newdes


sars

Oct 19, 2004, 3:05:48 PM
sorce code, thanks


Mok-Kong Shen

Oct 19, 2004, 6:14:57 PM

sars wrote:

> sorce code, thanks

DES is decades old. There is no 'new DES'. If you mean AES,
there are a number of source codes available. (A comparatively
easily readable one for 32-bit computers is accessible from my
web page.)

M. K. Shen
-------------------------------------------
http://home.t-online.de/home/mok-kong.shen

David Eather

Oct 19, 2004, 6:43:21 PM
There is a NewDES - it is briefly described in Applied Cryptography (and is
decades old and also not very good)

I do comment on the OP's wonderful phrasing of his request - "sorce code,
thanks".

No.

Mailman

Oct 19, 2004, 8:28:03 PM
David Eather wrote:

> I do comment on the OP's wonderful phrasing of his request - "sorce code,
> thanks".

Shooting at sitting ducks may not be very sporting - but then nobody asked
them to sit.

On the other hand expecting courtesy on the Net is somewhat over the top.
--
Mailman



Matt

Oct 20, 2004, 3:47:29 AM
"sars" <s...@net.hr> wrote in message news:<cl3oi9$irl$1...@bagan.srce.hr>...
> sorce code, thanks

Would a Google search not have worked? Anyway, NewDES comes in two
variants, the second, "NewDES-96", patched a related-key
vulnerability; see:

http://en.wikipedia.org/wiki/NewDES

Source code was posted to this very group:

http://groups.google.com/groups?selm=4hafm9%24r51%40condor.ic.net

Matt

Matthew Fisher

Oct 26, 2004, 10:26:44 PM
matt_...@yahoo.co.uk (Matt) wrote in message news:<94b59a36.0410...@posting.google.com>...

All,

Further Google Groups searching would have revealed my attack from
2001. NewDes is vulnerable to 'impossible differentials'. Do a
search for "newdes attack fisher" to see a few articles.

It is basically the same attack that Biham et al used against Khufu.
See Biham's excellent paper for details.


--M

Raphael Phan Chung Wei

Oct 27, 2004, 5:24:47 AM
Hi all,
I believe the attack is flawed because there is no "miss" in the
middle as claimed. You can work out the difference by hand to verify
this.

Sorry, Matthew :)


matthew...@convergys.com (Matthew Fisher) wrote in message

David Eather

Oct 27, 2004, 11:00:56 AM

I've been looking at newdes - with a good s-box and a decent key schedule
it would be a fast and decent algol.


Tom St Denis

Oct 27, 2004, 12:15:32 PM
David Eather wrote:
> I've been looking at newdes - with a good s-box and a decent key schedule
> it would be a fast and decent algol.

Faster than AES?

Tom

Robert Scott

Oct 27, 2004, 11:09:30 PM
On Thu, 28 Oct 2004 01:00:56 +1000, "David Eather" <eat...@tpg.com.au>
wrote:

>I've been looking at newdes - with a good s-box and a decent key schedule
>it would be a fast and decent algol.

I'm the one who invented NEWDES "decades" ago. I must admit that I
did not know much about cryptography back then, beyond what I learned
in a Hellman seminar. The algorithm was intended to address what was a
concern at the time for DES - the transparency of the design. People
were concerned about the possibility of trap-doors known only to the
designers. For that reason I chose to develop a random S-box based on
the text of the Declaration of Independence, as described in the
original Cryptologia article. A carefully crafted S-box may have
produced a stronger algorithm, but it would not have passed the test
of transparent design.

I must admit that NEWDES is not very good, especially in light of all
the better choices now available. I thought that having complete
diffusion of a single bit change in seven rounds was good enough, but
when there are only 17 rounds, that just isn't enough diffusion. If I
were to modify it now, I would either add more rounds, or change the
round function so that complete diffusion happens in just three or
four rounds. Another thing I would change would be the key expansion
schedule. It is too simple - even with the 1996 modification.
Finally, I would change some of the exclusive-ORs to addition. That
would introduce a little more complexity at no cost in computing time,
and at the same time it would avoid the complementation property that
NEWDES shares with DES.


-Robert Scott
Ypsilanti, Michigan
(Reply through this forum, not by direct e-mail to me, as automatic reply address is fake.)
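
Added example, not part of Robert Scott's post or of the NEWDES source: a toy cipher built only from XORs and S-box lookups shows the complementation property E(~K, ~P) = ~E(K, P) mentioned above, and switching one key mix per round to addition removes it. The S-box, round layout, 15-byte key and all function names are constructed for illustration and are not the real cipher.

```python
import random

# Constructed S-box: a seeded random byte permutation. It is NOT the NEWDES
# table, which the post says was derived from the Declaration of Independence.
SBOX = list(range(256))
random.Random(1985).shuffle(SBOX)

def mix(byte, key_byte, use_add):
    """Combine a data byte with a key byte before the S-box lookup."""
    return (byte + key_byte) & 0xFF if use_add else byte ^ key_byte

def encrypt(block, key, rounds=17, add_steps=0):
    """Toy 8-byte cipher (assumed structure, not NEWDES itself): every step
    XORs S[data byte mixed with key byte] into another data byte.
    add_steps = how many of the 8 key mixes per round use addition mod 256."""
    b, k = list(block), 0
    for _ in range(rounds):
        for step in range(8):
            if step < 4:
                src, dst = step, step + 4        # left half updates right half
            else:
                src, dst = step, (step - 3) % 4  # right half updates left half
            idx = mix(b[src], key[k % len(key)], step < add_steps)
            b[dst] ^= SBOX[idx]
            k += 1
    return bytes(b)

def complement(data):
    """Bitwise complement of every byte."""
    return bytes(x ^ 0xFF for x in data)

def complementation_holds(add_steps=0, trials=100):
    """Check E(~K, ~P) == ~E(K, P) on constructed random keys and blocks."""
    rng = random.Random(2004)
    for _ in range(trials):
        p = bytes(rng.randrange(256) for _ in range(8))
        k = bytes(rng.randrange(256) for _ in range(15))
        lhs = encrypt(complement(p), complement(k), add_steps=add_steps)
        if lhs != complement(encrypt(p, k, add_steps=add_steps)):
            return False
    return True

if __name__ == "__main__":
    print("all XOR:", complementation_holds(0))                 # True
    print("one addition per round:", complementation_holds(1))  # False
```

With XOR mixing the S-box index is unchanged when both the data byte and the key byte are complemented, so the complement passes through every round untouched, whatever S-box is used.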

David Eather

Oct 28, 2004, 7:40:35 AM
It wasn't a bad cipher either. A few small things you missed - the better
s-box.

David Eather

Oct 28, 2004, 8:08:12 AM
The figures I have are that it is about 6 times faster than DES - and faster than
AES on a comparable system. AES 93 megB/s

NewDES 186 megB/s - even another round would not slow it to AES speed.

Comparison was made by Applied Crypt's bench marks for DES and NewDES - and
then converting the speed of nudes using the info on
http://fp.gladman.plus.com/cryptography_technology/aes/


Tom St Denis

Oct 28, 2004, 8:37:45 AM

Ok. Now prove it secure against LC and DC. ;-)

Tom

Joe Peschel

Oct 28, 2004, 10:33:45 AM
"David Eather" <eat...@tpg.com.au> wrote in
news:4180...@dnews.tpgi.com.au:

> Comparison was made by Applied Crypt's bench marks for DES and NewDES
> - and then converting the speed of nudes

I looked all over Brian's page, but the closest thing to a nude that I
could find was a health warning. Am I missing something? Where's the
friggin' nudes?

J


--
__________________________________________
When will Bush be tried for war crimes?

"Our enemies are innovative and resourceful, and so are we. They
never stop thinking about new ways to harm our country and our
people, and neither do we." --G. W. B.

Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________

David Eather

Oct 28, 2004, 3:31:31 PM
Joe Peschel wrote:
> "David Eather" <eat...@tpg.com.au> wrote in
> news:4180...@dnews.tpgi.com.au:
>
>> Comparison was made by Applied Crypt's bench marks for DES and NewDES
>> - and then converting the speed of nudes
>
> I looked all over Brian's page, but the closest thing to a nude that I
> could find was a health warning. Am I missing something? Where's the
> friggin' nudes?

Sorry - Freudian mistake, and to make it worse I have no idea of what it was
supposed to be.

Do you think BRG would put a nude there if we asked nicely?

Peter Fairbrother

Oct 28, 2004, 3:39:24 PM
David Eather wrote:

> Joe Peschel wrote:
>> "David Eather" <eat...@tpg.com.au> wrote in
>> news:4180...@dnews.tpgi.com.au:
>>
>>> Comparison was made by Applied Crypt's bench marks for DES and NewDES
>>> - and then converting the speed of nudes
>>
>> I looked all over Brian's page, but the closest thing to a nude that I
>> could find was a health warning. Am I missing something? Where's the
>> friggin' nudes?
>
> Sorry - Freudian mistake, and to make it worse I have no idea of what it was
> supposed to be.

NewDes?



> Do you think BRG would put a nude there if we asked nicely?

Yes please.


--
Peter Fairbrother

David Eather

Oct 28, 2004, 3:41:16 PM

I was just posting as a wind-up (something I'll only do once a year), but
with a good s-box (AES's ?) and only a 64 bit block it would have to be
close to secure via the folklore method of counting active s-boxes, but it
might be even better to use randomly generated s-boxes!

:-D

(ok twice a year)


Raphael Phan Chung Wei

Oct 28, 2004, 9:57:37 PM
Dear Scott,

Nice to hear personally from the designer of NewDES. I think NewDES
was quite a good cipher at the time it was invented. Even now,
beginning cryptographers can still refer to its simple structure for
an insight into block cipher design and analysis. Also, it's been
used by Kelsey et al. to demonstrate related-key attacks, so it also
has merits there.

I agree with you that the key schedule could be made stronger, but
then again, it was the key schedule (and also that of your 1996
modification) that brought about the "double swiping attack" etc.

On your note to replace XOR with modulo addition, note that for some
ciphers, eg. DES, it has been shown (by Biham & Shamir) that modulo
addition may be weaker than XOR.


For the betterment of cryptologic education,

Raphael


(Robert Scott) wrote in message news:<418062d6...@news.provide.net>...

Robert Scott

Oct 28, 2004, 10:51:49 PM
On 28 Oct 2004 18:57:37 -0700, rp...@swinburne.edu.my (Raphael Phan
Chung Wei) wrote:

>..On your note to replace XOR with modulo addition, note that for some
>ciphers, eg. DES, it has been shown (by Biham & Shamir) that modulo
>addition may be weaker than XOR..

I meant to replace only a few of the XORs with addition - just enough
to break the complementation property and provide a little more
complexity, since XOR and addition used in combination does not
simplify as easily as all XORs.

David Wagner

Oct 29, 2004, 2:10:20 AM
Raphael Phan Chung Wei wrote:
>Nice to hear personally from the designer of NewDES. I think NewDES
>was quite a good cipher at the time it was invented. Even now,
>beginning cryptographers can still refer to its simple structure for
>an insight into block cipher design and analysis.

I agree. Simplicity is a real asset, and I think investigating these kind
of easily understandable design ideas has been very much worth the effort.

Tom St Denis

Oct 29, 2004, 6:30:46 AM
Robert Scott wrote:
> On 28 Oct 2004 18:57:37 -0700, rp...@swinburne.edu.my (Raphael Phan
> Chung Wei) wrote:
>
>
>>..On your note to replace XOR with modulo addition, note that for some
>>ciphers, eg. DES, it has been shown (by Biham & Shamir) that modulo
>>addition may be weaker than XOR..
>
>
> I meant to replace only a few of the XORs with addition - just enough
> to break the complementation property and provide a little more
> complexity, since XOR and addition used in combination does not
> simplify as easily as all XORs.

Wouldn't a better approach be to say... use science? I hear it can do
wonders. Like for instance, is NewDES a wide-trail design? If not, why
not?

Tom

Matthew Fisher

Oct 29, 2004, 2:44:24 PM
Raphael,

You are correct; as posted, the attack was flawed. But a 1R,2R,etc
version is applicable. I worked out more of the detail awhile back,
I'll see if I still have it around somewhere.

NEWDES is vulnerable, in a theoretical way, to the impossible
differential attack. I don't believe the attack has any practical
application as it won't be much better than brute and requires tons of
plaintext/ciphertext pairs.

For its time, it was a good cipher with open design principles.
Without question, it helped advance the art of cipher design and
highlighted key areas in block cipher design.

I suspect by adding a few (<8) more rounds, NEWDES can be made
completely secure against all known attacks.

--Matt

rp...@swinburne.edu.my (Raphael Phan Chung Wei) wrote in message news:<f89fd5ee.04102...@posting.google.com>...

Matt

Nov 1, 2004, 5:39:56 AM
rp...@swinburne.edu.my (Raphael Phan Chung Wei) wrote:
> Dear Scott,
>
> Nice to hear personally from the designer of NewDES. I think NewDES
> was quite a good cipher at the time it was invented.

<snip>

I was wondering how many concrete block cipher designs had been
published for academic study by January 1985 (when NewDES was
published in Cryptologia)? I know of Madryga, which was proposed in
1984. And, of course, DES and a couple of versions of Lucifer. But I
couldn't find much else after a few minutes trawling through early
CRYPTO / EUROCRYPT proceedings ... does anybody know of other block
ciphers from before 1985?

-- Matt

Raphael Phan Chung Wei

Nov 1, 2004, 7:56:16 PM
Hi Matthew,

How have you been?

I agree that NewDES' structure is vulnerable to impossible
differentials, and therefore I think it'll be interesting to all of us
here to hear your 1R,2R,etc attack version. Do you mean 1R,2R with
conventional differential cryptanalysis or with impossible
differentials?

Impossible differential cryptanalysis may not seem practical but after
all, most block cipher cryptanalysis methods aren't. Their main
purpose is to evaluate how secure a block cipher design is.

> I suspect by adding a few (<8) more rounds, NEWDES can be made
> completely secure against all known attacks.

I believe this is an open problem that would be interesting to have
sci.crypters find an answer to. :-)

Raphael


matthew...@convergys.com (Matthew Fisher) wrote in message news:<a6281740.04102...@posting.google.com>...

Raphael Phan Chung Wei

Nov 1, 2004, 8:07:29 PM
Dear Matt,

On Madryga, there's been some interesting cryptanalysis work done on
it, for instance see http://en.wikipedia.org/wiki/Madryga.

On that note, it seems that there's a lot of public interest in block
ciphers these days.

Matt, how bout checking out past issues of Cryptologia to see if
there're any old ciphers there? Also, check out this one:
Henk Meijer, Selim G. Akl: Two New Secret Key Cryptosystems. EUROCRYPT
1985: 96-102

Raphael


matt_...@yahoo.co.uk (Matt) wrote in message news:<94b59a36.04110...@posting.google.com>...

matt_...@yahoo.co.uk

Nov 3, 2004, 9:06:27 AM
Well-spotted! I've also found

* T. E. Moore, Stafford E. Tavares: A Layered Approach to the Design of
Private Key Cryptosystems. CRYPTO 1985: 227-245

(Although both this and Meijer-Akl's paper were published after the
start of 1985.) I haven't got old back issues of Cryptologia, but a
brief scan through the "Table of Contents" doesn't seem to turn up
much:

http://www.dean.usma.edu/math/pubs/cryptologia/back_issue_library.htm

I think other early designs might be found in patents. I found one
describing an SPN by Davida et al., submitted in 1978 (US patent
#4,275,265).

In the sense that DES and Lucifer were developed largely in obscurity,
and that other designs drew such little attention that it's now pretty
difficult to find out about them, perhaps the publication of Madryga
and NewDES could be considered a start point (or at least a milestone)
for the open academic literature on concrete block cipher designs?
--Matt

Matthew Fisher

Nov 5, 2004, 10:05:23 PM
Raphael,

I am well but don't study crypto much anymore. My passion is block
cipher design and analysis. Since the AES contest that area of crypto
has gone quiet.

I was pleased to see Biham's et al recent attacks on SHA-0, clever
indeed. The XSL attacks are also interesting but have not been
advanced much since the Serpent attack.

I conjecture that by using a 1R,2R approach a miss in the middle can
be created in NEWDES. My original attack was flawed since it was one
round off. By pushing the differential up a round or two, the miss
will definitely happen. The only issue is whether the signal to noise
ratio will still be high enough to determine the outer round keys.
Like I mentioned, I did the analysis several years ago so the details
are fuzzy.

NEWDES is a good cipher for study since its structure is simple. I
believe it can be proven resistant to differential, partial
differential, and linear attacks via exhaustive search. Only by
attacking from both ends can a differential be kept intact. Adding a
few more rounds will likely push the probabilities beyond the available
plain text (2^64).

--Matt


rp...@swinburne.edu.my (Raphael Phan Chung Wei) wrote in message news:<f89fd5ee.0411...@posting.google.com>...
