Perry E. Metzger (perry@piermont.com)
Mon, 29 Jun 1998 23:49:29 -0400
Paulo Barreto writes:
> At 13:57 1998.06.29 -0400, Perry E. Metzger wrote:
> >
> >Paulo Barreto writes:
> >> 2. DES only received this amount of attention because it *was* incorporated
> >> into production rather early, and in very, very serious applications
> >
> >No.
> >
> >DES was very strongly analyzed for a long time before it was made
> >public -- very amounts of time were put into it *first*.
>
> I meant *public* analysis, not NSA's classified assessment.
I suggest reading the paper by Don Coppersmith from the IBM Tech
Journal on the design of DES.
> Both Perry and Matt speak like I were suggesting using snake oil. This is
> too much of paranoia (neophobia?).
I did not suggest you were suggesting snake oil. That is different.
I suggested you were suggesting the use of UNPROVEN ciphers.
You are right that I'm paranoid. If you work in this field, that is
your job -- paranoia. You are supposed to keep data secure, not find
new and interesting ways to get your clients killed.
> The design rationale behind Square is clear and publicly available.
> The cipher is around for a year and a half now.
"Whoop de do".
I'm sure that SQUARE is a nice enough cipher. Really I am. It has,
however, not received the testing that other ciphers you can use
*have* had -- even ones around for only the last year and a half. Why
are you suggesting people risk money and/or lives on it, when there is
stuff that has solid evidence behind it?
> And as I mentioned, some of its building blocks are now being
> used in other cipher proposals (e.g. Twofish).
I wouldn't use Twofish yet, either -- or RC6, or MARS, or any of the
rest.
> Some remarks about the lack of more published analyses of Square. Consider
> the works on the statistical properties of the DES S-boxes. Why aren't
> there similar papers on the Square S-box? Because it was built on a
> previous analysis by K. Nyberg on the properties of several possible
> S-boxes.
Lovely. Maybe in a few years Square will be solidly defended against
attack. Meanwhile, it is *new*.
I think that you are missing a principle here. Cryptography is a
science with two bad properties to it -- the penalty for failure is
sometimes death, and almost always very expensive if not death, and we
have few if any proofs associated with the correctness of our
work. Given this, those of us who have a solid sense of what we are
doing get *very* conservative.
Right now, 3DES runs at wire speeds on ethernet for modern
processors. Most people aren't moving enough volume of data to care
for most applications if they are using 3DES or another
construction. I've used some other ciphers in very odd circumstances
-- when dealing with severely performance constrained environments
where the issue was real -- but in ordinary circumstances there are
few excuses not to be highly conservative.
When the AES candidates get heavily beaten on, and when one of them
gets the NSA secret handshake, I may feel comfortable with one of
them. Certainly they are all going to get heavy scrutiny. Until then,
though...
> Now both of you, Perry and Matt. Instead of just saying "don't use this,
> it might be dangerous", how about providing some concrete, quantitative
> ground for your counterindications?
I cannot *prove* Square is unsafe. I only know it hasn't been beaten
on for long.
There is a minefield in front of you. You have a well worn path
through it you can take, or you can take a shortcut, relying upon a
map that may or may not be accurate. If you're like me, you take the
shortcut, and wait for people to blow up walking through the
rest.
I suppose you don't care much for life and limb. I hope the five
minutes you save on the walk are safe ones.
> P.S. The idolatry toward DES nowadays is interesting. During a long time
> people thought NSA might have put some trapdoor into it and were reluctant
> to accept the cipher. Well, nobody has unambiguously *proven* the contrary
> in the open literature, but DES (and extensions like 3DES) are seen as the
> panacea for symmetric cryptography.
Actually, Matt *has* proven it would be exceptionally hard (if not
impossible) to hide trap doors in most ciphers other than simple
unknown attacks. See his paper on the subject. As for the design of
DES -- we now understand how it was designed.
I'm personally hoping AES lets us finally abandon DES entirely. The
attention being paid to the candidates is high. I'm personally very
impressed by some of the work -- MARS, in particular, feels very solid
in its design. That does not mean I would use it before many man years
of effort are expended assaulting it in vain, however.
Perry
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:13 ADT