A sci.crypt conversation on fundamental problems in cryptography.
There is no guarantee that any cipher will not fail, but we can use ciphers in ways which require multiple ciphers to fail before information is exposed.
We cannot know when our cipher has been broken, but we can use ciphers in ways which terminate any existing break and so protect our future messages.
We cannot know the capabilities of our opponents, but we can use ciphers in ways which force our opponents to make huge, continuing investments, just to keep up with us.
In several ways, cryptography can be seen as a contest: First and most importantly, it is a contest between cryptographers and unknown opposing cryptanalysts. Next, it is a contest between "our" academic cryptanalysts and the unknown cryptanalysts. Then it is a contest between independent cryptographers and academic cryptanalysts. And, of course, it is also a contest between the academic cryptanalysts.
Seeing cryptography as contest can help clarify the uneven nature of these events.
It has long been known that cryptography has very serious fundamental problems. Surely we all know that no cipher system is proven secure, yet we often think we can trust a cipher that has been around for a while. These positions are contradictory, and are examples of the "dirty little secrets" which most professionals know and ignore because it seems little can be done about them. Serious issues in cryptography include:
Any trust we may have in a cipher is more self-delusion than
science, based on our not being specifically told that our
cipher failed. We interpret a lack of information as
evidence of strength, and this is a serious error.
Older, more mature ciphers are generally more trusted.
They also have had more time to be attacked and broken
in secret.
As long as our opponents do not blab that they have
broken our cipher, we will probably continue to use it.
Any cipher can fail at any time.
If our opponents read the open literature they are at least as
advanced as "our guys." But they often work for organizations
which do their own research and do not share their results.
Accordingly, the academic literature does not provide a rational
basis for estimating the capabilities of our opponents.
And we will not be told when they do succeed.
Our opponents work in secret and do not announce their successes.
We know neither the number of attempted attacks, nor the number
of their successes: We thus have no basis for constructing a
probability of opponent success.
Negative academic results are generally not published:
We do not know the number of attempted attacks. We also
cannot extrapolate academic attacks to those mounted in
secret by opponents with unknown resources.
We will not know when a cipher is broken for real. Ciphers
in use for a long time may have been broken and ineffective
for a long time.
The conversations archived here start from my proposals to "fix" some of these serious problems. They ran into a great deal of debate and dispute, apparently because these ideas run counter to the currently accepted philosophy of cryptography. Briefly, that philosophy is to have a few ciphers which are analyzed as intensely as possible; if they survive some unknown amount of time or effort, they then transition into use. And while there is a general acceptance of the idea that even well-analyzed ciphers may fail, there is a remarkable lack of protocols intended to prevent such failure, or even reduce the consequences. It appears that most professionals believe in the ciphers they use, which may be more a testimony of the intimidating role of academic cryptanalysis than of any factual basis for such belief.
Note that there are repeated descriptions and arguments for this "fix package" throughout the discussion, but they do tend to be piece-by-piece rather than as a collected unit.
Kerhkoff's laws were intended to formalize the real situation of ciphers in the field. Basically, the more we use any particular cipher system, the more likely it is that it will "escape" into enemy hands. So we start out assuming that our opponents know "all the details" of the cipher system, except the key.
Part of the fix proposal is to have many different ciphers, and to select among them "at random" by a key. The particular cipher used is thus unknown to our opponents; they do know, of course, that our system uses many ciphers. And if they can simply try each possible cipher, there is not much protection (although, presumably, they could not break every cipher). But with a substantial number of ciphers (say, 1000), used in a 3-level "cascade" of multi-ciphering, we have over 10**9 different cipher possibilities. And each of these is stronger than any one cipher alone, because known plaintext and defined plaintext attacks are not possible on the individual component ciphers.
The first effect we see here is keyspace, and we already have plenty of keyspace. But the effect we really want is the partitioning and compartmentalization of our data so that a failure in one cipher means the exposure of only a small part of the data.
It is well-known and universally accepted that any cipher might be weak. When ciphers have been extensively analyzed, this possibility has generally been thought unlikely. But examination of what we know and what we cannot know shows that we have no basis for estimating such a possibility: We thus have no grounds for assuming cipher failure to be "unlikely." The immediate consequence of such a realization is that we need to do something about this in real systems.
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 02 Apr 1999 19:03:38 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3705141b.4312658@news.io.com> References: <7e2vge$o82$1@nnrp1.dejanews.com> <7e2br4$7i3$1@nnrp1.dejanews.com> Newsgroups: alt.security.pgp,sci.crypt Lines: 58 On Fri, 02 Apr 1999 17:41:35 GMT, in <7e2vge$o82$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk wrote: >[...] >The point of that section of the document was that an adversary is not aware >of which algorithm you use....They have no method of detecting whether TEA, >Blowfish, IDEA, 3DES etc is used. Both PGPDisk & Bestcrypt plainly state the >algorithm employed. > >So, to "brute force" a ScramDisk container an adversary has to effectively >try all 10 ciphers, whereas to brute force other products containers they >only have to try 1 cipher. Is this snake oil? No. For some years I have been promoting the idea of using multiple ciphers, but my argument is different: 1. I see little keyspace (brute-force search) advantage with just a few ciphers. If we had a robust industry of replaceable cipher modules, with tens of thousands of possibilities and growing all the time, *then* we get some keyspace. But with just 10 ciphers, the keyspace advantage is lost in the noise of attacks which need 2**43 known-plaintexts. 2. The big advantage of having a huge number of ciphers is the burden it places on any Opponent, who necessarily must keep up. Opponents must distinguish each cipher, obtain it, break it, then construct software and perhaps even hardware to automate the process. Given a continuous production of large numbers of new ciphers, I believe that "keeping up" must have a terrible cost that not even a country can afford. 3. The risk of using a single popular cipher (no matter how extensively analyzed) is that a vast amount of information is protected by one cipher. This makes that cipher a special target -- a contest with a payoff far beyond the games we normally play. I think we want to avoid using such a cipher. 