Protocol Construction WAS Re: Fast MAC algorithms?

Joseph Ashwood ashwood at msn.com
Sun Aug 2 08:46:12 EDT 2009


--------------------------------------------------
From: "Ray Dillinger" <bear at sonic.net>
Subject: Re: Fast MAC algorithms?

> I mean, I get it that crypto is rarely the weakest link in a secured
> application.  Still, why are folk always designing and adopting
> cryptographic tools for the next decade or so instead of for the
> next few centuries?

Because we have no idea how to do that. If you had asked 6 months ago, we 
would have said AES-256 will last at least a decade, probably 50 years. A few 
years before that we were saying that SHA-1 is a great cryptographic hash. 
Running the math a few years ago, I determined that, with the trajectory of 
cryptographic research, it would have been necessary to create a well over 
1024-bit hash with behaviors that are perfect by today's knowledge just to 
last a human lifetime. Since then the trajectory has changed significantly, 
and the same exercise today would probably result in 2000+ bits; 
extrapolating the trajectory of the trajectory, the size would be entirely 
unacceptable. So, in short, collectively we have no idea how to make 
something secure for that long.

> So far, evidence supports the idea that the stereotypical Soviet
> tendency to overdesign might have been a better plan after all,
> because the paranoia about future discoveries and breaks that motivated
> that overdesign is being regularly proven out.

And that is why Kelsey found an attack on GOST, and why there is a class of 
weak keys. That is the problem: all future attacks are, rather by definition, 
a surprise.

> This is fundamental infrastructure now!  Crypto decisions now
> support the very roots of the world's data, and the cost of altering
> and reversing them grows ever larger.

By scheduling likely times for upgrades, the costs can be assessed better and 
scheduled better, and this works far better for business than the "OH ****. OUR 
**** IS BROKEN" experience that always results from trying to plan for 
longer than a few years at a time. It is far cheaper to build within the 
available knowledge, and design for a few years.


> If you can deploy something once, even something that uses three
> times as many rounds or key bits as you think now that you need,

Neither of those is a strong indicator of security. AES makes a great 
example: AES-256 has more rounds than AES-128, AES-256 has twice as many key 
bits as AES-128, and AES-256 has more attacks against it than AES-128. An 
increasing number of attack types are immune to the number of rounds, and 
the number of key bits has rarely been a real issue.

There is no way of predicting the far future of cryptography; it is hard enough 
to predict the reasonably near future.
                    Joe

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
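The "design for a few years and schedule the upgrade" approach Joe argues for has a concrete engineering shape: every MAC tag carries an algorithm identifier, the verifier accepts a small set of algorithms, the legacy one is accepted only until a planned sunset date, and keys are separated per algorithm so that a break of the old primitive does not expose the key used by the new one. The following is an added example written for this page, not code from the thread or from any project mentioned in it; the registry (`ALGS`), the function names, the tag layout and the sunset date are all assumptions made for illustration.

```python
"""Versioned MAC tags with a scheduled algorithm upgrade (added example).

Layout of a tag blob (assumption for this example):
    1 byte algorithm id || truncated HMAC tag of that algorithm's length
"""
import hmac
import struct
from datetime import date

# Algorithm registry: id -> (hash name, tag length in bytes).
# The ids and the choice of algorithms are hypothetical.
ALGS = {
    1: ("sha1", 20),     # legacy algorithm being retired
    2: ("sha256", 32),   # current algorithm
}

# Which algorithm new tags are issued with.
ISSUE_ALG = 2

# Upgrade schedule: from this (hypothetical) date on, tags made with the
# legacy algorithm are refused outright instead of merely flagged.
SUNSET = {1: date(2010, 1, 1)}


def derive_key(master_key: bytes, alg_id: int) -> bytes:
    """Per-algorithm subkey so that a break of one algorithm does not leak
    the key material the other algorithm uses (simple HMAC-based KDF)."""
    return hmac.new(master_key, b"mac-key-v%d" % alg_id, "sha256").digest()


def issue_tag(master_key: bytes, message: bytes, alg_id: int = ISSUE_ALG) -> bytes:
    """Produce a versioned tag: algorithm id byte followed by the HMAC."""
    name, tlen = ALGS[alg_id]
    tag = hmac.new(derive_key(master_key, alg_id), message, name).digest()[:tlen]
    return struct.pack(">B", alg_id) + tag


def verify_tag(master_key: bytes, message: bytes, blob: bytes, today: date) -> bool:
    """Accept a tag only if its algorithm is known, not yet sunset, the blob
    has exactly the expected length, and the HMAC matches (constant time)."""
    if len(blob) < 1:
        return False
    alg_id = blob[0]
    if alg_id not in ALGS:
        return False
    if alg_id in SUNSET and today >= SUNSET[alg_id]:
        return False
    name, tlen = ALGS[alg_id]
    if len(blob) != 1 + tlen:
        return False
    expected = hmac.new(derive_key(master_key, alg_id), message, name).digest()[:tlen]
    return hmac.compare_digest(expected, blob[1:])


def needs_reissue(blob: bytes) -> bool:
    """True if a (valid) tag was made with anything other than the current
    algorithm, so the caller can re-tag data as it is read back."""
    return len(blob) >= 1 and blob[0] != ISSUE_ALG


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    key = b"\x01" * 32
    msg = b"GET /account/42"
    old = issue_tag(key, msg, 1)
    new = issue_tag(key, msg)
    print("legacy tag accepted before sunset:", verify_tag(key, msg, old, date(2009, 8, 2)))
    print("legacy tag accepted after sunset: ", verify_tag(key, msg, old, date(2010, 1, 1)))
    print("current tag accepted:             ", verify_tag(key, msg, new, date(2010, 1, 1)))
    print("legacy tag needs reissue:         ", needs_reissue(old))
```

The verifier checks the algorithm id before doing anything else, so an attacker who controls the id byte cannot redirect a tag for one algorithm at another: the length check and the per-algorithm subkey both fail for a swapped id. `needs_reissue` is what makes the migration incremental: data tagged with the legacy algorithm is re-tagged on read, and by the sunset date nothing should still depend on it.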
