Perry E. Metzger (perry@piermont.com)
Thu, 16 Jul 1998 23:37:47 -0400
Bruce Schneier writes:

> >> I don't buy the design process.
> >
> >Really? I actually like the design process -- it strikes me as having
> >some actual system to it, which most such processes do not have.
>
> My problem with the CAST design process is it solely focused on the
> known attacks. The S-boxes were designed to be secure against
> linear and differential cryptanalysis. And they are. And then along
> comes higher order differential cryptanalysis and some of the CAST
> designs don't look very good anymore. Some of the designs, including
> CAST-128, were immune, but the attacks cast serious doubts on the
> design process.

Well, it is true that focusing solely on known attacks is not going to
protect you always, but you must admit that there are problems in
trying to find protection against unknown kinds of attack. :)

(I'm only being half facetious here.)

> My main complaint about MARS is that I cannot keep the entire design
> in my head. One of the Twofish design goals was to create a cipher
> that could be easily memorized. I find that I can imagine new
> attacks, and carry out analysis, easier if the cipher is easy to
> conceptualize. With MARS I am continually going back to the paper
> to remember how something works. I am much less likely to find good
> analyses.

I do understand the complaint -- it makes some considerable sense.
It certainly is a rather complex cipher. Of course, the design
document explains the reason behind all the complexities. The
observations about attempting to thwart early and late round attacks
by special mechanisms seemed to warrant some of the complexity
(although the use of whitening in other designs at least weakly
addresses this as well.)

> >Coolest of the recent AES batch seemed to be RC6, but the paper also
> >left a bit to be desired in the way of transparency in describing
> >attacks. I liked the design methodology description, though.
>
> Data dependent rotations worry me,

They seem to be another new trend in several designs, though,
including MARS. Now that techniques have been pioneered to assure that
the rotations don't only depend on the low order bits of the data
(done in very different ways in both MARS and RC6), I think it may be
an effective new tool (although I obviously have no proof that the
technique isn't vulnerable.)

Perry
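The point in the last paragraph above, that RC6 derives its rotation amount so that it depends on more than the low-order bits of the data word, can be made concrete. The following is an added example, not code from the original message or from the RC6 or MARS designers. It contrasts an RC5-style rotation amount (the low lg(w) bits of the data word itself) with the RC6-style amount, where the word B is first passed through the quadratic f(B) = B(2B+1) mod 2^32 and rotated left by lg(w) = 5, so the five bits that select the rotation are the top five bits of f(B), which depend on every bit of B through the multiplication. The word size, the sample words and the sensitivity count are constructed for the illustration; MARS's (different) mechanism is not modelled here.

```python
import random

# Added example: RC5-style vs RC6-style data-dependent rotation amounts.
# Word size w = 32, so lg(w) = 5 bits select the rotation (an assumption
# matching the AES-sized parameters rather than anything in the message).
W = 32
MASK = (1 << W) - 1
LG_W = 5


def rotl(x, r):
    """Rotate a w-bit word left by r (r is reduced mod w, as the ciphers do)."""
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK


def rc5_rotation_amount(b):
    """RC5 style: the rotation amount is simply the low lg(w) bits of B.
    Flipping any bit of B above bit 4 leaves the amount unchanged."""
    return b & (W - 1)


def rc6_rotation_amount(b):
    """RC6 style: t = (B * (2B + 1) mod 2^w) <<< lg(w); the amount is the low
    lg(w) bits of t, i.e. the top lg(w) bits of the quadratic B(2B+1).
    The multiplication propagates low-order bits upward through carries, so
    the amount depends on all of B, not just its low bits."""
    quad = (b * ((2 * b + 1) & MASK)) & MASK
    t = rotl(quad, LG_W)
    return t & (W - 1)


def sensitivity(amount_fn, b, bit):
    """True if flipping bit `bit` of b changes the rotation amount."""
    return amount_fn(b) != amount_fn(b ^ (1 << bit))


def count_influential_bits(amount_fn, samples):
    """For each input bit position 0..w-1, count how many sample words have a
    rotation amount that changes when that single bit is flipped."""
    return [sum(sensitivity(amount_fn, b, bit) for b in samples)
            for bit in range(W)]


# Constructed sample data: 256 pseudorandom 32-bit words from a fixed seed,
# so the experiment is reproducible offline.
_rng = random.Random(1998)
SAMPLES = [_rng.getrandbits(W) for _ in range(256)]


def compare_designs(samples=SAMPLES):
    """Return (rc5_counts, rc6_counts): per-bit influence counts for each
    derivation of the rotation amount over the given sample words."""
    return (count_influential_bits(rc5_rotation_amount, samples),
            count_influential_bits(rc6_rotation_amount, samples))


if __name__ == "__main__":
    rc5_counts, rc6_counts = compare_designs()
    print("bit  RC5-style  RC6-style   (samples whose rotation amount changes)")
    for bit in range(W):
        print(f"{bit:3d}  {rc5_counts[bit]:9d}  {rc6_counts[bit]:9d}")
```

Running it shows the RC5-style column is exactly 256 for bits 0-4 and 0 for every higher bit: a differential in bits 5-31 of B never affects how far the partner word is rotated. In the RC6-style column every bit position has a nonzero count, and bits 27-31 are always influential (for those positions the change to B(2B+1) is a multiple of 2^27 with an odd coefficient, so the top five bits of the product always move). This is the property Perry refers to when he says the rotations no longer depend only on the low-order bits; the example does not, of course, say anything about whether the rotations are a sound design choice, which is the open question in the exchange.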