4. To make the cost of multiple ciphers real, we cannot keep using the same cipher, but instead must use different (new) ciphers periodically. We will want to use the same cipher-system, so our system must support "clip-in" modules for ciphers which have not yet been written. 5. One of the facts of ciphering life is that we cannot prove the strength of any cipher. Even NIST review and group-cryptanalysis does not give us proven strength in a cipher, so any cipher we select might be already broken, and we would not know. We cannot change this, but we can greatly improve our odds as a user, by multi-ciphering under different ciphers. Doing this means an Opponent must break *all* of those ciphers -- not just one -- to expose our data. I like the idea of having three layers of different cipher, each with its own key. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 02 Apr 1999 18:37:41 -0500 From: Boris Kazak <bkazak@worldnet.att.net> Message-ID: <370554C5.156E@worldnet.att.net> References: <3705141b.4312658@news.io.com> Newsgroups: alt.security.pgp,sci.crypt Lines: 65 Terry Ritter wrote: > > >The point of that section of the document was that an adversary is not aware > >of which algorithm you use....They have no method of detecting whether TEA, > >Blowfish, IDEA, 3DES etc is used. Both PGPDisk & Bestcrypt plainly state the > >algorithm employed. > > > >So, to "brute force" a ScramDisk container an adversary has to effectively > >try all 10 ciphers, whereas to brute force other products containers they > >only have to try 1 cipher. Is this snake oil? No. > /...../ > 2. The big advantage of having a huge number of ciphers is the burden > it places on any Opponent, who necessarily must keep up. Opponents > must distinguish each cipher, obtain it, break it, then construct > software and perhaps even hardware to automate the process. Given a > continuous production of large numbers of new ciphers, I believe that > "keeping up" must have a terrible cost that not even a country can > afford. -------------------- And how about a "variable" cipher? The one which philosophy will be based on 1. a *big* number of key-derived S-boxes 2. a plaintext-dependent sequence of invocation for these S-boxes. In case where there will be enough plaintext-dependent variability, no two plaintexts will be encrypted along the same sequence. This will be essentially equivalent to adding the plaintext space and the key space together. With all the additional effort for the attacker. ----------------------- > > 3. The risk of using a single popular cipher (no matter how > extensively analyzed) is that a vast amount of information is > protected by one cipher. This makes that cipher a special target -- a > contest with a payoff far beyond the games we normally play. I think > we want to avoid using such a cipher. > > 4. To make the cost of multiple ciphers real, we cannot keep using > the same cipher, but instead must use different (new) ciphers > periodically. We will want to use the same cipher-system, so our > system must support "clip-in" modules for ciphers which have not yet > been written. ------------------------ A long overdue problem - standard cipher-to-application interface. ------------------------ > 5. One of the facts of ciphering life is that we cannot prove the > strength of any cipher. Even NIST review and group-cryptanalysis does > not give us proven strength in a cipher, so any cipher we select might > be already broken, and we would not know. We cannot change this, but > we can greatly improve our odds as a user, by multi-ciphering under > different ciphers. Doing this means an Opponent must break *all* of > those ciphers -- not just one -- to expose our data. I like the idea > of having three layers of different cipher, each with its own key. > ------------------------ Have a little pity for the export bureaucrats! They are kind enough to allow exporting three different ciphers, and now you want to use their kindness to show all the world that their export regulations can be circumvented and that they are not worth the paper they are printed on. > ---------------------- > Terry Ritter ritter@io.com http://www.io.com/~ritter/ > Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Best wishes BNK
Subject: Re: Announce - ScramDisk v2.02h Date: Sun, 04 Apr 1999 03:46:48 GMT From: lyeoh@pop.jaring.nospam.my (Lincoln Yeoh) Message-ID: <3706da06.2109438@nntp.jaring.my> References: <3705141b.4312658@news.io.com> Newsgroups: alt.security.pgp,sci.crypt Lines: 47 On Fri, 02 Apr 1999 19:03:38 GMT, ritter@io.com (Terry Ritter) wrote: >5. One of the facts of ciphering life is that we cannot prove the >strength of any cipher. Even NIST review and group-cryptanalysis does >not give us proven strength in a cipher, so any cipher we select might >be already broken, and we would not know. We cannot change this, but >we can greatly improve our odds as a user, by multi-ciphering under >different ciphers. Doing this means an Opponent must break *all* of >those ciphers -- not just one -- to expose our data. I like the idea >of having three layers of different cipher, each with its own key. Yeah. I like the idea of superencryption too, and I don't know why so few people seem to like it. So far I have not had a good answer to how an attacker would know if he or she has succeeded. In fact I'd go further- by having layers of many and not just 3 layers of encryption, and each layer not leaking any headers at all, the attacker's work will be very much harder, even if each layer is just 40 bit crypto. I would think if we use ciphers A, B, C in such a headerless manner, A.B.C is unlikely to be weaker than either A or B or C alone, despite some FUD about "cipher interaction", heck if such an effect was likely we'd see more cryptographers encrypting stuff with various other ciphers to decrypt it. Since no one can prove a single cipher is secure, it is hubris to assume that one cipher is better than the rest or that one can even select a single preferred one. For high confidentiality one could perhaps super encrypt data with the top 6 AES contenders. As for cpu consumption, I'm wondering if chaining reduced round ciphers together would be too risky. But your point about having a large pool of ciphers can help here. With the number of possibilities, analysis could be come prohibitive. The opponent may just have to resort to brute force - trying out various keys with various ciphers. I'm wondering if cryptanalysis of plaintext encrypted with ABCDEFG be different from analysis of AGDCBEF? Have fun! Link. **************************** Reply to: @Spam to lyeoh at @people@uu.net pop.jaring.my @ *******************************
Subject: Re: Announce - ScramDisk v2.02h Date: 9 Apr 1999 11:10:56 GMT From: aph@cygnus.remove.co.uk (Andrew Haley) Message-ID: <7ekn80$kc1$1@korai.cygnus.co.uk> References: <3706da06.2109438@nntp.jaring.my> Newsgroups: sci.crypt Lines: 16 [ Newsgroups list trimmed ] Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote: : I like the idea of superencryption too, and I don't know why so few : people seem to like it. So far I have not had a good answer to how : an attacker would know if he or she has succeeded. The answer is simple. Kerckhoff's maxim says that your attacker knows the cryptosystem you're using, but does not know the key. If you're using superencryption, your attacker knows which systems you're using. Of course, your attacker must now analyze the compound cipher, which is almost certainly harder to do than than attacking a single cipher. Andrew.
