Path: utzoo!mnetor!uunet!husc6!uwvax!rutgers!bellcore!faline!thumper!karn
From: karn@thumper.bellcore.com (Phil R. Karn)
Newsgroups: sci.crypt
Subject: Re: Request for opinions: canadian cryptographic standard.
Message-ID: <1009@thumper.bellcore.com>
Date: 24 Mar 88 22:58:05 GMT
References: <2463@geac.UUCP> <17654@watmath.waterloo.edu> <2475@geac.UUCP> <2414@unicus.UUCP>
Organization: Bell Communications Research, Inc
Lines: 32
Keywords: des canada nsa us
Summary: alternative standards?

> Given that we are not going to keep the algorithm secret, could we just
> tweak an existing standard [DES?] such that it renders existing hardware
> solutions for that standard incompatible with our spiffy Canadian
> version?

A good start. But I think I have a better idea.

Surely there must be plenty of independent expertise out there that
hasn't sold their souls either to the NSA or IBM (or non-US counterparts
thereof).  Why can't they get together and develop an informal
"counterstandard" secret-key encryption algorithm as an alternative to
DES? It would have the following properties:

1. Complete public disclosure of all algorithmic details and design
principles.

2. A widespread consensus as to the mathematical strength of the algorithm,
given point #1 above.

3. A design tailored for efficient software implementation (no "initial
permutations" or similar gratuitous garbage meant to sabotage software
in favor of custom hardware).  Unfortunately, this seems to rule out
public-key systems; that's why I said "secret-key" above.

4. A key size sufficient to rule out all brute force attacks, even those
by custom hardware.

If such an algorithm can be devised, I for one would be willing to
implement it in portable C, tune it up, and put the code into the public
domain. Comments?

Phil