Secure Science issues preview of their upcoming block cipher

Tom St Denis tomstdenis at gmail.com
Wed Mar 30 07:05:06 EST 2005


On Tue, 29 Mar 2005 16:06:05 +0100, Ian G <iang at systemics.com> wrote:
> I'd be interested to hear why he wants to
> "improve" on AES.  The issue with doing that
> is that any marginal improvements he makes
> will have trouble overcoming the costs
> involved with others analysing his work.

Several things:

1.  Highlighted [we're talking Feb'04 here] the work I was doing on
FPHTs.  They're much more efficient than an MDS and because of my work
they have known branches.

2.  I also looked into the CS-cipher way of doing things.  I was able
to prove what Vaudenay could only "count" [he never proved the
trail-weight of CS-Cipher] and from that I was able to also prove the
16-point case [e.g. CS^2].

3.  CS^2 is totally meant for a pipeline.  It reuses the round
transform for the key schedule.

So what is CS^2?  It's basically 8 rounds of a 4 layer FPHT with
sboxes mixed in the 2-point transforms.  8*4 == 32 step pipeline.
The key schedule essentially is just computed as processing the key one
"layer" ahead of the plaintext.

Load the key in one cycle and the block in the next.  Add some FSM to
determine where the key material comes from for a given stage [e.g.
the fixed sigma function or the key round that is one round ahead].

Why is this cool?

First off, you can get a 2 cycle encrypt.  But that's meaningless
because "cycle" could mean several hundred nanoseconds...  But what
is a "layer"?  A 2-point FPHT [e.g. xors of depth three] and two
parallel sbox applications.  The sboxes are efficiently computable as
well with an xor depth of four [or so].  So effectively a "layer" has a
XOR gate depth of about 8-9 at most.

Second, you can process SIXTEEN different keys at once.  So key
agility is essentially a moot point.

Third, there is no dedicated "key scheduler" like in AES.  You do need
some FSM to select where the round key comes from but that's about it.

Fourth, it resists integration attacks a whole heap better than AES.

Fifth, it's trivial to prove that classic LC and DC are inapplicable.

Sixth, the sbox was not designed to be too algebraic.  The 4x4 is just
a random 4x4 with max LC/DC resistance for a bijection.  The resulting
8x8 has a decently low LC/DC profile, no fixed points and no points of
involution.

Seventh, I wrote it.  Therefore it's cool.

Tom
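An added illustration, not code from the post and not CS^2 itself (the message gives no sbox, sigma function or exact 2-point transform): a 16-point FPHT built as four butterfly layers of 2-point pseudo-Hadamard transforms over 4-bit words, with the 2-point step assumed to be the Twofish-style (a+b, a+2b) mod 2^n. It shows the "4 layer, 16-point" structure the message refers to, and why the branch number of such a network has to be proved rather than assumed: an additive difference on the "a" side spreads to all 16 outputs, while a difference of 8 on the "b" side of every layer reaches only one output.

```python
# Constructed toy for illustration; CS^2's real transform, sbox and
# sigma constants are not in the post, so the 2-point step below is an
# assumption (Twofish-style PHT), not the cipher's definition.

WORD_BITS = 4
MASK = (1 << WORD_BITS) - 1
POINTS = 16
LAYERS = POINTS.bit_length() - 1  # log2(16) = 4 butterfly layers per round


def pht2(a, b):
    """Assumed 2-point pseudo-Hadamard transform: (a, b) -> (a+b, a+2b) mod 2^n."""
    return (a + b) & MASK, (a + 2 * b) & MASK


def pht2_inv(x, y):
    """Inverse of pht2: b = y - x, a = x - b (mod 2^n)."""
    b = (y - x) & MASK
    return (x - b) & MASK, b


def fpht(words):
    """16-point FPHT: layer l pairs the indices that differ in bit l.
    Cost is 4 layers x 8 butterflies x 2 additions = 64 word additions,
    which is the efficiency argument against a dense 16x16 MDS matrix."""
    v = list(words)
    for layer in range(LAYERS):
        bit = 1 << layer
        for i in range(POINTS):
            if i & bit == 0:
                v[i], v[i | bit] = pht2(v[i], v[i | bit])
    return v


def fpht_inv(words):
    """Undo the layers in reverse order with the inverse butterfly."""
    v = list(words)
    for layer in reversed(range(LAYERS)):
        bit = 1 << layer
        for i in range(POINTS):
            if i & bit == 0:
                v[i], v[i | bit] = pht2_inv(v[i], v[i | bit])
    return v


def active_outputs(position, delta, base=None):
    """Number of output words that change when one input word is shifted by
    delta. The PHT is linear over Z/2^n, so the count is base-independent."""
    base = list(base) if base is not None else [0] * POINTS
    other = list(base)
    other[position] = (other[position] + delta) & MASK
    return sum(1 for x, y in zip(fpht(base), fpht(other)) if x != y)
```

Index 0 is the "a" input in every layer, so any nonzero difference there reaches all 16 outputs; index 15 is the "b" input in every layer, and a difference of 8 is annihilated by the doubling at each step until only one output word changes, a weight-2 trail that a non-linear step mixed into the butterflies is there to break.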

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
