Paulo Barreto (pbarreto@nw.com.br)
Mon, 29 Jun 1998 23:37:33 -0300
At 13:57 1998.06.29 -0400, Perry E. Metzger wrote:
>
>Paulo Barreto writes:
>> 2. DES only received this amount of attention because it *was* incorporated
>> into production rather early, and in very, very serious applications
>
>No.
>
>DES was very strongly analyzed for a long time before it was made
>public -- very amounts of time were put into it *first*.
I meant *public* analysis, not NSA's classified assessment.
>Arguing that putting the ciphers into serious applications will
>encourage people to break them is rather like suggesting that the way
>to test a new car safety design is to get someone to drive the car,
>personally, into a wall. There are safer mechanisms than this.
Well, let me first also quote Matt Blaze:
>Suppose your doctor said "I realize we have antibiotics that tend
>to cure the infection you have without harmful side effects, but
>I'm going to give you ground-up tortilla chip powder instead,
>because, uh, it MIGHT work". You'd get a new doctor.
Now let me quote myself (I thought I had sufficiently stressed my words,
but it seems it was not enough):
****************************************************************************
> >>> NOTE: I'm NOT suggesting to put unanalyzed ciphers into widespread use. <<<
****************************************************************************
Both Perry and Matt speak as if I were suggesting using snake oil. This is
too much paranoia (neophobia?). The design rationale behind Square is
clear and publicly available. The cipher has been around for a year and a
half now. Contrary to some other proposals (which merely state "this
construction looks good", "we believe this technique is strong" or similar
qualitative/subjective assertions), in the Square definition paper there
are quantitative measurements of the effort needed to break it within the
statistical model of differential and linear cryptanalysis and their
variants. And as I mentioned, some of its building blocks are now being
used in other cipher proposals (e.g. Twofish). By no means is it anything
like the empty "challenges" that appear once in a while (stating otherwise
is unfair to say the least -- probably you simply didn't read the defining
paper).
Some remarks about the lack of more published analyses of Square. Consider
the works on the statistical properties of the DES S-boxes. Why aren't
there similar papers on the Square S-box? Because it was built on a
previous analysis by K. Nyberg on the properties of several possible
S-boxes. Consider the classical statistical attacks against DES (Biham and
Shamir's, Davies', and Matsui's). Why aren't there similar attacks against
Square? Because they are avoided by construction. And we could further
extend this list. Now consider papers on some other ciphers (e.g. CAST,
RC5, SAFER). Though these are not "broken", all of the published analyses
point out weaknesses in these ciphers (not counting "loyal cryptanalysis"
made by colleagues of a cipher's author -- see the early RSA analyses of
RC5, for instance). Square did receive public analysis since it was
published; if there are no published works on it, maybe nobody found any
successful attack against it (but of course no researcher would distribute
a note saying "I tried for over a year but was not able to break that
cipher").
On the other hand, why insist on Square? There are other ciphers built on
a sound basis.
As for the funny (sarcastic?) medicine story, the proper speech should be
"I realize we have antibiotics that tend to cure the infection you have
with harmless but annoying side effects, but here's a new one that is the
result of long research, has no known side effects, and can cure you faster
than the old one". Your point of view seems to be "let's not use any new
medicine; why should we, since we have the old ones?". If so, why should
laboratories keep researching new solutions?
Now both of you, Perry and Matt. Instead of just saying "don't use this,
it might be dangerous", how about providing some concrete, quantitative
ground for your contraindications? In my opinion, calling a cipher
"ground-up tortilla chip powder" without providing a mathematical basis for
it is as unprofessional as selling "snake oil".
Anyway, I'm somewhat tired of this line of discussion. I'll let you have
the last word (darts welcome).
Regards,
Paulo.
P.S. The idolatry toward DES nowadays is interesting. For a long time
people thought NSA might have put some trapdoor into it and were reluctant
to accept the cipher. Well, nobody has unambiguously *proven* the contrary
in the open literature, but DES (and extensions like 3DES) are seen as the
panacea for symmetric cryptography.