Can We Trust the Experts?


Terry Ritter


A Ciphers By Ritter Page


In most areas of life, when we ourselves do not have expertise, we can get advice from someone who does. But if we define the purpose of cryptography as hiding information from opponents, only the opponents know whether our cipher works or not, and they are not talking. In the usual sense of the word, the open community simply cannot have "expertise" in cipher strength against our real opponents. The only available expertise is limited to cipher strength against academics.

One way to look at this is that if a boat designer only knows about the water in the harbor and bay, the skipper of that boat will have an exciting experience when he gets to the ocean!

In cryptography, what the conditions are like in the wild simply cannot be known. Nobody has that expertise.

The point of this is not to cast a cloud over all cryptography, but instead to reveal that the cloud is already there. Once we accept that things are not all right and that change is necessary, then we can get on with dealing with the situation as best we can. But until the need for change is accepted, nothing will be done.


Contents


Subject: where to put the trust Date: Mon, 11 Oct 1999 23:01:32 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7ttq86$kda$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 29 I have been getting alot of flak about 'how do you KNOW that 'place cipher here' is actually this strong'. I admit there is no honest PROOF to it. No cipher is unconditionally strong, none, zippo, zilch. If you use an OTP wrong it can become weak. (Yes even the infamous Scottu19 has not been proven to be strong). So what do we do? Well we trust experts. Let's take a survey... If you do any of the follwing post a short reply... drive a car, goto the doctors, eat fast-food, use a computer, drive on bridges, live in an apartment, work in an office, gone to school ... You have probably relied on an experience expert. Do we trust them? Hell yes. Do they do good jobs? 99.99% of the time yes. So does this apply to cryptography? Yes I think so. So although (for example) Twofish has not been proven to be strong, it has been designed by people in the know, and I would trust it, just like I trust my doctor to give a good evaluation of my health. Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Mon, 11 Oct 1999 20:39:20 -0400 From: "Adam Durana" <echo@wizard.net> Message-ID: <wovM3.96$BG2.99@newsfeed.slurp.net> References: <7ttq86$kda$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 12 It is silly to blindly believe an expert. Comparing doctors to 'the experts' is a bad comparison at best. Doctors provide you with proof and explainations for thier diaginosis. People who publish algorithms provide the details to them, and reasons they believe it to be secure. But there are so many possiblities in this field. Also authors of algorithms are not required to be truthful with you like Doctors are. Doctors provide you with information which has been proven by the test of time in most cases. Many algorithms use new ideas and methods which have been around for a while and are considered secure. So its foolish to just believe someone because of thier reputation.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 02:43:37 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7tu78n$tgs$1@nnrp1.deja.com> References: <wovM3.96$BG2.99@newsfeed.slurp.net> Newsgroups: sci.crypt Lines: 36 In article <wovM3.96$BG2.99@newsfeed.slurp.net>, "Adam Durana" <echo@wizard.net> wrote: > It is silly to blindly believe an expert. Comparing doctors to 'the > experts' is a bad comparison at best. Doctors provide you with proof and > explainations for thier diaginosis. People who publish algorithms provide > the details to them, and reasons they believe it to be secure. But there > are so many possiblities in this field. Also authors of algorithms are not > required to be truthful with you like Doctors are. Doctors provide you with > information which has been proven by the test of time in most cases. Many > algorithms use new ideas and methods which have been around for a while and > are considered secure. So its foolish to just believe someone because of > thier reputation. > It's funny you say that. Most of what doctors know is based on time tested trial and errors procedures. Some of it's educated guesses and approaches... The same is true for cryprography. You say doctors know what they are doing, the truth of the matter is there is still lots to learn. We may know mainly 1% of how the body works with elements of nature. That's about it. When a doctor says 'use this' it will fix it. The truth is '99% of the time' in trials it works, and the patients don't die. It must be good. For example doctors 30 years ago and today would not really be compatible. What was fact 30 years ago is myth today. The same is for crypto. Your blind faith in doctors is un-nerving to say the least. My point was though, cryptography has experts just like any field, and to get good crypto, you look at the experts. Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 02:18:23 -0400 From: "Adam Durana" <echo@wizard.net> Message-ID: <rmAM3.777$BG2.3521@newsfeed.slurp.net> References: <7tu78n$tgs$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 13 Again, Its silly to blindly believe an expert. I never said I always put my trust in doctors or anyone for that matter. Most people don't get exposed to doctor's guesses or trial and error procedures, on the other hand so called expert cryptographers do exactly this. They devise a method study it, refine it then release it. People use it, test it, and in many cases its not the creator of the method who find the weakness. Also if you trust the 'experts' to make good ciphers, and I created a strong cipher, that wouldn't make an expert would it? This goes for any field of study, you just can't accept someone's idea because they have been right in the past. We make mistakes all the time.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 11:18:26 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7tv5dq$i69$1@nnrp1.deja.com> References: <rmAM3.777$BG2.3521@newsfeed.slurp.net> Newsgroups: sci.crypt Lines: 30 In article <rmAM3.777$BG2.3521@newsfeed.slurp.net>, "Adam Durana" <echo@wizard.net> wrote: > Again, Its silly to blindly believe an expert. I never said I always put my > trust in doctors or anyone for that matter. Most people don't get exposed > to doctor's guesses or trial and error procedures, on the other hand so > called expert cryptographers do exactly this. They devise a method study > it, refine it then release it. People use it, test it, and in many cases > its not the creator of the method who find the weakness. Also if you trust > the 'experts' to make good ciphers, and I created a strong cipher, that > wouldn't make an expert would it? This goes for any field of study, you > just can't accept someone's idea because they have been right in the past. > We make mistakes all the time. I think you need to be more objective. People like Charlisie Adams (spelling?) do not just throw ciphers together. The CAST design procedure has been designed and studied for quite some time. It's only thru trial and error that most experts learn anything, including medicine. I think the experts in cryptography (the press guru ones anyways) are self evident... Scheneir, Rivest, Rijnmen, Daemon, Vaudenay, etc... However I also believe if you have a math degree, some comp-sci, are objective you could be a good cryptography guru as well. Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 16:01:33 -0400 From: "Adam Durana" <echo@wizard.net> Message-ID: <fqMM3.203$O5.2981@newsfeed.slurp.net> References: <7u01oh$60p$1@quine.mathcs.duq.edu> <WcLM3.145$O5.963@newsfeed.slurp.net> <7tv5dq$i69$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 29 All you really have to do is think about it. If a doctor makes a mistake and never realizes or admits the mistake the consequences will be far worse than if the doctor realizes the mistake admits it and works to correct it. As for 'snake oil' in medicine we currently have the FDA and other agencies to prevent such products or treatments from getting sold. But guess what? Theres no such thing for cryptography. Patrick Juola <juola@mathcs.duq.edu> wrote in message news:7u01oh$60p$1@quine.mathcs.duq.edu... > In article <WcLM3.145$O5.963@newsfeed.slurp.net>, > Adam Durana <echo@wizard.net> wrote: > >> It's only thru trial and error that most experts learn anything, including > >> medicine. > > > >With medicine if you make an error you pay for it big time, and its in your > >best interest to correct things as soon as you realize you have made an > >error. > > Really? > > Hmm, I wonder, then, where the term "snake oil" came from to describe weak > and overhyped cryptographic systems. > > -kitten
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 22:37:13 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7u0d6o$hbg$1@nnrp1.deja.com> References: <fqMM3.203$O5.2981@newsfeed.slurp.net> Newsgroups: sci.crypt Lines: 22 In article <fqMM3.203$O5.2981@newsfeed.slurp.net>, "Adam Durana" <echo@wizard.net> wrote: > All you really have to do is think about it. If a doctor makes a mistake > and never realizes or admits the mistake the consequences will be far worse > than if the doctor realizes the mistake admits it and works to correct it. > > As for 'snake oil' in medicine we currently have the FDA and other agencies > to prevent such products or treatments from getting sold. But guess what? > Theres no such thing for cryptography. You really believe that? Oh go take your fat trapper, echinchea, diet magic pills, reverse negative ion rings and etc...... There is a lot of hyped up magicall drugs out there. You apparently are oblivious to them. The bottled water I buy from time to time has been processed thru 'reverse osmosis'.... now think about that for a while. Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 22:34:13 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7u0d15$h93$1@nnrp1.deja.com> References: <WcLM3.145$O5.963@newsfeed.slurp.net> <7tv5dq$i69$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 58 In article <WcLM3.145$O5.963@newsfeed.slurp.net>, "Adam Durana" <echo@wizard.net> wrote: > No matter how refined a design is there is always possiblities for mistakes. > And in this field a tiny mistake can reduce a cipher's strength to nothing. > And this tiny mistake can go unnoticed for a very long time, say until its > been worked into numerous amounts of hardware and software. You think then > if the creator found the mistake, he or she would come running to the public > telling them that all the money and time they spent on integrating this > cipher into thier products was wasted because of a mistake the creator made? > > > It's only thru trial and error that most experts learn anything, including > > medicine. > > With medicine if you make an error you pay for it big time, and its in your > best interest to correct things as soon as you realize you have made an > error. In cryptography if you make an error and you happen to realize it, > its probally in your best interest to keep it a secret and let someone else > discover it, if they ever do. Thats if you are directly profiting from it. So you are saying doctors have never made a mistake? So keep putting that butter on your burns, um what else... I dunno I wasn't alive 30 years ago... someone help out here.... Basically anyone could tell you that many things have changed in the past few decades.... This includes medicin, transportation, etc... > Okay, this is even worse than before. Not only are you going to blindly > have faith in these people's work, you are letting the media decide who you > consider an expert? Well I know those people thru their works as well. I only mentioned them because they are well known gurus. There are plenty others. I would for example be a novice 'cryptographer'. I know enough to be dangerous (ala peekboo) but not enough to really break any real systems or to invent new ones. > I don't see anything being said that will change your view. You seem to be > saying I'll take what the experts give me and assume its good and I'll keep > using it until an expert tells me its not safe any more. > > I'm not saying you need to do a full study of every cipher before you use > it. For example AES, if the government was not so involved with the > selection process, I would accept the cipher as most likely secure by > today's standards. Since the candidates will be reviewed by many people. I > would review the method to see how it worked, but I would not spend weeks > studying it. I would also look at papers on the cipher before I passed my > final judgement on the cipher. So you are basically a hypocrite. You will accept AES because someone reviews it. But you don't think there are experts in the field. So who do you want examining AES? 12 year old kids? BTW so do you work in an office, see a doctor, drive on bridges ??? Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Mon, 11 Oct 1999 22:25:24 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-1110992225240001@dial-243-062.itexas.net> References: <wovM3.96$BG2.99@newsfeed.slurp.net> Newsgroups: sci.crypt Lines: 9 In article <wovM3.96$BG2.99@newsfeed.slurp.net>, "Adam Durana" <echo@wizard.net> wrote: >.. So its foolish to just believe someone because of > thier reputation. As the old saying goes, trust everbody but cut the cards. -- Figures lie, and liars figure.--Daria Dolan
Subject: Re: where to put the trust Date: 12 Oct 1999 09:55:37 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <7tvekp$562$1@quine.mathcs.duq.edu> References: <wovM3.96$BG2.99@newsfeed.slurp.net> Newsgroups: sci.crypt Lines: 32 In article <wovM3.96$BG2.99@newsfeed.slurp.net>, Adam Durana <echo@wizard.net> wrote: >It is silly to blindly believe an expert. Comparing doctors to 'the >experts' is a bad comparison at best. Doctors provide you with proof and >explainations for thier diaginosis. They do not. I don't think I've ever seen a doctor provide "proof", nor can I imagine what any doctor could provide as a "proof" with the possible exception of a pathologist -- at which point, it's too late. I walk into a doctor with a collection of symptoms, and the doctor will make his best guess as to what I have, based on his observations, my descriptions, and some test results (which are rarely conclusive, but often informative). Then he will prescribe a course of treatment which has been shown to be effective most of the time, assuming of course that I don't have any particular difficulties with the treatment -- "Oh, didn't I tell you, I'm a penicillin-allergic." They can easily provide you with explanations. So can cryptographers. Doctors cannot provide you with proof, but they've usually got an extensive literature and experience to back up their opinions. So have cryptographers. Doctors can also make mistakes and misdiagnosis or mis-read clinical signs. They can even be flat out wrong, without making any particular mistake. So can cryptographers. Why are you holding cryptographers to a higher standard than medical doctors? Is your information more important than your life? -kitten
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 08:56:22 +0200 From: Michael =?iso-8859-1?Q?Str=F6der?= <michael.stroeder@inka.de> Message-ID: <3802DB96.AE51E42F@inka.de> References: <7ttq86$kda$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 18 Tom St Denis wrote: > > So what do we do? > > Well we trust experts. > [..] > Do they do good jobs? 99.99% of the time yes. The question is: Why are they doing good jobs in 99.9% of the cases? (I doubt that number is right but let's abstract of this.) Well, the jobs of doctors, bridge constructing engineers etc. are embedded in a legal system. They will be punished by law if things are going wrong. Actually there are some legal systems for applied cryptography (e.g. SigG in Germany) but the legal systems are still not full-featured to cover all aspects. Ciao, Michael.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 11:22:13 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7tv5ku$i8c$1@nnrp1.deja.com> References: <3802DB96.AE51E42F@inka.de> Newsgroups: sci.crypt Lines: 32 In article <3802DB96.AE51E42F@inka.de>, Michael =?iso-8859-1?Q?Str=F6der?= <michael.stroeder@inka.de> wrote: > Tom St Denis wrote: > > > > So what do we do? > > > > Well we trust experts. > > [..] > > Do they do good jobs? 99.99% of the time yes. > > The question is: Why are they doing good jobs in 99.9% of the cases? > (I doubt that number is right but let's abstract of this.) > > Well, the jobs of doctors, bridge constructing engineers etc. are > embedded in a legal system. They will be punished by law if things are > going wrong. Actually there are some legal systems for applied > cryptography (e.g. SigG in Germany) but the legal systems are still not > full-featured to cover all aspects. While I trust (for example) my doctors opinion, am I to take anything he says as the pure simple truth. I don't think so. If for example I have blurry vision, headaches and nausea and he tells it's a head cold, I will want a second opinion, possibly even a CAT scan. [this is just an example, in case you don't know, these are symptoms for circulation problems in the head]. Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 07:37:44 -0400 From: "Trevor Jackson, III" <fullmoon@aspi.net> Message-ID: <38031D88.A9AEB02B@aspi.net> References: <3802DB96.AE51E42F@inka.de> Newsgroups: sci.crypt Lines: 24 Michael Ströder wrote: > Tom St Denis wrote: > > > > So what do we do? > > > > Well we trust experts. > > [..] > > Do they do good jobs? 99.99% of the time yes. > > The question is: Why are they doing good jobs in 99.9% of the cases? > (I doubt that number is right but let's abstract of this.) > > Well, the jobs of doctors, bridge constructing engineers etc. are > embedded in a legal system. They will be punished by law if things are > going wrong. Actually there are some legal systems for applied > cryptography (e.g. SigG in Germany) but the legal systems are still not > full-featured to cover all aspects. One of the most important differences is that you usually tell when a doctor or engineer fails. You may not be able to tell when a cipher designer fails because the people who profit by the failure profit by keeping it secret.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 13:08:01 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3803329c.852311@news.io.com> References: <7ttq86$kda$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 59 On Mon, 11 Oct 1999 23:01:32 GMT, in <7ttq86$kda$1@nnrp1.deja.com>, in sci.crypt Tom St Denis <tomstdenis@my-deja.com> wrote: >I have been getting alot of flak about 'how do you KNOW that 'place cipher >here' is actually this strong'. I admit there is no honest PROOF to it. No >cipher is unconditionally strong, none, zippo, zilch. If you use an OTP >wrong it can become weak. (Yes even the infamous Scottu19 has not been >proven to be strong). > >So what do we do? > >Well we trust experts. > >Let's take a survey... If you do any of the follwing post a short reply... > >drive a car, goto the doctors, eat fast-food, use a computer, drive on >bridges, live in an apartment, work in an office, gone to school ... > >You have probably relied on an experience expert. Do we trust them? Hell >yes. Do they do good jobs? 99.99% of the time yes. > >So does this apply to cryptography? Yes I think so. And I think you are fooling yourself. Cryptography is different from the areas in which we trust expertise because in cryptography there is no way for anyone to know whether any particular approach is successful. Would you really trust a doctor who could not know whether the patients, having been treated, were alive or dead? Would you trust a computer if you knew there was no way to check the results? Would you drive on bridges if you did not know that bridges generally stay up? Bridges generally stay up precisely because engineers can unarguably distinguish between a bridge which falls and one that does not. Without this, there is no way to measure prediction, and no way to develop the knowledge to make predictions correspond to reality. There are many predictions in cryptography, but no similarly apparent result. There simply is no way to know when cryptography keeps things secret from opponents who are themselves secret. There is thus no way to judge risk, and similarly no way to judge expertise. In a very essential way, there can be no real experts on cryptographic strength. >So although (for example) Twofish has not been proven to be strong, it has >been designed by people in the know, and I would trust it, just like I trust >my doctor to give a good evaluation of my health. And that is the same sort of argument that led Germany and Japan to assume their codes were secure in WWII. They were both wrong. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: where to put the trust Date: 12 Oct 1999 10:01:49 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <7tvf0d$56o$1@quine.mathcs.duq.edu> References: <3803329c.852311@news.io.com> Newsgroups: sci.crypt Lines: 30 In article <3803329c.852311@news.io.com>, Terry Ritter <ritter@io.com> wrote: >And I think you are fooling yourself. > >Cryptography is different from the areas in which we trust expertise >because in cryptography there is no way for anyone to know whether any >particular approach is successful. > >Would you really trust a doctor who could not know whether the >patients, having been treated, were alive or dead? That's most of the doctors, actually. Once you leave the office, very few of them will follow you around to confirm that you stayed alive. Similarly, very few bridge designers hang around their work watching it for years lest it should suddenly fall over. >Bridges generally stay up precisely because engineers can unarguably >distinguish between a bridge which falls and one that does not. ... Yeah. *After it has happened*, assuming there was anyone around to witness the fall. And even then, you need a team of experts to examine the wreckage to figure out if it was a design flaw, a construction flaw, or actual sabotage/demolition. Just like cryptography. -kitten
