
How can you tell if a cipher is secure? - baby
http://cryptologie.net/article/173/how-can-you-tell-if-a-cipher-is-secure/
======
PeterWhittaker
Cryptanalysis requires years of study and practical work. One determines
whether or not a cipher is secure by applying rigorous analysis based on that
study and work, by attempting all known attacks, and by reviewing the design
itself to ensure that it has been conceived to be secure against all known
attacks - other than brute force - then reviewing the implementation.

The most telling line in this article is _I'm still a student. Those are
information I've gathered and this is my understanding of it._ Do not draw
conclusions from this article, these are basically the initial notes of
someone new to the field.

I'd invite this person to investigate in detail the histories of SHA-3 and of
AES, at least as far as getting to the last few candidate algorithms.
Those histories contain considerable information about what was wrong with
previous digests and symmetric algorithms and about the state of the art in
cryptanalysis prior to and during the development of these algorithms, and
suggest promising areas for future research.

How do you tell if a cipher is secure? We work very, very hard to break it, using
every trick we know, theoretical and practical. Then we invent new ones.
Eventually, we develop criteria for a risk management decision: How likely is
it that we did everything we could, that the cipher is as good as it appears
to be?

Then we wait.

------
wyager
It's easy to prove that a cipher is insecure; just provide a counter-example
to its security claims.

It's much harder to prove that a cipher is secure. You must exclude all
possibilities where the security claims might be incorrect.
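To make the asymmetry concrete, here is an added example (written for this page, not code from the thread or from the linked article): a toy repeating-key XOR cipher, an explicit security claim for it (an adversary choosing two equal-length messages cannot tell which one was encrypted), and the counterexample that refutes the claim. The cipher, the key length `KEY_LEN`, and all function names are assumptions made for illustration.

```python
import secrets

# Toy parameter chosen for this example (an assumption, not from the page).
KEY_LEN = 4


def keygen() -> bytes:
    """Fresh random key for the toy cipher."""
    return secrets.token_bytes(KEY_LEN)


def encrypt(key: bytes, msg: bytes) -> bytes:
    """Repeating-key XOR. Decryption is the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(msg))


def decrypt(key: bytes, ct: bytes) -> bytes:
    return encrypt(key, ct)


# --- The security claim under attack ----------------------------------------
# Claim: for any two equal-length messages m0, m1 chosen by the adversary,
# the ciphertext of a random one of them does not reveal which was chosen.
#
# Counterexample: choose m0 = all zero bytes (so the ciphertext is the key
# repeated) and m1 = random bytes. The ciphertext of m0 is periodic with
# period KEY_LEN; the ciphertext of m1 is periodic only with negligible
# probability. Checking periodicity distinguishes them almost every time.

def adversary_messages(n_blocks: int = 4) -> tuple[bytes, bytes]:
    """Two equal-length messages chosen to break the claim."""
    length = KEY_LEN * n_blocks
    return bytes(length), secrets.token_bytes(length)


def adversary_guess(ct: bytes) -> int:
    """Guess 0 (m0 was encrypted) if the ciphertext repeats every KEY_LEN bytes."""
    periodic = all(ct[i] == ct[i % KEY_LEN] for i in range(len(ct)))
    return 0 if periodic else 1


def indistinguishability_game(trials: int = 500) -> float:
    """Run the challenge repeatedly and return the adversary's win rate.

    A cipher meeting the claim would hold this near 0.5; the toy cipher
    gives an adversary that wins essentially always.
    """
    wins = 0
    for _ in range(trials):
        key = keygen()
        m0, m1 = adversary_messages()
        b = secrets.randbelow(2)
        ct = encrypt(key, m0 if b == 0 else m1)
        if adversary_guess(ct) == b:
            wins += 1
    return wins / trials


def known_plaintext_key_recovery(key: bytes, msg: bytes) -> bytes:
    """Second counterexample: one known plaintext of >= KEY_LEN bytes yields the key."""
    ct = encrypt(key, msg)
    return bytes(c ^ m for c, m in zip(ct[:KEY_LEN], msg[:KEY_LEN]))


if __name__ == "__main__":
    k = keygen()
    print("adversary win rate:", indistinguishability_game())
    print("recovered key matches:", known_plaintext_key_recovery(k, b"attack at dawn") == k)
```

One run of the game is the whole proof of insecurity: a single adversary that wins with probability far above 1/2 contradicts the claim, and no amount of further analysis can rescue it. Showing the opposite, that no such adversary exists for a real cipher, is the part that takes years.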

------
Kenji
It bothers me a lot that most if not all of today's cryptography is completely
reliant on P not being equal to NP (which we still don't know but always assume) and
that designing new algorithms is still based on design patterns and good
practice, rather than rigorous proofs in complexity. Of course I'm aware that
we just have no other choice for the time being, that is, until there are
significant advances in complexity theory.

~~~
Dylan16807
I wouldn't say it's entirely reliant on that. It relies on the cost of brute
forcing growing faster than the cost of encrypting. But it could theoretically
be a large degree polynomial.

------
frevd
...or simply publish an encrypted version of a bitcoin wallet file - while the
coins remain in your account your cipher is supposedly safe.

~~~
deckar01
I'm pretty sure, if you published a "canary", it would be in the attackers
best interest not to trip the alarm while they exploited any unsuspecting
systems.

~~~
frevd
For sure, but there are a lot of other people on this earth whose interest it
is to get those bucks ;].

~~~
Retra
Only if you made it worthwhile. You would be better off paying people to try
to break your crypto.

