[Cryptography] quantum computers & crypto

Ray Dillinger bear at sonic.net
Sat Nov 6 01:11:52 EDT 2021



On 11/6/21 2:07 AM, Jerry Leichter wrote:


> This kind of thing requires *great* care.  We went through it with DES, and discovered that it's really, really hard to safely extend the key length.  In fact, as I recall it was shown that DES with no key scheduling at all - but rather a key as long as the entire schedule - was actually no stronger than DES.
>
> The paper you mention may well have considered this; I haven't looked at it.  But beware of "obvious" improvements to algorithms.  They often aren't improvements at all.
>                                                         -- Jerry
>

DES is a rather spectacular example of a cipher built to a particular
level of security and then limited in every particular to exactly that
level of security and no more.  There is nothing in excess.  The amount
of processing done limits the security to exactly the same regardless of
key length; the key length limits the security to exactly the same
regardless of processing power.  There was no single extension or
widening of it that would matter without re-doing the design work and
making corresponding extensions in all other particulars.

I have no doubt that that's exactly as intended, and given the intention
I have to really admire the people who were able to do such an extremely
precise job of it.  We're talking about "safety margins" now but DES was
very deliberately built to have exactly no safety margin anywhere,
without being any weaker specifically for its lack.

I like to think of it as a good example of making every part equally
secure - so that there's no single thing that is obviously the weakest
link.  But I would not like to think of it as setting a precedent of
having zero safety margins and zero regard for the inevitably higher
requirements of coming years.

Bear



More information about the cryptography mailing list