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 12:39:05 -0400 From: "Trevor Jackson, III" <fullmoon@aspi.net> Message-ID: <38036429.D0E073A4@aspi.net> References: <7tvf0d$56o$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 47 Patrick Juola wrote: > In article <3803329c.852311@news.io.com>, Terry Ritter <ritter@io.com> wrote: > >And I think you are fooling yourself. > > > >Cryptography is different from the areas in which we trust expertise > >because in cryptography there is no way for anyone to know whether any > >particular approach is successful. > > > >Would you really trust a doctor who could not know whether the > >patients, having been treated, were alive or dead? > > That's most of the doctors, actually. Once you leave the office, very > few of them will follow you around to confirm that you stayed alive. > > Similarly, very few bridge designers hang around their work watching > it for years lest it should suddenly fall over. Hardly. When a person dies an inquest detemines the cause, and if a doctor's care was involved it will be closely scrutinized. When a bridge falls down a similar process, failure analysis, determines the cause, and if the cause was a design flaw the architect (civil engineer) is going to hear about it. From the victim's laywers if from no one else. There is a distinct difference in cipher design. In extreme cases we label the product snake oil. In less extreme cases we suffer in silence because we have nothing better to offer. Buit claims that cipher design is a science or subject to engineering discipline is a snake-oil-style claim no matter how many credentials the claimant may have. > >Bridges generally stay up precisely because engineers can unarguably > >distinguish between a bridge which falls and one that does not. > > ... Yeah. *After it has happened*, assuming there was anyone around > to witness the fall. And even then, you need a team of experts to > examine the wreckage to figure out if it was a design flaw, a construction > flaw, or actual sabotage/demolition. > > Just like cryptography. Who holds court when a cipher fails and people are damaged thereby? There is no court because the cipher fails silently. A tree falls... The sound of one hand ... What is the sound of a succcessful eavesdropper?
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 13:08:54 -0400 From: "Trevor Jackson, III" <fullmoon@aspi.net> Message-ID: <38036B26.33D46321@aspi.net> References: <7tvorl$5ha$1@quine.mathcs.duq.edu> <38036429.D0E073A4@aspi.net> Newsgroups: sci.crypt Lines: 81 Patrick Juola wrote: > In article <38036429.D0E073A4@aspi.net>, > Trevor Jackson, III <fullmoon@aspi.net> wrote: > >Patrick Juola wrote: > > > >> In article <3803329c.852311@news.io.com>, Terry Ritter <ritter@io.com> wrote: > >> >And I think you are fooling yourself. > >> > > >> >Cryptography is different from the areas in which we trust expertise > >> >because in cryptography there is no way for anyone to know whether any > >> >particular approach is successful. > >> > > >> >Would you really trust a doctor who could not know whether the > >> >patients, having been treated, were alive or dead? > >> > >> That's most of the doctors, actually. Once you leave the office, very > >> few of them will follow you around to confirm that you stayed alive. > >> > >> Similarly, very few bridge designers hang around their work watching > >> it for years lest it should suddenly fall over. > > > >Hardly. > > > >When a person dies an inquest detemines the cause, and if a doctor's care was > >involved it will be closely scrutinized. When a bridge falls down a similar > >process, failure analysis, determines the cause, and if the cause was a design > >flaw the architect (civil engineer) is going to hear about it. From the victim's > >laywers if from no one else. > > And, similarly, if your information is compromised, ... That's the critical IF. IF my information is compromised. How do I tell? I know how to tell if I am dead, and I can take action to prevent it when I notice that I am ill. I know how to tell if a bridge falls down, and when chunks of steel and concrete come loose I know how to take action to fix it. How do I tell if my cipher is "showing signs of age?" The people who know about the symptoms of failure hae a vested interested in hiding those symptoms. > you can have your lawyers > check out whether or not your cryptographic system is at fault, and sue > the hell out of the system designer. > > You'll never know if a bridge is safe *until you try to cross it*; the > Tacoma Narrows stands (or, more accurately, doesn't stand) as a monument > to everyone who thinks that engineers can by pure reason build a > safe structure. > > >There is a distinct difference in cipher design. In extreme cases we label the > >product snake oil. In less extreme cases we suffer in silence because we have > >nothing better to offer. Buit claims that cipher design is a science or subject > >to engineering discipline is a snake-oil-style claim no matter how many > >credentials the claimant may have. > > > >> >Bridges generally stay up precisely because engineers can unarguably > >> >distinguish between a bridge which falls and one that does not. > >> > >> ... Yeah. *After it has happened*, assuming there was anyone around > >> to witness the fall. And even then, you need a team of experts to > >> examine the wreckage to figure out if it was a design flaw, a construction > >> flaw, or actual sabotage/demolition. > >> > >> Just like cryptography. > > > >Who holds court when a cipher fails and people are damaged thereby? There is no > >court because the cipher fails silently. > > If people are damaged, then the cypher by definition has not failed > silently. Lawyers, at dawn, at the gates of Paris. Yes, in long retrospect we can detemine that a cipher failed by historical analysis. We can also tell by fidning the flaw by our own efforts. But we can't detemine if someone else has a break until by their actions we infer they have information we think they should not. Note that it is in the vested interest of the opponents to hide not only the fact of their break but also the fruits thereof.
Subject: Re: where to put the trust Date: Fri, 15 Oct 1999 11:04:15 GMT From: ritter@io.com Message-ID: <7u71na$an4$1@nnrp1.deja.com> References: <7tvqq2$5lr$1@quine.mathcs.duq.edu> <38036B26.33D46321@aspi.net> Newsgroups: sci.crypt Lines: 175 In article <7tvqq2$5lr$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu (Patrick Juola) wrote: > In article <38036B26.33D46321@aspi.net>, > Trevor Jackson, III <fullmoon@aspi.net> wrote: > > > > > >Patrick Juola wrote: > > > >> In article <38036429.D0E073A4@aspi.net>, > >> Trevor Jackson, III <fullmoon@aspi.net> wrote: > >> >Patrick Juola wrote: > >> > > >> >> In article <3803329c.852311@news.io.com>, Terry Ritter <ritter@io.com> wrote: > >> >> >And I think you are fooling yourself. > >> >> > > >> >> >Cryptography is different from the areas in which we trust expertise > >> >> >because in cryptography there is no way for anyone to know whether any > >> >> >particular approach is successful. > >> >> > > >> >> >Would you really trust a doctor who could not know whether the > >> >> >patients, having been treated, were alive or dead? > >> >> > >> >> That's most of the doctors, actually. Once you leave the office, very > >> >> few of them will follow you around to confirm that you stayed alive. > >> >> > >> >> Similarly, very few bridge designers hang around their work watching > >> >> it for years lest it should suddenly fall over. > >> > > >> >Hardly. > >> > > >> >When a person dies an inquest detemines the cause, and if a doctor's care was > >> >involved it will be closely scrutinized. When a bridge falls down a similar > >> >process, failure analysis, determines the cause, and if the cause was a design > >> >flaw the architect (civil engineer) is going to hear about it. From the victim's > >> >laywers if from no one else. > >> > >> And, similarly, if your information is compromised, ... > > > >That's the critical IF. IF my information is compromised. How do I tell? I know how > >to tell if I am dead, and I can take action to prevent it when I notice that I am > >ill. I know how to tell if a bridge falls down, and when chunks of steel and concrete > >come loose I know how to take action to fix it. > > Yes, but you don't know when your bridge is aging, or succeptible to flood > damage, or when recent traffic has been exceeding the maximum recommended > load. Measuring or predicting strength is in fact a continuing issue of interest in the re-certification of public structures. It is a known problem and is handled in practice, in California in particular. If certification is incorrect and the structure fails, we see that on the news, which cannot be said of cryptography. > You can only tell there's something wrong when the bridge fails > catastrophically, at which point it's very difficult to tell what the > root cause of the bridge failure was. As long as the bridge is still > standing, you don't have any way of proving that the bridge will, or > will not, stand up to another truck driving over it. Nonsense. We know about the strength of materials. We know the process of failure. We are able to detect this process in many cases, and most of our failures to detect this are failures to look, not failures of interpretation. The original argument was that we trust bridges because of bridge experts, so why not trust ciphers because of cipher experts. The response was that there is no cipher expertise with respect to strength, because such expertise requires interactive knowledge of the outcome, and our opponents do not grant that to us. We thus can know