Slashdot Mirror

← Back to Stories (view on slashdot.org)

Preview of New Block Cipher

Posted by Hemos on from the doesn't-matter-until-peer-testing dept.

flaws writes "Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing througout the year. The CS2-128 cipher is a 128-bit block cipher with a 128 bit key. This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128. The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April. At this time, requests are made for casual peer review and implementation. Secure Science will be offering a challenge at the end of April, introducing the cipher to the public. This ciphers implementation and usage will be offered in multiple hardware devices, such as wireless routers, cell-phones, and storage management hardware."

25 of 232 comments (clear)

  1. "provably just as secure as AES-128"? Bah. by Jepler · · Score: 5, Informative

    I read the paper. They devote, oh, a page or so to attacks. Proven as secure as AES? bah.

    1. Re:"provably just as secure as AES-128"? Bah. by Anonymous Coward · · Score: 1, Informative

      Two words: Branch Number.

      Also the fact the round function is complete (say unlike AES) "integration style" attacks are not applicable.

      Keep in mind this is based on the research of the CS-Cipher (Vaudenay) and this.

  2. Re:Worse than previewing non-existant products... by dartboard · · Score: 2, Informative

    I can't tell if you're trolling or not. Good one, if you are. Otherwise you're an idiot. :-)

  3. Re:Go with what is widely used by Anonymous Coward · · Score: 1, Informative

    Ouch, SHA-1 is FIPS-180-1 and DSA is FIPS-186-2, those are both broken - stick to the standards, and also improve upon standards. That is the goal - the standards will change - cryptography is based on time and finance. Standards of what? PKCS, OpenPGP, NIST? Who's standards are we talking about?

  4. Re:Maybe there's something I'm not getting here, by Anonymous Coward · · Score: 1, Informative

    Since the respect of cryptographers time is money - casual means, don't spend too much time on it until it's fully published and finalized. The challenge offers incentive to take an in-depth review since it's worth it if you break it. Casual is, please don't spend too much labor breaking this if it takes more than a good portion of your time until Secure Science offers payment.

  5. Re:Hardware based? by Anonymous Coward · · Score: 2, Informative

    It's not really novel. DES, the government backed standard from the 70's, was intentionally designed for hardware implementation (the s-boxes it used were made to be of a size that could be practically implemented with the existing technology at the time).

    Software based standards are not practical for large scale deployment, the time to encrypt can often become a serious bottleneck. It's a major reason why public key cryptography, implemented in software, is frequently used only for the initial key exchange for a hardware based cryptographic scheme like DES or AES.

    -ShadowRanger

  6. Re:Well....maybe by patchvonbraun · · Score: 5, Informative

    Immunity in this case meaning that the work factor for mounting the attack is greater or equal to the work factor for brute-forcing the key. If brute-forcing the key costs 2**128 operations, and differential costs 2**129, for example, then you'd be crazy to attempt differential cryptanalysis, when bruting the key is cheaper. I admit to not having RTFP, so I can't evaluate their claim of immunity to DC and LC, but modern ciphers are deliberately designed to be resistant to attack via DC and LC.

  7. Re:Hardware acceleration by rhythmx · · Score: 3, Informative

    No. Encryption algorithms are supposed to act as one way functions when you don't have the key. If this algorithm is properly implemented (but nothing ever really is), no intrinic property of the algorithm would speed up the cracking process. Going backwards (decryption) *with* a key is faster, but going backwards without a key (cracking) is totally different.

  8. Re:Snake Oil? by flaws · · Score: 5, Informative

    1) No - it is open source and technically public domain. 2) That is what we are attempting now - the preview is to get it lined up with crypto experts to review. 3) If it gets past 2, then that is something to consider.

  9. Re:PGP: A Dangerous Program for a Dangerous Time by Anonymous Coward · · Score: 3, Informative

    adequacy.org is one of those sites that started out as a parody site, and then everyone seemed to forget what the site was really about. Some of the newer posts there (there aren't many, note that the "computer hacker" article you linked is one of the oldest yet still on the front page) are truly scary in their seriousness. I think even Landover Baptist manages to not take itself as seriously as some of adequacy's posters do.

  10. Re:PGP: A Dangerous Program for a Dangerous Time by Anonymous Coward · · Score: 0, Informative

    busted.

