The Value of Cryptanalysis


A Ciphers By Ritter Page


This huge conversation starts out with the article by Schneier. That article is controversial in various ways:

These arguments bring out fundamental issues in cryptography which are generally assumed to have been resolved long ago, with the answers now obvious. See my response, my later response and someone else's response and math descriptions.




Subject: Memo to the Amateur Cipher Designer
Date: Sat, 17 Oct 1998 23:35:28 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 152

This was in the October CRYPTO-GRAM, but I thought I'd run it through sci.crypt, since so many people seem to be asking questions on the topic.

Bruce

Memo to the Amateur Cipher Designer

Congratulations. You've just invented this great new cipher, and you want to do something with it. You're new in the field; no one's heard of you, and you don't have any credentials as a cryptanalyst. You want to get well-known cryptographers to look at your work. What can you do?

Unfortunately, you have a tough road ahead of you. I see about two new cipher designs from amateur cryptographers every week. The odds of any of these ciphers being secure are slim. The odds of any of them being both secure and efficient are negligible. The odds of any of them being worth actual money are virtually non-existent.

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.

"The best cryptographers around" break a lot of ciphers. The academic literature is littered with the carcasses of ciphers broken by their analyses. But they're a busy bunch; they don't have time to break everything. How do they decide what to look at?

Ideally, cryptographers should only look at ciphers that have a reasonable chance of being secure. And since anyone can create a cipher that he believes to be secure, this means that cryptographers should only look at ciphers created by people whose opinions are worth something. No one is impressed if a random person creates a cipher he can't break; but if one of the world's best cryptographers creates a cipher he can't break, now that's worth looking at.

The real world isn't that tidy. Cryptographers look at algorithms that are either interesting or are likely to yield publishable results. This means that they are going to look at algorithms by respected cryptographers, algorithms fielded in large public systems (e.g., cellular phones, pay-TV decoders, Microsoft products), and algorithms that are published in the academic literature. Algorithms posted to Internet newsgroups by unknowns won't get a second glance. Neither will patented but unpublished algorithms, or proprietary algorithms embedded in obscure products.

It's hard to get a cryptographic algorithm published. Most conferences and workshops won't accept designs from unknowns and without extensive analysis. This may seem unfair: unknowns can't get their ciphers published because they are unknowns, and hence no one will ever see their work. In reality, if the only "work" someone ever does is in design, then it's probably not worth publishing. Unknowns can become knowns by publishing cryptanalyses of existing ciphers; most conferences accept these papers.

When I started writing _Applied Cryptography_, I heard the maxim that the only good algorithm designers were people who spent years analyzing existing designs. The maxim made sense, and I believed it. Over the years, as I spend more time doing design and analysis, the truth of the maxim has gotten stronger and stronger. My work on the Twofish design has made me believe this even more strongly. The cipher's strength is not in its design; anyone could design something like that. The strength is in its analysis. We spent over 1000 man-hours analyzing Twofish, breaking simplified versions and variants, and studying modifications. And we could not have done that analysis, nor would we have had any confidence in that analysis, had not the entire design team had experience breaking many other algorithm designs.

A cryptographer friend tells the story of an amateur who kept bothering him with the cipher he invented. The cryptographer would break the cipher, the amateur would make a change to "fix" it, and the cryptographer would break it again. This exchange went on a few times until the cryptographer became fed up. When the amateur visited him to hear what the cryptographer thought, the cryptographer put three envelopes face down on the table. "In each of these envelopes is an attack against your cipher. Take one and read it. Don't come back until you've discovered the other two attacks." The amateur was never heard from again.

I don't mean to be completely negative. People occasionally design strong ciphers. Amateur cryptographers even design strong ciphers. But if you are not known to the cryptographic community, and you expect other cryptographers to look at your work, you have to do several things:

1. Describe your cipher using standard notation. This doesn't mean C code. There is established terminology in the literature. Learn it and use it; no one will learn your specialized terminology.

2. Compare your cipher with other designs. Most likely, it will use some ideas that have been used before. Reference them. This will make it easier for others to understand your work, and shows that you understand the literature.

3. Show why your cipher is immune against each of the major attacks known in literature. It is not good enough just to say that it is secure, you have to show why it is secure against these attacks. This requires, of course, that you not only have read the literature, but also understand it. Expect this process to take months, and result in a large heavily mathematical document. And remember, statistical tests are not very meaningful.

4. Explain why your cipher is better than existing alternatives. It makes no sense to look at something new unless it has clear advantages over the old stuff. Is it faster on Pentiums? Smaller in hardware? What? I have frequently said that, given enough rounds, pretty much anything is secure. Your design needs to have significant performance advantages. And "it can't be broken" is not an advantage; it's a prerequisite.

5. Publish the cipher. Experience shows that ciphers that are not published are most often very weak. Keeping the cipher secret does not improve the security once the cipher is widely used, so if your cipher has to be kept secret to be secure, it is useless anyway.

6. Don't patent the cipher. You can't make money selling a cipher. There are just too many good free ones. Everyone who submitted a cipher to the AES is willing to just give it away; many of the submissions are already in the public domain. If you patent your design, everyone will just use something else. And no one will analyze it for you (unless you pay them); why should they work for you for free?

7. Be patient. There are a lot of algorithms to look at right now. The AES competition has given cryptographers 15 new designs to analyze, and we have to pick a winner by Spring 2000. Any good cryptographer with spare time is poking at those designs.

If you want to design algorithms, start by breaking the ones out there. Practice by breaking algorithms that have already been broken (without peeking at the answers). Break something no one else has broken. Break another. Get your breaks published. When you have established yourself as someone who can break algorithms, then you can start designing new algorithms. Before then, no one will take you seriously.

Creating a cipher is easy. Analyzing it is hard.

See "Self-Study Course in Block Cipher Cryptanalysis": http://www.counterpane.com/self-study.html

**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 04:20:15 GMT
From: george.barwood@dial.pipex.com (George Barwood)
Message-ID: <362967c9.4415110@news.dial.pipex.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 14

On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce Schneier) wrote in part:

> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.

I disagree - some time ago I posted an algorithm to sci.crypt, and received a quick (and useful) analysis from David Wagner. The algorithm was not strong against known-plaintext attack, but this was as expected (the design aim was speed at all costs).

Not that I disagree with the intent or conclusions of your article - but I don't think this statement holds up.

George
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Oct 1998 06:07:01 -0700
From: Karl-Friedrich Lenz
Message-ID: <70cp5l$jbu@edrn.newsguy.com>
References: <362967c9.4415110@news.dial.pipex.com>
Newsgroups: sci.crypt
Lines: 22

In article , george.barwood@dial.pipex.com says...
>
>On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
>Schneier) wrote in part:
>
>>Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>
>I disagree - some time ago I posted an algorithm to sci.crypt, and
>received a quick (and useful) analysis from David Wagner. The
>algorithm was not strong against known-plaintext attack, but this was
>as expected (the design aim was speed at all costs).
>
>Not that I disagree with the intent or conclusions of your article -
>but I don't think this statement holds up.

Probably Mr. Schneier intended to say "not a second glance by professionals in scientific papers", which might be true. But the level of sci.crypt is not that low, and there seem to be quite a lot of people ready to have a swing at new ideas.

Karl-Friedrich Lenz :-)
www.toptext.com/crypto
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 15:00:36 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <362a0287.3103532@news.visi.com>
References: <362967c9.4415110@news.dial.pipex.com>
Newsgroups: sci.crypt
Lines: 23

On Sun, 18 Oct 1998 04:20:15 GMT, george.barwood@dial.pipex.com (George Barwood) wrote:

>On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
>Schneier) wrote in part:
>
>> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>
>I disagree - some time ago I posted an algorithm to sci.crypt, and
>received a quick (and useful) analysis from David Wagner. The
>algorithm was not strong against known-plaintext attack, but this was
>as expected (the design aim was speed at all costs).
>
>Not that I disagree with the intent or conclusions of your article -
>but I don't think this statement holds up.

You're right. There are exceptions to this. Agreed.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Oct 1998 17:17:12 +0200
From: Jon Haugsand <haugsand@procyon.nr.no>
Message-ID: <yzobtn9nblz.fsf@procyon.nr.no>
References: <362a0287.3103532@news.visi.com>
Newsgroups: sci.crypt
Lines: 19

* Bruce Schneier
| >> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
| >
| >I disagree - some time ago I posted an algorithm to sci.crypt, and
| >received a quick (and useful) analysis from David Wagner. The
| >algorithm was not strong against known-plaintext attack, but this was
| >as expected (the design aim was speed at all costs).
|
| You're right. There are exceptions to this. Agreed.

Actually, wouldn't this be a good way to train oneself with cryptoanalyzing? Breaking amateur ciphers posted to the usenet?

--
Jon Haugsand
Norwegian Computing Center, <http://www.nr.no/engelsk/>
<mailto:haugsand@nr.no> Pho: +47 22852608 / +47 22852500, Fax: +47 22697660,
Pb 114 Blindern, N-0314 OSLO, Norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 04:09:14 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <362abb52.2020632@news.visi.com>
References: <yzobtn9nblz.fsf@procyon.nr.no>
Newsgroups: sci.crypt
Lines: 25

On 18 Oct 1998 17:17:12 +0200, Jon Haugsand <haugsand@procyon.nr.no> wrote:

>* Bruce Schneier
>| >> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>| >
>| >I disagree - some time ago I posted an algorithm to sci.crypt, and
>| >received a quick (and useful) analysis from David Wagner. The
>| >algorithm was not strong against known-plaintext attack, but this was
>| >as expected (the design aim was speed at all costs).
>|
>| You're right. There are exceptions to this. Agreed.
>
>Actually, wouldn't this be a good way to train oneself with
>cryptoanalyzing? Breaking amateur ciphers posted to the usenet?

Definitely. I think it's the best way. Not only do you get experience breaking ciphers, but you get some very easy ones to start on.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 17 Oct 1998 22:33:44 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1710982234000001@dialup175.itexas.net>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 110

In article <36292906.1151332@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> This was in the October CRYPTO-GRAM, but I thought I'd run it through
> sci.crypt, since so many people seem to be asking questions on the
> topic.
>
> Bruce.
....

There have been many such discussions which marry some good advice with propaganda, serving the status quo rather than being inclusive of all attempts at improvement in the condition of man. A contrived obstacle course means being sure that few can finish, and more are discouraged from even trying. Those that do run the gauntlet and break the tape seem to confirm its validity to the blinded faithful, notwithstanding the best intentions of those who would sit in judgement, doing the best they can to feel that the whole process is of inordinate value.

As with any presentation, you are encouraged to find weaknesses in what is included in the prior posting in this thread. Authoritarianism is always subject to incompleteness in information that conflicts with its adopted views; and, the stronger it is the more vocal it is in denouncing whatever differs with it. Intolerance ain't pretty.

Since sound reasoning is essential in cryptography: If you know where your feet are, you should be able to cut through the nonsense to glean something even useful from the talk. Much of the content is not new at all, but contrived decades ago, and seeks to hamstring the possibilities of the present to the hindrances of the past, more especially in this subject of ours, and not further the open art at all. The scripting of the elements is in the form of an arrangement in supportive order for argument's sake so they sound more reasonable than they are. The caveats do form comfortable enclaves for those that want to excuse the rest of the stuff.

Remember, the only excuse for formal education is learning how to learn. The end ideal is to become a self-starter in your search for truth, not requiring so many hours credit in order to have particular ability. What is to be acquired is being able to DO rather than always having to ask permission and direction for your occupations. When this honest goal of finding your own direction is realized, it means that you are weaned. It means that you are no longer required to seek an academic teat, or kiss customary areas of despoiled anatomy. You still have the right to seek helpful advice for its own sake, but no obligation to bow and scrape for the privilege.

Good information is not to be cloistered. You are allowed to judge legitimacy on intrinsic content rather than whether it contradicts prior canonized scripture. You are encouraged in true scientific tradition to test and inquire into the nature of anything that has been spread before as the gospel.

If you are overly addicted to the opinions of certain people, you tend to acquire their prejudices; afterwards, know that discovering any flaws is prohibited, and severely punished by excommunication, which has always been a religious act aimed at the unfaithful so as to humiliate and silence them. This technique is often used as well against those that do not buy the bit up front.

So often those that tout a regimen are just saying that it worked for them, so it can do the same for you. You can eat the blood pudding of tradition as long as you like, or you can graduate in informal elegancy, freedom of thought being its own reward. If you are not ready to fly, you may crash, which is preferable to being stoned or shot down as a heretic in the other model. You then have the option to dust yourself off, learn from your mistakes, and flap your wings again.

Reinforcing the status quo means going nowhere not on the approved map; innovation and creativity mean taking new and unorthodox approaches, and sometimes finding that assumed ground rules are merely generalizations that are not always true.

Life is far more variable than anyone can realize. It is such that you can almost have nothing on the surface in common with whole groups of people. This means that methods that work for some are going to be rejected as bad style by others. The challenge is not to forcefully remake everyone else in your own image, but to realize that no one has a lock on the path to truth. It should be self-evident that what leads you is the greater good rather than finding a way to get more articles published than someone else.

In crypto, as in many other fields, sufficient study will lead you to agreement with lots of what passes for acceptable thought. It can allow you to unmask areas that have been glossed over. I would never discourage someone from going it alone in a quest; so much in science is the product of the dedicated contrarians who focused on a star that others wanted to excuse as a photographic artifact. Be constrained only by those barriers you show to be actually there. Cryptography is still wide open to new concepts, as well as novel unifying ideas that put older methods in perspective.

Bruce is a good soldier, but some don't march to the same drummer. I would like to believe that anyone as intelligent as he appears to be would serve less in the role of retelling so many false echoes from the past. He continually tells us how difficult good cryptography is; I suppose that reflects his experience. I am sure that he would like to make it easier for others to learn what he has without going down the same path, yet he would recommend it still. Yet, I would not discourage him either from any cryptological endeavor, as I would not do that to anyone.

--
---
Insanity means doing the same thing over and over again and expecting different results...like CDA2.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 04:07:00 GMT
From: Lloyd Miller <millerl@cuugnet.cuug.ab.ca>
Message-ID: <908683620.523852@server.cuug.ab.ca>
References: <jgfunj-1710982234000001@dialup175.itexas.net>
Newsgroups: sci.crypt
Lines: 25

W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote:
: In article <36292906.1151332@news.visi.com>, schneier@counterpane.com
: (Bruce Schneier) wrote:
:> This was in the October CRYPTO-GRAM, but I thought I'd run it through
:> sci.crypt, since so many people seem to be asking questions on the
:> topic.
:>
:> Bruce.
: ....
...
: If you are overly addicted to the opinions of certain people, you tend to
: acquire their prejudices; afterwards, know that discovering any flaws is
: prohibited, and severely punished by excommunication, which has always been
: a religious act aimed at the unfaithful so as to humiliate and silence
: them. This technique is often used as well against those that do not buy
: the bit up front.

Bruce's religion makes a lot more sense to me than yours.

--
Lloyd Miller, Calgary
millerl@cuug.ab.ca. Terminal Insomniac
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 09:02:32 -0400
From: "Jay Holovacs" <holovacs@idt.net>
Message-ID: <70cs7t$kja@nnrp1.farm.idt.net>
References: <jgfunj-1710982234000001@dialup175.itexas.net>
Newsgroups: sci.crypt
Lines: 56

W T Shaw wrote in message ...
>>>
>
>There have been many such discussions which marry some good advice with
>propaganda, serving the status quo rather than being inclusive of all
>attempts at improvement in the condition of man. A contrived obstacle
>course means being sure that few can finish, and more are discouraged from
>even trying. Those that do run the gauntlet and break the tape seem to
>confirm its validity to the blinded faithful, notwithstanding the best
>intentions of those who would sit in judgement, doing the best they can to
>feel that the whole process is of inordinate value.
> [...etc...]

Newton said 'if I have seen farther than most, it is because I stood on the shoulders of giants.' It has also been said 'he who will not learn from the past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is not a random shot in the dark, it has a long history of mistakes and discoveries. Just as the patent office became littered with the products of inventors of 'perpetual energy machines' not realizing what was wrong with their great ideas, the crypto world is littered with schemes that mean nothing.

You can't get far in chemistry without learning theory and experience of those that went before. If you want to develop your own winning racing car, you'd best begin by working with as many of the machines built by other great builders as possible. Crypto is no different. If you can't break codes that are out there, why should anyone believe that you have an answer? (In truth, analysis is probably the more important part of the field now, even though most beginners want to rush in and create their own encryption algorithms.)

There is this mythology that by *not* learning how something is done, you can come up with a radical new approach. Quaint, but it doesn't work in the real world. Einstein learned existing physics before he shattered the boundaries of the known physics world. Good writers, painters and composers need to know all the rules of their art before they can break them successfully. Only in areas where there is no history of prior art can someone really come out of the blue and change things (as with small computers 15-20 years ago). Crypto is not one of those areas.

Bruce offered some really good advice for getting yourself listened to, break known codes and write up your results. These are not hard to get published. If someone who can demonstrably analyze codes produces one, there is much more reason to take such a person seriously.

Don't make excuses. Don't blame the 'establishment' that's out to stop you. Listen to people who actually know something. Prove yourself if you want to be believed.

Jay
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 11:34:03 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1810981134030001@dialup122.itexas.net>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 76

In article <70cs7t$kja@nnrp1.farm.idt.net>, "Jay Holovacs" <holovacs@idt.net> wrote:

>
> Bruce offered some really good advice for getting yourself listened to,
> break known codes and write up your results. These are not hard to get
> published. If someone who can demonstrably analyze codes produces one, there
> is much more reason to take such a person seriously.
>
> Don't make excuses. Don't blame the 'establishment' that's out to stop you.
> Listen to people who actually know something. Prove yourself if you want to
> be believed.
>

The big question is what does one actually know from knowledge delivered in a transfusion. In the days when some of us started working, there were scant few resources to work with, and no open debate on any current crypto advances. That time was distasteful, and we should not go there in any respect.

Science is less about belief and more about evidence. You seem to confuse the two. You might prejudice your results by looking for the wrong evidence. In the end, each observation stands or falls on its own through replication and not by the clout of a sole documenter. Personalities can get involved, but true inquisitiveness should cause everyone to rise above that.

Apprenticeships are not a universal requirement. There is no real establishment in crypto anymore, just truth where you find it. In Bruce's work, there are sinful omissions and commissions, but the subject is so large that this would always be a surety in some form. To judge his character, we will see if he mentions in the future any things he has previously ignored and have been pointed out directly to him. If he is a true scientist, he will include such. I would gamble that he in the end will choose fairness. You should not figure that he is doomed to fail to rise to that imperative.

We each have the option of presenting contrasting and contradictory evidence as we see it. Look for the amount of cryptological information to explode as growth occurs in a myriad of directions. No one person will be able to keep it under his thumb, and we better be willing to accept increased specialization as it does.

It might surprise you that I do considerable work in code breaking, not necessarily the ones you would choose. Sometimes I am more successful, sometimes less. The goal for me is to learn how to defeat a weakness and apply it in a refined design. To broadcast prematurely such results would give others the advantage in future designs that I might reserve for myself; and so probably it is with others. It does not follow that a successful analysis can always lead to a better design, and particularly that one known for solving a particular problem can pose a better one. For some it is more important to learn from failures and move on to something better than to trash another's work as a justification for raising a consultant fee.

Back to Bruce, he has a couple of interesting designs in a relatively narrow defined area of crypto. He is also a good researcher and has assembled a certain amount of material in a convenient form. He is a serious organizer, and exercises great concentration to get what he wants. He is an excellent presenter, and most capable in matters closely related to his work. He can be a bear in his zeal, and he can be most cheerful when receiving compliments; we all tend to be that way at such times. He defends his work as he should; it is considerable, showing a colossal amount of labor, be it like anything else pushing certain viewpoints over others. He is worthy of some respect and will continue to inspire lots of people.

But, because he is a limited human being, it also follows that the percentage of cryptography he understands will continue to slip as the field outpaces anyone's ability to completely grasp it. This is not a discourteous observation, just another real one. It could be as well said for all others, even those who are into their work as a priority. We should all be humbled by the magnitude of that problem.

--
---
Insanity means doing the same thing over and over again and expecting different results...like CDA2.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 22:32:14 GMT
From: dscott@networkusa.net
Message-ID: <70dq9e$jjt$1@nnrp1.dejanews.com>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 48

In article <70cs7t$kja@nnrp1.farm.idt.net>, "Jay Holovacs" <holovacs@idt.net> wrote:
>
> W T Shaw wrote in message ...
> >>>
> >
> >There have been many such discussions which marry some good advice with
> >propaganda, serving the status quo rather than being inclusive of all
> >attempts at improvement in the condition of man. A contrived obstacle
> >course means being sure that few can finish, and more are discouraged from
> >even trying. Those that do run the gauntlet and break the tape seem to
> >confirm its validity to the blinded faithful, notwithstanding the best
> >intentions of those who would sit in judgement, doing the best they can to
> >feel that the whole process is of inordinate value.
> > [...etc...]
>
> Newton said 'if I have seen farther than most, it is because I stood on the
> shoulders of giants.' It has also been said 'he who will not learn from the
> past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is
> not a random shot in the dark, it has a long history of mistakes and
> discoveries. Just as the patent office became littered with the products of
> inventors of 'perpetual energy machines' not realizing what was wrong with
> their great ideas, the crypto world is littered with schemes that mean
> nothing.
>
> You can't get far in chemistry without learning theory and experience of
> those that went before. If you want to develop your own winning racing car,
> you'd best begin by working with as many of the machines built by other
> great builders as possible. Crypto is no different. If you can't break codes
> that are out there, why should anyone believe that you have an answer? (In
> truth, analysis is probably the more important part of the field now, even
> though most beginners want to rush in and create their own
> encryption algorithms.)
>

I like your chemistry example; it fits well with the load of stuff Bruce is trying to pass off. In chemistry when I had it in school we got to see a lovely film on the Noble gases. A bunch of PhD experts said let's try to make compounds using this part of the periodic table. They do all sorts of brainy exotic things. But no compounds formed from the Noble gases. At the end of the film they pompously stated how foolish it was to even try and that there are no such compounds. Then our teacher showed us the articles on how some nobodies made some. Yes the chemistry was a good example.
Subject: Re: Memo to the Amateur Cipher Designer Date: 19 Oct 1998 02:14:15 GMT From: jsavard@freenet.edmonton.ab.ca () Message-ID: <70e79n$896$1@news.sas.ab.ca> References: <70cs7t$kja@nnrp1.farm.idt.net> Newsgroups: sci.crypt Lines: 35 Jay Holovacs (holovacs@idt.net) wrote: : Newton said 'if I have seen farther than most, it is because I stood on the : shoulders of giants.' It has also been said 'he who will not learn from the : past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is : not a random shot in the dark, it has a long history of mistakes and : discoveries. I certainly do agree with this, people wanting to design a new cipher ought to be familiar with what has gone before. : Bruce offered some really good advice for getting yourself listened to, : break known codes and write up your results. These are not hard to get : published. If someone who can demonstrably analyze codes produces one, there : is much more reason to take such a person seriously. Well, I certainly have to admit there is truth to that. In _two_ ways. Certainly, a cipher design from someone like Eli Biham, one of the academic discoverers of differential cryptanalysis, is going to be taken seriously, as it should. And a general familiarity with the principles of cryptanalysis, especially as they apply to the kind of cipher one is attempting to design, is going to be an important guide away from various pitfalls. However, cryptanalysis is a discipline of its own, and requires either considerable stamina or advanced mathematical skills. One does not quite need these qualifications to design a secure cipher, particularly if one is following your earlier advice and not ignoring the lessons of previous designs. Of course, if one wants a hearing, if one's qualifications are modest, one should be modest. 
John Savard
Subject: Re: Memo to the Amateur Cipher Designer
Date: 19 Oct 1998 14:29:21 +0100
From: Mark Tillotson <markt@harlequin.co.uk>
Message-ID: <kxsogkfzny.fsf@harlequin.co.uk>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 64

jsavard@freenet.edmonton.ab.ca () wrote:
| And a general familiarity with the principles of cryptanalysis, especially
| as they apply to the kind of cipher one is attempting to design, is going
| to be an important guide away from various pitfalls.
|
| However, cryptanalysis is a discipline of its own, and requires either
| considerable stamina or advanced mathematical skills. One does not quite
| need these qualifications to design a secure cipher, particularly if one
| is following your earlier advice and not ignoring the lessons of previous
| designs.

Nonsense! How on earth can you claim to design a secure cipher if you are _incapable_ of distinguishing a weak cipher from a strong cipher??? It just doesn't make any sense at all.

That's like saying a blind person can paint a scene in correct colours despite being unable to see what they are doing! Sure it's not _impossible_ that it could happen, but no-one with an ounce of common sense expects such an outrageously lucky outcome (or even for the paint to end up on the canvas!!) We don't want a cipher that might well be extremely strong, we want ciphers that are extremely likely to be strong...

With cipher design we don't even have a way of distinguishing strong from weak; we merely have techniques of varying sophistication for trying to identify and measure weakness, and people more or less highly skilled at applying them and inventing new techniques of analysis. The cipher designer needs to iterate the design through more and more sophisticated analyses until it _seems_ both appropriately secure and efficient. Then the next step is to enlist some more people to help in the process of searching for missed weaknesses, and eventually publication.

It's an ongoing process of weeding out weaknesses, gradually bringing in more and more people as one's confidence in the lack of "silly mistakes" grows, just like any other safety-critical large-scale engineering project.

There certainly is a lot of scope for amateurs to suggest _ideas_ to use in cipher design, but a serious _design_ itself needs to be at the centre of such a process of cryptanalysis, not just made up by inspired guesswork.

So I'd agree that experience in cryptanalysis isn't necessary to create a plausible _looking_ design, but that it is an _absolute necessity_ for creating an actual publishable design (unless you just wanted to create a toy cipher). If the 10000's of amateur cryptographers all started publishing designs, we'd be in a total mess!

These days ciphers are expected to be used as building blocks for all sorts of security primitives, so even "security" involves resistance to many different modes of attack, and the amount of work needed to design a cipher is usually beyond the skills and patience of a single individual anyway.

Our whole digital infrastructure is going to depend on future ciphers being secure, and I for one don't want to see the information superhighway made of "concrete" that washes away the first time it rains because its recipe was formulated by a well-meaning amateur who didn't know anything about QA'ing concrete!!

__Mark
[ markt@harlequin.co.uk | http://www.harlequin.co.uk/ | +44(0)1954 785433 ]
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 19:13:05 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <362f81e7.14525013@news.prosurfr.com>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 31

Mark Tillotson <markt@harlequin.co.uk> wrote, in part:

>jsavard@freenet.edmonton.ab.ca () wrote:
>| However, cryptanalysis is a discipline of its own, and requires either
>| considerable stamina or advanced mathematical skills. One does not quite
>| need these qualifications to design a secure cipher, particularly if one
>| is following your earlier advice and not ignoring the lessons of previous
>| designs.

>Nonsense! How on earth can you claim to design a secure cipher if you are
>_incapable_ of distinguishing a weak cipher from a strong cipher??? It
>just doesn't make any sense at all.

I emphatically _agree_ that if you know *nothing* about cryptanalysis, you won't be able to design a secure cipher (except by accident, or by copying someone else's design with trivial changes).

I thought, though, that I was being clear in what I was trying to say: that while a _knowledge_ of cryptanalysis is needed, actually being a cryptanalyst - actually being able to carry out, in full, the cryptanalysis of a difficult cipher, or being able to make theoretical contributions to the field - is not, strictly speaking, necessary (although Bruce is still right that those sorts of qualifications will get you taken seriously) to design a secure cipher.

Maybe you would find that position wrong-headed too, and I can understand that. But it's not nearly the same as the position you correctly characterized as expecting a blind person to paint.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 13:56:59 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210981357000001@dialup159.itexas.net>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 131

In article <kxsogkfzny.fsf@harlequin.co.uk>, Mark Tillotson <markt@harlequin.co.uk> wrote:

> jsavard@freenet.edmonton.ab.ca () wrote:
> | And a general familiarity with the principles of cryptanalysis, especially
> | as they apply to the kind of cipher one is attempting to design, is going
> | to be an important guide away from various pitfalls.
> |
> | However, cryptanalysis is a discipline of its own, and requires either
> | considerable stamina or advanced mathematical skills. One does not quite
> | need these qualifications to design a secure cipher, particularly if one
> | is following your earlier advice and not ignoring the lessons of previous
> | designs.
>
> Nonsense! How on earth can you claim to design a secure cipher if you are
> _incapable_ of distinguishing a weak cipher from a strong cipher??? It
> just doesn't make any sense at all.

Many imply that if you simply follow their rules for cipher construction, you need not do much of the analysis yourself. They even suggest that someone else do it, a catch-22.

> That's like saying a blind person can paint a scene in correct colours
> despite being unable to see what they are doing! Sure it's not
> _impossible_ that it could happen, but no-one with an ounce of common sense
> expects such an outrageously lucky outcome (or even for the paint to
> end up on the canvas!!)

Did you see the story on TV about the guy who is blind and bicycles? He has learned sonic location, and clicks his tongue as a generator.

Out of curiosity, I once asked a blind man to describe different colors. The explanations he had remembered from what he had heard made sense. This is somewhat in line with my above comments about following someone else's crypto design strategies.

> We don't want a cipher that might well be
> extremely strong, we want ciphers that are extremely likely to be
> strong...

According to someone else's plan....

> With cipher design we don't even have a way of distinguishing strong
> from weak, we merely have techniques of varying sophistication for
> trying to identify and measure weakness, and people more or less
> highly skilled at applying them and inventing new techniques of
> analysis. The cipher designer needs to iterate....

As in a Feistel construction?

> the design through
> more and more sophisticated analyses until it _seems_ both
> appropriately secure and efficient.

Appropriate for whom? Not too strong, but just about right? Efficient? Meets the requirements of someone of few thoughts worth encrypting, or that of a government who would hide the routine from the prying eyes of the curious?

> Then the next step is to enlist
> some more people to help in the process of searching for missed
> weaknesses, and eventually publication.

Enlist? Easy for the military to say. Publication? Easy for the established press to say.

> It's an ongoing process of weeding out weaknesses, gradually bringing
> in more and more people as one's confidence in the lack of "silly
> mistakes" grows, just like any other safety-critical large-scale
> engineering project.

Large scale projects can fail too... the Broken Pyramid, notable bridge collapses (interior and exterior), numerous levee systems, multistory old masonry buildings in earthquakes, anti-disease vaccinations pushed in hopes that they would work in time of war, etc. Granted, it is easy to guard against some cryptological mistakes, while others are sort of obscure; overcoming prejudice and criticism against concepts that are generally well known is also a hurdle.

> There certainly is a lot of scope for amateurs to suggest _ideas_ to
> use in cipher design, but a serious _design_ itself needs to be at the
> centre of such a process of cryptanalysis, not just made up by
> inspired guesswork.

All productive guesswork is inspired; it is just the nature of the inspiration that you really question, but it does not always come in the same form. If you do follow someone else's ingredient list, you may, no surprise, produce ideas in line with the common logic of that recipe.

> So I'd agree that experience in cryptanalysis isn't necessary to
> create a plausible _looking_ design, but that it is an _absolute
> necessity_ for creating an actual publishable design (unless you just
> wanted to create a toy cipher). If the 10000's of amateur
> cryptographers all started publishing designs, we'd be in a total mess!

Speak for yourself, white man.

> These days ciphers are expected to be used as building blocks for all
> sorts of security primitives, so even "security" involves resistance
> to many different modes of attack, and the amount of work needed to
> design a cipher is usually beyond the skills and patience of a single
> individual anyway.

Ah, beyond the Expert Syndrome to the group-think phenomenon. And, I suppose that such a design system would put ALL the names of the contributors out front. It would seem best to acknowledge even the most meager of efforts that helped the team, as it might make a difference if the coffee was brewed correctly. Including all the help would make the front people look less important, or are they not the essential ingredient in the first place?

> Our whole digital infrastructure is going to depend on future ciphers
> being secure, and I for one don't want to see the information
> superhighway made of "concrete" that washes away the first time it
> rains because its recipe was formulated by a well-meaning amateur who
> didn't know anything about QA'ing concrete!!

Roads, unlike cryptographic algorithms, are best built under the old Roman model, and pavement has not improved much since.

The problem with the whole digital infrastructure is that we have a very sick patient, and the base question should be whether we should start over, beginning with the very design of the lowest end to include historically known security wisdom and extend it throughout, not whether we can put it in a rest home so as to prolong the agony.
--
---
Passing a budget that no single person has fully seen is bad. Ronnie was right at least once.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:41:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633eed3.1151576@news.visi.com>
References: <jgfunj-2210981357000001@dialup159.itexas.net>
Newsgroups: sci.crypt
Lines: 40

On Thu, 22 Oct 1998 13:56:59 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>Many imply that if you simply follow their rules for cipher construction,
>you need not do much of the analysis yourself. They even suggest that
>someone else do it, a catch-22.

Many are wrong.

>> That's like saying a blind person can paint a scene in correct colours
>> despite being unable to see what they are doing! Sure it's not
>> _impossible_ that it could happen, but no-one with an ounce of common sense
>> expects such an outrageously lucky outcome (or even for the paint to
>> end up on the canvas!!)
>
>Did you see the story on TV about the guy who is blind and bicycles? He
>has learned sonic location, and clicks his tongue as a generator.
>
>Out of curiosity, I once asked a blind man to describe different colors.
>The explanations he had remembered from what he had heard made sense. This
>is somewhat in line with my above comments about following someone else's
>crypto design strategies.

Remember that security is orthogonal to functionality. A blind guy gets feedback--from the pavement, large objects, etc--to tell him he is succeeding or failing at bicycle riding. An algorithm designer gets no such feedback.

>> We don't want a cipher that might well be
>> extremely strong, we want ciphers that are extremely likely to be
>> strong...
>
>According to someone else's plan....

The totality of "someone elses" are the attackers.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 23:31:04 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510982331040001@207.22.198.192>
References: <3633eed3.1151576@news.visi.com>
Newsgroups: sci.crypt
Lines: 20

In article <3633eed3.1151576@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> Remember that security is orthogonal to functionality. A blind guy
> gets feedback--from the pavement, large objects, etc--to tell him he
> is succeeding or failing at bicycle riding. An algorithm designer
> gets no such feedback.

Sure he does, if and when what he did is discovered to be wanting. However, it is an oft-used tactic to hide that news so that you can continue to read his mail.

More to the point, the AES process is *designed* as a big feedback mechanism, the quicker acting the better.
--
---
Please excuse if there are multiple postings for my responses... I have no idea where they come from, as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:38:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633ee7c.1064691@news.visi.com>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 77

On 19 Oct 1998 14:29:21 +0100, Mark Tillotson <markt@harlequin.co.uk> wrote:

>jsavard@freenet.edmonton.ab.ca () wrote:
>| And a general familiarity with the principles of cryptanalysis, especially
>| as they apply to the kind of cipher one is attempting to design, is going
>| to be an important guide away from various pitfalls.
>|
>| However, cryptanalysis is a discipline of its own, and requires either
>| considerable stamina or advanced mathematical skills. One does not quite
>| need these qualifications to design a secure cipher, particularly if one
>| is following your earlier advice and not ignoring the lessons of previous
>| designs.
>
>Nonsense! How on earth can you claim to design a secure cipher if you are
>_incapable_ of distinguishing a weak cipher from a strong cipher??? It
>just doesn't make any sense at all.
>
>That's like saying a blind person can paint a scene in correct colours
>despite being unable to see what they are doing! Sure it's not
>_impossible_ that it could happen, but no-one with an ounce of common sense
>expects such an outrageously lucky outcome (or even for the paint to
>end up on the canvas!!) We don't want a cipher that might well be
>extremely strong, we want ciphers that are extremely likely to be
>strong...

Good comment.

>With cipher design we don't even have a way of distinguishing strong
>from weak, we merely have techniques of varying sophistication for
>trying to identify and measure weakness, and people more or less
>highly skilled at applying them and inventing new techniques of
>analysis. The cipher designer needs to iterate the design through
>more and more sophisticated analyses until it _seems_ both
>appropriately secure and efficient. Then the next step is to enlist
>some more people to help in the process of searching for missed
>weaknesses, and eventually publication.
>
>It's an ongoing process of weeding out weaknesses, gradually bringing
>in more and more people as one's confidence in the lack of "silly
>mistakes" grows, just like any other safety-critical large-scale
>engineering project.
>
>There certainly is a lot of scope for amateurs to suggest _ideas_ to
>use in cipher design, but a serious _design_ itself needs to be at the
>centre of such a process of cryptanalysis, not just made up by
>inspired guesswork.

Agreed.

>So I'd agree that experience in cryptanalysis isn't necessary to
>create a plausible _looking_ design, but that it is an _absolute
>necessity_ for creating an actual publishable design (unless you just
>wanted to create a toy cipher). If the 10000's of amateur
>cryptographers all started publishing designs, we'd be in a total mess!

1000s of TriStratas and Ultimate Privacies. Sounds horrible.

>These days ciphers are expected to be used as building blocks for all
>sorts of security primitives, so even "security" involves resistance
>to many different modes of attack, and the amount of work needed to
>design a cipher is usually beyond the skills and patience of a single
>individual anyway.
>
>Our whole digital infrastructure is going to depend on future ciphers
>being secure, and I for one don't want to see the information
>superhighway made of "concrete" that washes away the first time it
>rains because its recipe was formulated by a well-meaning amateur who
>didn't know anything about QA'ing concrete!!

Rah rah.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 08:18:40 GMT
From: cryptonews@my-dejanews.com
Message-ID: <711b90$he8$1@nnrp1.dejanews.com>
References: <3633ee7c.1064691@news.visi.com>
Newsgroups: sci.crypt
Lines: 30

In article <3633ee7c.1064691@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> >So I'd agree that experience in cryptanalysis isn't necessary to
> >create a plausible _looking_ design, but that it is an _absolute
> >necessity_ for creating an actual publishable design (unless you just
> >wanted to create a toy cipher). If the 10000's of amateur
> >cryptographers all started publishing designs, we'd be in a total mess!
>
> 1000s of TriStratas and Ultimate Privacies. Sounds horrible.

This is not about crypto and security; it is rather becoming about Bruce Schneier's BIG EGO and what he thinks the world should be.

You should be ashamed of posting this response on SCI.CRYPT.

Cheers,

Sam Kamille

> Rah rah.
>
> Bruce
> **********************************************************************
> Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
> 101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
>            Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 13:06:03 GMT
From: dscott@networkusa.net
Message-ID: <711s3r$3j4$1@nnrp1.dejanews.com>
References: <711b90$he8$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 33

In article <711b90$he8$1@nnrp1.dejanews.com>, cryptonews@my-dejanews.com wrote:
> In article <3633ee7c.1064691@news.visi.com>,
> schneier@counterpane.com (Bruce Schneier) wrote:
> > >So I'd agree that experience in cryptanalysis isn't necessary to
> > >create a plausible _looking_ design, but that it is an _absolute
> > >necessity_ for creating an actual publishable design (unless you just
> > >wanted to create a toy cipher). If the 10000's of amateur
> > >cryptographers all started publishing designs, we'd be in a total mess!
> >
> > 1000s of TriStratas and Ultimate Privacies. Sounds horrible.
>
> This is not about crypto and security; it is rather becoming about
> Bruce Schneier's BIG EGO and what he thinks the world should be.
>
> You should be ashamed of posting this response on SCI.CRYPT.
>
> Cheers,
>
> Sam Kamille

Play it again, Sam. For a while I thought I was the only one intelligent enough to notice Mr B.S. is nothing but a big BLOWHARD; it seems that everyone else was following him like a god. If you read my hate mail messages.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 18:00:16 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3634b729.7043376@news.prosurfr.com>
References: <711b90$he8$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 39

cryptonews@my-dejanews.com wrote, in part:

>In article <3633ee7c.1064691@news.visi.com>,
> schneier@counterpane.com (Bruce Schneier) wrote:
>> >So I'd agree that experience in cryptanalysis isn't necessary to
>> >create a plausible _looking_ design, but that it is an _absolute
>> >necessity_ for creating an actual publishable design (unless you just
>> >wanted to create a toy cipher). If the 10000's of amateur
>> >cryptographers all started publishing designs, we'd be in a total mess!
>> 1000s of TriStratas and Ultimate Privacies. Sounds horrible.

> This is not about crypto and security; it is rather becoming about
> Bruce Schneier's BIG EGO and what he thinks the world should be.

> You should be ashamed of posting this response on SCI.CRYPT.

No, that is not at all true or fair.

I'll admit, I'm a bit more liberal. I think that, while some knowledge of cryptanalysis is needed to design a secure cipher, one doesn't actually need the level of knowledge that one can use to easily prove you know what you're talking about - and so life is more complicated.

I'd also say that amateur cipher designs are harmless enough, if the person responsible is reasonably modest, and doesn't try to claim he has the solution to everybody's problem, and all other ciphers are irrelevant.

Actually, if there were 10,000 amateur cipher designs published, the harm would be mainly to amateur cipher designers - in that their designs would receive even less attention than is now the case. The channels of professional publication would simply become a bit more exclusive - in self-defence, to remain usable, not out of egotism.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 18:32:41 GMT
From: aquiranx@goliat.ugr.es (Gurripato (x=nospam))
Message-ID: <363758d1.27371552@news.cica.es>
References: <3634b729.7043376@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 22

On Mon, 26 Oct 1998 18:00:16 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:
>
>Actually, if there were 10,000 amateur cipher designs published, the
>harm would be mainly to amateur cipher designers - in that their
>designs would receive even less attention than is now the case. The
>channels of professional publication would simply become a bit more
>exclusive - in self-defence, to remain usable, not out of egotism.
>
>John Savard
>http://members.xoom.com/quadibloc/index.html

Not to speak of crypto-credibility as a whole. If those 10,000 amateur ciphers existed and were published, crypto vendors would start incorporating them into their products. How would the customers react when 9,990 of those ciphers are proved to be weak? They would distrust all ciphers in general, and perhaps turn to some "credible" source like the USGov or the NSA (or Bill Gates, come to that). Designing homemade ciphers is fun; pretending they are strong and useful in real life is another matter.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 19:13:43 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <36376ccf.5706026@news.io.com>
References: <363758d1.27371552@news.cica.es>
Newsgroups: sci.crypt
Lines: 65

On Wed, 28 Oct 1998 18:32:41 GMT, in <363758d1.27371552@news.cica.es>, in sci.crypt aquiranx@goliat.ugr.es (Gurripato (x=nospam)) wrote:

>On Mon, 26 Oct 1998 18:00:16 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John
>Savard) wrote:
>
>>Actually, if there were 10,000 amateur cipher designs published, the
>>harm would be mainly to amateur cipher designers - in that their
>>designs would receive even less attention than is now the case. The
>>channels of professional publication would simply become a bit more
>>exclusive - in self-defence, to remain usable, not out of egotism.
>>
>>John Savard
>>http://members.xoom.com/quadibloc/index.html
>
> Not to speak of crypto-credibility as a whole. If those 10,000
>amateur ciphers existed and were published, crypto vendors would start
>incorporating them into their products. How would the customers react when
>9,990 of those ciphers are proved to be weak? They would distrust all
>ciphers in general, and perhaps turn to some "credible" source like the
>USGov or the NSA (or Bill Gates, come to that). Designing homemade ciphers
>is fun; pretending they are strong and useful in real life is another
>matter.

This is a legitimate concern, but it applies to everything we have.

The problem is that we cannot measure the strength of a cipher. But that means *any* cipher, even the well-regarded ones. So, if one of the few well-regarded ciphers that people actually use is found weak, does this not reflect on the entire field, the whole profession, indeed the whole concept of cryptography?

I would argue that the better situation for "crypto-credibility" is if we have many ciphers and various users need to select a cipher on their own, and thus take some responsibility for it.

In a "many cipher" environment, if a particular cipher fails, some subset of the population is affected, and they quickly change to another cipher. But if the major cipher we all use fails, and users do not normally change ciphers (and thus probably can't), we have a major disaster for a long time, and *that* is how we lose "crypto-credibility." Better a lot of small failures and short changeovers than one huge failure with a changeover that could take years.

And when a cipher is actually *found* weak, this is actually the lesser problem, *provided* users have alternate ciphers *and* can select them rather quickly. The larger problem is when a cipher *is* weak and none of our guys can show that. Then we get to use that thing.

It is *dangerous* for everybody to use the same cipher.

Analysis cannot be enough. We also need to establish defensive protocols -- such as the ability to change ciphers, universal multi-ciphering, and having "many ciphers" (to reduce the value of the traffic under any one) -- to help mitigate our fundamental uncertainty about cipher strength.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
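The "defensive protocols" Ritter names in the post above (the ability to change ciphers, multi-ciphering under independent keys, a choice of many ciphers) in working code, as an added example that is not part of the original thread and is not Ritter's own software. It is a toy envelope format: the header names the cipher suite of every layer, a suite that has been found weak is refused for new traffic but still decrypts old traffic so it can be re-encrypted, and the payload is cascaded through two layers under independent keys. The suite registry, suite numbers, envelope layout and key labels are all constructed for this example; the "ciphers" are HMAC keystreams run in counter mode, standing in for whatever real block or stream ciphers a deployment would register.

```python
"""Cipher agility plus a two-layer cascade, as a constructed envelope format.

The suites, numbering and layout are assumptions for this example. Each
suite is an HMAC-based keystream (a PRF in counter mode) standing in for a
real cipher.
"""
import hashlib
import hmac
import os
import struct

VERSION = 1

# Suite registry: id -> (name, hash function driving the PRF).
SUITES = {
    1: ("prf-md5", hashlib.md5),        # assume this one was later found weak
    2: ("prf-sha256", hashlib.sha256),
    3: ("prf-sha512", hashlib.sha512),
}
# Retired suites stay decryptable so old traffic can be migrated, but are
# refused for new encryption: that is the "ability to change ciphers".
RETIRED = {1}


def keystream(suite_id, key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || suite || counter), concatenated."""
    _, hashfn = SUITES[suite_id]
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + bytes([suite_id]) + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashfn).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(layers, mac_key, plaintext, nonce=None):
    """layers: list of (suite_id, key). The layer keys must be independent of
    each other and of mac_key; with independent keys the cascade is no weaker
    than its strongest layer, which is the point of multi-ciphering."""
    for suite_id, _ in layers:
        if suite_id not in SUITES:
            raise ValueError("unknown suite %d" % suite_id)
        if suite_id in RETIRED:
            raise ValueError("suite %d is retired; pick another" % suite_id)
    nonce = os.urandom(16) if nonce is None else nonce
    header = bytes([VERSION, len(layers)]) + bytes(s for s, _ in layers) + nonce
    body = plaintext
    for suite_id, key in layers:                 # apply the layers in order
        body = xor(body, keystream(suite_id, key, nonce, len(body)))
    # The tag covers the header, so the suite ids cannot be downgraded in transit.
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt(keys, mac_key, envelope):
    """keys: layer keys in the order used by encrypt. Returns
    (plaintext, needs_reencrypt); the flag is True when any layer used a
    retired suite, so the caller knows to re-encrypt under current suites."""
    if len(envelope) < 2 or envelope[0] != VERSION:
        raise ValueError("bad version")
    n = envelope[1]
    suite_ids = list(envelope[2:2 + n])
    nonce = envelope[2 + n:2 + n + 16]
    header = envelope[:2 + n + 16]
    body, tag = envelope[len(header):-32], envelope[-32:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # authenticate before decrypting
        raise ValueError("authentication failed")
    if n != len(keys) or any(s not in SUITES for s in suite_ids):
        raise ValueError("layer count or suite mismatch")
    for suite_id, key in reversed(list(zip(suite_ids, keys))):
        body = xor(body, keystream(suite_id, key, nonce, len(body)))
    return body, any(s in RETIRED for s in suite_ids)


if __name__ == "__main__":
    k1, k2, km = os.urandom(32), os.urandom(32), os.urandom(32)
    env = encrypt([(2, k1), (3, k2)], km, b"attack at dawn")
    print(env[:4].hex(), decrypt([k1, k2], km, env))
```

Two design points matter more than the toy ciphers. First, the suite ids live inside the authenticated header: an attacker who could rewrite them would otherwise force a downgrade to the retired suite. Second, the layer keys are generated independently rather than derived from one another; a cascade only earns its "no weaker than the strongest layer" property when a break of one layer reveals nothing about the other's key.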
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 14:52:00 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <717sl0$m32$1@quine.mathcs.duq.edu>
References: <36376ccf.5706026@news.io.com>
Newsgroups: sci.crypt
Lines: 41

In article <36376ccf.5706026@news.io.com>, Terry Ritter <ritter@io.com> wrote:
>
>On Wed, 28 Oct 1998 18:32:41 GMT, in <363758d1.27371552@news.cica.es>,
>in sci.crypt aquiranx@goliat.ugr.es (Gurripato (x=nospam)) wrote:
>
>>On Mon, 26 Oct 1998 18:00:16 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John
>>Savard) wrote:
>>
>>>Actually, if there were 10,000 amateur cipher designs published, the
>>>harm would be mainly to amateur cipher designers - in that their
>>>designs would receive even less attention than is now the case. The
>>>channels of professional publication would simply become a bit more
>>>exclusive - in self-defence, to remain usable, not out of egotism.
>>>
>>>John Savard
>>>http://members.xoom.com/quadibloc/index.html
>>
>> Not to speak of crypto-credibility as a whole. If those 10,000
>>amateur ciphers existed and were published, crypto vendors would start
>>incorporating them into their products. How would the customers react when
>>9,990 of those ciphers are proved to be weak? They would distrust all
>>ciphers in general, and perhaps turn to some "credible" source like the
>>USGov or the NSA (or Bill Gates, come to that). Designing homemade ciphers
>>is fun; pretending they are strong and useful in real life is another
>>matter.
>
>This is a legitimate concern, but it applies to everything we have.
>
>The problem is that we cannot measure the strength of a cipher. But
>that means *any* cipher, even the well-regarded ones.

This is untrue. It's fairly easy to come up with a measurement of the strength of a cypher -- and even a fairly meaningful measurement as an upper bound of the strength of a cypher -- to wit, no cypher can be stronger than the effort required by the best known attack to break it.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 17:57:07 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363df228.1199990@news.io.com>
References: <717sl0$m32$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 31

On 28 Oct 1998 14:52:00 -0500, in <717sl0$m32$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>>[...]
>>The problem is that we cannot measure the strength of a cipher. But
>>that means *any* cipher, even the well-regarded ones.
>
>This is untrue. It's fairly easy to come up with a measurement
>of the strength of a cypher -- and even a fairly meaningful measurement
>as an upper bound of the strength of a cypher -- to wit, no cypher
>can be stronger than the effort required by the best known attack
>to break it.

From the user's standpoint, an upper bound is *not* the strength, and is not even a useful estimate.

For a user, a *lower* bound would be acceptable, since an Opponent would have to invest that amount of effort *at least* to penetrate the cipher. But an *upper* bound is inherently deceptive of the effort an Opponent might have to spend. The real value could be much, much less. For any upper bound, the real strength could be none at all.

To the user, since we have *neither* the real strength, *nor* the lower bound, we have no useful measure of strength at all.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 2 Nov 1998 15:23:18 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <71l4bm$rm9$1@quine.mathcs.duq.edu>
References: <363df228.1199990@news.io.com>
Newsgroups: sci.crypt
Lines: 39

In article <363df228.1199990@news.io.com>, Terry Ritter <ritter@io.com> wrote:
>
>On 28 Oct 1998 14:52:00 -0500, in <717sl0$m32$1@quine.mathcs.duq.edu>,
>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>>[...]
>>>The problem is that we cannot measure the strength of a cipher. But
>>>that means *any* cipher, even the well-regarded ones.
>>
>>This is untrue. It's fairly easy to come up with a measurement
>>of the strength of a cypher -- and even a fairly meaningful measurement
>>as an upper bound of the strength of a cypher -- to wit, no cypher
>>can be stronger than the effort required by the best known attack
>>to break it.
>
>From the user's standpoint, an upper bound is *not* the strength, and
>is not even a useful estimate.

Depends on which user you talk to, I suspect. It's certainly a useful estimate if the upper bound is too small to represent an acceptable risk. In other words, people *know* not to use DES not because of the outside chance that a brilliant cryptographer might be able to crack it quickly, but because there's no possible way that it could resist a determined brute-force attempt.

One can, after all, always buy insurance against the lucky break.

>To the user, since we have *neither* the real strength, *nor* the
>lower bound, we have no useful measure of strength at all.

Again, this is incorrect. I stand by my original statement that we have a meaningful measure. Just because it doesn't do what *YOU* want doesn't make it nonexistent. Mere dislike has rarely been able to conjure things out of existence.

I have an upper bound, I insure against the lower bound being smaller than I envision, and the risk becomes Lloyd's.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 04:37:50 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3647c318.8268430@news.io.com>
References: <71l4bm$rm9$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 51

On 2 Nov 1998 15:23:18 -0500, in <71l4bm$rm9$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>[...]
>In other words, people *know* not to use DES not because of the outside chance that a brilliant cryptographer might be able to crack it quickly, but because there's no possible way that it could resist a determined brute-force attempt.

When cryptanalysis identifies a practical break, it provides very useful information.

But most cryptanalysis does not do this, but instead produces yet another impractical break. The user thus gets to judge between ciphers with impractical breaks and ciphers as yet unanalyzed. Cryptanalysis does not provide information useful for making such a decision.

>>To the user, since we have *neither* the real strength, *nor* the lower bound, we have no useful measure of strength at all.
>
>Again, this is incorrect. I stand by my original statement that we have a meaningful measure. Just because it doesn't do what *YOU* want doesn't make it nonexistent. Mere dislike has rarely been able to conjure things out of existence.

Not only does cryptanalysis not do what *I* want, it hardly does anything at all *unless* it comes up with a practical break. The vast majority of cryptanalysis -- so praised by so many -- does nothing at all to inform users about the strength of their cipher.

Indeed, The Opponents may be superior to our analysts in many ways, and may have breaks our guys do not. What our guys find in no way implies that The Opponents have nothing better: that is the crux of the problem.

>I have an upper bound, I insure against the lower bound being smaller than I envision, and the risk becomes Lloyd's.

So if you have an affair, and The Opponents provide your wife with that information, does Lloyds guarantee a new wife, one just as good or better?

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 16:49:40 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <36486db8.1953802@news.prosurfr.com>
References: <3647c318.8268430@news.io.com>
Newsgroups: sci.crypt
Lines: 22

ritter@io.com (Terry Ritter) wrote, in part:

>When cryptanalysis identifies a practical break, it provides very useful information.

>But most cryptanalysis does not do this, but instead produces yet another impractical break. The user thus gets to judge between ciphers with impractical breaks and ciphers as yet unanalyzed. Cryptanalysis does not provide information useful for making such a decision.

Ah. Sorry for failing to understand what you were getting at: since differential, meet-in-the-middle attacks, etc., require enormous quantities of known plaintext, either it is not clear they invalidate a system for practical use, or, if they do prompt some precautionary measures, the result is still not known to be secure.

And your point that not all risks can be handled by insurance is true and amusing.

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 18:12:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <364880f0.803066@news.visi.com>
References: <3647c318.8268430@news.io.com>
Newsgroups: sci.crypt
Lines: 34

On Tue, 10 Nov 1998 04:37:50 GMT, ritter@io.com (Terry Ritter) wrote:

>When cryptanalysis identifies a practical break, it provides very useful information.
>
>But most cryptanalysis does not do this, but instead produces yet another impractical break. The user thus gets to judge between ciphers with impractical breaks and ciphers as yet unanalyzed. Cryptanalysis does not provide information useful for making such a decision.

To many of us, impractical breaks provide very useful information to judge between ciphers.

>Not only does cryptanalysis not do what *I* want, it hardly does anything at all *unless* it comes up with a practical break. The vast majority of cryptanalysis -- so praised by so many -- does nothing at all to inform users about the strength of their cipher.

Probably. But to me, that's because users are not mathematicians. The vast majority of cryptanalysis does a lot to inform cryptographers about the strength of ciphers.

There's an NSA saying: "Attacks always get better." Ciphers that allow theoretical breaks are weaker than ciphers that don't. For example, there is an attack against IDEA that works against 4.5 round variants. If there were a cipher for which that other attack did not work, then ALL OTHER THINGS BEING EQUAL I would prefer that other cipher to IDEA.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 15:18:01 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <3649AA9A.E8719FD7@null.net>
References: <364880f0.803066@news.visi.com>
Newsgroups: sci.crypt
Lines: 27

Bruce Schneier wrote:
> To many of us, impractical breaks provide very useful information to judge between ciphers.

They provide information, which you may *choose* to use in judging, but that is not necessarily a rational choice. To be rational, its *relevance* to the functional criteria needs to be established.

> There's an NSA saying: "Attacks always get better." Ciphers that allow theoretical breaks are weaker than ciphers that don't.

Ah, but how do you know that they don't? Unless you have a proof of that, instead what you have is a lack of knowledge of any successful method of attack. That doesn't mean one cannot exist.

> For example, there is an attack against IDEA that works against 4.5 round variants. If there were a cipher for which that other attack did not work, then ALL OTHER THINGS BEING EQUAL I would prefer that other cipher to IDEA.

For that to be rational, you'd need to demonstrate that all other things are indeed equal. But that is most unlikely!

I think, as often happens in academia, attention is focused too heavily on areas where metrics exist, whether or not the metrics have practical value.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 21:59:21 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <364b5a27.14538834@news.io.com>
References: <364880f0.803066@news.visi.com>
Newsgroups: sci.crypt
Lines: 71

On Tue, 10 Nov 1998 18:12:23 GMT, in <364880f0.803066@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>On Tue, 10 Nov 1998 04:37:50 GMT, ritter@io.com (Terry Ritter) wrote:
>[...]
>>Not only does cryptanalysis not do what *I* want, it hardly does anything at all *unless* it comes up with a practical break. The vast majority of cryptanalysis -- so praised by so many -- does nothing at all to inform users about the strength of their cipher.
>
>Probably. But to me, that's because users are not mathematicians. The vast majority of cryptanalysis does a lot to inform cryptographers about the strength of ciphers.

"Strength" is usually taken to be the minimum possible effort used for any possible successful attack. Finding a successful attack certainly tells us that "strength" can be no higher than that attack. But it does not tell us what the strength really is. So the attack tells us *nothing* about the real strength of the cipher. I would think it quite odd indeed that any mathematician would say otherwise.

>There's an NSA saying: "Attacks always get better."

We might just as well say: "Any cipher a man can make, another can break." Which means *any* cipher is vulnerable.

These sayings have their place: Nobody is going to break a cipher by starting out saying that the job cannot be done. Nobody is going to improve an attack by starting out thinking the first attack is the final word. Such sayings have their place in encouraging creative cryptanalysis on apparently very tough ciphers. But sayings are not a basis for scientific comparison.

>Ciphers that allow theoretical breaks are weaker than ciphers that don't.

And that is precisely the leap I have been discussing. I am aware of no scientific basis for that statement. This takes us back to witchcraft and old-wives-tales.

>For example, there is an attack against IDEA that works against 4.5 round variants. If there were a cipher for which that other attack did not work, then ALL OTHER THINGS BEING EQUAL I would prefer that other cipher to IDEA.

And that is a different argument. That is the extrapolation argument with which I agree.

The argument with which I disagree is that a cipher *with* an impractical break (and which cannot reasonably be extrapolated to further weakness) can be considered weaker than a cipher *without* an impractical break.

To the extent that cryptanalysis produces impractical breaks, that work tells us nothing about the practical strength of ciphers.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 00:28:01 GMT
From: sandy.harris@sympatico.ca (Sandy Harris)
Message-ID: <l6s%1.110$GK.251745@news20.bellglobal.com>
References: <363df228.1199990@news.io.com>
Newsgroups: sci.crypt
Lines: 60

ritter@io.com (Terry Ritter) wrote:

>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>>[...]
>>>The problem is that we cannot measure the strength of a cipher. But that means *any* cipher, even the well-regarded ones.
>>
>>This is untrue. It's fairly easy to come up with a measurement of the strength of a cypher -- and even a fairly meaningful measurement of as an upper bound of the strength of a cypher -- to wit, no cypher can be stronger than the effort required by the best known attack to break it.
>
>From the user's standpoint, an upper bound is *not* the strength, and is not even a useful estimate.
>
>For a user, a *lower* bound would be acceptable, since an Opponent would have to invest that amount of effort *at least* to penetrate the cipher. But an *upper* bound is inherently deceptive of the effort an Opponent might have to spend. The real value could be much, much less. For any upper bound, the real strength could be none at all.
>
>To the user, since we have *neither* the real strength, *nor* the lower bound, we have no useful measure of strength at all.

Basically, I think you're right here. But I have a question.

We can in fact take the minimum of a set of upper bounds derived from all the obvious attacks.

    Brute force search.
    Meet-in-the-middle search if that appears possible.
    Linear & differential cryptanalysis.
    An attempt to write the cipher as a system of Boolean equations expressing ciphertext bits in terms of key & plaintext and then, given a bunch of plaintext/ciphertext pairs, solve for the key.
    For stream ciphers, linear complexity.
    Attacks based on cycles in block ciphers.
    . . .

I think that for good ciphers, lower bounds on the resources required for most or all of those can be proved. Any lower bound on resources needed for an attack is also an upper bound on the strength of the cipher. It cannot be stronger overall than it is against that attack.

If all of those are much higher than our worst-case estimate of attacker's resources, then we still don't know the strength of the cipher, but we do at least know that:

    unless the cipher has a weakness not tested above, it is strong enough
    if it does have such a weakness, an attacker is going to have to be clever, lucky and/or persistent to find it
    only a new attack based on an unknown weakness can succeed

This still does not measure the real strength, but it at least gives us some reason to hope.
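The bound argument running through Juola's post above and this one of Harris's, written out as an added note that is not part of the thread (the symbols are introduced here, not by any poster). Let $\mathcal{A}$ be the set of all attacks on a cipher, $\mathcal{K} \subseteq \mathcal{A}$ the attacks currently known, and $c(A)$ the work an attack $A$ costs. Ritter's "strength" is the cheapest attack of all:

$$
S \;=\; \min_{A \in \mathcal{A}} c(A), \qquad
U \;=\; \min_{A \in \mathcal{K}} c(A), \qquad
S \;\le\; U \quad\text{since } \mathcal{K} \subseteq \mathcal{A}.
$$

Harris's proven per-attack lower bounds $\ell(A) \le c(A)$ for $A \in \mathcal{K}$ give

$$
\min_{A \in \mathcal{K}} \ell(A) \;\le\; \min_{A \in \mathcal{K}} c(A) \;=\; U,
$$

which bounds $U$ from below but says nothing about $S$, because every attack in $\mathcal{A} \setminus \mathcal{K}$ is unconstrained. With an attacker budget $B$, Juola's test is one-sided: $U < B$ rejects the cipher, but $U \ge B$ leaves $S$ anywhere in $[0, U]$, which is Ritter's point that the real strength may be none at all.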
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 09:01:24 GMT
From: dscott@networkusa.net
Message-ID: <71mgp3$f3h$1@nnrp1.dejanews.com>
References: <l6s%1.110$GK.251745@news20.bellglobal.com>
Newsgroups: sci.crypt
Lines: 58

In article <l6s%1.110$GK.251745@news20.bellglobal.com>, sandy.harris@sympatico.ca (Sandy Harris) wrote:
> ritter@io.com (Terry Ritter) wrote:
>
> >in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
> >
> >>>[...]
> >>>The problem is that we cannot measure the strength of a cipher. But that means *any* cipher, even the well-regarded ones.
> >>
> >>This is untrue. It's fairly easy to come up with a measurement of the strength of a cypher -- and even a fairly meaningful measurement of as an upper bound of the strength of a cypher -- to wit, no cypher can be stronger than the effort required by the best known attack to break it.
> >
> >From the user's standpoint, an upper bound is *not* the strength, and is not even a useful estimate.
> >
> >For a user, a *lower* bound would be acceptable, since an Opponent would have to invest that amount of effort *at least* to penetrate the cipher. But an *upper* bound is inherently deceptive of the effort an Opponent might have to spend. The real value could be much, much less. For any upper bound, the real strength could be none at all.
> >
> >To the user, since we have *neither* the real strength, *nor* the lower bound, we have no useful measure of strength at all.
>
> Basically, I think you're right here. But I have a question.
>
> We can in fact take the minimum of a set of upper bounds derived from all the obvious attacks.
>
>     Brute force search.
>     Meet-in-the-middle search if that appears possible.
>     Linear & differential cryptanalysis.
>     An attempt to write the cipher as a system of Boolean equations expressing ciphertext bits in terms of key & plaintext and then, given a bunch of plaintext/ciphertext pairs, solve for the key.
>     For stream ciphers, linear complexity.
>     Attacks based on cycles in block ciphers.
>     . . .

Some other things that most miss that should be added to this is how much information is needed by the guy breaking to know if he has decoded the file. This may seem like a hard to follow concept, but if one needs only to look at a small fragment of the file to run tests to check for a solution then it is a measurable weakness. My method in scottNu was designed to eliminate this weakness that is in all the Fishy des type of ciphers.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: 3 Nov 1998 16:48:57 GMT
From: jmccarty@sun1307.spd.dsccc.com (Mike McCarty)
Message-ID: <71nc5p$6br$1@relay1.dsccc.com>
References: <l6s%1.110$GK.251745@news20.bellglobal.com>
Newsgroups: sci.crypt
Lines: 59

In article <l6s%1.110$GK.251745@news20.bellglobal.com>, Sandy Harris <sandy.harris@sympatico.ca> wrote:
)Basically, I think you're right here. But I have a question.
)
)We can in fact take the minimum of a set of upper bounds derived from all the obvious attacks.
)
)    Brute force search.
)    Meet-in-the-middle search if that appears possible.
)    Linear & differential cryptanalysis.
)    An attempt to write the cipher as a system of Boolean equations expressing ciphertext bits in terms of key & plaintext and then, given a bunch of plaintext/ciphertext pairs, solve for the key.
)    For stream ciphers, linear complexity.
)    Attacks based on cycles in block ciphers.
)    . . .

Are you including attacks based on, say, bribery?

Unless you are willing specifically to state the exact list of attacks (which seems undesirable), then you must state a specific criterion by which one may, by application of the criterion, determine whether any given proposed attack falls in the list of canonical attacks. This seems difficult to me.

)I think that for good ciphers, lower bounds on the resources required for most or all of those can be proved. Any lower bound on resources needed for an attack is also an upper bound on the strength of the cipher. It cannot be stronger overall than it is against that attack.

This principle seems good to me.

)If all of those are much higher than our worst-case estimate of attacker's resources, then we still don't know the strength of the cipher, but we do at least know that:
)
)    unless the cipher has a weakness not tested above, it is strong enough
)    if it does have such a weakness, an attacker is going to have to be clever, lucky and/or persistent to find it
)    only a new attack based on an unknown weakness can succeed
)
)This still does not measure the real strength, but it at least gives us some reason to hope.

If we can devise some predicate P(.) which can be applied to attacks and which determines whether the proposed attack satisfies the predicate for canonicity, then I think your idea is workable. It seems to me that formulating this predicate will be (unless it is in the form of a list of canonical attacks) very difficult to do. Perhaps not impossible. This looks to me to be a reasonable research area.

Mike
--
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I don't speak for Alcatel <- They make me say that.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 17:05:48 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363f37b9.3868604@news.io.com>
References: <l6s%1.110$GK.251745@news20.bellglobal.com>
Newsgroups: sci.crypt
Lines: 86

On Tue, 03 Nov 1998 00:28:01 GMT, in <l6s%1.110$GK.251745@news20.bellglobal.com>, in sci.crypt sandy.harris@sympatico.ca (Sandy Harris) wrote:

>ritter@io.com (Terry Ritter) wrote:
>>[...]
>>To the user, since we have *neither* the real strength, *nor* the lower bound, we have no useful measure of strength at all.
>
>Basically, I think you're right here. But I have a question.
>
>We can in fact take the minimum of a set of upper bounds derived from all the obvious attacks.
>
>    Brute force search.
>    Meet-in-the-middle search if that appears possible.
>    Linear & differential cryptanalysis.
>    An attempt to write the cipher as a system of Boolean equations expressing ciphertext bits in terms of key & plaintext and then, given a bunch of plaintext/ciphertext pairs, solve for the key.
>    For stream ciphers, linear complexity.
>    Attacks based on cycles in block ciphers.
>    . . .
>
>I think that for good ciphers, lower bounds on the resources required for most or all of those can be proved.

Yet if we look in the cryptanalytic literature, we almost invariably find a *sequence* of ever-better versions that each improve on the previous attack. I believe I have seen improved versions of:

    * Meet-in-the-Middle,
    * Linear Cryptanalysis, and
    * Differential Cryptanalysis,

but I think such sequences are common.

Now, if it were practical to know lower bounds for these attacks, why would we ever see improved versions in the literature? And since we *do* see improved versions, how can we believe in computing lower bounds for strength, even for a particular attack?

>Any lower bound on resources needed for an attack is also an upper bound on the strength of the cipher. It cannot be stronger overall than it is against that attack.
>
>If all of those are much higher than our worst-case estimate of attacker's resources, then we still don't know the strength of the cipher, but we do at least know that:
>
>    unless the cipher has a weakness not tested above, it is strong enough

These "attacks" each depend upon human interpretation. Now who tests the tester? If someone tells us that a cipher is strong under these attacks, how can we believe it?

>    if it does have such a weakness, an attacker is going to have to be clever, lucky and/or persistent to find it

We use cryptography to face attackers with far greater resources in training, experience, equipment, time and motivation. Just because *we* have failed to find a weakness is no reason to think the attackers will also. There is no correlation, no correct extrapolation.

>    only a new attack based on an unknown weakness can succeed
>
>This still does not measure the real strength, but it at least gives us some reason to hope.

The reason for hope is the acknowledgement of the problem and the use of protocols which tend to minimize it. The strength quality is literally out of control, so we cannot trust that.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 6 Nov 1998 08:42:08 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <71ucp0$ghp$1@news.umbc.edu>
References: <363f37b9.3868604@news.io.com>
Newsgroups: sci.crypt
Lines: 23

Terry Ritter (ritter@io.com) wrote:
[...]
: We use cryptography to face attackers with far greater resources in training, experience, equipment, time and motivation. Just because *we* have failed to find a weakness is no reason to think the attackers will also. There is no correlation, no correct extrapolation.

No correlation???? You've talked yourself into a bunch of nonsense.

Note that for no correlation to exist, it is necessary that no cipher is weakness free. If any is, then both defender and attacker must fail to find weakness and therefore there would be a correlation.

So how do you know there's no correlation?

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 20:01:18 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <363e0e04.12569961@news.prosurfr.com>
References: <717sl0$m32$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 20

juola@mathcs.duq.edu (Patrick Juola) wrote, in part:

>This is untrue. It's fairly easy to come up with a measurement of the strength of a cypher -- and even a fairly meaningful measurement of as an upper bound of the strength of a cypher -- to wit, no cypher can be stronger than the effort required by the best known attack to break it.

But Terry Ritter is right that there's no easy way to derive the actual strength (or, for that matter, a _lower_ bound on the strength of a cipher, IMO). He feels this is an important problem in cryptography to which not enough attention is being devoted.

I feel, on the other hand, that this isn't a problem one *can* work on specifically. That this is a goal which requires every great question in mathematics to have been answered. So, in a way, *all* mathematical work proceeds to that goal - but it's a very distant one.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 17:04:48 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363f37a3.3846779@news.io.com>
References: <363e0e04.12569961@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 49

On Mon, 02 Nov 1998 20:01:18 GMT, in <363e0e04.12569961@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>juola@mathcs.duq.edu (Patrick Juola) wrote, in part:
>
>>This is untrue. It's fairly easy to come up with a measurement of the strength of a cypher -- and even a fairly meaningful measurement of as an upper bound of the strength of a cypher -- to wit, no cypher can be stronger than the effort required by the best known attack to break it.
>
>But Terry Ritter is right that there's no easy way to derive the actual strength (or, for that matter, a _lower_ bound on the strength of a cipher, IMO). He feels this is an important problem in cryptography to which not enough attention is being devoted.

Having no lower bounds for strength may be "an important problem" to the academic study of cryptography. But it also calls into question *the entire field* of practical cryptography.

The whole point of the actual use of cryptography is to *enforce* security. Without at least a minimum value for strength, the user has no guarantee -- or even a useful probability -- of that.

We can try to improve this situation by multi-ciphering and other protocols, but we have a real problem that should be universally recognized and commonly discussed. This is not just, or even mainly, "academic," it is a real problem in practice for real systems.

>I feel, on the other hand, that this isn't a problem one *can* work on specifically. That this is a goal which requires every great question in mathematics to have been answered. So, in a way, *all* mathematical work proceeds to that goal - but it's a very distant one.

The actual truth of not knowing the strength of the ciphers we field for people to use is not just an academic problem. Breaking a cipher gives us no more useful information about the strength of the cipher than we had before that cipher was broken.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 23:42:10 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <363f8efc.24854596@news.prosurfr.com>
References: <363f37a3.3846779@news.io.com>
Newsgroups: sci.crypt
Lines: 74

ritter@io.com (Terry Ritter) wrote, in part:

>jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>>I feel, on the other hand, that this isn't a problem one *can* work on specifically. That this is a goal which requires every great question in mathematics to have been answered. So, in a way, *all* mathematical work proceeds to that goal - but it's a very distant one.

>The actual truth of not knowing the strength of the ciphers we field for people to use is not just an academic problem. Breaking a cipher gives us no more useful information about the strength of the cipher than we had before that cipher was broken.

Breaking a cipher can, of course, give us information that is useful in a negative sense: we can know for a fact that a certain cipher is too weak to be worth using.

Of course it isn't merely an academic problem, but something desirable from a practical point of view, to have a _lower_ bound for a cipher's strength. Solving it perfectly, in the academic sense, however, appears to be impossible - unless mathematics ever gets "finished".

Since the current rough-and-ready method of taking the upper bound with a grain of salt and discounting it as a strength guess is not acceptable, I assume you want a real, provable, lower bound. And whether one uses it for academic or practical purposes, it's just as unobtainable.

I don't contradict your statement that this is a serious problem for cryptography that we don't have this: but if there is no realistic prospect of obtaining it, directed effort at finding a way of obtaining lower bounds on cipher strength, however badly we need it, is _still_ a waste of time.

The fact that we all grow old, and this inevitably leads to death, is certainly a serious problem; but until very recently, attempting to solve this problem was still not a rational act.

Of course, the last time I said this, shortly after I came up with an "insight" into cryptanalysis that I thought got us *slightly* closer to the goal; no proven lower bound, but at least a little bit more insight for our guesses.

I'll put that insight on the record again: on a very high level, cryptanalysis can be divided into three types of operation:

- Brute force trying of all possibilities for the key or for some part of the key;

- Directly calculating the key from other information (e.g. calculating the private key from the public key by factoring; trying a probable word on a Vigenere);

- Separating the key - or, and this is very important, some internal transform of the key - into pieces that can be brute-forced separately.

I claim that #3 is sufficiently broad and vague to cover 99% of all cryptanalytic techniques in existence - yet it has enough content to suggest ways of making ciphers stronger, and maybe even is a first step to quantifying strength - in an imperfect and incomplete sense.

Perhaps what I'm saying is obvious to you, and the reason you are going beyond stating the fact that lower bounds on cryptographic strength don't exist to criticizing the cryptographic community for their nonexistence is because you do have some insight into how one might begin to go about looking for a way to find lower bounds.

If you do have such an insight, you have come up with something of great value.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 11:56:18 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <364040DF.98B1A714@null.net>
References: <363f8efc.24854596@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 16

John Savard wrote:
> I'll put that insight on the record again: on a very high level, cryptanalysis can be divided into three types of operation:
> - Brute force trying of all possibilities for the key or for some part of the key;
> - Directly calculating the key from other information (e.g. calculating the private key from the public key by factoring; trying a probable word on a Vigenere);
> - Separating the key - or, and this is very important, some internal transform of the key - into pieces that can be brute-forced separately.

It's nice to try to bring order to the subject, but the above is not complete. Some cryptanalysis doesn't even recover the key (this happened to me with Zendian DDHAA as I recall), and at other times one recovers a decimation of the true key.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 23:49:49 GMT
From: dscott@networkusa.net
Message-ID: <71qp6u$a6h$1@nnrp1.dejanews.com>
References: <364040DF.98B1A714@null.net>
Newsgroups: sci.crypt
Lines: 33

In article <364040DF.98B1A714@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote:
> John Savard wrote:
> > I'll put that insight on the record again: on a very high level, cryptanalysis can be divided into three types of operation:
> > - Brute force trying of all possibilities for the key or for some part of the key;
> > - Directly calculating the key from other information (e.g. calculating the private key from the public key by factoring; trying a probable word on a Vigenere);
> > - Separating the key - or, and this is very important, some internal transform of the key - into pieces that can be brute-forced separately.
>
> It's nice to try to bring order to the subject, but the above is not complete. Some cryptanalysis doesn't even recover the key (this happened to me with Zendian DDHAA as I recall), and at other times one recovers a decimation of the true key.
>

And sometimes the encryption program itself does not use or solve for the key that the method is based on. Like in scott19u.zip, which an anonymous crypto person has offered to set up a site talking about. I will fix up his omissions and misunderstandings as time goes on.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 03:33:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3647b3ca.4349316@news.io.com>
References: <363f8efc.24854596@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 59

On Tue, 03 Nov 1998 23:42:10 GMT, in <363f8efc.24854596@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>[...]
>Breaking a cipher can, of course, give us information that is useful in a negative sense: we can know for a fact that a certain cipher is too weak to be worth using.

But many of the results in cryptanalysis do not present us with a cipher known to be unusably weak. Many of these results need impractical efforts. Does an impractical break argue for using another cipher which has no break -- when that cipher *also* has no lower bound on strength? How is that a better situation?

>[...]
>The fact that we all grow old, and this inevitably leads to death, is certainly a serious problem; but until very recently, attempting to solve this problem was still not a rational act.

We know that life exists; all we need do is prolong it. Presumably, there are many specific problems. For each one we fix, we can scientifically verify improved results.

But we do not know that cryptographic strength exists, and we cannot verify it. No matter how many problems we fix, we have no idea whether strength has improved or not. This is a distinctly different situation.

>[...]
>Perhaps what I'm saying is obvious to you, and the reason you are going beyond stating the fact that lower bounds on cryptographic strength don't exist to criticizing the cryptographic community for their nonexistence is because you do have some insight into how one might begin to go about looking for a way to find lower bounds.

Well, it is *not* obvious to me that there *cannot* be a cipher with some amount of proven strength. I am aware of no proof that all ciphers must be weak.

But the reason I brought this stuff up and stayed with it was in direct response to the recent stuff on attacking ciphers. It was suggested that cryptanalysis is the way users know the strength of their ciphers. That suggestion is false.

In reality, cryptanalysis only benefits *users* when their particular cipher is actually shown to be weak in practice *and* the user can switch to something else. Any cryptanalytic results which show impractical breaks are irrelevant to the user and essentially contribute no information about strength.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 10 Nov 1998 17:26:20 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <3648706c.2645679@news.prosurfr.com> References: <3647b3ca.4349316@news.io.com> Newsgroups: sci.crypt Lines: 116 ritter@io.com (Terry Ritter) wrote, in part: >jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: >>[...] >>Breaking a cipher can, of course, give us information that is useful >>in a negative sense: we can know for a fact that a certain cipher is >>too weak to be worth using. >But many of the results in cryptanalysis do not present us with a >cipher known to be unusably weak. Many of these results need >impractical efforts. Does an impractical break argue for using >another cipher which has no break -- when that cipher *also* has no >lower bound on strength? How is that a better situation? At that point, my comment was just a minor nitpick for the sake of strict correctness. An impractical break is not an argument for using a completely different cipher, but between two closely similar ciphers, the one protected against the impractical break but not otherwise different is likely to be stronger. >>[...] >>The fact that we all grow old, and this inevitably leads to death, is >>certainly a serious problem; but until very recently, attempting to >>solve this problem was still not a rational act. >We know that life exists; all we need do is prolong it. Presumably, >there are many specific problems. For each one we fix, we can >scientifically verify improved results. >But we do not know that cryptographic strength exists, and we cannot >verify it. No matter how many problems we fix, we have no idea >whether strength has improved or not. This is a distinctly different >situation. Looked at that way, yes. But the analogy is aimed at a different aspect of the situation. A fog surrounds cryptographic strength, but it is not clear that we can lift it, or where we would begin to try to do so. 
I'm not qualified to carry it out, but I wouldn't be surprised if a competent mathematician couldn't supply a proof that "proving a cipher strong" is equivalent to solving the halting problem. (Which may have occurred to Alan Turing...) >>[...] >>Perhaps what I'm saying is obvious to you, and the reason you are >>going beyond stating the fact that lower bounds on cryptographic >>strength don't exist to criticizing the cryptographic community for >>their nonexistence is because you do have some insight into how one >>might begin to go about looking for a way to find lower bounds. >Well, it is *not* obvious to me that there *cannot* be a cipher with >some amount of proven strength. I am aware of no proof that all >ciphers must be weak. No, there certainly won't be such a proof either! And there is one cipher with proven strength: the one-time pad, as someone is sure to note. But proving something about the _work factor_ required to break a cipher requires your proof to say something about every possible attack - based on any mathematical principle that may not even be discovered yet. Which is the basis for my comment about the halting problem. Unless something can be done about this situation, while it is valid to note its existence as a caveat, it does not invalidate the efforts of those who are working within the realm of what is practical to achieve. Yes, cryptography is still, in this area, more of an art than an exact science. But there appear to be fundamental reasons why this is so. >But the reason I brought this stuff up and stayed with it was in >direct response to the recent stuff on attacking ciphers. It was >suggested that cryptanalysis is the way users know the strength of >their ciphers. That suggestion is false. 
It is the way they can know the little that can be known; the people saying this are suggesting cryptanalysis in preference to nothing, citing examples of people designing ciphers with no knowledge of cryptanalysis, thereby making mistakes that we already know how to avoid, and coming up with designs that are easily broken. My response - which I still stand by, despite almost joining the "in club" with a spurious result against Panama - is that a cipher designer ought to have an understanding of cryptanalysis, yes, but having an acquaintance with it and being a fully-qualified cryptanalyst are two different things, of which only the lesser is needed for designing ciphers. Not that a higher degree of qualifications isn't desirable. But doctors and nurses and pharmacists aren't expected to always be all three; composers should have some ability to play an instrument, and performers should understand musical theory, but one can be first-rate at one while only indifferent at the other. >In reality, cryptanalysis only benefits *users* when their particular >cipher is actually shown to be weak in practice *and* the user can >switch to something else. Any cryptanalytic results which show >impractical breaks are irrelevant to the user and essentially >contribute no information about strength. Or when the cipher they might have used was shown to be weak before they used it. Some of the impractical breaks - not all of them - do hint at the possibility of a weakness that could be exploited in practice, and that, too, is of some use. When life gives Bruce a lemon, he makes lemonade. But I'm not aware that he was pretending it was orange juice, even if the fact that it is only lemonade should perhaps be underscored a bit more than it has been. John Savard http://www.freenet.edmonton.ab.ca/~jsavard/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 04 Nov 1998 09:26:28 -0500 From: Jerry Leichter <leichter@smarts.com> Message-ID: <36406414.3178@smarts.com> References: <363f37a3.3846779@news.io.com> Newsgroups: sci.crypt Lines: 76 | Having no lower bounds for strength may be "an important problem" to | the academic study of cryptography. | | But it also calls into question *the entire field* of practical | cryptography. | | The whole point of the actual use of cryptography is to *enforce* | security. Without at least a minimum value for strength, the user has | no guarantee -- or even a useful probability -- of that.... There is no proof of security for key locks, combination locks, or any other means of providing physical security. There is no proof of the security of any practical end-user software, operating system, or even hardware implementation. There is no proof that any source of random numbers is really random. Even if you *had* a provably-strong encryption algorithm as an abstract mathematical object (and, in fact, we do - a true OTP), it would be impossible for you to realize it in a real world without relying on components about which you could prove very little if anything. Almost nothing in the real world is amenable to proof in any mathematical sense. At best, we have "relative" proofs: *If* quantum mechanics is correct, *then* thermal noise from a diode is random and genuinely unpredictable. *If* our theories about how circuits work are correct, then a system built of amplifiers, samplers, and such will retain the randomness inherent in the diode's noise. *If* the real physical parts really do behave "closely enough" to our theories, then the real random noise generator really does generate random bits. And so on. I don't want to criticize mathematical techniques. 
They are important in many areas, cryptography among them, because our intuitions about security aren't very good: Long experience has shown us that what seems secure on the surface may fall to very simple attacks - simple attacks that may be based on sophisticated mathematical reasoning. But it's important to understand that ultimately *all* our knowledge of how physical artifacts work is empirical. We believe that pin-tumbler locks are reasonably secure because experience has shown that few people know how to pick them. We believe mushroom-head pins give you even more secure locks because the best lock-pickers have trouble with them. Similarly, we believe Medeco's are even more secure because no one has been able to pick them consistently. On the other hand, Ace locks are a great example of how real attacks work: They are virtually unpickable with standard tools, but it's possible to build a special tool (I believe there's even a patent on such a tool) that makes it very easy to pick one. Since hardly anyone has one of these tools, in the real world, Ace locks are considered quite secure. It would be really nice if there were a provably-strong cipher. It would be a triumph for mathematics. Lower bounds on complexity are known for almost no non-trivial algorithms. P vs. NP is only one part of the problem; in most interesting cases, we don't know the degree of the polynomial. We can't, in many cases, even say if a sub-exponential algorithm exists. (It's a common mistake to think that "not-P" means "exponential". There are infinitely many functions that grow faster than any polynomial but slower than any exponential. Factoring is an example of an algorithm for which no polynomial algorithm is known - but for which sub-exponential algorithms have been around for years.) Progress in this area has been slow and difficult. 
When it comes to proofs (a) the history of mathematics isn't encouraging: Usually, proofs are available only for approaches that are idealized in some way to make them amenable to mathematical techniques. These are often not particularly well suited for real-world application; (b) even if you had such a thing, the guarantee that it could give you concerning the entire real-world system in which it was embedded would be so weak as to be almost useless. As always, the security of a system is only as strong as its weakest component. With any of the well-studied cipher systems out there today, it's unlikely that the mathematical structure of the cipher will be the weakest component of a real-world system in which it is embedded. -- Jerry
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 06 Nov 1998 07:14:41 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <3642a1ca.765177@news.visi.com> References: <36406414.3178@smarts.com> Newsgroups: sci.crypt Lines: 16 On Wed, 04 Nov 1998 09:26:28 -0500, Jerry Leichter <leichter@smarts.com> wrote: >As always, the security of a system >is only as strong as its weakest component. With any of the >well-studied cipher systems out there today, it's unlikely that the >mathematical structure of the cipher will be the weakest component of a >real-world system in which it is embedded. Profoundly true. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 10 Nov 1998 03:33:37 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3647b406.4409649@news.io.com> References: <36406414.3178@smarts.com> Newsgroups: sci.crypt Lines: 109 On Wed, 04 Nov 1998 09:26:28 -0500, in <36406414.3178@smarts.com>, in sci.crypt Jerry Leichter <leichter@smarts.com> wrote: >| Having no lower bounds for strength may be "an important problem" to >| the academic study of cryptography. >| >| But it also calls into question *the entire field* of practical >| cryptography. >| >| The whole point of the actual use of cryptography is to *enforce* >| security. Without at least a minimum value for strength, the user has >| no guarantee -- or even a useful probability -- of that.... > >There is no proof of security for key locks, combination locks, or any >other means of providing physical security. But we can be more sure about these simple devices than the vast majority of far-more-complex ciphers. I would say that locks are more like hashes than ciphers. The only "ciphertext" in a lock is "open" vs "close." Often, they are "keyed" by the manufacturer and there is no key-change ability in the field. A known-plaintext attack always works, and we accept that, while we abhor the same thing in a cipher. But most of all, when a lock is physically broken, we will know. We will know that someone had that capability, and exercised it. Presumably we can use that information to improve our security. But when a cipher is broken for real, we will *not* know. This is a much worse and more dangerous situation. In the physical world, we can monitor the current disposition of our holdings and provide real-time support for attacks. We cannot do this in the data world, so we depend more on the quality of the lock itself. Too bad we cannot measure that quality. >There is no proof of the >security of any practical end-user software, operating system, Yes. 
Vast complexity makes thorough testing impossible, although proper partitioning into testable components can be a significant improvement. >or even >hardware implementation. Certainly chip manufacturers do in fact try to test every transistor and every wire in the device. This testing thus shows a very good correspondence to the schematic. Now, whether the schematic builds a device that does what we want is essentially the previous answer. If someone gets to the chip level and can burn contacts or fuse transistors they can change the operation. But such a device will not pass its tests, so at least we have an indication of problem. >There is no proof that any source of random >numbers is really random. Indeed. >Even if you *had* a provably-strong encryption algorithm as an abstract >mathematical object (and, in fact, we do - a true OTP), it would be >impossible for you to realize it in a real world without relying on >components about which you could prove very little if anything. Then I would not *want* a proof for that type of object! >[...] >With any of the >well-studied cipher systems out there today, it's unlikely that the >mathematical structure of the cipher will be the weakest component of a >real-world system in which it is embedded. Well, you *say* it is "unlikely" as though you know the actual probability distribution involved. But I suspect nobody knows that, so calling it "unlikely" is really quite a leap. If we don't know, we can't make a valid statement, because we really *don't know*. We *don't know* the strength of the cipher, so we cannot infer that it has even the strength of the surrounding system. If the cipher we use happens to be trivially weak -- provided we were twice as smart as we are -- then simply using that cipher may be the weakest link. 
What I have been addressing here is I think different from relatively simple mechanical things -- most of which should be within our understanding -- and ciphers -- which seem to admit "special" understandings which produce "breaks." The problem is these "special understandings." As long as we produce ciphers that admit new cryptanalysis, we cannot be sure of their true strength. If we cannot somehow confine or bound the unknown "special understandings," we will never have factual grounds to state that cipher strength is "unlikely" to be the weakest part of the system. It is in this sense that cryptanalysis hurts cryptography: not because it breaks ciphers, but because we cannot know when it has done all it can do. Since we do not know that, any cipher continues to be potentially vulnerable. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 10 Nov 1998 09:29:39 -0500 From: Jerry Leichter <leichter@smarts.com> Message-ID: <36484DD3.2452@smarts.com> References: <3647b406.4409649@news.io.com> Newsgroups: sci.crypt Lines: 98 | >With any of the | >well-studied cipher systems out there today, it's unlikely that the | >mathematical structure of the cipher will be the weakest component of | >a real-world system in which it is embedded. | | Well, you *say* it is "unlikely" as though you know the actual | probability distribution involved. But I suspect nobody knows that, | so calling it "unlikely" is really quite a leap. If we don't know, we | can't make a valid statement, because we really *don't know*. While we don't know the exact probability distribution, we *do* have empirical evidence - just as we have empirical evidence concerning the security of other systems we rely on. All we need do is look at the successful attacks of the last 20 years. Repeatedly, we find attacks against things like random number generation (key selection in Netscape); protocols (many examples); outright incompetent use of primitives (Microsoft's use of RC4 as a stream cipher to protect password databases); physical implementations (many attacks against smart cards); and so on. Many of these attacks have had the practical effect of completely destroying the security of fielded systems. Over the same period of time, there are *no* published attacks with any real-world significance - except for brute force relying on limited key spaces - against any of, say, DES, RC4, IDEA, or RSA. You can explain this difference in three ways: 1. It's just coincidence. Possible; perhaps a plausible explanation 15 years ago. But by now there are enough people, and enough attacks, that it seems very unlikely. 2. 
Bias in the attack distributions: If there are many more attacks against elements *other than* the mathematical structure of the algorithms than there are attacks against that structure, then naturally there will be more such successes. However, it's hard to believe that this is the explanation. In the same time period, we've seen many successful attacks against the mathematical structure of ad hoc cryptosystems (pkzip), secretly developed systems (some of the cell phone stuff), as well as tons and tons of attacks against systems designed by people who've had successes elsewhere and against systems that are variants of the ones that have stood the test of time. There is no evidence that those who've mounted these successful attacks have shied away from attacking the systems that remain standing. To the contrary, some of the most potent techniques (differential, linear, and related-key cryptanalysis) were developed precisely to attack DES (with little success) and PES (with enough success to lead it to be replaced by IDEA). 3. The only remaining possibility is the one I suggested: That the weakest link in current systems is most likely *not* in the mathematical structure of their encryption algorithms. | ...What I have been addressing here is I think different from | relatively simple mechanical things -- most of which should be within | our understanding -- and ciphers -- which seem to admit "special" | understandings which produce "breaks." Do you really think that RC4, say, is any more complicated than a good combination lock? It's easy to stand here today and talk about the simplicity and transparent security of today's locks - but in fact they evolved over many years as new attacks were found, and new defenses developed. The contribution to security of many aspects of the design of a modern lock are only "obvious" when they're explained! You can always raise the specter of the unknown techniques developed and hidden by the "black" organizations. 
Well, suppose I tell you that the CIA has an electromechanical device that can open any pin-tumbler lock, including the "advanced" versions like the Medeco's, within a few minutes, usually leaving no marks behind. (It uses a bunch of flexible, motor-driven probes and a combination of X-ray backscatter and ultra- sound monitoring to determine pin position and alignment.) Do you still believe your analysis of the "simple, obvious" security of the locks on your doors? Now, in fact, I made all that up. I have absolutely no idea what the CIA is capable of doing with locks. But can you provide any rational basis for claiming my "electromechanical lock picker" is any more or less likely than the NSA's secret DES crack? I don't want to carry this analogy too far. It's a general truth that digital systems can be much more complex, and much harder to reason about, than analogue systems. This causes all kinds of risks - in security, reliability, predictability, and so on. Nevertheless, it's important to keep in mind that engineering - whether of digital or of analogue systems - is ultimately a real-world, empirical activity. Parts of it are amenable to some degree of mathematical analysis; others, at our present state of knowledge, are not; some probably will never be. Even of those amenable to analysis, the role of actual *proof* is even more limited. Where we have it, it can be very useful. But we can't wait for proofs that may, often will, never come! -- Jerry
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 15:07:27 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <3649A820.49A28EE8@null.net> References: <36484DD3.2452@smarts.com> Newsgroups: sci.crypt Lines: 19 Jerry Leichter wrote: > Over the same period of time, there are *no* published attacks with any > real-world significance - except for brute force relying on limited key > spaces - against any of, say, DES, RC4, IDEA, or RSA. > You can explain this difference in three ways: More than three. For example: 4) Poorly designed protocols are easy to break. 5) Successful attacks against IDEA et al are likely only by people who know *how*, and would be kept secret. > Do you really think that RC4, say, is any more complicated than a good > combination lock? It's easy to stand here today and talk about the > simplicity and transparent security of today's locks - but in fact they > evolved over many years as new attacks were found, and new defenses > developed. The contribution to security of many aspects of the design > of a modern lock are only "obvious" when they're explained! That's pretty funny, to a locksmith/safeman.
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 15:47:14 -0500 From: Jerry Leichter <leichter@smarts.com> Message-ID: <3649F7D2.37AC@smarts.com> References: <3649A820.49A28EE8@null.net> Newsgroups: sci.crypt Lines: 32 | > Over the same period of time, there are *no* published attacks with | > any real-world significance - except for brute force relying on | > limited key spaces - against any of, say, DES, RC4, IDEA, or RSA. | > You can explain this difference in three ways: | | More than three. For example: Well, OK. | 4) Poorly designed protocols are easy to break. This would be fully consistent with the statement that the crypto algorithm itself is *not* the likely weak spot in the system. | 5) Successful attacks against IDEA et al are likely only by | people who know *how*, and would be kept secret. I suppose. But it would take a hell of a conspiracy, given the number of attacks against *other* systems that *have* been published. | > Do you really think that RC4, say, is any more complicated than a | > good combination lock? It's easy to stand here today and talk about | > the simplicity and transparent security of today's locks - but in | > fact they evolved over many years as new attacks were found, and new | > defenses developed. The contribution to security of many aspects of | > the design of a modern lock are only "obvious" when they're | > explained! | That's pretty funny, to a locksmith/safeman. In what way? -- Jerry
Subject: Re: Memo to the Amateur Cipher Designer Date: Sun, 18 Oct 1998 22:16:30 GMT From: dscott@networkusa.net Message-ID: <70dpbv$gal$1@nnrp1.dejanews.com> References: <36292906.1151332@news.visi.com> Newsgroups: sci.crypt Lines: 50 In article <36292906.1151332@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote: > This was in the October CRYPTO-GRAM, but I thought I'd run it through > sci.crypt, since so many people seem to be asking questions on the > topic. > > Bruce > > Memo to the Amateur Cipher Designer > > Congratulations. You've just invented this great new cipher, and you > want to do something with it. You're new in the field; no one's heard > of you, and you don't have any credentials as a cryptanalyst. You > want to get well-known cryptographers to look at your work. What can > you do? > > Unfortunately, you have a tough road ahead of you. I see about two > new cipher designs from amateur cryptographers every week. The odds > of any of these ciphers being secure are slim. The odds of any of > them being both secure and efficient are negligible. The odds of any > of them being worth actual money are virtually non-existent. > > The real truth of the matter is this. If your cipher is any good people like Bruce will go out of their way to spread lies about it. It is mostly a closed group of heartless people who like to act pompous and wave credentials about. They really know very little about real crypto; only the spooks at places like the NSA in America know something about it. Part of the NSA job is to keep the world in the dark about real crypto. Think about it. What better way to do it than by creating crypto priests for people to worship. You can not get to be a very famous person for long in real crypto without the blessings of the NSA one way or another. 
Of course this is just my opinion. I am running a real contest that goes to Nov 11 1999 and have supplied more info than you will get in a contest from Bruce, who has a lot more money at his command than I do. The most likely reason he can't have a contest like mine is this: the AES code he is trying to push is not that good. But then that is my humble opinion. Go ahead and feel free to publish your stuff; maybe Bruce will bad mouth your stuff while at the same time claiming he is too busy to have time to look at it. But he may find time to bad mouth it. Which I guess means he is afraid it is better than his stuff. One thing for sure: write enough in this group and you will get spam mailed to you about his book.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 19 Oct 1998 00:47:09 -0400 From: Tim Bass <bass@silkroad.com> Message-ID: <362AC44D.6A988225@silkroad.com> References: <70dpbv$gal$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 50 dscott@networkusa.net strangely wrote: > The real truth of the matter is this. If your cipher is any good > people like ***** will go out of there way to spread lies about it. > It is mostly a closed group of hreatless people .... Disagree. If someone does their homework and puts in the very significant time to understand iterative ciphers, understands and practices cryptanalysis, including the major art forms, then the community of those who have done their homework and have put in the significant time will not be *overly* unkind (unless of course one was having a bad day that day.) Every person who is now "one who has gained some fame" in this field (or any field) was once one who knew nothing about the art and science. Writing a paper which is peer reviewed takes work, hard work. Writing a book takes more work and discipline. Writing a GOOD BOOK which is well accepted by peers takes even *more* work. Einstein was very accurate when he quipped that genius is 1 percent inspiration and 99 percent sweat. Most of those who have written strong ciphers did not write them without very significant research into the field. Shannon and Feistel are good places to start. Then there is a large body of literature in books and notes. I suggest all the major work in QA 76.9.A25 and then some of the Z104 areas of the stacks. It always amazes me how the more I read, research, and study, the less and less I know!! The peer review process is the most exciting part of professional collaboration. On the other hand, everyone appreciates those who have done the necessary background work. It makes collaboration much more fun!! 
Best Regards, Tim -- Tim Bass Principal Consultant, Systems Engineering Bass & Associates Tel: (703) 222-4243 Fax: (703) 222-7320 EMail: bass@silkroad.com.antispam (remove antispam tag) http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 19 Oct 1998 11:14:49 GMT From: dscott@networkusa.net Message-ID: <70f6v9$jud$1@nnrp1.dejanews.com> References: <362ACB2C.AEEA9007@null.net> <362AC44D.6A988225@silkroad.com> Newsgroups: sci.crypt Lines: 14 In article <362ACB2C.AEEA9007@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > Tim Bass wrote: > > Einstein was very accurate when he quipped that genius is > > 1 percent inspiration and 99 percent sweat. > > I think that was Edison and perspiration. > John, you shouldn't try to confuse a Bruce Worshiper with facts. It might confuse them.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 12:04:29 GMT
From: david@davidham.demon.co.uk (David Hamilton)
Message-ID: <362b2aca.7134387@news.demon.co.uk>
References: <70dpbv$gal$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 90

-----BEGIN PGP SIGNED MESSAGE-----

dscott@networkusa.net wrote:

>In article <36292906.1151332@news.visi.com>,
> schneier@counterpane.com (Bruce Schneier) wrote:
>> This was in the October CRYPTO-GRAM, but I thought I'd run it through
>> sci.crypt, since so many people seem to be asking questions on the
>> topic.

(snip extract)

> The real truth of the matter is this. If your cipher is any good
>people like Bruce will go out of there way to spread lies about it.

Any evidence for Bruce spreading lies? (I don't think so.)

Any evidence for your cipher being 'any good'? (nb I said 'evidence', and your opinion or assertions aren't evidence.) And don't forget, the onus is on you to provide evidence; the onus isn't on others to check your offering.

Although it is possible that somebody with very little knowledge of cryptography relevant subjects may develop a good cipher, it is unlikely that this will happen. In your case, I don't trust your cryptographic software because:

1) In the context of a dictionary attack, on 14th June, you said that you had seen a dictionary attack work on a system where the attacker never guessed the correct passphrase but he just stumbled on one that hashed to the same value. You subsequently declined to give any information about the passphrase, the hashing algorithm, the dictionary size or the method of word selection. You also declined to give the odds of stumbling on a passphrase that hashed to the same value. Your reason for declining to give this information was that the person you were referring to 'still works for the federal government'.

2) You designed all the algorithms and code used in your software. With one exception, you can't remember the names of people who 'commented'. I would suggest that 'commenting' isn't good enough anyway; what is needed is formal inspection by competent people.

(snip some)

>only the spooks at places like the NSA in america know something
>about it.

So the Chinese, Europeans and Indians are excluded. Presumably you're not a spook at a place like the USA NSA and so you don't 'know something about cryptography'. So why are you pushing your crypto software?

>Part of the NSA job is to keep the world in the dark about
>real ctypto.

Has the USA NSA succeeded in keeping you in the dark about 'real crypto'?

(snip some)

>while at the same time claiming he (Bruce)
>is to busy to have time to look at it.

Nobody is under any obligation to look at/comment on/inspect your software. You seem to think that somebody owes you something. You've published your software, anybody who wants to use it or look at it can.

>One thing for sure write enough in this group
>and you will get spam mailed to you about his book.

I'm pretty certain I haven't been spam mailed about Bruce's book. I have seen recommendations for it and criticism of it in sci.crypt. On the other hand, I've seen a lot more ads in sci.crypt for your software.

David Hamilton. Only I give the right to read what I write and PGP allows me to make that choice. Use PGP now.
I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use.
Do use:-
2048bit rsa ID=0xFA412179 Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<david@davidham.demon.co.uk>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
Comment: Signed with RSA 2048 bit key

iQEVAwUBNisih8o1RmX6QSF5AQHonwf6AtOdhoxumP16yzPlx7jEe2DYFInBlpMV
YR4o9wQegZlIxqw1letT2jPJijSLwih+IBLr5zViodTASmwHUXUzsOM5+wqCzZXz
1lmMxYe3JpQYDnDth+xMr6azhW/jNP+Inu4mw5vlgRzNWhcGPPhLV3kumMdApHDE
T8RfE45P8iLW58zEwwDLAXOThm7auPY4qHwC58eirZ1x26UuJZeNHzDQNm7c5bXH
HUDtIZI4s6Omw7KnXO8OXhaejBt9mrLZZZrUv1Xit7+XfimztiDUdXHf5VPJ4E98
Be3dCpA3Mdq14fqEvdvyH0nvhD2/D5KXYk7kAqAoKoCFkjMTdIIewA==
=O1EJ
-----END PGP SIGNATURE-----
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 23:12:53 GMT
From: dscott@networkusa.net
Message-ID: <70gh1l$gfo$1@nnrp1.dejanews.com>
References: <362b2aca.7134387@news.demon.co.uk>
Newsgroups: sci.crypt
Lines: 105

In article <362b2aca.7134387@news.demon.co.uk>, david@davidham.demon.co.uk (David Hamilton) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> dscott@networkusa.net wrote:
>
> >In article <36292906.1151332@news.visi.com>,
> > schneier@counterpane.com (Bruce Schneier) wrote:
> >> This was in the October CRYPTO-GRAM, but I thought I'd run it through
> >> sci.crypt, since so many people seem to be asking questions on the
> >> topic.
>
> (snip extract)
>
> > The real truth of the matter is this. If your cipher is any good
> >people like Bruce will go out of there way to spread lies about it.
>
> Any evidence for Bruce spreading lies? (I don't think so.)

Obviously you don't read all of crapola that Bruce puts out there or you would notice some of his lies and comments in this group about my code. And yes I have been spamed at least twice by his for profit company. I wrote each time for them to stop the SPAM but like all spamers you don't even get a response. If he hasn't spammed you feel fortunate.

> Any evidence for your cipher being 'any good'? (nb I said 'evidence', and
> your opinion or assertions aren't evidence.) And don't forget, the onus is on
> you to provide evidence; the onus isn't on others to check your offering.
>
> Although it is possible that somebody with very little knowledge of
> cryptography relevant subjects may develop a good cipher, it is unlikely that
> this will happen. In your case, I don't trust your cryptographic software
> because:
>
> 1) In the context of a dictionary attack, on 14th June, you said that you
> had seen a dictionary attack work on a system where the attacker never
> guessed the correct passphrase but he just stumbled on one that hashed to the
> same value. You subsequently declined to give any information about the
> passphrase, the hashing algorithm, the dictionary size or the method of word
> selection. You also declined to give the odds of stumbling on a passphrase
> that hashed to the same value. Your reason for declining to give this
> information was that the person you were referring to 'still works for the
> federal government'.
>
> 2) You designed all the algorithms and code used in your software. With one
> exception, you can't remember the names of people who 'commented'. I would
> suggest that 'commenting' isn't good enough anyway; what is needed is formal
> inspection by competent people.
>
> (snip some)
>
> >only the spooks at places like the NSA in america know something
> >about it.
>
> So the Chinese, Europeans and Indians are excluded. Presumably you're not a
> spook at a place like the USA NSA and so you don't 'know something about
> cryptography'. So why are you pushing your crypto software?
>
> >Part of the NSA job is to keep the world in the dark about
> >real ctypto.
>
> Has the USA NSA succeeded in keeping you in the dark about 'real crypto'?
>
> (snip some)
>
> >while at the same time claiming he
> (Bruce)
> >is to busy to have time to look at it.
>
> Nobody is under any obligation to look at/comment on/inspect your software.
> You seem to think that somebody owes you something. You've published your
> software, anybody who wants to use it or look at it can.
>
> >One thing for sure write enough in this group
> >and you will get spam mailed to you about his book.
>
> I'm pretty certain I haven't been spam mailed about Bruce's book. I have seen
> recommendations for it and criticism of it in sci.crypt. On the other hand,
> I've seen a lot more ads in sci.crypt for your software.
>
> David Hamilton. Only I give the right to read what I write and PGP allows me
> to make that choice. Use PGP now.
> I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use.
> Do use:-
> 2048bit rsa ID=0xFA412179 Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
> 4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
> Both keys dated 1998/04/08 with sole UserID=<david@davidham.demon.co.uk>
>

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 13:15:41 GMT
From: dscott@networkusa.net
Message-ID: <711sls$4a9$1@nnrp1.dejanews.com>
References: <711fcj$m5l$1@nnrp1.dejanews.com> <362b2aca.7134387@news.demon.co.uk>
Newsgroups: sci.crypt
Lines: 61

In article <711fcj$m5l$1@nnrp1.dejanews.com>, cryptonews@my-dejanews.com wrote:
> In article <362b2aca.7134387@news.demon.co.uk>,
> david@davidham.demon.co.uk (David Hamilton) wrote:
>
> > Has the USA NSA succeeded in keeping you in the dark about 'real
> > crypto'?
>
> David,
>
> Put aside the childish temper tantrums that Bruce and his
> opponents are throwing at each other.
>
> Folks at the NSA are in the business of building strong crypto
> for preserving the USA national security. This is a valid business
> that every nation on earth is entitled to do. I am certain that
> similar folks here in the UK work as hard as the folks at the
> NSA. The NSA is also in the business of develooping efficient
> algorithm to cryptanalyze the crypto of other countries. Every
> nation that respect itself must have an NSA.
>

What you say is true. It may even be necessary. What I don't like is the spying on Americans for political reasons that will someday make what the Soviet Union had look like a dream of a long lost freedom. I don't like there role in control of our future and the dumbing down of America. I don't like the destroying of the Bill or Rights. I have a master degree in contorl theroy the secrect to control is measurement. If they can read everything they can control what we see and hear and trick is into slavery. Americns and world citizens need free open communications without fear of big brother reading everything or else there will be a small rich class of people running the world and the rest of mankind will be nothing but slaves to work and live and die in fear and controled by the few.

> I believe that the folks at the NSA are highly respectable
> professionals just like all of us.
>
> My concern here is that when an agency like the NSA which is in
> business of National Security starts Cozying with Commercial
> developers of crypto. I doubt there is even one company in North
> America that is not in bed with the NSA.
>
> If any body's company is not doing that please let us know.
>
> Cheers,
>
> Sam
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 20 Oct 1998 00:19:14 GMT
From: dscott@networkusa.net
Message-ID: <70gku1$md5$1@nnrp1.dejanews.com>
References: <362B8C89.52EDE3C@AECengineering.com> <70dpbv$gal$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 86

In article <362B8C89.52EDE3C@AECengineering.com>, Djim <Djim@AECengineering.com> wrote:
>
>.....
>
> Mr. Scott, I would like to talk about a few of your points.
>
> 1) You don't get famous in crypto without the blessings of the NSA. While I
> cannot prove a negative, (It is just possible that the invisible hand of the
> secret masters of the crypto world has touched everyone competent), I can
> state that most of the best crypto research published is from academics and
> hobbyist crypto people. There are many people who are quite respectable
> sources of info on the internet as well of whom I am aware. I strongly
> doubt that they are all in the NSA's pocket -- especially given the efforts
> of many of them to get various patented and strong algorithms into the hands
> of the public -- and what do they gain by being pocket servants of the NSA.
> prestige? no. respect? not if it ever gets out. money? the NSA would have
> to be paying a lot of people a lot of money to keep them in their pocket
> especially with the consideration that their reputation would be ruined if
> it got out that they were an NSA shill. Something else? Maybe, but I am hard
> pressed to think what that would be.
>

what can I say I disagree with most of the above but so what.

> 2) Bruce has set a contest where anything that someone says about his cypher
> -- even some thing like this code will resist the following attack with the
> following strength, or given a reduced round version of twofish the

Actually there is no gaurantee any one will win and it appears he is the judge of what wins if anyone does. So since it is not black and white I doubt seriously if he is capable of honest thought. If his contest is honest he would also offer some set of data similar to mine to break. Since many hacker types don't think the way he does and may have trouble writting there thoughts in way his narrow mind could comprehend. He should if he is not chicken throw a bone to the unwashed unclean masses. He does not so as to greatly limit the group of people to those whose thought processes are tuned to his own. Also if he had a contest it would be embarassing to have a rank ametur break it.

> following properties are discovered which may be of use against the full
> version, or that certain keys have interesting properties. It is even
> possible, not probable that if nothing else is published a publication of
> commentary regarding one's opinions of the algorithm with some documentation
> of the points made could win.(Its ridiculously unlikely to happen, but the
> award is for the best paper published regarding it and its weakness/strength
> vs. attack). From what he has said a reward WILL be given. Your contest
> provides much less info -- Poorly documented code, and some limited
> plain/cyphertext pairs -- and sets the bar much higher. A full BREAK of the
> code -- nothing less will be enough. Sounds to me like no reward need ever
> be given out unless someone devoted way lots of time to this project and
> frankly most of us cannot be bothered to do so. Even 20 hours of my time
> bills for more than you offer. I feel that your code is at least secure
> enough that 50 hours of my time will not break it so why bother.
> If you are so sure of your code's security offer a real reward -- or a
> smaller prize given each - say year - for the best attacks vs your cypher.
> It would pay off in a better cypher and more respect on the group. Think
> about it.
>

I don't think it is fair or honest if I offered more cash than I could gather up. But I think my contest is fairer in that the winner if there is one is back and white. In short in my contest the answer is right or wrong I have no lee way to back out like he does. However in some ways my contest is less fair. In that I know for a fact mine is to hard to solve. You may have realized that when you said 50 hours of your time most likely will not solve it.

Something that no one has noticed is that if I did not state how I made the key the solution is not unique. In other words there exist many many keys over 2**1000 that map the first plain text into the given encrypted file and some of those can unmap the second encrytped file into a file that is different by exactly 4 characters and yet they are not the same as the plain text file I started with. I am not sure if there is an easy way to type a set of 4 phrases that can map to a different solution though.

I have thought about offering a 100 dollar prise to the first one who gets a close solition. That is one who comes up with just a keyraw.key file that maps first file set and then unmaps (maps) the second encrypted file into a file like the first but different by 4 characters. Is this the kind of thing you mean. Or if one finds something close to what paul onions did I could offer 100 dollars but it would have to be something that good.

YOUR THOUGHTS WELCOME SINCE AT LEAST YOU MAY HAVE LOOKED AT IT
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 20 Oct 1998 00:40:21 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <362bdbc6.3212829@news.io.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 190

On Sat, 17 Oct 1998 23:35:28 GMT, in <36292906.1151332@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>Congratulations. You've just invented this great new cipher, and you
>want to do something with it. You're new in the field; no one's heard
>of you, and you don't have any credentials as a cryptanalyst. You
>want to get well-known cryptographers to look at your work. What can
>you do?

Maybe some people are like this, but I doubt I would care to know them. If the reason for inventing a new cipher is to get someone else to look at it -- no matter who may be looking -- there would seem to be some small problem with goals.

In my view, the reason for inventing a new cipher -- like any new design -- is to deliver new advantages. If so, it advances the art, quite independent of whether the professional chorus agrees.

After that, it is up to the professional cryptographers to stay abreast of advances to the art, if they wish to continue to claim expertise. It is not the responsibility of the developers to go around and inform all the "experts" through their chosen media outlet. Either they keep up, or they are not experts on what they have missed, and it's just that simple.

>[...]
>What is hard is creating an algorithm that no one else can break, even
>after years of analysis. And the only way to prove that is to subject
>the algorithm to years of analysis by the best cryptographers around.

That last sentence is what the profession says, but it is as false, misleading, and self-delusional as anything in cryptography: Even years of analysis is not proof. It is not close to proof. Lack of proof of weakness is not proof of strength. Obviously.

Yet we still get the same old mantra -- that every professional knows is false -- which every newbie and security officer is encouraged to believe. Why is this? Who benefits from this?

>[...]
>It's hard to get a cryptographic algorithm published.

This, of course, is simply false. It is false in the assumption that "published" means accepted by some academic journal. And it is also more or less false in that most reasonable papers *can* be shopped around and placed in some academic journal eventually. There are many journals, and each must fill a gaping maw of pages continuously.

It is true, however, that a *good* article is more than a new idea: A good article offers *insight* as opposed to mere symbology and gobbledygook. If someone provides a good presentation to something exciting and new, they won't have much trouble placing it somewhere.

>Most
>conferences and workshops won't accept designs from unknowns and
>without extensive analysis. This may seem unfair:

Not accepting designs from "unknowns" is well beyond just *seeming* unfair, it *is* unfair. It is in fact unscientific. More than that, this also has economic consequences.

Any time an academic publication will not look at, accept, and publish work based on content -- independent of its source -- that publication is spending its academic reputation. Journals exist to serve a larger ideal than to simply further the academic careers of authors -- their existence depends upon providing the best material to their readers. They can't just reject good stuff and publish the chaff without real audience consequences. To a large extent, the same thing applies to conferences and workshops as well.

Science is not tidy, and advances often do not come from those who feel they deserve to have made them. Publishers and conference leaders who do not understand this are presiding over their own decline.

>[...]
>When I started writing _Applied Cryptography_, I heard the maxim that
>the only good algorithm designers were people who spent years
>analyzing existing designs. The maxim made sense, and I believed it.

Then you were fooled. Vernam, a mere engineer in 1919: The mechanistic stream cipher, and the basis for the one time pad.

>[...]
>A cryptographer friend tells the story of an amateur who kept
>bothering him with the cipher he invented. The cryptographer would
>break the cipher, the amateur would make a change to "fix" it, and the
>cryptographer would break it again. This exchange went on a few times
>until the cryptographer became fed up. When the amateur visited him
>to hear what the cryptographer thought, the cryptographer put three
>envelopes face down on the table. "In each of these envelopes is an
>attack against your cipher. Take one and read it. Don't come back
>until you've discovered the other two attacks." The amateur was never
>heard from again.

Hell, I wouldn't go back if I *did* know the answer: Your friend is a pompous ass. That this sort of thing is ever acceptable -- let alone actually promoted in a public forum -- shows the depth to which this "profession" has sunk.

This game of "I'm better than you" is a sickness that infects the entire field of cryptography. It makes every discussion a contest, every relationship a competition, and a mockery of facts and clear, correct reasoning. It works against development in the field, and has got to go. Those professionals who are actively cultivating ego cults for their own self-gratification are part of the problem.

In the anecdote, a better alternative would be for the cryptographer to be helpful, to explain the issues, lay out a course of study, and thus in a larger sense generally address why the general public has so little understanding of this profession. We don't, of course, see anecdotes about that. Why? See the above paragraph.

>[...]
>1. Describe your cipher using standard notation. This doesn't mean C
>code. There is established terminology in the literature. Learn it
>and use it; no one will learn your specialized terminology.

Yes. There are established notations for the design of logic systems, and they include both "schematics" and "flow charts" as well as C. But more than anything else, the "standard notation" includes a clear, logical presentation in some language (but if that is not English, *I* will have a problem!). It is also important to give some justification for the various design decisions which are usually necessary.

>[...]
>3. Show why your cipher is immune against each of the major attacks
>known in literature. It is not good enough just to say that it is
>secure, you have to show why it is secure against these attacks. This
>requires, of course, that you not only have read the literature, but
>also understand it. Expect this process to take months, and result in
>a large heavily mathematical document. And remember, statistical
>tests are not very meaningful.

That last sentence sounds a lot like statistics-envy. Surely it should read that "statistical tests should not be used to support inappropriate conclusions." But we could say the same thing about mathematics itself.

Even though mathematical cryptography is about 60 years old, it has yet to produce a road map to provable security. This means that all the cryptanalysis and all the arguments about that analysis simply hide the fact that unsuspected and unanalyzed attacks may yet exist. This does not mean that we do not analyze. But it *does* mean that analysis *cannot* be sufficient, and that makes *testing* important.

Testing is often inherently statistical. But many desirable tests are simply *impossible* to perform on a cipher of real size. In my view, that means that no cipher can lay claim to a "thorough" analysis unless it has a scalable architecture, and *is* tested -- necessarily including statistics -- at a tractable size.

Not only are statistical tests *meaningful*, they are all that stands between us and the unknown attack. Certainly it is going to be very difficult to do a good job fielding *any* cipher system without extensive statistical testing.

>4. Explain why your cipher is better than existing alternatives. It
>makes no sense to look at something new unless it has clear advantages
>over the old stuff. Is it faster on Pentiums? Smaller in hardware?
>What? I have frequently said that, given enough rounds, pretty much
>anything is secure. Your design needs to have significant performance
>advantages. And "it can't be broken" is not an advantage; it's a
>prerequisite.

Note, however, that "performance advantages" include far more than the simple speed of an AES-style cipher box:

Large blocks can be an advantage.
Dynamically selectable block size can be an advantage.
Dynamically variable block size to the byte can be an advantage.
Block independence can be an advantage.
Self-authentication can be an advantage.

There are many advantages which are restricted to particular uses, yet are real advantages in their proper context.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
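Editor's added example (not code from the thread, and not from any participant's software). Two technical points in the posts above can be checked on a toy cipher: Ritter's argument that a scalable architecture lets you run statistical tests at a tractable size, and Scott's observation in his reply to Djim that when the key is longer than the known plaintext, many keys are consistent with one plaintext/ciphertext pair. The Python below builds a balanced Feistel cipher whose block width and key width are parameters, uses the published PRESENT 4-bit S-box as its only nonlinear component, and uses an ad hoc key schedule that is an assumption of this example. It then measures plaintext avalanche at 8-bit and 16-bit block sizes, and brute-forces every 12-bit key against one and then two known pairs. The key 0xA5C and the RNG seeds are constructed values for the example.

```python
"""Toy scalable Feistel cipher for two checks from the thread:
avalanche (a statistical test) at small block sizes, and the count of
keys consistent with one or two known plaintext/ciphertext pairs.
Constructed teaching example; the key schedule is an assumption."""
import random

# PRESENT S-box (a real, published 4-bit S-box); the only nonlinearity here.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

TRUE_KEY = 0xA5C  # constructed 12-bit key for the unicity demo


def _rotl(x, r, bits):
    """Rotate the `bits`-wide integer x left by r positions."""
    r %= bits
    mask = (1 << bits) - 1
    return ((x << r) | (x >> (bits - r))) & mask


def _round_f(x, subkey, half_bits):
    """Round function: key mix, nibble-wise S-box, then a 3-bit rotation so
    S-box output spreads across nibbles. half_bits must be a multiple of 4."""
    y = x ^ subkey
    out = 0
    for nib in range(half_bits // 4):
        out |= SBOX[(y >> (4 * nib)) & 0xF] << (4 * nib)
    return _rotl(out, 3, half_bits)


def _subkeys(key, key_bits, half_bits, rounds):
    """Ad hoc schedule (assumption): rotate the master key by the round
    index, keep the low half_bits, and XOR in a round constant."""
    mask = (1 << half_bits) - 1
    return [(_rotl(key, i, key_bits) & mask) ^ (i & mask) for i in range(rounds)]


def encrypt(plain, key, block_bits, key_bits, rounds=12):
    """Balanced Feistel network on a block_bits-wide block (no final swap)."""
    half = block_bits // 2
    mask = (1 << half) - 1
    left, right = plain >> half, plain & mask
    for sk in _subkeys(key, key_bits, half, rounds):
        left, right = right, left ^ _round_f(right, sk, half)
    return (left << half) | right


def decrypt(cipher, key, block_bits, key_bits, rounds=12):
    """Inverse of encrypt: same subkeys in reverse order, swap undone."""
    half = block_bits // 2
    mask = (1 << half) - 1
    left, right = cipher >> half, cipher & mask
    for sk in reversed(_subkeys(key, key_bits, half, rounds)):
        left, right = right ^ _round_f(left, sk, half), left
    return (left << half) | right


def avalanche_ratio(block_bits, key_bits, samples=2000, seed=1):
    """Mean fraction of ciphertext bits that change when one random plaintext
    bit is flipped, over random keys and plaintexts. A block cipher should
    sit near 0.5; a badly diffusing one shows up well below that."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        key = rng.getrandbits(key_bits)
        p = rng.getrandbits(block_bits)
        p2 = p ^ (1 << rng.randrange(block_bits))
        diff = encrypt(p, key, block_bits, key_bits) ^ encrypt(p2, key, block_bits, key_bits)
        total += bin(diff).count("1")
    return total / (samples * block_bits)


def consistent_keys(pairs, block_bits, key_bits):
    """Every key that maps each known plaintext to its ciphertext.
    Exhaustive, so only feasible at toy sizes."""
    return [k for k in range(1 << key_bits)
            if all(encrypt(p, k, block_bits, key_bits) == c for p, c in pairs)]


def unicity_demo(block_bits=8, key_bits=12, true_key=TRUE_KEY, seed=7):
    """Keys consistent with one pair, then with two pairs, for a 12-bit key
    on an 8-bit block: roughly 2**(12-8) keys fit a single pair."""
    rng = random.Random(seed)
    p0, p1 = rng.getrandbits(block_bits), rng.getrandbits(block_bits)
    pair0 = (p0, encrypt(p0, true_key, block_bits, key_bits))
    pair1 = (p1, encrypt(p1, true_key, block_bits, key_bits))
    one = consistent_keys([pair0], block_bits, key_bits)
    two = consistent_keys([pair0, pair1], block_bits, key_bits)
    return one, two


if __name__ == "__main__":
    print("avalanche, 8-bit block :", avalanche_ratio(8, 12))
    print("avalanche, 16-bit block:", avalanche_ratio(16, 32))
    one, two = unicity_demo()
    print(len(one), "keys fit one pair;", len(two), "fit two pairs;",
          "true key present:", TRUE_KEY in one and TRUE_KEY in two)
```

Because block and key widths are parameters, the same code answers both questions at a size where exhaustive work is cheap: the avalanche figure lands near 0.5 at both block sizes, and the one-pair key count comes out well above 1 (about 2^(12-8) for a random-looking cipher) before a second pair prunes it. That is the unicity-distance effect Scott describes, in miniature; the 2**1000 figure in his post is his own claim about his own key size, not something this toy reproduces.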
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 01:55:12 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <70m3a0$e2g$1@news.umbc.edu>
References: <362bdbc6.3212829@news.io.com>
Newsgroups: sci.crypt
Lines: 21

Terry Ritter (ritter@io.com) wrote:

Bruce Schneier had written:
: >Most
: >conferences and workshops won't accept designs from unknowns and
: >without extensive analysis. This may seem unfair:

: Not accepting designs from "unknowns" is well beyond just *seeming*
: unfair, it *is* unfair. It is in fact unscientific.

I have to agree with Mr. Ritter on this one. I'll also note that the major crypto conferences remove the author's name from submission before they go the referees. The system is based on good faith, though I have heard referees talk about secure cryptographic protocols for anonymous review of papers. :)

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 11:37:42 GMT
From: dscott@networkusa.net
Message-ID: <70n5e6$kog$1@nnrp1.dejanews.com>
References: <70m3a0$e2g$1@news.umbc.edu>
Newsgroups: sci.crypt
Lines: 41

In article <70m3a0$e2g$1@news.umbc.edu>, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:
> Terry Ritter (ritter@io.com) wrote:
>
> Bruce Schneier had written:
> : >Most
> : >conferences and workshops won't accept designs from unknowns and
> : >without extensive analysis. This may seem unfair:
>
> : Not accepting designs from "unknowns" is well beyond just *seeming*
> : unfair, it *is* unfair. It is in fact unscientific.
>
> I have to agree with Mr. Ritter on this one. I'll also note that the
> major crypto conferences remove the author's name from submission
> before they go the referees. The system is based on good faith,
> though I have heard referees talk about secure cryptographic protocols
> for anonymous review of papers. :)
>
> --Bryan
>

Well Mr Ritter in my view is a much more honest an open person than Bruce ever will be. At least it is obvious that Ritter works had to learn and stay abreast of current trends in crypto. SOmething Bruce is incapable of becasue of his narrow focus and mind set.

I have never never heard of condferences where the author name is removed. And even if the name is removed I bet any one with have a brain could tell mine from Bruces and from Mr Ritter since we all 3 have different writting styles even if we all 3 write about the exact same subject. Bruces would be acepted even if it left out key points that Mr Ritter or me may have included since he is the King of B.S. and he can Pile it Higher and Deeper.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 13:56:30 +0100 (BST)
From: markc@chiark.greenend.org.uk (Mark Carroll)
Message-ID: <+au*FR8In@news.chiark.greenend.org.uk>
References: <70n5e6$kog$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 47

In article <70n5e6$kog$1@nnrp1.dejanews.com>, <dscott@networkusa.net> wrote:
(snip)
> Well Mr Ritter in my view is a much more honest an open person than
>Bruce ever will be. At least it is obvious that Ritter works had to
>learn and stay abreast of current trends in crypto. SOmething Bruce
>is incapable of becasue of his narrow focus and mind set.

What current trends in crypto do you think that Bruce isn't abreast of?

> I have never never heard of condferences where the author name
>is removed. And even if the name is removed I bet any one with have

In artificial intelligence (my field) it's very common indeed, even for the big conferences (as AAAI-98 was). To be honest, I'd be surprised if it was uncommon in most fields, but I'm open to correction. What policy do, say, CRYPTO, EUROCRYPT, ASIACRYPT, the Fast Software Encryption conferences, etc. have? I'd be quite curious to find out. (-:

>a brain could tell mine from Bruces and from Mr Ritter since we
>all 3 have different writting styles even if we all 3 write about the
>exact same subject. Bruces would be acepted even if it left out

With your Usenet writing style you probably wouldn't get published anyway, though. The written English in conference proceedings rarely has copious spelling and grammatical errors; if you were writing a conference paper, you would no doubt be sensible enough to improve the English a lot to increase its chances of acceptance. Correct English - especially in the style of most academic papers - has much less scope for obvious personal idiosyncrasies (though with rigorous analysis it's still amazing how personal it turns out to be!).

Certainly, it's sometimes the case that the reviewers guess who the author(s) might be, but AFAIK it's usually for a tiny minority of papers, and more from the content than the writing style. (e.g. X is the only person working on this, and lo and behold here's a paper about it...)

>key points that Mr Ritter or me may have included since he is the
>King of B.S. and he can Pile it Higher and Deeper.

What interests would the review panel have in choosing Bruce's paper over yours if yours is so much better? If they start publishing rubbish, then they'll quickly stop being a major conference (or jettison any chances of ever becoming one)...

--
Mark
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 23 Oct 1998 00:01:05 GMT
From: dscott@networkusa.net
Message-ID: <70oh01$2o2$1@nnrp1.dejanews.com>
References: <+au*FR8In@news.chiark.greenend.org.uk>
Newsgroups: sci.crypt
Lines: 93

In article <+au*FR8In@news.chiark.greenend.org.uk>, markc@chiark.greenend.org.uk (Mark Carroll) wrote:
> In article <70n5e6$kog$1@nnrp1.dejanews.com>, <dscott@networkusa.net> wrote:
> (snip)
> > Well Mr Ritter in my view is a much more honest an open person than
> >Bruce ever will be. At least it is obvious that Ritter works had to
> >learn and stay abreast of current trends in crypto. SOmething Bruce
> >is incapable of becasue of his narrow focus and mind set.
>
> What current trends in crypto do you think that Bruce isn't abreast of?
>

Well I think the method I use is beyond his tiny limited brain since I don't use the big words he does. I for one fill if you can write in C then that should be enough of an explantion of what is going on in my method. To put it in words gives the wrong impression of it since my use of words will never really say what I want. And then people would enterpit the words differently than I mean. Bruce only has access to a narrow field of encryption that acidemia uses. I doubt if he understands what Ritter has done either. Even though Ritter is a prolific writter. Bruce might be a phony in only playiing at encryption I have meet many so called Phd where I use to work that lacked any real knowledge of the field they got there degree in. I would've got a Phd in mathematics no sweet but Could not pass all the English stuff that normals could that is why I went into Fields and Waves in Electrical Engineering it had less english crapola.

> > I have never never heard of condferences where the author name
> >is removed. And even if the name is removed I bet any one with have
>
> In artificial intelligence (my field) it's very common indeed, even
> for the big conferences (as AAAI-98 was). To be honest, I'd be
> surprised if it was uncommon in most fields, but I'm open to
> correction. What policy do, say, CRYPTO, EUROCRYPT, ASIACRYPT, the
> Fast Software Encryption conferences, etc. have? I'd be quite
> curious to find out. (-:
>
> >a brain could tell mine from Bruces and from Mr Ritter since we
> >all 3 have different writting styles even if we all 3 write about the
> >exact same subject. Bruces would be acepted even if it left out
>
> With your Usenet writing style you probably wouldn't get published
> anyway, though. The written English in conference proceedings rarely
> has copious spelling and grammatical errors; if you were writing a
> conference paper, you would no doubt be sensible enough to improve the
> English a lot to increase its chances of acceptance. Correct English -
> especially in the style of most academic papers - has much less scope
> for obvious personal idiosyncrasies (though with rigorous analysis
> it's still amazing how personal it turns out to be!).
>

Trust me I can use spell checkers and finally come to correctly spelled words but they wont be the right words anyway so spell checkers don't really add much especially when you think your close to a word and they don't find the one you want or the one they find may be farther than the one you want so you are either stuck with that word or use one you feel is more wrong an a vain attempt to convey your idea. In which your train if thought is lost or broken becasue of the tremendous focus to try to get words in to written form that you can't focus on what you wanted to say in the first place. I hope some day the need for the written word becomes less or that english becomes more like speech and thought.

> Certainly, it's sometimes the case that the reviewers guess who the
> author(s) might be, but AFAIK it's usually for a tiny minority of
> papers, and more from the content than the writing style. (e.g.
> X is the only person working on this, and lo and behold here's a
> paper about it...)
>
> >key points that Mr Ritter or me may have included since he is the
> >King of B.S. and he can Pile it Higher and Deeper.
>
> What interests would the review panel have in choosing Bruce's paper
> over yours if yours is so much better? If they start publishing
> rubbish, then they'll quickly stop being a major conference (or
> jettison any chances of ever becoming one)...
>

Not sure you really want to ask but they may be aready attuned to his narrow closed style of thinking since the reveiwers most like got to there positions in the same way he did and they may not be any more cabable of objective thought than he is.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 19:28:15 GMT
From: aph@cygnus.remove.co.uk (Andrew Haley)
Message-ID: <70o10f$js7$1@korai.cygnus.co.uk>
References: <70n5e6$kog$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 26

dscott@networkusa.net wrote:
: I have never never heard of condferences where the author name
: is removed.

It's normal procedure.

: And even if the name is removed I bet any one with have a brain
: could tell mine from Bruces and from Mr Ritter

Indeed. They use commas, and can string together two or more grammatically correct sentences.

Why should anyone be bothered to read what you write if you can't be bothered to correct any of your mistakes? No publication would put up with your abysmal English.

Andrew.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 15:58:29 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <70o69l$291$1@quine.mathcs.duq.edu>
References: <70o10f$js7$1@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 15

In article <70o10f$js7$1@korai.cygnus.co.uk>,
Andrew Haley <aph@cygnus.remove.co.uk> wrote:
>dscott@networkusa.net wrote:
>: I have never never heard of condferences where the author name
>: is removed.
>
>It's normal procedure.

Shall I add my voice to the chorus of people pointing out how common it is?

In fact, Mr. Scott, I suspect that part of the reason you haven't heard of such things is because for most major conferences, it's expected. I suspect you've never seen a warning label on a jar of peanut butter stating "warning : will break if dropped," either.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 23:16:52 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <362fbcde.3893888@news.io.com>
References: <70o69l$291$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 35

On 22 Oct 1998 15:58:29 -0500, in <70o69l$291$1@quine.mathcs.duq.edu>,
in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>In article <70o10f$js7$1@korai.cygnus.co.uk>,
>Andrew Haley <aph@cygnus.remove.co.uk> wrote:
>>dscott@networkusa.net wrote:
>>: I have never never heard of condferences where the author name
>>: is removed.
>>
>>It's normal procedure.
>
>Shall I add my voice to the chorus of people pointing out how common
>it is? [...]

Shall I point out that this entire thread is a response to the original article by Schneier, who wrote:

>[...]
>It's hard to get a cryptographic algorithm published. Most
>conferences and workshops won't accept designs from unknowns and
>without extensive analysis.

Now, presumably Schneier knows something about crypto conferences. He did *not* say that the practice of removing the author's name for reviewers was not followed. But he clearly *did* imply that *something* prevents "unknowns" from publishing in conferences and workshops. Maybe he is right. If he is, that is the real issue.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Oct 1998 09:33:34 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <70q43u$3tp$1@quine.mathcs.duq.edu>
References: <362fbcde.3893888@news.io.com>
Newsgroups: sci.crypt
Lines: 45

In article <362fbcde.3893888@news.io.com>, Terry Ritter <ritter@io.com> wrote:
[Re: Anonymous review]
>Shall I point out that this entire thread is a response to the
>original article by Schneier, who wrote:
>
>>[...]
>>It's hard to get a cryptographic algorithm published. Most
>>conferences and workshops won't accept designs from unknowns and
>>without extensive analysis.
>
>Now, presumably Schneier knows something about crypto conferences. He
>did *not* say that the practice of removing the author's name for
>reviewers was not followed. But he clearly *did* imply that
>*something* prevents "unknowns" from publishing in conferences and
>workshops. Maybe he is right. If he is, that is the real issue.

Funny how when you eliminate all the "ands" it's very possible to misinterpret sentences, ya know?

Workshops are generally not reviewed anonymously -- but workshops are generally not put together as the primary distribution of results; instead, it's generally a group of people who know each other, or at least know of each other, getting together to talk shop. In this sense, they *are*, or can be, closed shops -- which would be a lot more bothersome if they were taken at all seriously by professionals.

Conferences are generally reviewed anonymously, especially important ones. But the standards for conferences are generally much higher -- for instance, most technical conferences require you to submit a paper, sometimes as much as 10 pages or so, while most workshops only want an abstract or a one-page summary of what you intend to talk about. And part of what is expected in the extra nine pages is a lot more detail about the strengths and weaknesses of what you're doing.

So if you're a total unknown, you probably won't get workshop invitations. You can, however, easily get into conferences *if* you can write a good enough paper -- good enough referring not only to ability to write decent English but also to the quality of your methodology and the amount of results.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:11:12 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f47d.2601979@news.visi.com>
References: <362fbcde.3893888@news.io.com>
Newsgroups: sci.crypt
Lines: 72

On Thu, 22 Oct 1998 23:16:52 GMT, ritter@io.com (Terry Ritter) wrote:
>
>On 22 Oct 1998 15:58:29 -0500, in <70o69l$291$1@quine.mathcs.duq.edu>,
>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>In article <70o10f$js7$1@korai.cygnus.co.uk>,
>>Andrew Haley <aph@cygnus.remove.co.uk> wrote:
>>>dscott@networkusa.net wrote:
>>>: I have never never heard of condferences where the author name
>>>: is removed.
>>>
>>>It's normal procedure.
>>
>>Shall I add my voice to the chorus of people pointing out how common
>>it is? [...]
>
>Shall I point out that this entire thread is a response to the
>original article by Schneier, who wrote:
>
>>[...]
>>It's hard to get a cryptographic algorithm published. Most
>>conferences and workshops won't accept designs from unknowns and
>>without extensive analysis.
>
>Now, presumably Schneier knows something about crypto conferences. He
>did *not* say that the practice of removing the author's name for
>reviewers was not followed. But he clearly *did* imply that
>*something* prevents "unknowns" from publishing in conferences and
>workshops. Maybe he is right. If he is, that is the real issue.

Crypto and Eurocrypt use anonymous refereeing. With a few possible exceptions (I don't know about them all, and Asiacrypt especially) the other crypto conferences keep authors' names on the papers during refereeing.

And "hard" is not impossible. Pulling a random (well, pseudorandom) Fast Software Encryption proceedings off my shelf (1997), I see six cipher designs:

MISTY, by Mitsuru Matsui, the man who invented linear cryptanalysis. It is still unbroken, and I am sorry a variant was not submitted to AES.

ICE, by Matthew Kwan, who has not cryptanalyzed much of anything. Broken in FSE 1998.

TWOPRIME, by Ding, Niemi, Renvall, and Salomaa. Some of these people are good cryptographers, but they are much more mathematicians. I don't think they have ever written a real cryptanalysis paper. TWOPRIME was broken in FSE 1998.

Chameleon, by Ross Anderson and Charalampos Manifavas. Ross has many scalps under his belt. Unbroken.

Square, by Joan Daemen, Lars Knudsen, and Vincent Rijmen, a team that should strike fear in the hearts of cipher designers everywhere. Unbroken, and the basis for the AES submission Rijndael.

xmx, by David M'Raihi, David Naccache, Jacques Stern, and Serge Vaudenay. Serge has done some excellent block cipher cryptanalytic work. His design, DFC, has been submitted to AES. Unbroken.

See the pattern?

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:46:05 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a746.2458264@news.io.com>
References: <3633f47d.2601979@news.visi.com>
Newsgroups: sci.crypt
Lines: 51

On Mon, 26 Oct 1998 04:11:12 GMT, in <3633f47d.2601979@news.visi.com>,
in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>>[...]
>>Now, presumably Schneier knows something about crypto conferences. He
>>did *not* say that the practice of removing the author's name for
>>reviewers was not followed. But he clearly *did* imply that
>>*something* prevents "unknowns" from publishing in conferences and
>>workshops. Maybe he is right. If he is, that is the real issue.
>
>Crypto and Eurocrypt use anonymous refereeing. With a few possible
>exceptions (I don't know about them all, and Asiacrypt especially) the
>other crypto conferences keep authors names on the papers during
>refereeing.
>
>And "hard" is not impossible. Pulling a random (well, pseudorandom)
>Fast Software Encryption proceedings off my shelf (1997), I see six
>cipher designs:
>[...]
>
>See the pattern?

First of all, this is the usual sort of rationalization for treating individuals similarly according to their membership in some sort of despised group. And while clearly unfair and unscientific, it *is* an all-too-American activity.

Next, your argument assumes that science is best served by descriptions of unbreakable cipher designs. But I suggest that they also serve who present new designs of any sort. In fact, it is largely the lack of a broad and robust literature on breaks of all types which makes "the newbie problem" as bad as it is. The process of selecting only good designs for the archival literature leaves us with little description of the bad ones, and less archived reasoning about their weaknesses. I claim we would be better off if every newbie cipher was presented and broken in the literature.

But the original issue wasn't whether limiting crypto conferences to known experts was a reasonable expedient that could be supported by the evidence: The issue instead was whether this occurs. If it does, it is bad science, and if you are participating in this, you are part of the problem.

See the pattern now?

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 00:46:37 GMT
From: dscott@networkusa.net
Message-ID: <71355d$ias$1@nnrp1.dejanews.com>
References: <3634a746.2458264@news.io.com>
Newsgroups: sci.crypt
Lines: 68

In article <3634a746.2458264@news.io.com>,
ritter@io.com (Terry Ritter) wrote:
>
> On Mon, 26 Oct 1998 04:11:12 GMT, in <3633f47d.2601979@news.visi.com>,
> in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>
> >>[...]
> >>Now, presumably Schneier knows something about crypto conferences. He
> >>did *not* say that the practice of removing the author's name for
> >>reviewers was not followed. But he clearly *did* imply that
> >>*something* prevents "unknowns" from publishing in conferences and
> >>workshops. Maybe he is right. If he is, that is the real issue.
> >
> >Crypto and Eurocrypt use anonymous refereeing. With a few possible
> >exceptions (I don't know about them all, and Asiacrypt especially) the
> >other crypto conferences keep authors names on the papers during
> >refereeing.
> >
> >And "hard" is not impossible. Pulling a random (well, pseudorandom)
> >Fast Software Encryption proceedings off my shelf (1997), I see six
> >cipher designs:
> >[...]
> >
> >See the pattern?
>
> First of all, this is the usual sort of rationalization for treating
> individuals similarly according to their membership in some sort of
> despised group. And while clearly unfair and unscientific, it *is* an
> all-too-American activity.
>
> Next, your argument assumes that science is best served by
> descriptions of unbreakable cipher designs. But I suggest that they
> also serve who present new designs of any sort. In fact, it is
> largely the lack of a broad and robust literature on breaks of all
> types which makes "the newbie problem" as bad as it is. The process
> of selecting only good designs for the archival literature leaves us
> with little description of the bad ones, and less archived reasoning
> about their weaknesses. I claim we would be better off if every
> newbie cipher was presented and broken in the literature.
>
> But the original issue wasn't whether limiting crypto conferences to
> known experts was a reasonable expedient that could be supported by
> the evidence: The issue instead was whether this occurs. If it does,
> it is bad science, and if you are participating in this, you are part
> of the problem.
>
> See the pattern now?
>

Mr Ritter, I feel that Bruce is one of those self-inflated people incapable of understanding your writing. He is afraid of real competition, so he will attempt to put it down with jokes and such, but don't expect him to see such an obvious, easy pattern in logic; it may be beyond his brain power.

> ---
> Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
> Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 18:03:49 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3634b8f5.7503638@news.prosurfr.com>
References: <3633f47d.2601979@news.visi.com>
Newsgroups: sci.crypt
Lines: 16

schneier@counterpane.com (Bruce Schneier) wrote, in part:

> ICE, by Matthew Kwan, who has not cryptanalyzed much of
> anything. Broken in FSE 1998.

But we can be very thankful he published his design. The principle of using a mask to control swapping bits between words is a very useful principle, and can efficiently contribute to a cipher's security.

If ICE hadn't come along, some other cipher designer might have come up with that particular principle, and patented its use in a block cipher.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 20:39:45 GMT
From: klockstone@cix.compulink.co.uk ("Keith Lockstone")
Message-ID: <F1I6qA.L1u@cix.compulink.co.uk>
References: <3634b8f5.7503638@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 89

> But we can be very thankful he published his design. The
> principle of using a mask to control swapping bits between
> words is a very useful principle, and can efficiently
> contribute to a cipher's security.
>
> If ICE hadn't come along, some other cipher designer might have
> come up with that particular principle, and patented its use in
> a block cipher.

This idea has been published before on sci.crypt although its significance probably went unnoticed. It was originally conceived after I read a Friedman publication that described swapping the most significant halves of two indices.

There's little new under the Sun!

Keith.

> From: Keith Lockstone <keith.lockstone@gecm.com>
> Newsgroups: sci.crypt
> Subject: Re: New Dynamic Substitution Implications
> Date: 20 Dec 1996 16:48:06 GMT
> Organization: GEC Marconi Radar and Defence Systems Ltd
> To: ritter@io.com
> Lines: 81
>
> In <850598749.26798@dejanews.com>, Terry Ritter said:
> > A better approach would be to use two Dynamic Substitution
> > operations in sequence.
> and:
> > Another approach would be to make a pseudo-random selection
> > among multiple Dynamic Substitution combiners.
>
> A further approach could make use of 4 lookup tables. (Related
> to: Playfair cipher, 4 table ciphers - see William Friedman's
> books on Military Cryptanalysis) This helps to break up patterns
> in the plaintext and the PRNGs.
>
> The basis of this approach is to take pairs of plaintext bytes,
> use them to look up 2 intermediate values, randomly 'splice'
> these to form 2 further intermediate values - which are then used
> to look up the final pair of ciphertext bytes.
>
> All 4 tables are then updated by swapping the used entry with a
> randomly chosen one.
>
> This system has the disadvantage of a random to plaintext ratio
> of 5:2.
>
> Note: if the splicing stage uses 2 random bytes instead of one
> for multiplexing then the system becomes non-reversible - but
> still usable as a mixer for PRNGs.
>
> Keith.
>
> ----------------------------------------------------------------
> #define BYTE unsigned char
> /* tables for encoding (and decoding) */
> BYTE W[256], X[256], Y[256], Z[256];
>
> BYTE p1, p2,      /* 2 plaintext input/output bytes */
>      c1, c2;      /* 2 ciphertext input/output bytes */
>
> /***************************************************************/
> void encrypt(void)
> { BYTE r1, r2, r3, r4, r5,      /* random bytes */
>        a, b, f, g;              /* intermediate results */
>
>   r1 = getrand(1);                      /* get 5 random bytes from 5 */
>   r2 = getrand(2); r3 = getrand(3);     /* different generators */
>   r4 = getrand(4); r5 = getrand(5);
>
>   a = W[p1];                  /* plaintext 1 -> intermediate result 1 */
>   b = X[p2];                  /* plaintext 2 -> intermediate result 2 */
>
>   f = a & r5 | b & ~r5;       /* multiplex intermediate results: 1 */
>   g = b & r5 | a & ~r5;       /* multiplex intermediate results: 2 */
>
>   c1 = Y[f];                  /* intermediate mix 1 -> ciphertext 1 */
>   c2 = Z[g];                  /* intermediate mix 2 -> ciphertext 2 */
>
>   W[p1] = W[r1]; W[r1] = a;   /* update table W */
>   X[p2] = X[r2]; X[r2] = b;   /* update table X */
>   Y[f]  = Y[r3]; Y[r3] = c1;  /* update table Y */
>   Z[g]  = Z[r4]; Z[r4] = c2;  /* update table Z */
> }
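The quoted 1996 post gives only the sender's encrypt() and says in passing that the scheme is reversible with one mask byte and not with two, and Savard's preceding post describes the same masked bit-swap principle from ICE. The following program is an added example, not code from either post: it completes the four-table cipher with the matching decrypt() (the receiver inverts the tables before applying the same swaps, so both sides stay in step), shows that the splice f = a&m | b&~m, g = b&m | a&~m is exactly the XOR masked-swap trick, and constructs a collision for the two-mask variant to show why it loses information. The PRNG, the keyed table setup and the sample message are assumptions made here so the program runs stand-alone; the original generators are not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t BYTE;

/* The four encoding tables of the quoted post; each stays a permutation. */
static BYTE W[256], X[256], Y[256], Z[256];

/* Stand-in for the post's getrand(n): five keyed xorshift32 streams
   (assumption: sender and receiver only need identical streams in lock-step). */
static uint32_t rng_state[6];

static BYTE getrand(int n) {
    uint32_t x = rng_state[n];
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state[n] = x;
    return (BYTE)(x >> 24);
}

/* Key setup (assumption): an odd multiplier makes each table a bijection on
   bytes, the key bytes choose the offsets, and the key seeds the streams. */
static void init_tables(uint32_t key) {
    for (int i = 0; i < 256; i++) {
        W[i] = (BYTE)(0x35 * i + (key & 0xff));
        X[i] = (BYTE)(0x4b * i + ((key >> 8) & 0xff));
        Y[i] = (BYTE)(0x6d * i + ((key >> 16) & 0xff));
        Z[i] = (BYTE)(0x8f * i + ((key >> 24) & 0xff));
    }
    for (int n = 1; n <= 5; n++) {
        rng_state[n] = key * 0x9E3779B9u + (uint32_t)n * 0x85EBCA6Bu;
        if (rng_state[n] == 0) rng_state[n] = 1;   /* xorshift must not start at 0 */
    }
}

/* The splice: f keeps a's bits where the mask is 1 and takes b's where it
   is 0; g is the complement, so (f, g) still carries every bit of (a, b),
   and applying the same splice to (f, g) restores (a, b). */
static void mux(BYTE a, BYTE b, BYTE m, BYTE *f, BYTE *g) {
    *f = (a & m) | (b & (BYTE)~m);
    *g = (b & m) | (a & (BYTE)~m);
}

/* The same operation as the ICE-style masked swap: exchange exactly the
   bits where the mask is 0. */
static void masked_swap(BYTE *a, BYTE *b, BYTE m) {
    BYTE t = (*a ^ *b) & (BYTE)~m;
    *a ^= t;
    *b ^= t;
}

/* Two independent masks, the post's non-reversible variant. */
static void mux2(BYTE a, BYTE b, BYTE m1, BYTE m2, BYTE *f, BYTE *g) {
    *f = (a & m1) | (b & (BYTE)~m1);
    *g = (b & m2) | (a & (BYTE)~m2);
}

/* Whenever m1 != m2, some bit position copies one input into both outputs
   and drops the other; flipping the dropped bit yields a second (a2, b2)
   with the identical (f, g). Returns 0 (no collision) when the masks agree. */
static int two_mask_collision(BYTE a, BYTE b, BYTE m1, BYTE m2, BYTE *a2, BYTE *b2) {
    BYTE d = m1 ^ m2;
    if (d == 0) return 0;
    BYTE bit = (BYTE)(d & (BYTE)-d);                       /* lowest differing bit */
    if (m1 & bit) { *a2 = a; *b2 = (BYTE)(b ^ bit); }     /* b's bit is lost */
    else          { *a2 = (BYTE)(a ^ bit); *b2 = b; }     /* a's bit is lost */
    return 1;
}

static BYTE table_inverse(const BYTE *T, BYTE v) {
    for (int i = 0; i < 256; i++) if (T[i] == v) return (BYTE)i;
    return 0;                                   /* unreachable for a permutation */
}

/* Sender: the post's encrypt(), random bytes drawn in the same order. */
static void encrypt_pair(BYTE p1, BYTE p2, BYTE *c1, BYTE *c2) {
    BYTE r1 = getrand(1), r2 = getrand(2), r3 = getrand(3), r4 = getrand(4), r5 = getrand(5);
    BYTE a = W[p1], b = X[p2], f, g;
    mux(a, b, r5, &f, &g);
    *c1 = Y[f]; *c2 = Z[g];
    W[p1] = W[r1]; W[r1] = a;
    X[p2] = X[r2]; X[r2] = b;
    Y[f] = Y[r3]; Y[r3] = *c1;
    Z[g] = Z[r4]; Z[r4] = *c2;
}

/* Receiver: invert the tables before they are updated, undo the splice,
   then perform the same swaps so the tables stay synchronised. */
static void decrypt_pair(BYTE c1, BYTE c2, BYTE *p1, BYTE *p2) {
    BYTE r1 = getrand(1), r2 = getrand(2), r3 = getrand(3), r4 = getrand(4), r5 = getrand(5);
    BYTE f = table_inverse(Y, c1), g = table_inverse(Z, c2), a, b;
    mux(f, g, r5, &a, &b);
    *p1 = table_inverse(W, a); *p2 = table_inverse(X, b);
    W[*p1] = W[r1]; W[r1] = a;
    X[*p2] = X[r2]; X[r2] = b;
    Y[f] = Y[r3]; Y[r3] = c1;
    Z[g] = Z[r4]; Z[r4] = c2;
}

/* Encrypt an even-length message (at most 64 bytes) into ct, re-key,
   decrypt, and report whether the plaintext came back intact. */
static int roundtrip_ok(uint32_t key, const BYTE *msg, size_t n, BYTE *ct) {
    BYTE back[64];
    if (n % 2 || n > sizeof back) return 0;
    init_tables(key);
    for (size_t i = 0; i < n; i += 2) encrypt_pair(msg[i], msg[i + 1], &ct[i], &ct[i + 1]);
    init_tables(key);
    for (size_t i = 0; i < n; i += 2) decrypt_pair(ct[i], ct[i + 1], &back[i], &back[i + 1]);
    return memcmp(msg, back, n) == 0;
}

int main(void) {
    static const BYTE msg[] = "attack at dawn!!";   /* constructed sample, 16 bytes */
    BYTE ct[16];
    int ok = roundtrip_ok(0x12345678u, msg, 16, ct);
    for (int i = 0; i < 16; i++) printf("%02x", ct[i]);
    printf("\nround trip %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The receiver must consume the five random bytes in the same order as the sender and apply the identical table swaps after each pair, which is why a dropped or reordered ciphertext pair desynchronises every later pair; the linear-scan table_inverse() is fine for a demonstration but a real implementation would maintain inverse tables alongside W, X, Y and Z.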
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 23 Oct 1998 00:24:58 GMT
From: dscott@networkusa.net
Message-ID: <70oicq$3qo$1@nnrp1.dejanews.com>
References: <70o10f$js7$1@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 52

In article <70o10f$js7$1@korai.cygnus.co.uk>,
aph@cygnus.remove.co.uk (Andrew Haley) wrote:
> dscott@networkusa.net wrote:
> : I have never never heard of condferences where the author name
> : is removed.
>
> It's normal procedure.

Well, it is a phony procedure to have the air of respectability when in reality it hides nothing. REAL CRYPTO conferences should have executable programs or functions where the input and output can be analysed and various real testing done on computers, since in the real world that is where it has to stand up. But that might be too difficult and too different for the ones used to not being creative.

>
> : And even if the name is removed I bet any one with have a brain
> : could tell mine from Bruces and from Mr Ritter
>
> Indeed. They use commas, and can string together two or more
> grammatically correct sentences.
>

Still, I meant you could tell Mr Ritter from B.S. by their styles, even though they both like commas in their stuff.

> Why should anyone be bothered to read what you write if you can't be
> bothered to correct any of your mistakes? No publication would put up
> with your abysmal English.

Then I guess I can just continue to write the world's greatest crypto for the unwashed masses while the ones who write can fool themselves. I don't have to write; I can program. Maybe, like Heaviside, someone else will write it in terms that even narrow-minded individuals like Bruce can understand. But I am not that person.

>
> Andrew.
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 21:58:09 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210982158250001@207.101.116.111>
References: <70oicq$3qo$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 22

In article <70oicq$3qo$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:
.... even narrow
> minded individuals like Bruce can understand...
>

You are confusing narrow-mindedness with focus. I can respect him on that. Certain algorithms are perhaps too demanding of intricate attention, leaving little time for much else.

Each of us is faced with economy of time. These discussions are important, so I spend some effort on them. It is not that I don't have other competing things to do. To keep up seems to take from 20 minutes to several hours per day, but the yield can be much more rapid than running through some sluggish formal procedure.

Expanding the fundamental process for introducing and exploring algorithms, prying open the process as far as possible, is more important than any one cryptosystem.
--
---
Passing a budget with obscure items is bad; preventing government payment for birth control while authorizing millions for viagra lets us focus on the hard facts of prevalent sexism.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Oct 1998 09:38:24 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <70q4d0$3up$1@quine.mathcs.duq.edu>
References: <W%QX1.340$4a.1584242@news20.bellglobal.com> <70oicq$3qo$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 30

In article <W%QX1.340$4a.1584242@news20.bellglobal.com>,
Sandy Harris <sandy.harris@sympatico.ca> wrote:
>dscott@networkusa.net wrote:
>
>> Then I guess I can just continue to write the worlds greatest
>>crypto for the unwashed masses while the one how write can fool
>>themselves. I don't have to write I can program. . . .
>
>"Besides a mathematical inclination, an exceptionally good mastery of
>"one's native tongue is the most vital asset of a competent programmer.
>
>                        Edsger W. Dijkstra

It probably helps that Dr. Dijkstra's native tongue is Dutch, where there is a large programming community. It probably also helps that Dr. Dijkstra's command of English is astonishing.

I think he's overstating the case -- I remember a brilliant student I had the pleasure to teach once whose native language was spoken by about two hundred people in a mountain valley in New Guinea or something like that. I suspect that his ability to master English will be a more vital asset for his eventual programming abilities.

But overall, I agree with Dr. Dijkstra's sentiments -- which is itself astonishing, as normally when Dr. Dijkstra states that the sun is shining, my initial reaction is to turn on my headlights. 8-)

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Oct 1998 15:59:40 GMT
From: aph@cygnus.remove.co.uk (Andrew Haley)
Message-ID: <70q95c$au2$2@korai.cygnus.co.uk>
References: <70q4d0$3up$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 28

Patrick Juola (juola@mathcs.duq.edu) wrote:
: In article <W%QX1.340$4a.1584242@news20.bellglobal.com>,
: Sandy Harris <sandy.harris@sympatico.ca> wrote:
: >dscott@networkusa.net wrote:
: >
: >"Besides a mathematical inclination, an exceptionally good mastery of
: >"one's native tongue is the most vital asset of a competent programmer.
: >
: >                        Edsger W. Dijkstra

Dijkstra goes on to explain that in his experience a competent programmer always has such a mastery of his own tongue; in other words, you can gain some idea of the level of a programmer's skill just by listening to them. This tallies with my experience.

: I think he's overstating the case -- I remember a brilliant student
: I had the pleasure to teach once whos native language was spoken
: by about two hundred people in a mountain valley in New Guinea
: or something like that. I suspect that his ability to master
: English will be a more vital asset for his eventual programming
: abilities.

I doubt it; Dijkstra isn't talking about a language skill that someone will actually use to communicate, but is using skill in one's native language as an indicator of linguistic skills in general. After all, one generally thinks in one's native language.

Andrew.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 13:42:51 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36346E4B.9720682F@stud.uni-muenchen.de>
References: <70r9tt$i7f$1@nnrp1.dejanews.com> <3630BE5C.5B765F9B@stud.uni-muenchen.de> <70q95c$au2$2@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 26

dscott@networkusa.net wrote:
>
> If you really think in more than one language do you do certain
> things better in one language than the other. Are you using language
> when you play a game like chess. If so do you do better in one than
> the other. Are your politics and views on religion a function some
> what of the language you use at the time your thinking. Just
> wondered.

I can't say that my personal experience generalizes. I am however anyway convinced that if one has acquired sufficient proficiency in a foreign language, the difference between a foreign language and one's mother tongue disappears. At that point it is somehow 'uneconomical' to speak or write in one language while thinking partly in another (and then mentally translate before speaking out or writing down) and one tends therefore to work (for convenience) in one single language only. Language proficiency has to be maintained through practice. To my dismay I find my proficiency in my native language (especially in writing) is deteriorating due to lack of practice.

Language is neutral to its use. It has no influence on what is expressed, I am convinced, since all natural languages (at least those of the civilized world) are of sufficient expressive power to formulate everything imaginable.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 14:35:46 +0100
From: fungus <spam@egg.chips.and.spam.com>
Message-ID: <3635CC32.F1A238CF@egg.chips.and.spam.com>
References: <36346E4B.9720682F@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 39

Mok-Kong Shen wrote:
>
> dscott@networkusa.net wrote:
> >
> >
> > If you really think in more than one language do you do certain
> > things better in one language than the other.
>
> It has no influence on what is expressed, I am convinced, since
> all natural languages (at least those of the civilized world)
> are of sufficient expressive power to formulate everything
> imaginable.
>

If you actually learn a foreign language you'll find that there are some concepts which have a word in one language but not in another. Sometimes you find yourself arriving at the middle of a sentence wanting to use a word from the other language because no equivalent exists in the language you're speaking.

You'll also notice this in films with subtitles. Sometimes the subtitles are saying a completely different thing than the people on the screen, and, if you think about it, it's very hard to translate directly.

And then there's cultural differences. The concept of swearing (as in "bad language") doesn't really exist in Spain. Over here you'll see Disney films with the characters saying "Oh Shit!", and people say the equivalent of "fuck" all the time on TV chat shows. In the UK you'll have *big* problems to find somebody saying "fuck" on TV. Beverly Hills Cop had all the words changed to "hell" when it was shown....

--
<\___/>
/ O O \
\_____/  FTB.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 16:26:40 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3635E630.DB9FF944@stud.uni-muenchen.de>
References: <3635CC32.F1A238CF@egg.chips.and.spam.com>
Newsgroups: sci.crypt
Lines: 27

fungus wrote:
>
> If you actually learn a foreign language you'll find that there
> are some concepts which have a word in one language but not
> in another. Sometimes you find yourself arrive at the middle
> of a sentence wanting to use a word from the other language
> because no equivalent exists in the language you're speaking.

That's why good translations of masterpieces are rare. But I am not convinced that languages can influence thought or behaviour. There are always more or less good equivalents. (Though I heard that in one language one can count up to 5 only.) A language may be superior in certain expressions but inferior in others. (There are 'fanatics' who believe that their native languages are the best.)

> And then there's cultural differences. The concept of swearing
> (as in "bad language") doesn't really exist in Spain.

My respect for Spain. But other languages, including French, long time the chosen language of the diplomats, are abundant in words expressing such strong sentiments. I find it difficult to imagine what happens when two persons get very angry with each other in Spain.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 27 Oct 1998 10:35:31 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <714p83$i54$1@quine.mathcs.duq.edu>
References: <3635CC32.F1A238CF@egg.chips.and.spam.com>
Newsgroups: sci.crypt
Lines: 34

In article <3635CC32.F1A238CF@egg.chips.and.spam.com>,
fungus <spam@egg.chips.and.spam.com> wrote:
>Mok-Kong Shen wrote:
>>
>> dscott@networkusa.net wrote:
>> >
>> >
>> > If you really think in more than one language do you do certain
>> > things better in one language than the other.
>>
>> It has no influence on what is expressed, I am convinced, since
>> all natural languages (at least those of the civilized world)
>> are of sufficient expressive power to formulate everything
>> imaginable.
>>
>
>If you actually learn a foreign language you'll find that there
>are some concepts which have a word in one language but not
>in another. Sometimes you find yourself arrive at the middle
>of a sentence wanting to use a word from the other language
>because no equivalent exists in the language you're speaking.

True but irrelevant. Translation doesn't necessarily require that every word be replaced with an equivalent word, but that every concept be somehow represented with a word or phrase.

French, for example, has no single word meaning "shallow." This does NOT, however, mean that the French don't understand the distinction between deep and shallow water, or even that they can't talk about it.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 23:20:50 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510982320500001@207.22.198.192>
References: <5LHY1.278$MY4.2154610@news.goodnet.com> <jgfunj-2510981033500001@dialup126.itexas.net>
Newsgroups: sci.crypt
Lines: 23

In article <5LHY1.278$MY4.2154610@news.goodnet.com>, "Steve Sampson" <ssampson@access.usa-site.net> wrote:

> W T Shaw wrote
>
> >I went to Oklahoma yesterday, so on returning to Texas, the contrast with
> >the dimension of past dominated experiences makes me want to confirm my
> >salvation that I recovered by nightfall and express myself in a more
> >linguisting challenging way, at for a little while. Is this prejudice
> >justifed so that I should disregard anything Okie in nature? Perhaps, but
> >I should not bend so easily to such a feeling if I believe that reality is
> >even expressed there.
>
>
> What the hell are you talking about?

Prejudice by language, life style, heritage, anything you want to throw in. Concentrating on style rather than substance is easy, and wrong.
--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:02:03 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f403.2480424@news.visi.com>
References: <70n5e6$kog$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 18

On Thu, 22 Oct 1998 11:37:42 GMT, dscott@networkusa.net wrote:
>I have never never heard of conferences where the author name
>is removed.  And even if the name is removed I bet any one with half
>a brain could tell mine from Bruce's and from Mr Ritter since we
>all 3 have different writing styles even if we all 3 write about the
>exact same subject.  Bruce's would be accepted even if it left out
>key points that Mr Ritter or me may have included since he is the
>King of B.S. and he can Pile it Higher and Deeper.

You can figure out the authors of some papers without the authors' names, but not all of them.  You can easily figure out who is schooled in the mathematics of cryptography and who isn't.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:00:47 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f3c2.2415094@news.visi.com>
References: <70m3a0$e2g$1@news.umbc.edu>
Newsgroups: sci.crypt
Lines: 28

On 22 Oct 1998 01:55:12 GMT, olson@umbc.edu (Bryan G. Olson; CMSC (G))
wrote:

>Terry Ritter (ritter@io.com) wrote:
>
>Bruce Schneier had written:
>: >Most
>: >conferences and workshops won't accept designs from unknowns and
>: >without extensive analysis.  This may seem unfair:
>
>: Not accepting designs from "unknowns" is well beyond just *seeming*
>: unfair, it *is* unfair.  It is in fact unscientific.
>
>I have to agree with Mr. Ritter on this one.  I'll also note that the
>major crypto conferences remove the author's name from submission
>before they go to the referees.  The system is based on good faith,
>though I have heard referees talk about secure cryptographic protocols
>for anonymous review of papers. :)

Agreed that it is unfair.  But even the conferences that referee papers anonymously don't publish design papers unless they are REALLY impressive.  Different for the sake of difference just doesn't cut it.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: 26 Oct 1998 07:52:04 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <7119n4$7hu$1@news.umbc.edu>
References: <3633f3c2.2415094@news.visi.com>
Newsgroups: sci.crypt
Lines: 21

Bruce Schneier wrote:
: Agreed that it is unfair.  But even the conferences that referee
: papers anonymously don't publish design papers unless they are REALLY
: impressive.  Different for the sake of difference just doesn't cut it.

Oh absolutely.  There seems to be a sci.crypt myth that cryptology is primarily concerned with inventing ciphers, and the crypto literature with publishing them.  In reality cryptologists are pursuing knowledge within the science of secrecy.  The journals and conferences are looking for papers that establish results not previously known.

So here's how to really get a design published in the crypto lit: Find some new and interesting fact, develop a design that incorporates the result, then write a paper that presents both the theorem and the system.  I'm still working on mine, but from what I've read, that's how it's usually done.

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:59:50 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f37a.2343159@news.visi.com>
References: <362bdbc6.3212829@news.io.com>
Newsgroups: sci.crypt
Lines: 9

I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop.  I believe it will be published.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:20:14 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f6f6.3235025@news.visi.com>
References: <362bdbc6.3212829@news.io.com>
Newsgroups: sci.crypt
Lines: 143

On Tue, 20 Oct 1998 00:40:21 GMT, ritter@io.com (Terry Ritter) wrote:

>In my view, the reason for inventing a new cipher -- like any new
>design -- is to deliver new advantages.  If so, it advances the art,
>quite independent of whether the professional chorus agrees.

Security is orthogonal to functionality.  A cipher cannot deliver any new advantages until it is considered strong.  That's what makes this discipline complicated.

>>What is hard is creating an algorithm that no one else can break, even
>>after years of analysis.  And the only way to prove that is to subject
>>the algorithm to years of analysis by the best cryptographers around.
>
>That last sentence is what the profession says, but it is as false,
>misleading, and self-delusional as anything in cryptography:  Even
>years of analysis is not proof.  It is not close to proof.
>
>Lack of proof of weakness is not proof of strength.  Obviously.

Agreed.  "Proof" was a bad word choice.  You are, of course, correct.

>>It's hard to get a cryptographic algorithm published.
>
>This, of course, is simply false.  It is false in the assumption that
>"published" means accepted by some academic journal.  And it is also
>more or less false in that most reasonable papers *can* be shopped
>around and placed in some academic journal eventually.  There are many
>journals, and each must fill a gaping maw of pages continuously.
>
>It is true, however, that a *good* article is more than a new idea:  A
>good article offers *insight* as opposed to mere symbology and
>gobbledygook.  If someone provides a good presentation to something
>exciting and new, they won't have much trouble placing it somewhere.

Agreed.  Please submit your good ideas to cryptography workshops.  FSE and SAC are good places to start.

>>Most
>>conferences and workshops won't accept designs from unknowns and
>>without extensive analysis.  This may seem unfair:
>
>Not accepting designs from "unknowns" is well beyond just *seeming*
>unfair, it *is* unfair.  It is in fact unscientific.  More than that,
>this also has economic consequences.
>
>Any time an academic publication will not look at, accept, and publish
>work based on content -- independent of its source -- that publication
>is spending its academic reputation.  Journals exist to serve a larger
>ideal than to simply further the academic careers of authors -- their
>existence depends upon providing the best material to their readers.
>They can't just reject good stuff and publish the chaff without real
>audience consequences.

Agreed.  The work is accepted and rejected based on the work, not on the name.  If there are errors based on name, it is when a work by a well-known name is refereed less stringently because of who they are.  I don't believe the reverse happens anywhere near as often.

>>When I started writing _Applied Cryptography_, I heard the maxim that
>>the only good algorithm designers were people who spent years
>>analyzing existing designs.  The maxim made sense, and I believed it.
>
>Then you were fooled.  Vernam, a mere engineer in 1919:  The
>mechanistic stream cipher, and the basis for the one time pad.

Yes.  I believe my point still stands.

>This game of "I'm better than you" is a sickness that infects the
>entire field of cryptography.  It makes every discussion a contest,
>every relationship a competition, and a mockery of facts and clear,
>correct reasoning.  It works against development in the field, and has
>got to go.  Those professionals who are actively cultivating ego cults
>for their own self-gratification are part of the problem.

No.  The adversarial game of making and breaking is what makes cryptography cryptography.  I design; you break.  You design; I break.  This is what cryptography is.

>In the anecdote, a better alternative would be for the cryptographer
>to be helpful, to explain the issues, lay out a course of study, and
>thus in a larger sense generally address why the general public has so
>little understanding of this profession.  We don't of course, see
>anecdotes about that.  Why?  See the above paragraph.

I believe we do this.  There are excellent courses of study in cryptography that have turned out some excellent cryptographers.

>>1.  Describe your cipher using standard notation.  This doesn't mean C
>>code.  There is established terminology in the literature.  Learn it
>>and use it; no one will learn your specialized terminology.
>
>Yes.  There are established notations for the design of logic systems,
>and they include both "schematics" and "flow charts" as well as C.
>But more than anything else, the "standard notation" includes a clear,
>logical presentation in some language (but if that is not English, *I*
>will have a problem!).  It is also important to give some
>justification for the various design decisions which are usually
>necessary.

I don't mean established notations for the design of logic systems.  This is mathematics after all.  I mean standard mathematical notation.

>>3.  Show why your cipher is immune against each of the major attacks
>>known in literature.  It is not good enough just to say that it is
>>secure, you have to show why it is secure against these attacks.  This
>>requires, of course, that you not only have read the literature, but
>>also understand it.  Expect this process to take months, and result in
>>a large heavily mathematical document.  And remember, statistical
>>tests are not very meaningful.
>
>That last sentence sounds a lot like statistics-envy.  Surely it
>should read that "statistical tests should not be used to support
>inappropriate conclusions."  But we could say the same thing about
>mathematics itself.

No.  I stand by my sentence.  Statistical tests are not very meaningful.  If you saw a cipher design that was accompanied by nothing other than statistical tests of randomness, wouldn't your snake-oil detector go off?

>>4.  Explain why your cipher is better than existing alternatives.  It
>>makes no sense to look at something new unless it has clear advantages
>>over the old stuff.  Is it faster on Pentiums?  Smaller in hardware?
>>What?  I have frequently said that, given enough rounds, pretty much
>>anything is secure.  Your design needs to have significant performance
>>advantages.  And "it can't be broken" is not an advantage; it's a
>>prerequisite.
>
>Note, however, that "performance advantages" include far more than the
>simple speed of an AES-style cipher box:  Large blocks can be an
>advantage.  Dynamically selectable block size can be an advantage.
>Dynamically variable block size to the byte can be an advantage.
>Block independence can be an advantage.  Self-authentication can be an
>advantage.  There are many advantages which are restricted to
>particular uses, yet are real advantages in their proper context.

Of course.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 09:34:59 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2610980935000001@dialup165.itexas.net>
References: <3633f6f6.3235025@news.visi.com>
Newsgroups: sci.crypt
Lines: 28

In article <3633f6f6.3235025@news.visi.com>, schneier@counterpane.com
(Bruce Schneier) wrote:
>
> I don't mean established notations for the design of logic systems.
> This is mathematics after all.  I mean standard mathematical notation.
>
>..... Statistical tests are not very
> meaningful.  If you saw a cipher design that was accompanied by
> nothing other than statistical tests of randomness, wouldn't your
> snake-oil detector go off?
>
Statistics can measure more things than randomness.  Good logic should be inclusive rather than exclusive.  Calling something snake-oil might mean that you merely chose not to explore the idea in full, but chose to look for an excuse to dismiss it, granted that it could be easily applied when an author will not settle down and converse legitimately about a particular algorithm; both have nothing to do with whether something is good or bad.

Randomness would be hard to determine since it includes even things that don't look random.  This is where I start questioning some of the tests that are touted.
--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 18:09:47 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3634ba1b.7797506@news.prosurfr.com>
References: <jgfunj-2610980935000001@dialup165.itexas.net>
Newsgroups: sci.crypt
Lines: 28

jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote, in part:

>In article <3633f6f6.3235025@news.visi.com>, schneier@counterpane.com
>(Bruce Schneier) wrote:

>>..... Statistical tests are not very
>> meaningful.  If you saw a cipher design that was accompanied by
>> nothing other than statistical tests of randomness, wouldn't your
>> snake-oil detector go off?

>Randomness would be hard to determine since it includes even things that
>don't look random.  This is where I start questioning some of the tests
>that are touted.

And the other way around, things can look nice and random, and even appear very random to conventional statistical tests, and yet be vulnerable to the right attack.  For example, I could use the digits of pi as if they were a "one-time pad", and the result would be beautifully random, but crackable immediately if someone decided to compare it to pi.

That's all Bruce was saying; statistics aren't enough - although specialized statistical tests, directly related to the possible forms of cryptanalysis that a cipher may face, can, of course, be very applicable.

John Savard
http://members.xoom.com/quadibloc/index.html
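Savard's digits-of-pi point, as an added example that is not part of the thread: the "pad" below is a keyless public stream (SHA-256 over a counter, my constructed stand-in for the digits of pi) which passes the NIST SP 800-22 frequency and runs tests, yet provides no secrecy because anyone can regenerate it. The test implementations, the pad construction and the sample message are all my own assumptions, not anything from the posts.

```python
"""Statistical randomness is not secrecy: a keystream with zero key entropy
can look perfectly random to distribution tests and still be stripped by
anyone who knows where it came from (constructed example, not from the thread)."""
import hashlib
import math
from itertools import count


def public_pad(n: int) -> bytes:
    """Keystream anyone can regenerate: SHA-256 over a counter, no secret at all.
    This stands in for 'the digits of pi' used as a one-time pad."""
    out = bytearray()
    for i in count():
        if len(out) >= n:
            break
        out += hashlib.sha256(b"public-pad:" + str(i).encode()).digest()
    return bytes(out[:n])


def _bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test.  p >= 0.01 reads as 'random'."""
    bits = _bits(data)
    s = sum(1 if c == "1" else -1 for c in bits)
    s_obs = abs(s) / math.sqrt(len(bits))
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(data: bytes) -> float:
    """NIST SP 800-22 runs test: does the stream oscillate between 0 and 1
    about as often as a random one would?  p >= 0.01 reads as 'random'."""
    bits = _bits(data)
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # frequency prerequisite fails; the runs test is not applicable
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def xor_stream(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_with_public_pad(plaintext: bytes) -> bytes:
    """'Encrypt' by XOR with the public pad.  Ciphertext passes the tests above."""
    return xor_stream(plaintext, public_pad(len(plaintext)))


def recover_without_key(ciphertext: bytes) -> bytes:
    """What 'compare it to pi' means in practice: regenerate the pad and strip it.
    No key is involved, so the statistical tests measured nothing about secrecy."""
    return xor_stream(ciphertext, public_pad(len(ciphertext)))


def demo() -> dict:
    msg = b"Constructed sample plaintext: the meeting is at noon."  # constructed
    ct = encrypt_with_public_pad(msg)
    return {
        "monobit_p": monobit_p_value(public_pad(4096)),   # passes (well above 0.01)
        "runs_p": runs_p_value(public_pad(4096)),         # passes (well above 0.01)
        "ciphertext_monobit_p": monobit_p_value(ct),
        "recovered": recover_without_key(ct),             # == msg, with no key
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    # The alternating byte pattern shows why one test is not enough either:
    # it has a perfect bit balance (monobit p = 1.0) but fails the runs test.
    print("alternating monobit p:", monobit_p_value(b"\x55" * 64))
    print("alternating runs p:   ", runs_p_value(b"\x55" * 64))
```

The alternating pattern at the end illustrates the same lesson from the other direction: a stream can pass one distribution test outright while failing the next, which is why neither passing nor failing such tests says anything about an adversary who knows the generator.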
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:46:15 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a751.2469260@news.io.com>
References: <3633f6f6.3235025@news.visi.com>
Newsgroups: sci.crypt
Lines: 143

On Mon, 26 Oct 1998 04:20:14 GMT, in <3633f6f6.3235025@news.visi.com>,
in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>On Tue, 20 Oct 1998 00:40:21 GMT, ritter@io.com (Terry Ritter) wrote:
>>In my view, the reason for inventing a new cipher -- like any new
>>design -- is to deliver new advantages.  If so, it advances the art,
>>quite independent of whether the professional chorus agrees.
>
>Security is orthogonal to functionality.  A cipher cannot deliver any
>new advantages until it is considered strong.  That's what makes this
>discipline complicated.

Apparently I have been unable to communicate the issue: We *never* know that a cipher is strong.  Ever.

Now, we might "consider" a cipher strong when all *our* guys have looked at it and found no break.  But, quite frankly, the *other* guys have more training, more experience, more resources, more time, and they may even be smarter than our guys.  So what does it mean when our guys have anointed a cipher?

For the user, it means that even ciphers with a good reputation are *not* guaranteed secure -- and this is the *same* situation they have with unknown ciphers.

I will agree that new cipher designs often have silly errors, and we don't need to be using those ciphers.  But if we must greatly reduce the number of ciphers users might have because we don't have the resources to analyze them all, I think we are missing a bet.  I claim it is more important to have many different ciphers than to have a few which are "considered strong."  Why?  Because we *can't* know how strong our ciphers *really* are to the other guy.  But we *can* -- guaranteed -- make The Opponent pay dearly to keep up.

>[...]

>>This game of "I'm better than you" is a sickness that infects the
>>entire field of cryptography.  It makes every discussion a contest,
>>every relationship a competition, and a mockery of facts and clear,
>>correct reasoning.  It works against development in the field, and has
>>got to go.  Those professionals who are actively cultivating ego cults
>>for their own self-gratification are part of the problem.
>
>No.  The adversarial game of making and breaking is what makes
>cryptography cryptography.  I design; you break.  You design; I break.
>This is what cryptography is.

I am not referring to legitimate thrust and parry of design and analysis, I am referring to exactly the sort of behavior in your (now deleted) anecdote.  I claim:

 * The legitimate response to a design is a break.
 * The legitimate response to a fixed design is a break.
 * The legitimate response to a fixed fixed design is a break.

A humiliating response is never appropriate.  And while I am sure we all fail at this goal, we don't all laugh about it, nor do we provide it as an example for others to follow.

Life is tough for cipher analyzers.  It must be frustrating when newbies simply do not (no doubt interpreted as "will not") get the point.  But *I* am no newbie, and *I* often miss *my* own errors, so I have some sympathy for these guys.  I am sure that very few designers quit designing until they are satisfied; almost nobody brings you weak ciphers on purpose.

A big reason that newbies are such a problem is that *we* have failed to communicate cryptography to them.  If we had a literature of newbie ciphers and their breaks, we could avoid much of this.  But we don't have such a literature specifically because those who complain most about the newbie problem have not allowed that literature to develop.  Well, they can't have it both ways.

>[...]

>>>1.  Describe your cipher using standard notation.  This doesn't mean C
>>>code.  There is established terminology in the literature.  Learn it
>>>and use it; no one will learn your specialized terminology.
>>
>>Yes.  There are established notations for the design of logic systems,
>>and they include both "schematics" and "flow charts" as well as C.
>>But more than anything else, the "standard notation" includes a clear,
>>logical presentation in some language (but if that is not English, *I*
>>will have a problem!).  It is also important to give some
>>justification for the various design decisions which are usually
>>necessary.
>
>I don't mean established notations for the design of logic systems.
>This is mathematics after all.  I mean standard mathematical notation.

No, cryptography is *not* mathematics.  I suppose that all cryptography can be *described* by mathematics, but that is a far different situation.  It is different in the same way that trees can be described by mathematics, but such a description will not contain the essence of "tree-ness," or at least not clearly.

Math descriptions *are* appropriate for essentially mathematical ciphers like number-theoretic designs.  But math descriptions are *less* appropriate for logic systems.  There is a *reason* most logic designers communicate by schematic: That reason is clarity.  Most symmetric ciphers are before all else logic systems, not theorems.

I also note that a math description is hardly a panacea, since 50 years of mathematical cryptography have yet to give us strength.  It would be different if we could just take the math description, crank the numbers, and get the answer we want.  But we can't.  It may be time for a change.

>>>3.  Show why your cipher is immune against each of the major attacks
>>>known in literature.  It is not good enough just to say that it is
>>>secure, you have to show why it is secure against these attacks.  This
>>>requires, of course, that you not only have read the literature, but
>>>also understand it.  Expect this process to take months, and result in
>>>a large heavily mathematical document.  And remember, statistical
>>>tests are not very meaningful.
>>
>>That last sentence sounds a lot like statistics-envy.  Surely it
>>should read that "statistical tests should not be used to support
>>inappropriate conclusions."  But we could say the same thing about
>>mathematics itself.
>
>No.  I stand by my sentence.  Statistical tests are not very
>meaningful.  If you saw a cipher design that was accompanied by
>nothing other than statistical tests of randomness, wouldn't your
>snake-oil detector go off?

Not all statistics is frequency testing.  Presumably, one goal in cryptography *ought* to be the coordinated construction of both ciphering structures and statistical tests of those structures which could argue for overall strength.  This is a laudable goal, and could be meaningful as hell.  But we aren't going to see very much of it if we first discourage everyone from taking that path.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 17:37:47 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3635fffc.3625753@news.prosurfr.com>
References: <3634a751.2469260@news.io.com>
Newsgroups: sci.crypt
Lines: 63

ritter@io.com (Terry Ritter) wrote, in part:

>I will agree that new cipher designs often have silly errors, and we
>don't need to be using those ciphers.  But if we must greatly reduce
>the number of ciphers users might have because we don't have the
>resources to analyze them all, I think we are missing a bet.  I claim
>it is more important to have many different ciphers than to have a few
>which are "considered strong."  Why?  Because we *can't* know how
>strong our ciphers *really* are to the other guy.  But we *can* --
>guaranteed -- make The Opponent pay dearly to keep up.

This is something I basically agree with.  Supposing one, or a small handful of ciphers, are so popular that nobody uses anything else: DES, IDEA, Blowfish.

Down the road, despite all the work that has gone into studying them, a weakness that had been overlooked is discovered.

But the recommendations you appear to be making to avoid this danger all seem to have a worse danger: removing the barriers to less credible cipher designers will result in an awful lot of cipher designs with 'silly errors' floating around, with fewer signposts to indicate how to avoid them.

An argument that the barriers are currently too high - that the cryptographic community, as far as symmetric-key systems is concerned, is focused too much on conventional block ciphers to the exclusion of all else - is something I would be glad to agree with.  A radical call to dispense with all barriers, though, doesn't make sense.  It makes it look like you think David A. Scott, and others like him, are right; and creating that impression is not going to help your own struggle for a fair hearing.

My own viewpoint is that even if only a limited number of ciphers are analyzed, if these ciphers are representative of a number of basic types, it should be possible to establish groundwork on which essentially trivial variations of these ciphers could be made safely.  So that The Opponent doesn't get to attack DES, but DES-alike number 1,394,442.

Symmetric ciphers that don't lengthen the input text don't have much opportunity to leak data and make things worse in a multiple-cipher chain, therefore:

I'd tend to advocate the following as a standard high-security practice: use three ciphers, each from a different tier, on one's secret message.  One that is of a type that is very thoroughly analyzed, another one that is different but has received some analysis, and something from out in left field - but yet showing some evidence of care in its design, so that it will not be a waste of time.

Even if the less-analyzed cipher does turn out to be weak, one has the example of DESX - certainly XOR by a 64-bit constant is weak - to show that the weak cipher, acting as whitening for the strong one, could still contribute security fully proportionate to (the lesser of) its key size (and that of the stronger cipher).

Making the Opponent work harder is not the same thing as providing the Opponent with an opportunity to get lucky.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 04:32:35 GMT
From: cbbrowne@news.hex.net (Christopher Browne)
Message-ID: <7166p3$s7p$4@blue.hex.net>
References: <3635fffc.3625753@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 164

On Tue, 27 Oct 1998 17:37:47 GMT, John Savard
<jsavard@tenMAPSONeerf.edmonton.ab.ca> wrote:
>ritter@io.com (Terry Ritter) wrote, in part:
>
>>I will agree that new cipher designs often have silly errors, and we
>>don't need to be using those ciphers.  But if we must greatly reduce
>>the number of ciphers users might have because we don't have the
>>resources to analyze them all, I think we are missing a bet.  I claim
>>it is more important to have many different ciphers than to have a few
>>which are "considered strong."  Why?  Because we *can't* know how
>>strong our ciphers *really* are to the other guy.  But we *can* --
>>guaranteed -- make The Opponent pay dearly to keep up.
>
>This is something I basically agree with.  Supposing one, or a small
>handful of ciphers, are so popular that nobody uses anything else:
>DES, IDEA, Blowfish.
>
>Down the road, despite all the work that has gone into studying them,
>a weakness that had been overlooked is discovered.

And these are quite valid reasons to encourage as much participation *as possible.*

Note that *as possible* does not necessarily imply that *everyone* that wishes that they could "play the game" gets into the game.

>But the recommendations you appear to be making to avoid this danger
>all seem to have a worse danger: removing the barriers to less
>credible cipher designers will result in an awful lot of cipher
>designs with 'silly errors' floating around, with fewer signposts to
>indicate how to avoid them.

And this is to some extent self-correcting.

In order to be able to *communicate* whether designs are competently done, it is necessary to have credible *communications* of designs.  That requires having some reasonably expressive common language.  As far as I can tell, the only reasonably universal such language is that of mathematical notation.

The situation is self-correcting in that those that do not have enough grasp of common notations such that they can communicate their ideas will not be heard.

The same is true in various areas of science; there may be some neat ideas being found out in obscure places relating to many disciplines.  And if those ideas cannot be communicated using the common languages and notations in use, they will not "make it" whether they have merit or not.

The point is that whatever notations get used to describe cryptographic algorithms and systems, they *will* represent isomorphisms to *some* form of mathematical notation.

And if someone is so "independent" of any "established" community that they have notation that is, or nearly is, incomprehensible to the rest of the community, there are several possible causes/effects:

a) Perhaps there is a previously-used notation that nicely represents the algorithm or protocol.  "That's a minor variant of Schneier's Feistel cipher.../"  In which case it is preferable for the newcomer to learn the existing notation, so as to be able to fit whatever is new about the cipher into the existing taxonomy.

b) Perhaps the idea really is new and crucial to the community, and should add to the taxonomy.  Which is difficult to determine without having a previous attempt to find isomorphisms that would allow the cipher features to be mapped onto existing notations.

c) The ideas might *not* be crucial or new, and it is thus *not* important for the community at large to understand the new notation.  There *are* crackpots out there, and lots of them, in virtually any area of scientific endeavor.

In scientific study, it seems to be considered appropriate for people initiating research to try to figure out the common features that new work has with old work.  In the context of crypto research, this implies that a good deal of responsibility for figuring out "where their work fits in" falls to those that come up with new algorithms.

It is all well and good to suggest that those already knowledgeable can help determine taxonomy; Bruce Schneier has done a pretty good job of assisting with this via having written a relatively approachable book that explains many existing ciphers.

>An argument that the barriers are currently too high - that the
>cryptographic community, as far as symmetric-key systems is concerned,
>is focused too much on conventional block ciphers to the exclusion of
>all else - is something I would be glad to agree with.

And they may be focusing that way as:
- Network protocols work with "blocks" of data
- File systems work with "blocks" of data
which all implies that blocks are of fundamental importance.

Further, even a single byte represents a block of 8 bits.  And CPUs are getting increasingly large registers, such that it makes little sense to work with quantities of data much smaller than 64 bits at a time.

In effect, there are many reasons to think blocks are important.

>A radical call
>to dispense with all barriers, though, doesn't make sense.  It makes it
>look like you think David A. Scott, and others like him, are right;
>and creating that impression is not going to help your own struggle
>for a fair hearing.

Unfortunately, an algorithm presentation that can't be read due to the use of unconventional notation will be given less attention than one that uses more conventional notation.

And in an area of study where being off by a single bit is expected to make a message into a seemingly random jumble, spelling really does count.

>My own viewpoint is that even if only a limited number of ciphers are
>analyzed, if these ciphers are representative of a number of basic
>types, it should be possible to establish groundwork on which
>essentially trivial variations of these ciphers could be made safely.
>So that The Opponent doesn't get to attack DES, but DES-alike number
>1,394,442.

Evidence in the area of construction of random number generators suggests some contrary evidence; the composition of artificial randomness does not necessarily make things look more random.

Not so incidentally, that suggests further the importance of mathematical analysis and the validity of the use of mathematical notation as the "lingua franca" for cryptography.

>I'd tend to advocate the following as a standard high-security
>practice: use three ciphers, each from a different tier, on one's
>secret message.  One that is of a type that is very thoroughly
>analyzed, another one that is different but has received some
>analysis, and something from out in left field - but yet showing some
>evidence of care in its design, so that it will not be a waste of
>time.

This isn't an outrageous idea; I would suggest also that it is important to make sure that each "tier" is suitably associated with protocols and (perhaps) appropriate "salting" so that security is not lost via the interfacing of the "tiers."

That is, the tiers should be kept as independent as possible so that the evidence found by breaking one level is minimally helpful for attacking other levels.

Otherwise, you may wind up effectively depending on the weakest of the three ciphers...
--
"There are two types of hackers working on Linux: those who can spell, and those who can't.  There is a constant, pitched battle between the two camps."
--Russ Nelson (Linux Kernel Summary, Ver. 1.1.75 -> 1.1.76)
cbbrowne@ntlug.org- <http://www.hex.net/~cbbrowne/lsf.html>
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 05:21:13 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3636a99a.11757150@news.io.com>
References: <3635fffc.3625753@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 156

On Tue, 27 Oct 1998 17:37:47 GMT, in <3635fffc.3625753@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>[...]
>But the recommendations you appear to be making to avoid this danger
>all seem to have a worse danger: removing the barriers to less
>credible cipher designers will result in an awful lot of cipher
>designs with 'silly errors' floating around, with fewer signposts to
>indicate how to avoid them.

I see nothing wrong with ordinary people making their own decisions on cryptography -- or anything else -- based on whatever information they wish to use. If the academics find weakness in particular designs, they can announce that. After some real-world interpretation of those results, people may take steps to move to another cipher. But this implies that users *have* another cipher, and that it is fairly easy to make a change. Neither of these is likely to be true currently, and I would like to see that change.

>An argument that the barriers are currently too high - that the
>cryptographic community, as far as symmetric-key systems is concerned,
>is focused too much on conventional block ciphers to the exclusion of
>all else - is something I would be glad to agree with.

I do think "the barriers are too high" in the sense that the archival literature tends to avoid what we really want to know. The current ideal article is a cipher with lots of mathematical manipulation -- yet no overall proof of strength -- which rarely if ever supports a reasonable attack. But I think we generally learn more from attacks than we do from new ciphers.
We would thus be better served to have more designs -- including weaker ciphers -- in the archival literature, which would support attacks and so deliver insight not otherwise apparent. Allowing "weaker" designs into the archival literature would also give us a reasonable way first to handle the unique designs that academics now actively avoid, and second to serve as a roadmap to knowledge for most newbies.

I think a desire to keep the academic literature "pristine" is misguided with respect to cipher designs. Cipher designs cannot be considered "science" in the usual sense anyway, because no new facts are developed and no conclusions proven. This is a design literature, and what we want to know for the future are the failures of the past, in great detail.

>A radical call
>to dispense with all barriers, though, doesn't make sense.

Information security necessarily requires personal commitment. Making individuals (or corporate departments) responsible for using their best judgment on cipher selection seems a very worthwhile tool to get people to pay attention. The cipher itself is almost never the real problem, and paying attention to security can help a lot.

>It makes it
>look like you think David A. Scott, and others like him, are right;
>and creating that impression is not going to help your own struggle
>for a fair hearing.

(I would normally ignore this, but it is a repeat.)

If someone is going to judge me by which "side" I seem to be taking, I have little hope that *anything* I *could* present would be received "fairly." The issue is the argument, not who presents it, nor who their acquaintances might be, nor what "side" they are on.

[With respect to "sides," I note that reality is not subject to a popular vote. And I don't think I *have* a "struggle for a fair hearing" -- none of this is about me.]

Many newbies act as they do because they think they are ignored. This is not their delusion, they really *are* ignored.
Now, academics may feel that this separates the great unwashed from those of worth, but I think a professor with that point of view should be fired. There really needs to be a better way to help newbies understand where their designs fit in the overall scheme of things. In my view, a "putdown" shows more about the "put-er" than the "put-ee." Experts who cannot explain something simply probably don't really know the subject.

>My own viewpoint is that even if only a limited number of ciphers are
>analyzed, if these ciphers are representative of a number of basic
>types, it should be possible to establish groundwork on which
>essentially trivial variations of these ciphers could be made safely.
>So that The Opponent doesn't get to attack DES, but DES-alike number
>1,394,442.

It would be nice if different cipher versions required significantly different attacks. But since we don't know "the" weakness of a cipher in the first place, it would seem difficult to know which weakness each variation has. I guess DES-like ciphers might have different tables, and we could index those tables and select among them for each "different" cipher, which might be good enough.

>Symmetric ciphers that don't lengthen the input text don't have much
>opportunity to leak data and make things worse in a multiple-cipher
>chain, therefore:

That is a very good point.

>I'd tend to advocate the following as a standard high-security
>practice: use three ciphers, each from a different tier, on one's
>secret message. One that is of a type that is very thoroughly
>analyzed, another one that is different but has received some
>analysis, and something from out in left field - but yet showing some
>evidence of care in its design, so that it will not be a waste of
>time.

And that is another good point, which I intend to adopt. In the past I have not seriously considered multiple ciphering for a production environment, but it may be time to change that.
Because the mathematicians among us have not delivered provable strength in practical ciphers, it may be time to argue that multi-ciphering *should* be considered the *expected* operation. We don't need to depend on a single cipher. Multi-ciphering does seem to require three levels to gain the full strength benefit, and having three different ciphers should be pretty nice. Slow, but nice.

>Even if the less-analyzed cipher does turn out to be weak, one has the
>example of DESX - certainly XOR by a 64-bit constant is weak - to show
>that the weak cipher, acting as whitening for the strong one, could
>still contribute security fully proportionate to (the lesser of) its
>key size (and that of the stronger cipher).
>
>Making the Opponent work harder is not the same thing as providing the
>Opponent with an opportunity to get lucky.

There are several types of "working harder" here. One is the actual deciphering of messages, which I assume you mean. Another type of "working harder" is the identification, acquisition, and analysis of each cipher variant. And since "many ciphers" means distributing information of value among them, breaking any one means getting only a subset of the information. So with "many ciphers," "attacking" costs more and produces less, an approach which naturally favors the user over the attacker.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 12:47:39 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2810981247390001@dialup136.itexas.net>
References: <3636a99a.11757150@news.io.com>
Newsgroups: sci.crypt
Lines: 21

In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> >Symmetric ciphers that don't lengthen the input text don't have much
> >opportunity to leak data and make things worse in a multiple-cipher
> >chain, therefore:
>
> That is a very good point.
>

It's a good point to consider since it is not accurate. It all depends on what is happening in the algorithms themselves.

You could run the risk of producing some interference pattern in the combination of algorithms that could produce a poor result, less than what you want; there are many good examples.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 19:13:12 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <36376cba.5685292@news.io.com>
References: <jgfunj-2810981247390001@dialup136.itexas.net>
Newsgroups: sci.crypt
Lines: 30

On Wed, 28 Oct 1998 12:47:39 -0600, in <jgfunj-2810981247390001@dialup136.itexas.net>, in sci.crypt jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
>> >Symmetric ciphers that don't lengthen the input text don't have much
>> >opportunity to leak data and make things worse in a multiple-cipher
>> >chain, therefore:
>>
>> That is a very good point.
>>
>It's a good point to consider since it is not accurate. It all depends on
>what is happening in the algorithms themselves.
>
>You could run the risk of producing some interference pattern in the
>combination of algorithms that could produce a poor result, less than what
>you want; there are many good examples.

While *possible*, in the context of structurally-different ciphers it is *extremely* unlikely. Indeed, exactly the type of thing we might be most suspicious of -- encipher, decipher, encipher, using the exact same cipher -- is widely accepted as Triple DES.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 00:07:54 GMT
From: dscott@networkusa.net
Message-ID: <718bkq$t1i$1@nnrp1.dejanews.com>
References: <36376cba.5685292@news.io.com>
Newsgroups: sci.crypt
Lines: 49

In article <36376cba.5685292@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Wed, 28 Oct 1998 12:47:39 -0600, in
> <jgfunj-2810981247390001@dialup136.itexas.net>, in sci.crypt
> jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:
>
> >In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote:
> >
> >> >Symmetric ciphers that don't lengthen the input text don't have much
> >> >opportunity to leak data and make things worse in a multiple-cipher
> >> >chain, therefore:
> >>
> >> That is a very good point.
> >>
> >It's a good point to consider since it is not accurate. It all depends on
> >what is happening in the algorithms themselves.
> >
> >You could run the risk of producing some interference pattern in the
> >combination of algorithms that could produce a poor result, less than what
> >you want; there are many good examples.
>
> While *possible*, in the context of structurally-different ciphers it
> is *extremely* unlikely. Indeed, exactly the type of thing we might
> be most suspicious of -- encipher, decipher, encipher, using the exact
> same cipher -- is widely accepted as Triple DES.
>

I don't see why this is not obvious to the so-called experts. I think they speak highly of Triple DES so as to stay on good terms with their handlers. It is obvious that mixing three different types of ciphers would be better than Triple DES; my feelings are that the NSA can most likely break it easily. What do you think, Ritter?
> ---
> Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
> Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 18:40:17 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3638b653.7408218@news.io.com>
References: <718bkq$t1i$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 42

On Thu, 29 Oct 1998 00:07:54 GMT, in <718bkq$t1i$1@nnrp1.dejanews.com>, in sci.crypt dscott@networkusa.net wrote:

>[...]
> I don't see why this is not obvious to the so-called experts.
>I think they speak highly of Triple DES so as to stay on good terms
>with their handlers. It is obvious that mixing three different types
>of ciphers would be better than Triple DES; my feelings are that
>the NSA can most likely break it easily.
> What do you think, Ritter?

I was briefly involved in ANSI X9F3 banking security standards discussions some years ago, and as I recall there was pressure from NSA to use only registered ciphers, to avoid Triple DES, and to prevent multi-ciphering. But maybe that was just disinformation to make us think Triple DES was strong.

We don't know what NSA can do, and I am not sure it is useful to speculate. Can they break our strongest ciphers? Well, we really do desperately need some way to measure or prove cipher strength. Lacking that, I think large blocks, many ciphers, and multi-ciphering make a lot of sense, especially if the goal is to achieve cryptographic levels of assured strength.

But in practice, most of the time, ciphers only need oppose direct technical attacks which are cheaper than bribery, and that will be a pretty weak attack. In that sense, weak ciphers may be less of a problem than having a single fixed cipher that might be cryptanalyzed once and used to expose everybody.

Since we can't know what NSA can do, I think it can be a waste of time to worry about it. (Of course, if NSA is doing things a democracy should not do, that's something else.) I think the danger is less in what NSA can do, and more in what we refuse to do to help ourselves.
---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 14:10:50 -0500
From: Tim Bass <bass@silkroad.com>
Message-ID: <3638BDBA.7D31E61@silkroad.com>
References: <3638b653.7408218@news.io.com>
Newsgroups: sci.crypt
Lines: 45

> We don't know what NSA can do, and I am not sure it is useful to
> speculate. Can they break our strongest ciphers? Well, we really do
> desperately need some way to measure or prove cipher strength.
...
> Since we can't know what NSA can do, I think it can be a waste of time
> to worry about it.

On a lighter but related note. If all the brainpower used on this and similar threads (both reading and writing and deleting) were converted to useful crypto' teamwork, analysis, model development, etc. NSA or any organization would have little in the way of 'greater abilities and technological advancement'.

From an intellectual perspective, I've read nothing which is remotely enlightening from this entire thread. The posts with personal attacks on others and the harsh opinions without facts are not the words of gentlemen, IMHO. It speaks very poorly for sci.crypt that those of diverse backgrounds and opinions cannot discuss relative trivia without resorting to 'angry hate mail'.

There is no cryptographic algorithm, cipher, or mathematical implementation which is more important than conducting oneself as gentlemen in the face of controversy. My hat's off to the many on sci.crypt who enjoy the pleasure of conducting yourselves as gentlemen as you are being attacked by the angry and frustrated minority.

That's all I have to say on this thread. It would be very pleasurable if we could find a way to harness anger, frustration, and all the negative energy and create useful, meaningful work in sci.crypt. Just think of what we could accomplish as collaborators vis-a-vis antagonists!

My apologies for the raw idealism....
-Tim

--
Tim Bass
Principal Consultant, Systems Engineering
Bass & Associates
Tel: (703) 222-4243
Fax: (703) 222-7320
EMail: bass@silkroad.com.antispam (remove antispam tag)
http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: 29 Oct 1998 19:59:12 GMT
From: aph@cygnus.remove.co.uk (Andrew Haley)
Message-ID: <71aheg$phd$2@korai.cygnus.co.uk>
References: <3638BDBA.7D31E61@silkroad.com>
Newsgroups: sci.crypt
Lines: 10

Tim Bass (bass@silkroad.com) wrote:

: There is no cryptographic algorithm, cipher, or mathematical
: implementation which is more important than conducting oneself
: as gentlemen in the face of controversy.

How do you expect a female cryptographer feels when told to conduct herself like a gentleman? That's crude sexism, not raw idealism. First take the mote from your own eye...

Andrew.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 05:23:01 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36394CD6.333B43BC@null.net>
References: <71aheg$phd$2@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 8

Andrew Haley wrote:
> How do you expect a female cryptographer feels when told to conduct
> herself like a gentleman?

He didn't address an individual, he addressed an entire anonymous group. "Gentlemen" was correct English in that context.

And yes, some of my best friends are women -- but I wouldn't want my sister to marry one!
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 12:36:42 GMT
From: dscott@networkusa.net
Message-ID: <71cbsq$ahc$1@nnrp1.dejanews.com>
References: <36394CD6.333B43BC@null.net>
Newsgroups: sci.crypt
Lines: 27

In article <36394CD6.333B43BC@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote:
> Andrew Haley wrote:
> > How do you expect a female cryptographer feels when told to conduct
> > herself like a gentleman?
>
> He didn't address an individual, he addressed an entire anonymous group.
> "Gentlemen" was correct English in that context.
> And yes, some of my best friends are women -- but I wouldn't want my
> sister to marry one!
>

That is a sexist statement if I ever saw one. I think maybe your sister might be better off with a woman. I know I prefer them over men. So it makes sense to me that they might like women better too. Of course if you prefer men like the best of the British crypto people that the Brits only use during war time when the rules are solve the problem or die, that is your business. Too bad the Brits don't have an open mind during peace time. Everybody likes a little piece now and then.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 17:07:25 -0500
From: Tim Bass <bass@nospam.silkroad.com>
Message-ID: <363A389D.4988F47B@nospam.silkroad.com>
References: <71d3kq$ivl$1@korai.cygnus.co.uk> <36394CD6.333B43BC@null.net>
Newsgroups: sci.crypt
Lines: 52

If an adult was looking at a sandbox full of children and many of the boys were hitting, kicking, spitting, and scratching all the other children while other boys and girls tried to enjoy playing; then an adult is perfectly correct to use the phrase:

"Please Little Boys, Be Nice, Stop Fighting and Play Together!"

Of course! there always seems to be an angry boy or two in the sandbox who turns their mischief to annoying the one who asked them to be nice :):)

Enlightened adults with sensibility who read sci.crypt and the personal attacks on many of the good folks during this and other threads, can see who in the sci.crypt sandbox wants to play together and who wants to throw mud at everyone else.

If "the mudslingers" want to continue to attack others in this sandbox, I suggest they attack them in private email and not in public. And yes, it would be good to behave as "gentlemen". (I have not read any negative comments, harsh speech, nor personal attacks by any of the fairer kinder, calmer, mature, sensible, and more enlightened sex in sci.crypt. Women are far too enlightened, IMHO).

Also, if those who have been picking on and attacking Mr. Schneier would kindly stop and conduct themselves as gentlemen, it would be much appreciated by many of us. It is really uncalled for and of very poor taste to attack out of malice with the intent to discredit and destroy others.

All restraint from harsh and offensive speech would make sci.crypt a much more positive experience for everyone, IMHO.
- Best Regards,

Tim

--
Tim Bass
Principal Consultant, Systems Engineering
Bass & Associates
Tel: (703) 222-4243
Fax: (703) 222-7320
EMail: bass@silkroad.com.antispam (remove antispam tag)
http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 17:11:35 -0500
From: Tim Bass <bass@nospam.silkroad.com>
Message-ID: <363A3997.93DE323@nospam.silkroad.com>
References: <363A389D.4988F47B@nospam.silkroad.com>
Newsgroups: sci.crypt
Lines: 13

> All restraint from harsh and offensive speech would make sci.crypt
> a much more positive experience for everyone, IMHO.

Obviously, the above sentence should read (my humble apologies):

Restraint from harsh and offensive speech would make sci.crypt a much more positive experience for everyone, IMHO.

Thank you for your cooperation in making sci.crypt a good experience for everyone!!

-Tim
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 03:34:30 GMT
From: dscott@networkusa.net
Message-ID: <71e0g6$m8p$1@nnrp1.dejanews.com>
References: <363A3997.93DE323@nospam.silkroad.com>
Newsgroups: sci.crypt
Lines: 31

In article <363A3997.93DE323@nospam.silkroad.com>, Tim Bass <bass@nospam.silkroad.com> wrote:
> > All restraint from harsh and offensive speech would make sci.crypt
> > a much more positive experience for everyone, IMHO.
>
> Obviously, the above sentence should read (my humble apologies):
>
> Restraint from harsh and offensive speech would make sci.crypt
> a much more positive experience for everyone, IMHO.
>
> Thank you for your cooperation in making sci.crypt a good
> experience for everyone!!
>
> -Tim
>

Are you for real? Or not? I suspect a troll; if I didn't know better I would think your last name BASS was a BS clever attempt since it does sound a little fishy to me. And Bruce is a Spammer and he laughingly admits it. So what is wrong with telling him the truth about himself. He is nothing but a pompous phony. At least Ritter has more integrity.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 06:59:50 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <363AB508.9E02F0A9@null.net>
References: <71d3kq$ivl$1@korai.cygnus.co.uk> <36394CD6.333B43BC@null.net>
Newsgroups: sci.crypt
Lines: 5

Andrew Haley wrote:
> Think about it.

I have thought about it, and trying to change the language to force one's political views on the world is sickening.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 01:08:16 GMT
From: dscott@networkusa.net
Message-ID: <71b3i1$p14$1@nnrp1.dejanews.com>
References: <3638b653.7408218@news.io.com>
Newsgroups: sci.crypt
Lines: 56

In article <3638b653.7408218@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Thu, 29 Oct 1998 00:07:54 GMT, in
> <718bkq$t1i$1@nnrp1.dejanews.com>, in sci.crypt dscott@networkusa.net
> wrote:
>
> >[...]
> > I don't see why this is not obvious to the so-called experts.
> >I think they speak highly of Triple DES so as to stay on good terms
> >with their handlers. It is obvious that mixing three different types
> >of ciphers would be better than Triple DES; my feelings are that
> >the NSA can most likely break it easily.
> > What do you think, Ritter?
>
> I was briefly involved in ANSI X9F3 banking security standards
> discussions some years ago, and as I recall there was pressure from
> NSA to use only registered ciphers, to avoid Triple DES, and to
> prevent multi-ciphering. But maybe that was just disinformation to
> make us think Triple DES was strong.
>
> We don't know what NSA can do, and I am not sure it is useful to
> speculate. Can they break our strongest ciphers? Well, we really do
> desperately need some way to measure or prove cipher strength.
> Lacking that, I think large blocks, many ciphers, and multi-ciphering
> make a lot of sense, especially if the goal is to achieve
> cryptographic levels of assured strength.
>
> But in practice, most of the time, ciphers only need oppose direct
> technical attacks which are cheaper than bribery, and that will be a
> pretty weak attack. In that sense, weak ciphers may be less of a
> problem than having a single fixed cipher that might be cryptanalyzed
> once and used to expose everybody.
>
> Since we can't know what NSA can do, I think it can be a waste of time
> to worry about it. (Of course, if NSA is doing things a democracy
> should not do, that's something else.)
> I think the danger is less in
> what NSA can do, and more in what we refuse to do to help ourselves.
>
> ---
> Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
> Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
>
>

I liked your answer. I just thought I would say so for those that like to read my posts in case they miss your response. I have to admit you write better than me. Which of course is an understatement.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 10:32:50 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <36388AA2.3E87@smarts.com>
References: <36376cba.5685292@news.io.com>
Newsgroups: sci.crypt
Lines: 36

| >You could run the risk of producing some interference pattern in the
| >combination of algorithms that could produce a poor result, less
| >than what you want; there are many good examples.
|
| While *possible*, in the context of structurally-different ciphers it
| is *extremely* unlikely.

Not only is it extremely unlikely - it would be a direct indication that *both* of the ciphers involved were weaker than expected. After all, if an attacker has an easier time of attacking E1(E2(X)) than E2(X), then against a target using E2 he can simply apply E1 himself! This works for any class of attack, all the way from ciphertext only to chosen plaintext. (Things are only slightly more subtle for an attack against E1.)

It *is* essential for this argument that the keys for the two encryptions be uncorrelated. Then again, you can see that's essential anyway. As a trivial example, if there were a ciphertext-only attack against E1, and the key used for E2 could be computed from the one used for E1, an attack will have no problem with E1(E2(X)).

| Indeed, exactly the type of thing we might
| be most suspicious of -- encipher, decipher, encipher, using the exact
| same cipher -- is widely accepted as Triple DES.

The same argument (with the same restriction) goes through here. Iterating a cipher is often the start of an attack - it's essential that there be no (well, almost no) short cycles under iteration. This has been tested for DES. Interestingly, it doesn't seem to be among the standard list of things that new ciphers get tested against. I'm unaware of any general results about, say, Feistel ciphers with certain kinds of F functions, that guarantee no short cycles.
Is this a potential (if unlikely) vulnerability that's being overlooked?

-- Jerry
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 16:31:12 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36389829.6513924@news.visi.com>
References: <36388AA2.3E87@smarts.com>
Newsgroups: sci.crypt
Lines: 22

On Thu, 29 Oct 1998 10:32:50 -0500, Jerry Leichter <leichter@smarts.com> wrote:

>| >You could run the risk of producing some interference pattern in the
>| >combination of algorithms that could produce a poor result, less
>| >than what you want; there are many good examples.
>|
>| While *possible*, in the context of structurally-different ciphers it
>| is *extremely* unlikely.
>
>Not only is it extremely unlikely - it would be a direct indication that
>*both* of the ciphers involved were weaker than expected.

Indeed. You cannot prove that a cascade of several ciphers is stronger than any individual cipher, but it seems reasonable that it is the case.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:43:28 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2910981543280001@dialup105.itexas.net>
References: <36389829.6513924@news.visi.com>
Newsgroups: sci.crypt
Lines: 26

In article <36389829.6513924@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> On Thu, 29 Oct 1998 10:32:50 -0500, Jerry Leichter
> <leichter@smarts.com> wrote:
>
> >| >You could run the risk of producing some interference pattern in the
> >| >combination of algorithms that could produce a poor result, less
> >| >than what you want; there are many good examples.
> >|
> >| While *possible*, in the context of structurally-different ciphers it
> >| is *extremely* unlikely.
> >
> >Not only is it extremely unlikely - it would be a direct indication that
> >*both* of the ciphers involved were weaker than expected.
>
> Indeed. You cannot prove that a cascade of several ciphers is
> stronger than any individual cipher, but it seems reasonable that it
> is the case.
>

Reason requires consideration of details.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 20:56:54 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3638d619.22372027@news.visi.com>
References: <36388AA2.3E87@smarts.com>
Newsgroups: sci.crypt
Lines: 26

On Thu, 29 Oct 1998 10:32:50 -0500, Jerry Leichter <leichter@smarts.com> wrote:

>The same argument (with the same restriction) goes through here.
>Iterating a cipher is often the start of an attack - it's essential that
>there be no (well, almost no) short cycles under iteration. This has
>been tested for DES. Interestingly, it doesn't seem to be among the
>standard list of things that new ciphers get tested against. I'm
>unaware of any general results about, say, Feistel ciphers with certain
>kinds of F functions, that guarantee no short cycles. Is this a
>potential (if unlikely) vulnerability that's being overlooked?

I think people are thinking about this, but with long key lengths like 128- and 256 bits, it's hard to make any definitive statements about short cycles. This would be an excellent criterion for someone to analyze the AES submissions against. I know of various efforts to look at the AES submissions with respect to different attacks, but I have never heard of anyone looking at the possibility of short cycles or group structure.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:41:00 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2910981541010001@dialup105.itexas.net>
References: <36388AA2.3E87@smarts.com>
Newsgroups: sci.crypt
Lines: 35

In article <36388AA2.3E87@smarts.com>, Jerry Leichter <leichter@smarts.com> wrote:
>
> The same argument (with the same restriction) goes through here.
> Iterating a cipher is often the start of an attack - it's essential that
> there be no (well, almost no) short cycles under iteration. This has
> been tested for DES. Interestingly, it doesn't seem to be among the
> standard list of things that new ciphers get tested against. I'm
> unaware of any general results about, say, Feistel ciphers with certain
> kinds of F functions, that guarantee no short cycles. Is this a
> potential (if unlikely) vulnerability that's being overlooked?
>

It seems to be all important. Not testing for this out of fear that a weakness would be found seems irresponsible. If you work from certain premises, in this case that some ciphers are immune to this problem, then you should want to test to some extent that those ideas actually do hold.

You can only mix a few things in so many ways in a fixed length block until your ciphertext is identical with one of your previous plaintexts. Using bigger and more complicated key structures merely lengthens the cycle. Strangely, it does not matter as to which one or several ciphers you use, the same phenomenon must occur as it is axiomatic; only the period will change, like different structured pseudorandom generators.

To counter the phenomenon, I cheat: I change the amount of information in the block; an iterated output can never be the same as a previous input.

Remember, insanity is doing the same thing over and over again and expecting a different result; cryptographically, this still holds.
-- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 21:51:53 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3638e349.18919442@news.io.com>
References: <36388AA2.3E87@smarts.com>
Newsgroups: sci.crypt
Lines: 32

On Thu, 29 Oct 1998 10:32:50 -0500, in <36388AA2.3E87@smarts.com>, in sci.crypt Jerry Leichter <leichter@smarts.com> wrote:

>[...]
>Iterating a cipher is often the start of an attack - it's essential that
>there be no (well, almost no) short cycles under iteration.

I'm not sure I understand this. Presumably "iterating a cipher" means taking some block, then ciphering it repeatedly until some block value shows up again, which of course locks us in a fixed cycle of states.

A conventional block cipher is a simulated huge Simple Substitution. So if we look to substitution tables we may see the same issue there. Certainly Scott has been talking about "single-cycle" tables for a long time, and I have equally long been questioning what such a construction would buy. Some attacks are even *defeated* by multi-cycle tables.

If these "short cycles" are just those which naturally appear in random permutations, surely a large block is a prescription to make it unlikely that we could ever find one, or encounter one by chance.

But if the whole purpose here is to make a stream cipher RNG, surely it would be better to feed the thing from a polynomial counter than to have it eat its own tail.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 02:05:08 GMT
From: dscott@networkusa.net
Message-ID: <71b6sk$t5b$1@nnrp1.dejanews.com>
References: <3638e349.18919442@news.io.com>
Newsgroups: sci.crypt
Lines: 63

In article <3638e349.18919442@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Thu, 29 Oct 1998 10:32:50 -0500, in <36388AA2.3E87@smarts.com>, in
> sci.crypt Jerry Leichter <leichter@smarts.com> wrote:
>
> >[...]
> >Iterating a cipher is often the start of an attack - it's essential that
> >there be no (well, almost no) short cycles under iteration.
>
> I'm not sure I understand this. Presumably "iterating a cipher" means
> taking some block, then ciphering it repeatedly until some block value
> shows up again, which of course locks us in fixed cycle of states.
>
> A conventional block cipher is a simulated huge Simple Substitution.
> So if we look to substitution tables we may see the same issue there.
> Certainly Scott has been talking about "single-cycle" tables for a
> long time, and I have equally long been questioning what such a
> construction would buy. Some attacks are even *defeated* by
> multi-cycle tables.
>

Yes, the Paul Onion attack for a chosen plaintext file, if allowed, shows that if the cycle length is known you can tailor an attack against a pure iterating cipher. If the cycle length is not known one could still use the attack with multiple-length chosen files shorter than the longer one needed for the longer cycle. So if one was to base it on that it might be best to have 2 or 3 cycles, which is kind of what SKIPJACK used in its S table. However there are various ways to defeat it; Maack of X8.zip tried several. I think the round keys was his best and he did not limit himself to a single cycle. I still feel a single cycle best from an information point of view and my method of breaking this kind of attack was to use the Paul routine and bit rotations on the passes.

If Bruce coughs up his money (follow thread on RE: BOOK RECOM) then when Joes get it, someone may win a thousand dollars. But most millionaires are penny pinchers so don't expect too much.

> If these "short cycles" are just those which naturally appear in
> random permutations, surely a large block is a prescription to make it
> unlikely that we could ever find one, or encounter one by chance.
>
> But if the whole purpose here is to make a stream cipher RNG, surely
> it would be better to feed the thing from a polynomial counter than to
> have it eat its own tail.

But you do like to eat tail don't you Terry?

>
> ---
> Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
> Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 09:59:32 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <3639D454.23D5@smarts.com>
References: <3638e349.18919442@news.io.com>
Newsgroups: sci.crypt
Lines: 51

| >[...]
| >Iterating a cipher is often the start of an attack - it's essential
| >that there be no (well, almost no) short cycles under iteration.
|
| I'm not sure I understand this. Presumably "iterating a cipher" means
| taking some block, then ciphering it repeatedly until some block value
| shows up again, which of course locks us in fixed cycle of states.

Assuming an invertible cipher, that cycle must contain the original plaintext. Suppose you knew that fairly short cycles were common. Then a chosen-plaintext attack against a given cipher block X is to feed it back to the encryptor, feed the result, etc. If you're in a short cycle, you'll eventually see X again. The value you saw just before seeing X is the original plaintext.

| A conventional block cipher is a simulated huge Simple Substitution.
| So if we look to substitution tables we may see the same issue there.
| Certainly Scott has been talking about "single-cycle" tables for a
| long time, and I have equally long been questioning what such a
| construction would buy. Some attacks are even *defeated* by
| multi-cycle tables.
|
| If these "short cycles" are just those which naturally appear in
| random permutations, surely a large block is a prescription to make it
| unlikely that we could ever find one, or encounter one by chance.

I can't recall the form of the results on this, but in a truly random subgroup of the permutation group, at least some cycles are certain to be very long. Note that the issue is not the *existence* of short cycles: In a random group, there will be some, but if there aren't many, they can't involve more than a tiny fraction of the elements in the group. (If there is even one cycle of length 1/2 the group, then your chance of picking a key that gives you a short cycle is at most 50%: Half the elements are "already spoken for" by the single long cycle.) What we need to know is that the short cycles - all of whose members correspond to "weak keys" of a sort - amount to only an insignificant fraction of the group. (If there is only one cycle, of course, we know this for certain. Then again, cyclic groups have other limitations for cryptographic purposes.)

Of course, we usually choose subsets of the permutation group that are not actually groups (hence not subgroups). However, the same requirement - not too many short cycles - continues to apply over the group generated by the subset.

| But if the whole purpose here is to make a stream cipher RNG, surely
| it would be better to feed the thing from a polynomial counter than to
| have it eat its own tail.

I don't understand the connection.

-- Jerry
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 18:23:27 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363a0414.6595253@news.io.com>
References: <3639D454.23D5@smarts.com>
Newsgroups: sci.crypt
Lines: 85

On Fri, 30 Oct 1998 09:59:32 -0500, in <3639D454.23D5@smarts.com>, in sci.crypt Jerry Leichter <leichter@smarts.com> wrote:

>| >[...]
>| >Iterating a cipher is often the start of an attack - it's essential
>| >that there be no (well, almost no) short cycles under iteration.
>|
>| I'm not sure I understand this. Presumably "iterating a cipher" means
>| taking some block, then ciphering it repeatedly until some block value
>| shows up again, which of course locks us in fixed cycle of states.
>
>Assuming an invertible cipher, that cycle must contain the original
>plaintext.

[ This is not a set-up for future attack: ] Is it shown that there can be no "lead in" to the short cycles?

>Suppose you knew that fairly short cycles were common. Then
>a chosen-plaintext attack against a given cipher block X is to feed it
>back to the encryptor, feed the result, etc. If you're in a short
>cycle, you'll eventually see X again. The value you saw just before
>seeing X is the original plaintext.

Ah, I see. Chosen-plaintext.

>| A conventional block cipher is a simulated huge Simple Substitution.
>| So if we look to substitution tables we may see the same issue there.
>| Certainly Scott has been talking about "single-cycle" tables for a
>| long time, and I have equally long been questioning what such a
>| construction would buy. Some attacks are even *defeated* by
>| multi-cycle tables.
>|
>| If these "short cycles" are just those which naturally appear in
>| random permutations, surely a large block is a prescription to make it
>| unlikely that we could ever find one, or encounter one by chance.
>
>I can't recall the form of the results on this, but in a truely random
>subgroup of the permutation group, at least some cycles are certain to
>be very long. Note that the issue is not the *existence* of short
>cycles: In a random group, there will be some, but if there aren't
>many, they can't involve more than a tiny fraction of the elements in
>the group. (If there is even one cycle of length 1/2 the group, then
>your chance of picking a key that gives you a short cycle is at most
>50%: Half the elements are "already spoken for" by the single long
>cycle.) What we need to know is that the short cycles - all of whose
>members correspond to "weak keys" of a sort - amount to only an
>insignificant fraction of the group. (If there is only one cycle, of
>course, we know this for certain. Then again, cyclic groups have other
>limitations for cryptographic purposes.)

OK, with the implication being that a random permutation of reasonable size should not have this difficulty.

On the other hand, it seems like we could traverse permutations of modest size and collect cycle-length probability statistics. Then we could measure maximum or minimum cycle lengths, or the distribution itself. Experimental success should improve our confidence that constructions do indeed behave like random permutations. This is probably orthogonal to Boolean function nonlinearity, and may be another reasonable test.

>Of course, we usually choose subsets of the permutation group that are
>not actually groups (hence not subgroups). However, the same
>requirement - not too many short cycles - continues to apply over the
>group generated by the subset.
>
>| But if the whole purpose here is to make a stream cipher RNG, surely
>| it would be better to feed the thing from a polynomial counter than to
>| have it eat its own tail.
>
>I don't understand the connection.

I was just casting about to find the intent of this. Short cycles are a problem in a stream cipher confusion RNG (even for ciphertext only), so maybe the point of not having short cycles was to support that usage. Now I see that was not your point.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 11:23:00 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <363DDC64.412@smarts.com>
References: <363a0414.6595253@news.io.com>
Newsgroups: sci.crypt
Lines: 24

| >Assuming an invertible cipher, that cycle must contain the original
| >plaintext.
|
| [ This is not a set-up for future attack: ] Is it shown that there
| can be no "lead in" to the short cycles?

That's easy to prove: Suppose there were such a lead in, so that (writing F for the particular encryption under the given key)

    A -F-> B -F-> C ...-F-> L -F-> X -F-> X' -F-> Xn+
                                   ^                |
                                   +--------F-------+

That is, there's a cycle (X, X', ..., Xn), and there's a lead-in starting A, leading to L, and then L "falls into the cycle" at X. But then what's F^-1 (F inverse) of X? According to the diagram, both L and Xn map to X under F. But F is supposed to be invertible - it's an encryption algorithm after all, and we'd like to be able to get our plaintext back uniquely! So this diagram is impossible - there cannot be a "lead-in". Rather, L must actually equal Xn (and, working backwards, A must equal one of the Xi's, i.e., must actually *be in* the cycle.)

-- Jerry
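The cycle argument in this sub-thread (Leichter's point that iterating an invertible cipher from a block walks a cycle that contains that block and has no "lead-in", and Ritter's suggestion above of traversing permutations of modest size to collect cycle-length statistics) can be checked on a small instance. The following is an added example, not code from any poster in the thread. It uses a constructed 16-bit Feistel toy cipher with a made-up key schedule and round function, chosen only because its whole permutation can be enumerated; the names toy_encrypt, cycle_lengths, points_off_cycles and the rest are this example's own.

```python
"""Cycle structure of an invertible cipher under iteration (constructed demo).
Enumerates the permutation a 16-bit toy Feistel cipher induces under one key,
measures its cycle lengths against a random-permutation baseline, and checks
that iteration returns to its start and that an invertible map has no tails.
"""
import math
import random

N = 1 << 16          # 16-bit block: every block can be enumerated
KEY = 0xC0FFEE11     # constructed 32-bit key, used only for this demo

def round_key(key, i):
    """Round key i is one byte of the 32-bit key (constructed schedule)."""
    return (key >> (8 * (i % 4))) & 0xFF

def f_function(r, k):
    """Constructed 8-bit round function: byte multiply-add XOR a rotation."""
    rot = ((r << 3) | (r >> 5)) & 0xFF
    return ((r * 0x9D + k) & 0xFF) ^ rot

def toy_encrypt(block, key=KEY, rounds=4):
    """4-round Feistel on a 16-bit block: invertible by construction, not secure."""
    l, r = block >> 8, block & 0xFF
    for i in range(rounds):
        l, r = r, l ^ f_function(r, round_key(key, i))
    return (l << 8) | r

def toy_decrypt(block, key=KEY, rounds=4):
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(rounds)):
        l, r = r ^ f_function(l, round_key(key, i)), l
    return (l << 8) | r

def permutation_table(key=KEY):
    """The cipher under one key, as a permutation of all 2^16 blocks."""
    return [toy_encrypt(b, key) for b in range(N)]

def cycle_lengths(perm):
    """Cycle lengths of a permutation given as a lookup table, largest first."""
    seen = bytearray(len(perm))
    lengths = []
    for start in range(len(perm)):
        if seen[start]:
            continue
        x, length = start, 0
        while not seen[x]:          # walk until the cycle closes on start
            seen[x] = 1
            x = perm[x]
            length += 1
        lengths.append(length)
    return sorted(lengths, reverse=True)

def short_cycle_fraction(lengths, bound):
    """Share of blocks on cycles of length <= bound (Leichter's 'fraction')."""
    return sum(c for c in lengths if c <= bound) / sum(lengths)

def expected_cycle_count(n):
    """Expected cycle count of a random permutation on n points: H_n ~ ln n + 0.577."""
    return math.log(n) + 0.5772156649 + 1.0 / (2 * n)

def iterate_until_return(step, x, limit):
    """Apply step from x until x reappears; return (steps, prev) where prev was
    seen just before x, or None after limit steps.  For an invertible cipher
    prev is the decryption of x, which is what Leichter's argument predicts."""
    prev, cur, steps = x, step(x), 1
    while cur != x:
        if steps >= limit:
            return None
        prev, cur = cur, step(cur)
        steps += 1
    return steps, prev

def points_off_cycles(table):
    """Count points whose orbit never returns ('lead-in' tails) by peeling
    away in-degree-0 points until only cycles remain; 0 for a permutation."""
    indeg = [0] * len(table)
    for y in table:
        indeg[y] += 1
    stack = [x for x in range(len(table)) if indeg[x] == 0]
    removed = 0
    while stack:
        x = stack.pop()
        removed += 1
        y = table[x]
        indeg[y] -= 1
        if indeg[y] == 0:
            stack.append(y)
    return removed

def report():
    perm = permutation_table()
    lengths = cycle_lengths(perm)
    baseline = list(range(N))
    random.Random(1).shuffle(baseline)          # random-permutation baseline
    base = cycle_lengths(baseline)
    print(f"toy cipher : {len(lengths)} cycles, longest {lengths[0]}, "
          f"blocks on cycles <= 1000: {short_cycle_fraction(lengths, 1000):.4f}")
    print(f"random perm: {len(base)} cycles, longest {base[0]}; "
          f"expected count {expected_cycle_count(N):.2f}")
    steps, prev = iterate_until_return(toy_encrypt, 0x1234, N)
    print(f"from 0x1234: back after {steps} steps, prev == decrypt: {prev == toy_decrypt(0x1234)}")
    squaring = [(v * v + 1) % N for v in range(N)]  # non-injective map for contrast
    print(f"lead-in points: cipher {points_off_cycles(perm)}, x^2+1 mod 2^16: {points_off_cycles(squaring)}")

if __name__ == "__main__":
    report()
```

Run as a script it prints the cycle count and longest cycle of the toy cipher beside those of a seeded random permutation and the harmonic-number expectation, which is the kind of comparison Ritter proposes; the fraction of blocks on cycles up to a chosen bound is the quantity Leichter says must be insignificant. The iteration from 0x1234 returns to 0x1234 with the decryption as its predecessor, and points_off_cycles is 0 for the cipher but positive for the non-injective map x^2+1, which is the no-lead-in proof made concrete. Note that this only works because a 16-bit permutation fits in memory; at 128-bit block sizes the table cannot be enumerated, which is why Schneier calls definitive statements about short cycles hard.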
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:19:03 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2910981519030001@dialup105.itexas.net>
References: <36376cba.5685292@news.io.com>
Newsgroups: sci.crypt
Lines: 22

In article <36376cba.5685292@news.io.com>, ritter@io.com (Terry Ritter) wrote:

> On Wed, 28 Oct 1998 12:47:39 -0600, in
> <jgfunj-2810981247390001@dialup136.itexas.net>, in sci.crypt
> jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:
>
> >
> >You could run the risk of producing some interference pattern in the
> >combination of algorithms that could produce a poor result, less than what
> >you want; there are many good examples.
>
> While *possible*, in the context of structurally-different ciphers it
> is *extremely* unlikely. Indeed, exactly the type of thing we might
> be most suspicious of -- encipher, decipher, encipher, using the exact
> same cipher -- is widely accepted as Triple DES.
>

And, we find that the effective keylength is somewhat less than 3 times DES.
--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 17:24:13 GMT
From: ssimpson@hertreg.ac.uk
Message-ID: <71a8bt$fm9$1@nnrp1.dejanews.com>
References: <3636a99a.11757150@news.io.com>
Newsgroups: sci.crypt
Lines: 66

In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Tue, 27 Oct 1998 17:37:47 GMT, in
> <3635fffc.3625753@news.prosurfr.com>, in sci.crypt
> jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:
>
> >[...]
> >But the recommendations you appear to be making to avoid this danger
> >all seem to have a worse danger: removing the barriers to less
> >credible cipher designers will result in an awful lot of cipher
> >designs with 'silly errors' floating around, with fewer signposts to
> >indicate how to avoid them.
>
> I see nothing wrong with ordinary people making their own decisions on
> cryptography -- or anything else -- based on whatever information they
> wish to use. If the academics find weakness in particular designs,
> they can announce that. After some real-world interpretation of those
> results, people may take steps to move to another cipher.
>
> But this implies that users *have* another cipher, and that it is
> fairly easy to make a change. Neither of these is likely to be true
> currently, and I would like to see that change.
>
> >An argument that the barriers are currently too high - that the
> >cryptographic community, as far as symmetric-key systems is concerned,
> >is focused too much on conventional block ciphers to the exclusion of
> >all else - is something I would be glad to agree with.
>
> I do think "the barriers are too high" in the sense that the archival
> literature tends to avoid what we really want to know. The current
> ideal article is a cipher with lots of mathematical manipulation --
> yet no overall proof of strength -- which rarely if ever supports a
> reasonable attack.

"Proving" the general security of a block cipher would also prove that P != NP - something that I don't expect will happen in the near future! If you can prove it then I'm sure a university or two would like to hear from you :-)

The best we can hope to do is use our complete arsenal of analysis tools to prove that a cipher is insecure. If it fails to succumb to these tools then it is not _proven_ to be secure, but it indicates that a degree of faith can be placed in the cipher.

What other methods would you use to test block ciphers? (e.g. other than all currently known and published techniques).

If a person presenting a new cipher (e.g. Scott) can't even apply all of the standard analysis tools then the cipher surely has to be considered "weaker" than a cipher which passes all of the tests (e.g. TwoFish - which is currently the object of Scott's hate). It may be stronger, but empirical evidence suggests not.

Regards,

Sam Simpson
Comms Analyst
--
See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk encryption for Windows 95/98. PGP Keys available at the same site.

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 04:19:54 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <36393e18.1633145@news.io.com>
References: <71a8bt$fm9$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 89

On Thu, 29 Oct 1998 17:24:13 GMT, in <71a8bt$fm9$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk wrote:

>In article <3636a99a.11757150@news.io.com>,
> ritter@io.com (Terry Ritter) wrote:

>>[...]
>> I do think "the barriers are too high" in the sense that the archival
>> literature tends to avoid what we really want to know. The current
>> ideal article is a cipher with lots of mathematical manipulation --
>> yet no overall proof of strength -- which rarely if ever supports a
>> reasonable attack.
>
>"Proving" the general security of a block cipher would also prove that P != NP
>- something that I don't expect will happen in the near future! If you can
>prove it then I'm sure a university or two would like to hear from you :-)

Most block ciphers are not number-theoretic, and I doubt that a proof of block cipher strength necessarily implies that P <> NP. Indeed, a block cipher of limited strength may be all we will ever need, if we could only prove that it has *enough* strength.

>The best we can hope to do is use our complete arsenal of analysis tools to
>prove that a cipher is insecure. If it fails to succumb to these tools then
>it is not _proven_ to be secure, but it indicates that a degree of faith can
>be placed in the cipher.

Concluding that a cipher which has not been shown weak is therefore strong is surely incorrect reasoning. So the cipher may be weak. And if the cipher *is* weak, we surely would be fools to have faith in it, no matter how much analysis was done previously.

The evidence we get from analysis simply does not support a conclusion that a worked-on cipher is more deserving of "faith" than a new cipher. I think we make this logical leap because the result is comforting, because it seems to reward the effort spent in analysis, and because we seem to have little choice. But that does not make the reasoning right, or the conclusion correct.

Indeed, for all we know, there may *be* no strong cipher. And that would mean that the partitioning of ciphers into "weak" and "strong" is an irrelevant illusion.

>What other methods would you use to test block ciphers? (e.g. other than all
>currently known and published techniques).

We should test everything we can, and then understand that everything we have not tested is in an unknown state. If we can't test it, we can't control it. And in ciphers, we cannot test strength.

>If a person presenting a new cipher (e.g. Scott) can't even apply all of the
>standard analysis tools then the cipher surely has to be considered "weaker"
>than a cipher which passes all of the tests (e.g. TwoFish - which is currently
>the object of Scotts hate).

That is the reasoning which is generally applied, but that reasoning is false. This is precisely the point I have been addressing: When we don't know, we *really* don't know. And we can't draw correct conclusions from not knowing.

The only thing we can prove with analysis is a limit on strength; that the real strength could not exceed the effort of a given break. But it does not say that there is not a weaker break, somewhere, if we only could see deeper, or understand more. Analysis cannot say that the analyzed cipher is stronger than an unanalyzed cipher.

In fact, the regrettable situation with regard to the academic literature implies that analysis results generally will not be published if no attack is found. This means that any cipher we call "analyzed" will have a break of some sort. Do we really trust a cipher which has a known break more than one which does not?

>It may be stronger, but empirical evidence suggests not.

There is no such "evidence." There is no support for a correct conclusion one way or the other. When we choose rumor and innuendo to support a conclusion, we have no reason to expect a correct result.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 09:51:46 GMT
From: ssimpson@hertreg.ac.uk
Message-ID: <71c27h$ue1$1@nnrp1.dejanews.com>
References: <36393e18.1633145@news.io.com>
Newsgroups: sci.crypt
Lines: 104

In article <36393e18.1633145@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Thu, 29 Oct 1998 17:24:13 GMT, in
> <71a8bt$fm9$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk
> wrote:
>
> >In article <3636a99a.11757150@news.io.com>,
> > ritter@io.com (Terry Ritter) wrote:
>
> >>[...]
> >> I do think "the barriers are too high" in the sense that the archival
> >> literature tends to avoid what we really want to know. The current
> >> ideal article is a cipher with lots of mathematical manipulation --
> >> yet no overall proof of strength -- which rarely if ever supports a
> >> reasonable attack.
> >
> >"Proving" the general security of a block cipher would also prove that P != NP
> >- something that I don't expect will happen in the near future! If you can
> >prove it then I'm sure a university or two would like to hear from you :-)
>
> Most block ciphers are not number-theoretic, and I doubt that a proof
> of block cipher strength necessarily implies that P <> NP. Indeed, a
> block cipher of limited strength may be all we will ever need, if we
> could only prove that it has *enough* strength.
>

I was quoting pg 52 (right column) of the paper "Twofish: A 128-bit Block Cipher" by Schneier, Kelsey, Whiting, Wagner, Hall & Ferguson.

> >The best we can hope to do is use our complete arsenal of analysis tools to
> >prove that a cipher is insecure. If it fails to succumb to these tools then
> >it is not _proven_ to be secure, but it indicates that a degree of faith can
> >be placed in the cipher.
>
> Concluding that a cipher which has not been shown weak is therefore
> strong is surely incorrect reasoning. So the cipher may be weak. And
> if the cipher *is* weak, we surely would be fools to have faith in it,
> no matter how much analysis was done previously.

But we have to have faith in one (or possibly more) block ciphers. Rather than pick this cipher at "random" it is surely better to pick a block cipher that has been subjected to and resisted all known attacks.

For example I would pick Blowfish over ICE. Wouldn't you?

> Indeed, for all we know, there may *be* no strong cipher. And that
> would mean that the partitioning of ciphers into "weak" and "strong"
> is an irrelevant illusion.

Quite. It may be true that no strong ciphers are strong or weak. But at the moment we can certainly point our fingers at ciphers that *are* weak and others that are relatively secure. (e.g. ICE *is* weak and should not be used. Blowfish has not been shown to be weak and as such can be trusted).

> >What other methods would you use to test block ciphers? (e.g. other than all
> >currently known and published techniques).
>
> We should test everything we can, and then understand that everything
> we have not tested is in an unknown state. If we can't test it, we
> can't control it. And in ciphers, we cannot test strength.

Indeed. But more faith has to be placed in a block cipher that has undergone all tests (and passed) rather than a cipher that has not been tested thoroughly.

If you disagree on this point then I think we'll just have to "agree to disagree".

For now, I'm not putting untested ciphers into ScramDisk :-)

>
> >If a person presenting a new cipher (e.g. Scott) can't even apply all of the
> >standard analysis tools then the cipher surely has to be considered "weaker"
> >than a cipher which passes all of the tests (e.g. TwoFish - which is currently
> >the object of Scotts hate).
>
<SNIP>
>
> The only thing we can prove with analysis is a limit on strength; that
> the real strength could not exceed the effort of a given break. But
> it does not say that there is not a weaker break, somewhere, if we
> only could see deeper, or understand more. Analysis cannot say that
> the analyzed cipher is stronger than an unanalyzed cipher.
>

No. But they can say that the analysed cipher (that has passed the tests) has more credibility.

<SNIP>

Regards,

Sam Simpson
Comms Analyst
--
See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk encryption for Windows 95/98. PGP Keys available at the same site.

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 19:02:45 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363a0d51.8960237@news.io.com>
References: <71c27h$ue1$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 127

On Fri, 30 Oct 1998 09:51:46 GMT, in <71c27h$ue1$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk wrote:

>>[...]
>> Concluding that a cipher which has not been shown weak is therefore
>> strong is surely incorrect reasoning. So the cipher may be weak. And
>> if the cipher *is* weak, we surely would be fools to have faith in it,
>> no matter how much analysis was done previously.
>
>But we have to have faith in one (or possibly more) block ciphers.

I guess faith is about the only thing we *can* have. But that's religion, not science. We may use a cipher, but we *cannot* trust it.

>Rather
>than pick this cipher at "random" it is surely better to pick the a block
>cipher that has been subjected to and resisted all known attacks.

Frankly, I have come to believe that it may be more important to use a multiplicity of ciphers -- accepting their possible weaknesses -- than to use a single cipher -- and accepting its possible weakness.

I think what we gain from an analysis, and from wide use, is that successful attacks are unlikely from people like us, or those who tried to break the cipher. So if the purpose of the cipher is to prevent people like us from getting in, there is some reason to think that analysis has given us that assurance.

But if we intend to stop people who are better trained, better funded, and who have more experience, time, and equipment than us -- and who may even be smarter than we are -- our attempts at analysis tell us nothing at all. They may in fact delude us into the belief that nobody can be better at doing what we try to do than we are.

This is why we need to innovate and use protocols which allow us to accept cipher weakness, yet continue to get the job done.

>For example I would pick Blowfish over ICE. Wouldn't you?

Not if picking Blowfish means that I have no access to other ciphers.

Since any cipher may have weakness, a widely used cipher is asking for weakness to be found. And using any cipher for a large amount of data is asking for weakness to be exploited. The exploitation of our data is the risk. How can we possibly "put all our eggs in one basket" when we know that it is *impossible* to "watch that basket"?

>> Indeed, for all we know, there may *be* no strong cipher. And that
>> would mean that the partitioning of ciphers into "weak" and "strong"
>> is an irrelevant illusion.
>
>Quite. It may be true that no strong ciphers are strong or weak. But at the
>moment we can certainly point our fingers at ciphers that *are* weak and
>others that are relatively secure. (e.g. ICE *is* weak and should not be
>used. Blowfish has not been shown to be weak and as such can be trusted).

Fine. But not being shown weak still does not mean we can trust it. How can we possibly trust something to be strong which admittedly may be weak?

>> >What other methods would you use to test block ciphers? (e.g. other than all
>> >currently known and published techniques).
>>
>> We should test everything we can, and then understand that everything
>> we have not tested is in an unknown state. If we can't test it, we
>> can't control it. And in ciphers, we cannot test strength.
>
>Indeed. But more faith has to be placed in a block cipher that has undergone
>all tests (and passed) rather than a cipher that has not been tested
>thoroughly.
>
>If you disagree on this point then I think we'll just have to "agree to
>disagree".

I do indeed disagree. One cannot gain faith about untested things by testing other things. There is no reason to expect that the outcome of future tests will be like past successes. If this were generally true, we would never need complex tests.

>For now, I'm not putting untested ciphers into ScramDisk :-)

I did say "test everything we can." But I think the idea of selecting some subset of ciphers for inclusion in a program should gradually fade away. (All but one of these will be unused at any particular time anyway.)

>>[...]
>> The only thing we can prove with analysis is a limit on strength; that
>> the real strength could not exceed the effort of a given break. But
>> it does not say that there is not a weaker break, somewhere, if we
>> only could see deeper, or understand more. Analysis cannot say that
>> the analyzed cipher is stronger than an unanalyzed cipher.
>>
>
>No. But they can say that the analysed cipher (that has passed the tests) has
>more credibility.

There is a lot to be said for experience. By experiencing many of the ways things can go wrong, one can take steps to avoid those problems. And this extends far beyond the cipher into the design and implementation of the cipher system. I suspect that problems in the cipher system are likely to be more easily exploited than any publicly-described cipher.

When we first install a normal program, we may not trust it. After we use it for a while, and it has not failed, we may develop trust. And certainly we can trust a cipher system in the same way when we talk about data not being lost or scrambled.

But we can't trust strength, because use does not stress that, and its failure is not reported to us. We have no idea whether the program really is delivering strength or not, so we cannot develop a trust of strength.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 05:15:28 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36394B11.2DDFF3CE@null.net>
References: <71a8bt$fm9$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 7

ssimpson@hertreg.ac.uk wrote:
> "Proving" the general security of a block cipher would also prove that P != NP

I wonder on what basis you could make that claim. In other words, I don't think that's right -- I can exhibit the design for a block cipher that is demonstrably secure according to the rules of the game, although it wouldn't be *practical*.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 05:22:15 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36394cbf.326485@news.visi.com>
References: <36394B11.2DDFF3CE@null.net>
Newsgroups: sci.crypt
Lines: 19

On Fri, 30 Oct 1998 05:15:28 GMT, "Douglas A. Gwyn" <DAGwyn@null.net> wrote:

>ssimpson@hertreg.ac.uk wrote:
>> "Proving" the general security of a block cipher would also prove that P != NP
>
>I wonder on what basis you could make that claim.
>In other words, I don't think that's right -- I can exhibit the design
>for a block cipher that is demonstrably secure according to the rules of
>the game, although it wouldn't be *practical*.

While it is certainly possible to, in theory, give a proof of security that does not also prove that P != NP, most formulations of such a proof--which, of course, does not exist--hinge on proving P != NP.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Sat, 31 Oct 1998 06:34:34 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363AAF1C.AF37BF7F@null.net> References: <36394cbf.326485@news.visi.com> Newsgroups: sci.crypt Lines: 15 Bruce Schneier wrote: > On Fri, 30 Oct 1998 05:15:28 GMT, "Douglas A. Gwyn" <DAGwyn@null.net> > wrote: > >ssimpson@hertreg.ac.uk wrote: > >> "Proving" the general security of a block cipher would also prove that P != NP > >I wonder on what basis you could make that claim. > >In other words, I don't think that's right -- I can exhibit the design > >for a block cipher that is demonstrably secure according to the rules of > >the game, although it wouldn't be *practical*. > While it is certainly possible to, in theory, give a proof of security > that does not also prove that P != NP, most formulations of such a > proof--which, of course, does not exist--hinge on proving P != NP. This is getting weirder -- I still would like a reference. I don't think *any* block ciphers have anything to do with P?=NP.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:07:17 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <363e0fff.13076835@news.prosurfr.com> References: <363AAF1C.AF37BF7F@null.net> Newsgroups: sci.crypt Lines: 19 "Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: >This is getting weirder -- I still would like a reference. >I don't think *any* block ciphers have anything to do with P?=NP. Not in the simple way that some public-key systems do. But someone did note that he had converted DES into a gigantic Boolean expression ... in hopes that it could be, at least partly, inverted. I think inverting logic equations does touch on P versus NP. Essentially, if a proof that P=NP is interpreted as indicating there are no mathematical problems that get really intractable to solve, compared to the effort required to verify the solution, then that would seem to affect everything - even if the application to secret-key ciphers would still be awkward. John Savard http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: 2 Nov 1998 15:31:14 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71l4qi$rmv$1@quine.mathcs.duq.edu> References: <363e0fff.13076835@news.prosurfr.com> Newsgroups: sci.crypt Lines: 40 In article <363e0fff.13076835@news.prosurfr.com>, John Savard <jsavard@tenMAPSONeerf.edmonton.ab.ca> wrote: >"Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: > >>This is getting weirder -- I still would like a reference. >>I don't think *any* block ciphers have anything to do with P?=NP. > >Not in the simple way that some public-key systems do. > >But someone did note that he had converted DES into a gigantic Boolean >expression ... in hopes that it could be, at least partly, inverted. I >think inverting logic equations does touch on P versus NP. Only if the size of the problem varies. In the case of any *particular* block cypher, with any *particular* key-space and any *particular* block size, &c, then the problem size is probably fixed (and P/NP is indeed a red herring). So proving that P == NP probably wouldn't affect the solution of DES much. *However*, a lot of cyphers are in fact cypher schemes with variable size. An obvious example is creating an LFSR-based stream cypher, where the difficulty of recreating the stream can be related to the size of the LFSR-state (and hence to the size of the secret key). If I were to develop a clever trick with N-bit LFSRs and prove that to recover the internal state or decrypt the cyphertext *required* at least 2^N operations, then I would indeed have proven that P != NP. A similar example, this one involving a block cypher, would be if I used N-bit RSA, but kept both factors secret (and part of the key). This, of course, means that I lose the advantages of public-key encryption. On the other hand, it also means that I have a symmetric algorithm with a variable problem size. 
If I could then *prove* that the only way to decrypt my messages required exponential time (in the size of the RSA keys), then I would, again, have proven P < NP. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 00:21:06 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363E4C10.C05E0898@null.net> References: <363e0fff.13076835@news.prosurfr.com> Newsgroups: sci.crypt Lines: 9 John Savard wrote: > But someone did note that he had converted DES into a gigantic Boolean > expression ... in hopes that it could be, at least partly, inverted. I > think inverting logic equations does touch on P versus NP. But the issue is not whether there is an *effective algorithm* for inverting *every* system of equations, which might bear on P?=NP. The statement was that proof of security of *any particular example* of a block cipher system would imply P=NP. That's what I doubt.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:49:04 -0500 From: Nicol So <nobody@no.spam.please> Message-ID: <363E6110.9D3FF87@no.spam.please> References: <363E4C10.C05E0898@null.net> Newsgroups: sci.crypt Lines: 48 Douglas A. Gwyn wrote: > But the issue is not whether there is an *effective algorithm* for > inverting *every* system of equations, which might bear on P?=NP. > The statement was that proof of security of *any particular example* > of a block cipher system would imply P=NP. That's what I doubt. Whether a proof of security of a block cipher has anything to do with the question of P?=NP depends on how you formalize the notion of security. Theoreticians (I mean theoretical computer scientists) like to define security in terms of asymptotic properties. For the purpose of this discussion, ignore whether such definitions properly capture the notion of security for practical ciphers. There are different formalizations of security, some of which are not applicable to (deterministic) block ciphers. For example, no deterministic ciphers can be semantically secure. A probably more applicable notion of security for block ciphers is that of superpseudorandom permutation generator, as introduced in a 1986 paper by Luby and Rackoff. To use the definition, a block cipher is modeled as a (uniform) family of polynomial-time computable permutations, indexed by a security parameter k. The intuition behind superpseudorandom permutation generator is that a block cipher is secure if it passes off as a (length-preserving) permutation on {0,1}^k, and no (non-uniform) polynomial-time algorithm can distinguish them. The (non-uniform) algorithm here takes two oracles: a "normal" one computing a function f, and an "inverse" one computing the inverse of f. "Distinguish", as used in the definition, means "distinguishes with a non-negligible advantage". 
(If you make random guesses, you already have a 50% success rate of saying whether a given permutation is truly random or just pseudorandom). "Negligible" here has the conventional meaning of "converging to 0 faster than the inverse of any polynomial k^c (where c>0), as the security parameter k tends to infinity". So much for the background definitions. Now consider a particular block cipher (modeled as a family of ciphers of variable block sizes and key lengths). In non-deterministic polynomial time, an algorithm can determine, with good success probability, whether a given pair of encryption/decryption functions could have been an instance of our block cipher (with some appropriate key). This can be done by guessing a key and performing a number of trial encryptions and decryptions. If P=NP, the above computation can also be performed in polynomial-time. That means, for any given cipher, there is always a polynomial-time algorithm that can "distinguish" the cipher from permutations chosen uniformly at random from the appropriate space. And therefore, no deterministic block cipher can be secure under such a definition of security.
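The guess-a-key distinguisher in the post above, as an added example that is not part of the thread. `toy_encrypt` is a constructed toy keyed permutation with no security value, and the nondeterministic "guess a key" step is replaced by exhaustive search over a small key space, so the block shows the shape of the NP algorithm (guess, then verify with a few trial encryptions) rather than its asymptotic cost; the sample points and the seeded random permutation are likewise constructed for the demonstration.

```python
"""Guess-and-verify distinguisher for a toy block cipher family.

Added example, not code from the thread.  The cipher below is a constructed
toy (XOR with the key, multiply by an odd constant, rotate, XOR with the key,
all on n-bit words); it is a permutation of {0,1}^n for every key but has no
security value.  The NP "guess a key" step is realised by brute force, which
is why the demo only makes sense for small n.
"""
import random

ODD_CONST = 0x9D  # odd, so multiplication mod 2**n is a bijection


def toy_encrypt(key: int, m: int, n: int) -> int:
    """Constructed toy block cipher on n-bit blocks with an n-bit key (n > 3)."""
    mask = (1 << n) - 1
    t = ((m ^ key) * ODD_CONST) & mask
    t = ((t << 3) | (t >> (n - 3))) & mask  # rotate left by 3 to mix the top bits down
    return t ^ key


def random_permutation_oracle(n: int, seed: int):
    """Oracle for a permutation of {0,1}^n chosen uniformly at random (seeded
    so the demo is repeatable): what a secure cipher should be indistinguishable from."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return lambda m: table[m]


def cipher_oracle(key: int, n: int):
    """Oracle for one instance of the toy cipher under a fixed key."""
    return lambda m: toy_encrypt(key, m, n)


SAMPLE_POINTS = [0, 1, 2, 3, 5]  # constructed trial plaintexts the distinguisher queries


def guess_key_distinguisher(oracle, n: int):
    """Return a key k such that the oracle agrees with toy_encrypt(k, .) on every
    sample point, or None if no key fits.

    This is the post's NP algorithm made concrete: "guess" every key in turn and
    verify the guess with a handful of trial encryptions.  Verification per guess
    is cheap; only the guessing is exponential, which is exactly the cost that a
    polynomial-time decider (i.e. P = NP) would collapse.
    """
    answers = [oracle(m) for m in SAMPLE_POINTS]
    for k in range(1 << n):
        if all(toy_encrypt(k, m, n) == c for m, c in zip(SAMPLE_POINTS, answers)):
            return k
    return None


def is_cipher_instance(oracle, n: int) -> bool:
    """True if the oracle looks like an instance of our cipher family."""
    return guess_key_distinguisher(oracle, n) is not None


if __name__ == "__main__":
    n = 8
    real = cipher_oracle(key=0xA7, n=n)
    rand = random_permutation_oracle(n=n, seed=2024)
    print("cipher instance detected:", is_cipher_instance(real, n))
    print("random permutation detected as cipher:", is_cipher_instance(rand, n))
```

For a random permutation, a false positive needs some key to agree with the oracle on all five sample points, which for 8-bit blocks has probability on the order of 1/(255*254*253*252), so the distinguisher's advantage is essentially 1; the only thing standing between this and a polynomial-time attack is the exhaustive loop over keys.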
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 20:25:23 -0500 From: Nicol So <nobody@no.spam.please> Message-ID: <363FAD03.75C29461@no.spam.please> References: <363E6110.9D3FF87@no.spam.please> Newsgroups: sci.crypt Lines: 14 Nicol So wrote: > ... > The intuition behind superpseudorandom permutation generator is that a block > cipher is secure if it passes off as a (length-preserving) permutation on > {0,1}^k, and no (non-uniform) polynomial-time algorithm can distinguish > them. ... When I wrote "permutation on {0,1}^k", I meant to say "permutation on {0,1}^k chosen uniformly at random". Despite the accidental omission, the intended meaning should be obvious from the ensuing text. Nicol
Subject: Re: Memo to the Amateur Cipher Designer Date: 3 Nov 1998 09:32:34 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71n462$sgp$1@quine.mathcs.duq.edu> References: <363E4C10.C05E0898@null.net> Newsgroups: sci.crypt Lines: 35 In article <363E4C10.C05E0898@null.net>, Douglas A. Gwyn <DAGwyn@null.net> wrote: >John Savard wrote: >> But someone did note that he had converted DES into a gigantic Boolean >> expression ... in hopes that it could be, at least partly, inverted. I >> think inverting logic equations does touch on P versus NP. > >But the issue is not whether there is an *effective algorithm* for >inverting *every* system of equations, which might bear on P?=NP. >The statement was that proof of security of *any particular example* >of a block cipher system would imply P=NP. That's what I doubt. The demonstration of a particular category of equations, such that a) "size" is meaningful and b) to determine whether or not they are satisfiable provably requires exponential time would indeed prove that P < NP. The reason, of course, is that the general case encompasses the specific case, and no general equation-solver could solve these particular problems faster than the provable bound -- so the general equation solver would also require exponential time. However, this is a one-way implication. If I could prove that DES (or any particular sub-class of the general problem) *were* solvable in polynomial time, this would NOT prove that P == NP. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 17:00:14 GMT From: bobs@rsa.com Message-ID: <71ncqv$j7d$1@nnrp1.dejanews.com> References: <363e0fff.13076835@news.prosurfr.com> Newsgroups: sci.crypt Lines: 17 In article <363e0fff.13076835@news.prosurfr.com>, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: > "Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: > Essentially, if a proof that P=NP is interpreted as indicating there > are no mathematical problems that get really intractable to solve, > compared to the effort required to verify the solution, then that > would seem to affect everything - even if the application to > secret-key ciphers would still be awkwards. Such an interpretation would be grossly wrong. It is well known that problems exist that are HARDER than any problems in NP. See Garey & Johnson, for example. -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 23:05:41 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363F8BE2.7469BAAF@null.net> References: <71ncqv$j7d$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 17 bobs@rsa.com wrote: > In article <363e0fff.13076835@news.prosurfr.com>, > jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: > > "Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: > > > Essentially, if a proof that P=NP is interpreted as indicating there > > are no mathematical problems that get really intractable to solve, > > compared to the effort required to verify the solution, then that > > would seem to affect everything - even if the application to > > secret-key ciphers would still be awkwards. > > Such an interpretation would be grossly wrong. ... Please, check the attributions before posting. You posted "Douglas A. Gwyn wrote:" followed by text that I certainly did not write. (Presumably it was written by John Savard.)
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 10:38:15 GMT From: ssimpson@hertreg.ac.uk Message-ID: <71c4ul$1fl$1@nnrp1.dejanews.com> References: <36394B11.2DDFF3CE@null.net> Newsgroups: sci.crypt Lines: 30 In article <36394B11.2DDFF3CE@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > ssimpson@hertreg.ac.uk wrote: > > "Proving" the general security of a block cipher would also prove that P != NP > > I wonder on what basis you could make that claim. > In other words, I don't think that's right -- I can exhibit the design > for a block cipher that is demonstrably secure according to the rules of > the game, although it wouldn't be *practical*. I was quoting pg 52 (right-hand column) of the paper "Twofish: A 128-bit Block Cipher" by Schneier, Kelsey, Whiting, Wagner, Hall & Ferguson. I would be interested in your views on this. Are Schneier et al wrong? Have I missed something? Did I (gasp!) take the quote out of context? I am honestly interested in an answer if the statement was wrong as I'm relatively new to encryption e.g. less than 7 years, so am still learning. Thanks, Sam Simpson Comms Analyst -- See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk encryption for Windows 95/98. PGP Keys available at the same site.
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 12:51:38 GMT From: sandy.harris@sympatico.ca (Sandy Harris) Message-ID: <uDi_1.603$Gh4.1162471@news21.bellglobal.com> References: <71c4ul$1fl$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 25 ssimpson@hertreg.ac.uk wrote: > "Douglas A. Gwyn" <DAGwyn@null.net> wrote: >> ssimpson@hertreg.ac.uk wrote: >> > "Proving" the general security of a block cipher would also prove that P != >NP >> >> I wonder on what basis you could make that claim. Encryption/decryption with known key is presumably not worse than polynomial in keylength or the cipher's wildly impractical. If "proving the security" of the cipher means showing that no attack is better than brute force, i.e. all possible attacks are exponential in keylength, & if this applies for any keylength, then QED. Methinks this argument is hopelessly flawed because the keylength in most ciphers cannot vary beyond a certain range & the whole P/NP distinction depends on reasoning for "in the limit" & "for sufficiently large N", so it cannot reasonably be applied. Of course if you consider an iterated block cipher with independent round keys & a variable # of rounds, then the total key can be arbitrarily large, so perhaps the argument is salvageable for such ciphers.
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 16:29:15 GMT From: bobs@rsa.com Message-ID: <71cpgq$uqd$1@nnrp1.dejanews.com> References: <uDi_1.603$Gh4.1162471@news21.bellglobal.com> Newsgroups: sci.crypt Lines: 29 In article <uDi_1.603$Gh4.1162471@news21.bellglobal.com>, sandy.harris@sympatico.ca (Sandy Harris) wrote: > ssimpson@hertreg.ac.uk wrote: > > > "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > >> ssimpson@hertreg.ac.uk wrote: > >> > "Proving" the general security of a block cipher would also prove that P != > >NP > >> > >> I wonder on what basis you could make that claim. > > Encryption/decryption with known key is presumably not worse than > polynomial in keylength or the cipher's wildly impractical. > > If "proving the security" of the cipher means showing that no attack > is better than brute force, i.e. all possible attacks are exponential in > keylength, & if this applies for any keylength, then QED. No! No! No! Proving that only brute force could work would NOT, repeat NOT prove P != NP *** unless **** you first proved that breaking the key was an NP-Complete problem. Merely showing that breaking the key takes exponential time is NOT equivalent to proving it is NP-Complete.
Subject: Re: Memo to the Amateur Cipher Designer Date: 30 Oct 1998 14:44:46 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71d4ve$p8o$1@quine.mathcs.duq.edu> References: <71cpgq$uqd$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 37 In article <71cpgq$uqd$1@nnrp1.dejanews.com>, <bobs@rsa.com> wrote: >In article <uDi_1.603$Gh4.1162471@news21.bellglobal.com>, > sandy.harris@sympatico.ca (Sandy Harris) wrote: >> ssimpson@hertreg.ac.uk wrote: >> >> > "Douglas A. Gwyn" <DAGwyn@null.net> wrote: >> >> ssimpson@hertreg.ac.uk wrote: >> >> > "Proving" the general security of a block cipher would also prove that P != >> >NP >> >> >> >> I wonder on what basis you could make that claim. >> >> Encryption/decryption with known key is presumably not worse than >> polynomial in keylength or the cipher's wildly impractical. >> >> If "proving the security" of the cipher means showing that no attack >> is better than brute force, i.e. all possible attacks are exponential in >> keylength, & if this applies for any keylength, then QED. > >No! No! No! > >Proving that only brute force could work would NOT, repeat NOT >prove P != NP *** unless **** you first proved that breaking the key >was an NP-Complete problem. > >Merely showing that breaking the key takes exponential time is NOT >equivalent to proving it is NP-Complete. Nope. Showing that breaking the key takes *provably* exponential time would suffice to show that P != NP. If there exists a subset S of NP such that P < S <= NP, that proves P < NP. (S, in this case, is the class of problems to which this cypher belongs.) And of course, the problem is "obviously" in NP because you can verify a correct solution in polynomial time. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 21:49:07 GMT From: phr@netcom.com (Paul Rubin) Message-ID: <phrF1ntxv.4ys@netcom.com> References: <71cpgq$uqd$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 24 In article <71cpgq$uqd$1@nnrp1.dejanews.com>, <bobs@rsa.com> wrote: >Proving that only brute force could work would NOT, repeat NOT >prove P != NP *** unless **** you first proved that breaking the key >was an NP-Complete problem. > >Merely showing that breaking the key takes exponential time is NOT >equivalent to proving it is NP-Complete. Bob, are you sure of this? If the statement came from someone less knowledgeable than you, I'd have shrugged it off as wrong rather than paying attention. If brute force works, then cryptanalyzing the cipher is in NP. Once you have guessed the key by brute force, you can validate the guess by showing it properly encrypts the known plaintext to the known ciphertext. If you can prove that *only* brute force works, the cipher is not in P. Brute force means exponential search through the keyspace. It is true that cryptanalyzing the cipher may not be NP-hard, but it is not in P. If something is in NP but not in P, it follows that P != NP. Did I miss something??!!
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:12:24 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <363e112c.13377666@news.prosurfr.com> References: <phrF1ntxv.4ys@netcom.com> Newsgroups: sci.crypt Lines: 22 phr@netcom.com (Paul Rubin) wrote, in part: >If you can prove that *only* brute force works, the cipher is not in P. >Brute force means exponential search through the keyspace. It is true >that cryptanalyzing the cipher may not be NP-hard, but it is not in P. I think the idea is that while a _proof_ that only brute force works would indeed catapult cryptanalyzing it out of P, in general the fact that only brute force is known at present (which some people might take for a proof) certainly doesn't have anything to do with P versus NP. And secret-key designs can easily be made much too messy for anything to be proven about them... So, at present I think you're right and they're not expressing themselves clearly (they're right too about what they're trying to say). If I'm wrong, and there is a reason why the P=NP question doesn't apply, even in theory, that would be interesting. John Savard http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 11:21:42 -0700 From: Shawn Willden <shawn@willden.org> Message-ID: <363F49B6.8CE95B8@willden.org> References: <363e112c.13377666@news.prosurfr.com> Newsgroups: sci.crypt Lines: 34 John Savard wrote: > So, at present I think you're right and they're not expressing > themselves clearly (they're right too about what they're trying to > say). If I'm wrong, and there is a reason why the P=NP question > doesn't apply, even in theory, that would be interesting. Let me see if I can lay this out clearly and thoroughly enough that someone can point out the flaw in the reasoning (Douglas Gwyn? Bob Silverman?). P is the set of all problems that are solvable in polynomial time. NP is the set of all problems for which candidate solutions can be tested in polynomial time. P is a subset of NP. To see this, choose a problem p in P and a candidate solution c, run the polynomial-time algorithm to solve p which yields a solution s, then test if c=s. So, P=NP iff NP is a subset of P. Therefore, to show P!=NP, it is sufficient to show that there exists a problem p s.t. p is an element of NP but p is not an element of P. Let p be a problem whose candidate solutions can be tested in polynomial time (p is an element of NP) but which requires (provably) that an exponentially growing solution space be brute force searched to find a solution. This implies that p is not an element of P, which shows that P != NP. What's wrong with that argument? Or is there something wrong with my definitions of P and NP? Shawn.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:16:46 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <363e1282.13719546@news.prosurfr.com> References: <71cpgq$uqd$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 23 bobs@rsa.com wrote, in part: >Proving that only brute force could work would NOT, repeat NOT >prove P != NP *** unless **** you first proved that breaking the key >was an NP-Complete problem. >Merely showing that breaking the key takes exponential time is NOT >equivalent to proving it is NP-Complete. Proving that brute force was not necessary would not prove P=NP, unless you proved that breaking the key was NP-complete, since there are problems that aren't known to be in P, but aren't known to be NP-complete either, like factoring. But the converse _is_ valid, unless my memory is very faulty: NP-complete problems are supposed to be the hardest kind of scalable problems; thus, if some problem was shown not to be in P, even if that problem was _not_ NP complete, that would only mean that the NP-complete problems were as hard, or even harder, and therefore not in P either. John Savard http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Sat, 31 Oct 1998 06:47:39 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363AB22D.D9725C8@null.net> References: <uDi_1.603$Gh4.1162471@news21.bellglobal.com> Newsgroups: sci.crypt Lines: 11 Sandy Harris wrote: > Encryption/decryption with known key is presumably not worse than > polynomial in keylength or the cipher's wildly impractical. Granted. > If "proving the security" of the cipher means showing that no attack > is better than brute force, i.e. all possible attacks are exponential in > keylength, & if this applies for any keylength, then QED. No, that's not even close to a proof of: <given cipher secure> => P!=NP.
Subject: Re: Memo to the Amateur Cipher Designer Date: 2 Nov 1998 07:31:30 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: <71jn4i$510$1@news.umbc.edu> References: <363AB22D.D9725C8@null.net> Newsgroups: sci.crypt Lines: 67 Douglas A. Gwyn (DAGwyn@null.net) wrote: : Sandy Harris wrote: : > Encryption/decryption with known key is presumably not worse than : > polynomial in keylength or the cipher's wildly impractical. : Granted. : > If "proving the security" of the cipher means showing that no attack : > is better than brute force, i.e. all possible attacks are exponential in : > keylength, & if this applies for any keylength, then QED. : No, that's not even close to a proof of: <given cipher secure> => P!=NP. Hmmm, I see it as kind of close. From the assumption that (en/de)cryption is polytime and attack is exponential in key length, we must be talking about a cipher with a variable size and arbitrarily large key. Now let's define encryption as f(K,M) = C Where K is the key, M is the plaintext, and C is the ciphertext. Let's say K is an integer, since any key can be coded in that form. Now we define language L as the set of all strings of the form: [m,c,x] Where there exists some key k such that: k < x and f(k,m) = c. L is in NP. We assumed (en/de)cryption is polytime, so for any string in L, there is a short certifier - namely a value for k that satisfies the "such that: ..." above. L is not in P. I'll prove this by contradiction. If L is in P, then given plaintext m and ciphertext c, I can recover k such that f(m,k)=p using the following procedure: Test the strings [m,c,2], [m,c,4], [m,c,8]... for membership in L until I find the first that is in L. Now I have two strings [m,c,x1] and [m,c,x2] where x1<x2, [m,c,x1] is not in L, and [m,c,x2] is in L. I now test whether [m,c,floor((x1+x2)/2)] is in L. Either way, I can divide in half the interval containing the lowest x' such that [m,c,x'] is in L.
I repeat this procedure to form a binary search for x', and when I find it I return k=x'. The procedure takes time proportional to the time to test whether a string is in L times the length of K. Since we assumed L is in P, this gives me a sub-exponential break of the cipher, and since our premise says such a break doesn't exist, the assumption that L is in P must be false. Given the cipher, we can construct a language that is in NP but not in P. Thus, this particular form of cipher security - where we can use an arbitrarily large key, encryption and decryption are polytime in the key size and cryptanalysis is exponential in the key size - requires that P != NP. --Bryan
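The search-from-decision reduction in the post above, worked in code as an added example (not the poster's own code). `f` is a constructed toy keyed permutation with no security value, the decider for L is brute force standing in for the hypothetical polynomial-time decider that "L is in P" would provide, and the example generalises the post by allowing several plaintext/ciphertext pairs rather than one; the key and plaintexts are constructed sample values. Since membership in L requires k < x, the smallest x' in L is one more than the smallest consistent key, so the code returns x' - 1.

```python
"""Recovering a key from a membership oracle for L = { [pairs, x] :
exists k < x with f(k, m_i) = c_i for every pair }.

Added example, not code from the thread.  f is a constructed toy cipher; the
decider is brute force and only stands in for a hypothetical polynomial-time
decider.  The point is the reduction: the key falls out of O(log keyspace)
decider calls, so a fast decider would give a fast break.
"""
ODD_CONST = 0x9D  # odd, so multiplication mod 2**n is a bijection


def f(key: int, m: int, n: int) -> int:
    """Constructed toy block cipher, n-bit key and block (n > 3)."""
    mask = (1 << n) - 1
    t = ((m ^ key) * ODD_CONST) & mask
    t = ((t << 3) | (t >> (n - 3))) & mask  # rotate left by 3
    return t ^ key


class DeciderForL:
    """Answers 'is [pairs, x] in L?', i.e. 'is there a key k < x mapping every
    m_i to c_i?'.  Brute force here; it counts its own calls so the reduction's
    query complexity can be checked."""

    def __init__(self, n: int):
        self.n = n
        self.calls = 0

    def __call__(self, pairs, x: int) -> bool:
        self.calls += 1
        bound = min(x, 1 << self.n)  # keys are n-bit integers
        return any(all(f(k, m, self.n) == c for m, c in pairs) for k in range(bound))


def recover_key(pairs, decide, n: int) -> int:
    """The post's procedure: double x until [pairs, x] is in L, then binary-search
    the smallest such x'.  Because membership uses k < x, that x' is one more
    than the smallest consistent key, so the key is x' - 1."""
    # Phase 1: doubling search for the first power of two whose string is in L.
    x = 1
    while not decide(pairs, x):
        x *= 2
        if x > (1 << n):
            raise ValueError("no key maps the given plaintexts to the ciphertexts")
    lo, hi = x // 2, x  # [pairs, lo] not in L (lo == 0 is trivially out), [pairs, hi] in L
    # Phase 2: binary search for the smallest x' with [pairs, x'] in L.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if decide(pairs, mid):
            hi = mid
        else:
            lo = mid
    return hi - 1


if __name__ == "__main__":
    n, key = 16, 0xBEEF                      # constructed sample key
    plaintexts = [0x1234, 0x0001, 0xFFFF]    # constructed sample plaintexts
    pairs = [(m, f(key, m, n)) for m in plaintexts]
    decider = DeciderForL(n)
    k = recover_key(pairs, decider, n)
    print(f"recovered key 0x{k:04X} with {decider.calls} decider calls")
```

With a 16-bit key the doubling phase makes at most 17 decider calls and the binary search at most 15, so the whole break costs about 2n calls to the decider regardless of how the decider itself is implemented; replacing the brute-force decider with a polynomial-time one is exactly the step that would turn this into a polynomial-time key recovery.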
Subject: Re: Memo to the Amateur Cipher Designer Date: 28 Oct 1998 08:43:07 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: <716ler$h90$1@news.umbc.edu> References: <3634a751.2469260@news.io.com> Newsgroups: sci.crypt Lines: 42 Terry Ritter wrote: : Bruce Schneier wrote: : >Security is orthogonal to functionality. A cipher cannot deliver any : >new advantages until it is considered strong. That's what makes this : >discipline complicated. : Apparently I have been unable to communicate the issue: That may be, but Bruce understands the issues anyway. [...] : >No. The adversarial game of making and breaking is what makes : >cryptography cryptography. I design; you break. You design; I break. : >This is what cryptography is. : I am not referring to legitimate thrust and parry of design and : analysis, I am referring to exactly the sort of behavior in your (now : deleted) anecdote. I claim: : * The legitimate response to a design is a break. : * The legitimate response to a fixed design is a break. : * The legitimate response to a fixed fixed design is a break. Absolutely. Please, please, start responding that way. Enough of all the posts that respond to someone else's design by pointing out features of your own designs. There are very few on this group who actually devote time and effort to looking into other people's suggestions. : Life is tough for cipher analyzers. It must be frustrating when : newbies simply do not (no doubt interpreted as "will not") get the : point. Yes it is. The major "point" is that a cipher designer must _be_ a cipher analyzer. That's what good designers spend most of their time doing. --Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 21 Oct 1998 05:22:08 GMT
From: dianelos@tecapro.com
Message-ID: <70jr20$k0l$1@nnrp1.dejanews.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 99

In article <36292906.1151332@news.visi.com>,
  schneier@counterpane.com (Bruce Schneier) wrote:
>[...]
> "The best cryptographers around" break a lot of ciphers. The academic
> literature is littered with the carcasses of ciphers broken by their
> analyses.

I would rather not use the word "break" to describe the successful cryptanalysis of a cipher. If somebody found an attack against 3DES with 2^60 chosen plaintexts it would certainly be a great piece of cryptanalytic work but it would *not* mean that bank wire transfers could be BROKEN in any reasonable sense of the word. Again: if somebody found a way to compute the 3DES key with two known plaintexts and 15 seconds on a PC, how would we describe this attack - a "demolition" of 3DES or what? I think it would be better to say that a successful cryptanalysis discovered a weakness in a cipher. Any weakness can or should be mortal for a cipher, particularly if discovered with little effort or if that cipher can show no other advantages. Even so, the word "break" we should reserve for what the British did to the Enigma machine.

I know this is only semantics but still I think it is important. Security issues are slowly seeping into public awareness and it would be best not to use common words in a way that is contrary to their normal meaning.

> [...] Algorithms
> posted to Internet newsgroups by unknowns won't get a second glance.

My personal opinion is that in the future Internet newsgroups will be the most important medium for communicating ideas while peer reviewed publications, as we know them today, will be less and less important. This is not an either-or proposition. Stuffy, paper-based publications and chaotic, unstructured newsgroups will gravitate towards a medium that combines the best of the two worlds. Newsgroups do have enormous advantages: immediate and free movement of ideas is one of them. The other, I think, is that it is much cheaper for an author to be proven wrong in a newsgroup post; therefore people feel more free to publish crazy, less well thought out ideas.

One of the seminal books in my life was Minsky's "Society of Mind". I think newsgroups will evolve to what is functionally a bigger mind. When I started toying with the idea of participating in the AES competition, I intended to post my basic idea and invite the sci.crypt crowd to participate as a group in the competition. When I finally started working on the submission it was too late. Pity - it would have been an interesting experiment of the BIG MIND paradigm.

> [...] The
> cipher's strength is not in its design; anyone could design something
> like that. The strength is in its analysis.

Clearly there is no known formula or experiment that measures a cipher's strength. This leaves human based analysis as the only way to validate a cipher's strength today. Still, I see a problem here: Suppose cipher A is analyzed by good cryptographers and many interesting results are published even though no weakness is found. Cipher B is analyzed even more intensely by the same people, no weakness is found but neither is there anything interesting to report. B should be considered stronger than A, but in the current state of affairs the opposite would happen. My point is that published results do not necessarily indicate the quantity or quality of analysis done on a cipher. Successful analysis depends not only on the cryptographer's previous experience or effort invested, but also on uncontrollable, unquantifiable factors such as inspiration or even luck.

There is a real possibility that somebody will have an ingenious idea tomorrow that will demolish many ciphers we consider secure today. This is a terribly unfortunate situation: we are betting a significant part of tomorrow's stability not so much on technology that is not *proven* but rather on technology we have no way to *test*. Meanwhile, NSA is not allowed to talk, and this, I think, is not wise.

>[...]
> 1. Describe your cipher using standard notation. This doesn't mean C
> code. There is established terminology in the literature. Learn it
> and use it; no one will learn your specialized terminology.

I don't completely agree. A standard representation often restricts the group of ideas that can comfortably be expressed. For example, FROG cannot be represented with the traditional hardware schematic; some algorithms can be represented more elegantly with unstructured pseudocode filled with GOTOs. A cipher is an algorithm - traditionally algorithms are described with pseudo-code or even with documented code written in Pascal, Lisp, C or some other well known language. I don't quite see why using C to describe a cipher is a bad idea. Anyway, I am splitting hairs here. It is self-evident that a cipher should be described in a clear way and that no specialized terminology should be used when none is needed.

--
http://www.tecapro.com  email: dianelos@tecapro.com

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 15:20:06 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <362f4c6d.832631@news.prosurfr.com>
References: <70jr20$k0l$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 15

dianelos@tecapro.com wrote, in part:

> I would rather not use the word "break" to describe the successful
> cryptanalysis of a cipher. If somebody found an attack against
> 3DES with 2^60 chosen plaintexts it would certainly be a great
> piece of cryptanalytic work but it would *not* mean that bank wire
> transfers could be BROKEN in any reasonable sense of the word.

Well, that's a valid enough comment on terminology. However, with specific reference to the AES process, a cryptanalytic result that indicates a proposed cipher is less than _perfect_ is, quite properly, considered significant.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 23 Oct 1998 10:53:08 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2310981053080001@dialup133.itexas.net>
References: <36305059.CAE8032F@stud.uni-muenchen.de> <jgfunj-2210981318390001@207.22.198.187>
Newsgroups: sci.crypt
Lines: 43

In article <36305059.CAE8032F@stud.uni-muenchen.de>, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

> W T Shaw wrote:
> >
> > In article <362F34E7.118E41AC@stud.uni-muenchen.de>, Mok-Kong Shen
> > <mok-kong.shen@stud.uni-muenchen.de> wrote:
> > >
> > > dianelos@tecapro.com wrote:
> > > > For example, FROG cannot be represented with the traditional
> > > > hardware schematic; some algorithms can be represented more
> > > > elegantly with unstructured pseudocode filled with GOTOs. A cipher
> > > > is an algorithm - traditionally algorithms are described with
> > > > pseudo-code or even with documented code written in Pascal, Lisp,
> > > > C or some other well known language. I don't quite see why using C
> > > > to describe a cipher is a bad idea.
> > >
> > I get his idea, that to predicate a description or demonstration to an
> > artificially restrictive set of circumstances might preclude the simplest
> > or the most meaningful one. Each media has its own built in
> > prejudices which might make things look harder than they are. I challenge
> > you to build a DES encryption machine with no electronics in it.
>
> Sorry that I don't yet understand. I thought what Dianelos wrote
> amounts to the following: FROG cannot be described with a program
> written in any of the currently used programming languages.

See above; clearly he said that describing a cipher in C would be OK with him, but not in a traditional *hardware* schematic.

> But
> with what should FROG be properly described? Does one need a
> real-time programming language? There are hardware design languages,
> VHDL. Should FROG be described using these? I think we should
> await the answer from the designer of FROG rather than making
> speculations ourselves.
>
I expect him to agree with what he has said already as he is consistent.

--
---
Security by obscurity is a good description of bureaucratic spending.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 24 Oct 1998 03:31:06 GMT
From: dianelos@tecapro.com
Message-ID: <70rhlq$ock$1@nnrp1.dejanews.com>
References: <36305059.CAE8032F@stud.uni-muenchen.de> <jgfunj-2210981318390001@207.22.198.187>
Newsgroups: sci.crypt
Lines: 65

In article <36305059.CAE8032F@stud.uni-muenchen.de>,
  Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
> W T Shaw wrote:
> >
> > In article <362F34E7.118E41AC@stud.uni-muenchen.de>, Mok-Kong Shen
> > <mok-kong.shen@stud.uni-muenchen.de> wrote:
> > >
> > > dianelos@tecapro.com wrote:
> > > > For example, FROG cannot be represented with the traditional
> > > > hardware schematic; some algorithms can be represented more
> > > > elegantly with unstructured pseudocode filled with GOTOs. A cipher
> > > > is an algorithm - traditionally algorithms are described with
> > > > pseudo-code or even with documented code written in Pascal, Lisp,
> > > > C or some other well known language. I don't quite see why using C
> > > > to describe a cipher is a bad idea. Anyway, I am splitting hairs
> > >
> > > I don't quite catch your point. Does the sentence 'FROG cannot be ...'
> > > imply that it can't be described fully in C etc.?
> > >
> > I get his idea, that to predicate a description or demonstration to an
> > artificially restrictive set of circumstances might preclude the simplest
> > or the most meaningful one. Each media has its own built in
> > prejudices which might make things look harder than they are. I challenge
> > you to build a DES encryption machine with no electronics in it.
>
> Sorry that I don't yet understand. I thought what Dianelos wrote
> amounts to the following: FROG cannot be described with a program
> written in any of the currently used programming languages. But
> with what should FROG be properly described? Does one need a
> real-time programming language? There are hardware design languages,
> VHDL. Should FROG be described using these? I think we should
> await the answer from the designer of FROG rather than making
> speculations ourselves.

In my original post I mentioned two examples of cases where the traditional representation of an idea turns out not to be simplest. Mok-kong thought the two examples are related - they are not. Sorry for the ambiguity.

FROG cannot easily be represented by a hardware diagram because it uses key dependent addresses. Hardware diagrams have fixed data paths. In principle, of course, you can represent *any* algorithm either in C or as hardware diagram. Sometimes a hardware diagram is the better option. For example, it is easier to express a permutation using a hardware diagram rather than in C. In general it is easier to express concurrency with diagrams.

What representation you choose is not a trivial matter. If a cipher designer always works sketching diagrams, in praxis he will artificially limit the range of ideas that he will consider. Also, changing back and forth from one representation to another can be very useful sometimes. I recall how in school exams I had to solve geometry problems using only Euclidean reasoning. Well, I found out that I could often translate the problem into vector algebra, easily solve it in this representation, and then translate my proof, step by step, back into pure geometry.

--
http://www.tecapro.com  email: dianelos@tecapro.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 10:39:00 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510981039000001@dialup126.itexas.net>
References: <70rhlq$ock$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 21

In article <70rhlq$ock$1@nnrp1.dejanews.com>, dianelos@tecapro.com wrote:
>
> What representation you choose is not a trivial matter. If a cipher
> designer always works sketching diagrams, in praxis he will
> artificially limit the range of ideas that he will consider.
> Also, changing back and forth from one representation to another
> can be very useful sometimes. I recall how in school exams
> I had to solve geometry problems using only Euclidean reasoning.
> Well, I found out that I could often translate the problem into
> vector algebra, easily solve it in this representation, and then
> translate my proof, step by step, back into pure geometry.
>
Hook or crook means anything that works is open for use. Having to work things out solely by careful appearing and impressive sounding logic that may not be applicable to the real world is the essence of the scientific Greek Tragedy.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:56:39 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f23c.2025257@news.visi.com>
References: <70jr20$k0l$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 61

On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:

> I would rather not use the word "break" to describe the successful
> cryptanalysis of a cipher. If somebody found an attack against
> 3DES with 2^60 chosen plaintexts it would certainly be a great
> piece of cryptanalytic work but it would *not* mean that bank wire
> transfers could be BROKEN in any reasonable sense of the word.
> Again: if somebody found a way to compute the 3DES key with two
> known plaintexts and 15 seconds on a PC, how would we describe
> this attack - a "demolition" of 3DES or what? I think it would be
> better to say that a successful cryptanalysis discovered a
> weakness in a cipher. Any weakness can or should be mortal for a
> cipher, particularly if discovered with little effort or if that
> cipher can show no other advantages. Even so, the word "break" we
> should reserve for what the British did to the Enigma machine.

I agree that "break" is overused. No one will argue that most of the breaks in the literature are what some of us call "academic breaks": attacks that show theoretical weakness but cannot be used in real life to break operational traffic. Prudence, of course, teaches that if you have to choose between two ciphers, one with an academic break and one without, you choose the one without.

>> [...] Algorithms
>> posted to Internet newsgroups by unknowns won't get a second glance.
>
> My personal opinion is that in the future Internet newsgroups will
> be the most important medium for communicating ideas while peer
> reviewed publications, as we know them today, will be less and
> less important.

Not a chance. In a world where everyone is a publisher, editors become even more important.

>> 1. Describe your cipher using standard notation. This doesn't mean C
>> code. There is established terminology in the literature. Learn it
>> and use it; no one will learn your specialized terminology.
>
> I don't completely agree. A standard representation often
> restricts the group of ideas that can comfortably be expressed.
> For example, FROG cannot be represented with the traditional
> hardware schematic; some algorithms can be represented more
> elegantly with unstructured pseudocode filled with GOTOs. A cipher
> is an algorithm - traditionally algorithms are described with
> pseudo-code or even with documented code written in Pascal, Lisp,
> C or some other well known language. I don't quite see why using C
> to describe a cipher is a bad idea. Anyway, I am splitting hairs
> here. It is self-evident that a cipher should be described in a
> clear way and that no specialized terminology should be used when
> none is needed.

I disagree with your disagreement, but I expect it is a semantic distinction. "The established terminology in the literature" is not C code, assembly code, a hardware schematic, or any implementation language. The established terminology for cryptography is mathematics. I can describe FROG mathematically, and so can you.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 14:21:00 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3634773C.B78AB011@stud.uni-muenchen.de>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 21

Bruce Schneier wrote:
>
> On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:

> > here. It is self-evident that a cipher should be described in a
> > clear way and that no specialized terminology should be used when
> > none is needed.
>
> I disagree with your disagreement, but I expect it is a semantic
> distinction. "The established terminology in the literature" is not C
> code, assembly code, a hardware schematic, or any implementation
> language. The established terminology for cryptography is mathematics.
> I can describe FROG mathematically, and so can you.

I think that the economy of description decides to some extent which way of presentation is to be preferred. As far as I know, in mathematics one rarely (almost never) writes proofs in terms of formal logic calculus, because that, although more rigorous, is much more tedious.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:46:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a75a.2478727@news.io.com>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 72

On Mon, 26 Oct 1998 03:56:39 GMT, in <3633f23c.2025257@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>>> [...] Algorithms
>>> posted to Internet newsgroups by unknowns won't get a second glance.
>>
>> My personal opinion is that in the future Internet newsgroups will
>> be the most important medium for communicating ideas while peer
>> reviewed publications, as we know them today, will be less and
>> less important.
>
>Not a chance. In a world where everyone is a publisher, editors
>become even more important.

I recently posted a quote about this from the current IEEE Spectrum in another thread. Basically the idea is that the world is moving *away* from intermediaries who filter and decide for us, to the end-user (of clothes, of technical articles, etc.) surveying it all, and making the decision on what to select. One can argue how far this will go, but the time is past when somebody could just sit and wait for the articles to arrive and thus be assured of knowing the field.

>>> 1. Describe your cipher using standard notation. This doesn't mean C
>>> code. There is established terminology in the literature. Learn it
>>> and use it; no one will learn your specialized terminology.
>>
>> I don't completely agree. A standard representation often
>> restricts the group of ideas that can comfortably be expressed.
>> For example, FROG cannot be represented with the traditional
>> hardware schematic; some algorithms can be represented more
>> elegantly with unstructured pseudocode filled with GOTOs. A cipher
>> is an algorithm - traditionally algorithms are described with
>> pseudo-code or even with documented code written in Pascal, Lisp,
>> C or some other well known language. I don't quite see why using C
>> to describe a cipher is a bad idea. Anyway, I am splitting hairs
>> here. It is self-evident that a cipher should be described in a
>> clear way and that no specialized terminology should be used when
>> none is needed.
>
>I disagree with your disagreement, but I expect it is a semantic
>distinction. "The established terminology in the literature" is not C
>code, assembly code, a hardware schematic, or any implementation
>language. The established terminology for cryptography is mathematics.
>I can describe FROG mathematically, and so can you.

Sure, we can describe *any* logic machine mathematically, but why would one want to? If math is a great advantage in understanding logic machines, why are logic machines not generally described that way? Why? Because schematics can be clearer, that's why. And clarity in the presentation is exactly what we want.

Now, there are ciphers for which math is the appropriate description: Number-theoretic ciphers and so on. Math is at the heart of those ciphers, and governs how they work. To understand them, math is the appropriate notation.

Most symmetric designs, however, are not number-theoretic, nor do they have any coherent mathematical theory. Yes, one could cast them into math, but why? Without the underlying mathematical theory, where is the advantage? Indeed, translating the arbitrary machine from its design notation into another notation seems likely to hide the very issues on which the cipher is based, and those are exactly the issues which might be most important for analysis.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 10:56:20 +0000
From: Frank O'Dwyer <fod@brd.ie>
Message-ID: <3636F854.65C31548@brd.ie>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 16

Bruce Schneier wrote:
> On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:
> > My personal opinion is that in the future Internet newsgroups will
> > be the most important medium for communicating ideas while peer
> > reviewed publications, as we know them today, will be less and
> > less important.
>
> Not a chance. In a world where everyone is a publisher, editors
> become even more important.

I think the key phrase above is "peer reviewed publications, as we know them today". In a world where everyone can be a publisher, everyone can be an editor too.

Cheers,
Frank O'Dwyer.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 09:41:52 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <717afg$jir$1@quine.mathcs.duq.edu>
References: <3636F854.65C31548@brd.ie>
Newsgroups: sci.crypt
Lines: 25

In article <3636F854.65C31548@brd.ie>, Frank O'Dwyer <fod@brd.ie> wrote:
>Bruce Schneier wrote:
>> On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:
>> > My personal opinion is that in the future Internet newsgroups will
>> > be the most important medium for communicating ideas while peer
>> > reviewed publications, as we know them today, will be less and
>> > less important.
>>
>> Not a chance. In a world where everyone is a publisher, editors
>> become even more important.
>
>I think the key phrase above is "peer reviewed publications, as we know
>them today". In a world where everyone can be a publisher, everyone can
>be an editor too.

Which implies that the value of good, worthwhile editing will continue to climb, just as the value of good *writing* has been climbing since the development of the Internet.

I suspect that peer-reviewed publications have become more and more important over the last 20 years as information channels, as the informal channels (e.g. Karp, p.c.) have gotten more and more clogged by garbage.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 18:32:40 GMT
From: aquiranx@goliat.ugr.es (Gurripato (x=nospam))
Message-ID: <36375758.26994734@news.cica.es>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 13

On Mon, 26 Oct 1998 03:56:39 GMT, schneier@counterpane.com (Bruce Schneier) wrote:

>I agree that "break" is overused. No one will argue that most of the
>breaks in the literature are what some of us call "academic breaks":
>attacks that show theoretical weakness but cannot be used in real life
>to break operational traffic. Prudence, of course, teaches that if
>you have to choose between two ciphers, one with an academic break and
>one without, you choose the one without.
>

How would you then best describe Dobbertin's attack on the compression function of MD5? Does it go all the way to demolition, plain break, or just academic break?
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 11:16:48 GMT
From: sjmz@hplb.hpl.hp.com (Stefek Zaba)
Message-ID: <F1HGo1.GIC@hplb.hpl.hp.com>
References: <jgfunj-2210981318390001@207.22.198.187> <362F34E7.118E41AC@stud.uni-muenchen.de> <70jr20$k0l$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 23

In sci.crypt, W T Shaw (jgfunj@EnqvbSerrGrknf.pbz) wrote:
>
> I get his idea, that to predicate a description or demonstration to an
> artificially restrictive set of circumstances might preclude the simplest
> or the most meaningful one. Each media has its own built in
> prejudices which might make things look harder than they are. I challenge
> you to build a DES encryption machine with no electronics in it.
>
OK: consider a city full of Chinese people, rigorously following written instructions on the handling of small (8-byte, to be concrete) amounts of information in particular systematic ways. (Yes, a group of individuals running round with an internal monologue which if dragged first from mentalese to Cantonese and thus to English might be rendered as "I'm an S-box! I'm an S-box!", "I'm a transposer! I'm a transposer!", and the like.) They pass the outputs of their rule-following to designated, possibly conditionally-different, individuals. Such a small city can compute DES encryptions/decryptions without a semiconductor in sight.

And that estimable Mr Searle will explain why each of them must be shot after performing their role more than a few times, as they now understand not only block cipher design but the content of the encrypted message :-)

Cheerski, Stefek "I Was A Chinese Sex Slave" Z
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 23:31:33 GMT
From: mr.i.o.yankle@anagrams.r.us (Mr. I. O. Yankle)
Message-ID: <362fbdbc.162209710@news.alt.net>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 8

When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it to gain immediate acceptance on sci.crypt and to even gain the status of "required reading". I still hope that this will be the case, but I can see now that it will take some time.

--
"Mr. I. O. Yankle" better known as 0279.654831@mail.serve.com.
 01 2 3 456789 <- Use this key to decode my email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 21:41:08 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210982141230001@207.101.116.111>
References: <362fbdbc.162209710@news.alt.net>
Newsgroups: sci.crypt
Lines: 20

In article <362fbdbc.162209710@news.alt.net>, mr.i.o.yankle@anagrams.r.us (Mr. I. O. Yankle) wrote:

> When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's
> CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it
> to gain immediate acceptance on sci.crypt and to even gain the status of
> "required reading". I still hope that this will be the case, but I can see
> now that it will take some time.

It could be that what is so clearly true and sensible to you is not necessarily so. Indeed, many of the thoughts have been expressed before. It is rather that the devil is as always in the details, and the audience here is not immune to nit picking at generalizations which are best accepted by those who know little or nothing about the subject. Such popularistic wisdom is best spent elsewhere.

--
---
Passing a budget with obscure items is bad; preventing government payment for birth control while authorizing millions for viagra lets us focus on the hard facts of prevalent sexism.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:45:49 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a72a.2430860@news.io.com>
References: <362fbdbc.162209710@news.alt.net>
Newsgroups: sci.crypt
Lines: 35

On Thu, 22 Oct 1998 23:31:33 GMT, in <362fbdbc.162209710@news.alt.net>, in sci.crypt mr.i.o.yankle@anagrams.r.us (Mr. I. O. Yankle) wrote:

>When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's
>CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it
>to gain immediate acceptance on sci.crypt and to even gain the status of
>"required reading". I still hope that this will be the case, but I can see
>now that it will take some time.

I would hope that anyone reading Schneier's article would recognize that it is seriously flawed in many ways. Here are some interesting points from the article:

* Someone with a good idea and presentation will have trouble getting published if they are not part of "the crypto clique."

* The way to handle those with less knowledge is to demonstrate how much smarter we are so they will go away.

* Extensive cryptanalysis can prove cipher strength.

From a whole list of appalling ideas, this last is perhaps the most breathtaking, as it goes to the fundamental basis of modern cryptography by a renowned expert in the field.

Perhaps you should review my response of Tue, 20 Oct 1998 00:40:21 GMT in message id 362bdbc6.3212829@news.io.com.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 02:36:58 GMT
From: kery.minola@anagrams.r.us (Kery Minola)
Message-ID: <36352680.84964040@news.gate.net>
References: <3634a72a.2430860@news.io.com>
Newsgroups: sci.crypt
Lines: 58

ritter@io.com (Terry Ritter) wrote:

>I would hope that anyone reading Schneier's article would recognize
>that it is seriously flawed in many ways. Here are some interesting
>points from the article:

>* Someone with a good idea and presentation will have trouble getting
>published if they are not part of "the crypto clique."

Bruce Schneier's article does not mention a "clique", perhaps that's your term for the scientific community. That you must show that you know what you're talking about before people will listen to you is a fact of life. He merely reported it.

>* The way to handle those with less knowledge is to demonstrate how
>much smarter we are so they will go away.

The way to handle those with less knowledge is to show them how much they have yet to learn and to point the way.

>* Extensive cryptanalysis can prove cipher strength.

I had no problem understanding what he meant. He meant that extensive cryptanalysis of a cipher is the best evidence of strength that you can hope for.

>From a whole list of appalling ideas, this last is perhaps the most
>breathtaking, as it goes to the fundamental basis of modern
>cryptography by a renowned expert in the field.

Here's what he said:

>What is hard is creating an algorithm that no one else can break, even
>after years of analysis. And the only way to prove that is to subject
>the algorithm to years of analysis by the best cryptographers around.

You are really grasping at straws if you are trying to pin him down to the literal, mathematical meaning of "prove". Are you suggesting that Bruce Schneier is totally oblivious to the weekly sci.crypt discussions about how the O.T.P. is the only provably secure cipher? Obviously he meant "prove" in the everyday sense of "beyond a reasonable doubt".

>Perhaps you should review my response of Tue, 20 Oct 1998 00:40:21 GMT
>in message id 362bdbc6.3212829@news.io.com.

Yes, I read that message as well. My impression is that the amateur cryptologists here are currently in denial of what they know is true. In time, I believe the document "Memo to the Amateur Cipher Designer" will become a handy countermeasure to use against the annoying posts of gibberish that we see here, which are always accompanied by an arrogant challenge to break the code. It's the truth. Face it and embrace it!

--
"Kery Minola" better known as 4501.693872@mail.serve.com.
 0123 456789 <- Use this key to decode my email address.
5 X 5 Poker - http://www.serve.com/games/
Subject: Re: Memo to the Amateur Cipher Designer
Date: 27 Oct 1998 04:04:19 GMT
From: caj@baker.math.niu.edu (Xcott Craver)
Message-ID: <713go3$ora$1@gannett.math.niu.edu>
References: <3634a72a.2430860@news.io.com>
Newsgroups: sci.crypt
Lines: 26

Terry Ritter <ritter@io.com> wrote:
>
>I would hope that anyone reading Schneier's article would recognize
>that it is seriously flawed in many ways. Here are some interesting
>points from the article:
>
>* Someone with a good idea and presentation will have trouble getting
>published if they are not part of "the crypto clique."

Well, they say that every reading is a misreading. Not only did the memo NOT say this, but it outlined how to get one's foot in the door via publishing attacks. I can verify that this strategy works like a charm.

Publishing is not easy or perfect, but the accusation of an entrenched scientific clique is the stuff of UFO cover-up theories, creationism and flawed proofs of Fermat's last theorem.

>* Extensive cryptanalysis can prove cipher strength.

!!! It's obvious that the memo did not mean "prove" in the strict mathematical sense, but in the empirical sense. Cryptography being a science, I don't exactly see anything wrong with using the SCIENTIFIC METHOD.

-Caj
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 05:59:54 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36356103.9BC3B1FA@null.net>
References: <713go3$ora$1@gannett.math.niu.edu>
Newsgroups: sci.crypt
Lines: 15

Xcott Craver wrote:
> !!! It's obvious that the memo did not mean "prove" in the
> strict mathematical sense, but in the empirical sense.

The trouble is, with cryptography the protected message seems absolutely secure against eavesdropping, until a cryptanalytic breakthrough occurs, after which it is horribly insecure. The "empirical proof" means very little since it can't allow for the eavesdropper's cryptanalytic abilities.

> Cryptography being a science, I don't exactly see anything
> wrong with using the SCIENTIFIC METHOD.

There is a huge difference between studying nature and analyzing products of the mind of man.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 27 Oct 1998 19:05:14 GMT
From: caj@baker.math.niu.edu (Xcott Craver)
Message-ID: <7155ha$nt3$1@gannett.math.niu.edu>
References: <36356103.9BC3B1FA@null.net>
Newsgroups: sci.crypt
Lines: 25

Douglas A. Gwyn <DAGwyn@null.net> wrote:
>Xcott Craver wrote:
>
>> Cryptography being a science, I don't exactly see anything
>> wrong with using the SCIENTIFIC METHOD.
>
>There is a huge difference between studying nature and
>analyzing products of the mind of man.

Are you suggesting that we should use something other than the scientific method? Nobody claims that basing a conclusion on empirical evidence is perfect, or even safe; but what alternative?

Further, whether or not mathematical constructs are "the products of the mind of man" has been debated, hotly, for as long as there have been philosophers. Mathematical realists would consider the study of ciphers literally the study of the universe around us --- just the intangible part of the universe.

Finally, why on Earth should the scientific method be disqualified in the case of studying the products of the human mind? Do you know something that all the psychologists in the world don't?
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 20:50:22 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2710982050220001@dialup146.itexas.net>
References: <7155ha$nt3$1@gannett.math.niu.edu>
Newsgroups: sci.crypt
Lines: 42

In article <7155ha$nt3$1@gannett.math.niu.edu>, caj@baker.math.niu.edu (Xcott Craver) wrote:
> Douglas A. Gwyn <DAGwyn@null.net> wrote:
> >Xcott Craver wrote:
> >
> >> Cryptography being a science, I don't exactly see anything
> >> wrong with using the SCIENTIFIC METHOD.
> >
> >There is a huge difference between studying nature and
> >analyzing products of the mind of man.
>
> Are you suggesting that we should use something other than the
> scientific method? Nobody claims that basing a conclusion
> on empirical evidence is perfect, or even safe; but what
> alternative?
>

Science uses lots of methods, including one actually called *the scientific method*. To demand a single route to the truth is to prejudice against truths that may not so conform to that path. This is the essence of what is wrong with what Bruce advocates, which is the same old tired argument we have heard for ages.

Sophisticated groups, like individuals, can be entirely wrong. To use popularity and acceptance as measures to oppose the introduction of new ideas moves from scientific humility to politics, which is seldom a friend to basic science.

You must realize your own prejudices before you can be worthy of judging the motives of others; you should be ready to accept good data, even if it conflicts with that which you have previously accepted. If anyone really is on a search for truth, they will not press artificial hurdles in anyone's way.

This means that informal means should not be ignored, because formalism by definition tends to be prejudicial and self-serving, rationalizing the importance of its own existence. It even causes well-meaning people to lose their handle on what science is all about, if they ever considered finding truth as a lofty imperative.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 98 05:50:37 GMT
From: rigoleto@table.jps.net (Mike Zorn)
Message-ID: <3636b0ad.0@blushng.jps.net>
References: <jgfunj-2710982050220001@dialup146.itexas.net>
Newsgroups: sci.crypt
Lines: 17

W T Shaw (jgfunj@EnqvbSerrGrknf.pbz) wrote:
: In article <7155ha$nt3$1@gannett.math.niu.edu>, caj@baker.math.niu.edu
: (Xcott Craver) wrote:
: > Douglas A. Gwyn <DAGwyn@null.net> wrote:
: > >Xcott Craver wrote:
: > >> Cryptography being a science, I don't exactly see anything
: > >> wrong with using the SCIENTIFIC METHOD.
: > >There is a huge difference between studying nature and
: > >analyzing products of the mind of man.
: > Are you suggesting that we should use something other than the
: > scientific method? Nobody claims that basing a conclusion
: > on empirical evidence is perfect, or even safe; but what
: > alternative?

As an example, the benzene ring was not discovered by the 'scientific method'. (On the other hand, we can't all be Kekule.) The SM is a powerful tool, and it is quite useful - it's just not the only one.

Mike Zorn
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 17:09:04 GMT
From: stefekz@netcom.com (Stefek Zaba)
Message-ID: <stefekzF1Jrn4.HGK@netcom.com>
References: <3636b0ad.0@blushng.jps.net>
Newsgroups: sci.crypt
Lines: 23

Mike Zorn (rigoleto@table.jps.net) wrote:
: As an example, the benzene ring was not discovered by the 'scientific
: method'. (on the other hand, we can't all be Kekule.) The SM is a powerful
: tool, and it is quite useful - it's just not the only one.

Kekule's *intuition* about a possible structure for benzene may be implausible to explain as a deductive process: however, the observational data which K was trying to explain, and subsequent observations on the behaviour of benzene, *are* applications of "the scientific method". Were Kekule doing abstract drawing, he could doodle a hexagon with thickened vertices, and leave appreciation to the aesthetic sense of his intended audience: but as a falsifiable hypothesis about the structure of a benzene molecule, such a sketch must also agree with observed data.

Similarly, you, I, or my cat can come up with a block cipher design, and can call it "elegant", "minimal", "beautiful", "secure", or "toffee-flavoured". As an act of private creation it's an interesting artefact. But if we want it to be used, either in practice or as a case study of potential design principles, we must expect that design to be subjected to inspection, testing, analysis, attack, and other procedures which play the role of "observations".

Cheers, Stefek
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 19:12:39 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <36376c92.5645084@news.io.com>
References: <stefekzF1Jrn4.HGK@netcom.com>
Newsgroups: sci.crypt
Lines: 34

On Wed, 28 Oct 1998 17:09:04 GMT, in <stefekzF1Jrn4.HGK@netcom.com>, in sci.crypt stefekz@netcom.com (Stefek Zaba) wrote:

>[...]
>Similarly, you, I, or my cat can come up with a block cipher design, and
>can call it "elegant", "minimal", "beautiful", "secure", or "toffee-flavoured".
>As an act of private creation it's an interesting artefact. But if we want
>it to be used, either in practice or as a case study of potential design
>principles, we must expect that design to be subjected to inspection, testing,
>analysis, attack, and other procedures which play the role of "observations".

Note, however, that cryptographic "observations" do not have the same flavor as the usual scientific investigation: The thing we wish to show -- strength -- cannot be shown by observation, and also cannot be proven as a result of observations.

In normal science we innovate experiments to prove a result and get a new fact. In cryptography, we innovate experiments to prove a failure, and with a lack of failure we somehow leap to a conclusion of strength. This is a faulty leap.

Crucially, the inability to break a cipher after much effort says nothing about its "real" strength. Indeed, the conclusion of strength after analysis is *so* faulty that an old, well-accepted cipher could in fact be weaker than a new cipher with an obvious break. Even a broken new cipher could in fact be the better choice.

Not being able to know strength is *really* not being able to know, and that is what we have.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 23:48:40 GMT
From: dscott@networkusa.net
Message-ID: <718ago$r61$1@nnrp1.dejanews.com>
References: <stefekzF1Jrn4.HGK@netcom.com>
Newsgroups: sci.crypt
Lines: 35

In article <stefekzF1Jrn4.HGK@netcom.com>, stefekz@netcom.com (Stefek Zaba) wrote:
> Mike Zorn (rigoleto@table.jps.net) wrote:
> ...
> Similarly, you, I, or my cat can come up with a block cipher design, and
> can call it "elegant", "minimal", "beautiful", "secure", or "toffee-flavoured".
> As an act of private creation it's an interesting artefact. But if we want
> it to be used, either in practice or as a case study of potential design
> principles, we must expect that design to be subjected to inspection, testing,
> analysis, attack, and other procedures which play the role of "observations".
>
> Cheers, Stefek
>

Actually, if you come up with a good cipher you will not get it tested, since they try to keep the rank of phony experts quite small. They may toss a bone from their high perch by decrypting some easy old stuff, but if it is good they will steal it, modify it a little and try to take the credit for themselves. When did the experts start talking about all-or-nothing crypto? Not too long ago, was it?

I have been told BS Bruce hates my guts. He can joke about my code but I am a thorn in his side. He would show that it is easy to break mine if he could. The facts are he and his clan can't. But they may post some babble one of these days to confuse the masses.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 05:43:00 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <3636AE8A.4BC508A4@null.net>
References: <7155ha$nt3$1@gannett.math.niu.edu>
Newsgroups: sci.crypt
Lines: 37

Xcott Craver wrote:
> Douglas A. Gwyn <DAGwyn@null.net> wrote:
> >Xcott Craver wrote:
> >
> >> Cryptography being a science, I don't exactly see anything
> >> wrong with using the SCIENTIFIC METHOD.
> >There is a huge difference between studying nature and
> >analyzing products of the mind of man.
> Are you suggesting that we should use something other than the
> scientific method?

Sure. Merriam-Webster's Collegiate Dictionary says:

scientific method n (1854): principles and procedures for the systematic pursuit of knowledge involving the recognition and formulation of a problem, the collection of data through observation and experiment, and the formulation and testing of hypotheses.

This clearly is an empirical method (observation and experiment) and so is less relevant to mathematical disciplines than it is to physical science. In other words, the so-called "scientific method" is but one tool in our epistemological arsenal and ought not to be applied where it is ineffective.

> Further, whether or not mathematical constructs are
> "the products of the mind of man" has been debated, hotly,
> for as long as there have been philosophers.

Yeah, but the Platonists are wrong.

> Finally, why on Earth should the scientific method be
> disqualified in the case of studying the products of the human
> mind? Do you know something that all the psychologists in the
> world don't?

That would be no great trick.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 17:15:07 GMT
From: caj@baker.math.niu.edu (Xcott Craver)
Message-ID: <717jer$3c2$1@gannett.math.niu.edu>
References: <3636AE8A.4BC508A4@null.net>
Newsgroups: sci.crypt
Lines: 36

Douglas A. Gwyn <DAGwyn@null.net> wrote:
>Xcott Craver wrote:
>>
>> Are you suggesting that we should use something other than the
>> scientific method?
>
>Sure. Merriam-Webster's Collegiate Dictionary says:
[...]
>This clearly is an empirical method (observation and experiment)
>and so is less relevant to mathematical disciplines than it is to
>physical science.

Well, so what do you suggest as an alternative? Remember, this was about how one decides to trust a cipher as "secure." The empirical method is to pick one most resistant to analysis. Your suggestion?

>> Further, whether or not mathematical constructs are
>> "the products of the mind of man" has been debated, hotly,
>> for as long as there have been philosophers.
>
>Yeah, but the Platonists are wrong.

Care to explain why, and put half the philosophy faculty in the world out of business? 'Sides, I'm talking about mathematical Realism. Slightly different from Platonism, and a LARGE number of mathematicians are realists.

Surely you're a smart guy, especially if you know a better way to judge a cipher's security other than empirically, but you're implicitly declaring yourself smarter than a large number of people. Call me an empiricist, but I'd like to see some data.

-Caj
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 08:23:05 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <716k99$gqm$1@news.umbc.edu>
References: <3634a72a.2430860@news.io.com>
Newsgroups: sci.crypt
Lines: 67

Terry Ritter wrote:
: Mr. I. O. Yankle wrote:
: >When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's
: >CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it
: >to gain immediate acceptance on sci.crypt and to even gain the status of
: >"required reading".

Absolutely. I agreed with Mr. Ritter on one point, but clearly Bruce got at least a 95%.

: I would hope that anyone reading Schneier's article would recognize
: that it is seriously flawed in many ways. Here are some interesting
: points from the article:

: * Someone with a good idea and presentation will have trouble getting
: published if they are not part of "the crypto clique."

That's not really what he said. He recommended beginning with cryptanalysis which is more likely to be publishable than designs. Note that he said most conferences and workshops won't accept design from unknowns "without extensive analysis". The only unfairness is the suggestion that the same forums present designs from established experts without extensive analysis.

: * The way to handle those with less knowledge is to demonstrate how
: much smarter we are so they will go away.

That's not in Bruce's paper.

: * Extensive cryptanalysis can prove cipher strength.

Again, what you're saying isn't what Bruce said, and I think you know it. Bruce wrote:

    What is hard is creating an algorithm that no one else can break,
    even after years of analysis. And the only way to prove that is to
    subject the algorithm to years of analysis by the best cryptographers
    around.

No one claimed that failure to break a cipher results in some kind of mathematical theorem saying it's strong. What Bruce did say is the _only_ way we can know a cipher stands up to years of cryptanalysis by actually subjecting it to years of cryptanalysis.

: From a whole list of appalling ideas, this last is perhaps the most
: breathtaking, as it goes to the fundamental basis of modern
: cryptography by a renowned expert in the field.

You can misinterpret it or whine about it all you want, but what Bruce actually wrote is true.

: Perhaps you should review my response of Tue, 20 Oct 1998 00:40:21 GMT
: in message id 362bdbc6.3212829@news.io.com.

Or perhaps you should go back and read the memo. There are clues in it for you.

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: 26 Oct 1998 10:57:43 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <71265n$sbd$1@quine.mathcs.duq.edu>
References: <jgfunj-2610980949060001@dialup165.itexas.net> <711sa1$f74$5@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 28

In article <jgfunj-2610980949060001@dialup165.itexas.net>, W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote:
>In article <711sa1$f74$5@korai.cygnus.co.uk>, aph@cygnus.remove.co.uk
>(Andrew Haley) wrote:
>>
>> I don't see the relevance of this. The best evidence of a
>> one-year-old's thinking is the way in which they communicate.
>>
>The question of whether language is necessary for complex thought is one
>of ongoing debate and research; it is not simply answered. Some would
>jump to the conclusion that problem solving could not exist in isolation.
>I've been around too many animals that learned, even wild ones where
>instinct could not be blamed for resulting elaborate behavior.

It's also completely irrelevant to the discussion at hand, unless one is suggesting that one's goldfish is the designer of a cryptographic algorithm.

Whether ``language'' and ``complex thought'' are separable in the abstract is one question -- but in practical terms, every human is capable of both and usually does both at the same time. It's quite reasonable to use a person's ability to write clearly as a gauge for his/her ability to *think* clearly, given the observed high correlation between the two.

The actual statistics of correlation are left as an exercise to be pulled out of any Psychology 101 textbook. They're out there, believe me.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 16:56:18 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3635ED22.2F970FC3@stud.uni-muenchen.de>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 113

Bruce Schneier wrote:
>
> This was in the October CRYPTO-GRAM, but I thought I'd run it through
> sci.crypt, since so many people seem to be asking questions on the
> topic.

The present thread is the biggest one I have ever seen in this group. After reading so many interesting viewpoints (maybe I missed some, due to the sheer volume), I would like to also contribute a tiny little bit to the original theme of Bruce Schneier.

In all fields of knowledge (including handcrafts) there are professionals and amateurs; the one group can't exist (by definition) without the other. There are two kinds of people, those who like to be professionals and those who like to be amateurs, though those who like to be professionals necessarily have to start in the status of amateurs (or more appropriately apprentices). Becoming a professional has certain essential benefits, financial as well as social. That's what attracts people of the first group. But people of the second group envisage other (individually different) advantages (of being amateurs). To use an analogy, a grandma may hate to learn and work as the star cook of the best-known restaurant but instead prefer to see her grandchildren enjoy her simple country dishes. In sport, Olympic participants are amateurs, while big money and spectacles are reserved for distinguished names like Boris and Steffi. Thus, professionals and amateurs co-exist and, I believe, should be able to co-exist peacefully, with each group profiting from the existence of the other. (In crypto, without the professionals the amateurs would lack general orientation for their endeavor and without the amateurs the would-be professionals (apprentices) wouldn't find the weak cryptos, the cracking of which constitutes the credentials for their ascension.)

Bruce Schneier has described a route for a would-be professional to proceed from the current amateur status to the future professional status. Though this may be argued to be not the single possible route, I am sure that he has shown the most common and proper route. In fact the only way, for example, to become the world champion of boxing is to knock down every other competitor. There is no reason why things should be different in cryptology. If a cryptologist cracks all reputedly hard cryptos and nobody cracks his, he is duly the master and deserves a tenure.

However, I think it is correct to say that not all practical applications need the strongest crypto, not to mention that the very concept of the strength of crypto is subject to debate. Most secrets need not be kept very long, whether civil, military or political. On the other hand really unbreakable ciphers exist only in theory, if I don't err. Hence there is a wide spectrum of encryption algorithms conceivable, some strong, others weak, yet all applicable provided that they are used under the appropriate circumstances. Not always is the strongest crypto indicated. The best crypto may be unavailable due to patents, high cost, export restriction and crypto regulations, etc. etc. In such cases one has to look for comparatively weak cryptos.

With possible rare exceptions, amateurs can't compete with professionals. This is true in all fields. It follows that the design of the strongest ciphers is in a sense reserved for the professional cryptologists. But that certainly doesn't preclude amateurs bringing forth good ciphers or even novel ideas. The critical issue is how this can happen in as favourable a manner as possible.

Being an amateur (a very humble one, due to my poor knowledge in the field) and on the assumption that the majority of participants in this group are amateurs (at least in the sense of Bruce Schneier), I venture to make a few suggestions that could be useful.

1. Often discussions in the group are less subject-oriented but carry a certain portion of sentiments. This is common in almost all internet groups I know of. However, this widening of the bandwidth tends to render the material less interesting, perhaps even boring, for the professionals, with the consequence that they wouldn't subscribe to the group and we have thus less chance to get valuable comments and critiques from them. Hence I would like to suggest that general attention be paid to arguing sharply and unambiguously without 'side-tracking' etc.

2. It appears that materials (documents) presented are often either difficult to understand or very incomplete (lacking details). This is at least my personal impression in trying recently to learn from two algorithms by authors of this group. A better documentation would facilitate the exchange of ideas, promote the spread of knowledge and thus further the progress of the group as a whole.

3. In the modern world a single person has only little chance of achieving very much. Collaboration is on the other hand highly effective in obtaining success. Dianelos mentioned recently that he once intended to initiate a collective design in our group of a cipher starting from an idea of his. I believe that our group has enough potential to indeed successfully carry out such projects, provided that these are appropriately managed in some way. Eventually the heatedly debated opinions of the professionals on amateurs as exemplified by the Memo of Bruce Schneier could get modified.

I have yet some other thoughts. However, since these are related to or in the same direction as the above, I believe it's better that I cut short and await discussions (or flames).

M. K. Shen
------------------------------------------------------
M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany
+49 (89) 831939 (6:00 GMT)
mok-kong.shen@stud.uni-muenchen.de
http://www.stud.uni-muenchen.de/~mok-kong.shen/
----------------------------------------------
The words of a man's mouth are as deep waters, and the wellspring of wisdom as a flowing brook. (Proverbs 18:4)
A little that a righteous man hath is better than the riches of many wicked. (Psalms 37:16)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 21:02:07 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36363316.8304318@news.visi.com>
References: <3635ED22.2F970FC3@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 69

On Tue, 27 Oct 1998 16:56:18 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

I agree with your distinction between amateurs and professionals, and agree that there is room for both in cryptography. I don't think, though, that my comments only applied to those who wanted to become professionals. They applied to those who wanted to become good. Whether they choose cryptography as a vocation or an avocation is not particularly relevant.

>However, I think it is correct to say that not all practical
>applications need the strongest crypto, not to mention that the very
>concept of the strength of crypto is subject to debate. Most secrets
>need not be kept very long, whether civil, military or political. On
>the other hand really unbreakable ciphers exist only in theory, if I
>don't err. Hence there is a wide spectrum of encryption algorithms
>conceivable, some strong, others weak, yet all applicable provided
>that they are used under the appropriate circumstances. Not always
>is the strongest crypto indicated. The best crypto may be unavailable
>due to patents, high cost, export restriction and crypto regulations,
>etc. etc. In such cases one has to look for comparatively weak cryptos.

While it is true that not every application needs strong cryptography, this does not mean that these applications should look towards weak cryptography. Unlike physical locks on physical doors, weaker cryptographic algorithms are not cheaper. They are not faster, don't take up less code, don't use less RAM, etc. There are certainly exceptions--the identity cipher being the most flagrant example--but in general strong cryptography is no more expensive than weak cryptography. Hence, it makes sense to use the strongest cryptography possible, regardless of the threat model.

>With possible rare exceptions, amateurs can't compete with
>professionals. This is true in all fields. It follows that the design
>of the strongest ciphers is in a sense reserved for the professional
>cryptologists. But that certainly doesn't preclude amateurs bringing
>forth good ciphers or even novel ideas. The critical issue is how this
>can happen in as favourable a manner as possible.

I think cryptography is one of the few branches of mathematics where the amateur can definitely compete with the professional. The field is so new that anyone can learn the literature and contribute. There are so many conferences and workshops that there are places for any quality piece of research. There are a lot of amateurs out there doing cryptography research, and many graduate students in cryptography started out that way.

>3. In the modern world a single person has only little chance of
> achieving very much. Collaboration is on the other hand highly
> effective in obtaining success. Dianelos mentioned recently that
> he once intended to initiate a collective design in our group of
> a cipher starting from an idea of his. I believe that our group
> has enough potential to indeed successfully carry out such projects,
> provided that these are appropriately managed in some way.
> Eventually the heatedly debated opinions of the professionals on
> amateurs as exemplified by the Memo of Bruce Schneier could get
> modified.

This is an interesting thought. I don't believe a collaborative design process would work at all--it's just too easy to propose ideas without really knowing how good they are--a collaborative cryptanalysis could be very interesting. Is there an interest in finding an algorithm and, as a group, cryptanalyzing it?

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 20:56:40 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2710982056400001@dialup146.itexas.net>
References: <36363316.8304318@news.visi.com>
Newsgroups: sci.crypt
Lines: 19

In article <36363316.8304318@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
> I think cryptography is one of the few branches of mathematics where
> the amateur can definitely compete with the professional. The field
> is so new that anyone can learn the literature and contribute. There
> are so many conferences and workshops that there are places for any
> quality piece of research. There are a lot of amateurs out there
> doing cryptography research, and many graduate students in
> cryptography started out that way.

This means more than the *Memo* you posted. What you said above suggests the importance of diversity of method and manner which is opposed to the message of the Memo.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 21:04:20 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2710982104200001@dialup146.itexas.net>
References: <36363316.8304318@news.visi.com>
Newsgroups: sci.crypt
Lines: 41

In article <36363316.8304318@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
> On Tue, 27 Oct 1998 16:56:18 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>
> .... I think it is correct to say that not all practical
> >applications need the strongest crypto, not to mention that the very
> >concept of the strength of crypto is subject to debate. Most secrets
> >need not be kept very long, whether civil, military or political. On
> >the other hand really unbreakable ciphers exist only in theory, if I
> >don't err. Hence there is a wide spectrum of encryption algorithms
> >conceivable, some strong, others weak, yet all applicable provided
> >that they are used under the appropriate circumstances. Not always
> >is the strongest crypto indicated. The best crypto may be unavailable
> >due to patents, high cost, export restriction and crypto regulations,
> >etc. etc. In such cases one has to look for comparatively weak cryptos.
>
> While it is true that not every application needs strong cryptography,
> this does not mean that these applications should look towards weak
> cryptography. Unlike physical locks on physical doors, weaker
> cryptographic algorithms are not cheaper. They are not faster,
> don't take up less code, don't use less RAM, etc. There are certainly
> exceptions--the identity cipher being the most flagrant example--but
> in general strong cryptography is no more expensive than weak
> cryptography. Hence, it makes sense to use the strongest
> cryptography possible, regardless of the threat model.

I agree that strong crypto is desirable, but how you get there is most important. Experience with a weaker version of an algorithm can teach you many things.

If true scalable algorithms are involved, it remains the question of how strong you want some implementation to be, always being able to make it infinitely stronger. There might be a twilight zone between weak and strong with a scalable algorithm; it all depends on how you define these terms.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 11:59:03 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3636F8F7.F8287D6B@stud.uni-muenchen.de>
References: <36363316.8304318@news.visi.com>
Newsgroups: sci.crypt
Lines: 53

Bruce Schneier wrote:
>
> On Tue, 27 Oct 1998 16:56:18 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
............................
>
> I agree with your distinction between amateurs and professionals, and
> agree that there is room for both in cryptography. I don't think,
> though, that my comments only applied to those who wanted to become
> professionals. They applied to those who wanted to become good.
> Whether they choose cryptography as a vocation or an avocation is not
> particularly relevant.

Good knowledge of techniques of analysis is certainly indispensable and I suppose everyone knows that, but your Memo seems to imply that no one should publish anything before he publishes successful analysis of some (presumably good, known) algorithms. Now such algorithms are limited in number. The easier jobs have probably already all been discovered by the more capable professionals and done earlier, leaving the newcomers little chance. Thus I think the requirement of proving one's 'better' analysis capability is suppressive for novel design ideas from coming up.

>
> >However, I think it is correct to say that not all practical
> >applications need the strongest crypto, not to mention that the very
> >concept of the strength of crypto is subject to debate. Most secrets
> >need not be kept very long, whether civil, military or political. On
> >the other hand really unbreakable ciphers exist only in theory, if I
> >don't err. Hence there is a wide spectrum of encryption algorithms
> >conceivable, some strong, others weak, yet all applicable provided
> >that they are used under the appropriate circumstances. Not always
> >is the strongest crypto indicated. The best crypto may be unavailable
> >due to patents, high cost, export restriction and crypto regulations,
> >etc. etc. In such cases one has to look for comparatively weak cryptos.
>
> While it is true that not every application needs strong cryptography,
> this does not mean that these applications should look towards weak
> cryptography. Unlike physical locks on physical doors, weaker
> cryptographic algorithms are not cheaper. They are not faster,
> don't take up less code, don't use less RAM, etc. There are certainly
> exceptions--the identity cipher being the most flagrant example--but
> in general strong cryptography is no more expensive than weak
> cryptography. Hence, it makes sense to use the strongest
> cryptography possible, regardless of the threat model.

Maybe I misunderstood you. But I don't see essential points of disagreement between us in this respect. (Compare our two last sentences.)

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 15:32:00 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36373706.886670@news.visi.com>
References: <3636F8F7.F8287D6B@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 53

On Wed, 28 Oct 1998 11:59:03 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>Good knowledge of techniques of analysis is certainly indispensable
>and I suppose everyone knows that, but your Memo seems to imply that
>no one should publish anything before he publishes successful analysis
>of some (presumably good, known) algorithms. Now such algorithms are
>limited in number. The easier jobs have probably already all been
>discovered by the more capable professionals and done earlier, leaving
>the newcomers little chance. Thus I think the requirement of proving
>one's 'better' analysis capability is suppressive for novel design
>ideas from coming up.

And I meant my memo to imply that: people who have not demonstrated their ability to break algorithms are unlikely to develop algorithms that cannot easily be broken.

I don't believe the easier jobs have all been taken. Two designs from FSE 97 were easily broken in FSE 98. Three AES designs were easily broken, and there have been small weaknesses found in a few others. There are designs posted on sci.crypt regularly that can be broken without developing any new cryptanalytic techniques. In my "Self-Study Course" I listed some algorithms that no one has bothered analyzing yet. There are commercial designs--all the digital cellular algorithms, the Firewire algorithms, etc--that should be looked at. There are Ritter's designs. Any of these algorithms could potentially be cryptanalyzed by amateurs. The easier jobs are not all taken, precisely because there are so many of them.

>> >The best crypto may be unavailable
>> >due to patents, high cost, export restriction and crypto regulations,
>> >etc. etc. In such cases one has to look for comparatively weak cryptos.
>
>>There are certainly
>> exceptions--the identity cipher being the most flagrant example--but
>> in general strong cryptography is no more expensive than weak
>> cryptography. Hence, it makes sense to use the strongest
>> cryptography possible, regardless of the threat model.
>
>Maybe I misunderstood you. But I don't see essential points of
>disagreement between us in this respect. (Compare our two last
>sentences.)

If you are going to deliberately weaken an algorithm, fix some key bits. Don't choose a random untested algorithm; you won't know how strong or weak it is. And since there is a ready supply of tested, trusted, unpatented, and free algorithms, I don't see this being much of a problem.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 17:31:59 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <363746FF.B2E33D31@stud.uni-muenchen.de>
References: <36373706.886670@news.visi.com>
Newsgroups: sci.crypt
Lines: 43

Bruce Schneier wrote:
>
> algorithms, etc--that should be looked at. There are Ritter's
> designs. Any of these algorithms could potentially be cryptanalyzed
> by amateurs. The easier jobs are not all taken, precisely because
> there are so many of them.

I still guess that your logical argument is probably not perfect. These are, so to say, 'ready foods' for the would-be professionals on the way to their true professional status. Why have these been so rarely attacked? Or are there barely any would-be professionals around perhaps?

>
> >> >The best crypto may be unavailable
> >> >due to patents, high cost, export restriction and crypto regulations,
> >> >etc. etc. In such cases one has to look for comparatively weak cryptos.
> >
> >>There are certainly
> >> exceptions--the identity cipher being the most flagrant example--but
> >> in general strong cryptography is no more expensive than weak
> >> cryptography. Hence, it makes sense to use the strongest
> >> cryptography possible, regardless of the threat model.
> >
> >Maybe I misunderstood you. But I don't see essential points of
> >disagreement between us in this respect. (Compare our two last
> >sentences.)
>
> If you are going to deliberately weaken an algorithm, fix some key
> bits. Don't choose a random untested algorithm; you won't know how
> strong or weak it is. And since there is a ready supply of tested,
> trusted, unpatented, and free algorithms, I don't see this being much
> of a problem.

I said if the best crypto is unavailable then one has (is forced) to take a weaker one. This does not imply one deliberately takes the weakest of the available ones (only a fool would do that). You said that one uses the strongest possible, i.e. the strongest of the set of available ones. So there is no conflict between our opinions, is there?

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 22:41:04 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36379ca4.2650087@news.visi.com>
References: <363746FF.B2E33D31@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 46

On Wed, 28 Oct 1998 17:31:59 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>Bruce Schneier wrote:
>>
>> algorithms, etc--that should be looked at. There are Ritter's
>> designs. Any of these algorithms could potentially be cryptanalyzed
>> by amateurs. The easier jobs are not all taken, precisely because
>> there are so many of them.
>
>I still guess that your logical argument is probably not perfect.
>These are, so to say, 'ready foods' for the would-be professionals on
>the way to their true professional status. Why have these been so
>rarely attacked? Or are there barely any would-be professionals
>around perhaps?

Because people are busy. Because not everyone has time to spend weeks (or days or even hours) analyzing every random cipher that comes across their desk. Because the designs are not published, so the breaks are not publishable. Because they are not widely known. Because breaking them requires no new insights and hence is uninteresting. For as many reasons as there are ciphers.

The argument "it's been around since 19xx and has not been broken, therefore it is secure" is a flawed one. It assumes that people have analyzed it during that time. Most ciphers are not analyzed by anyone but the designers. This is why random designs are risky. And this is also a great opportunity for someone who wants to learn. Cryptography is rare, and possibly unique, in that a beginner can generate new--and possibly publishable--results right from the beginning.

>I said if the best crypto is unavailable then one has (is forced)
>to take a weaker one. This does not imply one deliberately takes
>the weakest of the available ones (only a fool would do that). You
>said that one uses the strongest possible, i.e. the strongest of the
>set of available ones. So there is no conflict between our opinions,
>is there?

Don't think so.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 10:05:03 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36382FBF.7209447B@stud.uni-muenchen.de>
References: <36379ca4.2650087@news.visi.com>
Newsgroups: sci.crypt
Lines: 117

Bruce Schneier wrote:
>
> On Wed, 28 Oct 1998 17:31:59 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>
> >Bruce Schneier wrote:
> >>
> >> algorithms, etc--that should be looked at. There are Ritter's
> >> designs. Any of these algorithms could potentially be cryptanalyzed
> >> by amateurs. The easier jobs are not all taken, precisely because
> >> there are so many of them.
> >
> >I still guess that your logical argument is probably not perfect.
> >These are, so to say, 'ready foods' for the would-be professionals on
> >the way to their true professional status. Why have these been so
> >rarely attacked? Or are there barely any would-be professionals
> >around perhaps?
>
> Because people are busy. Because not everyone has time to spend weeks
> (or days or even hours) analyzing every random cipher that comes
> across their desk. Because the designs are not published, so the
> breaks are not publishable. Because they are not widely known.
> Because breaking them requires no new insights and hence is
> uninteresting. For as many reasons as there are ciphers.

I disagree. The would-be professionals are busy in attempting to prove their 'better' (than their colleagues and certainly the amateurs) analysis capability through cracking algorithms that are presumably hard. They have thus strong incentives to do that work, which according to your Memo is sort of a 'must'. Now it is also my opinion that a number of algorithms published by amateurs are difficult to understand (read) or very incomplete (lacking details) (see a previous post of mine) or even obscure or trivial (your 'breaking requiring no new insights and hence uninteresting'). But I would personally make an (at least one single) exception of Terry Ritter's designs which you explicitly mentioned. Independent of how easy or hard his designs can be broken, he has got patents. Now it may well be argued whether obtaining patents really means very much. However, a would-be professional choosing to break his designs has an obvious advantage over breaking other equally weak (or harder) algorithms. He could show off and say 'Hey, look! I have cracked a couple of patented cryptos!' I can't imagine that such an advantage could be overlooked by any would-be professionals. Further, Ritter's work is apparently known to you to some degree. I believe that there are quite a number of the would-be professionals researching under your supervision and that you have very probably given to one or some of them a tip to attack Ritter's designs. A success in that would provide at least one very valuable 'insight' for general users of cryptological algorithms (and for the cryptology community as well), namely that the carrying of patents of cryptological algorithms is a very questionable qualification of the same and that these should be regarded with extreme care (suspicion) in evaluations. (Note: patents are published in government announcements. Scientific patents have at least the status of papers in established scientific journals, in particular can be assumed to have the same degree of 'known-ness' to researchers in the corresponding fields.)

>
> The argument "it's been around since 19xx and has not been broken,
> therefore it is secure" is a flawed one. It assumes that people have
> analyzed it during that time. Most ciphers are not analyzed by anyone
> but the designers. This is why random designs are risky. And this is
> also a great opportunity for someone who wants to learn. Cryptography
> is rare, and possibly unique, in that a beginner can generate new--and
> possibly publishable--results right from the beginning.

I wholly agree with you. Let me however remark that this is all very well known to this group. It appears time and again and repeatedly in posts of this group (I admit that sometimes I even found this theme boring) and has been well accepted and acknowledged to my knowledge. There is presently one exception, though, namely your sentence 'this is also a great opportunity for someone who wants to learn'. Do the would-be professionals (at least the beginners among them who have not yet accumulated too much knowledge) not want to learn? If yes, then there appears to be in my opinion a certain contradiction to what you wrote in the previous paragraph.

>
> >I said if the best crypto is unavailable then one has (is forced)
> >to take a weaker one. This does not imply one deliberately takes
> >the weakest of the available ones (only a fool would do that). You
> >said that one uses the strongest possible, i.e. the strongest of the
> >set of available ones. So there is no conflict between our opinions,
> >is there?
>
> Don't think so.

Please be kind enough to explain with a couple of sentences rather than making a difficult-to-comprehend categorical statement.

M. K. Shen
------------------------------------------------------
M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany
+49 (89) 831939 (6:00 GMT)
mok-kong.shen@stud.uni-muenchen.de
http://www.stud.uni-muenchen.de/~mok-kong.shen/
(Last updated: 10th October 1998. Origin site of WEAK1, WEAK2, WEAK3 and WEAK3-E. Containing 2 mathematical problems with rewards totalling US$500.)
----------------------------------------------
Apply not techniques that you haven't fully understood.
Use only subprograms that you have thoroughly verified.
Never blindly trust what your colleagues claim.
(a programmer advising novices, ~1970)
----------------------------------------------
Sunshine is the best disinfectant.
(citation of a citation in B. Schneier and D. Banisar, The Electronic Privacy Papers. John-Wiley, New York, 1997.)
----------------------------------------------
The words of a man's mouth are as deep waters, and the wellspring of wisdom as a flowing brook. (Proverbs 18:4)
A little that a righteous man hath is better than the riches of many wicked. (Psalms 37:16)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:09:50 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363881dd.804381@news.visi.com>
References: <36382FBF.7209447B@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 129

On Thu, 29 Oct 1998 10:05:03 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>Bruce Schneier wrote:
>>
>> On Wed, 28 Oct 1998 17:31:59 +0100, Mok-Kong Shen
>> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>>
>> >Bruce Schneier wrote:
>> >>
>> >> algorithms, etc--that should be looked at. There are Ritter's
>> >> designs. Any of these algorithms could potentially be cryptanalyzed
>> >> by amateurs. The easier jobs are not all taken, precisely because
>> >> there are so many of them.
>> >
>> >I still guess that your logical argument is probably not perfect.
>> >These are, so to say, 'ready foods' for the would-be professionals on
>> >the way to their true professional status. Why have these been so
>> >rarely attacked? Or are there barely any would-be professionals
>> >around perhaps?
>>
>> Because people are busy. Because not everyone has time to spend weeks
>> (or days or even hours) analyzing every random cipher that comes
>> across their desk. Because the designs are not published, so the
>> breaks are not publishable. Because they are not widely known.
>> Because breaking them requires no new insights and hence is
>> uninteresting. For as many reasons as there are ciphers.
>
>I disagree. The would-be professionals are busy in attempting to
>prove their 'better' (than their colleagues and certainly the
>amateurs) analysis capability through cracking algorithms that are
>presumably hard. They have thus strong incentives to do that work,
>which according to your Memo is sort of a 'must'. Now it is also
>my opinion that a number of algorithms published by amateurs are
>difficult to understand (read) or very incomplete (lacking details)
>(see a previous post of mine) or even obscure or trivial (your
>'breaking requiring no new insights and hence uninteresting'). But I
>would personally make an (at least one single) exception of
>Terry Ritter's designs which you explicitly mentioned. Independent
>of how easy or hard his designs can be broken, he has got patents.
>Now it may well be argued whether obtaining patents really means very
>much. However, a would-be professional choosing to break his designs
>has an obvious advantage over breaking other equally weak (or harder)
>algorithms. He could show off and say 'Hey, look! I have cracked a
>couple of patented cryptos!' I can't imagine that such an advantage
>could be overlooked by any would-be professionals. Further, Ritter's
>work is apparently known to you to some degree. I believe that there
>are quite a number of the would-be professionals researching under
>your supervision and that you have very probably given to one or some
>of them a tip to attack Ritter's designs. A success in that would
>provide at least one very valuable 'insight' for general users of
>cryptological algorithms (and for the cryptology community as well),
>namely that the carrying of patents of cryptological algorithms is
>a very questionable qualification of the same and that these should
>be regarded with extreme care (suspicion) in evaluations. (Note:
>patents are published in government announcements. Scientific patents
>have at least the status of papers in established scientific journals,
>in particular can be assumed to have the same degree of 'known-ness'
>to researchers in the corresponding fields.)

I don't understand. Do you disagree with reality (that there are all these ciphers that are not being looked at) or with my reasoning as to why they are not being looked at? I don't know what to tell you. I know all of the algorithms I listed in my previous posting have not been looked at by the academic cryptographers who I think of as the "good cryptanalysts." I know the reasons listed are ones that I have heard others use or use myself. Maybe you're right--these algorithms have been analyzed and some of them have been broken--and the breaks have either not been published or have been published in places I don't know about, but I kind of doubt that. Many of us have breaks of amateur ciphers, ones that appear on sci.crypt, get patents, or are used operationally, that we just don't have time to write up or flesh out. It's just not worth the bother.

I don't mean this to be a statement of opinion, but a statement of fact. Fact 1: There are many unpublished ciphers, and even some published ones, that no one has bothered trying to cryptanalyze. Fact 2: Some of the reasons people give for not bothering are listed above.

>> The argument "it's been around since 19xx and has not been broken,
>> therefore it is secure" is a flawed one. It assumes that people have
>> analyzed it during that time. Most ciphers are not analyzed by anyone
>> but the designers. This is why random designs are risky. And this is
>> also a great opportunity for someone who wants to learn. Cryptography
>> is rare, and possibly unique, in that a beginner can generate new--and
>> possibly publishable--results right from the beginning.
>
>I wholly agree with you. Let me however remark that this is all
>very well known to this group. It appears time and again and repeatedly
>in posts of this group (I admit that sometimes I even found this theme
>boring) and has been well accepted and acknowledged to my knowledge.
>There is presently one exception, though, namely your sentence 'this
>is also a great opportunity for someone who wants to learn'. Do the
>would-be professionals (at least the beginners among them who have not
>yet accumulated too much knowledge) not want to learn? If yes, then
>there appears to be in my opinion a certain contradiction to what you
>wrote in the previous paragraph.

I believe that:

1) There are very few beginner cryptanalysts.

2) They tend to try to reproduce published results, as I described in my "Self-Study Course in Block Cipher Cryptanalysis."

3) They don't know about the random designs that appear. (Remember, most people in the field don't EVER read sci.crypt.)

4) Some realize that they need to break things to learn.

>> >I said if the best crypto is unavailable then one has (is forced)
>> >to take a weaker one. This does not imply one deliberately takes
>> >the weakest of the available ones (only a fool would do that). You
>> >said that one uses the strongest possible, i.e. the strongest of the
>> >set of available ones. So there is no conflict between our opinions,
>> >is there?
>>
>> Don't think so.
>
>Please be kind enough to explain with a couple of sentences rather
>than making a difficult-to-comprehend categorical statement.

I do not believe there is any conflict between our opinions. I believe that your opinion and mine are not in conflict, meaning that they can coexist without conflict, but strongly implying (and I mean this too) that they are compatible and in agreement. (Honestly, I don't know how else to explain it.)

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 16:58:33 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <363890A9.605EB4BF@stud.uni-muenchen.de>
References: <