Perry E. Metzger (perry@piermont.com)
Fri, 17 Jul 1998 14:14:20 -0400
Carlisle Adams writes:
> Hi Bruce, Perry,
Hi Carlisle!
> > >I agree with this. The paper did not give me a sense of ease. Too many
> > >"we believe the upper bound for this is X, so we therefore believe
> > >that we are likely immune to this attack", and not enough "we have
> > >actually attacked this" bits. The cipher may be okay (Carlisle is a
> > >smart guy) but the paper is not that comfort inducing.
BTW, I want to emphasize that the paper didn't make me think the
cipher was weak. I just didn't like the paper. (Bruce might have other
opinions.)
> We did what we were able to do with the time and resources available to us.
> The paper was written to be as clear and simple as possible; if you found it
> to be so "simple" that it lacked the detail you wanted, I apologize.
>
> My personal opinion is that detailed (public) analysis by the authors of a
> cipher often gives readers a "sense of ease", but really it
> shouldn't.
It isn't a question of a sense of ease. Some of the papers, like the
MARS paper, contain enough detail for a sophisticated reader to
quickly follow, in detail, what the authors had in mind. The MARS (and
also twofish) papers also include systematic examination of all the
aspects of the cipher ("this is how we designed it, this is how we
attacked it, etc.") in roughly the order that a reviewer would want to
look at it.
The CAST paper, by contrast, seemed muddy. This causes trouble. As
just one example, were I attacking twofish, I could quickly dtermine
precisely what attacks had already been tried. Attacking CAST-256, I
would have to expand all of your hints to the reader first and then
figure out where to start up again.
BTW, I emphasize again, this is purely a criticism of the paper's
style -- not of the cipher itself.
One thing I noted which was strange was that you were listed as sole
author on the CAST-256 paper, btw.
> The authors should, of course, do this analysis, but their
> publication of this should be, at some level, largely irrelevant.
> The "sense of ease" can ONLY come from the analysis of everyone BUT
> the authors.
I agree -- however, it is not that I want to TRUST the authors, but
that I want the missing detail.
As with a scientific paper, one wants enough detail in the methods
section to be able to reproduce everything the authors themselves did
when starting up one's own research on the topic.
> With the AES process, this analysis will occur over the next 1-2
> years. My opinion is that the goal of the "analysis" portion of
> each author's submission package is not to try to convince anyone of
> the cipher's security (ultimately the authors cannot do this!), but
> rather to motivate others to analyze the cipher in detail (i.e., to
> make the cipher look appealing and worthy of study). Our package
> was written with this goal in mind.
That is reasonable -- I just don't think you had enough detail to let
people "jump right in". In particular, other papers had detail that I
found more useful. Again, not a criticism of the cipher itself, and
not a reason I think it shouldn't be considered as seriously as all
the rest.
Perry
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:34 ADT