Re: Cryptanalysis (was Re: TEA (was Re: filesystem encryption))


Paulo Barreto (pbarreto@nw.com.br)
Sat, 27 Jun 1998 21:26:23 -0300


At 23:04 1998.06.25 -0400, Perry E. Metzger wrote:
>
>Paulo Barreto writes:
>> At 12:02 1998.06.25 -0400, you wrote:
>> >And how much analysis has been done on Square, compared with, say,
>> >3DES?
>>
>> Hmmm... if you really expect an answer, please tell me exactly how much
>> analysis has been done on 3DES :-)
>
>At this point, I'd say somewhere on the order of tens to a hundred man
>years. The question of whether DES was a group alone received probably
>a couple of man years of work between a number of people.

That's right. In a personal communication, Vincent Rijmen suggested that
DES alone received ten times more attention than all other ciphers
together. This means that comparing any cipher to DES is not exactly fair :-)

>> Seriously, take a look at the Square paper (or at the Rijndael documents).
>> The whole theory behind Square was distilled from all published analyses of
>> known ciphers (plus new results by Joan Daemen and Vincent Rijmen). This
>> way you could almost say that the 3DES analyses are integrated in the
>> design of Square.
>
>No, you couldn't say that. You'll know if Square withstands attack as
>well as 3DES when you *know* that lots of serious analysis has hit it,
>and I suspect it has not. It hasn't even been around that long.
>
>I'm sorry to sound sour, but I am not nearly as enthusiastic about
>early incorporation of new cryptosystems into production use as many
>people around here seem to be.

I see no problem in your being sour; people have the right to freely choose
their flavours :-)

But your point of view has some drawbacks:

1. You seem to mean one cannot learn from the analysis of other ciphers
(especially the rich analyses of DES). I don't mean simply designing
Feistel ciphers or reusing the DES S-boxes, but mainly the several kinds of
statistically-oriented analysis and design strategies.

2. DES only received this amount of attention because it *was* incorporated
into production rather early, and in very, very serious applications (not
to say it was proposed surrounded by mystery). Why bother wasting time to
cryptanalyze anything that is not intended to be effectively used? The
mere pleasure of solving an intellectual problem is not enough. Why even
design other ciphers? Blindly sticking to (3)DES and despising research
results could therefore discourage new works.
>>> NOTE: I'm NOT suggesting to put unanalyzed ciphers into widespread use. <<<

3. There *are* ciphers stronger than (3)DES with respect to all known
attacks, both in relative and absolute terms of the computational effort
needed to break them. DES is not optimized against linear cryptanalysis
(for instance, the actual S-box order is one of the poorest), and
differential attacks are faster than brute force. 3-key 3DES is even
weaker than 2-key 3DES if a related-key differential attack can be applied
(e.g. against hashing function modes), and it is possible to break 2-key
3DES in 2^56 steps under some circumstances (did you know this?). Some
ciphers are provably resistant against these attacks and others. Of course
you could object that (3)DES might be resistant against some classified
attack, but I could assert (on the same ground!) that any of these other
ciphers are equally resistant: none of our assertions can be proved or
disproved unless that assumed attack is disclosed or rediscovered.

4. Notice that NSA designed Skipjack instead of simply using (3)DES, and
NIST requested candidates for a (3)DES replacement. This shows that better
ciphers are possible and desirable.

Cheers,

Paulo.



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:09 ADT