28

When it comes to the security a hashing or encryption algorithm provides, we never know the full story. There's that part that we (respectively the public research) understand and can reason about, but we also know that there might be weaknesses we do not know about and though we can't reason about things we don't know, still that unknown part is relevant AND is affected by certain parameters.

If you for example have two symmetric encryption ciphers, say AES-256 and TwoFish, which conceptually should provide about the same security, which one would you rather trust?

AES-256 is much more widely used than TwoFish. This means there is a much higher incentive in breaking it (and probably much more resources are poured into achieving exactly that). That might be an argument why to prefer the underdog. On the other hand, one can also argue that much more public research is going into AES-256 for the same reason and therefore IF something was fundamentally broken, the chances that it would be publicly known are higher.

Or do such properties cancel each other out anyway and thus adoption rate of an algorithm is of no relevance to security considerations at all?

What would you put more trust into and why?

  • 22
    This question is primarily opinion-based. But the general consensus among cryptographers is that you should rather trust a widely used algorithm, because they are subject to more scrutiny from white-hat cryptanalysts worldwide. – Philipp Feb 26 '21 at 10:29
  • 2
    Is this kind of question really specific to encryption algorithms? Would you invest **all** your money in an established and known low-risk way or in an unclear high-risk way? And while there might be more money to gain (and lose) in the high-risk investment there is usually not much to gain when using some underdog algorithm, but still lots to lose. – Steffen Ullrich Feb 26 '21 at 11:34
  • 5
    To those who are voting to close as opinion-based, it's really not. There is a well established consensus expert answer to this question. – Xander Feb 26 '21 at 14:43

4 Answers

57

Trust the widely accepted algorithm.

Not because the algorithm is better. Well, it does matter: if an algorithm is too much of an underdog, it won't have had enough scrutiny and so there's no reason to trust it. But mainly because comparing algorithms, as long as they're reasonably reputable, is meaningless: they're fine and that's it. It's not the algorithm that kills you, it's the implementation.

With a widely-used algorithm, you get a better selection of implementations, and the implementations themselves have better scrutiny. That's the important thing. So don't use an underdog for which there's only one or two implementations and nobody really looks at their code. Use a popular implementation of a popular algorithm. Popular AES implementations receive more scrutiny than those of any other block cipher. Among ciphers, only ChaCha20 receives as much scrutiny.

This is true especially if you're worried about NSA-level adversaries. We have some historical data about NSA's capabilities. We know that when they advised on the design of DES, they made it more robust to an attack technique that wasn't publicly known at the time (differential cryptanalysis), and vulnerable only to brute force with a budget that they didn't have, but were confident of reaching before anyone else. We know that when GCHQ invented Diffie-Hellman, it was rediscovered publicly less than a decade later. We know from the Snowden revelations that in the early 2010s, NSA couldn't break popular encryption primitives, but could effectively break most software due to implementation bugs.

Gilles 'SO- stop being evil'
  • Very good answer, especially pointing out that it most often is about the implementation. Maybe I should have extended the question to include implementation as well, like whether you'd rather trust a widely used implementation or an underdog implementation. Looking at Heart-Bleed for example, there's the (disputed) insider claim that the NSA knew about it for a long time and exploited it. An implementation less popular than OpenSSL *might* be a less valuable target and hence implementation vulnerabilities might remain unknown for longer or for ever. – matthias_buehlmann Mar 04 '21 at 18:50
  • 4
    @matthias_buehlmann Absolutely do not trust an underdog implementation. Many vulnerabilities are discovered through systematic testing. At the scale of NSA or FSB, the additional cost of testing 50 implementations rather than 20 is small. But if you're an independent researcher, that cost is significant. So mainstream implementations get security notices from white hats. Underdogs don't. That's in addition to mainstream implementations usually getting more scrutiny, and therefore having fewer bugs, in the first place. OpenSSL was famously crappy, but since Heartbleed they've cleaned up a lot. – Gilles 'SO- stop being evil' Mar 04 '21 at 20:47
  • good explanation, thank you! – matthias_buehlmann Mar 06 '21 at 19:51
18

As far as I am concerned, I do not only care about algorithms. I would trust a well known, well tested and widely used implementation. The devil hides in details, so I would not trust even a good reputation algorithm if I have no guarantees on the implementation.

It may not be a direct answer to your question, but it explains why we generally choose widely used algorithms because they have a higher chance to have a widely used and extensively tested implementation.

Serge Ballesta
3

On the non-technical side, the reason to trust the widely adopted one is that if something bad happens, you can't be blamed for choosing unpopular technology. CYA ;)

akostadinov
1

I would probably trust the widely used algorithm since there must have been a lot of research going around to find its weaknesses and because of widespread usage, most of the found weaknesses must have been patched. Moreover, the widely used algorithms would probably be easier to implement because more people use them and give tips about implementation.

alper akyuz