Re: Are These Algorithms Good?



On Sun, 03 Sep 2006 18:06:04 +0100, Peter Fairbrother
<zenadsl6186@xxxxxxxxx> wrote:

> clark wrote:
>
>> On Sun, 03 Sep 2006 12:33:20 +0100, Peter Fairbrother
>> <zenadsl6186@xxxxxxxxx> wrote:
>>
>>> [...]
>>> Skipjack isn't even a contender: ignoring the 64-bit block size, the 80-bit
>>> key is too small. Roughly speaking, people can search a 2^60 keyspace for a
>>> few thousand dollars nowadays. If Moore's law (doubling in 18 months) holds
>>> in 30 years a brute force attack will not only be possible, it will be
>>> comparatively cheap.
>>
>> Skipjack is currently a contender, and the only one from that entire
>> list that has reasonable credentials to be called reliable.
>
> You left in the bit below where I said I was talking about a general
> recommendation for use in a new system. That is important.
>
>>> Note I am taking the point-of-view of recommending a cipher for a new
>>> application, not whether a cipher is still secure. The OP seems unclear
>>> about the context of his question, so that may not be appropriate.
>
> I would consider Twofish to be reliable. I'd also think that some of the
> others, e.g. Joan Daemen's ciphers, were probably reliable in their own way
> too. But I don't know that, and I feel no need to find out in order to give
> a general recommendation.
>
> For instance, I eliminated Square on the grounds that I don't know much
> about it - it may well be secure to its 2^128-bit keyspace work, but AES is
> newer, similar and better, from the same team, and most importantly it has
> undergone a whole lot more cryptanalysis. There is no question - I'd
> recommend AES over Square just for those reasons, and that's enough to
> eliminate Square.
>
> I am not saying Skipjack is not 2^80 work secure - it may well be, although
> I have some doubts. But 2^80 work is not enough for a general
> recommendation.
>
>> Skipjack is currently fielded for doing fairly secure transactions by
>> security professionals who have far greater credentials than those
>> recommending against Skipjack in this thread.
>
> Looking only for a general recommendation for a cipher - and we don't know
> what it will be used for - Who?
>
> Tom may be an arrogant know-it-all sod (he knows a whole lot though), but he
> does have technical security/cryptography cred.
>
> Don't get personal btw, it just gets in the way.
>
>> So it is safe to say that your comments need to be tempered against
>> reality.
>>
>> Searching a 60-bit keyspace doesn't have anything to do with searching
>> an 80-bit keyspace, does it really?
>>
>> If it does please articulate how you would search an 80-bit keyspace.
>
> That's standard. You need one block of known plaintext. You trial-decrypt
> using all 2^80 keys, and test whether the result matches the plaintext. You
> might need a few more blocks if it's not in ECB mode.
>
> I suspect there may be ways of eliminating some portion of the keyspace too,
> especially if you have more known plaintexts. Skipjack does not seem to have
> much defense-in-depth. I haven't looked closely at it though.
>
> But I don't need to know whether it is actually 2^80 work secure, 80 bits is
> simply not enough keyspace, and 64 bits is too small for a block, so I
> eliminate it for a general recommendation immediately purely on those
> grounds.
>
> Any cipher with either an 80-bit key or a 64-bit block will be rejected too.
> It isn't just Skipjack. I rejected Blowfish solely because it has a 64-bit
> block.
>
>> And of course, if the usefulness of the key is tied to a usable window
>> of time, as it is in most implementations of Skipjack, then your
>> argument that it is not secure becomes even weaker.
>
> For a general recommendation, a short life is a no-no. We don't know what it
> will be used for. It may be used where the life needs to be longer. It may
> be used where more than 2^32 blocks are to be encrypted in the same key.
> Either of these considerations rules it out.
>
> Might I enquire whether there is a particular reason why you defend Skipjack
> so strongly? It doesn't seem very logical. Most non-governmental
> cryptographers would not recommend it.

I'm going to comment at the end here and try to address some points.

First... any discussion of Rijndael (which nobody disputes as being
the best) is OT for the OP and in light of clarification by the OP
this further articulates why Rijndael is OT and unnecessary.

On that list there is only one algorithm deemed worthy by its
credentials and actual fielded usage. That algorithm is Skipjack.

In the OP we are asked which of these is reliable and secure, and I
explained why Skipjack was both of those. It offers 80-bit security
with elegant design and versatile features and has the stamp of
approval from a group that, unless one wants to either disregard or
disrespect, has the pedigree to make secure recommendations.

And as to my comments being personal, I disagree. The out-of-hand
statements made by some regarding Skipjack need to be tempered with
its actual design, who designed it, and if it is an accepted item.

I merely remind those reading that it was designed by the NSA and is
being fielded by some strong players.

If you take issue with the statement I made that those players have
stronger credentials than those in this thread, perhaps there is a
selective reasoning going on, or an unrealistic expectation that a
person's credentials can never be called into question no matter what.

You are welcome to argue differently. I don't think that I cast any
disparaging remarks, but rather a realistic reminder.
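
The known-plaintext key search and the two size arguments debated in this message (18-month doubling from a 2^60 search, and 2^32 blocks under one key with a 64-bit block), as an added example that is not part of the original posts. The cipher is a constructed 18-bit-key toy, not Skipjack, and every name and sample value below is an assumption.

```python
import hashlib
import math

KEY_BITS = 18         # toy key size so the full sweep finishes in seconds
DOUBLING_YEARS = 1.5  # the thread's assumption: capability doubles in 18 months

def toy_encrypt(key, block):
    """Constructed 4-round Feistel toy with a 16-bit block; it is not Skipjack."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(bytes([rnd, right]) + key.to_bytes(3, "big")).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def search(pairs, candidates=None):
    """Keep every key that maps each known plaintext block to its ciphertext."""
    if candidates is None:
        candidates = range(1 << KEY_BITS)
    return [k for k in candidates
            if all(toy_encrypt(k, p) == c for p, c in pairs)]

def years_until_affordable(key_bits, affordable_today=60):
    """Years until a 2^key_bits sweep costs what a 2^affordable_today sweep costs now."""
    return max(0, key_bits - affordable_today) * DOUBLING_YEARS

def collision_probability(block_bits, log2_blocks):
    """Birthday estimate that two ciphertext blocks under one key are equal
    (the event that leaks plaintext relations in a chaining mode such as CBC)."""
    return -math.expm1(-(2.0 ** (2 * log2_blocks - block_bits - 1)))

SECRET = 0x2A5F3                       # constructed sample key
PLAINTEXTS = [0x1234, 0xBEEF, 0x0042]  # constructed known plaintext blocks
PAIRS = [(p, toy_encrypt(SECRET, p)) for p in PLAINTEXTS]

def demo():
    one_block = search(PAIRS[:1])         # full sweep against one known block
    confirmed = search(PAIRS, one_block)  # re-test the survivors on two more
    return one_block, confirmed

if __name__ == "__main__":
    one_block, confirmed = demo()
    print(len(one_block), "keys fit one known block;",
          [hex(k) for k in confirmed], "fit all three")
    print("2^80 sweep at today's 2^60 cost in", years_until_affordable(80), "years")
    print("P(collision), 64-bit block, 2^32 blocks:",
          round(collision_probability(64, 32), 3))
    print("P(collision), 128-bit block, 2^32 blocks:", collision_probability(128, 32))
```

Because the toy key is longer than its block, a single known block can leave more than one candidate key, which is why the survivors are re-tested on further blocks.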

