In a discussion about AES, we find the statement made and agreed that "Triple-DES is proven to be very secure." That was enough for me, since there is no such "proof," either in mathematics or in practice.
Probably I did not confront the issue as well as I should have. The issue is not semantic: Even under the most casual interpretation of the word "proof," decades of use certainly have not "proven" anything about DES security. In fact, DES could be insecure right now, with decades of use being a mere smokescreen to hide that reality and encourage further use.
The problem is fundamental, and lies at the foundation of cryptography: We use puzzles to hide our secrets from unknown opponents, but if our opponents succeed in solving our puzzles (and reading our secrets), they will not tell us. And that means we will continue to use the same puzzles and thus continue to serve up our secrets on a platter.
Cryptography is distinguished from all other areas of design and construction in that we cannot know whether or not it is "working." We don't know when a cipher is failing to keep our secrets, so we don't know when it should be changed or fixed. This has massive implications for the engineering of real security systems. Sooner or later this issue must be confronted head on.
Subject: Re: AES Date: Tue, 04 May 1999 21:39:14 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <372f6808.26884312@news.visi.com> References: <925496288.733.18@news.remarQ.com> Newsgroups: sci.crypt Lines: 45 On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" <anthony.ho@controldynamics.com> wrote: >There is sometimes wonder comes cross my mind why the AES is necessary. Good question, actually. Certainly triple-DES is more than secure enough for the forseeable future, and has the benefit of being well-studied and well-trusted. >I >thought security is not based on the algorithm itself, It certainly is. If the algorithm is bad, no key length can save it. A long key is necessary for security, but not sufficient. >key length can be >increased to increase security Not all algorithms have a variable-length key. Triple-DES, for example, has a 112-bit key. >and algorithm such as Triple-DES is proven >to be very secure. Agreed. There are a few reasons to have AES. The first is that DES was designed for mid-70s hardware, and is sluggish in software. The leading AES candidates are about 8 times faster on high-end CPUs than triple-DES. They are also more flexible on 8-bit smart cards, 64-bit CPUs, ARM processors, standard cell hardware implementations, parallel processors, etc. The second is that DES (and triple-DES) has a 64-bit block. AES has a 128-bit block. There are applications where the shorter block length has security implications. The third is that it's about the most fun you can have as a block cipher designer. And I thank NIST for doing this. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: AES Date: Tue, 04 May 1999 23:18:12 GMT From: SCOTT19U.ZIP_GUY <dscott@networkusa.net> Message-ID: <7gnv7g$56a$1@nnrp1.dejanews.com> References: <372f6808.26884312@news.visi.com> Newsgroups: sci.crypt Lines: 24 In article <372f6808.26884312@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote: > >and algorithm such as Triple-DES is proven > >to be very secure. > > Agreed. > Really! Just where is this proof that you seem to be talking about. My guess is that you don't really know of such a proof. David Scott -- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip http://members.xoom.com/ecil/index.htm NOTE EMAIL address is for SPAMERS to email me use address on WEB PAGE -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: AES Date: Wed, 05 May 1999 00:11:24 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-0505990011250001@dial-243-114.itexas.net> References: <7gnv7g$56a$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 32 In article <7gnv7g$56a$1@nnrp1.dejanews.com>, SCOTT19U.ZIP_GUY <dscott@networkusa.net> wrote: > In article <372f6808.26884312@news.visi.com>, > schneier@counterpane.com (Bruce Schneier) wrote: > > > >and algorithm such as Triple-DES is proven > > >to be very secure. > > > > Agreed. > > > > Really! > Just where is this proof that you seem to be talking > about. My guess is that you don't really know of such > a proof. > > David Scott > All other factors aside, being able to confirm a key with a small amount of ciphertext/plaintext does not bode well for an algorithm being really strong. Don't think me mean for mentioning what Shannon once was getting at; it's just the way it is, and this corollary makes lots of sense.....you should burden your attacker with having to process lots of data to prove or disprove anything. Making the algorithm solvable with a block or two just makes cracking more convenient; it that a reasonable goal for any but a would be attacker to have? -- If you think you are beaten, you are. If you thing you dare not, you don't.
Subject: Re: AES Date: 05 May 1999 14:54:04 +0200 From: "Ulrich Kuehn" <kuehn@uni-muenster.de> Message-ID: <tpku2trd6dv.fsf@math.uni-muenster.de> References: <jgfunj-0505990011250001@dial-243-114.itexas.net> Newsgroups: sci.crypt Lines: 28 jgfunj@vgrknf.arg (wtshaw) writes: > > > All other factors aside, being able to confirm a key with a small amount > of ciphertext/plaintext does not bode well for an algorithm being really > strong. > > Don't think me mean for mentioning what Shannon once was getting at; it's > just the way it is, and this corollary makes lots of sense.....you should > burden your attacker with having to process lots of data to prove or > disprove anything. Making the algorithm solvable with a block or two just > makes cracking more convenient; it that a reasonable goal for any but a > would be attacker to have? This is a principle problem. It is the unicity distance that makes a correct key detectable with only small amounts of plaintext. The actual amount needed of course depends on the entropy of the plaintext as well as the length of the key. But this is not the point. Being able to (easily) check a correctly guessed key does not give you any hint about how to get it. Ciao, Ulrich -- Ulrich Kuehn ------------------ ukuehn@acm.org kuehn@math.uni-muenster.de http://wwwmath.uni-muenster.de/~kuehn/
Subject: Re: AES Date: Wed, 05 May 1999 09:57:26 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-0505990957270001@dial-243-084.itexas.net> References: <tpku2trd6dv.fsf@math.uni-muenster.de> Newsgroups: sci.crypt Lines: 33 In article <tpku2trd6dv.fsf@math.uni-muenster.de>, "Ulrich Kuehn" <kuehn@uni-muenster.de> wrote: > jgfunj@vgrknf.arg (wtshaw) writes: > > > > > All other factors aside, being able to confirm a key with a small amount > > of ciphertext/plaintext does not bode well for an algorithm being really > > strong. > > > > Don't think me mean for mentioning what Shannon once was getting at; it's > > just the way it is, and this corollary makes lots of sense.....you should > > burden your attacker with having to process lots of data to prove or > > disprove anything. Making the algorithm solvable with a block or two just > > makes cracking more convenient; it that a reasonable goal for any but a > > would be attacker to have? > > This is a principle problem. It is the unicity distance that makes > a correct key detectable with only small amounts of plaintext. The actual > amount needed of course depends on the entropy of the plaintext as well > as the length of the key. > But this is not the point. Being able to (easily) check a correctly > guessed key does not give you any hint about how to get it. > But, being unable to easily check for a correctly guess key compounds the problem for the attacker, whose problems I like to compound. The wisdom of not having an easily hacked algorithm is sound, so is that of having a large keyspace that could be brute forced, as well as extending all steps to be inconvenient timewise, not to mention keysetup times, which could be quite demanding in brute force while trivial in routine processing. Many factors should be stacked-up against the proverbial attacker's wishes for simplicity. -- FUD--fear, uncertainty, doubt
Subject: Re: AES Date: Wed, 05 May 1999 04:46:48 GMT From: ritter@io.com (Terry Ritter) Message-ID: <372fcc2b.7300595@news.io.com> References: <372f6808.26884312@news.visi.com> Newsgroups: sci.crypt Lines: 21 On Tue, 04 May 1999 21:39:14 GMT, in <372f6808.26884312@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: >On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" ><anthony.ho@controldynamics.com> wrote: >[...] >>and algorithm such as Triple-DES is proven >>to be very secure. > >Agreed. Sorry. There is NO proof of strength for Triple-DES or any other cipher in cryptography. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: AES Date: 5 May 1999 06:51:39 GMT From: lamontg@bite.me.spammers Message-ID: <7goppr$lt6$1@nntp6.u.washington.edu> References: <372fcc2b.7300595@news.io.com> Newsgroups: sci.crypt Lines: 26 ritter@io.com (Terry Ritter) writes: >On Tue, 04 May 1999 21:39:14 GMT, in ><372f6808.26884312@news.visi.com>, in sci.crypt >schneier@counterpane.com (Bruce Schneier) wrote: > >>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" >><anthony.ho@controldynamics.com> wrote: > >>[...] >>>and algorithm such as Triple-DES is proven >>>to be very secure. >> >>Agreed. > >Sorry. There is NO proof of strength for Triple-DES or any other >cipher in cryptography. There are two different meanings of the word "prove." One is the mathemtical sense, and one is the empirical sense. I assume the poster was making an empirical statement, in which case it is true that through extensive use and analysis, Triple-DES has proven to be very secure. It has not, however, been proved to be secure. Different uses of the verb "to prove." -- Lamont Granquist (lamontg@u.washington.edu) ICBM: 47 39'23"N 122 18'19"W
