From: Eric Hughes <hughes@soda.berkeley.edu>
To: cypherpunks@toad.com
Message Hash: 5957a837c2aa600a238b86f6de912ed490b65128e82f6879d00fd6bae4535085
Message ID: <9305290706.AA00052@soda.berkeley.edu>
Reply To: <9305281746.AA11286@wixer>
UTC Datetime: 1993-05-29 07:10:16 UTC
Raw Date: Sat, 29 May 93 00:10:16 PDT
From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Sat, 29 May 93 00:10:16 PDT
To: cypherpunks@toad.com
Subject: CIPHERS: Dolphin Encrypt public review
In-Reply-To: <9305281746.AA11286@wixer>
Message-ID: <9305290706.AA00052@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain
>The description was run by the cryptanalysts for their comment.
I've never seen any names, nor any statements of their analysis. As
far as I'm concerned this stands as hearsay.
>The consensus was that the method was probably strong, or at least
>not obviously weak, but that they had insufficient information to
>judge properly.
Insufficient information?? And this is all you have for review? Did
they even see code, or just an English description of it? Look, if
saying they didn't laugh at it is digging your own grave, saying they
didn't even look at the full algorithm is acting as your own firing
squad.
>In-house testing has
>been as rigorous as we can make it, but any outside cryptanalyst is
>welcome to take a shot at it.
Anything as significant as a new cipher needs to be publically
examined before it can be trusted. The opportunity for such public
examination is not sufficient, only the actual publication and
subsequent responses qualify.
Therefore, I have a challenge for you to submit your algorithm in full
detail to the public scrutiny of the academic cryptographic community.
You have unfortunately missed the deadline for papers for CRYPTO 93,
but you can always submit a paper to the Journal of Cryptology. If
the cipher is to be considered secure, it should be proof against the
most sophisticated attacks known; currently this means that it should
be proof against differential cryptanalysis.
Until this kind of high-level review has been made, I openly and
publically recommend that this cipher not be used.
As far as a product goes, Dolphin Encrypt would be much more useful if
its cipher were trusted. A rewrite to use triple DES would be
straighforward and would greatly increase the trustworthiness of the
product.
Eric
Return to May 1993
Return to “meyer <wixer!wixer.bga.com!meyer@cactus.org>”