Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: sci.crypt
Subject: Re: Request for opinions: canadian cryptographic standard.
Message-ID: <7547@brl-smoke.ARPA>
Date: 25 Mar 88 16:56:37 GMT
References: <2463@geac.UUCP> <17654@watmath.waterloo.edu> <2475@geac.UUCP> <2414@unicus.UUCP> <1009@thumper.bellcore.com>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 41
Keywords: des canada nsa us

In article <1009@thumper.bellcore.com> karn@thumper.bellcore.com (Phil R. Karn) writes:
>Surely there must be plenty of independent expertise out there that
>hasn't sold their souls either to the NSA or IBM (or non-US counterparts
>thereof). Why can't they get together and develop an informal
>"counterstandard" secret-key encryption algorithm as an alternative to
>DES?

The main reason is that very few of the "public" cryptologists are
qualified cryptanalysts; training of the latter is almost exclusively
done by government agencies who intimidate their employees into Never
Saying Anything. Knowledge that the secret agencies have is not
generally available to help the public evaluate cryptosystems.

>1. Complete public disclosure of all algorithmic details and design
>principles.

One of the problems is that the secret agencies tend to jealously guard
design principles. For example, the Lucifer S-boxes were strengthened
using guidelines that I believe have never been publicly disclosed.

>2. A widespread consensus as to the mathematical strength of the algorithm,
>given point #1 above.

Consensus means little. What you want is for several independent
attacks by competent cryptanalytic teams to fail to find exploitable
weaknesses. Few systems would pass such a test. Note that there have
been several recent public cryptosystems for which the (public)
consensus initially was that they were secure, and only later was it
shown that the consensus had been wrong.

>4. A key size sufficient to rule out all brute force attacks, even those
>by custom hardware.

Brute-force attacks are stupid. Of course they must be made
impractical, but so must more clever techniques. Guaranteed security at
a certain confidence level requires a key length comparable in size to
the amount of text being encrypted (just how much less depends on
details of the system). This brings up the practical issue of key
distribution. Most common systems implement a compromise that relies
more on system complexity than on information-theoretic security. But
you still need frequent key changes.
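The last paragraph of the post states the information-theoretic point that guaranteed secrecy needs a key about as long as the text it protects. The following is an added illustration, not part of the original post or anything its author wrote: a toy XOR cipher over 4-bit messages in which a key shorter than the message is stretched by plain repetition (an assumed, deliberately weak key schedule chosen only to model "key shorter than text"). For each ciphertext it computes the posterior distribution over plaintexts and checks Shannon's perfect-secrecy condition: with a key as long as the message every plaintext remains equally likely, while a shorter key leaves only 2^(key bits) candidates, which is the bound the post is pointing at and the reason a key eventually has to be changed.

```python
from fractions import Fraction

def keystream(key: int, key_bits: int, n_bits: int) -> int:
    """Stretch a key_bits-bit key to n_bits by repeating its bits.

    This is an assumed toy key schedule, used only so that the same
    model covers both 'key as long as the text' (key_bits == n_bits)
    and 'key shorter than the text' (key_bits < n_bits)."""
    stream = 0
    for i in range(n_bits):
        bit = (key >> (i % key_bits)) & 1
        stream |= bit << i
    return stream

def encrypt(plaintext: int, key: int, key_bits: int, n_bits: int) -> int:
    """XOR the plaintext with the (possibly repeated) key stream."""
    return plaintext ^ keystream(key, key_bits, n_bits)

def posterior(ciphertext: int, n_bits: int, key_bits: int) -> dict:
    """P(M = m | C = c) assuming a uniform prior over all n_bits-bit
    messages and a uniformly chosen key_bits-bit key.

    Each key maps the ciphertext back to exactly one plaintext, so the
    posterior is just the share of keys that decrypt to each m."""
    counts: dict = {}
    for key in range(1 << key_bits):
        m = ciphertext ^ keystream(key, key_bits, n_bits)
        counts[m] = counts.get(m, 0) + 1
    total = sum(counts.values())
    return {m: Fraction(c, total) for m, c in counts.items()}

def candidate_plaintexts(ciphertext: int, n_bits: int, key_bits: int) -> set:
    """Plaintexts an observer cannot rule out after seeing the ciphertext."""
    return set(posterior(ciphertext, n_bits, key_bits))

def has_perfect_secrecy(n_bits: int, key_bits: int) -> bool:
    """Shannon's condition: for every ciphertext the posterior over
    plaintexts must equal the prior, i.e. the ciphertext tells the
    observer nothing at all about the message."""
    prior = Fraction(1, 1 << n_bits)
    for c in range(1 << n_bits):
        post = posterior(c, n_bits, key_bits)
        if len(post) != (1 << n_bits):
            return False  # some plaintexts have been ruled out
        if any(p != prior for p in post.values()):
            return False  # some plaintexts are now more likely than others
    return True

if __name__ == "__main__":
    n = 4                     # constructed toy message size: 4 bits
    c = 0b1010                # constructed sample ciphertext
    for k in (4, 3, 2, 1):
        cands = candidate_plaintexts(c, n, k)
        print(f"key {k} bits / text {n} bits: "
              f"{len(cands)} plaintexts still possible, "
              f"perfect secrecy = {has_perfect_secrecy(n, k)}")
```

The script is a model of the bound, not a measurement of any real cipher: practical systems hide the key-to-text ratio behind a complex key schedule, which is exactly the "compromise that relies more on system complexity" the post describes. The model does show the shape of the argument, though: every bit by which the key is shorter than the text halves the number of messages the ciphertext can conceal, and that ratio only gets worse the longer one key is kept in use.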