Schneier on Security

If someone did break Twofish, would you be saddened at all? I'm sure you would be impressed, but would there be even a twinge of disappointment?

Just curious.

Of course I would be disappointed. But I would be really impressed. And I would likely learn a lot from the analysis.

This is the way cryptography works. Algorithms get proposed, and they get broken. One of my algorithms, MacGuffin, was broken during the rump session of the workshop it was presented. Embarrassing, yes. But that's okay.

Breaking is actually much more satisfying than designing. With designing, there's always an element of doing the best you can and hoping for the best. With analysis, the proof is in the pudding.

If truth be known, I would like to be the one to break Twofish.

After someone breaks Twofish you could always come up with an algorithm called FiveLoavesOfBread. or was that the other way around? ;-)

Stu

Blowfish was before Twofish. I kind of liked Redfish and Quadfish, but we seem to be going off in another direction entirely: Helix, Phelix.

What, exactly, is a distinguishing attack? A brief search seems to imply that it just allows one to distinguish between a cyphertext stream and a stream of random bits, but doesn't actually break an algorithm.

"[...] the proof is in the pudding."

Nope, not there. I looked! Sorry, just one of my pet peeves... the expression is

The proof of the pudding is in the eating.

Tongue-in-cheek-suggestion: Please refer to any new algorithms with names such as TITANIUM or ATOMIC. Something very strong sounding. I have recently been having internal audit complaining to me about the use of Pretty Good Privacy in our organization: "Shouldn't we be using something stronger than just 'pretty good' ?"

Bruce, here you say the best cryptanalysis was the work during the design process and provide a link. On that page you say the best cryptanalysis is the work by Moriai and Yin. Sorry - just a niggling nit.

Thanks for your vision in making twofish open, uncopyrighted and patent free. This is why I gladly buy your books than downloading them free from P2P networks ;)

Jim -- it is certainly true that the name you give can have some impact on how someone perceive it. However, that is a double edged sword because what happens if this hypothetical algorithm -- Titanium -- wound up being broken? Then the name becomes a misrepresentation, and we do not want it to stick with the algorithm...do we?

Really, I think the name is all just marketing. Any good auditor should know that Pretty Good Privacy is probably one of the best the organization could be using. That is what security should be about -- keeping up with what is currently considered the best.

Stacy said:
>[...] the proof is in the pudding."

> Nope, not there. I looked! Sorry, just
> one of my pet peeves... the expression
> is

> The proof of the pudding is in the
>eating.

And the word proof here is in the sense of test, as opposed to confirmation. Like in proving ground.

Another common, and much misunderstood phrase where prove is used in this sense is:

The exception proves the rule.

If you read this as the exception tests the rule it makes sense, if you read it as the exception confirms the rule it's a contradiction!

> The exception proves the rule.

> If you read this as the exception tests the rule it makes sense, if you read it as the exception confirms the rule it's a contradiction!

I'm afraid it's not that either. The "exception that proves the rule" uses the commonly understood meanings of those words. In this case it is a legal term (an abbreviated translation from the latin 'exceptio probat regulam in casibus non exceptis'). It loosely means "this exception being made explicit means that the rule holds in all other cases".

More details can be found (at the bottom of the page) on The Straight Dope's answer to this question. And one of the few where Cecil initially got it wrong! :)

http://www.straightdope.com/classics/a3_201.html

"Blowfish was before Twofish. I kind of liked Redfish and Quadfish"

No! After Twofish and Redfish, the only thing that can come next is Bluefish!

(By the way, what happened to Onefish?)

"What, exactly, is a distinguishing attack? A brief search seems to imply that it just allows one to distinguish between a cyphertext stream and a stream of random bits, but doesn't actually break an algorithm."

Yes. That's exactly what a distinguishing attack is. One of the properties of a good algorithm is that its output is indistinguishable from a random stream of bits. A successful distinguishing attack breaks that property.

The attack does not recover the key, nor does it allow anyone to decrypt any ciphertext. But it's still a pretty serious attack, and I would recommend that any algorithms that permit such an attack be replaced. Like the attack against SHA-1, it wouldn't be a crisis, but it would be a good idea to start upgrading.

"Bruce, here you say the best cryptanalysis was the work during the design process and provide a link. On that page you say the best cryptanalysis is the work by Moriai and Yin. Sorry - just a niggling nit."

Oops. I'll fix the Twofish page.

"Please refer to any new algorithms with names such as TITANIUM or ATOMIC. Something very strong sounding."

We're cryptographers. Marketing is down the hall.

@Tim Vail,

Names can be more important than you think in the minds of those that deal with perceptions rather than reality (i.e. marketing, management, politice etc.)

Open source software proponents are still fighting with the "free" label, trying to explain the differance between free-as-in-beer (gratis) and free-as-in-speech (libre).