quite a lot about how bridges fail. But we cannot know how our ciphers fail in the hands of our opponents, and that is all we care about. > You also won't know about a lot of other possible failure modes for the > bridge other than total collapse. Perhaps asphalt wear has made the > bridge particularly slick, so that anyone who drives across in the rain > has a high chance of skidding out of control. Of course, you *could* > sue the bridge designer every time you skid, but that would get laughed > out of court. Actually, no. If the bridge can be said to cause skids, then the state may have some liability. It is unlikely, because we know how to design acceptable roads, because we know the results. We do not know the outcome in cryptography, which is why failure is not similarly unlikely. > >How do I tell if my cipher is "showing signs of age?" The people who know about the > >symptoms of failure hae a vested interested in hiding those symptoms. > > Not all of them. "Gee, I wonder if DES is strong nowadays. I guess I'll > never know, because there's no publically available information about > the costs and difficulties of breaking DES." That is a false summary of the reasoning. We cannot know whether DES is strong, because we cannot know what capabilities our opponents possess. Twenty years of DES analysis is not comforting because it does not tell us how the cipher will stand up to unknown attacks by the only people of interest. Some would have us believe that what we do not know is just the remaining 0.1% of knowledge, and we can never expect to know it all. But of course there is no calibration for such a value. Any possible value is beside the point if it allows our opponents to read our mail in practice. That is the only issue. And there can be no expertise about it. >Yes, some people will want > to compromise security and keep it secret. Others will want to compromise > security and publicize that they can do it, for whatever reason. The > nice thing about security is that this gives a means of learning that > your cypher is weak *before* your system is compromised, because someone > can show how an identical bridge will collapse. I have no idea what this is trying to say. It would be nice if we had a mathematical proof of strength which could be applied in practice. But absent that, we must survive in an environment where every cipher is suspect. > >Note that it is in the vested interest of the opponents to hide not only the fact of > >their break but also the fruits thereof. > > However, unless they do *nothing* with the fruits of their break, then > they *will* reveal the break to a sufficiently suspicious eye. This is of course incorrect. One whole arm of military security has involved complex and costly security operations deliberately intended to assure the viewer that any security lapse was *not* due to cipher failure. To the extent that such failure is not obvious to all security professionals, it obviously has *not* been revealed. And this has very little if anything to do with private use. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Wed, 13 Oct 1999 10:47:21 GMT From: terry_ritter@my-deja.com Message-ID: <7u1nvn$erj$1@nnrp1.deja.com> References: <7u13l1$23l$1@nntp.itservices.ubc.ca> <7u12b6$vsg$1@nnrp1.deja.com> <7tvf0d$56o$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 45 In article <7u13l1$23l$1@nntp.itservices.ubc.ca>, unruh@physics.ubc.ca (Bill Unruh) wrote: > In <7u12b6$vsg$1@nnrp1.deja.com> dianelos@tecapro.com writes: > > >Still, the question remains: if we don't trust the experts then what is > >the better alternative? > > "Trust many experts" is better. Ie, a cypher should be public, and should > have been looked at by a number of people. If Bruce Schneier sells you a > secret algorithm that noone else has looked at you might trust it more > than if I did. But I would far rather get one that he had published, and > had been looked at by a number of independent experts. > And I would not trust one, even from him, where he did not release the > source code for it as well. While "trust many experts" may be better than trusting any one "expert," this still does not address the essence of the problem: there can be no expertise on strength which applies to our opponents. In general, we must assume that our opponents know everything in the open literature, plus whatever has been accumulated by dedicated secret organizations of many bright people over long time. Academic review simply provides no logical insight about what true opponents know or can do. We are thus forced to assume the worst. Looking for expertise which cannot exist seems a rather futile exercise, even if we collect as many opinions as we can. Reality is not a vote. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Wed, 13 Oct 1999 23:18:38 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-1310992318380001@dial-243-005.itexas.net> References: <7u1nvn$erj$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 12 In article <7u1nvn$erj$1@nnrp1.deja.com>, terry_ritter@my-deja.com wrote: > Looking for expertise which cannot exist seems a rather > futile exercise, even if we collect as many opinions as we > can. Reality is not a vote. > Reality as some speak means something objective and true. Too many wish to surplant it with some form of politically defined smoke and mirrors sort of reality, forgetting the other kind. -- Truth lies in your path for you to stumble over, even if you think you can easily sidestep it.
Subject: Re: where to put the trust Date: Fri, 15 Oct 1999 10:30:56 GMT From: ritter@io.com Message-ID: <7u6vp1$9in$1@nnrp1.deja.com> References: <FJLu1v.FK5@bath.ac.uk> <7u1nvn$erj$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 83 I appear to be losing messages in my ISP. If someone wants a reply, give me a nudge. In article <FJLu1v.FK5@bath.ac.uk>, tt@cryogen.com wrote: > terry_ritter@my-deja.com wrote: > > : While "trust many experts" may be better than trusting any > : one "expert," this still does not address the essence of the > : problem: there can be no expertise on strength which applies > : to our opponents. > > Yours seems to be a council of doom ;-( > > In reality there /is/ some feedback about whether cyphers are being > broken. Ships get sunk, troops get shot, battles get lost, etc. > > Now the enemy can do their best to avoid revealing that their information > has been obtained by compromising a cypher, but this necessarily limits > the uses to which they can put their information. > > You can sometimes test to see whether a code has been broken: change the > code to something cumbersome, but secure for a while. > > If this results in improvements to your situation, you can suspect > strongly that the cause is due to the enemy being able to break your > cypher. > > Things can be bad - but they need not always be as bad as all that. It is certainly true that security professionals should try to test cipher strength by tempting the other side in various ways. It is also true that the opposing security professionals can and do run complex operations to convince everyone that any exposure was not from cipher but instead from some other event. Now the issue is not just whether we have an effective cipher, but whether we also have the best security professionals who happen to be on top of the whole thing. Nevertheless, individual users cannot know, in most cases, when their opponents have broken their cipher. Indeed, this is compounded when everyone uses the same cipher, because only a few people will get indications of trouble, and the rest will rationalize that they were from some other exposure. > I believe your assertion that there can be no experts in cryptographic > strength seems too strong. I believe my assertion is correct in the domain of open cryptography. In military or state cryptography, there may indeed be some such expertise. It will never be the kind of expertise we expect in other areas, however. > I /know/ that there are people who know very little about cryptographic > strength. An "expert" is someone at the opposite pole. They may not know > *everything* - or even very much - but they're the best we have. I disagree. The best we have is to first realize that we have a problem, and then try to solve, or at least mitigate the problem. I have made some proposals. If anybody has a better idea, I'd be glad to hear it. And if there are no better ideas, I think we'd be well advised to go with what we have. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Fri, 15 Oct 1999 11:22:38 GMT From: ritter@io.com Message-ID: <7u72pm$bek$1@nnrp1.deja.com> References: <3804967B.D666CE63@sandia.gov> <7u1nvn$erj$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 105 My original (better) response to this apparently was lost. In article <3804967B.D666CE63@sandia.gov>, John Myre <jmyre@sandia.gov> wrote: > terry_ritter@my-deja.com wrote: > > > > While "trust many experts" may be better than trusting any > > one "expert," this still does not address the essence of the > > problem: there can be no expertise on strength which applies > > to our opponents. > > "We don't know the limits of our opponents' ability" seems a > reasonable statement. "No expertise" seems an exaggeration. > Real-world events combined with simple reasoning leads to > rational (if not iron-clad) conclusions. Military and state cryptography may have such expertise, although it can never be the sort of expertise we see in building roads or bridges. But individual users are unlikely to be able to monitor their exposure nearly as well, or assign it to cryptography. And if they must use the single "interoperable" cipher, they would be unable to do much about such exposure, even if they suspected it. > For example, the existence of U.S. export restrictions on > cryptography (and especially the embarrasment forced on public > officials who must endorse them) makes me believe that the NSA > cannot, in fact, (economically) break all of the publicly known > ciphers. While I certainly agree with the outcome, let me caution against trying to predict motive from external events. When we do, we set ourselves up to be deceived. > Of course, they might be able to break *my* favorite... > > > > > In general, we must assume that our opponents know everything > > in the open literature, plus whatever has been accumulated by > > dedicated secret organizations of many bright people over long > > time. > > Agreed. > > > Academic review simply provides no logical insight > > about what true opponents know or can do. > > Not warranted. "No logical insight"? This isn't the same > thing as incomplete knowledge. > > > We are thus forced > > to assume the