Cryptography-Digest Digest #765, Volume #11 Sat, 13 May 00 12:13:00 EDT
Contents:
Re: On higher level Feistel schemes (David Blackman)
Re: An almost-attack on Pikachu (Tom St Denis)
Re: An almost-attack on Pikachu (Tom St Denis)
Re: On higher level Feistel schemes (Baruch Even)
Re: (May 11, 2000) Cipher Contest Update (Baruch Even)
Re: Algorithm using neural networks? (David Formosa (aka ? the Platypus))
Re: Prime Generation in C,C++ or Java ([EMAIL PROTECTED])
Theoretical question ([EMAIL PROTECTED])
Re: homophones (Ricardo)
Re: the future of "mindspace"? (Kirby Urner)
Re: neural network (Mok-Kong Shen)
Re: Theoretical question (Mok-Kong Shen)
Re: On higher level Feistel schemes (Mok-Kong Shen)
Re: Theoretical question (Nicol So)
----------------------------------------------------------------------------
From: David Blackman <[EMAIL PROTECTED]>
Subject: Re: On higher level Feistel schemes
Date: Sat, 13 May 2000 20:32:49 +1000
Mok-Kong Shen wrote:
> We note that a Feistel scheme is customarily applied
> inside a block cipher, e.g. DES. However, given any
> block cipher of size n bits, denoted by the function
> E in the following, one can easily build a cipher of
> block size 2n bits though defining a typical Feistel
> round as follows:
>
> L_(i+1) = R_i
>
> R_(i+1) = L_i xor E(K_i, R_i)
>
> where L_i and R_i each have n bits and the subkeys
> K_i are to be obtained through some appropriate
> key scheduling.
>
> An apparent disadvantage of this lies of course in
> speed. However, the scheme appears otherwise to be
> o.k. At least theoretically, one could recursively
> apply the Feistel scheme to obtain ciphers of
> increasingly larger block size.
>
> Thanks for your critiques and comments in advance.
>
> M. K. Shen
> --------------------------------
> http://home.t-online.de/home/mok-kong.shen
I think speed is the problem. A Feistal scheme needs at least
3 rounds to be secure, even if the F is "perfect". So to double
your block size you will take at least 3 times as long to encrypt
a block. That means you are slower per byte than the original
smaller cypher (but probably more secure if you don't do anything
silly).
The "DEAL" cypher that was a AES candidate used your approach.
There were 6 or 8 rounds. The small encryption algorithm used
was DES. DEAL was dropped because it was very slow. Some minor
security problems were found as well, so obviously this approach
still requires some care, like anything else in cryptography.
Several of the AES candidates show you can do 128 bit cyphers
by other methods that look extremely secure and actually run
faster per byte than good 64 bit cyphers.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: An almost-attack on Pikachu
Date: Sat, 13 May 2000 11:24:50 GMT
In article <8fipos$v36$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
> By the way, if the rotate were omitted but the same S-boxes used,
there
> would be a 3-round iterative differential characteristic of
probability
> 1/2^13, and thus a 10-round char. with prob. 1/2^39, so we'd expect to
> break this variant with O(2^40) chosen texts.
There are 12 rounds in the submitted pikachu cipher, not 10.
> Also, we can think about linear characteristics. However, with the
plain
> Pikachu, doing the analogous thing for linear cryptanalysis doesn't
work
> in a nice way any more, because the rotate "goes the wrong way".
Thus,
> the natural linear attack on Pikachu doesn't seem to work.
What does "goes the wrong way" mean?
> On the other hand, if we omit the rotate but keep the same S-boxes, we
> obtain a 3-round iterative linear characteristic of probability
> 1/2 + 1/512, and thus a 10-round char. with prob. 1/2 + 1/2^25, so
we'd
> expect to need O(2^50) known texts to break the variant cipher with
this
> attack, if all works out as expected.
How did you get a three-round with 1/512? The best linear prob has a
bias of 1/32 (plus or minus). I though you just do (1/32)^r to get
the 'r' round probability? Maybe I should re-read some stuff...
