Cryptography-Digest Digest #54, Volume #10 Mon, 16 Aug 99 02:13:03 EDT
Contents:
Re: NIST AES FInalists are.... (JPeschel)
Re: Wrapped PCBC mode (Tom St Denis)
Re: New encryption algorithm (SCOTT19U.ZIP_GUY)
Re: CRYPTO DESIGN MY VIEW (SCOTT19U.ZIP_GUY)
Re: Wrapped PCBC mode (SCOTT19U.ZIP_GUY)
Re: NIST AES FInalists are.... (SCOTT19U.ZIP_GUY)
Re: New encryption algorithm (JPeschel)
Re: NIST AES FInalists are.... ([EMAIL PROTECTED])
report of chat session (Tom St Denis)
Re: CRYPTO DESIGN MY VIEW ("Douglas A. Gwyn")
Re: NIST AES FInalists are.... (David A Molnar)
Re: New encryption algorithm
Re: New encryption algorithm
coding theory ([EMAIL PROTECTED])
Re: New encryption algorithm (SCOTT19U.ZIP_GUY)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: NIST AES FInalists are....
Date: 15 Aug 1999 22:13:23 GMT
"Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
>But actually I had in mind the observation that most of the
>public-sector cryptologists haven't exhibited the ability to
>crack even the classical systems such as Hagelins, indicating
>absence of knowledge of essential basic methods and tools of
>cryptanalysis. Thus, their lack of success in cryptanalyzing a
>new cipher system should be seen in context -- even if it were
>readily breakable, would they have broken it? The answer seems
>to be "not necessarily". So people who take such lack of
>successful breaking as indicative of cryptosystem strength must
>be making unwarranted assumptions.
Goodness -- could it be that I and a couple of crackers of my
acquaintance have more experience in breaking into real-world
systems than all of the AES cryptologists?
Probably not.
I suspect a paper on breaking a classical system would be
unpublishable, and a presentation on the same unacceptable at
a crypto conference. The phrase "it's trivial" might be the reason
for rejection.
Having talked with a few academic cryptanalysts, I got the
impression that a lot of them dabbled, early in their careers,
in breaking classical ciphers and actual real-world crypto.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Wrapped PCBC mode
Date: Sun, 15 Aug 1999 22:20:14 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Bauerda) wrote:
> >Can someone name me one benefit of Dave's 'super-duper' W-PCBC mode?
>
> It allows him to take a horribly weak algorithm and (by running it 15 or 25
> times) make it strong enough to withstand the attacks of the people who spend a
> few minutes looking at it. Seriously, I wonder if anyone could break the
> following: W-PCBC using four round blowfish (where Scott has his s-box) run
> for about six rounds.
Do you mean four passes of Blowfish or a 4-round variant? In any case
Dave's method is weak with only a few passes. It needs 25 passes to
make it somewhat secure.
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: New encryption algorithm
Date: Sun, 15 Aug 1999 23:20:56 GMT
In article <[EMAIL PROTECTED]>, Mok-Kong Shen <[EMAIL PROTECTED]>
wrote:
>JPeschel wrote:
>>
>> He could present it at a crypto conference or publish it in a respected
>> journal first.
>
>Unfortunately there is in fact a problem besides the acceptance
>of manuscripts. As far as I know, anything published will not qualify
>for a patent in Germany. I vaguely remember that this is not the case
>in US, but I am not sure of that.
>
>So the surest way to protect the priority and value of one's ideas is
>to obtain patents. To take and maintain patents can cost quite a lot
>of money, however, especially if the coverage is to be international.
>On the other hand, I was told that, if the intention is merely to have
>a proof of one's priority (proof for one's fellows in a scientific
>discipline) and not to unconditionally prevent others from making
>money with the same ideas, one can apply for a patent in certain
>countries, e.g. Germany, where after a preliminary examination the
>text of the patent application is published by the patent office in
>its bulletin for public review. At this point one can discontinue
>the patent process. This way, one pays only a fairly minimal sum of
>money (assuming that one can formulate the application without the
>help of patent lawyers) but has one's ideas documented in an official
>publication. As far as I know, the same can't be done in US, since
>there is no public review of US patents.