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 17:10:12 GMT From: ritter@io.com (Terry Ritter) Message-ID: <370e33ea.2675997@news.io.com> References: <7ekn80$kc1$1@korai.cygnus.co.uk> Newsgroups: sci.crypt Lines: 39 On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$1@korai.cygnus.co.uk>, in sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote: >[ Newsgroups list trimmed ] > >Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote: > >: I like the idea of superencryption too, and I don't know why so few >: people seem to like it. So far I have not had a good answer to how >: an attacker would know if he or she has succeeded. > >The answer is simple. Kerckhoff's maxim says that your attacker knows >the cryptosystem you're using, but does not know the key. If you're >using superencryption, your attacker knows which systems you're using. That's fine if you always use the same ciphers in the same order. But if the ciphers are dynamically selected by keying, or just dynamically selected frequently by communications under cipher, the attacker does *not* know "which systems you're using." Kerckhoff's maxim does not apply. I suggest that each communication include a small encrypted control channel, over which a continuous conversation of what ciphers to use next takes place. This would be an automatic negotiation, somewhat like occurs in modern modems, from cipher selections approved by the users (or their security people). >Of course, your attacker must now analyze the compound cipher, which >is almost certainly harder to do than than attacking a single cipher. Yes. Even if each cipher used has known weaknesses, those may not be exploitable in the multi-ciphering case. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Announce - ScramDisk v2.02h Date: 9 Apr 1999 13:16:35 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <7elg63$eeq$1@quine.mathcs.duq.edu> References: <370e33ea.2675997@news.io.com> Newsgroups: sci.crypt Lines: 32 In article <370e33ea.2675997@news.io.com>, Terry Ritter <ritter@io.com> wrote: > >On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$1@korai.cygnus.co.uk>, in >sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote: > >>[ Newsgroups list trimmed ] >> >>Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote: >> >>: I like the idea of superencryption too, and I don't know why so few >>: people seem to like it. So far I have not had a good answer to how >>: an attacker would know if he or she has succeeded. >> >>The answer is simple. Kerckhoff's maxim says that your attacker knows >>the cryptosystem you're using, but does not know the key. If you're >>using superencryption, your attacker knows which systems you're using. > >That's fine if you always use the same ciphers in the same order. But >if the ciphers are dynamically selected by keying, or just dynamically >selected frequently by communications under cipher, the attacker does >*not* know "which systems you're using." Kerckhoff's maxim does not >apply. Unfortunately, this isn't the case. If the system is dynamically selected by keying, then the exact selection becomes part of the key. If you are taking a set of cyphers and reordering them, Kerchoff's maxim suggests that you have to assume that the attacker knows the set of cyphers and just doesn't know the order. -kitten
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 18:06:51 -0400 From: Boris Kazak <bkazak@worldnet.att.net> Message-ID: <370E79FB.5B1C@worldnet.att.net> References: <7elg63$eeq$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 27 Patrick Juola wrote: > > In article <370e33ea.2675997@news.io.com>, Terry Ritter <ritter@io.com> wrote: > >But > >if the ciphers are dynamically selected by keying, or just dynamically > >selected frequently by communications under cipher, the attacker does > >*not* know "which systems you're using." Kerckhoff's maxim does not > >apply. > > Unfortunately, this isn't the case. > > If the system is dynamically selected by keying, then the exact > selection becomes part of the key. If you are taking a set of cyphers > and reordering them, Kerchoff's maxim suggests that you have to assume > that the attacker knows the set of cyphers and just doesn't know > the order. > > -kitten --------------------- It all depends on the numbers in question. If there are 2,3,10, even 100 ciphers, you can afford an exhaustive search, but what if there are 2^16 ciphers (or 2^16 variations of the base cipher), what then? Essentially you are adding together the key space and the ciphers space, with the corresponding increase of problems for an attacker. Best wishes BNK
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 22:24:20 GMT From: ritter@io.com (Terry Ritter) Message-ID: <370e7e04.21648784@news.io.com> References: <7elg63$eeq$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 47 On 9 Apr 1999 13:16:35 -0500, in <7elg63$eeq$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote: >In article <370e33ea.2675997@news.io.com>, Terry Ritter <ritter@io.com> wrote: >> >>On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$1@korai.cygnus.co.uk>, in >>sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote: >>>[...] >>>The answer is simple. Kerckhoff's maxim says that your attacker knows >>>the cryptosystem you're using, but does not know the key. If you're >>>using superencryption, your attacker knows which systems you're using. >> >>That's fine if you always use the same ciphers in the same order. But >>if the ciphers are dynamically selected by keying, or just dynamically >>selected frequently by communications under cipher, the attacker does >>*not* know "which systems you're using." Kerckhoff's maxim does not >>apply. > >Unfortunately, this isn't the case. > >If the system is dynamically selected by keying, then the exact >selection becomes part of the key. Which of course means that the dynamic selection is not subject to Kerckhoff's maxim. End case 1. >If you are taking a set of cyphers >and reordering them, Kerchoff's maxim suggests that you have to assume >that the attacker knows the set of cyphers and just doesn't know >the order. First of all, this is not true if we have a dynamically-expanding set of ciphers. Every cipher is only "known" to the Opponents after they have identified it, acquired it, analyzed it, and, presumably, broken it. All this necessarily takes time, and this time works for the user and against the attacker. But even if The Opponents *do* know the set of existing ciphers, when the ciphers used are selected by some periodic random selection, there is secret information which is not exposed. This is a sort of keying. We cannot simply assume that it *is* exposed. End case 2. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 9 Apr 1999 11:31:40 -0700 From: "Harvey Rook" <redrook@someyahoo.com> Message-ID: <7elhhc$ic6@news.dns.microsoft.com> References: <370e33ea.2675997@news.io.com> Newsgroups: sci.crypt Lines: 65 Terry Ritter <ritter@io.com> wrote in message news:370e33ea.2675997@news.io.com... > > On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$1@korai.cygnus.co.uk>, in > sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote: > > >The answer is simple. Kerckhoff's maxim says that your attacker knows > >the cryptosystem you're using, but does not know the key. If you're > >using superencryption, your attacker knows which systems you're using. > > That's fine if you always use the same ciphers in the same order. But > if the ciphers are dynamically selected by keying, or just dynamically > selected frequently by communications under cipher, the attacker does > *not* know "which systems you're using." Kerckhoff's maxim does not > apply. > This is incorrect. By Kerchhoff's maxim, you have to assume your attacker has a copy of your deciphering machine. If he has a copy of your deciphering machine, the attacker can figure out the algorithm you use to select ciphers. Once he knows the algorithm used to select ciphers, super-encipherment only doubles or triples the amount of time needed to brute force. You'd be much better off adding an extra byte to your key. > I suggest that each communication include a small encrypted control > channel, over which a continuous conversation of what ciphers to use > next takes place. This would be an automatic negotiation, somewhat > like occurs in modern modems, from cipher selections approved by the > users (or their security people). > > >Of course, your attacker must now analyze the compound cipher, which > >is almost certainly harder to do than than attacking a single cipher. > > Yes. Even if each cipher used has known weaknesses, those may not be > exploitable in the multi-ciphering case. > It's only harder by one or two orders of magnitude. Computers built 3 years from now will have enough power to compensate for this difference. Adding an extra byte to your key makes the problem harder by 4 to 8 orders of magnitude. This is much harder to attack, yet it's simpler and cleaner to analyze. Simple clean systems, are much less likely to have holes. Unexpected weaknesses in ciphers designed by good cryptographers (Say Rivest, or Schneier) are very unlikely to appear. Remember DES, after 25 years of analysis, is still only vulnerable to a brute force attack. I'd be willing to bet that RC-6 and TwoFish will withstand the same scrutiny. Security breaks down because of bad passwords and poor protocols. Not because of cipher weakness. Plan your system accordingly, or you are deluding yourself. Harv RedRook At Zippy The Yahoo Dot Com Remove the Zippy The to send email.
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 22:24:44 GMT From: ritter@io.com (Terry Ritter) Message-ID: <370e7e29.21686311@news.io.com> References: <7elhhc$ic6@news.dns.microsoft.com> Newsgroups: sci.crypt Lines: 104 On Fri, 9 Apr 1999 11:31:40 -0700, in <7elhhc$ic6@news.dns.microsoft.com>, in sci.crypt "Harvey Rook" <redrook@someyahoo.com> wrote: >Terry Ritter <ritter@io.com> wrote in message >news:370e33ea.2675997@news.io.com... >> >> On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$1@korai.cygnus.co.uk>, in >> sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote: >> >> >The answer is simple. Kerckhoff's maxim says that your attacker knows >> >the cryptosystem you're using, but does not know the key. If you're >> >using superencryption, your attacker knows which systems you're using. >> >> That's fine if you always use the same ciphers in the same order. But >> if the ciphers are dynamically selected by keying, or just dynamically >> selected frequently by communications under cipher, the attacker does >> *not* know "which systems you're using." Kerckhoff's maxim does not >> apply. >> >This is incorrect. By Kerchhoff's maxim, you have to assume your attacker >has a copy of your deciphering machine. If he has a copy of your deciphering >machine, the attacker can figure out the algorithm you use to select >ciphers. That is no more true than saying that the attacker can figure out the message key or the initialization vector. We assume the system has some reliable random source to make such values. Similar values select what ciphers to use in what order. And this should change frequently. >Once he knows the algorithm used to select ciphers, super-encipherment >only doubles or triples the amount of time needed to brute force. You'd >be much better off adding an extra byte to your key. The issue is far beyond increasing the keyspace, since that would take a huge number of ciphers. The issue instead is about spreading messages among many different ciphers, thus forcing The Opponents to "keep up" by identifying, acquiring, attacking, and breaking a continuing flow of new ciphers. This forces The Opponents to invest far more, and breaking any of these gains them far less. Note the contrast to the current situation, where only a few main ciphers are used, so only those need be broken. >>[...] >> Yes. Even if each cipher used has known weaknesses, those may not be >> exploitable in the multi-ciphering case. >> >It's only harder by one or two orders of magnitude. Well, let's see: Suppose we have about 4K ciphers. By selecting 3 at random so we have about 4k**3 selections. This is somewhat larger than "two orders of magnitude." But, again, the issue is not really the increase in keyspace. The issue is that The Opponents have to increase their analysis budget by, say, a factor of 1k. And even when they are successful, they get at most 1 message out of 1k. And we reduce that to 1 in 1k*1k*1k by using 3 layers of cipher. >Computers built 3 years >from now >will have enough power to compensate for this difference. Adding an extra >byte >to your key makes the problem harder by 4 to 8 orders of magnitude. This is >much >harder to attack, yet it's simpler and cleaner to analyze. Simple clean >systems, are >much less likely to have holes. Using a layered structure is far, far simpler than trying to analyze a cipher to the degree of predicting that one cipher is stronger than another by n orders of magnitude. Neither value is known, so we can hardly compare them. >Unexpected weaknesses in ciphers designed by good cryptographers (Say >Rivest, or Schneier) >are very unlikely to appear. Sorry. That is an insupportable statement (and of course unprovable). Being a crypto god does not prevent mistakes. >Remember DES, after 25 years of analysis, is >still only >vulnerable to a brute force attack. Also insupportable: DES may have a fast break right now, and if it does, would those who have it have told you? Yet you feel free to assume that there is no break. Good for you. Now prove it. >I'd be willing to bet that RC-6 and >TwoFish will withstand >the same scrutiny. But that is hardly science or even rational reasoning, is it? --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 9 Apr 1999 18:58:49 -0700 From: "Harvey Rook" <redrook@someyahoo.com> Message-ID: <7emb5m$iq2@news.dns.microsoft.com> References: <370e7e29.21686311@news.io.com> Newsgroups: sci.crypt Lines: 161 My comments withing... Terry Ritter <ritter@io.com> wrote in message news:370e7e29.21686311@news.io.com... > > On Fri, 9 Apr 1999 11:31:40 -0700, in > <7elhhc$ic6@news.dns.microsoft.com>, in sci.crypt "Harvey Rook" > <redrook@someyahoo.com> wrote: > > >> > >This is incorrect. By Kerchhoff's maxim, you have to assume your attacker > >has a copy of your deciphering machine. If he has a copy of your deciphering > >machine, the attacker can figure out the algorithm you use to select > >ciphers. > > That is no more true than saying that the attacker can figure out the > message key or the initialization vector. We assume the system has > some reliable random source to make such values. Similar values > select what ciphers to use in what order. And this should change > frequently. > The reliable random source must be communicated to both the encryptor, and the decryptor. Because it's transmitted or shared, you must assume the attacker has intercepted it. Because the attacker has intercepted the it, the attacker knows what ciphers you are using. > > >Once he knows the algorithm used to select ciphers, super-encipherment > >only doubles or triples the amount of time needed to brute force. You'd > >be much better off adding an extra byte to your key. > > The issue is far beyond increasing the keyspace, since that would take > a huge number of ciphers. The issue instead is about spreading > messages among many different ciphers, thus forcing The Opponents to > "keep up" by identifying, acquiring, attacking, and breaking a > continuing flow of new ciphers. This forces The Opponents to invest > far more, and breaking any of these gains them far less. Note the > contrast to the current situation, where only a few main ciphers are > used, so only those need be broken. > Good ciphers cannot be instantly generated. They must be individually scrutinized and tested. If you don't do that, you are setting yourself up for failure. > >>[...] > >> Yes. Even if each cipher used has known weaknesses, those may not be > >> exploitable in the multi-ciphering case. > >> > >It's only harder by one or two orders of magnitude. > > Well, let's see: Suppose we have about 4K ciphers. By selecting 3 at > random so we have about 4k**3 selections. This is somewhat larger > than "two orders of magnitude." > > But, again, the issue is not really the increase in keyspace. The > issue is that The Opponents have to increase their analysis budget by, > say, a factor of 1k. And even when they are successful, they get at > most 1 message out of 1k. And we reduce that to 1 in 1k*1k*1k by > using 3 layers of cipher. > Why is this not the same as increasing key space? The algorithms you use to choose the ciphers, must be transmitted to the decriptor. Once the attacker intercepts this, he can deduce the ciphers used. Which would you rather trust, one well analyzed cipher with 140 bits of key, or 4096 ciphers that probably aren't well analyzed, 128 bits of key, and some mechanism to flip between the ciphers. > > >Computers built 3 years > >from now > >will have enough power to compensate for this difference. Adding an extra > >byte > >to your key makes the problem harder by 4 to 8 orders of magnitude. This is > >much > >harder to attack, yet it's simpler and cleaner to analyze. Simple clean > >systems, are > >much less likely to have holes. > > Using a layered structure is far, far simpler than trying to analyze a > cipher to the degree of predicting that one cipher is stronger than > another by n orders of magnitude. Neither value is known, so we can > hardly compare them. > > > >Unexpected weaknesses in ciphers designed by good cryptographers (Say > >Rivest, or Schneier) > >are very unlikely to appear. > > Sorry. That is an insupportable statement (and of course unprovable). > Being a crypto god does not prevent mistakes. > Correct. However, because