Subject: Re: AES Date: Wed, 05 May 1999 09:49:31 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-0505990949310001@dial-243-084.itexas.net> References: <7goppr$lt6$1@nntp6.u.washington.edu> Newsgroups: sci.crypt Lines: 20 In article <7goppr$lt6$1@nntp6.u.washington.edu>, lamontg@bite.me.spammers wrote: > ritter@io.com (Terry Ritter) writes: > > > >Sorry. There is NO proof of strength for Triple-DES or any other > >cipher in cryptography. > > There are two different meanings of the word "prove." One is the mathemtical > sense, and one is the empirical sense. I assume the poster was making an > empirical statement, in which case it is true that through extensive use > and analysis, Triple-DES has proven to be very secure. It has not, however, > been proved to be secure. Different uses of the verb "to prove." > This is the reason that claims by anyone that you disagree with are easily classed as snake oil, because you define who you accept by empirical or by strict definition. Then, what this means is that defining snake oil can be taken as snake oil in itself. -- FUD--fear, uncertainty, doubt
Subject: Re: AES Date: 5 May 1999 11:44:28 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <7gpp0s$7g9$1@quine.mathcs.duq.edu> References: <jgfunj-0505990949310001@dial-243-084.itexas.net> Newsgroups: sci.crypt Lines: 33 In article <jgfunj-0505990949310001@dial-243-084.itexas.net>, wtshaw <jgfunj@vgrknf.arg> wrote: >In article <7goppr$lt6$1@nntp6.u.washington.edu>, lamontg@bite.me.spammers >wrote: > >> ritter@io.com (Terry Ritter) writes: >> > >> >Sorry. There is NO proof of strength for Triple-DES or any other >> >cipher in cryptography. >> >> There are two different meanings of the word "prove." One is the mathemtical >> sense, and one is the empirical sense. I assume the poster was making an >> empirical statement, in which case it is true that through extensive use >> and analysis, Triple-DES has proven to be very secure. It has not, however, >> been proved to be secure. Different uses of the verb "to prove." >> >This is the reason that claims by anyone that you disagree with are easily >classed as snake oil, because you define who you accept by empirical or by >strict definition. Then, what this means is that defining snake oil can >be taken as snake oil in itself. On the other hand, most people -- or at least most intelligent readers of sci.crypt -- can probably distinguish between semantic quibbles and genuine issues of fact. For example, one would need to be a raving lunatic to disagree with the statement that DES (and by extension 3DES) have survived several decades of civilian, unclassified, cryptanalysis with most of its strength intact. By comparison, Merkle-Hellman knapsacks lasted less than five years. In a practical sense, then, we know that DES is much stronger than the basic knapsack, even if this difference isn't formalizable in ZFC set theory or its extensions. -kitten
Subject: Re: AES Date: Thu, 06 May 1999 13:23:18 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-0605991323180001@dial-243-080.itexas.net> References: <7gpp0s$7g9$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 29 In article <7gpp0s$7g9$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu (Patrick Juola) wrote: > > On the other hand, most people -- or at least most intelligent readers > of sci.crypt -- can probably distinguish between semantic quibbles and > genuine issues of fact. For example, one would need to be a raving > lunatic to disagree with the statement that DES (and by extension > 3DES) have survived several decades of civilian, unclassified, > cryptanalysis with most of its strength intact. By comparison, > Merkle-Hellman knapsacks lasted less than five years. In a > practical sense, then, we know that DES is much stronger than > the basic knapsack, even if this difference isn't formalizable > in ZFC set theory or its extensions. > The important thing is distinguishing these is to openly recognize whether you are trying weigh ideas or merely slap down the ones you don't like; to make a point, I sometimes may do some of the later, but it is not without good reason from my point of view. DES has proven to be in these days, still a moderately useful cipher, some semifirm ground; now the problem is to extract from it what is more solid and what is more liquid: I maintain that the lessons of DES are not fully learned, and we may still harvest something good out of it if we can trim away at the rotten parts, which I am expressly trying to do to the complaints of the multitudes. -- What's HOT: Honesty, Openness, Truth What's Not: FUD--fear, uncertainty, doubt
Subject: Re: AES Date: Thu, 06 May 1999 23:47:38 GMT From: William Hugh Murray <whmurray@sprynet.com> Message-ID: <37322A73.9E492C8B@sprynet.com> References: <jgfunj-0605991323180001@dial-243-080.itexas.net> Newsgroups: sci.crypt Lines: 51 This is a multi-part message in MIME format. --------------AA628054C29A7C879F30D1A4 wtshaw wrote: > DES has proven to be in these days, still a moderately useful cipher, some > semifirm ground; now the problem is to extract from it what is more solid > and what is more liquid: I maintain that the lessons of DES are not fully > learned, and we may still harvest something good out of it if we can trim > away at the rotten parts, which I am expressly trying to do to the > complaints of the multitudes. > -- > What's HOT: Honesty, Openness, Truth > What's Not: FUD--fear, uncertainty, doubt Moderately useful? After more than twenty years, the cost of attack as a function of the cost of encryption is exactly where it was when DES was announced. I would suggest that that is a very useful cipher. I would suggest that that is a timeless cipher. Until that ratio begins to fall, I can continue to make good use of that cipher. I certainly can not use it in the way that it was used twenty years ago but there are, just as certainly, useful applications and safe modes. It will be a long time before we will know a fraction as much about an AES candidate as we know about DES. William Hugh Murray New Canaan, Connecticut --------------AA628054C29A7C879F30D1A4 name="whmurray.vcf" filename="whmurray.vcf" begin:vcard n:Murray;William Hugh tel;fax:800-690-7952 tel;home:203-966-4769 tel;work:203-966-4769 adr:;;;;;; version:2.1 email;internet:whmurray@sprynet.com fn:William Hugh Murray end:vcard --------------AA628054C29A7C879F30D1A4--
Subject: Re: AES Date: Fri, 07 May 1999 22:39:51 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-0705992239520001@dial-243-082.itexas.net> References: <37322A73.9E492C8B@sprynet.com> Newsgroups: sci.crypt Lines: 36 In article <37322A73.9E492C8B@sprynet.com>, William Hugh Murray <whmurray@sprynet.com> wrote: > This is a multi-part message in MIME format. > --------------AA628054C29A7C879F30D1A4 > Content-Type: text/plain; charset=us-ascii > Content-Transfer-Encoding: 7bit > > wtshaw wrote: > > DES has proven to be in these days, still a moderately useful cipher, some > > semifirm ground; now the problem is to extract from it what is more solid > > and what is more liquid: I maintain that the lessons of DES are not fully > > learned, and we may still harvest something good out of it if we can trim > > away at the rotten parts, which I am expressly trying to do to the > > complaints of the multitudes. > > Moderately useful? After more than twenty years, the cost of attack as > a function of the cost of encryption is exactly where it was when DES > was announced. I would suggest that that is a very useful cipher. I > would suggest that that is a timeless cipher. Until that ratio begins > to fall, I can continue to make good use of that cipher. We are spliting hares (I say that because of a rabbit that I dressed out a couple of days ago). It's hard to find middle ground these days...so on a scale of 1 to 10, perhaps still 8+. Ritter would not like the use of numbers; saying *moderate* was an attempt to satisfy calling it good but declining, as in it used to be a 10 for some. I disliked it at its beginning, including some of the same reasons it is falling into disfavor with others these days. Some of the very things I am now saying were old thoughts with me when I read of DES in the original Scientific American article. Other ciphers appear less attackable. As for me, I'll go with them now. -- What's HOT: Honesty, Openness, Truth What's Not: FUD--fear, uncertainty, doubt
