### Re: Secure Science issues preview of their upcoming block cipher

On Tue, 29 Mar 2005 16:06:05 +0100, Ian G [EMAIL PROTECTED] wrote: I'd be interested to hear why he wants to improve on AES. The issue with doing that is that any marginal improvements he makes will have trouble overcoming the costs involved with others analysing his work. Several things 1. Highlighted [we're talking Feb'04 here] the work I was doing on FPHTs. They're much more efficient than an MDS and because of my work they have known branches. 2. I also looked into the CS-cipher way of doing things. I was able to prove what Vaudenay could only count [he never proved the trail-weight of CS-Cipher] and from that I was able to also prove the 16-point case [e.g. CS^2]. 3. CS^2 is totally meant for a pipeline. It reuses the round transform for the key schedule. So what is CS^2? It's basically 8 rounds of a 4 layer FPHT with sboxes mixed in the 2-point transforms. 8*4 == 32 step pipeline. The keyschedule essentially is just computed as processing the key one layer ahead of the plaintext. Load the key in one cycle and the block in the next. Add some FSM to determine where the key material comes from for a given stage [e.g. the fixed sigma function or the key round that is one round ahead]. Why is this cool? First off, you can get a 2 cycle encrypt. But that's meaningless because cycle could mean several hundred nanoseconds... But what is a layer? a 2-point FPHT [e.g. xors of depth three] and two parallel sbox applications. The sboxes are efficiently computable as well with a xor depth of four [or so]. So effectively a layer has a XOR gate depth of about 8-9 at most. Second, you can process SIXTEEN different keys at once. So key agility is essentially a moot point. Third, there is no dedicated key scheduler like in AES. You do need some FSM to select where the round key comes from but that's about it. Fourth, It resists integration attacks a whole heap better than AES. Fifth, it's trivial to prove that classic LC and DC are inapplicable. Sixth, the sbox was not designed to be too algebraic. The 4x4 is just a random 4x4 with max LC/DC resistance for a bijection. The resulting 8x8 has a decently low LC/DC profile, no fixed points and no points of involution. Seventh, I wrote it. Therefore it's cool. Tom - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

Dan Kaminsky wrote: Have you looked at their scheme? http://www.securescience.net/ciphers/csc2/ Secure Science is basically publishing a cipher suite implemented by Tom St. Denis, author of Libtomcrypt. Aha! I seem to recall on this very list about 2 years back, Tom got crucified for trying to invent his own simple connection protocol. He withdrew from doing useful work in creating a new crypto protocol because of criticism here, and the world is a poorer place for it. I'd be interested to hear why he wants to improve on AES. The issue with doing that is that any marginal improvements he makes will have trouble overcoming the costs involved with others analysing his work. Using AES is just efficient, it allows us all to say, right, ok, next question in 2 seconds and then easily recommend his product. Still, even if he hasn't got any good reasons, I'd still support his right to try. iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

David Wagner wrote: Seecure Science Corporation writes: Secure Science is offering a preview of one of the 3 ciphers they will be publishing througout the year. [...] This cipher is [...] provably just as secure as AES-128. Adam Shostack writes: Really? How does one go about proving the security of a block cipher? Lance James @ Secure Science Corporation writes: We will be proposing 2 hashes as well. Well, that is completely non-responsive to the point Adam made. You used the term provably. Where is your proof? Did you understand the point Adam is making? In this field, the term provably means that there you have a mathematical proof. Do you have such a proof? I'm awfully skeptical Will you retract the claim that SS2 is provably just as secure as AES-128? David, There is a miswording here, we were trying to show that both AES and CS2-128 are resistant to the same class of attacks. We definitely did not try to state that they are equivalent. I recommend reading http://eprint.iacr.org/2004/085.pdf to see for yourself. -Lance As for your future hashes, will you be making similar claims? - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- Best Regards, Lance James Secure Science Corporation [Have Phishers stolen your customers' logins? Find out with DIA] https://slam.securescience.com/signup.cgi - it's free! - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

