5 November 1999: Link to Schneier's answer to Anderson and Gladman, and Gladman's proposal for release of all, including NSA's, AES cryptanalysis.
1 November 1999
Source: Excerpted from a SlashDot October 29 online interview of Bruce Schneier.
http://slashdot.org/interviews/99/10/29/0832246.shtml
Thagg asks:
I bought your first edition of Applied Cryptography, and you say two things that bother me, with respect to your submission of Twofish as a Federal standard for encryption.
In the forward, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.
Clearly you have become well versed in the history and application of cryptography, your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.
Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?
The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.
[Bruce Schneier] ANSWER:
Certainly you should not trust cryptographic algorithms designed by people who have no experience designing and analyzing cryptographic algorithms. The question you ask is different. You are asking if a Ph.D. in mathematics and number theory gives someone any special insights that someone without the Ph.D. would miss. I believe that cryptographic experience is something that is learned through both training and through experience, and that someone with a Ph.D. is not automatically a better cryptographer.
Cryptography is interesting, because there are no absolute metrics. Anyone can design an algorithm that he himself cannot break. This means that anyone, from the best cryptographer to the sorriest man on the street, can design a cryptographic algorithm that works: that encrypts and decrypts data properly, and that the designer cannot break. The false reasoning that often follows is this: "I can't break it, therefore it is secure." The first question that anyone else should ask is: "You say you can't break it; well, who the hell are you?" More on this topic can be found at http://www.counterpane.com/crypto-gram-9810.html#cipherdesign.
The experience of the designers is something that I look at very carefully when I evaluate an algorithm. I can't devote the months and years necessary to convince myself that an algorithm is secure, so I want to know about the people who are convinced. And I don't look at their academic degrees; I look at what else they have broken.
The Twofish team has dozens of published cryptanalytic attacks, breaking all kinds of ciphers. (A list of Counterpane papers can be found at http://www.counterpane.com/publish.html, and David Wagner's published papers can be found at http://www.cs.berkeley.edu/~daw/.) These are impressive results: mod n cryptanalysis, boomerang attacks, slide attacks, side-channel cryptanalysis, related-key differential cryptanalysis, and attacks against Skipjack, Speed, Akelarre, RC5a, CMEA, ORYX, TwoPrime, etc., etc., etc. Interestingly enough, all five AES finalists have been designed by teams that have a similarly impressive list of published cryptanalytic attacks. With a couple of exceptions, none of the non-finalists have any cryptanalysts on their teams.
Another thing to look at is the quality of the designer's analysis. I like designs that have long and detailed documents that discuss how the designers have attacked their own design. You can see this in the submissions for Twofish, and for Mars, RC6, and E2. I worry about a cipher like Serpent that does not come with any analysis. Either the designers didn't do any, which is bad -- or they did it and are hiding it, which is worse.
I think these things speak more to the strength of the design than academic degrees.
In fact, I have seen many systems designed by Ph.D. mathematicians with little cryptographic experience, that have been quickly broken. Experience in cryptography is much more important than experience in general mathematics.
It is certainly possible that there are attacks against an algorithm that the designers missed. This is why AES is a public process. Before AES is chosen, dozens of people with Ph.D.s in mathematics will be performing their own analyses on the submissions. If Twofish is chosen, it will be because none of those Ph.D.s have found any weaknesses.
But if you want Ph.D.s on the Twofish team, co-designer Doug Whiting has a Ph.D. in computer science from CalTech. His dissertation was on building Reed-Solomon error-correcting codes in VLSI, so it had a heavy math content.
To: ukcrypto@maillist.ox.ac.uk
cc: John Young <jya@pipeline.com>
Subject: Serpent
Date: Mon, 01 Nov 1999 20:46:23 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
John Young asks:
> Bruce Schneier says in a SlashDot interview yesterday:
>
> http://slashdot.org/interviews/99/10/29/0832246.shtml
>
> I like designs that have long and detailed documents
> that discuss how the designers have attacked their
> own design. You can see this in the submissions for
> Twofish, and for Mars, RC6, and E2. I worry about a
> cipher like Serpent that does not come with any
> analysis. Either the designers didn't do any, which is
> bad -- or they did it and are hiding it, which is worse.
>
> If the Serpent designers have answered this we'd appreciate
> a pointer. Any comment here on Bruce's tough talk?
Serpent was the first of the AES candidates to be published, at FSE
98; our paper there has a bit over four pages of cryptanalysis
(proceedings pp 227-231; online version pp 7-11). This set the
standard of cryptanalysis expected of the other candidates. The full
specification which we submitted to NIST has got over five pages of
cryptanalysis (pp 7-12). List members may check for themselves via the
Serpent home page:
http://www.cl.cam.ac.uk/~rja14/serpent.html
One reason why our paper is not as long as some other submissions is
that our design is simpler and more transparent, which makes analysis
easier. Once we have shown that none of the currently known attacks
work against Serpent, there is nothing more to add.
In fact, after Eli and I came up with the first version of Serpent in
September 1997, we asked Lars to join us specifically so that we would
have a fresh mind to do nothing but attack it. I don't think any of
the other teams did this. Lars's contributions have been significant -
the most obvious being the improved S-boxes. He also did a lot of work
on tying down the differential and linear bounds.
So the comment attributed to Bruce is weird. But I have been misquoted
so often myself by journalists that I'm not going to assume that he
actually said it.
Ross
From: "Brian Gladman" <gladman@seven77.demon.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Cc: "Bruce Schneier" <schneier@counterpane.com>
Subject: Re: Serpent
Date: Mon, 1 Nov 1999 22:32:04 -0000
[Snip JY inquiry above]
It would be truly amazing if Bruce had said this since the Serpent AES
paper itself contains several pages of analysis. If Bruce had said
'insufficient analysis' instead of 'any analysis' he might have had a
point (although Ross's post answers this) but if he really did say the
words as given above then I fear that he has let his bias show through
in a major way.
If these really are Bruce's words they can only mean that he has either
not bothered to read the Serpent AES paper or, alternatively, that he is
trying to cast Serpent in a bad light in public. Sadly, the latter seems
more likely since it is very hard to believe that he is unaware of the
content of the paper.
But I share Ross's hope that this report will prove to be inaccurate.
Brian