back to article Cisco open-sources experimental cipher

Cisco is offering up an experimental cipher which, among other things, could help preserve the anonymity of data in cloud environments. In putting what it calls “FNR” (Flexible Naor and Reingold) into the hands of the public, The Borg says its work is currently experimental rather than production software. Cisco software …


This topic is closed for new posts.
  1. John Savard


    This seems to be a very inefficient cipher. It needs seven rounds to be secure, but each round includes an AES encryption as the f-function. A stream cipher using AES would be a simpler way to secure data of arbitrary length - but just XORing stream cipher output to the data is lacking in security in some ways that this addresses. However, there are other ways to improve the combiner that have less overhead, so I can't be optimistic that this will get widespread adoption.

    1. TheVogon

      Re: Unfortunately

      And what was wrong with IPSEC?

  2. Don Jefe

    The Naor and Reingold

    The Flexible Naor and Reingold figures proved to be a big hit with focus group participants. The flexibility in the Naor makes it easier and more fun for users to express their interpretation of the nightmarish horrors inflicted on Reingold by the Naor during their 2,000 year conflict.

    Parents also cited the flexibility as a purchase decision driver. The razor tipped barbed spines of the Naor and the Twin Swords of Reingold in the static versions have been implicated in more than 1 million incidents of nocturnal carpet ambush when not stored properly at night. The flexibility of the new figures reduces the potential for foot puncture by more than 60%. Available at retailers for Hanukkah 2015.

    1. tony2heads

      Re: The Naor and Reingold

      I thought that Reingold was assisted by Niebelungen

      Icon -closest I could get to a dwarf was a troll

  3. Andraž 'ruskie' Levstik

    And after it's accepted... they drop...

    the P bomb on the world...

  4. Carpetsmoker

    Why not a stream cipher?

    Why not a stream cipher? In my limited understanding of cryptography, it won't require padding, and should be secure (if used correctly) even for small pieces of data? What's the advantage of the added complexity?

    1. DanDanDan

      Re: Why not a stream cipher?

      "What's the advantage of the added complexity?" - Easier to patent?

  5. Ben Liddicott

    What is wrong with CTR mode?

    CTR mode effectively converts a block cipher into a stream cipher, eliminating the need for padding.

    CTR is the only mode you need.

    1. Michael Wojcik Silver badge

      Re: What is wrong with CTR mode?

      CTR is the only mode you need.

      Unless you can't guarantee a sufficiently-unpredictable nonce for every message, which could be the case with many applications.

      And GCM is widely seen as superior to CTR, since it also provides integrity.

  6. Alan Bourke

    No, no, no Cisco!

    For this to be taken seriously the acronym must be changed to FNAR.

    1. theblackhand

      Re: No, no, no Cisco!

      I'm not sure if FNAR will provide sufficient entropy.

      FNAR FNAR on the other hand would meet and exceed the recommendations for childish names in encryption technologies for the foreseeable future.

    2. Anonymous Coward
      Anonymous Coward

      Re: No, no, no Cisco!

      OK, El Reg, you had me at "Cisco" and "preserve the anonymity of data in cloud environments." Which reminds me, the unicorn I ordered hasn't been delivered yet.

  7. Christian Berger


    Padding gives you the great advantage of "rounding up" packet sizes, essentially obscuring their actual length to some degree. If you don't do that, you'll end up leaking the length of your cleartext which is a bad idea.

    1. Will Godfrey Silver badge

      Re: Problematic

      Glad you said that. It was the first thing that crossed my mind.

  8. Almost Me
    Big Brother

    What this is and isn't. The TL;DR version.

    It's a tweakable cipher (encryption depends on secret key plus something publicly known which varies with each record, like a record number or a person's name) designed for encoding very short bit strings without increasing the length of the data. Think of storing encrypted credit card numbers in a database without increasing the size of the field.

    For efficiency concerns, the authors point out that AES is directly supported by modern hardware.

    It therefore isn't directly comparable with AES in CTR mode or nor with GCM. Nor is it intended to obscure message lengths or provide message authentication.

    Whether this is an acceptably efficient and more secure solution than other approaches I will leave to professional cryptographers to decide.

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022