worst. > > Well... > > I'm not sure what "the worst" means. Literally, it means we > must assume that there is no defense, at all. Karnak attacks > must be assumed to work, etc. In context, "the worst" is that our cipher is weak. In use, we do not care what attacks are used. > > Looking for expertise which cannot exist seems a rather > > futile exercise, even if we collect as many opinions as we > > can. > > I disagree. People must make decisions on incomplete information > all of the time. Take the experts' opinions with a grain of salt, > consider their possible bias or blind spots, but recognize that > the expert opinion is useful data. Cryptography is just different from other areas. There can be experts in cryptography, or cryptanalysis, but there can't be experts in cryptographic strength, because we have no feedback from the only interaction of interest -- between ciphertext and opponent. That is the only thing which must be assured, and we do not even know in practice whether any of our ciphers do that. Under reasonable assumptions, we suspect that many ciphers are strong, especially when they are not subject to known-plaintext attack. Under these assumptions, using a sequence of ciphers can be said to improve the situation. And changing ciphers frequently means that any existing break is terminated. > > > Reality is not a vote. > > Indeed! > --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Wed, 13 Oct 1999 14:57:32 GMT From: ritter@io.com Message-ID: <7u26ki$pp0$1@nnrp1.deja.com> References: <7u12b6$vsg$1@nnrp1.deja.com> <7tvf0d$56o$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 31 In article <7u12b6$vsg$1@nnrp1.deja.com>, dianelos@tecapro.com wrote: >[...] > Still, the question remains: if we don't trust the experts then what is > the better alternative? I am tempted to say that in any case where the "experts" are not bound to us by contract or compensation, the expert we should first trust is ourself. Public cryptanalysis is a useful exercise. It would be even more useful if our so-called "experts" would see fit to check out the various completely new architectures which have been proposed in the past few years. But cryptanalysis can never tell us about the capabilities of our opponents, and frustrating them is our only real goal. We need to accept that *any* cipher may be weak, and think of what we can do in that environment, since that is our reality. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Fri, 15 Oct 1999 00:23:26 GMT From: ritter@io.com Message-ID: <7u5s5i$guu$1@nnrp1.deja.com> References: <7u28e9$7rr$1@quine.mathcs.duq.edu> <7u26ki$pp0$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 36 In article <7u28e9$7rr$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu (Patrick Juola) wrote: > In article <7u26ki$pp0$1@nnrp1.deja.com>, <ritter@io.com> wrote: > >In article <7u12b6$vsg$1@nnrp1.deja.com>, > > dianelos@tecapro.com wrote: > > > >>[...] > >> Still, the question remains: if we don't trust the experts then what > >is > >> the better alternative? > > > >I am tempted to say that in any case where the "experts" are > >not bound to us by contract or compensation, the expert we > >should first trust is ourself. > > I take it that if you need your cat fixed, you do the surgery yourself? > > Why does someone magically know more because he signs a contract? > All it means is that you have someone to sue -- it doesn't make > the system he designs any more secure. Giving yourself someone to sue tends to get more attention from that particular someone. I recommend it. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Fri, 15 Oct 1999 10:14:41 GMT From: ritter@io.com Message-ID: <7u6uqa$8r4$1@nnrp1.deja.com> References: <FJLuM8.G70@bath.ac.uk> <7u26ki$pp0$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 60 In article <FJLuM8.G70@bath.ac.uk>, tt@cryogen.com wrote: > ritter@io.com wrote: > : dianelos@tecapro.com wrote: > > :> Still, the question remains: if we don't trust the experts then what > :> is the better alternative? > > : I am tempted to say that in any case where the "experts" are > : not bound to us by contract or compensation, the expert we > : should first trust is ourself. > > That would be easy for you to say - you're an "expert". > > Try preaching that council to an application programmer who's been told > to add security features to his program - and watch the blank stare. > > He doesn't have /time/ to learn all about the ins and outs of > crypyanalysis before he makes his implementation decision. He needs > to trust the work of others. Yes, I know. I suspect even that most people on sci.crypt cannot or will not reason the implications for themselves. Still, who do we trust with our money? We may select someone, but it is us doing the selecting. Typically we select those who have some contractual responsibilities. But, ultimately, we are responsible. > : We need to accept that *any* cipher may be weak, and think > : of what we can do in that environment, since that is our > : reality. > > It sounds like a council of doom. Certainly spend /some/ time considering > the worst possible scenario, but don't spend /all/ your time doing so, or > you're likely to wind up in a state akin to paranoia, and fail to take > positive action. I think what we need do is first accept reality for what it is, and then see if we cannot mitigate the situation with new approaches and protocols. My suggestions are well known (3-level multiciphering, independent keys, ciphers changing frequently by automatic negotiation). If someone knows something better, let's hear about it. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Sat, 16 Oct 1999 00:07:49 GMT From: bryan.olson@uptronics.com Message-ID: <7u8fkd$d76$1@nnrp1.deja.com> References: <7u6uqa$8r4$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 33 ritter@io.com wrote: > I think what we need do is first accept reality for what it > is, and then see if we cannot mitigate the situation with > new approaches and protocols. My suggestions are well known > (3-level multiciphering, independent keys, ciphers changing > frequently by automatic negotiation). > > If someone knows something better, let's hear about it. A three-level cipher is a special case of a cipher. Three-level ciphers have no more provable security than single ciphers. The per-message change makes the problem worse. It leaves a lower chance of exposing everything, but a higher chance of exposing something. This is worse because of the diminishing returns to the attacker - the first one percent is much more valuable than the last few percent. I do agree we have too few ciphers and need more, specifically we need more _public_ key ciphers. We have scores of secret-key ciphers and new ones are easy to design. I suspect the sci.crypt obsession with symmetric ciphers is precisely because they are so easy to build. --Bryan Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: 16 Oct 99 15:15:49 GMT From: jsavard@ecn.ab.ca () Message-ID: <380896a5.0@ecn.ab.ca> References: <7u8fkd$d76$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 48 bryan.olson@uptronics.com wrote: : A three-level cipher is a special case of a cipher. : Three-level ciphers have no more provable security : than single ciphers. This is true, but it is not the point. : The per-message change makes the problem worse. It : leaves a lower chance of exposing everything, but : a higher chance of exposing something. This is : worse because of the diminishing returns to the : attacker - the first one percent is much more : valuable than the last few percent. That is a correct objection to the use of multiple ciphers by itself. The use of three-level multiple encipherment, with independent keys, can essentially solve this problem, if done properly. The requirment for this is that we must ensure: - at least one of the three ciphers used is from a small set of ciphers which, on the basis of *conventional* criteria of having been properly studied and analyzed, could have been trusted with all one's messages, had one not opted for multiciphering, - the specific choice of ciphers used for a message must be itself conveyed by highly secure encryption, and chosen by good random methods; it must be considered an essential part of the session key. If these points are stressed, I think that multiple encipherment can be placed on a sound footing, with the choice of ciphers from a large pool genuinely making analysis much more difficult without introducing other weaknesses. : I do agree we have too few ciphers and need more, : specifically we need more _public_ key ciphers. : We have scores of secret-key ciphers and new ones : are easy to design. I suspect the sci.crypt : obsession with symmetric ciphers is precisely : because they are so easy to build. Well, designing a new public-key cipher is essentially making a new discovery in advanced mathematics. I'm not surprised it is hard to find many people who can do this, or that this doesn't happen very often. I don't think encouraging the participants in sci.crypt to think about public-key cryptography is going to result in new public-key ciphers being discovered any more quickly. John Savard
