Triple-DES is Proven to be Very Secure?


Terry Ritter


A Ciphers By Ritter Page


In a discussion about AES, we find the statement made and agreed that "Triple-DES is proven to be very secure." That was enough for me, since there is no such "proof," either in mathematics or in practice.

Probably I did not confront the issue as well as I should have. The issue is not semantic: Even under the most casual interpretation of the word "proof," decades of use certainly have not "proven" anything about DES security. In fact, DES could be insecure right now, with decades of use being a mere smokescreen to hide that reality and encourage further use.

The problem is fundamental, and lies at the foundation of cryptography: We use puzzles to hide our secrets from unknown opponents, but if our opponents succeed in solving our puzzles (and reading our secrets), they will not tell us. And that means we will continue to use the same puzzles and thus continue to serve up our secrets on a platter.

Cryptography is distinguished from all other areas of design and construction in that we cannot know whether or not it is "working." We don't know when a cipher is failing to keep our secrets, so we don't know when it should be changed or fixed. This has massive implications for the engineering of real security systems. Sooner or later this issue must be confronted head on.

Contents


Subject: Re: AES
Date: Tue, 04 May 1999 21:39:14 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <372f6808.26884312@news.visi.com>
References: <925496288.733.18@news.remarQ.com>
Newsgroups: sci.crypt
Lines: 45

On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
<anthony.ho@controldynamics.com> wrote:

>There is sometimes wonder comes cross my mind why the AES is necessary.  

Good question, actually.  Certainly triple-DES is more than secure
enough for the forseeable future, and has the benefit of being
well-studied and well-trusted.

>I
>thought security is not based on the algorithm itself,

It certainly is.  If the algorithm is bad, no key length can save it.
A long key is necessary for security, but not sufficient.

>key length can be
>increased to increase security

Not all algorithms have a variable-length key.  Triple-DES, for
example, has a 112-bit key.

>and algorithm such as Triple-DES is proven
>to be very secure.

Agreed.

There are a few reasons to have AES.  The first is that DES was
designed for mid-70s hardware, and is sluggish in software.  The
leading AES candidates are about 8 times faster on high-end CPUs than
triple-DES.  They are also more flexible on 8-bit smart cards, 64-bit
CPUs, ARM processors, standard cell hardware implementations, parallel
processors, etc.

The second is that DES (and triple-DES) has a 64-bit block.  AES has a
128-bit block.  There are applications where the shorter block length
has security implications.

The third is that it's about the most fun you can have as a block
cipher designer.  And I thank NIST for doing this.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com



Subject: Re: AES
Date: Tue, 04 May 1999 23:18:12 GMT
From: SCOTT19U.ZIP_GUY <dscott@networkusa.net>
Message-ID: <7gnv7g$56a$1@nnrp1.dejanews.com>
References: <372f6808.26884312@news.visi.com>
Newsgroups: sci.crypt
Lines: 24

In article <372f6808.26884312@news.visi.com>,
  schneier@counterpane.com (Bruce Schneier) wrote:

> >and algorithm such as Triple-DES is proven
> >to be very secure.
>
> Agreed.
>

  Really!
  Just where is this proof that you seem to be talking
about. My guess is that you don't really know of such
a proof.

 David Scott

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
to email me use address on WEB PAGE

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    



Subject: Re: AES
Date: Wed, 05 May 1999 00:11:24 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-0505990011250001@dial-243-114.itexas.net>
References: <7gnv7g$56a$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 32

In article <7gnv7g$56a$1@nnrp1.dejanews.com>, SCOTT19U.ZIP_GUY
<dscott@networkusa.net> wrote:

> In article <372f6808.26884312@news.visi.com>,
>   schneier@counterpane.com (Bruce Schneier) wrote:
> 
> > >and algorithm such as Triple-DES is proven
> > >to be very secure.
> >
> > Agreed.
> >
> 
>   Really!
>   Just where is this proof that you seem to be talking
> about. My guess is that you don't really know of such
> a proof.
> 
>  David Scott
> 
All other factors aside, being able to confirm a key with a small amount
of ciphertext/plaintext does not bode well for an algorithm being really
strong.  

Don't think me mean for mentioning what Shannon once was getting at; it's
just the way it is, and this corollary makes lots of sense.....you should
burden your attacker with having to process lots of data to prove or
disprove anything.  Making the algorithm solvable with a block or two just
makes cracking more convenient; it that a reasonable goal for any but a
would be attacker to have?
-- 
If you think you are beaten, you are.
If you thing you dare not, you don't.



Subject: Re: AES
Date: 05 May 1999 14:54:04 +0200
From: "Ulrich Kuehn" <kuehn@uni-muenster.de>
Message-ID: <tpku2trd6dv.fsf@math.uni-muenster.de>
References: <jgfunj-0505990011250001@dial-243-114.itexas.net>
Newsgroups: sci.crypt
Lines: 28

jgfunj@vgrknf.arg (wtshaw) writes:
> > 
> All other factors aside, being able to confirm a key with a small amount
> of ciphertext/plaintext does not bode well for an algorithm being really
> strong.  
> 
> Don't think me mean for mentioning what Shannon once was getting at; it's
> just the way it is, and this corollary makes lots of sense.....you should
> burden your attacker with having to process lots of data to prove or
> disprove anything.  Making the algorithm solvable with a block or two just
> makes cracking more convenient; it that a reasonable goal for any but a
> would be attacker to have?

This is a principle problem. It is the unicity distance that makes
a correct key detectable with only small amounts of plaintext. The actual
amount needed of course depends on the entropy of the plaintext as well
as the length of the key.
But this is not the point. Being able to (easily) check a correctly
guessed key does not give you any hint about how to get it.

Ciao,
Ulrich
-- 
Ulrich Kuehn ------------------ ukuehn@acm.org
                    kuehn@math.uni-muenster.de
        http://wwwmath.uni-muenster.de/~kuehn/





Subject: Re: AES
Date: Wed, 05 May 1999 09:57:26 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-0505990957270001@dial-243-084.itexas.net>
References: <tpku2trd6dv.fsf@math.uni-muenster.de>
Newsgroups: sci.crypt
Lines: 33

In article <tpku2trd6dv.fsf@math.uni-muenster.de>, "Ulrich Kuehn"
<kuehn@uni-muenster.de> wrote:

> jgfunj@vgrknf.arg (wtshaw) writes:
> > > 
> > All other factors aside, being able to confirm a key with a small amount
> > of ciphertext/plaintext does not bode well for an algorithm being really
> > strong.  
> > 
> > Don't think me mean for mentioning what Shannon once was getting at; it's
> > just the way it is, and this corollary makes lots of sense.....you should
> > burden your attacker with having to process lots of data to prove or
> > disprove anything.  Making the algorithm solvable with a block or two just
> > makes cracking more convenient; it that a reasonable goal for any but a
> > would be attacker to have?
> 
> This is a principle problem. It is the unicity distance that makes
> a correct key detectable with only small amounts of plaintext. The actual
> amount needed of course depends on the entropy of the plaintext as well
> as the length of the key.
> But this is not the point. Being able to (easily) check a correctly
> guessed key does not give you any hint about how to get it.
> 
But, being unable to easily check for a correctly guess key compounds the
problem for the attacker, whose problems I like to compound.  The wisdom
of not having an easily hacked algorithm is sound, so is that of having a
large keyspace that could be brute forced, as well as extending all steps
to be inconvenient timewise, not to mention keysetup times, which could be
quite demanding in brute force while trivial in routine processing.  Many
factors should be stacked-up against the proverbial attacker's wishes for
simplicity.
-- 
FUD--fear, uncertainty, doubt  



Subject: Re: AES
Date: Wed, 05 May 1999 04:46:48 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <372fcc2b.7300595@news.io.com>
References: <372f6808.26884312@news.visi.com>
Newsgroups: sci.crypt
Lines: 21


On Tue, 04 May 1999 21:39:14 GMT, in
<372f6808.26884312@news.visi.com>, in sci.crypt
schneier@counterpane.com (Bruce Schneier) wrote:

>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
><anthony.ho@controldynamics.com> wrote:

>[...]
>>and algorithm such as Triple-DES is proven
>>to be very secure.
>
>Agreed.

