[Cryptography] ratcheting DH strengths over time

Jerry Leichter leichter at lrw.com
Mon Nov 16 15:34:58 EST 2015


>> Our symmetric cryptography, on the other hand, is based on
>> algorithms that we believe cannot be attacked using anything
>> significantly better than a brute-force attack.
> 
> However, it is frequently the case that this proves false. See again
> RC4,
[Funny, I've often argued the opposite side on this question.]

I don't believe anyone ever saw RC4 as in a class with modern block encryption algorithms.  Little oddities were found pretty much as soon as the algorithm became public.  It took a while to turn them into practical attacks.

DES has been subject to public attacks for forty years now.  (It was subject to more attacks internally at IBM, and by NSA (take that for what you will) for several years before that.)  To this day, there are no attacks significantly better than brute force.  That's quite a track record.

IDEA has been around for 25 years.  The best known attacks reduce the complexity from 2^128 to about 2^126.

Skipjack, the encryption algorithm proposed as part of the infamous Clipper chip, has been under public attack for about 17 years; the NSA claimed they had done 10 years of vetting before declassifying it.  No significant attacks have been published.

AES has been around for about 15 years, and is probably the most attacked cryptographic algorithm in existence.  (Well, maybe after DES.)  The best attack is from 2^128 to 2^126.  (This is the same biclique attack that gets about the same advantage over IDEA.)

None of this *guarantees* anything.  Someone could come up with an attack that demolishes some broad class of cryptographic algorithms tomorrow.  But as engineering/risk bets, modern block algorithms are pretty good.

> various hash functions, etc., and even various cryptographic
> modes (like various block cipher modes) that prove less secure than
> was previously believed.
Hash functions have indeed been problematic.  Note, however, where attacks on them are the most hazardous:  When they are used as part of signature algorithms.  Eliminate the signatures and you don't need the hash functions.  It's not clear why a signature is needed in a SCADA system using shared keys.  A MAC is quite enough to guarantee authenticity, and we know how to build those from a symmetric encryption algorithm.

The fancier cryptographic modes that try to provide too much have gotten hit.  The basic modes - CBC, CTR - continue to provide the guarantees they always did.  You do have to be careful about understanding *exactly what* they guarantee.

> Over the long term, one needs to be able to abandon one cipher suite
> and move to another. Sadly, that has proven hard in practice.
If you can determine that your current cryptographic mechanisms are becoming weak long enough ahead of time that you can trust them to deliver an update ... a solution is, in principle, possible.

Against a "0-day" attack, only rip out and replace can possibly work.

                                                        -- Jerry
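The point above that a MAC built from a symmetric block cipher is enough for authenticity with shared keys, and that the basic modes keep their (limited) guarantees, is illustrated by the following added example. It is not code from the original post or from the list; it builds AES-CMAC (RFC 4493) from nothing but the forward direction of AES-128. The AES here is a minimal pure-Python textbook implementation written for this illustration (readable, not constant-time, not for production), and the sample messages are constructed.

```python
"""AES-CMAC (RFC 4493) built from a bare AES-128 block encryption.

Added illustration for this thread: a MAC built from a symmetric block cipher
using only the forward (encrypt) direction.  The AES-128 below is a minimal
pure-Python textbook implementation (constructed for readability; not
constant-time, not for production).  Messages are constructed samples.
"""
import hmac


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """Derive the S-box: GF(2^8) inverse followed by the affine map (FIPS 197)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s, t = inv, inv
        for _ in range(4):                      # xor of rotations by 1..4
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is column-major like the input."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                        # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                    # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                for r in range(4):
                    out.append(_gf_mul(a[r], 2) ^ _gf_mul(a[(r + 1) % 4], 3)
                               ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                         # AddRoundKey
    return bytes(s)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _dbl(block):
    """Doubling in GF(2^128), used to derive the CMAC subkeys K1 and K2."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(16, "big")


def aes_cmac(key, msg):
    """16-byte AES-CMAC tag of msg under a 16-byte key (RFC 4493)."""
    k1 = _dbl(aes128_encrypt_block(key, bytes(16)))
    k2 = _dbl(k1)
    n = max(1, (len(msg) + 15) // 16)
    body, last = msg[:16 * (n - 1)], msg[16 * (n - 1):]
    if len(last) == 16:
        last = _xor(last, k1)                                   # complete last block
    else:
        last = _xor(last + b"\x80" + bytes(15 - len(last)), k2)  # 10...0 padding
    x = bytes(16)
    for i in range(0, len(body), 16):       # CBC chaining; ciphertext never leaves
        x = aes128_encrypt_block(key, _xor(x, body[i:i + 16]))
    return aes128_encrypt_block(key, _xor(x, last))


def cmac_verify(key, msg, tag):
    """Constant-time tag comparison; an altered message or tag is rejected."""
    return hmac.compare_digest(aes_cmac(key, msg), tag)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # RFC 4493 key
    msg = b"open valve 7"                                     # constructed sample
    tag = aes_cmac(key, msg)
    print("tag:", tag.hex())
    print("genuine accepted:", cmac_verify(key, msg, tag))
    print("tampered accepted:", cmac_verify(key, b"open valve 8", tag))
```

The subkey and padding handling is what turns raw CBC-MAC (secure only for fixed-length messages) into a MAC that is safe for variable-length input; the CBC chain itself is the same one the encryption mode uses, with no ciphertext block ever released.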