> Also, if we switch the direction of the rotation, there is a linear
> attack. We get a 3-round iterative approximation with probability
> 1/2 + 3/2^12 and thus a 10-round char. with prob. ~ 1/2 + 1/2^27.7,
> which suggests that there could be a linear attack on such a variant
with
> something like O(2^55) known texts.
How did you find that? (learning process).
> Still, I can't seem to make this work on the real Pikachu. Any ideas?
What about the keyschedule? I can bet there is an attack there to be
had using only four passes of the key material.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: An almost-attack on Pikachu
Date: Sat, 13 May 2000 11:19:58 GMT
In article <8fiope$v0c$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
> Here is an almost-attack on Pikachu, which turns out *not* to work on
the
> real cipher, but which could easily have worked, if not for some good
luck
> on the part of the cipher design (it seems).
Well I did think a little about it's design.
> Pikachu's F function xors its input with a key to get (a,b,c,d),
applies
> a linear mixing layer to receive (2a+b+c+d, 2a+2b+2c+d, a+b+2c+d,
2a+b+2c+2d),
> applies four different bijective 8-bit S-boxes, and xors again with
another
> 32 bits of key material, and rotates the result left by one bit.
>
> Note that we have nice differentials such as (128,0,0,0) ->
(0,0,128,0)
> and (0,0,128,0) -> (128,0,0,0) of probability one for the linear
layer.
> In this case, only one of the four S-boxes will be active, and
avalanche
> will be limited. In particular, if we have a differential 128 -> 64
of
> probability p for the appropriate S-box, after the one-bit rotation
we will
> get a F-function output difference of a similar form to the the above.
So that means a difference in the msb, will go from (a, 0, 0, 0) -> (0,
0, a, 0) with a probability of 1?
> In particular, we do have the following differential:
> (0,0,128,0) -> (128,0,0,0) with probability 1/128 for all of F,
> by using the corresponding characteristic for the linear mixing layer
> (prob. 1) concatenated with the characteristic 128 -> 64 for S-box 0
> (prob. 1/128).
>
> We might naively expect to also get in a similar way a differential
> (128,0,0,0) -> (0,0,128,0) for the whole F function. However, in this
> case it turns out that we are simply lucky -- the differential 128 ->
64
> for S-box 2 has probability exactly zero, by good luck, and so this
idea
> doesn't work.
Good luck? It took me a while to make those sboxes... (well with my
program....)
> However, if the second such differential did work for Pikachu's F
function,
> we'd get a 3-round iterative differential characteristic of prob. ~
1/2^14,
> like this: (I omit the swaps)
> ( 0, 0, 0, 0) ( 0, 0,128, 0)
> (128, 0, 0, 0) ( 0, 0,128, 0)
> (128, 0, 0, 0) ( 0, 0, 0, 0)
> (128, 0, 0, 0) ( 0, 0, 0, 0).
> The first round of the above has probability 1/128; the third round
has
> probability one; and the middle round *would* have prob. ~ 1/128,
too, if it
> weren't for our good luck. Thus, if not for our good luck, there
would be
> a 10-round differential characteristic with prob. ~ 1/2^42, and by
bypassing
> the first round and using a 1-R attack, the cipher would probably
fall with
> something like 2^43 chosen plaintexts. (Right?)
> However, none of that works, because of the good luck of the choice of
> S-boxes! Nonetheless, it is still discomforting to me that even one
such
> good 1-round differential exists, that the 3-round iterative
differential
> *almost* worked out, and that it is possible for the cryptanalyst to
control
> the linear mixing layer so effectively.
>
> I conclude that Pikachu has some unexpectedly good differentials and
some
> surprising structural properties. Maybe this should be worrying.
Yet, on
> the other hand, there does not seem to be any obvious way I can see
at the
> moment to exploit these structural properties in a full attack on
Pikachu,
> so an alternate interpretation is that perhaps we should be reassured!
>
Well any ideas on how to improve the mixing layer while keeping it so
simple?
BTW I made those sboxes with sboxgen, so another avenue of attack is
the program that made them (there may be a flaw in it somewhere, since
nobody has really givin me feedback).
