt$k30$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

[...] Yeah but in blowfish all of the input goes thru the sboxes. So you can't just say "Blowfish is similar so my cipher must be secure too".

...especially since there is no way to know that Blowfish is secure in the first place.

There has been some scrutiny of blowfish. I would trust it.

You can wish and hope and believe what you want, but there still is no scientific basis for such trust.

By that same token, never drive a car, ride a bus, fly a plane, get in an elevator, etc., because you would have to trust those engineers too.

Tom

Sent via Deja.com http://www.deja.com/ Before you buy.


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 06:41:59 GMT From: ritter@io.com (Terry Ritter) Message-ID: 391f9c27.3970068@news.io.com References: 8fnnvu$s29$1@nnrp1.deja.com Newsgroups: sci.crypt Lines: 62

On Mon, 15 May 2000 02:38:56 GMT, in 8fnnvu$s29$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

In article 391f5cb2.1938412@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Sun, 14 May 2000 21:14:48 GMT, in 8fn500$82o$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

In article 391f108c.2748172@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Sun, 14 May 2000 15:45:04 GMT, in 8fmhlt$k30$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

[...] Yeah but in blowfish all of the input goes thru the sboxes. So you can't just say "Blowfish is similar so my cipher must be secure too".

...especially since there is no way to know that Blowfish is secure in the first place.

There has been some scrutiny of blowfish. I would trust it.

You can wish and hope and believe what you want, but there still is no scientific basis for such trust.

By that same token, never drive a car, ride a bus, fly a plane, get in an elevator, etc., because you would have to trust those engineers too.

Nonsense. That is not the same at all:

In all normal fields of engineering design (and I am a professional engineer), engineers can test their work. Most designs will have specifications, and the resulting equipment can be tested to see if it meets those specifications. In most areas of life, we can detect design bugs simply because the machine (including software) does not do what we want it to: it does not meet specs.

But in cryptography -- alone out of all fields as far as I know -- we cannot know whether a cipher will keep our information from our opponents. Indeed, we do not even know who our opponents are, nor can we know their capabilities. We thus cannot test that a cipher does what we use a cipher to do. We can only test things like "can it encipher any possible thing," "can it decipher every possible enciphering," and measure "how fast does it work." But that is not what we use a cipher to do. We use a cipher to keep our information secret, yet we can't know whether or not it does.

We can trust other systems in our lives because we can see that they do what we want them to do. We cannot know that about cryptography. And neither can the "experts." So we are ill-advised to trust.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 09:49:22 GMT From: Tom St Denis stdenis@compmore.net Message-ID: 8foh6v$mib$1@nnrp1.deja.com References: 391f9c27.3970068@news.io.com Newsgroups: sci.crypt Lines: 24

In article 391f9c27.3970068@news.io.com, ritter@io.com (Terry Ritter) wrote:

Nonsense. That is not the same at all:

In all normal fields of engineering design (and I am a professional engineer), engineers can test their work. Most designs will have specifications, and the resulting equipment can be tested to see if it meets those specifications. In most areas of life, we can detect design bugs simply because the machine (including software) does not do what we want it to: it does not meet specs.

Hindenburg. Nuff said.

You are trying to tell me everything engineers do is flawless? Shaw- right.

There is some science behind cryptography whether you want to believe it or not.

Tom

Sent via Deja.com http://www.deja.com/ Before you buy.


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 13:39:08 +0200 From: Runu Knips runu.knips.NOSPAM@DELETEgmx.de Message-ID: 391FE1DC.E164C696@DELETEgmx.de References: 8foh6v$mib$1@nnrp1.deja.com Newsgroups: sci.crypt Lines: 7

Tom St Denis wrote:

There is some science behind cryptography whether you want to believe it or not.

And I think his dislike of Blowfish is only instinctive. I would trust Blowfish, too. It only requires a little bit too much resources for some applications.


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 17:18:20 GMT From: ritter@io.com (Terry Ritter) Message-ID: 39203155.2427148@news.io.com References: 391FE1DC.E164C696@DELETEgmx.de Newsgroups: sci.crypt Lines: 22

On Mon, 15 May 2000 13:39:08 +0200, in 391FE1DC.E164C696@DELETEgmx.de, in sci.crypt Runu Knips runu.knips.NOSPAM@DELETEgmx.de wrote:

Tom St Denis wrote:

There is some science behind cryptography whether you want to believe it or not.

And I think his dislike of Blowfish is only instinctive. I would trust Blowfish, too. It only requires a little bit too much resources for some applications.

That particular answer of mine would have been the same for any other cipher. The problem is not a particular cipher, the problem is in trusting something which cannot be tested to see how closely it comes to doing what we want it to do.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 19:57:09 GMT From: Tom St Denis stdenis@compmore.net Message-ID: 8fpkqb$v8c$1@nnrp1.deja.com References: 39203155.2427148@news.io.com Newsgroups: sci.crypt Lines: 34

In article 39203155.2427148@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Mon, 15 May 2000 13:39:08 +0200, in 391FE1DC.E164C696@DELETEgmx.de, in sci.crypt Runu Knips runu.knips.NOSPAM@DELETEgmx.de wrote:

Tom St Denis wrote:

There is some science behind cryptography whether you want to believe it or not.

And I think his dislike of Blowfish is only instinctive. I would trust Blowfish, too. It only requires a little bit too much resources for some applications.

That particular answer of mine would have been the same for any other cipher. The problem is not a particular cipher, the problem is in trusting something which cannot be tested to see how closely it comes to doing what we want it to do.

But that's true of any finite state machine. So therefore trust nothing? I think that's a bit bitter. Realistic or not.

We need to send secure digital info, this is the best we can do. If cipher X stops 99.999999% of all messages from being read then I will be happy with it.

Tom

Sent via Deja.com http://www.deja.com/ Before you buy.


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 17:09:32 -0400 From: "Trevor L. Jackson, III" fullmoon@aspi.net Message-ID: 3920678C.9AD95C37@aspi.net References: 8fpkqb$v8c$1@nnrp1.deja.com Newsgroups: sci.crypt Lines: 46

Tom St Denis wrote:

In article 39203155.2427148@news.io.com, ritter@io.com (Terry Ritter) wrote:

On Mon, 15 May 2000 13:39:08 +0200, in 391FE1DC.E164C696@DELETEgmx.de, in sci.crypt Runu Knips runu.knips.NOSPAM@DELETEgmx.de wrote:

Tom St Denis wrote:

There is some science behind cryptography whether you want to believe it or not.

And I think his dislike of Blowfish is only instinctive. I would trust Blowfish, too. It only requires a little bit too much resources for some applications.

That particular answer of mine would have been the same for any other cipher. The problem is not a particular cipher, the problem is in trusting something which cannot be tested to see how closely it comes to doing what we want it to do.

But that's true of any finite state machine.

Not quite. TR expressed the purpose of the cipher as if it were a positive statement; "what we want it to do". But that expression is confusing because what we want is a negative proposition. The purpose of a cipher is to not leak information. Because the purpose is negative it is not testable. More accurately, no finite sequence of tests can prove that no leaks are possible.

So therefore trust nothing? I think that's a bit bitter. Realistic or not.

We need to send secure digital info, this is the best we can do. If cipher X stops 99.999999% of all messages from being read then I will be happy with it.

But how will you know whether it stops any percentage of messages from being read? You can assume that the cipher prevents messages from being read, but then you're dodging the question. The fundamental issue is what basis we have for making that assumption. In theory, none.


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 17:55:51 -0600 From: John Myre jmyre@sandia.gov Message-ID: 39208E87.C9EBE8BE@sandia.gov References: 3920678C.9AD95C37@aspi.net Newsgroups: sci.crypt Lines: 16

"Trevor L. Jackson, III" wrote:

> The purpose of a cipher is to not leak information. Because the purpose is negative it is not testable. More accurately, no finite sequence of tests can prove that no leaks are possible.

That's too much. As a counterexample, an "ideal OTP" can be proven not to leak information. (I don't think the controversy over whether "truly random" bits are practically obtainable changes this).

One could say that there is at present a lamentable dearth of proven results, but I don't think it is reasonable to go further and say that provable results are impossible.

John M.


Subject: Re: Notes on the "Vortex" block cipher Date: 16 May 2000 00:19:22 GMT From: David A Molnar dmolnar@fas.harvard.edu Message-ID: 8fq46a$448$1@news.fas.harvard.edu References: 39208E87.C9EBE8BE@sandia.gov Newsgroups: sci.crypt Lines: 67

John Myre jmyre@sandia.gov wrote:

One could say that there is at present a lamentable dearth of proven results, but I don't think it is reasonable to go further and say that provable results are impossible.

Oddly enough, there seem to be some more recent schemes which are information-theoretically secure. Maurer's web page used to have an excellent demo of "Secret Key Agreement by Public Discussion" which really made a complicated protocol come home. I can't find it now; they seem to be re-working their web page.

The idea there is that there's some source of random bits in the sky. Alice, Bob, and Eve (a passive eavesdropper, no MITM yet) all have access to it and are receiving a stream of bits. But the channel they use to receive bits is noisy, and so there are all these random errors in the string. Through a series of clever manipulations, Alice and Bob can agree on a random string which they share, but Eve has negligible clue about. EVEN if Eve is computationally unbounded. Then the string can be used as a OTP.

Later his group extended this to the Mallet case. I think then Alice and Bob have to share a very short secret with which to authenticate each other, but then they can stretch it into as many bits as they like. The best place to look would be Stefan Wolf's thesis (if that's up on the web yet?) or do a web search for "secret key agreement by public discussion."

The other interesting result is in the "bounded storage space model." Aumann and Rabin at Crypto '99. Same deal -- there's a satellite broadcasting random bits in the sky to everyone. Alice and Bob share a very short secret which they would like to stretch into a longer secret.

Eve is computationally unbounded. Her only limitation is that there is some constant bound on the amount of storage she has. It can be very big, like terabytes, just as long as it's constant.

The idea is that the satellite in the sky is considered as outputting a big stream of random bits. The short secret Alice and Bob share is an index into the stream; it tells them which bits to save. So they only have to store a few bits. Eve, on the other hand, doesn't know the secret, and so doesn't know which bits to save -- she has to store them all. Eventually Eve runs out of space and has to either throw away information or not save new incoming bits. Then Alice and Bob can use some of the bits they've saved as a OTP confident that Eve knows a negligible fraction of them.

The best part? If Eve didn't store the bits going by, she can never get them back. That's because we have a random bit source which will only rarely repeat the same part of the stream twice. So it doesn't matter if Eve buys a bigger hard drive after Alice and Bob get their OTP -- the pad is still safe.

This explanation doesn't cover how Alice and Bob decide which bits to use of the ones they are saving, of course. Nor does it cover the question of "what if Eve tries to store only every other bit, or the parity of a bunch of bits, or some function of all the bits." The paper deals with those questions...and I don't have it in front of me at the moment. It's still worth looking at if you want to see crypto which might be practical without computational assumptions.

The nasty bit about both of these is that they require a public source of random bits. Your mileage may vary as to whether that's more realistic assumption than "RSA is hard" or "DES is hard."

Thanks, -David
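The bounded-storage scheme David describes (a public stream, a short shared secret that says which bits to keep, an Eve who must store everything because she does not know which bits matter) as an added simulation. This is not code from the thread or from Aumann and Rabin's paper: the stream length, the hashing-based derivation of positions from the secret, and Eve's strategy of filling her memory from the start of the stream are my own constructed assumptions, chosen only to make the storage argument visible.

```python
import hashlib
import random

# Constructed parameters for the toy run (tiny next to a real broadcast).
STREAM_LEN = 200_000   # bits the "satellite" broadcasts during the session
PAD_LEN = 256          # pad bits Alice and Bob want to end up with


def broadcast_stream(n_bits, seed):
    """Stand-in for the public random source. A seeded PRNG keeps the run
    reproducible; a real source would be true randomness nobody can replay."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n_bits)]


def pad_positions(shared_secret, stream_len, pad_len):
    """Stretch the short shared secret into the set of stream indices to keep.
    Assumption (mine, not the paper's): indices come from hashing the secret
    with a counter, so both parties compute the same set before the broadcast."""
    positions, seen, counter = [], set(), 0
    while len(positions) < pad_len:
        digest = hashlib.sha256(shared_secret + counter.to_bytes(4, "big")).digest()
        pos = int.from_bytes(digest[:8], "big") % stream_len
        if pos not in seen:
            seen.add(pos)
            positions.append(pos)
        counter += 1
    return positions


def save_selected_bits(stream, positions):
    """Alice and Bob watch the stream once and keep only their chosen bits."""
    wanted = set(positions)
    saved = {i: bit for i, bit in enumerate(stream) if i in wanted}
    return [saved[p] for p in positions]


class BoundedEve:
    """Passive eavesdropper, computationally unbounded but with fixed storage.
    She does not know the positions, so she keeps bits until her memory is
    full and then has to drop everything that follows."""

    def __init__(self, capacity_bits):
        self.capacity = capacity_bits
        self.stored = {}

    def observe(self, stream):
        for i, bit in enumerate(stream):
            if len(self.stored) >= self.capacity:
                break          # out of space: later bits are lost for good
            self.stored[i] = bit


def run(shared_secret, eve_capacity, stream_seed=1234):
    """Returns (pads_agree, fraction_of_pad_bits_Eve_holds)."""
    stream = broadcast_stream(STREAM_LEN, stream_seed)
    positions = pad_positions(shared_secret, STREAM_LEN, PAD_LEN)
    alice_pad = save_selected_bits(stream, positions)
    bob_pad = save_selected_bits(stream, positions)
    eve = BoundedEve(eve_capacity)
    eve.observe(stream)
    known = sum(1 for p in positions if p in eve.stored)
    return alice_pad == bob_pad, known / PAD_LEN


if __name__ == "__main__":
    for cap in (20_000, 100_000, STREAM_LEN):
        agree, frac = run(b"short-shared-secret", cap)
        print(f"Eve stores {cap:>7} bits: pads agree={agree}, Eve knows {frac:.0%} of the pad")
```

Whichever bits Eve chooses to keep, the fraction of the pad she ends up holding tracks her storage budget divided by the stream length, which is why the stream has to be enormous relative to any plausible adversary memory; that ratio is exactly what Tim Tyler's later objection about "the fantastic volume of data" is about. The simulation leaves out the privacy amplification step the paper uses to squeeze Eve's partial knowledge down to negligible.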


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 11:54:06 +0200 From: Mok-Kong Shen mok-kong.shen@t-online.de Message-ID: 39211ABD.F77609AF@t-online.de References: 8fq46a$448$1@news.fas.harvard.edu Newsgroups: sci.crypt Lines: 19

David A Molnar wrote:

The nasty bit about both of these is that they require a public source of random bits. Your mileage may vary as to whether that's more realistic assumption than "RSA is hard" or "DES is hard."

I don't understand why it must be 'public'. Couldn't it be something that Bob sends 'privately', where it is, however, assumed that Eve could tap in? The real problem is probably obtaining really 'random' bits. On the other hand, wouldn't some very good approximation of 'random' stuff be useful nonetheless with the scheme mentioned (in case one doesn't need absolute security but only sufficiently high security)?

M. K. Shen


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 14:04:51 GMT From: Tim Tyler tt@cryogen.com Message-ID: FunoG3.1p6@bath.ac.uk References: 8fq46a$448$1@news.fas.harvard.edu Newsgroups: sci.crypt Lines: 35

David A Molnar dmolnar@fas.harvard.edu wrote:
: John Myre jmyre@sandia.gov wrote:

:> One could say that there is at present a lamentable dearth of proven results, but I don't think it is reasonable to go further and say that provable results are impossible.

: Oddly enough, there seem to be some more recent schemes which are information-theoretically secure. [...]

[snip "Secret Key Agreement by Public Discussion"]

: The nasty bit about both of these is that they require a public source of random bits [...]

Also perhaps worthy of mention is the fantastic volume of data Alice and Bob need to wade through in order to ensure that Eve has a small chance of storing enough of the stream to be able to recover any message contents.

It seems likely that you'll need to wait years between transmitting messages - if you want to ensure the defeat of the storage capabilities of governmental Eves.

Different parties need to use independent streams of bits from the sky - unless they want an attacker to be able to share its resources across different messages in order to break the messages of all the parties concerned.

The end result is less secure than a OTP - since Eve has the chance to make as many guesses at the shared secret as she has storage to support.

It all seems a little impractical.

__________ Lotus Artificial Life http://alife.co.uk/ tt@cryogen.com |im |yler The Mandala Centre http://mandala.co.uk/ Be good, do good.


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 08:22:57 -0400 From: "Trevor L. Jackson, III" fullmoon@aspi.net Message-ID: 39213DA1.E1971059@aspi.net References: 39208E87.C9EBE8BE@sandia.gov Newsgroups: sci.crypt Lines: 45

John Myre wrote:

"Trevor L. Jackson, III" wrote:

> The purpose of a cipher is to not leak information. Because the purpose is negative it is not testable. More accurately, no finite sequence of tests can prove that no leaks are possible.

That's too much. As a counterexample, an "ideal OTP" can be proven not to leak information.

There is a significant difference between testing and proving. Certainly an OTP is provably secure in theory. But I suggest that an OTP is not "testably" secure in practice. That is, no sequence of tests can be applied to an OTP to show its security.

(I don't think the controversy over whether "truly random" bits are practically obtainable changes this).

Agreed.

One could say that there is at present a lamentable dearth of proven results, but I don't think it is reasonable to go further and say that provable results are impossible.

I tried hard not to say that provable results are impossible.

Let's try a chronological ordering: design, implementation, testing. Proofs of security appear in the design phase. Tests of security (cryptographic attacks) appear in the testing phase. Admittedly, this model is simplistic because there are rich forms of feedback and interaction between iterations of the phases.

Given the above, the point is that there is no collection of attempted cryptographic attacks that is equivalent to a proof of security. Thus fielding a cipher and having it subjected to unrelenting attacks by both opponents and allies yields no increment in the theoretical security the cipher provides. The process may yield increments in the practical security offered, by eliminating the known forms of attack, but this is unsatisfactory because the massive accumulation of failed attacks will not prevent an opponent from reading the traffic using a successful attack.

A proof rules out the possibility of a successful attack. A test cannot. Tests can only rule in a successful attack.
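Trevor's asymmetry above (a test can rule an attack in, never out) and Ritter's earlier point that we can only measure things like "can it decipher every enciphering" and "how fast does it work," worked as an added example that is not from the thread. The toy stream cipher, the statistical tests and their thresholds are my own construction: the cipher's output passes the kind of checks one can run on a cipher, and no quantity of such checks would reveal that its key is only 16 bits wide; one concrete attack, exhaustive key search with a few known plaintext bytes, rules the weakness in.

```python
import hashlib

KEY_BITS = 16   # constructed: deliberately tiny keyspace so a weakness exists


def keystream(key, n):
    """Toy stream cipher: SHA-256(key || counter). Its output is random-looking
    to every test below, yet the key is only 16 bits wide. Constructed for this
    example; not a real design."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def encrypt(key, plaintext):
    return bytes(k ^ p for k, p in zip(keystream(key, len(plaintext)), plaintext))


decrypt = encrypt   # XOR with the same keystream undoes itself


def monobit_ok(data, tolerance=0.01):
    """Fraction of one-bits should sit near 0.5 for random-looking output."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5) < tolerance


def byte_chi_square(data):
    """Chi-square statistic of byte frequencies against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def statistical_tests_pass(data):
    # 255 degrees of freedom: mean 255, sd ~22.6; 345 is roughly 4 sd above the mean.
    return monobit_ok(data) and byte_chi_square(data) < 345


def round_trip_ok(key, plaintext):
    """The kind of property that CAN be tested: every enciphering deciphers."""
    return decrypt(key, encrypt(key, plaintext)) == plaintext


def known_plaintext_key_search(ciphertext, known_plaintext):
    """A test that rules an attack IN: with a few known plaintext bytes,
    exhaustive search over the toy keyspace recovers the key (or None)."""
    prefix = ciphertext[:len(known_plaintext)]
    for candidate in range(1 << KEY_BITS):
        if encrypt(candidate, known_plaintext) == prefix:
            return candidate
    return None


# Constructed sample key and message for the demonstration.
SAMPLE_KEY = 0xBEEF
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 200
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("round trip:", round_trip_ok(SAMPLE_KEY, SAMPLE_PLAINTEXT))
    print("statistical tests pass:", statistical_tests_pass(SAMPLE_CIPHERTEXT))
    found = known_plaintext_key_search(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT[:16])
    print("recovered key:", hex(found))
```

The statistical tests say nothing false: the output really is balanced and uniform. They simply measure something other than secrecy, so passing them is consistent with the cipher being broken, while the key search, a single specific test, is conclusive in the one direction a test can be.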


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 13:50:15 GMT From: Tim Tyler tt@cryogen.com Message-ID: Funnrq.19D@bath.ac.uk References: 39208E87.C9EBE8BE@sandia.gov Newsgroups: sci.crypt Lines: 19

John Myre jmyre@sandia.gov wrote:
: "Trevor L. Jackson, III" wrote:

:> The purpose of a cipher is to not leak information. Because the purpose is negative it is not testable. More accurately, no finite sequence of tests can prove that no leaks are possible.

: That's too much. As a counterexample, an "ideal OTP" can be proven not to leak information. (I don't think the controversy over whether "truly random" bits are practically obtainable changes this).

I think we should be discussing real systems - rather than imaginary ones.

In reality, if you can't PROVE the bits are random, the OTP security proof fails to say anything very concrete.

__________ Lotus Artificial Life http://alife.co.uk/ tt@cryogen.com |im |yler The Mandala Centre http://mandala.co.uk/ Legalise IT.


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 11:10:01 +0200 From: Mok-Kong Shen mok-kong.shen@t-online.de Message-ID: 39211069.45C4E7BC@t-online.de References: 39203155.2427148@news.io.com Newsgroups: sci.crypt Lines: 44

Terry Ritter wrote:

runu.knips.NOSPAM@DELETEgmx.de wrote:

Tom St Denis wrote:

There is some science behind cryptography whether you want to believe it or not.

And I think his dislike of Blowfish is only instinctive. I would trust Blowfish, too. It only requires a little bit too much resources for some applications.

That particular answer of mine would have been the same for any other cipher. The problem is not a particular cipher, the problem is in trusting something which cannot be tested to see how closely it comes to doing what we want it to do.

It is really astonishing to me that this kind of dispute recurs time and again in the group. I would like to repeat one point that I stated a long time ago: In engineering or fields like pharmacy, the authorities and the common people are on one and the SAME side (we neglect lobbying here), i.e. attempting to attain the best security possible within the framework of economic constraints and the state of the art. There are diverse controlling organizations to oversee what is being done in practice and effect corrective measures, if necessary. In crypto, the situation is fundamentally different. One has only to look at issues of export regulations, Wassenaar Arrangements, key escrow, Echelon, special regulations concerning telecommunication providers, etc. etc. in order to convince oneself of that. Thus it is a better strategy to risk erring by having too little trust than to err by having too much trust in crypto in general.

M. K. Shen

http://home.t-online.de/home/mok-kong.shen


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 12:43:03 +0200 From: Mok-Kong Shen mok-kong.shen@t-online.de Message-ID: 39212637.544816B@t-online.de References: 8fr4jg$jlq$1@nnrp1.deja.com 39211069.45C4E7BC@t-online.de Newsgroups: sci.crypt Lines: 18

Tom St Denis wrote:

You are kidding right? And how many new drugs have "acceptable" side effects because these scientists just want to push their drugs?

No. The real world is certainly not perfect. There are scientists who commit fraud. But there are also judges who are corrupt. But on the whole it is true that the diverse controlling organizations are assuring security in the real interest of the common people. Before your house is built, its construction plan has to be examined and approved by a local authority. Do you suspect that any guy there has the motivation of intentionally doing something such that the building crashes when the wind comes for the first time?

M. K. Shen


Subject: Re: Notes on the "Vortex" block cipher Date: Mon, 15 May 2000 17:18:31 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3920315f.2437056@news.io.com References: 8foh6v$mib$1@nnrp1.deja.com Newsgroups: sci.crypt Lines: 59

On Mon, 15 May 2000 09:49:22 GMT, in 8foh6v$mib$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

In article 391f9c27.3970068@news.io.com, ritter@io.com (Terry Ritter) wrote:

Nonsense. That is not the same at all:

In all normal fields of engineering design (and I am a professional engineer), engineers can test their work. Most designs will have specifications, and the resulting equipment can be tested to see if it meets those specifications. In most areas of life, we can detect design bugs simply because the machine (including software) does not do what we want it to: it does not meet specs.

Hindenburg. Nuff said.

Nonsense. When the Hindenburg went down everybody knew that a disaster had happened. CRYPTOGRAPHY IS NOT LIKE THAT! The disaster that happens in cryptography is secret, and so we will keep riding that dirg. Consequently, we will have the same disaster (without really experiencing it), over and over again. The dirg never gets built right because we don't know where it went wrong. And people use it anyway, because they "trust" it.

You are trying to tell me everything engineers do is flawless? Shaw- right.

Nonsense. Never said that, never tried to tell you that.

When we design and use normal things, we can tolerate errors because we see the ultimate results. If the results are not what we want, we can do something about it.

In cryptography nobody gets to see the ultimate results: We cannot know if our information is hidden from secret opponents. We don't know if problems exist, so we cannot fix them. And the "we" part of this includes everybody: both amateurs and experts.

There is some science behind cryptography whether you want to believe it or not.

Nonsense. I have never said that there is no science behind cryptography. Many things used in cryptography can be measured, and I have personally measured and reported on some of them. Many things in cryptography can be designed to specification, and I have reported on some of those as well. Instead it is the unsupported belief in cipher strength which is unscientific.

Science does not require belief. Indeed, that is the whole point. It is non-science which requires belief, and that is what we have when we trust some cipher: a belief without supporting evidence.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: Notes on the "Vortex" block cipher Date: 16 May 2000 10:26:36 GMT From: dformosa@zeta.org.au (David Formosa (aka ? the Platypus)) Message-ID: slrn8i28lk.660.dformosa@dformosa.zeta.org.au References: 391f5cb2.1938412@news.io.com Newsgroups: sci.crypt Lines: 21

On Mon, 15 May 2000 02:11:27 GMT, Terry Ritter ritter@io.com wrote:

On Sun, 14 May 2000 21:14:48 GMT, in 8fn500$82o$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

[...]

There has been some scrutiny of blowfish. I would trust it.

You can wish and hope and believe what you want, but there still is no scientific basis for such trust.

Excluding the one time pad (which is useless for most practical purposes), is there any encryption algorithm for which there is a scientific basis for such trust?

-- Please excuse my spelling as I suffer from agraphia. See http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more. Interested in drawing platypie for money? Email me. Crack my Hash win$200 http://dformosa.zeta.org.au/~dformosa/PlatyMAC.txt


Subject: Re: Notes on the "Vortex" block cipher Date: Tue, 16 May 2000 20:47:51 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3921b3ee.5155714@news.io.com References: slrn8i28lk.660.dformosa@dformosa.zeta.org.au Newsgroups: sci.crypt Lines: 54

On 16 May 2000 10:26:36 GMT, in slrn8i28lk.660.dformosa@dformosa.zeta.org.au, in sci.crypt dformosa@zeta.org.au (David Formosa (aka ? the Platypus)) wrote:

On Mon, 15 May 2000 02:11:27 GMT, Terry Ritter ritter@io.com wrote:

On Sun, 14 May 2000 21:14:48 GMT, in 8fn500$82o$1@nnrp1.deja.com, in sci.crypt Tom St Denis stdenis@compmore.net wrote:

[...]

There has been some scrutiny of blowfish. I would trust it.

You can wish and hope and believe what you want, but there still is no scientific basis for such trust.

Excluding the one time pad (which is useless for most practical purposes), is there any encryption algorithm for which there is a scientific basis for such trust?

Not in practice, and I see no reason to exclude the one-time-pad (OTP), unless of course it is not used for sending real data at all. Practical OTP systems have been broken in the past, and the usual excuse is that the system was "misused" and so no longer was an OTP. But if we have to depend upon knowing whether or not the system is broken to find out whether we "really" have an OTP, we might as well use a normal cipher. Our first problem is that we lack a testable proof that any particular system which is purported to have OTP properties actually does.

Our next problem is that, even theoretically, OTP properties are not all we might expect from an "absolutely secure" system. In particular, sending the exact same plaintext message to different destinations (even using a different pad for each) is extremely dangerous: If an opponent somehow obtains even one of the plaintexts, that will expose pads which apparently have never been compromised. Opponents then can substitute a false OTP message for the real one, and the receiving user will believe that message because everybody knows that an OTP is absolutely unbreakable, and it says so in the crypto texts!

Sure, sending the same plaintext multiple times is a "misuse" of the OTP, but where do we see that mentioned in the proofs? Do most OTP systems prevent such misuse and every other misuse as well? Or shall we just trust users to have the specialized knowledge to not use an OTP in fatal ways which seem perfectly reasonable?

Knowing this, shall we trust the OTP?


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
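Ritter's scenario above (the same plaintext sent to two destinations under two different pads; one recovered plaintext exposes the other, never-compromised pad, and a substituted message is then believed), worked as an added example that is not from the thread. The sample message, the pad handling and the two receivers are my own construction; the mitigation shown is a one-time polynomial MAC (the standard Carter-Wegman construction over the Poly1305 prime), chosen rather than HMAC so that the authentication, like the pad itself, rests on no computational assumption.

```python
import hmac
import os
import secrets

# Field for the one-time MAC: the Poly1305 prime, chosen so that a 16-byte
# block with a 0x01 byte appended always encodes to a value below P.
P = 2**130 - 5


def otp_encrypt(pad, plaintext):
    """Plain one-time pad: XOR with fresh, never-reused pad bytes."""
    if len(pad) < len(plaintext):
        raise ValueError("pad too short")
    return bytes(p ^ m for p, m in zip(pad, plaintext))


otp_decrypt = otp_encrypt   # XOR undoes itself


def pad_from_known_plaintext(ciphertext, known_plaintext):
    """The exposure Ritter describes: plaintext and ciphertext together give
    back every pad byte that covered the message."""
    return bytes(c ^ m for c, m in zip(ciphertext, known_plaintext))


def onetime_mac_key():
    """Fresh (r, s), each uniform in [0, P). Used for exactly ONE message."""
    return secrets.randbelow(P), secrets.randbelow(P)


def onetime_mac(key, data):
    """Polynomial one-time MAC (Carter-Wegman style): evaluate the message
    polynomial at r and mask with s. Without (r, s), a tag for a different
    message is right with probability about blocks / P, regardless of the
    forger's computing power. Returns a 17-byte tag."""
    r, s = key
    acc = 0
    for i in range(0, len(data), 16):
        block = int.from_bytes(data[i:i + 16] + b"\x01", "little")   # injective encoding
        acc = (acc + block) * r % P
    return ((acc + s) % P).to_bytes(17, "little")


def receive_unauthenticated(pad, ciphertext):
    """Receiver that believes anything that XORs cleanly."""
    return otp_decrypt(pad, ciphertext)


def receive_authenticated(pad, mac_key, ciphertext, tag):
    """Receiver that checks the tag first; returns None on a mismatch."""
    if not hmac.compare_digest(onetime_mac(mac_key, ciphertext), tag):
        return None
    return otp_decrypt(pad, ciphertext)


def demo():
    """Same plaintext to destinations A and B under different pads; the
    opponent later obtains A's plaintext. Returns a tuple of observations."""
    msg = b"TRANSFER 100 TO ACCOUNT 42"        # constructed sample message
    substitute = b"TRANSFER 999 TO ACCOUNT 66"  # same length, constructed
    pad_a, pad_b = os.urandom(len(msg)), os.urandom(len(msg))
    ct_a = otp_encrypt(pad_a, msg)
    ct_b = otp_encrypt(pad_b, msg)

    # Knowing A's plaintext (and that B received the same text) exposes pad_b,
    # which was never itself compromised.
    exposed_pad_b = pad_from_known_plaintext(ct_b, msg)
    forged_ct = otp_encrypt(exposed_pad_b, substitute)

    # 1) B with a bare OTP accepts the substitution as genuine.
    seen_by_plain_b = receive_unauthenticated(pad_b, forged_ct)

    # 2) B with a one-time MAC under a separate key rejects it: the opponent
    #    holds no MAC key, and the genuine tag does not verify the forgery.
    mac_key = onetime_mac_key()
    tag = onetime_mac(mac_key, ct_b)
    seen_by_authenticated_b = receive_authenticated(pad_b, mac_key, forged_ct, tag)
    genuine = receive_authenticated(pad_b, mac_key, ct_b, tag)

    return exposed_pad_b == pad_b, seen_by_plain_b, seen_by_authenticated_b, genuine


if __name__ == "__main__":
    exposed, plain_b, auth_b, genuine = demo()
    print("pad_b exposed by A's plaintext:", exposed)
    print("bare OTP receiver read:", plain_b)
    print("authenticated receiver read forgery:", auth_b)
    print("authenticated receiver read genuine:", genuine)
```

The secrecy proof for the pad is untouched by the forgery; what the bare receiver lacks is any notion of integrity, which is the gap the thread's "it says so in the crypto texts" remark points at. The MAC key, like the pad, is one-time and must be delivered over the same trusted channel, so the fix costs extra key material rather than a computational assumption.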


Terry Ritter, his current address, and his top page.

Last updated: 2001-06-11