Re: Secure Science issues preview of their upcoming block cipher

2005-05-20 Thread Tom St Denis
On Tue, 29 Mar 2005 16:06:05 +0100, Ian G [EMAIL PROTECTED] wrote:
 I'd be interested to hear why he wants to
 improve on AES.  The issue with doing that
 is that any marginal improvements he makes
 will have trouble overcoming the costs
 involved with others analysing his work.

Several things:

1.  Highlighted [we're talking Feb'04 here] the work I was doing on
FPHTs.  They're much more efficient than an MDS and because of my work
they have known branches.

2.  I also looked into the CS-cipher way of doing things.  I was able
to prove what Vaudenay could only count [he never proved the
trail-weight of CS-Cipher] and from that I was able to also prove the
16-point case [e.g. CS^2].

3.  CS^2 is totally meant for a pipeline.  It reuses the round
transform for the key schedule.

So what is CS^2?  It's basically 8 rounds of a 4 layer FPHT with
sboxes mixed in the 2-point transforms.  8*4 == 32 step pipeline.
The key schedule essentially is just computed as processing the key one
layer ahead of the plaintext.

Load the key in one cycle and the block in the next.  Add some FSM to
determine where the key material comes from for a given stage [e.g.
the fixed sigma function or the key round that is one round ahead].

Why is this cool?

First off, you can get a 2 cycle encrypt.  But that's meaningless
because a cycle could mean several hundred nanoseconds...   But what
is a layer?   A 2-point FPHT [e.g. xors of depth three] and two
parallel sbox applications.  The sboxes are efficiently computable as
well with a xor depth of four [or so].  So effectively a layer has a
XOR gate depth of about 8-9 at most.

Second, you can process SIXTEEN different keys at once.  So key
agility is essentially a moot point.

Third, there is no dedicated key scheduler like in AES.  You do need
some FSM to select where the round key comes from but that's about it.

Fourth, it resists integration attacks a whole heap better than AES.

Fifth, it's trivial to prove that classic LC and DC are inapplicable.

Sixth, the sbox was not designed to be too algebraic.  The 4x4 is just
a random 4x4 with max LC/DC resistance for a bijection.  The resulting
8x8 has a decently low LC/DC profile, no fixed points and no points of
involution.

Seventh, I wrote it.  Therefore it's cool.

Tom

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feedback from the LibTomMath Book?

2003-06-28 Thread tom st denis
[Originally I was going to make this a private reply but since I have a
cool explanation of Karatsuba I'll share it with the group]

--- Anton Stiglic [EMAIL PROTECTED] wrote:
 
 I think it looks pretty good!
 
 Here are some comments:
 
 On page 82 you mention Fourier Transform based solutions, but
 don't describe any later on.  It would be nice if you did.

Two problems

1.  I don't fully understand the FFT based solutions
2.  I personally don't see the need for FFT in common day algorithms. 
Heck even Toom-Cook won't kick in until the numbers are very large.


 Recently I needed a fast Square-root routine, and found that not many
 libraries have one (OpenSSL has a mod square but not a
 straightforward
 square root function, GMP has a square-root but it doesn't seem to be
 fast,
 bc is faster than GMP for that...).
 If you could write something about that it would be nice. I think
 Karatsuba
 square root is good for that:
 http://www.inria.fr/rrrt/rr-3805.html
 Oddly enough, Zimmermann implemented this in GMP but I don't know why
 it's slow...

I do include a Newton-based root function which is fairly fast [haven't
timed it against others].  I'll look into others.

 In section 6.2.4, equation 6.6., you wrote:
 f(x)*g(x) = acx^2 + ((a -b)(c-d) + ac + bd)x + bd
 
 That doesn't seem to work, since it gives
 acx^2 + a(c-d)x - b(c-d)x + acx + bdx + bd
 = acx^2 +acx -adx -bcx +bdx +acx + bdx +bd
 = acx^2 +2acx +2bdx -adx -bcx +bc

Examine the terms.  

ac = W(oo) = 1W_2 + 0W_1 + 0W_0
bd = W(0)  = 0W_2 + 0W_1 + 1W_0

The middle term

(a - b)(c - d)

can be written as 

(a_1 - a_0)(b_1 - b_0)  = (-a(-1))(-b(-1)) = -\Zeta_{-1}

Where a(x) = a_1*x + a_0 [same for b(x)]

So -a(-1) == -(a_1 * -1 + a_0) == a_1 - a_0

This would give where W(x) == w_2 * x^2 + w_1 * x + w_0

-W(-1) = (-a(-1))(-b(1)) = -(w_2 * 1 + w_1 * -1 + w_0) = -w_2 + w_1 - w_0

Which combined gives you the matrix

 W(0)  =  0  0  1
-W(-1) = -1  1 -1
 W(oo) =  1  0  0

This means adding the two terms gives you the middle w_1 term.  Hence
the polynomial is actually correct.

Alternatively you can use W(1) = w_2 + w_1 + w_0 = a(1)b(1) and
subtract the first and third row from the middle.  

 On the primality test section, maybe you should note that the
 Miller-Rabin test doesn't have any candidates that will
 pass the test for all bases (such as Carmichael numbers for
 the Fermat test).  You should also talk about the probabilities,
 HAC, see in particular note 4.47 so as not to make the same
 mistake that a lot of people make...  You should understand
 that note very well.

Will do.  I wanted to get the book out the door quick so I just
finished the pseudo code ... 

 Continue the good work!

Thanks,
Tom
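The evaluation-point view in the reply above, worked through as an added example in C (not code from the LibTomMath book or the thread): W(0), W(oo) and W(-1) give the three coefficients of a(x)*b(x), with the convention W(-1) = a(-1)*b(-1) = (a1 - a0)(b1 - b0), so the middle coefficient is W(0) + W(oo) - W(-1); the W(1) alternative mentioned at the end of the reply is checked alongside it. The 16-bit limb width, the struct and all function names are assumptions.

```c
/* Added example, not code from the LibTomMath book or the thread: the two-limb
 * Karatsuba product via the evaluation points W(0), W(-1), W(oo) from the post,
 * and a 32-bit multiply built on it. Limbs are 16 bits so every intermediate
 * fits in 64-bit signed arithmetic; all names here are hypothetical. */
#include <stdint.h>

typedef struct { int64_t w2, w1, w0; } poly2_t;  /* W(x) = w2*x^2 + w1*x + w0 */

/* a(x) = a1*x + a0, b(x) = b1*x + b0: three multiplications instead of four. */
poly2_t karatsuba_wm1(uint16_t a1, uint16_t a0, uint16_t b1, uint16_t b0)
{
    poly2_t w;
    int64_t w_inf = (int64_t)a1 * b1;   /* W(oo) = ac */
    int64_t w_0   = (int64_t)a0 * b0;   /* W(0)  = bd */
    /* W(-1) = a(-1)*b(-1) = (a1 - a0)(b1 - b0); can be negative, hence signed. */
    int64_t w_m1  = ((int64_t)a0 - a1) * ((int64_t)b0 - b1);
    /* Matrix row [-1 1 -1]: -W(-1) = -w2 + w1 - w0, so w1 = W(0) + W(oo) - W(-1). */
    w.w2 = w_inf;
    w.w1 = w_0 + w_inf - w_m1;
    w.w0 = w_0;
    return w;
}

/* Multiply two 32-bit integers by evaluating W(x) at x = 2^16. */
uint64_t kmul32(uint32_t a, uint32_t b)
{
    poly2_t w = karatsuba_wm1(a >> 16, a & 0xFFFF, b >> 16, b & 0xFFFF);
    return ((uint64_t)w.w2 << 32) + ((uint64_t)w.w1 << 16) + (uint64_t)w.w0;
}

/* Sweep constructed LCG inputs and compare the W(-1) form, the W(1) form
 * and the schoolbook middle term ad + bc, plus the native 64-bit product.
 * Returns 1 when every case agrees. */
int karatsuba_selfcheck(void)
{
    uint32_t s = 0x12345678u;
    for (int i = 0; i < 10000; i++) {
        s = s * 1664525u + 1013904223u;           /* constructed test input */
        uint32_t a = s, b = s ^ 0xA5A5A5A5u;
        uint16_t a1 = a >> 16, a0 = a & 0xFFFF, b1 = b >> 16, b0 = b & 0xFFFF;
        poly2_t p = karatsuba_wm1(a1, a0, b1, b0);
        int64_t mid = (int64_t)a1 * b0 + (int64_t)a0 * b1;
        /* The W(1) alternative from the post: w1 = W(1) - W(oo) - W(0). */
        int64_t alt = ((int64_t)a1 + a0) * ((int64_t)b1 + b0) - p.w2 - p.w0;
        if (p.w1 != mid || alt != mid || kmul32(a, b) != (uint64_t)a * b) return 0;
    }
    return 1;
}
```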

__
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com



Feedback from the LibTomMath Book?

2003-06-27 Thread tom st denis
Close to 100 people have downloaded the book so far [which is a lot
given the nature of the book] and although it has only been two days I
was wondering if anyone has any initial impressions [good or bad].

I'm going to start the editing phase of the text fairly soon so I'd
like to know what people thought of it before I get started.

I won't repost the url since I don't want to spam the list [if you
want it just email me in private].

Thanks,
Tom



Draft Edition of LibTomMath book

2003-06-25 Thread tom st denis
The Draft Edition of the LibTomMath book [book about how to implement
bignum math] is freely available on my site at

http://book.libtomcrypt.org

Keep in mind it is a draft and has not been edited yet.  However, if
you ever wanted to learn how to implement efficient [portable too]
bignum math routines you might want to give it a read.

Enjoy,
Tom



re: Draft Edition of LibTomMath book

2003-06-25 Thread tom st denis
Just a quick comment.  The PDF is not a web friendly PDF so if you
are trying to view it inline with your browser you have to wait for
it to download completely first.

I've managed 80KB/sec off the site so it doesn't take too long to grab
it.  Alternatively you can grab the .PDF.BZ2 file and decompress it
locally.  I'm only making this comment because I've noted quite a few
incomplete downloads...

Thanks,
Tom
http://book.libtomcrypt.org



Re: Draft Edition of LibTomMath book

2003-06-25 Thread tom st denis

--- bear [EMAIL PROTECTED] wrote:
 One thing that I've noticed for a long time is that there
 are *VERY* few math libraries that don't leave whatever
 numbers they're working with in memory when deallocating
 (deallocating heap via free() or deallocating stack via
 returning from a procedure call or deallocating swapspace
 by getting paged back in off a disk).
 
 And numbers that an application leaves lying around in
 whatever working memory or media it's using, can be
 discovered and exploited by other programs - frequently
 by unauthorized ones.

Very true.  LibTomMath will actually wipe the memory allocated [via
memset] before freeing but I leave it up to the end user to lock their
heap from swapping.

Tom
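An added example in C, not LibTomMath's own code, of the wipe-before-free the reply describes, together with the caveat a practitioner should know: a memset() immediately before free() is a dead store that an optimizing compiler may remove, so the wipe is done through a volatile pointer instead. The bn_t struct and every name below are hypothetical.

```c
/* Added example, not LibTomMath's own code: wiping a bignum's limbs before
 * free(), and why a plain memset() there is not enough. The bn_t struct and
 * all names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t *dp; size_t alloc; } bn_t;  /* limbs and their count */

int bn_init(bn_t *a, size_t limbs)
{
    a->dp = calloc(limbs, sizeof(uint32_t));
    a->alloc = a->dp ? limbs : 0;
    return a->dp != NULL;
}

/* A memset() immediately followed by free() is a dead store from the
 * compiler's point of view: nothing reads the block afterwards, so the
 * optimizer is allowed to drop it and the limbs may survive in freed memory. */
void bn_clear_naive(bn_t *a)
{
    memset(a->dp, 0, a->alloc * sizeof(uint32_t));
    free(a->dp);
    a->dp = NULL; a->alloc = 0;
}

/* Stores through a volatile pointer cannot be elided, so the wipe happens. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

void bn_clear(bn_t *a)
{
    if (a->dp) secure_zero(a->dp, a->alloc * sizeof(uint32_t));
    free(a->dp);
    a->dp = NULL; a->alloc = 0;
}

/* Fill a number with non-zero limbs, wipe them in place, and report whether
 * every limb is zero before the block is released; returns 1 if so. */
int bn_wipe_check(size_t limbs)
{
    bn_t a;
    if (!bn_init(&a, limbs)) return 0;
    for (size_t i = 0; i < limbs; i++) a.dp[i] = 0xDEADBEEFu ^ (uint32_t)i;
    secure_zero(a.dp, limbs * sizeof(uint32_t));
    int ok = 1;
    for (size_t i = 0; i < limbs; i++) ok &= (a.dp[i] == 0);
    bn_clear(&a);
    return ok;
}
```

Locking the heap against swapping, which the reply leaves to the caller, is a separate step (mlock() on POSIX systems) and is not shown here.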



Re: Session Fixation Vulnerability in Web Based Apps

2003-06-13 Thread tom st denis

--- James A. Donald [EMAIL PROTECTED] wrote:
 --
 On 12 Jun 2003 at 16:25, Steve Schear wrote: 
 http://www.acros.si/papers/session_fixation.pdf
 
 Wow.
 
 This flaw is massive, and the biggest villain is the server
 side code created for Apache.

You really lack some fundamental understanding.

https uses a secure private link to create a private http session.  It
has NOTHING to do with authentication nor identity.

For example, when you first log in to, say, Yahoo [for email] you're on
https.  Even before Yahoo knows who you are.  Think of a verbal
handshake in the Get Smart cone of silence.

The fact that people randomly give away *their* secrets doesn't mean
the system is flawed.  It means the people are ignorant.

Tom



Re: An attack on paypal

2003-06-12 Thread tom st denis

--- James A. Donald [EMAIL PROTECTED] wrote:
 --
 On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
  Let me point folk at http://www.securityfocus.com/news/5654 
  for a related issue.  To put it very briefly, *real*
  authentication is hard.
 
 I don't think so.
 
 Verisign's authentication is notoriously worthless and full of
 holes, yet very few attacks have been based on getting
 certificates issued to wrong party, or on stealing poorly
 defended and readily accessible certificates, even though that
 is quite easy to do.

On the whole PKI as used today is fairly useless.  I mean just because
Company A signed/issued me a key doesn't mean I'm a nice guy nor a
legit business.  All it means is I paid money to have another company
sign my key.

What *would* be more useful is a model of web-o-trust.  E.g. you make
up your own key.  Then you import public keys from third-party auditors
you trust.  Over time the auditors will visit the business and if they
like it they will sign the key.

So say you trust auditors A, B and C and I trust auditors B, C and D.
Well chances are if company Z is good they will be audited by at least
one of the auditors we have in common.

Unfortunately there is easy corruption in this model so you would have
to keep tabs on your auditor yourself.   However, in this model it
wouldn't cost money [hey everything net-related should cost money
right?] and would actually be meaningful.

Tom
