[Cryptography] On the Impending Crypto Monoculture

Brian Gladman brg at gladman.plus.com
Thu Mar 24 19:55:13 EDT 2016


On 24/03/2016 21:45, Ray Dillinger wrote:
> 
> 
> On 03/24/2016 11:36 AM, Stephen Farrell wrote:
>>
>> On 24/03/16 12:41, Peter Gutmann wrote:
>>> So the (pending) Bernstein monoculture isn't necessarily a vote for Dan, it's
>>> more a vote against everything else.
>>
>> I agree with a lot of your analysis but not your title.
>>
>> Monoculture is wrong. I really don't see AES-GCM going away while
>> there's h/w support. And nor will RSA until a lot of CAs have made
>> a lot of changes, or we figure out how to do better than X.509 in
>> the real world.
> 
> Monoculture is wrong, but it's less wrong than overcomplicated
> and brittle.  Overcomplicated and brittle has been the *only*
> thing that non-monoculture solutions have shown themselves
> capable of producing so far, so this is a vote of no confidence
> in design by committee until the people on committees learn
> how important it is to design simple and solid.

I certainly agree the standardisation committees involved in
cryptographic and related protocols often produce overly complex and
convoluted designs that turn out to be fragile as a result.

But our major problems are not really with the low level primitives we
have available, quite a few of which have proved robust in practice,
but rather in the fact that we are designing to accommodate too many
options for each primitive at each level in our protocols and too many
protocols that do essentially the same job in different ways.

I can hence see why the IETF would embark on a round of protocol
rationalisation, including an effort to reduce the number of primitives
involved.  But it seems to me very odd to discard a range of primitives
that have proved to be robust and reliable in real use (AES, DH, ...).

We certainly want to reduce the 'size' of our multi-culture but moving
to the other end of the spectrum is surely not the answer, especially so
if this means throwing out primitives that have proved to be effective.

    Brian Gladman