Thanks for looking at my cipher. I appreciate the heads-up.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Baruch Even <[EMAIL PROTECTED]>
Subject: Re: On higher level Feistel schemes
Date: Sat, 13 May 2000 15:06:27 +0200
I believe the idea was used already, If my memory serves me right
this construction was used in DEAL by Lars Knudsen to produce
a cipher with its F function being DES.
It might be worthwhile to search for this and his analysis. Sorry
but I do not know more than that.
In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>[SNIP]
> We note that a Feistel scheme is customarily applied inside a block
> cipher, e.g. DES. However, given any block cipher of size n bits,
> denoted by the function E in the following, one can easily build a
> cipher of block size 2n bits though defining a typical Feistel round as
> follows:
>
> L_(i+1) = R_i
>
> R_(i+1) = L_i xor E(K_i, R_i)
>
> where L_i and R_i each have n bits and the subkeys K_i are to be
> obtained through some appropriate key scheduling.
------------------------------
From: Baruch Even <[EMAIL PROTECTED]>
Subject: Re: (May 11, 2000) Cipher Contest Update
Date: Sat, 13 May 2000 15:18:52 +0200
I think it would be preferable to rate the ciphers regarding their strength
actually by their best known attack, and not remove them unless the
break is too close to be plausible. Say for example that a cipher that
needs for breaking it 2^30 known plaintexts should be taken out.
But one requiring 2^80 should not.
If you'll take a look at the AES, none of the ciphers there have
perfect security. Though none of the finalists is broken to all rounds.
I still think it would be better if the ciphers would be rated and maybe
set in two classes, untouched, susceptible, broken. Also, keeping a log
of all ciphers and attacks on them would be a great thing.
In article <BgJS4.114$[EMAIL PROTECTED]>, "Adam Durana"
<[EMAIL PROTECTED]> wrote:
> I would like to define on the web site what it means to break a cipher,
> so the cipher is removed from the listing. Right now all the page
> states is that to get a cipher removed the attack has to be on the full
> version of the cipher, i.e. no reduced round variants. I would define a
> successful attack as an attack which is able to recover the plaintext,
> or key from the ciphertext, with less work than brute force. Now if the
> key space was say
> 1024 bits, and attack came up that would recover the key or plain text
> with
> 2^1000 work, should that still be considered an attack good enough to
> get
> the cipher removed? Obviously no one is going to be able to actually
> use that attack for a while, if ever. But I think when someone
> publishes a cipher for analysis, they are saying that the only attack
> they can come up with is brute force. Any attack better than that would
> be a break through. So if an attack arises that can recover the key or
> plaintext faster than brute force, I think that attack should get the
> cipher removed from the listing. Keep in mind this is a contest of
> cipher design.
>
> - Adam
>
>
>
------------------------------
From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: Algorithm using neural networks?
Date: 13 May 2000 13:11:30 GMT
Reply-To: dformosa@[202.7.69.25]
On Fri, 12 May 2000 15:12:14 +0200, Axel Lindholm
<[EMAIL PROTECTED]> wrote:
>I just came up with a small idea for a slightly unusual encryption
>algorithm, let the data be processed through a neural network!
A nural network is normaly implemented as a matrix multiplication with
a threashold funtion. This is then run until it stablizes on a
solution. The problem is that infomation is lost threw the cycels, so
while people will not be able to decrypt it, neather will you.
And because nural nets are structured in a way that there are
"attractors" in the state space meany imputs will eventionaly converge
on the same point in a mannor that is predictable so its useless as a
one way hash.
> A good thing
>about this system might be that noone knows the encryption algorithm, even
>the person who has the network weights should have quite a problem creating
>an algorithm out of a big network with 100-200 cells.
They can just invert the network matrix, while inverting a 100 by 100
matix is slow, it is within the bounds of doablity and you are going
to have to do it as well if your to get the infomation out of it.
--
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Interested in drawing platypie for money? Email me.
