Re: Schneier's "Helix" cipher is remarkably similar to the "generic feistel cipher"
From: Jim Steuert (pjsteuert_at_rcn.com)
Date: 10/22/03
- Next message: jos sulistyo: "Is there any authentication algorithm with"
- Previous message: Phil Carmody: "Re: Rijndael S-Box representation in GF(2^4)"
- In reply to: Tom St Denis: "Re: Schneier's "Helix" cipher is remarkably similar to the "generic feistel cipher""
- Next in thread: Tom St Denis: "Re: Schneier's "Helix" cipher is remarkably similar to the "generic feistel cipher""
- Reply: Tom St Denis: "Re: Schneier's "Helix" cipher is remarkably similar to the "generic feistel cipher""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Oct 2003 19:30:59 -0400
Tom St. Denis wrote:
>
> Stop saying multi permutations. First off, nonlinear sboxes are not
> always multipermutations. Specially the SHA-1 ones [as that would
> make them linear].
>
Read "On the Need for Multipermutations:
Cryptanalysis of MD4 and SAFER" by Serge Vaudenay
or "On Weaknesses of Non-surjective Round Functions"
by Vincent Rijmen and Bart Preneel
Tom St. Denis wrote:
>
> What exactly makes your feistel "generic"? Matt Blazes Turtle is by
> far the most generic as it's provably secure against DC/LC and
> scalable [just very slow].
>
What makes it "generic" is that it reduces the design of
a cipher to the design of simpler components, specifically
an invertible hash digest and a hash key schedule. Sort of
like Luby-Rackoff but even simpler (and potentially more
efficient)
For the sake of argument, the cipher answered to by Wagner
was SHA-1 used alone as a cipher, with the
key coming in as the digest data (yes, the Davies-Meyer
cipher basis for SHA-1). But that still begs the
question of what is a good methodology for designing
these "digests". The extreme variety of the AES candidates
of itself proves that this is not a mature science.
And it is not simply a matter of the best. The SHA-xxx are exemplary for
their security "strength" on a limited "computation" budget.
That is what Schneier et al. are doing with
their lightweight design for Helix. To quote from their
DDJ article, "
So yes, feistel ciphers (and more importantly, the
hash digest component) are still interesting. And the
"good" design principles are still unknown. (At least
the NSA's design principles).
Tom St. Denis wrote:
>
>> It is amazing to me that SHA-1 is like a handed-down
>> alien artifact. While I understand the multipermutation
>> idea there are a lot of design ideas that went into the AES candidates.
>
> Um what? SHA is an unbalanced feistel network used in Davies-Meyers
> mode. That's not exactly "unheard" of.
>
Do you know how any of the SHA-x were designed? Specifically,
how the rotates were determined, what, if any tests were
performed, the exact structure? It might as well be
designed by aliens.
Even the paper "Differential Collisions in SHA-0" by Florent
Chabaud and Antoine Joux does not even come close to answering
those questions. Why should one care if we can also come up
with another reasonable hash?
Tom St. Denis wrote:
>
> So twofish is a ripoff of your idea too?
>
I didn't say that. Twofish long predates the "generic
feistel cipher" idea.
Tom St. Denis wrote:
>
> Also Feistels are "old school". They're harder to analyze and
> generally less ideal.
>
Agreed. MDS is a useful added improvement.
But multipermutation mixers and digests
will still be here for a while, as witnessed by the
AES candidates and all the SHA-xxx things. Besides, they
are mathematically fascinating.
Tom St. Denis wrote:
>
> Daemens branch theory is exactly what ciphers should use. It's
> scientific and very efficient.
>
Tom St. Denis wrote:
>
> Good luck with that. Given your complete lack of willingness to
> actually do research your papers will be quite interesting to read.
>
I've done a *huge* amount of research. Specifically on
the subject "Gaussian Elimination Resistant Semirings".
<URL: http://users.rcn.com/pjsteuert> This is definitely
novel, if 100's of hours of google searches and
learning in seemingly unrelated math (lattices, semirings)
mean anything. Read my bibliography in the code.
If you can add to the subject, please let me know.
-Jim Steuert
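An added example, not code from the post or from any of the ciphers it names, of the construction Jim describes: a Feistel network whose round function is a keyed hash digest and whose per-round keys come from a hash key schedule, i.e. a Luby-Rackoff-style cipher. HMAC-SHA-256 as the round function, the 256-bit block size, the 4-round default and the key-schedule formula are my assumptions; the last function shows why the round count matters (one round hands back half the plaintext unchanged).

```python
import hashlib
import hmac

BLOCK = 32          # constructed: 256-bit block, split into two 128-bit halves
HALF = BLOCK // 2


def round_key(key: bytes, i: int) -> bytes:
    """Hash key schedule (assumption): round key i = SHA-256(key || i)."""
    return hashlib.sha256(key + i.to_bytes(4, "big")).digest()


def round_function(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed digest used as the Feistel round function, truncated to one half."""
    return hmac.new(round_key(key, i), half, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """(L, R) -> (R, L xor F_i(R)) for each round; the hash need not be invertible."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, xor(left, round_function(key, i, right))
    return left + right


def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Run the rounds backwards: given (L', R'), L = R' xor F_i(L'), R = L'."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = xor(right, round_function(key, i, left)), left
    return left + right


def leaks_plaintext_half(key: bytes, block: bytes, rounds: int) -> bool:
    """True when the left output half is the right plaintext half in the clear,
    which is always the case after a single Feistel round."""
    return feistel_encrypt(key, block, rounds)[:HALF] == block[HALF:]
```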