Subject: Re: AES Date: Sat, 08 May 1999 16:01:00 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <37355f69.1224130@news.visi.com> References: <37322A73.9E492C8B@sprynet.com> Newsgroups: sci.crypt Lines: 43 On Thu, 06 May 1999 23:47:38 GMT, William Hugh Murray <whmurray@sprynet.com> wrote: >wtshaw wrote: >> DES has proven to be in these days, still a moderately useful cipher, some >> semifirm ground; now the problem is to extract from it what is more solid >> and what is more liquid: I maintain that the lessons of DES are not fully >> learned, and we may still harvest something good out of it if we can trim >> away at the rotten parts, which I am expressly trying to do to the >> complaints of the multitudes. >> -- >> What's HOT: Honesty, Openness, Truth >> What's Not: FUD--fear, uncertainty, doubt > >Moderately useful? After more than twenty years, the cost of attack as >a function of the cost of encryption is exactly where it was when DES >was announced. No, that's not true. You're assuming that the cost to build a DES encryption engine and the cost to build a DES breaking engine have followed exactly the same "Moore's Law" curve, which they have not. >I would suggest that that is a very useful cipher. I >would suggest that that is a timeless cipher. Until that ratio begins >to fall, I can continue to make good use of that cipher. The ratio has fell and will probably continue to fall. >I certainly can not use it in the way that it was used twenty years ago >but there are, just as certainly, useful applications and safe modes. Only against some threat models. Again, the ratio has changed. >It will be a long time before we will know a fraction as much about an >AES candidate as we know about DES. Agreed. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: AES Date: Sun, 09 May 1999 00:54:39 -0600 From: jgfunj@vgrknf.arg (wtshaw) Message-ID: <jgfunj-0905990054400001@dial-243-085.itexas.net> References: <37355f69.1224130@news.visi.com> Newsgroups: sci.crypt Lines: 22 In article <37355f69.1224130@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote: > On Thu, 06 May 1999 23:47:38 GMT, William Hugh Murray > <whmurray@sprynet.com> wrote about DES: > ... > > >I certainly can not use it in the way that it was used twenty years ago > >but there are, just as certainly, useful applications and safe modes. > > Only against some threat models. Again, the ratio has changed. > I'm reminded of a tag someone used a few months ago: "When the horse dies, get off." DES is no longer a running thourghbred; whether it is still worth feeding is another question. It seems it is out to pasture at any rate, or perhaps still standing at stud. -- What's HOT: Honesty, Openness, Truth What's Not: FUD--fear, uncertainty, doubt
Subject: Re: AES Date: Wed, 05 May 1999 14:13:47 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <373051d9.3696549@news.visi.com> References: <372fcc2b.7300595@news.io.com> Newsgroups: sci.crypt Lines: 29 On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote: > >On Tue, 04 May 1999 21:39:14 GMT, in ><372f6808.26884312@news.visi.com>, in sci.crypt >schneier@counterpane.com (Bruce Schneier) wrote: > >>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" >><anthony.ho@controldynamics.com> wrote: > >>[...] >>>and algorithm such as Triple-DES is proven >>>to be very secure. >> >>Agreed. > >Sorry. There is NO proof of strength for Triple-DES or any other >cipher in cryptography. Sorry. I thought he meant "proven" in the vernacular, as in "this meal has proven to be very tasty." I agree that there is no mathematical proof of the strength of triple-DES, which has nonetheless proven to be very secure (ans tasty). Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: AES Date: Thu, 06 May 1999 19:21:23 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3731eba9.5752548@news.io.com> References: <373051d9.3696549@news.visi.com> Newsgroups: sci.crypt Lines: 55 On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: >On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote: > >> >>On Tue, 04 May 1999 21:39:14 GMT, in >><372f6808.26884312@news.visi.com>, in sci.crypt >>schneier@counterpane.com (Bruce Schneier) wrote: >> >>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" >>><anthony.ho@controldynamics.com> wrote: >> >>>[...] >>>>and algorithm such as Triple-DES is proven >>>>to be very secure. >>> >>>Agreed. >> >>Sorry. There is NO proof of strength for Triple-DES or any other >>cipher in cryptography. > >Sorry. I thought he meant "proven" in the vernacular, as in "this >meal has proven to be very tasty." I agree that there is no >mathematical proof of the strength of triple-DES, which has >nonetheless proven to be very secure (ans tasty). It turns out to be difficult to justify such a statement even using a non-mathematical definition of "proof." For example: We can say a race car is "proven" in practice: We can see it run for some time at some speed and compare it to other entrants. Basically a car is movement at speed and we can see that. We can say a cipher program is "proven" in practice: We can see it encipher data, produce junk, then recover the original data. We can see whether or not the program crashes. We thus see the program perform its functions. But the function of a cipher is to hide information from others. Simply using a cipher for a long time while not specifically knowing that it exposes secrets hardly means the secrets are secure. We have no way to *see* whether or not hiding occurs; we have no way to see a cipher perform its function. So we simply do not have the same sort of practical experience that we commonly call "proven." I would say that simply using a cipher for a long time -- and not specifically knowing it is broken -- does *not* constitute "proven security," by any definition of "proof." --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: AES Date: 6 May 1999 15:45:16 -0400 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <7gsrgc$9hn$1@quine.mathcs.duq.edu> References: <3731eba9.5752548@news.io.com> Newsgroups: sci.crypt Lines: 85 In article <3731eba9.5752548@news.io.com>, Terry Ritter <ritter@io.com> wrote: > >On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>, >in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: > >>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote: >> >>> >>>On Tue, 04 May 1999 21:39:14 GMT, in >>><372f6808.26884312@news.visi.com>, in sci.crypt >>>schneier@counterpane.com (Bruce Schneier) wrote: >>> >>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" >>>><anthony.ho@controldynamics.com> wrote: >>> >>>>[...] >>>>>and algorithm such as Triple-DES is proven >>>>>to be very secure. >>>> >>>>Agreed. >>> >>>Sorry. There is NO proof of strength for Triple-DES or any other >>>cipher in cryptography. >> >>Sorry. I thought he meant "proven" in the vernacular, as in "this >>meal has proven to be very tasty." I agree that there is no >>mathematical proof of the strength of triple-DES, which has >>nonetheless proven to be very secure (ans tasty). > >It turns out to be difficult to justify such a statement even using a >non-mathematical definition of "proof." For example: > >We can say a race car is "proven" in practice: We can see it run for >some time at some speed and compare it to other entrants. Basically a >car is movement at speed and we can see that. > >We can say a cipher program is "proven" in practice: We can see it >encipher data, produce junk, then recover the original data. We can >see whether or not the program crashes. We thus see the program >perform its functions. > >But the function of a cipher is to hide information from others. >Simply using a cipher for a long time while not specifically knowing >that it exposes secrets hardly means the secrets are secure. We have >no way to *see* whether or not hiding occurs; we have no way to see a >cipher perform its function. So we simply do not have the same sort >of practical experience that we commonly call "proven." But it's no more difficult than Bruce Schneier's original example : "this meal has proven to be very tasty." There's no objective standard for "tasty"; the only "proof" I can offer is that I got a hundred people together and fed them the meal, and they all responded positively about how it tasted. This examples illustrates nicely some of the issues involved : at one level of "proof", all it really means is that *I* liked the meal, and you have no reason to believe me or to trust my judgement. (Are you paying attention, Mr. Scott?) If I tell you I made egg-and-olive ice cream and it proved delicious, you may not regard this as sufficient evidence. Certainly not if you were TCBY and looking for new flavors. At another level, I could present my meal to a large collection of people and see what they all said. Yes, some of them might lie. Yes, some of them might not like the meal -- but if 99% of the people said that they liked it, that might be sufficient for you (or TCBY) to believe that it's "tasty." A third level of "proof" might involve a carefully selected group of food critics and chefs known for their discriminating palettes; when they say it's "tasty", that means even more than when the man on the street says so. >I would say that simply using a cipher for a long time -- and not >specifically knowing it is broken -- does *not* constitute "proven >security," by any definition of "proof." Simply using a cypher? No. But a lot of experts -- read : food critics and chefs -- have looked at DES for a long time, and so far no one has gone on record as saying they regard it as "not tasty." If you look at 20 years worth of restaurant reviews regarding a particular restaurant, and without exception every one of them was good, wouldn't that constitute effective "proof" that the restaurant served good food? -kitten
