More "S-1" foolishness

Matt Blaze mab at crypto.com
Fri Aug 11 04:35:03 PDT 1995



>The other thing I noticed that really makes me question this is that G1
>only uses 4 of its 8 input bits.  As I wrote, it is equivalent to
>parity(i&0x17).  A bit is a terrible thing to waste, and it is hard to
>imagine why it would do this intentionally.  G1 may not be that important
>an element of the cipher but why throw away four bits?
>
>It is possible I suppose that the F and G boxes are not the ones used
>in the "real" version of whatever cipher this is, so this apparent
>weakness and the ones which Matt has pointed out may not be that
>significant.

While I'm loath to make any statement that could be interpreted as
defending this cipher, these are, as you say, only "apparent"
weaknesses.  Other than the "r vs. i" bug, which a very forgiving
observer might attribute to some kind of error (maybe the code was
typed in from a printout; maybe the program was taken from a "working
copy" in the middle of being modified), so far, no one has demonstrated
conclusively that these unorthodox and seemingly unsound design
characteristics actually help the cryptanalyst in this particular
cipher.  I'm talking out of my hat here, but for all we know
carefully selected non-uniformly distributed s-boxes and key
schedules that throw out the odd bit here and there in just the
right way might thwart some killer cryptanalytic technique that
isn't yet known in the civilian world.  Hardly likely, but still
remotely possible.

We can't completely rule this out unless we've seen that the cipher
falls to the various known meta-attacks, like differential and
linear cryptanalysis.  I don't really think this is worth the
trouble, however, given that these techniques can require considerable
effort and skill to apply to an arbitrary cipher and that everything
else about this thing points to a hoax designed to provoke just
such a waste of time.

(Someone will no doubt make me eat my words by doing a rump session
talk at CRYPTO on how interesting the linear and differential
analysis of this cipher turned out to be.)

-matt

PS to whoever posted this thing, if you're reading this: If this
cipher isn't what its comments assert, and you've just added spooky
labels to get people interested in evaluating some design technique
that you've invented because you think no one will take you seriously
if you just come clean, you're wrong.  An intellegently-written
description of your ideas, coupled with an easily-evaluated example,
can get a lot of attention from the crypto community no matter what
the source.  I've personally looked at several such schemes, and
had at one of my own (MacGuffin, which you're obviously familar
with) widely examined by doing just that.  You could have produced
such a description with about as much effort as you've obviously
already gone to in creating the "S-1" code, with far greater
potential rewards.  And if this is just a random hoax, well, I
guess it looks like you've suceeded.






More information about the cypherpunks-legacy mailing list