CDR: Re: Musings on AES and DES
Vin McLellan
vin at shore.net
Mon Oct 9 00:22:01 PDT 2000
Ray Dillinger <bear at sonic.net> wrote:
><snip>
>[As the DES,] Dataseal/Demon/Lucifer was pretty good. It may not
>have been the *most* secure algorithm of its time, but neither was it a
>transparent and useless "cipher" with obvious flaws other than the 56-bit
>keyspace. However, the important part of building up trust (or lack
>thereof) in the cipher came after it was chosen as the DES.
I suggest that you give insufficient weight to the importance of
the NSA imprimatur on the DES.
The DES became the standard we know today -- for years,
universally accepted in US commerce, banking, and trade -- largely because
the US National Security Agency (NSA) issued, upon the designation of the
DES by NIST, a statement that the NSA's cryptanalysts knew of no attack on
the DES algorithm more effective than a brute force search of all possible
56-bit keys.
That -- and perhaps NIST's projections of the work and time
required to break a 56-bit key -- provided the "due diligence" groundwork
that allowed US bankers and businessmen to label crypto a solved problem.
No liability could accrue to a CTO or CEO or product manager who chose to
use the DES (and, conversely, no one but a fool would use an alternative
cipher -- whatever the key length -- in a commercial environment.)
The 1976 designation of the DES -- unlike most traditional
standardization efforts -- was not about interoperability. It was not even
about relative cryptographic strength (although there must have been some
fascinating charts at Fort Meade which projected the life-span of a 56-bit
key against the successive five-year certifications built into the DES
selection.)
The broad acceptance of the DES in US industry and finance was, in
large part, simply a function of the way a NSA-blessed cipher contained and
limited potential liability.
In the real world, the technical review that you celebrate --
among academic mathematicians and the (relatively few) unencumbered
cryptographers in academia and private industry -- was all but irrelevant.
(Only negative results would make a difference, and those were scant and
slow in coming.)
I would argue that, at least in the US, that research had
virtually no impact on those who made the relevant purchase and policy
decisions (who were seldom crypto-savvy, let alone crypto-literate.)
Until well into the 1990s, there was no significant
non-governmental crypto community to offer alternative judgements until
fairly recently... and it must be said that the widespread trust, among
American civilians, in the NSA's judgement in this matter was not misplaced.
DES was pretty much what they said it was (even down to that tweak
in the S-boxes to block differential analysis, which the academic crypto
researchers didn't discover for many years.) The NSA was/is really very
good at what they did, and -- particularly in the US computer industry
(which until 1960 had been pretty much guided by NSA R&D contracts) --
their cryptanalytic expertise was wholly unchallenged.
>That choice focused every cryptanalyst in the world on it,
>for a while, and sparked a fair amount of hard research in
>mathematics. Eventually someone found an attack better than
>brute force on it -- but the attack requires a very very
>large number of plaintext/ciphertext pairs to carry out, and
>seems unlikely in practice. The important thing though, is
>that people did the math, did the research, did the hard
>thinking -- and did it for a long time. When someone uses
>DES or 3DES today, she knows EXACTLY how much protection her
>data is getting, and knows that hundreds, possibly thousands,
>of brilliant people have focused many man-years on proving
>that that amount of protection *is* exactly how much she's
>getting.
>
>It may be that some other ciphers that were around at that
>time are more secure -- hell, no doubt about it really.
>But none of those ciphers have attracted the attention of
>as many really bright people making *sure* it's secure that
>being the DES has gotten for this cipher.
>
>Now, the newly minted AES is standing in place to receive
>the same attention from the worldwide community -- indeed,
>has already started to.
<snip>
I presume that the AES selection process was open, to the degree
that it was, largely to permit the large contemporary private-sector and
the academic crypto community an opportunity to participate in, and
endorse, the final AES selection. I suspect, however, that the formal
adoption of the AES FIPS -- when Rijndael is designated the approved
mechanism for securing sensitive but unclassified government data -- will
involve some similar NSA endorsement, implicit or explicit.
It will be interesting to see how explicit it is, and what sort of
demand for an overt stamp of approval from the NSA still exists in the
marketplace.