Eric Hughes writes:
It has also been examined by four cryptologists (professional and/or credentialed) not involved in its development, and it was ridiculed by none of them.
I hear the sounds of autonecrothaphty (digging one's own grave). Was it recommended by any of them, and did any of them test it?
It's true I'm going out on a limb here, but the potential benefit to the world is a new cryptosystem of some value (a deliberately modest claim). And one that was not designed by NSA complete with trapdoors. Anything new always meets with resistance. The description was run by the cryptanalysts for their comment. The consensus was that the method was probably strong, or at least not obviously weak, but that they had insufficient information to judge properly. You may disagree. You may not like the proposed method, but the real question is whether it works. In-house testing has been as rigorous as we can make it, but any outside cryptanalyst is welcome to take a shot at it.
The first task of a cryptanalyst is to discover what method of encryption was used.
Usually not. This often comes as collateral information related to the intercept. In the case of a PC seizure, having a manual lying around and an executable on the disk usually qualifies.
Yes, a cryptanalyst looks around for other evidence as to which cryptosystem was used before the hard work of analysing ciphertext. As you say, it may be a manual or an executable. The encipherer himself may reveal it. But in any case, identifying the encryption method *is* the first step in cryptanalysis.
The description was run by the cryptanalysts for their comment.
I've never seen any names, nor any statements of their analysis. As far as I'm concerned this stands as hearsay.
The consensus was that the method was probably strong, or at least not obviously weak, but that they had insufficient information to judge properly.
Insufficient information?? And this is all you have for review? Did they even see code, or just an English description of it? Look, if saying they didn't laugh at it is digging your own grave, saying they didn't even look at the full algorithm is acting as your own firing squad.
In-house testing has been as rigorous as we can make it, but any outside cryptanalyst is welcome to take a shot at it.
Anything as significant as a new cipher needs to be publicly examined before it can be trusted. The opportunity for such public examination is not sufficient, only the actual publication and subsequent responses qualify. Therefore, I have a challenge for you to submit your algorithm in full detail to the public scrutiny of the academic cryptographic community. You have unfortunately missed the deadline for papers for CRYPTO 93, but you can always submit a paper to the Journal of Cryptology. If the cipher is to be considered secure, it should be proof against the most sophisticated attacks known; currently this means that it should be proof against differential cryptanalysis. Until this kind of high-level review has been made, I openly and publicly recommend that this cipher not be used. As far as a product goes, Dolphin Encrypt would be much more useful if its cipher were trusted. A rewrite to use triple DES would be straightforward and would greatly increase the trustworthiness of the product.
Eric
Participants (2): Eric Hughes, meyer