[cryptography] QODE(quick offline data encryption)

Warren Kumari warren at kumari.net
Wed Jan 7 15:32:08 EST 2015


On Wed, Jan 7, 2015 at 3:09 PM, Kevin <kevinsisco61784 at gmail.com> wrote:
> On 1/7/2015 2:40 PM, Jeffrey Goldberg wrote:
>>
>> On 2015-01-07, at 12:26 PM, Kevin <kevinsisco61784 at gmail.com> wrote:
>>
>>>     Any company could review it and decide if it's worth using or not.
>>
>> Hi Kevin.
>>
>> Actually that’s a part of my job within the company I work for. I’m the
>> one who can read some of the primary literature in cryptography. Now this
>> makes me unusual, not a lot of companies our size have someone with my
>> skills.
>>
>> But I would be useless at evaluating your algorithm. I don’t know how to
>> check for linearity in S-Boxes; I don’t know what properties to look for in a
>> key schedule; I don’t know how to look for related key attacks, etc. I’ve
>> never broken anything and wouldn’t really know where to begin trying to
>> break something.
>>
>> So what I do is rely on expert advice and err toward being conservative.
>> My understanding of both the process by which AES was developed and chosen
>> along with the extensive research on it is that it remains a very good choice
>> as a block cipher.
>>
>> So if I were to “review” your algorithm for my company, I wouldn’t do it
>> by actually reading the code, I would ask exactly the same sorts of
>> questions that you have been presented with:
>>
>> (1) Does it offer me some valuable feature that isn’t available in more
>> standard alternatives?
>>
>> If “no”, there really is no reason to look at it further.
>>
>> (2) Is there good reason to believe that it has all of the security
>> properties I depend on of what I am already using?
>>
>> If “no”, there is no reason for me to look at it further.
>>
>> (3) Is there a clear design document that explains how it is supposed to
>> achieve its claimed security properties?
>>
>> This is part of (2), but I wanted to break it into its own point. I can
>> read — slowly and with effort — the descriptions of the designs of the
>> things that I do use. I don’t get all of the finer points, but I see how
>> problems that I never even would have thought of are addressed.
>>
>> As others have suggested, this is what you should START with.
>>
>> (4) What does the expert community say about it?
>>
>> If it hasn’t been sufficiently studied, then even if it is a complete work
>> of genius, I’m going to wait until people who know how to evaluate things
>> have done so.
>>
>> (5) Are there “safe” implementations of it available for me to use?
>>
>> An implementation needs to not only implement the algorithm, but guard
>> against side-channel attacks.
>>
>> There are other things as well. All of which your system fails at without
>> anyone having to look at the code.
>>
>>> I am not going to take it down. Freedom, boys and girls, freedom.
>>
>> Good for you. Now if you actually want people to start looking at it,
>> start with addressing my point (3). If you don’t make it easy for people
>> to analyze your system,
>> it is not going to receive the expert scrutiny required to meet some of the
>> other criteria.
>>
>>
>> But the concern is that there are software developers out there who don’t
>> pay attention to the criteria that I listed. So, sure, go ahead and play
>> with ideas. But please put some prominent notes that it hasn’t been
>> evaluated and was designed by someone with no expertise, and so should only
>> be used for playing around.
>>
>> And if you would like expert evaluation, you need to help those experts.
>> There are lots of lone crackpots out there who think that they are lone
>> geniuses. You are going to show that it isn’t a complete waste of experts’
>> time to look at your stuff.
>>
>> Cheers,
>>
>> -j
>
> J.  I think it's great that you can look at this sort of thing from all
> angles.  The security lies in data with a salt added to data which is
> rotated to the left by the length of bytes.  I won't insult your
> intelligence by rehashing the formula as it is clearly written in the code.

Errr... *which* code? Where?

Sum total of what is published (that I could find) is:

https://github.com/kjsisco/qode/blob/master/qode.au3

containing 5 lines:

-----

qode
====

An encryption algorithm
-----

Perhaps you have missed the fact that you need to git push? Or is
there some other location that I missed somewhere?

W



> The point is, do you feel this provides the level of security that you
> desire?  If the answer is no, in the trash can it goes!
>
>
>
> --
> Kevin



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

