Bruce Schneier (schneier@counterpane.com)
Thu, 16 Jul 1998 21:26:24 -0500
I believe newness to be neither an advantage nor a disadvantage. Analysis is an advantage. Analysis often comes with age. IDEA, for example, is well analyzed. Diamond, as far as I know, has not received any serious analysis. (Nothing personal, mind you. I haven't looked at it primarily because an analysis would not be accepted at any conference. If the design gets published somewhere, that would be different.)
At 03:52 PM 7/16/98 -0600, Michael Paul Johnson wrote:
>Actually, newness is a cryptographic advantage (as well as disadvantage).
>
>Older cryptographic algorithms:
>+ Have been well analyzed and it is likely that the most significant
>weaknesses, if any, have been published.
>+ Are well supported in hardware and software toolkits.
>+ Are accepted as standards for secure information interchange.
>+ Are easily endorsed by conservative cryptographic experts.
>+ May have patents expired.
>- Have been well analyzed by adversaries who would not publish weaknesses
>found.
>- Are much more likely to have custom cracking solutions actually secretly
>in use.
>- Often give a false sense of security due to pure age, without actual
>determined effort to crack the algorithm being applied by knowledgeable
>publishing adversaries.
>- Frequently are targeted to a world with less computing horsepower than
>today or the next 20-30 years.
>- Often are difficult to extend to longer key lengths or wider block sizes
>without exposing weaknesses or creating significant inefficiencies.
>- May or may not have been designed by someone who is qualified to do such
>things.
>
>Newer cryptographic algorithms:
>+ Have not had much public scrutiny UNLESS they are an "interesting" target
>(like SKIPJACK).
>+ Usually come with at least a reference implementation in software.
>+ Have not been seriously analyzed by adversaries.
>+ Are generally not supported by specialized cracking machines.
>+ Are often in the Public Domain or freely usable anyway.
>+ Are more likely to be targeted to contemporary computing horsepower.
>- May or may not be seriously looked at, depending on the source, where
>published (if at all).
>- Are not generally accepted as standards, but may end up in practical
>applications, anyway.
>- May or may not have a serious flaw in the design.
>- May or may not have been designed by someone who is qualified to do such
>things.
>
>What is the line between an "old" and a "new" cryptographic algorithm? That
>is a fuzzy line, indeed. I tend to think more in terms of amount of review
>than pure time. For example, SKIPJACK has been extensively internally
>reviewed at the NSA by people paid to do so, and now by many people who
>were naturally curious about this unique cipher. Blowfish has been
>published widely and discussed heavily. The Diamond 2 Block Cipher is
>"older" than both of them, and probably stronger (AES-sized blocks and keys
>give it a head start), but it hasn't been published as widely. Being too
>lazy to submit it for AES evaluation probably contributed to that. Anyway,
>I think that I'd be comfortable with any of the AES submissions that
>survive the selection process scrutiny without weaknesses being found as
>far as security goes. Then again, I still like Diamond 2...
>
>Where interoperability is not a major concern, there is some value in
>trying to use something that isn't widely used, but that has been
>reasonably well scrutinized for problems. You be the judge of what
>"reasonably well" means.
>
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com