many ciphers have a similar structure. An advance in discreet mathematics needed to crack one well designed cipher would most likely apply to many ciphers. If you have some kind of scheme that allowed you to generate thousands of ciphers, then it is very likely that the weakness would apply to all. I think it's very unlikely that some one could generate 4096 ciphers that don't share a common weakness, and still properly analyzed all of them. Even if they did, the selection of which ciphers to use, is part of the key. Brute forcing an N bit key plus K bits of which-cipher materical takes O(2^(N+K)) Bruit forcing an N+K bit key also takes O(2^(N+K+b)) See, for every cipher you add, there is an equivalent scheme with only one cipher that has the same keys size. I dare you to name a relevent security breakdown in the past 20 years that was not the result poor key managment, or poor protocol design. We have good algorithms. Good security comes not form flipping between the algorithms, but from using the algorithms properly. > >Remember DES, after 25 years of analysis, is > >still only > >vulnerable to a brute force attack. > > Also insupportable: DES may have a fast break right now, and if it > does, would those who have it have told you? Yet you feel free to > assume that there is no break. Good for you. Now prove it. In the same vein, prove to me that a significant percentage of your 4096 ciphers will be strong. Unless a cipher is widely scrutinized, by many intelligent people, you must assume it is weak. A solid analysis of 4096 ciphers would take decades. We need good security now. It usually impossible to prove an impossibility. In the absense of proof you have to bet on the evidence. We have evidence that a few ciphers are strong. We also have evidence that most ciphers are weak. > >I'd be willing to bet that RC-6 and > >TwoFish will withstand > >the same scrutiny. > > But that is hardly science or even rational reasoning, is it? > The scientific prinipal is observe, hypothesize, experiment, repeat. I can observe that one cipher looks strong. I can form hypothesis about it's strengths and weaknesses. I can test these hypothesis, and I can repeat until I trust. With thousands of ciphers, I probably could not observe that they all look strong. There are too many of them. The analysis would be over whelming. How can I go from this state, to hypothesizing that combining them would be secure? Harv RedRook At Some Yahoo Dot Com Remove the Some to send email.
Subject: Re: Announce - ScramDisk v2.02h Date: Sat, 10 Apr 1999 03:56:08 GMT From: ritter@io.com (Terry Ritter) Message-ID: <370ecbaa.2845710@news.io.com> References: <7emb5m$iq2@news.dns.microsoft.com> Newsgroups: sci.crypt Lines: 252 On Fri, 9 Apr 1999 18:58:49 -0700, in <7emb5m$iq2@news.dns.microsoft.com>, in sci.crypt "Harvey Rook" <redrook@someyahoo.com> wrote: >My comments withing... >Terry Ritter <ritter@io.com> wrote in message >news:370e7e29.21686311@news.io.com... >> >> On Fri, 9 Apr 1999 11:31:40 -0700, in >> <7elhhc$ic6@news.dns.microsoft.com>, in sci.crypt "Harvey Rook" >> <redrook@someyahoo.com> wrote: >> >> >> >> >This is incorrect. By Kerchhoff's maxim, you have to assume your attacker >> >has a copy of your deciphering machine. If he has a copy of your >deciphering >> >machine, the attacker can figure out the algorithm you use to select >> >ciphers. >> >> That is no more true than saying that the attacker can figure out the >> message key or the initialization vector. We assume the system has >> some reliable random source to make such values. Similar values >> select what ciphers to use in what order. And this should change >> frequently. >> > >The reliable random source must be communicated to both the encryptor, >and the decryptor. Because it's transmitted or shared, you must assume >the attacker has intercepted it. Because the attacker has intercepted the >it, the attacker knows what ciphers you are using. That is false. It is always necessary to transport keys in some way. But whatever way this is done -- by courier, multiple channels, or authenticated public key -- random message key value are known by both ends. That keying value can be used to select ciphers. In practice, I would expect background negotiation between the cipher programs to occur with each message transmission, and produce a new cipher set with each message or every couple of messages. >> >Once he knows the algorithm used to select ciphers, super-encipherment >> >only doubles or triples the amount of time needed to brute force. You'd >> >be much better off adding an extra byte to your key. >> >> The issue is far beyond increasing the keyspace, since that would take >> a huge number of ciphers. The issue instead is about spreading >> messages among many different ciphers, thus forcing The Opponents to >> "keep up" by identifying, acquiring, attacking, and breaking a >> continuing flow of new ciphers. This forces The Opponents to invest >> far more, and breaking any of these gains them far less. Note the >> contrast to the current situation, where only a few main ciphers are >> used, so only those need be broken. >> > >Good ciphers cannot be instantly generated. They must be individually >scrutinized and tested. If you don't do that, you are setting >yourself up for failure. Look around: My guess is that we could probably point to hundreds of cipher designs which now exist. This is in an environment where there is no recognition of the value of multiple ciphers, and no common interface to handle plug-in cipher components. Were the environment to change, I think we could easily see 500 ciphers in a few years, and tens of thousands of ciphers in a couple of decades. >> >>[...] >> >> Yes. Even if each cipher used has known weaknesses, those may not be >> >> exploitable in the multi-ciphering case. >> >> >> >It's only harder by one or two orders of magnitude. >> >> Well, let's see: Suppose we have about 4K ciphers. By selecting 3 at >> random so we have about 4k**3 selections. This is somewhat larger >> than "two orders of magnitude." >> >> But, again, the issue is not really the increase in keyspace. The >> issue is that The Opponents have to increase their analysis budget by, >> say, a factor of 1k. And even when they are successful, they get at >> most 1 message out of 1k. And we reduce that to 1 in 1k*1k*1k by >> using 3 layers of cipher. >> > >Why is this not the same as increasing key space? The algorithms >you use to choose the ciphers, must be transmitted to the decriptor. >Once the attacker intercepts this, he can deduce the ciphers used. Certainly, the cipher selection amounts to a sort of key, but this would be a one-time message key or initialization vector, as opposed to a repeatedly-used user key. >Which would you rather trust, one well analyzed cipher with 140 bits of >key, or 4096 ciphers that probably aren't well analyzed, 128 bits of key, >and some mechanism to flip between the ciphers. I take the 4096 ciphers, and I have explained why: First, the multi-cipher situation forces any Opponent whatsoever to keep up in a process which is vastly more expensive for them then for us. Next, we divide our total traffic among many different ciphers. So even if an Opponent breaks a cipher, the best they can hope for is 1/n of the traffic. And in the multi-ciphering case, they don't even get that. As to "trust," you should be aware that there *is* no way to prove strength, to measure strength, to build strength or test strength. Any "trust" of a cipher is a delusion only. For example, the best cryptanalysis can do is find weakness, and this only helps if weakness is actually found. If no weakness is found, cryptanalysis does not testify to strength. Personally, I think we are better off with user selection (e.g., "I use what my friend uses," or "We bought a custom cipher subscription") than any standard picked by a central authority. >> >Computers built 3 years >> >from now >> >will have enough power to compensate for this difference. Adding an extra >> >byte >> >to your key makes the problem harder by 4 to 8 orders of magnitude. This >is >> >much >> >harder to attack, yet it's simpler and cleaner to analyze. Simple clean >> >systems, are >> >much less likely to have holes. >> >> Using a layered structure is far, far