Cryptography-Digest Digest #36, Volume #10       Thu, 12 Aug 99 19:13:03 EDT

Contents:
  Re: Future Cryptology (SCOTT19U.ZIP_GUY)
  Re: Future Cryptology (Jim Dunnett)
  crypto survey ([EMAIL PROTECTED])
  Huffman Codes Described on Web Site (John Savard)
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . ("Michael VanLoon")
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . ("Michael VanLoon")
  Re: Future Cryptology (John Savard)
  Re: IDEA in AES (Mok-Kong Shen)
  Re: IDEA in AES ([EMAIL PROTECTED])
  Re: Future Cryptology ([EMAIL PROTECTED])
  Steganography  ("TERACytE")
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Philemon)
  Re: Positive News About JAWS Technologies (dave)
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . ("Thomas J. Boschloo")
  Re: Future Cryptology ("Douglas A. Gwyn")
  new cipher challenge on the net ("Douglas A. Gwyn")
  Re: RSA encryption exponent (Bob Silverman)
  Re: NIST AES FInalists are.... ("Thomas J. Boschloo")
  Re: NIST AES FInalists are.... ("Thomas J. Boschloo")
  Re: NIST AES FInalists are.... (SCOTT19U.ZIP_GUY)
  Re: NIST AES FInalists are.... ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Future Cryptology
Date: Thu, 12 Aug 1999 20:49:35 GMT

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>Anonymous wrote:
>> I base my uneasiness on the fact that the NSA, US Government etc.,
>> have been pretty silent on these matters of late :-) .
>
>So what's new?  They have always been silent on these matters.

 The NSA may be quiet for other reasons. They may be busy providing
false information so that the public will stay under the illusion that the 
bombing of the Chinese Embassy was an accident. They may also need
to make more excuses why we won't go to Taiwan's aid when China gets
the green light to invade. Also they may be busy covering up other of Clinton's
activities and they may be needed to come up with why we bombed the pharmacy
in Sudan for no reason. They could also be busy trying to decide if we should
get the Indians and Pakistanis to fight a war. There are many things to keep
them busy. Of course I could be all wrong.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMMERS

------------------------------

From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: Future Cryptology
Date: Thu, 12 Aug 1999 19:05:59 GMT
Reply-To: Jim Dunnett

On Thu, 12 Aug 1999 11:12:03 +0200 (CEST), Anonymous <[EMAIL PROTECTED]> wrote:

>Hello All,
>
>I surmise that frequently used encryption software such as PGP (Idea) , has
>probably been broken by the NSA,  ...

If so, why all the desperate attempts to get key escrow etc. up
and running?

>I base my uneasiness on the fact that the NSA, US Government etc., have been
>pretty silent on these matters of late :-) .

NSA = Never Say Anything.

>Yes - I am probably over paranoid :-)

You are. Even in the unlikely event they've broken it, keep using it - make
their life as difficult as you possibly can!

-- 
Regards, Jim.                  |Findhorn Community:
amadeus%netcomuk.co.uk         | Developing EcoVillage
dynastic%cwcom.net             | of about 350 people:
                               |
PGP Key: pgpkeys.mit.edu:11371 | http://www.gaia.org/findhorn/

------------------------------

From: [EMAIL PROTECTED]
Subject: crypto survey
Date: Thu, 12 Aug 1999 19:24:58 GMT

Simple question:  Who is your enemy?

Tom
--
PGP 6.0.2i Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2  Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: comp.compression
Subject: Huffman Codes Described on Web Site
Date: Thu, 12 Aug 1999 20:11:00 GMT

Thanks to the kindness of Jim Gillogly, who allowed me to make use of his table
of letter frequencies, on my web page at

http://www.ecn.ab.ca/~jsavard/mi0601.htm

is a complete walk-through of a practical example of the construction of a
Huffman code to represent all 26 letters of the alphabet.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Michael VanLoon" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Thu, 12 Aug 1999 13:14:00 -0700


David Goodenough <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Mon, 09 Aug 1999 17:38:20 -0400, Pete Becker <[EMAIL PROTECTED]>
> wrote:
>
> >Paul Lutus wrote:
> >>
> >> I *think* it gets us back to the same complaint, that MSIE is
> >> required. Not the original question, "Why is this true?"
> >>
> >> Oh, BTW. In *principle* VC++'s compiler can be made to work from
> >> the command line, thus eliminating all of that. You "simply:"
> >>
> >> 1. Extract the needed files from the distribution CD,
> >> 2. Create your own directory tree,
> >> 3. Write your own launching batch files.
> >>
> >> No MSIE, no need for a GUI at all, in fact.
> >>
> >
> >Unless you need to use the debugger...
>
> Use Windbg, as shipped with the latest and greatest platform SDK.
> Blows Dev Stew clean off the map for a debugger.  Two huge advantages
> come right to mind just as I type this in:
>
> 1. It has a command line window where you can type in useful commands
> to do useful things.
>
> 2. It can open more than one memory dump window.  I can only describe
> Dev Stew as *LAME* in the extreme for its insistence that it will only
> have one memory dump window open at a time.
>
> There are probably others .....
>
> As for the help files, I wonder if the help tool as provided with the
> DDK could be coaxed into showing them.  Hafta check this out.
>
> FWIW, Windbg has replaced Dev Stew as my debugger of choice

I'm sorry but the DevStudio debugger is superior to windbg in so many
ways.  Ever try to look at the members of a class in windbg?  Doesn't
mean DevStudio debugger is perfect -- far from it.  But it's the best
debugger I've seen.




------------------------------

From: "Michael VanLoon" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Thu, 12 Aug 1999 13:15:50 -0700

Jerry Coffin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
> [ IE being needed for visual studio help files ]
>
> > Why?  What is special about IE that any other HTML viewer does not
> > have?
>
> As has already been pointed out here repeatedly, the ability to read
> the help files.

And the fact that it is componentized.  There is no other HTML browser
that has all the functionality, and is nearly as easily usable through
components.  A sad but true state of development in the Windows world.




------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Future Cryptology
Date: Thu, 12 Aug 1999 21:02:15 GMT

Anonymous <[EMAIL PROTECTED]> wrote, in part:

>On this surmise I would like to know if there are any new developments
>taking place in the civilian cryptographic world to counter this possibility
>?.

If you don't think that the AES process is advancing the state of the
art far enough, visit

http://www.freenet.edmonton.ab.ca/~jsavard/co0412.htm

and scroll to the bottom of the page to see one way to use a "really
big key" in a useful and secure fashion.

Not that I think such schemes are either really needed or even such a
profound idea - increasing key size, S-box size, et cetera, is
fundamentally trivial - but I don't think that the problem is that we
need to wait for "industry standards" to change if we feel we're
willing to waste a little extra CPU time for an extra degree of
security that other people feel is not necessary.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: IDEA in AES
Date: Thu, 12 Aug 1999 22:34:08 +0200

Paul Rubin wrote:
> 
> First of all IDEA is a 64-bit block cipher and AES uses 128-bit
> blocks.  Second, IDEA is patented and the patentholders haven't
> indicated willingness to license it worldwide royalty-free under any
> circumstances.  Third of all there's no reason to think it's one of
> the most sound ciphers there.  It uses comparatively bizarre design
> principles compared to the currently surviving AES candidates, and it
> looks shaky under recent cryptanalytic results.  It has few distinct
> advantages over other ciphers in its (64 bit) class.  It was an
> academic design that probably wouldn't have gotten much attention at
> all if a certain inexperienced (at the time) cryptography implementer
> hadn't decided to use it in what became a popular free program.

I guess it is correct to say that any currently known block cipher 
with n rounds can be broken with a reduced number m >= 1 of rounds using 
state of the art (term left undefined) analysis techniques and computer 
technology. So the practical security depends on how far apart m and n 
are. If by some (more or less subjective) judgement one could 
settle on a factor of safety f and f*m <= n, then the cipher could be 
considered safe, I suppose. In fact, this is what the engineers do 
in their designs. Of course, with time m is likely to increase. This 
indicates that it is very desirable to have block ciphers with a (user 
selectable) variable number of rounds, if the ciphers are to have a 
good chance of remaining useful for substantially long periods of time.
In other words, variability should be provided and fixing the number 
of rounds through standardization isn't a nice idea. 

M. K. Shen
========================
http://home.t-online.de/home/mok-kong.shen  (new)

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: IDEA in AES
Date: Thu, 12 Aug 1999 20:34:50 GMT

In article <7oui6d$30h$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
>   Anssi Bragge <[EMAIL PROTECTED]> wrote:
> >     I was just about to ask the same... :)
>
> http://www.funet.fi/~bande/docs/crypt/analysis/idea.ps.gz
>
> Reduced to 3 or 3.5 rounds.  I think there is an attack against 4
> rounds already.
>
A few more security comments:

1. There was evidence given, not proof, that IDEA is immune to
differential cryptanalysis after 4 rounds.

2. Biham's related key cryptanalysis doesn't work.

3. Willi Meier came up with an attack, however it's less efficient than
brute force for 3 rounds or more.

4. There are weak keys, but they are easily prevented and are rarely
chosen.

All of this information I directly pulled out of AC2.  The only
successful attack on IDEA was using side-channel cryptanalysis, but the
authors of IDEA created a fix.  I'm not sure about mod 3 cryptanalysis,
though.

Simply put, from what I can tell, it will take a major breakthrough to
break IDEA.

As far as I can tell, you can implement IDEA faster than DES.  This
usually occurs in software.

> Some other reasons why not to use it
>
> 1.  Slow key setup
> 2.  Slow cipher
> 3.  Attacks are crawling in, although still infeasible, cast doubt on
> its security.
> 4.  It's patented.
>
> Tom
> --
> PGP 6.0.2i Key
> http://mypage.goplay.com/tomstdenis/key.pgp
> PGP 2.6.2  Key
> http://mypage.goplay.com/tomstdenis/key_rsa.pgp
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
>


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Future Cryptology
Date: Thu, 12 Aug 1999 20:46:16 GMT



> Really we have the ciphers we need to make strong systems, we just
> lack good implementations of secure systems.  Most people use ad hoc
> designs and call them secure.  That is where the trouble starts.  Even with
> IDEA or CAST (or any other good cipher) strong systems can fall
> with 'slight' bugs.
>
> My point is, it's not enough to say 'can the NSA crack IDEA?', but
> more like 'can people break system X remotely, discretely and
> efficiently?'.  If one person writes software to break a system, a
> million people could be using it in under a year ...
>
> Tom
> --
> PGP 6.0.2i Key
> http://mypage.goplay.com/tomstdenis/key.pgp
> PGP 2.6.2  Key
> http://mypage.goplay.com/tomstdenis/key_rsa.pgp
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.

That is a very good point.  There are a variety of examples that support
this.  The Clipper chip used Skipjack, which appears to be a very strong
cipher, however attacks were discovered that could be used to destroy
the validity of information that was transmitted using Clipper and to
frame other people.  Other common errors are leaving keys in temp or
swap files, not encrypting remote authentication, and using bad random
number generators.  Go to www.counterpane.com for more information.

Casey


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: "TERACytE" <[EMAIL PROTECTED]>
Subject: Steganography 
Date: Thu, 12 Aug 1999 21:23:57 GMT

Does anyone know where I can get source code (preferably c++) on information
hiding in various image formats?  Thanx.



------------------------------

From: Philemon <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Thu, 12 Aug 1999 18:25:49 +0600

Michael VanLoon wrote:
> I'm sorry but the DevStudio debugger is superior to windbg in so many
> ways.  Ever try to look at the members of a class in windbg?  Doesn't
> mean DevStudio debugger is perfect -- far from it.  But it's the best
> debugger I've seen.
Listen, not to start a noisy argument, but you're very wrong about this.
VC's debugger is more "user friendly" (in that particular MS sense,
where user friendliness means lack of functionality), that's true. It is
also less temperamental. But windbag is _significantly_ more
functional--just take the aforementioned command line. I _love_ tools
with command lines (as an unusual example: that, btw, is how dbase/foxpro
were, imo, always superior to Access.) The one thing I'm still missing
(that CV did have) is the capability to read scripts on startup--you
could put together kinda debug test procedures. VC's debugger is fine
for high-level debugging. About its being the best debugger you've
seen--take a look at WinICE.
-- 
len
if you must email, reply to:
len bel at world net dot att dot net (no spaces, ats2@, dots2.)

------------------------------

From: dave <[EMAIL PROTECTED]>
Subject: Re: Positive News About JAWS Technologies
Date: Thu, 12 Aug 1999 22:34:11 GMT

I had a good browse through the JAWS website, and in the news/faq
section found  "....original programmer has been working on the project
for about 17 years....".   Then in the next paragraph:   "......original
programmer is in his late 20's and is considered a prodigy."
Indeed.
regards all,  DaveM.


------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Thu, 12 Aug 1999 23:17:21 +0200

Dave Hazelwood wrote:
> 
> Arrgh...give me ANY alternative and I'll take it!

Isn't Borland <www.borland.com> still in business? I would for sure
/never/ buy a MS programming language.

(Yes it is: http://www.borland.com/bcppbuilder/)

Thomas
--
AMD K7 Athlon 650 Mhz! <http://www.bigbrotherinside.com/#help>

PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Future Cryptology
Date: Thu, 12 Aug 1999 21:17:10 GMT

[EMAIL PROTECTED] wrote:
> Well, this brings up an interesting point.  They may not be out to get YOU,
> but how do you know they don't deem certain people as a risk?  I mean if you
> think about it, if you have all that technology and man power, why not
> follow the potential trouble makers too?

Several reasons, including
        (1) It's against the law and their charter to spy on citizens
            within the US;
        (2) They don't have resources to waste on such low-return spying.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: new cipher challenge on the net
Date: Thu, 12 Aug 1999 21:29:07 GMT

http://www.cranfield.ac.uk/ccc/bpark/distributed.html

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA encryption exponent
Date: Thu, 12 Aug 1999 22:44:23 GMT

In article <7ouhs9$2sv$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
>   vincent <[EMAIL PROTECTED]> wrote:

> > I've read somewhere that to "speed-up" the RSA encryption, one could
> > choose (when generating an RSA key) an exponent such as 65537 since it
> > just has two '1' in its binary representation.

What matters is that it is small.  Its Hamming weight does matter to
some extent, but the dominating factor in determining encryption
time is the size of the exponent.

>
> Actually 65537 requires at least 17 multiplications, 7 and 3 are also
> good choices.  You want the decryption exponent to be large.
>
> >
> > The criterion to choose e in an RSA key is :
> > e has to be relatively prime to phi(n)=(p-1)*(q-1)

Almost.  Usually e is chosen *first*,  then p,q are generated in
such a way as to satisfy the criterion.

> >
> > 65537 is prime, so it should be relatively prime to any number but its
> > multiples.

> > Assuming p and q are primes, is there any chance that
> > phi(n) is a multiple of 65537 ?

If you just blindly and randomly generate p and q,  then the
probability is 2/65537  that e=65537 will divide phi(n).

However, since p and q are not blindly generated, but rather are
generated so as to satisfy GCD(e,   (p-1)(q-1)) = 1,   then the answer
to your question is that it is moot.  If e does divide phi(n),  then you
have not properly generated p and q.




--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
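The exponent-selection rules Silverman describes above, as an added example that is not part of the digest or of any poster's code: p and q are generated only after e = 65537 is fixed (so e can never divide phi(n)), a blindly generated pair where e does divide phi(n) is flagged as malformed, and a square-and-multiply counter shows why the cost of e = 65537 is set mostly by its bit length (17 multiplications) rather than its Hamming weight. The toy key size, the seeded RNG, the small primes 103/107 and the sample plaintext are constructed for the demonstration; real keys need a CSPRNG and much larger moduli.

```python
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=20, rng=random):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit forced on, candidates forced odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand

def gen_prime_coprime_to(e, bits, rng):
    """The 'e chosen first' rule: keep drawing primes until gcd(e, p-1) == 1."""
    while True:
        p = random_prime(bits, rng)
        if math.gcd(e, p - 1) == 1:
            return p

def key_is_well_formed(p, q, e):
    """True iff e is invertible mod phi(n); False means p, q were not properly generated."""
    return p != q and math.gcd(e, (p - 1) * (q - 1)) == 1

def generate_rsa_key(bits=512, e=65537, seed=None):
    """Fix e in advance, then pick p and q to fit it; returns n, e, d, p, q."""
    rng = random.Random(seed)  # seeded only for a reproducible demo; real keys need a CSPRNG
    half = bits // 2
    p = gen_prime_coprime_to(e, half, rng)
    q = gen_prime_coprime_to(e, half, rng)
    while q == p:
        q = gen_prime_coprime_to(e, half, rng)
    phi = (p - 1) * (q - 1)
    assert key_is_well_formed(p, q, e)  # holds by construction: e cannot divide phi(n)
    d = pow(e, -1, phi)  # modular inverse (Python >= 3.8); the decryption exponent is large
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q}

def modpow_count(base, exp, mod):
    """Left-to-right square-and-multiply.  Returns (base**exp % mod, modular
    multiplications used): one squaring per bit after the leading 1 plus one
    multiply per further 1 bit, so bit length dominates and Hamming weight is secondary."""
    result = base % mod
    mults = 0
    for bit in bin(exp)[3:]:  # bin() gives '0b1...'; skip the prefix and the leading 1
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults

def rejection_rate(e, bits, trials, seed=0):
    """Fraction of random `bits`-bit primes p with gcd(e, p-1) != 1, i.e. how often a
    blind generator hands out a p that e rules out; for prime e this is about 1/(e-1)."""
    rng = random.Random(seed)
    bad = sum(math.gcd(e, random_prime(bits, rng) - 1) != 1 for _ in range(trials))
    return bad / trials

if __name__ == "__main__":
    key = generate_rsa_key(bits=512, e=65537, seed=42)
    m = 0x5468697320697320612074657374  # constructed sample plaintext as an integer
    c, mults = modpow_count(m, key["e"], key["n"])
    print(f"encrypting with e=65537 took {mults} modular multiplications")
    print("decrypt ok:", pow(c, key["d"], key["n"]) == m)
    print("blind p=103, q=107 with e=17 well formed?", key_is_well_formed(103, 107, 17))
    print("blind rejection rate for e=17 on 20-bit primes:", rejection_rate(17, 20, 2000))
```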

------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: Thu, 12 Aug 1999 22:27:13 +0200

[EMAIL PROTECTED] wrote:
> 
> You don't have to be a member of the NSA to write good crypto
> algorithms.  Look at DES, CAST, RC5 and Blowfish.  I think a fair level
> of 'trust' has to be put into the AES designers.

What I am worried about, is that some of the AES designers *ARE* members
of the NSA. That would be smart.

If they are really that good (and I don't *know* if they are that good),
they could design a cipher that would win the contest (and still be
crackable by their superior knowledge). How do we know for sure that
the crypto gods that entered the contest are not secretly very akin to
the government reading all encrypted stuff? How do we know that
www.anonymizer.com is not run by the feds?
<http://members.tripod.com/spookbusters/informerizer.htm> Am I cracking
up again in my paranoid mania?!

One counter argument I have already heard: the crypto gods have a
lot to lose by it becoming known that they released unsafe algorithms.
(But then again, they're only human..)

Regards,
Thomas
--
AMD K7 Athlon 650 Mhz! <http://www.bigbrotherinside.com/#help>

PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl



------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: Thu, 12 Aug 1999 22:30:23 +0200

[EMAIL PROTECTED] wrote:
> 
> Here's a tip dave...  No one uses your method (there might be 3 people
> out there) because
> 
> a) no real study on it
> b) no real theory or thought into it
> c) it's slow
> d) it's ugly
> e) it's memory intense
> f) you claim it's the best in the world.

Well said!

Thomas
--
AMD K7 Athlon 650 Mhz! <http://www.bigbrotherinside.com/#help>

PGP key: http://x11.dejanews.com/getdoc.xp?AN=453727376
Email: boschloo_at_multiweb_dot_nl



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: NIST AES FInalists are....
Date: Thu, 12 Aug 1999 23:51:13 GMT

In article <7ovfu4$pjg$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>In article <[EMAIL PROTECTED]>,
>  Matt Curtin <[EMAIL PROTECTED]> wrote:
>> (...)
>> In light of the release of SKIPJACK specifications and the success of
>> an attack on a 31-round variant, it has been suggested that the
>> cryptographic expertise "out here" might have caught up to that "in
>> there".  If NSA knew about attacks using impossible differentials and
>> applied the technique to SKIPJACK reduced by one round, blessing it as
>> secure would be an incompetent blunder.
>> (...)
>
>I think there are several logical errors in this argument.
>
>First of all, "a successful cryptanalytic attack" can mean widely
>different things. NSA's business is to protect or expose secrets in the
>real world, not to publish academic papers describing theoretical
>attacks. No matter how theoretically interesting an attack, from NSA's
>point of view it is worthless if it is not capable of recovering the
>plaintext or the key. Skipjack is almost susceptible to impossible
>differentials, a theoretical attack discovered in the public sector,
>but within NSA's frame of mind this is of little real consequence.
>
>Secondly, the fact that Skipjack resists impossible differentials at
>the minimum number of rounds makes one think that they did previously
>know about this attack. After all, DES has just sufficient rounds for
>resisting differential attacks and we know for a fact that its
>designers knew about this attack many years before it became public. By
>the way it is probable that Skipjack is strong against attacks that NSA
>knows about but we in the public sector don't - in fact Skipjack
>appears to be quite strong against power attacks, a type of practical
>attack discovered only very recently.
>
>Thirdly, Skipjack was meant for public consumption. Certainly NSA's
>methodology for designing a cipher for the public is different from
>their state of the art for designing military grade ciphers. It is
>difficult to believe that NSA would present to the world a cipher that
>they themselves cannot break in praxis, i.e. recover the key or
>plaintext under real world conditions. At the same time this cipher
>should be strong enough to resist *practical* attacks developed in the
>public sector. So, a cipher like Skipjack represents a very special
>kind of design requirements.
>
>There is no doubt in my mind that NSA is much more advanced in
>cryptology than the public sector - people who know what they can do
>keep approving their gargantuan budget, which means that they are
>earning it. It is incredible to believe that the public sector with a
>small fraction of the resources of NSA could achieve a comparable level
>of knowledge. The big picture of course is that on the one hand there
>is a very advanced and costly agency developing technology of great
>importance for the information society of the future, and on the other
>hand the technology that will in fact be used will come from the much
>smaller and underfinanced academic sector. To my mind this is grossly
>inefficient. In fact I believe everybody's security and wellbeing would
>increase if NSA were allowed to make public their state of the art
>knowledge. Knowledge gives power, but a world where knowledge is shared
>by all is ultimately more secure.
>
>Meanwhile the academic community has not really broken any nontrivial
>symmetric cipher (including the 30 years old DES) in a nontrivial
>manner. The AES process has absorbed the conventional wisdom about a
>cipher's relative strength, which is: if we have to choose between two
>ciphers and we know about a theoretical flaw in one and we don't know
>about even a theoretical flaw in the other then we must consider the
>second one more secure. This is a reasonable strategy, even though it
>is a bad predictor of how the competing ciphers will fare against an
>unknown type of attack that may be discovered in the future. In fact, I
>believe the only reasonable way to predict a cipher's resistance
>against publicly unknown attacks is its simplicity of design (or else
>assume that somebody from the NSA is secretly helping the designer).
>The conceptually most simple AES candidate is my doomed Frog; the most
>simple AES finalist is probably RC6, followed by Rijndael. In fact, my
>guess is that unless some theoretical flaw is discovered in them during
>the next 12 months or so, these two will be the AES winners.
>

   I agree with most of what you said but you word things much better.
However I have more faith in a fishy algorithm winning the contest. I would
also like to state that scott19u may be slow but I believe it is based on
the kind of simplicity you stress. Though the hateful wrong comments
of Wagner and others state otherwise. I feel they may be jealous of
the overall strength of my method. It is a far more secure algorithm
than any of the short key AES candidates. 


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMMERS

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST AES FInalists are....
Date: Thu, 12 Aug 1999 21:56:23 GMT

In article <[EMAIL PROTECTED]>,
  Matt Curtin <[EMAIL PROTECTED]> wrote:
> (...)
> In light of the release of SKIPJACK specifications and the success of
> an attack on a 31-round variant, it has been suggested that the
> cryptographic expertise "out here" might have caught up to that "in
> there".  If NSA knew about attacks using impossible differentials and
> applied the technique to SKIPJACK reduced by one round, blessing it as
> secure would be an incompetent blunder.
> (...)

I think there are several logical errors in this argument.

First of all, "a successful cryptanalytic attack" can mean widely
different things. NSA's business is to protect or expose secrets in the
real world, not to publish academic papers describing theoretical
attacks. No matter how theoretically interesting an attack, from NSA's
point of view it is worthless if it is not capable of recovering the
plaintext or the key. Skipjack is almost susceptible to impossible
differentials, a theoretical attack discovered in the public sector,
but within NSA's frame of mind this is of little real consequence.

Secondly, the fact that Skipjack resists impossible differentials at
the minimum number of rounds makes one think that they did previously
know about this attack. After all, DES has just sufficient rounds for
resisting differential attacks and we know for a fact that its
designers knew about this attack many years before it became public. By
the way it is probable that Skipjack is strong against attacks that NSA
knows about but we in the public sector don't - in fact Skipjack
appears to be quite strong against power attacks, a type of practical
attack discovered only very recently.

Thirdly, Skipjack was meant for public consumption. Certainly NSA's
methodology for designing a cipher for the public is different from
their state of the art for designing military grade ciphers. It is
difficult to believe that NSA would present to the world a cipher that
they themselves cannot break in praxis, i.e. recover the key or
plaintext under real world conditions. At the same time this cipher
should be strong enough to resist *practical* attacks developed in the
public sector. So, a cipher like Skipjack represents a very special
kind of design requirements.

There is no doubt in my mind that NSA is much more advanced in
cryptology than the public sector - people who know what they can do
keep approving their gargantuan budget, which means that they are
earning it. It is incredible to believe that the public sector with a
small fraction of the resources of NSA could achieve a comparable level
of knowledge. The big picture of course is that on the one hand there
is a very advanced and costly agency developing technology of great
importance for the information society of the future, and on the other
hand the technology that will in fact be used will come from the much
smaller and underfinanced academic sector. To my mind this is grossly
inefficient. In fact I believe everybody's security and wellbeing would
increase if NSA were allowed to make public their state of the art
knowledge. Knowledge gives power, but a world where knowledge is shared
by all is ultimately more secure.

Meanwhile the academic community has not really broken any nontrivial
symmetric cipher (including the 30 years old DES) in a nontrivial
manner. The AES process has absorbed the conventional wisdom about a
cipher's relative strength, which is: if we have to choose between two
ciphers and we know about a theoretical flaw in one and we don't know
about even a theoretical flaw in the other then we must consider the
second one more secure. This is a reasonable strategy, even though it
is a bad predictor of how the competing ciphers will fare against an
unknown type of attack that may be discovered in the future. In fact, I
believe the only reasonable way to predict a cipher's resistance
against publicly unknown attacks is its simplicity of design (or else
assume that somebody from the NSA is secretly helping the designer).
The conceptually most simple AES candidate is my doomed Frog; the most
simple AES finalist is probably RC6, followed by Rijndael. In fact, my
guess is that unless some theoretical flaw is discovered in them during
the next 12 months or so, these two will be the AES winners.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
