Re: Secure Science issues preview of their upcoming block cipher

To: Jerrold Leichter <jerrold.leichter@xxxxxxxxxx>
Subject: Re: Secure Science issues preview of their upcoming block cipher
From: Ralf-Philipp Weinmann <weinmann@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 25 Mar 2005 18:23:24 +0100
Cc: Adam Shostack <adam@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, BugTraq <bugtraq@xxxxxxxxxxxxxxxxx>, cryptography@xxxxxxxxxxxx
In-reply-to: <Pine.SOL.4.61.0503251112120.5211@frame>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: TU Darmstadt, FB 20, Theoretische Informatik
References: <42421129.8000109@xxxxxxxxxxxxxxxxx> <20050325001542.GB67257@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <Pine.SOL.4.61.0503251112120.5211@frame>
User-agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)

Jerrold Leichter wrote:

I can come up with a cipher provably just as secure as AES-128 very quickly....

(Actually, based on the paper a while back on many alternative ways to
formulate AES - it had a catchy title something like "How Many Ways Can You
Spell AES?", except that I can't find one like that now - one could even
come up with a formulation that is (a) probably as secure as AES-128; (b)
actually faster in hardware or simpler to implement or whatever...)

You're probably looking for [1] by Barkan and Biham. What they do isreplacing the irreducible polynomial and all the constants involved inRijndael to get what they call "dual ciphers"; basically those ciphersare isomorphic to Rijndael. All in all they get 240 dual ciphers whichare listed in [2]. What I found more interesting back then was that theyalso give square dual and log dual ciphers of Rijndael. I.e. let E bethe Rijndael encryption and E' be the encryption function of thesquare/log dual Rijndael construction. Furthermore let f be a functionthat either performs bytewise squaring in GF(2^8) or replaces each bytewith a logarithmic representation (relative to a generator g. you alsoneed to fix log_g(0) = -\infty for this to make sense). Then


 E'(f(plaintext), f(key)) = f(E(plaintext, key))

holds. The squaring construction then also naturally extends to whatthey call "higher-order self dual ciphers": meaning you can apply thesquaring multiple times.

In 2004 Wu, Lu and Laih then demonstrated that using Barkan's andBiham's method can indeed lead to more efficient implementations ofAES/Rijndael in hardware.


Cheers,
Ralf

[1] Elad Barkan and Eli Biham:
    In How Many Ways Can You Write Rijndael?
    ASIACRYPT 2002, Springer
    note: also on ePrint as http://eprint.iacr.org/2002/157
    if you don't have Springer Link access

[2] Elad Barkan and Eli Biham:
    The Book of Rijndaels
    http://eprint.iacr.org/2002/158

[3] Shee-Yau Wu and Shih-Chuan Lu and Chi Sung Laih:
    Design of AES Based on Dual Cipher and Composite Field
    Topics in Cryptology, CT-RSA 2004, Springer

--
Ralf-P. Weinmann <weinmann@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
TU Darmstadt, FB Informatik, FG Theoretische Informatik
Tel: +49-(0)6151-16-6628

References:
- Secure Science issues preview of their upcoming block cipher
  - From: BugTraq
- Re: Secure Science issues preview of their upcoming block cipher
  - From: Adam Shostack
- Re: Secure Science issues preview of their upcoming block cipher
  - From: Jerrold Leichter

Prev by Date: TCP timestamp & advanced fingerprinting
Next by Date: phpbb 2.0.13 Exploit (bug)
Previous by thread: Re: Secure Science issues preview of their upcoming block cipher
Next by thread: Re: Secure Science issues preview of their upcoming block cipher
Index(es):
- Date
- Thread