Bruce, you want to break TwoFish yourself? Aren't you afraid the tin-foil-hatters are going to acuse you of "doing a DES/NSA" and hiding a deliberate weakness?

"Of course I would be disappointed. But I would be really impressed. And I would likely learn a lot from the analysis."

I can see how this would be. I was wondering because sometimes I come up with some really neat bit of code (or so I think), and someone better at it than I points out a flaw. I don't get disappointed, but rather excited at the possibility of learning from the mistakes.

"Breaking is actually much more satisfying than designing."

Cryptography, like most of security, is a battle of wits, and like any other battle of wits, breaking an algorithm represents a victory in this battle. Victory is usually more satisfying than planning a defense.

@Jim,
Just as well it wasn't Bouncy Castle.

I much prefer names like Twofish, Rijndael, Phelix over Blowfish, MARS, Serpent, or TITANIUM and ATOMIC, because in the former case every Google hit is about the cipher.

@Jim,

"Shouldn't we be using something stronger than just 'pretty good' ?"

The correct reply to this is:
"Yeah, but there are probably untrained humans involved. 'Pretty Good' is about the best we can hope for..."

;-)

Not to belabor a proverb, but "The exception proves the rule" has developed two distinct meanings. Ithika, you have the older legal definition. Rick has given the newer scientific definition. The latter comes from the scientific habit of looking for revealing special cases, because those can often distinguish between competing theories.

As a quick example: Newtonian physics implies that light, with mass 0, should not be affected by (nor exert) gravity, because gravitational force is proportional to both masses involved. Einsteinian physics says it should, because even massless particles are affected by spatial curvature. By experiment, light is indeed affected by gravity, so Einstein "wins", and Newton gets demoted to an approximation.

Not specially in regards to twofish, but if you needed to encrypt a sensitive file on your home computer, what method would choose in today's world? And could you trust the encryption optioned provided by a commercial entity, such as Microsoft? (I would be afraid that they have a backdoor somewhere.)

No, I like names that express the vagueness of the protection they offer. "pretty good privacy" is just that - it's pretty good, we think. Well, we hope. Kind of. If you use it right. And the hardware is secured. And the users are trained right. And no-one stuffs up. Mostly. Until someone breaks it.

Calling something "the ultimate bombproof uncrackable encryptonometer, now with 3162 bit keys!" is likely to lead to people assuming it's so secure that they don't have to worry. Just read the Risks Digest and see how much of a problem this sort of thing is already...

"Not specially in regards to twofish, but if you needed to encrypt a sensitive file on your home computer, what method would choose in today's world?"

I use PGP Disk.

@Jeff
Use truecrypt. It is free, open source, and the authors definitly knows what they are doing. Regular new versions too. Linux + Windows version. http://www.truecrypt.org/

Thanks Yongqian, I will look into it.

Thanks for the observations Bruce.

Since one of the explicit design goals of AES candidates -- the reason for a 128 bit block -- was resistance to codebook attacks on the order of 2^64 blocks, I think distinguishing attacks requiring 2^100 chosen blocks can't even be regarded as certificational.

Oops. s/can't/can

I thought everyone still considered it atleast as secure as the other NIST finalists.

"Rumors of the death of Twofish has been greatly exaggerated."

Seriously? You mean "As opposed to the information about the algebraic attacks on Rijndael, which has been entirely accurate," don't-you?

He who draws the sword ...
;-)

Vincent, is that you? Or is it some other Vincent? If it's you, e-mail me. I am currently writing a new essay on Rijndael, and I have a few questions.

If it's another Vincent: While there are some weird algebraic properties of Rijndael, no one has anything even remotely resembling an attack based on them. The biggest Rijndael skeptic right now is Arjen Lenstra, and he doesn't have anything except a seriously bad feeling.

Right now, the most interesting positive development regarding Rijndael is its endorsement by the NSA, not just for Secret information but for Top Secret as well:

http://www.nsa.gov/ia/industry/crypto_suite_b.cfm

To me, this says a lot.

About rijndael, I still don't understand why its simple algebraic structure would be any problem. I thought the very idea was the security of any encryption scheme must depend only on the key and not the algorithm (and it makes sense too, because say you're at war, your enemy is sure to get access to your hardware on the battlefield and thus get the algorithm eventually).

Now, if an algorithm is clean, simple and easy to understand (for everyone), in my opinion, it's only a good thing. Relying on something that's complex and hard to analyze would be like relying on security through obscurity to me. Going back to that war analogy, relying on complexity, your enemy might be able to monitor your government and citizens because their experts were good enough to come up with an attack as opposed to your own experts (or perhaps even students who were given a chance to analyze the algorithm before use) who missed the attack because of the complexity of that algorithm.

The thing that is so cool with twofish is that its free, made by a group of professionals and has a history to back it up. I just never understood why it was 256 bits instead of 448 like blowfish???
I guess twofish is probably a significantly differnt cipher.