Preview of New Block Cipher

flaws writes "Secure Science Corp. is offering a preview of one of the 3 ciphers they will be publishing througout the year. The CS2-128 cipher is a 128-bit block cipher with a 128 bit key. This cipher is proposed as a hardware alternative to AES, being that it is more efficient in hardware, simpler to implement, and comparably secure to AES-128. The preview of the CS2-128 cipher proposed is in html form and will be available in a published format at the end of April. At this time, requests are made for casual peer review and implementation. Secure Science will be offering a challenge at the end of April, introducing the cipher to the public. This ciphers implementation and usage will be offered in multiple hardware devices, such as wireless routers, cell-phones, and storage management hardware."

In case of Slashdotting...

MD5 of article text: 79592dc553067bfafaa07086c07d2c8a

PGP: A Dangerous Program for a Dangerous Time

Hello,

Recently I noticed that my teenage son Ezekiel had begun to encrypt
his emails with a program called PGP. I was concerned because I'd
always covertly monitored their email for any hints of illegal
activity, drug use or interest in the occult - some of his classmates
have begun playing Dungeons and Dragons and listening to KISS. Since
Ezekiel was now using PGP, his activites were hidden from me!

Additionally, I also overheard him talking of using a program called
Stegasaurus to embed secret information into normal-looking pictures.
Terrified that my son might be speaking in some sort of sinful code, I
immediately grounded him for a month. He was only allowed to go to
school and Bible study.

Anyways, I've done several days worth of research on this and
discovered a few things about PGP that I'd like to share with the
readers of these newsgroups. To begin with, I realized that many of
the claims made by the creators of PGP are blatently false. Although I
do not have a background in mathematics (I have an AA in Photography)
I was easily able to rebuild Ezekiel's private key via his public key
and one of his encrypted messages.

Of course I am above-average in intelligence, but PGP is supposedly
unbreakable! Perhaps crytogrophers aren't as smart as they believe?
Fortunately in this case Ezekiel was just discussing a girl he met in
school - a situation I harshly reprimanded him for. However, while PGP
may be a program with flaws, it got me thinking about other programs.
Perhaps someone will construct a PGP-like program that cannot be so
easily broken; one that would take days of computer time to hack!

My concern with a program like this is that people who use
cryptography always do so because they have something to hide. A sense
of guilt and shame seems to drive them. They know that they are doing
something wrong and desperately want to hide it from the eyes of the
world (although hiding it from the eyes of God is another matter!
LOL!)

A study recently released by the Institute for Family Computing
revealed that the top three uses of cryptography were for 1)
"terrorist-related activity" 2) pedophillia and 3) drug abuse. In fact
as far as I can tell, no legitimate use was on the top ten at all!

What scares me about this is that law-enforcement agencies will be
unable to sift through email to find people who are breaking the law,
or otherwise engaged in suspicious activity. At a time when our nation
is under siege, I find it disturbing that people are working on
developing cryptography that cannot be broken, even by our protectors
in the FBI and CIA! Only those with something to hide truly need
cryptography.

Thus I urge cryptogrophers world wide to refrain from working on such
programs, until our nation is no longer at war. I would ask those of
other countries to respect our right to self-defense and aid us in our
time of trouble. Your cryptographic skills can be better put to use
trying to find terrorists than to assist them.

"provably just as secure as AES-128"? Bah.

[Jepler]

I read the paper. They devote, oh, a page or so to attacks. Proven as secure as AES? bah.

Go with what is widely used

[John+Harrison]

One of the advantages of AES, 3DES and DES is that as heavily used standards they attract a lot of research. You can have a lot of confidence that if there is a weakness it will be discovered and made public. The same is not true of proprietary ciphers. As a example look at the 40 bit encryption used by TI for RFID tags that was recently broken by a bunch of university students. If those students had been malicious they could have broken it and not told anyone. They could have then exploited the weakness for years because the cipher isn't widely studied so it is unlikely that someone else would have bothered to crack it. If TI had simply gone with 3DES there would have been no problem.

The moral of the story: stick to the standards people.

Snake Oil?

Top Questions:

1. Is this a proprietary or patented algorithm?

2. Has this algorithm gone through the usual rounds of analysis among the nations top cryptographers?

3. Has it been implemented in a FIPS 140-2 certified cryptographic module?

That should keep them busy.

Re:Snake Oil?

[flaws]

1) No - it is open source and technically public domain. 2) That is what we are attempting now - the preview is to get it lined up with crypto experts to review. 3) If it gets past 2, then that is something to consider.

Re:Well....maybe

[patchvonbraun]

Immunity in this case meaning that the work factor for mounting the attack is greater or equal to the work factor for brute-forcing the key. If brute-forcing the key costs 2**128 operations, and differential costs 2**129, for example, then you'd be crazy to attempt differential cryptanalysis, when bruting the key is cheaper. I admit to not having RTFP, so I can't evaluate their claim of immunity to DC and LC, but modern ciphers are deliberately designed to be resistant to attack via DC and LC.

Re:Snake-oil...

To: flaws@securescience.com
From: bruce@schneier.com
Subject: Peer Review

Flaws,
Peer review some algorithm you just made up? Wow. Definitely not Snake-oil. Gimme a break.

Bruce

>Bruce,
>We just came up with a 1337 crypto algo. You wanna peer review it for us?
>Peace,
>flaws

More hardware-efficient than Rijndael?

[ca1v1n]

I've actually designed the encryption end of a synthesizable Rijndael chip. It was lab 5 of ECE 435 at U.Va. Granted, that's a 4 1/2 credit course, and there were only 5 labs, but still. Adding the decryption would have less than doubled the work, and considerably less than doubled the silicon. Implementing AES in hardware is NOT hard. In the name of laziness, I did it in a highly parallel fashion a lot of work that could be serialized to reduce the transistor count by about a factor of 8, before getting to even slightly fancy optimization techniques.

You need some registers, some shifters, and some very minimal control logic. Doing the sbox algorithmically isn't terribly fast and requires a fair amount of logic, so generally you just use a 256 byte ROM for the sbox. With die space being as expensive as it was when DES was being designed, it's understandable that they did some weird things to make it fit on the chip. These days, nobody blinks at 10k transistors, even on embedded devices.

Sure, their 4x4 sbox is going to take a lot less space on the chip, but does that really buy anything? Their design document shows that 32 of them are necessary to do a whole round in a single step, while only 4 are needed for Rijndael. That's 2048 bits of ROM on CS2 and 8192 bits of ROM for Rijndael, but CS2 takes 33 rounds while the 128-bit version of Rijndael takes only 10. The amount of hardware required for comparable throughput is about the same, though Rijndael's pipeline is an order of magnitude shorter, due to fewer rounds and the rounds not having to go through that barrel-shifter network.