>
I do have a patent to my name for work I did for the government;
however, it takes many, many years to get it. One, it is not an easy process.
If you have to use your own money you can forget it. Besides, if a big
guy like Gates wants it, he has the money for lawyers and you don't,
so you lose.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: CRYPTO DESIGN MY VIEW
Date: Sun, 15 Aug 1999 23:16:37 GMT
In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>> Note this does not mean that they have broken the system
>> only that there is enough information to break it.
>
>I appreciate the extended discussion along these lines.
>
>> know that the words "Kill all the Cats" is somewhere ...
>> ... Next suppose the guy is a little brighter and used
>> my "adaptive huffman compression" [now] the attacker has
>> no idea of what the compressed string looks like ...
>
>That's not strictly true. He doesn't know *exactly* what
>it looks like, but he should be able to determine relative
>likelihoods, based on known population statistics for
>plaintext. While it foils a simple known-plaintext attack,
>it doesn't guarantee that a more sophisticated attack based
>on statistics might not succeed.
I know you mean well, but having played with Adaptive Huffman
compressors a lot, if one only knows a phrase buried in the middle
of a text, it is highly unlikely the attacker can even guess the structure,
since not even the bit lengths for each character can be guessed, let
alone their weights. This is not as easy as you might think.
>
>> Something the BS crypto gods do not want you to do.
>
>If you mean Bruce, I don't recall him ever saying you
>shouldn't compress before encryption, especially if it
>doesn't result in fixed headers etc. Virtually everyone
>agrees that that makes certain attacks more difficult.
I have not heard much of a discussion from him or anyone
like him on what kind of compression should be used. It would
be nice if someone that people worship made relevant comments
about what kind of compression the so-called experts think should
be used. I feel strongly that it is one without error recovery, without
headers, and one that is capable of treating any file as a valid
compressed file so as to avoid a guess of a key being immediately
rejected as bad.
I feel that it is not discussed very much in this group because its
use can make crypto hard to break. The NSA does not like this
and Bruce most likely doesn't want people to really use secure
crypto either. It kind of takes away the glory of the things they work on.
By the way, do you know of any other compression that has these
properties?
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Wrapped PCBC mode
Date: Sun, 15 Aug 1999 23:23:12 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bauerda)
wrote:
>>Can someone name me one benefit of Dave's 'super-duper' W-PCBC mode?
>
>It allows him to take a horribly weak algorithm and (by running it 15 or 25
>times) make it strong enough to withstand the attacks of the people who spend a
>few minutes looking at it. Seriously, I wonder if anyone could break the
>following: W-PCBC using four round blowfish (where Scott has his s-box) run
>for about six rounds.
>
>David Bauer
First of all you would have to find a real programmer who understands bit
fields to actually do the W-PCBC, and from a lot of the comments I get here
that is going to be hard.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: NIST AES FInalists are....
Date: Sun, 15 Aug 1999 23:25:09 GMT
In article <1999Aug15.144426.1@eisner>, [EMAIL PROTECTED] wrote:
>In article <7p2c6c$21oc$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> (SCOTT19U.ZIP_GUY) writes:
>> In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote:
>>>"SCOTT19U.ZIP_GUY" wrote:
>>>> IF there is no secret NSA entry in the remaining contenders
>>>> then we tax payers are not getting our money's worth.
>>>
>>>I think it's more probable that they're ready to propose a
>>>decent alternative if the AES winner turns out to not be good
>>>enough for its intended use within the "national infrastructure".
>>
>> I think you're very wrong here for two reasons. They tried to
>> force the Clipper chip on people and it failed. So they are
>> not stupid.
>
>Mr. Scott, your faith in government exceeds your knowledge of history.
>
>Before they tried promoting the Clipper chip, they tried
>promoting CCEP, the Commercial COMSEC Endorsement Program,
>which involved commercial vendors accepting chips with secret
>government algorithms.
>
>After they tried promoting the Clipper chip, they tried
>promoting Fortezza use with another secret government
>algorithm.
>
>So the fact that an approach failed for the government in
>the court of public crypto opinion does not preclude another
>similar attempt.
