### Re: Secure Science issues preview of their upcoming block cipher

On Tue, 29 Mar 2005 16:06:05 +0100, Ian G [EMAIL PROTECTED] wrote:

> I'd be interested to hear why he wants to improve on AES. The issue with doing that is that any marginal improvements he makes will have trouble overcoming the costs involved with others analysing his work.

Several things:

1. Highlighted [we're talking Feb '04 here] the work I was doing on FPHTs. They're much more efficient than an MDS and because of my work they have known branches.
2. I also looked into the CS-cipher way of doing things. I was able to prove what Vaudenay could only count [he never proved the trail weight of CS-Cipher] and from that I was able to also prove the 16-point case [e.g. CS^2].
3. CS^2 is totally meant for a pipeline. It reuses the round transform for the key schedule.

So what is CS^2? It's basically 8 rounds of a 4-layer FPHT with sboxes mixed in the 2-point transforms. 8*4 == 32 step pipeline. The key schedule essentially is just computed as processing the key one layer ahead of the plaintext. Load the key in one cycle and the block in the next. Add some FSM to determine where the key material comes from for a given stage [e.g. the fixed sigma function or the key round that is one round ahead].

Why is this cool?

First off, you can get a 2 cycle encrypt. But that's meaningless because cycle could mean several hundred nanoseconds... But what is a layer? A 2-point FPHT [e.g. xors of depth three] and two parallel sbox applications. The sboxes are efficiently computable as well with a xor depth of four [or so]. So effectively a layer has a XOR gate depth of about 8-9 at most.

Second, you can process SIXTEEN different keys at once. So key agility is essentially a moot point.

Third, there is no dedicated key scheduler like in AES. You do need some FSM to select where the round key comes from but that's about it.

Fourth, it resists integration attacks a whole heap better than AES.

Fifth, it's trivial to prove that classic LC and DC are inapplicable.

Sixth, the sbox was not designed to be too algebraic. The 4x4 is just a random 4x4 with max LC/DC resistance for a bijection. The resulting 8x8 has a decently low LC/DC profile, no fixed points and no points of involution.

Seventh, I wrote it. Therefore it's cool.

Tom

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

### Re: Feedback from the LibTomMath Book?

[Originally I was going to make this a private reply but since I have a cool explanation of Karatsuba I'll share it with the group]

--- Anton Stiglic [EMAIL PROTECTED] wrote:

> I think it looks pretty good! Here are some comments:
>
> On page 82 you mention Fourier Transform based solutions, but don't describe any later on. It would be nice if you did.

Two problems:

1. I don't fully understand the FFT based solutions.
2. I personally don't see the need for FFT in common day algorithms. Heck, even Toom-Cook won't kick in until the numbers are very large.

> Recently I needed a fast square-root routine, and found that not many libraries have one (OpenSSL has a mod square but not a straightforward square root function, GMP has a square-root but it doesn't seem to be fast, bc is faster than GMP for that...). If you could write something about that it would be nice. I think Karatsuba square root is good for that: http://www.inria.fr/rrrt/rr-3805.html
>
> Oddly enough, Zimmermann implemented this in GMP but I don't know why it's slow...

I do include a Newton based root function which is fairly fast [haven't timed it against others]. I'll look into others.

> In section 6.2.4, equation 6.6, you wrote:
>
>     f(x)*g(x) = acx^2 + ((a - b)(c - d) + ac + bd)x + bd
>
> That doesn't seem to work, since it gives
>
>     acx^2 + a(c - d)x - b(c - d)x + acx + bdx + bd
>     = acx^2 + acx - adx - bcx + bdx + acx + bdx + bd
>     = acx^2 + 2acx + 2bdx - adx - bcx + bd

Examine the terms.

    ac = W(oo) = 1W_2 + 0W_1 + 0W_0
    bd = W(0)  = 0W_2 + 0W_1 + 1W_0

The middle term (a - b)(c - d) can be written as

    (a_1 - a_0)(b_1 - b_0) = (-a(-1))(-b(-1)) = -\Zeta_{-1}

where a(x) = a_1*x + a_0 [same for b(x)]. So

    -a(-1) == -(a_1 * -1 + a_0) == a_1 - a_0

This would give, where W(x) == w_2 * x^2 + w_1 * x + w_0,

    -W(-1) = (-a(-1))(-b(-1)) = -(w_2 * 1 + w_1 * -1 + w_0) = -w_2 + w_1 - w_0

Which combined gives you the matrix

    W(0)   =  0  0  1
    -W(-1) = -1  1 -1
    W(oo)  =  1  0  0

This means adding the two terms gives you the middle w_1 term. Hence the polynomial is actually correct.

Alternatively you can use W(1) = w_2 + w_1 + w_0 = a(1)b(1) and subtract the first and third row from the middle.

> On the primality test section, maybe you should note that the Miller-Rabin test doesn't have any candidates that will pass the test for all bases (such as Carmichael numbers for the Fermat test). You should also talk about the probabilities, HAC, see in particular note 4.47 so as not to make the same mistake that a lot of people make... You should understand that note very well.

Will do. I wanted to get the book out the door quick so I just finished the pseudo code ...

> Continue the good work!

Thanks,
Tom
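The two-limb Karatsuba step argued over above, carried through in C as an added example (this is not the book's or LibTomMath's code): it builds the middle coefficient from the three evaluations W(oo), W(0) and W(-1), and checks the result against an exact 64-bit product. Limb size B = 2^16 and the function names are my choice.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Two-limb Karatsuba: write x = a*B + b and y = c*B + d with B = 2^16,
 * so that x*y = ac*B^2 + (ad + bc)*B + bd.
 * Evaluating W(t) = (a*t + b)(c*t + d) = w_2 t^2 + w_1 t + w_0 at three
 * points gives
 *   W(oo) = ac,   W(0) = bd,   W(-1) = (b - a)(d - c) = (a - b)(c - d),
 * and since W(-1) = w_2 - w_1 + w_0 the middle coefficient is
 *   w_1 = W(oo) + W(0) - W(-1) = ac + bd - (a - b)(c - d)   (= ad + bc),
 * costing three half-size multiplications instead of four.
 */

/* Middle coefficient from the three evaluation points. Signed 64-bit
 * arithmetic because (a - b)(c - d) can be negative; every product of
 * two 16-bit limbs is below 2^32, so nothing overflows. */
int64_t karatsuba_middle(uint16_t a, uint16_t b, uint16_t c, uint16_t d)
{
    int64_t w_inf = (int64_t)a * c;                       /* W(oo) */
    int64_t w_0   = (int64_t)b * d;                       /* W(0)  */
    int64_t w_m1  = ((int64_t)a - b) * ((int64_t)c - d);  /* W(-1) */
    return w_inf + w_0 - w_m1;
}

/* Exact 64-bit product of two 32-bit values using three 16x16 products. */
uint64_t karatsuba_mul32(uint32_t x, uint32_t y)
{
    uint16_t a = (uint16_t)(x >> 16), b = (uint16_t)(x & 0xFFFF);
    uint16_t c = (uint16_t)(y >> 16), d = (uint16_t)(y & 0xFFFF);
    uint64_t hi  = (uint64_t)a * c;
    uint64_t lo  = (uint64_t)b * d;
    uint64_t mid = (uint64_t)karatsuba_middle(a, b, c, d); /* ad + bc < 2^33 */
    return (hi << 32) + (mid << 16) + lo;
}

int main(void)
{
    uint32_t x = 123456789u, y = 987654321u;
    printf("%u * %u = %llu (schoolbook: %llu)\n", x, y,
           (unsigned long long)karatsuba_mul32(x, y),
           (unsigned long long)((uint64_t)x * y));
    return 0;
}
```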

### Feedback from the LibTomMath Book?

Close to 100 people have downloaded the book so far [which is a lot given the nature of the book] and although it has only been two days I was wondering if anyone has any initial impressions [good or bad]. I'm going to start the editing phase of the text fairly soon so I'd like to know what people thought of it before I get started.

I won't repost the url since I don't want to spam the list [if you want it just email me in private].

Thanks,
Tom

### Draft Edition of LibTomMath book

The Draft Edition of the LibTomMath book [book about how to implement bignum math] is freely available on my site at http://book.libtomcrypt.org

Keep in mind it is a draft and has not been edited yet. However, if you ever wanted to learn how to implement efficient [portable too] bignum math routines you might want to give it a read.

Enjoy,
Tom

### re: Draft Edition of LibTomMath book

Just a quick comment. The PDF is not a web friendly PDF so if you are trying to view it inline with your browser you have to wait for it to download completely first. I've managed 80KB/sec off the site so it doesn't take too long to grab it. Alternatively you can grab the .PDF.BZ2 file and decompress it locally.

I'm only making this comment because I've noted quite a few incomplete downloads...

Thanks,
Tom
http://book.libtomcrypt.org

### Re: Draft Edition of LibTomMath book

--- bear [EMAIL PROTECTED] wrote:

> One thing that I've noticed for a long time is that there are *VERY* few math libraries that don't leave whatever numbers they're working with in memory when deallocating (deallocating heap via free() or deallocating stack via returning from a procedure call or deallocating swapspace by getting paged back in off a disk). And numbers that an application leaves lying around in whatever working memory or media it's using can be discovered and exploited by other programs - frequently by unauthorized ones.

Very true. LibTomMath will actually wipe the memory allocated [via memset] before free'ing but I leave it up to the end user to lock their heap from swapping.

Tom
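The wipe-before-free practice described in the reply above, as an added C example (not LibTomMath's own code): a plain memset() right before free() is a dead store that an optimizing compiler may delete, so the wipe goes through a volatile pointer; locking the heap out of swap is left to the caller, as in the thread. The function names and the 0xA5 fill pattern are my own constructions.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/*
 * Zero a buffer in a way the optimizer cannot drop. A memset() whose
 * result is never read again (the buffer is freed next) may legally be
 * removed as a dead store, leaving the limbs in memory. Stores through a
 * volatile pointer must be emitted. Keeping the pages out of swap
 * (mlock(2) on POSIX) is a separate, platform-specific step.
 */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0)
        *vp++ = 0;
}

/* free() replacement for secret-holding buffers. The caller supplies the
 * size because free() does not expose it. */
void secure_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    secure_zero(p, n);
    free(p);
}

/* Number of non-zero bytes in buf, used to check that a wipe took effect. */
size_t count_nonzero(const unsigned char *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            k++;
    return k;
}

/* Demonstration: fill a buffer with a constructed "secret" pattern, wipe it,
 * and return how many bytes survived (expected 0); (size_t)-1 on error. */
size_t wipe_demo(size_t n)
{
    unsigned char *limbs = malloc(n);
    if (limbs == NULL)
        return (size_t)-1;
    memset(limbs, 0xA5, n);            /* constructed secret, not key data */
    size_t before = count_nonzero(limbs, n);
    secure_zero(limbs, n);
    size_t after = count_nonzero(limbs, n);
    free(limbs);
    return before == n ? after : (size_t)-1;
}
```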

### Re: Session Fixation Vulnerability in Web Based Apps

--- James A. Donald [EMAIL PROTECTED] wrote:

> On 12 Jun 2003 at 16:25, Steve Schear wrote:
>
> > http://www.acros.si/papers/session_fixation.pdf
>
> Wow. This flaw is massive, and the biggest villain is the server side code created for Apache.

You really lack some fundamental understanding. https uses a secure private link to create a private http session. It has NOTHING to do with authentication nor identity.

For example, when you first login to say yahoo [for email] you're on https. Even before yahoo knows who you are. Think of a verbal handshake in the Get Smart cone of silence...

The fact that people randomly give away *their* secrets doesn't mean the system is flawed. It means the people are ignorant.

Tom

### Re: An attack on paypal

--- James A. Donald [EMAIL PROTECTED] wrote:

> On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
>
> > Let me point folk at http://www.securityfocus.com/news/5654 for a related issue. To put it very briefly, *real* authentication is hard.
>
> I don't think so. Verisign's authentication is notoriously worthless and full of holes, yet very few attacks have been based on getting certificates issued to wrong party, or on stealing poorly defended and readily accessible certificates, even though that is quite easy to do.

On the whole PKI as used today is fairly useless. I mean just because Company A signed/issued me a key doesn't mean I'm a nice guy nor a legit business. All it means is I paid money to have another company sign my key.

What *would* be more useful is a model of web-o-trust. E.g. you make up your own key. Then you import public keys from third-party auditors you trust. Over time the auditors will visit the business and if they like it they will sign the key. So say you trust auditors A, B and C and I trust auditors B, C and D. Well chances are if company Z is good they will be audited by at least one of the auditors we have in common.

Unfortunately there is easy corruption in this model so you would have to keep tabs on your auditor yourself. However, in this model it wouldn't cost money [hey everything net-related should cost money right?] and would actually be meaningful.

Tom