From: "Ray Dillinger" <b...@sonic.net>
Subject: Re: Fast MAC algorithms?

> I mean, I get it that crypto is rarely the weakest link in a secured
> application.  Still, why are folk always designing and adopting
> cryptographic tools for the next decade or so instead of for the
> next few centuries?

Because we have no idea how to do that. If you had asked 6 months ago, we would have said AES-256 will last at least a decade, probably 50 years. A few years before that we were saying that SHA-1 is a great cryptographic hash. Running the math a few years ago, I determined that, given the trajectory of cryptographic research, it would have been necessary to create a well over 1024-bit hash with behaviors that are perfect by today's knowledge just to last a human lifetime. Since then the trajectory has changed significantly, and the same exercise today would probably result in 2000+ bits; extrapolating the trajectory of the trajectory, the size would be entirely unacceptable. So, in short, collectively we have no idea how to make something secure for that long.

> So far, evidence supports the idea that the stereotypical Soviet
> tendency to overdesign might have been a better plan after all,
> because the paranoia about future discoveries and breaks that motivated
> that overdesign is being regularly proven out.

And that is why Kelsey found an attack on GOST, and why there is a class of weak keys. That is the problem: all future attacks are, rather by definition, a surprise.

> This is fundamental infrastructure now!  Crypto decisions now
> support the very roots of the world's data, and the cost of altering
> and reversing them grows ever larger.

By scheduling likely times for upgrades, the prices can be assessed better and scheduled better, and it works far better for business than the "OH ****. OUR **** IS BROKEN" experience that always results from trying to plan for longer than a few years at a time. It is far cheaper to build within the available knowledge and design for a few years.

> If you can deploy something once, even something that uses three
> times as many rounds or key bits as you think now that you need,

Neither of those is a strong indicator of security. AES makes a great example: AES-256 has more rounds than AES-128, AES-256 has twice as many key bits as AES-128, and AES-256 has more attacks against it than AES-128. An increasing number of attack types are immune to the number of rounds, and key bits have rarely been a real issue.

There is no way of predicting the far future of cryptography; it is hard enough to predict the reasonably near future.

Joe
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com