Subject: Re: AES Date: Fri, 07 May 1999 10:42:38 -0400 From: fullmoon@aspi.net Message-ID: <3732FBDE.2F94E7A@aspi.net> References: <7gsrgc$9hn$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 120 Patrick Juola wrote: > > In article <3731eba9.5752548@news.io.com>, Terry Ritter <ritter@io.com> wrote: > > > >On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>, > >in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: > > > >>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote: > >> > >>> > >>>On Tue, 04 May 1999 21:39:14 GMT, in > >>><372f6808.26884312@news.visi.com>, in sci.crypt > >>>schneier@counterpane.com (Bruce Schneier) wrote: > >>> > >>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" > >>>><anthony.ho@controldynamics.com> wrote: > >>> > >>>>[...] > >>>>>and algorithm such as Triple-DES is proven > >>>>>to be very secure. > >>>> > >>>>Agreed. > >>> > >>>Sorry. There is NO proof of strength for Triple-DES or any other > >>>cipher in cryptography. > >> > >>Sorry. I thought he meant "proven" in the vernacular, as in "this > >>meal has proven to be very tasty." I agree that there is no > >>mathematical proof of the strength of triple-DES, which has > >>nonetheless proven to be very secure (ans tasty). > > > >It turns out to be difficult to justify such a statement even using a > >non-mathematical definition of "proof." For example: > > > >We can say a race car is "proven" in practice: We can see it run for > >some time at some speed and compare it to other entrants. Basically a > >car is movement at speed and we can see that. > > > >We can say a cipher program is "proven" in practice: We can see it > >encipher data, produce junk, then recover the original data. We can > >see whether or not the program crashes. We thus see the program > >perform its functions. > > > >But the function of a cipher is to hide information from others. > >Simply using a cipher for a long time while not specifically knowing > >that it exposes secrets hardly means the secrets are secure. We have > >no way to *see* whether or not hiding occurs; we have no way to see a > >cipher perform its function. So we simply do not have the same sort > >of practical experience that we commonly call "proven." > > But it's no more difficult than Bruce Schneier's original example : > "this meal has proven to be very tasty." There's no objective > standard for "tasty"; the only "proof" I can offer is that I got > a hundred people together and fed them the meal, and they all > responded positively about how it tasted. > > This examples illustrates nicely some of the issues involved : > at one level of "proof", all it really means is that *I* liked the > meal, and you have no reason to believe me or to trust my judgement. > (Are you paying attention, Mr. Scott?) If I tell you I made egg-and-olive > ice cream and it proved delicious, you may not regard this as sufficient > evidence. Certainly not if you were TCBY and looking for new flavors. > > At another level, I could present my meal to a large collection of people > and see what they all said. Yes, some of them might lie. Yes, some of > them might not like the meal -- but if 99% of the people said that they > liked it, that might be sufficient for you (or TCBY) to believe > that it's "tasty." > > A third level of "proof" might involve a carefully selected group of > food critics and chefs known for their discriminating palettes; when > they say it's "tasty", that means even more than when the man on the > street says so. Does it? I suspect not. The man-on-the-street (MOTS) is expressing a willingness to buy. The critics and experts are selling something: their expertise. The field of subjective judgements is filled with examples of contrarian reactions from experts vs MOTS. Movies and theatrical plays are notorious for the inverse relationship between critical success and box-office success. Similarly, figure skating competition features critics and experts (judges) who have vastly different criteria than the average audience. A Disney skating show does not resemble a competition at all. The former is aimed at the critics, and the latter at the audience. Let's consider judging ciphers by the same dual standard. Financial sucess can be considered orthogonal to critical success. And neither have any rigorous relationship to security. They simply pander to different tastes in information security. > > >I would say that simply using a cipher for a long time -- and not > >specifically knowing it is broken -- does *not* constitute "proven > >security," by any definition of "proof." > > Simply using a cypher? No. But a lot of experts -- read : food > critics and chefs -- have looked at DES for a long time, and so > far no one has gone on record as saying they regard it as "not > tasty." If you look at 20 years worth of restaurant reviews regarding > a particular restaurant, and without exception every one of them was > good, wouldn't that constitute effective "proof" that the restaurant > served good food? It would depend on who assembled the collection of reviews. Note that a collection without any negative criticism would convince me that someone was distoring the truth. Let's let our paranoia run a little loose and inspect the relationships between academic funding and the national security interests. Before we ask how tightly connected these issue are, let's ask how visible the connections are. It is demonstrably within the capability, interest, and practice of the national security interests to /i/n/t/e/r/f/e/r/e/ intervene in the academic funding world. Thus the collection of reviews that I would like to rely upon is tainted. How badly? I wish I knew. > > -kitten
Subject: Re: AES Date: Sun, 09 May 1999 05:32:39 GMT From: dianelos@tecapro.com Message-ID: <7h36ln$o0n$1@nnrp1.deja.com> References: <7gsrgc$9hn$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 60 I don't think that the way we gain trust in general is directly applicable to cryptography. Here is my point: a) For better or worse, cryptography is considered a discipline of mathematics where the word "proof" (and its derivatives) has a clear and strong meaning. b) Many people who read sci.crypt are not experts in cryptography. c) At all levels people make choices and use technology without really understanding it - the result can be very costly (see agrochemicals, energy consumption or the Y2K error). There are a lot of misconceptions too about cryptography and it is important to minimize that. d) Bruce Schneier is one of the most well known and well respected cryptographers. Now, the original statement to which Schneier agreed was: "Triple DES is proven to be very secure". We can argue that this statement is correct within the common use of the English language. But it is a fact that many people who read this followed by Schneier's validation will understand that there is a mathematical proof for the security of 3DES. Therefore I think the reaction of Scott and Ritter in this thread is valid. It is important that everybody who makes decisions about information security clearly understand that there is no proof about the strength of any published block cipher. There is only expert opinion at a level somehow lower than a doctor's who recommends surgery and somehow higher than a food critic's who recommends a restaurant. I think that if cryptography were considered an engineering discipline then it would be easier to visualize the situation. For example, historically bridges did _prove_ themselves by withstanding particular weights long before mechanics was discovered. Even now there are not really proofs (in the mathematical sense) that a bridge will work. Actually, only a few decades ago a modern bridge disintegrated under the effect of the wind (not a hurricane mind you, just normal wind). That bridge had an error in its design that made it resonate to the wind absorbing more and more energy until it came tumbling down. In the same way a cipher may fail in the future under an unforeseen attack. The trouble of course is that whereas the bridge in question was unique and all subsequent bridge designers avoided that particular flaw, if a