[144669] in cryptography@c2.net mail archive
Protocol Construction WAS Re: Fast MAC algorithms?
daemon@ATHENA.MIT.EDU (Joseph Ashwood)
Sun Aug  2 13:03:26 2009
From: "Joseph Ashwood" <ashwood@msn.com>
To: "Ray Dillinger" <bear@sonic.net>
Cc: <cryptography@metzdowd.com>
In-Reply-To: <1249151086.16553.71.camel@janus.pagansexcult.org>
Date: Sun, 2 Aug 2009 05:46:12 -0700
--------------------------------------------------
From: "Ray Dillinger" <bear@sonic.net>
Subject: Re: Fast MAC algorithms?
> I mean, I get it that crypto is rarely the weakest link in a secured
> application.  Still, why are folk always designing and adopting
> cryptographic tools for the next decade or so instead of for the
> next few centuries?
Because we have no idea how to do that. If you had asked 6 months ago we 
would've said AES-256 will last at least a decade, probably 50 years. A few 
years before that we were saying that SHA-1 is a great cryptographic hash. 
Running the math a few years ago I determined that with the trajectory of 
cryptographic research it would've been necessary to create a well over 
1024-bit hash with behaviors that are perfect by today's knowledge just to 
last a human lifetime. Since then the trajectory has changed significantly, 
and the same exercise today would probably result in 2000+ bits; 
extrapolating the trajectory of the trajectory, the size would be entirely 
unacceptable. So, in short, collectively we have no idea how to make 
something secure for that long.
> So far, evidence supports the idea that the stereotypical Soviet
> tendency to overdesign might have been a better plan after all,
> because the paranoia about future discoveries and breaks that motivated
> that overdesign is being regularly proven out.
And that is why Kelsey found an attack on GOST, and why there is a class of 
weak keys. That is the problem: all future attacks are rather by definition 
a surprise.
> This is fundamental infrastructure now!  Crypto decisions now
> support the very roots of the world's data, and the cost of altering
> and reversing them grows ever larger.
By scheduling likely times for upgrades, the prices can be assessed better and 
scheduled better, and it works far better for business than the "OH ****. OUR 
**** IS BROKEN" experience that always results from trying to plan for 
longer than a few years at a time. It is far cheaper to build within the 
available knowledge and design for a few years.
> If you can deploy something once, even something that uses three
> times as many rounds or key bits as you think now that you need,
Neither of those is a strong indicator of security. AES makes a great 
example: AES-256 has more rounds than AES-128, AES-256 has twice as many key 
bits as AES-128, and AES-256 has more attacks against it than AES-128. An 
increasing number of attack types are immune to the number of rounds, and 
key bits have rarely been a real issue.
There is no way of predicting the far future of cryptography; it is hard enough 
to predict the reasonably near future.
                    Joe 
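The "design for a few years and schedule the upgrade" position argued in the message above is, in protocol terms, algorithm agility: the MAC tag carries an identifier for the algorithm that produced it, the verifier keeps a registry of which identifiers it still accepts and until when, and retiring a primitive is a registry change rather than a wire-format break. The example below is an added illustration written for this archive page; it is not code from the thread or from either poster. The algorithm ids, hash choices and sunset dates in the registry are constructed assumptions. Two details a practitioner would insist on are included: the algorithm id is fed into the HMAC input, so a tag cannot be relabelled as a weaker algorithm without failing verification, and tags are compared in constant time.

```python
import hmac
import hashlib
from datetime import date

# Constructed registry of MAC algorithms: id -> (hash name, last day the
# verifier still accepts tags made with it, or None for no scheduled sunset).
# Ids, hash choices and dates are illustrative assumptions for this example.
MAC_REGISTRY = {
    1: ("sha1", date(2010, 12, 31)),
    2: ("sha256", date(2015, 12, 31)),
    3: ("sha512", None),
}

# Algorithm every freshly produced tag uses; bumping this is the "upgrade".
CURRENT_ALG = 3


def _hmac(key: bytes, alg: int, msg: bytes) -> bytes:
    """HMAC over alg_id || msg, so the id a verifier reads out of the tag
    is itself authenticated and cannot be swapped for a weaker one."""
    name, _sunset = MAC_REGISTRY[alg]
    return hmac.new(key, bytes([alg]) + msg, getattr(hashlib, name)).digest()


def mac_tag(key: bytes, msg: bytes, alg: int = CURRENT_ALG) -> bytes:
    """Produce a self-describing tag: one byte of algorithm id, then the HMAC."""
    return bytes([alg]) + _hmac(key, alg, msg)


def verify_tag(key: bytes, msg: bytes, tag: bytes, today: date) -> bool:
    """Accept the tag only if its algorithm is registered, not yet past its
    scheduled sunset, and the HMAC matches (constant-time comparison)."""
    if len(tag) < 2:
        return False
    alg = tag[0]
    entry = MAC_REGISTRY.get(alg)
    if entry is None:
        return False                      # unknown or withdrawn algorithm
    _name, sunset = entry
    if sunset is not None and today > sunset:
        return False                      # past its planned retirement date
    return hmac.compare_digest(_hmac(key, alg, msg), tag[1:])


def demo_results() -> dict:
    """Run the scheme through the cases that matter: an old-algorithm tag
    before and after its sunset, a current tag, a tampered message, and a
    downgrade attempt that relabels a sha512 tag with the sha1 id."""
    key = b"\x11" * 32                    # constructed demo key
    msg = b"constructed sample message"
    old = mac_tag(key, msg, alg=1)
    new = mac_tag(key, msg)
    return {
        "old_len": len(old),
        "new_len": len(new),
        "old_before_sunset": verify_tag(key, msg, old, date(2009, 8, 2)),
        "old_after_sunset": verify_tag(key, msg, old, date(2011, 1, 1)),
        "new_after_old_sunset": verify_tag(key, msg, new, date(2011, 1, 1)),
        "tampered_msg": verify_tag(key, msg + b"x", new, date(2011, 1, 1)),
        "downgraded_id": verify_tag(key, msg, bytes([1]) + new[1:], date(2009, 8, 2)),
        "unknown_id": verify_tag(key, msg, bytes([9]) + new[1:], date(2009, 8, 2)),
        "empty_tag": verify_tag(key, msg, b"", date(2009, 8, 2)),
    }


if __name__ == "__main__":
    for name, value in demo_results().items():
        print(f"{name}: {value}")
```

Rotating to a new primitive means adding a registry entry and raising `CURRENT_ALG`; the old entry keeps a sunset date so both sides know when tags made with it stop being honoured, which is the scheduled, budgetable upgrade the message contrasts with an emergency replacement.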
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com