Subject: Re: where to put the trust Date: Sun, 17 Oct 1999 16:03:33 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3809f2c4.5804359@news.io.com> References: <7u8fkd$d76$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 74 On Sat, 16 Oct 1999 00:07:49 GMT, in <7u8fkd$d76$1@nnrp1.deja.com>, in sci.crypt bryan.olson@uptronics.com wrote: >ritter@io.com wrote: > >> I think what we need do is first accept reality for what it >> is, and then see if we cannot mitigate the situation with >> new approaches and protocols. My suggestions are well known >> (3-level multiciphering, independent keys, ciphers changing >> frequently by automatic negotiation). >> >> If someone knows something better, let's hear about it. > >A three-level cipher is a special case of a cipher. >Three-level ciphers have no more provable security >than single ciphers. Sure they do: The simple use of three levels means that no individual cipher can be attacked by known-plaintext or defined-plaintext. When those attacks are the strongest known against a cipher, the simple use of a ciphering stack avoids those weaknesses. By having a multi-level "stack" of ciphers, we get exponentially more overall "cipherings" than individual ciphers (typically n**3 instead of n). This means that we can afford to frequently change the overall ciphering, and changing that is the only way to avoid a ciphering which has been thoroughly broken in secret. One alternative is to simply use AES. But if somebody does have an attack for it, they won't tell us, and our whole society will continue using that same broken cipher. We need to change ciphers to stop any such break. And the more alternatives we have to change to, the better off we are. >The per-message change makes the problem worse. It >leaves a lower chance of exposing everything, but >a higher chance of exposing something. The claim of "a lower chance" is unwarranted, unless of course you can define the probability of cipher failure. Alas, that is not possible, because the interaction of interest occurs in secret and we cannot know the result, so we cannot develop a probability from it. Indeed, if a cipher is broken already, no chance is involved: that probability of weakness is 1. You have no way to detect that, nor to say how likely that might be. Making a claim of "a lower chance" is simply unscientific. >This is >worse because of the diminishing returns to the >attacker - the first one percent is much more >valuable than the last few percent. Maybe, maybe not. The alternative is to depend upon something which cannot be depended upon. >I do agree we have too few ciphers and need more, >specifically we need more _public_ key ciphers. >We have scores of secret-key ciphers and new ones >are easy to design. I suspect the sci.crypt >obsession with symmetric ciphers is precisely >because they are so easy to build. Really? Perhaps you have built many strong ciphers which were not successfully attacked, and so naturally would think that is so easy. Where can we find examples of your work? --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: where to put the trust Date: Tue, 19 Oct 1999 18:46:41 GMT From: Tim Tyler <tt@cryogen.com> Message-ID: <FJv5Ht.I5n@bath.ac.uk> References: <3809f2c4.5804359@news.io.com> Newsgroups: sci.crypt Lines: 39 Terry Ritter <ritter@io.com> wrote: : bryan.olson@uptronics.com wrote: :>ritter@io.com wrote: :>> My suggestions are well known (3-level multiciphering, independent :>> keys, ciphers changing frequently by automatic negotiation). :> :>A three-level cipher is a special case of a cipher. :>Three-level ciphers have no more provable security :>than single ciphers. : Sure they do: The simple use of three levels means that no individual : cipher can be attacked by known-plaintext or defined-plaintext. When : those attacks are the strongest known against a cipher, the simple use : of a ciphering stack avoids those weaknesses. : By having a multi-level "stack" of ciphers, we get exponentially more : overall "cipherings" than individual ciphers (typically n**3 instead : of n). [...] If you have 3 times the key-space then you may well get more security. However in general Bryan's point appears to be valid: A three-level cipher *is* a special case of a cipher. By having independent layers you might gain some in that you can replace the sections independently - but you might lose some as well: This can be seen by considering that EORing the outputs of three RNGs together does not /necessarily/ produce as much potential for random behaviour as increasing the size of the internal state of one of them by a factor of three. If anyone has any difficulties in seeing this, consider generators with very small internal states. -- __________ |im |yler The Mandala Centre http://www.mandala.co.uk/ tt@cryogen.com It's always darkest just before it goes totally black.
Subject: Re: where to put the trust Date: Wed, 20 Oct 1999 23:51:26 GMT From: ritter@io.com (Terry Ritter) Message-ID: <380e5579.3617670@news.io.com> References: <FJv5Ht.I5n@bath.ac.uk> Newsgroups: sci.crypt Lines: 47 On Tue, 19 Oct 1999 18:46:41 GMT, in <FJv5Ht.I5n@bath.ac.uk>, in sci.crypt Tim Tyler <tt@cryogen.com> wrote: >Terry Ritter <ritter@io.com> wrote: >: bryan.olson@uptronics.com wrote: >:>ritter@io.com wrote: > >:>> My suggestions are well known (3-level multiciphering, independent >:>> keys, ciphers changing frequently by automatic negotiation). >:> >:>A three-level cipher is a special case of a cipher. >:>Three-level ciphers have no more provable security >:>than single ciphers. > >: Sure they do: The simple use of three levels means that no individual >: cipher can be attacked by known-plaintext or defined-plaintext. When >: those attacks are the strongest known against a cipher, the simple use >: of a ciphering stack avoids those weaknesses. > >: By having a multi-level "stack" of ciphers, we get exponentially more >: overall "cipherings" than individual ciphers (typically n**3 instead >: of n). [...] > >If you have 3 times the key-space then you may well get more security. > >However in general Bryan's point appears to be valid: A three-level >cipher *is* a special case of a cipher. By having independent layers >you might gain some in that you can replace the sections independently - >but you might lose some as well: The usual construction used to prove the possibility of weakness in multiciphering is that the next cipher may be the exact inverse of the previous, thus negating both. But if we use different ciphers and independent keys we have roughly the probability that two cipher constructions, with different keys, will be exactly inverse. Is that likely? If so, perhaps we should attack ciphertext by the method of choosing some other cipher and key at random, then expecting the result to be plaintext. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: where to put the trust Date: Wed, 20 Oct 1999 23:27:19 -0400 From: "Trevor Jackson, III" <fullmoon@aspi.net> Message-ID: <380E8816.3CCD7F74@aspi.net> References: <380e5579.3617670@news.io.com> Newsgroups: sci.crypt Lines: 57 Terry Ritter wrote: > On Tue, 19 Oct 1999 18:46:41 GMT, in <FJv5Ht.I5n@bath.ac.uk>, in > sci.crypt Tim Tyler <tt@cryogen.com> wrote: > > >Terry Ritter <ritter@io.com> wrote: > >: bryan.olson@uptronics.com wrote: > >:>ritter@io.com wrote: > > > >:>> My suggestions are well known (3-level multiciphering, independent > >:>> keys, ciphers changing frequently by automatic negotiation). > >:> > >:>A three-level cipher is a special case of a cipher. > >:>Three-level ciphers have no more provable security > >:>than single ciphers. > > > >: Sure they do: The simple use of three levels means that no individual > >: cipher can be attacked by known-plaintext or defined-plaintext. When > >: those attacks are the strongest known against a cipher, the simple use > >: of a ciphering stack avoids those weaknesses. > > > >: By having a multi-level "stack" of ciphers, we get exponentially more > >: overall "cipherings" than individual ciphers (typically n**3 instead > >: of n). [...] > > > >If you have 3 times the key-space then you may well get more security. > > > >However in general Bryan's point appears to be valid: A three-level > >cipher *is* a special case of a cipher. By having independent layers > >you might gain some in that you can replace the sections independently - > >but you might lose some as well: > > The usual construction used to prove the possibility of weakness in > multiciphering is that the next cipher may be the exact inverse of the > previous, thus negating both. > > But if we use different ciphers and independent keys we have roughly > the probability that two cipher constructions, with different keys, > will be exactly inverse. Is that likely? I haven't done the math but it appears look like the odds are much greater that the ciphertext *might* be a translation of the English plaintext into French plaintext with the same meaning. <Insert Alfred E. Neuman quote here> > > > If so, perhaps we should attack ciphertext by the method of choosing > some other cipher and key at random, then expecting the result to be > plaintext. > > --- > Terry Ritter ritter@io.com http://www.io.com/~ritter/ > Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: where to put the trust Date: Thu, 21 Oct 1999 14:42:41 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <380f262e.567806@news.prosurfr.com> References: <380E8816.3CCD7F74@aspi.net> Newsgroups: sci.crypt Lines: 13 "Trevor Jackson, III" <fullmoon@aspi.net> wrote, in part: >I haven't done the math but it appears look like the odds are much greater >that the ciphertext *might* be a translation of the English plaintext into >French plaintext with the same meaning. <Insert Alfred E. Neuman quote >here> No, strange as it seems, the odds of that are even *more* unlikely. But both events are improbable enough to be nonexistent for any practical purpose. John Savard ( teneerf<- ) http://www.ecn.ab.ca/~jsavard/crypto.htm
Subject: Re: where to put the trust Date: 21 Oct 1999 12:45:43 -0500 From: lathamr@us.ibm.com (Richard D. Latham) Message-ID: <tyaepcobeg.fsf@perf1.hdn.sl.dfw.ibm.com> References: <380f262e.567806@news.prosurfr.com> Newsgroups: sci.crypt Lines: 28 jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) writes: > "Trevor Jackson, III" <fullmoon@aspi.net> wrote, in part: > > >I haven't done the math but it appears look like the odds are much greater > >that the ciphertext *might* be a translation of the English plaintext into > >French plaintext with the same meaning. <Insert Alfred E. Neuman quote > >here> > > No, strange as it seems, the odds of that are even *more* unlikely. > But both events are improbable enough to be nonexistent for any > practical purpose. > Yep. The same sort of calculation I make when deciding not to buy a lottery ticket ... the practical difference between exactly zero and 1 chance in circa 18 million is not "statistically significant" :-) While this gets bandied about as a reason why multiple encipherment is a bad idea, I've never seen even a trivial pair of encyptors that demonstate this reversal property. Anyone have a pointer to any examples of this actually occuring ? -- #include <disclaimer.std> /* I don't speak for IBM ... */ /* Heck, I don't even speak for myself */ /* Don't believe me ? Ask my wife :-) */ Richard D. Latham lathamr@us.ibm.com
Subject: Re: where to put the trust Date: Fri, 22 Oct 1999 14:18:44 GMT From: Tim Tyler <tt@cryogen.com> Message-ID: <FK0D38.8LF@bath.ac.uk> References: <tyaepcobeg.fsf@perf1.hdn.sl.dfw.ibm.com> Newsgroups: sci.crypt Lines: 17 Richard D. Latham <lathamr@us.ibm.com> wrote: :J.S> But both events are improbable enough to be nonexistent for any :J.S> practical purpose. : Yep. The same sort of calculation I make when deciding not to buy a : lottery ticket ... the practical difference between exactly zero and 1 : chance in circa 18 million is not "statistically significant" :-) ...while those who buy the tickets are no-doubt thinking: "Gee, I could win 10 million! What's a dollar compared to that!" ;-) -- __________ |im |yler The Mandala Centre http://www.mandala.co.uk/ tt@cryogen.com A naked man fears no pickpocket.
