On Tue, 15 Nov 2005, Perry E. Metzger wrote:
| Does the tension between securing one's own communications and
| breaking an opponents communications sometimes drive the use of COMSEC
| gear that may be "too close to the edge" for comfort, for fear of
| revealing too much about more secure methods? If so, does the public
| revelation of Suite B mean that the NSA has decided it prefers to keep
| communications secure to breaking opposition communications?
Remember Clipper?  It had an NSA-designed 80-bit encryption algorithm.  One
interesting fact about it was that it appeared to be very aggressively
designed.  Most published algorithms will, for example, use (say) 5 rounds
beyond the point where differential cryptoanalysis stops giving you an
advantage.  Clipper, on the other hand, falls to differential cryptoanalysis
if you use even one less round than the specification calls for.

Why the NSA would design something so close to the edge has always been a
of a mystery (well, to me anyway).  One interpretation is that NSA simply
has a deeper understanding than outsiders of where the limits really are.
What to us looks like aggressive design, to them is reasonable and even

Or maybe ... the reasoning Perry mentions above applies here.  Any time you
field a system, there is a possibility that your opponents will get hold of
it.  In the case of Clipper, where the algorithm was intended to be
there's no "possibility" about it.  So why make it any stronger than you

Note that it still bespeaks a great deal of confidence in your understanding
of the design to skate *that* close to the edge.  One hopes that confidence
actually justified for cryptosystems:  It turned out, on the key escrow side
of the protocol design, NSA actually fell over the edge, and there was a
simple attack (Matt Blaze's work, as I recall).

                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to