EnRUPT – The Simpler The Better - Latest comments on ïrRUPT64x2/H

In response to: ïrRUPT64x2/H

Sean O’Neil [Member] — Fri, 12 Dec 2008 13:29:31 +0000

> It is instructive to compare your and Greg Rose's responses to having your hash broken.

Yes it is. It is also very instructive to compare the two hashes and the attacks. Greg Rose’s hash has no tunable parameter and requires major structural changes to protect against the attack. Contrary to that, EnRUPT was submitted with a security parameter s, requiring only a few extra rounds to defend against such class of attacks. In that light, EnRUPT cannot even be considered or called broken, only 8 rounds of it are broken. 5 rounds of Rijndael are broken, and nobody is complaining about Rijndael with 10.

Naturally, Greg Rose does not want people to waste any more time on his hash since it cannot be easily fixed, while I insist that it is premature to declare EnRUPT broken trying to dismiss it, no matter how much you hate it as one of your competitors. EnRUPT simply does not need any fixing, only tuning the tunable parameter requested by NIST to increase its security. All the attacks must take all the parameters into consideration before claiming EnRUPT to be broken.

In response to: ïrRUPT64x2/H

A non a mouse [Visitor] — Fri, 12 Dec 2008 08:04:06 +0000

> Are we looking for a good algorithm or are we
> looking to get rid of all the most competitive
> algorithms as quickly as possible?

It is instructive to compare your and Greg Rose's responses to having your hash broken.

In response to: ïrRUPT64x2/H

Sean O’Neil [Member] — Tue, 25 Nov 2008 15:07:07 +0000

Dear anonymous coward,

"algorithms that specify the number of rounds as a parameter" makes no sense. It is either a specific number or a variable parameter. In case of EnRUPT it is a parameter, not a specified constant.

The measurements of complexity of linearization were incorrectly transferred from block hashing to stream hashing. We do not say that s has to be at least 8, even for stream hashing. It is still at least 2 for block hashing and for stream ciphers. For collision resistance it probably has to be at least 5 for w=32 and at least 7 for w=64. We recommend a slightly higher value for s to guarantee a sufficiently high change in the state between the inputs.

No matter how much you want to see EnRUPT removed from the competition, it is still incorrect to call the entire EnRUPT family, its ïrRUPT mode and even more specifically ïrRUPT64x2-256/s broken. No one has pointed out a structural weakness in any of them, merely an attack against 8 rounds of ïrRUPT64x2 (s=4). The future versions of its specification will be updated accordingly. It is not even known if EnRUPT is going to be accepted in the competition yet, so your verbal attacks are premature.

In response to: ïrRUPT64x2/H

Anonymous Coward [Visitor] — Tue, 25 Nov 2008 14:15:48 +0000

So algorithms that specify the number of rounds as a parameter are not broken? Even if they recommond wrong parameters?

It is up to the designer of the algorithm to pick the correct parameters (tradeoff between security and performance). You made a wrong choice.

In your specification you wrote: "Therefore, in order to be able to break ïrRUPT faster than 2^h, the attacker must be able to approximate each arithmetic adder at a cost of less than w/4⋅(s–1) bits, which is highly unlikely even for s=2." Now it turns out s has to be at least 8...

In response to: ïrRUPT64x2/H

Sean O’Neil [Member] — Tue, 25 Nov 2008 10:13:13 +0000

Dear anonymous coward,

1. No changes need to be made to EnRUPT submitted as EnRUPT[w]x[P]/[s] and so far not broken as such.

2. Whether EnRUPT is in or out of the competition, it is up to NIST to decide, NOT you. However, your bitterness is understandable. EnRUPT is too competitive. Many submitters are eager to see it out of their way.

3. You are shooting in the dark obviously without any knowledge of Boole structure or the attack. Boole has no tunable parameters, it is submitted fixed at 16 mixing rounds. The Boole attack also exploits a structural flaw that cannot be fixed with extra rounds. So, yes, I am sure.

In response to: ïrRUPT64x2/H

Anonymous Coward [Visitor] — Tue, 25 Nov 2008 09:18:14 +0000

NIST is quite clear: "NIST will refuse to accept changes that seem to be responses to attacks, even if an attack can be blocked by a very simple change, unless there is a convincing argument that the attack is only the result of a typo in the first place."

Face it. You are out of the competition!

Are you sure Boole can not be patched by doubling the amount of rounds?

In response to: ïrRUPT64x2/H

Ilya [Visitor] — Tue, 25 Nov 2008 07:58:51 +0000

Hope so. Let see a NIST verdict first anyway.

In response to: ïrRUPT64x2/H

Sean O’Neil [Member] — Tue, 25 Nov 2008 06:55:55 +0000

The SHA-3 organizers have improved the competition since the AES. They do differentiate that for NIST purposes now, which is why they have requested a tunable security/performance parameter. EnRUPT submission is not broken. What is broken is only the initially recommended s=4 variant. It is not yet broken even for s=5 or s=8, what to talk about the currently recommended s=H. That is contrary to Boole, Sgàil, HASH 2X, NKS2D or WaMM, which are broken exploiting structural flaws and cannot be cured with a few extra rounds or simply do not have a tunable security/performance parameter at all.