Preview of New Block Cipher
flaws writes "Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing throughout the year. The CS2-128 cipher is a 128-bit block cipher with a 128-bit key. This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128.
The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April. At this time, requests are made for casual peer review and implementation. Secure Science will be offering a challenge at the end of April, introducing the cipher to the public. This cipher's implementation and usage will be offered in multiple hardware devices, such as wireless routers, cell-phones, and storage management hardware."
he can beat neo now?
MD5 of article text: 79592dc553067bfafaa07086c07d2c8a
Hello,
Recently I noticed that my teenage son Ezekiel had begun to encrypt
his emails with a program called PGP. I was concerned because I'd
always covertly monitored their email for any hints of illegal
activity, drug use or interest in the occult - some of his classmates
have begun playing Dungeons and Dragons and listening to KISS. Since
Ezekiel was now using PGP, his activities were hidden from me!
Additionally, I also overheard him talking of using a program called
Stegasaurus to embed secret information into normal-looking pictures.
Terrified that my son might be speaking in some sort of sinful code, I
immediately grounded him for a month. He was only allowed to go to
school and Bible study.
Anyways, I've done several days worth of research on this and
discovered a few things about PGP that I'd like to share with the
readers of these newsgroups. To begin with, I realized that many of
the claims made by the creators of PGP are blatantly false. Although I
do not have a background in mathematics (I have an AA in Photography)
I was easily able to rebuild Ezekiel's private key via his public key
and one of his encrypted messages.
Of course I am above-average in intelligence, but PGP is supposedly
unbreakable! Perhaps cryptographers aren't as smart as they believe?
Fortunately in this case Ezekiel was just discussing a girl he met in
school - a situation I harshly reprimanded him for. However, while PGP
may be a program with flaws, it got me thinking about other programs.
Perhaps someone will construct a PGP-like program that cannot be so
easily broken; one that would take days of computer time to hack!
My concern with a program like this is that people who use
cryptography always do so because they have something to hide. A sense
of guilt and shame seems to drive them. They know that they are doing
something wrong and desperately want to hide it from the eyes of the
world (although hiding it from the eyes of God is another matter!
LOL!)
A study recently released by the Institute for Family Computing
revealed that the top three uses of cryptography were for 1)
"terrorist-related activity" 2) pedophilia and 3) drug abuse. In fact
as far as I can tell, no legitimate use was on the top ten at all!
What scares me about this is that law-enforcement agencies will be
unable to sift through email to find people who are breaking the law,
or otherwise engaged in suspicious activity. At a time when our nation
is under siege, I find it disturbing that people are working on
developing cryptography that cannot be broken, even by our protectors
in the FBI and CIA! Only those with something to hide truly need
cryptography.
Thus I urge cryptographers world wide to refrain from working on such
programs, until our nation is no longer at war. I would ask those of
other countries to respect our right to self-defense and aid us in our
time of trouble. Your cryptographic skills can be better put to use
trying to find terrorists than to assist them.
"Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing throughout the year."
And how many people will have the expertise to provide a "review" that'll satisfy everyone?
Is it really immune? I don't know enough about the subject to understand the paper, but that struck me as a bold statement.
http://www.busyweather.com/
I read the paper. They devote, oh, a page or so to attacks. Proven as secure as AES? bah.
If I'll be able to understand how this one works. The only algorithm I've ever understood well enough to write an implementation is RC4. I would like to see a strong algorithm that is fairly simple to understand, but I fear that such a thing is not possible.
I can't tell if you're trolling or not. Good one, if you are. Otherwise you're an idiot. :-)
The moral of the story: stick to the standards people.
Lasers Controlled Games!
The information would be readily available shortly after its public release as a product, I'm sure. There is no such thing as security through obscurity.
Well, I called up DVD Jon , and within about 15 minutes he had a working exploit for the cipher.
Oh well off to the next
Nothing to see here already been cracked...move along....
Top Questions:
1. Is this a proprietary or patented algorithm?
2. Has this algorithm gone through the usual rounds of analysis among the nation's top cryptographers?
3. Has it been implemented in a FIPS 140-2 certified cryptographic module?
That should keep them busy.
but what is "casual peer review" and why would it be desired (over perhaps more in depth peer review) for an encryption technology?
In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss.
See the past /. story about Mobil SpeedPass hacking if you want to see why hiding an encryption protocol is really stupid. http://slashdot.org/article.pl?sid=05/01/30/1617240&tid=172&tid=1/
"A little from column A, a little from column B". Personally I think he's half idiot and half trolling for his fucking conga line free mac sig.
oh dear...is that the time?
It's not really novel. DES, the government backed standard from the 70's, was intentionally designed for hardware implementation (the s-boxes it used were made to be of a size that could be practically implemented with the existing technology at the time).
Software based standards are not practical for large scale deployment; the time to encrypt can often become a serious bottleneck. It's a major reason why public key cryptography, implemented in software, is frequently used only for the initial key exchange for a hardware based cryptographic scheme like DES or AES.
-ShadowRanger
Now, I know that it's provably hard to attack a good encryption scheme. However, if this one is easier to implement in hardware -- if the cipher can be hardware accelerated more easily -- does that mean that an attack on this scheme could also be hardware accelerated more easily?
"We prove that our design is immune to differential and linear cryptanalysis"
See Bruce Schneier's "Snake Oil", Warning Sign #8: Security proofs.
"Secure Science will be offering a challenge at the end of April, introducing the cipher to the public."
See: Warning Sign #9: "Cracking contests" and "The Fallacy of Cracking Contests"
All of this may be well and good, but I don't think any real engineers are going to be choosing this over AES anytime soon. AES was a competition backed by NIST to replace the current encryption standard (3DES). Most of the world's top cryptographers submitted their algorithm. Only after a very long and very thorough peer review process did the NIST declare Rijndael's submission to be the winner, and therefore the new AES standard.
No, they don't - not if they're GOOD security.
The intention is that with good encryption techniques, the "bad guys" can know all about how the system works...and it will work anyway. What's the point in making sure nobody sees you hiding your key under the doormat (security-through-obscurity) if the key doesn't work for anyone but you anyway?
Hacker Public Radio is our Friend
...how badly patent-encumbered these ciphers are going to end up being?
Hacker Public Radio is our Friend
You are right. Nevermind what I said. Buy the snake oil, it has a better track record.
Lasers Controlled Games!
Part of the problem with these ciphers is having to constantly convert to and from decimal, which is a very poor base to use in computer science.
Transcend Humanity. Please.
Ugh.
1) No decrypt specified. So it doesn't work with many modes.
2) Complete ambiguity in the endianness of the test vectors. Which end is which?
3) Optimized for HW complexity. We have AES for that. We want new ciphers optimized for security.
Evil people are out to get you.
"You keep using this word. I don't think it means what you think it means."
dmiessler.com -- grep understanding knowledge
Why don't they just have 1000 bytes (~8000 or so bits) as encryption keys?
Well, hardware-based crypto is not really that new: see http://www.computer.org/computer/homepage/1004/security/ for example.
And it's not that difficult to peer review crypto accelerators. For a given input you get a given output. Since you are free to choose your input, the possibility that somebody could try and recognise test vectors and encrypt those correctly, while faking on non-test vectors becomes vanishingly small for a reasonably large set of pseudo-random test inputs, if you verify the output against an audited software implementation.
Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
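The black-box check described in the post above, as an added example that is not from the post or any vendor: a device under test is compared against an audited reference on seeded pseudo-random (key, block) pairs. The reference cipher here is a constructed SHA-256 Feistel stand-in (not CS2-128 or AES), and the "cheating" device that has memorised the published known-answer vectors is likewise constructed to show why those vectors alone prove nothing.

```python
import hashlib
import random
from typing import Callable

BLOCK_BYTES = 16
KEY_BYTES = 16
Cipher = Callable[[bytes, bytes], bytes]


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: hash of (key, round number, right half), truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK_BYTES // 2]


def reference_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the audited software reference: a 16-round Feistel network.
    Constructed for this example only; it is not CS2-128 and not AES."""
    assert len(key) == KEY_BYTES and len(block) == BLOCK_BYTES
    left, right = block[:8], block[8:]
    for rnd in range(16):
        f = _round_fn(key, right, rnd)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


# Constructed "datasheet" known-answer vectors, as a vendor might publish them.
KAT_KEY = bytes(range(16))
KAT_PLAINTEXTS = [bytes(16), bytes(range(16, 32)), b"\xff" * 16]
KAT = {pt: reference_encrypt(KAT_KEY, pt) for pt in KAT_PLAINTEXTS}


def honest_device(key: bytes, block: bytes) -> bytes:
    # A correct black box: agrees with the reference on every input.
    return reference_encrypt(key, block)


def cheating_device(key: bytes, block: bytes) -> bytes:
    """Black box that has memorised the published vectors and fakes everything else."""
    if key == KAT_KEY and block in KAT:
        return KAT[block]
    return hashlib.md5(key + block).digest()  # wrong, but looks like a ciphertext


def kat_check(device: Cipher) -> bool:
    """The weak check: only the published vectors."""
    return all(device(KAT_KEY, pt) == ct for pt, ct in KAT.items())


def random_vector_check(device: Cipher, reference: Cipher,
                        n_vectors: int = 1000, seed: int = 0) -> int:
    """Compare device against reference on n pseudo-random (key, block) pairs the
    device could not have anticipated. Returns the number of mismatches (0 = agreed)."""
    rng = random.Random(seed)  # seeded so any failure is reproducible
    mismatches = 0
    for _ in range(n_vectors):
        key = rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")
        block = rng.getrandbits(8 * BLOCK_BYTES).to_bytes(BLOCK_BYTES, "big")
        if device(key, block) != reference(key, block):
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    for name, dev in (("honest", honest_device), ("cheating", cheating_device)):
        print(name, "KAT:", kat_check(dev),
              "random mismatches:", random_vector_check(dev, reference_encrypt, 200))
```

The cheating device passes the known-answer test and fails every random vector, which is the point made in the post: choose your own inputs, and check them against the audited implementation.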
Crypto systems do not always need to be brute forced: 'More often than not' it is a brain dead technician sending the keys across a timeplex, via satellite, and then over HF or something equally as silly, out to their remote site.
Key exchange is where the biggest failures occur (that I see). Many crypto systems still in use throughout this part of the world (still) work in a similar method to the old enigma typewriters - typically they are rapidly broken because they send identical messages using different keys, then send the same message in clear text via some other link.
Maybe I'm misreading the description, but it looks to me like this is an 8-round cipher with a round function considerably simpler than Rijndael's round function.
Given that 8-round Rijndael is broken, it seems highly optimistic to think that this new cipher will not be broken.
Tarsnap: Online backups for the truly paranoid
whitenoise labs, a cryptography startup that just got its algos patented...
Company link:
http://www.whitenoiselabs.com/
Cryptographic analysis link:
http://www.whitenoiselabs.com/papers/Wagner%20Security%20Analysis.pdf
Performance analysis link:
http://www.whitenoiselabs.com/papers/UVIC%20Performance%20Analysis.pdf
So whitenoise encryption offers a cheaper solution that is mathematically stronger, and computationally order log n complexity where n is filesize (therefore faster too)
and please tell me why anyone in their right mind would still bother using this shoddy, expensive, slow method for cell phone encryption?
-judging another only defines yourself
You know that "DVD Jon" is just a code name for a bunch of slave gnomes who sit in somebody's basement and crack stuff, right? Free the gnomes!!!
I have this really funny quote that I like to put here. Unfortunately, there's this really annoying thing called a char
From TFP:
Our original 256-bit key designs were designed to use the round function to lower the design, implementation and cryptanalysis time. However, all of our attempts were either weak against reduced round related keys attacks or were too inefficient for on-the-fly computation. As a result for this design we reduced the key size to 128-bits.
In general (not just in cryptography, which is certainly not my field), it's a good thing to have an idea how to extend an algorithm when designing it. Here, however, that doesn't seem to be the case.
Presumably, advances in computing hardware will eventually render this 128-bit algorithm insecure, and it would be necessary to extend the algorithm to a higher-bit cipher. However, the quote above seems to indicate that they don't really know how to extend it to higher bits and still provide the necessary cryptanalysis and implement it well. That doesn't sound like a good thing in a design.
In contrast, many other crypto algorithms are fairly easy to strengthen over time just by increasing the key size, since such algorithms already have a substantial amount of cryptanalysis and it's known how large the keys need to be with a given amount of computational power (with known attacks, granted). I'd be curious to see whether or not the problems they encountered are insurmountable. -- Paul
OpenSource.MathCancer.org: open source comp bio
Public domain has a very specific legal meaning. Open source is definitely not in the public domain. It is protected by copyright and all of the "open" licenses are precisely that - licenses to use that code (or documentation, images, etc.) in specific ways.
Of course some companies make the mistake you made... and when they're caught they usually act surprised to learn that 1) somebody cares and 2) that somebody has enforceable legal rights.
As for the second comment, that's all anyone serious about security needs to know. Get back to us after at least five years of serious review by experienced cryptographers - until then you're pissing in the rain and trying to sell umbrellas.
(P.S., are you familiar with the saying that any fool can invent an encryption algorithm that they can't crack... and only a fool would believe that that proves nobody else can either?)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Considering the number of "hired guns", and the amount of resources poured into various 3 letter alphabet soup government organizations, any reliance upon the "next big thing" in ciphers, like ellipse curve encryption, is likely to end badly. AES-1 was supposed to have been the hot new encryption, but has been found vulnerable. I don't expect much better long term security with a number of other encryption methods, particularly with the "seal of approval" of those same 3 letter alphabet soup organizations.
A CD-R chock full of books in ANSI text or XML or even PDF format could easily provide the basis for a lifetime's worth of OTP (One Time Pad) encryption. Perhaps it is time to revisit older methods married to newer technology, instead of newer methods with bleeding edge technology.
I seem to recall an awful lot of problems with pseudo-random number generators and the seeding methods they used, not so very long ago.
One of the advantages of Rijndael as the AES cipher (when such was still undecided) was ideological neutrality, unlike American, British, Japanese or Israeli ciphers. At least, no one seriously believed Belgium was out to destabilize world hegemonies. It probably behooves contenders for a "hardware replacement" for AES to demonstrate a similar lack of pups in the brouha.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
"...This implies that cryptography may come ultimately from the infantile sexual pleasure that children obtain from the muscle tension of retaining the feces." From Kahn's "The Codebreakers".
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April."
The "peers" "review" the code. Perhaps they find vulnerabilities or exploits in the implementation.
And then the company releases it... in hardware.
Then, who peer reviews that? Sounds supremely fl@wed. :-)
I've actually designed the encryption end of a synthesizable Rijndael chip. It was lab 5 of ECE 435 at U.Va. Granted, that's a 4 1/2 credit course, and there were only 5 labs, but still. Adding the decryption would have less than doubled the work, and considerably less than doubled the silicon. Implementing AES in hardware is NOT hard. In the name of laziness, I did it in a highly parallel fashion, doing a lot of work that could be serialized to reduce the transistor count by about a factor of 8, before getting to even slightly fancy optimization techniques.
You need some registers, some shifters, and some very minimal control logic. Doing the sbox algorithmically isn't terribly fast and requires a fair amount of logic, so generally you just use a 256 byte ROM for the sbox. With die space being as expensive as it was when DES was being designed, it's understandable that they did some weird things to make it fit on the chip. These days, nobody blinks at 10k transistors, even on embedded devices.
Sure, their 4x4 sbox is going to take a lot less space on the chip, but does that really buy anything? Their design document shows that 32 of them are necessary to do a whole round in a single step, while only 4 are needed for Rijndael. That's 2048 bits of ROM on CS2 and 8192 bits of ROM for Rijndael, but CS2 takes 33 rounds while the 128-bit version of Rijndael takes only 10. The amount of hardware required for comparable throughput is about the same, though Rijndael's pipeline is an order of magnitude shorter, due to fewer rounds and the rounds not having to go through that barrel-shifter network.
WARNING: there is a trojan on your
But it doesn't say who wrote the algorithm (just the reference code) - is it someone known to the community? It's written by the anonymous academic "we" - it references a couple of papers by Tom St. Denis, but has the feel of somebody who doesn't natively speak English, and the web version has spelling problems. The paper's about 8 months old - has some version of it been submitted to any of the academic journals, and have any of them published it? fl@ws says later they're working on getting some professionals to look at it, which is a good start (realistically, if the academic community doesn't generate its own buzz, you're going to have to hire credible people to vet it to start to get some attention so that more people will start trying to attack it.) The posting mentions a "challenge", which is usually a bad, bad sign, though this looks better than the usual snake oil that does that.
Things I'd hoped to see that are missing include
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Finally I can change to something better than rot-13!
You could invent the best encryption, or even the perfect one, still it would be like beating a dead horse with DRM. Why? The problem is that you store the KEY and METHOD on the same non-trusted environment (user's machine) as the encrypted data AND you're actually decrypting it. That's how you see the video/music/etc. Nothing stops someone from extracting the key from the obfuscated binary and decrypting the file easily.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Wouldn't any 40-bit cipher be 'easy' to crack due to the small keyspace, especially if it's easy to compute?
I just hope that the passwords on my private keys use an algorithm that's so slow no one could brute force my password.
thank God the internet isn't a human right.
To see what its biggest weakness is...it's a SECRET KEY TECHNOLOGY! All the wonders of unbreakability that are claimed may be true; let the hoped for flood of reviewers decide that. The whole scheme stands or falls on protection of the keys...I can't afford a courier the way DOD can, so I am not sure how I am getting my key sent to my intended secure recipients.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I've only seen the suggestion that elliptics will win in terms of keysize for public-key crypto. Has anyone done interesting work on block ciphers with elliptics?
Lea
As the United States has known since its founding, all cryptographic algorithms (even the one-time pad) are vulnerable to attack via divine revelation, even in the absence of the ciphertext itself. Those able to take advantage of this regularly are a pearl without price in the intelligence community.
Your services have immense potential value for your country in the hunt for terrorists like Osama Bin Laden. If you'd like a circular describing opportunities for employment with the NSA, just pick up your phone, call your mother, and ask for one.
//Information does not want to be free; it wants to breed.
You can't really do a block cipher with a Public Key Cryptosystem (or at least, that's not how it's intended to be used). Usually what you do is you generate some random session key for CS^2, and use a PKC like Elliptic Curve Cryptography to transmit this session key to the other party. Afterwards, you just use CS^2 w/ the session key to encrypt all the traffic.
In terms of raw storage size, yes, ECC has a smaller keyspace than say RSA, but this is mostly due to the fact that on the integer line, primes are fairly sparse (http://mathworld.wolfram.com/PrimeCountingFunction.html). Therefore, you need to take a relatively huge chunk of the integer line to be able to grab enough primes such that finding the two primes which make up the key is incredibly tough.
ECC on the other hand, doesn't really have this problem. ECC is a variant on the discrete logarithm problem (http://mathworld.wolfram.com/DiscreteLogarithm.html), where instead of using integers, we use points on the elliptic curve instead. The difference here is that every point on the curve can be used. So, since we don't have all these composite numbers cluttering up the place, the amount of 'space' the elliptic curve takes up is much smaller, and therefore the key is also much smaller.
Two problems exist with ECC. The first is that ECC could possibly be slower than RSA (although it's been argued that this is ok, since your key is much smaller than RSA). The second problem (and this is mostly a personal opinion) is that Certicom essentially has a stranglehold over ECC technology (they own over 130 ECC-related patents). This would make most every decent implementation of ECC very patent-encumbered.
So? It's a block cipher, and it has a secret key. This is not a weakness if you use it in the way it is intended to be used. Such a cipher presumes that you have appropriate protection for the key (which could be stored in a secure hardware device, for example) and use a secure key exchange mechanism (such as Diffie-Hellman) if you are using it over a transport layer.
*cough*
You might want to reread my post. I was not implying you would possibly ever want to use a PK cryptosystem to construct a block cipher. I was responding to the parent who was talking about using ECC for block ciphers. As I'm not aware of any such work, I asked for a reference. I do in fact understand what elliptic curves are, and how people use them in the realm of cryptography.
Lea
My apologies, the wording of the posts was misleading.
:-)
Oh well, for anyone who wanted to know how PKC and ECC works, there you go
umm. like other secret key technologies, it's probably quite useful as a bulk data encryption after a session key has been negotiated using public/private
A cipher that is more efficient in hardware and therefore more easily brute-forced. What will they come up with next?