mit-scheme-devel

Re: [MIT-Scheme-devel] Blowfish, MD5, mcrypt, mhash


From: Taylor R Campbell
Subject: Re: [MIT-Scheme-devel] Blowfish, MD5, mcrypt, mhash
Date: Fri, 3 Nov 2017 05:35:50 +0000

> Date: Thu, 2 Nov 2017 22:07:05 -0700
> From: "Arthur A. Gleckler" <address@hidden>
> 
> I like the idea, but isn't it generally accepted that writing one's own
> crypto is risky?

Merely _using_ MD5 or Blowfish in a protocol is risky!

That said, I am pretty well acquainted with what goes into crypto
implementation.

MD5 is about as easy as it gets, short of something like Salsa20 or
ChaCha.  Bugs in simple implementations of functions like this are
extraordinarily unlikely to pass even a single test vector, because by
design any flipped bits in the computation get propagated all over the
place.  There's no temptation to put in timing side channels because
everything is built out of 32-bit + & | ^ <<N >>N, for constant N.

Blowfish invites implementations with obvious timing side channel
attacks, because nobody really worried about them at the time it was
designed and everyone casually accepted secret-dependent array
indices.

It's unlikely that there are any constant-time software implementations
of Blowfish anyway -- I expect probably OpenSSL and definitely mcrypt
to be vulnerable to such attacks.  So if I copied code from somewhere
else or wrote my own, that wouldn't make things worse than they
already are.

Things are much harder for, e.g., RSA, of which I'm aware of only one
plausible candidate software implementation that is not vulnerable to
timing side channel attacks -- and is unlikely to be very fast.
(That's in BearSSL.  OpenSSL's looked like it had obvious timing side
channel attacks last time I looked; a year or so later, someone
published a paper on exploiting them.  Maybe it's improved since then,
but I doubt it.  And, indeed, yesterday's OpenSSL advisory would
affect RSA computations.)  But RSA is not relevant here.
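The secret-dependent table index Campbell describes, side by side with a constant-time lookup built only from the 32-bit `+ & | ^ << >>` operations he lists for MD5, as an added C example that is not from this thread or from MIT Scheme. The S-box contents and the four-byte round function are constructed stand-ins with Blowfish's shape, not Blowfish's real tables.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed demo S-box: 256 words of filler, NOT Blowfish's pi-derived table. */
#define SBOX_SIZE 256
static uint32_t sbox[SBOX_SIZE];

static void init_demo_sbox(void) {
    uint32_t x = 0x9e3779b9u;            /* arbitrary seed for the filler */
    for (size_t i = 0; i < SBOX_SIZE; i++) {
        x = x * 1664525u + 1013904223u;  /* LCG step, only to fill the table */
        sbox[i] = x;
    }
}

/* Naive lookup: the address loaded depends on the secret index, so cache
   timing can leak it. This is the pattern the thread attributes to Blowfish. */
static uint32_t lookup_naive(uint8_t idx) {
    return sbox[idx];
}

/* Constant-time lookup: read every entry and keep the wanted one with a mask
   derived arithmetically from the index, so memory access does not depend on it. */
static uint32_t lookup_ct(uint8_t idx) {
    uint32_t result = 0;
    for (uint32_t i = 0; i < SBOX_SIZE; i++) {
        uint32_t diff = i ^ (uint32_t)idx;               /* 0 only when i == idx */
        uint32_t mask = ((diff | (0u - diff)) >> 31) - 1u; /* all-ones iff diff == 0 */
        result |= sbox[i] & mask;
    }
    return result;
}

/* Blowfish-shaped round function ((S[a] + S[b]) ^ S[c]) + S[d], using the one
   demo table for all four bytes; real Blowfish uses four distinct S-boxes. */
static uint32_t f_round(uint32_t x, uint32_t (*lookup)(uint8_t)) {
    uint8_t a = (uint8_t)(x >> 24), b = (uint8_t)(x >> 16);
    uint8_t c = (uint8_t)(x >> 8),  d = (uint8_t)x;
    return ((lookup(a) + lookup(b)) ^ lookup(c)) + lookup(d);
}

/* Returns 1 if the constant-time path agrees with the naive one everywhere. */
static int ct_matches_naive(void) {
    init_demo_sbox();
    for (uint32_t i = 0; i < SBOX_SIZE; i++)
        if (lookup_ct((uint8_t)i) != lookup_naive((uint8_t)i)) return 0;
    for (uint32_t x = 0; x < 0x40000u; x += 0x1357u)
        if (f_round(x, lookup_ct) != f_round(x, lookup_naive)) return 0;
    return 1;
}
```

Whether the loop actually runs in constant time on a given target still has to be checked against the compiled output, since an optimiser is free to rewrite the masking.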
