The Value of Cryptanalysis
This huge conversation starts out with the
article by Schneier.
That article is controversial in various ways. It claims that:
- the path to success in cryptography is cryptanalysis, and
the path to that is academic publication;
- cryptanalysis is how we know the strength of ciphers; and
- a cipher with an "impractical break" should be seen as
weaker than ciphers without such a break.
These arguments bring out fundamental issues in cryptography
which are generally assumed to have been resolved long ago,
with the answers now obvious. See
my response,
my later response and
someone else's response and
math descriptions.
Contents
- 1998-10-17 Bruce Schneier:
"Congratulations. You've just invented this great new cipher, and you
want to do something with it. You're new in the field; no one's heard
of you, and you don't have any credentials as a cryptanalyst. You
want to get well-known cryptographers to look at your work. What can
you do?
"Unfortunately, you have a tough road ahead of you."
- 1998-10-18 George Barwood:
"I disagree - some time ago I posted an algorithm to sci.crypt, and
received a quick (and useful) analysis from David Wagner."
- 1998-10-18 Karl-Friedrich Lenz:
"Probably Mr. Schneier intended to say 'not a second glance by professionals in
scientific papers', which might be true. But the level of sci.crypt is not that
low, and there seem to be quite a lot of people ready to have a swing at new
ideas."
- 1998-10-18 Bruce Schneier:
"You're right. There are exceptions to this. Agreed."
- 1998-10-18 Jon Haugsand:
"Actually, wouldn't this be a good way to train oneself in
cryptanalysis? Breaking amateur ciphers posted to Usenet?"
- 1998-10-19 Bruce Schneier:
"Definitely. I think it's the best way. Not only do you get
experience breaking ciphers, but you get some very easy ones to
start on."
- 1998-10-17 W T Shaw:
"A contrived obstacle course means being sure that few can
finish, and more are discouraged from even trying."
- 1998-10-18 Lloyd Miller:
"Bruce's religion makes a lot more sense to me than yours."
- 1998-10-18 Jay Holovacs:
"If you can't break codes that are out there, why should anyone
believe that you have an answer."
- 1998-10-18 W T Shaw:
"In Bruce's work, there are sinful omissions and commissions, but
the subject is so large that this would always be a surety in some form.
To judge his character, we will see if he mentions in the future any
things he has previously ignored and have been pointed out directly to
him."
- 1998-10-18 dscott@networkusa.net:
"I like your chemistry example; it fits well with the load of stuff
Bruce is trying to pass off."
- 1998-10-19 :
"...cryptanalysis is a discipline of its own, and requires either
considerable stamina or advanced mathematical skills. One does not quite
need these qualifications to design a secure cipher, particularly if one
is following your earlier advice and not ignoring the lessons of previous
designs."
- 1998-10-19 Mark Tillotson:
"Nonsense! How on earth can you claim to design a secure cipher if you are
_incapable_ of distinguishing a weak cipher from a strong cipher???"
- 1998-10-22 John Savard:
"...while a _knowledge_ of cryptanalysis is needed, actually being a
cryptanalyst - actually being able to carry out, in full, the
cryptanalysis of a difficult cipher, or being able to make theoretical
contributions to the field - is not, strictly speaking, necessary...."
- 1998-10-22 W T Shaw:
"Many imply that if you simply follow their rules for cipher construction,
you need not do much of the analysis yourself."
- 1998-10-26 Bruce Schneier:
"Many are wrong."
- 1998-10-25 W T Shaw:
"...the AES process is *designed* as a big feedback
mechanism, the quicker acting the better."
- 1998-10-26 Bruce Schneier:
"Rah rah."
- 1998-10-26 cryptonews@my-dejanews.com:
"This is not about crypto and security, it is rather becoming about
Bruce Schneier's BIG EGO and what he thinks the world should be."
- 1998-10-26 dscott@networkusa.net:
"For a while I thought I was the only one
intelligent enough to notice Mr B.S. is nothing but a big BLOWHARD;
it seems that everyone else was following him like a god."
- 1998-10-26 John Savard:
"No, that is not at all true or fair."
"Actually, if there were 10,000 amateur cipher designs published, the
harm would be mainly to amateur cipher designers...."
- 1998-10-28 Gurripato (x=nospam):
"If those 10,000
amateur ciphers existed and were published, crypto vendors would start
incorporating them into their products. How would the customers react when
9,990 of those ciphers are proved to be weak?"
- 1998-10-28 Terry Ritter:
"This is a legitimate concern, but it applies to everything we have."
"The problem is that we cannot measure the strength of a cipher. But
that means *any* cipher, even the well-regarded ones."
- 1998-10-28 Patrick Juola:
"This is untrue. It's fairly easy to come up with a measurement
of the strength of a cypher...."
- 1998-11-02 Terry Ritter:
"From the user's standpoint, an upper bound is *not* the strength, and
is not even a useful estimate."
"To the user, since we have *neither* the real strength, *nor* the
lower bound, we have no useful measure of strength at all."
- 1998-11-02 Patrick Juola:
"I have an upper bound, I insure against the lower bound being
smaller than I envision, and the risk becomes Lloyd's."
- 1998-11-10 Terry Ritter:
"When cryptanalysis identifies a practical break, it provides very
useful information."
"But most cryptanalysis does not do this, but instead produces yet
another impractical break."
- 1998-11-10 John Savard:
"...since
differential, meet-in-the-middle attacks, etc., require enormous
quantities of known plaintext, either it is not clear they invalidate
a system for practical use...."
- 1998-11-10 Bruce Schneier:
"To many of us, impractical breaks provide very useful information to
judge between ciphers."
- 1998-11-11 Douglas A. Gwyn:
"They provide information, which you may *choose* to use in judging,
but that is not necessarily a rational choice. To be rational, its
*relevance* to the functional criteria needs to be established."
- 1998-11-12 Terry Ritter:
"Finding a successful attack certainly tells us that "strength" can be
no higher than that attack. But it does not tell us what the strength
really is. So the attack tells us *nothing* about the real strength
of the cipher."
- 1998-11-03 Sandy Harris:
"I think that for good ciphers, lower bounds on the resources required
for most or all of those can be proved."
- 1998-11-03 dscott@networkusa.net:
"...how much information is needed by the guy breaking
to know if he has decoded the file."
- 1998-11-03 Mike McCarty:
"This principle seems good to me."
- 1998-11-03 Terry Ritter:
"...if it were practical to know lower bounds for these attacks, why
would we ever see improved versions in the literature?"
- 1998-11-06 Bryan G. Olson; CMSC (G):
"You've talked yourself into a bunch of
nonsense."
- 1998-11-02 John Savard:
"I feel, on the other hand, that this isn't a problem one *can* work on
specifically."
- 1998-11-03 Terry Ritter:
"The whole point of the actual use of cryptography is to *enforce*
security. Without at least a minimum value for strength, the user has
no guarantee -- or even a useful probability -- of that."
- 1998-11-03 John Savard:
"I don't contradict your statement that this is a
serious problem for cryptography... but if there
is no realistic prospect of obtaining it...
however badly we need it, is _still_ a waste of time."
"...on a very high level,
cryptanalysis can be divided into three types of operation:...."
- 1998-11-04 Douglas A. Gwyn:
"It's nice to try to bring order to the subject, but the above
is not complete."
- 1998-11-04 dscott@networkusa.net:
"...sometimes the encryption program itself does not use
or solve for the key that the method is based on."
- 1998-11-10 Terry Ritter:
"It was
suggested that cryptanalysis is the way users know the strength of
their ciphers. That suggestion is false."
"In reality, cryptanalysis only benefits *users* when their particular
cipher is actually shown to be weak in practice *and* the user can
switch to something else."
- 1998-11-10 John Savard:
"...between two closely similar ciphers, the one
protected against the impractical break but not otherwise different is
likely to be stronger."
- 1998-11-04 Jerry Leichter:
"There is no proof of security for key locks, combination locks, or any
other means of providing physical security."
"With any of the
well-studied cipher systems out there today, it's unlikely that the
mathematical structure of the cipher will be the weakest component of a
real-world system in which it is embedded."
- 1998-11-06 Bruce Schneier:
"Profoundly true."
- 1998-11-10 Terry Ritter:
"But we can be more sure about these simple devices than the vast
majority of far-more-complex ciphers."
"The problem is these 'special understandings.' As long as we produce
ciphers that admit new cryptanalysis, we cannot be sure of their true
strength. If we cannot somehow confine or bound the unknown 'special
understandings,' we will never have factual grounds to state that
cipher strength is 'unlikely' to be the weakest part of the system."
- 1998-11-10 Jerry Leichter:
"...there are *no* published attacks with any
real-world significance - except for brute force relying on limited key
spaces - against any of, say, DES, RC4, IDEA, or RSA."
"You can explain this difference in three ways:"
- 1998-11-11 Douglas A. Gwyn:
"More than three."
- 1998-11-11 Jerry Leichter:
"Well, OK."
- 1998-10-18 dscott@networkusa.net:
"Part of the NSA job is to keep the world in the dark about
real crypto. Think about it. What better way to do it than by
creating crypto priests for people to worship."
- 1998-10-19 Tim Bass:
"Most of those who have written strong ciphers did not write
them without very significant research into the field."
- 1998-10-19 dscott@networkusa.net:
"John you shouldn't try to confuse a Bruce Worshiper
with facts."
- 1998-10-19 David Hamilton:
"Has the USA NSA succeeded in keeping you in the dark about 'real crypto'?"
- 1998-10-19 dscott@networkusa.net:
"Obviously you don't read all of crapola...."
- 1998-10-26 dscott@networkusa.net:
"What I don't
like is the spying on Americans for political reasons that will
someday make what the Soviet Union had look like a dream of a long
lost freedom."
- 1998-10-20 dscott@networkusa.net:
"...if he had a contest it would be embarrassing to have a
rank amateur break it."
- 1998-10-20 Terry Ritter:
"It is not the responsibility of the developers to go
around and inform all the 'experts' through their chosen media outlet.
Either they keep up, or they are not experts on what they have missed,
and it's just that simple."
- 1998-10-22 Bryan G. Olson; CMSC (G):
"I have to agree with Mr. Ritter on this one."
- 1998-10-22 dscott@networkusa.net:
"...even if the name is removed I bet anyone with half
a brain could tell mine from Bruce's and from Mr Ritter's since we
all 3 have different writing styles even if we all 3 write about the
exact same subject."
- 1998-10-22 Mark Carroll:
"What interests would the review panel have in choosing Bruce's paper
over yours if yours is so much better?"
- 1998-10-23 dscott@networkusa.net:
"...they may be already attuned
to his narrow closed style of thinking since the reviewers most likely
got to their positions in the same way he did and they may not
be any more capable of objective thought than he is."
- 1998-10-22 Andrew Haley:
"Why should anyone be bothered to read what you write if you can't be
bothered to correct any of your mistakes?"
- 1998-10-22 Patrick Juola:
"...for most major conferences, it's expected."
- 1998-10-22 Terry Ritter:
"...this entire thread is a response to the
original article by Schneier...."
"...he clearly *did* imply that
*something* prevents "unknowns" from publishing in conferences and
workshops."
- 1998-10-23 Patrick Juola:
"...if you're a total unknown, you probably won't get workshop invitations.
You can, however, easily get into conferences *if* you can write
a good enough paper...."
- 1998-10-26 Bruce Schneier:
"...'hard' is not impossible."
- 1998-10-26 Terry Ritter:
"...it is
largely the lack of a broad and robust literature on breaks of all
types which makes 'the newbie problem' as bad as it is. The process
of selecting only good designs for the archival literature leaves us
with little description of the bad ones, and less archived reasoning
about their weaknesses. I claim we would be better off if every
newbie cipher was presented and broken in the literature."
- 1998-10-27 dscott@networkusa.net:
"Mr Ritter, I feel that Bruce is one of those self-inflated people
incapable of understanding your writing. He is afraid of real
competition so will attempt to put it down with jokes and such...."
- 1998-10-26 John Savard:
"But we can be very thankful he published his design."
- 1998-10-27 "Keith Lockstone":
"This idea has been published before on sci.crypt...."
- 1998-10-23 dscott@networkusa.net:
"REAL CRYPTO conferences should
have executable program or functions where the input and output
can be analysed and various real testing done on computers."
- 1998-10-22 W T Shaw:
"You are confusing narrow mindedness with focus."
- 1998-10-23 Patrick Juola:
"I suspect that his ability to master
English will be a more vital asset for his eventual programming
abilities."
- 1998-10-23 Andrew Haley:
"...you can gain some idea of the level of a programmer's skill
just by listening to them."
- 1998-10-26 Mok-Kong Shen:
"I am however
anyway convinced that if one has acquired sufficient proficiency in a
foreign language, the difference between a foreign language and
one's mother tongue disappears."
- 1998-10-27 fungus:
"...there
are some concepts which have a word in one language but not
in another. Sometimes you find yourself arriving at the middle
of a sentence wanting to use a word from the other language
because no equivalent exists in the language you're speaking."
- 1998-10-27 Mok-Kong Shen:
"That's why good translations of master pieces are rare."
- 1998-10-27 Patrick Juola:
"French, for example, has no single word meaning 'shallow.'"
"This does NOT, however, mean that the French don't understand
the distinction between deep and shallow water, or even that
they can't talk about it."
- 1998-10-25 W T Shaw:
"Prejudice by language, life style, heritage, anything you want to throw
in. Concentrating on style rather that substance is easy, and wrong."
- 1998-10-26 Bruce Schneier:
"You can figure out the authors of some papers without the authors'
names, but not all of them. You can easily figure out who is schooled
in the mathematics of cryptography and who isn't."
- 1998-10-26 Bruce Schneier:
"...even the conferences that referee
papers anonymously don't publish design papers unless they are REALLY
impressive."
- 1998-10-26 Bryan G. Olson; CMSC (G):
"...here's how to really get a design published in the crypto lit:
Find some new and interesting fact, develop a design that
incorporates the result, then write a paper that presents both the
theorem and the system."
- 1998-10-26 Bruce Schneier:
"I invite you to submit a paper, based on your patent #5,727,062
('Variable Size Block Ciphers') to the 1999 Fast Software Encryption
workshop. I believe it will be published." (Ed. Note: This public
invitation was later retracted in private email./TFR)
- 1998-10-26 Bruce Schneier:
"Please submit your good ideas to cryptography workshops. FSE
and SAC are good places to start."
"Statistical tests are not very
meaningful. If you saw a cipher design that was accompanied by
nothing other than statistical tests of randomness, wouldn't your
snake-oil detector go off?"
- 1998-10-26 W T Shaw:
"Statistics can measure more things than randomness."
- 1998-10-26 John Savard:
"That's all Bruce was saying; statistics aren't enough - although
specialized statistical tests, directly related to the possible forms
of cryptanalysis that a cipher may face, can, of course, be very
applicable."
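The statistics point above (Schneier's "snake-oil detector," Savard's "statistics aren't enough") put into working form. This is an added example by the editor of this page, not code posted by any participant: a toy cipher whose output passes a chi-square byte-frequency test and still falls to a 256-trial known-plaintext search, because its key is, by construction, a single byte. The keystream construction, the sample plaintext and the key value are all assumptions made for the illustration.

```python
"""Added example: a cipher that passes a byte-frequency randomness test yet
is trivially broken. Not code from the thread; the 'cipher', its 8-bit key
and the sample plaintext are constructed for illustration."""
import hashlib
import itertools


def keystream(key: int, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || counter). The construction
    itself is fine as a PRF; the weakness is the deliberately tiny 8-bit key."""
    out = bytearray()
    for ctr in itertools.count():
        if len(out) >= length:
            break
        out += hashlib.sha256(bytes([key]) + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def encrypt(key: int, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def chi_square_bytes(data: bytes) -> float:
    """Pearson chi-square statistic of the byte histogram against the uniform
    distribution (255 degrees of freedom). Values near 255 look 'random';
    for a sample this size a statistic above ~330 would be rejected at p < 0.001."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def brute_force_key(known_plaintext: bytes, ciphertext: bytes) -> int:
    """Known-plaintext attack: at most 256 trial decryptions."""
    for k in range(256):
        if encrypt(k, ciphertext[: len(known_plaintext)]) == known_plaintext:
            return k
    raise ValueError("no key matched")


# Constructed sample: highly structured plaintext (one sentence repeated),
# so the plaintext itself fails the uniformity test badly.
PLAINTEXT = b"attack at dawn; the cipher looks random but has an 8-bit key. " * 1024
KEY = 0x5A  # constructed key value for the demonstration

if __name__ == "__main__":
    ct = encrypt(KEY, PLAINTEXT)
    print("chi-square of plaintext :", round(chi_square_bytes(PLAINTEXT)))
    print("chi-square of ciphertext:", round(chi_square_bytes(ct)))
    print("recovered key           :", hex(brute_force_key(PLAINTEXT[:16], ct)))
```

Run it and the ciphertext's chi-square lands near the 255 expected for uniform bytes while the plaintext's is in the tens of thousands; the brute-force search still returns the key at once. A frequency test measures the distribution of the keystream, not the cost of recovering it, and only the latter is what the thread means by strength.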
- 1998-10-26 Terry Ritter:
"We *never* know that a cipher is strong. Ever."
"Now, we might 'consider' a cipher strong when all *our* guys have
looked at it and found no break. But, quite frankly, the *other* guys
have more training, more experience, more resources, more time, and
they may even be smarter than our guys."
"I claim
it is more important to have many different ciphers than to have a few
which are 'considered strong.' Why? Because we *can't* know how
strong our ciphers *really* are to the other guy. But we *can* --
guaranteed -- make The Opponent pay dearly to keep up."
- 1998-10-27 John Savard:
"This is something I basically agree with."
- 1998-10-28 Christopher Browne:
"As far as I can tell, the only reasonably universal such language is
that of mathematical notation."
- 1998-10-28 Terry Ritter:
"I see nothing wrong with ordinary people making their own decisions on
cryptography -- or anything else -- based on whatever information they
wish to use."
- 1998-10-28 W T Shaw:
"You could run the risk of producing some interference pattern in the
combination of algorithms that could produce a poor result...."
- 1998-10-28 Terry Ritter:
"While *possible*, in the context of structurally-different ciphers it
is *extremely* unlikely."
- 1998-10-29 dscott@networkusa.net:
"It is obvious that mixing three different types
of ciphers would be better than Triple DES...."
- 1998-10-29 Terry Ritter:
"...in practice, most of the time, ciphers only need oppose direct
technical attacks which are cheaper than bribery, and that will be a
pretty weak attack. In that sense, weak ciphers may be less of a
problem than having a single fixed cipher that might be cryptanalyzed
once and used to expose everybody."
"Since we can't know what NSA can do, I think it can be a waste of time
to worry about it."
- 1998-10-29 Tim Bass:
"From an intellectual perspective, I've read nothing which is
remotely enlightening from this entire thread."
- 1998-10-29 Andrew Haley:
"How do you expect a female cryptographer feels when told to conduct
herself like a gentleman?"
- 1998-10-30 Douglas A. Gwyn:
"...some of my best friends are women -- but I wouldn't want my
sister to marry one!"
- 1998-10-30 dscott@networkusa.net:
"That is a sexist statement if I ever saw one."
- 1998-10-30 Tim Bass:
"'Please Little Boys, Be Nice, Stop Fighting and Play Together!'"
- 1998-10-30 Tim Bass:
"Restraint from harsh and offensive speech would make sci.crypt
a much more positive experience for everyone, IMHO."
- 1998-10-31 dscott@networkusa.net:
"Are you for real?"
- 1998-10-31 Douglas A. Gwyn:
"...trying to change the language
to force one's political views on the world is sickening."
- 1998-10-30 dscott@networkusa.net:
"I liked your answer...."
- 1998-10-29 Jerry Leichter:
"Not only is it extremely unlikely - it would be a direct indication that
*both* of the ciphers involved were weaker than expected."
- 1998-10-29 Bruce Schneier:
"Indeed. You cannot prove that a cascade of several ciphers is
stronger than any individual cipher, but it seems reasonable that it
is the case."
- 1998-10-29 W T Shaw:
"Reason requires consideration of details."
- 1998-10-29 Bruce Schneier:
"I know of various efforts to look at the AES
submissions with respect to different attacks, but I have never heard
of anyone looking at the possibility of short cycles or group
structure."
- 1998-10-29 W T Shaw:
"You can only mix a few things in so many ways in a fixed length block
until your ciphertext is identical with one of your previous plaintexts."
- 1998-10-29 Terry Ritter:
"If these 'short cycles' are just those which naturally appear in
random permutations, surely a large block is a prescription to make it
unlikely that we could ever find one, or encounter one by chance."
- 1998-10-30 dscott@networkusa.net:
"...the Paul Onion attack for a chosen plaintext file, if
allowed, shows that if the cycle length is known you can tailor an attack
against a pure iterating cipher."
- 1998-10-30 Jerry Leichter:
"What we need to know is that the short cycles - all of whose
members correspond to "weak keys" of a sort - amount to only an
insignificant fraction of the group."
- 1998-10-30 Terry Ritter:
"...a random permutation of reasonable
size should not have this difficulty."
- 1998-11-02 Jerry Leichter:
"That's easy to prove...."
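Numbers for the short-cycle exchange above (Shaw, Ritter, Leichter), as an added example by the editor rather than anything posted in the thread. It assumes, as Ritter does, that the cipher under a fixed key behaves like a uniformly random permutation of its 2^b block values. Under that model the expected number of k-cycles is 1/k, so the expected number of points on cycles of length at most L is exactly L and the expected fraction is L/2^b, which is the fact Leichter calls easy to prove. The simulation checks that expectation on small permutations; the permutation sizes and seed are arbitrary choices.

```python
"""Added example: cycle structure of random permutations, to put numbers on
the 'short cycles' exchange. Constructed by the editor, not code from any
participant; the model assumption is that the cipher under a fixed key
behaves like a uniformly random permutation of its block space."""
import random


def cycle_lengths(perm: list[int]) -> list[int]:
    """Lengths of all cycles of a permutation given as a list mapping
    i -> perm[i], sorted ascending."""
    seen = [False] * len(perm)
    lengths = []
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, i = 0, start
        while not seen[i]:
            seen[i] = True
            i = perm[i]
            length += 1
        lengths.append(length)
    return sorted(lengths)


def points_on_short_cycles(perm: list[int], max_len: int) -> int:
    """Number of block values lying on a cycle of length <= max_len."""
    return sum(length for length in cycle_lengths(perm) if length <= max_len)


def expected_points_on_short_cycles(max_len: int) -> int:
    """For a uniformly random permutation of n >= max_len elements the
    expected number of k-cycles is 1/k, so the expected number of points on
    cycles of length <= L is sum_{k<=L} k * (1/k) = L, independent of n.
    The expected *fraction* is therefore L/n; with n = 2**blocksize this is
    why a large block makes short cycles negligible under the model."""
    return max_len


def simulate(n: int, max_len: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo average of points on short cycles over random
    permutations of n elements (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        perm = list(range(n))
        rng.shuffle(perm)
        total += points_on_short_cycles(perm, max_len)
    return total / trials


if __name__ == "__main__":
    n, L = 4096, 16
    avg = simulate(n, L, trials=500)
    print(f"n={n}, L={L}: average points on short cycles = {avg:.1f} "
          f"(expected {expected_points_on_short_cycles(L)}, "
          f"expected fraction {L / n:.5f})")
```

The caveat the quotes carry: the L/2^b figure is a property of random permutations, not of any particular cipher. A cipher with group structure or weak keys can have far more points on short cycles than this model predicts, and the simulation cannot tell you which case you are in; only analysis of the cipher itself can.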
- 1998-10-29 W T Shaw:
"And, we find that the effective keylength is somewhat less than 3 times DES."
- 1998-10-29 ssimpson@hertreg.ac.uk:
"The best we can hope to do is use our complete arsenal of analysis tools to
prove that a cipher is insecure. If it fails to succumb to these tools then
it is not _proven_ to be secure, but it indicates that a degree of faith can
be placed in the cipher."
- 1998-10-30 Terry Ritter:
"Concluding that a cipher which has not been shown weak is therefore
strong is surely incorrect reasoning. So the cipher may be weak. And
if the cipher *is* weak, we surely would be fools to have faith in it,
no matter how much analysis was done previously."
- 1998-10-30 ssimpson@hertreg.ac.uk:
"But we have to have faith in one (or possibly more) block ciphers. Rather
than pick this cipher at 'random' it is surely better to pick a block
cipher that has been subjected to and resisted all known attacks."
- 1998-10-30 Terry Ritter:
"I guess faith is about the only thing we *can* have. But that's
religion, not science. We may use a cipher, but we *cannot* trust it."
"...I have come to believe that it may be more important to use a
multiplicity of ciphers -- accepting their possible weaknesses -- than
to use a single cipher -- and accepting its possible weakness."
- 1998-10-30 Douglas A. Gwyn:
"...I can exhibit the design
for a block cipher that is demonstrably secure according to the rules of
the game, although it wouldn't be *practical*."
- 1998-10-30 Bruce Schneier:
"While it is certainly possible to, in theory, give a proof of security
that does not also prove that P != NP, most formulations of such a
proof--which, of course, does not exist--hinge on proving P != NP."
- 1998-10-31 Douglas A. Gwyn:
"I don't think *any* block ciphers have anything to do with P?=NP."
- 1998-11-02 John Savard:
"...if a proof that P=NP is interpreted as indicating there
are no mathematical problems that get really intractable to solve,
compared to the effort required to verify the solution, then that
would seem to affect everything - even if the application to
secret-key ciphers would still be awkward."
- 1998-11-02 Patrick Juola:
"In the case of any *particular* block cypher, with any *particular*
key-space and any *particular* block size, &c, then the problem size
is probably fixed (and P/NP is indeed a red herring). So proving
that P == NP probably wouldn't affect the solution of DES much."
- 1998-11-03 Douglas A. Gwyn:
"But the issue is not whether there is an *effective algorithm* for
inverting *every* system of equations, which might bear on P?=NP.
The statement was that proof of security of *any particular example*
of a block cipher system would imply P=NP. That's what I doubt."
- 1998-11-02 Nicol So:
"Whether a proof of security of a block cipher has anything to do with the
question of P?=NP depends on how you formalize the notion of security."
- 1998-11-03 Nicol So:
"...I meant to say...."
- 1998-11-03 Patrick Juola:
"If I could prove that DES
(or any particular sub-class of the general problem) *were* solvable
in polynomial time, this would NOT prove that P == NP."
- 1998-11-03 bobs@rsa.com:
"It is well known that problems exist that are HARDER than any problems
in NP."
- 1998-11-03 Douglas A. Gwyn:
"Please, check the attributions before posting."
- 1998-10-30 ssimpson@hertreg.ac.uk:
"Are Schneier et al wrong?"
- 1998-10-30 Sandy Harris:
"Methinks this argument is hopelessly flawed because the keylength
in most ciphers cannot vary beyond a certain range & the whole
P/NP distinction depends on reasoning for "in the limit" & "for
sufficiently large N", so it cannot reasonably be applied."
- 1998-10-30 bobs@rsa.com:
"Merely showing that breaking the key takes exponential time is NOT
equivalent to proving it is NP-Complete."
- 1998-10-30 Patrick Juola:
"Showing that breaking the key takes *provably* exponential time
would suffice to show that P != NP."
- 1998-10-30 Paul Rubin:
"If you can prove that *only* brute force works, the cipher is not in P."
- 1998-11-02 John Savard:
"I think the idea is that while a _proof_ that only brute force works
would indeed catapult cryptanalyzing it out of P, in general the fact
that only brute force is known at present (which some people might
take for a proof) certainly doesn't have anything to do with P versus
NP."
- 1998-11-03 Shawn Willden:
"Let me see if I can lay this out clearly and thoroughly enough that someone
can point out the flaw in the reasoning...."
- 1998-11-02 John Savard:
"Proving that brute force was not necessary would not prove P=NP...."
- 1998-10-31 Douglas A. Gwyn:
"No, that's not even close to a proof...."
- 1998-11-02 Bryan G. Olson; CMSC (G):
"Hmmm, I see it as kind of close."
- 1998-10-28 Bryan G. Olson; CMSC (G):
"There are very few on
this group who actually devote time and effort to looking into
other peoples suggestions."
- 1998-10-21 dianelos@tecapro.com:
"I would rather not use the word "break" to describe the successful
cryptanalysis of a cipher."
"...in the future Internet newsgroups will
be the most important medium for communicating ideas while peer
reviewed publications, as we know them today, will be less and
less important."
- 1998-10-22 John Savard:
"...with
specific reference to the AES process, a cryptanalytic result that
indicates a proposed cipher is less than _perfect_ is, quite properly,
considered significant."
- 1998-10-23 W T Shaw:
"...he said that describing a cipher in C would be OK with
him, but not in a traditional *hardware* schematic."
- 1998-10-24 dianelos@tecapro.com:
"What representation you choose is not a trivial matter. If a cipher
designer always works sketching diagrams, in praxis he will
artificially limit the range of ideas that he will consider."
- 1998-10-25 W T Shaw:
"Having to work
things out solely by careful-appearing and impressive-sounding logic
that may not be applicable to the real world is the essence of the
scientific Greek Tragedy."
- 1998-10-26 Bruce Schneier:
"I agree that 'break' is overused."
"In a world where everyone is a publisher, editors
become even more important."
- 1998-10-26 Mok-Kong Shen:
"I think that the economy of description decides to some extent
which way of presentation is to be preferred."
- 1998-10-26 Terry Ritter:
"I recently posted a quote about this from the current IEEE Spectrum in
another thread. Basically the idea is that the world is moving *away*
from intermediaries who filter and decide for us, to the end-user (of
clothes, of technical articles, etc.) surveying it all, and making the
decision on what to select."
"If math is a great advantage in understanding
logic machines, why are logic machines not generally described that
way? Why? Because schematics can be clearer, that's why."
- 1998-10-28 Frank O'Dwyer:
"In a world where everyone can be a publisher, everyone can
be an editor too."
- 1998-10-28 Patrick Juola:
"Which implies that the value of good, worthwhile editing will continue
to climb, just as the value of good *writing* has been climbing since
the development of the Internet."
- 1998-10-28 Gurripato (x=nospam):
"How would you then best describe Dobbertin's attack on the
compression function of MD5? Does it go all the way to demolition, plan
brack, or just academic break?"
- 1998-10-27 Stefek Zaba:
"'I Was A Chinese Sex Slave'"
- 1998-10-22 Mr. I. O. Yankle:
"When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's
CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it
to gain immediate acceptance on sci.crypt and to even gain the status of
'required reading'. I still hope that this will be the case, but I can see
now that it will take some time."
- 1998-10-22 W T Shaw:
"...many of the thoughts have been expressed before."
- 1998-10-26 Terry Ritter:
"I would hope that anyone reading Schneier's article would recognize
that it is seriously flawed in many ways."
- 1998-10-27 Kery Minola:
"You are really grasping at straws...."
- 1998-10-27 Xcott Craver:
"!!! It's obvious that the memo did not mean 'prove' in the
strict mathematical sense, but in the empirical sense."
- 1998-10-27 Douglas A. Gwyn:
"The 'empirical proof' means very little since it can't allow
for the eavesdropper's cryptanalytic abilities."
- 1998-10-27 Xcott Craver:
"Are you suggesting that we should use something other than the
scientific method?"
- 1998-10-27 W T Shaw:
"To demand a single route to the truth is to prejudice
against truths that may not so conform to that path. This is the
essence of what is wrong with what Bruce advocates, which is the same old
tired argument we have heard for ages."
- t 98-10-02 Mike Zorn:
"As an example, the benzene ring was not discovered by the 'scientific
method'."
- 1998-10-28 Stefek Zaba:
"Kekule's *intuition* about a possible structure for benzene may be implausible
to explain as a deductive process...."
- 1998-10-28 Terry Ritter:
"In normal science we innovate experiments to prove a result and get a
new fact. In cryptography, we innovate experiments to prove a
failure, and with a lack of failure we somehow leap to a conclusion of
strength. This is a faulty leap. Crucially, the inability to break a
cipher after much effort says nothing about its 'real' strength."
- 1998-10-28 dscott@networkusa.net:
"Actually if you come up with a good cipher you will not get it tested
since they try to keep the rank of phony experts quite small."
- 1998-10-28 Douglas A. Gwyn:
"...the so-called 'scientific method' is but one tool
in our epistemological arsenal and ought not to be applied where
it is ineffective."
- 1998-10-28 Xcott Craver:
"Well, so what do you suggest as an alternative?"
- 1998-10-28 Bryan G. Olson; CMSC (G):
"I agreed with Mr. Ritter on one point, but
clearly Bruce got at least a 95%."
- 1998-10-26 Patrick Juola:
"It's quite
reasonable to use a person's ability to write clearly as a gauge for
his/her ability to *think* clearly, given the observed high correlation
between the two."
- 1998-10-27 Mok-Kong Shen:
"In all fields of knowledge (including handcrafts) there are
professionals and amateurs, the one group can't exist (by definition)
without the other."
- 1998-10-27 Bruce Schneier:
"While it is true that not every application needs strong cryptography,
this does not mean that these applications should look towards weak
cryptography."
"I think cryptography is one of the few branches of mathematics where
the amateur can definitely compete with the professional."
- 1998-10-27 W T Shaw:
"What you said above suggests
the importance of diversity of method and manner which is opposed to the
message of the Memo."
- 1998-10-27 W T Shaw:
"Experience with a weaker version of an algorithm can teach you
many things. If true scalable algorithms are involved, it remains the
question of how strong do you want some implementation to be, always being
able to make it infinitely stronger."
- 1998-10-28 Mok-Kong Shen:
"The easier jobs have probably already all been
discovered by the more capable professionals and done earlier, leaving
the newcomers little chance. Thus I think the requirement of proving
one's 'better' analysis capability is suppressive for novel design
ideas from coming up."
- 1998-10-28 Bruce Schneier:
"...people who have not demonstrated
their ability to break algorithms are unlikely to develop algorithms
that cannot easily be broken. I don't believe the easier jobs have
all been taken."
- 1998-10-28 Mok-Kong Shen:
"These are so to say 'ready foods' for the would-be professionals on
the way to their true professional status. Why have these been so
rarely attacked? Or are there barely any would-be professionals
around perhaps?"
- 1998-10-28 Bruce Schneier:
"Because people are busy. Because not everyone has time to spend weeks
(or days or even hours) analyzing every random cipher that comes
across their desk. Because the designs are not published, so the
breaks are not publishable."
- 1998-10-29 Mok-Kong Shen:
"I disagree. The would-be professionals are busy in attempting to
prove their 'better'...
analysis capability through cracking algorithms that are
presumably hard."
- 1998-10-29 Bruce Schneier:
"Many of us have breaks of amateur ciphers, ones that appear on
sci.crypt, get patents, or are used operationally, that we just don't
have time to write up or flesh out. It's just not worth the bother."
- 1998-10-29 Mok-Kong Shen:
"You said that because
people are busy no one has the time to look at the amateur ciphers
that are unpublished, etc. etc. I argued, hopefully convincingly and
clearly, that at least Terry Ritter's designs do deserve being
analyzed...."
- 1998-10-29 Bruce Schneier:
"You know, I don't want to pick on Ritter in particular here. I don't
know about whether his designs "deserve" to be analyzed; that is a
value judgment. I don't know if they are strong or weak."
- 1998-10-30 dscott@networkusa.net:
"...I guess I sometimes do agree with limited parts of
what Bruce Babels out."
- 1998-10-30 Mok-Kong Shen:
"Very sorry that I am not on your side. Quite a lot of what Bruce
Schneier said does correspond to the reality (a sad reality though)...."
- 1998-10-30 :
"I'd like to see a group that tries to develop and to break amateur
ciphers - not as a group of cryptographers that develop strong ciphers,
but as cryptanalyticers (something like the ACA but working with
computers and modern cryptanalysis)."
- 1998-10-30 W T Shaw:
"Many in the ACA are working with computers and extending their
capabilities. The first hurdle has been in developing automated means of
solving all ciphers in the ACA stable."
- 1998-10-31 Douglas A. Gwyn:
"Actually, the ACA does have a section devoted to computers.
But it needs more members!"
- 1998-10-30 Mok-Kong Shen:
"Are you saying that the academia neglects the patent
publications?"
- 1998-10-30 dscott@networkusa.net:
"I guess then you greatly underestimate the EGO of the phony
crypto gods."
- 1998-10-30 Bruce Schneier:
"Ritter is an example of someone who does not publish
(in an academic sense) but does patent. His writings are generally
ignored by the academic community. I'm sorry this is true; I'd like
it to be different."
- 1998-10-30 Mok-Kong Shen:
"Patents cannot be ignored by the academic community. If one develops
a new cipher, he needs to know whether he doesn't infringe on someone's
patents."
- 1998-10-30 Bruce Schneier:
"Patents are not considered peer-reviewed publications in academia."
- 1998-11-02 Mok-Kong Shen:
"In A. J. Menezes et al. a whole chapter, Chap. 15, is devoted to
'Patents and Standards'. There they write:
'This chapter discusses two topics which have significant impact
on the use of cryptology in practice: patents and standards.'"
- 1998-11-02 Patrick Juola:
"The overall standing
of patent review is sufficiently low that the people who have the
authority to decide what does and doesn't constitute 'peer review'
have decided that patents don't cut it."
- 1998-11-02 JPeschel:
"Why not go here and look around...."
- 1998-11-03 Mok-Kong Shen:
"There are scientific conferences where the majority of
the program committee, even including the chair, are not from
universities. Are those who are not academics not 'peers' doing the
review and are not equivalent to those who have university positions
in the process?"
- 1998-11-06 Bruce Schneier:
"I believe you would be amazed by what gets through the patent office.
The only thing they regularly catch are perpetual motion machines...."
- 1998-11-06 Bruce Schneier:
"Oops. I meant 'community.'"
- 1998-11-10 Mok-Kong Shen:
"My sincere apology all to readers of the group for having wasted
bandwidth."
- 1998-11-11 Mok-Kong Shen:
"If the academics choose to
ignore the patent publications and claim that only the papers in
journals edited by them are scientific contributions (I doubt this),
then they are not practicing science but 'religion'!"
- 1998-11-11 Stefan Axelsson:
"...the majority of
researchers recognise that there are difficult, and fundamental
problems with referring to URL:s, or other forms of transient
communication."
- 1998-11-11 W T Shaw:
"Scientific truth is what is valuable, preferable to that of a paper
published through a process that might ignore aspects by limiting debate
of the particulars."
- 1998-11-12 Stefan Axelsson:
"Now, of course there are references, and references, but if one
resorts to building one's argument on a reference that the reader
cannot himself verify, then of course one must question why...."
- 1998-11-12 Joseph K. Nilaad:
"I can see that URL may be short life, but
as long as it lives, it should be considered valid reference."
- 1998-11-12 Patrick Juola:
"But http://www.bedrock.com/~fleems isn't nearly as helpful if the
domain no longer exists and I can't even tell who did the work to
phone him."
- 1998-11-18 Joseph K. Nilaad:
"Likewise, what if the publishers like Random House no longer exist. So
what if the referenced URL no longer exists. At least you're being *honest*
about it."
- 1998-11-18 Patrick Juola:
"The basic problem is that telling him that it's at
http:[...]/~fleems is borderline useless."
- 1998-11-23 Coen L.S. Visser:
"The problem is more serious than just a disappearing URL. What if the URL still
exists, but the content has changed."
- 1998-11-23 Arnoud "Galactus" Engelfriet:
"How about downloading the relevant documents from the Web and putting
them on a CD-ROM, which is distributed together with the report?"
- 1998-11-23 Coen L.S. Visser:
"That would be really nice of course but as you already state it has a
lot of practical problems."
- 1998-11-23 Stefan Axelsson:
"What is needed, is some other, resilient, long lasting, redundant
third party storage of references, such as a library is for printed
material today."
- 1998-11-23 Coen L.S. Visser:
"Libraries would be ideal for that task...."
- 1998-11-14 Stefan Axelsson:
"...the average time from research to publication in a refereed
journal today is two years. Many/most of those URL:s will be dead by
the time the paper leaves the presses."
- 1998-11-16 Joseph K. Nilaad:
"By the time it is published, the material may not be
applicable 2-3 years later."
"...just because publishing via URL is relatively short life comparing
with hard copies, it doesn't mean we should not give publishers their
credits. Unless, if you think that swindling someone's idea is OK."
- 1998-11-17 W T Shaw:
"If you can give credit, fine."
- 1998-11-17 Stefan Axelsson:
"...If your only
motivation for including a reference is to acknowledge someone else's,
idea, then the name of said person would (in general) do nicely. If
you include a URL, it should be with the knowledge that it is/will
become useless to the reader in a very short period of time."
- 1998-11-12 Terry Ritter:
"This addresses the *convenience* of Science to the reader. But it
ignores the *responsibility* of the author and the *requirement* of
scientific publication to acknowledge the previous work, the source of
the inspiration (rarely is any work completely original). If that
previous work came in a private letter, so be it."
- 1998-11-14 Stefan Axelsson:
"...if you *build* your argument on
something you reference, then this reference should be reliably
available to your peers."
- 1998-11-11 Bruce Schneier:
"...I consider myself avant guard by citing email
messages, URLs, and patents in my papers. I take some flak for it,
but I do it anyway. Most others don't bother...."
- 1998-11-11 Mok-Kong Shen:
"To be an avantguard is one thing yet not to mention a relevant
fact that a scientist himself is MOST familiar...."
- 1998-11-11 Bruce Schneier:
"Yeah. Sure. You're right. Whatever."
- 1998-11-11 W T Shaw:
"You have that in common with Ritter, as I recall."
- 1998-11-11 Bruce Schneier:
"There are others, too. Currently the academic community is still
trying to figure out how to handle URL references."
- 1998-11-12 W T Shaw:
"Fair use should mean that you could post the reference if it disappeared.
Important things change from what is printed in journals and books too,
job titles, mailing addresses and phone numbers. Actual technical
mistakes are rather hard to reverse as well in fixed media; note the
increased leaning on the web for current updates."
- 1998-11-12 Bruce Schneier:
"The page I look at when I write
my paper may or may not be the same page you look at when you check my
reference."
- 1998-11-12 Tim Bass:
"With the current state of the network, it is quite unprofessional to
reference URLS."
- 1998-11-12 Terry Ritter:
"...I often find myself dealing
with an different version of a well-known work than someone else is
quoting. I handle this, when necessary, by going to the library and
getting 'the' reference."
- 1998-11-13 Mok-Kong Shen:
"Information on the internet, in particular the Web, is getting archived."
- 1998-11-13 Patrick Juola:
"...assuming the average document half-life
is about six months (which I pulled out of thin air, but seems
about right), then you'll need to buy the entire Web in terms of
disk capacity EVERY YEAR."
- 1998-11-18 Coen L.S. Visser:
"I think the author making the reference should be responsible for archiving
the particular web page in case the original reference becomes invalid."
- 1998-11-18 Patrick Juola:
"I think that's about the fourth most unreasonable assertion I've heard
in my life."
- 1998-11-23 Coen L.S. Visser:
"...if you write books for a living and you have a web page, I believe
the chances are quite high that your (new) web page can be found."
- 1998-11-13 Joseph K. Nilaad:
"This is just a thought on handling referred URL documents:
If a document has references from any URL, those URL references must be
electronically signed."
- 1998-11-17 Mok-Kong Shen:
"...paper publications actually also have the same problem."
- 1998-11-17 Stefan Axelsson:
"...if the IEEE for example were to say, OK, to h*ll with the dead
trees, let there be business as usual, but on the web instead, then
of course, (almost) all that which is the IEEE would transfer to the
electronic medium, and little would have to change."
"The situation with everyone "publishing" their material is so far
removed from this that I don't know where to start."
- 1998-11-17 Mok-Kong Shen:
"How do we
know that this document is really from the person having the
name X?"
- 1998-11-17 Patrick Juola:
"The IEEE (for example) has implicitly 'signed' or 'authenticated'
the claims made in its published work."
- 1998-11-23 Stefan Axelsson:
"...the beauty of there being several hard copies made of
each publication, makes it trivial for the reader to get his material
from several sources, should he lack trust in any single one of
them."
- 1998-11-17 W T Shaw:
"You could mail or email a question to the author."
- 1998-11-17 Patrick Juola:
"...even if you send mail and get a response back, how do you know that
you're getting the right person?"
- 1998-11-22 W T Shaw:
"There is something said for meeting people physically,
creating a history on which verification can be based."
- 1998-11-11 Bruce Schneier:
"Almost all patents are examined by almost nobody."
- 1998-11-11 Mok-Kong Shen:
"...large chemical
firms need people knowledgeable in such patents in order that
they can do their business properly."
- 1998-11-11 Bruce Schneier:
"I'm going to drop the thread."
- 1998-11-12 Mok-Kong Shen:
"That patents are important in
the 'practice' (as against pure theory) of a large number of
professions should be well-known."
- 1998-11-13 Mok-Kong Shen:
"...only three days after the issue of
the patent it is already to be found on a Web page...."
- 1998-11-18 Mok-Kong Shen:
"Patents play in science and technology a significant role which
cannot be and is not ignored by the academic community...."
- 1998-11-19 Mok-Kong Shen:
"I was only arguing about the VALUE of patent documents
which Bruce Schneier negated, saying that these are not even
publications."
- 1998-11-12 Joseph K. Nilaad:
"...why
should one work for someone for free? The patents are owned by
somebody!"
- 1998-11-16 Denning Langston:
"Processes that
create useful chemical compounds efficiently or cheaply are patentable, and
specific uses of chemical compounds are patentable (pharmaceuticals,
pesticides, herbicides, etc.), but chemical compounds in and of themselves
are not patentable."
- 1998-11-16 Mok-Kong Shen:
"...patents... contain...
essential and valuable scientific information which
should not be ignored by the academics (those at the universities
and the academies of sciences) and, as far as I can make out, is
indeed not largely ignored by them (the converse was argued by
Bruce Schneier.)"
- 1998-11-10 Joseph K. Nilaad:
"My point is that it doesn't matter whether it is amateur or expert who
design the crypto, patent or not, we all want the best crypto possible.
If AES confine to non patent algorithm, I think it is very narrow
minded."
- 1998-11-10 Patrick Juola:
"No apologies for patent agents should be necessary -- they're
overworked civil servants doing the best they can under adverse
conditions. But they're certainly not the peers of the authors
of papers at CRYPTO'97."
- 1998-11-10 :
"Without patents all new inventions would have to be kept secret to keep
others from copying it."
"But it is really not their job to test an encryption algorithm for
strength."
- 1998-11-10 Andrew Haley:
"If the AES is to be universally used, it must not be encumbered by
royalties."
- 1998-11-11 W T Shaw:
"AES has several implications, only one of them be that could replace lots
of others."
- 1998-11-10 Bruce Schneier:
"I have nothing against patented algorithms. People are welcome to
patent algorithms. I see no reason to implement patented algorithms
when there are unpatented alternatives. This is just good economics.
I see no reason to perform free analysis on patented algorithms unless
there is a good reason to do so."
- 1998-11-11 malinov@mindless.com:
"Last I checked, cryptography is examined at the USPTO in art unit 2766 by
three primary examiners, two juniors on the verge of becoming primaries and
four juniors still in their first six months."
- 1998-11-12 Terry Ritter:
"This is *temporary* economics. By failing to compensate the work
actually performed, we fail to build a profit-based business of cipher
design. We have ciphers, yes. But we do not have a continuing
business of cipher design, along with the expensive expertise and
corporate history associated with other technologies."
- 1998-11-13 :
"Free software has a long tradition and no other software is developed
faster and more continuous than free software."
- 1998-11-13 Andrew Haley:
"A successful AES candidate must be universal. This means that it must
be used everywhere, in both free and unfree software. A patented
algorithm may not be used in free software, so cannot be used
universally."
- 1998-11-13 Bryan G. Olson; CMSC (G):
"If Bob works on
an algorithm for free, then if he finds a weakness he gets to
publish, and if he doesn't he never has to reveal he tried."
- 1998-11-13 Bruce Schneier:
"Occasionally a company hires us
to review an open cryptographic primitive, and allows us to
publish our results."
- 1998-11-16 John Savard:
"...the
absence of a thriving cryptography industry means that the ciphers
available for use are not as strong, or as well-analyzed, as they might be."
- 1998-11-11 Joseph K. Nilaad:
"This really bothers me."
- 1998-10-30 Patrick Juola:
"The existence of embarrassingly large numbers of thoroughly ludicrous
patents is well-documented."
- 1998-11-04 W T Shaw:
"Cryptography is a special class...."
- 1998-11-05 dscott@networkusa.net:
"If the NSA is doing its job at all any encryption that is used at
all on the net would be analyzed by them."
- 1998-11-04 Andrew Carol:
"In my military comm days, we had a custom IO processor which could handle
word sizes from 5 up to 32 bits, in either big or little endian, in either
positive or negative logic, with any parity (or even multiple parity per
word)."
- 1998-11-05 dscott@networkusa.net:
"...I still feel that having a non multiple of 8 makes it even safer."
- 1998-11-05 Andrew Carol:
"One's complement is, in my humble opinion, a real waste."
- 1998-11-05 dscott@networkusa.net:
"At least the 1's complement
had the same range of numbers in the positive and negative direction...."
- 1998-11-05 Andrew Carol:
"...I end up using
features of 2's complement almost everyday, and can't think of the
last time I wished I was using the 1's complement"
- 1998-11-05 R H Braddam:
"Your post reminds me of the AN/FST-2B data processor."
- 1998-11-05 Andrew Carol:
"I worked on the follow-on system, FYQ-9?"
- 1998-11-06 Douglas A. Gwyn:
"The right to privacy is not explicitly spelled out...."
- 1998-11-06 David Sternlight:
"...the government may compel productions of one's private papers via lawful
subpoena despite the Constitutional 'right to be secure in one's papers'."
- 1998-11-11 Scott Nelson:
"The existence of the general right to privacy has never
seriously been questioned."
- 1998-11-12 pstromer@my-dejanews.com:
"'We recently referred [p*485] in Mapp v. Ohio, 367 U.S. 643, 656, to the
Fourth Amendment as creating a 'right to privacy, no less important than any
other right carefully and particularly reserved to the people.'"
- 1998-11-12 R H Braddam:
"I hope this ends the discussion about the right to privacy -- whether it
exists or not. It does, not just in my opinion, but in the opinion of the
Congress and the Supreme Court."
- 1998-11-18 lamontg@bite.me.spammers:
"It has never, however, been an explicit part of the Constitution."
- 1998-11-06 Bryan G. Olson; CMSC (G):
"Two's complement is simply arithmetic mod 2^WordSize,
while one's complement is mod (2^WordSize)-1."
- 1998-11-07 :
"...it is true that less circuitry is required to add a negative integer
to a positive integer in two's complement...."
- 1998-11-08 Douglas A. Gwyn:
"I've programmed both, and either
representation is reasonable for most purposes."
- 1998-11-04 W T Shaw:
"I expect they already have looked at your various algorithms. After all
it is their job to do this sort of thing."
- 1998-11-06 Bruce Schneier:
"The NSA does not comment on patentability. Actually, I'm pretty sure
they don't review crypto patent apps anymore."
- 1998-11-06 W T Shaw:
"I don't expect NSA to be incompetent, which
means it should it sops up and funnels ALL the easy leads to the company
store for analysis."
- 1998-11-10 Terry Ritter:
"It is my understanding that there is "a NSA desk" in the PTO which
does review crypto applications. If so, it must be a tough job."
"My Dynamic Substitution patent file actually *disappeared* from the
PTO for a while in 1990."
- 1998-11-10 malinov@mindless.com:
"Applications by US
citizens which involve real cryptography are copied; the copy is sent to
someone at NSA for review."
- 1998-11-10 Terry Ritter:
"I was eventually
bucked up to the department head Herself and she wouldn't tell me
where the file was or why, which seems unusual to this day."
- 1998-11-11 malinov@mindless.com:
"Secrecy orders are only imposed on government
owned systems, usually classified from birth."
- 1998-11-10 John Savard:
"...unbreakable encryption is already a reality for anyone who wants it."
- 1998-11-10 Bo Dömstedt:
"What would happen if some foreigner, such as me, would
file a cipher patent application?"
- 1998-11-11 malinov@mindless.com:
"If you filed an application from Sweden in the US, it would not even be shown
to NSA."
- 1998-10-30 Terry Ritter:
"I have no doubt that understanding the patent literature is
substantially more difficult than understanding academic papers.
Still, it *is* published technology. Failing to know published
technology means failing to be an expert in the field."
"It's *not* true that I don't publish; I just don't publish in a
particular form and outlet."
- 1998-10-30 Bruce Schneier:
"Perhaps it is true that
someone who does not regularly read the patent output stream should
not be considered an expert in the field. I don't know. None of this
is related to my point, which is about what actually does happen."
- 1998-10-31 dscott@networkusa.net:
"How politically correct."
- 1998-10-31 JPeschel:
"Look, Dave, you aren't helping your cause...."
- 1998-10-31 Remo A. Linky:
"Thanks for hanging in there!"
- 1998-10-31 Bruce Schneier:
"Thanks."
- 1998-10-31 dscott@networkusa.net:
"...even though
my rules are unfair to bad for you other guys and I don't mind
telling about these unfair rules of mine."
- 1998-10-31 W T Shaw:
"...please don't consider our academic
and philosophical criticisms as personal attacks; heated debate can merely
mean that people are getting down to the most important aspects of their
differences...."
- 1998-10-31 Bruce Schneier:
"I like the academic and philosophical criticisms; that's why
I stay here."
- 1998-10-31 W T Shaw:
"Sometimes it is best to see how far you
can go on your own without tainting your thoughts with the misgivings of
others."
- 1998-10-30 John Savard:
"It should be noted, though, that Terry Ritter has had academic
publications in the past; three or so papers in Cryptologia on Dynamic
Substitution and related topics."
- 1998-10-30 Bruce Schneier:
"Thanks for pointing that out. I had meant to, but forgot."
- 1998-10-31 dscott@networkusa.net:
"Get real, your arrogance is showing through."
- 1998-10-31 dscott@networkusa.net:
"John Bruce most likely was in his usual put people down mode...."
- 1998-10-31 Terry Ritter:
"Let's just try to hold it down a little."
- 1998-10-28 Terry Ritter:
"...my stuff is *scalable*: We have *no* *doubt* that the ultimate
scaled-down versions will be weak. By using few component types and
an overall regular structure, I hope to *expose* every avenue into the
design."
- 1998-10-28 Bruce Schneier:
"It would be better
if you would put up strawman designs, so that people would have
something concrete to analyze...."
- 1998-10-30 John Savard:
"...the quote as I saw it in later posts, out of context, seems to say
that here are designs that even amateurs can break."
- 1998-10-28 Douglas A. Gwyn:
"...occasionally breakthroughs in knowledge are made by
'dabblers' who work outside the
mainstream. However, the odds are still that in any given case a
dabbler is wasting his time."
- 1998-10-29 W T Shaw:
"I suppose I am an optimist, but fairness seems to mean giving someone the
benefit of the doubt, whether you want to or not."
- 1998-10-29 Bruce Schneier:
"If someone tries hard enough, he will wear his 'benefit of the doubt'
out."
- 1998-10-30 dscott@networkusa.net:
"Not sure if I should give you the benefit of the doubt
since you only tend to look down on the masses and prevent
any one with a good idea to get a fair chance."
- 1998-10-31 fungus:
"A serious analysis of something like ScottXX is a serious
undertaking, probably a couple of months of hard work."
- 1998-11-09 newWebsite:
"The website is ready for you!"
Subject: Memo to the Amateur Cipher Designer
Date: Sat, 17 Oct 1998 23:35:28 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 152
This was in the October CRYPTO-GRAM, but I thought I'd run it through
sci.crypt, since so many people seem to be asking questions on the
topic.
Bruce
Memo to the Amateur Cipher Designer
Congratulations. You've just invented this great new cipher, and you
want to do something with it. You're new in the field; no one's heard
of you, and you don't have any credentials as a cryptanalyst. You
want to get well-known cryptographers to look at your work. What can
you do?
Unfortunately, you have a tough road ahead of you. I see about two
new cipher designs from amateur cryptographers every week. The odds
of any of these ciphers being secure are slim. The odds of any of
them being both secure and efficient are negligible. The odds of any
of them being worth actual money are virtually non-existent.
Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can't break. It's not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis. And the only way to prove that is to subject
the algorithm to years of analysis by the best cryptographers around.
"The best cryptographers around" break a lot of ciphers. The academic
literature is littered with the carcasses of ciphers broken by their
analyses. But they're a busy bunch; they don't have time to break
everything. How do they decide what to look at?
Ideally, cryptographers should only look at ciphers that have a
reasonable chance of being secure. And since anyone can create a
cipher that he believes to be secure, this means that cryptographers
should only look at ciphers created by people whose opinions are worth
something. No one is impressed if a random person creates a cipher
he can't break; but if one of the world's best cryptographers creates
a cipher he can't break, now that's worth looking at.
The real world isn't that tidy. Cryptographers look at algorithms
that are either interesting or are likely to yield publishable
results. This means that they are going to look at algorithms by
respected cryptographers, algorithms fielded in large public systems
(e.g., cellular phones, pay-TV decoders, Microsoft products), and
algorithms that are published in the academic literature. Algorithms
posted to Internet newsgroups by unknowns won't get a second glance.
Neither will patented but unpublished algorithms, or proprietary
algorithms embedded in obscure products.
It's hard to get a cryptographic algorithm published. Most
conferences and workshops won't accept designs from unknowns and
without extensive analysis. This may seem unfair: unknowns can't get
their ciphers published because they are unknowns, and hence no one
will ever see their work. In reality, if the only "work" someone ever
does is in design, then it's probably not worth publishing. Unknowns
can become knowns by publishing cryptanalyses of existing ciphers;
most conferences accept these papers.
When I started writing _Applied Cryptography_, I heard the maxim that
the only good algorithm designers were people who spent years
analyzing existing designs. The maxim made sense, and I believed it.
Over the years, as I have spent more time doing design and analysis, the
truth of the maxim has gotten stronger and stronger. My work on the
Twofish design has made me believe this even more strongly. The
cipher's strength is not in its design; anyone could design something
like that. The strength is in its analysis. We spent over 1000
man-hours analyzing Twofish, breaking simplified versions and
variants, and studying modifications. And we could not have done that
analysis, nor would we have had any confidence in that analysis, had
not the entire design team had experience breaking many other
algorithm designs.
A cryptographer friend tells the story of an amateur who kept
bothering him with the cipher he invented. The cryptographer would
break the cipher, the amateur would make a change to "fix" it, and the
cryptographer would break it again. This exchange went on a few times
until the cryptographer became fed up. When the amateur visited him
to hear what the cryptographer thought, the cryptographer put three
envelopes face down on the table. "In each of these envelopes is an
attack against your cipher. Take one and read it. Don't come back
until you've discovered the other two attacks." The amateur was never
heard from again.
I don't mean to be completely negative. People occasionally design
strong ciphers. Amateur cryptographers even design strong ciphers.
But if you are not known to the cryptographic community, and you
expect other cryptographers to look at your work, you have to do
several things:
1. Describe your cipher using standard notation. This doesn't mean C
code. There is established terminology in the literature. Learn it
and use it; no one will learn your specialized terminology.
2. Compare your cipher with other designs. Most likely, it will use
some ideas that have been used before. Reference them. This will
make it easier for others to understand your work, and shows that you
understand the literature.
3. Show why your cipher is immune against each of the major attacks
known in literature. It is not good enough just to say that it is
secure, you have to show why it is secure against these attacks. This
requires, of course, that you not only have read the literature, but
also understand it. Expect this process to take months, and result in
a large heavily mathematical document. And remember, statistical
tests are not very meaningful.
4. Explain why your cipher is better than existing alternatives. It
makes no sense to look at something new unless it has clear advantages
over the old stuff. Is it faster on Pentiums? Smaller in hardware?
What? I have frequently said that, given enough rounds, pretty much
anything is secure. Your design needs to have significant performance
advantages. And "it can't be broken" is not an advantage; it's a
prerequisite.
5. Publish the cipher. Experience shows that ciphers that are not
published are most often very weak. Keeping the cipher secret does
not improve the security once the cipher is widely used, so if your
cipher has to be kept secret to be secure, it is useless anyway.
6. Don't patent the cipher. You can't make money selling a cipher.
There are just too many good free ones. Everyone who submitted a
cipher to the AES is willing to just give it away; many of the
submissions are already in the public domain. If you patent your
design, everyone will just use something else. And no one will
analyze it for you (unless you pay them); why should they work for you
for free?
7. Be patient. There are a lot of algorithms to look at right now.
The AES competition has given cryptographers 15 new designs to
analyze, and we have to pick a winner by Spring 2000. Any good
cryptographer with spare time is poking at those designs.
If you want to design algorithms, start by breaking the ones out
there. Practice by breaking algorithms that have already been broken
(without peeking at the answers). Break something no one else has
broken. Break another. Get your breaks published. When you have
established yourself as someone who can break algorithms, then you can
start designing new algorithms. Before then, no one will take you
seriously.
Creating a cipher is easy. Analyzing it is hard.
See "Self-Study Course in Block Cipher Cryptanalysis":
http://www.counterpane.com/self-study.html
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
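As an added illustration of point 3 of the memo ("statistical tests are not very meaningful"), not code from Schneier or from anyone in this thread: a constructed toy stream cipher whose ciphertext passes a byte-frequency test as well as any good cipher's would, yet four bytes of known plaintext recover the whole message. The generator (xorshift32 with its full state leaked into the keystream), the key and the sample message are all assumptions of this example.

```python
# Added example, not from the memo or the thread: a toy stream cipher that
# passes a byte-frequency (chi-square) test but falls to four bytes of known
# plaintext. The cipher, key and sample message are constructed for this demo.
import struct

MASK32 = 0xFFFFFFFF


def xorshift32(state):
    """One step of Marsaglia's xorshift32; state must be non-zero."""
    state ^= (state << 13) & MASK32
    state ^= state >> 17
    state ^= (state << 5) & MASK32
    return state


def keystream_from_state(state, n):
    """n bytes of keystream: successive 32-bit states, little-endian.
    Emitting the full generator state is the design flaw shown below."""
    out = bytearray()
    while len(out) < n:
        state = xorshift32(state)
        out += struct.pack("<I", state)
    return bytes(out[:n])


def toy_encrypt(key, plaintext):
    """XOR with the keystream; decryption is the same operation."""
    ks = keystream_from_state(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def chi_square_bytes(data):
    """Chi-square statistic of byte frequencies against the uniform distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def passes_frequency_test(data, limit=330.0):
    """Limit is roughly the 99.9th percentile of chi-square with 255 degrees
    of freedom; a good cipher's output of random-looking data stays below it."""
    return chi_square_bytes(data) < limit


def recover_plaintext(ciphertext, known_prefix):
    """Known-plaintext recovery needing only the first four plaintext bytes
    (e.g. a file header): ciphertext[:4] XOR plaintext[:4] is the first
    keystream word, which is the generator state itself, so the rest of the
    keystream follows and the whole message decrypts."""
    if len(known_prefix) < 4:
        raise ValueError("need at least four known plaintext bytes")
    first_word = bytes(c ^ p for c, p in zip(ciphertext[:4], known_prefix[:4]))
    state = struct.unpack("<I", first_word)[0]
    ks = first_word + keystream_from_state(state, len(ciphertext) - 4)
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# Constructed sample: a very non-uniform message and a constructed key.
SAMPLE_KEY = 0x1234ABCD
SAMPLE_PLAINTEXT = b"ATTACK AT DAWN. " * 512


def demo():
    """The ciphertext looks random; the plaintext does not; the break still works."""
    ct = toy_encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    recovered = recover_plaintext(ct, SAMPLE_PLAINTEXT[:4])
    return {
        "plaintext_passes": passes_frequency_test(SAMPLE_PLAINTEXT),
        "ciphertext_passes": passes_frequency_test(ct),
        "recovered_all": recovered == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The frequency test says nothing about key recovery: any XOR of plaintext with a roughly uniform keystream looks uniform, which is why the memo asks for arguments against the specific attacks in the literature rather than statistics.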
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 04:20:15 GMT
From: george.barwood@dial.pipex.com (George Barwood)
Message-ID: <362967c9.4415110@news.dial.pipex.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 14
On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
Schneier) wrote in part:
> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
I disagree - some time ago I posted an algorithm to sci.crypt, and
received a quick (and useful) analysis from David Wagner. The
algorithm was not strong against known-plaintext attack, but this was
as expected (the design aim was speed at all costs).
Not that I disagree with the intent or conclusions of your article -
but I don't think this statement holds up.
George
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Oct 1998 06:07:01 -0700
From: Karl-Friedrich Lenz
Message-ID: <70cp5l$jbu@edrn.newsguy.com>
References: <362967c9.4415110@news.dial.pipex.com>
Newsgroups: sci.crypt
Lines: 22
In article , george.barwood@dial.pipex.com says...
>
>On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
>Schneier) wrote in part:
>
>>Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>
>I disagree - some time ago I posted an algorithm to sci.crypt, and
>received a quick (and useful) analysis from David Wagner. The
>algorithm was not strong against known-plaintext attack, but this was
>as expected (the design aim was speed at all costs).
>
>Not that I disagree with the intent or conclusions of your article -
>but I don't think this statement holds up.
Probably Mr. Schneier intended to say "not a second glance by professionals in
scientific papers", which might be true. But the level of sci.crypt is not that
low, and there seem to be quite a lot of people ready to have a swing at new
ideas.
Karl-Friedrich Lenz :-)
www.toptext.com/crypto
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 15:00:36 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <362a0287.3103532@news.visi.com>
References: <362967c9.4415110@news.dial.pipex.com>
Newsgroups: sci.crypt
Lines: 23
On Sun, 18 Oct 1998 04:20:15 GMT, george.barwood@dial.pipex.com
(George Barwood) wrote:
>On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
>Schneier) wrote in part:
>
>> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>
>I disagree - some time ago I posted an algorithm to sci.crypt, and
>received a quick (and useful) analysis from David Wagner. The
>algorithm was not strong against known-plaintext attack, but this was
>as expected (the design aim was speed at all costs).
>
>Not that I disagree with the intent or conclusions of your article -
>but I don't think this statement holds up.
You're right. There are exceptions to this. Agreed.
Bruce
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Oct 1998 17:17:12 +0200
From: Jon Haugsand <haugsand@procyon.nr.no>
Message-ID: <yzobtn9nblz.fsf@procyon.nr.no>
References: <362a0287.3103532@news.visi.com>
Newsgroups: sci.crypt
Lines: 19
* Bruce Schneier
| >> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
| >
| >I disagree - some time ago I posted an algorithm to sci.crypt, and
| >received a quick (and useful) analysis from David Wagner. The
| >algorithm was not strong against known-plaintext attack, but this was
| >as expected (the design aim was speed at all costs).
|
| You're right. There are exceptions to this. Agreed.
Actually, wouldn't this be a good way to train oneself with
cryptanalyzing? Breaking amateur ciphers posted to the usenet?
--
Jon Haugsand
Norwegian Computing Center, <http://www.nr.no/engelsk/>
<mailto:haugsand@nr.no> Pho: +47 22852608 / +47 22852500,
Fax: +47 22697660, Pb 114 Blindern, N-0314 OSLO, Norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 04:09:14 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <362abb52.2020632@news.visi.com>
References: <yzobtn9nblz.fsf@procyon.nr.no>
Newsgroups: sci.crypt
Lines: 25
On 18 Oct 1998 17:17:12 +0200, Jon Haugsand <haugsand@procyon.nr.no>
wrote:
>* Bruce Schneier
>| >> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>| >
>| >I disagree - some time ago I posted an algorithm to sci.crypt, and
>| >received a quick (and useful) analysis from David Wagner. The
>| >algorithm was not strong against known-plaintext attack, but this was
>| >as expected (the design aim was speed at all costs).
>|
>| You're right. There are exceptions to this. Agreed.
>
>Actually, wouldn't this be a good way to train oneself with
>cryptanalyzing? Breaking amateur ciphers posted to the usenet?
Definitely. I think it's the best way. Not only do you get
experience breaking ciphers, but you get some very easy ones to start
on.
Bruce
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 17 Oct 1998 22:33:44 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1710982234000001@dialup175.itexas.net>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 110
In article <36292906.1151332@news.visi.com>, schneier@counterpane.com
(Bruce Schneier) wrote:
> This was in the October CRYPTO-GRAM, but I thought I'd run it through
> sci.crypt, since so many people seem to be asking questions on the
> topic.
>
> Bruce.
....
There have been many such discussions which marry some good advice with
propaganda, serving the status quo rather than being inclusive of all
attempts at improvement in the condition of man. A contrived obstacle
course means being sure that few can finish, and more are discouraged from
even trying. Those that do run the gauntlet and break the tape seem to
confirm its validity to the blinded faithful, notwithstanding the best
intentions of those who would sit in judgement, doing the best they can to
feel that the whole process is of inordinate value.
As with any presentation, you are encouraged to find weaknesses in what is
included in the prior posting in this thread. Authoritarianism is always
subject to incompleteness in information that conflicts with its adopted
views; and, the stronger it is the more vocal it is in denouncing whatever
differs with it. Intolerance ain't pretty.
Since sound reasoning is essential in cryptography: If you know where your
feet are, you should be able to cut through the nonsense to glean
something even useful from the talk. Much of the content is not new at
all, but contrived decades ago, and seeks to hamstring the possibilities
of the present to the hindrances of the past, more especially in this
subject of ours, and not further the open art at all. The scripting of
the elements is in the form of an arrangement in supportive order for
argument's sake so they sound more reasonable than they are. The caveats
do form comfortable enclaves for those that want to excuse the rest of the
stuff.
Remember, the only excuse for formal education is learning how to learn.
The end ideal is to become a self-starter in your search for truth, not
requiring so many hours credit in order to have particular ability. What
is to be acquired is being able to DO rather than always having to ask
permission and direction for your occupations. When this honest goal of
finding your own direction is realized, it means that you are weaned. It
means that you are no longer required to seek an academic teat, or kiss
customary areas of despoiled anatomy.
You still have the right to seek helpful advice for its own sake, but no
obligation to bow and scrape for the privilege. Good information is not
to be cloistered.
You are allowed to judge legitimacy on intrinsic content rather than
whether it contradicts prior canonized scripture. You are encouraged in
true scientific tradition to test and inquire into the nature of anything
that has been spread before as the gospel.
If you are overly addicted to the opinions of certain people, you tend to
acquire their prejudices; afterwards, know that discovering any flaws is
prohibited, and severely punished by excommunication, which has always been
a religious act aimed at the unfaithful so as to humiliate and silence
them. This technique is often used as well against those that do not buy
the bit up front.
So often those that tout a regimen are just saying that it worked for
them, so it can do the same for you. You can eat the blood pudding of
tradition as long as you like, or you can graduate in informal elegancy,
freedom of thought being its own reward.
If you are not ready to fly, you may crash, which is preferable to being
stoned or shot down as a heretic in the other model. You then have the
option to dust yourself off, learn from your mistakes, and flap your wings
again.
Reinforcing the status quo means going nowhere not on the approved map;
innovation and creativity mean taking new and unorthodox approaches, and
sometimes finding that assumed ground rules are merely generalizations
that are not always true.
Life is far more variable than anyone can realize. It is such that you
can almost have nothing on the surface in common with whole groups of
people. This means that methods that work for some are going to be
rejected as bad style by others. The challenge is not to forcefully
remake everyone else in your own image, but to realize that no one has a
lock on the path to truth. It should be self-evident that what leads you
is the greater good rather than finding a way to get more articles
published than someone else.
In crypto, as in many other fields, sufficient study will lead you to
agreement with lots of what passes for acceptable thought. It can allow
you to unmask areas that have been glossed over. I would never discourage
someone from going it alone in a quest; so much in science is the product
of the dedicated contrarians who focused on a star that others wanted to
excuse as a photographic artifact. Be constrained only by those barriers
you show to be actually there. Cryptography is still wide open to new
concepts, as well as novel unifying ideas that put older methods in
perspective.
Bruce is a good soldier, but some don't march to the same drummer. I
would like to believe that anyone as intelligent as he appears to be would
serve less in the role of retelling so many false echoes from the past. He
continually tells us how difficult good cryptography is; I suppose that
reflects his experience. I am sure that he would like to make it easier
for others to learn what he has without going down the same path, yet he
would recommend it still.
Yet, I would not discourage him either from any cryptological endeavor, as
I would not do that to anyone.
--
---
Insanity means doing the same thing over and over again and expecting different results...like CDA2.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 04:07:00 GMT
From: Lloyd Miller <millerl@cuugnet.cuug.ab.ca>
Message-ID: <908683620.523852@server.cuug.ab.ca>
References: <jgfunj-1710982234000001@dialup175.itexas.net>
Newsgroups: sci.crypt
Lines: 25
W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote:
: In article <36292906.1151332@news.visi.com>, schneier@counterpane.com
: (Bruce Schneier) wrote:
:> This was in the October CRYPTO-GRAM, but I thought I'd run it through
:> sci.crypt, since so many people seem to be asking questions on the
:> topic.
:>
:> Bruce.
: ....
...
: If you are overly addicted to the opinions of certain people, you tend to
: acquire their prejudices; afterwards, know that discovering any flaws is
: prohibited, and severely punished by excommunication, which has always been
: a religious act aimed at the unfaithful so as to humiliate and silence
: them. This technique is often used as well against those that do not buy
: the bit up front.
Bruce's religion makes a lot more sense to me than yours.
--
Lloyd Miller, Calgary
millerl@cuug.ab.ca.
Terminal Insomniac
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 09:02:32 -0400
From: "Jay Holovacs" <holovacs@idt.net>
Message-ID: <70cs7t$kja@nnrp1.farm.idt.net>
References: <jgfunj-1710982234000001@dialup175.itexas.net>
Newsgroups: sci.crypt
Lines: 56
W T Shaw wrote in message ...
>>>
>
>There have been many such discussions which marry some good advice with
>propaganda, serving the status quo rather than being inclusive of all
>attempts at improvement in the condition of man. A contrived obstacle
>course means being sure that few can finish, and more are discouraged from
>even trying. Those that do run the gauntlet and break the tape seem to
>confirm its validity to the blinded faithful, notwithstanding the best
>intentions of those who would sit in judgement, doing the best they can to
>feel that the whole process is of inordinate value.
> [...etc...]
Newton said 'if I have seen farther than most, it is because I stood on the
shoulders of giants.' It has also been said 'he who will not learn from the
past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is
not a random shot in the dark, it has a long history of mistakes and
discoveries. Just as the patent office became littered with the products of
inventors of 'perpetual energy machines' not realizing what was wrong with
their great ideas, the crypto world is littered with schemes that mean
nothing.
You can't get far in chemistry without learning theory and experience of
those that went before. If you want to develop your own winning racing car,
you'd best begin by working with as many of the machines built by other
great builders as possible. Crypto is no different. If you can't break codes
that are out there, why should anyone believe that you have an answer. (In
truth, analysis is probably the more important part of the field now, even
though most beginners want to rush in and create their own
encryption algorithms.)
There is this mythology that by *not* learning how something is done, you
can come up with a radical new approach. Quaint, but it doesn't work in the
real world. Einstein learned existing physics before he shattered the
boundaries of the known physics world. Good writers, painters and composers
need to know all the rules of their art before they can break them
successfully. Only in areas where there is no history of prior art can
someone really come out of the blue and change things (as with small
computers 15-20 years ago). Crypto is not one of those areas.
Bruce offered some really good advice for getting yourself listened to,
break known codes and write up your results. These are not hard to get
published. If someone who can demonstrably analyze codes produces one, there
is much more reason to take such a person seriously.
Don't make excuses. Don't blame the 'establishment' that's out to stop you.
Listen to people who actually know something. Prove yourself if you want to
be believed.
Jay
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 11:34:03 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1810981134030001@dialup122.itexas.net>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 76
In article <70cs7t$kja@nnrp1.farm.idt.net>, "Jay Holovacs"
<holovacs@idt.net> wrote:
>
> Bruce offered some really good advice for getting yourself listened to,
> break known codes and write up your results. These are not hard to get
> published. If someone who can demonstrably analyze codes produces one, there
> is much more reason to take such a person seriously.
>
> Don't make excuses. Don't blame the 'establishment' that's out to stop you.
> Listen to people who actually know something. Prove yourself if you want to
> be believed.
>
The big question is what does one actually know from knowledge delivered
in a transfusion. In the days when some of us started working, there were
scant few resources to work with, and no open debate on any current crypto
advances. That time was distasteful, and we should not go there in any
respect.
Science is less about belief and more about evidence. You seem to confuse
the two. You might prejudice your results by looking for the wrong
evidence. In the end, each observation stands or falls on its own through
replication and not by the clout of a sole documenter. Personalities can
get involved, but true inquisitiveness should cause everyone to rise above
that. Apprenticeships are not a universal requirement.
There is not real establishment in crypto anymore, just truth where you
find it. In Bruce's work, there are sinful omissions and commissions, but
the subject is so large that this would always be a surety in some form.
To judge his character, we will see if he mentions in the future any
things he has previously ignored and have been pointed out directly to
him. If he is a true scientist, he will include such. I would gamble
that he in the end will choose fairness. You should not figure that he is
doomed to fail to rise to that imperative.
We each have the option of presenting contrasting and contradictory
evidence as we see it. Look for the amount of cryptological information
to explode as growth occurs in a myriad of directions. No one person will
be able to keep it under his thumb, and we better be willing to accept
increased specialization as it does.
It might surprise you that I do considerable work in code breaking, not
necessarily the ones you would choose. Sometimes I am more successful,
sometimes less. The goal for me is to learn how to defeat a weakness and
apply it in a refined design. To broadcast prematurely such results would
give others the advantage in future designs that I might reserve for
myself; and so probably it is with others.
It does not follow that a successful analysis can always lead to a better
design, and particularly that one known for solving a particular problem
can pose a better one. For some it is more important to learn from
failures and move on to something better than to trash another's work as a
justification for raising a consultant fee.
Back to Bruce, he has a couple of interesting designs in a relatively
narrow defined area of crypto. He is also a good researcher and has
assembled a certain amount of material in a convenient form. He is a
serious organizer, and exercises great concentration to get what he
wants. He is an excellent presenter, and most capable in matters closely
related to his work. He can be a bear in his zeal, and he can be most
cheerful when receiving compliments; we all tend to be that way at such
times. He defends his work as he should; it is considerable, showing a
colossal amount of labor, be it like anything else pushing certain
viewpoints over others.
He is worthy of some respect and will continue to inspire lots of people.
But, because he is a limited human being, it also follows that the
percentage of cryptography he understands will continue to slip as the
field outpaces anyone's ability to completely grasp it. This is not a
discourteous observation, just another real one. It could be as well said
for all others, even those who are into their work as a priority. We
should all be humbled by the magnitude of that problem.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 22:32:14 GMT
From: dscott@networkusa.net
Message-ID: <70dq9e$jjt$1@nnrp1.dejanews.com>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 48
In article <70cs7t$kja@nnrp1.farm.idt.net>,
"Jay Holovacs" <holovacs@idt.net> wrote:
>
> W T Shaw wrote in message ...
> >>>
> >
> >There have been many such discussions which marry some good advice with
> >propaganda, serving the status quo rather than being inclusive of all
> >attempts at improvement in the condition of man. A contrived obstacle
> >course means being sure that few can finish, and more are discouraged from
> >even trying. Those that do run the gauntlet and break the tape seem to
> >confirm its validity to the blinded faithful, notwithstanding the best
> >intentions of those who would sit in judgement, doing the best they can to
> >feel that the whole process is of inordinate value.
> > [...etc...]
>
> Newton said 'if I have seen farther than most, it is because I stood on the
> shoulders of giants.' It has also been said 'he who will not learn from the
> past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is
> not a random shot in the dark, it has a long history of mistakes and
> discoveries. Just as the patent office became littered with the products of
> inventors of 'perpetual energy machines' not realizing what was wrong with
> their great ideas, the crypto world is littered with schemes that mean
> nothing.
>
> You can't get far in chemistry without learning theory and experience of
> those that went before. If you want to develop your own winning racing car,
> you'd best begin by working with as many of the machines built by other
> great builders as possible. Crypto is no different. If you can't break codes
> that are out there, why should anyone believe that you have an answer. (In
> truth, analysis is probably the more important part of the field now, even
> though most beginners want to rush in and create their own
> encryption algorithms.)
>
I like your chemistry example; it fits well with the load of stuff
Bruce is trying to pass off. In chemistry when I had it in school we
got to see a lovely film on the noble gases. A bunch of PhD experts
said let's try to make compounds using this part of the periodic table. They
do all sorts of brainy exotic things. But no compounds formed from the
noble gases. At the end of the film they pompously stated how foolish it was
to even try and that there are no such compounds. Then our teacher
showed us the articles on how some nobodies made some. Yes, the chemistry
was a good example.
-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: 19 Oct 1998 02:14:15 GMT
From: jsavard@freenet.edmonton.ab.ca ()
Message-ID: <70e79n$896$1@news.sas.ab.ca>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 35
Jay Holovacs (holovacs@idt.net) wrote:
: Newton said 'if I have seen farther than most, it is because I stood on the
: shoulders of giants.' It has also been said 'he who will not learn from the
: past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is
: not a random shot in the dark, it has a long history of mistakes and
: discoveries.
I certainly do agree with this, people wanting to design a new cipher
ought to be familiar with what has gone before.
: Bruce offered some really good advice for getting yourself listened to,
: break known codes and write up your results. These are not hard to get
: published. If someone who can demonstrably analyze codes produces one, there
: is much more reason to take such a person seriously.
Well, I certainly have to admit there is truth to that. In _two_ ways.
Certainly, a cipher design from someone like Eli Biham, one of the
academic discoverers of differential cryptanalysis, is going to be taken
seriously, as it should.
And a general familiarity with the principles of cryptanalysis, especially
as they apply to the kind of cipher one is attempting to design, is going
to be an important guide away from various pitfalls.
However, cryptanalysis is a discipline of its own, and requires either
considerable stamina or advanced mathematical skills. One does not quite
need these qualifications to design a secure cipher, particularly if one
is following your earlier advice and not ignoring the lessons of previous
designs.
Of course, if one wants a hearing, if one's qualifications are modest, one
should be modest.
John Savard
Subject: Re: Memo to the Amateur Cipher Designer
Date: 19 Oct 1998 14:29:21 +0100
From: Mark Tillotson <markt@harlequin.co.uk>
Message-ID: <kxsogkfzny.fsf@harlequin.co.uk>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 64
jsavard@freenet.edmonton.ab.ca () wrote:
| And a general familiarity with the principles of cryptanalysis, especially
| as they apply to the kind of cipher one is attempting to design, is going
| to be an important guide away from various pitfalls.
|
| However, cryptanalysis is a discipline of its own, and requires either
| considerable stamina or advanced mathematical skills. One does not quite
| need these qualifications to design a secure cipher, particularly if one
| is following your earlier advice and not ignoring the lessons of previous
| designs.
Nonsense! How on earth can you claim to design a secure cipher if you are
_incapable_ of distinguishing a weak cipher from a strong cipher??? It
just doesn't make any sense at all.
That's like saying a blind person can paint a scene in correct colours
despite being unable to see what they are doing! Sure it's not
_impossible_ that it could happen, but no-one with an ounce of common sense
expects such an outrageously lucky outcome (or even for the paint to
end up on the canvas!!) We don't want a cipher that might well be
extremely strong, we want ciphers that are extremely likely to be
strong...
With cipher design we don't even have a way of distinguishing strong
from weak, we merely have techniques of varying sophistication for
trying to identify and measure weakness, and people more or less
highly skilled at applying them and inventing new techniques of
analysis. The cipher designer needs to iterate the design through
more and more sophisticated analyses until it _seems_ both
appropriately secure and efficient. Then the next step is to enlist
some more people to help in the process of searching for missed
weaknesses, and eventually publication.
It's an ongoing process of weeding out weaknesses, gradually bringing
in more and more people as one's confidence in the lack of "silly
mistakes" grows, just like any other safety-critical large-scale
engineering project.
There certainly is a lot of scope for amateurs to suggest _ideas_ to
use in cipher design, but a serious _design_ itself needs to be at the
centre of such a process of cryptanalysis, not just made up by
inspired guesswork.
So I'd agree that experience in cryptanalysis isn't necessary to
create a plausible _looking_ design, but that it is an _absolute
necessity_ for creating an actual publishable design (unless you just
wanted to create a toy cipher). If the 10000's of amateur
cryptographers all started publishing designs, we'd be in a total mess!
These days ciphers are expected to be used as building blocks for all
sorts of security primitives, so even "security" involves resistance
to many different modes of attack, and the amount of work needed to
design a cipher is usually beyond the skills and patience of a single
individual anyway.
Our whole digital infrastructure is going to depend on future ciphers
being secure, and I for one don't want to see the information
superhighway made of "concrete" that washes away the first time it
rains because its recipe was formulated by a well-meaning amateur who
didn't know anything about QA'ing concrete!!
__Mark
[ markt@harlequin.co.uk | http://www.harlequin.co.uk/ | +44(0)1954 785433 ]
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 19:13:05 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <362f81e7.14525013@news.prosurfr.com>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 31
Mark Tillotson <markt@harlequin.co.uk> wrote, in part:
>jsavard@freenet.edmonton.ab.ca () wrote:
>| However, cryptanalysis is a discipline of its own, and requires either
>| considerable stamina or advanced mathematical skills. One does not quite
>| need these qualifications to design a secure cipher, particularly if one
>| is following your earlier advice and not ignoring the lessons of previous
>| designs.
>Nonsense! How on earth can you claim to design a secure cipher if you are
>_incapable_ of distinguishing a weak cipher from a strong cipher??? It
>just doesn't make any sense at all.
I emphatically _agree_ that if you know *nothing* about cryptanalysis,
you won't be able to design a secure cipher (except by accident, or by
copying someone else's design with trivial changes).
I thought, though, that I was being clear in what I was trying to say;
that while a _knowledge_ of cryptanalysis is needed, actually being a
cryptanalyst - actually being able to carry out, in full, the
cryptanalysis of a difficult cipher, or being able to make theoretical
contributions to the field - is not, strictly speaking, necessary
(although Bruce is still right that those sorts of qualifications will
get you taken seriously) to design a secure cipher.
Maybe you would find that position wrong-headed too, and I can
understand that. But it's not nearly the same as the position you
correctly characterized as expecting a blind person to paint.
John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 13:56:59 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210981357000001@dialup159.itexas.net>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 131
In article <kxsogkfzny.fsf@harlequin.co.uk>, Mark Tillotson
<markt@harlequin.co.uk> wrote:
> jsavard@freenet.edmonton.ab.ca () wrote:
> | And a general familiarity with the principles of cryptanalysis, especially
> | as they apply to the kind of cipher one is attempting to design, is going
> | to be an important guide away from various pitfalls.
> |
> | However, cryptanalysis is a discipline of its own, and requires either
> | considerable stamina or advanced mathematical skills. One does not quite
> | need these qualifications to design a secure cipher, particularly if one
> | is following your earlier advice and not ignoring the lessons of previous
> | designs.
>
> Nonsense! How on earth can you claim to design a secure cipher if you are
> _incapable_ of distinguishing a weak cipher from a strong cipher??? It
> just doesn't make any sense at all.
Many imply that if you simply follow their rules for cipher construction,
you need not do much of the analysis yourself. They even suggest that
someone else do it, a catch 22.
>
> That's like saying a blind person can paint a scene in correct colours
> despite being unable to see what they are doing! Sure it's not
> _impossible_ that it could happen, but no-one with an ounce of common sense
> expects such an outrageously lucky outcome (or even for the paint to
> end up on the canvas!!)
Did you see the story on TV about the guy who is blind and bicycles? He
has learned sonic location, and clicks his tongue as a generator.
Out of curiosity, I once asked a blind man to describe different colors.
The explanations he had remembered from what he had heard made sense. This
is somewhat in line with my above comments about following someone else's
crypto design strategies.
> We don't want a cipher that might well be
> extremely strong, we want ciphers that are extremely likely to be
> strong...
According to someone else's plan....
>
> With cipher design we don't even have a way of distinguishing strong
> from weak, we merely have techniques of varying sophistication for
> trying to identify and measure weakness, and people more or less
> highly skilled at applying them and inventing new techniques of
> analysis. The cipher designer needs to iterate....
As in a Feistel construction?
> the design through
> more and more sophisticated analyses until it _seems_ both
> appropriately secure and efficient.
Appropriate for whom? Not too strong, but just about right?
Efficient? Meets the requirements of someone of few thoughts worth
encrypting or that of a government who would hide the routine from the
prying eyes of the curious?
> Then the next step is to enlist
> some more people to help in the process of searching for missed
> weaknesses, and eventually publication.
Enlist? Easy for the military to say. Publication? Easy for the
established press to say.
>
> Its an ongoing process of weeding out weaknesses, gradually bringing
> in more and more people as one's confidence in the lack of "silly
> mistakes" grows, just like any other safety-critical large-scale
> engineering project.
Large-scale projects can fail too... The Broken Pyramid, notable bridge
collapses (interior and exterior), numerous levee systems, multistory old
masonry buildings in earthquakes, anti-disease vaccinations pushed in
hopes that they would work in time of war, etc.
Granted, it is easy to guard against some cryptological mistakes, while
others are sort of obscure; overcoming prejudice and criticism against
concepts that are generally well known is also a hurdle.
>
> There certainly is a lot of scope for amateurs to suggest _ideas_ to
> use in cipher design, but a serious _design_ itself needs to be at the
> centre of such a process of cryptanalysis, not just made up by
> inspired guesswork.
All productive guesswork is inspired; it is just the nature of the
inspiration that you really question, and it does not always come in the
same form. If you do follow someone else's ingredient list, you may, no
surprise, produce ideas in line with the common logic of that recipe.
>
> So I'd agree that experience in cryptanalysis isn't necessary to
> create a plausible _looking_ design, but that it is an _absolute
> necessity_ for creating an actual publishable design (unless you just
> wanted to create a toy cipher). If the 10000's of amateur
> cryptographers all started publishing designs, we'd be in a total mess!
Speak for yourself white man.
>
> These days ciphers are expected to be used as building blocks for all
> sorts of security primitives, so even "security" involves resistance
> to many different modes of attack, and the amount of work needed to
> design a cipher is usually beyond the skills and patience of a single
> individual anyway.
Ah, beyond the Expert Syndrome to the group-think phenomenon. And, I
suppose that such a design system would put ALL the names of the
contributors out front. It would seem best to acknowledge even the most
meager of efforts that helped the team, as it might make a difference if
the coffee was brewed correctly. Including all the help would make the
front people look less important, or are they not the essential ingredient
in the first place?
>
> Our whole digital infrastructure is going to depend on future ciphers
> being secure, and I for one don't want to see the information
> superhighway made of "concrete" that washes away the first time it
> rains because its recipe was formulated by a well-meaning amateur who
> didn't know anything about QA'ing concrete!!
>
Roads, unlike cryptographic algorithms, are best built under the old Roman
model, and pavement has not improved much since. The problem with the
whole digital infrastructure is that we have a very sick patient, and the
base question should be whether we should start over, beginning with the
very design of the lowest end, to include historically known security
wisdom and extend it throughout, not whether we can put it in a rest
home so as to prolong the agony.
--
---
Passing a budget that no single person has fully seen is bad. Ronnie was right at least once.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:41:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633eed3.1151576@news.visi.com>
References: <jgfunj-2210981357000001@dialup159.itexas.net>
Newsgroups: sci.crypt
Lines: 40
On Thu, 22 Oct 1998 13:56:59 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T
Shaw) wrote:
>Many imply that if you simply follow their rules for cipher construction,
>you need not do much of the analysis yourself. They even suggest that
>someone else do it, a catch 22.
Many are wrong.
>> That's like saying a blind person can paint a scene in correct colours
>> despite being unable to see what they are doing! Sure it's not
>> _impossible_ that it could happen, but no-one with an ounce of common sense
>> expects such an outrageously lucky outcome (or even for the paint to
>> end up on the canvas!!)
>
>Did you see the story on TV about the guy who is blind and bicycles. He
>has learned sonic location, and clicks his tongue as a generator.
>
>Out of curiosity, I once asked a blind man to describe different colors.
>The explanations he had remembered from what he had heard made sense. This
>is somewhat in line with my above comments about following someone else's
>crypto design strategies.
Remember that security is orthogonal to functionality. A blind guy
gets feedback--from the pavement, large objects, etc--to tell him he
is succeeding or failing at bicycle riding. An algorithm designer
gets no such feedback.
>> We don't want a cipher that might well be
>> extremely strong, we want ciphers that are extremely likely to be
>> strong...
>
>According to someone else's plan....
The totality of "someone else's" are the attackers.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 23:31:04 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510982331040001@207.22.198.192>
References: <3633eed3.1151576@news.visi.com>
Newsgroups: sci.crypt
Lines: 20
In article <3633eed3.1151576@news.visi.com>, schneier@counterpane.com
(Bruce Schneier) wrote:
>
> Remember that security is orthogonal to functionality. A blind guy
> gets feedback--from the pavement, large objects, etc--to tell him he
> is succeeding or failing at bicycle riding. An algorithm designer
> gets no such feedback.
Sure he does if and when what he did is discovered to be wanting.
However, it is an oft-used tactic to hide that news so that you can
continue to read his mail.
More to the point, the AES process is *designed* as a big feedback
mechanism, the quicker acting the better.
>
--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:38:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633ee7c.1064691@news.visi.com>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 77
On 19 Oct 1998 14:29:21 +0100, Mark Tillotson <markt@harlequin.co.uk>
wrote:
>jsavard@freenet.edmonton.ab.ca () wrote:
>| And a general familiarity with the principles of cryptanalysis, especially
>| as they apply to the kind of cipher one is attempting to design, is going
>| to be an important guide away from various pitfalls.
>|
>| However, cryptanalysis is a discipline of its own, and requires either
>| considerable stamina or advanced mathematical skills. One does not quite
>| need these qualifications to design a secure cipher, particularly if one
>| is following your earlier advice and not ignoring the lessons of previous
>| designs.
>
>Nonsense! How on earth can you claim to design a secure cipher if you are
>_incapable_ of distinguishing a weak cipher from a strong cipher??? It
>just doesn't make any sense at all.
>
>That's like saying a blind person can paint a scene in correct colours
>despite being unable to see what they are doing! Sure it's not
>_impossible_ that it could happen, but no-one with an ounce of common sense
>expects such an outrageously lucky outcome (or even for the paint to
>end up on the canvas!!) We don't want a cipher that might well be
>extremely strong, we want ciphers that are extremely likely to be
>strong...
Good comment.
>With cipher design we don't even have a way of distinguishing strong
>from weak, we merely have techniques of varying sophistication for
>trying to identify and measure weakness, and people more or less
>highly skilled at applying them and inventing new techniques of
>analysis. The cipher designer needs to iterate the design through
>more and more sophisticated analyses until it _seems_ both
>appropriately secure and efficient. Then the next step is to enlist
>some more people to help in the process of searching for missed
>weaknesses, and eventually publication.
>
>It's an ongoing process of weeding out weaknesses, gradually bringing
>in more and more people as one's confidence in the lack of "silly
>mistakes" grows, just like any other safety-critical large-scale
>engineering project.
>
>There certainly is a lot of scope for amateurs to suggest _ideas_ to
>use in cipher design, but a serious _design_ itself needs to be at the
>centre of such a process of cryptanalysis, not just made up by
>inspired guesswork.
Agreed.
>So I'd agree that experience in cryptanalysis isn't necessary to
>create a plausible _looking_ design, but that it is an _absolute
>necessity_ for creating an actual publishable design (unless you just
>wanted to create a toy cipher). If the 10000's of amateur
>cryptographers all started publishing designs, we'd be in a total mess!
1000s of TriStratas and Ultimate Privacies. Sounds horrible.
>These days ciphers are expected to be used as building blocks for all
>sorts of security primitives, so even "security" involves resistance
>to many different modes of attack, and the amount of work needed to
>design a cipher is usually beyond the skills and patience of a single
>individual anyway.
>
>Our whole digital infrastructure is going to depend on future ciphers
>being secure, and I for one don't want to see the information
>superhighway made of "concrete" that washes away the first time it
>rains because its recipe was formulated by a well-meaning amateur who
>didn't know anything about QA'ing concrete!!
Rah rah.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 08:18:40 GMT
From: cryptonews@my-dejanews.com
Message-ID: <711b90$he8$1@nnrp1.dejanews.com>
References: <3633ee7c.1064691@news.visi.com>
Newsgroups: sci.crypt
Lines: 30
In article <3633ee7c.1064691@news.visi.com>,
schneier@counterpane.com (Bruce Schneier) wrote:
> >So I'd agree that experience in cryptanalysis isn't necessary to
> >create a plausible _looking_ design, but that it is an _absolute
> >necessity_ for creating an actual publishable design (unless you just
> >wanted to create a toy cipher). If the 10000's of amateur
> >cryptographers all started publishing designs, we'd be in a total mess!
>
> 1000s of TriStratas and Ultimate Privacies. Sounds horrible.
This is not about crypto and security; it is rather becoming about
Bruce Schneier's BIG EGO and what he thinks the world should be.