Thank you so much for pursuing this. Humanity has never had a secure platform worth a crap. So many of our most intractable problems can be reduced by secure platforms-- not only the obvious problems like secure identification and communications, and the need to automate our banking transactions but second tier problems like transportation that are fundamentally limited by trust issues, automating car navigation which again depends on much higher security and reliability, etc. etc.
A secure platform is one of the key problems that must be solved in order to decentralize many of the activities now concentrated into downtowns, and carried out manually, causing high costs and wasting petroleum.
Posted by Todd at November 25, 2008 07:00 PM

Hmm...
Your analysis of NSA behaviour with regard to AES may not be valid.
It appears to be based on an assumption that the open crypto community is as well versed in analysis as the NSA.
This is a risky assumption to make, as demonstrated in the past with DES, and given the fact that they have significantly more resources, both human and technical, than the entire open crypto community.
Now a possible scenario, based on an assumption that they have one or more undisclosed techniques currently unknown to the open crypto community.
1, NSA call for submissions and reject all that fail against published attacks from the open crypto community.
2, The open crypto community then put their weight behind attacking the remaining submissions.
As part of this process they effectively reveal the latest "state of the art" in the open crypto community to the NSA.
3, Now knowing what the open crypto community know, and are showing signs of discovering in the way of attacks, the NSA can then filter their unknown attacks to see which is most likely to remain unknown for the longest.
4, The NSA, having made a selection of their unknown attack(s), then select which submission left after the open crypto community mauling is going to be vulnerable to the attacks.
If you remember back to the AES final selection there was some surprise expressed in the open crypto community that the "bricklayer" functions did not have a high non linear complexity.
So yes I can easily see why a number of people would be somewhat cautious about the judges selected.
However, irrespective of whether the NSA has done this (which I put at a low probability), does it actually change the result in any way?
After all, any new attack is likely to affect considerably more than one crypto alg, as they had effectively been filtered against the same "strengthening techniques".
Posted by Clive Robinson at November 28, 2008 08:04 AM

These are great points. Thanks for this discussion.
A minor note: In the AES process, by the time we got near the end of the process, a front-runner had emerged and the research community was, if not at rough consensus, somewhere in the vague neighborhood of a rough consensus. I remember a straw poll at one of the AES conferences (maybe it was the last one?) where attendees were asked to vote for one of the five finalists, and Rijndael had a clear lead over any other candidate. There were of course plenty of votes for the other four, and the poll was entirely informal and unscientific and probably flawed in a dozen ways, but still, Rijndael seemed to be the cipher to beat. So in that particular case, NIST's choice was somewhat easier than it could have been. True, NIST could have picked some other cipher, but they probably would have had to justify such a choice pretty well. It's interesting to think about how to set up such a competition so that the same incentives apply even if the choice doesn't turn out to be so clear-cut.
Posted by Anonymous at December 31, 2008 11:10 PM