From: John Kelsey <jmkelsey@delphi.com>
Newsgroups: sci.crypt
Subject: The S1 cipher posted two days ago
Date: Sun, 13 Aug 95 00:49:43 -0500

-----BEGIN PGP SIGNED MESSAGE-----

Subject: S1 cipher

1.   The cipher runs an unbalanced Feistel network from 48 bits to
     16 bits.  However, the 16 bits that were most-recently
     encrypted are basically used to provide only two bits of
     choice of s-box.  Also, there isn't a bit permutation here,
     which would mix the outputs from different s-boxes and
     dramatically improve diffusion.  In a hardware implementation,
     this would be free.

2.   I think it will take at least three cycles (12 rounds) for
     everything to get well-mixed, in the sense that every input
     bit has a chance to affect every output bit.  I think it will
     take four or more cycles to get full statistical independence
     between input and output.  It might be interesting to run this
     code through Crypt-X and see what drops out after three or
     four cycles.  If it takes four cycles (16 rounds) to get full
     statistical diffusion, it makes some sense for the cipher to
     use 32 rounds.
                 
3.   I think this is someone's joke.  (Or maybe it's someone's way
     of getting his homemade cipher looked over by other people.)
     I could be completely wrong, I just have a feeling this isn't
     for real.  I think I or anyone else familiar with the research
     in block cipher design that's widely published could (with
     some work) come up with a block cipher that would be more
     convincing.  Of course, "more convincing" doesn't map directly
     onto "more like NSA work," about which I know nothing that
     hasn't been published somewhere.

4.   On the other hand, I might have said the same thing about
     GOST, whose operations aren't anything remarkable at all.
     GOST with reasonable s-box choices is probably not too bad a
     cipher with 32 rounds.  I wonder if the same can be said about
     this cipher.

   --John Kelsey, jmkelsey@delphi.com
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMCzu7UHx57Ag8goBAQHxKgQAnaGBXn0t2UM3eTi7SHUaPqn/3dQr97KH
olO/J9gWWzchX3r25RLAgGtkL08ekBAaCykUUWfxTQs2w0AAWOuC92mndz0Ieq4k
k+ppLJjfe5H2thJBjtt6pYBZkg/vw6uetRFBGExouAyHtCjo6ZW6OZgUNfeZlhL1
jziS2E29eLc=
=PLaT
-----END PGP SIGNATURE-----