catastrophic failure is suffered by a standard cipher the effect would desastrous and analogous to most bridges in the world tumbling down together. To me one answer to the problem of absence of proofs is super-encipherment where several ciphers of radically different designs are combined together. The analogy would be like building several bridges side by side. If one of them should fail, the other(s) would keep our communication lines open. Fortunately, in many applications of information technology combining several ciphers is only marginally more expensive than using only one. (By the way, this is another argument in favor of not patenting ciphers.) -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: AES Date: Sun, 09 May 1999 18:44:29 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <3735d6dc.19558816@news.visi.com> References: <7h36ln$o0n$1@nnrp1.deja.com> Newsgroups: sci.crypt Lines: 33 On Sun, 09 May 1999 05:32:39 GMT, dianelos@tecapro.com wrote: > Now, the original statement to which Schneier agreed was: "Triple > DES is proven to be very secure". We can argue that this statement > is correct within the common use of the English language. But it > is a fact that many people who read this followed by Schneier's > validation will understand that there is a mathematical proof for > the security of 3DES. Indeed. In retrospect, I should have been more exact in my agreement. This has proven to be linguisticly complicated. Although the only people who seems to have misunderstood is Terry Ritter, who you'd think would be used to this kind of usage already, and David Scott, who is mercifully in my kill file and whose posts I do not see. > To me one answer to the problem of absence of proofs is > super-encipherment where several ciphers of radically different > designs are combined together. The analogy would be like building > several bridges side by side. If one of them should fail, the > other(s) would keep our communication lines open. Fortunately, in > many applications of information technology combining several > ciphers is only marginally more expensive than using only one. (By > the way, this is another argument in favor of not patenting > ciphers.) Multiple encryption is generally a good idea. The only reason you don't see it widely used in practice is that using N ciphers cuts the performance by a factor of N (more or less). Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: AES Date: Wed, 12 May 1999 06:12:02 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <37391B62.AF2A410F@null.net> References: <3735d6dc.19558816@news.visi.com> Newsgroups: sci.crypt Lines: 9 Bruce Schneier wrote: > Multiple encryption is generally a good idea. The only reason you > don't see it widely used in practice is that using N ciphers cuts > the performance by a factor of N (more or less). Without necessarily gaining proportionally in security. If you have a good algorithm, it would seem to be better to put the extra cycles into using that algorithm with a longer key (for example).
Subject: Re: AES Date: Wed, 12 May 1999 07:22:41 GMT From: ritter@io.com (Terry Ritter) Message-ID: <37392be7.2410068@news.io.com> References: <37391B62.AF2A410F@null.net> Newsgroups: sci.crypt Lines: 37 On Wed, 12 May 1999 06:12:02 GMT, in <37391B62.AF2A410F@null.net>, in sci.crypt "Douglas A. Gwyn" <DAGwyn@null.net> wrote: >Bruce Schneier wrote: >> Multiple encryption is generally a good idea. The only reason you >> don't see it widely used in practice is that using N ciphers cuts >> the performance by a factor of N (more or less). > >Without necessarily gaining proportionally in security. >If you have a good algorithm, it would seem to be better >to put the extra cycles into using that algorithm with a >longer key (for example). That would seem to be a way to get more keyspace, but it does not address the problems I want to address. I think we already have plenty of keyspace. The problems I see are that we first cannot guarantee the strength of a cipher, and second cannot know when our cipher has been broken. These are rarely keyspace issues. But if we have only one cipher, and our cipher is broken in secret, we will continue to use that cipher and continue to expose our information. I want to first reduce the probability of a break by multi-ciphering as a common expected process. I want the ability to change a cipher quickly and easily if new results warrant changing ciphers. I want to terminate the extent of any break which does occur by changing ciphers frequently. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: AES Date: Wed, 12 May 1999 13:54:04 GMT From: dianelos@tecapro.com Message-ID: <7hc15l$2cc$1@nnrp1.deja.com> References: <37391B62.AF2A410F@null.net> Newsgroups: sci.crypt Lines: 35 In article <37391B62.AF2A410F@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > Bruce Schneier wrote: > > Multiple encryption is generally a good idea. The only reason you > > don't see it widely used in practice is that using N ciphers cuts > > the performance by a factor of N (more or less). > > Without necessarily gaining proportionally in security. > If you have a good algorithm, it would seem to be better > to put the extra cycles into using that algorithm with a > longer key (for example). I understand that adding more rounds to a cipher increases its resistance against known attacks exponentially. Combining ciphers with different types of rounds should at the very least increase resistance against known attacks exponentially too. In fact a theoretical attack against one cipher may not work at all against the other and therefore against the combination of the two. So I think that multiple encryption increases security better than proportionally. Now, instead of increasing the "depth" of a cipher you propose to increase its "width", i.e. the key size. I wonder how cost-effective this is. Certainly it exponentially increases resistance to exhaustive key search but this is the most primitive type of attack. It seems to me that if the cipher has some kind of structural flaw then increasing its key size may not significantly increase its security. Basically all ciphers can be described as a set of Boolean equations with as many unknowns as there are bits in the key. The difficulty of solving sets of equations depends more on the type of equations than on the number of unknowns. --== Sent via Deja.com http://www.deja.com/ ==-- ---Share what you know. Learn what you don't.---
Subject: Re: AES Date: Wed, 12 May 1999 23:11:30 -0400 From: Nicol So <nobody@no.spam.please> Message-ID: <373A42E2.C9BB75AC@no.spam.please> References: <37391B62.AF2A410F@null.net> Newsgroups: sci.crypt Lines: 37 Douglas A. Gwyn wrote: > > Bruce Schneier wrote: > > Multiple encryption is generally a good idea. The only reason you > > don't see it widely used in practice is that using N ciphers cuts > > the performance by a factor of N (more or less). > > Without necessarily gaining proportionally in security. > If you have a good algorithm, it would seem to be better > to put the extra cycles into using that algorithm with a > longer key (for example). I think most people are aware of that (there is no guarantee of proportional gain in security). I like to view Bruce's suggestion as a conservative design heuristic. Most (secret-key) block ciphers that I've come across are iterated ciphers, in which the same construct is composed with itself multiple times. You could, if you wish, consider such a cipher multiple encryption with the same cipher using non-independent keys. What multiple encryption (with unlike ciphers) buys you, in my opinion, is some irregularity and, hopefully, less susceptibility to undiscovered flaws in any single component construct. Generally speaking, I think it is more difficult to generalize observations about individual constructs to an iterated composition of them, when dissimilar structures break up the regularity that would be present in iterated composition of a single construct. If this view is close to being correct, it should be possible to obtain the same benefit by interleaving dissimilar round structures, not necessarily dissimilar "ciphers". I basically agree with you, but I don't think I can reliably tell whether I've got a good algorithm. In the absence of a convincing argument to the contrary, it is tempting to resort to what one consider as conservative design heuristics to insure against what one might have overlooked. Nicol