Sorry.  There is NO proof of strength for Triple-DES or any other
cipher in cryptography.  

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM



Subject: Re: AES
Date: 5 May 1999 06:51:39 GMT
From: lamontg@bite.me.spammers
Message-ID: <7goppr$lt6$1@nntp6.u.washington.edu>
References: <372fcc2b.7300595@news.io.com>
Newsgroups: sci.crypt
Lines: 26

ritter@io.com (Terry Ritter) writes:
>On Tue, 04 May 1999 21:39:14 GMT, in
><372f6808.26884312@news.visi.com>, in sci.crypt
>schneier@counterpane.com (Bruce Schneier) wrote:
>
>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
>><anthony.ho@controldynamics.com> wrote:
>
>>[...]
>>>and algorithm such as Triple-DES is proven
>>>to be very secure.
>>
>>Agreed.
>
>Sorry.  There is NO proof of strength for Triple-DES or any other
>cipher in cryptography.  

There are two different meanings of the word "prove."  One is the mathemtical
sense, and one is the empirical sense.  I assume the poster was making an
empirical statement, in which case it is true that through extensive use 
and analysis, Triple-DES has proven to be very secure.  It has not, however,
been proved to be secure.  Different uses of the verb "to prove."

-- 
Lamont Granquist (lamontg@u.washington.edu)
ICBM: 47 39'23"N 122 18'19"W



Subject: Re: AES
Date: Wed, 05 May 1999 09:49:31 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-0505990949310001@dial-243-084.itexas.net>
References: <7goppr$lt6$1@nntp6.u.washington.edu>
Newsgroups: sci.crypt
Lines: 20

In article <7goppr$lt6$1@nntp6.u.washington.edu>, lamontg@bite.me.spammers
wrote:

> ritter@io.com (Terry Ritter) writes:
> >
> >Sorry.  There is NO proof of strength for Triple-DES or any other
> >cipher in cryptography.  
> 
> There are two different meanings of the word "prove."  One is the mathemtical
> sense, and one is the empirical sense.  I assume the poster was making an
> empirical statement, in which case it is true that through extensive use 
> and analysis, Triple-DES has proven to be very secure.  It has not, however,
> been proved to be secure.  Different uses of the verb "to prove."
> 
This is the reason that claims by anyone that you disagree with are easily
classed as snake oil, because you define who you accept by empirical or by
strict definition.  Then, what this means is that defining snake oil can
be taken as snake oil in itself.
-- 
FUD--fear, uncertainty, doubt  



Subject: Re: AES
Date: 5 May 1999 11:44:28 -0400
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <7gpp0s$7g9$1@quine.mathcs.duq.edu>
References: <jgfunj-0505990949310001@dial-243-084.itexas.net>
Newsgroups: sci.crypt
Lines: 33

In article <jgfunj-0505990949310001@dial-243-084.itexas.net>,
wtshaw <jgfunj@vgrknf.arg> wrote:
>In article <7goppr$lt6$1@nntp6.u.washington.edu>, lamontg@bite.me.spammers
>wrote:
>
>> ritter@io.com (Terry Ritter) writes:
>> >
>> >Sorry.  There is NO proof of strength for Triple-DES or any other
>> >cipher in cryptography.  
>> 
>> There are two different meanings of the word "prove."  One is the mathemtical
>> sense, and one is the empirical sense.  I assume the poster was making an
>> empirical statement, in which case it is true that through extensive use 
>> and analysis, Triple-DES has proven to be very secure.  It has not, however,
>> been proved to be secure.  Different uses of the verb "to prove."
>> 
>This is the reason that claims by anyone that you disagree with are easily
>classed as snake oil, because you define who you accept by empirical or by
>strict definition.  Then, what this means is that defining snake oil can
>be taken as snake oil in itself.

On the other hand, most people -- or at least most intelligent readers
of sci.crypt -- can probably distinguish between semantic quibbles and
genuine issues of fact.  For example, one would need to be a raving
lunatic to disagree with the statement that DES (and by extension
3DES) have survived several decades of civilian, unclassified,
cryptanalysis with most of its strength intact.  By comparison,
Merkle-Hellman knapsacks lasted less than five years.  In a
practical sense, then, we know that DES is much stronger than
the basic knapsack, even if this difference isn't formalizable
in ZFC set theory or its extensions.

	-kitten



Subject: Re: AES
Date: Thu, 06 May 1999 13:23:18 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-0605991323180001@dial-243-080.itexas.net>
References: <7gpp0s$7g9$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 29

In article <7gpp0s$7g9$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu
(Patrick Juola) wrote:

> 
> On the other hand, most people -- or at least most intelligent readers
> of sci.crypt -- can probably distinguish between semantic quibbles and
> genuine issues of fact.  For example, one would need to be a raving
> lunatic to disagree with the statement that DES (and by extension
> 3DES) have survived several decades of civilian, unclassified,
> cryptanalysis with most of its strength intact.  By comparison,
> Merkle-Hellman knapsacks lasted less than five years.  In a
> practical sense, then, we know that DES is much stronger than
> the basic knapsack, even if this difference isn't formalizable
> in ZFC set theory or its extensions.
> 
The important thing is distinguishing these is to openly recognize whether
you are trying weigh ideas or merely slap down the ones you don't like; to
make a point, I sometimes may do some of the later, but it is not without
good reason from my point of view.

DES has proven to be in these days, still a moderately useful cipher, some
semifirm ground; now the problem is to extract from it what is more solid
and what is more liquid: I maintain that the lessons of DES are not fully
learned, and we may still harvest something good out of it if we can trim
away at the rotten parts, which I am expressly trying to do to the
complaints of the multitudes.
-- 
What's HOT: Honesty, Openness, Truth
What's Not: FUD--fear, uncertainty, doubt  



Subject: Re: AES
Date: Thu, 06 May 1999 23:47:38 GMT
From: William Hugh Murray <whmurray@sprynet.com>
Message-ID: <37322A73.9E492C8B@sprynet.com>
References: <jgfunj-0605991323180001@dial-243-080.itexas.net>
Newsgroups: sci.crypt
Lines: 51

This is a multi-part message in MIME format.
--------------AA628054C29A7C879F30D1A4

wtshaw wrote:
> DES has proven to be in these days, still a moderately useful cipher, some
> semifirm ground; now the problem is to extract from it what is more solid
> and what is more liquid: I maintain that the lessons of DES are not fully
> learned, and we may still harvest something good out of it if we can trim
> away at the rotten parts, which I am expressly trying to do to the
> complaints of the multitudes.
> --
> What's HOT: Honesty, Openness, Truth
> What's Not: FUD--fear, uncertainty, doubt

Moderately useful?  After more than twenty years, the cost of attack as
a function of the cost of encryption is exactly where it was when DES
was announced.  I would suggest that that is a very useful cipher.  I
would suggest that that is a timeless cipher.  Until that ratio begins
to fall, I can continue to make good use of that cipher.  

I certainly can not use it in the way that it was used twenty years ago
but there are, just as certainly, useful applications and safe modes. 
It will be a long time before we will know a fraction as much about an
AES candidate as we know about DES.  

William Hugh Murray
New Canaan, Connecticut
--------------AA628054C29A7C879F30D1A4
 name="whmurray.vcf"
 filename="whmurray.vcf"

begin:vcard 
n:Murray;William Hugh
tel;fax:800-690-7952
tel;home:203-966-4769
tel;work:203-966-4769
adr:;;;;;;
version:2.1
email;internet:whmurray@sprynet.com
fn:William Hugh Murray
end:vcard

--------------AA628054C29A7C879F30D1A4--




Subject: Re: AES
Date: Fri, 07 May 1999 22:39:51 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-0705992239520001@dial-243-082.itexas.net>
References: <37322A73.9E492C8B@sprynet.com>
Newsgroups: sci.crypt
Lines: 36

In article <37322A73.9E492C8B@sprynet.com>, William Hugh Murray
<whmurray@sprynet.com> wrote:

> This is a multi-part message in MIME format.
> --------------AA628054C29A7C879F30D1A4
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
> wtshaw wrote:
> > DES has proven to be in these days, still a moderately useful cipher, some
> > semifirm ground; now the problem is to extract from it what is more solid
> > and what is more liquid: I maintain that the lessons of DES are not fully
> > learned, and we may still harvest something good out of it if we can trim
> > away at the rotten parts, which I am expressly trying to do to the
> > complaints of the multitudes.
> 
> Moderately useful?  After more than twenty years, the cost of attack as
> a function of the cost of encryption is exactly where it was when DES
> was announced.  I would suggest that that is a very useful cipher.  I
> would suggest that that is a timeless cipher.  Until that ratio begins
> to fall, I can continue to make good use of that cipher. 

