Nullsoft's WASTE communication system
Bart Preneel
Bart.Preneel at esat.kuleuven.ac.be
Sun Jun 1 17:01:44 EDT 2003
In order to increase hardware efficiency, the 8-bit S-boxes of Anubis
have been designed by combining 4-bit S-boxes with bit permutations in
two layers. 4-bit S-boxes always have quadratic equations.
Hence if you would be worried about algebraic attacks on AES, you probably
should also worry about Anubis.
However, the BES trick of Murphy and Robshaw (Crypto 2002) does not
apply as the S-box is not longer derived from the inverse mapping.
For more details on Anubis and Khazad, see the NESSIE report at
http://www.cryptonessie.org and the paper at FSE 2003 of De Canniere et al.
and of Biryukov.
Best regards,
Bart
-------------------------------------------------------------------------------
Katholieke Universiteit Leuven tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC fax. +32 16 32 19 69
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, BELGIUM
bart.preneel at esat.kuleuven.ac.be
http://www.esat.kuleuven.ac.be/~preneel
-------------------------------------------------------------------------------
On Sun, 1 Jun 2003, Zooko wrote:
>
> What do you folks think about Anubis [1] ?
>
> I don't understand the maths, but I would *like* to think that Rijndael's
> positive results (mostly, its lack of negative results) would apply to Anubis
> while Rijndael's negatives (such as the hypothetical algebraic solution)
> wouldn't.
>
> Regards,
>
> Zooko
>
> http://zooko.com/
> ^-- under re-construction: some new stuff, some broken links
>
> [1] http://planeta.terra.com.br/informatica/paulobarreto/AnubisPage.html
>
> > AES has gotten a lot of attention, and right now, it's the high-prestige
> > target. (Among other things, it was clearly a front-runner in the AES
> > process from the beginning, and all of us who'd designed other algorithms
> > spent a lot of time trying to beat up on it.) Blowfish has been around
> > longer, but has probably had fewer people spend lots of time trying to
> > break it. The still-unresolved question is whether those equation-solving
> > attacks can really be used against AES, and there doesn't seem to be anyone
> > who's completely confident of the answer to that question.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list