Would you rather trust a widely adopted algorithm or an underdog if they're cryptanalytically on a level playing field?

Trust the widely accepted algorithm.

Not because the algorithm is better. Well, it does matter: if an algorithm is too much of an underdog, it won't have had enough scrutiny and so there's no reason to trust it. But mainly because comparing algorithms, as long as they're reasonably reputable, is meaningless: they're fine and that's it. It's not the algorithm that kills you, it's the implementation.

With a widely-used algorithm, you get a better selection of implementations, and the implementations themselves have better scrutiny. That's the important thing. So don't use an underdog for which there are only one or two implementations and nobody really looks at their code. Use a popular implementation of a popular algorithm. Popular AES implementations receive more scrutiny than those of any other block cipher. Among ciphers, only ChaCha20 receives as much scrutiny.

This is true especially if you're worried about NSA-level adversaries. We have some historical data about NSA's capabilities. We know that when they advised on the design of DES, they made it more robust to an attack technique that wasn't publicly known at the time (differential cryptanalysis), and vulnerable only to brute force with a budget that they didn't have, but were confident of reaching before anyone else. We know that when GCHQ invented Diffie-Hellman, it was rediscovered publicly less than a decade later. We know from the Snowden revelations that in the early 2010s, NSA couldn't break popular encryption primitives, but could effectively break most software due to implementation bugs.


As far as I am concerned, I do not only care about algorithms. I would trust a well-known, well-tested and widely used implementation. The devil hides in the details, so I would not trust even an algorithm with a good reputation if I have no guarantees on the implementation.

It may not be a direct answer to your question, but it explains why we generally choose widely used algorithms because they have a higher chance of having a widely used and extensively tested implementation.

Tags: Hash, Ciphers