  11. Re:Snake-oil... by jpetts · · Score: 2, Informative

    You can't reliably prove security for anything other than the one-time pad. All you can do is prove that the attcks you have chosen will not work. Attempting to prove security is attmepting to prove a negative: namely that no attack more efficient than brute force exists.

    --
    Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
  12. Re:Go with what is widely used by provolt · · Score: 2, Informative

    While SHA-1 has been technically broken in that it doesn't provide strong collision resistance, strong resistance is not really necessary for most applications.

    The attack on it finds two messages that hash to the same value. (Strong collision resistance) The attack does not work when trying to find a message the matches a specified hash value. (Weak collision resistance).

    I don't think the attack on SHA-1 gives anyone a warm fuzzy feeling. But the current attack isn't a huge attack and it still is largely impractical. Additionally there are three other algorithms defined in FIPS PUB 180, SHA-256, SHA-384 and SHA-512. (-512 and -384 are the same algorithm, except 384 just truncates the answer from the -512 algorithm.)

    I'm not aware of any attacks on the DSA algorithm. I believe there were some attacks particular implementations of the pseudo-random number generator. In addition FIPS 186 defines two other algorithms for digital signatures, RSA and ECDSA. I don't believe there are any known practical attacks on either RSA or the Elliptic Curve DSA.

  13. Compared to... by null-sRc · · Score: 2, Informative

    whitenoise labs, a cryptography startup that just got it's algo's patented...

    Company link:
    http://www.whitenoiselabs.com/

    Cryptographic analysis link:
    http://www.whitenoiselabs.com/papers/Wagner %20Secu rity%20Analysis.pdf

    Performance anaylysis link:
    http://www.whitenoiselabs.com/papers/UVIC%2 0Perfor mance%20Analysis.pdf

    So whitenoise encryption offers a cheaper solution that is mathematically stronger, and computationally order log n complexity where n is filesize (therefore faster too)

    and please tell me why anyone in their right mind would still bother using this shoddy, expensive, slow method for cell phone encryption?

    --
    -judging another only defines yourself
    1. Re:Compared to... by Anonymous Coward · · Score: 2, Informative

      Right. And who would care to use shoddy Whitenoise? It's been broken already.

      Look here: http://eprint.iacr.org/2003/250

      tsk...tsk...tsk..

  14. Re:Snake Oil? by dtfinch · · Score: 2, Informative

    "Secure Science Corporation"

    Domain Name: SECURESCIENCE.NET
    Registered through: GoDaddy.com
    Created on: 24-Oct-03

    A quick search through the sci.crypt archives suggests that they employ at least one cryptographer who ought to be qualified to tell if it's clearly clearly.

    But my own inexperienced mind tells me that a 4x4 sbox seems awfully small, and that they've put an awful lot of effort into making it efficient in hardware requiring a minimal number of gates. It's not hard to just make a secure cipher, but it is extremely difficult to make one that's fast and simple while still being secure. IANAC (I am not a cryptoanalyst) though, so only time will tell.

    A patent search for "Secure Science Corporation" does not return any results.

  15. Re:PGP: A Dangerous Program for a Dangerous Time by X0563511 · · Score: 2, Informative
    I was quite angry that this article existed untill i hit this:

    Your son will probably try to install some hacker software. He may attempt to conceal the presence of the software in some way, but you can usually find any new programs by reading through the programs listed under "Install/Remove Programs" in your control panel. Popular hacker software includes "Comet Cursor", "Bonzi Buddy" and "Flash".


    and realized it was meant to be funny. I hope.
    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  16. Re:Review Expertise. by viega · · Score: 2, Informative

    This is an incredibly ill-informed post. A cipher that takes a 128-bit input (plus a key) and produces a 128-bit output is a block cipher, just like AES is a block cipher. This has nothing to do with a one-time pad. First, no block cipher should be used in a mode where you encrypt plaintext 16 bits at a time, and that's it (this is called ECB mode). We DO however, have a ton of ways to turn a block cipher into a function that offers strong guarantees for both confidentiality and message authentication / integrity. These are constructs where we only have to make a single assumption, which is loosely that, given a randomly chosen key, an attacker will have no significant advantage in looking at an output and distinguishing it from a randomly chosen value of the same size. Your comment about rotating keys doesn't even make much sense. Most network protocols (e.g., SSL/TLS) basically do that... every connection they end up choosing a different random key. This is basic key management, it has little to do with the block cipher, and it's something we know how to do reasonablyy well.

