Date: Fri, 7 May 93 11:43:56 EDT
From: Jerry Leichter
Subject: File 3--Cryptography and Mythology

In a recent issue of CuD, Mike Godwin presented a series of interesting arguments concerning the Clipper initiative and the Constitution. Before he even got to those arguments, however, he mentions in passing a few issues that have been brought up repeatedly. I'd like to deal with one in particular. Mr. Godwin writes:

> 2. Refusal to allow public scrutiny of the chosen
> encryption algorithm(s), which is the normal procedure
> for testing a cryptographic scheme, and

I've seen this argument in various guises and in many different forums, from the most ill-informed flames in Usenet newsgroups to statements by the EFF and industry groups. What I find fascinating is the way that a claim like this can come to be believed, when in fact it has NO basis in reality.

Until quite recently, almost all cryptography in the world was carried out by the defense establishments and foreign services of the world's governments. The systems they used, and the systems they continue to use to this day, were NEVER subject to public scrutiny. The NSA continues to attempt to keep under tight secrecy all information about their cryptographic work, including information about systems and techniques that were used 40 and more years ago. Despite their general success in this regard, as far as I can tell more information has been published about NSA systems and techniques than those of any other country (with the possible exception of Britain, if you believe what Peter Wright has to say in Spycatcher) - and some of what has been published about the techniques of others has probably come through NSA sources. What little private cryptography existed was based on modifications of older military cryptosystems - e.g., the famous Hagelin machines, based on modifications of World War II technology.
The security of these machines was never "subject to public scrutiny", and in fact we now know that they were long ago broken by the cryptanalytic services of the world's major powers.

Today, I think it's safe to say that the majority of encrypted communication is still carried out by the same organizations, using systems whose inner workings remain secret and definitely not subject to public scrutiny. Of the remaining encrypted communication, ignoring the many trivial algorithms in use, the bulk of significant encrypted traffic is almost certainly based on DES. While the DES algorithm is public, the design choices behind it remain secret to this day. It took Shamir's re-discovery of differential cryptography to justify the choice of the P boxes and the number of rounds in DES. To the shock of conspiracy theorists, differential cryptography ended up showing that DES was as strong with respect to this important class of attacks as any system of its size could be. What has gone unmentioned is that we STILL don't have a definitive statement as to the design principles behind DES: It took 15 years to re-discover differential cryptography. Might there be another, different attack that no one in the outside world has found yet? We don't know: The most widely used public cryptographic system is subject to only a limited degree of public scrutiny.

If you watch the appropriate Usenet newsgroups, you'll get the impression that "everyone" is using PGP. In fact, not only is the total message traffic encrypted using PGP or related systems insignificant outside of this rather rarefied atmosphere, but it's worth pointing out that PGP itself is based on IDEA (or is it FEAL?), a cryptosystem in the same class as DES - a class of cryptosystems that it is not at all clear is thoroughly understood in the research community. (Shamir's work demolished several related systems that had been seriously proposed. IDEA IS secure - against this class of attack.)
Where, then, are we to find a "normal procedure for testing a cryptographic scheme" that involves "public scrutiny of the chosen encryption algorithm(s)"? "Public scrutiny" in the sense the term is being used here is very much at the center of academic life. It is NOT at the center of almost anything else in the world. It's hard to find a single product that we use on a day-to-day basis that has been subject to "public scrutiny" in this sense. Important details of design and manufacture of products are trade secrets. GM won't tell you the algorithms used in the chips that control your new car's engine. Coca Cola won't tell you what goes into their "secret formula".

Most of the world is not academia, and does not share academia's value system. The "normal procedure for testing cryptographic scheme(s)" does not exist, and has NEVER existed. What has existed is the "normal procedure for testing results presented for academic publication", which has been applied, quite properly, to academic work on cryptography. This is quite a different thing.