Can Cryptanalysis Give Us Confidence?


Terry Ritter


A Ciphers By Ritter Page


A recurring theme in these conversations is that cryptanalysis is how we know the strength of a cipher. Of course we want all the cryptanalysis we can get, and we do not use ciphers which are known to be weak. Still, the ciphers we do use have at best been analyzed with respect to attacks in the academic literature, but our opponents are not academics, and are not limited to those attacks. Accordingly, cryptanalysis does not tell us whether or not our data are hidden from our opponents. Since hiding data from our opponents is the whole reason to use cryptography, this issue is not a minor detail.

The intent of this is not to place a cloud over cryptography, but instead to reveal the cloud which is already there. Once we accept reality as it is, no matter how disturbing to our previous beliefs, we can begin to think about doing things beyond conventional cryptography, and so improve our situation. I have many times proposed ciphering with "stacks" of three ciphers which change frequently, and I think that would give us significant benefit. But if someone else can come up with a better solution, I would be glad to hear it.
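The "stack" of ciphers mentioned above, as an added illustration that is not part of the original page or of Ritter's own designs: three stream-cipher layers with independent keys, each built here from a different keyed hash in Python's hashlib driven in counter mode (HMAC-SHA256, SHAKE256, keyed BLAKE2b) as stand-ins for three distinct ciphers. The function names, the 32-byte key and block sizes, the 16-byte nonce and the sample message are assumptions of this example. What it shows is the property the page argues for: recovering the plaintext requires every layer's key, so an attacker who has broken one layer alone still sees only keystream-masked data.

```python
"""Cascade ("stack") of three stream ciphers with independent keys.

Added illustration, not Ritter's design: each layer turns a different keyed
hash from hashlib into a counter-mode keystream.  The three hashes stand in
for three genuinely different ciphers; any real stream cipher with its own
independent key could take a layer's place.
"""
import hashlib
import hmac
import os

KEY_LEN = 32    # bytes per layer key (assumed for this example)
NONCE_LEN = 16  # bytes; must never repeat under the same key set
BLOCK = 32      # bytes of keystream produced per counter step


def _ks_hmac_sha256(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Layer 1: HMAC-SHA256 as a PRF over (nonce || counter)."""
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def _ks_shake256(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Layer 2: SHAKE256 XOF; key and nonce are fixed-length so the
    concatenation is unambiguous."""
    return hashlib.shake_256(key + nonce + counter.to_bytes(8, "big")).digest(BLOCK)


def _ks_blake2b(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Layer 3: keyed BLAKE2b (native keyed mode, key <= 64 bytes)."""
    return hashlib.blake2b(nonce + counter.to_bytes(8, "big"),
                           key=key, digest_size=BLOCK).digest()


LAYERS = (_ks_hmac_sha256, _ks_shake256, _ks_blake2b)


def _check(keys, nonce):
    """Reject the obvious misuse: wrong count, wrong sizes, or a key reused
    across layers (reuse would let one recovered key open two layers)."""
    if len(keys) != len(LAYERS):
        raise ValueError(f"expected {len(LAYERS)} keys, one per layer")
    if any(len(k) != KEY_LEN for k in keys) or len(set(keys)) != len(keys):
        raise ValueError(f"each layer needs its own distinct {KEY_LEN}-byte key")
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"nonce must be {NONCE_LEN} bytes")


def _xor_stream(keystream, key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream, one BLOCK per counter value."""
    out = bytearray()
    for start in range(0, len(data), BLOCK):
        block = keystream(key, nonce, start // BLOCK)
        chunk = data[start:start + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))  # zip truncates to chunk
    return bytes(out)


def stack_encrypt(keys, nonce: bytes, plaintext: bytes) -> bytes:
    """Apply the three layers in order; each layer has its own key."""
    _check(keys, nonce)
    data = plaintext
    for keystream, key in zip(LAYERS, keys):
        data = _xor_stream(keystream, key, nonce, data)
    return data


def stack_decrypt(keys, nonce: bytes, ciphertext: bytes) -> bytes:
    """Peel the layers off in reverse order with the same keys."""
    _check(keys, nonce)
    data = ciphertext
    for keystream, key in zip(reversed(LAYERS), reversed(keys)):
        data = _xor_stream(keystream, key, nonce, data)
    return data


if __name__ == "__main__":
    # Constructed sample: three independent random keys, a fresh nonce.
    keys = tuple(os.urandom(KEY_LEN) for _ in LAYERS)
    nonce = os.urandom(NONCE_LEN)
    message = b"quarterly numbers, draft 3"
    ct = stack_encrypt(keys, nonce, message)
    assert stack_decrypt(keys, nonce, ct) == message
    # Two of three keys known, third wrong: plaintext stays masked.
    partial = (keys[0], keys[1], os.urandom(KEY_LEN))
    assert stack_decrypt(partial, nonce, ct) != message
    print("roundtrip ok; partial key set does not recover the message")
```

Two practical notes. The nonce must be unique for every message under a given key set, exactly as with any stream cipher: a repeated nonce leaks the XOR of two plaintexts regardless of how many layers are stacked. And the construction is confidentiality only; a deployment would add a MAC over the outer ciphertext, since XOR layers offer no integrity protection. Because every layer here is an XOR stream, the layers commute and the order of application does not matter; with block-cipher layers it would.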




Subject: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 07:31:40 -0700
From: Sundial Services <info@sundialservices.com>
Message-ID: <371749CC.4779@sundialservices.com>
Newsgroups: sci.crypt
Lines: 18

When I look at most publicly-available cryptographic algorithms, I see that nearly all of them consist of round upon round of simple operations like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are readily reversible.

About the only "original idea" I've seen, since reading discussions of older machines like SIGABA, is Terry Ritter's "Dynamic Substitution" patent. At least he is using a more complex transformation than 99.9% of the things I've seen ... since SIGABA ... and he's burying a lot more information than most designs do.

My question is, aside from possible requirements for constructing their ciphers in hardware, why do designers routinely limit themselves to these simple bitwise operators in designing ciphers? It seems to me as a layman that the older, more complex designs were also far more secure than what we have now, and that a computer program would have no particular difficulty implementing them. We are not building hardware devices; we are not limited to LFSR's.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 17:28:13 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <37176a30.4219613@news.prosurfr.com>
References: <371749CC.4779@sundialservices.com>
Newsgroups: sci.crypt
Lines: 111

Sundial Services <info@sundialservices.com> wrote, in part:

>When I look at most publicly-available cryptographic algorithms, I see
>that nearly all of them consist of round upon round of simple operations
>like: shift, exclusive-OR, and "bit-twiddling." Most of these ops are
>readily reversible.

Looking at this paragraph, and your title, my initial reaction was to say that you were wrong - block cipher designers do recognize the importance of nonlinearity, and thus in virtually every block cipher you will find an S-box.

>About the only "original idea" I've seen, since reading discussions of
>older machines like SIGABA, is Terry Ritter's "Dynamic Substitution"
>patent. At least he is using a more complex transformation than 99.9%
>of the things I've seen ... since SIGABA ... and he's burying a lot more
>information than most designs do.

Dynamic Substitution is a good idea, and an original one. And since I consider the SIGABA to be an admirable design, I started to warm to you at this point.

>My question is, aside from possible requirements for constructing their
>ciphers in hardware, why do designers routinely limit themselves to
>these simple bitwise operators in designing ciphers? It seems to me as
>a layman that the older, more complex designs were also far more secure
>than what we have now, and that a computer program would have no
>particular difficulty implementing them. We are not building hardware
>devices; we are not limited to LFSR's.

Now this is a question I've been asking myself. But there are answers to it.

- For one thing, not everyone using cryptography is simply writing a program to encipher E-mail. If, for that application, it is trivial to just throw complexity at the problem to obtain security, then there's no money to be made from designing a cipher which is secure in that situation...anyone can do it. What about securely encrypting real-time digital video?

- Also, since there are many insecure cipher designs floating around, one can't just accept that a cipher is secure based on its designer's say-so. Instead, what gives real confidence in a cipher design is that it has been studied by experts who have failed to crack it, but who have come away from their attempts with an understanding of the source of the design's strengths.

But an academic researcher isn't going to take time studying a cipher that is so big and complicated that there is no hope of coming away with an impressive result - and so big and complicated that even trying to understand it would consume an enormous amount of time and effort.

Thus, designs that are intentionally limited - to one basic type of round, to one underlying principle - have an advantage over designs based on the principle that security is the only goal. They might be less intrinsically secure, but they have a better chance of being able to (appear to) _prove_ (indicate with some tendency to confidence) that they do have a certain level of security.

Although I do understand the rationale behind the "received wisdom", that doesn't mean I fully accept it. In practice, when using cryptography, security is what counts; and advances are being made both in the theory of cryptanalysis and in the speed and power of computer chips at a great rate. Plus, the risk that one's adversary is a hacker of the future with a very powerful desktop computer seems much greater than the risk that one's adversary will be an accomplished cryptanalyst, able to exploit the most subtle flaws in an over-elaborate design.

Hence, I have played with designs that don't just use "simple operations". They do incorporate a lot from the designs of the real experts in the field, compared to which I am a mere amateur, but they go on from there to pile on a higher level of complication than seen in the well-known designs.

Take a look at my Quadibloc II and Quadibloc III designs, in

http://members.xoom.com/quadibloc/co040705.htm
http://members.xoom.com/quadibloc/co040705.htm

for example. I think they may address your concern - although they may not go far enough.

One thing I _very definitely_ don't want to do is to go around like certain posters on this NG, and claim that a cipher *must* be as complicated as these designs of mine in order to be secure. That simply isn't true. And it is also true that a strong cipher isn't a guarantee of security; designing ciphers may be fun, but preventing data from leaking out the back door is hard work.

While I respect the knowledge and ability of the acknowledged experts in the field, where I think I part company with Bruce Schneier and others is in the following:

I believe it to be possible and useful to develop a design methodology - mainly involving the cutting and pasting of pieces from proven cipher designs - to enable a reasonably qualified person who, however, falls short of being a full-fledged cryptographer, to design his own block cipher, and thereby obtain additional and significant benefits in resistance to cryptanalytic attack by having an unknown and unique algorithm.

I don't deny that there are pitfalls looming in such an approach; if something is left out of the methodology, or if it isn't conscientiously used, people could easily wind up using weak designs and having a false sense of security. I just think the problems can be addressed, and the potential benefits are worth the attempt.

John Savard (teneerf is spelled backwards)
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 20:20:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <37179b67.12809750@news.io.com>
References: <37176a30.4219613@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 129

On Fri, 16 Apr 1999 17:28:13 GMT, in <37176a30.4219613@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>[...]
>- Also, since there are many insecure cipher designs floating around, one
>can't just accept that a cipher is secure based on its designer's say-so.
>Instead, what gives real confidence in a cipher design is that it has been
>studied by experts who have failed to crack it, but who have come away from
>their attempts with an understanding of the source of the design's
>strengths.

I dispute this. This is essentially what Schneier would have us believe, and it is false.

The truth is that we *never* know the "real" strength of a cipher. No matter how much review or cryptanalysis a cipher gets, we only have the latest "upper bound" for strength. The lower bound is zero: Any cipher can fail at any time.

Since we have only an upper bound for the strength of any cipher, any confidence we may have is no more than our own delusion. We wish and hope for cipher strength, and -- absent a specific proof otherwise -- we gradually come to believe in it. But that does not make it true.

We would like to think that the more we use a cipher, the more confidence we can have in it. We *can* build confidence in a ciphering program, as to whether or not it crashes and so on. But since our Opponents do not tell us of their success, we do not know that our cipher was successful at hiding data. And we cannot have confidence in a result without knowing what that result is.

>[...]
>But an academic researcher isn't going to take time studying a cipher that
>is so big and complicated that there is no hope of coming away with an
>impressive result - and so big and complicated that even trying to
>understand it would consume an enormous amount of time and effort.

It is always nice to find something important which is easy to do. That would be the academic equivalent of "Make Easy Money Now."

It may be unfortunate for academic cryptographers that a wide variety of new techniques are pioneered by non-academics. But those techniques exist nevertheless, and to the extent that academics do not investigate them, those academics are not up with the state of the art. It is not, frankly, the role of the innovator to educate the academics, or even to serve technology to them on a silver platter. In the end, academic reputation comes from reality, and the reality is that many crypto academics avoid anything new which does not have an academic source. The consequence is that they simply do not have the background to judge really new designs.

>Thus, designs that are intentionally limited - to one basic type of round,
>to one underlying principle - have an advantage over designs based on the
>principle that security is the only goal. They might be less intrinsically
>secure, but they have a better chance of being able to (appear to) _prove_
>(indicate with some tendency to confidence) that they do have a certain
>level of security.

Upon encountering a new design, anyone may choose to simplify that design and then report results from that simplification. This is done all the time. It is not necessary for an innovator to make a simplified design for this purpose.

On the other hand, I have been pioneering the use of scalable technology which, presumably, can be scaled down to a level which can be investigated experimentally. The last I heard, experimentation was still considered a rational basis for the understanding of reality. Indeed, one might argue that in the absence of theoretical strength for *any* cipher, experimentation is about all we have. But note how little of it we see.

>[...]
>Plus, the risk that one's adversary is a hacker of the future with a very
>powerful desktop computer seems much greater than the risk that one's
>adversary will be an accomplished cryptanalyst, able to exploit the most
>subtle flaws in an over-elaborate design.

But we don't know our Opponents! If we have to estimate their capabilities, I think we are necessarily forced into assuming that they are more experienced, better equipped, have more time, are better motivated, and -- yes -- are even smarter than we are. There is ample opportunity for them to exploit attacks of which we have no inkling at all.

>[...]
>While I respect the knowledge and ability of the acknowledged experts in
>the field, where I think I part company with Bruce Schneier and others is
>in the following:
>
>I believe it to be possible and useful to develop a design methodology -
>mainly involving the cutting and pasting of pieces from proven cipher
>designs - to enable a reasonably qualified person who, however, falls short
>of being a full-fledged cryptographer, to design his own block cipher, and
>thereby obtain additional and significant benefits in resistance to
>cryptanalytic attack by having an unknown and unique algorithm.

And in this way we can have hundreds or thousands of different ciphers, with more on the way all the time. That means that we can divide the worth of our information into many different ciphers, so that if any one fails, only a fraction of messages are exposed. It also means that *any* Opponent must keep up with new ciphers and analyze and possibly break each, then design a program, or build new hardware to exploit it. We can make good new ciphers cheaper than they can possibly be broken. The result is that our Opponents must invest far more to get far less, and this advantage does not depend upon the delusion of strength which is all that cryptanalysis can provide.

>I don't deny that there are pitfalls looming in such an approach; if
>something is left out of the methodology, or if it isn't conscientiously
>used, people could easily wind up using weak designs and having a false
>sense of security. I just think the problems can be addressed, and the
>potential benefits are worth the attempt.

Neat.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 14:06:57 -0700
From: "Steven Alexander" <steve@cell2000.net>
Message-ID: <jKNR2.591$%L2.8044@news6.ispnews.com>
References: <37179b67.12809750@news.io.com>
Newsgroups: sci.crypt
Lines: 32

>>- Also, since there are many insecure cipher designs floating around, one
>>can't just accept that a cipher is secure based on its designer's say-so.
>>Instead, what gives real confidence in a cipher design is that it has been
>>studied by experts who have failed to crack it, but who have come away from
>>their attempts with an understanding of the source of the design's
>>strengths.
>
>I dispute this. This is essentially what Schneier would have us
>believe, and it is false.
>
>The truth is that we *never* know the "real" strength of a cipher. No.....

I don't think that you understand the point that Schneier and others have made. If I (a nobody) create a new cryptosystem tomorrow, nobody will have any confidence in it. But, if I learn to break the ciphers of others and use my experience to create a new cipher that others cannot break, it will be listened to because I am known to be knowledgeable in how ciphers work. But, it will still not be trusted. Only after many people have analyzed and failed to break my cipher will people say..."his cipher has held up to five (ten) years of cryptanalysis by very knowledgeable cryptanalysts. We can assume with an adequate level of confidence that the cipher will protect our information." However, it is still realized that at any time someone can invent a new cryptanalytic attack and my cipher will be rendered useless. Schneier and others have acknowledged that any cipher can be broken at any time.

my $.02...-steven
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 22:32:57 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3717ba72.20758328@news.io.com>
References: <jKNR2.591$%L2.8044@news6.ispnews.com>
Newsgroups: sci.crypt
Lines: 87

On Fri, 16 Apr 1999 14:06:57 -0700, in <jKNR2.591$%L2.8044@news6.ispnews.com>, in sci.crypt "Steven Alexander" <steve@cell2000.net> wrote:

>>[...]
>>I dispute this. This is essentially what Schneier would have us
>>believe, and it is false.
>>
>>The truth is that we *never* know the "real" strength of a cipher. No.....
>
>I don't think that you understand the point that Schneier and others have
>made.
>If I (a nobody) create a new cryptosystem tomorrow, nobody will have
>any confidence in it.

This is seriously disturbing: The issue is not who makes a thing, but instead what the thing actually is. Deliberately judging a design in the context of who made it is actually anti-scientific, and should be widely denounced as the superstition it is.

>But, if I learn to break the ciphers of others and
>use my experience to create a new cipher that others cannot break it will be
>listened to because I am known to be knowledgeable in how ciphers work.

Nonsense. Knowing how to break some ciphers does not mean that you know how ciphers work. That idea *is* the point "that Schneier and others have made" and it is a fantasy. It is especially fantastic when ciphers use technology which academics have ignored. But in any case, without a LOWER bound on strength, academics REALLY do not even know that ciphers work *at* *all*, let alone how.

>But, it will still not be trusted. Only after many people have analyzed and
>failed to break my cipher will people say..."his cipher has held up to
>five (ten) years of cryptanalysis by very knowledgeable cryptanalysts.

Nonsense. There is no such conclusion. Ciphers do not ripen like cheese.

We first of all do not know how many attacks were made (if any), nor how much effort was placed into them. Attacks made by experienced, well-paid, well-motivated teams with all the equipment they need are quite different from those of single individuals working at a desk at night and coming up with a new mathematical equation. Not finding an equation does not mean some team has not had success. We only know what success is reported in the academic literature.

Unfortunately, when we use a cipher, we are very rarely concerned whether academics can break our cipher or not. We are instead concerned about "bad guys," and they don't tell us when they have been successful. So this delay -- supposedly for gaining confidence -- in reality tells us nothing at all about the strength of the cipher.

>We
>can assume with an adequate level of confidence that the cipher will protect
>our information." However, it is still realized that at any time someone
>can invent a new cryptanalytic attack and my cipher will be rendered
>useless. Schneier and others have acknowledged that any cipher can be
>broken at any time.

As I recall, Schneier and others claim that cryptanalysis is how we know the strength of a cipher. It is not. Cryptanalysis can only show weakness, only that when it is successful, and even then it only gives us the latest upper bound.

But the main problem is not knowing the strength of *new* ciphers, but rather knowing the strength of *old* ciphers: we are actually using the old ciphers. When ciphers have been in long use there is a delusion that we know their strength and can use them as a benchmark against new ciphers. Absent a non-zero LOWER bound on strength, this is false on both counts.

As I recall, in his comments on AES, Schneier has said that simply finding a cryptanalytic weakness in one of the designs would be sufficient to remove it from competition, even if the weakness was impractical. He would thus have us believe that the lack of information about weakness in one cipher is superior to information of impractical weakness in another cipher. I disagree.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 15:41:12 -0700
From: "Steven Alexander" <steve@cell2000.net>
Message-ID: <X6PR2.1145$5E.10730@news7.ispnews.com>
References: <3717ba72.20758328@news.io.com>
Newsgroups: sci.crypt
Lines: 18

I think the point that Schneier and others have made, which I personally agree with, is that no cipher is "secure". We can however put more trust into an algorithm that has undergone more cryptanalysis and has been tested against the newest cryptanalytic techniques because we know what will not break the cipher. I personally would not trust any algorithm that I and other motivated people had not tested. I also think that understanding how to break ciphers gives a better knowledge of how to build ciphers because you know what can break them. This is why some of the best security experts are hackers...they know how to get in. You cannot prevent your computer from being hacked if you do not know what means someone will use to break in. It would be like building large stone walls around a military base and not expecting someone to fly over and drop a bomb...if you don't know that airplanes and bombs can destroy your base as well as ground troops...you've already lost.

-steven
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 23:53:14 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3717cd62.25607206@news.io.com>
References: <X6PR2.1145$5E.10730@news7.ispnews.com>
Newsgroups: sci.crypt
Lines: 61

On Fri, 16 Apr 1999 15:41:12 -0700, in <X6PR2.1145$5E.10730@news7.ispnews.com>, in sci.crypt "Steven Alexander" <steve@cell2000.net> wrote:

>I think the point that Schneier and others have made, which I personally
>agree with, is that no cipher is "secure".

*I* think you are being selective in stating "the" point Schneier has made. While he may have conceded that no cipher is secure after long discussion, his point often is that cryptanalysis is necessary to know the strength of a cipher. Of course, the fact that he sells such services would have nothing to do with it.

>We can however put more trust
>into an algorithm that has undergone more cryptanalysis and has been tested
>against the newest cryptanalytic techniques because we know what will not
>break the cipher.

Nope. Simply because "we" cannot break it does not mean that others cannot break it. We are not confronting our clones: our Opponents know more than we do, and are probably smarter as well.

>I personally would not trust any algorithm that I and
>other motivated people had not tested.

But there *is* no test for strength.

>I also think that understanding how
>to break ciphers

But there is no one way, nor any fixed set of ways, which are "how to break ciphers." No matter how much you "understand," there is more to know. That is the problem.

>gives a better knowledge of how to build ciphers because
>you know what can break them.

One proper role for cryptanalysis is to support the design of ciphers.

>This is why some of the best security experts
>are hackers...they know how to get in. You cannot prevent your computer
>from being hacked if you do not know what means someone will use to break
>in. It would be like building large stone walls around a military base and
>not expecting someone to fly over and drop a bomb...if you don't know that
>airplanes and bombs can destroy your base as well as ground troops...you've
>already lost.

Then you are lost. Neither you nor anybody else can predict every possible way to attack a cipher or a base.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 17:05:05 -0700
From: "Steven Alexander" <steve@cell2000.net>
Message-ID: <xlQR2.1311$5E.12276@news7.ispnews.com>
References: <3717cd62.25607206@news.io.com>
Newsgroups: sci.crypt
Lines: 19

What exactly is your suggestion for the creation of a cipher in which we can place our trust? The best we can do at any one point is to create a cipher that is secure against the attacks that we know of. If we do not know of many attacks this will not entail much. If we have a group of the best cryptanalysts who analyze a cipher and find no vulnerabilities, this does not mean that any vulnerabilities do not exist...it only means that those that we know of...and variations thereof do not exist in that cipher. This gives us a degree of trust in the cipher. In RSA for example, we believe that the only way to break the cipher is to factor n. If I find a new way to factor n in just a couple of minutes on your typical PC the cipher is broken. However, the odds that someone will invent a way to factor that is so phenomenally better is very unlikely. If I try to build a cipher and do not understand cryptanalysis I will not have any idea how to protect my cipher. If you have a better way to design ciphers, please share.

-steven
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:12 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3718105d.5227815@news.io.com>
References: <xlQR2.1311$5E.12276@news7.ispnews.com>
Newsgroups: sci.crypt
Lines: 58

On Fri, 16 Apr 1999 17:05:05 -0700, in <xlQR2.1311$5E.12276@news7.ispnews.com>, in sci.crypt "Steven Alexander" <steve@cell2000.net> wrote:

>What exactly is your suggestion for the creation of a cipher in which we can
>place our trust?

Absent a theory or overall test of strength, there can be no trust in a cipher. All the trust one can have is delusion.

>The best we can do at any one point is to create a cipher
>that is secure against the attacks that we know of. If we do not know of
>many attacks this will not entail much. If we have a group of the best
>cryptanalysts who analyze a cipher and find no vulnerabilities, this does
>not mean that any vulnerabilities do not exist...it only means that those
>that we know of...and variations thereof do not exist in that cipher.

Exactly.

>This
>gives us a degree of trust in the cipher.

What most people want is a strong cipher. Absent evidence of strength there is no basis for such trust.

>In RSA for example, we believe
>that the only way to break the cipher is to factor n. If I find a new way
>to factor n in just a couple of minutes on your typical PC the cipher is
>broken. However, the odds that someone will invent a way to factor that is
>so phenomenally better is very unlikely.

This is a disturbingly-unwarranted statement: Nobody has any idea what the true odds are, so we cannot infer that they are good or bad.

>If I try to build a cipher and do
>not understand cryptanalysis I will not have any idea how to protect my
>cipher. If you have a better way to design ciphers, please share.

Actually, I think there are better ways. For one thing we can use very simple constructs with few types of component, each of which can be fully understood for what it does. For another we can design scalable ciphers that can be scaled down to experimental size. However, the real issue is that while supposedly everyone knows that any cipher can be weak, there has been essentially no attention given to protocols which deal with this problem.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 22:09:10 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <371a5737.341699@news.prosurfr.com>
References: <xlQR2.1311$5E.12276@news7.ispnews.com>
Newsgroups: sci.crypt
Lines: 18

"Steven Alexander" <steve@cell2000.net> wrote, in part:

>If I try to build a cipher and do
>not understand cryptanalysis I will not have any idea how to protect my
>cipher. If you have a better way to design ciphers, please share.

You are right that avoiding known weaknesses is important, and understanding cryptanalysis is important.

However, I think that there is a "better way to design ciphers" than to place too much faith in the _present_ knowledge of cryptanalysis. A cipher should be designed conservatively: not just in the sense of having a few extra rounds, but in the sense of having extra complexities in its design _far beyond_ those needed (nonlinear S-boxes, irregularities in the key schedule) to frustrate _known_ methods of attack.

John Savard ( teenerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 23:55:28 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-1804992355290001@dial-243-098.itexas.net>
References: <371a5737.341699@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 26

In article <371a5737.341699@news.prosurfr.com>, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

> "Steven Alexander" <steve@cell2000.net> wrote, in part:
>
> >If I try to build a cipher and do
> >not understand cryptanalysis I will not have any idea how to protect my
> >cipher. If you have a better way to design ciphers, please share.
>
> You are right that avoiding known weaknesses is important, and
> understanding cryptanalysis is important.
>
> However, I think that there is a "better way to design ciphers" than to
> place too much faith in the _present_ knowledge of cryptanalysis. A cipher
> should be designed conservatively: not just in the sense of having a few
> extra rounds, but in the sense of having extra complexities in its design
> _far beyond_ those needed (nonlinear S-boxes, irregularities in the key
> schedule) to frustrate _known_ methods of attack.
>
A good trick is to telescope complexities into new primitives if you can. Multiple layers of appropriate complexity do work, but the cost is diversified in several directions.

--
A new random permutation generator: You put X windoze machines in a room, merely start them up, and record the order in which they eventually crash on their own.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 02:22:42 GMT
From: fqkhuo@gmrvavvrcd.fl (ybizmt)
Message-ID: <slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq>
References: <3717cd62.25607206@news.io.com>
Newsgroups: sci.crypt
Lines: 9

On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter <ritter@io.com> wrote:

> *I* think you are being selective in stating "the" point Schneier has
> made. While he may have conceded that no cipher is secure after long
> discussion, his point often is that cryptanalysis is necessary to know
> the strength of a cipher. Of course, the fact that he sells such
> services would have nothing to do with it.

Refresh my memory. What do you sell?
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:19 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <37181072.5248874@news.io.com>
References: <slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq>
Newsgroups: sci.crypt
Lines: 26

On Sat, 17 Apr 1999 02:22:42 GMT, in <slrn7hfs2u.cc.fqkhuo@tpep.nofsozwovh.yq>, in sci.crypt fqkhuo@gmrvavvrcd.fl (ybizmt) wrote:

>On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter <ritter@io.com> wrote:
>> *I* think you are being selective in stating "the" point Schneier has
>> made. While he may have conceded that no cipher is secure after long
>> discussion, his point often is that cryptanalysis is necessary to know
>> the strength of a cipher. Of course, the fact that he sells such
>> services would have nothing to do with it.
>
>Refresh my memory. What do you sell?

Just the truth, lately.

I just find it an interesting coincidence when people promote errors in reasoning which just happen to benefit their business. On the other hand, promoting truths which also happen to benefit one's business seems not nearly as disturbing.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 18 Apr 99 01:49:42 GMT
From: jsavard@ecn.ab.ca ()
Message-ID: <37193a36.0@ecn.ab.ca>
References: <3717ba72.20758328@news.io.com>
Newsgroups: sci.crypt
Lines: 15

Terry Ritter (ritter@io.com) wrote:
: This is seriously disturbing: The issue is not who makes a thing, but
: instead what the thing actually is. Deliberately judging a design in
: the context of who made it is actually anti-scientific, and should be
: widely denounced as the superstition it is.

That's true *if* judging a cipher that way is used as a substitute for actual analytical study of the cipher itself by a competent individual. Where the services of an expert are not available, or there is insufficient time to fully evaluate all candidate ciphers for an application, choosing a cipher from a respected source is not "superstition", and it is the kind of choice people make all the time: i.e., when shopping for a new computer.

John Savard
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Tue, 20 Apr 1999 22:03:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <371cf99f.7573878@news.io.com>
References: <37193a36.0@ecn.ab.ca>
Newsgroups: sci.crypt
Lines: 33

On 18 Apr 99 01:49:42 GMT, in <37193a36.0@ecn.ab.ca>, in sci.crypt jsavard@ecn.ab.ca () wrote:

>Terry Ritter (ritter@io.com) wrote:
>: This is seriously disturbing: The issue is not who makes a thing, but
>: instead what the thing actually is. Deliberately judging a design in
>: the context of who made it is actually anti-scientific, and should be
>: widely denounced as the superstition it is.
>
>That's true *if* judging a cipher that way is used as a substitute for
>actual analytical study of the cipher itself by a competent individual.
>Where the services of an expert are not available, or there is
>insufficient time to fully evaluate all candidate ciphers for an
>application, choosing a cipher from a respected source is not
>"superstition", and it is the kind of choice people make all the time:
>i.e., when shopping for a new computer.

Is shopping for a cipher like shopping for a new computer? Yes, I think so, but this situation is not a technical discussion between people of expertise but, rather, ordinary users who really have no choice but to rely upon promotion and rumor.

When experts themselves cannot fully characterize the strength of a system specifically designed to produce strength, we know we are in trouble. It's just that this is the way it's always been, and most of us forgot what it means. It does not mean that we must rely upon the same promotion and rumor as ordinary users.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Tue, 20 Apr 1999 22:50:19 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-2004992250200001@dial-243-073.itexas.net>
References: <371cf99f.7573878@news.io.com>
Newsgroups: sci.crypt
Lines: 14

In article <371cf99f.7573878@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> Is shopping for a cipher like shopping for a new computer? Yes, I
> think so, but this situation is not a technical discussion between
> people of expertise but, rather, ordinary users who really have no
> choice but to rely upon promotion and rumor.
>

I wonder if the FTC has a role in determining if claims are reasonable. They would have to yield to NSA for expertise? Perhaps we can try to shift burden directly to government to prove strength, therefore making them show their hand.

--
Life's battles do not always go to the stronger or faster man... But, sooner or later always go to the fellow who thinks he can.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 00:28:46 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-1704990028460001@dial-243-079.itexas.net>
References: <jKNR2.591$%L2.8044@news6.ispnews.com>
Newsgroups: sci.crypt
Lines: 35

In article <jKNR2.591$%L2.8044@news6.ispnews.com>, "Steven Alexander" <steve@cell2000.net> wrote:
>
> I don't think that you understand the point that Schneier and others have
> made. If I(a nobody) create a new cryptosystem tomorrow, nobody will have
> any confidence in it. But, If I learn to break the ciphers of others and
> use my experience to create a new cipher that others cannot break it will be
> listened to because I am known to be knowledgeable in how ciphers work.
> But, it will still not be trusted. Only after many people have analyzed and
> failed to break my cipher will people say..."his cipher has held up to
> five(ten) years of cryptanalysis by very knowledgeable cryptanalysts. We
> can assume with an adequate level of confidence that the cipher will protect
> our information." However, it is still realized that at any time someone
> can invent a new cryptanalytic attack and my cipher will be rendered
> useless. Schneier and others have acknowledged that any cipher can be
> broken at any time.
>

You are still living in the same furrow. What matters is whether a cipher is good, and it will be so regardless of confidence bestowed by some select group fixated on a remarkably few, perhaps some wrong, design criteria. Converting unearned trust into acceptability can make a poor cipher pass for more than it is, and cause a great cipher to not get any attention. Your statement unfortunately often is a self-fulfilling prophecy that certain ciphers of a narrow nature will be given undue attention and consequently are more likely to get accepted.

I would rather that people learn to not follow the leader so closely; it's a big world out there worth exploring cryptologically. One thing I do like about the AES process is that there was some diversity, not enough, but some. Unfortunately, the target was more influenced by those who were creatures of the furrow.

--
Too much of a good thing can be much worse than none.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 20:36:40 -0400
From: "Trevor Jackson, III" <fullmoon@aspi.net>
Message-ID: <37192918.13924DDE@aspi.net>
References: <jKNR2.591$%L2.8044@news6.ispnews.com>
Newsgroups: sci.crypt
Lines: 50

Steven Alexander wrote:
>
> >>- Also, since there are many insecure cipher designs floating around, one
> >>can't just accept that a cipher is secure based on its designer's say-so.
> >>Instead, what gives real confidence in a cipher design is that it has been
> >>studied by experts who have failed to crack it, but who have come away
> from
> >>their attempts with an understanding of the source of the design's
> >>strengths.
> >
> >I dispute this. This is essentially what Schneier would have us
> >believe, and it is false.
> >
> >The truth is that we *never* know the "real" strength of a cipher. No.....
>
> I don't think that you understand the point that Schneier and others have
> made. If I(a nobody) create a new cryptosystem tomorrow, nobody will have
> any confidence in it. But, If I learn to break the ciphers of others and
> use my experience to create a new cipher that others cannot break it will be
> listened to because I am known to be knowledgeable in how ciphers work.
> But, it will still not be trusted. Only after many people have analyzed and
> failed to break my cipher will people say..."his cipher has held up to
> five(ten) years of cryptanalysis by very knowledgeable cryptanalysts. We
> can assume with an adequate level of confidence that the cipher will protect
> our information." However, it is still realized that at any time someone
> can invent a new cryptanalytic attack and my cipher will be rendered
> useless. Schneier and others have acknowledged that any cipher can be
> broken at any time.
>

There's a name for this attitude. It's called the Aristotelean Fallacy -- the appeal to authority. It dominated science for centuries, and science suffered for it.

But even granting that I would prefer to purchase cryptographic products from a professional rather than an amateur, all this changes is the unit of measure. Instead of measuring the quality of the product we'll end up measuring the quality of the author. Now it's hard enough to define a unit of measure for ciphers. Imagine defining the unit of measure for cipher designers.

The fact that the best (only) standard we have for judging ciphers and their implementations is that of Brand Names indicates just how young/volatile/immature the field is. We've got good mathematical tools and good software engineering tools, but the toolbox for the crypto designer is mostly defined in the negative; by the toolbox of the crypto analyst.

When we have crypto-engineering standards similar to civil-engineering standards, we'll have a mature science (and very little excitement :-).
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 00:28:12 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-1804990028130001@dial-243-094.itexas.net>
References: <37192918.13924DDE@aspi.net>
Newsgroups: sci.crypt
Lines: 35

In article <37192918.13924DDE@aspi.net>, "Trevor Jackson, III" <fullmoon@aspi.net> wrote:
>
> There's a name for this attitude. It's called the Aristotelean Fallacy
> -- the appeal to authority. It dominated science for centuries, and
> science suffered for it.
>
> But even granting that I would prefer to purchase cryptographic products
> from a professional rather than an amateur, all this changes is the unit
> of measure. Instead of measuring the quality of the product we'll end
> up measuring the quality of the author. Now it's hard enough to define
> a unit of measure for ciphers. Imagine defining the unit of measure for
> cipher designers.

The most professional cryptographic designers, the opponents, in the world have offered of late...dung.

>
> The fact that the best (only) standard we have for judging ciphers and
> their implementations is that of Brand Names indicates just how
> young/volatile/immature the field is. We've got good mathematical tools
> and good software engineering tools, but the toolbox for the crypto
> designer is mostly defined in the negative; by the toolbox of the crypto
> analyst.

So they would have you believe.

>
> When we have crypto-engineering standards similar to civil-engineering
> standards, we'll have a mature science (and very little excitement :-).

Over standardization, regulation, formalization, and authoritarization has killed many a good field. Maturation is not the enemy of creativity, but wheeler-dealer, power-sponges, who imagine that everyone else must follow their lead, are.

--
Too much of a good thing can be much worse than none.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 21 Apr 1999 15:43:53 -0400
From: budney@peregrine.maya.com (Leonard R. Budney)
Message-ID: <m3d80xwyh2.fsf@peregrine.maya.com>
References: <37192918.13924DDE@aspi.net>
Newsgroups: sci.crypt
Lines: 66

"Trevor Jackson, III" <fullmoon@aspi.net> writes:
> Steven Alexander wrote:
> > If I learn to break the ciphers of others and use my experience to
> > create a new cipher that others cannot break it will be listened
> > to because I am known to be knowledgeable in how ciphers work...
>
> There's a name for this attitude. It's called the Aristotelean Fallacy
> -- the appeal to authority. It dominated science for centuries, and
> science suffered for it.

An appeal to authority is invalid under two conditions. First, if the claim is subject to rigorous proof--making opinion irrelevant. Second, if the authority appealed to is not a legitimate authority in a relevant area. See <http://www.nizkor.org/features/fallacies/appeal-to-authority.html>.

When rigorous proof is not available, then the opinion of an expert constitutes the best information to be had. Under that condition, the best expert is the one with the longest experience and the most successes.

> The fact that the best (only) standard we have for judging ciphers
> and their implementations is that of Brand Names indicates just how
> young/volatile/immature the field is.

Perhaps, but not necessarily. It is probable that Goedel's Incompleteness Theorem implies that the strength of at least some algorithms cannot be determined, even theoretically (forgive my speculating aloud here). Further, it might turn out that all 'measurable' algorithms turn out to be weak--with some definition of weak--implying that the non-measurable algorithms are the ONLY interesting ones.

Remember, Fermat's last theorem went unproven for more than 350 years. Huge quantities of number-theoretic research arose directly out of attempts to prove or disprove the theorem. Remember, too, that many mathematical cranks turned up with "proofs" of Fermat's theorem (and the four color theorem, and...). Call it arrogant, but mathematicians tend to treat them with a priori scepticism, given that 350 years of experts failed to turn up a proof. One is quite justified in seriously doubting that Joe Blow from Podunk has stumbled upon a solution.

Such considerations suggest, at least to me, that "crypto-engineering", by which we might crank out ciphers of known strength, is probably a pipe-dream.

BTW this example has a bearing on our confidence in RSA. It is doubted that polynomial-time factoring of primes is possible, just as it is doubted that NP = P. Further, it is conjectured that cracking RSA without factoring is not possible (absent other data, such as decryption timings). Why are these conjectures made? Because a generation or so of experts and geniuses haven't resolved these problems. If the NSA has, then they've almost certainly made one of the great discoveries of the century. Of course, they're not talking.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Len Budney        | Designing a cipher takes only a
Maya Design Group | few minutes. The only problem is
budney@maya.com   | that almost all designs are junk.
                  |            -- Prof. Dan Bernstein
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Thu, 22 Apr 1999 09:12:49 +0100
From: "Sam Simpson" <ssimpson@hertreg.ac.uk>
Message-ID: <371ed9e2.0@nnrp1.news.uk.psi.net>
References: <m3d80xwyh2.fsf@peregrine.maya.com>
Newsgroups: sci.crypt
Lines: 43

Leonard R. Budney <budney@peregrine.maya.com> wrote in message news:m3d80xwyh2.fsf@peregrine.maya.com...

<SNIP>

> BTW this example has a bearing on our confidence in RSA. It is doubted
> that polynomial-time factoring of primes is possible, just as it is
> doubted that NP = P. Further, it is conjectured that cracking RSA
> without factoring is not possible (absent other data, such as
> decryption timings).

Actually, certain instances of RSA cannot be equivalent to the underlying IFP (D.Boneh, R.Venkatesan, "Breaking RSA may not be equivalent to factoring").

Cheers,

--
Sam Simpson
Comms Analyst
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption & Delphi Crypto Components. PGP Keys available at the same site.

If you're wondering why I don't reply to Sternlight, it's because he's kill filed. See http://www.openpgp.net/FUD for why!
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 16 Apr 1999 17:21:22 -0400
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <7f89ki$gng$1@quine.mathcs.duq.edu>
References: <37179b67.12809750@news.io.com>
Newsgroups: sci.crypt
Lines: 38

In article <37179b67.12809750@news.io.com>, Terry Ritter <ritter@io.com> wrote:
>
>On Fri, 16 Apr 1999 17:28:13 GMT, in
><37176a30.4219613@news.prosurfr.com>, in sci.crypt
>jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:
>
>>[...]
>>- Also, since there are many insecure cipher designs floating around, one
>>can't just accept that a cipher is secure based on its designer's say-so.
>>Instead, what gives real confidence in a cipher design is that it has been
>>studied by experts who have failed to crack it, but who have come away from
>>their attempts with an understanding of the source of the design's
>>strengths.
>
>I dispute this. This is essentially what Schneier would have us
>believe, and it is false.
>
>The truth is that we *never* know the "real" strength of a cipher. No
>matter how much review or cryptanalysis a cipher gets, we only have
>the latest "upper bound" for strength. The lower bound is zero: Any
>cipher can fail at any time.
>
>Since we have only an upper bound for the strength of any cipher, any
>confidence we may have is no more than our own delusion. We wish and
>hope for cipher strength, and -- absent a specific proof otherwise --
>we gradually come to believe in it. But that does not make it true.

So you're suggesting that a cypher that has withstood years of intensive analysis by professionals is *NO* better than a cypher that has not been analyzed at all?

I don't believe this; in fact, I think it's total bullshit. It's certainly true that you may not be able to *formalize* the difference into a p-value, but you're committing a grievous error if you think that something doesn't exist merely because you can't quantify it.

-kitten
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 16 Apr 1999 23:53:19 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3717cd6d.25617381@news.io.com>
References: <7f89ki$gng$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 53

On 16 Apr 1999 17:21:22 -0400, in <7f89ki$gng$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>[...]
>So you're suggesting that a cypher that has withstood years of
>intensive analysis by professionals is *NO* better than a cypher
>that has not been analyzed at all?

It is not provably better. And not provably better admits the possibility of contradiction. So we do not know. Which means that interpreting years of intensive analysis as strength is nothing more than DELUSION. Cryptanalysis of any length whatsoever provides no rational scientific indication of strength.

>I don't believe this;

It is not necessary for you to believe it: It is what it is.

>in fact, I think it's total bullshit.

Then you need to think about it more deeply.

>It's
>certainly true that you may not be able to *formalize* the difference
>into a p-value, but you're committing a grievious error if you
>think that something doesn't exist merely because you can't quantify
>it.

The issue is not the "formalization" of something we know but cannot quantify, but rather something we actually do not know. When we attempt to formalize what we really do not know we commit logical error. In fact, I would say that this process is in some cases a deliberate attempt to hide these issues from management, command staff and the general user.

In some cases this process is a deliberate attempt to make cryptanalysis seem more than it is, so that ciphers which have "passed" (whatever that means) will be accepted as "strong," which should never be done. We can see this in the path of the AES process, which, presumably, gets us a "strong" cipher. We see NO attempt to innovate constructions or protocols which give strength in the context of ciphers which may be weak. Yet you would have us assume that everyone knows that ciphers may be weak, and simply chooses to do nothing about it.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 02:28:52 GMT
From: fqkhuo@gmrvavvrcd.fl (ybizmt)
Message-ID: <slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq>
References: <3717cd6d.25617381@news.io.com>
Newsgroups: sci.crypt
Lines: 26

On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter <ritter@io.com> wrote:
> It is not provably better. And not provably better admits the
> possibility of contradiction. So we do not know. Which means that
> interpreting years of intensive analysis as strength is nothing more
> than DELUSION. Cryptanalysis of any length whatsoever provides no
> rational scientific indication of strength.

Nor is it intended to. Who has ever claimed that analysis equals strength in any field? It is intended to make you more confident that something is strong. No one is saying it proves strength. Not at least trying cryptanalysis on a cipher is stupid which I'm sure you agree with.

> In some cases this process is a deliberate attempt to make
> cryptanalysis seem more than it is, so that ciphers which have
> "passed" (whatever that means) will be accepted as "strong," which
> should never be done. We can see this in the path of the AES process,
> which, presumably, gets us a "strong" cipher. We see NO attempt to
> innovate constructions or protocols which give strength in the context
> of ciphers which may be weak. Yet you would have us assume that
> everyone knows that ciphers may be weak, and simply chooses to do
> nothing about it.

Nice rant. Where are you going with this and how does it sell your product?
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <37181079.5255438@news.io.com>
References: <slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq>
Newsgroups: sci.crypt
Lines: 81

On Sat, 17 Apr 1999 02:28:52 GMT, in <slrn7hfsef.cc.fqkhuo@tpep.nofsozwovh.yq>, in sci.crypt fqkhuo@gmrvavvrcd.fl (ybizmt) wrote:

>On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter <ritter@io.com> wrote:
>> It is not provably better. And not provably better admits the
>> possibility of contradiction. So we do not know. Which means that
>> interpreting years of intensive analysis as strength is nothing more
>> than DELUSION. Cryptanalysis of any length whatsoever provides no
>> rational scientific indication of strength.
>
>Nor is it intended to. Who has ever claimed that analysis equals
>strength in any field? It is intended to make you more confident
>that something is strong. No one is saying it proves strength.

Sure they are. As far as I know, Schneier's point has always been that cryptanalysis is the way we know a cipher's strength. I'm sure he would agree that this is not proof, but I do not agree that it says anything at all. The implication that cryptanalysis would like to promote is indeed that of tested strength.

>Not at least trying cryptanalysis on a cipher is stupid which
>I'm sure you agree with.

I do. But there is no one cryptanalysis. Indeed, there is no end to it. But we do have to make an end before we can field anything. This in itself tells us that cryptanalysis as certification is necessarily incomplete.

Our main problem is that cryptanalysis does NOT say that there is no simpler attack. It does NOT say that a well-examined cipher is secure from your kid sister. Oh, many people will offer their opinion, but you won't see many such claims in scientific papers, because there we expect actual facts, as opposed to wishes, hopes, and dreams.

Cryptanalysis does NOT give us an indication of how much effort our Opponent will have to spend to break the cipher. Yet that is exactly what the cryptanalytic process would like us to believe: That is why we have the process of: 1) design a cipher, and 2) certify the cipher by cryptanalysis. As I see it, the real opportunity for cryptanalysis is as part of a dynamic and interactive cipher design process, as opposed to final certification.

>> In some cases this process is a deliberate attempt to make
>> cryptanalysis seem more than it is, so that ciphers which have
>> "passed" (whatever that means) will be accepted as "strong," which
>> should never be done. We can see this in the path of the AES process,
>> which, presumably, gets us a "strong" cipher. We see NO attempt to
>> innovate constructions or protocols which give strength in the context
>> of ciphers which may be weak. Yet you would have us assume that
>> everyone knows that ciphers may be weak, and simply chooses to do
>> nothing about it.
>
>Nice rant.

Thanks. I suggest you learn it by heart if you intend to depend upon cryptography.

>Where are you going with this and how does it sell your
>product?

This is my bit for public education. I have no modern products. I do offer cryptographic consulting time, and then I call it as I see it. I also own patented cryptographic technology which could be useful in a wide range of ciphers.

I see no problem with someone promoting what they think is an advance in the field, even if they will benefit. But when reasoning errors are promoted which just happen to benefit one's business -- in fact, a whole sub-industry -- some skepticism seems appropriate. Just once I would like to see delusions promoted which produce *less* business.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 18 Apr 99 02:05:37 GMT
From: jsavard@ecn.ab.ca ()
Message-ID: <37193df1.0@ecn.ab.ca>
References: <37181079.5255438@news.io.com>
Newsgroups: sci.crypt
Lines: 16

Terry Ritter (ritter@io.com) wrote:
: As I see it, the real opportunity for
: cryptanalysis is as part of a dynamic and interactive cipher design
: process, as opposed to final certification.

Two comments are warranted here.

- Since cryptanalysis represents the "hard" part of the work in designing a cipher, this is why cipher designers should themselves know something about cryptanalysis;

- And I think you can see why this design process actually _increases_ the probability of a design which is strong against known attacks, but weak against a future attack someone might discover.

John Savard
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 22:04:54 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <371a56a8.198396@news.prosurfr.com>
References: <37193df1.0@ecn.ab.ca>
Newsgroups: sci.crypt
Lines: 23

jsavard@ecn.ab.ca () wrote, in part:
>Terry Ritter (ritter@io.com) wrote:
>: As I see it, the real opportunity for
>: cryptanalysis is as part of a dynamic and interactive cipher design
>: process, as opposed to final certification.

>Two comments are warranted here.

>- Since cryptanalysis represents the "hard" part of the work in designing
>a cipher, this is why cipher designers should themselves know something
>about cryptanalysis;

>- And I think you can see why this design process actually _increases_ the
>probability of a design which is strong against known attacks, but weak
>against a future attack someone might discover.

I should note, though, that I basically agree with your point - and I do think that in the specific case of the AES, going back to the drawing board a bit would make quite a bit of sense - but I simply think that these two arguments also need to be addressed.

John Savard ( teenerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Tue, 20 Apr 1999 22:03:33 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <371cf9af.7589747@news.io.com>
References: <37193df1.0@ecn.ab.ca>
Newsgroups: sci.crypt
Lines: 28

On 18 Apr 99 02:05:37 GMT, in <37193df1.0@ecn.ab.ca>, in sci.crypt jsavard@ecn.ab.ca () wrote:

>Terry Ritter (ritter@io.com) wrote:
>: As I see it, the real opportunity for
>: cryptanalysis is as part of a dynamic and interactive cipher design
>: process, as opposed to final certification.
>
>Two comments are warranted here.
>
>- Since cryptanalysis represents the "hard" part of the work in designing
>a cipher, this is why cipher designers should themselves know something
>about cryptanalysis;

I agree.

>- And I think you can see why this design process actually _increases_ the
>probability of a design which is strong against known attacks, but weak
>against a future attack someone might discover.

You lost me on that one.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 21 Apr 1999 16:12:35 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <371df7b2.320404@news.prosurfr.com>
References: <371cf9af.7589747@news.io.com>
Newsgroups: sci.crypt
Lines: 27

ritter@io.com (Terry Ritter) wrote, in part:
>On 18 Apr 99 02:05:37 GMT, in <37193df1.0@ecn.ab.ca>, in sci.crypt
>jsavard@ecn.ab.ca () wrote:

>>- And I think you can see why this design process actually _increases_ the
>>probability of a design which is strong against known attacks, but weak
>>against a future attack someone might discover.

>You lost me on that one.

When testing a computer system, sometimes a small number of known bugs are deliberately introduced, so that, if not all of _those_ bugs are found, one has an indication that testing should continue (on the assumption that a similar proportion of the unknown bugs really being looked for have not been found yet either).

What I was thinking of here is that the cryptanalyst will find what he knows how to look for; and so, weaknesses beyond the reach of current cryptanalysis won't be found; but if a cipher designed by a non-cryptanalyst did not have a *single* known weakness (known to the cryptanalysts, not to the designer) then one might have grounds to hope (but, of course, not proof) that unknown weaknesses were scarce as well, while getting rid of the known weaknesses _specifically_ doesn't give any such hope.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 21 Apr 1999 18:59:11 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <371e1f94.6051889@news.io.com>
References: <371df7b2.320404@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 67

On Wed, 21 Apr 1999 16:12:35 GMT, in <371df7b2.320404@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>ritter@io.com (Terry Ritter) wrote, in part:
>>On 18 Apr 99 02:05:37 GMT, in <37193df1.0@ecn.ab.ca>, in sci.crypt
>>jsavard@ecn.ab.ca () wrote:
>
>>>- And I think you can see why this design process actually _increases_ the
>>>probability of a design which is strong against known attacks, but weak
>>>against a future attack someone might discover.
>
>>You lost me on that one.
>
>When testing a computer system, sometimes a small number of known bugs are
>deliberately introduced, so that, if not all of _those_ bugs are found, one
>has an indication that testing should continue (on the assumption that a
>similar proportion of the unknown bugs really being looked for have not
>been found yet either).

I believe this is generally called "error injection," and one problem with it is the assumption that the known errors are of the same nature as the unknown errors. Only then can we extrapolate from our results into the unknown. Basically what we measure is the effectiveness of the process which seeks that sort of error -- usually some sort of mechanical error like failing to use the result of some computation. This is not going to work very well when the errors are conceptual in the structure of the computation itself. Error injection is not very useful in asserting that we will get the correct answer to the original problem, and that is the unknown crypto area. So this doesn't really help us.

>What I was thinking of here is that the cryptanalyst will find what he
>knows how to look for; and so, weaknesses beyond the reach of current
>cryptanalysis won't be found; but if a cipher designed by a
>non-cryptanalyst did not have a *single* known weakness (known to the
>cryptanalysts, not to the designer) then one might have grounds to hope
>(but, of course, not proof) that unknown weaknesses were scarce as well,
>while getting rid of the known weaknesses _specifically_ doesn't give any
>such hope.

The idea of a brand-new designer with a brand-new design in which no weakness can be found is a silly hope. I suppose it might happen, but it is not the way real things are designed and built. At the very best it is a wish, a dream, something disassociated with practical reality and the design of real things.

And the failure of such exaggerated expectations often leads to a supposedly-justified demeaning of the designer as not meeting the goals of the field. This is essentially sick reasoning, because it sets up unreasonable goals, then reacts with staged regret when they are not met.

I claim the main use of cryptanalysis is in the give and take of a design process, not the end game of certification, which is what cryptanalysis cannot do.

In fact, academic cryptanalysis generally only reports weakness -- few reports are published that no weakness was found. There is thus no basis even in open cryptography for knowing how many cryptanalytic attempts have been made unsuccessfully, or for taking advantage of the game when a new designer actually does have a design which has no known weakness.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 17 Apr 1999 16:32:27 -0400
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <7far4r$htf$1@quine.mathcs.duq.edu>
References: <3717cd6d.25617381@news.io.com>
Newsgroups: sci.crypt
Lines: 48

In article <3717cd6d.25617381@news.io.com>, Terry Ritter <ritter@io.com> wrote:
>
>On 16 Apr 1999 17:21:22 -0400, in <7f89ki$gng$1@quine.mathcs.duq.edu>,
>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>[...]
>>So you're suggesting that a cypher that has withstood years of
>>intensive analysis by professionals is *NO* better than a cypher
>>that has not been analyzed at all?
>
>It is not provably better. And not provably better admits the
>possibility of contradiction.

But not-provable is not the same as unknown.

I don't know that Pittsburgh won't be hit by a devastating hurricane in the next month.

But I've got a bright crisp $20 in my pocket that says that it won't.

In a philosophical sense, "knowledge" is a "justified true belief"; I don't have *proof* that Pittsburgh won't be hit by a hurricane, but I can produce lots and lots of justification.

> So we do not know. Which means that
>interpreting years of intensive analysis as strength is nothing more
>than DELUSION. Cryptanalysis of any length whatsoever provides no
>rational scientific indication of strength.

Interesting. So your "rational scientific indication" is that we've got no way of figuring out which side of my Pittsburgh weather bet is the smart one?

>>I don't believe this;
>
>It is not necessary for you to believe it: It is what it is.
>
>
>>in fact, I think it's total bullshit.
>
>Then you need to think about it more deeply.

I just did. It's still total bullshit.

Knowledge doesn't require proof. Belief doesn't require knowledge. Confidence doesn't even require belief.

-kitten
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 23:40:04 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <37191bc9.2524456@news.io.com>
References: <7far4r$htf$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 85

On 17 Apr 1999 16:32:27 -0400, in <7far4r$htf$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>In article <3717cd6d.25617381@news.io.com>, Terry Ritter <ritter@io.com> wrote:
>>
>>On 16 Apr 1999 17:21:22 -0400, in <7f89ki$gng$1@quine.mathcs.duq.edu>,
>>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>>
>>>[...]
>>>So you're suggesting that a cypher that has withstood years of
>>>intensive analysis by professionals is *NO* better than a cypher
>>>that has not been analyzed at all?
>>
>>It is not provably better. And not provably better admits the
>>possibility of contradiction.
>
>But not-provable is not the same as unknown.
>
>I don't know that Pittsburgh won't be hit by a devastating hurricane
>in the next month.
>
>But I've got a bright crisp $20 in my pocket that says that it won't.

Which means to me that you have some understanding of the risk of hurricanes in Pittsburgh. You get this understanding from reported reality.

Unfortunately, neither you nor anyone else can have a similar understanding of the risk of cipher failure -- there is no reporting of cipher failure. There is instead every effort made to keep that information secret, and in fact to generate false reporting to buoy your unfounded delusion of strength.

>In a philosophical sense, "knowledge" is a "justified true belief";
>I don't have *proof* that Pittsburgh won't be hit by a hurricane,
>but I can produce lots and lots of justification.

Too bad we cannot do the same for a cipher.

>> So we do not know. Which means that
>>interpreting years of intensive analysis as strength is nothing more
>>than DELUSION. Cryptanalysis of any length whatsoever provides no
>>rational scientific indication of strength.
>
>Interesting. So your "rational scientific indication" is that we've
>got no way of figuring out which side of my Pittsburgh weather bet
>is the smart one?

Nonsense. Knowing the past weather in Pittsburgh is possible: Knowing the past strength of a cipher is not.

>>>I don't believe this;
>>
>>It is not necessary for you to believe it: It is what it is.
>>
>>
>>>in fact, I think it's total bullshit.
>>
>>Then you need to think about it more deeply.
>
>I just did. It's still total bullshit.

Then you need to think about it even more deeply.

>Knowledge doesn't require proof. Belief doesn't require knowledge.
>Confidence doesn't even require belief.

Fine. I will grant that you can be confident completely independent of reality. Oddly, I assumed that we were talking Science here.

RATIONAL confidence requires a quantification of risk, even if only as a handwave generality. But that is not available in ciphers. Until we have a complete theory of strength, or a complete theory of cryptanalysis, we have no basis by which to judge the risk we take by using any particular cipher.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 18 Apr 99 01:55:36 GMT
From: jsavard@ecn.ab.ca ()
Message-ID: <37193b98.0@ecn.ab.ca>
References: <3717cd6d.25617381@news.io.com>
Newsgroups: sci.crypt
Lines: 31

Terry Ritter (ritter@io.com) wrote:

: On 16 Apr 1999 17:21:22 -0400, in <7f89ki$gng$1@quine.mathcs.duq.edu>,
: in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

: >[...]
: >So you're suggesting that a cypher that has withstood years of
: >intensive analysis by professionals is *NO* better than a cypher
: >that has not been analyzed at all?

: It is not provably better. And not provably better admits the
: possibility of contradiction. So we do not know. Which means that
: interpreting years of intensive analysis as strength is nothing more
: than DELUSION. Cryptanalysis of any length whatsoever provides no
: rational scientific indication of strength.

Yes and no.

Your point is valid, however, what do we do if there is no way to obtain a lower bound on the strength of a cipher? I fear this is quite possible: proving a cipher is strong against attacks we can't even imagine seems to me to be equivalent to solving the halting problem.

Then it does make sense to look at the upper bound, because it's one of the few indications we have. But it also makes sense - and here, I think, we come closer to agreement - not to put too much faith in that upper bound, and to add constructs of different types, and constructs that seem like any mathematical tools to analyze them which would be useful for cryptanalysts are *far* in advance of the state of current knowledge.

John Savard
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Tue, 20 Apr 1999 22:03:47 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <371cf9b7.7597561@news.io.com>
References: <37193b98.0@ecn.ab.ca>
Newsgroups: sci.crypt
Lines: 55

On 18 Apr 99 01:55:36 GMT, in <37193b98.0@ecn.ab.ca>, in sci.crypt jsavard@ecn.ab.ca () wrote:

>Terry Ritter (ritter@io.com) wrote:
>
>: On 16 Apr 1999 17:21:22 -0400, in <7f89ki$gng$1@quine.mathcs.duq.edu>,
>: in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>: >[...]
>: >So you're suggesting that a cypher that has withstood years of
>: >intensive analysis by professionals is *NO* better than a cypher
>: >that has not been analyzed at all?
>
>: It is not provably better. And not provably better admits the
>: possibility of contradiction. So we do not know. Which means that
>: interpreting years of intensive analysis as strength is nothing more
>: than DELUSION. Cryptanalysis of any length whatsoever provides no
>: rational scientific indication of strength.
>
>Yes and no.
>
>Your point is valid, however, what do we do if there is no way to obtain a
>lower bound on the strength of a cipher? I fear this is quite possible:

I agree.

>proving a cipher is strong against attacks we can't even imagine seems to
>me to be equivalent to solving the halting problem.

We have the testimony of 50 years of mathematical cryptography which has not achieved the Holy Grail. I just think reality is trying to tell us something.

>Then it does make sense to look at the upper bound, because it's one of
>the few indications we have.

No. Completely false. I see no reason why the upper bound should have any correlation at all to the lower bound.

In any security audit, we have to consider the worst case attacks, not just the ones we expect, and not just the ones we tried.

>But it also makes sense - and here, I think,
>we come closer to agreement - not to put too much faith in that upper
>bound, and to add constructs of different types, and constructs that seem
>like any mathematical tools to analyze them which would be useful for
>cryptanalysts are *far* in advance of the state of current knowledge.

I'm not sure I understand this fully.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 21 Apr 1999 16:21:01 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <371df919.679323@news.prosurfr.com>
References: <371cf9b7.7597561@news.io.com>
Newsgroups: sci.crypt
Lines: 37

ritter@io.com (Terry Ritter) wrote, in part:

>On 18 Apr 99 01:55:36 GMT, in <37193b98.0@ecn.ab.ca>, in sci.crypt
>jsavard@ecn.ab.ca () wrote:

>>Then it does make sense to look at the upper bound, because it's one of
>>the few indications we have.

>No. Completely false. I see no reason why the upper bound should
>have any correlation at all to the lower bound.

It will definitely be higher than the lower bound, but yes, it doesn't prevent the lower bound from being low.

>In any security audit, we have to consider the worst case attacks, not
>just the ones we expect, and not just the ones we tried.

Any security audit will have to include a disclaimer that the true security of the cipher systems used is essentially unknowable, but even real-world financial audits do routinely include various sorts of disclaimer.

>>But it also makes sense - and here, I think,
>>we come closer to agreement - not to put too much faith in that upper
>>bound, and to add constructs of different types, and constructs that seem
>>like any mathematical tools to analyze them which would be useful for
>>cryptanalysts are *far* in advance of the state of current knowledge.

>I'm not sure I understand this fully.

Given that a cipher highly resistant to known attacks (i.e., differential cryptanalysis) _could_ still be very weak, as far as we know, what can we do about it? The closest thing to a sensible suggestion I can make is this: make our ciphers stronger (that is, use more rounds) and more intrinsically difficult to analyze (use complicated, highly nonlinear, constructs) than the known attacks indicate is necessary.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 21 Apr 1999 18:59:23 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <371e2003.6163199@news.io.com>
References: <371df919.679323@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 73

On Wed, 21 Apr 1999 16:21:01 GMT, in <371df919.679323@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>ritter@io.com (Terry Ritter) wrote, in part:
>>On 18 Apr 99 01:55:36 GMT, in <37193b98.0@ecn.ab.ca>, in sci.crypt
>>jsavard@ecn.ab.ca () wrote:
>
>>>Then it does make sense to look at the upper bound, because it's one of
>>>the few indications we have.
>
>>No. Completely false. I see no reason why the upper bound should
>>have any correlation at all to the lower bound.
>
>It will definitely be higher than the lower bound, but yes, it doesn't
>prevent the lower bound from being low.
>
>>In any security audit, we have to consider the worst case attacks, not
>>just the ones we expect, and not just the ones we tried.
>
>Any security audit will have to include a disclaimer that the true security
>of the cipher systems used is essentially unknowable, but even real-world
>financial audits do routinely include various sorts of disclaimer.

I think you will find that financial disclaimers are not to avoid responsibility for the financial service supplied. For example, an audit disclaimer might say that the audit results were correct, *provided* the supplied accounting information was correct. But that is something which is, at least in principle, verifiable.

We don't have financial disclaimers which say that the audit is 90 percent certain to be correct, which is the sort of thing you might like to think that cryptanalytic certification could at least do, since it cannot provide certainty. But the very idea makes no sense. The very companies that need the best auditing might also be the most deceptive and able to hide their manipulations. There is no useful "average" company, and so no useful statistics. Every case is different.

>>>But it also makes sense - and here, I think,
>>>we come closer to agreement - not to put too much faith in that upper
>>>bound, and to add constructs of different types, and constructs that seem
>>>like any mathematical tools to analyze them which would be useful for
>>>cryptanalysts are *far* in advance of the state of current knowledge.
>
>>I'm not sure I understand this fully.
>
>Given that a cipher highly resistant to known attacks (i.e., differential
>cryptanalysis) _could_ still be very weak, as far as we know, what can we
>do about it? The closest thing to a sensible suggestion I can make is this:
>make our ciphers stronger (that is, use more rounds) and more intrinsically
>difficult to analyze (use complicated, highly nonlinear, constructs) than
>the known attacks indicate is necessary.

We could hardly disagree more.

I find "rounds" (the repeated application of the same operation) silly and I don't use them. I do use "layers" in which different operations are applied in each layer.

And I think that making a cipher more difficult to analyze can only benefit the Opponents who have more resources for analysis.

Personally, I try to make ciphers as conceptually *simple* as possible (though not simpler). Simple does not mean weak; simple means appropriately decomposing the cipher into relatively few types of substantial subcomponent which can be understood on their own, then using those components in clear, structured ways.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 21 Apr 1999 23:41:13 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <371e59c7.25432288@news.prosurfr.com>
References: <371e2003.6163199@news.io.com>
Newsgroups: sci.crypt
Lines: 53

ritter@io.com (Terry Ritter) wrote, in part:

>jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>>Given that a cipher highly resistant to known attacks (i.e., differential
>>cryptanalysis) _could_ still be very weak, as far as we know, what can we
>>do about it? The closest thing to a sensible suggestion I can make is this:
>>make our ciphers stronger (that is, use more rounds) and more intrinsically
>>difficult to analyze (use complicated, highly nonlinear, constructs) than
>>the known attacks indicate is necessary.

>We could hardly disagree more.

>I find "rounds" (the repeated application of the same operation) silly
>and I don't use them. I do use "layers" in which different operations
>are applied in each layer.

>And I think that making a cipher more difficult to analyze can only
>benefit the Opponents who have more resources for analysis.

>Personally, I try to make ciphers as conceptually *simple* as possible
>(though not simpler). Simple does not mean weak; simple means
>appropriately decomposing the cipher into relatively few types of
>substantial subcomponent which can be understood on their own, then
>using those components in clear, structured ways.

It certainly does make sense to understand the parts of a cipher, to ensure that the cipher is providing, as a minimum, some basic level of "security": that is, for example, one might know that one's cipher is at least as secure as DES, even if one doesn't know for sure that the effort required to break DES is not trivial.

The original poster - Sundial Services - praised your Dynamic Substitution because it "buries a lot more information" than ordinary designs, and this is the sort of thing I'm thinking of. When I got past his first paragraph, where he seemed to have forgotten about S-boxes, and saw that DynSub and the SIGABA were the kinds of designs he praised, I saw that the kinds of ciphers that appeal to him were the same ones as appeal intuitively to me.

Precisely because you have noted that we don't have a way to put a good lower bound on the effort required to break a cipher, I find it hard to think that I could achieve the goal, for a cipher, that is indeed appropriate for a scientific theory, of making it "as simple as possible, but no simpler"; if I am totally in the dark about how strong a cipher really is, and how astute my adversaries are, that seems an inadvisable goal, because I can never know what is necessary.

Since I have an upper bound instead of a lower bound, unless there is some way to resolve that problem, and your researches may well achieve something relevant, even if not a total solution, all I can do is try for a generous margin of safety. True, it's not proof. But proof isn't available, except for the one-time pad.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 00:38:15 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-1704990038160001@dial-243-079.itexas.net>
References: <37179b67.12809750@news.io.com>
Newsgroups: sci.crypt
Lines: 28

In article <37179b67.12809750@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On the other hand, I have been pioneering the use of scalable
> technology which, presumably, can be scaled down to a level which can
> be investigated experimentally. The last I heard, experimentation was
> still considered a rational basis for the understanding of reality.
> Indeed, one might argue that in the absence of theoretical strength
> for *any* cipher, experimentation is about all we have. But note how
> little of it we see.
>
It's at least good science, beyond making lots of sense.
.....
>
> And in this way we can have hundreds or thousands of different
> ciphers, with more on the way all the time.

I resemble that remark. Better dust off the ole compiler again. More dumb ciphers on the way...

> .....The result is that our Opponents must
> invest far more to get far less, and this advantage does not depend
> upon the delusion of strength which is all that cryptanalysis can
> provide.
>
It's always difficult to stop a wave, be it composed of hordes of combatants or algorithms.
--
Too much of a good thing can be much worse than none.
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Mon, 19 Apr 1999 20:15:32 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <371b8ba8.16131590@news.prosurfr.com>
References: <37179b67.12809750@news.io.com>
Newsgroups: sci.crypt
Lines: 116

ritter@io.com (Terry Ritter) wrote, in part:

>jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>>- Also, since there are many insecure cipher designs floating around, one
>>can't just accept that a cipher is secure based on its designer's say-so.
>>Instead, what gives real confidence in a cipher design is that it has been
>>studied by experts who have failed to crack it, but who have come away from
>>their attempts with an understanding of the source of the design's
>>strengths.

>I dispute this. This is essentially what Schneier would have us
>believe, and it is false.

>The truth is that we *never* know the "real" strength of a cipher. No
>matter how much review or cryptanalysis a cipher gets, we only have
>the latest "upper bound" for strength. The lower bound is zero: Any
>cipher can fail at any time.

I agree with you that we don't have a way to prove that a cipher really is strong. But cryptanalysis still gives the best confidence currently available.

>It is not, frankly, the role of the innovator to educate the
>academics, or even to serve technology to them on a silver platter.
>In the end, academic reputation comes from reality, and the reality is
>that many crypto academics avoid anything new which does not have an
>academic source. The consequence is that they simply do not have the
>background to judge really new designs.

That is true: the desires of the academic community aren't a valid excuse for compromising one's cipher designs.

>Upon encountering a new design, anyone may choose to simplify that
>design and then report results from that simplification. This is done
>all the time. It is not necessary for an innovator to make a
>simplified design for this purpose.

And that is one of the reasons why.

>On the other hand, I have been pioneering the use of scalable
>technology which, presumably, can be scaled down to a level which can
>be investigated experimentally. The last I heard, experimentation was
>still considered a rational basis for the understanding of reality.
>Indeed, one might argue that in the absence of theoretical strength
>for *any* cipher, experimentation is about all we have. But note how
>little of it we see.

Are you drawing a distinction between "experimental investigation" and "cryptanalysis"? If so, it would appear you are saying that there is an additional method for obtaining some additional, though still imperfect, confidence in a cipher design.

>>Plus, the risk that one's adversary is a hacker of the future with a very
>>powerful desktop computer seems much greater than the risk that one's
>>adversary will be an accomplished cryptanalyst, able to exploit the most
>>subtle flaws in an over-elaborate design.

>But we don't know our Opponents! If we have to estimate their
>capabilities, I think we are necessarily forced into assuming that
>they are more experienced, better equipped, have more time, are better
>motivated, and -- yes -- are even smarter than we are. There is
>ample opportunity for them to exploit attacks of which we have no
>inkling at all.

Most cipher users are more worried about their communications being read by the typical computer hacker than by the NSA.

I suppose it's possible that one day a giant EFT heist will be pulled off by retired NSA personnel, but that's the sort of thing which happens far more often as the plot for a movie than in real life.

The problem is, of course, that if one has data that should remain secret for 100 years, one does have to face advances in cryptanalytic knowledge...as well as _unimaginable_ advances in computer power.

>>I believe it to be possible and useful to develop a design methodology -
>>mainly involving the cutting and pasting of pieces from proven cipher
>>designs - to enable a reasonably qualified person who, however, falls short
>>of being a full-fledged cryptographer, to design his own block cipher, and
>>thereby obtain additional and significant benefits in resistance to
>>cryptanalytic attack by having an unknown and unique algorithm.

>And in this way we can have hundreds or thousands of different
>ciphers, with more on the way all the time. That means that we can
>divide the worth of our information into many different ciphers, so
>that if any one fails, only a fraction of messages are exposed. It
>also means that *any* Opponent must keep up with new ciphers and
>analyze and possibly break each, then design a program, or build new
>hardware to exploit it. We can make good new ciphers cheaper than
>they can possibly be broken. The result is that our Opponents must
>invest far more to get far less, and this advantage does not depend
>upon the delusion of strength which is all that cryptanalysis can
>provide.

>>I don't deny that there are pitfalls looming in such an approach; if
>>something is left out of the methodology, or if it isn't conscientiously
>>used, people could easily wind up using weak designs and having a false
>>sense of security. I just think the problems can be addressed, and the
>>potential benefits are worth the attempt.

>Neat.

And of course, I must confess that my present efforts in this direction have not gotten to the point of providing an explicit "toolkit". I've contented myself with explaining, in my web site, a large number of historical designs - with a very limited discussion of cryptanalysis - and I've illustrated how an amateur might design a cipher only by example, with the ciphers of my Quadibloc series, as well as various ideas in the conclusions sections of the first four chapters.

Right now, although my web site is educational, it's also fairly light and entertaining as well: I haven't tried to trouble the reader with any difficult math, for example.

John Savard ( teenerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Tue, 20 Apr 1999 04:24:33 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <371c014c.3018295@news.io.com>
References: <371b8ba8.16131590@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 107

On Mon, 19 Apr 1999 20:15:32 GMT, in <371b8ba8.16131590@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>ritter@io.com (Terry Ritter) wrote, in part:
>[...]
>>The truth is that we *never* know the "real" strength of a cipher. No
>>matter how much review or cryptanalysis a cipher gets, we only have
>>the latest "upper bound" for strength. The lower bound is zero: Any
>>cipher can fail at any time.
>
>I agree with you that we don't have a way to prove that a cipher really is
>strong. But cryptanalysis still gives the best confidence currently
>available.

I guess I dispute "confidence." Confidence and Trust and Reliability are exactly what we do not have. I cannot say it more clearly: cryptanalysis gives us no lower bound to strength.

As an engineer growing up with an engineer dad, I have lived with bounded specifications most of my life. These bounds are what we pay for in products; this is the performance the manufacturer guarantees. I suppose like me most buyers have been caught at least once by the consequences of getting the cheapest part on the basis of "typical" specs instead of "worst case." But "typical" is all cryptanalysis tells us. Depending on that will sink us, sooner or later.

>[...]
>>On the other hand, I have been pioneering the use of scalable
>>technology which, presumably, can be scaled down to a level which can
>>be investigated experimentally. The last I heard, experimentation was
>>still considered a rational basis for the understanding of reality.
>>Indeed, one might argue that in the absence of theoretical strength
>>for *any* cipher, experimentation is about all we have. But note how
>>little of it we see.
>
>Are you drawing a distinction between "experimental investigation" and
>"cryptanalysis"? If so, it would appear you are saying that there is an
>additional method for obtaining some additional, though still imperfect,
>confidence in a cipher design.

We were OK up to the "c" word: I assert that we *can* have no confidence in a cipher. We have no way to prove strength. Any strength we assume is based upon the conceit that all others are just as limited in their capabilities as we are. Drawing conclusions by wishing and hoping the other guy is at least as dumb as us is not my idea of good cryptography.

I do make a distinction (which probably should not exist) between "theoretical" or "equation-based" or "academic" cryptography and experimental investigation. I suppose this is really much like the difference between math and applied math, with much of the same theoretically friendly antagonism.

It is clear that we may never have a provable theory of strength. This may mean that our only possible avenue toward certainty is some sort of exhaustive test. Surely we cannot imagine such testing of a full-size cipher. But if we can scale that same design down, in the same way that small integers work like large ones, maybe we can work with large enough samples of the full population to be able to draw reasonable experimental conclusions.

>>>Plus, the risk that one's adversary is a hacker of the future with a very
>>>powerful desktop computer seems much greater than the risk that one's
>>>adversary will be an accomplished cryptanalyst, able to exploit the most
>>>subtle flaws in an over-elaborate design.
>
>>But we don't know our Opponents! If we have to estimate their
>>capabilities, I think we are necessarily forced into assuming that
>>they are more experienced, better equipped, have more time, are better
>>motivated, and -- yes -- are even smarter than we are. There is
>>ample opportunity for them to exploit attacks of which we have no
>>inkling at all.
>
>Most cipher users are more worried about their communications being read by
>the typical computer hacker than by the NSA.
>
>I suppose it's possible that one day a giant EFT heist will be pulled off
>by retired NSA personnel, but that's the sort of thing which happens far
>more often as the plot for a movie than in real life.
>
>The problem is, of course, that if one has data that should remain secret
>for 100 years, one does have to face advances in cryptanalytic
>knowledge...as well as _unimaginable_ advances in computer power.

I wrote in a post which I did not send that if *only* NSA could read my mail, the way it is now, I would not much care. Of course things change in politics, and my view could change as well. But for me, NSA is really just an illustration of the abstract threat.

As I understand security, one of the worst things we can do is to make assumptions about our Opponents which do not represent their full threat capabilities. ("Never underestimate your opponent.") Because of this I am not interested in identifying a cipher Opponent, unless in the process I can identify them as the absolute worst threat and know their capabilities as well. This is obviously impossible. So if we are to enforce our security despite the actions and intents of others, we must assume our Opponents are far more powerful than we know, then learn to deal with that threat.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
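Ritter's point above about scaling a design down until its whole population can be examined, shown as an added example that is not part of this thread and is not one of Ritter's or Savard's designs: a constructed 8-bit toy cipher built from distinct layers (keyed 4-bit S-boxes, a bit transposition, key XOR) is enumerated exhaustively so that bijectivity, worst-case differential probability and per-bit avalanche are measured exactly rather than sampled, and a deliberately linear variant of the same structure shows the measurement flagging a weak design. The key schedule, S-box derivation and transposition are all hypothetical choices made for this illustration.

```python
"""Exhaustive measurement of a scaled-down layered cipher.

Constructed example: an 8-bit toy cipher small enough that its entire
input space (256 blocks) can be enumerated, so properties that could only
be sampled at full block size are computed exactly here.
"""
import random

BLOCK_BITS = 8
BLOCK_SPACE = 1 << BLOCK_BITS
# Bit transposition layer (constructed): interleave the two nibbles so each
# S-box output feeds both S-boxes on the next pass.
TRANSPOSE = [0, 4, 1, 5, 2, 6, 3, 7]


def keyed_sbox(seed):
    """Derive a bijective 4-bit S-box from a seed (hypothetical key schedule)."""
    box = list(range(16))
    random.Random(seed).shuffle(box)
    return box


def transpose_bits(x, perm):
    """Move bit i of x to position perm[i]."""
    y = 0
    for src, dst in enumerate(perm):
        y |= ((x >> src) & 1) << dst
    return y


class ToyLayeredCipher:
    """Three passes, each made of three different layers:
    keyed substitution, bit transposition, key XOR."""

    def __init__(self, key, linear=False):
        if linear:
            # Identity S-boxes: every layer is now affine, so the whole
            # cipher collapses to an affine map of the input.
            self.sboxes = [list(range(16)), list(range(16))]
        else:
            self.sboxes = [keyed_sbox(key ^ i) for i in range(2)]
        # Hypothetical key mixing: three 8-bit subkeys derived from the key.
        self.subkeys = [(key * 0x9E + 0x3B * i) & 0xFF for i in range(3)]

    def encrypt(self, x):
        for k in self.subkeys:
            lo = self.sboxes[0][x & 0xF]
            hi = self.sboxes[1][x >> 4]
            x = transpose_bits((hi << 4) | lo, TRANSPOSE) ^ k
        return x


def encryption_table(cipher):
    """Enumerate the whole input space once; all measurements read this table."""
    return [cipher.encrypt(x) for x in range(BLOCK_SPACE)]


def is_bijection(table):
    """Every ciphertext reached exactly once, i.e. decryption is well defined."""
    return len(set(table)) == BLOCK_SPACE


def max_differential_probability(table):
    """Worst case, over all nonzero input differences, of the most likely
    output difference: the quantity differential cryptanalysis exploits."""
    worst = 0
    for d_in in range(1, BLOCK_SPACE):
        counts = {}
        for x in range(BLOCK_SPACE):
            d_out = table[x] ^ table[x ^ d_in]
            counts[d_out] = counts.get(d_out, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst / BLOCK_SPACE


def avalanche_profile(table):
    """Average number of output bits that change when one input bit flips;
    the ideal for an 8-bit block is 4.0 for every input bit."""
    profile = []
    for bit in range(BLOCK_BITS):
        flipped = sum(bin(table[x] ^ table[x ^ (1 << bit)]).count("1")
                      for x in range(BLOCK_SPACE))
        profile.append(flipped / BLOCK_SPACE)
    return profile


if __name__ == "__main__":
    for name, cipher in (("nonlinear", ToyLayeredCipher(0x5A)),
                         ("linear", ToyLayeredCipher(0x5A, linear=True))):
        table = encryption_table(cipher)
        print(name, "bijection:", is_bijection(table),
              "max DP:", max_differential_probability(table),
              "avalanche:", [round(v, 2) for v in avalanche_profile(table)])
```

The linear variant reports a differential probability of exactly 1.0 and an avalanche of one bit per flipped bit, which is the experimental signature of a design with no nonlinearity; at this width such a verdict comes from the full population, not from a sample.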
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Tue, 20 Apr 1999 19:20:24 +0200
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <371CB758.E30A081B@stud.uni-muenchen.de>
References: <371c014c.3018295@news.io.com>
Newsgroups: sci.crypt
Lines: 17

Terry Ritter wrote:
>
> I guess I dispute "confidence." Confidence and Trust and Reliability
> are exactly what we do not have. I cannot say it more clearly:
> cryptanalysis gives us no lower bound to strength.

No intention to take part in the current discussion. But the word 'lower bound' raised an association in my mind to an interesting sentence that A. Salomaa wrote (1990):

    There are no provable lower bounds for the amount of work of a
    cryptanalyst analyzing a public-key cryptosystem.

M. K. Shen
http://www.stud.uni-muenchen.de/~mok-kong.shen/   (Updated: 12 Apr 99)
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 23 Apr 1999 05:39:45 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <7fp131$dg1$1@news.umbc.edu>
References: <37179b67.12809750@news.io.com>
Newsgroups: sci.crypt
Lines: 51

Terry Ritter (ritter@io.com) wrote:

[...]

: It may be unfortunate for academic cryptographers that a wide variety
: of new techniques are pioneered by non-academics. But those
: techniques exist nevertheless, and to the extent that academics do not
: investigate them, those academics are not up with the state of the
: art.

: It is not, frankly, the role of the innovator to educate the
: academics, or even to serve technology to them on a silver platter.
: In the end, academic reputation comes from reality, and the reality is
: that many crypto academics avoid anything new which does not have an
: academic source.

This impression of the academic crypto community as a closed club that ignores the work of outsiders is flat out false. Consider power and timing analysis - the entire area came from the crypto left-field and was pioneered by a recent grad with a B.A. in biology. The work was good, so now he's one of those respected cryptologists. The various attacks I've heard on academics are invariably by those whose work is simply not of the same caliber.

For an example of an idea the crypto community has ignored because it is truly dreadful:

[...]

: And in this way we can have hundreds or thousands of different
: ciphers, with more on the way all the time. That means that we can
: divide the worth of our information into many different ciphers, so
: that if any one fails, only a fraction of messages are exposed.

Absurdly naive. In any real project or real enterprise, the same information is carried by many, many messages. The degree of protection of any piece of intelligence is that of the weakest of the systems carrying it.
: It
: also means that *any* Opponent must keep up with new ciphers and
: analyze and possibly break each, then design a program, or build new
: hardware to exploit it. We can make good new ciphers cheaper than
: they can possibly be broken. The result is that our Opponents must
: invest far more to get far less, and this advantage does not depend
: upon the delusion of strength which is all that cryptanalysis can
: provide.

Nonsense. The attacker just waits for the information he wants to be transmitted under a system he can break.

--Bryan
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Fri, 23 Apr 1999 21:23:23 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3720e200.23217001@news.prosurfr.com>
References: <7fp131$dg1$1@news.umbc.edu>
Newsgroups: sci.crypt
Lines: 51

olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:

>This impression of the academic crypto community as a closed
>club that ignores the work of outsiders is flat out false.
>Consider power and timing analysis - the entire area came
>from the crypto left-field and was pioneered by a recent grad
>with a B.A. in biology. The work was good, so now he's one
>of those respected cryptologists. The various attacks I've
>heard on academics are invariably by those whose work is
>simply not of the same caliber.

I have every respect for the advanced work done by people such as Eli Biham or David Wagner. And you're absolutely right that cryptography, like many other fields, has its cranks and quacks.

However, I don't think it's appropriate to automatically conclude that everyone who expresses concern about the way in which the public cryptography field is going is necessarily a crank. For example, if even a layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that these designs all seem too regular, too repetitious, so that some form of analysis at least seems like it may be someday possible - well, if that is such a silly notion, what are you going to say to the people who designed MARS, who happen to be among the well-qualified?

>For an example of an idea the crypto community has ignored
>because it is truly dreadful:

>[...]

>: And in this way we can have hundreds or thousands of different
>: ciphers, with more on the way all the time. That means that we can
>: divide the worth of our information into many different ciphers, so
>: that if any one fails, only a fraction of messages are exposed.

>Absurdly naive.
>In any real project or real enterprise, the
>same information is carried by many, many messages. The degree
>of protection of any piece of intelligence is that of the
>weakest of the systems carrying it.

While that is true, that just means that, for internal encryption in an organization, a method should not be used that allows employees to protect company data with ciphers their employer does not trust. For a program of the PGP type, that lets people exchange E-Mail with other private individuals, allowing each party to specify a choice of preferred ciphers, and yet interoperate within the framework of using the same program, this sort of thing is a good idea.

'Dreadful' is not the same as 'not everywhere applicable'.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: 25 Apr 1999 10:58:07 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <7fusfv$as8$1@news.umbc.edu>
References: <3720e200.23217001@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 79

John Savard (jsavard@tenMAPSONeerf.edmonton.ab.ca) wrote:

: olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:

: >This impression of the academic crypto community as a closed
: >club that ignores the work of outsiders is flat out false.
: >Consider power and timing analysis - the entire area came
: >from the crypto left-field and was pioneered by a recent grad
: >with a B.A. in biology. The work was good, so now he's one
: >of those respected cryptologists. The various attacks I've
: >heard on academics are invariably by those whose work is
: >simply not of the same caliber.

: I have every respect for the advanced work done by people such as Eli Biham
: or David Wagner. And you're absolutely right that cryptography, like many
: other fields, has its cranks and quacks.

: However, I don't think it's appropriate to automatically conclude that
: everyone who expresses concern about the way in which the public
: cryptography field is going is necessarily a crank. For example, if even a
: layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that
: these designs all seem too regular, too repetitious, so that some form of
: analysis at least seems like it may be someday possible - well, if that is
: such a silly notion, what are you going to say to the people who designed
: MARS, who happen to be among the well-qualified?

Quite right, but as I understood Mr. Ritter's statements, he's deriding the crypto establishment for ignoring the work of outsiders. My counter is not that the crypto community is right to generally ignore outsiders, but that in fact they do no such thing.
: >For an example of an idea the crypto community has ignored
: >because it is truly dreadful:

: >[...]

: >: And in this way we can have hundreds or thousands of different
: >: ciphers, with more on the way all the time. That means that we can
: >: divide the worth of our information into many different ciphers, so
: >: that if any one fails, only a fraction of messages are exposed.

: >Absurdly naive. In any real project or real enterprise, the
: >same information is carried by many, many messages. The degree
: >of protection of any piece of intelligence is that of the
: >weakest of the systems carrying it.

: While that is true, that just means that, for internal encryption in an
: organization, a method should not be used that allows employees to protect
: company data with ciphers their employer does not trust.

I agree it means that, but certainly not that it "just means" that. Specifically, it should guide those employers in deciding how many ciphers to designate as trusted.

[...]

: 'Dreadful' is not the same as 'not everywhere applicable'.

True, but I'm saying that in _all_ the real projects or enterprises I know of, an attacker can gain most of the intelligence value in the message traffic by compromising only a small percentage of the messages. Are there projects in which documents do not go through many revisions? In which everyone works with a mutually exclusive subset of the information?

There is a situation worse than having all one's eggs in one basket. The problem with one basket is that there exists a potential failure that would be catastrophic. What's worse is a system in which any one of many possible failures would be catastrophic. If one accepts that in realistic applications of cryptography the same intelligence is available from many messages, then choosing from a thousand ciphers for each message moves us from one potential catastrophic failure to many potential catastrophic failures.

--Bryan
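The disagreement between Ritter ("only a fraction of messages are exposed") and Olson ("many potential catastrophic failures") comes down to whether the same intelligence is carried by one message or by many. The following Python is an added worked model of both scenarios; it is not code from either poster, and it rests on two stated assumptions: the opponent breaks each cipher independently with the same probability, and each message's cipher is drawn uniformly at random from the available set. Exact rational arithmetic is used so the small cases can be checked by hand.

```python
"""Risk model for 'one cipher' versus 'many ciphers' (added example).

Assumptions (not from the thread): every cipher is broken by the opponent
independently with probability p_break; each message picks one of the
num_ciphers ciphers uniformly at random.
"""
from fractions import Fraction
from itertools import product
from math import comb


def p_intel_compromised(num_ciphers, num_copies, p_break):
    """Olson's scenario: one piece of intelligence travels in num_copies
    messages, each under a randomly chosen cipher.  It is exposed if *any*
    copy travels under a broken cipher, i.e. with probability
    1 - (1 - p)^(distinct ciphers used).  Exact average over every
    assignment of ciphers to copies (keep parameters small)."""
    p = Fraction(p_break)
    total = Fraction(0)
    for assignment in product(range(num_ciphers), repeat=num_copies):
        distinct = len(set(assignment))
        total += 1 - (1 - p) ** distinct
    return total / Fraction(num_ciphers) ** num_copies


def p_intel_compromised_limit(num_ciphers, p_break):
    """Limit of p_intel_compromised as the number of copies grows: every
    cipher eventually carries a copy, so the intelligence survives only if
    none of the num_ciphers ciphers is broken.  This is Olson's 'many
    catastrophic failures' number."""
    p = Fraction(p_break)
    return 1 - (1 - p) ** num_ciphers


def exposed_fraction_distribution(num_ciphers, p_break):
    """Ritter's scenario: messages carry distinct information and are spread
    evenly across num_ciphers.  The number of broken ciphers is
    Binomial(num_ciphers, p_break), so the exposed fraction is b/num_ciphers.
    Returns {fraction exposed: probability}."""
    p = Fraction(p_break)
    dist = {}
    for b in range(num_ciphers + 1):
        prob = comb(num_ciphers, b) * p ** b * (1 - p) ** (num_ciphers - b)
        dist[Fraction(b, num_ciphers)] = prob
    return dist


def expected_exposed_fraction(num_ciphers, p_break):
    """Expected exposed fraction under the distinct-information scenario.
    By linearity of expectation this equals p_break for any num_ciphers:
    spreading messages over ciphers changes the variance, not the mean."""
    dist = exposed_fraction_distribution(num_ciphers, p_break)
    return sum(frac * prob for frac, prob in dist.items())


if __name__ == "__main__":
    q = Fraction(1, 10)  # constructed: each cipher has a 10% chance of being broken
    for k in (1, 2, 10):
        redundant = float(p_intel_compromised_limit(k, q))
        mean = float(expected_exposed_fraction(k, q))
        all_lost = float(exposed_fraction_distribution(k, q)[Fraction(1)])
        print(f"{k:2d} cipher(s): redundant intel exposed with P={redundant:.3f}; "
              f"distinct-info expected exposure={mean:.3f}, "
              f"P(everything exposed)={all_lost:.1e}")
```

With a 10% per-cipher break probability, a single cipher exposes redundant intelligence with probability 0.10, while ten ciphers raise that to about 0.65, which is Olson's objection in numbers. For traffic whose messages carry distinct information, the expected exposure stays at 10% however many ciphers are used, but the chance that everything is exposed at once falls from 10% to one in ten billion, which is the benefit Ritter is pointing at. Which model applies depends on how much the traffic repeats itself, so the two posters are answering different questions rather than contradicting each other.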
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 25 Apr 1999 07:02:01 -0700
From: Sundial Services <info@sundialservices.com>
Message-ID: <37232059.4FA1@sundialservices.com>
References: <7fusfv$as8$1@news.umbc.edu>
Newsgroups: sci.crypt
Lines: 28

> : olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote, in part:
[...]
> : However, I don't think it's appropriate to automatically conclude that
> : everyone who expresses concern about the way in which the public
> : cryptography field is going is necessarily a crank. For example, if even a
> : layperson looks at DES, or IDEA, or SERPENT, and expresses the opinion that
> : these designs all seem too regular, too repetitious, so that some form of
> : analysis at least seems like it may be someday possible ...

I think that this is basically where -I- am coming from. If you look at the design of these Feistel ciphers, well, to me they smack of Enigma, with its clockwork-like rotation of the cipher elements which ultimately proved its downfall. Compare this to SIGABA, which with its many layers of complexity "cascading" upon one another produced what is obviously an extremely strong cipher. There is a LOT more randomness for the cryptographer to figure out.

I stare at this "more stages = more security" story and ponder if, given the extreme regularity of the cipher a