Subject: Re: where to put the trust Date: Thu, 14 Oct 1999 04:54:41 GMT From: dianelos@tecapro.com Message-ID: <7u3nmd$u6e$1@nnrp1.deja.com> References: <7u216r$7ke$1@quine.mathcs.duq.edu> <7u12b6$vsg$1@nnrp1.deja.com> <7tvf0d$56o$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 79 In article <7u216r$7ke$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu (Patrick Juola) wrote: ... >The bridge, however, has to stay up in all sorts of conditions, >including high winds, flooding, and so forth. Unless you can >create all possible situations of wind, water, load, &c, then >you can't test and confirm that the bridge will always stay up. Well, you are certainly right that there is no way to test a bridge for all possible conditions. The important point is that you can test it for its *basic* requirement, which is to carry weight (for a long time under normal environmental conditions). Dianelos wrote: >>No such test is known for ciphers. Cryptography is the only >>engineering field I know of, where you cannot actually test to see if >>what you build fulfils its design requirements. >Actually, I suspect that most engineering fields are like that -- >it's a dictum in CS that "testing can never show the absense of bugs, >only their presence." I've already discussed civil engineering. >Chip testing is known to be only partially reliable in e.e. I don't >think we need to discuss aerospace engineering after recent events. >What type of engineering *were* you thinking of? Again, you can check to see if a plane flies most of the time, or whether a chip correctly computes most of the time. A cipher can suffer a catastrophic failure of a global scale and we cannot really test against that. I think there is a big difference in degree. It is certainly imaginable that in the next 50 years somebody will publish a result that renders the AES, or RSA, or KEA, or whatever other critical standard there may exist then, useless. As a result of this a big crisis in the world financial and commercial system might develop. Now, it is not really imaginable that something will happen in the next 50 years that will make most bridges of the world crash down at the same time, or make most plains stop flying, or most computer chips stop working. The degree of trust we can have that a cryptographic primitive will fulfil its basic purpose during its lifetime is really not comparable to the degree of trust, based on basic testing, we do have about most other machines we build. I think there is a legitimate problem here, but I also think there are practical ways to solve it: In the future networked world we do need standard primitives, but we can also have standards in place that allow us to "instantly" substitute a primitive that is about to suffer catastrophic failure with another more robust standard. In this way we can have "variable" standards that can be changed quickly if necessary. Basically, the idea is to convert encrypted data into objects that include pointers to the methods needed for their processing. We can then build a menu of different primitives and keep them in reserve. If a new type of attack is announced (but not yet published) that renders a current standard useless, then NIST (or whatever other standards body we have then) can quickly check our menu against this new attack, find which primitive works best, and simply replace the old standard. All new messages will point to the new standard and future communications will be secure. No world wide loss of confidence. (By the way, if we build a standard designed to quickly replace a standard cryptographic primitive, we could actually test to see if it works.) Of course, this is not a perfect solution. Systems based on hardware will be left out (or maybe chips could have security primitives implemented in loadable microcode?). Old messages will be compromised. Saved data will have to re-encrypted (but again automatic contingency plans can exist to simplify this). Maybe there are better solutions than the one I propose. Anyhow, instead of insisting that there is no problem at all with the basic strength of our standard primitives, I think it would be best to prepare for the worst case scenario. Catastrophic failure of a standard primitive is not really that unlikely to happen, and if it does and we are unprepared then the cost of the Y2K error will look like a trifle. After all, standard cryptographic primities may very well be the most common algorithms executed in the future. Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Thu, 14 Oct 1999 19:10:04 GMT From: dianelos@tecapro.com Message-ID: <7u59pu$347$1@nnrp1.deja.com> References: <7u4k25$a6c$1@quine.mathcs.duq.edu> <7u3nmd$u6e$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 56 In article <7u4k25$a6c$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu (Patrick Juola) wrote: > In article <7u3nmd$u6e$1@nnrp1.deja.com>, <dianelos@tecapro.com> wrote: >>Again, you can check to see if a plane flies most of the time, or >>whether a chip correctly computes most of the time. A cipher can >>suffer a catastrophic failure of a global scale and we cannot really >>test against that. > >A "catastrophic failure of a global scale?" I'm not sure I understand >what you mean by this. Cryptographic systems don't fail all by >themselves; it's a difficult task, requiring a fair amount of >expertise and skill, to make a (properly used) cryptosystem fail. If a standard cryptographic primitive fails, then all systems that use it might be in deep trouble. Cryptography will be the basis of the information society of the future and if, after 50 years, somebody finds a way to break the AES with two known plaintexts and 1 second of a PC, or if there is a mathematical breakthrough with problems we use as the basis of public key cryptography, then, if unprepered, we would probably have a sudden, mayor and global disruption in our hands. Frankly nothing comparable can happen because of a bad automotive design. I agree with you though, that it is possible to increase security on the system level. One good idea is not to depend too much on one primitive. This might be achieved, for example, by using multiple symmetric ciphers in series, or multiple key exchange algorithms in parallel. >>(...) Now, it is not really >>imaginable that something will happen in the next 50 years that will >>make most bridges of the world crash down at the same time, or make >>most plains stop flying, or most computer chips stop working. > >Obviously, you've never heard of the EMP bombs? Or, heck, the Y2K >bug? Bridges, being a little bit lower tech, are more likely to >withstand EMP bombing, but they're really sensitive to earthquakes. They taught me about EMP in '75. Actually I know quite a bit about the dangers of nuclear war (one of the reasons I moved to Costa Rica was to prepare for such an event happening). That danger has not completely disappeared and obviously the disruption caused by a global thermonuclear war would be horrendous. The fact that we still live with that latent danger does not mean we should not think about other serious dangers that may lurk in the future use of cryptography. Now, we who participate in this group can do very little about nuclear war, or a big asteroid hitting the earth, or a virus out of the jungle wiping out the human race. But we can educate less knowledgeable people about the dangers of the technology we expound and try to guide its use in a way that mitigates these dangers. There are practical ways to prepare against the worst case scenario. After the Y2K error, we all should agree that over-confidence is not a good idea. Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Thu, 14 Oct 1999 22:09:07 -0400 From: "Trevor Jackson, III" <fullmoon@aspi.net> Message-ID: <38068CC3.117A1D70@aspi.net> References: <7u4k25$a6c$1@quine.mathcs.duq.edu> <7u3nmd$u6e$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 85 Patrick Juola wrote: > In article <7u3nmd$u6e$1@nnrp1.deja.com>, <dianelos@tecapro.com> wrote: > >In article <7u216r$7ke$1@quine.mathcs.duq.edu>, > > juola@mathcs.duq.edu (Patrick Juola) wrote: > >... > >>The bridge, however, has to stay up in all sorts of conditions, > >>including high winds, flooding, and so forth. Unless you can > >>create all possible situations of wind, water, load, &c, then > >>you can't test and confirm that the bridge will always stay up. > > > >Well, you are certainly right that there is no way to test a bridge for > >all possible conditions. The important point is that you can test it > >for its *basic* requirement, which is to carry weight (for a long time > >under normal environmental conditions). > > > >Dianelos wrote: > >>>No such test is known for ciphers. Cryptography is the only > >>>engineering field I know of, where you cannot actually test to see if > >>>what you build fulfils its design requirements. > > > >>Actually, I suspect that most engineering fields are like that -- > >>it's a dictum in CS that "testing can never show the absense of bugs, > >>only their presence." I've already discussed civil engineering. > >>Chip testing is known to be only partially reliable in e.e. I don't > >>think we need to discuss aerospace engineering after recent events. > >>What type of engineering *were* you thinking of? > > > >Again, you can check to see if a plane flies most of the time, or > >whether a chip correctly computes most of the time. A cipher can suffer > >a catastrophic failure of a global scale and we cannot really test > >against that. > > A "catastrophic failure of a global scale?" I'm not sure I understand > what you mean by this. Cryptographic systems don't fail all by themselves; > it's a difficult task, requiring a fair amount of expertise and skill, > to make a (properly used) cryptosystem fail. > So, yes, you can check whether a plane flies "most of the time" as long > as by "most of the time" you mean "under idealized, non-hostile situations." > But for a