Slashdot Mirror


Preview of New Block Cipher

flaws writes "Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing throughout the year. The CS2-128 cipher is a 128-bit block cipher with a 128-bit key. This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128. The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April. At this time, requests are made for casual peer review and implementation. Secure Science will be offering a challenge at the end of April, introducing the cipher to the public. This cipher's implementation and usage will be offered in multiple hardware devices, such as wireless routers, cell-phones, and storage management hardware."

60 of 232 comments

  1. does this mean by Anonymous Coward · · Score: 3, Funny

    he can beat neo now?

    1. Re:does this mean by krishn_dev · · Score: 2, Funny

      No... I can't ping him yet. :-D

    2. Re:does this mean by flaws · · Score: 2, Interesting

      Reference Code is available for download.

  2. In case of Slashdotting... by Anonymous Coward · · Score: 5, Funny

    MD5 of article text: 79592dc553067bfafaa07086c07d2c8a

  3. PGP: A Dangerous Program for a Dangerous Time by Anonymous Coward · · Score: 5, Funny

    Hello,

    Recently I noticed that my teenage son Ezekiel had begun to encrypt
    his emails with a program called PGP. I was concerned because I'd
    always covertly monitored their email for any hints of illegal
    activity, drug use or interest in the occult - some of his classmates
    have begun playing Dungeons and Dragons and listening to KISS. Since
    Ezekiel was now using PGP, his activities were hidden from me!

    Additionally, I also overheard him talking of using a program called
    Stegasaurus to embed secret information into normal-looking pictures.
    Terrified that my son might be speaking in some sort of sinful code, I
    immediately grounded him for a month. He was only allowed to go to
    school and Bible study.

    Anyways, I've done several days worth of research on this and
    discovered a few things about PGP that I'd like to share with the
    readers of these newsgroups. To begin with, I realized that many of
    the claims made by the creators of PGP are blatantly false. Although I
    do not have a background in mathematics (I have an AA in Photography)
    I was easily able to rebuild Ezekiel's private key via his public key
    and one of his encrypted messages.

    Of course I am above-average in intelligence, but PGP is supposedly
    unbreakable! Perhaps cryptographers aren't as smart as they believe?
    Fortunately in this case Ezekiel was just discussing a girl he met in
    school - a situation I harshly reprimanded him for. However, while PGP
    may be a program with flaws, it got me thinking about other programs.
    Perhaps someone will construct a PGP-like program that cannot be so
    easily broken; one that would take days of computer time to hack!

    My concern with a program like this is that people who use
    cryptography always do so because they have something to hide. A sense
    of guilt and shame seems to drive them. They know that they are doing
    something wrong and desperately want to hide it from the eyes of the
    world (although hiding it from the eyes of God is another matter!
    LOL!)

    A study recently released by the Institute for Family Computing
    revealed that the top three uses of cryptography were for 1)
    "terrorist-related activity" 2) pedophilia and 3) drug abuse. In fact
    as far as I can tell, no legitimate use was on the top ten at all!

    What scares me about this is that law-enforcement agencies will be
    unable to sift through email to find people who are breaking the law,
    or otherwise engaged in suspicious activity. At a time when our nation
    is under siege, I find it disturbing that people are working on
    developing cryptography that cannot be broken, even by our protectors
    in the FBI and CIA! Only those with something to hide truly need
    cryptography.

    Thus I urge cryptographers world wide to refrain from working on such
    programs, until our nation is no longer at war. I would ask those of
    other countries to respect our right to self-defense and aid us in our
    time of trouble. Your cryptographic skills can be better put to use
    trying to find terrorists than to assist them.

    1. Re:PGP: A Dangerous Program for a Dangerous Time by maroonhat · · Score: 4, Funny

      Is your son a computer hacker?

      ...I'm quite sorry a site like the one my link points to exists, but it's hilarious nonetheless

      --
      The more I learn about Windows the more I am surprised it runs at all
    2. Re:PGP: A Dangerous Program for a Dangerous Time by Anonymous Coward · · Score: 3, Informative

      adequacy.org is one of those sites that started out as a parody site, and then everyone seemed to forget what the site was really about. Some of the newer posts there (there aren't many, note that the "computer hacker" article you linked is one of the oldest yet still on the front page) are truly scary in their seriousness. I think even Landover Baptist manages to not take itself as seriously as some of adequacy's posters do.

    3. Re:PGP: A Dangerous Program for a Dangerous Time by X0563511 · · Score: 2, Informative

      I was quite angry that this article existed until I hit this:

      Your son will probably try to install some hacker software. He may attempt to conceal the presence of the software in some way, but you can usually find any new programs by reading through the programs listed under "Install/Remove Programs" in your control panel. Popular hacker software includes "Comet Cursor", "Bonzi Buddy" and "Flash".


      and realized it was meant to be funny. I hope.
      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:PGP: A Dangerous Program for a Dangerous Time by Jah-Wren+Ryel · · Score: 2, Funny

      Dude, I don't know what they call it in China, but over here, that's what's known as a joke, son! A joke!

      Yours truly,
      Fog Horn Leghorn

      --
      When information is power, privacy is freedom.
    5. Re:PGP: A Dangerous Program for a Dangerous Time by TheoMurpse · · Score: 2, Insightful

      interest in the occult - some of his classmates have begun playing Dungeons and Dragons and listening to KISS.

      Can you people who are responding not tell it's a joke? Unless this was written 30 years ago or so!

    6. Re:PGP: A Dangerous Program for a Dangerous Time by BobNET · · Score: 2, Funny

      Recently I noticed that my teenage son Ezekiel had begun to encrypt
      his emails with a program called PGP.

      If my parents named me Ezekiel, I'd try to hide that fact too.

    7. Re:PGP: A Dangerous Program for a Dangerous Time by Ant2 · · Score: 2, Funny

      So then, why are we posting this anonymously? Exactly what is it YOU are hiding? Is it SATAN?

  4. Well....maybe by erick99 · · Score: 2, Insightful
    We prove that our design is immune to differential and linear cryptanalysis as well as argue it resists several other known attacks.

    Is it really immune? I don't know enough about the subject to understand the paper but that struck me as a bold statement

    --
    http://www.busyweather.com/
    1. Re:Well....maybe by patchvonbraun · · Score: 5, Informative

      Immunity in this case meaning that the work factor for mounting the attack is greater or equal to the work factor for brute-forcing the key. If brute-forcing the key costs 2**128 operations, and differential costs 2**129, for example, then you'd be crazy to attempt differential cryptanalysis, when bruting the key is cheaper. I admit to not having RTFP, so I can't evaluate their claim of immunity to DC and LC, but modern ciphers are deliberately designed to be resistant to attack via DC and LC.

  5. "provably just as secure as AES-128"? Bah. by Jepler · · Score: 5, Informative

    I read the paper. They devote, oh, a page or so to attacks. Proven as secure as AES? bah.

  6. Re:Worse than previewing non-existent products... by dartboard · · Score: 2, Informative

    I can't tell if you're trolling or not. Good one, if you are. Otherwise you're an idiot. :-)

  7. Go with what is widely used by John+Harrison · · Score: 5, Insightful
    One of the advantages of AES, 3DES and DES is that as heavily used standards they attract a lot of research. You can have a lot of confidence that if there is a weakness it will be discovered and made public. The same is not true of proprietary ciphers. As an example, look at the 40 bit encryption used by TI for RFID tags that was recently broken by a bunch of university students. If those students had been malicious they could have broken it and not told anyone. They could have then exploited the weakness for years because the cipher isn't widely studied, so it is unlikely that someone else would have bothered to crack it. If TI had simply gone with 3DES there would have been no problem.

    The moral of the story: stick to the standards, people.

    1. Re:Go with what is widely used by provolt · · Score: 2, Informative

      While SHA-1 has been technically broken in that it doesn't provide strong collision resistance, strong resistance is not really necessary for most applications.

      The attack on it finds two messages that hash to the same value. (Strong collision resistance) The attack does not work when trying to find a message that matches a specified hash value. (Weak collision resistance).

      I don't think the attack on SHA-1 gives anyone a warm fuzzy feeling. But the current attack isn't a huge attack and it still is largely impractical. Additionally there are three other algorithms defined in FIPS PUB 180, SHA-256, SHA-384 and SHA-512. (-512 and -384 are the same algorithm, except 384 just truncates the answer from the -512 algorithm.)

      I'm not aware of any attacks on the DSA algorithm. I believe there were some attacks on particular implementations of the pseudo-random number generator. In addition FIPS 186 defines two other algorithms for digital signatures, RSA and ECDSA. I don't believe there are any known practical attacks on either RSA or the Elliptic Curve DSA.

    2. Re:Go with what is widely used by Zeinfeld · · Score: 4, Interesting
      As an example, look at the 40 bit encryption used by TI for RFID tags that was recently broken by a bunch of university students. If those students had been malicious they could have broken it and not told anyone. They could have then exploited the weakness for years because the cipher isn't widely studied, so it is unlikely that someone else would have bothered to crack it. If TI had simply gone with 3DES there would have been no problem. The moral of the story: stick to the standards, people.

      Whenever a 40 bit cipher turns up the most likely reason is the export restrictions. When TI was doing its work they could not stick to the standard.

      Plus, 3DES is not exactly a great cipher: the small block size means that certain attacks become possible after 2^32 blocks of ciphertext, that is only 32 Gb of data, which is not a lot of data.

      The TI problem was due to using the same cipher for 15 years without periodic security reviews.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
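The 2^32-block figure above is the birthday bound for a 64-bit block. The following is an added example, not code from the thread or from Secure Science: it uses a constructed ideal cipher with a 16-bit block (a random permutation table) so the bound is reached in milliseconds, encrypts under CBC, and shows what a passive observer learns once two ciphertext blocks collide, which is the reason a key must be retired before that much data has gone through it. The helper names and the seed are my own choices.

```python
"""Added example, not from the thread or from Secure Science: why a small
block size caps how much data one key may encrypt in CBC mode.

The toy block cipher is an ideal 16-bit cipher (a random permutation over
0..65535, constructed), so the birthday bound of 2^(16/2) = 256 blocks is
reached almost immediately. The same argument at 64-bit blocks gives 2^32."""
import random

BLOCK_BITS = 16  # toy block size; 3DES has 64, AES 128


def make_toy_cipher(seed=1):
    """Ideal-cipher stand-in: a random permutation table (constructed)."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(seed).shuffle(table)
    return table


def cbc_encrypt(perm, iv, blocks):
    """Textbook CBC: C_i = E(P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        c = perm[p ^ prev]
        out.append(c)
        prev = c
    return out


def birthday_bound_blocks(block_bits):
    """Number of blocks after which a ciphertext-block collision is likely."""
    return 1 << (block_bits // 2)


def bytes_before_collision(block_bits):
    """The same bound expressed in bytes of ciphertext under one key."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def cbc_collision_leak(iv, ciphertext):
    """Passive observer: find i != j with C_i == C_j. Because E is a
    permutation, equal outputs mean equal inputs, so
    P_i xor C_{i-1} == P_j xor C_{j-1}, i.e. P_i xor P_j == C_{i-1} xor C_{j-1}.
    Returns (i, j, P_i xor P_j) or None if no collision occurred."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            prev_i = iv if i == 0 else ciphertext[i - 1]
            prev_j = ciphertext[j - 1]  # j > 0 here, since seen was non-empty
            return i, j, prev_i ^ prev_j
        seen[c] = j
    return None


def demo(n_blocks=2000, seed=1):
    """Encrypt n random blocks and check that the leaked XOR is genuine."""
    perm = make_toy_cipher(seed)
    rng = random.Random(seed + 1)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    iv = 0x1234
    hit = cbc_collision_leak(iv, cbc_encrypt(perm, iv, plaintext))
    if hit is None:
        return None
    i, j, leaked = hit
    return {"i": i, "j": j, "leak_correct": leaked == plaintext[i] ^ plaintext[j]}


if __name__ == "__main__":
    print(demo())
    print("64-bit block: %d blocks, %d bytes before a collision is likely"
          % (birthday_bound_blocks(64), bytes_before_collision(64)))
```

With 2000 blocks of a 16-bit cipher a collision is practically certain (2000^2 is far above 2 * 2^16); the leak is the XOR of two plaintext blocks, which is why protocols built on 64-bit ciphers rekey well before 2^32 blocks.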
    3. Re:Go with what is widely used by Fweeky · · Score: 2, Interesting
      http://lists.gnupg.org/pipermail/gnupg-users/2005-February/024862.html via http://it.slashdot.org/comments.pl?sid=140093&cid=11730436:
      "let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a
      break allows a collision to be found in merely 2^69 operations (on
      average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall.
      that's broken!!

      OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall.
      comparing unbroken MD5 to broken SHA-1 means the wall would actually grow
      from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if
      it's broken enough to find a collision in 2^69 operations (on average), is
      still stronger than MD5 was ever meant to be.

      again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall,
      unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was
      intended to be incredibly stronger than MD5."
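Two comments above, provolt's distinction between strong and weak collision resistance and the quoted wall analogy, describe the same work-factor arithmetic. The following is an added example, not code from the thread: it uses SHA-256 truncated to 16 bits (a constructed toy, not a real hash) so that both searches finish instantly, runs a birthday search for a collision next to a brute-force search for a second preimage, and turns the 2^80 / 2^69 / 2^64 wall heights into numbers with a small helper. Function names are my own.

```python
"""Added example, not from the thread: collision resistance versus
second-preimage resistance, and the wall analogy turned into numbers.

Toy hash: SHA-256 truncated to 16 bits (constructed), so the expected cost of a
birthday collision is about 2^8 trials while a second preimage costs about 2^16."""
import hashlib

HASH_BITS = 16


def toy_hash(msg: bytes) -> int:
    """SHA-256 truncated to HASH_BITS bits (constructed toy, not a real hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest()[: HASH_BITS // 8], "big")


def find_collision(prefix=b"msg-"):
    """Strong collision resistance: any two distinct messages with equal hash.
    Birthday search, expected ~2^(HASH_BITS/2) trials. Returns (m1, m2, trials)."""
    seen = {}
    n = 0
    while True:
        m = prefix + str(n).encode()
        h = toy_hash(m)
        if h in seen:  # messages differ because n differs
            return seen[h], m, n + 1
        seen[h] = m
        n += 1


def find_second_preimage(target_msg, prefix=b"forge-"):
    """Weak collision resistance: a different message hashing to a given value.
    Brute force, expected ~2^HASH_BITS trials. Returns (m, trials)."""
    target = toy_hash(target_msg)
    n = 0
    while True:
        m = prefix + str(n).encode()
        if m != target_msg and toy_hash(m) == target:
            return m, n + 1
        n += 1


def wall_height(reference_log2_work, actual_log2_work, reference_height_m=100.0):
    """Scale a 'wall' by the ratio of work factors, 2^(actual - reference).
    wall_height(80, 69) is 0.048828125 m, the 4.9 cm of the quote."""
    return reference_height_m * 2.0 ** (actual_log2_work - reference_log2_work)


if __name__ == "__main__":
    m1, m2, t = find_collision()
    print("collision after %d trials" % t)
    m, t2 = find_second_preimage(b"original message")
    print("second preimage after %d trials" % t2)
    print("SHA-1 at 2^69 vs unbroken 2^80: %.4f m" % wall_height(80, 69))
    print("SHA-1 at 2^69 vs MD5 2^64:      %.1f m" % wall_height(64, 69))
    print("SHA-1 at 2^80 vs MD5 2^64:      %.1f m" % wall_height(64, 80))
```

Run it a few times with different prefixes and the collision consistently needs a few hundred trials while the second preimage needs tens of thousands; that gap is the difference between the two properties provolt describes, and it is the gap the 2^69 result narrowed without closing.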
  8. Already cracked ! by MajorDick · · Score: 4, Funny

    Well, I called up DVD Jon , and within about 15 minutes he had a working exploit for the cipher.

    Oh well off to the next

    Nothing to see here already been cracked...move along....

  9. Snake Oil? by Anonymous Coward · · Score: 5, Insightful

    Top Questions:

    1. Is this a proprietary or patented algorithm?

    2. Has this algorithm gone through the usual rounds of analysis among the nations top cryptographers?

    3. Has it been implemented in a FIPS 140-2 certified cryptographic module?

    That should keep them busy.

    1. Re:Snake Oil? by flaws · · Score: 5, Informative

      1) No - it is open source and technically public domain.
      2) That is what we are attempting now - the preview is to get it lined up with crypto experts to review.
      3) If it gets past 2, then that is something to consider.

    2. Re:Snake Oil? by dtfinch · · Score: 2, Informative

      "Secure Science Corporation"

      Domain Name: SECURESCIENCE.NET
      Registered through: GoDaddy.com
      Created on: 24-Oct-03

      A quick search through the sci.crypt archives suggests that they employ at least one cryptographer who ought to be qualified to tell if it's clearly clearly.

      But my own inexperienced mind tells me that a 4x4 sbox seems awfully small, and that they've put an awful lot of effort into making it efficient in hardware requiring a minimal number of gates. It's not hard to just make a secure cipher, but it is extremely difficult to make one that's fast and simple while still being secure. IANAC (I am not a cryptanalyst) though, so only time will tell.

      A patent search for "Secure Science Corporation" does not return any results.

    3. Re:Snake Oil? by m0rningstar · · Score: 2, Insightful

      You know ... the first two questions and the answers are excellent.

      I'm not sure that having it FIPS-140 certified buys a vast amount from a technical perspective above and beyond the first two. It's a necessary step for getting the Federal government to use it, but I'd trust the external peer review prior to that.

      However -- there's the two points addressed: open standard and accepted for review. Given some time to analyse and review it, this sounds like a decent addition to the arsenal, IF it passes said review.

      (I'm no cryptographer. I don't even play one on /.)

  10. Maybe there's something I'm not getting here, by sporktoast · · Score: 4, Insightful

    but what is "casual peer review" and why would it be desired (over perhaps more in depth peer review) for an encryption technology?

    --
    In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss.
  11. Re:Hardware based? by Anonymous Coward · · Score: 2, Informative

    It's not really novel. DES, the government backed standard from the 70's, was intentionally designed for hardware implementation (the s-boxes it used were made to be of a size that could be practically implemented with the existing technology at the time).

    Software based standards are not practical for large scale deployment, the time to encrypt can often become a serious bottleneck. It's a major reason why public key cryptography, implemented in software, is frequently used only for the initial key exchange for a hardware based cryptographic scheme like DES or AES.

    -ShadowRanger

  12. Hardware acceleration by meestaplu · · Score: 2, Insightful

    Now, I know that it's provably hard to attack a good encryption scheme. However, if this one is easier to implement in hardware -- if the cipher can be hardware accelerated more easily -- does that mean that an attack on this scheme could also be hardware accelerated more easily?

    1. Re:Hardware acceleration by rhythmx · · Score: 3, Informative

      No. Encryption algorithms are supposed to act as one way functions when you don't have the key. If this algorithm is properly implemented (but nothing ever really is), no intrinsic property of the algorithm would speed up the cracking process. Going backwards (decryption) *with* a key is faster, but going backwards without a key (cracking) is totally different.

  13. Snake-oil... by rhythmx · · Score: 4, Insightful

    "We prove that our design is immune to differential and linear cryptanalysis"

    See Bruce Schneier's "Snake Oil", Warning Sign #8: Security proofs.

    "Secure Science will be offering a challenge at the end of April, introducing the cipher to the public."

    See: Warning Sign #9: "Cracking contests" and "The Fallacy of Cracking Contests"

    All of this may be well and good, but I don't think any real engineers are going to be choosing this over AES anytime soon. AES was a competition backed by NIST to replace the current encryption standard (3DES). Most of the world's top cryptographers submitted their algorithm. Only after a very long and very thorough peer review process did the NIST declare Rijndael's submission to be the winner, and therefore the new AES standard.

    1. Re:Snake-oil... by flaws · · Score: 2, Interesting

      Ironically, Secure Science got an email from Schneier, his quote was "Wow. Definitely not Snake-oil."

    2. Re:Snake-oil... by cpeikert · · Score: 4, Insightful

      "We prove that our design is immune to differential and linear cryptanalysis"

      See Bruce Schneier's "Snake Oil", Warning Sign #8: Security proofs.


      Two things: number one, you can prove immunity to these two kinds of attacks, in a formal, rigorous way. That doesn't mean there are no attacks, but it's decent evidence of security.

      Number two, proofs of security are a very good thing. Just because snake-oil salesmen claim to have "proofs of unbreakability" does not mean that security proofs are bad. A rigorous proof of security against a well-specified, formal attack model should inspire lots of confidence. Without security proofs, cryptography would still just be mostly ad-hoc-ery.

    3. Re:Snake-oil... by ambrosine10 · · Score: 2, Insightful

      Really? Source please.

    4. Re:Snake-oil... by jpetts · · Score: 2, Informative

      You can't reliably prove security for anything other than the one-time pad. All you can do is prove that the attacks you have chosen will not work. Attempting to prove security is attempting to prove a negative: namely that no attack more efficient than brute force exists.

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    5. Re:Snake-oil... by Anonymous Coward · · Score: 5, Funny

      To: flaws@securescience.com
      From: bruce@schneier.com
      Subject: Peer Review

      Flaws,
      Peer review some algorithm you just made up? Wow. Definitely not Snake-oil. Gimme a break.

      Bruce

      >Bruce,
      >We just came up with a 1337 crypto algo. You wanna peer review it for us?
      >Peace,
      >flaws

    6. Re:Snake-oil... by viega · · Score: 2, Interesting

      Another ill-informed post. There's a difference between absolute security and computational security. We can easily build provable security schemes for confidentiality and integrity, where we prove computational security against all possible attacks. It's not as theoretically absolute as a one-time pad because there is a computational bound where there might be some technological breakthrough (but that's very unrealistic). Or, more likely, the very modest assumption made about the underlying block cipher will not hold. If someone ever says, "AES is broken", that basically will mean they proved that assumption doesn't hold... for AES. Honestly, that seems quite unlikely to happen any time soon, and until it does, the assumption is such that you have a provably secure scheme against all computationally feasible attacks.

  14. Re:Worse than previewing non-existent products... by Dr.Dubious+DDQ · · Score: 3, Insightful
    things like these need to be kept, yknow, secret....

    No, they don't - not if they're GOOD security.

    The intention is that with good encryption techniques, the "bad guys" can know all about how the system works...and it will work anyway. What's the point in making sure nobody sees you hiding your key under the doormat (security-through-obscurity) if the key doesn't work for anyone but you anyway?

  15. I wonder... by Dr.Dubious+DDQ · · Score: 2, Interesting

    ...how badly patent-encumbered these ciphers are going to end up being?

  16. I stand corrected! by John+Harrison · · Score: 4, Funny

    You are right. Nevermind what I said. Buy the snake oil, it has a better track record.

    1. Re:I stand corrected! by flaws · · Score: 2, Informative

      www.securescience.net/ciphers/csc2/csc2ref.c

    2. Re:I stand corrected! by John+Harrison · · Score: 2, Informative
      As the maker of the original "snake oil" comment, let me make a few clarifications. First, I am not the AC that is replying to you. I have posted AC to /. less than 5 times in six years, and not at all in the last six months. Second, the "snake oil" comment was about the amount of review a cipher (any cipher, not this one in particular) has undergone, not whether it is open source. It seems to me that all of the AES candidates have undergone more review than this cipher. Yet even the designers of some of those candidate ciphers have said that people should use AES because it is the standard and it will receive more research going forward, even though they personally think their own creations have advantages.

      Though there is good work that has been done on CS, most of it appears to be done by the creators of it. Finally, from the article:
      As of yet no full cryptanalysis of the CS-Cipher is known to exist.

  17. Ugh by TechyImmigrant · · Score: 2, Insightful

    Ugh.

    1) No decrypt specified. So it doesn't work with many modes.

    2) Complete ambiguity in the endianness of the test vectors. Which end is which?

    3) Optimized for HW complexity. We have AES for that. We want new ciphers optimized for security.

    --
    Evil people are out to get you.
    1. Re:Ugh by viega · · Score: 2, Interesting

      If you can't invert the function then one of the following is true:

      1) You don't have a one-to-one mapping of inputs to outputs, which makes this more like the compression function of a hash function, but will certainly be weaker than optimal for the intended purpose (we could then talk about how much weaker, but at the very least we no longer have a pseudo-random permutation, and it's not even a proper pseudo-random function, which means none of our traditional block cipher proofs will hold as is).

      2) The one-to-one mapping exists, but there's a hard problem making it difficult to invert, in which case you have invented a public key cryptosystem (highly unlikely)

      or

      3) The inversion is possible and not computationally hard, the designer just wasn't clueful enough.

      There's also the possibility that the poster wasn't the designer, wasn't correct, and it is a plain ol' invertible block cipher.
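TechyImmigrant's first point (no decrypt specified, so many modes are out) and viega's reply both turn on whether the block function is a permutation with a usable inverse. The following is an added example, not code from the thread or from the cipher's authors: a constructed 64-bit Feistel toy (round function a truncated SHA-256, so it is invertible by construction regardless of the round function) is run in CBC, which calls the inverse on decryption, and in CTR, which only ever calls the forward direction. The cipher and helper names are my own and stand in for any real block cipher.

```python
"""Added example, not from the thread or from the cipher's authors: a block
cipher with no decrypt function still works in CTR mode but not in CBC mode.

The 64-bit block cipher is a constructed 4-round Feistel network whose round
function is a truncated SHA-256; it stands in for any real cipher."""
import hashlib

BLOCK = 8   # bytes per block
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, r):
    """Keyed round function; a Feistel round function need not be invertible."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key, block):
    L, R = block[:4], block[4:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round(key, R, r))
    return L + R


def block_decrypt(key, block):
    """Feistel inverse: the same rounds applied in reverse order."""
    L, R = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _round(key, L, r)), L
    return L + R


def cbc_encrypt(key, iv, data):
    """CBC encryption only needs the forward direction (data: multiple of BLOCK)."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data, decrypt=block_decrypt):
    """CBC decryption needs the block cipher inverse: P_i = D(C_i) xor C_{i-1}.
    Pass decrypt=None to model a cipher for which no inverse was specified."""
    if decrypt is None:
        raise ValueError("CBC decryption requires the block cipher inverse")
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(decrypt(key, c), prev)
        prev = c
    return bytes(out)


def ctr_crypt(key, nonce, data):
    """CTR only ever calls block_encrypt, so encryption and decryption are the
    same operation and a forward-only cipher is sufficient."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(4, "big")
        keystream = block_encrypt(key, nonce + counter)   # 4-byte nonce + 4-byte counter
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def cbc_works_without_inverse(key, iv, data):
    """True only if CBC round-trips with no decrypt function available."""
    try:
        cbc_decrypt(key, iv, cbc_encrypt(key, iv, data), decrypt=None)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key, iv, nonce = b"k" * 16, b"\x00" * 8, b"\x01\x02\x03\x04"
    pt = b"sixteen byte msg"
    print(cbc_decrypt(key, iv, cbc_encrypt(key, iv, pt)) == pt)        # True
    print(ctr_crypt(key, nonce, ctr_crypt(key, nonce, pt)) == pt)       # True
    print(cbc_works_without_inverse(key, iv, pt))                       # False
```

The point is structural rather than about this cipher: CBC, CFB-style decryption of the last block and most padding schemes call the inverse, while CTR, OFB and CMAC-style constructions do not, so a specification that omits the inverse silently narrows the set of modes the cipher can be used in, which is what the comment above objects to.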

  18. Easy killer... by danielrm26 · · Score: 4, Insightful
    "This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128."
    Comparably secure? The Rijndael algorithm has been around for a pretty long time and has undergone a lot of scrutiny. Wait until this new kid has been around the block for a few years; then we talk about comparisons to Rijndael.

    "You keep using this word. I don't think it means what you think it means."
    --
    dmiessler.com -- grep understanding knowledge
  19. Where I work by digitalchinky · · Score: 2, Interesting

    Crypto systems do not always need to be brute forced: 'More often than not' it is a brain dead technician sending the keys across a timeplex, via satellite, and then over HF or something equally as silly, out to their remote site.

    Key exchange is where the biggest failures occur (that I see). Many crypto systems still in use throughout this part of the world (still) work in a similar method to the old enigma typewriters - typically they are rapidly broken because they send identical messages using different keys, then send the same message in clear text via some other link.

  20. I don't get it... by cperciva · · Score: 4, Insightful

    Maybe I'm misreading the description, but it looks to me like this is an 8-round cipher with a round function considerably simpler than Rijndael's round function.

    Given that 8-round Rijndael is broken, it seems highly optimistic to think that this new cipher will not be broken.

  21. Compared to... by null-sRc · · Score: 2, Informative

    whitenoise labs, a cryptography startup that just got its algos patented...

    Company link:
    http://www.whitenoiselabs.com/

    Cryptographic analysis link:
    http://www.whitenoiselabs.com/papers/Wagner%20Security%20Analysis.pdf

    Performance analysis link:
    http://www.whitenoiselabs.com/papers/UVIC%20Performance%20Analysis.pdf

    So whitenoise encryption offers a cheaper solution that is mathematically stronger, and computationally order log n complexity where n is filesize (therefore faster too)

    and please tell me why anyone in their right mind would still bother using this shoddy, expensive, slow method for cell phone encryption?

    --
    -judging another only defines yourself
    1. Re:Compared to... by Anonymous Coward · · Score: 2, Informative

      Right. And who would care to use shoddy Whitenoise? It's been broken already.

      Look here: http://eprint.iacr.org/2003/250

      tsk...tsk...tsk..

  22. Re:Review Expertise. by viega · · Score: 2, Informative

    This is an incredibly ill-informed post. A cipher that takes a 128-bit input (plus a key) and produces a 128-bit output is a block cipher, just like AES is a block cipher. This has nothing to do with a one-time pad. First, no block cipher should be used in a mode where you encrypt plaintext 16 bits at a time, and that's it (this is called ECB mode). We DO however, have a ton of ways to turn a block cipher into a function that offers strong guarantees for both confidentiality and message authentication / integrity. These are constructs where we only have to make a single assumption, which is loosely that, given a randomly chosen key, an attacker will have no significant advantage in looking at an output and distinguishing it from a randomly chosen value of the same size. Your comment about rotating keys doesn't even make much sense. Most network protocols (e.g., SSL/TLS) basically do that... every connection they end up choosing a different random key. This is basic key management, it has little to do with the block cipher, and it's something we know how to do reasonably well.

  23. Re:I wonder... by nkh · · Score: 2, Informative

    AES is really more simple to understand than DES, you definitely should have a look at it: http://en.wikipedia.org/wiki/AES

  24. Re:Review Expertise. by Zeinfeld · · Score: 2, Informative
    I'm not even sure it's worth reviewing... from the design intro it more or less stated that you give it a 128 bit key and it spits out 128 bits of ciphertext. In my book that is a one time pad and it won't be any more secure than using xor (in fact not using xor could make it significantly less secure).

    Not in my book or anyone else's. It is a block cipher with a key size and a block size of 128 bits, but it is designed to be used in chaining mode which a one time pad ain't.

    Now I'm assuming this isn't a one time pad so I'm also assuming the same key will be used many times considering it may act as a wireless key similar to WEP keys right now.

    The problem with WEP was not the reuse of the key, it was the modification of RC4 so that it did not discard the initial bits from the PRG. These were known to be weak when RC4 was designed.

    The secure science people are not well known on slashdot but in the field they are very well known and they have a pretty high reputation for their work on anti-phishing. Now that does not mean that I would put them in the same class as Rivest, Biham and Shamir when it comes to cipher design.

    There is an argument to be made that it is better to use a block cipher with a possibly inadequate number of rounds than risk using a stream cipher. Block ciphers are much better understood and their failure modes are much less likely to be catastrophic. A poor 128 bit block cipher is likely to result in an effective cipher strength of maybe 80 bits. A poor stream cipher can collapse to an effective cipher strength of 16 bits or less, particularly if it is not used properly.

    So this is a bit like if Schneier or Kocher came up with a cipher, they are not a Rogaway or a Rivest but they are not exactly flakes peddling snake oil. I suspect that their work will receive significant attention.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  25. Re:I wonder... by flaws · · Score: 2, Informative

    There are no plans to patent these ciphers. They are for public consumption.

  26. Re:Time again for One Time Pads? by ManuelKelly · · Score: 2, Funny

    This sounds like someone has finally found a use for all of those AOL cd's. A completely new set of pads delivered to your door monthly.

  27. Origin of Cryptography by Big_Oh · · Score: 2, Funny

    "...This implies that cryptography may come ultimately from the infantile sexual pleasure that children obtain from the muscle tension of retaining the feces." From Kahn's "The Codebreakers".

  28. Crypto Law Public Domain vs. Copyright P.D. by billstewart · · Score: 2, Informative
    "Public Domain" actually has several relevant specific legal meanings.
    • US Technology Export Laws (which were written back when the Free World was the enemy of Communism to prevent Commies from getting militarily useful technology, and kept around much longer as a fiction to prevent citizens from having private communications that the FBI and NSA couldn't wiretap) defines "public domain" essentially as open knowledge that can be freely discussed, at least by academics, without the same limitations as non-public-domain crypto technology which mustn't be disclosed to those nasty Foreigners (except Canadians and sometimes Brits.) Those laws aren't totally gone, but they're mostly gone and it's easy enough to work around them for the most part.
    • Copyright and Patent have their own different meanings of Public Domain - If something is copyrighted, you can't copy the exact implementation, but you can write your own code that implements the same mathematical functions. But if it's public domain, feel free to Xerograph it, retype it, whatever.
    • But if something is patent-protected, you can't implement the algorithm/business-method/hardware yourself, even writing your code from scratch in a clean room, unless you've got a license from the patent-holder.
    --
    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  29. More hardware-efficient than Rijndael? by ca1v1n · · Score: 5, Insightful

    I've actually designed the encryption end of a synthesizable Rijndael chip. It was lab 5 of ECE 435 at U.Va. Granted, that's a 4 1/2 credit course, and there were only 5 labs, but still. Adding the decryption would have less than doubled the work, and considerably less than doubled the silicon. Implementing AES in hardware is NOT hard. In the name of laziness, I did it in a highly parallel fashion, doing a lot of work that could be serialized to reduce the transistor count by about a factor of 8, before getting to even slightly fancy optimization techniques.

    You need some registers, some shifters, and some very minimal control logic. Doing the sbox algorithmically isn't terribly fast and requires a fair amount of logic, so generally you just use a 256 byte ROM for the sbox. With die space being as expensive as it was when DES was being designed, it's understandable that they did some weird things to make it fit on the chip. These days, nobody blinks at 10k transistors, even on embedded devices.

    Sure, their 4x4 sbox is going to take a lot less space on the chip, but does that really buy anything? Their design document shows that 32 of them are necessary to do a whole round in a single step, while only 4 are needed for Rijndael. That's 2048 bits of ROM on CS2 and 8192 bits of ROM for Rijndael, but CS2 takes 33 rounds while the 128-bit version of Rijndael takes only 10. The amount of hardware required for comparable throughput is about the same, though Rijndael's pipeline is an order of magnitude shorter, due to fewer rounds and the rounds not having to go through that barrel-shifter network.

  30. Author? Rationale? Trustability? by billstewart · · Score: 3, Insightful
    Reference code is important, and while the paper's pretty brief, it looks believable at first glance (I'm an engineer who's dealt with lots of crypto, but am not a crypto mathematician) - it claims to have addressed at least the most important popular attacks.

    But it doesn't say who wrote the algorithm (just the reference code) - is it someone known to the community? It's written by the anonymous academic "we" - it references a couple of papers by Tom St. Denis, but has the feel of somebody who doesn't natively speak English, and the web version has spelling problems. The paper's about 8 months old - has some version of it been submitted to any of the academic journals, and have any of them published it? fl@ws says later they're working on getting some professionals to look at it, which is a good start (realistically, if the academic community doesn't generate its own buzz, you're going to have to hire credible people to vet it to start to get some attention so that more people will start trying to attack it.) The posting mentions a "challenge", which is usually a bad, bad sign, though this looks better than the usual snake oil that does that.

    Things I'd hoped to see that are missing include

    • Why should we care? There are lots of crypto algorithms out there, some of which, like the AES candidates, have been thoroughly beaten up by the community. Is there some weakness (esp. with Rijndael) that this addresses?
    • "Faster in hardware" - Sometimes hardware's interesting, but only if you're going to sell lots of it; it needs to perform decently in software. There's a bit of discussion of some of the issues, particularly making it fit on 8-bit processors, in case anybody still uses those, but nothing indicating that any speed testing has been done, or indicating what quantities of memory it needs or sensitivity to running on various architectures (e.g. x86 or something with enough registers or ARM or MIPS, 8/16/32/64 bit issues, etc.) The reference code does indicate that it can at least be implemented in C without hopeless quantities of bit-twiddling, which is a good start.
    • I couldn't really tell which block modes were useful - CBC, counter-mode, etc. Is there anything different here than AES?
    • How well does it parallelize - if you're trying to pump out maximum speed on something other than a discrete 8-bit chip, such as an array of cells in an FPGA or ASIC, does that work ok? Or is the answer simply "go use whichever standard operations mode you like, just as you would with AES or 3DES"?
    • Is 128 bits long enough for both the key and the block? There were some discussions about originally trying to design for 256-bit keys, but cutting back to 128 for efficiency reasons. If making it fit onto an 8051 is part of your design criteria, that may be necessary, but many algorithms have some encryption modes that aren't as useful because of birthday attacks because the keys are too short.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Author? Rationale? Trustability? by Ckwop · · Score: 4, Insightful

      Why should we care? There are lots of crypto algorithms out there, some of which, like the AES candidates, have been thoroughly beaten up by the community. Is there some weakness (esp. with Rijndael) that this addresses?

      The only "weakness" in AES is that the transform is incomplete. Nobody has turned this into an attack and it's unlikely to become a source of attack.

      I couldn't really tell which block modes were useful - CBC, counter-mode, etc. Is there anything different here than AES?

      No, modes of operation are independent of the underlying block cipher.

      How well does it parallelize - if you're trying to pump out maximum speed on something other than a discrete 8-bit chip, such as an array of cells in an FPGA or ASIC, does that work ok? Or is the answer simply "go use whichever standard operations mode you like, just as you would with AES or 3DES"?

      I've not read the details of the spec to be able to answer this question. Sorry :(

      Is 128 bits long enough for both the key and the block? There were some discussions about originally trying to design for 256-bit keys, but cutting back to 128 for efficiency reasons. If making it fit onto an 8051 is part of your design criteria, that may be necessary, but many algorithms have some encryption modes that aren't as useful because of birthday attacks because the keys are too short.

      This isn't really a concern. In order for birthday attacks to come about using CBC, or some other chaining mode, you'd have to encrypt around 2^64 blocks. The block is 128-bit long, which gives 2^4 * 2^64 = 2^68 bytes of encryption before the probabilities become an issue. If you're encrypting that much with a single key, you're insane.

      You might think counter mode would help you avoid that problem, but alas, it does not. In a random stream you'd expect each group of 128-bits to be equally probable. With CTR, however, we know that each 128-bit block of the keystream will only be repeated after 2^128 encryptions. This fact allows you to distinguish CTR from random after around, you guessed it, 2^64 encryptions.

      Oh, btw, donate to Tom St Denis; he writes a cool cryptolib.

      Simon.

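Simon's birthday-bound argument in the reply above can be made concrete. The following is an added worked example, not code from the thread, from Secure Science, or from any real cipher: a seeded random permutation over a 16-bit block space stands in for an ideal block cipher under one key (the small block is an assumption chosen so the 2^(n/2) bound is reachable in a simulation; AES and CS2-128 have 128-bit blocks, where the same bound is 2^64 blocks, i.e. the 2^68 bytes quoted). It shows the two effects he describes: in CBC, the first repeated ciphertext block leaks the XOR of two plaintext blocks (the standard consequence of a CBC collision, since the cipher is a permutation), and a CTR keystream never repeats a block while a truly random stream of the same length almost surely does, which is the distinguisher. The seed values and block counts are arbitrary constructed inputs.

```python
import math
import random

# CONSTRUCTED toy parameters: a 16-bit block so the birthday bound (~2^8 blocks)
# is reachable in a simulation. AES/CS2-128 use 128-bit blocks (~2^64 blocks).
BLOCK_BITS = 16
BLOCK_SPACE = 1 << BLOCK_BITS


def birthday_blocks(block_bits, probability=0.5):
    """Blocks to encrypt before two block values collide with the given
    probability (standard birthday approximation sqrt(2 N ln(1/(1-p))))."""
    space = 2.0 ** block_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


def cbc_safe_bytes(block_bits):
    """The 2^68-byte figure from the comment: about 2^(n/2) blocks of n/8
    bytes each under one key before birthday effects become a concern."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def make_toy_cipher(seed):
    """A seeded random permutation of the block space stands in for an ideal
    block cipher under a fixed key. Toy only; it is not CS2-128 or AES."""
    rng = random.Random(seed)
    table = list(range(BLOCK_SPACE))
    rng.shuffle(table)
    return table.__getitem__          # encrypt(block) -> table[block]


def cbc_encrypt(enc, iv, plaintext):
    """Textbook CBC: C_i = E(P_i xor C_{i-1}), with C_{-1} = IV."""
    ciphertext, prev = [], iv
    for p in plaintext:
        prev = enc(p ^ prev)
        ciphertext.append(prev)
    return ciphertext


def cbc_collision_leak(iv, plaintext, ciphertext):
    """Find the first pair i < j with C_i == C_j. Because E is a permutation,
    P_i xor C_{i-1} == P_j xor C_{j-1}, so P_i xor P_j == C_{i-1} xor C_{j-1}:
    the attacker learns the XOR of two plaintext blocks from ciphertext alone.
    Returns (i, j, leaked_xor), or None if no collision occurred."""
    chain = [iv] + ciphertext          # chain[k] is the block XORed into P_k
    first_seen = {}
    for j, c in enumerate(ciphertext):
        if c in first_seen:
            i = first_seen[c]
            return i, j, chain[i] ^ chain[j]
        first_seen[c] = j
    return None


def ctr_keystream(enc, nonce, nblocks):
    """Textbook CTR keystream: E(nonce + k). Distinct counters through a
    permutation give distinct blocks, so no block repeats before the counter
    wraps around the whole block space."""
    return [enc((nonce + k) % BLOCK_SPACE) for k in range(nblocks)]


def count_repeats(blocks):
    return len(blocks) - len(set(blocks))


def distinguish(blocks):
    """The comment's distinguisher: well past 2^(n/2) blocks, a truly random
    stream almost surely repeats a block; a CTR keystream cannot."""
    return "ctr" if count_repeats(blocks) == 0 else "random"


def demo(seed=2005, nblocks=8 * (1 << (BLOCK_BITS // 2))):
    """Run both experiments with nblocks = 8 * 2^(n/2) blocks (2048 here),
    far enough past the bound that a collision is practically certain."""
    enc = make_toy_cipher(seed)
    rng = random.Random(seed + 1)     # constructed plaintext and random stream
    iv = rng.randrange(BLOCK_SPACE)
    plaintext = [rng.randrange(BLOCK_SPACE) for _ in range(nblocks)]
    leak = cbc_collision_leak(iv, plaintext, cbc_encrypt(enc, iv, plaintext))
    random_stream = [rng.randrange(BLOCK_SPACE) for _ in range(nblocks)]
    return {
        "cbc_leak": leak,
        "cbc_leak_correct": leak is not None
        and leak[2] == plaintext[leak[0]] ^ plaintext[leak[1]],
        "ctr_verdict": distinguish(ctr_keystream(enc, iv, nblocks)),
        "random_verdict": distinguish(random_stream),
    }


if __name__ == "__main__":
    print("128-bit block: collision expected near 2^%.1f blocks, %d bytes"
          % (math.log2(birthday_blocks(128)), cbc_safe_bytes(128)))
    print(demo())
```

The point of the CBC half is that the leaked value is recoverable by anyone holding only the ciphertext, which is why the 2^(n/2)-block limit is a data limit per key rather than a theoretical curiosity; the CTR half shows that the same limit applies even though nothing is "leaked" in the same sense, because the absence of repeats is itself the tell.
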
  31. Re:Review Expertise. by slavemowgli · · Score: 2, Informative

    FYI, Schneier *did* come up with a cipher. Look up "Blowfish" and "Twofish". The latter was even submitted to the NIST AES contest from which Rijndael ultimately emerged as the winner, and it was one of the most serious contenders, too.

    --
    quidquid latine dictum sit altum videtur.
  32. No-one is perfect... except God. by abb3w · · Score: 2, Funny
    Although I do not have a background in mathematics (I have an AA in Photography) I was easily able to rebuild Ezekiel's private key via his public key and one of his encrypted messages. Of course I am above-average in intelligence, but PGP is supposedly unbreakable!

    As the United States has known since its founding, all cryptographic algorithms (even the one-time pad) are vulnerable to attack via divine revelation, even in the absence of the ciphertext itself. Those able to take advantage of this regularly are a pearl without price in the intelligence community.

    Your services have immense potential value for your country in the hunt for terrorists like Osama Bin Laden. If you'd like a circular describing opportunities for employment with the NSA, just pick up your phone, call your mother, and ask for one.

    --
    //Information does not want to be free; it wants to breed.