From: “B. Schneier” <bs208@newton.cam.ac.uk>
To: cypherpunks@toad.com
Message Hash: d9476ab66e36f5c7dc9165b90aceec2e348ea3d93422b151b8e4b6ca4e133ab6
Message ID: <199602251153.GAA05973@gibbs.newton.cam.ac.uk>
Reply To: N/A
UTC Datetime: 1996-02-25 12:11:56 UTC
Raw Date: Sun, 25 Feb 1996 20:11:56 +0800
From: "B. Schneier" <bs208@newton.cam.ac.uk>
Date: Sun, 25 Feb 1996 20:11:56 +0800
To: cypherpunks@toad.com
Subject: Report from Fast Software Encryption Conference
Message-ID: <199602251153.GAA05973@gibbs.newton.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain
*************************************************************************
This is a temporary e-mail address; I am in Cambridge until 12 March.
Continue to send mail to schneier@counterpane.com; it forwards by itself.
*************************************************************************
Report on the Third International Workshop on FAST
SOFTWARE ENCRYPTION, Cambridge University, UK, Feb 96
The conference was held at the Isaac Newton Institute for
Mathemtical Science, and was attended by about 45 people. What
follows is a short description of some, but not all, of the talks.
There were two papers analyzing safer: "Truncated Differentials
of SAFER" by Knudsen and Berson, and "The PHT of SAFER" by Murphy.
Unfortunately, only the first paper appears in the proceedings.
The attacks work on SAFER with 5 rounds or less, and not on SAFER
with the new key schedule suggested at Crypto '95.
Vaudenay presented his attack on Blowfish, which expoloits weak
keys that result in two S-box entries being identical. In a weak
Blowfish variant where the S-boxes are known, his attack can break
8-round Blowfish efficiently but does not work against the full
16-round version. If the S-boxes are secret, as they are in
Blowfish, his attack can detect these weak keys in the 8-round
variant but not in the 16-round variant.
Blaze presented a really clever protocol for encrypting with a
low-bandwidth smartcard. The idea is that the host computer is
trusted with the plaintext but not the key, and the secure smartcard
is too slow to do bulk encryption. He presents a protocol where the
host does all the work but does not learn the key.
Dobbertin presented a beautiful paper where he cryptanalyzed MD4,
extending the work he did cryptanalyzing RIPE-MD. Attendees took
bets on when MD5 will fall to this sort of attack.
There were several new algorithms presented. RIPEMD-160 is a
strengthened version of RIPE-MD, designed by Dobbertin, Bosselaers,
and Preneel. ISAAC is a steam cipher by Bob Jenkins. Tiger is a
one-way hash function by Anderson and Biham designed to work efficently
on 64-bit computers. Shark is a block cipher, similar in design to
SAFER, by Rijmen, Daemen, Preneel, Bosselaers, and De Win. And there
were two Luby-Rackoff-like constructions that make block ciphers of
arbitrary block size out of stream ciphers and one-way hash functions
by Anderson and Biham, called Bear and Lion. Another paper by Lucks
showed how to spead up Luby-Rackoff's block cipher. Matsui presented
some work on block cipher designs provably secure against differential
and linear cryptanalysis, but not the specific construction that is the
MISTY algorithm.
Kelsey and Schneier presented a paper on unbalanced Feistel networks.
Called UFNs, these are Feistel networks where the two sides are of
unequal size. Examples of this construction includes MD4, RC2,
MacGuffin, S1, and REDOC III. We gave some general analysis of
different constructions.
There were two papers on correlation attacks on stream ciphers, and one
paper by Golic on nonlinear filter generators.
The proceedings have been published by Springer-Verlag in their
Lecture Notes in Computer Science series, #1039. The editor
of the volume is Dieter Gollmann, and the ISBN is 3-540-60865-6.
Return to February 1996
Return to ““B. Schneier” <bs208@newton.cam.ac.uk>”
1996-02-25 (Sun, 25 Feb 1996 20:11:56 +0800) - Report from Fast Software Encryption Conference - “B. Schneier” <bs208@newton.cam.ac.uk>