We are spliting hares (I say that because of a rabbit that I dressed out a
couple of days ago). It's hard to find middle ground these days...so on a
scale of 1 to 10, perhaps still 8+.  Ritter would not like the use of
numbers; saying *moderate* was an attempt to satisfy calling it good but
declining, as in it used to be a 10 for some.  I disliked it at its
beginning, including some of the same reasons it is falling into disfavor
with others these days.  Some of the very things I am now saying were old
thoughts with me when I read of DES in the original Scientific American
article.

Other ciphers appear less attackable.  As for me, I'll go with them now.
-- 
What's HOT: Honesty, Openness, Truth
What's Not: FUD--fear, uncertainty, doubt  



Subject: Re: AES
Date: Sat, 08 May 1999 16:01:00 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <37355f69.1224130@news.visi.com>
References: <37322A73.9E492C8B@sprynet.com>
Newsgroups: sci.crypt
Lines: 43

On Thu, 06 May 1999 23:47:38 GMT, William Hugh Murray
<whmurray@sprynet.com> wrote:

>wtshaw wrote:
>> DES has proven to be in these days, still a moderately useful cipher, some
>> semifirm ground; now the problem is to extract from it what is more solid
>> and what is more liquid: I maintain that the lessons of DES are not fully
>> learned, and we may still harvest something good out of it if we can trim
>> away at the rotten parts, which I am expressly trying to do to the
>> complaints of the multitudes.
>> --
>> What's HOT: Honesty, Openness, Truth
>> What's Not: FUD--fear, uncertainty, doubt
>
>Moderately useful?  After more than twenty years, the cost of attack as
>a function of the cost of encryption is exactly where it was when DES
>was announced.  

No, that's not true.  You're assuming that the cost to build a DES
encryption engine and the cost to build a DES breaking engine have
followed exactly the same "Moore's Law" curve, which they have not.

>I would suggest that that is a very useful cipher.  I
>would suggest that that is a timeless cipher.  Until that ratio begins
>to fall, I can continue to make good use of that cipher.  

The ratio has fell and will probably continue to fall.

>I certainly can not use it in the way that it was used twenty years ago
>but there are, just as certainly, useful applications and safe modes. 

Only against some threat models.  Again, the ratio has changed.

>It will be a long time before we will know a fraction as much about an
>AES candidate as we know about DES. 

Agreed.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com



Subject: Re: AES
Date: Sun, 09 May 1999 00:54:39 -0600
From: jgfunj@vgrknf.arg (wtshaw)
Message-ID: <jgfunj-0905990054400001@dial-243-085.itexas.net>
References: <37355f69.1224130@news.visi.com>
Newsgroups: sci.crypt
Lines: 22

In article <37355f69.1224130@news.visi.com>, schneier@counterpane.com
(Bruce Schneier) wrote:

> On Thu, 06 May 1999 23:47:38 GMT, William Hugh Murray
> <whmurray@sprynet.com> wrote about DES:
> 
...
> 
> >I certainly can not use it in the way that it was used twenty years ago
> >but there are, just as certainly, useful applications and safe modes. 
> 
> Only against some threat models.  Again, the ratio has changed.
> 
I'm reminded of a tag someone used a few months ago: "When the horse dies,
get off."

DES is no longer a running thourghbred; whether it is still worth feeding
is another question.  It seems it is out to pasture at any rate, or
perhaps still standing at stud.
-- 
What's HOT: Honesty, Openness, Truth
What's Not: FUD--fear, uncertainty, doubt  



Subject: Re: AES
Date: Wed, 05 May 1999 14:13:47 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <373051d9.3696549@news.visi.com>
References: <372fcc2b.7300595@news.io.com>
Newsgroups: sci.crypt
Lines: 29

On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote:

>
>On Tue, 04 May 1999 21:39:14 GMT, in
><372f6808.26884312@news.visi.com>, in sci.crypt
>schneier@counterpane.com (Bruce Schneier) wrote:
>
>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
>><anthony.ho@controldynamics.com> wrote:
>
>>[...]
>>>and algorithm such as Triple-DES is proven
>>>to be very secure.
>>
>>Agreed.
>
>Sorry.  There is NO proof of strength for Triple-DES or any other
>cipher in cryptography. 

Sorry.  I thought he meant "proven" in the vernacular, as in "this
meal has proven to be very tasty."  I agree that there is no
mathematical proof of the strength of triple-DES, which has
nonetheless proven to be very secure (ans tasty).

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com



Subject: Re: AES
Date: Thu, 06 May 1999 19:21:23 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3731eba9.5752548@news.io.com>
References: <373051d9.3696549@news.visi.com>
Newsgroups: sci.crypt
Lines: 55


On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>,
in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote:
>
>>
>>On Tue, 04 May 1999 21:39:14 GMT, in
>><372f6808.26884312@news.visi.com>, in sci.crypt
>>schneier@counterpane.com (Bruce Schneier) wrote:
>>
>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
>>><anthony.ho@controldynamics.com> wrote:
>>
>>>[...]
>>>>and algorithm such as Triple-DES is proven
>>>>to be very secure.
>>>
>>>Agreed.
>>
>>Sorry.  There is NO proof of strength for Triple-DES or any other
>>cipher in cryptography. 
>
>Sorry.  I thought he meant "proven" in the vernacular, as in "this
>meal has proven to be very tasty."  I agree that there is no
>mathematical proof of the strength of triple-DES, which has
>nonetheless proven to be very secure (ans tasty).

It turns out to be difficult to justify such a statement even using a
non-mathematical definition of "proof."  For example:

We can say a race car is "proven" in practice:  We can see it run for
some time at some speed and compare it to other entrants.  Basically a
car is movement at speed and we can see that.  

We can say a cipher program is "proven" in practice:  We can see it
encipher data, produce junk, then recover the original data.  We can
see whether or not the program crashes.  We thus see the program
perform its functions.  

But the function of a cipher is to hide information from others.
Simply using a cipher for a long time while not specifically knowing
that it exposes secrets hardly means the secrets are secure.  We have
no way to *see* whether or not hiding occurs; we have no way to see a
cipher perform its function.  So we simply do not have the same sort
of practical experience that we commonly call "proven."  

I would say that simply using a cipher for a long time -- and not
specifically knowing it is broken -- does *not* constitute "proven
security," by any definition of "proof."  

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM



Subject: Re: AES
Date: 6 May 1999 15:45:16 -0400
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <7gsrgc$9hn$1@quine.mathcs.duq.edu>
References: <3731eba9.5752548@news.io.com>
Newsgroups: sci.crypt
Lines: 85

In article <3731eba9.5752548@news.io.com>, Terry Ritter <ritter@io.com> wrote:
>
>On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>,
>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>
>>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote:
>>
>>>
>>>On Tue, 04 May 1999 21:39:14 GMT, in
>>><372f6808.26884312@news.visi.com>, in sci.crypt
>>>schneier@counterpane.com (Bruce Schneier) wrote:
>>>
>>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
>>>><anthony.ho@controldynamics.com> wrote:
>>>
>>>>[...]
>>>>>and algorithm such as Triple-DES is proven
>>>>>to be very secure.
>>>>
>>>>Agreed.
>>>
>>>Sorry.  There is NO proof of strength for Triple-DES or any other
>>>cipher in cryptography. 
>>
>>Sorry.  I thought he meant "proven" in the vernacular, as in "this
>>meal has proven to be very tasty."  I agree that there is no
>>mathematical proof of the strength of triple-DES, which has
>>nonetheless proven to be very secure (ans tasty).
>
>It turns out to be difficult to justify such a statement even using a
>non-mathematical definition of "proof."  For example:
>
>We can say a race car is "proven" in practice:  We can see it run for
>some time at some speed and compare it to other entrants.  Basically a
>car is movement at speed and we can see that.  
>
>We can say a cipher program is "proven" in practice:  We can see it
>encipher data, produce junk, then recover the original data.  We can
>see whether or not the program crashes.  We thus see the program
>perform its functions.  
>
>But the function of a cipher is to hide information from others.
>Simply using a cipher for a long time while not specifically knowing
>that it exposes secrets hardly means the secrets are secure.  We have
>no way to *see* whether or not hiding occurs; we have no way to see a
>cipher perform its function.  So we simply do not have the same sort
>of practical experience that we commonly call "proven."  

