Posted: Thu Sep 27, 2007 2:20 am
Ruptor
Site Admin
Joined: 29 Mar 2006
Posts: 19
Location: Gold Coast, Australia
Salsa20 may have resisted the stone age linear and differential cryptanalysis attacks so far, but to qualify as a 256-bit secure cipher...
1. Its perpetual cyclic structure raises concerns.
2. Its self-similarity is a serious problem. Although currently there is no slide attack capable of breaking ciphers with a known half of the plaintext and half of the ciphertext, 10 rounds of a keyless self-similar round function do not look like a trustworthy structure.
Both these flaws are the reason why Salsa20 fails our tests for any number of rounds.
LR theorem for provably secure Feistel network ciphers [Salsa20 is an unbalanced Feistel network block cipher with a 64-bit counter] requires every PRF round function to be independent. Other fundamental works in the same area prove that round functions must be at least "sufficiently" different. This is not the case with Salsa20, two rounds of which form a weak self-similar round function. A simple addition of the key to the data block before and after encryption is not a secure design. It is only a matter of time before a new slide attack breaking Salsa20 is invented.
3. The IT world has progressed from kilobytes to gigabytes since DES. It is not stopping or slowing down. A limit of 2^64 on stream length is unacceptable for a long-term cipher. A 256-bit limit on key size is also unacceptable for a long-term 256-bit secure cipher. These limits contradict even Daniel J. Bernstein's own paper "Understanding brute force".
Last edited by Ruptor on Wed Oct 15, 2008 2:33 pm; edited 1 time in total
_________________
2B | ~2B = ?
Posted: Thu Oct 09, 2008 1:01 pm
Ruptor
Site Admin
Ruptor wrote: "It is only a matter of time before a new slide attack breaking Salsa20 is invented."
Just as we predicted, a new slide attack breaks Salsa20 (http://eprint.iacr.org/2008/405). Although the author may claim that it is not applicable to this or to that application, the fact that the software developers and protocol designers must worry about it makes it not suitable for general-purpose use, at least not as a 256-bit secure cipher.
Ciphers are designed for the security conscious, for the paranoid, to keep their paranoia in check. Such a design flaw could have been trivially prevented by adding a round number or any other counter to one of the words between rounds. Neither performance nor the cipher's already high complexity would have been affected. Such a counter would also destroy the cipher's cyclic structure, which remains another worry.
_________________
2B | ~2B = ?