[Cryptography] Decoding Simon and Speck: Block Ciphers for the Internet of Things

Ryan Carboni ryacko at gmail.com
Thu Oct 19 03:16:40 EDT 2017


I have previously told the Tor developers that they should work in PR, now
I believe that the NSA is also very good at PR. I shall decode Simon and
Speck: Block Ciphers for the Internet of Things for you.

" In a stable world, it’s a good strategy to specialize, but when
conditions change rapidly, specialists don’t always fare so well"
everyone uses AES. Or Keeloq. Or RC4. People select the protocol for the
application they will use, hence why the IoT won't use WPA2. Of course
digital signal processing requires many many gates so...

"For example, the consensus has long been that a budget of 2000 GE is all
the chip area that might reasonably be allocated for security on the most
constrained RFID tags"
Who sets the consensus? I believe Snowden and John Gilmore had something to
say about IPsec consensus?
Regardless, nearly 40% of the registers for 256-bit secure Simon are for the
temporary key. It isn't hard to beat Simon's security for better RFID
performance, but that would hurt its performance on other applications.
Every cryptographer, particularly the ones who work on examining Keeloq
have totally failed to notice this.

"One further point about AES: not every application requires the same high
level of security that AES is designed to provide."
AES is the worst cipher to be adopted by American industry since DES.
Should've gone with Skipjack.

"that almost exactly matches PRINCE’s latency and area; it implements the
combinational logic for 5 rounds, and encrypts in b 44 / 5 c 9 cycles."
Yes, designing a hardware implementation with reasonable parameters will
reduce latency and area. Would you be surprised if Prince would be better
as a 2 cycle implementation?

"This is excellent performance relative to other block ciphers; indeed
CLEFIA realizes the 'world’s highest hardware gate e ciency'"
Other block ciphers may have been incompetently designed.

"The C implementations of Speck 128/256 have better overall performance
than the best C implementations of ChaCha20, a stream cipher especially
noted for its speed."
ChaCha is a 512-bit poorly keyed block cipher. To achieve diffusion over
such a large block size, more rounds and instructions are needed. To
achieve non-linear dependency on each key bit, more rounds are needed.
Naturally they said in a previous paper that ChaCha doesn't compare to
Speck because it is a stream cipher (weird meme). It is a sad comedy when a
protocol uses SHA-2-512 and truncates it to 256-bits to key a cipher when
to avoid slide and Meet in the Middle attacks one needs at least twice the
round keys.

Anyway, embedded microcontrollers for storage devices are 100 MHz ARM CPUs
that cost half a cent each. There exist cheap FPGAs with a thousand slices.

"AES, on processors with cache memory can be particularly vulnerable to
these cache-timing attacks"
they just trolling you now and you don't see it

"Because of their simplicity (and perhaps because of their source!)"
The NSA is very sexy. Join us.

"Simon and Speck have been quite thoroughly vetted by the cryptographic
community in the two years since their publication."
Simon and Speck are very secure because numerous papers have incrementally
improved upon each other; fortunately there wasn't a major breakthrough,
because that might halve the number of papers released. (Oddly enough, many
of the papers were from Chinese researchers.)


The NSA manipulates you to your face, and you have failed. Each and every
one of you.
P.S. The phone system was a trade secret, but now WPA2 specification is a
paywall. All these bought off cryptographers are in a cover their ass
operation. They know they overlooked it, they have to explain to you why
they overlooked it so they can still appear valuable to you. We could've
had the Clipper chip, but now we may as well be using Tribler's OFB with
same IV (nothing to see here).
Anyway, WPA3 is needed for post-quantum eventually. Everything should head
towards some sort of post-quantum algorithm, now that NTRU's patent
expired. There is no reason why NTRU is not used, and I'd suggest
conservative parameters for a given amount of input entropy.
Smart cards and post-quantum for everything.

P.P.S. Binney is a pathological liar. Just watch A Good American on
Netflix. It is no wonder that the EFF is currently ineffectually
complaining about unconstitutional laws. John Schindler is right, he
doesn't express himself well, but I'm pretty sure he represents the
opinions of the intelligence community in that many of you are blind and
incompetent. (naturally the same could go for the intelligence community...)

Bonus round because a helicopter flew over my house:
Schneier said: "There is too much mistrust in the air. NIST risks
publishing an algorithm that no one will trust and no one (except those
forced) will use."

That means trust me, I am opposed to what is happening and I am an expert.

Schneier then said: "I misspoke when I wrote that NIST made 'internal
changes' to the algorithm. That was sloppy of me. The Keccak permutation
remains unchanged. What NIST proposed was reducing the hash function's
capacity in the name of performance. One of Keccak's nice features is that
it's highly tunable."

Oh, I was just exaggerating, trust me, I have gone over to the other's side.

When a familiar face changes their mind, will you go along with them if you
were wavering to begin with?