[Cryptography] Recommended Process for a new cipher mode submission

Phillip Hallam-Baker phill at hallambaker.com
Thu Jul 15 12:41:59 EDT 2021


On Wed, Jul 14, 2021 at 12:50 AM Tushar Patel <tjpatel.tl at gmail.com> wrote:

> Would someone be able to recommend the right process to submit a new
> cipher-mode, gain acceptance and additionally, how to capitalize on the
> work?
>
> I have some ideas on these, however, it would be good to hear viewpoints
> from others. It would be good if authors with approved standards or ciphers
> wrote a project introspection (on the development process, hazards
> they faced, etc.) for their work, something like the Mythical Man Month
> with a bit more detail in the standardization process. Please do suggest if
> there are any existing recent books on this topic. I skimmed through a
> couple, however, they were not very useful for recent US-based procedures.
>
> Thx.,
> Tushar
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography



There are several questions that need to be answered when considering any
new cipher or operation mode.

1) What is the rationale for introducing it?

At this point performance is not going to be sufficient to motivate a new
tool unless the advantage is overwhelming. I can do AES CBC faster than I
can write to disk or the network on most devices because of hardware
support and most of those will do GCM or OCB just as fast.

The only good rationales for introducing new tools at this point are to
provide additional functionality or to take advantage of a new design
approach providing a stronger proof of security. GCM and OCB provided both:
authenticated encryption was a new type of mode, and the design of both made
use of 20+ years of developments in cryptographic proof since CBC was
developed.

In the case of the CFRG curves, we were responding to a particular attack
(Dual EC RNG) that had brought into question certain curve generation
techniques. While we can argue about just how rigid the curves really are,
we can be pretty sure there is no backdoor.

I really can't imagine us doing another curve selection contest unless
people decided we really really need >448 bit curves after all. And that is
a pretty short discussion because it's 512 bits or 521, which 521 wins, and
once you choose 521, you run the rigid parameter generator and we are done.

2) What are the costs?

Back in the 80s and 90s, the DH and RSA patents described the only way to
do public key cryptography and so the RSA Labs patent monopoly was worth
billions.

It is very hard to see how any cryptographic tool could be as valuable in
the future. The reason we use GCM over OCB is the patents (and not just
those held by Rogaway). OCB is the superior choice which is why I use OCB
in the Mesh. But GCM is the incumbent.

The canon of cryptographic features pretty much closed with the launch of
PGP 30 years ago. The only tool that isn't in PGP that we have added since
is Haber-Stornetta hash chains (aka Blockchain). And we would have been
using them since 1990 but for the patent.

Even the post quantum crypto has been around long enough for there to be
non-encumbered options.

Developing a new cryptographic election scheme (and a proof) might get you
tenure but it almost certainly won't get used. I am one of the very few
people trying to get people interested in using threshold schemes and it is
an uphill struggle which I would not be able to do in either academia or
any but the very largest industrial research labs.