Cryptography-Digest Digest #745, Volume #10      Wed, 15 Dec 99 14:13:01 EST

Contents:
  Re: How easy would this encryption be to crack? - revised ("Tim Wood")
  Re: Non-linear PRNGs (David Wagner)
  Re: Non-linear PRNGs (David Wagner)
  beginner question (Michael Combs)
  Re: discrete logorithm reduction to factoring (David Wagner)
  Re: SSL/RC4_128_EXPORT40 (David Wagner)
  Re: Why no 3des for AES candidacy (wtshaw)
  Re: Better encryption? PGP or Blowfish? (Tom St Denis)
  Re: The Code Book
  Re: Data Encryption in Applet? ("Law Wun Suen, Brian")
  Re: Conditional (keyed) bidirectional hash function ? (Niall Parker)
  Re: Why no 3des for AES candidacy (Uri Blumenthal)
  Skytale? (John Bottoms)
  Re: Why no 3des for AES candidacy ("Tim Wood")
  Re: Better encryption? PGP or Blowfish? (SCOTT19U.ZIP_GUY)
  Re: Better encryption? PGP or Blowfish? (James Felling)
  Re: Why no 3des for AES candidacy (Eric Lee Green)
  Re: Deciphering without knowing the algorithm? (SCOTT19U.ZIP_GUY)
  Re: Non-linear PRNGs (Mok-Kong Shen)

----------------------------------------------------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: How easy would this encryption be to crack? - revised
Date: Wed, 15 Dec 1999 16:39:29 -0000



Steven Siew wrote in message <[EMAIL PROTECTED]>...

<SNIP>

>Frankly I'm
>not good at java, is byte same as char or is it same as unsigned char?

Nothing about the algorithm, but in Java a "char" is a Unicode character (16 bits)
and a "byte" is 8 bits (not pretentious: it _could_ be different in Java).

<SNIP>
>Steven Siew



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Non-linear PRNGs
Date: 15 Dec 1999 08:36:04 -0800

In article <[EMAIL PROTECTED]>, John Myre  <[EMAIL PROTECTED]> wrote:
> I'm not convinced that the bootstrapping to more bits would work
> so straightforwardly.  Doesn't the same observation about low bits
> not depending on high bits hold for linear systems?  AFAIK, those
> are not solved in this stepwise way.

Linear systems usually aren't (because there are better ways),
but they could be.

> And even reducing mod 4 leaves
> f(x) = a_0 + a_1*x + a_2*x^(2) + a_3*x^(3).

Suppose there are n unknown coefficients a_0,...,a_n.  Then it should
be clear that, at the very least, there is an attack using O(m * 2^n)
work, since once you know the a_i's mod 2^{k-1}, you can learn them
mod 2^k by simply guessing their k-th bits and checking the equation
above mod 2^k.  Now iterate from k=1 to k=m; in each iteration, you
guess n bits (one bit for each coefficient), so the total running time
is as claimed.

And I think this idea can be further improved, by noting that
  x^(k) = 0 mod 2^k for all x,
  and Pr[x^(k) = 0 mod 2^{k+1}] = 1/2,
  and so on.
(Or roughly like that: it might be x^(k+c) for some small constant c.)
Consequently, in the k-th iteration, we need to know only k bits of a_0,
k-1 bits of a_1, k-2 bits of a_2, ..., one bit of a_{k-1} -- and we
don't need to know a_j for any j>=k.

Therefore it will take only O(k * 2^k) work to be able to predict the
low k bits of the output of this generator.  This will often already be
enough to provide enough of an entry to read a fair amount of traffic,
given the redundancy in English text.

(It takes O(m*min(2^m,2^n)) work if you want to predict the entire output,
using this technique, so better choose n and m to be large...)

And I suspect there may well be better attacks.
I just don't have time to look any deeper.
-- David

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Non-linear PRNGs
Date: 15 Dec 1999 08:38:18 -0800

In article <[EMAIL PROTECTED]>, Pelle Evensen  <[EMAIL PROTECTED]> wrote:
> Side note, has anyone studied the cryptographic properties of multiply with
> carry generators?

What cryptographic properties?

------------------------------

From: Michael Combs <[EMAIL PROTECTED]>
Subject: beginner question
Date: Wed, 15 Dec 1999 16:27:29 GMT



 I have little or no experience with encryption/decryption and have a
small problem I hope you can help me with. I am trying to decode a file
format that appears to be encrypted by the rearrangement of chunks of
data and apparently the use of offsets. Most of the data is text and
can be clearly read, although in pieces throughout the file. These
files are large and the data doesn't seem to have a simple systematic
scheme. A data set, encrypted twice, results in a different output
file. This, I am assuming, means that all of the data to decode the
file is in the file. Is there any logical or statistical analysis I can
use to break this code? I have access to the data set and the
encryption app so I can create the encrypted output. I would be
extremely grateful to anyone that could assist me.

Thanks in advance,

mike
[EMAIL PROTECTED]


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Crossposted-To: comp.theory
Subject: Re: discrete logorithm reduction to factoring
Date: 15 Dec 1999 08:43:46 -0800

In article <8373h1$7vb$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> Is it true that discrete log reduces to factoring ?

There are two cases: an easy case, and a hard case.

1. If you can take discrete logs mod n, you can factor n.
   (Easy.  Pick a random r, between n and 2n, say.  Compute y=g^r, and
   ask for the discrete log of y to the base g.  Say you get back s.
   Then r-s is likely to be a multiple of phi(n), or at least of
   phi(n)/c for small c, and factoring n with knowledge of phi(n) is
   straightforward and handled in most number theory texts.  That
   was a rough sketch, and some details probably have to be fixed.)

2. If you can take discrete logs mod p, what does that say about
   factoring n?  Well, apparently no one knows anything about this one.
   This is a long-standing open problem in cryptography.

-- David
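
The easy direction in point 1 above, carried through as an added example (Python written for this page, not code from David Wagner). The modulus n = 101 * 103 and base g = 2 are constructed: n is tiny so the assumed discrete-log oracle can be an exhaustive search, and 2 has order lcm(100, 51) = 5100 = lcm(p-1, q-1) modulo n (has_exact_order below verifies this), so r - s is a multiple of phi(n)/2, the "phi(n)/c for small c" case. The final step, factoring from a multiple of the group exponent, is the textbook search for a nontrivial square root of 1, the same argument that shows an RSA private exponent reveals the factorization.

```python
# Added example, not from the digest.  Toy instance of "discrete logs mod n
# give the factorization of n": every value below is constructed, and the
# modulus is deliberately tiny so the oracle can be a brute-force search.
import math
import random

P, Q = 101, 103          # constructed toy primes
N_TOY = P * Q            # 10403
G_TOY = 2                # has order lcm(100, 51) = 5100 = lcm(p-1, q-1) mod N_TOY


def has_exact_order(g, n, e, prime_factors):
    """True iff ord_n(g) == e, given the distinct prime factors of e."""
    return pow(g, e, n) == 1 and all(pow(g, e // q, n) != 1 for q in prime_factors)


def dlog_oracle(g, y, n):
    """Stand-in for the assumed discrete-log oracle: exhaustive search,
    feasible only because n is tiny.  Returns the least s with g^s = y (mod n)."""
    acc = 1
    for s in range(n):
        if acc == y:
            return s
        acc = acc * g % n
    raise ValueError("y is not in the subgroup generated by g")


def factor_from_exponent_multiple(n, m):
    """The 'straightforward' step of the post: given m > 0 with a^m = 1 (mod n)
    for every unit a (a multiple of phi(n), or of phi(n)/c as the post says),
    write m = 2^t * d and look for a nontrivial square root of 1, exactly as
    in the Miller-Rabin / RSA-key-equivalence argument."""
    t, d = 0, m
    while d % 2 == 0:
        t, d = t + 1, d // 2
    for a in range(2, n):
        g = math.gcd(a, n)
        if 1 < g < n:                       # lucky: a shares a factor with n
            return tuple(sorted((g, n // g)))
        b = pow(a, d, n)
        if b in (1, n - 1):
            continue                        # a only yields the trivial roots
        for _ in range(t):
            c = b * b % n
            if c == 1:                      # b^2 = 1 but b != +-1: split n
                p = math.gcd(b - 1, n)
                return tuple(sorted((p, n // p)))
            if c == n - 1:
                break                       # reached -1 first: trivial, next a
            b = c
    raise ValueError("no witness found; m is probably not a multiple of the group exponent")


def factor_via_dlog(n, g, r=None, rng=random):
    """Point 1 of the post: pick r in [n, 2n), compute y = g^r, ask for
    s = log_g(y).  Then g^(r-s) = 1, so r - s is a multiple of ord(g); when g
    has order lcm(p-1, q-1) that is a multiple of phi(n)/gcd(p-1, q-1)."""
    if r is None:
        r = rng.randrange(n, 2 * n)
    y = pow(g, r, n)
    s = dlog_oracle(g, y, n)
    m = r - s                                # positive: s < ord(g) < n <= r
    if pow(g, m, n) != 1:
        raise ValueError("oracle answer inconsistent with y = g^r")
    return factor_from_exponent_multiple(n, m)


if __name__ == "__main__":
    print("ord(2) == 5100:", has_exact_order(G_TOY, N_TOY, 5100, (2, 3, 5, 17)))
    print("factors of", N_TOY, "from a discrete-log oracle:", factor_via_dlog(N_TOY, G_TOY))
```

With g of order lcm(p-1, q-1), the search in factor_from_exponent_multiple succeeds for at least half of all bases a, so trying a = 2, 3, ... in order finishes almost immediately. The hard direction in point 2, from discrete logs modulo a prime p to factoring, is the open problem the post names, and nothing here touches it.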

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: SSL/RC4_128_EXPORT40
Date: 15 Dec 1999 08:46:13 -0800

Start by reading the SSL specification.
The answer is a little too long to give here in full detail, so you'd
have to read the spec anyway.

Others have done this experiment before, and helped understand very well
exactly what the cost of RC4 keysearch is in software.  You might like to
read about their efforts first -- if so, do a websearch for brutessl,
Adam Back, Ian Goldberg, Hal Finney, or the cypherpunks brute squad.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 11:05:24 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> Jim Gillogly wrote:
> > Is it also against the law for NSA to decrypt communications that
> > were intercepted and handed to them by the FBI working a domestic
> > case?
> 
> Yes, in most instances.

Of course, you could always weave in a foreign angle, like the guy was
wearing foreign made threads, or ate at other than a domestic oriented
cafe.  It all depends on how you decorate the cake as to whether it will
be eaten.  The results might still be that nothing is interesting rather
than a transcript.
-- 

There are those who are neither constrained by in belief of 
their power over time and space.

All will have found too late when their time has run out, 
and others find for them, a little space to be forgotten in.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Better encryption? PGP or Blowfish?
Date: Wed, 15 Dec 1999 17:09:56 GMT

In article <[EMAIL PROTECTED]>,
  James Felling <[EMAIL PROTECTED]> wrote:
>
>
> molypoly wrote:
>
> >       Ok, I'm a 'newbie' and am trying to understand this. With a "zero
> > information system" such as PGP, one can easily read the encrypted
> > file.
> >       If you are using PcCrypto, where the passphrase is not stored
> > ANYWHERE, then one cannot read the encrypted file. Am I getting this?
> >   Thanks in advance.
>
> I think that is what they are saying, but I think that they are wrong.

That was not what *i* was saying.

Tom



------------------------------

From: <[EMAIL PROTECTED]>
Subject: Re: The Code Book
Date: Wed, 15 Dec 1999 17:33:04 GMT

In response to my own post:

About half of the perpetual calendars I've found on the web give 15
October 1586 as a Saturday, as I also found with the Unix 'cal' that came
with my SuSE Linux 6.1. Other sites list the day as a Wednesday.

Most Julian day calculators on the web give 15 October 1586 as JD 2300622 (one
gave JD 2300620). Today, Wednesday, 15 December 1999 is JD 2451528, 150906
days since that date, or exactly 21558 weeks since then.

So it seems that it probably was a Wednesday that Queen Mary first
appeared in court.

Warner <[EMAIL PROTECTED]> wrote:
> The first sentence of Simon Singh's _The Code Book_ is, "On the morning of
> Wednesday, 15 October 1586, Queen Mary entered the crowded courtroom  of
> Fotheringhay Castle". The calendars I have referred to give this date as
> being on a Saturday. I'm interested in hearing comments on this apparent
> inconsistency or references to such.

> -- 

------------------------------

From: "Law Wun Suen, Brian" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.java.security,microsoft.public.java.security,comp.lang.java.programmer
Subject: Re: Data Encryption in Applet?
Date: Thu, 16 Dec 1999 01:23:54 +0800

I made a big, big mistake....
The secret key should be generated by the client instead of the server, and the
public key of the server used to encrypt it.

Thank you, Chris, for pointing out my mistake.

Rgds,
Brian Law





------------------------------

Date: Wed, 15 Dec 1999 09:42:15 -0800
From: Niall Parker <[EMAIL PROTECTED]>
Subject: Re: Conditional (keyed) bidirectional hash function ?

OK, I should have been looking at signature schemes, thanks for
the tips :)

How important is hashing the original serial number A ? Would leaving
it sequential weaken the authentication ?

                                                ... Niall

------------------------------

From: Uri Blumenthal <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 12:41:04 -0500

Tim Wood wrote:
> OK, right. I don't think that all of the analysis on DES is invalidated 
> by any means - in the same way that it is possible to use Differential
> Cryptanalysis on several different ciphers. I also see from the paper
> that the key generation techniques can also be applied to IDEA with
> minor modification (and other block ciphers in general)

Yes.

However you are aware of the crypto rule of thumb: if you change
anything in the algorithm, the analysis *results* obtained for
the original one, no longer apply to the modified one - i.e.
if the original cipher was found to have strength of 2^N,
the modification changed it to ???. [the fear is that while
improving resistance against attack A, it became weaker against
another attack B.]
 
> They also suggest Changing the order of the S-Boxes (in passing) to
> 24673158. This in-fact comes from the analysis done on normal DES and 
> 3DES.

No we didn't. That's from different papers/proposals by either
Eli Biham, or Matsui-san. We wanted to preserve ALL of the
crypto engine, because changing the order of S-boxes invalidates
the results of analysis - it's now an effectively new cipher engine,
whose resistance has to be analyzed from scratch (which they did, of
course).


> I also see that the new key-schedule eliminates weak keys from the
> cipher.

Oh yes it does - a neat thing, if you ask me (:-).

> And to use it DES does not necessarily have to be tripled, I understand
> that they suggest 32 round DES (not 48-round triple DES) although mostly 
> it is personal choice and "best-for-situation".

It is not exactly a "personal choice" - but a computation of the
strength accomplished. I.e. one shot in the head is usually enough.
Two to five will make it really certain. 344 shots do seem rather 
excessive.

[I can add, that the experience of analyzing GOST has been utilized.]

> My understanding from Appendix A was that they had actually renamed it
> to DES-SK/n. Am I incorrect?

You are correct, and yes we did.

> So DES-SK/32 (better double-DES) or triple DES improvement DES-SK/48.
> are being suggested?

Yes, for the reasons outlined above.

Unfortunately, there is one attack nothing can defend against:
collecting a dictionary. This dooms ALL 64-bit block ciphers.
So AES begins 128-bit block cipher standard, and DES-SK loses
its relevance as a practical cipher (unless you don't expect to
produce enough ciphertext for this attack to be a concern), and
becomes a mere demonstration of what a strong key schedule can do
and how it could be computed...

> >This was the purpose of the
> >design suggested in the above paper: to keep valid the results
                     may I underline this word:           ^^^^^^^
> >of 20+ years of analysis AND at the same time increase the
> >strength of the algorithm, with MINIMAL invasion.
> >IMHO it was accomplished.
> 
> It was indeed, I am Impressed.

(:-) Thanks!


> >In other words, the modified algorithm is DES because all the
> >ANALYSIS performed on DES is still valid and applicable.
> 
> But, some of the analysis of DES is applicable to block ciphers in
> general....

The *analysis* is certainly applicable. The *results* - not exactly.
I mean - a cipher that fended off attacks for 20 years, is somewhat
more likely to resist attacks yet to come, than a cipher which has
been around (analysed) only for two-three years... Mentality...

> I think that for manageability's sake, DES and 3DES should be
> reserved as names for the relevant standards. If people were allowed to
> significantly modify DES and still call it DES snake oil advertising
> would simply get worse.

Which is why in the paper we did give it a different name, to show
both the similarity and the divergence.

> Also from a knowledge management Point of view, having lots of schemes
> with the same name starts to detract from the discussion of their 
> merits ;-).

(:-)
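
The "collecting a dictionary" remark above is the block-size limit that no key schedule can repair. The following added example (Python written for this page, not the poster's code) makes it concrete with a constructed toy cipher: a random permutation on B-bit blocks stands in for any ideal block cipher, CBC mode is run under one key, and the first repeated ciphertext block gives away the XOR of two plaintext blocks. The repeat arrives after roughly sqrt(pi/2 * 2^B) blocks, the birthday bound, which for B = 64 is about 2^32 blocks (32 GiB), far short of a full 2^64-entry dictionary; B = 16 is used so the run finishes in well under a second.

```python
# Added example, not from the digest.  Shows why the safe data volume under
# one key is set by the block size: a repeated ciphertext block in CBC mode
# leaks plaintext, and repeats appear at the birthday bound sqrt(pi/2 * 2^B).
# The "cipher" is a random permutation (constructed stand-in for an ideal
# block cipher) and all plaintext is constructed at random.
import math
import random


def birthday_blocks(block_bits):
    """Expected number of blocks before two ciphertext blocks coincide under
    one key: sqrt(pi/2 * 2^B).  About 2^32 blocks (32 GiB) for a 64-bit block."""
    return math.sqrt(math.pi / 2 * 2 ** block_bits)


def make_toy_cipher(block_bits, seed):
    """A random permutation on B-bit values plays the keyed block cipher;
    the seed plays the key.  Only feasible for small B, which is the point."""
    perm = list(range(1 << block_bits))
    random.Random(seed).shuffle(perm)
    return perm


def cbc_encrypt(cipher, iv, blocks):
    """Textbook CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for p in blocks:
        c = cipher[p ^ prev]
        out.append(c)
        prev = c
    return out


def first_collision(ct):
    """Index pair (i, j), i < j, of the first repeated ciphertext block, or None."""
    seen = {}
    for j, c in enumerate(ct):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def leak_from_collision(block_bits=16, seed=7):
    """Encrypt random plaintext under one key until a ciphertext block repeats,
    then recover P_i XOR P_j from ciphertext alone and check it against the
    plaintext.  2^B + 1 blocks are enough by the pigeonhole principle; the
    repeat normally shows up near the birthday estimate instead."""
    rng = random.Random(seed)
    cipher = make_toy_cipher(block_bits, seed)
    n = (1 << block_bits) + 1
    pt = [rng.getrandbits(block_bits) for _ in range(n)]
    iv = rng.getrandbits(block_bits)
    ct = cbc_encrypt(cipher, iv, pt)
    i, j = first_collision(ct)
    # C_i == C_j and E is a bijection, so P_i ^ C_{i-1} == P_j ^ C_{j-1},
    # hence P_i ^ P_j == C_{i-1} ^ C_{j-1}: known to anyone holding the ciphertext.
    prev = [iv] + ct[:-1]
    leaked = prev[i] ^ prev[j]
    return {
        "blocks_until_repeat": j + 1,
        "birthday_estimate": round(birthday_blocks(block_bits)),
        "leak_correct": leaked == pt[i] ^ pt[j],
    }


if __name__ == "__main__":
    print(leak_from_collision())
    for b in (64, 128):
        print(f"{b}-bit block: expect a repeat after about 2^{math.log2(birthday_blocks(b)):.1f} blocks")
```

The output shows the repeat index next to the birthday estimate (about 321 for B = 16) and confirms the leak. Raising block_bits to 20 makes the gap between 2^B and sqrt(2^B) more visible, at the cost of a table with a million entries.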

------------------------------

From: John Bottoms <[EMAIL PROTECTED]>
Subject: Skytale?
Date: Wed, 15 Dec 1999 21:13:01 GMT

Krewe,

The Roman rulers used a skytale to encrypt messages by
wrapping a strip of cloth around a rod.  The message was
written on the cloth and when unrolled from the rod it was
difficult (then) to decrypt unless you had a rod of the same
size.  As I understand it there were rods of different sizes
in use.

So...if a ruler had a number of rods and wanted to keep them
close so no one could measure them he would probably bundle
the rods together and keep it nearby.  It sounds mysteriously
like a fasces (fascist) which are often shown in the hands of
Roman rulers.  Is this likely?  (Remember, you heard it here first.)

-JB
 (Krewe Vietnam)



------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 18:16:00 -0000


Uri Blumenthal wrote in message <[EMAIL PROTECTED]>...
>Tim Wood wrote:
>> OK, right. I don't think that all of the analysis on DES is invalidated
>> by any means - in the same way that it is possible to use Differential
>> Cryptanalysis on several different ciphers. I also see from the paper
>> that the key generation techniques can also be applied to IDEA with
>> minor modification (and other block ciphers in general)
>
>Yes.
>
>However you are aware of the crypto rule of thumb: if you change
>anything in the algorithm, the analysis *results* obtained for
>the original one, no longer apply to the modified one - i.e.
>if the original cipher was found to have strength of 2^N,
>the modification changed it to ???. [the fear is that while
>improving resistance against attack A, it became weaker against
>another attack B.]


I am, but the methods still apply. I do take your point about not having to
re-do the analysis by not changing the 'engine' though.


>> They also suggest Changing the order of the S-Boxes (in passing) to
>> 24673158. This in-fact comes from the analysis done on normal DES and
>> 3DES.
>
>No we didn't. That's from different papers/proposals by either
>Eli Biham, or Matsui-san. We wanted to preserve ALL of the
>crypto engine, because changing the order of S-boxes invalidates
>the results of analysis - it's now an effectively new cipher engine,
>whose resistance has to be analyzed from scratch (which they did, of
>course).

Sorry, I interpreted it as a suggestion rather than a reference.

"The same paper also showed that S-boxes order “24673158” is immune to both
differential and linear attack. Combining this with our key schedule and a
generating key length of at least 64 bits again results in a practically
unbreakable cipher."

I think however that it was due to me adding too much significance to this
bit when I was reading it.

>
>> I also see that the new key-schedule eliminates weak keys from the
>> cipher.
>
>Oh yes it does - a neat thing, if you ask me (:-).
>
>> And to use it DES does not necessarily have to be tripled, I understand
>> that they suggest 32 round DES (not 48-round triple DES) although mostly
>> it is personal choice and "best-for-situation".
>
>It is not exactly a "personal choice" - but a computation of the
>strength accomplished. I.e. one shot in the head is usually enough.
>Two to five will make it really certain. 344 shots do seem rather
>excessive.

Sorry, very bad wording on my part, "implementation and risk-model
dependent" would be better. *grin*

>[I can add, that the experience of analyzing GOST has been utilized.]
>
>> My understanding from Appendix A was that they had actually renamed it
>> to DES-SK/n. Am I incorrect?
>
>You are correct, and yes we did.
>
>> So DES-SK/32 (better double-DES) or triple DES improvement DES-SK/48.
>> are being suggested?
>
>Yes, for the reasons outlined above.
>
>Unfortunately, there is one attack nothing can defend against:
>collecting a dictionary. This dooms ALL 64-bit block ciphers.
>So AES begins 128-bit block cipher standard, and DES-SK loses
>its relevance as a practical cipher (unless you don't expect to
>produce enough ciphertext for this attack to be a concern), and
>becomes a mere demonstration of what a strong key schedule can do
>and how it could be computed...


Yes, I understand that some analysis has been done on using triple-DES to
effectively create a 128bit-block, but it only weakened the cipher.

>
>> >This was the purpose of the
>> >design suggested in the above paper: to keep valid the results
>                     may I underline this word:           ^^^^^^^
>> >of 20+ years of analysis AND at the same time increase the
>> >strength of the algorithm, with MINIMAL invasion.
>> >IMHO it was accomplished.
>>
>> It was indeed, I am Impressed.
>
>(:-) Thanks!
>
>
>> >In other words, the modified algorithm is DES because all the
>> >ANALYSIS performed on DES is still valid and applicable.
>>
>> But, some of the analysis of DES is applicable to block ciphers in
>> general....
>
>The *analysis* is certainly applicable. The *results* - not exactly.
>I mean - a cipher that fended off attacks for 20 years, is somewhat
>more likely to resist attacks yet to come, than a cipher which has
>been around (analysed) only for two-three years... Mentality...

Point taken.

tim




------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Better encryption? PGP or Blowfish?
Date: Wed, 15 Dec 1999 19:15:40 GMT

In article <8375uj$9ik$[EMAIL PROTECTED]>, molypoly <[EMAIL PROTECTED]> wrote:
>      Ok, I'm a 'newbie' and am trying to understand this. With a "zero
>information system" such as PGP, one can easily read the encrypted
>file.
    All a ZERO INFORMATION system means is that if someone
has the time all the information needed to break the system is
there. Zero additional information is needed to break the system.
PGP is such a system. People who compress with bad compression
and then use standard encryption also may fall into this group.
>      If you are using PcCrypto, where the passphrase is not stored
>ANYWHERE, then one cannot read the encrypted file. Am I getting this?
>  Thanks in advance.
>
   I don't know much about PcCrypto. But if it is not a ZERO Knowledge
type of encryption then the attacker needs additional information to break
the system. In short even if your message is 1000 times longer than
your key. If the person had all the time in the Universe he still without
additional information can not break your system since he would not
know the solution even if he found it. However if the attacker knows
additional information such as you're an English speaker and there is
some high probability that you used MSWORD to write an English
text then he may use that information to guess a solution if such a
solution exists in the solution space. But in a ZERO information
system like PGP given enough time you can with 100% accuracy
get the solution to the encrypted file without any outside information;
this is something new people to crypto do not understand.






David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Better encryption? PGP or Blowfish?
Date: Wed, 15 Dec 1999 12:28:03 -0600



"SCOTT19U.ZIP_GUY" wrote:

> In article <8375uj$9ik$[EMAIL PROTECTED]>, molypoly <[EMAIL PROTECTED]> wrote:
> >      Ok, I'm a 'newbie' and am trying to understand this. With a "zero
> >information system" such as PGP, one can easily read the encrypted
> >file.
>     All a ZERO INFORMATION system means is that if someone
> has the time all the information needed to break the system is
> there. Zero additional information is needed to break the system.
> PGP is such a system. People who compress with bad compression
> and then use standard encryption also may fall into this group.

>
> >      If you are using PcCrypto, where the passphrase is not stored
> >ANYWHERE, then one cannot read the encrypted file. Am I getting this?
> >  Thanks in advance.
> >
>    I don't know much about PcCrypto. But if it is not a ZERO Knowledge
> type of encryption then the attacker needs additional information to break
> the system. In short even if your message is 1000 times longer than
> your key. If the person had all the time in the Universe he still without
> additional information can not break your system since he would not
> know the solution even if he found it. However if the attacker knows
> additional information such as you're an English speaker and there is
> some high probability that you used MSWORD to write an English
> text then he may use that information to guess a solution if such a
> solution exists in the solution space. But in a ZERO information
> system like PGP given enough time you can with 100% accuracy
> get the solution to the encrypted file without any outside information;
> this is something new people to crypto do not understand.
>
> David A. Scott

Alright I am really confused now.  I do not understand your terms, much less the
point being driven at.  I had thought I did, but it seems that based on this posting
I did not.

What is a Zero information system( as you use the term)?

What is a Zero Knowledge system(as you use the term)?

Could you also give examples for each of a system which is one, and an example of a
system which is not?

Thanks.


------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 11:36:21 -0700

Paul Koning wrote: 
> Eric Lee Green wrote:
> > ...
> > Today's enterprise-class tape drives can handle streams of up to 40 megabytes
> > per seconds. The servers that feed these beasts may have multiple gigabit
> > Ethernet cards so that they can suck down enough data to keep the pipe full. I
> > looked at encrypting those streams with 3DES, since 3DES is a nice proven
> > algorithm, but it was just TOO BLOODY SLOW.
> 
> Actually, in silicon 3DES isn't too bad. 

Unfortunately, network cards which incorporate encryption are not currently
available for a reasonable price. The problem is U.S. export restrictions --
having two versions of hardware (one domestic, one global) is much harder than
having two versions of software (where you can basically chop out the
encryption with one #define at compile time). 

So software it is, and 3DES is too slow in software to keep up with Gigabit
Ethernet :-(.

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Deciphering without knowing the algorithm?
Date: Wed, 15 Dec 1999 19:27:45 GMT

In article <[EMAIL PROTECTED]>, CLSV <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>
>> [...] If you see an algorithm that is advertised as thoroughly studied by the
>> best cryptoheads in the world. Then you can be pretty damn sure it is weak.
>> Strong crypto is not allowed. You can not export it since if you could the
>> NSA would not be allowed to read your mail and they ain't about to let
>> that happen.
>
>Not all of "the best cryptoheads in the world" live in the US.
>Furthermore as I understand it the US export regulations are only
>valid for binaries. You still may export knowledge. And that is
>what happens on this newsgroup.
    Actually you're wrong. Maybe Crypto Gods get to export freely
but in most of the US only code in a book can be exported. I can
not give you the source code of my stuff directly from Texas
without fear of Jack Booted thugs kicking in my door.
  Yes I know not all the good cryptoheads live in the US
but what makes you think the NSA would not kill or silence
them if they are perceived as a threat. I thought just this last
year there was a strange death of a European expert. Do
you really think the NSA would let someone in Europe
make real progress who was not controlled directly by
them. Don't forget even the Swiss are in bed with the NSA;
you do remember how they modified the Swiss crypto equipment
so as to help in spying.





>
>>  By the way the Crypto Gods have declared scott19u weak and easy to break
>> but the bastards keep making excuses why they can't break it. Mr Wagner who
>> publicly bragged on this forum that his latest slide attack would be the death
>> of my method was full of shit.
>
>Breaking a cipher costs effort. So if someone is willing to
>take time to look into a design on this forum it is a favour.
>

    Yes I did consider it a favor. And I understand Mr BS and
friends have looked at my stuff but don't have the balls to say
much about it. I think it is too embarrassing for them. Like I 
said the last public statement made by Wagner who MR BS
rates very highly admitted he wasn't bright enough to actually
read C code that compiles on DJGPP so he was full of shit
when he claimed his shitty Slide Attack could kill it. He
is strangely silent about this recently except to say I have
no new ideas about crypto when he can't even understand
what the fuck I wrote in scott19u. He is a fucking phony.




>Think about it.
>
>Regards,
>
>        Coen Visser


David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Non-linear PRNGs
Date: Wed, 15 Dec 1999 19:45:15 +0100

David Wagner wrote:
> 
> Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
> > In a post of Feb 1988 in sci.crypt, V. S. Anashin has given a
> > general theorem for constructing full period (2^m) non-linear
> > PRNGs of arbitrarily high degree. (Literature: Mathematical Notes,
> > Vol. 55, 1994, p. 109-133. Plenum Pub.). This is reproduced in
> > essence below:
> >
> >    Let f(x) = a_0 + a_1*x^(1) + a_2*x^(2) + ..... + a_n*x^(n)
> >    where x^(k) = x(x-1)(x-2)...(x-k+1).
> >    Then the generator u(i) = f(u(i-1)) mod 2^m (m>2) has period
> >    2^m if and only if the following congruences hold:
> >    a_0 = 1 mod 2,  a_1 = 1 mod 4,  a_2 = 0 mod 2,  a_3 = 0 mod 4.
> >
> > Question: Has anyone studied such PRNGs from cryptological point
> > of view? I surmise that they are extremely hard for analysis even
> > with moderate values of n.
> 
> I don't think this is secure for cryptographic purposes.
> 
> Note that this generator never mixes the higher-order bits into the
> least significant bits.  In other words, you can reduce everything in
> sight mod two, and all the equations still hold.

Sorry, I don't yet understand your statements. Let m=32 and n=5. 
Could you please use an example and give a sketch of computations 
substantiating the above?

M. K. Shen
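
Both David Wagner's reply earlier in this digest (learning the a_i's mod 2^k one bit layer at a time, with fewer bits needed for the higher-degree coefficients) and M. K. Shen's request above for a sketch with m = 32 and n = 5 are served by the following added example. It is Python written for this page, not code from either poster. The coefficients and seed are constructed (the first four satisfy the congruences quoted from Anashin); the only fact used beyond the posts is that x^(j), a product of j consecutive integers, is always divisible by j!, so the term a_j*x^(j) can never influence output bits below position v2(j!), the 2-adic valuation of j!.

```python
# Added example, not from the digest.  The falling-factorial generator quoted
# by M. K. Shen with m = 32, n = 5, used to show the two points in David
# Wagner's replies:
#  (1) every equation still holds after reduction mod 2^k, so the low k bits
#      of the output depend only on the low k bits of seed and coefficients;
#  (2) the coefficients can therefore be learned one bit layer at a time.
# Secret coefficients, seed and sample counts below are constructed for the demo.
import itertools

M = 32            # word size: the generator runs mod 2^M
N = 5             # degree: coefficients a_0 .. a_N


def falling(x, j):
    """x^(j) = x(x-1)...(x-j+1), the falling factorial used in the post."""
    r = 1
    for i in range(j):
        r *= x - i
    return r


def f(a, x, k=M):
    """f(x) = sum a_j * x^(j), reduced mod 2^k."""
    return sum(a[j] * falling(x, j) for j in range(len(a))) % (1 << k)


def run(a, seed, count, k=M):
    """Outputs u_1..u_count with u_i = f(u_{i-1}) mod 2^k."""
    out, u = [], seed
    for _ in range(count):
        u = f(a, u, k)
        out.append(u)
    return out


def v2_factorial(j):
    """2-adic valuation of j! (Legendre's formula).  Any product of j consecutive
    integers is divisible by j!, so x^(j) is divisible by 2^v2(j!) for every x."""
    v, p = 0, 2
    while p <= j:
        v += j // p
        p *= 2
    return v


def low_bits_closed(a, seed, k, count=8):
    """Point (1): running the generator mod 2^k on the truncated seed and
    coefficients reproduces the low k bits of the full-width run."""
    full = run(a, seed, count)
    small = run([c % (1 << k) for c in a], seed % (1 << k), count, k)
    return all(u % (1 << k) == s for u, s in zip(full, small))


def recover(seed, outputs):
    """Point (2): learn the coefficients layer by layer.  At layer k the only
    bits of a_j that can influence outputs mod 2^k sit at positions
    <= k-1-v2(j!), so we assign that one new bit per coefficient, keep every
    assignment consistent with all observed transitions mod 2^k, and go on.
    Returns every coefficient vector consistent with the observations; the
    true one (restricted to influential bits) is always among them."""
    pairs = list(zip([seed] + outputs[:-1], outputs))
    cands = [[0] * (N + 1)]
    for k in range(1, M + 1):
        new_bits = [(j, k - 1 - v2_factorial(j)) for j in range(N + 1)
                    if k - 1 - v2_factorial(j) >= 0]
        survivors = []
        for base in cands:
            for choice in itertools.product((0, 1), repeat=len(new_bits)):
                cand = list(base)
                for (j, pos), bit in zip(new_bits, choice):
                    cand[j] |= bit << pos
                if all(f(cand, x, k) == y % (1 << k) for x, y in pairs):
                    survivors.append(cand)
        cands = survivors
    return cands


# Constructed secret: a_0 odd, a_1 = 1 mod 4, a_2 even, a_3 = 0 mod 4 as in the
# quoted theorem; a_4 and a_5 are kept below 2^29 because their top
# v2(4!) = v2(5!) = 3 bits could never influence an output anyway.
SECRET = [0x2C3D5E6F, 0x1A2B3C0D, 0x0F0E0D0C, 0x00ABCDE4, 0x0F9A8B7C, 0x1B2C3D4E]
SEED = 0x12345678


def demo(observed=16, held_out=4):
    """Observe some outputs, recover the coefficients, predict the rest."""
    outs = run(SECRET, SEED, observed + held_out)
    cands = recover(SEED, outs[:observed])
    prediction = run(cands[0], outs[observed - 1], held_out)
    return {
        "candidates": len(cands),
        "recovered_exactly": SECRET in cands,
        "prediction_ok": prediction == outs[observed:],
    }


if __name__ == "__main__":
    for k in (1, 8, 16):
        print(f"low {k:2d} bits closed under reduction: {low_bits_closed(SECRET, SEED, k)}")
    print(demo())
```

Running it prints that the low k bits are closed under reduction and that 16 observed outputs pin down the coefficients (the candidate count is normally 1; the true vector is always among the candidates because it satisfies every congruence). The offset v2(j!), which equals j minus the number of one bits in j, is the exact form of the "x^(k+c) for some small constant c" in Wagner's post: layer k can ignore every bit of a_j above position k-1-v2(j!), which is what keeps the per-layer guess to at most n+1 bits and the total work at the O(k * 2^k) he estimates.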

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
