CDR: Musings on AES and DES

Ray Dillinger bear at sonic.net
Sun Oct 8 17:57:28 PDT 2000


Reflections on AES and DES....  

DES was developed by a team that wanted to call it "Dataseal" 
at IBM.  Some IBM flacks renamed it Demon (for "demonstration 
cipher"), a name the original developers didn't like.  So they 
agitated against the new name, and eventually someone decided 
to rename it Lucifer, which the original developers liked even 
less.  One gets the impression that the flacks were just toying 
with the techies here, twisting the knife as it were.

But then it was adopted (in a slightly different form) as the 
Data Encryption Standard of the US government, and everybody 
gave up on the "demonic" naming conventions and just started 
calling it DES.  

Now, Dataseal/Demon/Lucifer was pretty good.  It may not have 
been the *most* secure algorithm of its time, but neither was 
it a transparent and useless "cipher" with obvious flaws 
other than the 56-bit keyspace.  However, the important part 
of building up trust (or lack thereof) in the cipher came 
after it was chosen as the DES. 

That choice focused every cryptanalyst in the world on it, 
for a while, and sparked a fair amount of hard research in 
mathematics.  Eventually someone found an attack better than 
brute force on it -- but the attack requires a very very 
large number of plaintext/ciphertext pairs to carry out, and 
seems unlikely in practice.  The important thing though, is 
that people did the math, did the research, did the hard 
thinking -- and did it for a long time.  When someone uses 
DES or 3DES today, she knows EXACTLY how much protection her 
data is getting, and knows that hundreds, possibly thousands, 
of brilliant people have focused many man-years on proving 
that that amount of protection *is* exactly how much she's 
getting.

It may be that some other ciphers that were around at that 
time are more secure -- hell, no doubt about it really.  
But none of those ciphers have attracted the attention of 
as many really bright people making *sure* it's secure that 
being the DES has gotten for this cipher. 

Now, the newly minted AES is standing in place to receive 
the same attention from the worldwide community -- indeed, 
has already started to.  

Even if it's not technically as secure as Twofish and Serpent, 
the coming years of attention are going to reduce the likelihood 
of an attack that we just didn't know about on AES -- but not 
as much on Twofish and Serpent.  So whatever its respective 
strength, our *knowledge* of its strength will become stronger 
and stronger as more and more time goes by with attention 
focused on it.  

Anyway, from the POV of confidence in a cipher, it's not really 
as important which cipher they picked.  It's important that they 
picked one -- and now cryptanalytic attention is focused on it.

Every day no flaw is found raises our confidence that there is 
none, making the security of this cipher more trustworthy.  
Regardless of its strength relative to the other candidates (which 
in reality we may never know except by the continued failure to 
find obvious breaks in anything) the trustworthiness of the cipher, 
deriving from the amount of effort and testing that have gone 
into it, will quickly eclipse the trustworthiness of all other 
candidates. 

It would have been the same whichever cipher they picked. 

				Bear