Subject: Re: AES Date: Fri, 07 May 1999 14:44:52 +0200 From: Volker Hetzer <hetzer.abg@sni.de> Message-ID: <3732E044.4469E8DC@sni.de> References: <3731eba9.5752548@news.io.com> Newsgroups: sci.crypt Lines: 27 Terry Ritter wrote: > But the function of a cipher is to hide information from others. > Simply using a cipher for a long time while not specifically knowing > that it exposes secrets hardly means the secrets are secure. We have > no way to *see* whether or not hiding occurs; we have no way to see a > cipher perform its function. So we simply do not have the same sort > of practical experience that we commonly call "proven." But we have. Sort of. Look at it like this: You use an algorithm to protect some info with a certain value. You believe you would have noticed if somebody other than you uses that information (comparable products, evidence in courts, ...). If you have used that algorithm to protect info of that certain value often and nobody has used captured data you can conjecture that people will continue not to use your data. This can have to reasons: 1: The effort to break your algo is higher than the value of your information. 2: The damage caused by breaking the algo (switch to better algos, embarrasment of people, governments) is bigger than the value of your information. The result is the same for both cases. You can continue to use your algo. It is a bit like evidence in court. If you can't show it it's as good as you've got none. If your enemy can't (for whatever reason) use your data, it's safe to use your algorithm. This is secutity too. Greetings! Volker
Subject: Re: AES Date: Sat, 08 May 1999 15:58:43 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <37345f07.1126444@news.visi.com> References: <3731eba9.5752548@news.io.com> Newsgroups: sci.crypt Lines: 61 On Thu, 06 May 1999 19:21:23 GMT, ritter@io.com (Terry Ritter) wrote: > >On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>, >in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: > >>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote: >> >>> >>>On Tue, 04 May 1999 21:39:14 GMT, in >>><372f6808.26884312@news.visi.com>, in sci.crypt >>>schneier@counterpane.com (Bruce Schneier) wrote: >>> >>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" >>>><anthony.ho@controldynamics.com> wrote: >>> >>>>[...] >>>>>and algorithm such as Triple-DES is proven >>>>>to be very secure. >>>> >>>>Agreed. >>> >>>Sorry. There is NO proof of strength for Triple-DES or any other >>>cipher in cryptography. >> >>Sorry. I thought he meant "proven" in the vernacular, as in "this >>meal has proven to be very tasty." I agree that there is no >>mathematical proof of the strength of triple-DES, which has >>nonetheless proven to be very secure (ans tasty). > >It turns out to be difficult to justify such a statement even using a >non-mathematical definition of "proof." For example: > >We can say a race car is "proven" in practice: We can see it run for >some time at some speed and compare it to other entrants. Basically a >car is movement at speed and we can see that. > >We can say a cipher program is "proven" in practice: We can see it >encipher data, produce junk, then recover the original data. We can >see whether or not the program crashes. We thus see the program >perform its functions. > >But the function of a cipher is to hide information from others. >Simply using a cipher for a long time while not specifically knowing >that it exposes secrets hardly means the secrets are secure. We have >no way to *see* whether or not hiding occurs; we have no way to see a >cipher perform its function. So we simply do not have the same sort >of practical experience that we commonly call "proven." > >I would say that simply using a cipher for a long time -- and not >specifically knowing it is broken -- does *not* constitute "proven >security," by any definition of "proof." This has proven to be a very tiresome conversation. I apologise if you dislike our language. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: AES Date: Sat, 08 May 1999 19:37:49 GMT From: ritter@io.com (Terry Ritter) Message-ID: <37349279.8785332@news.io.com> References: <37345f07.1126444@news.visi.com> Newsgroups: sci.crypt Lines: 119 On Sat, 08 May 1999 15:58:43 GMT, in <37345f07.1126444@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: >On Thu, 06 May 1999 19:21:23 GMT, ritter@io.com (Terry Ritter) wrote: > >> >>On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>, >>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: >> >>>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote: >>> >>>> >>>>On Tue, 04 May 1999 21:39:14 GMT, in >>>><372f6808.26884312@news.visi.com>, in sci.crypt >>>>schneier@counterpane.com (Bruce Schneier) wrote: >>>> >>>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho" >>>>><anthony.ho@controldynamics.com> wrote: >>>> >>>>>[...] >>>>>>and algorithm such as Triple-DES is proven >>>>>>to be very secure. >>>>> >>>>>Agreed. >>>> >>>>Sorry. There is NO proof of strength for Triple-DES or any other >>>>cipher in cryptography. >>> >>>Sorry. I thought he meant "proven" in the vernacular, as in "this >>>meal has proven to be very tasty." I agree that there is no >>>mathematical proof of the strength of triple-DES, which has >>>nonetheless proven to be very secure (ans tasty). >> >>It turns out to be difficult to justify such a statement even using a >>non-mathematical definition of "proof." For example: >> >>We can say a race car is "proven" in practice: We can see it run for >>some time at some speed and compare it to other entrants. Basically a >>car is movement at speed and we can see that. >> >>We can say a cipher program is "proven" in practice: We can see it >>encipher data, produce junk, then recover the original data. We can >>see whether or not the program crashes. We thus see the program >>perform its functions. >> >>But the function of a cipher is to hide information from others. >>Simply using a cipher for a long time while not specifically knowing >>that it exposes secrets hardly means the secrets are secure. We have >>no way to *see* whether or not hiding occurs; we have no way to see a >>cipher perform its function. So we simply do not have the same sort >>of practical experience that we commonly call "proven." >> >>I would say that simply using a cipher for a long time -- and not >>specifically knowing it is broken -- does *not* constitute "proven >>security," by any definition of "proof." > >This has proven to be a very tiresome conversation. I apologise if >you dislike our language. You already apologized. I assumed you were going to let it drop. This is not an issue of mere words, about which to use when. (Though one might *well* think that a question in sci.crypt, to a technical authority, ought to imply "proof" in the mathematical sense.) The issue goes deeper than words: it goes to the perception of "proven security" as a result of cryptanalysis or use. Presumably it is the years of cryptanalysis of DES which leads to this, and it is not just a delusion of the general public but a perception which is repeatedly affirmed by technical authorities (as happened here). The term "validation" has also been used. But as far as I can tell, a logic of cryptanalytic validation goes something like this: 1. Assuming academic cryptanalysis is the best possible, 2. if cryptanalysis has found no break, then 3. no break is possible. No cryptanalyst will ever put this so baldly. But we see in practice the sequence: new cipher designs, subjected to academic cryptanalysis, then generally approved for use, which seems to be an expression of the above logic. Cryptanalysts may say "We just did what we could." But to the extent that the result is considered "proven secure" in any sense at all (and that *is* the point of this tiresome conversation), it sure looks like the above logic to me. If we were having an outbreak of former academic cryptanalysts breaking ciphers and stealing information, we might just stretch a point and say: 1. Assuming all academics are the same, 2. if our academics can't find a problem, then 3. neither can the former academics. This at least has a modicum of science to it, because we are comparing two similar groups. But of course in reality individuals differ, and their situations differ, so this isn't right either. In practice our ciphers confront opponents whose knowledge and capabilities exceed the academic literature. Just because academics cannot find a break does not mean the opponents cannot. It is a *realistic* possibility that DES has been broken in secret from the time it was designed and that we still do not know that. And while we might wish and hope to call this "improbable," that would be pasting the illusion of scientific analysis on something which cannot (yet) be quantified. It is just such a quantification that "proven secure" implies to me, and that is bad science. I think people get so involved in the technical aspects of cryptanalysis that they forget the logic of what this does or does not prove. Non-cryptanalysts generally *do* take this as a *validation* process which produces ciphers of "proven security." Cryptanalysts are not speaking up about whether "validation" and "proof" are useful terms for what they do, and that makes them part of the problem. