Bruce Schneier (schneier@counterpane.com)
Fri, 17 Jul 1998 13:30:26 -0500
I don't want this to turn into an argument about CAST, so I'm going to
stick to general things. For the record, I know of no breaks, either public
or not, against the full implementation of any published CAST versions.
CAST is very similar to Blowfish, which I have always liked. The higher-order
differential attacks against some CAST variants only work for
reduced-round versions of the cipher, and there seems to be no way to
extend those attacks to higher rounds (and many reasons to believe that
it is impossible to extend those attacks).
At 01:47 PM 7/17/98 -0400, Carlisle Adams wrote:
>My personal opinion is that detailed (public) analysis by the authors of a
>cipher often gives readers a "sense of ease", but really it shouldn't. The
>authors should, of course, do this analysis, but their publication of this
>should be, at some level, largely irrelevant. The "sense of ease" can ONLY
>come from the analysis of everyone BUT the authors. With the AES process,
>this analysis will occur over the next 1-2 years. My opinion is that the
>goal of the "analysis" portion of each author's submission package is not to
>try to convince anyone of the cipher's security (ultimately the authors
>cannot do this!), but rather to motivate others to analyze the cipher in
>detail (i.e., to make the cipher look appealing and worthy of study). Our
>package was written with this goal in mind.
I disagree with this. When I see a new cipher design, the most important
thing is the detailed public analysis by the authors. Look at the difference
between a well-reasoned submission like MARS, Twofish, or E2, and an
ad hoc design like LOKI97. When I first looked at the LOKI97 design I
knew that it was breakable, because it was clear that the authors did not
analyze their cipher against differential attacks.
I believe that the goal of the AES submissions should be to convince people
that the design is a good one, and the only way to do that is to analyze the
hell out of the design. Anyone can throw a bunch of primitives together and
make a cipher that looks appealing, but cryptanalysts have only so many
hours in a day. If people are going to look at Twofish, I wanted to make their
job as easy as possible. I wanted to delineate everything we did and why,
every attack we tried and how well it worked, and everything we thought about
doing and didn't do. That way, someone can read our paper and say: "Oh
look, they never considered attacks based on x. We should try those." If
the paper doesn't talk about attacks, one is left with the sinking feeling that
they didn't actually consider any attacks.
>> Actually, I have more serious reservations. But there may be a paper
>> in it, so I'll let it go for now.
>>
>Keep us informed of any progress...
Of course.
>I am really looking forward to the next couple of years. This is an
>exciting time for the whole field, and all of us will benefit in some way
>from the intense research activity that AES has already spawned and will
>continue to spawn. Thanks again to NIST for setting all these wheels in
>motion!
I agree with this wholeheartedly.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com