Date: Thu, 03 Mar 2005 20:34:05 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: tls@rek.tjls.com
Subject: Re: FUD about CGD and GBDE
Message-ID: <20050304013405.330F83BFE3B@berkshire.machshav.com>
In-Reply-To: Your message of "Thu, 03 Mar 2005 23:19:11 +0100." <11649.1109888351@critter.freebsd.dk>
In message <11649.1109888351@critter.freebsd.dk>, "Poul-Henning Kamp" writes:
>I have studied the AES papers and in particular the attacks and
>criticisms of it very carefully, and they have proven a whole lot
>of things to be impossible, but they have not proven that there
>are not more that need to be proven impossible.
>
>When DES was designed, nobody knew that differential attacks existed.

No, no one in the open sector knew. DES was specifically designed to
resist differential cryptanalysis. The best source for information on
how DES was designed is Don Coppersmith's paper "The Data Encryption
Standard (DES) and its strength against attacks", IBM Journal of
Research and Development, Vol. 38, n. 3, pp. 243-250, May 1994.

It's worth noting that in the ~30 years since DES was designed, exactly
*one* attack significantly better than brute force was found: linear
cryptanalysis. Coppersmith's paper shows how that could have been
prevented, too.

A few years ago, Biham came up with a 2^79 attack against a
slightly-weakened version of Skipjack, an NSA cipher. I mentioned that
to a friend who has -- let's say "connections". He smiled and said
"2^79 complexity against an 80-bit cipher? I don't call that an
attack, I call that good engineering". Since then, I've heard other
statements from well-connected people that boil down to this: NSA has
a deep understanding of how strong a cipher is.

In that vein, I'll note that 256-bit AES is approved for Top Secret
traffic.

>
>Shortly after AES was gold-plated the earlier mentioned attack
>method where it is decomposed into a massive number of equations
>was presented.
>

As noted, that attack is discredited.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb