Matt Blaze (mab@crypto.com)
Thu, 16 Jul 1998 18:59:51 -0400
>
> Actually, newness is a cryptographic advantage (as well as disadvantage).
>
No. Newness is neither an advantage nor a disadvantage. Strength is
an advantage. Unfortunately, we don't know what the real strength of
any practical block cipher is. (Keylength provides an upper bound on
effort, but knowing the real strength requires a lower bound.)
Because the analysis of block ciphers is ad hoc (there being no theory that
allows us to look at a cipher and determine its strength), we know more
about the strength of studied (old) ciphers than we do about less studied (new)
ones. While there may be a period of time after a weakness is discovered by
an adversary but before it is rediscovered by the public community, the
history of science in general (and mathematics in particular) suggests that
techniques cannot be held in secret for very long. Attacks and techniques
get rediscovered or leaked over time. The inequality of knowledge about
a subject tends to be greatest at first, but goes down over time as interest
becomes broader and broader. That's why the professional cryptologic
community prefers (unbroken) old ciphers to new ones. The longer
an algorithm has been studied, the more we can be assured that we
probably know as much about it as others do.
It may be intuitively "obvious" that new ciphers have some advantage from
the adversary not having had time to discover the attack. Like many
"obvious" ideas, it is also nonsense.
-matt
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:29 ADT