fighter plane, this isn't the interesting bit of time nor is it > the time that you are interested in. I can similarly prove that an > airbag "works" the 99+% of the time it's sitting quietly in the dashboard. > The only way we know to test whether or not an airbag works is by > simulating various sorts of events and hoping that it deploys properly. > Similarly, to test whether a cryptosystem works, we simulate various > attacks and see whether or not the system stands up to them. But just > as an automotive engineer can't test all the events in the world, neither > can a cryptographer. True, but the most important tests cannot be performed: inspection & maintenance. We can tell if the bridge is still up. Look at it. Walk/drive on it. We can confirm it's state and functionality. We can tell if a plane flies. Try it. We can also tell if the bridge is down. Or the plane does not function. We cannot tell if a cipher is indeed protecting our information because an adversary who has penetrated the cipher does not leave traces behind. > > > >I think there is a big difference in degree. It is certainly imaginable > >that in the next 50 years somebody will publish a result that renders > >the AES, or RSA, or KEA, or whatever other critical standard there may > >exist then, useless. As a result of this a big crisis in the world > >financial and commercial system might develop. Now, it is not really > >imaginable that something will happen in the next 50 years that will > >make most bridges of the world crash down at the same time, or make > >most plains stop flying, or most computer chips stop working. > > Obviously, you've never heard of the EMP bombs? Or, heck, the Y2K bug? > Bridges, being a little bit lower tech, are more likely to withstand > EMP bombing, but they're really sensitive to earthquakes. EMP bombs and earthquakes are noisy. One tends to notice their effects. On noticing such an event one can inspect and repair as necessary. What noise is made when a computer in Moscow/Bejing/Fort Meade translates our cipher text into plaintext? None. How will we notice? We won't.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 20:11:07 GMT From: Tom St Denis <tomstdenis@my-deja.com> Message-ID: <7u04kd$b1d$1@nnrp1.deja.com> References: <3803329c.852311@news.io.com> Newsgroups: sci.crypt Lines: 44 In article <3803329c.852311@news.io.com>, ritter@io.com (Terry Ritter) wrote: > And I think you are fooling yourself. > > Cryptography is different from the areas in which we trust expertise > because in cryptography there is no way for anyone to know whether any > particular approach is successful. > > Would you really trust a doctor who could not know whether the > patients, having been treated, were alive or dead? Would you trust a > computer if you knew there was no way to check the results? Would you > drive on bridges if you did not know that bridges generally stay up? > > Bridges generally stay up precisely because engineers can unarguably > distinguish between a bridge which falls and one that does not. > Without this, there is no way to measure prediction, and no way to > develop the knowledge to make predictions correspond to reality. > > There are many predictions in cryptography, but no similarly apparent > result. There simply is no way to know when cryptography keeps things > secret from opponents who are themselves secret. There is thus no way > to judge risk, and similarly no way to judge expertise. In a very > essential way, there can be no real experts on cryptographic strength. So what you are saying is that no mistakes have ever been made in any other field known to man? Who is fooling who? Just because cryptography is a relatively new field (as is space travel) there are experts in the field. Most of whom have been in it since the beginning of the modern era. > And that is the same sort of argument that led Germany and Japan to > assume their codes were secure in WWII. They were both wrong. And that the titanic would not sink... It's an all or nothing. With your arguement no experts exist in any fields at all because people tend to be wrong once in a while. Tom Sent via Deja.com http://www.deja.com/ Before you buy.
Subject: Re: where to put the trust Date: Tue, 12 Oct 1999 20:34:27 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-1210992034280001@dial-243-001.itexas.net> References: <3803329c.852311@news.io.com> Newsgroups: sci.crypt Lines: 24 In article <3803329c.852311@news.io.com>, ritter@io.com (Terry Ritter) wrote: > ....There is thus no way > to judge risk, and similarly no way to judge expertise. In a very > essential way, there can be no real experts on cryptographic strength. > As stated so often we look for failures and cracks. The best that we can do is to try to piece together as much as what the know what is clearly breakable, as far as me know. My scale idea on this is in that vein, so we downgrade ciphers with advances in breaking. > > >So although (for example) Twofish has not been proven to be strong, it has > >been designed by people in the know, and I would trust it, just like I trust > >my doctor to give a good evaluation of my health. > > And that is the same sort of argument that led Germany and Japan to > assume their codes were secure in WWII. They were both wrong. > The problem with cookbook cipher construction is that when the receipes are limited, they are apt to have a similar flavor. Some people always cook with curry; I like it, but not as a steady diet. -- Truth lies in your path for you to stumble over, even if you think you can easily sidestep it.
Subject: Re: where to put the trust Date: 14 Oct 1999 08:42:49 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <7u4j49$a4s$1@quine.mathcs.duq.edu> References: <3804F9BC.CE74D717@aspi.net> <7u2895$7ra$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 20 In article <3804F9BC.CE74D717@aspi.net>, Trevor Jackson, III <fullmoon@aspi.net> wrote: >Patrick Juola wrote: >> Put simply : if cryptographic "experts" didn't trust the opinions of >> other experts, no one would read, or publish, the journals, and no >> one would attend the conferences. > >The effect is real but the term "trust" is probably too strong unless it's the >trust-but-verify flavor, which I find distasteful. The whole open source issue >is based on the desire to minimize the degree of trust necessary to believe in >one's security. Anyone, expert or amateur, who says "It's secure, trust me" is >selling something I don't want to buy. On the other hand, anyone who says "I don't like the look of that Feistel cypher; it looks insecure" is much more likely to be believed if the person saying it is Ron Rivest or Adi Shamir. Even without a demonstration, Adi's expertise counts for something. -kitten
Subject: Re: where to put the trust Date: Thu, 14 Oct 1999 22:26:45 -0400 From: "Trevor Jackson, III" <fullmoon@aspi.net> Message-ID: <380690E5.2D5212E3@aspi.net> References: <7u4j49$a4s$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 56 Patrick Juola wrote: > In article <3804F9BC.CE74D717@aspi.net>, > Trevor Jackson, III <fullmoon@aspi.net> wrote: > >Patrick Juola wrote: > >> Put simply : if cryptographic "experts" didn't trust the opinions of > >> other experts, no one would read, or publish, the journals, and no > >> one would attend the conferences. > > > >The effect is real but the term "trust" is probably too strong unless it's the > >trust-but-verify flavor, which I find distasteful. The whole open source issue > >is based on the desire to minimize the degree of trust necessary to believe in > >one's security. Anyone, expert or amateur, who says "It's secure, trust me" is > >selling something I don't want to buy. > > On the other hand, anyone who says "I don't like the look of that > Feistel cypher; it looks insecure" is much more likely to be believed > if the person saying it is Ron Rivest or Adi Shamir. Even without > a demonstration, Adi's expertise counts for something. Yes. This is preciesely the asymmetry that is the foundation of the argument for cipher diversity. If an expert claims a cipher may be insecure we should pay a great deal of attention to his opinion. If an expert claims a cipher may be secure we should not pay much attention to his opinion. The dynamic aspects of expert opinions are also worth noting. An expert who does not claim an insecurity in a cipher will quickly change his opinion when shown an effective attack because the attack is an existential proof of insecurity. But an expert who claims an insecurity is very hard to convince that there are no effective attacks. If no expert is willing to claim an insecurity we have the best security available. But it isn't much comfort. Consider a situation that maximizes the degree of expertness brought to bear on cipher selection: 1) We collect all of the experts in the world, continually adding to the group as new ones appear. 2) We bind the experts to be truthful and forthcoming. 3) We use only ciphers no expert considers insecure. In the above situation we might have confidence in our ciphers because we have confidence in step #1 and we believe the odds of a cipher breaking without the knowledge of at least one expert is small. But even in this best possible situation we're still exposed to the threat of a cipher that was previously not known to be insecure becoming known as insecure. So tapping all of the expertise it is theoretically possible to tap does not significantly improve our confidence in our selection of secure ciphers. When you add in reality where a large fraction of the expert population is not available, and where not all available experts are truthful and forthcoming, there is no source of confidence in cipher strength. The best decision is to minimize one's vulnerability to cipher weakness. This probably means using multiple ciphers and changing the set as time passes.

Terry Ritter, his current address, and his top page.

Last updated: 2001-06-11