But it's no more difficult than Bruce Schneier's original example :
"this meal has proven to be very tasty."   There's no objective
standard for "tasty"; the only "proof" I can offer is that I got
a hundred people together and fed them the meal, and they all
responded positively about how it tasted.

This examples illustrates nicely some of the issues involved :
at one level of "proof", all it really means is that *I* liked the
meal, and you have no reason to believe me or to trust my judgement.
(Are you paying attention, Mr. Scott?)  If I tell you I made egg-and-olive
ice cream and it proved delicious, you may not regard this as sufficient
evidence.  Certainly not if you were TCBY and looking for new flavors.

At another level, I could present my meal to a large collection of people
and see what they all said.  Yes, some of them might lie.  Yes, some of
them might not like the meal -- but if 99% of the people said that they
liked it, that might be sufficient for you (or TCBY) to believe
that it's "tasty."

A third level of "proof" might involve a carefully selected group of
food critics and chefs known for their discriminating palettes; when
they say it's "tasty", that means even more than when the man on the
street says so. 

>I would say that simply using a cipher for a long time -- and not
>specifically knowing it is broken -- does *not* constitute "proven
>security," by any definition of "proof."  

Simply using a cypher?  No.  But a lot of experts -- read : food
critics and chefs -- have looked at DES for a long time, and so
far no one has gone on record as saying they regard it as "not
tasty."  If you look at 20 years worth of restaurant reviews regarding
a particular restaurant, and without exception every one of them was
good, wouldn't that constitute effective "proof" that the restaurant
served good food?

	-kitten



Subject: Re: AES
Date: Fri, 07 May 1999 10:42:38 -0400
From: fullmoon@aspi.net
Message-ID: <3732FBDE.2F94E7A@aspi.net>
References: <7gsrgc$9hn$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 120

Patrick Juola wrote:
> 
> In article <3731eba9.5752548@news.io.com>, Terry Ritter <ritter@io.com> wrote:
> >
> >On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>,
> >in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
> >
> >>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote:
> >>
> >>>
> >>>On Tue, 04 May 1999 21:39:14 GMT, in
> >>><372f6808.26884312@news.visi.com>, in sci.crypt
> >>>schneier@counterpane.com (Bruce Schneier) wrote:
> >>>
> >>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
> >>>><anthony.ho@controldynamics.com> wrote:
> >>>
> >>>>[...]
> >>>>>and algorithm such as Triple-DES is proven
> >>>>>to be very secure.
> >>>>
> >>>>Agreed.
> >>>
> >>>Sorry.  There is NO proof of strength for Triple-DES or any other
> >>>cipher in cryptography.
> >>
> >>Sorry.  I thought he meant "proven" in the vernacular, as in "this
> >>meal has proven to be very tasty."  I agree that there is no
> >>mathematical proof of the strength of triple-DES, which has
> >>nonetheless proven to be very secure (ans tasty).
> >
> >It turns out to be difficult to justify such a statement even using a
> >non-mathematical definition of "proof."  For example:
> >
> >We can say a race car is "proven" in practice:  We can see it run for
> >some time at some speed and compare it to other entrants.  Basically a
> >car is movement at speed and we can see that.
> >
> >We can say a cipher program is "proven" in practice:  We can see it
> >encipher data, produce junk, then recover the original data.  We can
> >see whether or not the program crashes.  We thus see the program
> >perform its functions.
> >
> >But the function of a cipher is to hide information from others.
> >Simply using a cipher for a long time while not specifically knowing
> >that it exposes secrets hardly means the secrets are secure.  We have
> >no way to *see* whether or not hiding occurs; we have no way to see a
> >cipher perform its function.  So we simply do not have the same sort
> >of practical experience that we commonly call "proven."
> 
> But it's no more difficult than Bruce Schneier's original example :
> "this meal has proven to be very tasty."   There's no objective
> standard for "tasty"; the only "proof" I can offer is that I got
> a hundred people together and fed them the meal, and they all
> responded positively about how it tasted.
> 
> This examples illustrates nicely some of the issues involved :
> at one level of "proof", all it really means is that *I* liked the
> meal, and you have no reason to believe me or to trust my judgement.
> (Are you paying attention, Mr. Scott?)  If I tell you I made egg-and-olive
> ice cream and it proved delicious, you may not regard this as sufficient
> evidence.  Certainly not if you were TCBY and looking for new flavors.
> 
> At another level, I could present my meal to a large collection of people
> and see what they all said.  Yes, some of them might lie.  Yes, some of
> them might not like the meal -- but if 99% of the people said that they
> liked it, that might be sufficient for you (or TCBY) to believe
> that it's "tasty."
> 
> A third level of "proof" might involve a carefully selected group of
> food critics and chefs known for their discriminating palettes; when
> they say it's "tasty", that means even more than when the man on the
> street says so.

Does it?  I suspect not. The man-on-the-street (MOTS) is expressing a
willingness to buy.  The critics and experts are selling something:
their expertise.

The field of subjective judgements is filled with examples of contrarian
reactions from experts vs MOTS.  Movies and theatrical plays are
notorious for the inverse relationship between critical success and
box-office success.

Similarly, figure skating competition features critics and experts
(judges) who have vastly different criteria than the average audience. 
A Disney skating show does not resemble a competition at all.  The
former is aimed at the critics, and the latter at the audience.

Let's consider judging ciphers by the same dual standard.  Financial
sucess can be considered orthogonal to critical success.  And neither
have any rigorous relationship to security.  They simply pander to
different tastes in information security.

> 
> >I would say that simply using a cipher for a long time -- and not
> >specifically knowing it is broken -- does *not* constitute "proven
> >security," by any definition of "proof."
> 
> Simply using a cypher?  No.  But a lot of experts -- read : food
> critics and chefs -- have looked at DES for a long time, and so
> far no one has gone on record as saying they regard it as "not
> tasty."  If you look at 20 years worth of restaurant reviews regarding
> a particular restaurant, and without exception every one of them was
> good, wouldn't that constitute effective "proof" that the restaurant
> served good food?

It would depend on who assembled the collection of reviews.  Note that a
collection without any negative criticism would convince me that someone
was distoring the truth.

Let's let our paranoia run a little loose and inspect the relationships
between academic funding and the national security interests.  Before we
ask how tightly connected these issue are, let's ask how visible the
connections are.  It is demonstrably within the capability, interest,
and practice of the national security interests to /i/n/t/e/r/f/e/r/e/
intervene in the academic funding world.  Thus the collection of reviews
that I would like to rely upon is tainted.  How badly?  I wish I knew.

> 
>         -kitten



Subject: Re: AES
Date: Sun, 09 May 1999 05:32:39 GMT
From: dianelos@tecapro.com
Message-ID: <7h36ln$o0n$1@nnrp1.deja.com>
References: <7gsrgc$9hn$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 60

    I don't think that the way we gain trust in general is
    directly applicable to cryptography. Here is my point:

    a) For better or worse, cryptography is considered a discipline of
       mathematics where the word "proof" (and its derivatives) has a
       clear and strong meaning.

    b) Many people who read sci.crypt are not experts in cryptography.

    c) At all levels people make choices and use technology without
       really understanding it - the result can be very costly (see
       agrochemicals, energy consumption or the Y2K error). There are
       a lot of misconceptions too about cryptography and it is
       important to minimize that.

    d) Bruce Schneier is one of the most well known and well respected
       cryptographers.

