Matt Blaze (mab@research.att.com)
Mon, 22 Jun 1998 15:39:10 -0400
As a rule, I don't participate in cryptographic "challenges" in which
a company marketing a new cryptographic algorithm offers a reward for
solving an instance of their system, in the hope of demonstrating the
system's strength after the reward isn't claimed. These contests have
virtually no scientific value toward determining the strength or merit
of a proposed system, and ignore the well-established principle that
an algorithm can only be considered secure after a long period of
serious, often incrementally progressive, study by the open community.
The cryptologic community, and those who honestly seek to encourage
the development and analysis of strong cryptosystems, would be best
served by ignoring these contests.
It is not hard to construct a contest in which no one is likely to
claim the reward, even though the underlying algorithm would be
considered weak by modern standards. Many ciphers, especially those designed by
amateurs, involve layer after layer of complex, obscure bit-twiddling
that contributes nothing toward security except to make the initial
analysis tedious and intellectually unrewarding. Some contests
exploit this obscurity even further by providing only confusing
pseudo-code or, in the case of the challenge discussed here, only
machine object code. In any case, most of these contests provide less
ciphertext/plaintext than might be needed for a cryptanalytically
significant attack (if they provide plaintext at all), and few
contests address chosen-plaintext or chosen-ciphertext attacks in any
meaningful way. In short, these contests prove nothing, but provide
fodder for misleading marketing when people take them seriously.
An honest, serious designer of a new cipher algorithm never introduces
it by incorporating the cipher into a product and then challenging the
world to "break this". No one who does this deserves to be taken
seriously - at worst, it's dishonest, and at best it reveals a basic
lack of understanding of how strong ciphers get designed and tested.
Serious cryptologists understand that there's no general theory of
secret-key ciphers, and that there's no known way to prove that
exhaustive search is the best attack. They also know the literature
of cryptanalytic tools, and know that because several existing ciphers
do not appear to fall to these tools, any new design must improve upon
what already exists. It's easy to design, e.g., slow ciphers that are
as good as 3DES (just make 3DES one of the steps), or fast ciphers
that aren't secure (just XOR against the key). The hard part is
improving on some aspect of the existing body of ciphers while not
degrading the other aspects.
To be taken seriously, any cipher proposal must, at a minimum, state
what's new and better about the algorithm compared with existing
designs. It needs to show how existing attacks have been tried and
fail, and give enough information that others can launch their own
attacks without being forced to perform needless busywork or
reverse-engineering. The best new ciphers are almost always
introduced to the world first by quietly exposing them to the scrutiny
of the professional community (e.g., by publishing them in places like
Crypto or FSE), and only get incorporated into products once enough
time has passed to be sure that at least known attacks fail.
The cryptologic community has more than enough to do in evaluating
serious proposals - the AES submissions alone should keep us all busy
for many years to come. Why should we waste our time on, and
give undeserved credibility to, crackpot challenges when there's so
much interesting work to do right now?
-matt
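An added illustration (example code, not part of Matt Blaze's post) of the "fast cipher that isn't secure (just XOR against the key)" mentioned above, and of why a contest that withholds plaintext says nothing about strength: the toy cipher looks unbroken when only a ciphertext is published, yet a single known plaintext/ciphertext pair under the same key hands over the whole key. The key and messages are constructed values.

```python
# Added example: repeating-key XOR ("just XOR against the key") and the
# known-plaintext attack that a ciphertext-only "break this" contest never
# has to face.  Key and messages below are constructed, not from any product.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: because c = p XOR k, one pair of at least
    key_len bytes yields the entire key with no search at all."""
    if len(plaintext) != len(ciphertext) or len(plaintext) < key_len:
        raise ValueError("need a plaintext/ciphertext pair of at least key_len bytes")
    return bytes(plaintext[i] ^ ciphertext[i] for i in range(key_len))


def challenge_demo():
    """Returns (key_recovered, decrypted_prize_message)."""
    key = b"\x13\x37\xc0\xde\x42\x99\x0a\x5f"  # constructed secret key

    # What a typical contest publishes: one ciphertext, no plaintext.
    prize_ct = xor_with_key(b"The prize message", key)  # constructed

    # What a serious evaluation also assumes the analyst has: some message
    # under the same key whose content is known (a file header, a greeting,
    # or a chosen plaintext).  Here it is simply constructed.
    known_pt = b"Dear customer, your account balance is"
    known_ct = xor_with_key(known_pt, key)

    recovered = recover_key(known_pt, known_ct, len(key))
    return recovered == key, xor_with_key(prize_ct, recovered)
```

With only `prize_ct` in hand the contest looks "unbroken"; with the known pair the key falls out immediately, which is the difference between a marketing challenge and a cryptanalytic evaluation.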