Cryptography-Digest Digest #110, Volume #9 Fri, 19 Feb 99 19:13:04 EST
Contents:
Re: True Randomness (R. Knauer)
Re: Randomness of coin flips (R. Knauer)
Re: Snake Oil (from the Feb 99 Crypto-Gram) (Shai Halevi)
Re: Randomness based consciousness?. (Was: Re: *** Where Does The (R. Knauer)
Re: Randomness based consciousness?. (Was: Re: *** Where Does The Randomness Come From ?!? *** ) (R. Knauer)
Re: Randomness based consciousness?. (Was: Re: *** Where Does The (Aaron Boyden)
Re: ??? About CAST... (Mr. Tines)
Re: Create short encrypted string with PKE? (Medical Electronics Lab)
Re: SkipJack vs RC2 (John Savard)
Re: Bruce's Feb. "CRYPTO-GRAM" (John Savard)
Re: New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
Re: Benchmarks (Medical Electronics Lab)
Re: ??? About CAST... (Medical Electronics Lab)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness
Date: Fri, 19 Feb 1999 22:19:26 GMT
Reply-To: [EMAIL PROTECTED]
On 19 Feb 1999 16:38:01 -0500, [EMAIL PROTECTED] (Herman Rubin)
wrote:
>Even if one has a "perfect" result of a quantum process, it gets
>somewhat distorted through the measuring or recording equipment.
This is beginning to sound like a broken record. I said earlier that
you have to treat your TRNG like a piece of scientific equipment and
perform diagnostic tests on each subsystem.
You certify the radioactive detection subsystem by measuring the decay
of the isotope and fitting it to an exponential decay law, taking
careful note of the half life thus obtained.
>If there are no other problems, there is the problem that the
>quantum event can be happening when the recording device is being
>interrogated. This may or may not be a problem, but it is there.
>It prevents the recorded information from being equidistributed,
>and can even lose independence to too great an extent.
If the condition you are referring to is that much of a problem, then
it will show up when you perform the diagnostic tests on the offending
subsystem.
I think all theorists should be required to conduct experiments as
part of their thesis. After all, good experimentalists are required to
do theoretical work for theirs. I did not know of one good
experimentalist who was not also well versed in the theoretical
aspects of his work, but I knew several theorists who couldn't start
their car on a cold morning, and got deathly ill when they came into a
laboratory. You had to practically drag them in to the lab to show
them what was actually going on behind the scenes.
Bob Knauer
"Never Trust Anyone Who Doesn't Know How To Compute!"
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Randomness of coin flips
Date: Fri, 19 Feb 1999 22:31:09 GMT
Reply-To: [EMAIL PROTECTED]
On 19 Feb 1999 14:27:21 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>Once you've defined what your acceptable chance of failure is,
.... for just one given mode of failure.
>then
>the Law of Large Numbers tells me that there is an N past which
>a certain degree of skewed runs is even more improbable than that
>(given a uBp).
Yes, but it does not rule out their occurrence.
>In the case that started this; if Mr. So's (see, I got the
>gender right this time) coin flips aren't independent, but instead
>are correlated to some degree, then, given enough data, then it's
>"nearly certain" (in the sense defined above -- e.g. tell me what
>your threshold for certainty is and I'll match it) that there
>will be a divergence between the number of runs expected and
>the number observed.
It's the "nearly certain" that bothers me.
I understand the law of large numbers but I do not agree with the
interpretation that tries to extrapolate probability into certainty,
even "near certainty".
There is an item in Li & Vitanyi which I cannot put my hands on just
now that discusses the futility of ensemble approaches. Just because
you can fabricate an artificial ensemble with all its theoretical
expectations, etc. random processes do not behave in expected ways -
except probabilistically. If they did, there would be no winners at
Las Vegas, and no one would ever get struck by lightning.
The ensemble approach doesn't even work in Physics - there are no
examples of a Maxwell Boltzmann gas, for example. And just because
there was only one unicorn spotted in a herd of thousands of horses
does not mean that unicorns do not exist.
Probability is a theoretical concept, and Kolmogorov among others
questioned its applicability to the real world.
Bob Knauer
"Never Trust Anyone Who Doesn't Know How To Compute!"
------------------------------
From: Shai Halevi <[EMAIL PROTECTED]>
Subject: Re: Snake Oil (from the Feb 99 Crypto-Gram)
Date: Fri, 19 Feb 1999 17:18:32 -0500
Articles about snake-oil products are always important, and this
one is a rather good article, with one notable exception:
> Warning Sign #8: Security proofs.
>
> [...]
>
> More subtle are actual provably secure systems. They do
> exist. Last summer, IBM made a big press splash about
> their provably secure system, which they claimed would
> revolutionize the cryptography landscape.(See
> <http://www.counterpane.com/crypto-gram-9809.html#cramer-shoup>
> for a discussion.)
The point is valid. There are cases where a "provable system" does not
mean actual security. However, the Cramer-Shoup system is not one of
them. And calling it a snake-oil is misleading (to say the least). As
many people take Bruce's word very seriously, I would expect him to be
more careful.
I went to look at the URL above and found quite a number of quotes that
indicate a misunderstanding of the Cramer-Shoup result. Here are a few
of them:
> Simply, Cramer-Shoup is a public-key cryptosystem that prevents
> adaptive chosen ciphertext attacks.
> [...]
> The cryptographic community hasn't been bemoaning the problem,
> utterly lost in how to defend against the attacks, and desperately
> hoping for some company (like IBM) to come swooping down out of the
> sky with the answer.
I guess this is correct, but many people in the cryptographic community
were looking for quite a few years for a reasonably efficient
cryptosystem that can be proven to resist chosen ciphertext attacks. The
Cramer-Shoup algorithm is just that.
> RSA's vulnerability to adaptive chosen ciphertext attacks was pointed
> out soon after the algorithm was invented.
This is irrelevant here, but the notion of chosen ciphertext attacks
against public-key encryption has been around for less than 10 years
(Naor-Yung'90, Rackoff-Simon'91, Dolev-Dwork-Naor'91).
> [...] PKCS #1 was vulnerable to an adaptive chosen ciphertext
> attack, but version 2 of the protocol uses a message packing
> protocol called OAEP that makes the attack infeasible.
The difference is that in the Cramer-Shoup algorithm you can prove that
these attacks are infeasible. With OAEP we only have a heuristic
argument to that effect. The question then becomes, are you willing to
pay with efficiency for the added confidence that you may get from the
security proof.
> But the proofs are based on something called the Diffie-Hellman
> Decision Problem (not the Diffie-Hellman which is much
> weaker.
The Diffie-Hellman Decision Problem is exactly what you need for the
Diffie-Hellman key-exchange protocol and for ElGamal encryption.
> And IBM's provably secure algorithm from last year's Crypto,
> Ajtai-Dwork, has at least three different breaks. The breaks don't
> attack the proofs, but the assumptions surrounding the proofs.
Equating these two systems is way off. The Ajtai-Dwork system is a
"theoretical breakthrough" that so far does not have practical
implications. The Cramer-Shoup system is a practical system.
Granted, you will not be able to tell the difference by reading the IBM
press releases, but I do expect people in Bruce's caliber to recognize
this difference.
> If, in a few years, Cramer-Shoup still looks secure, [...]
Wow. This is even farther off. The whole point in proofs of security is
that you do not need to "wait for a few years and see if it is still
secure". You can actually prove it.
Back in the sci.crypt posting, Bruce concludes that
> It's great research, but mathematical proofs have little to do
> with actual product security.
My personal opinion on this, is that mathematical proofs can give you
added confidence in the security of the underlying algorithm. At the
very least, the security of a "provable" algorithm is understood better
than that of an algorithm which is not provable. Of course, getting from
there to a secure product is a long way.
Regards,
-- Shai Halevi
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: sci.skeptic,sci.philosophy.meta,sci.psychology.theory,alt.hypnosis,sci.logic
Subject: Re: Randomness based consciousness?. (Was: Re: *** Where Does The
Date: Fri, 19 Feb 1999 22:41:51 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 19 Feb 1999 13:00:13 -0500, "james d. hunter"
<[EMAIL PROTECTED]> wrote:
>that a Wintel computer system
>is worth the price of whatever they sell for.
They have finally gotten that price where it belongs, namely someone
is giving them away free.
The only better thing would be if Unka Bill would use his vast fortune
to pay everyone to take one. Then Windows would live forever.
Bob Knauer
"Never Trust Anyone Who Doesn't Know How To Compute!"
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: sci.skeptic,sci.philosophy.meta,sci.psychology.theory,alt.hypnosis,sci.logic
Subject: Re: Randomness based consciousness?. (Was: Re: *** Where Does The Randomness Come From ?!? *** )
Date: Fri, 19 Feb 1999 22:39:16 GMT
Reply-To: [EMAIL PROTECTED]
On 19 Feb 1999 17:58:03 GMT, [EMAIL PROTECTED] (David Vivash) wrote:
>although if you
>design a larger system around that smaller one you may be able to get rid of
>the unsolved theories inside the smaller system (although the larger system
>would have its own undecidable statements).
Of course, since then you will have incorporated the previously
undecidable problems as new axioms. Once you do that, you can solve
those problems formally.
>>The Turing halting problem will show you that.
>No.
Actually I find Turing's approach much more accessible. The standard
argument against solving the halting problem using a code fragment to
decide if a program will halt or not and then branching to the contrary
result in the code shows that very clearly.
>Godel's incompleteness theorem implies that all logical systems of any
>complexity are, by definition, incomplete; each of them contains,
>at any given time, more true statements than it can possibly prove according
>to its own defining set of rules.
>Hence there are true statements within the system that cannot be proven.
If a statement is present in the system, then it is proved by
construction. It is the fact that a given formal axiomatic system does
not have enough to construct the statements in the first place that
makes them undecidable.
Chaitin explains that in terms of his algorithmic complexity theory. A
formal system cannot produce strings that are more complex than its
own inherent complexity. The best it can do is produce strings of the
same order of complexity that it has.
Bob Knauer
"Never Trust Anyone Who Doesn't Know How To Compute!"
------------------------------
From: Aaron Boyden <[EMAIL PROTECTED]>
Crossposted-To: sci.skeptic,sci.philosophy.meta,sci.psychology.theory,alt.hypnosis,sci.logic
Subject: Re: Randomness based consciousness?. (Was: Re: *** Where Does The
Date: Fri, 19 Feb 1999 18:03:58 -0500
Reply-To: [EMAIL PROTECTED]
David Vivash wrote:
> Godel's incompleteness theorem implies that all logical systems of any
> complexity are, by definition, incomplete; each of them contains,
> at any given time, more true statements than it can possibly prove according
> to its own defining set of rules.
Goedel's incompleteness result does not apply to first-order predicate logic, a
quite powerful and complex system. Indeed, if I recall correctly, Goedel himself
produced one of the proofs of the completeness of first-order logic. I'm also a
little vague on why you say it's "by definition" that the Goedel incompleteness
theorem applies to those logical systems it does cover (specifically those
powerful enough to contain Dedekind's axioms of arithmetic as theorems). Finally,
though I suppose you might evade this point by a sufficiently cunning definition
of "complexity," any inconsistent logical system is complete.
--
Aaron Boyden
"I may have done this and that for sufferers; but always I seemed to
have done better when I learned to feel better joys."
-Thus spoke Zarathustra
------------------------------
From: Mr. Tines <[EMAIL PROTECTED]>
Subject: Re: ??? About CAST...
Date: 19 Feb 1999 20:57 +0000
On Thu, 18 Feb 1999 22:23:49 -0500, in
<oS4z2.4074$[EMAIL PROTECTED]>
"slydee" <[EMAIL PROTECTED]> wrote.....
> I want to know if CAST algorithm made by Carlisle Adams and Stafford
> Tavares
> if it's the official algo for Canadian Government and if it's patented
> already.
I don't know about the official status, but the version of
the algorithm as described in RFC 2144 is offered without
restriction therein.
-- PGPfingerprint: BC01 5527 B493 7C9B 3C54 D1B7 248C 08BC --
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Create short encrypted string with PKE?
Date: Fri, 19 Feb 1999 17:12:48 -0600
[EMAIL PROTECTED] wrote:
>
> Can I use public key encryption to encrypt a short string M (10-20
> chars) to a short(!) string C?
> The length of C should be about the length of M.
>
> Encrypt(M,a) = C (a is the private key)
> Decrypt(C,b) = M (b is the public key)
> length(M) = length(C)
>
> Can I use RSA or DSA (512 bit key length) to make the functions
> Encrypt(M,a) and Decrypt(C,b)?
Have you got a and b backwards, or else what's the point??!!??
If you encrypt it so that anyone who has the public key can
decrypt it, why not just send the data in the clear?
If they are switched, any PK system will do what you want.
Send me e-mail to [EMAIL PROTECTED] and I'll explain how.
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: SkipJack vs RC2
Date: Fri, 19 Feb 1999 22:58:09 GMT
[EMAIL PROTECTED] (Doug Stell) wrote, in part:
>Once the cat was out of the bag, Rivest did publish the RC2 algorithm
>as an Internet RFC.
Thank you. I had found that out through a brief web search after my
previous posting - as you may also have noted - and examining the
description of RC2 has led me to the conclusion that the original
poster is mistaken, and there are no significant similarities between
SKIPJACK and RC2.
John Savard
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: Fri, 19 Feb 1999 22:54:21 GMT
[EMAIL PROTECTED] (wtshaw) wrote, in part:
>Speaking of names, he could use an original title for his rag instead of
>one that has been used for many decades elsewhere. Perhaps he is trading
>on a well established reputation on purpose, maybe he just doesn't know
>better.
So that the rest of us will know better, "The Cryptogram" is the
newsletter of the American Cryptogram Association, a club of people
who solve and contribute cipher puzzles that go one or two steps
beyond those you'll find in crossword puzzle magazines; for example,
messages enciphered in Playfair or Vigenere.
I'd say the probability that Bruce is "trading on a well-established
reputation on purpose" is nil. What with the "kid sister" remark in
the opening pages of his famous book, I'd say that he regards pencil
and paper cryptography and modern computerized cryptography as
virtually two separate fields.
The ACA publication is a newsletter that has the cryptogram as its
subject; Bruce's newsletter is itself a writing, or -gram, about
cryptography - so he is also using the word in a different sense.
If anything, I fear that the American Cryptogram Association is the
last thing Bruce would want his writings to be associated with; this,
in a way, is unfortunate: simple and therefore breakable ciphers are
still worthy of study, in my opinion, to illustrate the basic
principles of the field and to help us understand the tools we have at
our disposal when designing symmetric ciphers.
John Savard
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: New high-security 56-bit DES: Less-DES
Date: Fri, 19 Feb 1999 23:19:58 GMT
[EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
> Bryan Olson <[EMAIL PROTECTED]> wrote:
> >
> > [EMAIL PROTECTED] wrote:
> > > see http://www.mcg.org.br/unicity.htm, with a Huffman coding example.
> >
> > Of course you know I've seen it. In your post of 16 Jan 1999 you asked
> > if I could refute a proof you use in that document. On Jan 19, I
> > responded:
> >
> > | Fair enough. The first major error is the incorrect assertion
> > | of how Shannon defined unicity distance. Shannon in fact defines
> > | it as "the number of intercepted letters" (page 692) such that the
> > | equivocation of the key becomes nearly zero. Ed's text assumes
> > | the analyst has one or two 8-byte blocks that decrypt into
> > | 8-byte English strings. He then claims a unicity distance less
> > | than the amount of intercepted text, which is wrong since the
> > | unicity distance is, by definition, the amount of intercepted text.
> >
> > I never saw a reply,
>
> ;-) Of course you saw my reply ...as it was done here ... and it was 100%
> negative to the same opinions of yours on several counts, so that is why I do
> not believe I have to reply yet once more now.....but, please see the
> archives.
No, really, I didn't see it. Did it have the same subject?
Do you know the date? I checked Dejanews, and it shows the
thread ending before you replied to that - of course Dejanews
isn't very reliable about finding things. In what archive
can I find it?
> You can even see that your text above is totally incoherent -- such as when
> you write your "definition":
>
> |"unicity distance is, by definition, the amount of intercepted text."
>
> which leads nowhere since you forgot to include "least" before "amount" and
> "that can be uniquely deciphered" after "text".
I don't think you followed. The definition is '"the number
of intercepted letters" (page 692) such that the equivocation
of the key becomes nearly zero'. In the quote you take, I'm
pointing out that your analysis claims a unicity distance
_less_ than the number of intercepted letters you used. That's
invalid, because unicity distance is defined by the number of
intercepted letters the attacker needs, not by the length of
some message prefix he recognizes.
> But given the style and
> content of your writings these mistakes do not make a difference at all when
> one tries to appraise what you wrote -- so, don't bother.
From the beginning I've given accurate citations, talked in
precise terms, and offered mathematical justification. You've
edited them out and complained about my style and content.
> > : Shannon [Sha49] defined "unicity distance" (hereafter, "n") as the
> > : least amount of plaintext which can be uniquely deciphered from the
> > : corresponding ciphertext -- given unbounded resources by the attacker.
> >
> > That's false,
>
> No, but I am glad you disagree with me ;-)
You say it's there, I say it's not. Now I challenge you to quote
it.
[...]
> > remaining key
> > entropy must be nearly zero for a solution to qualify as "uniquely
> > deciphered"
>
> ;-) change "nearly" for "" and you will at least have said an obvious truth --
> instead of an obvious falsity as it stands.
Shannon, on page 693 says,
It will be seen from figure 7 that the equivocation curves
approach zero rather sharply. Thus we may, with but little
ambiguity, speak of a point at which the solution becomes
unique. This number of letters will be called the unicity
distance.
In the graph, key equivocation seems to be approaching zero
asymptotically. Shannon does not require H(K) to be equal to
zero at the unicity point.
> > Both of us are referring to:
> > [Shannon, Claude E. "Communication Theory of Secrecy Systems". /Bell
> > Systems Technical Journal/, vol. 28, pp. 656-715, 1949.]
>
> I am, at least.
As you well know, I've cited directly from the paper many times,
while you seem only to claim Shannon said something, which never
actually appears.
> > The unicity distance
> > of English without any key is zero. Proof: see Shannon's proof in the
> > same paper that the equivocation of a cryptogram is never greater than
> > the equivocation of the key. Thus the point at which the equivocation
> > becomes zero is at zero letters.
> >
>
> If I were to believe your "proof", then a unicity of zero for English means
> that you need to receive zero English characters in order to uniquely decide
> what I have written... surely, you can save a lot of money $$$$ on phone
> bills and Internet access if you really apply that "discovery" to your own
> profit!
> Go 100% for it and pls just send telepathic messages also, from now on...
O.K. Think of a zero length text. It's "" right?
Too cute? A zero length message does indeed have a unique
solution given zero intercepted letters. If the key also has
zero equivocation, then we have reached the unicity point in
zero intercepted letters. Incidentally, this is not an entirely
vacuous case since all public key encryption systems have a
unicity distance of zero.
So now that we know a zero unicity distance does not imply
telepathy, see Shannon's theorem 7, which states in part,
If N letters have been intercepted, the equivocation of
the first N letters of the message is less than or equal
to that of the key.
Thus in a system with zero key entropy, the equivocation of
any number of intercepted letters must be 0.
> > We cannot distinguish the correct DES key based on recognizing the
> > first three letters of a trial decryption.
>
> Well, I must finally agree with you! And, please note that I never said
> otherwise -- but since I sense a note of disapproval from your phrase
> (sigh!!), please note that you are perhaps confusing "three-letter
> frequencies" in my paper with "three letters" in your comment, no?
Perhaps we're getting somewhere. If you never said that you
can find the DES key based on the three letters, then why did
you say Schneier and others were wrong to estimate DES/English
unicity distance at more than one block, and contrast it with
your figure of three letters? Schneier was talking about the
DES unicity distance as Shannon defined it, not any of your
unicity-N's. I'll agree that my argument has little to do with
your three-letter frequencies if you'll agree that your
three-letter frequencies have little to do with the unicity
distance.
>
> >For a randomly chosen
> > ciphertext block, we should be able to find about four billion DES
> > keys that decrypt our ciphertext block to a candidate plaintext
> > beginning with the ASCII characters "The".
>
> Four billion DES keys ... hmmmm... can you please tell me how you arrived at
> this number in that exact situation you describe? Can you provide your full
> assumptions and calculations, and error bars for the "about" you used?
One in 2^24 randomly chosen blocks begins with ASCII "The".
Therefore I expect one in 2^24 of the 2^56 DES keys will
induce a candidate plaintext beginning "The". That's 2^32
keys, which is a little over four billion.
> Or, is this going to be another "contrived example"?
Let's try another question along the same lines. If we use
the all zero ciphertext, and test keys in numerical order
from 0000..0001, about how many keys do you think we'd have
to try to find 10 that decipher the zero block to a block
beginning "The". We don't care what the other bytes of
the block contain. I'd say we'll have to try about 168
million.
> Finally, please tell me what your "example" above has to do with three-letter
> frequencies -- or, you assume to get three-letter frequency measurements from
> those three letters?
What the example shows is that the unicity distance of ASCII
English under DES is greater than three letters.
So here's a clear, straightforward question: If we know that
a plaintext is English coded in ASCII and encrypted with DES and
only DES, how many letters of ciphertext do we need in order to
have a unique solution for plaintext and key with negligible
chance of error?
Of course DES ciphertext usually comes in units of blocks, so
you might want to assume CFB mode.
> > If the plaintext language allowed us to distinguish the correct key
> > with just one block of DES ciphertext (as does known plaintext), this
> > does not speed up exhaustive attack significantly over, say, random
> > ASCII. The unicity distance of random ASCII under DES is about seven
> > blocks,
>
> :-) if you say so...but that is not correct, right? BTW, there are at least
> TWO basic things wrong in your last phrase above.
I'll clarify. I'm considering all 7-bit characters ASCII, not just
the printable ones. So "random ASCII" consists of bytes with the
high bit reset and the other 7 uniformly distributed. That yields
a unicity distance of 7 8-byte blocks.
So I'm claiming that if all I know about the plaintext is that
the top bit of each byte is reset, the number of trial decryptions
I need is less than 1% greater than if I have known plaintext.
Are you disagreeing? If so, why doesn't the attack work, or is
the math that you edited out in error? If the attack does work
in the time I calculated, where did your speed up factor for
exhaustive attack come from?
--Bryan
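The figures in Bryan's post (2^32 keys whose trial decryption starts with "The", about 168 million keys to try for ten such hits, a unicity distance of seven blocks for random 7-bit ASCII, and under 1% extra work compared with known plaintext) all follow from a few expectation formulas. The Python below is an added worked example written for this digest, not code from the post; it assumes a wrong key's output behaves like a random block and that trial decryption aborts at the first block that fails the plaintext test.

```python
from fractions import Fraction

DES_KEY_BITS = 56        # DES key size in bits
DES_BLOCK_BYTES = 8      # DES block size in bytes


def unicity_distance_chars(key_bits, redundancy_bits_per_char):
    """Shannon's U = H(K)/D: intercepted characters at which the key
    equivocation becomes (nearly) zero.  Exact rational arithmetic."""
    return Fraction(key_bits) / Fraction(redundancy_bits_per_char)


def prefix_recognizer_bits(prefix):
    """'Plaintext starts with these bytes' accepts a random block with
    probability 2^-(8*len(prefix))."""
    return 8 * len(prefix)


def expected_surviving_keys(key_bits, recognizer_bits):
    """Wrong keys expected to slip past a recognizer that accepts a random
    block with probability 2^-recognizer_bits (assumption: a wrong key's
    output is indistinguishable from a random block)."""
    return Fraction(2 ** key_bits, 2 ** recognizer_bits)


def expected_trials_for_hits(hits, recognizer_bits):
    """Keys to try, in any fixed order, before `hits` accepted candidate
    plaintexts are expected."""
    return hits * 2 ** recognizer_bits


def expected_decryptions_per_key(block_pass_prob, max_blocks):
    """Early-abort trial decryption: block i is decrypted only when blocks
    0..i-1 all passed, so the cost per key is a geometric series."""
    p = Fraction(block_pass_prob)
    return sum(p ** i for i in range(max_blocks))


def random_ascii_scenario():
    """'Random ASCII' as the post defines it: top bit of every byte clear,
    the other seven uniform, i.e. exactly 1 bit of redundancy per byte."""
    u_bytes = unicity_distance_chars(DES_KEY_BITS, 1)
    u_blocks = u_bytes / DES_BLOCK_BYTES
    # a random 8-byte block passes the top-bit test with probability 2^-8
    block_pass_prob = Fraction(1, 2 ** DES_BLOCK_BYTES)
    work_per_key = expected_decryptions_per_key(block_pass_prob, int(u_blocks))
    # known plaintext needs exactly one trial decryption per key
    overhead_vs_known_plaintext = work_per_key - 1
    return u_blocks, work_per_key, overhead_vs_known_plaintext


if __name__ == "__main__":
    r = prefix_recognizer_bits(b"The")
    print("keys giving a block that starts with 'The':",
          expected_surviving_keys(DES_KEY_BITS, r))
    print("keys to try for 10 such hits:", expected_trials_for_hits(10, r))
    blocks, work, overhead = random_ascii_scenario()
    print("random-ASCII unicity distance in blocks:", blocks)
    print("extra work over known plaintext: %.4f%%" % (100 * float(overhead)))
```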
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Benchmarks
Date: Fri, 19 Feb 1999 17:25:28 -0600
Michael Scott wrote:
> (1) Exactly which Elliptic Curve variant is being used here?
> (2) What exactly do you mean by "Key Generation" and "Shared Secret"?
> (3) You say that "Pentiums have a built-in math processor that is used to
> speed up modular exponentiations such as those in traditional DH. The Math
> coprocessor is not used to speed up ECDH operations in this benchmark".
> Please explain.
> (4) Would you maintain that these benchmarks accurately reflect the innate
> performance differential between DH and ECDH?
I'm not from Certicom, but I can explain a few things.
They are using GF(2^n) fields instead of prime fields. That means
they don't need the fp math unit, just the integer units to do bit
manipulation. I would say yes, they do accurately reflect the
innate performance differential between DH and ECDH, the field
sizes for ECDH are smaller so you need fewer cycles to do anything,
and because it's all bit manipulation instead of multiplication
it goes *lots* faster.
Welcome to the world of ECC :-)
Key Generation comes from each side creating a random number,
multiplying that with a random point, then sending that point to
the other side. Each side then multiplies their random number
with the point they got from the other side, and both sides now
have a "shared secret" - the end result of a DH exchange.
Hope that helps. To learn more check out
http://www.manning.com/Rosing
Patience, persistence, truth,
Dr. mike
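The exchange Dr. Mike describes (each side multiplies a public base point by its own random number, sends the result, then multiplies the point it received by that same number) as an added example for this digest, not code from the post or from Certicom: a toy curve over GF(2^4), where field multiplication is only shifts and XORs, as the post notes for GF(2^n). The reduction polynomial, the curve coefficients and the private scalars are assumptions chosen for illustration; a 4-bit field has no security at all.

```python
# Toy ECDH on y^2 + xy = x^3 + A x^2 + B over GF(2^4); illustration only.
M = 4                  # field GF(2^M)
IRRED = 0b10011        # reduction polynomial x^4 + x + 1 (assumption)
A, B = 1, 1            # curve coefficients (assumption)
INF = None             # point at infinity, the group identity

def gf_mul(a, b):
    """GF(2^M) multiply: shift-and-XOR only, no integer multiplier needed."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= IRRED
    return r

def gf_inv(a):
    """Inverse as a^(2^M - 2); the multiplicative group has order 2^M - 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def on_curve(P):
    if P is INF:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B

def ec_add(P, Q):
    """Group law for y^2 + xy = x^3 + Ax^2 + B in characteristic 2."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:   # Q = -P = (x, x+y), or P has order 2
            return INF
        lam = x1 ^ gf_mul(y1, gf_inv(x1))            # doubling
        x3 = gf_mul(lam, lam) ^ lam ^ A
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))        # general addition
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def ec_mul(k, P):
    """Right-to-left double-and-add scalar multiplication."""
    R, Q = INF, P
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

def curve_points():
    """All affine points by exhaustive search (feasible only in a toy field)."""
    return [(x, y) for x in range(1 << M) for y in range(1 << M)
            if on_curve((x, y))]

def point_order(P):
    n, R = 1, P
    while R is not INF:
        R = ec_add(R, P)
        n += 1
    return n

def generator():
    """Public base point: a point of maximal order."""
    return max(curve_points(), key=point_order)

def ecdh(G, a, b):
    """a*G and b*G are what cross the wire; each side then multiplies the
    point it received by its own secret scalar and both reach a*b*G."""
    a_pub, b_pub = ec_mul(a, G), ec_mul(b, G)
    return ec_mul(a, b_pub), ec_mul(b, a_pub)
```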
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: ??? About CAST...
Date: Fri, 19 Feb 1999 17:04:17 -0600
slydee wrote:
>
> Hi to you,
>
> I want to know if CAST algorithm made by Carlisle Adams and Stafford
> Tavares
> if it's the official algo for Canadian Government and if it's patented
> already.
>
> Thank's for your answer...
It is patented by Entrust, the company they work for. Entrust has
released CAST-128 to the public domain, and I think they have or
will soon do the same thing for CAST-256 (the AES entry). As for it
being "official" for the Canadian Government, I have no idea.
Patience, persistence, truth,
Dr. mike
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************