[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MPJ Encryption Algorithm
Bill Stewart writes:
> Sounds interesting; do you have any comparisons between it and IDEA
> about either encryption strength, speed, or design philosophy?
The full design philosophy for MPJ is in my thesis. Since then, I learned
about differential cryptanalysis and was relieved to see that MPJ is fairly
resistant to that. Here is a short summary:
Algorithm Key size Block size Rounds Strength* SW Speed HW Speed
DES 56 bits 64 bits 16/2 22-55 slow fast
3DES 112 bits 64 bits (16*3)/2 24-58 slower fast
IDEA 128 bits 128 bits 16 65-110 fast fast
Skipjack 80 bits 128 bits 32 79 ? ?
MPJ 128 bits 128 bits 10 70-120 medium very fast
MPJ2 >=64 bits 128 bits >=10 50-128 <=medium <=very fast
*Strength is a GUESS at log base 2 of the complexity of breaking it.
Algorithm Legal status Back door? Origin
DES Public Domain No IBM/NBS->NIST/NSA
3DES Public Domain No IBM
IDEA Patented No Switzerland
Skipjack Classified LEAF NSA
MPJ Public Domain No USA - University of Colorado at
Colorado Springs (UCCS)
MPJ2 Not yet released No USA
DES Design philosophy:
(1) Fit in small chip
(2) Use involution for reversibility (only half of block changes with each
round)
(3) Use polyalphabetic nonlinear s-boxes of limited size (requires great care
to avoid differential cryptanalysis)
(4) Some design criteria still classified.
3DES Design philosophy:
(1) Cascade existing known algorithm
(2) Avoid weak key situations
(3) Try not to require too much more key than the strength of the algorithm
justifies (i.e. just 2 instead of 3 keys are used).
(4) Apply a bandaid. Making one compound block cipher would have been more
secure, but not all the s-box design criteria are known.
IDEA Design philosophy:
(1) Use unrelated arithmetic operations on different fields.
(2) Use only 32 bit arithmetic operations for speed on a computer.
(3) Arrange the structure of the algorithm to do proper confusion/diffusion.
(4) Very small code and memory space used in computer.
Skipjack design philosophy (guessed):
(1) Similar to DES, but with a block size of 128 bytes.
(2) No attack known to the NSA will be more than a bit or two better than
exhaustive key search.
(3) Learn from the mistakes of DES (i.e. avoid weak keys and complementation
symmetries DES suffers from).
(4) Restrict knowledge of the algorithm as much as possible.
MPJ Design philosopy:
(1) Relax some of the size limits of DES & IDEA to gain security, but make
sure it fits on a PC.
(2) Avoid fragile fixed s-box & subkey design of DES, but copy its product
cipher structure.
(3) Change the whole block with each round instead of just half (i.e. 10 MPJ
rounds is as effective as 20 DES-type rounds).
(4) Make every output bit a strong function of every bit of the input and
every bit of the key within 3 rounds.
(5) Use such simple operations in a complex and nonlinear fashion that
mathematical breakthroughs are not a threat (as with RSA).
(6) Make the substitution steps reversible through a very clever construction
of reversible substitution arrays directly from the key.
(7) Make key scheduling slow (to discourage exhaustive search for keys), but
make the algorithm very fast, especially in dedicated hardware.
(8) Make creative use of nonlinearity, bit twiddling, and rounds to thwart an
analytical attack using massive quantities of known or chosen plain text.
MPJ2 Design philosophy:
(1) Generalize the key scheduling to accommodate variable length keys.
(2) Generalize to n rounds.
(3) Attempt to do key scheduling on the fly in cases where the memory
required for precomputed internal keys take up too much RAM.
Common elements: All of these block cipher algorithms use repeating rounds
of "confusion and diffusion" or "substitution and permutation" weaker ciphers
to form a stronger product cipher. All of them are secure, even if the
cipher becomes known. Skipjack is classified more to prevent knowledge of
design criteria and cryptanalysis secrets, and to allow the forced insertion
of a back door (LEAF) than for the security of the algorithm (just ask Dr.
Denning). DES and 3DES can raise the price of unauthorized disclosure of
secrets above the average individual's means. The others have the potential
of raising the price of eavesdropping by breaking crypto algorithms to above
the budgets of organized crime, hostile governments, and terrorists. None of
them prevent other technological solutions to spying, such as placing bugs
closer to the target individual, office, or computer system.
General rules of the game in CRYPTOGRAPHY and CRYPTANALYSIS:
1. There is always a way to crack any practical cryptosystem.
2. Your opponent will not tell you if she has broken your cryptosystem and
is reading your mail.
3. The longer any one cryptosystem is in use, and the more widely it is
used, the more likely it is that someone has broken it, or at least
discovered a weakness in it and not told anyone about it.
4. The more widely used a cryptosystem is, the more profitable it is to try
to break it (for either noble or ignoble purposes).
5. Exclusive control of the ability to communicate securely is a powerful
force that can easily be corrupted.
6. Putting all your eggs in one basket is unwise. Use more than one
cryptosystem, and change keys regularly -- even if you don't suspect
compromise.
7. Insecure cryptosystems often appear on the surface to be secure. They
are often sold for good money.
DISCLAIMERS:
DISCUSSIONS ABOVE ARE FROM MEMORY AND MAY NOT BE ACCURATE. ALL DATA CLAIMING
TO BE GUESSWORK IS. PROVING ANY CRYPTOSYSTEM SECURE IS USUALLY IMPOSSIBLE.
INVENTERS OF CRYPTO ALGORITHMS ARE NOT QUALIFIED TO JUDGE THEM.
Mike Johson
[email protected]
This message contains writings protected under the First Amendment of the
Constitution of the United States of America. Censorship is forbidden.