The end of 1994 saw two cryptography conferences: the Workshop on Cryptographic Algorithms in Leuven, Belgium, and the biannual Asiacrypt in Wollongong, Australia.
The Leuven workshop was the second of the year, and focused on cryptographic algorithms; the first was held in Cambridge, England, and was the subject of my article, ``The Cambridge Algorithms Workshops'' (Dr. Dobb's Journal, April 1994). The focus of both workshops was cryptographic algorithms, particularly alternatives to the 20-year-old Data Encryption Standard (DES). Remarkably, there are few candidates. Both of this year's workshops produced few papers proposing actual cryptographic algorithms. Most papers were on the theory behind the design and analysis of algorithms.
Jim Massey (who at Cambridge proposed SAFER, a 64-bit block cipher with a 64-bit key) presented an alternate key schedule that gives the algorithm a 128-bit key. SAFER is being considered for widespread use by the Singaporean government and may be available in a silicon chip from Dallas Semiconductor. Both of these developments seem premature; initial cryptanalysis of SAFER is promising, but the algorithm's design principles are still new. More study is needed before anyone should trust the security of this algorithm.
Ron Rivest presented the RC5 algorithm, the subject of his article, ``The RC5 Encryption Algorithm'' (Dr. Dobb's Journal, January 1995). This algorithm, too, is new and untested: Steer clear of it until further cryptanalysis is performed.
Matt Blaze and I presented MacGuffin, a block algorithm based on our new theory of asymmetric Feistel networks. The algorithm was broken at the conference, but we're hopeful that the underlying theory is still sound. We'll be back with MacGuffin II.
When I designed Blowfish last year, there were very few concrete cryptographic algorithms to choose from. DES has outlived its usefulness, IDEA is patent protected, and the few others were either broken or limited to a 64-bit key size. I proposed Blowfish as a fast, software-oriented algorithm unencumbered by patents or licenses. Since then, I am happy to report that there have been no successful attacks against Blowfish. Expect a full report on its status in Dr. Dobb's Journal this summer, after the cryptanalysis contest expires (see ``The Blowfish Encryption Algorithm,'' Dr. Dobb's Journal, April 1994).
Of the other algorithms proposed at the workshop, only Fish has been broken. Ross Anderson presented an attack at Leuven, and proposed something he called ``Pike,'' billed as a leaner, meaner version of Fish. (I'm not sure why an entire school of algorithms has been named after sea creatures.)
At this point I would hesitate to recommend any of the algorithms proposed at either the Cambridge or Leuven workshops. Cryptography is a game: Propose then break, propose then break. If algorithms survive a few years without any successful cryptanalysis, I might be convinced to trust them. Before that point, it's just too risky.
Eli Biham presented a more conservative solution at the Asiacrypt conference. He described a method of increasing the security of DES by adding key-dependent S-boxes. These S-boxes are not completely random, but are created to be resistant to known methods of cryptanalysis. Biham's method adds 56 bits to the key length of DES, making it as secure as triple-DES, but no slower in either hardware or software. And since some chip manufacturers sell DES chips with loadable S-boxes, this enhancement can be accomplished with existing hardware.
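What ``resistant to known methods of cryptanalysis'' means for an S-box can be made concrete with the difference distribution table (DDT), the statistic at the heart of differential cryptanalysis: an S-box whose table has a large entry lets an attacker predict output differences, so a designer generating key-dependent S-boxes must reject any candidate with such an entry. The code below is an added illustration, not from the article or from Biham's paper, and uses the public DES S1 table (FIPS 46 layout) as its sample S-box.

```python
# Added example: compute the difference distribution table of a DES-style
# 6-bit -> 4-bit S-box and report its worst (input XOR, output XOR) pair.
# A designer screens candidate S-boxes with exactly this kind of check.

# DES S1, as published in FIPS 46. Row is selected by the outer two input
# bits, column by the inner four bits.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """Evaluate a DES-style 6-bit -> 4-bit S-box on the 6-bit input x."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def ddt(table):
    """Difference distribution table: ddt[a][b] is the number of inputs x
    (0..63) for which S(x) XOR S(x XOR a) == b. Each row sums to 64."""
    t = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for x in range(64):
            t[a][sbox(table, x) ^ sbox(table, x ^ a)] += 1
    return t


def max_differential(table):
    """Largest DDT entry over nonzero input differences, returned as
    (count, input_xor, output_xor). Lower is better: 64 would mean the
    output difference is fully determined by the input difference."""
    t = ddt(table)
    best = (0, 0, 0)
    for a in range(1, 64):
        for b in range(16):
            if t[a][b] > best[0]:
                best = (t[a][b], a, b)
    return best


if __name__ == "__main__":
    count, a, b = max_differential(DES_S1)
    print(f"DES S1: input XOR {a:#04x} -> output XOR {b:#x} "
          f"for {count}/64 inputs")
```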
Biham was present at Leuven as well. He and Paul Kocher presented an attack against the encryption algorithm used in the popular PKZIP compression program. This is a known-plaintext attack, requiring only a few hundred bytes of known plaintext and less than a day on a personal computer. In practice, it can be fairly easy to collect this known plaintext, and PKZIP encryption should not be used to protect sensitive information.
Other interesting papers at Asiacrypt included the results of the recent factoring of RSA-129, a 129-digit number that was the product of two equal-length prime numbers. This calculation has profound implications for the security of some implementations of public-key-cryptography algorithms such as RSA. Schemes based on a 512-bit modulus are breakable by anyone willing to spend a few million dollars and wait a few months for the results.
Cryptography is a fast-moving field, and workshops and conferences are where cryptographers share results and discuss new problems. These two gatherings marked the end of a good year for cryptography.