On Thu, Aug 6, 2009 at 8:20 AM, Eugen Leitl<eugen@leitl.org> wrote:

... Third, I don't understand why Cleversafe documents claim that public key cryptosystems whose security is based on "math" are more likely to fall to future advances in cryptanalysis. I think most cryptographers have the opposite belief -- that encryption based on bit-twiddling such as block ciphers or stream ciphers is much more likely to fall to future cryptanalysis.

well, arithmetic and algebra are math :) and still exceptions to this rule. Shor's makes RSA/DH risky but quantum search in GF(256) is probably too hard for any current lifespan.

Certainly the history of modern cryptography seems to fit with this -- of the original crop of public key cryptosystems founded on a math problem, some are still regarded as secure today (RSA, DH, McEliece)

improved McEliece is my favorite contender for a post-quantum reality. hardware entropy sources are plentiful and bandwidth capable...

but there has been a long succession of symmetric crypto primitives based on bit twiddling which have then turned out to be insecure. (Including, ominously enough, AES-256, which was regarded as a gold standard until a few months ago.)

agreed. though perhaps this just argues for more conservative designs. the padlock engine on the host i'm writing this with can do 32 rounds just as easily as 10 or 14.