Cryptography-Digest Digest #528, Volume #9       Tue, 11 May 99 15:13:03 EDT

Contents:
  none (Anonymous)
  Re: Shamir factoring result (Emmanuel BRESSON)
  Re: Crypto export limits ruled unconstitutional (Jim Gillogly)
  RSA Chips (Oliver Hauck)
  Digital encryption ([EMAIL PROTECTED])
  Re: How was this key constructed? (Darren New)
  Re: Crypto export limits ruled unconstitutional ("Tony T. Warnock")
  Re: Crypto export limits ruled unconstitutional (Kent Briggs)
  Re: East German encryption code? (Volker Hetzer)
  Re: Crypto export limits ruled unconstitutional ("R H Braddam")
  Re: Crypto export limits ruled unconstitutional ("Tony T. Warnock")
  Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO (SCOTT19U.ZIP_GUY)
  Re: Crypto export limits ruled unconstitutional (Donald L. Nash)
  Re: Thought question: why do public ciphers use only simple ops like (Jim Gillogly)
  Re: public/private key authentication? (Medical Electronics Lab)
  Re: Roulettes (Darren New)
  Re: Bricklaying DES (Doug Stell)
  Re: AES ([EMAIL PROTECTED])
  Re: Lemming and Lemur: New Block and Stream Cipher (lcs Mixmaster Remailer)

----------------------------------------------------------------------------

Date: Tue, 11 May 1999 15:58:26 +0200 (CEST)
From: Anonymous <[EMAIL PROTECTED]>
Subject: none


------------------------------

Date: Tue, 11 May 1999 10:22:13 -0400
From: Emmanuel BRESSON <[EMAIL PROTECTED]>
Subject: Re: Shamir factoring result

Hi,
a thread "factoring breakthrough?" has dealt with this on this newsgroup.

Emmanuel

John Kasdan wrote:

> There was a recent thread on the New York Times story that Shamir was
> going to present a several order of magnitude speed-up of factoring at
> Eurocrypt, but (at least on my reader) it seems to have died out.
> Does anyone know what he presented?  And, even better, is there a web
> reference to it?  IMWTK.


------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 09:18:04 -0700

Kent Briggs wrote:
> Ruth Bader Ginsburg - Appointed by Clinton in 1993
> Stephen Breyer - Appointed by Clinton in 1994

As we're looking at possible reversals of Bernstein, may as well list
the rest of them:

Chief Justice Rehnquist: Nixon 1971, Reagan 1986 to Chief Justice
Stevens: Ford 1975
O'Connor: Reagan 1981
Scalia: Reagan 1981
Kennedy: Reagan 1988
Souter: Bush 1990
Thomas: Bush 1991

Judge Fletcher (9th Circuit) was appointed by Carter in
1979, Judge Nelson (dissenting) by Bush in 1990, and Judge
Bright (concurring) by Johnson.

So far in Ninth Circuit it's "Democrat appointees for free
speech, Republican appointee against."  Doesn't match the
White House position, so I'm not sure political affiliation
will map well onto this case.

-- 
        Jim Gillogly
        Sterday, 20 Thrimidge S.R. 1999, 16:09
        12.19.6.3.5, 8 Chicchan 13 Uo, Second Lord of Night

------------------------------

From: Oliver Hauck <[EMAIL PROTECTED]>
Subject: RSA Chips
Date: Tue, 11 May 1999 18:13:10 +0200

Hi all,

I would like to learn about the present state of the art in dedicated
single-chip VLSI implementations of RSA, specifically: throughput,
latency, and energy requirements.

Has RSA been implemented on a wireless (inductance powered) crypto
chipcard yet?

Any infos/pointers are appreciated.

ThanX, Oli

-- 
________________________________________________________________________

 Oliver Hauck
 [EMAIL PROTECTED]          phone: +49 6151 16-3983
 http://www.vlsi.informatik.tu-darmstadt.de/oli   fax:            -4810
 Darmstadt University of Technology            Departments of CS and EE
 Alexanderstrasse 10                Integrated Circuits and Systems Lab
 64283 Darmstadt                                                Germany
________________________________________________________________________

------------------------------

From: [EMAIL PROTECTED]
Subject: Digital encryption
Date: Tue, 11 May 1999 16:32:47 GMT

 Hello,

 I'm new to this news group, so feel free to point to web sites or FAQ lists
if they will answer my question.

 My company is in the process of designing a number of electronic products
which will in some form involve a digital bit stream.

 I wish to encrypt this bit stream, but have had little success so far
amongst the local electronic distributors in locating a chip manufacturer
that has a ready made encryption chip.

 Do they exist, or am I to go the PAL/GAL or custom design route?

 Please direct all responses to my e-mail address.

Thanks.





--
Douglas Konzuk             The Fortress Group of Companies Ltd.
Calgary, Alberta           www.thefortressgroup.com
Canada                     [EMAIL PROTECTED]


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: How was this key constructed?
Date: Tue, 11 May 1999 10:42:02 -0700

Medical Electronics Lab wrote:
> My browser does the same thing.  What I do is write the word "filler"
> and then copy it across 1 line.  If the send doesn't work, I copy that
> line and try to send 2 lines.  If that doesn't work, I cut and paste
> 4 lines.  Until it goes.  sometimes I end up with 16 lines of "filler" :-)

The right solution, of course, is to NOT QUOTE THE WHOLE MESSAGE YOU'RE
REPLYING TO! ;-)

If you don't have that much to say, don't just repeat everything the
previous poster said. At worst, axe it all. If your comments apply to
the entire previous post, you don't need to quote any of it, do you now?
:-)

-- 
Darren New / Senior Software Architect / MessageMedia, Inc.
     San Diego, CA, USA (PST).  Cryptokeys on demand.

------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 10:44:57 -0600
Reply-To: [EMAIL PROTECTED]



Kent Briggs wrote:

> cosmo wrote:
>
> > None of the current members of the supreme court were appointed by
> > President Bill Clinton.
>
> Ruth Bader Ginsburg - Appointed by Clinton in 1993
> Stephen Breyer - Appointed by Clinton in 1994
>
> --
> Kent Briggs, [EMAIL PROTECTED]
> Briggs Softworks, http://www.briggsoft.com

The two wealthiest members, of course.


------------------------------

From: Kent Briggs <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 15:38:41 GMT

cosmo wrote:

> None of the current members of the supreme court were appointed by
> President Bill Clinton.

Ruth Bader Ginsburg - Appointed by Clinton in 1993
Stephen Breyer - Appointed by Clinton in 1994


--
Kent Briggs, [EMAIL PROTECTED]
Briggs Softworks, http://www.briggsoft.com



------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: East German encryption code?
Date: Tue, 11 May 1999 15:40:16 +0200

Lars Hohmuth wrote:
> 
> According to a newspaper article in Germany's Welt (
> http://www.welt.de/990508/0508s301.htm  ), someone at the BStU, the
> office working through the archive of the former east German secret
> police managed to crack their encryption codes.
> Does anyone have an idea what they were using?
They didn't use any particular encryption code.
What those guys at BStU managed was to get a reader for those old tapes
and understand the file format.

Volker

------------------------------

From: "R H Braddam" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 11:33:28 -0500

Mok-Kong Shen wrote in message
<[EMAIL PROTECTED]>...
>
>The point I like to make is the following: (1) Given a valid
>program (source code) written in a standard programming language,
>anyone anywhere can use a compiler to obtain from it an executable file
>(object code) to run. So, if an authority permits export of source
>code but forbids export of object code, it is doing the same sheer
>nonsense as permitting export of crypto-programs (source code) in
>printed form (books) but not on magnetic media. (2) If publication
>in source code (valid program) is not allowed, then one can use
>(almost) plain English to express the stuff (though maybe sometimes
>in uneconomical ways) in such a form that a knowledgeable reader
>can readily transform it into a program. For example,
>w[i]:=w[j]+w[k] can be 'put the sum of j-th and k-th word into
>i-th word'. (3) What is important in a good crypto program is the
>underlying algorithm, i.e. the idea. Once the idea has been made
>public (in really ordinary plain English) and understood,
>implementation is never a big program. There are enough good
>programmers capable of doing that job well, both within and outside US.
>
>M. K. Shen

I agree completely that a ban on object code would not
make much sense either. As the situation stands right
now, though, it is very likely that it violates U.S.
export laws for me to even comment on the formula
above. After all, anything I post to this news group
could be interpreted as providing technical assistance
to non-U.S. nationals in and outside the U.S. Well,
maybe not in my case, but maybe so in the case of
established cryptographers.

That is why the Bernstein case is so important to me
and many others. Bernstein wanted to post his class
materials on the university network, which is
accessible world wide. He applied for a license to do
that and was refused. That is one of the reasons it
went to court. So far they are focused on the Internet,
but newsgroups are another method of electronic
distribution and could be next.

Rick [EMAIL PROTECTED]

Murphy's Law is the only sure thing in the universe.




------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 10:46:25 -0600
Reply-To: [EMAIL PROTECTED]



Jim Gillogly wrote:

> Kent Briggs wrote:
> > Ruth Bader Ginsburg - Appointed by Clinton in 1993
> > Stephen Breyer - Appointed by Clinton in 1994
>
> As we're looking at possible reversals of Bernstein, may as well list
> the rest of them:
>
> Chief Justice Rehnquist: Nixon 1971, Reagan 1986 to Chief Justice
> Stevens: Ford 1975
> O'Connor: Reagan 1981
> Scalia: Reagan 1981
> Kennedy: Reagan 1988
> Souter: Bush 1990
> Thomas: Bush 1991
>
> Judge Fletcher (9th Circuit) was appointed by Carter in
> 1979, Judge Nelson (dissenting) by Bush in 1990, and Judge
> Bright (concurring) by Johnson.
>
> So far in Ninth Circuit it's "Democrat appointees for free
> speech, Republican appointee against."  Doesn't match the
> White House position, so I'm not sure political affiliation
> will map well onto this case.
>
> --
>         Jim Gillogly
>         Sterday, 20 Thrimidge S.R. 1999, 16:09
>         12.19.6.3.5, 8 Chicchan 13 Uo, Second Lord of Night

Rarely does. Judges become markedly independent as they sit. Perhaps this
is good.


------------------------------

From: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Tue, 11 May 1999 17:43:53 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> SCOTT19U.ZIP_GUY wrote:
> > >
> > > > > >   It handles the case of 8 0's. The tree is such that there is
> > > > > > never a symbol made up of all zeros less than eight.
> > > > >
> > > > > (I suppose you wanted to say 'never a symbol containing 8 or more
> > > > > zeros as prefix.)
> > > >
> > > >   No I meant table is such that will be always one token (symbol) that
> > > > has eight or more zeros. But the table will never have a symbol with
> > > > less than 8 zeros.
> > >
> > > I compressed a file consisting of symbols of one kind (all a's) with
> > > your program. I looked at the result and found that the a's are
> > > almost all coded with 1. Could you check this?
> > >
> >
> >   Yes this is basically what it would do. However to check the routines
> > when you compress that file "A" ( the A's ) and got file "B" ( the one
> > full of binary zeros) If you uncompress file "B" to file "C" then
**error** full of binary ones is correct
> > for the compression scheme to be reasonable file "A" must equal file "C"
> >
> >   However my compression has another property most do not have.
> > Take your file "A" (or any file) run the decompress on it to get
> > file "X" then compress file "X" to file "Z". Now file "Z" must
> > equal file "A". Try this with pkzip or whatever. This property will
> > not hold.
>
> There is apparently a confusion of yours here. As I said 'a' is coded
> to bit 1 not bit 0 by your program. So file B is (almost) full of
> binary ones.
   I would not say it is a confusion. IT WAS AN ERROR. And that is why
you should run the program and not try to get the info from my sucky
English. I make typing mistakes all the time.


>
> The previous sentence of yours:
>
>    The table is such that will be always one token (symbol)
>    that has eight or more zeros. But the table will never have a
>    symbol with less than 8 zeros.
>
> is not understandable (if there is no writing error). Does
 Maybe we are thinking differently due to German/English logic
constructs.

> it mean that there is no input symbol coded to, say, 00111 and
no it means the symbol coded as "00000000" can exist or the
symbol "000000000000000000000000000" could in theory exist
but the symbol "0000000" can not exist in the tree.

> there is always one code like 0000000011 ? I can't imagine that
but "00111" can exist.

> can be the case. (Note 00111 has less than 8 zeros.) For in such a
yes it has less than 8 zeros but it is not a symbol made up of only
zeros.
> case the encoding can't be an optimal one.

 Now to add more confusion to you. There is no symbol, even mixed
symbols with ones and zeroes, that contains a stretch of more than
8 ones together.
example
Legal:
 "1"
 "111"
 "11111111"
 "0001111000111100011110001111" ( LEGAL in the sense of no 9 or more
connected ONES)
ILLEGAL:
 "111111111"
 "0011111111100"
Don't get too excited. There are many Huffman trees of the same length.
I chose trees of this form so that I could make the compression and
decompression act the way I wanted to, but you can and may do it
differently.

David A. Scott

--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: [EMAIL PROTECTED] (Donald L. Nash)
Crossposted-To: comp.dcom.vpn
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 10:18:44 -0500

In article <[EMAIL PROTECTED]>, cosmo <[EMAIL PROTECTED]> wrote:

>None of the current members of the supreme court were appointed by
>President Bill Clinton.

You need a history lesson, Cosmo.  Ever heard of Ruth Bader Ginsburg?  She
was appointed to the Supreme Court in 1993.  Clinton took office on Jan.
20, 1993.  You figure it out.

-- 
Donald L. Nash, <[EMAIL PROTECTED]>, PGP Key ID: 0x689DA021
The University of Texas System Office of Telecommunication Services

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Thought question: why do public ciphers use only simple ops like   
Date: Tue, 11 May 1999 10:04:51 -0700

John Savard wrote:
> How the authenticated channel can be made to provide the additional
> security that is the point of this scheme is indeed a problem that
> could lead to a successful "why bother" argument, but one could get
> around it by:
> 
> - only using the scheme for secret-key communications
> 
> - using *really* large primes, et cetera, if public-key methods are
> used

If you and Ritter are saying that the reason for going to this
system is that one cannot know when or whether a particular
crypto algorithm has been broken, then using larger primes in
your RSA scheme can't help.  You have no more knowledge about
whether your enemy has a super-efficient factoring algorithm than
you do about whether they can break 3DES in real time.  Both are
unknown and neither has a proof of intractability, and therefore
by (your and his) hypothesis they are equally suspect.

Of course I'm not saying you and Ritter shouldn't build systems
this way.  Everyone should be entitled to do their own crypto in
a way that satisfies their security needs and their threat model.
It's your baby and you can raise it any way you want -- but I'm
not going to feel obliged to kiss it.

-- 
        Jim Gillogly
        Sterday, 20 Thrimidge S.R. 1999, 16:57
        12.19.6.3.5, 8 Chicchan 13 Uo, Second Lord of Night

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: public/private key authentication?
Date: Tue, 11 May 1999 12:13:36 -0500

Dylan Thurston wrote:
> I suppose RSA would be the only way to go.  However, one would have to

ECC/DSA would work just fine too :-)

> be extraordinarily careful with the protocols.  For instance, a common
> security measure is to prepend a random number to every message before
> signing it.  This would not be allowed: what if the random number is
> not random?  I suppose a trapdoor function might work here
> 
> Is this in fact the problem?

Shouldn't be.  The random number isn't revealed unless you possess
the private key, and both sides don't have the same private key (in
principle).  

> It seems like it would be an interesting problem, but as John Savard
> said in snipped text, it seems orthogonal to the question of whether
> an actual encryption function is used.

If all that is needed is authentication and no secret key, then something
similar to the MQV algorithm might be useful.  Zero knowledge proofs
would also be useful, but they take a lot of data transfer.

Is there any data transfer "out of band"?  Authentication requires
knowing something ahead of time or it requires some alternate route
for data flow.  In any case, if both sides know something the other
side ought to know, they can make the other side prove it without
encrypting any data.  

Definitely an interesting problem :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Roulettes
Date: Tue, 11 May 1999 10:16:25 -0700

[EMAIL PROTECTED] wrote:
> Given the money, I could build a large stamp size computerized dice (for about
> 100 dollars)... Using a small AVR cpu and some leds...

Sounds like you could build it into a package about the size of a die.
Then maybe you could add microswitches inside and the user could roll it
around to initialize the timing of the RNG you're running. A small LED
display on top could print out the numbers, but you could also have
individual LED "bulbs" in the places where pips are on real dice.

Now, how many geeks would buy such a thing in Radio Shack? ;-)

-- 
Darren New / Senior Software Architect / MessageMedia, Inc.
     San Diego, CA, USA (PST).  Cryptokeys on demand.

------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: Bricklaying DES
Date: Tue, 11 May 1999 15:37:46 GMT

On Fri, 07 May 1999 08:48:12 -1000, Piso Mojado <[EMAIL PROTECTED]>
wrote:

>A DES block has a Left and Right half so in the second round
>the inputs are the ciphertexts from the first round, but shifted
>to the left by half a block. This has a block size of 192 bits
>and new keys for each DES brick. The advantage is in the diffusion
>of text bits through the whole block and in longer keys. This
>may be generalized for any block size and key size by parameters
>which are easily communicated.

Years ago, there was a 3DES proposal that did something like this.
However, it didn't move a 1/2-block to the end, but added a 1/2-block
of randomness to the front end. It shifted right, instead of left. The
cipher was one block longer when you were done. It went something
like this:

Left1a Right1a Left2a Right2a Left3a Right3a  first round
Rand1 Left1b Right1b Left2b Right2b Left3b Right3b  second round
Rand2 Rand1 Left1c Right1c Left2c Right2c Left3c Right3c  third round

The problem with all of these schemes is that they were not compatible
with the installed base of DES hardware. I believe one of the major
goals of 3DES, as we know it, is to preserve that investment. DJ would
be the person to comment on that aspect of 3DES.

The other issue with the bricklaying approach is: "How would you
implement the various modes, e.g., CBC?" We know that outer-CBC with
the 3DES we know is more secure than inner-CBC. The bricklaying
approach would lend itself to inner-CBC, but how secure is it?


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: AES
Date: 11 May 1999 18:28:15 GMT
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] (Terry Ritter) writes:
>On Sat, 08 May 1999 15:58:43 GMT, in <[EMAIL PROTECTED]>,
>in sci.crypt [EMAIL PROTECTED] (Bruce Schneier) wrote:
>>This has proven to be a very tiresome conversation.  I apologise if
>>you dislike our language.
>
>You already apologized.  I assumed you were going to let it drop.  
>
>This is not an issue of mere words, about which to use when.  

Yes it is an issue of mere words.

>(Though
>one might *well* think that a question in sci.crypt, to a technical
>authority, ought to imply "proof" in the mathematical sense.)

It was a question posed by someone who had presented no evidence of
being a technical authority, it was phrased as though he was using
the empirical use of the word "prove" and not the mathematical sense.
It was merely answered by Mr Schneier and he adopted the same terms 
which he saw the original poster using, and I don't understand why you
have such a painful stick up your ass about this issue of language.

>The issue goes deeper than words: it goes to the perception of "proven
>security" as a result of cryptanalysis or use.  

"proven to be secure"

There is a subtle difference in meaning which apparently escapes you.

As someone who is more of a physicist than a mathematician I have no problem
with this language.  I can say that general relativity has "proven to be
correct" while understanding that tomorrow it could very well be proven to
be incorrect -- in fact I entirely expect that this will happen some day.

>Presumably it is the
>years of cryptanalysis of DES which leads to this, and it is not just
>a delusion of the general public but a perception which is repeatedly
>affirmed by technical authorities (as happened here).  The term
>"validation" has also been used.  

But not here.  So why bring it up other than to confuse the issue?

>But as far as I can tell, a logic of
>cryptanalytic validation goes something like this:
>
>1. Assuming academic cryptanalysis is the best possible,
>2. if cryptanalysis has found no break, then
>3. no break is possible.

Interesting.  Care to show me where Mr. Schneier has suggested that this
logic is valid?  Or are you simply using rhetorical games to try to put
words in his mouth?  (yes that's a rhetorical question)

I've never, ever seen Bruce say anything even remotely suggesting that
he would accept (3.) in that list as a conclusion.  The fact that you're
suggesting that he'd hold such opinions says a whole lot more about you and
why you're attacking him than it does about what he's written.

>No cryptanalyst will ever put this so baldly.  But we see in practice
>the sequence: new cipher designs, subjected to academic cryptanalysis,
>then generally approved for use, which seems to be an expression of
>the above logic.  

It seems to be about the best we can do.  Barring a formal proof of
security in the mathematical sense (the holy grail of cryptography) there
seems to be no better option than to go with the cipher that has proven
to be secure through time.

[...]
>In practice our ciphers confront opponents whose knowledge and
>capabilities exceed the academic literature.  Just because academics
>cannot find a break does not mean the opponents cannot.  

This should be filed under D for "Duh."

>It is a
>*realistic* possibility that DES has been broken in secret from the
>time it was designed and that we still do not know that.

Yes.  However, DES has been around for a very long time, and has more
extensive public cryptanalysis than probably any other algorithm, and the
rewards (prestige, furtherance of career) for breaking DES would be
substantial.  This is in some sense just a glorified "crypto contest" which
we agree is not any indication of security -- however it has been going on
for 20 years with the highest rewards that the crypto community could offer
the person that broke it.  Against this kind of a challenge DES has proven
to be secure.

>And while we
>might wish and hope to call this "improbable," that would be pasting
>the illusion of scientific analysis on something which cannot (yet) be
>quantified.

Why on earth does "improbable" imply to you anything about scientific
analysis or quantification?  To me it implies exactly the opposite -- saying
that something is improbable almost certainly means (to me) that someone is
making a judgement call and weighing the perceived risks.

>It is just such a quantification that "proven secure"
>implies to me, and that is bad science.

Well, we clearly disagree.

>I think people get so involved in the technical aspects of
>cryptanalysis that they forget the logic of what this does or does not
>prove.  Non-cryptanalysts generally *do* take this as a *validation*
>process which produces ciphers of "proven security."  Cryptanalysts
>are not speaking up about whether "validation" and "proof" are useful
>terms for what they do, and that makes them part of the problem.  

What I think is part of the problem is professional cryptographers on 
sci.crypt who decide to attack other cryptographers over obviously 
fabricated issues, just so that they can attack them.  It is the kind of
behavior that I expect out of Mr. SCOTT19U.ZIP.  I read what Bruce wrote
and I gave him the very obvious benefit of the doubt about the language
that was being used.  You read Bruce and figured that now was a good time
to try to make yourself look smart by attacking Bruce on a stupid detail.
I'm getting quite tired of some of the people on this list who should
know better jumping all over Bruce the second he is perceived as making
the slightest mis-step.  If you're upset about the fact that Bruce is
more popular, then get off of Usenet and go write your own damn book.

-- 
Lamont Granquist ([EMAIL PROTECTED])
ICBM: 47 39'23"N 122 18'19"W

------------------------------

Date: 11 May 1999 18:40:06 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: Re: Lemming and Lemur: New Block and Stream Cipher

> VARIABLES:
>
>      block         = 128-bit integer
>      block[0]      = first byte of block
>      plaintext     = array of plaintextLength bytes to encrypt
>      key[0...255]  = array of 256 integers, 128 bits each
>      rotate(block) = 8-bit rotation so block[0] moves to block[1]
>
> TO LEMMING ENCRYPT A BLOCK:
>
>      for (i=0; i<32; i++)
>          block = rotate(block ^ key[block[0]]);

How do you decrypt?  I can see that you would first un-rotate, but then
you need to select an element from the key array to xor.  The element
is the one identified by block[0] after you do the xor.  But you don't
know that yet.

Hmmm, let's see.  The first byte of the key array is a permutation
of 0..255.  So if we could find an element i of key such that
key[i][0] (the first byte of key[i]) when xored with block[0] produces
i, we would have it.

But is this guaranteed to be unique?  What if block[0] is 0 before we
do the decryption XOR.  Then what if there is more than one value i
for which key[i][0] = i.  That shouldn't be impossible since key[i][0]
is a random permutation; it could have more than one fixed point.

Is there some trick here I'm missing?

A couple of other comments:

In Lemur,
     for (i=0; i<plaintextLength; i++)
     {
         output (block[8] ^ plaintext[i]);
         block = rotate(block ^ key[block[0]]);
     }
There is no block[8], you probably meant block[7]?

The key is 32K bits.  That is extremely large for this kind of cipher.
It will be hard to manage and hard to exchange.

It is doubtful that the cipher provides 32K bits of security.  The best
cryptographers in the world designed the AES candidates, and they are
hesitant to claim even 256 bits of security.
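The decryption question raised above, worked through as an added example (this is not code from the original post or from the Lemming author). It implements the quoted round, block = rotate(block ^ key[block[0]]), and the search-based inverse the reply sketches, then tests when that inverse is unique. The key material is constructed for the demonstration: byte 0 of each of the 256 key entries is chosen per experiment, the other 15 bytes are seeded pseudo-random filler. The GF(2^8) multiply used to build the second key is my own choice of a first-byte map that makes the round invertible; nothing in the original says Lemming keys are constrained that way.

```python
"""Lemming round function: when is the search-based inverse unique?"""
import random

BLOCK_BYTES = 16   # 128-bit block, bytes indexed 0..15
ROUNDS = 32


def rotate(block: bytes) -> bytes:
    """8-bit rotation so block[0] moves to block[1] (the last byte wraps to block[0])."""
    return block[-1:] + block[:-1]


def unrotate(block: bytes) -> bytes:
    return block[1:] + block[:1]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_key(first_bytes, seed: int = 1):
    """key[0..255], 128 bits each; key[i][0] = first_bytes[i].  Constructed demo key material."""
    rng = random.Random(seed)
    return [bytes([first_bytes[i]]) + bytes(rng.randrange(256) for _ in range(BLOCK_BYTES - 1))
            for i in range(256)]


def round_encrypt(block: bytes, key) -> bytes:
    return rotate(xor(block, key[block[0]]))


def round_preimages(cipher: bytes, key):
    """All plaintext blocks p with round_encrypt(p, key) == cipher.

    Before the rotation the block was c = p ^ key[p[0]], so the unknown index
    i = p[0] must satisfy i ^ key[i][0] == c[0]; each such i gives p = c ^ key[i]."""
    c = unrotate(cipher)
    return [xor(c, key[i]) for i in range(256) if i ^ key[i][0] == c[0]]


def uniquely_invertible(key) -> bool:
    """The round is a bijection iff i -> i ^ key[i][0] is itself a permutation of 0..255.
    key[i][0] being a permutation is not sufficient on its own."""
    return len({i ^ key[i][0] for i in range(256)}) == 256


def lemming_encrypt(block: bytes, key) -> bytes:
    for _ in range(ROUNDS):
        block = round_encrypt(block, key)
    return block


def lemming_decrypt(block: bytes, key) -> bytes:
    """Valid only when uniquely_invertible(key); otherwise the unpacking raises ValueError."""
    for _ in range(ROUNDS):
        (block,) = round_preimages(block, key)
    return block


def gf_mul3(x: int) -> int:
    """x * 3 in GF(2^8) with the AES polynomial 0x11b (demo choice, not from Lemming).
    x -> 3x is a permutation and x ^ 3x == 2x is also a permutation, so using it as
    key[i][0] makes every round uniquely invertible."""
    x2 = ((x << 1) ^ (0x11b if x & 0x80 else 0)) & 0xff
    return x2 ^ x


# Key A: key[i][0] = i is a valid permutation, yet i ^ key[i][0] == 0 for every i.
KEY_IDENTITY = make_key(list(range(256)))
# Key B: key[i][0] = 3*i in GF(2^8).
KEY_GF = make_key([gf_mul3(i) for i in range(256)])


def demo():
    """Returns (key A invertible?, preimages of one round under key A,
    key B invertible?, does encrypt/decrypt round-trip under key B?)."""
    p = bytes(range(16))                                  # constructed sample block
    c1 = round_encrypt(p, KEY_IDENTITY)
    ambiguous = len(round_preimages(c1, KEY_IDENTITY))    # every i is a candidate
    c = lemming_encrypt(p, KEY_GF)
    ok = lemming_decrypt(c, KEY_GF) == p
    return uniquely_invertible(KEY_IDENTITY), ambiguous, uniquely_invertible(KEY_GF), ok


if __name__ == "__main__":
    print(demo())   # (False, 256, True, True)
```

Key A satisfies the premise that the first bytes of the key array form a permutation, but collapses i ^ key[i][0] to a constant, so a single round already has 256 preimages and 32 rounds cannot be inverted by search at all. The condition a key must meet for the reply's decryption idea to work is the one checked by uniquely_invertible: the map i -> i ^ key[i][0] has to be a permutation, which a randomly chosen permutation for key[i][0] does not generally give.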


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