Have you looked at their scheme? http://www.securescience.net/ciphers/csc2/ The way to come up with a cipher provably as secure as AES-128 is to use AES-128 as part of your cipher -- but their scheme does not do anything like that. I am very skeptical about claims that they have a mathematical proof that CS2-128 is as secure as AES-128. I want to see the proof. Backstory: Secure Science is basically publishing a cipher suite implemented by Tom St. Denis, author of Libtomcrypt. Though not the most ... diplomatic of characters haunting sci.crypt, the guy's quite bright, is an absurdly prolific author (has quite literally written several hundred page books documenting use of Libtomcrypt and mechanisms for multiprecision math), and can be expected to generate cool things in the years to come. As for the manner of this cipher's publication...Tom actually did release the paper some time ago. See eprint @ http://eprint.iacr.org/2004/085 . Lance has Tom on staff, and...well, sort of blew the announce. He understands rather well the error of his ways, and is in all sorts of damage control. So, quick summary -- yes, that's a very cranky way to announce a cipher, no, it's not a crank cipher. --Dan - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

Really? How does one go about proving the security of a block cipher? My understanding is that you, and others, perform attacks against it, and see how it holds up. Many of the very best minds out there attacked AES, so for your new CS2 cipher to be provably just as secure as AES-128, all those people would have had to have spent as much time and energy as they did on AES. That strikes me as unlikely, there's a lot more interest in hash functions today. Adam PS: I've added the cryptography mail list to this. Some of the folks over there may be interested in your claims. On Wed, Mar 23, 2005 at 05:00:25PM -0800, BugTraq wrote: | Secure Science is offering a preview of one of the 3 ciphers they will | be publishing througout the year. The CS2-128 cipher is a 128-bit block | cipher with a 128 bit key. This cipher is proposed as an alternative | hardware-based cipher to AES, being that it is more efficient in | hardware, simpler to implement, and provably just as secure as AES-128. | | http://www.securescience.net/ciphers/csc2/ | | -- | Best Regards, | Secure Science Corporation | [Have Phishers stolen your customers' logins? Find out with DIA] | https://slam.securescience.com/signup.cgi - it's free! | - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

Adam Shostack wrote: Really? How does one go about proving the security of a block cipher? My understanding is that you, and others, perform attacks against it, and see how it holds up. Many of the very best minds out there attacked AES, so for your new CS2 cipher to be provably just as secure as AES-128, all those people would have had to have spent as much time and energy as they did on AES. That strikes me as unlikely, there's a lot more interest in hash functions today. We will be proposing 2 hashes as well. Adam PS: I've added the cryptography mail list to this. Some of the folks over there may be interested in your claims. On Wed, Mar 23, 2005 at 05:00:25PM -0800, BugTraq wrote: | Secure Science is offering a preview of one of the 3 ciphers they will | be publishing througout the year. The CS2-128 cipher is a 128-bit block | cipher with a 128 bit key. This cipher is proposed as an alternative | hardware-based cipher to AES, being that it is more efficient in | hardware, simpler to implement, and provably just as secure as AES-128. | | http://www.securescience.net/ciphers/csc2/ | | -- | Best Regards, | Secure Science Corporation | [Have Phishers stolen your customers' logins? Find out with DIA] | https://slam.securescience.com/signup.cgi - it's free! | -- Best Regards, Lance James Secure Science Corporation [Have Phishers stolen your customers' logins? Find out with DIA] https://slam.securescience.com/signup.cgi - it's free! - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

| Really? How does one go about proving the security of a block cipher? They don't claim that: This cipher is ... provably just as secure as AES-128. I can come up with a cipher provably just as secure as AES-128 very quickly (Actually, based on the paper a while back on many alternative ways to formulate AES - it had a catchy title something like How Many Ways Can You Spell AES?, except that I can't find one like that now - one could even come up with a formulation that is (a) probably as secure as AES-128; (b) actually faster in hardware or simpler to implement or whatever...) -- Jerry :-) | My understanding is that you, and others, perform attacks against it, | and see how it holds up. Many of the very best minds out there | attacked AES, so for your new CS2 cipher to be provably just as | secure as AES-128, all those people would have had to have spent as | much time and energy as they did on AES. That strikes me as unlikely, | there's a lot more interest in hash functions today. | | Adam | | PS: I've added the cryptography mail list to this. Some of the folks | over there may be interested in your claims. | | On Wed, Mar 23, 2005 at 05:00:25PM -0800, BugTraq wrote: | | Secure Science is offering a preview of one of the 3 ciphers they will | | be publishing througout the year. The CS2-128 cipher is a 128-bit block | | cipher with a 128 bit key. This cipher is proposed as an alternative | | hardware-based cipher to AES, being that it is more efficient in | | hardware, simpler to implement, and provably just as secure as AES-128. | | | | http://www.securescience.net/ciphers/csc2/ | | | | -- | | Best Regards, | | Secure Science Corporation | | [Have Phishers stolen your customers' logins? Find out with DIA] | | https://slam.securescience.com/signup.cgi - it's free! | | | | - | The Cryptography Mailing List | Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] | - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Secure Science issues preview of their upcoming block cipher

