
Question about iraqi block cipher


boby89

May 8, 2000, 3:00:00 AM
Has someone analysed the chaos1 S-box in the IBC cipher ?
And has someone analysed the one_way function ?

This cipher seems to be 8-bit computers oriented, isn't it ? Is it possible
to optimize it for 32-bit computers ?


ftp://ftp.zedz.net/pub/crypto/crypto/LIBS/ibc/ibc.c

Raphael Phan

May 8, 2000, 3:00:00 AM
Hi,

Is there any place that we can view the documentation for IBC?

Raphael

boby89 wrote:

--


" When you were born, you cried and the world rejoiced.
Live your life in such a manner that when you die,
the world cries and You rejoice... "

matthew...@my-deja.com

May 8, 2000, 3:00:00 AM
In article <8f65um$dnd$1...@wanadoo.fr>,
"boby89" <bob...@hotmail.com> wrote:
> Has someone analysed the chaos1 S-box in the IBC cipher ?
> And has someone analysed the one_way function ?
>
> This cipher seems to be 8-bit computers oriented, isn't it ? Is it possible
> to optimize it for 32-bit computers ?
>
> ftp://ftp.zedz.net/pub/crypto/crypto/LIBS/ibc/ibc.c
>
>

Hey all,

Is the implementation correct?

If so, the cipher is a 5-round Feistel cipher. The right half is sent through
a one-way hash-like function and combined with the left. The halves are
then swapped.

The key material is used in a complicated way to create the one-way
hash. No key material is used in the round and no whitening is added.

As it is implemented, the cipher is vulnerable to the slide attack. A
chosen-plaintext attack should be able to peel off a round with 2^32
plaintexts.

I am not sure that the slid pair will reveal much however. If the
one-way function is truly difficult to reverse, the slid pair will only
give one input/output to the hash. I suspect that some information can
be gained however in which case enough slid pairs will break the cipher.

By cheating I can create many slid pairs so it is certain that slid
pairs exist.

--Matt



David A. Wagner

May 8, 2000, 3:00:00 AM
Is this _really_ an Iraqi standard, or is someone pulling our legs?

It is a 5-round Feistel cipher, with a 256-bit block and with the same
(complicated) Feistel function in each round. Thus, it should be
vulnerable to slide attacks, if I am not mistaken. However, it looks
like it may take 2^64 chosen texts to create a single slid pair.

The Feistel function is called "one_way" in the source, but it's not clear
that it is actually one-way, and with a reasonable number of input/output
values for the Feistel function it may be possible to determine the key.
One could imagine obtaining these input/output values by getting many
slid pairs, but as discussed above it is not obvious how to do this with
any reasonable data complexity, so this is not a practical threat.

There is also a more practical problem with this cipher. Since all
rounds are the same, there are likely to be 2^128 fixed points (not
necessarily a problem, except possibly for hashing modes), and (this is
worse) encryption is the same as decryption, so with an encryption oracle
one can decrypt interesting ciphertext. (This would also spell problems
for OFB mode -- the keystream would repeat every two blocks -- if the
final swap were omitted; but fortunately, the final swap is included.)

All in all, the lack of round dependence is not a showstopper, but it
is perhaps not what was intended.

The cipher also looks likely to be quite slow, in software and in
hardware. And there is little reason to bother with slow ciphers of
questionable security when we have 3DES.

Anyway, I haven't submitted this to any serious analysis, but based on
what I have seen so far, it does not appear to be especially impressive,
from a simple surface examination. Is there any particular reason to
look further?

Dan Day

May 9, 2000, 3:00:00 AM
On 8 May 2000 12:52:35 -0700, d...@blowfish.isaac.cs.berkeley.edu (David A. Wagner) wrote:
>
>Is this _really_ an Iraqi standard, or is someone pulling our legs?
>
>It is a 5-round Feistel cipher, with a 256-bit block and with the same
>(complicated) Feistel function in each round. Thus, it should be
>vulnerable to slide attacks, if I am not mistaken. However, it looks
>like it may take 2^64 chosen texts to create a single slid pair.

Is there somewhere on the web that gives a semi-layman's intro
to "slide attacks"? (I've got a good math background, but
papers with too many crypto-specific buzzphrases tend to lose me,
for lack of introductory definitions.)

And how many "chosen texts" would it take to make a real dent in
Blowfish, which I believe is also a Feistel cipher?


--
"How strangely will the Tools of a Tyrant pervert the
plain Meaning of Words!"
--Samuel Adams (1722-1803), letter to John Pitts, January 21, 1776

Tom St Denis

May 9, 2000, 3:00:00 AM

Dan Day wrote:
>
> On 8 May 2000 12:52:35 -0700, d...@blowfish.isaac.cs.berkeley.edu (David A.
> Wagner) wrote:
> >
> >Is this _really_ an Iraqi standard, or is someone pulling our legs?
> >
> >It is a 5-round Feistel cipher, with a 256-bit block and with the same
> >(complicated) Feistel function in each round. Thus, it should be
> >vulnerable to slide attacks, if I am not mistaken. However, it looks
> >like it may take 2^64 chosen texts to create a single slid pair.
>
> Is there somewhere on the web that gives a semi-layman's intro
> to "slide attacks"? (I've got a good math background, but
> papers with too many crypto-specific buzzphrases tend to lose me,
> for lack of introductory definitions.)
>
> And how many "chosen texts" would it take to make a real dent in
> Blowfish, which I believe is also a Feistel cipher?
>

It's my understanding the slide attack only works when all the round
functions are the same. You try to find pairs that match for certain
round numbers (a, b) (i.e. for a pair) and deduce part of the key from
that.

However, it's best to use round keys to avoid the attack.

Tom
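
Added example (not part of the original thread and not IBC code): a toy 5-round Feistel cipher with a 256-bit block checks the structural properties discussed above when every round is identical, and shows that they disappear once each round gets its own input, as suggested in the last post. Truncated SHA-256 stands in for IBC's one_way function; all function names, the key and the plaintext are constructed for illustration.

```python
import hashlib

HALF = 16  # bytes per half: 256-bit block, as described in the thread

def f(key, half, rnd=None):
    # Stand-in round function, NOT IBC's one_way. rnd=None: same F every round.
    tag = b"" if rnd is None else bytes([rnd])
    return hashlib.sha256(key + tag + half).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def swap(block):
    return block[HALF:] + block[:HALF]

def feistel_round(key, block, rnd=None):
    left, right = block[:HALF], block[HALF:]
    return right + xor(left, f(key, right, rnd))

def encrypt(key, block, per_round=False, rounds=5):
    for i in range(rounds):
        block = feistel_round(key, block, i if per_round else None)
    return block

def oracle_decrypts(key, pt, per_round=False):
    # True if swap -> encrypt -> swap inverts encryption (encryption oracle decrypts).
    ct = encrypt(key, pt, per_round)
    return swap(encrypt(key, swap(ct), per_round)) == pt

def involution_without_final_swap(key, pt, per_round=False):
    # True if the variant that omits the final swap undoes itself (OFB period 2).
    once = swap(encrypt(key, pt, per_round))
    return swap(encrypt(key, once, per_round)) == pt

def slide_relation(key, pt, per_round=False):
    # True if E(round(P)) == round(E(P)), the relation a slid pair satisfies.
    r0 = 0 if per_round else None
    return (encrypt(key, feistel_round(key, pt, r0), per_round)
            == feistel_round(key, encrypt(key, pt, per_round), r0))

KEY = b"constructed-demo-key"  # constructed sample key
PT = bytes(range(32))          # constructed 256-bit sample block
```

With identical rounds all three checks return True for any key and block; with `per_round=True` they return False, which is the design check that distinguishes the two constructions.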
