Slashdot Mirror


Preview of New Block Cipher

flaws writes "Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing throughout the year. The CS2-128 cipher is a 128-bit block cipher with a 128-bit key. This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128. The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April. At this time, requests are made for casual peer review and implementation. Secure Science will be offering a challenge at the end of April, introducing the cipher to the public. This cipher's implementation and usage will be offered in multiple hardware devices, such as wireless routers, cell-phones, and storage management hardware."

9 of 232 comments

  1. Re:Snake-oil... by flaws · · Score: 2, Interesting

    Ironically, Secure Science got an email from Schneier, his quote was "Wow. Definitely not Snake-oil."

  2. I wonder... by Dr.Dubious+DDQ · · Score: 2, Interesting

    ...how badly patent-encumbered these ciphers are going to end up being?

  3. Re:Well....maybe by Anonymous Coward · · Score: 1, Interesting

    I don't know enough about the subject to understand the paper but that struck me as a bold statement

    You can prove that an algorithm is immune to DC by proving that the number of plaintext/ciphertext pairs needed is greater than the number of possible plaintexts and ciphertexts. Immunity to LC can also be proven. Cryptography prior to DES was largely unmathematical juju. Cryptography today is a thing of math and science. The techniques for breaking an algorithm are known mathematical formulas, and these can be designed against.

    So, why would you use a cipher that doesn't do this?

  4. Where I work by digitalchinky · · Score: 2, Interesting

    Crypto systems do not always need to be brute forced: 'More often than not' it is a brain dead technician sending the keys across a timeplex, via satellite, and then over HF or something equally as silly, out to their remote site.

    Key exchange is where the biggest failures occur (that I see). Many crypto systems still in use throughout this part of the world (still) work in a similar method to the old enigma typewriters - typically they are rapidly broken because they send identical messages using different keys, then send the same message in clear text via some other link.

  5. Re:does this mean by flaws · · Score: 2, Interesting

    Reference Code is available for download.

  6. Re:Snake-oil... by viega · · Score: 2, Interesting

    Another ill-informed post. There's a difference between absolute security and computational security. We can easily build provable security schemes for confidentiality and integrity, where we prove computational security against all possible attacks. It's not as theoretically absolute as a one-time pad because there is a computational bound where there might be some technological breakthrough (but that's very unrealistic). Or, more likely, the very modest assumption made about the underlying block cipher will not hold. If someone ever says, "AES is broken", that basically will mean they proved that assumption doesn't hold... for AES. Honestly, that seems quite unlikely to happen any time soon, and until it does, the assumption is such that you have a provably secure scheme against all computationally feasible attacks.

  7. Re:Ugh by viega · · Score: 2, Interesting

    If you can't invert the function then one of the following is true:

    1) You don't have a one-to-one mapping of inputs to outputs, which makes this more like the compression function of a hash function, but will certainly be weaker than optimal for the intended purpose (we could then talk about how much weaker, but at the very least we no longer have a pseudo-random permutation, and it's not even a proper pseudo-random function, which means none of our traditional block cipher proofs will hold as is).

    2) The one-to-one mapping exists, but there's a hard problem making it difficult to invert, in which case you have invented a public key cryptosystem (highly unlikely)

    or

    3) The inversion is possible and not computationally hard, the designer just wasn't clueful enough.

    There's also the possibility that the poster wasn't the designer, wasn't correct, and it is a plain ol' invertible block cipher.

  8. Re:Go with what is widely used by Zeinfeld · · Score: 4, Interesting

    As an example look at the 40 bit encryption used by TI for RFID tags that was recently broken by a bunch of university students. If those students had been malicious they could have broken it and not told anyone. They could have then exploited the weakness for years because the cipher isn't widely studied so it is unlikely that someone else would have bothered to crack it. If TI had simply gone with 3DES there would have been no problem. The moral of the story: stick to the standards people.

    Whenever a 40 bit cipher turns up the most likely reason is the export restrictions. When TI was doing its work they could not stick to the standard.

    Plus 3DES is not exactly a great cipher, the small block size means that certain attacks become possible after 2^32 blocks of ciphertext, that is only 32 Gb of data which is not a lot of data.

    The TI problem was due to using the same cipher for 15 years without periodic security reviews.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
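The two points viega (comment 7) and Zeinfeld (comment 8) make can be checked by hand on a toy cipher. The block below is an added example, not code from the thread or from Secure Science: a constructed 16-bit, 4-round Feistel cipher whose round function is deliberately not one-to-one, an exhaustive check that the cipher is nevertheless an invertible permutation (viega's "plain ol' invertible block cipher"), and then the same cipher run in CBC mode until the birthday bound, where a repeated ciphertext block leaks the XOR of two plaintext blocks. That CBC collision leak is the standard small-block attack and is my choice of illustration; the thread only says "certain attacks become possible after 2^32 blocks". The subkeys, plaintext and seed are all constructed for the demo.

```python
import random

# Constructed 16-bit toy Feistel cipher (4 rounds, 8-bit halves). Not a real
# cipher: the block is tiny precisely so the whole input space can be enumerated.
BLOCK_BITS = 16
HALF_MASK = 0xFF
SUBKEYS = (0x3A, 0x5C, 0xA1, 0x77)      # arbitrary fixed subkeys (assumption)

def round_function(half, subkey):
    """Deliberately NOT one-to-one: squaring mod 256 sends x and 256-x to the
    same value (0 and 128 both square to 0). A Feistel network does not need
    its round function to be invertible to be a permutation itself."""
    return (half * half + subkey) & HALF_MASK

def feistel_encrypt(block, subkeys=SUBKEYS):
    left, right = block >> 8, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (left << 8) | right

def feistel_decrypt(block, subkeys=SUBKEYS):
    # Undo the rounds in reverse order; only XOR with F is needed, never F^-1.
    left, right = block >> 8, block & HALF_MASK
    for k in reversed(subkeys):
        left, right = right ^ round_function(left, k), left
    return (left << 8) | right

def is_permutation(subkeys=SUBKEYS):
    """Exhaustive check over all 2^16 inputs: distinct outputs and
    decrypt(encrypt(x)) == x, i.e. an invertible permutation even though
    round_function is not injective."""
    space = 1 << BLOCK_BITS
    images = set()
    for x in range(space):
        y = feistel_encrypt(x, subkeys)
        if feistel_decrypt(y, subkeys) != x:
            return False
        images.add(y)
    return len(images) == space

def cbc_encrypt(plain_blocks, iv, subkeys=SUBKEYS):
    out, prev = [], iv
    for p in plain_blocks:
        prev = feistel_encrypt(p ^ prev, subkeys)
        out.append(prev)
    return out

def collision_leaks(cipher_blocks, iv):
    """Attacker's view only (ciphertext and IV). Whenever C[i] == C[j] the
    permutation property gives P[i] ^ C[i-1] == P[j] ^ C[j-1], hence
    P[i] ^ P[j] == C[i-1] ^ C[j-1], with C[-1] taken as the IV."""
    prev = [iv] + cipher_blocks[:-1]
    seen, leaks = {}, []
    for j, c in enumerate(cipher_blocks):
        if c in seen:
            i = seen[c]
            leaks.append((i, j, prev[i] ^ prev[j]))
        else:
            seen[c] = j
    return leaks

def birthday_bytes(block_bits):
    """Data volume at which block collisions become likely: 2^(n/2) blocks of
    n/8 bytes each. For n = 64 that is 2^32 blocks = 2^35 bytes (32 GiB)."""
    return (1 << (block_bits // 2)) * (block_bits // 8)

def demo(n_blocks=2000, seed=1234):
    """Encrypt constructed random plaintext in CBC and confirm every leaked XOR
    equals the true plaintext XOR. With a 16-bit block the birthday bound is
    2^8 = 256 blocks, so 2000 blocks collide with overwhelming probability."""
    rng = random.Random(seed)                     # deterministic sample input
    iv = rng.getrandbits(BLOCK_BITS)
    plain = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    cipher = cbc_encrypt(plain, iv)
    leaks = collision_leaks(cipher, iv)
    verified = all(plain[i] ^ plain[j] == x for i, j, x in leaks)
    return len(leaks), verified

if __name__ == "__main__":
    print("cipher is a permutation:", is_permutation())
    print("round function is non-injective:",
          round_function(0, 1) == round_function(128, 1))
    print("64-bit block, birthday-bound volume in GiB:", birthday_bytes(64) // 2**30)
    print("(collisions found, all leaked XORs correct):", demo())
```

Scaling the last function to a real 64-bit block gives the 2^32-block figure in the post, and to a 128-bit block gives 2^64 blocks, which is why the block size matters independently of the key size: the collision leak needs no key recovery at all, only enough ciphertext under one key.
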
  9. Re:Go with what is widely used by Fweeky · · Score: 2, Interesting

    http://lists.gnupg.org/pipermail/gnupg-users/2005-February/024862.html via http://it.slashdot.org/comments.pl?sid=140093&cid=11730436:
    "let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
    break allows a collision to be found in merely 2^69 operations (on
    average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
    that's broken!!

    OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
    comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
    from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
    it's broken enough to find a collision in 2^69 operations (on average), is
    still stronger than MD5 was ever meant to be.

    again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
    unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
    intended to be incredibly stronger than MD5."