CDR: Re: Musings on AES and DES

Vin McLellan vin at shore.net
Mon Oct 9 00:22:01 PDT 2000


         Ray Dillinger <bear at sonic.net> wrote:
><snip>

>[As the DES,] Dataseal/Demon/Lucifer was pretty good.  It may not 
>have been the *most* secure algorithm of its time, but neither was it a 
>transparent and useless "cipher" with obvious flaws other than the 56-bit 
>keyspace.  However, the important part of building up trust (or lack 
>thereof) in the cipher came after it was chosen as the DES.

         I suggest that you give insufficient weight to the importance of 
the NSA imprimatur on the DES.

         The DES became the standard we know today -- for years, 
universally accepted in US commerce, banking, and trade -- largely because 
the US National Security Agency (NSA) issued, upon the designation of the 
DES by NIST, a statement that the NSA's cryptanalysts knew of no attack on 
the DES algorithm more effective than a brute force search of all possible 
56-bit keys.

         That -- and perhaps NIST's projections of the work and time 
required to break a 56-bit key -- provided the "due diligence" groundwork 
that allowed US bankers and businessmen to label crypto a solved problem. 
No liability could accrue to a CTO or CEO or product manager who chose to 
use the DES (and, conversely, no one but a fool would use an alternative 
cipher -- whatever the key length -- in a commercial environment.)

         The 1976 designation of the DES -- unlike most traditional 
standardization efforts -- was not about interoperability. It was not even 
about relative cryptographic strength (although there must have been some 
fascinating charts at Fort Meade which projected the life-span of a 56-bit 
key against the successive five-year certifications built into the DES 
selection.)

         The broad acceptance of the DES in US industry and finance was, in 
large part, simply a function of the way a NSA-blessed cipher contained and 
limited potential liability.

         In the real world, the technical review that you celebrate -- 
among academic mathematicians and the (relatively few) unencumbered 
cryptographers in academia and private industry -- was all but irrelevant. 
(Only negative results would make a difference, and those were scant and 
slow in coming.)

         I would argue that, at least in the US, that research had 
virtually no impact on those who made the relevant purchase and policy 
decisions (who were seldom crypto-savvy, let alone crypto-literate.)

         Until well into the 1990s, there was no significant 
non-governmental crypto community to offer alternative judgements until 
fairly recently... and it must be said that the widespread trust, among 
American civilians, in the NSA's judgement in this matter was not misplaced.

         DES was pretty much what they said it was (even down to that tweak 
in the S-boxes to block differential analysis, which the academic crypto 
researchers didn't discover for many years.) The NSA was/is really very 
good at what they did, and -- particularly in the US computer industry 
(which until 1960 had been pretty much guided by NSA R&D contracts) -- 
their cryptanalytic expertise was wholly unchallenged.

>That choice focused every cryptanalyst in the world on it,
>for a while, and sparked a fair amount of hard research in
>mathematics.  Eventually someone found an attack better than
>brute force on it -- but the attack requires a very very
>large number of plaintext/ciphertext pairs to carry out, and
>seems unlikely in practice.  The important thing though, is
>that people did the math, did the research, did the hard
>thinking -- and did it for a long time.  When someone uses
>DES or 3DES today, she knows EXACTLY how much protection her
>data is getting, and knows that hundreds, possibly thousands,
>of brilliant people have focused many man-years on proving
>that that amount of protection *is* exactly how much she's
>getting.
>
>It may be that some other ciphers that were around at that
>time are more secure -- hell, no doubt about it really.
>But none of those ciphers have attracted the attention of
>as many really bright people making *sure* it's secure that
>being the DES has gotten for this cipher.
>
>Now, the newly minted AES is standing in place to receive
>the same attention from the worldwide community -- indeed,
>has already started to.

<snip>

         I presume that the AES selection process was open, to the degree 
that it was, largely to permit the large contemporary private-sector and 
the academic crypto community an opportunity to participate in, and 
endorse, the final AES selection. I suspect, however, that the formal 
adoption of the AES FIPS -- when Rijndael is designated the approved 
mechanism for securing sensitive but unclassified government data -- will 
involve some similar NSA endorsement, implicit or explicit.

         It will be interesting to see how explicit it is, and what sort of 
demand for an overt stamp of approval from the NSA still exists in the 
marketplace.