    Now, the original statement to which Schneier agreed was: "Triple
    DES is proven to be very secure". We can argue that this statement
    is correct within the common use of the English language. But it
    is a fact that many people who read this followed by Schneier's
    validation will understand that there is a mathematical proof for
    the security of 3DES. Therefore I think the reaction of Scott and
    Ritter in this thread is valid. It is important that everybody who
    makes decisions about information security clearly understand that
    there is no proof about the strength of any published block
    cipher. There is only expert opinion at a level somehow lower than
    a doctor's who recommends surgery and somehow higher than a food
    critic's who recommends a restaurant.

    I think that if cryptography were considered an engineering
    discipline then it would be easier to visualize the situation.
    For example, historically bridges did _prove_ themselves by
    withstanding particular weights long before mechanics was
    discovered. Even now there are not really proofs (in the
    mathematical sense) that a bridge will work. Actually, only a few
    decades ago a modern bridge disintegrated under the effect of the
    wind (not a hurricane mind you, just normal wind). That bridge had
    an error in its design that made it resonate to the wind absorbing
    more and more energy until it came tumbling down. In the same way
    a cipher may fail in the future under an unforeseen attack. The
    trouble of course is that whereas the bridge in question was
    unique and all subsequent bridge designers avoided that particular
    flaw, if a catastrophic failure is suffered by a standard cipher
    the effect would desastrous and analogous to most bridges in the
    world tumbling down together.

    To me one answer to the problem of absence of proofs is
    super-encipherment where several ciphers of radically different
    designs are combined together. The analogy would be like building
    several bridges side by side. If one of them should fail, the
    other(s) would keep our communication lines open. Fortunately, in
    many applications of information technology combining several
    ciphers is only marginally more expensive than using only one. (By
    the way, this is another argument in favor of not patenting
    ciphers.)

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    



Subject: Re: AES
Date: Sun, 09 May 1999 18:44:29 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3735d6dc.19558816@news.visi.com>
References: <7h36ln$o0n$1@nnrp1.deja.com>
Newsgroups: sci.crypt
Lines: 33

On Sun, 09 May 1999 05:32:39 GMT, dianelos@tecapro.com wrote:
>    Now, the original statement to which Schneier agreed was: "Triple
>    DES is proven to be very secure". We can argue that this statement
>    is correct within the common use of the English language. But it
>    is a fact that many people who read this followed by Schneier's
>    validation will understand that there is a mathematical proof for
>    the security of 3DES. 

Indeed.  In retrospect, I should have been more exact in my agreement.
This has proven to be linguisticly complicated.  Although the only
people who seems to have misunderstood is Terry Ritter, who you'd
think would be used to this kind of usage already, and David Scott,
who is mercifully in my kill file and whose posts I do not see.

>    To me one answer to the problem of absence of proofs is
>    super-encipherment where several ciphers of radically different
>    designs are combined together. The analogy would be like building
>    several bridges side by side. If one of them should fail, the
>    other(s) would keep our communication lines open. Fortunately, in
>    many applications of information technology combining several
>    ciphers is only marginally more expensive than using only one. (By
>    the way, this is another argument in favor of not patenting
>    ciphers.)

Multiple encryption is generally a good idea.  The only reason you
don't see it widely used in practice is that using N ciphers cuts the
performance by a factor of N (more or less).

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com



Subject: Re: AES
Date: Wed, 12 May 1999 06:12:02 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <37391B62.AF2A410F@null.net>
References: <3735d6dc.19558816@news.visi.com>
Newsgroups: sci.crypt
Lines: 9

Bruce Schneier wrote:
> Multiple encryption is generally a good idea.  The only reason you
> don't see it widely used in practice is that using N ciphers cuts
> the performance by a factor of N (more or less).

Without necessarily gaining proportionally in security.
If you have a good algorithm, it would seem to be better
to put the extra cycles into using that algorithm with a
longer key (for example).



Subject: Re: AES
Date: Wed, 12 May 1999 07:22:41 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <37392be7.2410068@news.io.com>
References: <37391B62.AF2A410F@null.net>
Newsgroups: sci.crypt
Lines: 37


On Wed, 12 May 1999 06:12:02 GMT, in <37391B62.AF2A410F@null.net>, in
sci.crypt "Douglas A. Gwyn" <DAGwyn@null.net> wrote:

>Bruce Schneier wrote:
>> Multiple encryption is generally a good idea.  The only reason you
>> don't see it widely used in practice is that using N ciphers cuts
>> the performance by a factor of N (more or less).
>
>Without necessarily gaining proportionally in security.
>If you have a good algorithm, it would seem to be better
>to put the extra cycles into using that algorithm with a
>longer key (for example).

That would seem to be a way to get more keyspace, but it does not
address the problems I want to address.  I think we already have
plenty of keyspace.  

The problems I see are that we first cannot guarantee the strength of
a cipher, and second cannot know when our cipher has been broken.
These are rarely keyspace issues.  But if we have only one cipher, and
our cipher is broken in secret, we will continue to use that cipher
and continue to expose our information.  

I want to first reduce the probability of a break by multi-ciphering
as a common expected process.  

I want the ability to change a cipher quickly and easily if new
results warrant changing ciphers.  

I want to terminate the extent of any break which does occur by
changing ciphers frequently.  

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM



Subject: Re: AES
Date: Wed, 12 May 1999 13:54:04 GMT
From: dianelos@tecapro.com
Message-ID: <7hc15l$2cc$1@nnrp1.deja.com>
References: <37391B62.AF2A410F@null.net>
Newsgroups: sci.crypt
Lines: 35

In article <37391B62.AF2A410F@null.net>,
  "Douglas A. Gwyn" <DAGwyn@null.net> wrote:
> Bruce Schneier wrote:
> > Multiple encryption is generally a good idea.  The only reason you
> > don't see it widely used in practice is that using N ciphers cuts
> > the performance by a factor of N (more or less).
>
> Without necessarily gaining proportionally in security.
> If you have a good algorithm, it would seem to be better
> to put the extra cycles into using that algorithm with a
> longer key (for example).

I understand that adding more rounds to a cipher increases its
resistance against known attacks exponentially. Combining ciphers
with different types of rounds should at the very least increase
resistance against known attacks exponentially too. In fact a
theoretical attack against one cipher may not work at all against
the other and therefore against the combination of the two. So I
think that multiple encryption increases security better than
proportionally.

Now, instead of increasing the "depth" of a cipher you propose to
increase its "width", i.e. the key size. I wonder how
cost-effective this is. Certainly it exponentially increases
resistance to exhaustive key search but this is the most primitive
type of attack. It seems to me that if the cipher has some kind of
structural flaw then increasing its key size may not significantly
increase its security. Basically all ciphers can be described as a
set of Boolean equations with as many unknowns as there are bits
in the key. The difficulty of solving sets of equations depends
more on the type of equations than on the number of unknowns.


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---



Subject: Re: AES
Date: Wed, 12 May 1999 23:11:30 -0400
From: Nicol So <nobody@no.spam.please>
Message-ID: <373A42E2.C9BB75AC@no.spam.please>
References: <37391B62.AF2A410F@null.net>
Newsgroups: sci.crypt
Lines: 37

Douglas A. Gwyn wrote:
> 
> Bruce Schneier wrote:
> > Multiple encryption is generally a good idea.  The only reason you
> > don't see it widely used in practice is that using N ciphers cuts
> > the performance by a factor of N (more or less).
> 
> Without necessarily gaining proportionally in security.
> If you have a good algorithm, it would seem to be better
> to put the extra cycles into using that algorithm with a
> longer key (for example).

I think most people are aware of that (there is no guarantee of
proportional gain in security).  I like to view Bruce's suggestion as
a conservative design heuristic.  Most (secret-key) block ciphers that
I've come across are iterated ciphers, in which the same construct is
composed with itself multiple times.  You could, if you wish, consider
such a cipher multiple encryption with the same cipher using
non-independent keys.  What multiple encryption (with unlike ciphers)
buys you, in my opinion, is some irregularity and, hopefully, less
susceptibility to undiscovered flaws in any single component construct.

Generally speaking, I think it is more difficult to generalize
observations about individual constructs to an iterated composition of
them, when dissimilar structures break up the regularity that would be 
present in iterated composition of a single construct.  If this view is 
close to being correct, it should be possible to obtain the same 
benefit by interleaving dissimilar round structures, not necessarily 
dissimilar "ciphers".

