Cryptography-Digest Digest #714, Volume #11       Fri, 5 May 00 23:13:01 EDT

Contents:
  Re: Crypto Export (Jerry Park)
  Re: cryptographically secure (Tom St Denis)
  Re: GPS encryption turned off ([EMAIL PROTECTED])
  Re: GPS encryption turned off ([EMAIL PROTECTED])
  Re: GPS encryption turned off (Martin Grossman)
  Re: Questions about imaginary quadratic orders (David Hopwood)
  Unbreakable Superencipherment Rounds (UBCHI2)
  Re: Crypto Export ("Adam Durana")
  XTR and Diffie-Hellman (David Hopwood)
  Re: Crypto Export (Bill Unruh)
  Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net" (Dave J)
  Re: Unbreakable Superencipherment Rounds ("Scott Fluhrer")
  Re: Unbreakable Superencipherment Rounds (Tom St Denis)
  Re: quantum crypto breakthru? (Roger)
  Re: AEES Advanced ("Scott Fluhrer")
  Re: Unbreakable Superencipherment Rounds (Mr. Klay I. Eno)

----------------------------------------------------------------------------

From: Jerry Park <[EMAIL PROTECTED]>
Subject: Re: Crypto Export
Date: Fri, 05 May 2000 18:51:58 -0500

Stou Sandalski wrote:

> Well it's almost the end of my school year (25 days left) and in government
> everyone had to pick a pro/con topic (like abortion, legalization of weed,
> gun control laws... etc.) and write a paper on it; giving both sides and
> stating one's own opinion.  Now naturally I picked US laws against export of
> strong crypto systems.  Now my problem is that I need to include actual
> facts, statistics, even quotes and I have material against export control
> laws, but I can't find arguments for the export control laws (officially
> arguments that is, papers and things written by actual people)...
>
> Does anyone here know where I can get some material like that? Also are
> there any cell phones currently produced or that have been produced that
> have the clipper chip or any similar key-escrow dealie in them?
>
> thanks
>
> Stou

As noted in previous posts, there are several places to obtain arguments for
export control.

I don't think you will find any arguments which make any sense (I've never seen
a sensible argument for it).




------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: cryptographically secure
Date: Sat, 06 May 2000 00:05:26 GMT



Ali Tofigh wrote:
> 
> Hi!
> 
> I'm in urgent need for a cryptographically secure random number
> generator... I'm studying cryptography and implementing an RSA-system
> and therefore I need a random number generator that can generate
> large numbers. Around 400-500 bits long at least.
> 
> Regards
> A.T.

Normally you make PRNG bits one at a time and concatenate them
together.  So you just need a non-linear, long-period PRNG.

Such as a hash in counter mode.

Tom
--
Want your academic website listed on a free websearch engine?  Then
please check out http://tomstdenis.n3.net/search.html, it's entirely
free and there are no advertisements.
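Tom's suggestion made concrete: the generator below is an added example (mine, not Tom's or Ali's code) that produces pseudorandom output as SHA-256(seed || counter) blocks and concatenates them into a 400-500-bit integer of the kind an RSA key generator hands to a primality test. The class and method names are my own, and the seed is assumed to come from os.urandom.

```python
import hashlib
import os


class HashCounterPRNG:
    """Pseudorandom bits built as SHA-256(seed || counter) blocks, concatenated.

    Constructed for this example.  The 64-bit counter gives a period of 2**64
    blocks; the hash supplies the non-linearity Tom asks for.  Anyone who
    learns the seed can regenerate every block ever produced, so the seed must
    come from the OS entropy source and never be logged or reused.
    """

    def __init__(self, seed: bytes) -> None:
        if len(seed) < 32:
            raise ValueError("seed needs at least 256 bits of entropy")
        self._seed = seed
        self._counter = 0
        self._buffer = b""

    def _next_block(self) -> bytes:
        # Counter is encoded at a fixed width so (seed, counter) is unambiguous.
        ctr = self._counter.to_bytes(8, "big")
        self._counter += 1
        return hashlib.sha256(self._seed + ctr).digest()

    def random_bytes(self, n: int) -> bytes:
        # Concatenate as many hash blocks as needed; keep the leftover for later.
        while len(self._buffer) < n:
            self._buffer += self._next_block()
        out, self._buffer = self._buffer[:n], self._buffer[n:]
        return out

    def random_bits(self, nbits: int) -> int:
        """Integer uniform in [0, 2**nbits): concatenate blocks, then mask off
        the excess high bits of the final partial byte."""
        nbytes = (nbits + 7) // 8
        value = int.from_bytes(self.random_bytes(nbytes), "big")
        return value & ((1 << nbits) - 1)

    def rsa_prime_candidate(self, nbits: int) -> int:
        """Random odd integer of exactly nbits bits (top bit forced to 1), the
        kind of value an RSA key generator hands to a primality test."""
        return self.random_bits(nbits) | (1 << (nbits - 1)) | 1


def fresh_generator() -> HashCounterPRNG:
    """Seed from the operating system's entropy source."""
    return HashCounterPRNG(os.urandom(32))


if __name__ == "__main__":
    gen = fresh_generator()
    candidate = gen.rsa_prime_candidate(512)
    print(f"{candidate.bit_length()}-bit candidate: {candidate:#x}")
```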

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: GPS encryption turned off
Crossposted-To: sci.geo.satellite-nav
Date: Sat, 06 May 2000 00:37:04 GMT

In sci.crypt Paul Rubin <[EMAIL PROTECTED]> wrote:
> OK, this helps somewhat, but remember, the enemy only has to borrow
> ONE unit to compromise the whole system for as long as the unit stays
> whitelisted.  They have to be protected MUCH more carefully than, say,
> vehicles or machine guns.

Well, machine guns are also a sensitive item. I'm not sure about
vehicles, but losing one of those isn't a good career move either. :)

> Are you serious about this?  The army really has time to go round up
> every single GPS every 12 hours, in the middle of some messy troop
> operation or invasion, which is precisely when the GPS's are needed
> most?  I guess it's possible but it surprises me.

Actually, most combat units do it substantially more often. At the
bottom of the chain of command, you're checking a handful of people,
say four to nine. Of course, you don't pull out the list and check the
serial number every time, you just make sure Joe Moron is still
carrying the damn thing most of them.

Every single gps isn't a large number, either. Individual troops don't
need them, since it's a command function to verify your position. So,
in a 40 man platoon you may have 1 per squad, 1 for the PL and 1 for
the PSG. However, with troops you also need to check for lost weapons,
sufficient ammo, medical problems, injuries, lost equipment, bad
morale, assign sectors of fire, etc. In short there's a _long_ list of
things that the NCO chain handles, and tacking "look for the plugger" onto
it isn't onerous. ;)

> Don't forget, too, that the person who checks the serial numbers is
> also susceptible to bribes/seduction/blackmail/etc.

True, but they also have a security clearance and the arms room
controls to contend with. The only time it would be feasible to steal
(borrow) one is when the unit is garrisoned and they're in storage, at
which time they're unfilled and useless for espionage.

> I wonder if they'd be better off with some cryptographic authentication
> in each unit, so at inventory time they'd plug each unit into some
> gizmo that would authenticate it (that also would be a good time to
> rekey it, instead of OTAR).

They're actually keyed by "gizmo" now. I'm not certain what the new
system will be.

> I thought they were handed out in fairly large quantities during real
> operations, but I could be wrong.  Does the typical KFOR troop have
> one these days?

The typical infantry company issues one to every unit that will
operate independently, and one to every NCO in a counterpart
role. That is:

CO/1SG - 1 each
XO - 1
PL - 1 each (times 4 platoons)
PSG - 1 each (times 4 platoons)
SL - 1 each (3 or 4 squads per platoon, 4 platoons)

That's 14 units for well over 100 troops. Of course, numbers vary with
the type of unit and mission, but it's obvious that they're much less
common than weapons, and about as common as radios. I would hazard a
guess that these units have more of them than others too, since
working without vehicles eliminates any vehicle-mounted devices.

I mean, an armor battalion probably has as many units as tanks, say 1
per tank crew. However, stealing an Abrams isn't really an option. ;)

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: GPS encryption turned off
Crossposted-To: sci.geo.satellite-nav
Date: Sat, 06 May 2000 00:42:57 GMT

In sci.crypt Robert & Mary Barkley <[EMAIL PROTECTED]> wrote:
> But, GPS codes do NOT change every 12 hours.

Indeed, the point was that outside the arms room, most are counted at
least every 12 hours. This makes tampering with one and replacing it
somewhat harder than you may suppose.

> The operating manual for the AN/PSN-11 Programmable-Lightweight GPS
> Receiver (PLGR, or "Plugger"), specifically states that the unit is NOT
> classified when loaded with the GPS codes, due to the tamper proof
> security module.

Classified no, but it _is_ a sensitive item, and I think you'll fail
to find a unit that accounts for theirs less than twice a day in the
field. The M-16 isn't classified, either, but a missing one attracts
attention _very_ quickly.

In any case, the original question is if stealing and replacing one is
practical, which I doubt. And, as I pointed out, getting a GI drunk in
a bar is also not an option, since the plugger doesn't generally go
with him to those establishments. ;)

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: Martin Grossman <[EMAIL PROTECTED]>
Crossposted-To: sci.geo.satellite-nav
Subject: Re: GPS encryption turned off
Date: Fri, 05 May 2000 20:56:28 -0400
Reply-To: [EMAIL PROTECTED]

This last article hit the nail on the head!!!!
Notice the key words below...."due to the tamper proof security module"
I have no idea what is in the army GPS's, but my company has made and still
does make government secure devices.  They all have tamper proof things in them!
There are many ways of making them tamper proof......
First...the connection where the fill device is connected is bidirectional
   communications BUT the crypto stuff, keys and algorithms, is
   unidirectional (ie no way of getting them out via the fill device port).
Second...in some secure devices chips are ruined if the device is ever
   opened (ie burnt with a heating element).
   Some delete both KEYS and algorithms and then wipe memory with
   alternating patterns until the self contained battery eventually dies out.
Third...there are many many ways of making secure devices tamper proof
   that most people wouldn't even think of!

SO, since the PLGR is considered not classified (I highly doubt this
statement), there is probably a lot of tamper proof stuff in it so the enemy
can not get anything useful out of it.

Robert & Mary Barkley wrote:

> > Are you serious about this?  The army really has time to go round up
> > every single GPS every 12 hours, in the middle of some messy troop
> > operation or invasion, which is precisely when the GPS's are needed
> > most?  I guess it's possible but it surprises me.
>
> I'm walking into the middle of this.  So forgive me if I missed part of
> the topic.
>
> But, GPS codes do NOT change every 12 hours.
>
> When you look at crypto, you need to realize that certain codes have
> probability of being compromised, or they safeguard sensitive systems.
> Which is why some codes are only good for a day, one week, one month, one
> quarter, six months, one year, etc.  It all depends upon the system
> they are used with.  And the risks of the codes being compromised.
>
> The operating manual for the AN/PSN-11 Programmable-Lightweight GPS
> Receiver (PLGR, or "Plugger"), specifically states that the unit is NOT
> classified when loaded with the GPS codes, due to the tamper proof
> security module.
> However, if one were to load a classified way point, then the unit is
> classified at that level.
>
> --
> Robert, Mary & Zachary Barkley
>
> http://www.geocities.com/barkleys_2000


------------------------------

Date: Sat, 06 May 2000 02:41:54 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: Questions about imaginary quadratic orders

Diet NSA wrote:
> In article <[EMAIL PROTECTED]>, David Hopwood
> <[EMAIL PROTECTED]> wrote:
> 
> >   I don't have a copy of [Due91]; if anyone does, I'd very much
> >   appreciate it if they could post the RESSOL algorithm and the
> >   algorithm for computing a Kronecker symbol, or point me to
> >   another description of these algorithms.
> 
> If you're interested, the Magma software package might be able to
> do tasks like these. See :
> 
> http://www.maths.usyd.edu.au:8000/u/magma

Thanks.

> I suspect that you are more qualified to answer the questions you
> posed than anyone else here. If you need help I would suggest
> that you more directly contact the relevant experts.

Well, I'd never heard of quadratic orders before a week ago, but I
think you're right that Usenet was probably not the right place to ask
about this.

-- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01



------------------------------

From: [EMAIL PROTECTED] (UBCHI2)
Subject: Unbreakable Superencipherment Rounds
Date: 06 May 2000 01:46:48 GMT

There is a way to encrypt communications that makes them impregnable to
cryptanalysts theoretically.  Can the following sequence be implemented?

1)  1 round RC6
2)  1 round TwoFish
3)  1 round Serpent
4)  1 round Mars
5)  1 round Rijndael

Then top off the rounds with a final pass with 3DES.  Then I do it again by
randomizing the number of rounds of each and the order of the
superencipherments using SIGABA irregular movement of the algorithms.

Anyone want to try to get through that?  Obviously the speed would be slow, but
for top secret materials, is the security too much?





------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: Crypto Export
Date: Fri, 5 May 2000 21:49:13 -0400

> I don't think you will find any arguments which make any sense (I've never
> seen a sensible argument for it).

Actually there is a sensible argument and you have most likely heard it, but
you didn't like it.  As long as the US puts limits on the export of
technologies that use strong cryptographic algorithms there is no way some
sort of basic communications standard will evolve that incorporates strong
crypto.  Sure you might say there are already many standards that involve
strong crypto, but there is still a great deal of communications that go on
around the world that don't use strong crypto or any encryption at all.
From the standpoint of the agencies, such as the NSA and CIA, that monitor
communications around the world, this situation is ideal.  Now if there were
no limits on the export of crypto, eventually every method of communication
would be encrypted in some form.  And this would make those agencies' jobs
a lot harder.

I'm sure you've heard this claim before, and it does make sense.  I am not
saying it's good or bad, but it does make sense.

- Adam




------------------------------

Date: Sat, 06 May 2000 02:57:52 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: XTR and Diffie-Hellman

Scott Contini wrote:
> In article <[EMAIL PROTECTED]>,
> David Hopwood  <[EMAIL PROTECTED]> wrote:
> >Bryan Olson wrote:
> >> Tom St Denis wrote:
> >>
> >> > I still have some reading to do (I know basic EG right now) but I
> >> > am pretty sure you can get by with smaller ciphertext by using
> >> > sub-groups...
> >
> >Using a subgroup (of GF(p), say) improves efficiency, but it doesn't
> >decrease the size of the ciphertext. The value g^k (and for the
> 
> WRONG - It does decrease the size of the ciphertext if you use XTR!

We were talking about non-interactive Diffie-Hellman. XTR is a different
cryptosystem.

I'm aware that according to the XTR web site, www.ecstr.com, there are
proofs relating the security of XTR to a case of the Diffie-Hellman
Problem, but the last time I looked (just now), neither the full
specification of XTR, nor any security results had yet been published.

> This is a new research result by Arjen Lenstra and Eric Verheul
> which will appear in Crypto 2000.
> 
> XTR is done in a subgroup of GF(p^6), but elements can be written
> more compactly than the traditional discrete log based cryptosystems.
> In particular, the elements can be represented in 340 bits.  XTR
> seems to be exactly what you are looking for.

That may well be, but it can be quite difficult to compare the relative
time and space requirements of cryptosystems when different groups or
parameter choices are involved. There are also other factors affecting
choice of cryptosystem such as patents, standardisation issues, difficulty
of implementation, the precise assumptions involved in any security
arguments or proofs, etc.

I would recommend that you wait until the XTR paper has been published
(or is available on the web), and then ask here again what people think
about it.

-- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01



------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Crypto Export
Date: 6 May 2000 02:01:35 GMT

In <[EMAIL PROTECTED]> Jerry Park <[EMAIL PROTECTED]> writes:

>As noted in previous posts, there are several places to obtain arguments for
>export control.

>I don't think you will find any arguments which make any sense (I've never seen
>a sensible argument for it).

Sure there were. David Sternlight used to trot them out regularly -- and
despite some people's opinion of the source (where is he these days?)
they did make some sense. The crucial idea was that the export controls
on crypto were there to prevent companies from putting crypto into their
mass market products. Sure fringes could get ahold of pgp or whatever,
but the vast majority of people ( which includes the vast majority of
businesses and terrorists) would not bother. Thus the traffic of
foreigners would be open to US inspection, whether for economic reasons
or security reasons. This was predicated on the fact that most programs
which could use crypto are written and exported from the USA, and that
most people are too lazy, ignorant,... to go out of their way to figure
out how to put some of the grey market crypto into their systems. And
foreign businesses also would not put crypto into their products because
they would want to sell to the largest market in the world, and would
not take a chance on their program being reexported from the USA and
they being hauled into US court.

On the general level, I think that there are good reasons to limit the
export of Bazooka launchers, atomic bombs, etc. Exactly where crypto
falls in the spectrum is much more difficult and eventually the cost of
the export controls (including public relations) outweighed the benefits. 

Actually, I think that they should have encouraged MS to include crypto
in all their stuff. On the evidence of the crypto they have included in
the US market, it would have given the user a sense of confidence and
still be trivial to break. People would not have gone out to get
other crypto since it was already included. (Crypto is one product which
you cannot test the output to see if it does what it claims to do-- bad
crypto and good crypto look the same to the user.)





------------------------------

From: Dave J <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,alt.privacy,alt.ph.uk
Subject: Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net"
Date: Sat, 06 May 2000 03:34:52 +0100

On Fri, 05 May 2000 21:54:11 +0100, c u B e <[EMAIL PROTECTED]> wrote:

>You mean you could turn the data into a bmp (easy) and then a wav?. Still, I
>don't see the point.
>
>Better to just hide the PGP file in the wav.
Yes yes, I have had it pointed out that steganographic encoding removes
any worry about identification of encrypted files.
I was thinking basic thoughts in an overly simple way. Only advantage of
the headerless idea (which has been done I've found, will post a link)
is that the program to add the header would be tiny, so difficult to find.

Dave J.

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Unbreakable Superencipherment Rounds
Date: Fri, 5 May 2000 19:22:58 -0700


UBCHI2 <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> There is a way to encrypt communications that makes them impregnable to
> cryptanalysts theoretically.  Can the following sequence be implemented?
>
> 1)  1 round RC6
> 2)  1 round TwoFish
> 3)  1 round Serpent
> 4)  1 round Mars
1 round of Mars isn't well defined -- Mars has different types of rounds as
you go through the cipher...
> 5)  1 round Rijndael
Also, remember that the above round functions are designed to work well with
other identical round functions.  TwoFish (being a Feistel network) and RC6
(IIRC) leave half the bits unchanged (unchanged here means they're in
different bit positions, but the values are preserved).  A Mars core round
leaves 32 bits unchanged.  If these unchanged bits line up wrong, some
original plaintext could survive unmodified a great ways into the cipher.

Also, how do you do key scheduling?  This is not a silly question; weak key
scheduling has been the bane of many ciphers...

>
> Then top off the rounds with a final pass with 3DES.  Then I do it again by
> randomizing the number of rounds of each and the order of the
> superencipherments using SIGABA irregular movement of the algorithms.
>
> Anyone want to try to get through that?  Obviously the speed would be slow, but
> for top secret materials, is the security too much?
Say, if you want security that bad, why don't you do 1000 rounds of (select
one of the AES candidates in a key dependent fashion, then encrypt using an
independent key).  Obviously the speed would be slow, and it would take
(3+256)*1000 bits of key, but for top secret materials, is the security too
much?

Or, better yet, do 1001 rounds...  Wait, no, 1002 rounds...

--
poncho
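Scott's "unchanged bits" observation, as an added example (mine, not from the thread or from any of the ciphers' reference code): it models only the shape of a Twofish, RC6 and MARS-core round, with a constructed stand-in for the round function and no key schedule, and counts empirically how many plaintext bits reach the output merely relocated rather than modified. The round models and the counting method are my own simplifications.

```python
import os
from typing import Callable, Dict, List, Tuple

MASK32 = 0xFFFFFFFF
Block = Tuple[int, int, int, int]   # one 128-bit block as four 32-bit words A, B, C, D
Round = Callable[[Block], Block]


def rotl(x: int, r: int) -> int:
    r %= 32
    return ((x << r) | (x >> (32 - r))) & MASK32


def f_mix(x: int) -> int:
    # Stand-in non-linear function (constructed here; not any cipher's real F):
    # RC6's x*(2x+1) squaring step, then a rotation and an odd multiplier.
    t = (x * (2 * x + 1)) & MASK32
    return (rotl(t, 5) * 0x9E3779B1) & MASK32


def twofish_style_round(b: Block) -> Block:
    """Feistel shape as in Twofish: F(A, B) is folded into C and D, then the
    halves swap.  A and B pass through untouched and become the new C and D."""
    A, B, C, D = b
    return (C ^ f_mix(A), rotl(D ^ f_mix(B), 1), A, B)


def rc6_style_round(b: Block) -> Block:
    """RC6 shape: B and D drive data-dependent rotations of A and C, then the
    four words rotate left.  B and D pass through untouched."""
    A, B, C, D = b
    t, u = f_mix(B), f_mix(D)
    return (B, rotl(C ^ u, t & 31), D, rotl(A ^ t, u & 31))


def mars_core_style_round(b: Block) -> Block:
    """MARS core shape: the source word A feeds the other three words and is
    itself only rotated before moving to the last position (32 bits survive)."""
    A, B, C, D = b
    return (B ^ f_mix(A),
            (C + f_mix(rotl(A, 13))) & MASK32,
            D ^ f_mix(rotl(A, 26)),
            rotl(A, 13))


def to_int(b: Block) -> int:
    return (b[0] << 96) | (b[1] << 64) | (b[2] << 32) | b[3]


def to_block(x: int) -> Block:
    return ((x >> 96) & MASK32, (x >> 64) & MASK32, (x >> 32) & MASK32, x & MASK32)


def apply_rounds(rounds: List[Round], b: Block) -> Block:
    for r in rounds:
        b = r(b)
    return b


def verbatim_plaintext_bits(rounds: List[Round], samples: int = 64) -> int:
    """Count output bit positions that, on every random sample, equal one fixed
    input bit position: plaintext bits that merely moved through the stack.
    Each bit position is summarised as the column of its values over all
    samples; a copied bit has exactly the same column as its source bit."""
    in_cols = [0] * 128
    out_cols = [0] * 128
    for s in range(samples):
        x = int.from_bytes(os.urandom(16), "big")
        y = to_int(apply_rounds(rounds, to_block(x)))
        for i in range(128):
            in_cols[i] |= ((x >> i) & 1) << s
            out_cols[i] |= ((y >> i) & 1) << s
    sources = set(in_cols)
    return sum(1 for col in out_cols if col in sources)


def survey() -> Dict[str, int]:
    """Single rounds of each shape, then the proposal's RC6-then-Twofish pair
    against two rounds of the same Feistel shape."""
    return {
        "twofish_style x1": verbatim_plaintext_bits([twofish_style_round]),
        "rc6_style x1": verbatim_plaintext_bits([rc6_style_round]),
        "mars_core_style x1": verbatim_plaintext_bits([mars_core_style_round]),
        "rc6_style then twofish_style": verbatim_plaintext_bits(
            [rc6_style_round, twofish_style_round]),
        "twofish_style x2": verbatim_plaintext_bits([twofish_style_round] * 2),
    }


if __name__ == "__main__":
    for name, count in survey().items():
        print(f"{name:30s} {count:3d} of 128 plaintext bits survive verbatim")
```

Two rounds of one Feistel shape leave no plaintext bit verbatim, while one RC6-shaped round followed by one Twofish-shaped round leaves a whole 32-bit word of plaintext untouched, because the word RC6 leaves alone lands exactly where Twofish leaves its inputs alone.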





------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Unbreakable Superencipherment Rounds
Date: Sat, 06 May 2000 02:39:42 GMT



UBCHI2 wrote:
> 
> There is a way to encrypt communications that makes them impregnable to
> cryptanalysts theoretically.  Can the following sequence be implemented?
> 
> 1)  1 round RC6
> 2)  1 round TwoFish
> 3)  1 round Serpent
> 4)  1 round Mars
> 5)  1 round Rijndael
> 
> Then top off the rounds with a final pass with 3DES.  Then I do it again by
> randomizing the number of rounds of each and the order of the
> superencipherments using SIGABA irregular movement of the algorithms.
> 
> Anyone want to try to get through that?  Obviously the speed would be slow, but
> for top secret materials, is the security too much?

AFAIK one round of any of those ciphers is a) not complete and b) not
strong.

You would want something like

1) Full RC6
2) FULL Twofish
etc...

Also 3DES and AES have diff block sizes...

Tom
--
Want your academic website listed on a free websearch engine?  Then
please check out http://tomstdenis.n3.net/search.html, it's entirely
free and there are no advertisements.

------------------------------

From: Roger <[EMAIL PROTECTED]>
Subject: Re: quantum crypto breakthru?
Date: Fri, 05 May 2000 19:44:19 -0700

Diet NSA wrote:
> In article <[EMAIL PROTECTED]>, Roger Schlafly
> <[EMAIL PROTECTED]> wrote:
> 
> >(2) QC offers no authentication.
> 
> There are various potential quantum authentication protocols.
> 
> >(3) QC offers little protection against active attacks.
> 
> At least one scheme has been theoretically proven secure against
> a MITM attack. Depending on what kind of active attacks you are
> thinking about, they may be detected.
> 
> >(4) A QC communication could leak a few bits with every
> >transmission.
> >(5) Imperfect equipment could leak some more info.
> 
> The concept of unicity distance can be generalized to apply to
> quantum situations. It is possible to calculate how much a
> potential eavesdropper would have to know about the qubits being
> used.

And these new schemes combine QC with conventional crypto,
I assume?

The proofs I've seen seem to all assume perfect equipment,
and are invalid if the equipment has the slightest flaws.

> >I'd like to hear from anyone who think QC will ever be
> >advantageous for anything. What good is it?
> >
> >
> It is rumored (e.g., in Singh's book) that the NSA is developing
> quantum encrypted fiber optic networks for the Pentagon.

Could be misinformation. Or maybe they have excess funds in
their budget.
 
> "If we do not prevent highly classified secrets from being stolen,
>      then how are we going to sell them to the Chinese?"
>                 - Madeleine Albright (addressing recent thefts)

Can you give a cite for that amazing quote?

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: AEES Advanced
Date: Fri, 5 May 2000 19:47:45 -0700


<[EMAIL PROTECTED]> wrote in message news:8eumbn$uvd$[EMAIL PROTECTED]...
> Hi Scott,
>
> #If a block cipher does not act like a random permutation, then the
> # attacker can deduce deep things about the internals by examining
> # exactly how it deviates.  Examining the last round is only one
> # example, and I suspect it may have more advantage against your
> #cipher than  you expect.
>
> I am sorry, but this statement has nothing to do with my algorithm.
Then give me the algorithm, and let me see for myself...

> Most of you here are so nervous and arrogant. A reason may be that
> AES has something to do with money and revenue of attendees in the nearest
> future and has not much to do with cryptography and science.
No.  On a regular basis, we get newbies that claim "unbreakable"
cryptography.  They are, almost without exception, laughably weak or
hideously slow (or both!).  You'll get a similar attitude if you posted on
sci.physics that you just invented a perpetual motion machine.

>
> #Are you seriously claiming that AEES has significantly better
> # security than Twofish (or Serpent or Rijndael)?
>
> Yes! I do.
I humbly submit that you don't know enough to have an opinion.  If you
disagree with my assessment, answer this question: how many cryptographic
algorithms have you successfully cryptanalyzed?

> Please take a look at comparison table below:
>
>          | Block | Key  | S boxes
> ---------+-------+------+-----------------
> Serpent  | 128   | 256  | 8 fixed
> Twofish  | 128   | 256  | 4 key-dependent
> AEES     | 256   | 2048 | 16 key-dependent
> Rijndael | 128   | 256  | 1 fixed
Ah, yes, the "I have a bigger key, therefore I'm more secure" claim.
Consider this: DES has a 56-bit key.  A newspaper cryptograph has
(effectively) an 86.9-bit key.  However, my mother can solve a newspaper
cryptograph, while she is entirely unable to break a ciphertext-only DES
problem.

>
>          | Rounds | Permutations  | S box math
> ---------+--------+---------------+----------------
> Serpent  | 32     | fixed         | transfr. tables
> Twofish  | 16     | fixed         | transfr. tables
> AEES     | 16     | key-dependent | finite groups
> Rijndael | 14     | no            | finite fields
Correction: Rijndael most certainly does have permutations.  Maybe they just
don't call them that...

In any case, I wouldn't put a whole lot of faith into your 'S Boxes'.
According to Mr. Felling, you are doing modular addition, which has
*serious* weaknesses against linear and differential cryptanalysis -- there
are characteristics with probability 1 (!).


> Performance of AEES is not good in this comparison. But this is only
> a question of time, hardware and development.
>
> A propos Eli's and Adi's Differential Cryptanalysis of DES-like
> Cryptosystems
> can hardly be applied to the architecture of my algorithm.
>
> Please, take a look at updated AEES algorithm description
> at www.alex-encryption.de.
You *still* haven't put a text-only version there (or if you did, I didn't
see it).

I have an idea on an attack that is based on what I have gathered about the
algorithm.  I hesitate to post it without seeing the actual algorithm.  If
you would be so kind as to publish it (or just email it to me), I'll see if
it is valid.

--
poncho





------------------------------

From: [EMAIL PROTECTED] (Mr. Klay I. Eno)
Subject: Re: Unbreakable Superencipherment Rounds
Date: Sat, 06 May 2000 03:04:16 GMT

[EMAIL PROTECTED] (UBCHI2) wrote:

>There is a way to encrypt communications that makes them impregnable to
>cryptanalysts theoretically.  Can the following sequence be implemented?
>
>1)  1 round RC6
>2)  1 round TwoFish
>3)  1 round Serpent
>4)  1 round Mars
>5)  1 round Rijndael

I would definitely ROT13 it as well just to make sure. Also, the plaintext
message should say exactly the opposite of what you really mean.

-- 
"Mr. Klay I. Eno" is actually 0627 845391 <[EMAIL PROTECTED]>.
 01  2345 6  789 <- Use this key to decode my email address and name.
                  Play Five by Five Poker at http://www.5X5poker.com.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