Crack my Hash win$200 http://dformosa.zeta.org.au/~dformosa/PlatyMAC.txt
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Prime Generation in C,C++ or Java
Date: Sat, 13 May 2000 14:15:13 GMT
Bryan Olson <[EMAIL PROTECTED]> wrote:
> First, and beside the original point, there's the
> constructor-abuse resulting in the prime generator being
> called "BigInteger". Should it be obvious that the way to
The problem is that isProbablePrime must be in BigInteger, since it's
reasonable to ask if an integer is prime. A BigPrime class would then
contain only the single constructor. Even worse, you would have to
either double the number of methods in BigInteger, or typecast
BigPrime every time you wanted to do arithmetic involving both primes
and composites.
You are correct that a static method that returned a prime BigInt
with a given certainty would have probably been better.
I personally feel that the biggest problem is naming the parameter
certainty, which leads to mistakes like my own of assuming it's the
percentage and not iterations. Naming it iterations at least, would
have sent me off to find the full api docs.
--
Matt Gauthier <[EMAIL PROTECTED]>
------------------------------
From: [EMAIL PROTECTED]
Subject: Theoretical question
Date: Sat, 13 May 2000 14:05:37 GMT
Hello,
I have a kind of math-theoretical question about probability
(crypto-related, of course).
Definitions
===========
M_0 is a (large) set, say {0, 1} ^ 80
f_i : M_0 -> M_0; i = 0, 2, ..., N-1
M_(i+1) = f_i[M_i)] = { f_i(a) : a <- M_i }; i = 1, 2, .., N-1
m_i = E(| M_i |)
That is, we map M_0 into a subset M_1 of M_0 using f_0,
then map M_1 into a subset M_2 of M_0 using f_1 and so on.
f_i are random functions.
I want to find m_N.
Step I
======
Pr(x <- M_(i+1)) = 1 - ((1 - 1/m_0)^m_i)
(not choosing x as the image of any y <- M_i)
Step II
=======
m_(i+1) = m_0 * E(Indicator_{x <- M_(i+1)}) = m_0 * Pr(x <- M_(i+1)) =
= m_0 - m_0 * (1 - 1/m_0)^m_i)
(linearity of expectancy)
Step III
========
Let r_i = m_i / m_0.
Divide the equation from II by m_0 to get the system
r_0 = m_0 / m_0 = 1
r_(i+1) = 1 - (1 - (1/m_0)) ^ (m_0 * r_i) ~= 1 - e^(- r_i)
(as m_0 is very large)
Step IV
=======
Let F(x) = 1 - e^(-x)
Run iterations of F(x), starting from x = 1 to get r_N = F^N(1)
Approximate results
===================
N | r_N
========+=========
10^3 | 2^(-9)
10^4 | 2^(-12)
10^5 | 2^(-15)
10^6 | 2^(-19)
10^7 | 2^(-22)
10^8 | 2^(-25)
10^9 | 2^(-29)
The question is:
1. Is my theoretical computation correct, and if so,
2. Does the C program attached I used to compute iterations lose
accuracy
quickly, and if not so,
3. Why does it take so much iterartions to get m_N feasible
(e.g., to get m_N = sqrt(m_0), more than 2^30 iterations are
required!
problem circumstances point out N should be ~ 2^10)
Thanks in advance,
RaeNye.
========8<====================== cut here ==============8<============
#include <stdio.h>
#include <math.h>
double f(double x)
{
return - expm1(-x);
/* GNU extension, accurate even for infinitisimal x */
/* link with -lm */
/* WAS: return 1 - exp(-x); */
}
int main(void)
{
int n, i = 0;
double x = 1.0;
printf("Enter number of iterations: ");
scanf("%d", &n);
while (i < n)
{
x = f(x);
++i;
/* pretty print */
if (n < 20 || i % (n / 20) == 0 || i == n)
{
int exponent;
double mantissa = frexp(x, &exponent);
printf ("x[%d] = %g = %g * 2^%d\n", i, x, mantissa, exponent);
}
}
printf("Done.\n");
return 0;
}
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Ricardo <[EMAIL PROTECTED]>
Subject: Re: homophones
Date: Sat, 13 May 2000 17:37:24 +0200
Emol eng Keier huet "G. R. Bricker" <[EMAIL PROTECTED]> an engem
Artikel vum Sat, 13 May 2000 06:58:30 GMT an der Newsgroup sci.crypt
geschriwen:
[snip]
> And, of course, if you suspect a specific word or words are in the cipher
>text (such as "enemy") that is also a wedge. Remember the Brits dropping
>mines in the Baltic and North Sea in order to elicit the Germans into using
>the grid coordinates and the word "mines"?
