[Cryptography] Nasruddin Cryptographic Function (99% finalized)

Ray Dillinger bear at sonic.net
Fri Jul 17 23:18:42 EDT 2015



On 07/17/2015 03:35 PM, Ryan Carboni wrote:
> This should be better than Rijndael, and takes advantage of 256-bit SIMD.
> 

mmmm, nope.  You have to support claims like that with math.

Rijndael has a proof of security against linear and differential
cryptanalysis.  You can't make that claim without producing
equally strong proofs for yours. That's before we even talk
about block boundary attacks, alias attacks, other types of
group theory attacks and related-key attacks, chosen-plaintext
and chosen-ciphertext attacks, cyclometric attacks, timing
attacks, power attacks, and .... all of these things are stuff
you have to provide very convincing arguments about before
you can claim anything is better than something whose creator
did provide those convincing arguments.

One thing that SIMD ciphers are particularly prone to is
Tempest attacks.  You get a whole lot of processors doing
the same thing at the same time, and they act like a little
phased array of tiny radio transmitting antennas.  Have you
noticed that CPUs are operating at frequencies in the radio
range?  A three hundred dollar gadget can read them from
fifty feet away and get the keys.  If you're introducing
a SIMD cipher, you have to explain why that won't work.

Specifically you have to arrange it so that no part of the
key or plaintext, nor anything identifiably derived from
them, goes through many processors at the same time.

After that, justifying the use of a new cipher requires
demonstrating exactly what weakness existing ciphers have
that makes this one better.  And yours has to be a whole
lot better (i.e., Rijndael has to be BADLY broken) in order
to justify something that takes many times as long to
compute on large classes of machines.

Finally you seem to be mistaken about which end of the
market is in sufficient pain to be willing to consider
adopting something new.

Right now everybody who isn't trying to figure out what
business a feeking thermostat has accessing the Internet in
the first place, is trying to connect them to the Internet
and then figure out how to do anything on the tiny ten-cent
processors they're putting into the thermostats. Then
people are trying to steal as much private information as
possible via those thermostats. Now that burglars are
ACTUALLY stealing the information in order to find out
when people aren't home, they want cryptography that runs
on those ten-cent processors. Few to none of the existing
ciphers are a good fit.

Come up with something like that, and people will pay a lot
more attention than they will to something that runs on a
CPU which would add more than a dollar a unit to the cost
of their devices.

Usually proving the required properties (or the absence
of undesired ones) involves heavy lifting via group theory,
because by definition no supercomputer is fast enough to
iterate over all keys and demonstrate that some undesired
property never happens.

The heavy lifting can be some other kind of math as
well, but however you do it, you have to have proof of
a bunch of claims, and in order to make them you have to
know what the attacks are and therefore what mathematical
properties protect against them.

Seriously, best of luck.  But if you want to do this,
you have to actually DO it, not just claim somebody
could.

Bear