I basically agree with you, but I don't think I can reliably tell 
whether I've got a good algorithm.  In the absence of a convincing
argument to the contrary, it is tempting to resort to what one 
consider as conservative design heuristics to insure against what one
might have overlooked.

Nicol



Subject: Re: AES
Date: Fri, 07 May 1999 14:44:52 +0200
From: Volker Hetzer <hetzer.abg@sni.de>
Message-ID: <3732E044.4469E8DC@sni.de>
References: <3731eba9.5752548@news.io.com>
Newsgroups: sci.crypt
Lines: 27

Terry Ritter wrote:

> But the function of a cipher is to hide information from others.
> Simply using a cipher for a long time while not specifically knowing
> that it exposes secrets hardly means the secrets are secure.  We have
> no way to *see* whether or not hiding occurs; we have no way to see a
> cipher perform its function.  So we simply do not have the same sort
> of practical experience that we commonly call "proven."
But we have. Sort of.
Look at it like this:
You use an algorithm to protect some info with a certain value.
You believe you would have noticed if somebody other than you
uses that information (comparable products, evidence in courts, ...).
If you have used that algorithm to protect info of that certain value
often and nobody has used captured data you can conjecture that people
will continue not to use your data. This can have to reasons:
1: The effort to break your algo is higher than the value of your information.
2: The damage caused by breaking the algo (switch to better algos, embarrasment
   of people, governments) is bigger than the value of your information.
The result is the same for both cases. You can continue to use your algo.
It is a bit like evidence in court. If you can't show it it's as good as
you've got none.
If your enemy can't (for whatever reason) use your data, it's safe to use
your algorithm. This is secutity too.

Greetings!
Volker



Subject: Re: AES
Date: Sat, 08 May 1999 15:58:43 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <37345f07.1126444@news.visi.com>
References: <3731eba9.5752548@news.io.com>
Newsgroups: sci.crypt
Lines: 61

On Thu, 06 May 1999 19:21:23 GMT, ritter@io.com (Terry Ritter) wrote:

>
>On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>,
>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>
>>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote:
>>
>>>
>>>On Tue, 04 May 1999 21:39:14 GMT, in
>>><372f6808.26884312@news.visi.com>, in sci.crypt
>>>schneier@counterpane.com (Bruce Schneier) wrote:
>>>
>>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
>>>><anthony.ho@controldynamics.com> wrote:
>>>
>>>>[...]
>>>>>and algorithm such as Triple-DES is proven
>>>>>to be very secure.
>>>>
>>>>Agreed.
>>>
>>>Sorry.  There is NO proof of strength for Triple-DES or any other
>>>cipher in cryptography. 
>>
>>Sorry.  I thought he meant "proven" in the vernacular, as in "this
>>meal has proven to be very tasty."  I agree that there is no
>>mathematical proof of the strength of triple-DES, which has
>>nonetheless proven to be very secure (ans tasty).
>
>It turns out to be difficult to justify such a statement even using a
>non-mathematical definition of "proof."  For example:
>
>We can say a race car is "proven" in practice:  We can see it run for
>some time at some speed and compare it to other entrants.  Basically a
>car is movement at speed and we can see that.  
>
>We can say a cipher program is "proven" in practice:  We can see it
>encipher data, produce junk, then recover the original data.  We can
>see whether or not the program crashes.  We thus see the program
>perform its functions.  
>
>But the function of a cipher is to hide information from others.
>Simply using a cipher for a long time while not specifically knowing
>that it exposes secrets hardly means the secrets are secure.  We have
>no way to *see* whether or not hiding occurs; we have no way to see a
>cipher perform its function.  So we simply do not have the same sort
>of practical experience that we commonly call "proven."  
>
>I would say that simply using a cipher for a long time -- and not
>specifically knowing it is broken -- does *not* constitute "proven
>security," by any definition of "proof."  

This has proven to be a very tiresome conversation.  I apologise if
you dislike our language.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com



Subject: Re: AES
Date: Sat, 08 May 1999 19:37:49 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <37349279.8785332@news.io.com>
References: <37345f07.1126444@news.visi.com>
Newsgroups: sci.crypt
Lines: 119


On Sat, 08 May 1999 15:58:43 GMT, in <37345f07.1126444@news.visi.com>,
in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>On Thu, 06 May 1999 19:21:23 GMT, ritter@io.com (Terry Ritter) wrote:
>
>>
>>On Wed, 05 May 1999 14:13:47 GMT, in <373051d9.3696549@news.visi.com>,
>>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>>
>>>On Wed, 05 May 1999 04:46:48 GMT, ritter@io.com (Terry Ritter) wrote:
>>>
>>>>
>>>>On Tue, 04 May 1999 21:39:14 GMT, in
>>>><372f6808.26884312@news.visi.com>, in sci.crypt
>>>>schneier@counterpane.com (Bruce Schneier) wrote:
>>>>
>>>>>On Fri, 30 Apr 1999 13:12:52 -0500, "Anthony King Ho"
>>>>><anthony.ho@controldynamics.com> wrote:
>>>>
>>>>>[...]
>>>>>>and algorithm such as Triple-DES is proven
>>>>>>to be very secure.
>>>>>
>>>>>Agreed.
>>>>
>>>>Sorry.  There is NO proof of strength for Triple-DES or any other
>>>>cipher in cryptography. 
>>>
>>>Sorry.  I thought he meant "proven" in the vernacular, as in "this
>>>meal has proven to be very tasty."  I agree that there is no
>>>mathematical proof of the strength of triple-DES, which has
>>>nonetheless proven to be very secure (ans tasty).
>>
>>It turns out to be difficult to justify such a statement even using a
>>non-mathematical definition of "proof."  For example:
>>
>>We can say a race car is "proven" in practice:  We can see it run for
>>some time at some speed and compare it to other entrants.  Basically a
>>car is movement at speed and we can see that.  
>>
>>We can say a cipher program is "proven" in practice:  We can see it
>>encipher data, produce junk, then recover the original data.  We can
>>see whether or not the program crashes.  We thus see the program
>>perform its functions.  
>>
>>But the function of a cipher is to hide information from others.
>>Simply using a cipher for a long time while not specifically knowing
>>that it exposes secrets hardly means the secrets are secure.  We have
>>no way to *see* whether or not hiding occurs; we have no way to see a
>>cipher perform its function.  So we simply do not have the same sort
>>of practical experience that we commonly call "proven."  
>>
>>I would say that simply using a cipher for a long time -- and not
>>specifically knowing it is broken -- does *not* constitute "proven
>>security," by any definition of "proof."  
>
>This has proven to be a very tiresome conversation.  I apologise if
>you dislike our language.

You already apologized.  I assumed you were going to let it drop.  

This is not an issue of mere words, about which to use when.  (Though
one might *well* think that a question in sci.crypt, to a technical
authority, ought to imply "proof" in the mathematical sense.)

The issue goes deeper than words: it goes to the perception of "proven
security" as a result of cryptanalysis or use.  Presumably it is the
years of cryptanalysis of DES which leads to this, and it is not just
a delusion of the general public but a perception which is repeatedly
affirmed by technical authorities (as happened here).  The term
"validation" has also been used.  But as far as I can tell, a logic of
cryptanalytic validation goes something like this:

1. Assuming academic cryptanalysis is the best possible,
2. if cryptanalysis has found no break, then
3. no break is possible.

No cryptanalyst will ever put this so baldly.  But we see in practice
the sequence: new cipher designs, subjected to academic cryptanalysis,
then generally approved for use, which seems to be an expression of
the above logic.  Cryptanalysts may say "We just did what we could."
But to the extent that the result is considered "proven secure" in any
sense at all (and that *is* the point of this tiresome conversation),
it sure looks like the above logic to me.  

If we were having an outbreak of former academic cryptanalysts
breaking ciphers and stealing information, we might just stretch a
point and say:

1. Assuming all academics are the same, 
2. if our academics can't find a problem, then
3. neither can the former academics.  

This at least has a modicum of science to it, because we are comparing
two similar groups.  But of course in reality individuals differ, and
their situations differ, so this isn't right either.  

