1996-04-15 - Re: carrick, Blowfish & the NSA

Header Data

From: Wei Dai <weidai@eskimo.com>
To: "Perry E. Metzger" <perry@piermont.com>
Message Hash: 4c65f7df2ab7f6b70dfdab1e5b87e82b0fc3edc2ab4da2bc82f8224600655689
Message ID: <Pine.SUN.3.93.960414145921.29416C-100000@eskimo.com>
Reply To: <199604141422.KAA05302@jekyll.piermont.com>
UTC Datetime: 1996-04-15 02:02:13 UTC
Raw Date: Mon, 15 Apr 1996 10:02:13 +0800

Raw message

From: Wei Dai <weidai@eskimo.com>
Date: Mon, 15 Apr 1996 10:02:13 +0800
To: "Perry E. Metzger" <perry@piermont.com>
Subject: Re: carrick, Blowfish & the NSA
In-Reply-To: <199604141422.KAA05302@jekyll.piermont.com>
Message-ID: <Pine.SUN.3.93.960414145921.29416C-100000@eskimo.com>
MIME-Version: 1.0
Content-Type: text/plain

On Sun, 14 Apr 1996, Perry E. Metzger wrote:

> At least partially broken, yes. I've forgotten the details. I believe
> they were discussed at Eurocrypt. It may be that with the full number
> of rounds that no one yet has a cryptanalysis but I don't recall and
> it doesn't particularly matter from my perspective.

It doesn't make much sense to condemn an iterated cipher based on attacks
on reduced-round versions.  Any such cipher becomes weak if you use
sufficiently few rounds.  Conversely, many broken ciphers become secure if
you use sufficiently many rounds (in which case they also become too slow
to be useful).  I don't think there are currently any public attacks that
seriously affect the security of Blowfish.

On the other hand, if you ask cryptographers what they would use if they
were not concerned with efficiency, I think most of them would say triple

Wei Dai
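The point made above, that any iterated cipher becomes weak at a sufficiently small round count and that this says little about the full-round cipher, can be made concrete with a toy Feistel network. The example below is added here and is not part of the original message, nor is it Blowfish: the round function (truncated SHA-256), key schedule, key and sample blocks are all constructed for illustration. At one round, the left ciphertext half is simply the right plaintext half; at two rounds, the classic Feistel differential (plaintexts that share a right half have ciphertext left halves whose XOR equals the plaintext left-half XOR) holds by construction. Neither structural identity survives once more rounds are added, although that alone is of course no proof that the full-round toy is secure.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(half: int, subkey: bytes) -> int:
    """Toy round function F: SHA-256 of (subkey || 32-bit half), truncated to 32 bits.
    Constructed for illustration only; it is not Blowfish's F."""
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def expand_key(key: bytes, rounds: int) -> list:
    """Derive one 8-byte subkey per round from the master key (constructed schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel_encrypt(block: int, key: bytes, rounds: int) -> int:
    """Encrypt a 64-bit block with an r-round Feistel network: (L, R) -> (R, L ^ F(R))."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for subkey in expand_key(key, rounds):
        left, right = right, left ^ round_function(right, subkey)
    return (left << 32) | right


def feistel_decrypt(block: int, key: bytes, rounds: int) -> int:
    """Invert feistel_encrypt by applying the subkeys in reverse order."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for subkey in reversed(expand_key(key, rounds)):
        left, right = right ^ round_function(left, subkey), left
    return (left << 32) | right


def sample_plaintext(i: int) -> int:
    """Deterministic 64-bit sample block number i (constructed test data)."""
    return int.from_bytes(hashlib.sha256(b"sample-" + i.to_bytes(4, "big")).digest()[:8], "big")


def one_round_leak_rate(key: bytes, rounds: int, trials: int = 64) -> float:
    """Fraction of sample blocks whose ciphertext LEFT half equals the plaintext RIGHT half.
    With one round this is a structural identity (rate 1.0). With more rounds it should
    hold only by chance, about 2**-32 per block, so the rate is expected to be 0.0."""
    hits = 0
    for i in range(trials):
        pt = sample_plaintext(i)
        ct = feistel_encrypt(pt, key, rounds)
        if (ct >> 32) == (pt & MASK32):
            hits += 1
    return hits / trials


def two_round_differential_holds(left_a: int, left_b: int, right: int,
                                 key: bytes, rounds: int) -> bool:
    """Two-round Feistel distinguisher: two plaintexts sharing their right half give
    ciphertext left halves whose XOR equals the XOR of the plaintext left halves.
    True by construction at 2 rounds; at more rounds it holds only with probability ~2**-32."""
    ct_a = feistel_encrypt((left_a << 32) | right, key, rounds)
    ct_b = feistel_encrypt((left_b << 32) | right, key, rounds)
    return ((ct_a ^ ct_b) >> 32) == (left_a ^ left_b)


KEY = b"constructed-demo-key"  # constructed for the demo, not a real key


if __name__ == "__main__":
    pt = sample_plaintext(0)
    for r in (1, 2, 4, 16):
        ct = feistel_encrypt(pt, KEY, r)
        assert feistel_decrypt(ct, KEY, r) == pt
        diff = two_round_differential_holds(0x12345678, 0x9ABCDEF0, 0x0BADF00D, KEY, r)
        print(f"{r:2d} rounds: 1-round leak rate = {one_round_leak_rate(KEY, r):.2f}, "
              f"2-round differential holds = {diff}")
```

Running the block prints one line per round count; the leak rate is 1.00 at one round and 0.00 afterwards, and the two-round differential reports True at exactly two rounds. The reduced-round variants are broken by inspection, yet nothing in that tells you whether the 16-round version has a weakness, which is precisely why attacks on reduced-round Blowfish are not by themselves a verdict on the full cipher.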