Concerns with the Speck Cipher
Created by: bitshark
I would like to raise that there exist academic concerns (and perhaps more common-sense concerns post-Vault7) with the Speck cipher. Frankly it reminds me of the Clipper chip, or the fiasco surrounding Dual_EC_DRBG. Or even the backdoors that were inserted in the OpenBSD IPSEC stack in the early days of the internet...
Some brief history of three-letter agency backdoors
- The Strange Story of Dual_EC_DRBG
- How far did the NSA go to weaken cryptography standards?
- Why I Abandoned OpenBSD and Why You Should Too…
- FBI accused of planting backdoor in OpenBSD IPSEC stack
Regarding Simon/Speck, I'd like to share this quote: "Contrary to common practice, the designers of Simon did not provide any security arguments for the ciphers." (Ashur, 2015)
I am not an expert here but I wanted to raise my concerns for public consideration.
While I understand that some folks have no problem running this cipher, and that I can understand and respect, I do have enough of my own misgivings that I will not be among the users of the Simon/Speck algorithms.
As a heavy user and big fan of ZFS (and very interested in the progress of TFS) -- I just wanted to share my thoughts and humbly request that there be a plan to offer an alternative, more conservative choice of block cipher for TFS (even if it is a non-default alternative -- similar to how ZFS offers a choice of LZ4, LZJB, GZIP and ZLE for compression).
Perhaps as a second choice AES-XEX? Threefish? Salsa/ChaCha?
Excerpts from the slide presentation by Tomer Ashur, entitled "Simon: NSA-designed Cipher in the Post-Snowden World"
(including some rather interesting direct correspondence from the folks at the NSA)
Simon: NSA-designed Cipher in the Post-Snowden World
- “...Is there anyone at your venerable institution that can carefully and critically review your work before you seek to publish it? I assure you that this is in your own best interest...” (Doug Shors, xxxx@tycho.ncsc.mil, 29/09/2015)
- “...We’ve now generated a lot of data – 1024 trials for 30 rounds SIMON, and 1024 random case trials (for which we used the full SPECK algorithm and your approximations). In short, there’s nothing there; the two distributions are not distinguishable by any test we can conceive of...” (Doug Shors, xxxx@tycho.ncsc.mil, 18/10/2015)
- “...Interestingly, for 18 rounds, it appears that there is likely a distinguisher. However, it’s not a slam dunk...” (Doug Shors, xxxx@tycho.ncsc.mil, 18/10/2015)
- “...then I would like to ask you to retract the claims in the ISO Belgium expert contribution that there are weaknesses in the Simon cipher...” (Louis Wingers, xxxx@tycho.ncsc.mil, 16/10/2015)
- Simon has been somehow based on Parseval’s Theorem for its design
- The NSA are pushing Simon and Speck really hard as standards
- The NSA can run 2^10 experiments each evaluating 2^32 * 2^14 linear equations in less than one night.
- The NSA does not understand the level of doubt academics have toward their work.
- It seems that as far as crypto standards go, the post-Snowden world looks pretty much like the pre-Snowden world
References:
- Simon: NSA-designed Cipher in the Post-Snowden World
- Improved Linear Trails for the Block Cipher Simon