Re: To Mok-Kong Shen Re:Variable S-boxes

From: David Eather (eather_at_tpg.com.au)
Date: 02/06/04


Date: Fri, 6 Feb 2004 16:38:25 +1000

Opps - silly mistake - the attack suggested won't work with DES (the "data"
collected will all be zero's - not very useful) but needs a cipher where the
sub key is used for whitening - note to self - ensure brain in gear before
typing

"David Eather" <eather@tpg.com.au> wrote in message
news:4023053e@dnews.tpgi.com.au...
> Hello Mok-Kong Shen, Hello All,
>
> I support pretty much every underdog (as long as they don't want to kill
> anyone) and any lost cause you can imagine. But your idea for creating
> variable S-boxes has had its run and failed - you need to rethink the
method
> and try again.
>
> Tom came up with a working general attack to the idea of variable S-boxes.
> There are variants specific to your particular scheme which was to xor (or
> other wise combine) plain text into the s-box. The simplest attack is
this
> (assuming DES for example) - xor plaintext into the sboxes so that all
> entries = 0, with DES 64 bit block, 256 bits of Sbox data this takes 4
> encryptions. The next encryption gives you the last left and right round
> subkeys - this is all or nearly all the bits from the master key - so the
> strength of DES goes down from 2**56 to almost nothing. The same approach
> would also work when a more modern cipher is modified - such as Serpent -
in
> this case you would get the last 128 bit subkey and the subkey gives
> information about bits in other sub keys.
>
> Your next proposal for starting with an IV was better but still
inadequate.
> Normally the attacker would get to choose the IV. It is no use saying
this
> is not what he should do - the attacker shouldn't try to break algorithms
> either. In any case the attack above can be used with a random IV to
> extract the final round key and other subkey data in the modified version
of
> Serpent (with 256 bit key) in about 2**132 to 2**133. This goes a long
way
> to fully breaking the modified algorithm so it has to be regarded as a
> mistake (the attack I leave for you to work out and there might be a time
> memory trade off possible)
>
> I strongly suspect that to remain secure the ability to control the
> modification to the S-box must be as difficult as finding the key or it
> won't work.
>
> Two methods are good for testing new ideas before they go public.
>
> First-
> Write it down - then spend time (until you are literally sick) looking for
> the same idea in other places. No points for re-inventing the wheel, but
a
> warm fuzzy feeling that you are on the right track.
>
> Then-
> Stick it in a draw until you forget the specific details. Then pull it
out
> and attack it as though someone else had invented it (play devil's
> advocate).
>
> I think the idea of variable S-boxes by adding plaintext to them as
> proposed, with or without and encrypted IV is dead and this thread should
> quietly pass into history.
>
> David Eather
>
>



Relevant Pages

  • To Mok-Kong Shen Re:Variable S-boxes
    ... Tom came up with a working general attack to the idea of variable S-boxes. ... encryptions. ... this case you would get the last 128 bit subkey and the subkey gives ...
    (sci.crypt)
  • Re: To Mok-Kong Shen Re:Variable S-boxes
    ... >Tom came up with a working general attack to the idea of variable S-boxes. ... >encryptions. ... >this case you would get the last 128 bit subkey and the subkey gives ... A randomly conditioned branching algorithm used with a "dynamic SSbox" ...
    (sci.crypt)
  • clique method in differential cryptanalysis
    ... I encounter some problem in implementing the attack on the ... I don't quite understand the clique method which is ... which is part of the suggested 30-bit subkey. ...
    (sci.crypt)
  • Re: Dynamic change of encryption keys
    ... volume of materials encrpyted with the same key in encryptions. ... While key rollover certainly limits the text available to mount an attack, instead the weak point can very easily become rollover phase. ... That is why I specifically brought up the SSL/TLS attack, the weakness has nothing to do with exceeding the acceptable limits of security for the cipher, but the rollover itself had weaknesses. ...
    (sci.crypt)
  • Re: New crypto algorithm
    ... >> A slight modification of Phil's attack works with your extra byte added to ... > obviously weak hashing. ... I can't put a magnitude on the number of encryptions that would ... 1st bug in MS win2k source code found after 20 minutes: ...
    (sci.crypt)