In practice our ciphers confront opponents whose knowledge and
capabilities exceed the academic literature.  Just because academics
cannot find a break does not mean the opponents cannot.  It is a
*realistic* possibility that DES has been broken in secret from the
time it was designed and that we still do not know that.  And while we
might wish and hope to call this "improbable," that would be pasting
the illusion of scientific analysis on something which cannot (yet) be
quantified.  It is just such a quantification that "proven secure"
implies to me, and that is bad science.

I think people get so involved in the technical aspects of
cryptanalysis that they forget the logic of what this does or does not
prove.  Non-cryptanalysts generally *do* take this as a *validation*
process which produces ciphers of "proven security."  Cryptanalysts
are not speaking up about whether "validation" and "proof" are useful
terms for what they do, and that makes them part of the problem.  

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM



Subject: Re: AES
Date: 11 May 1999 18:28:15 GMT
From: lamontg@bite.me.spammers
Message-ID: <7h9srv$jmu$1@nntp6.u.washington.edu>
References: <37349279.8785332@news.io.com>
Newsgroups: sci.crypt
Lines: 126

ritter@io.com (Terry Ritter) writes:
>On Sat, 08 May 1999 15:58:43 GMT, in <37345f07.1126444@news.visi.com>,
>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>>This has proven to be a very tiresome conversation.  I apologise if
>>you dislike our language.
>
>You already apologized.  I assumed you were going to let it drop.  
>
>This is not an issue of mere words, about which to use when.  

Yes it is an issue of mere words.

>(Though
>one might *well* think that a question in sci.crypt, to a technical
>authority, ought to imply "proof" in the mathematical sense.)

It was a question posed by someone who had presented no evidence of
being a technical authority, it was phrased as though he was using
the empirical use of the word "prove" and not the mathematical sense.
It was merely answered by Mr Schneier and he adopted the same terms 
which he saw the original poster using, and I don't understand why you
have such a painful stick up your ass about this issue of language.

>The issue goes deeper than words: it goes to the perception of "proven
>security" as a result of cryptanalysis or use.  

"proven to be secure"

There is a subtle difference in meaning which apparently escapes you.

As someone who is more of a physicist than a mathematician i have no problem
with this language.  I can say that general relativity has "proven to be
correct" while understanding that tomorrow it could very well be proven to
be incorrect -- in fact I entirely expect that this will happen some day.

>Presumably it is the
>years of cryptanalysis of DES which leads to this, and it is not just
>a delusion of the general public but a perception which is repeatedly
>affirmed by technical authorities (as happened here).  The term
>"validation" has also been used.  

But not here.  So why bring it up other than to confuse the issue?

>But as far as I can tell, a logic of
>cryptanalytic validation goes something like this:
>
>1. Assuming academic cryptanalysis is the best possible,
>2. if cryptanalysis has found no break, then
>3. no break is possible.

Interesting.  Care to show me where Mr. Schneier has suggested that this
logic is valid?  Or are you simply using rhetorical games to try to put
words in his mouth?  (yes that's a rhetorical question)

I've never, ever seen Bruce say anything even remotely suggesting that
he would accept (3.) in that list as a conclusion.  The fact that you're
suggesting that he'd hold such opinions says a whole lot more about you and
why you're attacking him than it does about what he's written.

>No cryptanalyst will ever put this so baldly.  But we see in practice
>the sequence: new cipher designs, subjected to academic cryptanalysis,
>then generally approved for use, which seems to be an expression of
>the above logic.  

It seems to be about the best we can do.  Barring a formal proof of
security in the mathematical sense (the holy grail of cryptography) there
seems to be no better option than to go with the cipher that has proven
to be secure through time.

[...]
>In practice our ciphers confront opponents whose knowledge and
>capabilities exceed the academic literature.  Just because academics
>cannot find a break does not mean the opponents cannot.  

This should be filed under D for "Duh."

>It is a
>*realistic* possibility that DES has been broken in secret from the
>time it was designed and that we still do not know that.

Yes.  However, DES has been around for a very long time, and has more
extensive public cryptanalysis than probably any other algorithm, and the
rewards (prestige, furtherance of career) for breaking DES would be
substantial.  This is in some sense just a glorified "crypto contest" which
we agree is not any indication of security -- however it has been going on
for 20 years with the highest rewards that the crypto community could offer
the person that broke it.  Against this kind of a challenge DES has proven
to be secure.

>And while we
>might wish and hope to call this "improbable," that would be pasting
>the illusion of scientific analysis on something which cannot (yet) be
>quantified.

Why on earth does "improbable" imply to you anything about scientific
analysis or quantification?  To me it implies exactly that opposite -- saying
that something is improbably almost certainly means (to me) that someone is
making a judgement call and weighing the percieved risks.

>It is just such a quantification that "proven secure"
>implies to me, and that is bad science.

Well, we clearly disagree.

>I think people get so involved in the technical aspects of
>cryptanalysis that they forget the logic of what this does or does not
>prove.  Non-cryptanalysts generally *do* take this as a *validation*
>process which produces ciphers of "proven security."  Cryptanalysts
>are not speaking up about whether "validation" and "proof" are useful
>terms for what they do, and that makes them part of the problem.  

What I think is part of the problem is professional cryptographers on 
sci.crypt who decide to attack other cryptographers over obviously 
fabricated issues, just so that they can attack them.  It is the kind of
behavior that I expect out of Mr. SCOTT19U.ZIP.  I read what Bruce wrote
and I gave him the very obvious benefit of the doubt about the language
that was being used.  You read Bruce and figured that now was a good time
to try to make yourself look smart by attacking Bruce on a stupid detail.
I'm getting quite tired of some of the people on this list who should
know better jumping all over Bruce the second he is percieved as making
the slightest mis-step.  If you're upset about the fact that Bruce is
more popular, then get off of Usenet and go write your own damn book.

-- 
Lamont Granquist (lamontg@u.washington.edu)
ICBM: 47 39'23"N 122 18'19"W



Subject: Re: AES
Date: Wed, 12 May 1999 19:32:47 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3739d5dd.5435189@news.io.com>
References: <7h9srv$jmu$1@nntp6.u.washington.edu>
Newsgroups: sci.crypt
Lines: 217


On 11 May 1999 18:28:15 GMT, in <7h9srv$jmu$1@nntp6.u.washington.edu>,
in sci.crypt lamontg@bite.me.spammers wrote:

>ritter@io.com (Terry Ritter) writes:

>[...]
>As someone who is more of a physicist than a mathematician i have no problem
>with this language.  I can say that general relativity has "proven to be
>correct" while understanding that tomorrow it could very well be proven to
>be incorrect -- in fact I entirely expect that this will happen some day.

Then you fundamentally misunderstand even your own field.  The facts
of relativity, as tested, do not change when a new theory is proposed.
Relativity is unlikely to be "proven incorrect."  Instead, there will
be certain areas where the theory incorrectly models reality.  The
whole point of a new physical theory is to provide at least as good a
model as the old, and cover even more.  

There is a fundamental difference between cryptography and physics
with respect to provability:  In physics, we can use the model to
predict outcomes and then measure those outcomes in reality; the
extent to which we get a match is the extent to which we have a good
theory.  But in cryptography, we cannot model strength.  There is no
computation which gives the strength value, and there is no experiment
which allows us to confirm it.  The only thing we have are some
attacks which require some amount effort, but they give us no
assurance at all that some very clever but absolutely trivial
successful attack does not exist.  The very concept of "proven
security" in cryptography currently has no practical meaning.  


>>But as far as I can tell, a logic of
>>cryptanalytic validation goes something like this:
>>
>>1. Assuming academic cryptanalysis is the best possible,
>>2. if cryptanalysis has found no break, then
>>3. no break is possible.
>
>Interesting.  Care to show me where Mr. Schneier has suggested that this
>logic is valid?  Or are you simply using rhetorical games to try to put
>words in his mouth?  (yes that's a rhetorical question)

If you don't like *my* syllogism, perhaps you can provide one which
*does* imply cipher strength.  What is your interpretation of this
process?  And that is not rhetorical.

In my view, the whole concept is bankrupt, and these continued
attempts to extend what is now clearly an unworkable process can only
damage users and thus the field itself.  It is time to have a clear
understanding of what cryptanalysis provides, and that is an upper
bound on strength, with no lower bound.  To provide any implication of
security, we must have a lower bound on strength.  Currently, that is
zero.  


>I've never, ever seen Bruce say anything even remotely suggesting that
>he would accept (3.) in that list as a conclusion.  The fact that you're
>suggesting that he'd hold such opinions says a whole lot more about you and
>why you're attacking him than it does about what he's written.

I would say that your perception that I am attacking Schneier --
instead of the false ideas he promotes -- says more about you than me.


My words were "as far as I can tell" and "a logic of validation": it
is you who assign those words to Schneier, not me.  

But Schneier does promote the use of cryptanalysis as the way we know
cipher strength -- I think that is a fair quick summary of his
position -- which implies that he *does* have *some* logic which in
his mind *does* provide some logical implication of strength.  And
while I have become convinced that any such logic is false, if someone
can come up with workable logic which does produce such a conclusion,
I would have to accept it.  


>>No cryptanalyst will ever put this so baldly.  But we see in practice
>>the sequence: new cipher designs, subjected to academic cryptanalysis,
>>then generally approved for use, which seems to be an expression of
>>the above logic.  

So I clearly *did* show my doubt that Schneier would ever *express*
such a syllogism.  The question is, "What syllogism *does* he use?"
In what way *can* cryptanalytic results *ever* be used to imply user
information security?


>It seems to be about the best we can do.  Barring a formal proof of
>security in the mathematical sense (the holy grail of cryptography) there
>seems to be no better option than to go with the cipher that has proven
>to be secure through time.

So, basically, since we have no way to find a lower bound on strength,
we will just ignore it.  We will ignore the idea that any cipher might
have a trivial break which we do not know.  We will encourage users to
believe they have "proven security," while knowing that we have no
such thing.  In other fields, making claims which cannot be supported
would be called "deceptive," or perhaps even "fraud."


>[...]
>>It is a
>>*realistic* possibility that DES has been broken in secret from the
>>time it was designed and that we still do not know that.
>
>Yes.  However, DES has been around for a very long time, and has more
>extensive public cryptanalysis than probably any other algorithm, and the
>rewards (prestige, furtherance of career) for breaking DES would be
>substantial.  This is in some sense just a glorified "crypto contest" which
>we agree is not any indication of security -- however it has been going on
>for 20 years with the highest rewards that the crypto community could offer
>the person that broke it.  Against this kind of a challenge DES has proven
>to be secure.

No, DES has *not* proven to be secure.  It has simply no break that we
know about.  Not knowing about weakness is far different than having
proven security.  

The very idea that we could on the one hand admit that DES *might* be
broken, and then call it "secure" -- simply because we do not know for
sure that a break exists -- sounds crazy.  Not *knowing* that our
cipher is broken is the *normal* situation for a cipher being broken.
It is all we ever know of the worst possible case when our information
is being harvested and wisely exploited.  Our only reasonable choice
is to assume that the cipher *might* be broken.  And that can hardly
be called "secure."  


>>And while we
>>might wish and hope to call this "improbable," that would be pasting
>>the illusion of scientific analysis on something which cannot (yet) be
>>quantified.
>
>Why on earth does "improbable" imply to you anything about scientific
>analysis or quantification?  To me it implies exactly that opposite -- saying
>that something is improbably almost certainly means (to me) that someone is
>making a judgement call and weighing the percieved risks.

But in cryptography we *have* no information on which to perceive
risks.  We do not know the "absolute strength" of our ciphers.  We do
not know the capabilities of our opponents.  We do not know how many
of our designs have been broken by our opponents.  There is simply no
information upon which to base a risk analysis or a judgment call.  


>[...]
>What I think is part of the problem is professional cryptographers on 
>sci.crypt who decide to attack other cryptographers over obviously 
>fabricated issues, just so that they can attack them.  

If you are referring to me, in this case, your interpretation is
false.  I have a substantial history of messages and writings which
directly confront the issue of proof in cryptography, and my position
has not changed to allow me to attack the current guru.  Schneier
created the problem; I did not go after him.  

On the other hand, to the extent that Schneier has in recent months
actively promoted various ideas which are logically insupportable, we
will find that I oppose those ideas.  


>It is the kind of
>behavior that I expect out of Mr. SCOTT19U.ZIP.  

I think you need to look to yourself to find why you take a rational
issue in personal terms.  Attacking Schneier's misuse of these terms
is not an attack on Schneier, and certainly not an attack on you.
Unless, of course, you think there *is* "proven security" in
cryptography, in which case this reality may be quite distressing to
you.  


>I read what Bruce wrote
>and I gave him the very obvious benefit of the doubt about the language
>that was being used.  

Then you are giving him far too much benefit.  As an "authority,"
Schneier has a responsibility to not mislead those who ask for his
advice.  Schneier is a writer to whom words are professional tools,
who is well aware that words can be misinterpreted, and he can take
action to prevent that.  In this case he did not.  

The idea that there is anything in cryptography like "proven security"
is a widespread misconception which can lead to a fruitless unending
search for the holy grail which is said to exist.  This belief is a
serious problem which can undermine the attempt of any student to put
the field into perspective.  

Your acceptance of words which can be misinterpreted is the wrong way
to go -- instead we should expect statements which are provably
correct (and not just not proven wrong) which have a clear meaning.
When ambiguity exists, we should expect a discussion to resolve that
in the context of the truth.  This *is* that discussion.  


>You read Bruce and figured that now was a good time
>to try to make yourself look smart by attacking Bruce on a stupid detail.

It is hardly a stupid detail; it is at the basis of understanding what
cryptography can do.  


>I'm getting quite tired of some of the people on this list who should
>know better jumping all over Bruce the second he is percieved as making
>the slightest mis-step.  If you're upset about the fact that Bruce is
>more popular, then get off of Usenet and go write your own damn book.

You need to first of all be more tolerant, and second to understand
that a whole range of possible motives can produce pretty much the
same actions.  Your interpretation of my motives in those actions is
false, and consequently says more about you than me.  

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM



Subject: Re: AES
Date: Tue, 11 May 1999 22:28:17 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3738aba1.567668@news.prosurfr.com>
References: <37349279.8785332@news.io.com>
Newsgroups: sci.crypt
Lines: 36

ritter@io.com (Terry Ritter) wrote, in part:

>In practice our ciphers confront opponents whose knowledge and
>capabilities exceed the academic literature.  Just because academics
>cannot find a break does not mean the opponents cannot.

This is a true statement, although some people will express doubts
about it.

Doubt #1: The open atmosphere of free inquiry lets science progress
best, so even the NSA isn't *far* ahead of the academic community,

Doubt #2: What are you, some kind of spy or crook, that you don't want
the U.S. Government to read your mail?

There are arguments against these doubts; I won't dwell on them,
except to note that cryptanalysis is specialized and esoteric, and it
is a _marginal_ subject in academia; only a very few lucky professors
are allowed to get away with doing a major amount of their research in
this subject. The closed confines of the NSA represent a bigger
academic community for this subject than the open academic community -
probably several times over.

Opponents stronger than the academics *do* still exist, and these
doubts, which basically are based on the premise that the NSA is the
only such opponent, don't banish them all. I will now proceed to name
some of them:

- The intelligence agencies of China, France, Russia, and other
countries that may wish to spy even on legitimate businesses;

- Hackers seeking to read your messages 20 years from now, who will
have the benefit of what academics *will* know in 20 years.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html



Subject: Re: AES
Date: Wed, 05 May 1999 16:52:38 +0200
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <37305B36.831A9CA5@stud.uni-muenchen.de>
References: <372fcc2b.7300595@news.io.com>
Newsgroups: sci.crypt
Lines: 15

Terry Ritter wrote:
> 
> 
> Sorry.  There is NO proof of strength for Triple-DES or any other
> cipher in cryptography.

Minute restriction: The OTP is provably secure. But the (theoretically)
random keystream can't be obtained in practice (or rather the keystream
can't be proved to be (theoretically) random). So the proof is
in a certain sense a 'circular' one in my humble opinion. The
consequence of the fact you pointed out is that there can only be
'practical' security. Persuing absolute security is more or less
like persuing eternal life.

M. K. Shen

Terry Ritter, his current address, and his top page.

Last updated: 2001-06-03