Of course and I understand the points you raised (which I have
snipped for brevity) but that is the reason why I stipulated the
possibility of superencryption by rencrypting the first ciphertext
according to a simple but random second key and then, after adding
arbitrary spaces to the second ciphertext as nulls, rencrypting this
to numerals using the primary key. Then there is no direct
relationship between ciphertext and plaintext and there are way too
many possible keys (ca. 3×10^180). Crucially, though, the ciphertext
remains perfectly and unambiguously decipherable for someone knowing
both keys. Such a superencryption can be done with no modern
computing technology: just pen and paper.
--
ricardo icq# 51047940 gsm# +352091511692
esch/alz lux ue obtenez pgp @ http://www.pgpi.com/
"Tu te sens comme je me sens, ou suis-je tout seul?"
d'Regierung as eng Gefor fir d'Fraiheet - votez libertarian!
------------------------------
From: Kirby Urner <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,alt.politics.org.nsa
Subject: Re: the future of "mindspace"?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 13 May 2000 08:51:18 -0700
>You dont see the future "architecture" as having a point
>where everything is connected to everything?I see that
>as a distinct possibility.
What's "architecture". We're already attaching to the
same "mother ship" -- and so all interconnected.
>Isnt that where we were heading anyway, with chips that
>identify our presence online?
Chips identify computers, computers get passed around.
Lots of people breezing in and out of internet cafes.
Maybe you're thinking of the recent virus problems.
Melissa had an embedded ID thanks to Word, which most
people didn't know about. Luv Bug also contained ID.
But the virus-making subculture is one of those wherein
people want acknowledgement and respect from peers, so
complete anonymity is rarely the goal.
With DNA ID, we've certainly improved the ability to
identify individuals at a crime scene, plus lots of
computer utilities follow IP trails back to source in
real time. It's very true that anonymity is sometimes
only in the mind of the poster -- others know who you
are and where you live.
>very real possibility that certain factions will make a hell of
>alot of noise while we are "really" moving towards a one world
>consciousness? It is the public perception that is scary,
>and the public that pays the bills, at that.
Is "one world consciousness" a bad thing or a good
thing or neither? More and more people are watching
the same movies (Jackie Chan etc). So in this sense,
we have a lot of memes in common -- more than ever
before.
In my view, humans need to coordinate with themselves
better. Movies a good example: huge "casts of thousands"
organized to perform in synch. Humans have so far excelled
in self-organization when it comes to war, the space
program, and now computers + internet.
I'm encouraged to the extent that we can choreograph
on a big scale in the civilian sector (problem of
"dual use" being the key problem these days), because
I think we have the potential to improve living
standards on a sustainable basis, as a result of
more know-how, better comprehension of principles
(a basic tenet of my school of thought). Of course
we also have the power to utterly wreck the whole
situation and make the planet quasi-unlivable.
>Why do we spend billions to keep secrets, when we know
>secrets are lost anyway?At some point instead of
>investing billions on secrets it may be better off
>spending the money making better information managers.
>What happens when we are "all on the same side"?How
>are we going to justify trillion dollar budgets?
Billions of humans doing constructive activity, including
planning ahead, automatically equates to trillions of
dollars -- that's just the bookkeeping description of
people filling their time with "doing" (so-called
"economic activity", i.e. just getting through the
day, taking care of the kids etc).
The cost of secrecy, in the sense of encryption
technology, has steadily decreased, to where Joe Blow
has access for free.
In my original post, I was more trying to distinguish
between secrecy and the fact of different subcultures,
trainings and backgrounds. What my peer group does
might be hard for others to understand and vice versa,
because of training. Particle physicists aren't
necessarily trying to "encrypt" their understanding
-- may in fact be doing their best to express insights
clearly -- and yet to those unable to read the math,
it makes almost no sense at all.