simpler than trying to analyze a >> cipher to the degree of predicting that one cipher is stronger than >> another by n orders of magnitude. Neither value is known, so we can >> hardly compare them. >> >> >> >Unexpected weaknesses in ciphers designed by good cryptographers (Say >> >Rivest, or Schneier) >> >are very unlikely to appear. >> >> Sorry. That is an insupportable statement (and of course unprovable). >> Being a crypto god does not prevent mistakes. >> > >Correct. However, because many ciphers have a similar structure. >An advance in discreet mathematics needed to crack one well >designed cipher would most likely apply to many ciphers. If you >have some kind of scheme that allowed you to generate thousands of >ciphers, then it is very likely that the weakness would apply to all. Certainly any cipher designer will have his bag of tricks. One might expect that some of those tricks would be risky, but hardly all. And the vast number of designers would be using many different approaches. It seems extremely *un*likely that a single breakthrough would affect them all. Indeed, the unexpected break would be far, far more likely (and far, far more serious) if we have just one standard cipher. >I think it's very unlikely that some one could generate 4096 ciphers that >don't share a common weakness, and still properly analyzed all of them. >Even if they did, the selection of which ciphers to use, is part of the key. >Brute forcing an N bit key plus K bits of which-cipher materical takes >O(2^(N+K)) Bruit forcing an N+K bit key also takes O(2^(N+K+b)) > >See, for every cipher you add, there is an equivalent scheme with only >one cipher that has the same keys size. Only in the sense that the meta cipher has various components, but these are unknown until they are written. That meta cipher does not exist until nobody is writing new ciphers anymore. >I dare you to name a relevent security breakdown in the past >20 years that was not the result poor key managment, or poor protocol >design. DES keyspace. >We have good algorithms. Good security comes not form flipping >between the algorithms, but from using the algorithms properly. In the present tense, it is certain that this rarely happens now. But the opportunity is available for the future. >> >Remember DES, after 25 years of analysis, is >> >still only >> >vulnerable to a brute force attack. >> >> Also insupportable: DES may have a fast break right now, and if it >> does, would those who have it have told you? Yet you feel free to >> assume that there is no break. Good for you. Now prove it. > >In the same vein, prove to me that a significant percentage of your >4096 ciphers will be strong. Unless a cipher is widely scrutinized, by >many intelligent people, you must assume it is weak. A solid analysis >of 4096 ciphers would take decades. We need good security now. First of all, ciphers should be selected by users, and your so-called strength is up to them. If a cipher is found weak in some academic paper, the users may choose to disable that cipher from further use, or not. In contrast, if the one standard cipher is found weak, there is no real alternative, and no process for making that change. Significant security is provided simply by partitioning the message space into many different ciphers; by having a continuing flow of new ciphers; and by making multi-ciphering an expected process. This is security added to any set of ciphers which may already exist. Any widely scrutinized cipher could be used in this process, and would not be weakened by it. The many-cipher situation can only improve things, not weaken what is already there. >It usually impossible to prove an impossibility. In the absense of >proof you have to bet on the evidence. We have evidence that a >few ciphers are strong. We also have evidence that most ciphers are >weak. In the absence of proof of strength, it is foolish to bet that a particular cipher is strong. The best bet is to use multiple ciphers at the same time, change ciphers often, and be prepared to disable particular ciphers at the first sign of trouble. >> >I'd be willing to bet that RC-6 and >> >TwoFish will withstand >> >the same scrutiny. >> >> But that is hardly science or even rational reasoning, is it? >> > >The scientific prinipal is observe, hypothesize, experiment, repeat. >I can observe that one cipher looks strong. I can form hypothesis about >it's strengths and weaknesses. I can test these hypothesis, and I can repeat >until I trust. No, you cannot test strength. Neither can anyone else. *That* is the problem. >With thousands of ciphers, I probably could not observe that they all >look strong. There are too many of them. The analysis would be >over whelming. How can I go from this state, to hypothesizing that >combining them would be secure? By observing that any one cipher that you do accept can be part of stack. That would give you 2 changing ciphers, the ability to switch to another if you get bad news, and the knowledge that any hidden break to your favorite cipher is protected by the rest of the stack. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Announce - ScramDisk v2.02h Date: Mon, 12 Apr 1999 10:31:55 GMT From: ssimpson@hertreg.ac.uk Message-ID: <7esi2r$cct$1@nnrp1.dejanews.com> References: <7elhhc$ic6@news.dns.microsoft.com> Newsgroups: sci.crypt Lines: 41 In article <7elhhc$ic6@news.dns.microsoft.com>, "Harvey Rook" <redrook@someyahoo.com> wrote: > > Terry Ritter <ritter@io.com> wrote in message > news:370e33ea.2675997@news.io.com... > > > > On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$1@korai.cygnus.co.uk>, in > > sci.crypt aph@cygnus.remove.co.uk (Andrew Haley) wrote: > > > > >The answer is simple. Kerckhoff's maxim says that your attacker knows > > >the cryptosystem you're using, but does not know the key. If you're > > >using superencryption, your attacker knows which systems you're using. > > > > That's fine if you always use the same ciphers in the same order. But > > if the ciphers are dynamically selected by keying, or just dynamically > > selected frequently by communications under cipher, the attacker does > > *not* know "which systems you're using." Kerckhoff's maxim does not > > apply. > > > This is incorrect. By Kerchhoff's maxim, you have to assume your attacker > has a copy of your deciphering machine. If he has a copy of your deciphering > machine, the attacker can figure out the algorithm you use to select > ciphers. Make the cipher selection(s) dependant on additional key material? > Once he knows the algorithm used to select ciphers, super-encipherment > only doubles or triples the amount of time needed to brute force. You'd > be much better off adding an extra byte to your key. Depends on the method of selection, range of ciphers and number we are willing to employ to encrypt one message doesn't it? Sam Simpson Comms Analyst -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site. -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Announce - ScramDisk v2.02h Date: Fri, 09 Apr 1999 18:28:10 -0400 From: Boris Kazak <bkazak@worldnet.att.net> Message-ID: <370E7EFA.7BB2@worldnet.att.net> References: <370e33ea.2675997@news.io.com> Newsgroups: sci.crypt Lines: 19 Terry Ritter wrote: > ................. > >Of course, your attacker must now analyze the compound cipher, which > >is almost certainly harder to do than than attacking a single cipher. > > Yes. Even if each cipher used has known weaknesses, those may not be > exploitable in the multi-ciphering case. > > --- > Terry Ritter ritter@io.com http://www.io.com/~ritter/ > Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM ----------------- A practical suggestion: what if we would initialize BLOWFISH not with the digits of 'pi', but with some other constant - e, sqrt(2), sin(1)...? How many different ciphers can we generate from the same base algorithm, and how big will be the additional effort to break them all? Especially if dynamically selected... Best wishes BNK
