Mok-Kong Shen (mok-kong.shen@stud.uni-muenchen.de)
Thu, 30 Jul 1998 14:06:43 +0100
Bill Stewart wrote:
>
> At 11:12 AM 7/28/98 +0100, Mok-Kong Shen wrote:
> >An ideal crypto algorithm should be easily understandable by the
> >average person (i.e. not exclusively by the experts) and with all
> >design principles clearly and fully laid open.
> >DES is certainly not such a one.
>
> That's not realistic; understanding why algorithms are strong
> (as opposed to merely understanding how to implement them well)
> requires more mathematics than the average technical college graduate has.
> Most engineers know calculus quite well, and some differential equations,
> but haven't spent any time doing group theory, or even much number theory,
> but you can't do much crypto without them - and elliptic curves
> are much hairier than basic RSA. And even among experts,
> it took about 20 years before differential cryptanalysis was
> rediscovered in public, though the Coppersmith asserts they
> knew about it at the time and just kept it quiet.
The fact that differential analysis has to be rediscovered supports
my point that 'an ideal algorithm should have all design principles
clearly and fully laid open'. As to knowledge, certainly in every
field where there is some stuff to be learnt one can't expect an
arbitrary person from the street to quickly comprehend. On the other
hand it is an inherent disadvantage of an algorithm if its theory
can only be understood by a very small and restricted circle of
persons. For one has to rely on their honesty in accepting their
claims. I have no difficulty in accepting e.g. specialists' claim
that Weil's proof of FLT is o.k., because it doesn't matter much even
if it were not true. But crypto with all its deep involvement with
politics (secret information gathering, import/export regulations,
prosecutions) and money (crypto consulting, patents, e-commerce, etc.)
belongs apparently to a category of another nature where the question
of trust cannot be lightly disposed off. (In another occassion I have
referred to the ACM Turing Award Lecture of K. Thompson in Comm. ACM
27 (1984) for the problematics of trusting trusts.) Therefore the
difficulty of understanding the theory underlying an algorithm by
the average person is to be considered a negative aspect when
evaluating encryption algorithms. (I am not saying that algorithms
with such a negative aspect should not be used but only that this
should be taken into consideration when comparing algorighms.)
> And designing good S-boxes for the algorithms that use them is a black art;
> can you really tell if the "selected values at random and discarded bad ones"
> that some algorithms use is honest, or if the dice were loaded,
> and the designers really took a trapdoor-equipped system and
> reverse-engineered a plausible path for the randomness feeding it?
> Rivest's MD5 work avoids some of this by starting with a
> well-known number (was it pi or e?) and using it as a source of digits.
Designing S-Boxes was perhaps a black art but has become a science
in my opinion. There is now quite a lot of papers on optimal design
of S-Boxes (though I suspect that the researchers have hithertofore
neglected a very trivial design criterion, see my note
http://www.stud.uni-muenchen.de/~mok-kong.shen/#paper2). If one takes
a subset of such optimal criteria such that the computing cost of
obtaining sufficiently good S-Boxes is acceptable for real time
(software) random generation of these, then the age old question of
whether there is a back door in the system goes away as it should be
for any genuine encryption algorithm recommended for use by
(law-abiding) people.
M. K. Shen
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:21:01 ADT