by randywaterhouse 1845 days ago
Cracking DES as set 9 of cryptopals [0] :) ? Awesome challenges in general, of course, but iirc no actually breaking a symmetric key cipher ("actually" doing a lot of work here, I admit, since there's all kinds of oracle attacks which are awesome!).

[0] For the uninitiated: https://cryptopals.com, which is of the parent's and collaborators' creation!

Ninja edit to add: This is all in good fun, recognizing that cryptopals focuses on real-world crypto that actually is used today!

4 comments

The reassuring thing about DES is that DES is actually broken only for the reasons people knew about when DES was standardised in the 1970s.

The DES key size is too small (56 bits) and the DES block size is too small (64 bits).

Practical attacks on DES (as opposed to stuff like oracles that isn't a block cipher problem per se) all attack these known weaknesses of DES; theoretically it's still fine within the bounds of those two fatal limitations.

That's reassuring because it means we're probably done. AES is faster, and it fixes the two things that are wrong with DES by having the longer keys (128-bit or 256-bit) and the larger blocks (128-bit) and so if DES is any indication there won't be a need to replace AES in the foreseeable future.

But I'm pretty sure it makes this hypothetical Cryptopals set silly. On specialist hardware DES cracking via these two obvious flaws is practical, though not exactly cheap, but "Pay somebody some Buttcoins to crack the key" isn't much of a Cryptopals exercise, and "Build your own DES cracker" is more hardcore electronics project than crypto introduction.

No need to replace AES except for implementation concerns, because constant-time AES on a CPU with caches but without AES in hardware is an absolute nightmare. I mean, have you seen how bitslicing works? It's awful. Brilliantly clever, but still awful.

I believe better performance without hardware specializations is why the ChaCha cipher was invented and added to TLS. I even think most big websites prefer it, for better mobile experience.
> I even think most big websites prefer it, for better mobile experience.

Actually the clients get to present a list of ciphers in descending order of preference; a server can (and most will) choose the first from the list that they're willing to use.

So on most heavier devices AES will be chosen, because they have a hardware AES accelerator and so they put AES suites at the top of the list, while devices that don't are likely to put a suite with ChaCha20 at the top.

AES is Mandatory To Implement for modern TLS, even if your client can't do it efficiently you will need to support it in case your peer doesn't want to agree anything else.
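The negotiation described in the comment above, as an added Python illustration that is not code from this thread or from any real TLS stack. It encodes and decodes the TLS 1.3 ClientHello cipher_suites vector using the real RFC 8446 code points, then runs the server-side pick under both policies (follow the client's order, or follow the server's own order; the `honour_client_order` flag is a hypothetical name, not an option of any particular server). The client and server suite lists are constructed for the example.

```python
"""Cipher-suite selection as negotiated in TLS 1.3 (added illustration).

The client sends the suites it supports in its own order of preference;
the server picks one it also supports. Whether the server honours the
client's order or its own is a server-side setting, so both are shown.
"""
import struct

# TLS 1.3 cipher suite code points (RFC 8446, appendix B.4).
TLS_AES_128_GCM_SHA256 = 0x1301        # mandatory to implement
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_CHACHA20_POLY1305_SHA256 = 0x1303

NAMES = {
    TLS_AES_128_GCM_SHA256: "TLS_AES_128_GCM_SHA256",
    TLS_AES_256_GCM_SHA384: "TLS_AES_256_GCM_SHA384",
    TLS_CHACHA20_POLY1305_SHA256: "TLS_CHACHA20_POLY1305_SHA256",
}

# Constructed preference lists for the example (not captured traffic).
# A phone without an AES accelerator leads with ChaCha20 but still offers
# the mandatory AES-128-GCM suite so it can always reach agreement.
MOBILE_CLIENT = [TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256,
                 TLS_AES_256_GCM_SHA384]
# A server with AES-NI prefers AES but supports all three.
SERVER_WITH_AESNI = [TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256,
                     TLS_CHACHA20_POLY1305_SHA256]


def encode_cipher_suites(suites):
    """Encode the ClientHello cipher_suites vector: a 2-byte length followed
    by 2-byte big-endian code points, in the client's preference order."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data):
    """Parse the cipher_suites vector back into an ordered list of code
    points, rejecting odd lengths and truncated vectors."""
    if len(data) < 2:
        raise ValueError("cipher_suites vector too short")
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or length == 0 or len(data) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", data[2 + i:4 + i])[0]
            for i in range(0, length, 2)]


def select_suite(client_suites, server_suites, honour_client_order=True):
    """Return the suite the server would pick, or None if there is no
    overlap (a real stack would then send a handshake_failure alert).

    honour_client_order=True walks the client's list and takes the first
    suite the server also supports (the behaviour the comment describes);
    False walks the server's own list instead."""
    if honour_client_order:
        preferred, other = client_suites, server_suites
    else:
        preferred, other = server_suites, client_suites
    supported = set(other)
    for suite in preferred:
        if suite in supported:
            return suite
    return None


def negotiate(client_hello_suites_bytes, server_suites, honour_client_order=True):
    """Decode a ClientHello cipher_suites vector and run the selection."""
    return select_suite(decode_cipher_suites(client_hello_suites_bytes),
                        server_suites, honour_client_order)


if __name__ == "__main__":
    wire = encode_cipher_suites(MOBILE_CLIENT)
    print("ClientHello cipher_suites:", wire.hex())
    for policy in (True, False):
        chosen = negotiate(wire, SERVER_WITH_AESNI, honour_client_order=policy)
        print("honour client order" if policy else "honour server order",
              "->", NAMES.get(chosen, chosen))
    # A client that drops the mandatory suite can end up with no agreement.
    print("ChaCha-only client vs AES-128-only server ->",
          select_suite([TLS_CHACHA20_POLY1305_SHA256], [TLS_AES_128_GCM_SHA256]))
```

The last case is the practical reason behind the "mandatory to implement" rule in the comment: a client that omits TLS_AES_128_GCM_SHA256 gets no handshake at all against a server that offers only that suite, whereas one that lists it behind ChaCha20 merely ends up with its second choice.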

The point, of course, is not cracking DES, but instead understanding cipher design, which has not ended with AES.
I liked Heys so much that I thought about putting together a block cipher cryptanalysis Set 9, but I'd much rather do someone else's Set 9 and learn from it. Maybe I can troll Aleks and Thomas Pornin into doing it.
For anyone who wants Cryptopals set 8 (not linked on the website unfortunately):

https://gist.github.com/arkadiyt/5b33bed653ce1dc26e1df9c249d...

That's what I was aiming for a while ago but never got to finish: https://davidwong.fr/blockbreakers/