CDR: Musings on AES and DES
Ray Dillinger
bear at sonic.net
Sun Oct 8 17:57:28 PDT 2000
Reflections on AES and DES....
DES was developed by a team that wanted to call it "Dataseal"
at IBM. Some IBM flacks renamed it Demon (for "demonstration
cipher"), a name the original developers didn't like. So they
agitated against the new name, and eventually someone decided
to rename it Lucifer, which the original developers liked even
less. One gets the impression that the flacks were just toying
with the techies here, twisting the knife as it were.
But then it was adopted (in a slightly different form) as the
Data Encryption Standard of the US government, and everybody
gave up on the "demonic" naming conventions and just started
calling it DES.
Now, Dataseal/Demon/Lucifer was pretty good. It may not have
been the *most* secure algorithm of its time, but neither was
it a transparent and useless "cipher" with obvious flaws
other than the 56-bit keyspace. However, the important part
of building up trust (or lack thereof) in the cipher came
after it was chosen as the DES.
That choice focused every cryptanalyst in the world on it,
for a while, and sparked a fair amount of hard research in
mathematics. Eventually someone found an attack better than
brute force on it -- but the attack requires a very very
large number of plaintext/ciphertext pairs to carry out, and
seems unlikely in practice. The important thing though, is
that people did the math, did the research, did the hard
thinking -- and did it for a long time. When someone uses
DES or 3DES today, she knows EXACTLY how much protection her
data is getting, and knows that hundreds, possibly thousands,
of brilliant people have focused many man-years on proving
that that amount of protection *is* exactly how much she's
getting.
It may be that some other ciphers that were around at that
time are more secure -- hell, no doubt about it really.
But none of those ciphers has attracted the attention of
as many really bright people making *sure* it's secure as
this cipher has gotten by being the DES.
Now, the newly minted AES is standing in place to receive
the same attention from the worldwide community -- indeed,
has already started to.
Even if it's not technically as secure as Twofish and Serpent,
the coming years of attention are going to reduce the likelihood
of an attack that we just didn't know about on AES -- but not
as much on Twofish and Serpent. So whatever its respective
strength, our *knowledge* of its strength will become stronger
and stronger as more and more time goes by with attention
focused on it.
Anyway, from the POV of confidence in a cipher, it's not really
as important which cipher they picked. It's important that they
picked one -- and now cryptanalytic attention is focused on it.
Every day no flaw is found raises our confidence that there is
none, making the security of this cipher more trustworthy.
Regardless of its strength relative to the other candidates (which
in reality we may never know except by the continued failure to
find obvious breaks in anything) the trustworthiness of the cipher,
deriving from the amount of effort and testing that have gone
into it, will quickly eclipse the trustworthiness of all other
candidates.
It would have been the same whichever cipher they picked.
Bear