📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Flag: Tornado! Hurricane!

Created: Wednesday, December 14 2005 01:14.00 CST Modified: Wednesday, December 14 2005 01:32.17 CST
Author: halvar

Blogging is strange. You write down a few lines of half-coherent something under the delusion that nobody is reading the blog, and all of a sudden you show up cross-referenced in blogs that you read yourself regularly. With such a large crew blogging at Matasano (what used to be Thomas Ptacek's blog) they have a blog-update frequency that leads to their blog being about as productivity-destructive as slashdot.

I am seriously flattered to be mentioned there (and scared that my rants are actually read).

One of today's posts there mentions DJB's crypto algorithms, specifically Salsa20. Now, I am not a cryptographer, but I do not trust Salsa, for a variety of reasons:
  • It looks too much like MD4/MD5.
  • We have very limited understanding of why a wild mixture of ADD/XOR/ROL would produce equation systems that are hard to solve. Yes, nonlinearity over GF(2)^32 and over Z/2^32Z is given by mixing boolean functions and addition, but this paper gives some pretty neat insight into how just mixing ADD/XOR (without the ROL) is trivially solvable. I don't trust a single rotation that much.
  • Avoiding integer multiplication (whose representing BDD can grow exponentially with the number of bits and is thus hard to model using the methods in the paper) is something which I would not do - I know DJB cares a lot about timing, but given the choice between potentially leaking a few cycles and making the output of an operation ridiculously complicated (while at the same time tackling the problem of weak differential propagation in the high-order bits), I would choose the latter.
  • DJB might be over-emphasizing timing. His AES S-Box stamps RDTSC output into packets, which is many orders of magnitude more precise than any measurement you will get IMHO. True, caching issues (and cache alignment issues) can easily eat up 100 cycles, but that is still a lot less than a timer tick, the measure that in the most optimistic scenarios you'd be likely to get.
All in all, I do not trust systems built on just mixing ADD/XOR/ROL. There is a reason for the name of this blog.
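As an added illustration, not part of halvar's post and not DJB's code: the Salsa20 quarter-round from the Salsa20 specification, written out so the ADD/XOR/ROL structure under discussion is visible, together with a small differential check. ADD and XOR mod 2^32 are "T-functions": output bit i depends only on input bits 0..i, so without the rotations a difference confined to the top bit of one input word can never reach any lower bit position. The rotations are the only operation in the round that moves information across bit positions, which is exactly what the "I don't trust a single rotation that much" point is about. The input words used for the check are constructed sample values; the (1,0,0,0) vector is a test vector from the Salsa20 spec.

```python
# Added example: Salsa20 quarter-round (per the Salsa20 spec) and a check of
# how an input difference propagates with and without the rotations.

MASK = 0xFFFFFFFF
SALSA_ROTATIONS = (7, 9, 13, 18)   # rotation amounts from the Salsa20 spec
NO_ROTATIONS = (0, 0, 0, 0)        # ADD/XOR-only variant for comparison


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits (n == 0 is the identity)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3, rot=SALSA_ROTATIONS):
    """Salsa20 quarterround(y0, y1, y2, y3) -> (z0, z1, z2, z3).

    rot overrides the rotation amounts; passing NO_ROTATIONS gives a
    round built from ADD and XOR only.
    """
    r1, r2, r3, r4 = rot
    z1 = y1 ^ rotl32((y0 + y3) & MASK, r1)
    z2 = y2 ^ rotl32((z1 + y0) & MASK, r2)
    z3 = y3 ^ rotl32((z2 + z1) & MASK, r3)
    z0 = y0 ^ rotl32((z3 + z2) & MASK, r4)
    return (z0, z1, z2, z3)


def output_difference(words, diff_word, diff_mask, rot=SALSA_ROTATIONS):
    """XOR difference of the outputs for two inputs that differ by
    diff_mask in word number diff_word."""
    base = quarterround(*words, rot=rot)
    flipped = list(words)
    flipped[diff_word] ^= diff_mask
    other = quarterround(*flipped, rot=rot)
    return tuple(a ^ b for a, b in zip(base, other))


def msb_difference_stays_in_msb(words):
    """True iff flipping bit 31 of y0 changes only bit 31 of each output
    word when the rotations are removed. For the ADD/XOR-only round this
    holds for every input: carries only travel upward, and the carry out
    of bit 31 is discarded."""
    diff = output_difference(words, 0, 0x80000000, rot=NO_ROTATIONS)
    return all(d & 0x7FFFFFFF == 0 for d in diff)


def msb_difference_spreads_with_rotations(words):
    """True iff the same single-bit difference reaches some bit below 31
    once the spec's rotations are in place (z1 alone already receives the
    difference at bit 6, since 0x80000000 rotated left by 7 is 0x40)."""
    diff = output_difference(words, 0, 0x80000000, rot=SALSA_ROTATIONS)
    return any(d & 0x7FFFFFFF for d in diff)


# Constructed sample inputs (arbitrary values, not from any spec).
SAMPLE_INPUTS = [
    (0x00000001, 0x00000000, 0x00000000, 0x00000000),
    (0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0x0BADF00D),
    (0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
]

if __name__ == "__main__":
    print("quarterround(1,0,0,0) =",
          tuple(hex(w) for w in quarterround(1, 0, 0, 0)))
    for words in SAMPLE_INPUTS:
        print(tuple(hex(w) for w in words),
              "no-ROL confined:", msb_difference_stays_in_msb(words),
              "with-ROL spreads:", msb_difference_spreads_with_rotations(words))
```

With the rotations set to zero, the output difference for a top-bit flip in y0 is always (0, 0x80000000, 0, 0x80000000), whatever the input: the difference cancels in z2 and z0 because both addends carry it in the same position. That is the kind of structure the ADD/XOR-solvability result exploits, and the rotations are the single ingredient that breaks it.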

