From owner-freebsd-hackers@FreeBSD.ORG Fri Mar 4 01:34:09 2005
Return-Path: 
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B726C16A4CE for ; Fri, 4 Mar 2005 01:34:09 +0000 (GMT)
Received: from machshav.com (machshav.com [147.28.0.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4583743D62 for ; Fri, 4 Mar 2005 01:34:09 +0000 (GMT) (envelope-from smb@cs.columbia.edu)
Received: by machshav.com (Postfix, from userid 512) id A34FFFB28F; Thu, 3 Mar 2005 20:34:08 -0500 (EST)
Received: from berkshire.machshav.com (localhost [127.0.0.1]) by machshav.com (Postfix) with ESMTP id 94CB1FB285; Thu, 3 Mar 2005 20:34:07 -0500 (EST)
Received: from cs.columbia.edu (localhost [127.0.0.1]) by berkshire.machshav.com (Postfix) with ESMTP id 330F83BFE3B; Thu, 3 Mar 2005 20:34:05 -0500 (EST)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
From: "Steven M. Bellovin" 
To: "Poul-Henning Kamp" 
In-Reply-To: Your message of "Thu, 03 Mar 2005 23:19:11 +0100." <11649.1109888351@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 03 Mar 2005 20:34:05 -0500
Sender: smb@cs.columbia.edu
Message-Id: <20050304013405.330F83BFE3B@berkshire.machshav.com>
X-Mailman-Approved-At: Fri, 04 Mar 2005 16:36:07 +0000
cc: tech-security@NetBSD.org
cc: hackers@freebsd.org
cc: cryptography@metzdowd.com
cc: tls@rek.tjls.com
Subject: Re: FUD about CGD and GBDE
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD 
X-List-Received-Date: Fri, 04 Mar 2005 01:34:09 -0000

In message <11649.1109888351@critter.freebsd.dk>, "Poul-Henning Kamp" writes:
>I have studied the AES papers and in particular the attacks and
>criticisms of it very carefully, and they have proven a whole lot
>of things to be impossible, but they have not proven that there
>are not more that needs to be proven impossible.
>
>When DES was designed, nobody knew that differential attacks existed.

No, no one in the open sector knew.  DES was specifically designed to
resist differential cryptanalysis.  The best source for information on
how DES was designed is Don Coppersmith's paper "The Data Encryption
Standard (DES) and its strength against attacks", IBM Journal of
Research and Development, Vol. 38, No. 3, pp. 243-250, May 1994.

It's worth noting that in the ~30 years since DES was designed, exactly
*one* attack significantly better than brute force was found: linear
cryptanalysis.  Coppersmith's paper shows how that could have been
prevented, too.

A few years ago, Biham came up with a 2^79 attack against a
slightly-weakened version of Skipjack, an NSA cipher.  I mentioned that
to a friend who has -- let's say "connections".  He smiled and said
"2^79 complexity against an 80-bit cipher?  I don't call that an attack,
I call that good engineering".

Since then, I've heard other statements from well-connected people that
boil down to this: NSA has a deep understanding of how strong a cipher
is.  In that vein, I'll note that 256-bit AES is approved for Top Secret
traffic.

>
>Shortly after AES was gold-plated the earlier mentioned attack
>method where it is decomposed into a massive number of equations
>was presented.
>

As noted, that attack is discredited.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb