Slashdot Mirror


What Encryption Do People In The Know Use?

A reader writes "What do cypherpunks in the know recommend for the paranoid types. I'm wondering because of the rising amount of protests. I look and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like real, which has been known to violate privacy. So my question is, what would slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good layman-level papers on this?"

2 of 59 comments

  1. Re:Depends on what you're protecting by Anonymous Coward · Score: 5, Interesting

    Pegwit is a program. RSA is an algorithm. There IS a difference-- PGP implements RSA (among other algorithms). Pegwit implements ECC algorithms; it is not an algorithm by itself.

    As for symmetric algorithms: take your pick.

    A lot of programmers and cryptographers are familiar with Blowfish, and it's very popular. It's easy to understand and implement (the F-function is dirt simple, and the key schedule is only a little more complicated), so there are a lot of products using the algorithm. So far, there haven't been any successful attacks against the full, 16-round algorithm, and lots of cryptologists have tried.

    Triple-DES is, of course, based on DES. DES has been analyzed thoroughly over the years, and has held up relatively well-- none of the attacks found were within practical ranges. Triple-DES hasn't been broken-- and likely won't be.

    Rijndael is, of course, the AES. It's based on some very innovative concepts, and I'm comfortable with it. It's a little unconventional (most ciphers nowadays seem to be Feistel ciphers, or variants thereof-- Rijndael is a step in a different direction), but it's been analyzed extensively. Nothing too damning has been found. It's probably good enough to use right now without worry, but the ultra-paranoid will wait a few years to watch for new analysis.

    Serpent was an AES candidate algorithm. It was based on VERY conservative design principles; this has led to a rock-solid cipher. Serpent doesn't do anything truly unconventional-- everything in the cipher spec is based on sound reasoning and is backed up by YEARS of analysis. A little slower than other algorithms, Serpent still has a lot going for it, and I'd recommend it as soon as any other algorithm.

    As for public-key algorithms:

    RSA and ElGamal. Old, trusted, and well-understood. RSA has been analyzed since the early 1980's, and has held up VERY well. ElGamal has received a boatload of analysis, as well-- it's not likely to crack soon.

    ECC is a very open field, currently, and it holds a LOT of potential. But the comfort level isn't quite there, for me. I'd give it another year or two-- there's a lot of research because of the advantages ECC can bring to public-key cryptography.

    Programs:

    PGP/GPG. Take your pick. I like GPG, partially for the more intensive peer review, partially for the licensing. PGP has been around longer, however, so it may be more comfortable.
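    The comment above leans on two structural facts: Blowfish's F-function is simple, and most modern block ciphers are Feistel networks. The following is an added example (not the commenter's code, and not Blowfish itself) that builds a 16-round Feistel network with Blowfish's exact round layout and F-function shape, then wraps it in the encrypt-decrypt-encrypt construction that Triple-DES applies to DES. The S-boxes and the key schedule are constructed stand-ins (Blowfish derives both from the digits of pi and a self-encrypting setup loop); everything else follows the published structure. The point it makes visible is that F is only ever evaluated, never inverted, so decryption is the same routine with the subkeys in reverse order, and that EDE with three equal keys collapses to a single encryption.

```python
"""Blowfish-style 16-round Feistel network (added example; not Blowfish itself
and not code from the Slashdot thread).

Real Blowfish fills its S-boxes and P-array from the hex digits of pi and a
lengthy self-encrypting key schedule; both are replaced here by constructed
stand-ins (assumption).  The round structure is faithful: the round function
F is only ever evaluated, never inverted, so any function will do, and
decryption is encryption with the subkeys reversed.  An EDE wrapper shows
how Triple-DES is built on top of a single block cipher.
"""
import random
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 16


def make_sboxes(seed: int = 0):
    # Constructed: four 256-entry tables of seeded random words, not pi digits.
    rng = random.Random(seed)
    return [[rng.getrandbits(32) for _ in range(256)] for _ in range(4)]


S = make_sboxes()


def f_function(x: int) -> int:
    """Blowfish's F: four byte-indexed S-box lookups combined as
    ((S0[a] + S1[b]) ^ S2[c]) + S3[d], all mod 2**32."""
    a, b, c, d = (x >> 24) & 0xFF, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK32) ^ S[2][c]) + S[3][d]) & MASK32


def key_schedule(key: bytes):
    """Stand-in schedule (assumption, not Blowfish's): 18 subkeys formed by
    cycling key bytes into 32-bit words and XORing in a round constant."""
    if not key:
        raise ValueError("empty key")
    subkeys = []
    for i in range(ROUNDS + 2):
        word = 0
        for j in range(4):
            word = (word << 8) | key[(4 * i + j) % len(key)]
        subkeys.append(word ^ ((0x9E3779B9 * (i + 1)) & MASK32))
    return subkeys


def encrypt_block(block: bytes, subkeys) -> bytes:
    """One 64-bit block through the Feistel network (Blowfish's round layout)."""
    left, right = struct.unpack(">II", block)
    for i in range(ROUNDS):
        left ^= subkeys[i]
        right ^= f_function(left)
        left, right = right, left
    left, right = right, left        # undo the last swap
    right ^= subkeys[ROUNDS]
    left ^= subkeys[ROUNDS + 1]
    return struct.pack(">II", left, right)


def decrypt_block(block: bytes, subkeys) -> bytes:
    # The Feistel structure undoes itself; only the subkey order changes.
    return encrypt_block(block, subkeys[::-1])


def ede_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Encrypt-Decrypt-Encrypt, the construction Triple-DES applies to DES.
    With k1 == k2 == k3 the middle step cancels the first and the result is
    plain single encryption under k1 (how 3DES stays DES-compatible)."""
    s1, s2, s3 = key_schedule(k1), key_schedule(k2), key_schedule(k3)
    return encrypt_block(decrypt_block(encrypt_block(block, s1), s2), s3)


def ede_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    s1, s2, s3 = key_schedule(k1), key_schedule(k2), key_schedule(k3)
    return decrypt_block(encrypt_block(decrypt_block(block, s3), s2), s1)


if __name__ == "__main__":
    pt = b"protest!"
    ct = ede_encrypt(pt, b"key-one", b"key-two", b"key-three")
    print(ct.hex(), ede_decrypt(ct, b"key-one", b"key-two", b"key-three"))
```

Because the S-boxes here are seeded random tables rather than Blowfish's, the ciphertexts are not Blowfish ciphertexts; the example is about structure, not interoperability.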

  2. Depends a lot on your needs. by rjh · Score: 4, Interesting

    For public-key algorithms, I'm actually really fond of Rabin. RSA (and ElGamal) is built on three totally unproven conjectures:
    • P != NP
    • Factoring very large composites is an NP problem (El Gamal: calculating discrete logarithms is an NP problem)
    • There is no other way to break RSA than by factoring large numbers (El Gamal: no other way to break it than by calculating discrete logarithms)

    Rabin, on the other hand, is based on two totally unproven conjectures:
    • P != NP
    • Factoring very large composites is an NP problem

    ... Yes, Rabin has some problems--the ciphertext tends to be much larger than with RSA--but on the whole, it's on a much stronger mathematical foundation. There have been some interesting hints, throughout the years, that the third of RSA's assumptions is not valid--nothing to make any but the most out-there mathematicians drool, but hints nonetheless.

    By dodging the third issue, Rabin manages to be (theoretically) safer than RSA for a given modulus size. The word `theoretical' is extremely important, though; putting algorithms into practice is a far different thing than analyzing them in theory!

    For this reason, although I prefer Rabin in theory, in practice I really don't care much which algorithm you use--RSA, El Gamal or Rabin are all just fine.

    For symmetric algorithms, there is one and only one option for the hardcore and paranoid cryptogeek. That option is TripleDES--either two or three subkeys doesn't matter all that much, but three is definitely preferred. No other symmetric algorithm in history has been cryptanalyzed as heavily as DES. No other symmetric algorithm in history has established as much trust as DES. While at 56 bits of key DES is too weak for anything serious, TripleDES (at somewhere between 112 and 168 bits of key, depending on who you believe) is solid as a rock.

    Of course, it's slower than hell and rekeying takes forever. But hey. If you want only the best, most secure, most-trusted, nothing else even comes close.
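    The Rabin discussion in the comment above is easy to make concrete. The following is an added example (not rjh's code and not any library's) implementing a toy Rabin scheme: encryption is squaring modulo n = p·q, and with both primes congruent to 3 mod 4 each root modulo a prime is a single exponentiation, combined by the Chinese remainder theorem into four roots modulo n. The primes are Mersenne primes picked for readability, far too small for real use (assumption). It shows the "problem" the comment mentions, that every ciphertext has four candidate plaintexts and the receiver needs a redundancy tag to choose, and the reason the scheme "rests on factoring alone": any two roots of the same square that are not negatives of each other reveal a factor of n, which is also why a real Rabin deployment must reject malformed ciphertexts rather than return an arbitrary root.

```python
"""Toy Rabin public-key scheme (added example; not rjh's code or any library's).

Encryption is c = x^2 mod n, n = p*q.  With p, q = 3 (mod 4) a square root
modulo each prime is one exponentiation, and the Chinese remainder theorem
combines them into the four roots modulo n.  The primes are Mersenne primes
chosen for readability, not for security (assumption: toy sizes only).
"""
from math import gcd

# Constructed toy key: 2**k - 1 with k odd is always 3 mod 4.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q

TAG_BITS = 32
TAG_MASK = (1 << TAG_BITS) - 1


def encode(m: int) -> int:
    """Append a copy of the message's low 32 bits as redundancy so the
    receiver can tell the intended root from the other three (m < 2**32)."""
    if not 0 <= m <= TAG_MASK:
        raise ValueError("message out of range for this toy encoding")
    return (m << TAG_BITS) | (m & TAG_MASK)


def decode(x: int):
    """Return the message if x carries a valid tag, else None."""
    if x >> (2 * TAG_BITS):          # a genuine encoding fits in 64 bits
        return None
    m = x >> TAG_BITS
    return m if (x & TAG_MASK) == (m & TAG_MASK) else None


def sqrt_mod_blum_prime(c: int, p: int) -> int:
    # Valid only for p = 3 (mod 4): c^((p+1)/4) squares back to c for residues.
    return pow(c, (p + 1) // 4, p)


def rabin_roots(c: int, p: int, q: int):
    """All square roots of c modulo p*q, via CRT on the roots modulo p and q."""
    n = p * q
    rp = sqrt_mod_blum_prime(c, p)
    rq = sqrt_mod_blum_prime(c, q)
    q_inv_p = pow(q, -1, p)          # q^-1 mod p
    p_inv_q = pow(p, -1, q)          # p^-1 mod q
    roots = set()
    for sp in (rp, (p - rp) % p):
        for sq in (rq, (q - rq) % q):
            roots.add((sp * q * q_inv_p + sq * p * p_inv_q) % n)
    return sorted(roots)


def rabin_encrypt(m: int, n: int) -> int:
    return pow(encode(m), 2, n)


def rabin_decrypt(c: int, p: int, q: int) -> int:
    """Pick the one root whose redundancy tag checks out; refuse otherwise."""
    valid = [m for m in (decode(x) for x in rabin_roots(c, p, q)) if m is not None]
    if len(valid) != 1:
        raise ValueError("no unique tagged root: reject the ciphertext")
    return valid[0]


def factor_from_roots(n: int, x: int, y: int) -> int:
    """Why Rabin rests on factoring alone: two roots of one square with
    y != +-x give (x-y)(x+y) = 0 mod n, so gcd(x - y, n) is a prime factor.
    Returns 1 when the roots are trivially related (y == +-x)."""
    return gcd((x - y) % n, n)


def demo(m: int = 0xC0FFEE) -> dict:
    """Run the whole flow on one constructed message and report what happened."""
    c = rabin_encrypt(m, N)
    roots = rabin_roots(c, P, Q)
    x = encode(m)
    others = [y for y in roots if y not in (x, N - x)]
    return {
        "n_roots": len(roots),
        "all_square_to_c": all(pow(r, 2, N) == c for r in roots),
        "decrypted": rabin_decrypt(c, P, Q),
        "leaked_factor": factor_from_roots(N, x, others[0]) if others else 1,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

The `leaked_factor` entry is the whole argument in one line: the same mathematics that makes a Rabin break equivalent to factoring also means a decryptor that hands back a root the sender did not choose is handing back the private key, so the tag check (or a proper padding scheme in real systems) is a correctness requirement, not a convenience.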