  17. Re:I wonder... by nkh · · Score: 2, Informative

    AES is really more simple to understand than DES, you definitely should have a look at it: http://en.wikipedia.org/wiki/AES

  18. Re:I stand corrected! by flaws · · Score: 2, Informative

    www.securescience.net/ciphers/csc2/csc2ref.c

  19. Re:Review Expertise. by Zeinfeld · · Score: 2, Informative
    I'm not even sure its worth reviewing... from the design intro it more or less stated that you give it a 128 bit key and it spits out 128 bits of ciphertext. In my book that is a one time pad and it won't be any more secure then using xor (in fact not using xor could make it significantly less secure).

    Not in my book or anyone else's. It is a block cipher with a key size and a block size of 128 bits, but it is designed to be used in chaining mode which a one time pad ain't.

    Now I'm assuming this isnt a one time pad so I'm also assuming the same key will be used many times considering it may act as a wireless key similar to WEP keys right now.

    The problem with WEP was not the reuse of the key, it was the modification of RC4 so that it did not discard the initial bits from the PRG. These were known to be weak when RC4 was designed.

    The secure science people are not well known on slashdot but in the field they are very well known and they have a pretty high reputation for their work on anti-phishing. Now that does not mean that I would put them in the same class as Rivest, Biham and Shamir when it comes to cipher design.

    There is an argument to be made that it is better to use a block cipher with a possibly inadequate number of rounds than risk using a stream cipher. Block ciphers are much better understood and their failure modes are much less likely to be catastrophic. A poor 128 bit block cipher is likely to result in an effective cipher strength of maybe 80 bits. A poor stream cipher can collapse to an effective cipher strength of 16 bits or less, particularly if it is not used properly.

    So this is a bit like if Schneier or Kocher came up with a cipher, they are not a Rogaway or a Rivest but they are not exactly flakes peddling snake oil. I suspect that their work will receive significant attention.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  20. Re:I wonder... by flaws · · Score: 2, Informative

    There are no plans to patent these ciphers. They are for public consumption.

  21. Crypto Law Public Domain vs. Copyright P.D. by billstewart · · Score: 2, Informative
    "Public Domain" actually several relevant specific legal meanings.
    • US Technology Export Laws (which were written back when the Free World was the enemy of Communism to prevent Commies from getting militarily useful technology, and kept around much longer as a fiction to prevent citizens from having private communications that the FBI and NSA couldn't wiretap) defines "public domain" essentially as open knowledge that can be freely discussed, at least by academics, without the same limitations as non-public-domain crypto technology which mustn't be disclosed to those nasty Foreigners (except Canadians and sometimes Brits.) Those laws aren't totally gone, but they're mostly gone and it's easy enough to work around them for the most part.
    • Copyright and Patent have their own different meanings of Public Domain - If something is copyrighted, you can't copy the exact implementation, but you can write your own code that implements the same mathematical functions. But it it's public domain, feel free to Xerograph it, retype it, whatever.
    • But if something is patent-protected, you can't implement the algorithm/business-method/hardware yourself, even writing your code from scratch in a clean room, unless you've got a license from the patent-holder.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  22. Re:I stand corrected! by John+Harrison · · Score: 2, Informative
    As the maker of the original "snake oil" comment, let me make a few clarifications. First, I am not the AC that is replying to you. I have posted AC to /. less than 5 times in six years, and not at all in the last six months. Second, the "snake oil" comment was about the amount of review a cipher (any cipher, not this one in particular) has undergone, not whether it is open source. It seems to me that all of the AES candidates have undergone more review than this cipher. Yet even the designers of some of those candidate ciphers have said that people should use AES because it is the standard and it will receive more research going forwad, even though they personally think their own creations have advantages.

    Though there is good work that has been done on CS, most of it appears to be done by the creators of it. Finally, from the article:
    As of yet no full cryptanalysis of the CS-Cipher is known to exist.

    --
    Lasers Controlled Games!
  23. Re:Review Expertise. by slavemowgli · · Score: 2, Informative

    FYI, Schneier *did* come up with a cipher. Look up "Blowfish" and "Twofish". The latter was even submitted to the NIST AES contest from which Rijndael ultimately emerged as the winner, and it was one of the most serious contenders, too.

    --
    quidquid latine dictum sit altum videtur.