1996-04-14 - Re: carrick, Blowfish & the NSA

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: SINCLAIR DOUGLAS N <sinclai@ecf.toronto.edu>
Message Hash: a500cebc7c63efd0b8282cbcc1b30d233435888b2be485a30258105684a21712
Message ID: <199604141422.KAA05302@jekyll.piermont.com>
Reply To: <96Apr14.100201edt.1826@cannon.ecf.toronto.edu>
UTC Datetime: 1996-04-14 16:44:13 UTC
Raw Date: Mon, 15 Apr 1996 00:44:13 +0800

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 15 Apr 1996 00:44:13 +0800
To: SINCLAIR DOUGLAS N <sinclai@ecf.toronto.edu>
Subject: Re: carrick, Blowfish & the NSA
In-Reply-To: <96Apr14.100201edt.1826@cannon.ecf.toronto.edu>
Message-ID: <199604141422.KAA05302@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain

> > Jerry Whiting writes:
> > > One reason we chose to use Blowfish as the basis for carrick is that
> > > it _is_ a new algorithm.  One has to assume that the NSA et al. has
> > > tools optimized to crack DES and possibly IDEA/RSA.  At least let's
> > > give them something else to sweat over.
> > 
> > They won't sweat over it long. Blowfish was broken.
> Yikes!  Are you sure?

At least partially broken, yes. I've forgotten the details. I believe
they were discussed at Eurocrypt. It may be that with the full number
of rounds no one yet has a cryptanalysis, but I don't recall, and
it doesn't particularly matter from my perspective.

> This is the first I've heard of it.  This would mean
> that PGPPhone is not secure.

I was unaware that PGPPhone used Blowfish, but if it does that was a
stupid idea in the first place.