Bringing this home to intelligence gathering, even
if you were to assume NO encryption, and complete
access to all the communications, you'd STILL have
the huge problem of trying to comprehend mindsets,
schools of thought. To anticipate how a group will
respond to this or that requires a lot of psychology,
but before you get to that, you just need some nuts
and bolts understanding of the culture. This may not
be easy at all.
What I'm saying is that human beings are "enigmatic"
and/or "cryptic" to one another on many levels. We
may laugh at some of the same jokes in the movies,
and therefore think we think alike, but once you
start digging to deeper levels, you find that we're
programmed rather differently. So even if you remove
all encryption and anonymity from the picture (not
the real world situation), you STILL have the problem
of humans failing to understand one another.
This is why a lot of intelligence work involves study
of propaganda, what an alien culture uses to hype/psych
itself into a mindset -- you want the exaggerated
stuff, the caricatures, the cartoons. If you're
studying the USA mindset, you need to watch a lot of
television advertising. Some of the best intelligence
work actually goes on in the private sector, in market
research departments. That's where they really get a
handle on what makes people want/buy/demand.
A lot of the same techniques get applied to political
programming. You just have to remember that a huge
percentage of human activity is about "manipulation"
in the sense of "getting others to play your game".
Is that bad? I know it sounds bad, but when you get
right down to it, you can't have culture without
"buy in".
It's mostly a question of coercian versus people
sensing they're exercising free choice (even if being
bombarded by programming -- they're free to develop
critical faculties in response (though many choose
to forego this capability)). In the USA, there's
a lot of propaganda about freedom to choose -- and
I contribute to that propaganda effort, as I'm against
designs with high coercion quotients -- part of what
makes me a "liberal" in the sense of "anti-authoritarian".
Kirby
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: neural network
Date: Sat, 13 May 2000 18:02:55 +0200
"G. R. Bricker" wrote:
> [snip]
> would be encoded differently. Essentially, it would be similar to each
> message creating a new key for the next message. This would be an "evolving
> key". Very intriguing...
But aren't there already some potentially viable ways of obtaining a
new key from a message already received, e.g. hashing it and doing
other post-processing? Thanks.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Theoretical question
Date: Sat, 13 May 2000 18:03:01 +0200
[EMAIL PROTECTED] wrote:
> f_i are random functions.
Could you please tell what's your definitaon of 'random functions'?
Thanks.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On higher level Feistel schemes
Date: Sat, 13 May 2000 18:15:29 +0200
David Blackman wrote:
> I think speed is the problem. A Feistal scheme needs at least
> 3 rounds to be secure, even if the F is "perfect". So to double
> your block size you will take at least 3 times as long to encrypt
> a block. That means you are slower per byte than the original
> smaller cypher (but probably more secure if you don't do anything
> silly).
>
> The "DEAL" cypher that was a AES candidate used your approach.
> There were 6 or 8 rounds. The small encryption algorithm used
> was DES. DEAL was dropped because it was very slow. Some minor
> security problems were found as well, so obviously this approach
> still requires some care, like anything else in cryptography.
>
> Several of the AES candidates show you can do 128 bit cyphers
> by other methods that look extremely secure and actually run
> faster per byte than good 64 bit cyphers.
Thanks for the informations. There can be no question that an 128
bit cipher designed as such should be much faster than one obtained
from a comparable 64 bit cipher using the Feistel scheme. However,
in case (for some reasons) one doesn't yet have an appropriate 128
bit cipher ready, then using the Feistel scheme appears to be one of
the viable ways out in my humble view.
M. K. Shen
------------------------------
From: Nicol So <[EMAIL PROTECTED]>
Subject: Re: Theoretical question
Date: Sat, 13 May 2000 12:06:12 -0400
Reply-To: see.signature
Mok-Kong Shen wrote:
>
> [EMAIL PROTECTED] wrote:
>
> > f_i are random functions.
>
> Could you please tell what's your definitaon of 'random functions'?
A "random function" is usually taken to mean a function chosen uniformly
at random from the set of all functions with a given domain and
codomain. That's probably what the original poster meant.
--
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