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: AES Date: 11 May 1999 18:28:15 GMT From: lamontg@bite.me.spammers Message-ID: <7h9srv$jmu$1@nntp6.u.washington.edu> References: <37349279.8785332@news.io.com> Newsgroups: sci.crypt Lines: 126 ritter@io.com (Terry Ritter) writes: >On Sat, 08 May 1999 15:58:43 GMT, in <37345f07.1126444@news.visi.com>, >in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: >>This has proven to be a very tiresome conversation. I apologise if >>you dislike our language. > >You already apologized. I assumed you were going to let it drop. > >This is not an issue of mere words, about which to use when. Yes it is an issue of mere words. >(Though >one might *well* think that a question in sci.crypt, to a technical >authority, ought to imply "proof" in the mathematical sense.) It was a question posed by someone who had presented no evidence of being a technical authority, it was phrased as though he was using the empirical use of the word "prove" and not the mathematical sense. It was merely answered by Mr Schneier and he adopted the same terms which he saw the original poster using, and I don't understand why you have such a painful stick up your ass about this issue of language. >The issue goes deeper than words: it goes to the perception of "proven >security" as a result of cryptanalysis or use. "proven to be secure" There is a subtle difference in meaning which apparently escapes you. As someone who is more of a physicist than a mathematician i have no problem with this language. I can say that general relativity has "proven to be correct" while understanding that tomorrow it could very well be proven to be incorrect -- in fact I entirely expect that this will happen some day. >Presumably it is the >years of cryptanalysis of DES which leads to this, and it is not just >a delusion of the general public but a perception which is repeatedly >affirmed by technical authorities (as happened here). The term >"validation" has also been used. But not here. So why bring it up other than to confuse the issue? >But as far as I can tell, a logic of >cryptanalytic validation goes something like this: > >1. Assuming academic cryptanalysis is the best possible, >2. if cryptanalysis has found no break, then >3. no break is possible. Interesting. Care to show me where Mr. Schneier has suggested that this logic is valid? Or are you simply using rhetorical games to try to put words in his mouth? (yes that's a rhetorical question) I've never, ever seen Bruce say anything even remotely suggesting that he would accept (3.) in that list as a conclusion. The fact that you're suggesting that he'd hold such opinions says a whole lot more about you and why you're attacking him than it does about what he's written. >No cryptanalyst will ever put this so baldly. But we see in practice >the sequence: new cipher designs, subjected to academic cryptanalysis, >then generally approved for use, which seems to be an expression of >the above logic. It seems to be about the best we can do. Barring a formal proof of security in the mathematical sense (the holy grail of cryptography) there seems to be no better option than to go with the cipher that has proven to be secure through time. [...] >In practice our ciphers confront opponents whose knowledge and >capabilities exceed the academic literature. Just because academics >cannot find a break does not mean the opponents cannot. This should be filed under D for "Duh." >It is a >*realistic* possibility that DES has been broken in secret from the >time it was designed and that we still do not know that. Yes. However, DES has been around for a very long time, and has more extensive public cryptanalysis than probably any other algorithm, and the rewards (prestige, furtherance of career) for breaking DES would be substantial. This is in some sense just a glorified "crypto contest" which we agree is not any indication of security -- however it has been going on for 20 years with the highest rewards that the crypto community could offer the person that broke it. Against this kind of a challenge DES has proven to be secure. >And while we >might wish and hope to call this "improbable," that would be pasting >the illusion of scientific analysis on something which cannot (yet) be >quantified. Why on earth does "improbable" imply to you anything about scientific analysis or quantification? To me it implies exactly that opposite -- saying that something is improbably almost certainly means (to me) that someone is making a judgement call and weighing the percieved risks. >It is just such a quantification that "proven secure" >implies to me, and that is bad science. Well, we clearly disagree. >I think people get so involved in the technical aspects of >cryptanalysis that they forget the logic of what this does or does not >prove. Non-cryptanalysts generally *do* take this as a *validation* >process which produces ciphers of "proven security." Cryptanalysts >are not speaking up about whether "validation" and "proof" are useful >terms for what they do, and that makes them part of the problem. What I think is part of the problem is professional cryptographers on sci.crypt who decide to attack other cryptographers over obviously fabricated issues, just so that they can attack them. It is the kind of behavior that I expect out of Mr. SCOTT19U.ZIP. I read what Bruce wrote and I gave him the very obvious benefit of the doubt about the language that was being used. You read Bruce and figured that now was a good time to try to make yourself look smart by attacking Bruce on a stupid detail. I'm getting quite tired of some of the people on this list who should know better jumping all over Bruce the second he is percieved as making the slightest mis-step. If you're upset about the fact that Bruce is more popular, then get off of Usenet and go write your own damn book. -- Lamont Granquist (lamontg@u.washington.edu) ICBM: 47 39'23"N 122 18'19"W
Subject: Re: AES Date: Wed, 12 May 1999 19:32:47 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3739d5dd.5435189@news.io.com> References: <7h9srv$jmu$1@nntp6.u.washington.edu> Newsgroups: sci.crypt Lines: 217 On 11 May 1999 18:28:15 GMT, in <7h9srv$jmu$1@nntp6.u.washington.edu>, in sci.crypt lamontg@bite.me.spammers wrote: >ritter@io.com (Terry Ritter) writes: >[...] >As someone who is more of a physicist than a mathematician i have no problem >with this language. I can say that general relativity has "proven to be >correct" while understanding that tomorrow it could very well be proven to >be incorrect -- in fact I entirely expect that this will happen some day. Then you fundamentally misunderstand even your own field. The facts of relativity, as tested, do not change when a new theory is proposed. Relativity is unlikely to be "proven incorrect." Instead, there will be certain areas where the theory incorrectly models reality. The whole point of a new physical theory is to provide at least as good a model as the old, and cover even more. There is a fundamental difference between cryptography and physics with respect to provability: In physics, we can use the model to predict outcomes and then measure those outcomes in reality; the extent to which we get a match is the extent to which we have a good theory. But in cryptography, we cannot model strength. There is no computation which gives the strength value, and there is no experiment which allows us to confirm it. The only thing we have are some attacks which require some amount effort, but they give us no assurance at all that some very clever but absolutely trivial successful attack does not exist. The very concept of "proven security" in cryptography currently has no practical meaning. >>But as far as I can tell, a logic of >>cryptanalytic validation goes something like this: >> >>1. Assuming academic cryptanalysis is the best possible, >>2. if cryptanalysis has found no break, then >>3. no break is possible. > >Interesting. Care to show me where Mr. Schneier has suggested that this >logic is valid? Or are you simply using rhetorical games to try to put >words in his mouth? (yes that's a rhetorical question) If you don't like *my* syllogism, perhaps you can provide one which *does* imply cipher strength. What is your interpretation of this process? And that is not rhetorical. In my view, the whole concept is bankrupt, and these continued attempts to extend what is now clearly an unworkable process can only damage users and thus the field itself. It is time to have a clear understanding of what cryptanalysis provides, and that is an upper bound on strength, with no lower bound. To provide any implication of security, we must have a lower bound on strength. Currently, that is zero. >I've never, ever seen Bruce say anything even remotely suggesting that >he would accept (3.) in that list as a conclusion. The fact that you're >suggesting that he'd hold such opinions says a whole lot more about you and >why you're attacking him than it does about what he's written. I would say that your perception that I am attacking Schneier -- instead of the false ideas he promotes -- says more about you than me. My words were "as far as I can tell" and "a logic of validation": it is you who assign those words to Schneier, not me. But Schneier does promote the use of cryptanalysis as the way we know cipher strength -- I think that is a fair quick summary of his position -- which implies