On Tue, 29 Mar 2005 16:06:05 +0100, Ian G <[EMAIL PROTECTED]> wrote:

> I'd be interested to hear why he wants to
> "improve" on AES. The issue with doing that
> is that any marginal improvements he makes
> will have trouble overcoming the costs
> involved with others analysing his work.
Several things

1. Highlighted [we're talking Feb'04 here] the work I was doing on FPHTs. They're much more efficient than an MDS and because of my work they have known branches.

2. I also looked into the CS-cipher way of doing things. I was able to prove what Vaudenay could only "count" [he never proved the trail-weight of CS-Cipher] and from that I was able to also prove the 16-point case [e.g. CS^2].

3. CS^2 is totally meant for a pipeline. It reuses the round transform for the key schedule.

So what is CS^2? It's basically 8 rounds of a 4 layer FPHT with sboxes mixed in the 2-point transforms. 8*4 == 32 step pipeline. The key schedule essentially is just computed as processing the key one "layer" ahead of the plaintext. Load the key in one cycle and the block in the next. Add some FSM to determine where the key material comes from for a given stage [e.g. the fixed sigma function or the key round that is one round ahead].

Why is this cool?

First off, you can get a 2 cycle encrypt. But that's meaningless because "cycle" could mean several hundred nanoseconds... But what is a "layer"? A 2-point FPHT [e.g. xors of depth three] and two parallel sbox applications. The sboxes are efficiently computable as well with a xor depth of four [or so]. So effectively a "layer" has a XOR gate depth of about 8-9 at most.

Second, you can process SIXTEEN different keys at once. So key agility is essentially a moot point.

Third, there is no dedicated "key scheduler" like in AES. You do need some FSM to select where the round key comes from but that's about it.

Fourth, it resists integration attacks a whole heap better than AES.

Fifth, it's trivial to prove that classic LC and DC are inapplicable.

Sixth, the sbox was not designed to be too algebraic. The 4x4 is just a random 4x4 with max LC/DC resistance for a bijection. The resulting 8x8 has a decently low LC/DC profile, no fixed points and no points of involution.

Seventh, I wrote it. Therefore it's cool.
Tom

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
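As an added illustration (not Tom's code and not the CS^2 specification), this Python sketch models the layered structure the mail describes: a 16-byte block passes through 4 butterfly layers per round, each 2-point PHT followed by an S-box, while the key state is pushed through the same layer transform one layer ahead and used as that layer's subkey. The S-box, the `SIGMA` constant and the exact key mixing are constructed placeholders; `dependency_sets` shows why log2(16) = 4 layers are enough for every output byte to depend on every input byte.

```python
import random

# Constructed 8-bit bijective S-box: a seeded random permutation so the sketch
# runs offline. It is NOT the 4x4-derived S-box described in the mail.
SBOX = list(range(256))
random.Random(2005).shuffle(SBOX)
# Constructed fixed constant standing in for the "sigma" function the mail mentions.
SIGMA = [(17 * i + 3) & 0xFF for i in range(16)]


def pht(a, b):
    """2-point pseudo-Hadamard transform on bytes: (2a + b, a + b) mod 256.
    The matrix [[2,1],[1,1]] has determinant 1, so this is invertible."""
    return (2 * a + b) & 0xFF, (a + b) & 0xFF


def layer(block, k, subkey):
    """One layer: xor in the subkey, then butterflies over position pairs that
    differ in bit k of the index, each PHT followed by the S-box (assumed placement)."""
    out = [x ^ s for x, s in zip(block, subkey)]
    for i in range(16):
        j = i | (1 << k)
        if i != j:  # i has bit k clear; j is its partner with bit k set
            a, b = pht(out[i], out[j])
            out[i], out[j] = SBOX[a], SBOX[b]
    return out


def encrypt(block, key, rounds=8):
    """8 rounds x 4 layers = 32 pipeline steps. The key state is advanced by the
    same layer transform (with SIGMA) one layer ahead of the data and then used
    as that layer's subkey; this is an assumed reading of 'one layer ahead'."""
    state, kstate = list(block), list(key)
    for _ in range(rounds):
        for k in range(4):
            kstate = layer(kstate, k, SIGMA)
            state = layer(state, k, kstate)
    return state


def dependency_sets(layers):
    """Symbolically track which input positions each output position depends on
    after `layers` butterfly layers (key material ignored)."""
    deps = [{i} for i in range(16)]
    for k in range(layers):
        nxt = list(deps)
        for i in range(16):
            j = i | (1 << k)
            if i != j:
                nxt[i] = nxt[j] = deps[i] | deps[j]
        deps = nxt
    return deps
```

Every step (subkey xor, PHT, bijective S-box) is invertible, so for a fixed key `encrypt` is a bijection on the block even though no decryption routine is written here.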