[Cryptography] On the Impending Crypto Monoculture

Andrew Donoho awd at ddg.com
Fri Mar 25 01:27:23 EDT 2016


> On Mar 24, 2016, at 18:55 , Brian Gladman <brg at gladman.plus.com> wrote:
> 
> We certainly want to reduce the 'size' of our multi-culture but moving
> to the other end of the spectrum is surely not the answer, especially so
> if this means throwing out primitives that have proved to be effective.

Gentlefolk,

	Admittedly, I’m new to this list and, as an iOS developer, I am limited in my algorithm choices by what Apple provides. (For example, Apple, internal to the OS, uses ECC, but they only allow us hoi polloi to use the suite below.) But let’s look at that list and compare it to NSA Suite B. Basically, I can implement Suite B communications as they specify today.

Suite B for TS        iOS Available
AES-256-CBC           X
SHA-384               X
HMAC-SHA-384          X
RSA-3072 sign         X
RSA-3072 enc          X

ECDH-P-384
ECDSA-P-384
DH Key exchange

	In my app’s code, I’ve only used AES-256-CBC, SHA-256, HMAC-SHA-256, and RSA-2048. (Yes, I use encrypt-then-MAC.) The larger SHA modes and RSA modulus sizes are supposed to be supported, but I haven’t yet needed to use them in my applications.

	Do I need to move to the Bernstein monoculture? I’ve used other code Dan has written. By and large, I like how he does things. But the above suite isn’t broken. It is old and boring. It looks like a monoculture of existing NIST/IETF standards to me. It may be computationally expensive, but I’ve got two 1.5 GHz, 64-bit ARM cores. I don’t really notice the load. I’ve got an excellent high-entropy random number source. It seems straightforward to implement a robust secure system with these primitives. To move off of Apple’s stack, I have two problems. First, I need to bring the crypto code. Second, I then get pushed out of BIS commodity crypto status. Neither of these things is good for my business. The latter can seriously limit my ability to go to market.

	Is there something in the above set of primitives that NSA and Apple have gotten wrong? While some may consider me naïve, I think I’m OK where my code is. Should I worry? Should I move to the Bernstein stack?

Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

Essentially, all models are wrong, but some are useful.
	— George E.P. Box
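The encrypt-then-MAC construction Andrew describes above (AES-256-CBC for confidentiality, HMAC-SHA-256 over the ciphertext for integrity), written out as an added example in Go. This is not code from the original message, from Apple's CommonCrypto, or from anyone on the list; it uses only Go's standard library. The wire layout (iv || ciphertext || tag), the use of two independent 32-byte keys, the function names Seal/Open and the sample plaintext are this example's own assumptions. The point it makes that the paragraph does not: the receiver must verify the HMAC, in constant time, before it touches the ciphertext or the PKCS#7 padding, and must return the same error for every failure, otherwise "old and boring" CBC turns into a padding oracle.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed wire format for this example (not Apple's API, not from the list):
//   iv (16) || AES-256-CBC ciphertext || tag (32), tag = HMAC-SHA-256(macKey, iv||ct)
// Encryption and MAC keys are separate; never reuse the AES key for HMAC.
const ivSize, tagSize = aes.BlockSize, sha256.Size

// ErrAuth is the single error for any tampered or malformed message, so the
// decryptor never tells an attacker whether the MAC or the padding was wrong.
var ErrAuth = errors.New("etm: authentication failed")

// pkcs7Pad appends 1..16 bytes, each equal to the pad length.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding; only ever reached after the MAC verified.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, ErrAuth
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrAuth
		}
	}
	return b[:len(b)-n], nil
}

// Seal: AES-256-CBC under encKey with a fresh random IV, then HMAC-SHA-256
// under macKey over iv||ciphertext (the MAC covers the IV too).
func Seal(encKey, macKey, pt []byte) ([]byte, error) {
	if len(encKey) != 32 {
		return nil, errors.New("etm: encKey must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), pt...)) // copy so caller's slice is untouched
	out := make([]byte, ivSize+len(padded), ivSize+len(padded)+tagSize)
	if _, err := rand.Read(out[:ivSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:ivSize]).CryptBlocks(out[ivSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // appends the 32-byte tag
}

// Open verifies the tag with a constant-time compare before any decryption,
// so a forged or bit-flipped message never reaches the padding check. That
// ordering is the whole reason encrypt-then-MAC is the safe way to use CBC.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < ivSize+aes.BlockSize+tagSize {
		return nil, ErrAuth
	}
	body, tag := msg[:len(msg)-tagSize], msg[len(msg)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:ivSize], body[ivSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey) // demo keys only; in practice derive both from a KDF
	rand.Read(macKey)
	msg, _ := Seal(encKey, macKey, []byte("attack at dawn")) // constructed sample
	pt, err := Open(encKey, macKey, msg)
	fmt.Printf("%q %v\n", pt, err)
	msg[ivSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(encKey, macKey, msg)
	fmt.Println(err) // etm: authentication failed
}
```

Two design choices worth noting. The MAC is computed over the IV as well as the ciphertext, so an attacker cannot shift the first plaintext block by editing the IV. And a short message, a wrong MAC key, a flipped bit and bad padding all come back as the same ErrAuth; on the Apple stack the equivalent is checking the HMAC yourself before ever calling the CBC decrypt routine, since CommonCrypto will happily report a padding error on its own.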