that he *does* have *some* logic which in his mind *does* provide some logical implication of strength. And while I have become convinced that any such logic is false, if someone can come up with workable logic which does produce such a conclusion, I would have to accept it. >>No cryptanalyst will ever put this so baldly. But we see in practice >>the sequence: new cipher designs, subjected to academic cryptanalysis, >>then generally approved for use, which seems to be an expression of >>the above logic. So I clearly *did* show my doubt that Schneier would ever *express* such a syllogism. The question is, "What syllogism *does* he use?" In what way *can* cryptanalytic results *ever* be used to imply user information security? >It seems to be about the best we can do. Barring a formal proof of >security in the mathematical sense (the holy grail of cryptography) there >seems to be no better option than to go with the cipher that has proven >to be secure through time. So, basically, since we have no way to find a lower bound on strength, we will just ignore it. We will ignore the idea that any cipher might have a trivial break which we do not know. We will encourage users to believe they have "proven security," while knowing that we have no such thing. In other fields, making claims which cannot be supported would be called "deceptive," or perhaps even "fraud." >[...] >>It is a >>*realistic* possibility that DES has been broken in secret from the >>time it was designed and that we still do not know that. > >Yes. However, DES has been around for a very long time, and has more >extensive public cryptanalysis than probably any other algorithm, and the >rewards (prestige, furtherance of career) for breaking DES would be >substantial. This is in some sense just a glorified "crypto contest" which >we agree is not any indication of security -- however it has been going on >for 20 years with the highest rewards that the crypto community could offer >the person that broke it. Against this kind of a challenge DES has proven >to be secure. No, DES has *not* proven to be secure. It has simply no break that we know about. Not knowing about weakness is far different than having proven security. The very idea that we could on the one hand admit that DES *might* be broken, and then call it "secure" -- simply because we do not know for sure that a break exists -- sounds crazy. Not *knowing* that our cipher is broken is the *normal* situation for a cipher being broken. It is all we ever know of the worst possible case when our information is being harvested and wisely exploited. Our only reasonable choice is to assume that the cipher *might* be broken. And that can hardly be called "secure." >>And while we >>might wish and hope to call this "improbable," that would be pasting >>the illusion of scientific analysis on something which cannot (yet) be >>quantified. > >Why on earth does "improbable" imply to you anything about scientific >analysis or quantification? To me it implies exactly that opposite -- saying >that something is improbably almost certainly means (to me) that someone is >making a judgement call and weighing the percieved risks. But in cryptography we *have* no information on which to perceive risks. We do not know the "absolute strength" of our ciphers. We do not know the capabilities of our opponents. We do not know how many of our designs have been broken by our opponents. There is simply no information upon which to base a risk analysis or a judgment call. >[...] >What I think is part of the problem is professional cryptographers on >sci.crypt who decide to attack other cryptographers over obviously >fabricated issues, just so that they can attack them. If you are referring to me, in this case, your interpretation is false. I have a substantial history of messages and writings which directly confront the issue of proof in cryptography, and my position has not changed to allow me to attack the current guru. Schneier created the problem; I did not go after him. On the other hand, to the extent that Schneier has in recent months actively promoted various ideas which are logically insupportable, we will find that I oppose those ideas. >It is the kind of >behavior that I expect out of Mr. SCOTT19U.ZIP. I think you need to look to yourself to find why you take a rational issue in personal terms. Attacking Schneier's misuse of these terms is not an attack on Schneier, and certainly not an attack on you. Unless, of course, you think there *is* "proven security" in cryptography, in which case this reality may be quite distressing to you. >I read what Bruce wrote >and I gave him the very obvious benefit of the doubt about the language >that was being used. Then you are giving him far too much benefit. As an "authority," Schneier has a responsibility to not mislead those who ask for his advice. Schneier is a writer to whom words are professional tools, who is well aware that words can be misinterpreted, and he can take action to prevent that. In this case he did not. The idea that there is anything in cryptography like "proven security" is a widespread misconception which can lead to a fruitless unending search for the holy grail which is said to exist. This belief is a serious problem which can undermine the attempt of any student to put the field into perspective. Your acceptance of words which can be misinterpreted is the wrong way to go -- instead we should expect statements which are provably correct (and not just not proven wrong) which have a clear meaning. When ambiguity exists, we should expect a discussion to resolve that in the context of the truth. This *is* that discussion. >You read Bruce and figured that now was a good time >to try to make yourself look smart by attacking Bruce on a stupid detail. It is hardly a stupid detail; it is at the basis of understanding what cryptography can do. >I'm getting quite tired of some of the people on this list who should >know better jumping all over Bruce the second he is percieved as making >the slightest mis-step. If you're upset about the fact that Bruce is >more popular, then get off of Usenet and go write your own damn book. You need to first of all be more tolerant, and second to understand that a whole range of possible motives can produce pretty much the same actions. Your interpretation of my motives in those actions is false, and consequently says more about you than me. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: AES Date: Tue, 11 May 1999 22:28:17 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <3738aba1.567668@news.prosurfr.com> References: <37349279.8785332@news.io.com> Newsgroups: sci.crypt Lines: 36 ritter@io.com (Terry Ritter) wrote, in part: >In practice our ciphers confront opponents whose knowledge and >capabilities exceed the academic literature. Just because academics >cannot find a break does not mean the opponents cannot. This is a true statement, although some people will express doubts about it. Doubt #1: The open atmosphere of free inquiry lets science progress best, so even the NSA isn't *far* ahead of the academic community, Doubt #2: What are you, some kind of spy or crook, that you don't want the U.S. Government to read your mail? There are arguments against these doubts; I won't dwell on them, except to note that cryptanalysis is specialized and esoteric, and it is a _marginal_ subject in academia; only a very few lucky professors are allowed to get away with doing a major amount of their research in this subject. The closed confines of the NSA represent a bigger academic community for this subject than the open academic community - probably several times over. Opponents stronger than the academics *do* still exist, and these doubts, which basically are based on the premise that the NSA is the only such opponent, don't banish them all. I will now proceed to name some of them: - The intelligence agencies of China, France, Russia, and other countries that may wish to spy even on legitimate businesses; - Hackers seeking to read your messages 20 years from now, who will have the benefit of what academics *will* know in 20 years. John Savard ( teneerf<- ) http://members.xoom.com/quadibloc/index.html
Subject: Re: AES Date: Wed, 05 May 1999 16:52:38 +0200 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <37305B36.831A9CA5@stud.uni-muenchen.de> References: <372fcc2b.7300595@news.io.com> Newsgroups: sci.crypt Lines: 15 Terry Ritter wrote: > > > Sorry. There is NO proof of strength for Triple-DES or any other > cipher in cryptography. Minute restriction: The OTP is provably secure. But the (theoretically) random keystream can't be obtained in practice (or rather the keystream can't be proved to be (theoretically) random). So the proof is in a certain sense a 'circular' one in my humble opinion. The consequence of the fact you pointed out is that there can only be 'practical' security. Persuing absolute security is more or less like persuing eternal life. M. K. Shen
Terry Ritter, his current address, and his top page.
Last updated: 2001-06-03