Network Security Focus-Linux

Re: Kryptor for Linux released

Subject: Re: Kryptor for Linux released
Date: Sat, 26 Nov 2005 00:35:33 +0100

I have been discussing with Angelo in private and I told
him there are too many beginner mistakes in their source,
and that even if the algorithm is safe (which I doubt, but
I am not saying I cannot be surprised) the security can be
broken by an improper implementation.

I told Angelo that if his paper did not present the
algorithm and why it had been designed this way, with
differential, then linear, then differential-linear
attack attempts and a full cryptanalysis of a reduced-round
version of their "cipher", no serious cryptographer would
review it.

Code review is not free if you want quality. It can be
free if everyone will benefit from it, as the BSD and
Linux communities have shown everyone.

AES was developed in competition with a lot of
ciphers from some very big and clever companies (well..
in fact.. looking back at how some ciphers got broken at
the very first AES conference raises doubts about how
big or serious some of those companies are.. hum..).

So we got AES (but others too), which have been available
for years and have successfully withstood the most varied
attack attempts and reduced-round cryptanalysis.

No cipher should be recommended unless it has been out for
YEARS and has shown no weakness against all the new attack
techniques. This is not the case for Angelo's proposal.

I don't think that, whatever the value of their proposed cipher,
it can offer a better standing than a free-to-use
public cipher which has today been under several years
of cryptanalysis by renowned and widely known cryptographers
who participated in the NIST AES development.

Blowfish.. or Twofish are very impressive. And Blowfish
has been out for _years_ and is seen as a very good cipher
(just study its key setup part).

Below are some answers I sent to Angelo while discussing
in private.

----8>----8>----8>----8>----8>----8>----8>

[ November, 24th 2005 ]

The ARCS-256-bit algorithm is not vulnerable, in terms of feasible
attacks, to MD5 collisions.

No serious cryptographer will ever say (or has ever said in the past) of an
algorithm that it is invulnerable. Cryptography is only a protection
against time, and the only cipher mathematically proven to be
invulnerable is the one-time pad, if:

1. the key has the same length as the message
2. the key is random (really random)
3. the key is never, ever used more than once

If you want, try to make an analysis of the algorithm so you can
notice it.

The source code is full of exploitable buffer overflows
and serious C mistakes.

Even if the algorithm were good (which I doubt, knowing
its strength is based on MD5), a proper implementation is very
difficult, Angelo. You can have a very good cipher, and because
you made a single mistake in the implementation or the random
source is not good enough, the whole thing falls down.

However, the white paper on the algorithm will be released soon.
Before saying something is insecure, I suggest you prove it.

[...]

I hope you do understand that in the cryptography world, it is
not up to the people making remarks to you to prove anything.
If you want to propose a new cipher, you have to use mathematics
and a proper presentation to have any slight chance of serious
cryptographers having a look at it. They are paid upwards of
several hundred dollars per hour for their expertise. Don't expect
them to work for free unless the algorithm will be free and will
benefit everyone, like the Rijndael AES is.

[...]

If you want public cryptanalysis of your work, then your work
has to be properly presented, as Blowfish or AES were,
and it must be resistant to all known attacks, with proofs you have
to publish: differential cryptanalysis, linear cryptanalysis and
differential-linear cryptanalysis. You have to present the full
cryptanalysis of a reduced-round variant of your cipher.

Please check all the papers about the AES, the attacks, the reduced-
round variants and everything that has been done in the development
of the AES. If you do the same, then you will have a chance that
serious cryptanalysts will review your work.

I will always welcome interesting work, but if you don't play by
the rules of the cryptographic community, you won't get any
consideration.

Godspeed, Angelo.


----8>----8>----8>----8>----8>----8>----8>

[ November, 26th 2005 ]

The problem is you posted an email to a security list to tell people how
great your product is. This is wrong.

First you have to publish your work. And if after YEARS of cryptanalysis
your product resists all known attacks and shows relatively good
resistance to tampering or some attacks (side-channel attacks, power
analysis attacks), then people might start to give trust to your work.

A cipher which has not been in the field and studied for years is worth
nothing.

I am waiting for your paper. And I hope I will find inside it the
reasoning behind its construction, differential, linear and
differential-linear cryptanalysis and a full cryptanalysis of a
reduced-round variant. I want to check whether there are weak keys or not
and how exactly MD5 (which is considered _broken_ for hashing
today) was chosen for your work.

[...]

----8>----8>----8>----8>----8>----8>----8>

So let's wait for the paper and check it.

The strange thing about a lot of the errors that can be found in the source
files is that many would have been found by using freely available C
source checkers... :/

I hope, Angelo, that you are not trying to push low-grade crypto around.
You only get one name and surname for the rest of your life, and if you
burn it that way, you will be remembered as such by the crypto
community, and the whole Internet.

Now, no one is going to bash you, Angelo, without facts. So show us a
properly written paper about your crypto work, and make it the same
quality level as the papers that have presented other works like AES or
Blowfish and other respected algorithms.

You will get hints, ideas to get it better. If it's worth it.

Let's not be too harsh on Angelo and let's wait for more facts.

--
unzip ; strip ; touch ; grep ; finger ; mount ; fsck ; more ; yes ;
fsck ; umount ; sleep
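The three one-time-pad conditions listed in the message above (key as long as the message, truly random, never reused) are worth seeing in working code, in particular what an attacker gets the moment condition 3 is broken. The following is an added example and not code from the original post, from Kryptor or from ARCS; the messages, the fixed-size crib and the function names are constructed for illustration.

```python
"""One-time pad: the three conditions from the thread, and what breaks when
condition 3 (never reuse the key) is violated.

Added example, not part of the original post or of Kryptor/ARCS. The
messages, keys and crib below are constructed for illustration.
"""
import secrets


def otp_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with a one-time pad (XOR is its own inverse).

    Condition 1: the key must be exactly as long as the data. A shorter
    key would have to be repeated, which is the same flaw as condition 3.
    """
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(k ^ d for k, d in zip(key, data))


def fresh_key(length: int) -> bytes:
    """Condition 2: the key comes from a cryptographic RNG, never from a
    PRNG seeded by the clock or derived from a password."""
    return secrets.token_bytes(length)


def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy, constructively: for ANY candidate plaintext of the
    right length there is a key under which the ciphertext decrypts to it,
    so the ciphertext alone cannot favour one plaintext over another."""
    return otp_xor(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Condition 3 violated: two ciphertexts under the same key. The key
    cancels out and the attacker obtains m1 XOR m2 without the key."""
    return otp_xor(c1, c2)


def recover_other(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With m1 XOR m2 in hand, knowing (or guessing) m1 yields m2 directly."""
    return otp_xor(two_time_pad_leak(c1, c2), known_m1)


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Slide a guessed fragment ('crib') of one message along m1 XOR m2.
    Wherever the crib is right, the result is a readable fragment of the
    other message; non-printable output rules that offset out."""
    leak = two_time_pad_leak(c1, c2)
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        frag = otp_xor(crib, leak[off:off + len(crib)])
        if all(0x20 <= b < 0x7F for b in frag):
            hits.append((off, frag))
    return hits


if __name__ == "__main__":
    m1 = b"meet me at noon"      # constructed sample messages, equal length
    m2 = b"the plan is off"
    key = fresh_key(len(m1))

    c1 = otp_xor(key, m1)
    # Used correctly, the ciphertext is consistent with every plaintext:
    decoy = b"nothing to see!"
    assert otp_xor(key_that_decrypts_to(c1, decoy), c1) == decoy

    c2 = otp_xor(key, m2)        # the mistake: same key, second message
    print("m1 ^ m2 leaked:", two_time_pad_leak(c1, c2).hex())
    for off, frag in crib_drag(c1, c2, b" at "):
        print(f"crib ' at ' at offset {off} exposes {frag!r} in the other message")
    print("m2 recovered from m1:", recover_other(c1, c2, m1))
```

The point of `key_that_decrypts_to` is the proof-by-construction behind "mathematically proven": with a fresh key every same-length plaintext is equally consistent with the ciphertext. The point of `crib_drag` is that this guarantee evaporates entirely on key reuse; no cryptanalysis of the cipher is needed, only a guess at a common word. Any scheme that stretches a short key or a hash such as MD5 into a keystream inherits exactly this failure wherever the keystream repeats.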