Subject: Re: Announce - ScramDisk v2.02h Date: Mon, 12 Apr 1999 10:26:58 GMT From: ssimpson@hertreg.ac.uk Message-ID: <7eshpd$c28$1@nnrp1.dejanews.com> References: <7ekn80$kc1$1@korai.cygnus.co.uk> Newsgroups: sci.crypt Lines: 39 Why not make cipher selection for the compound cipher part of the key? The first one or two bytes of the key could be used to select 3 (or whatever number is desirable) ciphers out of a pool of equally good ciphers. This sounds (imho) like a good idea - as long as there are no disastrously weak combinations of ciphers. Comments? Sam Simpson Communications Analyst -- http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site. In article <7ekn80$kc1$1@korai.cygnus.co.uk>, aph@cygnus.remove.co.uk (Andrew Haley) wrote: > [ Newsgroups list trimmed ] > > Lincoln Yeoh (lyeoh@pop.jaring.nospam.my) wrote: > > : I like the idea of superencryption too, and I don't know why so few > : people seem to like it. So far I have not had a good answer to how > : an attacker would know if he or she has succeeded. > > The answer is simple. Kerckhoff's maxim says that your attacker knows > the cryptosystem you're using, but does not know the key. If you're > using superencryption, your attacker knows which systems you're using. > > Of course, your attacker must now analyze the compound cipher, which > is almost certainly harder to do than than attacking a single cipher. > > Andrew. -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Announce - ScramDisk v2.02h Date: Mon, 12 Apr 1999 15:30:03 -0600 From: jcoffin@taeus.com (Jerry Coffin) Message-ID: <MPG.117bdb60312a13119899e2@news.rmi.net> References: <7eshpd$c28$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 16 In article <7eshpd$c28$1@nnrp1.dejanews.com>, ssimpson@hertreg.ac.uk says... > Why not make cipher selection for the compound cipher part of the key? The > first one or two bytes of the key could be used to select 3 (or whatever > number is desirable) ciphers out of a pool of equally good ciphers. > > > This sounds (imho) like a good idea - as long as there are no disastrously > weak combinations of ciphers. This might optimize speed slightly, but I don't see it helping security. If you're going to include code for a number of forms of encryption, from a viewpoint of security, you might as well just always use ALL the forms of encryption supported, and use the entire key as a key instead some of it as a key and some to select the method(s) of encryption to be used.
Subject: Re: Announce - ScramDisk v2.02h Date: 22 Apr 1999 20:02:39 -0700 From: mskala@ansuz.sooke.bc.ca. (Matthew Skala) Message-ID: <7fonsf$so3$1@ruby.ansuz.sooke.bc.ca> References: <MPG.117bdb60312a13119899e2@news.rmi.net> Newsgroups: sci.crypt Lines: 18 In article <MPG.117bdb60312a13119899e2@news.rmi.net>, Jerry Coffin <jcoffin@taeus.com> wrote: >security. If you're going to include code for a number of forms of >encryption, from a viewpoint of security, you might as well just >always use ALL the forms of encryption supported, and use the entire Speed. If you use all the ciphers to encrypt the whole file, it may take you a very long time. But here's another idea: use some sort of all-or-nothing scheme, so attackers have to attack the entire file at once, and then encrypt say the first block with IDEA, the second block with Blowfish, the third with 3DES, the fourth with SCOTT19U, and so on. I'm not fully up on how well all-or-nothing schemes work, but it seems like it should be possible to require the attackers to break all the ciphers, while still not having to do all the ciphers on all the blocks. -- Matthew Skala Ansuz BBS (250) 472-3169 http://www.islandnet.com/~mskala/ GOD HATES SPAM
Subject: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 07:31:40 -0700 From: Sundial Services <info@sundialservices.com> Message-ID: <371749CC.4779@sundialservices.com> Newsgroups: sci.crypt Lines: 18 When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible. About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do. My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 17:28:13 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <37176a30.4219613@news.prosurfr.com> References: <371749CC.4779@sundialservices.com> Newsgroups: sci.crypt Lines: 111 Sundial Services <info@sundialservices.com> wrote, in part: >When I look at most publicly-available cryptographic algorithms, I see >that nearly all of them consist of round upon round of simple operations >like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are >readily reversible. Looking at this paragraph, and your title, my initial reaction was to say that you were wrong - block cipher designers do recognize the importance of nonlinearity, and thus in virtually every block cipher you will find an S-box. >About the only "original idea" I've seen, since reading discussions of >older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" >patent. At least he is using a more complex transformation than 99.9% >of the things I've seen ... since SIGABA ... and he's burying a lot more >information than most designs do. Dynamic Substitution is a good idea, and an original one. And since I consider the SIGABA to be an admirable design, I started to warm to you at this point. >My question is, aside from possible requirements for constructing their >ciphers in hardware, why do designers routinely limit themselves to >these simple bitwise operators in designing ciphers? It seems to me as >a layman that the older, more complex designs were also far more secure >than what we have now, and that a computer program would have no >particular difficulty implementing them. We are not building hardware >devices; we are not limited to LFSR's. Now this is a question I've been asking myself. But there are answers to it. - For one thing, not everyone using cryptography is simply writing a program to encipher E-mail. If, for that application, it is trivial to just throw complexity at the problem to obtain security, then there's no money to be made from designing a cipher which is secure in that situation...anyone can do it. What about securely encrypting real-time digital video? - Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths. But an academic researcher isn't going to take time studying a cipher that is so big and complicated that there is no hope of coming away with an impressive result - and so big and complicated that even trying to understand it would consume an enormous amount of time and effort. Thus, designs that are intentionally limited - to one basic type of round, to one underlying principle - have an advantage over designs based on the principle that security is the only goal. They might be less intrinsically secure, but they have a better chance of being able to (appear to) _prove_ (indicate with some tendency to confidence) that they do have a certain level of security. Although I do understand the rationale behind the "recieved wisdom", that doesn't mean I fully accept it. In practice, when using cryptography, security is what counts; and advances are being made both in the theory of cryptanalysis and in the speed and power of computer chips at a great rate. Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design. Hence, I have played with designs that don't just use "simple operations". They do incorporate a lot from the designs of the real experts in the field, compared to which I am a mere amateur, but they go on from there to pile on a higher level of complication than seen in the well-known designs. Take a look at my Quadibloc II and Quadibloc III designs, in http://members.xoom.com/quadibloc/co040705.htm http://members.xoom.com/quadibloc/co040705.htm for example. I think they may address your concern - although they may not go far enough. One thing I _very definitely_ don't want to do is to go around like certain posters on this NG, and claim that a cipher *must* be as complicated as these designs of mine in order to be secure. That simply isn't true. And it is also true that a strong cipher isn't a guarantee of security; designing ciphers may be fun, but preventing data from leaking out the back door is hard work. While I respect the knowledge and ability of the acknowledged experts in the field, where I think I part company with Bruce Schneier and others is in the following: I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fleged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm. I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt. John Savard (teneerf is spelled backwards) http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 20:20:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: <37179b67.12809750@news.io.com> References: <37176a30.4219613@news.prosurfr.com> Newsgroups: sci.crypt Lines: 129 On Fri, 16 Apr 1999 17:28:13 GMT, in <37176a30.4219613@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: >[...] >- Also, since there are many insecure cipher designs floating around, one >can't just accept that a cipher is secure based on its designer's say-so. >Instead, what gives real confidence in a cipher design is that it has been >studied by experts who have failed to crack it, but who have come away from >their attempts with an understanding of the source of the design's >strengths. I dispute this. This is essentially what Schneier would have us believe, and it is false. The truth is that we *never* know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time. Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true. We would like to think that the more we use a cipher, the more confidence we can have in it. We *can* build confidence in a ciphering program, as to whether or not it crashes and so on. But since our Opponents do not tell us of their success, we do not know that our cipher was successful at hiding data. And we cannot have confidence in a result without knowing what that result is. >[...] >But an academic researcher isn't going to take time studying a cipher that >is so big and complicated that there is no hope of coming away with an >impressive result - and so big and complicated that even trying to >understand it would consume an enormous amount of time and effort. It is always nice to find something important which is easy to do. That would be the academic equivalent of "Make Easy Money Now." It may be unfortunate for academic cryptographers that a wide variety of new techniques are pioneered by non-academics. But those techniques exist nevertheless, and to the extent that academics do not investigate them, those academics are not up with the state of the art. It is not, frankly, the role of the innovator to educate the academics, or even to serve technology to them on a silver platter. In the end, academic reputation comes from reality, and the reality is that many crypto academics avoid anything new which does not have an academic source. The consequence is that they simply do not have the background to judge really new designs. >Thus, designs that are intentionally limited - to one basic type of round, >to one underlying principle - have an advantage over designs based on the >principle that security is the only goal. They might be less intrinsically >secure, but they have a better chance of being able to (appear to) _prove_ >(indicate with some tendency to confidence) that they do have a certain >level of security. Upon encountering a new design, anyone may choose to simplify that design and then report results from that simplification. This is done all the time. It is not necessary for an innovator to make a simplified design for this purpose. On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for *any* cipher, experimentation is about all we have. But note how little of it we see. >[...] >Plus, the risk that one's adversary is a hacker of the future with a very >powerful desktop computer seems much greater than the risk that one's >adversary will be an accomplished cryptanalyst, able to exploit the most >subtle flaws in an over-elaborate design. But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all. >[...] >While I respect the knowledge and ability of the acknowledged experts in >the field, where I think I part company with Bruce Schneier and others is >in the following: > >I believe it to be possible and useful to develop a design methodology - >mainly involving the cutting and pasting of pieces from proven cipher >designs - to enable a reasonably qualified person who, however, falls short >of being a full-fleged cryptographer, to design his own block cipher, and >thereby obtain additional and significant benefits in resistance to >cryptanalytic attack by having an unknown and unique algorithm. And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time. That means that we can divide the worth of our information into many different ciphers, so that if any one fails, only a fraction of messages are exposed. It also means that *any* Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide. >I don't deny that there are pitfalls looming in such an approach; if >something is left out of the methodology, or if it isn't conscientiously >used, people could easily wind up using weak designs and having a false >sense of security. I just think the problems can be addressed, and the >potential benefits are worth the attempt. Neat. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 14:06:57 -0700 From: "Steven Alexander" <steve@cell2000.net> Message-ID: <jKNR2.591$%L2.8044@news6.ispnews.com> References: <37179b67.12809750@news.io.com> Newsgroups: sci.crypt Lines: 32 >>- Also, since there are many insecure cipher designs floating around, one >>can't just accept that a cipher is secure based on its designer's say-so. >>Instead, what gives real confidence in a cipher design is that it has been >>studied by experts who have failed to crack it, but who have come away from >>their attempts with an understanding of the source of the design's >>strengths. > >I dispute this. This is essentially what Schneier would have us >believe, and it is false. > >The truth is that we *never* know the "real" strength of a cipher. No..... I don't think that you understand the point that Schneier and others have made. If I(a nobody) create a new cryptosystem tommorrow, nobody will have any confidence in it. But, If I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five(ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time. my $.02...-steven
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR? Date: Fri, 16 Apr 1999 22:32:57 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3717ba72.20758328@news.io.com> References: <jKNR2.591$%L2.8044@news6.ispnews.com> Newsgroups: sci.crypt Lines: 87 On Fri, 16 Apr 1999 14:06:57 -0700, in <jKNR2.591$%L2.8044@news6.ispnews.com>, in sci.crypt "Steven Alexander" <steve@cell2000.net> wrote: >>[...] >>I dispute this. This is essentially what Schneier would have us >>believe, and it is false. >> >>The truth is that we *never* know the "real" strength of a cipher. No..... > >I don't think that you understand the point that Schneier and others have >made. >If I(a nobody) create a new cryptosystem tommorrow, nobody will have >any confidence in it. This is seriously disturbing: The issue is not who makes a thing, but instead what the thing actually is. Deliberately judging a design in the context of who made it is actually anti-scientific, and should be widely denounced as the superstition it is. >But, If I learn to break the ciphers of others and >use my experience to create a new cipher that others cannot break it will be >listened to because I am known to be knowledgeable in how ciphers work. Nonsense. Knowing how to break some ciphers does not mean that you know how ciphers work. That idea *is* the point "that Schneier and others have made" and it is a fantasy. It is especially fantastic when ciphers use technology which academics have ignored. But in any case, without a LOWER bound on strength, academics REALLY do not even know that ciphers work *at* *all*, let alone how. >But, it will still not be trusted. Only after many people have analyzed and >failed to break my cipher will people say...CRYPHTML.HTM"his cipher has held up to >five(ten) years of cryptanalysis by very knowledgeable cryptanalysts. Nonsense. There is no such conclusion. Ciphers do not ripen like cheese. We first of all do not know how many attacks were made (if any), nor how much effort was placed into them. Attacks made by experienced, well-paid, well-motivated teams with all the equipment they need are quite different from those of single individuals working at a desk at night and coming up with a new mathematical equation. Not finding an equation does not mean some team has not had success. We only know what success is reported in the academic literature. Unfortunately, when we use a cipher, we are very rarely concerned whether academics can break our cipher or not. We are instead concerned about "bad guys,"