Cryptography-Digest Digest #437, Volume #9 Wed, 21 Apr 99 11:13:09 EDT
Contents:
Re: Question on confidence derived from cryptanalysis. ("Trevor Jackson, III")
----------------------------------------------------------------------------
Date: Wed, 21 Apr 1999 19:20:30 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Geoff Thorpe wrote:
>
> Hi,
>
> Terry Ritter wrote:
> >
> > On Tue, 20 Apr 1999 00:28:14 -0400, in <[EMAIL PROTECTED]>,
> > in sci.crypt Geoff Thorpe <[EMAIL PROTECTED]> wrote:
> > >
> > >I disagree - and I disagree with every sentence moreover. I may not
> > >design ciphers but I can definitely slug it out with most people
> > >regarding probability theory, statistics, and logic.
> >
> > You may be willing to "duke it out," as though this were some sort of
> > winner-take-all contest, but if you believe your logic is compelling,
> > you will have to think again. Not only am I not compelled, I am
> > appalled to see you repeating things over and over, in the apparent
> > illusion that this has some relation to logic or scientific argument.
>
> Other parts of your posts refer to your ideas and your technologies and
> your experience, etc. I do not claim familiarity with your ideas, but
> moreover I was attempting to say that I also do not claim to be a cipher
> designer. I am a scientist however, and was tiring of your attempts to
> state what I saw as broad, arrogant, and overly pessimistic views as
> fact together with implications of naivety and ignorance on my (and
> others?) part. I also have no desire to "duke it out", "lock horns", or
> any such thing - just wanted to make sure you understood that not being
> a cipher designer does not mean I'm going to lie down, take your
> statements as authoritative when I genuinely disagree with some of your
> fundamental points.
>
> > >I also have to
> > >assist with various API designs and have been on the (l)using end of
> > >quite a few if we want to talk standards, picking algorithms, and
> > >covering butts (oh yeah, I've done quite a bit of Risk Management
> > >related stuff too).
> >
> > What a guy you are I'm sure. Let's get on with it:
>
> yadayadayada. I have a vague idea now of some of your areas of expertise
> as per your posts and the peripheral discussion. You seem to have no
> tolerance for my views on the matter so I thought it appropriate to at
> least let you know that I'm not some bunny out on a limb here. However,
> I'm of the impression that my problem here is not that you won't
> consider my opinion as worthy of some merit, so much as you won't
> consider any other opinion than your own as worthy of merit. Mind you, I
> recall that recently you categorically discarded the considered views of
> Mr Schneier and others so I guess credentials are a waste of time anyway
> - I should have thought of that.
>
> > else's capabilities. It is not my *opinion* that any cipher we have
> > *might* possibly break -- that is fact. I assume the worst case, and
> > propose systems to provide strength even then.
>
> Exactly, you assume the worst case. Whilst you certainly will never be
> accused of lacking precaution, why should I accept that your position is
> the only appropriate one to adopt? The world operates a lot more
> pragmatically than you might be prepared to accept, and naturally we
> roll the dice as a result - memories of the ice-storm in Montreal and
> the massive power-outage in Auckland, New Zealand (particularly relevant
> to me) flood to me at this point. Individually, each failure is roundly
> criticised and everyone pats themselves on the back as to why they
> wouldn't have fallen into that particular trap.
>
> I could get killed the very next time I go driving, in fact I'm
> increasingly of the opinion there are those who wouldn't be overly upset
> about it. But I do not insist that I and others must push through
> radical measures involving gondolas, pulleys, and the abolition of
> personal automotive ownership.
Definition: Worry is the interest you pay on disasters that might not
happen.
We probably don't worry about the sun rising tomorrow, or it going out,
or it going nova. Is this because it has not done so yet? Perhaps. The
pragmatic view asserts that there is no evidence of a trend leading to
the sun behaving differently tomorrow. The scientific view asserts that
our theories of celestial mechanics forbid the earth to stop rotating
without a massive intervention and our theories of solar evolution
indicate that yellow dwarf stars do not quench or explode. Which do you
prefer?
The scientific approach is as rigorous as we can make it.
The pragmatic approach amounts to "Don't worry, be happy!"
Now, when you add in the idea of an active and superior adversary
instead of Mother Nature, the distinction is even more sharp.
>
> Before I get accused of doing precisely what I don't want to do (lock
> horns, duke it out, etc) ... let me just say that I really am warming to
> an idea implicit in all of this - and I believe it is one of yours,
> though it was Trevor I think who recently illustrated it quite well ...
> namely the employment of a standard bank of ciphers that can be invoked
> on demand in any number of possible configurations eg strung together in
> a different order every time, utilising the different modes of
> operation, etc etc. I also agree the implementation and standardisation
> headaches of this sort of scheme are not insurmountable - indeed every
> standard SSL implementation I've seen lately seems to implement most of
> the core ciphers/modes that could be used in such a scheme. I'm also
> definitely not against the idea of extensibility of frameworks to
> incorporate as-yet-unknown elements - indeed PKCS#7 probably didn't have
> DSA, ElGamal etc in mind, but now they seem to be creeping into CMS and
> that method seems to allow room to grow it again later. (If I've
> confused this with something else, someone please correct me - I could
> have my wires a little crossed right now and don't have any reference
> handy).
>
> But it seems to me, especially with regard to non-realtime applications,
> that to an extent, less-is-more ... sure a few ciphers in your pool is
> fine, especially if everyone has them. But the wholesale liberalisation of
> cipher farming seems to create a very real problem - a kind of protocol
> grid-lock. And frankly, I still place a lot of stock in what *I* rank as
> ciphers of tested strength and wouldn't want any system of mine having
> too many "new toy" ciphers creeping in. Perhaps we need to agree to
> disagree.
This issue reduces to defining the criteria for inclusion in "the
standard set" of ciphers. Another formulation of the issue would be to
define the relative ranks of the available ciphers and the number of
such ciphers necessary to realize some confidence that no breakthrough
will break the composite system.
The latter, relative, standard is tough to administer because it is
non-monotonic. The former system is monotonic, and also has the benefit
that it does not require a ranking of the ciphers, which judgement we
should expect to be non-negligibly political rather than rigorous.
Given a set of criteria for admission to "the standard set" of ciphers,
where does the diversity of the user community lead us? Predictably,
there will evolve a standard, perhaps open, framework within which
individual cipher implementations may be plugged. Initially everyone
would have "the standard set". As time passes some users will become
early adopters of new ciphers. Others will stick with the original set
even when superior (strength, performance, widespread usage) options are
available. Point is we'd have a good approximation of a market. You
could choose a few. Terry could choose 1024. The government could
choose its AES candidates.
This situation appeals to me much more than having the government bless
a single cipher, no matter how long or tough the competition, strict the
standards, or experienced the experts are. (At this point I lose all
ability to articulate and am reduced to...) It's just better.
Note that the desire for a market in ciphers springs from and will
motivate both designers and users in exactly the same way the market in
cipher _implementations_ does now.
>
> > Your position, dare I state it, is that you *can* estimate the
> > capabilities of your Opponents. You also say you can estimate the
> > future strength of a cipher from past tests. But for all this
> > claiming, we see no similar statements in the scientific literature.
> > So these are simply your opinions, and I see no supporting facts.
>
> Scientific literature? Ironic that it is precisely this quantity that
> you appear to place very little value in with regard to ("tested")
> cipher strength, and yet I am supposed to find some to support my view?
> Anyway - I have already said that my view (that a cipher not falling
> over despite some considerable efforts against it does merit some
> "value") is not based on any exact science. I think history, and some
> basic common sense warrant my conclusions. Your contrary opinion does
By basic common sense I suspect you mean your intuition regarding
satisficing your need for not the reality of security, but the feeling
of being secure. Thus:
1) I invite you to amplify your concept of "basic common sense" and
inspect and articulate your rationale.
2) I further invite you to consider that a harsh interpretation of your
contention would be "stay with the pack". This social behavior is
exactly why contentious positions like Terry's are valuable. The
Pundits/Leaders/Sages rely upon their power to define the position of
"the pack" to their advantage. Terry is being "unreasonable" on this
topic by refusing to compromise. About this Ben Franklin, a historical
source of basic common sense, said:
Reasonable men accommodate themselves to circumstances. Unreasonable men
accommodate circumstances to themselves. Thus, all progress is due to
unreasonable men.
> not appear to be any more scientifically founded - although it does
> appear to be a little more "absolute" or "axiomatic" (and IMHO "not
> terribly practically useful").
>
> > >Now, statement (1) is wrong.
> >
> > Which was: "1) We cannot estimate the probability that an effective
> > attack exists which we did not find."
> >
> > Since you think this is wrong, you must believe we *can* make an
> > estimate. Fine. Do it. Show me.
>
> The fact that I can drive in Quebec without getting killed for 3 months
> suggests I can probably survive another few days. I don't know what my
> chances would be in London - and maybe the insurance salesman doesn't
> either. Fine, I'll go for a drive shortly and if I STILL don't get
> killed (ie. I post again in the future to this group) then that supports
> my estimate of the probability. If you think I'm wrong, break triple-DES
> and you show me. Otherwise - neither of us is correct in any pure sense
> ... but I'm still comfortable with my approach and if others are too
> that's all that matters. Anyway, now I think about it further - exactly
> how can you possibly insist that "we cannot estimate a probability" ???
> Sounds absurd. Particularly with something that has any historical
> record at all?
OK, state one. What is the probability of you dying the next time you
drive in Quebec?
Note that if you research some actuarial data or insurance estimates
you'll have to determine whether the field of crypto provides enough
data to support similar statistical estimates.
IMHO, we have no taxonomy of ciphers that would allow us to distinguish
the ciphers of interest from the garbage most people use for security.
The analogous gap in the driving situation would be to try and evaluate
the driving statistics of every vertebrate in Quebec.
>
> As someone with a love of pure mathematics, it does feel a little
> disturbing to be arguing a point with someone where it is *I* who am on
> the fuzzy, pragmatic, approximation side of the fence and the other is
> arguing puristically.
>
> > Alas, what people believe is not science.
>
> But what people believe influences what they will and will not do (and
> will or will not put up with). And unless a scientist can *prove*
> absolutes they will have difficulties imposing absolutes. Perhaps a good
> way to measure this is to ask an insurance-brokerage expert to comment
> on the insurability (premiums etc) on an information resource secured
> using your approach versus something like I prefer. Not a single ounce
> of "science" will enter into this equation (I suppose) and yet I can't
> imagine a more adequate way to judge the situation - after all, it is
> these kind of people whose lives it is to cover the costs of things when
> they go wrong.
There's a massive gap here. Are we discussing what people actually do,
or what they should do if they were rational? The former is a waste of
time and bandwidth.
>
> > >year than the average "expected life". It's a very basic and common
> > >mathematical model/argument, and it's common sense.
> >
> > Oddly, no such study has appeared in the literature. That seems
> > somewhat strange, since you say it is very basic common sense.
> > Perhaps everyone else in cryptography has simply been blinded to this
> > fundamental truth. When will you write it up for us?
>
> If I hire a programmer to work with a new technology and a deadline, and
> my options (for the same money/conditions etc) are between someone who
> has demonstrated he/she can handle new technologies (in the past of
> course), and someone who *might* be able to handle new technologies, I'm
> going to hire the one with experience. A new candidate might be faster,
> hungrier, and actually better with the new technology - but why would I
> take that chance versus the chance the experienced one ran out of puff?
> True, until I try one I will not know which one was better but I'll hope
> you agree estimations, probabilities, and common sense are all present
> and can be utilised. I got a feel that your view on this was almost
> quantum mechanical - then I remembered that even QM admits probability
> distributions and expected values (and the difference between a likely
> result and an unlikely one even though each is possible until you find
> out for sure).
>
> But I digress perhaps, and we've already demonstrated we don't agree
> here so ...
The decision strategy you suggest smacks of von Neumann's classic game
theory strategy of min/max. One makes decisions in order to minimize
the maximum damage one might sustain in the rest of the game. However,
I suspect you haven't applied it fully.
When you evaluate the maximum damage you might sustain in crypto, which
would be the revelation of all of the information you want to protect,
such revelation unbeknownst to you, you'll _quickly_ jump toward
multiple layers of protection rather than faith* in a single (or few)
best** ciphers.
*opinion unsupported by fact.
**what the hell are the units of measure? NIST has carefully not stated
rigorous standards. Only vague and presumably subjective issues.
>
> > You are arguing your opinion about cipher strength. (Recall that I do
> > not argue an *opinion* about cipher strength, but instead the *fact*
> > that any cipher may be weak.) If you have compelling factual
> > evidence, I will support it. Show me the correlation you say exists.
> > Prove it. Then you can use it.
>
> I've already admitted that my "correlation" is a fuzzy one, full of
> ideas that are "compelling" (to me) here, "suggestive" (to me) there,
> etc - and that my conclusion is a fuzzy one. Perhaps then I've shown
> compelling "fuzzy" evidence. [;-) Anyway, you are saying I cannot use
> "tested strength" as a measure - and your sole reason seems to be -
> "because it could still break tomorrow". Nobody disputes the latter
> statement but it does not logically imply the blanket assertion you
> make. Not proving things one way or the other does not mean we need
> default to your assertion, that all ciphers are equal when only existing
> failures to break them are in evidence, and abandon my assertion, that
> failing to break ciphers does provide useful information for
> "estimations".
>
> And in case you ask, no - I know of NO research paper to support this
> and have no interest in attempting to create some when I'm already
> satisfied.
>
> > Nobody has any problem with you making a call for yourself and risking
> > only yourself. But if this "call" is intended to formulate what
> > "should" happen for much of society, you may need to revise your
> > estimate as to the consequences of failure. Just how much disaster
> > are you willing for us to have?
>
> The *consequences* of failure are not what I'm estimating. And again,
> I'll agree that the idea discussed before (utilising a defined set - for
> interoperability this seems necessary - of ciphers, algorithms, etc etc
> that can be jumbled around on the fly to diffuse the impact "a break"
> would have). It would be interesting, though off topic, to see how your
> absolutist approach generalises to arms control, transportation
> legislation, etc. All areas where "pragmatic fuzzies" tend to preside
> over "puristic absolutes" - even when they're of the cautionary variety.
>
> > Will it be OK for everyone to use the single standard cipher which you
> > predict is strong, if you turn out to be wrong? Will it be OK when
>
> I've already moved a bit to your side on at least one point - one single
> cipher (if they are implicitly atomic and cannot encompass the idea that
> one can effectively put what would be 3 or 4 atomic ciphers into a
> "cipher") would not be as comforting as a small (I still think "fixed",
> or at least "slow moving") collection of ciphers jumbled up to disperse
> the impact a break in any one configuration would have. I still think my
> point applies to the selection of those ciphers though.
Yes, because adversarial testing is the only standard we have. I think
the fundamental point addresses the limitations of that standard, not
its total lack of merit.
Terry's "extremism/unreasonableness" comes straight from applying that
fundamental point to the AES situation we face. When AES is over we are
no better off. In fact, if everyone adopts the AES winner we'll be
measurably _worse_ off than we are now. The unease we feel about not
knowing how good/bad our ciphers are is a healthy attitude that we
should retain. (Terry should forgive me for over interpreting his
motives).
Consider the AES to be symptomatic relief only. We'll feel better by
having a government blessed standard, one that everyone else is using,
and our unease will be soothed. That is a Bad Thing.
>
> > communications grind to a halt and incompatible low-security temporary
> > measures are instituted everywhere while a new cipher is integrated
> > into all the programs which must be replaced throughout society? Is
> > that OK with you?
>
> And quantum computers could break everything and that wouldn't be OK
> with me either. But I'm not going to resort to carrier pigeons (which
> could be broken by a large society of hunters ... oh god ... this is
> getting too much).
>
> > >Our Opponents are just well-paid versions of us, most of
> > >whom probably grew up around us, and who find their occupations not too
> > >unfathomably unethical to suffer day by day.
> >
> > This is simply breathtaking: It is appallingly, plainly, immediately
> > false even to the most casual observer. People do differ, we do have
> > limitations others do not have, and others often do take advantage of
> > knowledge to which we have no access.
>
> You still don't get what I'm saying ... YES people do differ, but I
> think continuously, not by quantum leaps that erase any relationship you
> can draw.
>
> > >Sure thing - but the whole system does not collapse down to a binary
> > >system of "broken" and "not-broken-yet" ... as you say, you put together
> > >a threat model ... consistent with your requirements and using a chosen
> > >method for judging a components "worth", and amplify it here and there
> > >as appropriate. A lot like putting together a cost-proposal I guess ...
> > >add in your known prices, choose an acceptable value for the "unknowns",
> > >amplify the costs of all the "risky" bits, add x% profit on top - and
> > >then bang another 30% on top for good measure, and generally covering
> > >your butt some more.
> >
> > Write whatever numbers you want: you cannot support them.
>
> You can be as cautious as you like and you could still get busted - you
> can be as irresponsible as you like and you COULD (not likely) get away
> with it. You can also just give up. That same model applies every time I
> write a proposal, an electricity company designs and insures an
> infrastructure, and many other real world situations. Tell me why I HAVE
> to resort to such a binary system of "broken" and "not-broken-yet". You
> don't seem to be able to support your claim that the test of time (and
> attack) does not provide a usable measure and you yourself have not
> written any numbers to try. Don't tell me and many other people with an
> interest that it's invalid to use such approaches, and then only support
> your claim by statement - particularly if you intend to then insist I
> support my own claims with numbers or proofs I'm supposed to pluck out
> of thin-air.
>
> > >3 ciphers strung in a line is, to me, a cipher.
> >
> > The distinction is that each cipher is an independent and separable
> > element which can be "mixed and matched" with any other. Each cipher
> > is tested as an independent unit, and brings whatever strength it has
> > independent of internal ciphering requirements. Dynamic mixing and
> > matching prevents having any fixed target to attack.
>
> So should good cipher design as far as I can see but I'll go along with
> you here. I see this idea as promising and will not argue with the
> premise that if you've got 5 good ones, why just stick with one - indeed
> why just stick with a fixed arrangement of that 5 (effectively making
> one very complicated, but still fixed, cipher) when you can jumble the
> order, modes of operation, etc each time. (The way in which that has
> been done would presumably become part of the "key"). I'd still prefer
> that we standardise on those 5 and maybe rotate new ones in
> "occasionally" (conservatively) in a method not-unlike the current AES
> process - ie. public exposure to candidates for a good hard thrash at
> them before actual incorporation of them into systems.
Conservativeness in your rotation schedule would be a good thing.
Consider that the expiration of a cipher under the proposed regime would
be a trivial operation. It would not trigger a frantic and massive
effort to replace a critical component of our infrastructure. We'd just
deprecate one of the component ciphers when its key size was "too
small", or a new and interesting attack developed. Note that in the
latter case the attack might not develop into a serious threat in which
case the cipher could be re-enabled easily as well.
Please consider the terms I used to describe the replacement effort:
frantic and massive. I believe these are appropriate in the situation
where a threat to the single dominant cipher appeared. Note that this
is the _best_ case for such a threat because the worst case is that an
originally open-literature researcher would have a strong temptation to
hide a serious threat in order to profit by his discovery.
Since DES did not face such a threat (that we know of; an attack, or
several, might have been co-opted by the dark side), we have not had to
go through such a convulsion. Let's not. And let's not by design
rather than by accident.
The adjectives frantic and massive used together should _terrify_ anyone
responsible for security. It is a recipe for disaster.
>
> > >You need all three in
> > >the same place and in the same order to have anything other than a
> > >"noise generator". Breaking 3 ciphers should be no more difficult than
> > >breaking one well designed one using 3 different stages
> >
> > Really? Tell me more about how ciphers are designed. How long did
> > you say you have been doing this? How many ciphers have you designed?
> > Have you measured them? Where can we see your work?
>
> Already told you I'm not a cipher designer. But there are cipher
> designers who share my view so attack the idea, not the guy saying it. I
> might also add - you're asking me to measure ciphers after having
> insisted quite strongly that any such attempt is implicitly impossible
> (with the absolute exception of breaking it).
>
> Can I take apart a modern cipher and say "that's not a cipher - look,
> it's lots of little ciphers"? All I said was the division for me between
> 3 ciphers strung in a line and one cipher with 3 stages to it seems to
> be a question of packaging and patents. One could even stretch the
> definition and include the possibility of reordering "stages" based on the
> "key". But I'm not going to suck myself into a bits-on-the-wire cipher
> designing discussion because I know I can't make a worthwhile
> contribution to it.
Do you feel confident to evaluate the merit of a crypto philosophy based
on diversity? Note that a very strong (well thought of by people who
think of these things -- an Oz-ism) cipher, IDEA, is based on just such
a philosophy. The designers explicitly stated that they included
operations from different algebraic groups in order to eliminate a
single modus that could be attacked. We are entertaining the extension
of that philosophy from the primitive operations to all of the higher
levels of organization of the cipher (let's call it a cipher _system_ --
system of ciphers).
You appear to be favoring this approach, but still dislike the
fundamental arguments for it. I find this confusing.
>
> > >regular basis. I see this as unacceptable in a real-world scenario for
> > >reasons of interoperability & standardisation, as well as security.
> >
> > What you mean is that *you* do not know how such a system would be
> > standardized and made interoperable. Then you imply this means
> > *nobody* *else* could do it either.
>
> Fair call. Let me try again then - I think there could well be some very
> useful gains made from employing standards that use multiple primitives
> that hopefully seem (barring quantum computers?) to be independent
> targets of attack, that when used in different orders, modes, etc reduce
> the chances of the whole system getting broken rather than one putting
> the house on one primitive, or one configuration of the primitives. I do
> however think we should be measuring the primitives (which you suggest
> is pointless) as best we can, and that we should use a conservative
> approach to the standardisation on those primitives and the method by
> which new ones are incorporated into the standards.
>
> If your "boolean model" of cipher strength is valid - can't this entire
> idea, when wrapped and considered as an entity in itself, then be
> implicated as just as "trust-worthy" as a single cipher that hasn't been
> broken? I would NOT regard them as equal but your argument, by
> extension, does.
Good point. We probably agree that a composite is at least as strong as
its components. But one of the fundamental flaws in using "testedness"
as a substitute for strength is that it is a subjective evaluation.
Only when we have an objective test can we actually quantify the
relative distinctions.
So, conservatively, we don't know how much weight we're carrying. To be
safe we'll have to use belt, suspenders, and LBV -- and _still_ we're
faced with the non-negligible possibility that we may not be able to
carry it all.
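The cipher-system idea argued over in this thread (a standard bank of independent components, "strung together in a different order every time" with the arrangement treated as part of the key, per-stage subkeys, and a component retired without the "frantic and massive" replacement of a single dominant cipher) written out as an added Python example. It is not code from the digest or from any of its posters. The components are constructed stand-ins (HMAC keystreams and a keyed byte substitution) with no security value of their own; what the example shows is the framework: key- and nonce-derived stage selection and ordering, subkey separation, reverse-order decryption, and deprecation. All names (`REGISTRY`, `plan`, `deprecate`, the component labels) are this example's own.

```python
import hashlib
import hmac
import random

STAGES = 3  # "3 ciphers strung in a line"


class StreamStage:
    """Keystream-XOR component; keystream = HMAC(subkey, nonce || counter).
    Constructed stand-in for a stream-mode cipher, not a real one."""

    def __init__(self, hash_name):
        self.hash_name = hash_name

    def encrypt(self, subkey, nonce, data):
        width = hashlib.new(self.hash_name).digest_size
        out = bytearray()
        for i in range(0, len(data), width):
            ks = hmac.new(subkey, nonce + i.to_bytes(8, "big"), self.hash_name).digest()
            out.extend(a ^ b for a, b in zip(data[i:i + width], ks))
        return bytes(out)

    decrypt = encrypt  # XOR with the same keystream undoes itself


class SboxStage:
    """Keyed byte-substitution component (constructed stand-in for a
    block-style stage).  It does not commute with the XOR stages, so
    decryption has to unwind the stages in reverse order."""

    def _table(self, subkey):
        table = list(range(256))
        random.Random(int.from_bytes(subkey, "big")).shuffle(table)
        return table

    def encrypt(self, subkey, nonce, data):
        table = self._table(subkey)
        return bytes(table[b] for b in data)

    def decrypt(self, subkey, nonce, data):
        inverse = [0] * 256
        for i, v in enumerate(self._table(subkey)):
            inverse[v] = i
        return bytes(inverse[b] for b in data)


# The "standard set": independently testable components (hypothetical names).
REGISTRY = {
    "stream-sha256": StreamStage("sha256"),
    "sbox-keyed": SboxStage(),
    "stream-blake2b": StreamStage("blake2b"),
    "stream-sha3": StreamStage("sha3_256"),
}
DEPRECATED = set()  # retired by policy: key too small, new attack, ...


def enabled_components():
    """Components permitted for new traffic, in a fixed canonical order."""
    return tuple(sorted(name for name in REGISTRY if name not in DEPRECATED))


def derive(master_key, label):
    """Per-purpose subkey: HMAC-SHA256(master, label).  No component ever
    sees the master key, and no two stages share a key."""
    return hmac.new(master_key, label, "sha256").digest()


def plan(master_key, nonce, enabled):
    """Choose STAGES components from `enabled` and their order.  The
    arrangement is derived from key and nonce, so it is part of the key
    material and differs from message to message."""
    if len(enabled) < STAGES:
        raise ValueError("fewer enabled components than stages")
    seed = int.from_bytes(derive(master_key, b"order|" + nonce), "big")
    return random.Random(seed).sample(list(enabled), STAGES)


def encrypt(master_key, nonce, plaintext, enabled=None):
    enabled = enabled_components() if enabled is None else enabled
    data = plaintext
    for name in plan(master_key, nonce, enabled):
        data = REGISTRY[name].encrypt(derive(master_key, b"stage|" + name.encode()), nonce, data)
    return data


def decrypt(master_key, nonce, ciphertext, enabled=None):
    """Unwind the stages in reverse.  `enabled` must be the set in force
    when the message was encrypted; a deployment would carry that set
    (or a version tag naming it) in the message header."""
    enabled = enabled_components() if enabled is None else enabled
    data = ciphertext
    for name in reversed(plan(master_key, nonce, enabled)):
        data = REGISTRY[name].decrypt(derive(master_key, b"stage|" + name.encode()), nonce, data)
    return data


def deprecate(name):
    """Retire one component.  New traffic stops using it; the framework,
    the other components and old ciphertexts are untouched."""
    DEPRECATED.add(name)


if __name__ == "__main__":
    key, nonce = b"constructed-master-key-32-bytes!", b"\x00" * 12  # constructed sample values
    old_set = enabled_components()
    ct = encrypt(key, nonce, b"meet at noon under the clock")
    print("order:", plan(key, nonce, old_set))
    deprecate("stream-sha256")
    print("order for new traffic:", plan(key, nonce, enabled_components()))
    print("old message still readable:", decrypt(key, nonce, ct, old_set))
```

Two design points worth noticing. The XOR stand-ins commute with each other, so a chain built only from them would decrypt correctly in any order; the substitution stage is there precisely so that the order matters and the decryptor is forced to know the plan. And deprecating a component changes the enabled set, which changes the derived plan for every later message but not for earlier ones, which is why `decrypt` takes the set that was in force at encryption time; a real deployment would record that set, or a version number for it, alongside the nonce rather than assume the receiver's current policy.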
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************