Ray Dillinger <bear@sonic.net> wrote:
<snip>
> [As the DES,] Dataseal/Demon/Lucifer was pretty good. It may not have been the *most* secure algorithm of its time, but neither was it a transparent and useless "cipher" with obvious flaws other than the 56-bit keyspace. However, the important part of building up trust (or lack thereof) in the cipher came after it was chosen as the DES.
I suggest that you give insufficient weight to the importance of the NSA imprimatur on the DES. The DES became the standard we know today -- for years, universally accepted in US commerce, banking, and trade -- largely because the US National Security Agency (NSA) issued, upon the designation of the DES by NIST, a statement that the NSA's cryptanalysts knew of no attack on the DES algorithm more effective than a brute force search of all possible 56-bit keys. That -- and perhaps NIST's projections of the work and time required to break a 56-bit key -- provided the "due diligence" groundwork that allowed US bankers and businessmen to label crypto a solved problem. No liability could accrue to a CTO or CEO or product manager who chose to use the DES (and, conversely, no one but a fool would use an alternative cipher -- whatever the key length -- in a commercial environment.) The 1976 designation of the DES -- unlike most traditional standardization efforts -- was not about interoperability. It was not even about relative cryptographic strength (although there must have been some fascinating charts at Fort Meade which projected the life-span of a 56-bit key against the successive five-year certifications built into the DES selection.) The broad acceptance of the DES in US industry and finance was, in large part, simply a function of the way an NSA-blessed cipher contained and limited potential liability. In the real world, the technical review that you celebrate -- among academic mathematicians and the (relatively few) unencumbered cryptographers in academia and private industry -- was all but irrelevant. (Only negative results would make a difference, and those were scant and slow in coming.) I would argue that, at least in the US, that research had virtually no impact on those who made the relevant purchase and policy decisions (who were seldom crypto-savvy, let alone crypto-literate.)
Until well into the 1990s, there was no significant non-governmental crypto community to offer alternative judgements... and it must be said that the widespread trust, among American civilians, in the NSA's judgement in this matter was not misplaced. DES was pretty much what they said it was (even down to that tweak in the S-boxes to block differential analysis, which the academic crypto researchers didn't discover for many years.) The NSA was/is really very good at what they did, and -- particularly in the US computer industry (which until 1960 had been pretty much guided by NSA R&D contracts) -- their cryptanalytic expertise was wholly unchallenged.
> That choice focused every cryptanalyst in the world on it, for a while, and sparked a fair amount of hard research in mathematics. Eventually someone found an attack better than brute force on it -- but the attack requires a very very large number of plaintext/ciphertext pairs to carry out, and seems unlikely in practice. The important thing though, is that people did the math, did the research, did the hard thinking -- and did it for a long time. When someone uses DES or 3DES today, she knows EXACTLY how much protection her data is getting, and knows that hundreds, possibly thousands, of brilliant people have focused many man-years on proving that that amount of protection *is* exactly how much she's getting.
> It may be that some other ciphers that were around at that time are more secure -- hell, no doubt about it really. But none of those ciphers has attracted the attention of as many really bright people making *sure* it's secure as being the DES has gotten for this cipher.
> Now, the newly minted AES is standing in place to receive the same attention from the worldwide community -- indeed, has already started to.
<snip> I presume that the AES selection process was open, to the degree that it was, largely to permit the large contemporary private-sector and the academic crypto community an opportunity to participate in, and endorse, the final AES selection. I suspect, however, that the formal adoption of the AES FIPS -- when Rijndael is designated the approved mechanism for securing sensitive but unclassified government data -- will involve some similar NSA endorsement, implicit or explicit. It will be interesting to see how explicit it is, and what sort of demand for an overt stamp of approval from the NSA still exists in the marketplace.