Regrinding is, at core, an attempt to give new expression to an older result so that it's not merely referenced[1] but actually integrated into the modern context and thus given a new life as an active part of new developments. Such new expression preserves the substance while enabling the older result to take full advantage of the current context, connecting it meaningfully to new things, discarding its limitations that were specific only to the older context and retaining otherwise in spirit if perhaps not fully in letter the still valid underlying principles. In fewer words, regrinding is a rejuvenation, so much more than just a reference[2].
I've done such regrinding previously to software from the 1970s and it enabled the development of very useful tools that pushed quite quickly for further developments and new connections that were simply not even visible before the successful regrind. This time though, the scope is even wider as it all started with a legitimate question regarding the cryptographic choices of my infrastructure and it turns out that a fully grounded response requires first of all going back all the way to 1883 and the original statement of Kerckhoffs' desiderata, because it's exactly their regrinding (although implicit until now rather than explicit) that exposes a clear root from which one can then reason about and evaluate existing cryptographic options as well as any specific choices made in a given context.
Let's start from the source[3], meaning the desiderata as written by Auguste Kerckhoffs[4] in his article "La Cryptographie Militaire"[5] published in two parts, in January and February 1883, respectively, in the Journal des Sciences Militaires:
- Le système doit être matériellement, sinon mathématiquement, indéchiffrable.[6]
- Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.[7]
- La clef doit pouvoir en être communiquée et retenue sans le secours de notes écrites, et être changée ou modifiée au gré des correspondants.[8]
- Il faut qu’il soit applicable à la correspondance télégraphique.[9]
- Il faut qu’il soit portatif, et que son maniement ou son fonctionnement n’exige pas le concours de plusieurs personnes.[10]
- Enfin, il est nécessaire, vu les circonstances qui en commandent l’application, que le système soit d’un usage facile, ne demandant ni tension d’esprit, ni la connaissance d’une longue série de règles à observer.[11]
Except for the 4th with its direct reference to telegraphic communications, the desiderata above are essentially expressions of "soft" requirements that are derived quite directly from human nature and from the core purpose of cryptography - neither of which fundamentally changed or are likely to ever change significantly. Consequently, the principles captured in these desiderata are as valid now as they were back in 1883 and it is only their expression and concrete practical implications that have to change in order to be fully and directly relevant in the modern context.
Taking the 4th desideratum above as the most obviously outdated in its original form, its core is that the cryptographic system needs to be applicable to the prevalent medium of communication. Hence, the change of expression required here to bring this fully to the modern day is simply that the cryptographic system has to be applicable to online communications instead of telegraphic ones. Obviously, there are deeper implications for a cryptographic system due to this change of medium from telegraphic to online, but the underlying principle so neatly expressed by Kerckhoffs remains the same: the system needs to be applicable to the relevant medium of communication (and this means, in turn, fully taking into account the constraints and opportunities specific to the medium). Before attempting to explore in more detail the implications of this new expression though, there is further understanding to be gained from the original by reading and annotating Kerckhoffs' own brief discussion of the above desiderata:
Tout le monde est d’accord pour admettre la raison d’être des trois derniers desiderata ; on ne l’est plus, lorsqu’il s’agit des trois premiers.[12]
C’est ainsi que des personnes autorisées soutiennent que l’indéchiffrabilité absolue du chiffre ne saurait être considérée comme une condition sine quâ non de son admission dans le service de l’armée; que les instructions chiffrées transmises en temps de guerre n’ont qu’une importance momentanée, et n’exigent guère le secret au delà des trois ou quatre heures qui suivent le moment où elles ont été données; qu’il importe donc peu que le sens d’une dépêche secrète soit connu de l’ennemi quelques heures après son interception; qu’il suffit, en un mot, que le système soit combiné de telle façon que la traduction d’un cryptogramme exige au moins trois à quatre heures de travail. On ajoute que la possibilité de pouvoir changer de clef à volonté ôte d’ailleurs au défaut de non-indéchiffrabilité toute son importance.[13]
Cette argumentation peut, au premier abord, paraître assez juste ; au fond, je la crois fausse.[14]
C’est en effet, selon moi, oublier que le secret des communications envoyées à distance conserve très souvent son importance au delà de la journée où elles ont été transmises ; sans énumérer toutes les éventualités qui peuvent se présenter, il me suffira de citer le cas où le commandant d’une ville assiégée envoie des renseignements à l’armée qui doit la secourir. De plus, une fois qu’un cryptogramme intercepté a pu être déchiffré, toute nouvelle dépêche, écrite avec la même clef et qui subit le même sort, peut être lue instantanément. Il arrivera par suite que, pendant un temps plus ou moins long, des dépêches seront expédiées dans toutes les directions, dont le déchiffrement se trouvera en quelque sorte fait d’avance : à moins d’admettre que dans un corps d’armée toutes les instructions chiffrées émanent d’un seul, ou du moins passent par les mains d’un seul, ce qui serait réduire la correspondance secrète à un rôle singulièrement modeste.[15]
La faculté de pouvoir changer de clef à volonté est certainement une condition essentielle de tout système de cryptographie, mais c’est un avantage trompeur et sur la réalisation pratique duquel on aurait tort de compter, à travers les mille péripéties d’une longue campagne.[16]
Quant à la nécessité du secret, qui, à mes yeux, constitue le principal défaut de tous nos systèmes de cryptographie, je ferai observer qu’elle restreint en quelque sorte l’emploi de la correspondance chiffrée aux seuls commandants en chef. Et ici j’entends par secret, non la clef proprement dite, mais ce qui constitue la partie matérielle du système : tableaux, dictionnaires ou appareils mécaniques quelconques qui doivent en permettre l’application. En effet, il n’est pas nécessaire de se créer des fantômes imaginaires et de mettre en suspicion l’incorruptibilité des employés ou agents subalternes, pour comprendre que, si un système exigeant le secret se trouvait entre les mains d’un trop grand nombre d’individus, il pourrait être compromis à chaque engagement auquel l’un ou l’autre d’entre eux prendrait part. Rien qu’à ce point de vue il y aurait lieu de condamner l’emploi du dictionnaire chiffré, qui est en usage aujourd’hui dans l’armée.[17]
On m’objectera peut-être qu’en admettant le deuxième desideratum, il n’est guère possible d’établir un système complètement indéchiffrable. Il faut s’entendre : je sais très bien que vouloir dans ces conditions trouver un système mathématiquement indéchiffrable est chose mathématiquement impossible ; mais j’affirme, et non sans de bonnes raisons, que, tout en réalisant les différents desiderata que j’ai énumérés plus haut, on peut parfaitement combiner des systèmes, sinon mathématiquement, du moins matériellement indéchiffrables.[18]
Il paraît qu’il est sérieusement question, au ministère de la guerre, de remplacer le dictionnaire chiffré par quelque autre système plus pratique. Eh bien! si l’Administration veut mettre à profit tous les services que peut rendre un système de correspondance cryptographique bien combiné, elle doit absolument renoncer aux méthodes secrètes, et établir en principe qu’elle n’acceptera qu’un procédé qui puisse être enseigné au grand jour dans nos écoles militaires, que nos élèves seront libres de communiquer à qui leur plaira, et que nos voisins pourront même copier et adopter, si cela leur convient. Je dirai plus : ce ne sera que lorsque nos officiers auront étudié les principes de la cryptographie et appris l’art de déchiffrer, qu’ils seront en état d’éviter les nombreuses bévues qui compromettent la clef des meilleurs chiffres, et auxquelles sont nécessairement exposés tous les profanes ; alors seulement cet article du règlement du 19 novembre 1874, que j’ai mentionné plus haut, pourra recevoir une application pratique et réellement satisfaisante.[19]
Doubtless both the agreement regarding the need for the last three desiderata as well as the lack of agreement regarding the need for the rest of them were indeed true in Kerckhoffs' time exactly as stated. But the more interesting part is the fault line on which such agreement breaks: what made at the time the last three desiderata so obvious to anyone and the first three so very much *not* obvious? Most likely, it was quite literally a matter of direct exposure and immediate feedback versus indirect exposure and longer term or even entirely lacking feedback - while any lack of adherence to the last three would cause direct, clear and immediate inconvenience to anyone attempting to use cryptography at the time, a fault or lack related to the first three would be more subtle and less easily or directly noticed, especially on the spot. Specifically, there isn't any direct or immediate visibility of failures that are caused by an encryption method being in practice more easily decrypted than it was generally thought, the secrecy of the system being in practice less of a secret than considered or the inability to communicate, recall or change the key at will being an impediment to maintaining secrecy of communications over the long term. In other words, the agreement is lacking where the feedback loop is both longer and more complex, with practical results going at times even directly against the more natural intuition or even simply against the prevalent belief or custom.
The new context of computers and online communications brings in some changes to the above in that it renders some parts more obvious than they were (most notably the weakness of many ciphers that *seem* indecipherable at first sight) but it is unlikely to change this sort of underpinning of how different requirements are perceived and evaluated as obviously necessary or not. So it's arguably wiser to focus less on how the consensus/agreement might have changed meanwhile and more on addressing the underlying fact that increased complexity and longer feedback loops are more likely to obscure and even shield potentially fundamental faults than to somehow render obsolete any of the core requirements. Restating thus Kerckhoffs' argument in more general terms that are just as valid now as they were in his time, there tends to be consensus on desiderata that are clearly and directly linked to obvious and immediate failures while there is less consensus on desiderata linked to failures that are more subtle and may have effects that don't become obvious directly or in real time as encryption is used.
To see the above in action, it's useful to consider how the consensus has concretely changed, as the present simply shifted the fault line on which that same agreement breaks. Nowadays there is full agreement regarding the importance of the 2nd desideratum, which has perhaps been quite well re-ground already and even in various forms at that, e.g. "no security through obscurity" or Shannon's maxim that "the enemy knows the system". Not surprising perhaps, given that the powerful computation capabilities of modern computers simply made this particular part of it much more directly obvious than it was in Kerckhoffs' time.
Interestingly though, something else seems to have happened to the last two desiderata: even as computers certainly made the operation and use easier and even effortless for much more complex ciphers than Kerckhoffs ever worked with, they have also replaced the physical and directly observable usability issues with less obvious ones that are likely therefore to receive less direct attention unless specifically investigated as such. As cryptography moved from slow mechanical contraptions and manual calculations to swift computer-assisted systems, opaque software and even pocket-sized hardware devices that "do it all" for the user, the more common view seems to be that the last three desiderata of Kerckhoffs are either not relevant anymore or simply fulfilled by default and thus no longer needing any further consideration. To paraphrase Kerckhoffs himself: on the face of it, this may seem a fair assessment; on a fundamental level, I think this is false.
Even though the encryption/decryption operation itself is arguably easier to perform nowadays as a device will do all the required calculations quickly and transparently, this doesn't make cryptography as an activity any easier - if anything, it makes it harder as the complexity is higher, there is less intuitive and direct feedback for any action and the potential blunders and resulting vulnerabilities have only morphed to different shapes that are harder to spot and potentially better hidden as well.[20]
The desired ease of use of a cryptographic system goes deeper than the purely mechanical or operational aspects and it includes as fundamental aspect the ease with which the system and the required actions can be understood well enough to avoid pitfalls. Thinking of cryptography as an activity, its "ease of use" refers to being able to obtain reliably, consistently and even verifiably the exact desired effect without any undesired side effects. The lack of physical or mental strain are in this context desired requirements only as means towards a purpose, as they support the user and they arguably reduce the chances of user error but they aren't themselves the goal nor can they be pursued as such.
Kerckhoffs himself quite plainly argues in the discussion above precisely for the routine and thorough study of a cryptographic system by those who are expected to use it. Moreover, he makes the argument that it's *only* through such study - thus markedly *not* merely through the system's ease of operation - that the user of a cryptographic system can avoid blunders that are both unavoidable otherwise and effectively compromising security regardless of the strength of the cipher by itself. If anything, I'd say that this is all the more relevant today given the much more widespread use of encryption coupled with the increased complexity of approaches and the double-edged sword of software making operations easier in a mechanical sense but much more difficult and less intuitive to understand or even simply to check/evaluate on the spot as to full implications of any given action.
Quite interestingly, the requirements of portability and single-person handling introduced by the 5th desideratum retain their relevance in the online space even though it might seem an unlikely fit at first sight. To see the link though, it's enough to switch from the physical portability and handling that Kerckhoffs undoubtedly had in mind to the more direct meaning of whether one single person has at any given time all that they need to successfully encrypt, decrypt and check a message. Considered in this light, any cryptographic system that stores the keys remotely is already unlikely to meet the portability requirement and arguably fails even the single-person handling requirement, since the remote end is in itself effectively requiring the involvement of another (hence a second "person", even if that might be an organization rather than a physical person as such). Even more directly, any schemes that fragment and distribute any part of a cryptographic system (whether it's some checks, some signatures or outright keys) are effectively going against that single-person handling requirement. If one considers the even more fundamental meaning of "single-person handling" as the ability of one person to have full control over the actions performed, it follows that it's not even enough to have everything locally and unfragmented: the crucial point is whether the user truly has both the access and the understanding required to be in control.
Considering Kerckhoffs' own discussion of the 6 desiderata in their context of use and aiming to maintain thus their fundamental meaning, a first attempt at a regrind can be perhaps made with some minimum initial notes, as follows:
- The system must be practically, if not mathematically, indecipherable.[21]
- It must not require secrecy and its workings should be clearly and fully exposed for anyone to access.[22]
- It has to provide the means to observe, communicate, retain, change or modify the key as and when users see fit.[23]
- It must be applicable to the prevalent medium of communication.
- It must allow at all times full access, control and interrogation of any and all its parts by the legitimate user without requiring for such actions the involvement of any other parties.
- Finally, it is necessary, given the circumstances of its application, that the system's complexity is minimal and all its functioning is made as explicit and clear as possible so that its use with full understanding can be achieved with some reasonable amount of study but without requiring continuous mental strain or the knowledge of a long series of rules to observe.
The above is meant as a first attempt to regrind the full set of Kerckhoffs' desiderata while recovering as well their original discussion, which is quite informative and adds useful context. Perhaps better expressions can be found with time and with the experience obtained through the explicit use of this first regrind. The "re" in regrind is not limited to one, after all, nor does it ever have to be.
For my own use, I find that these fundamentals make together a useful and entirely usable lens through which one can see more clearly and evaluate the various developments in cryptography as well as any new methods or systems that have been or might be proposed. While this article took more effort to write and grew in size well beyond what I initially intended, I think it has all been time and effort well spent as it finally makes explicit the fundamentals that inform all further decisions regarding my own choices related to cryptography.
The next steps for anyone interested would be to have a look at the main current approaches and directions and the degree to which they fulfill or not these six desiderata. Such an exercise gives in my experience quite a refreshing and empowering perspective that is both well grounded and able to handle quite effectively and efficiently the otherwise seemingly overwhelming volume of material to go through. One of these days I might even make the time to write it fully down and publish it as well but don't wait for me on this - go ahead and do it yourself for your own needs, then leave me a message in the comment box below so we can compare notes, results and perspectives, learning perhaps something further through the interaction itself. This is anyway how it works best, each and every time.
[1] Certainly, Kerckhoffs is widely and even reverently cited in modern cryptography but in most cases it's only one sentence of his seminal article that is referenced, usually under the name of "Kerckhoffs' principle". The rest hardly receives any explicit attention and at times it's even dismissed as essentially out of date. My take on it though is that the substance of Kerckhoffs' 6 desiderata is still very much relevant today and moreover, the full set rather than just one desideratum makes in practice for a much more solid base for a cryptographic system than is currently explicitly available otherwise.
[2] If the term is still not all that clear to you, note perhaps that it's a term of art and thus its full meaning is embedded in its own wider context, not entirely captured by any straightforward definition. In other words, there is perhaps some closer link than it might seem between art and culture on one side, steganography and cryptography on the other.
[3] As is quite often the case with old enough material, "from the source" means in practice "as close to the source as currently available". Since I don't currently have the originals and I'm rather reluctant to postpone this until I get a chance to see it for myself at the British Library where it is in principle still available, the copy I'm using for now is the one made available by Fabien A. P. Petitcolas who maintains electronic versions of part 1 and part 2 that are made in turn from a copy of the originals as obtained by him in 1998 from the British Library.
[4] His full name was Jean Guillaume Auguste Victor Alexandre François Hubert Kerckhoffs but he didn't seem to have used it in full all that often, so I won't use it in full any further either.
[5] The title in full being actually "La cryptographie militaire, ou des chiffres usités en temps de guerre, avec un nouveau procédé de déchiffrement applicable aux systèmes à double clef" according to the British Library where the original is held. Decrypting the French to English, for my readers lacking the key to read directly the original, the title would therefore be "Military cryptography or cyphers used in times of war, with a new decryption method applicable to double key systems".
[6] The system must be practically, if not mathematically, indecipherable.
[7] It must not require secrecy and the enemy knowing it must not cause any inconvenience.
[8] The key must be communicable and retainable without requiring written notes and it must be changeable and modifiable at the will of the correspondents.
[9] It must be applicable to telegraphic correspondence.
[10] It must be portable and its use and functioning must not require more than one person.
[11] Finally, it is necessary, given the circumstances of its application, that the system be easy to use, not requiring mental strain nor the knowledge of a long series of rules to observe.
[12] Everyone agrees to admit the reason for existence of the last three desiderata; such agreement doesn't exist though when it comes to the first three.
[13] This is how authorised persons hold the view that the absolute indecipherability of a cipher shouldn't be considered as an absolutely necessary requirement for its use in the army; that the encrypted orders transmitted in times of war have only a temporary importance and hardly require remaining a secret beyond three or four hours after being issued; that it matters therefore little that the meaning of a secret missive would be known by the enemy several hours after its interception; that it is enough, in a word, that the system is scrambled in such a manner that the translation of an encrypted message requires at least three hours of work. In addition, it's considered that being able to change the key at will renders the defect of non-indecipherability utterly unimportant.
[14] This argument can seem, at first sight, fair enough; on a fundamental level, I think it's false.
[15] It comes down in fact, in my opinion, to forgetting that the secret of distance communications very often remains important beyond the day of transmission; without enumerating all the cases that may arise, it will be enough to point to the situation where the major of a town under siege sends intelligence to the army that must save it. Moreover, once an intercepted cryptogram was successfully decrypted, all further intercepted messages encrypted with the same key can be read immediately. It follows that, after more or less time, there will be messages sent in all directions for which the decryption will have been already done of sorts, in advance, unless requiring that in an army corps, all encrypted instructions come from a single person or at least are handled by a single person, which would mean reducing secret messages to a peculiarly modest role.
[16] The ability to change the key at will is certainly an essential condition for any cryptographic system but it is a misleading advantage and it would be wrong to count on its practical implementation throughout the numerous adventures of a long campaign.
[17] As to the necessity of secrecy, which constitutes, to my eye, the main defect of all our cryptographic systems, I'll observe that it restricts in a way the use of encrypted communications to commanders in chief. And here by secret I don't mean the key itself but the concrete tools of the system: tables, dictionaries or whatever mechanical gear is required. In fact, one doesn't need to create imaginary phantoms and to cast doubt on the incorruptibility of employees or of subordinates, to understand nevertheless that, if a system requiring secrecy is found in the possession of too many individuals, it can be compromised at any point where one or another is involved. This point of view alone would give enough grounds to condemn the reliance on a dictionary of codes, as is currently the case in the army.
[18] One might object perhaps that, by admitting the second desideratum it would hardly be possible to establish a system entirely indecipherable. To understand one another: I know very well that, wanting under these conditions to find a system that is mathematically indecipherable is a mathematical impossibility; but I state, and not without good reasons, that, even while fulfilling the various desiderata that I enumerated above, one can perfectly well construct systems that are, if not mathematically, at least practically indecipherable.
[19] It would seem that the army ministry is seriously raising the question of replacing the dictionary of codes by some other system that is more practical. Well! If the Administration wants to fully benefit from all the services that can be provided by a cryptographic system of communications that is well made, it should completely discard secret methods and establish as a principle to accept only a method that can be taught in the open in our military schools, one that our students will be free to talk about with whom they please and one that our neighbours could even copy and adopt, if that is suitable and even more: only when our officers study the principles of cryptography and learn the art of decryption will they be able to avoid the numerous blunders to which all laypersons are exposed and that compromise the key of the best ciphers; only then will this regulation article of 19 November 1874 that I mentioned above stand a chance to receive a practical and truly satisfactory application.
[20] There is even a whole new scope and strong incentives for purposefully though transparently sabotaged systems but even leaving that aside for the time being, there are many examples of direct blunders and vulnerabilities inadvertently introduced through encryption systems or "improvements" to such systems as proposed and promoted by experts in the field. To pick just one of the most visible examples, take for instance the OCB2 mode of operation which was included in the 2009 ISO standard (ISO/IEC 19772:2009), widely adopted and implemented due to its technical advantages and then found to be entirely and easily broken in theory as well as in practice, with direct, real-world attacks exploiting an overlooked interaction between two of its underlying constructs. For full details, see for instance the paper by Inoue, Iwata, Minematsu and Poettering, "Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality", Journal of Cryptology, Vol 33, Issue 4, Oct 2020, pp. 1871-1913.
[21] All the devils here are in what that "practically" means in a modern context. The original expression though is general enough so that it still stands exactly as it was and it's quite a joy to see this, too.
[22] I'm trying to be more explicit here even at risk of making this way more verbose than the "Kerckhoffs' principle" usually is.
[23] The core part that is still relevant about "without help from written notes" is more difficult to capture here. Kerckhoffs' point was essentially the same one made today about passwords, namely that one that is too difficult to be remembered will therefore be written down and thus easily found out by an adversary. This runs however into the inescapable fact of the modern environment that computers are simply too powerful for humans to rely only on their memory. Consequently, any practical security will require some form of external help, thus "written notes" in the widest possible sense. But I think that Kerckhoffs' point still stands and there should always be *as well* and in addition to all other protection layers (such as NOT keeping such notes in plain text, for instance) at least one part that remains at all times solely in the mind of the legitimate user.
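The split the last footnote argues for (a "written note" kept on the user's own device plus one part that lives only in the user's memory) can be made concrete as a key-derivation layout. The following is an added example written for this page, not code from the original article or from any library it mentions; the function names, the 200,000-iteration PBKDF2 parameter and the sample passphrase and note bytes are all constructed assumptions. The working key depends on both halves, so a stolen note file still demands the memorised passphrase and a guessed passphrase is useless without the note; the local verifier lets the user confirm their own memory without involving any other party, in the spirit of the single-person handling desideratum.

```python
"""Two-half key derivation: memorised passphrase + locally stored secret note.

Added example (not the article's own code). Nothing here is a complete
cryptosystem; it only shows how the derived key can be made to depend on
both a memorised part and a stored part, and how the user can check the
memorised part locally.
"""
import hashlib
import hmac
import secrets

# Assumed parameters for this demo: PBKDF2-HMAC-SHA256 with a fixed
# iteration count. Real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32            # bytes of derived key (256 bits)
NOTE_LEN = 32           # bytes of stored secret ("written note")
SALT_LEN = 16           # bytes of non-secret salt stored next to the note


def make_note() -> bytes:
    """Generate the stored half: high-entropy random bytes kept only on the
    user's own device (e.g. in an encrypted file). It is never memorised."""
    return secrets.token_bytes(NOTE_LEN)


def make_salt() -> bytes:
    """Non-secret salt stored alongside the note; it only prevents
    precomputation against the passphrase, it carries no secret."""
    return secrets.token_bytes(SALT_LEN)


def derive_key(passphrase: str, note: bytes, salt: bytes) -> bytes:
    """Combine the memorised half and the stored half into one working key.

    1. The passphrase is stretched with PBKDF2 so that guessing it is slow.
    2. The stretched value is then keyed with the stored note via HMAC, so
       the note alone (e.g. a copied file) yields nothing without the
       passphrase, and the passphrase alone yields nothing without the note.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    return hmac.new(note, stretched, hashlib.sha256).digest()


def make_verifier(key: bytes) -> bytes:
    """A tag the user stores locally to check later whether the passphrase
    was remembered correctly. It is derived from the key under a fixed
    label, so it does not reveal the key itself."""
    return hmac.new(key, b"key-verifier-v1", hashlib.sha256).digest()


def verify(passphrase: str, note: bytes, salt: bytes, verifier: bytes) -> bool:
    """Re-derive the key from the candidate passphrase and the stored halves
    and compare in constant time against the stored verifier. Runs entirely
    on the user's device; no remote party is consulted."""
    candidate = derive_key(passphrase, note, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


# Constructed sample values so the module runs offline and deterministically.
SAMPLE_PASSPHRASE = "tension d'esprit minimale"      # the memorised half
SAMPLE_NOTE = bytes(range(32))                        # stands in for a stored note file
SAMPLE_SALT = b"\x00" * SALT_LEN                      # non-secret salt


def demo() -> dict:
    """Show that the key needs both halves and that local verification works."""
    key = derive_key(SAMPLE_PASSPHRASE, SAMPLE_NOTE, SAMPLE_SALT)
    verifier = make_verifier(key)
    return {
        "key_len": len(key),
        "deterministic": key == derive_key(SAMPLE_PASSPHRASE, SAMPLE_NOTE, SAMPLE_SALT),
        "wrong_passphrase_differs": key != derive_key("wrong", SAMPLE_NOTE, SAMPLE_SALT),
        "wrong_note_differs": key != derive_key(SAMPLE_PASSPHRASE, make_note(), SAMPLE_SALT),
        "verify_ok": verify(SAMPLE_PASSPHRASE, SAMPLE_NOTE, SAMPLE_SALT, verifier),
        "verify_rejects_wrong": not verify("wrong", SAMPLE_NOTE, SAMPLE_SALT, verifier),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier is the one optional part: storing it gives the user a local, third-party-free way to confirm their memory before attempting a decryption, at the cost of handing anyone who copies the note file and the verifier an offline test for passphrase guesses. That is exactly why the memorised half must carry real entropy and the PBKDF2 stretching is not optional.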