Cryptography: Is Staying with the Herd Really Best?

A recent Internet Watch column argues that new cryptography is bad cryptography. Drawing an analogy to the medical profession , it says, " A good doctor won't treat a bacterial infection with a medicine he just invented when proven antibiotics are available. " That certainly sounds reasonable. But, in a very real and practical sense, there is no proven cryptography. And this is not just an issue of mathematical proof: The cryptographic profession simply can't tell whether or not a cipher really is protecting data. It is as though medical doctors were telling us about their cures when in reality they couldn't even tell if their patients were alive or dead. It is not that we want to avoid crypt-analysis; indeed, we want all the analysis we can get. And it is true that a brand new cipher has had scant time for analysis. But the result of even deep analysis is not a proven design; it is just something that we don't positively know to be weak. This slight shift of meaning is the basis for understanding what cryptography can and can't do. For one thing, it means that any cipher—no matter how deeply analyzed—could be weak in practice. And that means that anyone concerned with real security probably should consider using something other than the same cipher as everyone else. One possibility is using new cryptography in new ways, which is the exact opposite of what that previous column suggests. Surely, we all would like to have a fully reviewed library or cipher in the same way that we would like to have a fully debugged program. But not even lengthy review or analysis guarantees either cryptographic strength (the ability to resist attack) or a lack of program bugs. For example, most crypto experts probably would agree that just because 20 years of analysis of the US Data Encryption Standard has not found an easy break doesn't mean that no easy break exists. And if a break does exist, it may have been actively exploited for years without our knowing. We certainly couldn't call that a strong cipher. In practice, even extensive review is not a rational or scientific indication of strength. This is not an issue of perfection versus reality, and it isn't like software where we tolerate various bugs and still get real work done. In software, the bugs are generally peripheral to our goals, and …