Re: Differential analysis of Blowfish

Bruce Schneier (schneier@counterpane.com)
Mon, 07 Dec 1998 14:00:14 -0600


At 12:43 PM 12/7/98 +0100, Mok-Kong Shen wrote:
>In Bruce Schneier's book on p.289 it is stated:
>
> Differential analysis works against DES and other similar
> algorithms with constant S-boxes. The attack is heavily
> dependent on the structure of the S-boxes.
>
>On the other hand it is known (see www.counterpane.com) that
>V. Rijmen did a differential analysis of Blowfish whose S-boxes
>are non-constant. Would someone please explain this apparent paradox?

I don't think there's any real "paradox." I believe I wrote that sentence
in AC when I had less information about DC than I have now. We did
a differential attack against 5-round Twofish, and Twofish has key-
dependent S-boxes. There's a differential attack against Khufu--it's
either Crypto or Eurocrypt a few years ago--that works against those
key-dependent S-boxes. I suggest reading either our paper or the
Khufu paper.

>My (pure) conjecture is that Rijmen's success could be an indication
>of the fact that although Blowfish's S-boxes are non-constant they
>are very far from the case if they were obtained randomly without
>constraints and therefore the space of the possible S-boxes is
>rather limited.

The attack has nothing to do with that. Actually, it's a cleaner analysis
if you assume that Blowfish's S-boxes are completely random. Look
at the generation rules; they're UGLY.

>In other words there is something quasi-'constant'
>that an analyst could use to his profit. Should this be indeed the
>case, then it would be conceivable that loosening some appropriate
>constraints could eventually improve the strength of Blowfish
>(i.e. the design is not optimal).

Oddly enough, that isn't true. If I were to do Blowfish again, I would
tighten the constraints of S-box design. That's what I did in Twofish.

>I should also appreciate to be able to see a very brief sketch of
>the technique of Rijmen and an explanation why that can't be extended
>to work against Blowfish with more than 4 (a fixed number!!)
>rounds as claimed in the Web page cited above.

Unfortunately, it's in Rijmen's PhD thesis. I don't believe there is a
copy online, and that section was never published. I have a copy
in my hands, but I don't have the time or patience to explain the
attack. (Actually, it's a pretty obvious attack.)

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
           Free crypto newsletter. See: http://www.counterpane.com



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:37