--- begin forwarded text

Date: Mon, 29 Oct 2001 02:50:31 -0600 (CST)
From: InfoSec News <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [ISN] Cryptanalysis of Multiswap
Sender: [EMAIL PROTECTED]
Reply-To: InfoSec News <[EMAIL PROTECTED]>

Forwarded from: Gary Stock <[EMAIL PROTECTED]>

Topic: a new Microsoft block cipher dissected, and its weakness revealed.

Some readers may prefer a more 'mainstream' analysis of this exploit,
which I suspect will appear soon enough.  The original introduction and
conclusion appear below, with full details here:

   http://www.cs.berkeley.edu/~rtjohnso/multiswap/

The use of graphical notation in the original may make transcription to
flat text inappropriate.  I encourage interested cryptogs to visit the
URL directly (while it is permitted to persist :-)

A few mirrors, with proper attribution, might not hurt...

GS

=====

Cryptanalysis of Multiswap

Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner
UC Berkeley

An anonymous security researcher working under the pseudonym "Beale
Screamer" reverse engineered the Microsoft Digital Rights Management
subsystem and, by October 20th, the results were available on
cryptome.org.  As part of the reverse engineering effort Screamer found
an unpublished block cipher, which he dubbed MultiSwap, being used as
part of DRM.  Screamer did not need to break the MultiSwap cipher to
break DRM, but we thought it would be a fun exercise, and summarize the
results of our investigation below.  The attacks described here show
weaknesses in the MultiSwap encryption scheme, and could potentially
contribute to an attack on DRM.  However, the attack on DRM described by
Beale Screamer would be much more practical, so we feel that these
weaknesses in MultiSwap do not pose a significant threat to DRM at this time.

We present these results to further the science of computer security,
not to promote rampant copying of copyrighted music.

The cipher

The MultiSwap algorithm takes a 64-bit block consisting of two 32-bit
numbers x0 and x1 and encrypts them using the subkeys
k0,...,k11 as diagrammed below...

[...body of article contains graphic notation...]

Conclusion

We have seen that MultiSwap can be broken with a 2^14 chosen-plaintext
attack or a 2^22.5 known-plaintext attack, requiring 2^25 work.  We
believe this shows that MultiSwap is not safe for any use.

# # #

----------------------------------------------------------------------
Gary Stock                                            vox 616.226.9550
CIO & Technical Compass                               fax 616.349.9076

Nexcerpt, Inc.                                     [EMAIL PROTECTED]

  "The first thing you'll notice is, when the camera's plugged in..."
  Bill Gates, launching Windows XP Earthquake, Seattle, 28 Feb 2001



-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY
of the mail.

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