Jerrold Leichter writes: They don't claim that: This cipher is ... provably just as secure as AES-128. I can come up with a cipher provably just as secure as AES-128 very quickly Actually, I think Adam is totally right. Have you looked at their scheme? http://www.securescience.net/ciphers/csc2/ The way to come up with a cipher provably as secure as AES-128 is to use AES-128 as part of your cipher -- but their scheme does not do anything like that. I am very skeptical about claims that they have a mathematical proof that CS2-128 is as secure as AES-128. I want to see the proof. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

| Jerrold Leichter writes: | They don't claim that: | | This cipher is ... provably just as secure as AES-128. | | I can come up with a cipher provably just as secure as AES-128 very quickly | | Actually, I think Adam is totally right. | | Have you looked at their scheme? | http://www.securescience.net/ciphers/csc2/ I was responding in jest to the text Adam actually quoted - and indeed was refering to: | The way to come up with a cipher provably as secure as AES-128 is to use | AES-128 as part of your cipher [Remind self once more: Ironic humor doesn't work in mail] |-- but their scheme does not do anything | like that. | | I am very skeptical about claims that they have a mathematical proof that | CS2-128 is as secure as AES-128. I want to see the proof. I didn't see that claim on their site, but then again I only glanced at it quickly. Unless they have some entirely new kind of reduction, I'm guessing that what they are really claiming is that the same proofs of security that are available for AES - against generalized differential attacks, for example - are also available for CSC2. *That* much is certainly possible. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

### Re: Secure Science issues preview of their upcoming block cipher

Jerrold Leichter wrote: I can come up with a cipher provably just as secure as AES-128 very quickly (Actually, based on the paper a while back on many alternative ways to formulate AES - it had a catchy title something like How Many Ways Can You Spell AES?, except that I can't find one like that now - one could even come up with a formulation that is (a) probably as secure as AES-128; (b) actually faster in hardware or simpler to implement or whatever...) You're probably looking for [1] by Barkan and Biham. What they do is replacing the irreducible polynomial and all the constants involved in Rijndael to get what they call dual ciphers; basically those ciphers are isomorphic to Rijndael. All in all they get 240 dual ciphers which are listed in [2]. What I found more interesting back then was that they also give square dual and log dual ciphers of Rijndael. I.e. let E be the Rijndael encryption and E' be the encryption function of the square/log dual Rijndael construction. Furthermore let f be a function that either performs bytewise squaring in GF(2^8) or replaces each byte with a logarithmic representation (relative to a generator g. you also need to fix log_g(0) = -\infty for this to make sense). Then E'(f(plaintext), f(key)) = f(E(plaintext, key)) holds. The squaring construction then also naturally extends to what they call higher-order self dual ciphers: meaning you can apply the squaring multiple times. In 2004 Wu, Lu and Laih then demonstrated that using Barkan's and Biham's method can indeed lead to more efficient implementations of AES/Rijndael in hardware. Cheers, Ralf [1] Elad Barkan and Eli Biham: In How Many Ways Can You Write Rijndael? ASIACRYPT 2002, Springer note: also on ePrint as http://eprint.iacr.org/2002/157 if you don't have Springer Link access [2] Elad Barkan and Eli Biham: The Book of Rijndaels http://eprint.iacr.org/2002/158 [3] Shee-Yau Wu and Shih-Chuan Lu and Chi Sung Laih: Design of AES Based on Dual Cipher and Composite Field Topics in Cryptology, CT-RSA 2004, Springer -- Ralf-P. Weinmann [EMAIL PROTECTED] TU Darmstadt, FB Informatik, FG Theoretische Informatik Tel: +49-(0)6151-16-6628 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]