Talk:Cipher security summary

Latest comment: 7 years ago by InternetArchiveBot in topic External links modified

"Outdated" tag

edit

@Dannyniu: You added the "outdated" tag to the article; please explain what exactly is outdated. I haven't heard of any significant cryptanalysis breakthrougs recently. Just slapping tags without any indication about what needs improving doesn't help. -- intgr [talk] 07:23, 7 October 2014 (UTC)Reply

Sorry, I can't point out any. But I still feel that the article doesn't quite point out that there're unknown attacks and is not very factually rigorous and strict. And the intro is a bit too short. Dannyniu (talk) 11:49, 7 October 2014 (UTC)Reply
@Dannyniu: Uh, what? The lead explicitly said that only publicly known attacks are listed, even before your edit. You say the article is "outdated" because it doesn't cover material that cannot possibly be known by the public? Have you seen WP:V and WP:CRYSTAL?
What's not "factually rigorous and strict"? We have sources for every single listed attack, you can go and verify. Please point out actual problems instead of hand-waving. -- intgr [talk] 15:24, 7 October 2014 (UTC)Reply
Also see WP:TMC about the usage of such tags, in particular "Avoid "drive-by" tagging: tags should be accompanied by a comment on the article's talk page explaining the problem and beginning a discussion on how to fix it, or, for simpler problems, a remark using the reason parameter as shown below" -- intgr [talk] 15:51, 7 October 2014 (UTC)Reply

@Dannyniu: Sorry if my tone above was too confrontational. Don't get me wrong, if you have any suspicion that the methodology or interpretation of sources is wrong, I would like to hear it. Most of this article has been written by only myself with no feedback from anyone, so it's quite possible I'm misunderstanding something. Just be more specific than "not very factually rigorous and strict".

As for the intro being too short, what would you like to see there? The point of this article is to provide an overview about the state of cryptanalysis against ciphers, I think it doesn't need long prose sections.

What really would be useful is a separate article explaining how the strength of symmetric algorithms is determined — explaining concepts like "security claim", when a primitive is considered "broken", how cryptanalysts "tune" the number of rounds and time complexity for unsuccessful attacks, etc. Then that can be linked from here and Hash function security. But I think that's out of scope for this article and it seems difficult to find sources on that topic, that's why I haven't attempted it. -- intgr [talk] 17:40, 23 October 2014 (UTC)Reply

Generalize to all symmetric ciphers

edit

Unless someone objects, I'm planning to move this article to "Cipher security summary", so the common RC4 stream cipher can be covered as well. I think it's not worth creating a separate "stream cipher security summary" article because there are so few relevant stream ciphers (RC4, Salsa20 and ChaCha are pretty much all I believe?).

Alternative name would be "Symmetric cipher security summary", but I think "symmetric" is redundant because asymmetric algorithms are usually not called "ciphers" anyway. -- intgr [talk] 10:47, 20 October 2014 (UTC)Reply

@Rtc: You were the one who initially renamed this article to state "block cipher". Would you agree with what I said above? -- intgr [talk] 12:22, 21 October 2014 (UTC)Reply
@Intgr: Well, there are quite a number of stream ciphers. It is right that few are really relevant for practical application, but the same is true for about any cryptographic method. On the other hand, the best way to learn about cryptanalysis is to study less common ciphers and their weaknesses. So there is clearly academic relevance. Thus I'd like to have less common ciphers in the summary as well. If you want to do a merge, it seems more reasonable to do one big "security summary of cryptographic methods", which then includes hashes, asymmetric algorithms, etc. BTW, asymmetric cipher seems to be used in the literature. --rtc (talk) 09:57, 26 October 2014 (UTC)Reply
@Rtc: If that comparison were to be merged into here, then I would agree with you, it would make sense to split stream and block cipher summaries into separate articles. But as it stands now, RC4 is the only stream cipher listed here and splitting it into a "stream cipher security summary" article just by itself would be silly.
Speaking of "less common ciphers", that's one of my pet peeves: for some reason people seem to think that cryptographic primitives are exempt from Wikipedia's notability guidelines. I don't think they belong on Wikipedia, most probably couldn't cite even one secondary reliable source. But I'm not going to be that "bad man" proposing them for deletion.
As for merging everything together into a "security summary of cryptographic methods", I strongly disagree. There's a lot more common between block ciphers and stream ciphers than other kinds of primitives. I think the Hash function security summary article is fine by itself.
(PS: If you do IRC at all we could have a chat some time, I usually hang around in Freenode ##crypto) -- intgr [talk] 11:37, 26 October 2014 (UTC)Reply
I agree that only notable ciphers should be included, but it should be kept in mind that notability is not the same as practical relevance. academic relevance counts as well, ie., if some papers discuss a cipher for academic reasons (such as an attack on that cipher) I think it should be included. IMO, hash algorithms and block ciphers have more in common than any of those and stream ciphers, especially their round-based structure. Hash algorithms sometimes even contain a block cipher as the major building block. Putting RC4 on the same page as the block ciphers just because it is (or used to be) the one most popular stream cipher seems a little bit ad hoc to me. --rtc (talk) 12:35, 26 October 2014 (UTC)Reply
Agreed about notability. What you say about "academic relevance" boils down to WP:GNG's requirement for secondary sources. Just note that "multiple sources are generally expected".
As for stream vs block ciphers, they may be different in structure, but their threat models are the same — which is the point of this article. "Key recovery attacks" apply the same way to both stream and block ciphers, but not preimage attacks or collision attacks. How would you imagine a merge of "block cipher security summary" and "hash function security summary"?
Also, there are stream ciphers with a round structure (Salsa20) and hash functions without (PANAMA, RadioGatún) so I'm not sure that's a useful distinction. -- intgr [talk] 14:01, 26 October 2014 (UTC)Reply

Disputed

edit

This article is a weird collection of outdated and not always relevant results. I'm adding the disputed tag until sometime has time to clean up and add some missing results (sorry if that's not the correct tag, I didn't find a better one). I'll try to work on the article over the next weeks, but please take over if I don't do it.

Here are a few specific issues:

  1. Related-key attack should be listed separately from single-key attacks. In particular, some variants of AES are broken by related-key attacks.
  2. The biclique attack listed for AES is a generic attack that can be applied to any cipher, and recover a key with slightly less effort than exhaustive search. It is sometimes referred to as "accelerated key search", and it doesn't really tell anything about the security of AES.

I think there should also be some mention of the block size and issues with short block size (Sweet32). In its current shape, the article seem to suggest Blowfish as one the best options, but AES will actually give much better security.

It might also be easier to keep the page up to date if we remove the less common ciphers...

Ni fr (talk) 16:12, 4 October 2016 (UTC)Reply

Information about Sweet32 attack is added. Bieraaa (talk) 15:55, 10 November 2016 (UTC)Reply

@Ni fr: You allude that the article is out of date, can you list which ciphers are actually outdated? I'd be happy to update them, but slapping a notice without listing the facts is not constructive. :)
I don't think anyone expects Wikipedia articles to be always up-to-date. That was never the point here and the page even has a disclaimer in the lead saying "not all entries may be up to date". Still, it's probably the best overview of attacks against ciphers on the Internet (that I've seen at least).
I'm not against splitting up related-key attacks and single-key attacks on the page. But consider that many of the modern cryptanalysis papers exclude practical implementation anyway -- whether they require too many known plaintexts, too many chosen ciphertexts or related keys. The related key attacks are still key recovery attacks and have been applied to real-life protocols (WEP).
About the AES Biclique attack, you may well be right, but the Advanced Encryption Standard also lists the Biclique attack in the infobox under "Best public cryptanalysis". Do you have a source to support your statement that every cipher is vulnerable to the Biclique attack?
@Bieraaa: Thanks for the update. Do you have any ideas about this discussion? -- intgr [talk] 13:52, 30 December 2016 (UTC)Reply
edit

Hello fellow Wikipedians,

I have just modified 3 external links on Cipher security summary. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

 Y An editor has reviewed this edit and fixed any errors that were found.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 03:36, 25 November 2016 (UTC)Reply

edit

Hello fellow Wikipedians,

I have just modified 2 external links on Cipher security summary. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 01:53, 8 August 2017 (UTC)Reply