>
>Larry Kilgallen
You're right, they may try again.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: New encryption algorithm
Date: 15 Aug 1999 22:54:41 GMT
>[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:
>>He could present it at a crypto conference or publish it in a respected
>>journal first.
>>
>>Joe
>>
>
> Actually this is not true. If it really is revolutionary and out of the main
>stream, you would never get it published in a journal since you are an
>outsider. Oh, they might do it if it is weak so they can poke fun at it,
> but it would never see the light of day if it was good and not previously
>blessed by a crypto god. About the only way it will get published is when
>one of those highly respected people steals your method.
>
>
Publication of any article, whether scientific, academic, or popular, is always
tough for a newcomer, an unknown, or a revolutionary. It is, however,
possible. Crypto journals, like other print media, are often starved
for articles. Some technical journals, again like other publications,
are willing to take a chance on a revolutionary newcomer. If an
author thinks his article (which might also include source code)
is good, he should strive for publication.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: NIST AES FInalists are....
Date: 15 Aug 1999 23:32:48 GMT
Reply-To: [EMAIL PROTECTED]
Jim Gillogly <[EMAIL PROTECTED]> writes:
>But which hat would they be wearing? Given NSA's two conflicting
>responsibilities -- protecting US communications and reading foreign
>communications -- it's not obvious that they could justify becoming
>midwife to a good unclassified 128-bit cipher. If they report that
>a previously unknown attack would reduce the strength of three of
>the ciphers to 107 bits and we can verify this, how much confidence
>should we have that they don't know another clever attack that would
>reduce one of the survivors to 38 bits?
If the NSA did that, and subsequently someone in the public doing crypto
discovered the attack that weakened it to 38 bits then the NSA would lose
an awful lot of credibility. Businesses would start using non-NSA designed
cryptosystems, which would remove a lot of influence that the NSA can have
over protecting US cryptosystems. It is not in the NSA's self-interest to
propose ciphers with "hidden backdoors." And they have pretty much proven
that they produce good quality work (DES) and that engineered weaknesses are
right out in the open (56-bit keylength of DES, export controls, key
escrow).
--
Lamont Granquist ([EMAIL PROTECTED])
ICBM: 47 39'23"N 122 18'19"W
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: report of chat session
Date: Mon, 16 Aug 1999 01:00:34 GMT
Well, we had a small chat group (4 ppl) on EFNET in 'scicrypt'. We
mainly got to know each other, talked about my Algorithm M code (found
it to run at about 12 to 16 cycles/byte) and talked about RSA/ElGamal.
If anyone else wants to join in, the chat sessions are on the EFNET IRC
servers in the room 'scicrypt'. It's every Sunday at 13:00 GMT.
Everyone is invited and there are no real fixed topics.
Next week, however, I would like to hear reviews of my Algorithm M code
(you can get it from me if you ask in email). It's basically a stream
cipher based on Algorithm M. I would also like to hear security
reviews if possible (or comments). If anyone else has a topic, just
suggest it now, or next Sunday.
Some general 'rules' that will make the chat session worthwhile
1. No DCC'ing unless asked to (no warez either!)
2. No flames (it's a waste anyways)
2.1 No 'NSA' paranoia.
3. Periodically switch servers if you are getting long ping times
(with all the members)
4. Try to stay on topic (whatever is the current topic).
4.1 Try to suggest topics if it's getting dull.
These rules are not enforced, but adhering to them will make for
pleasant conversations.
Hope to talk to you there!
Tom St Denis
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: CRYPTO DESIGN MY VIEW
Date: Mon, 16 Aug 1999 03:41:30 GMT
"SCOTT19U.ZIP_GUY" wrote:
> By the way do you know of any other compression that has these
> properties.
I haven't researched this, but I do know there are a few different
lossless compression schemes. (Can't use lossy ones if every bit
of data needs to be conveyed without distortion.) Lempel-Ziv has
been popular for several years; possibly one could use a large
"word size" (dictionary) and prime it with an agreed-upon text
before feeding the message text to it.
I occasionally get e-mail about data compression conferences,
but after I forward it to more-interested parties I delete it.
Probably a Web search would turn up something helpful.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: 16 Aug 1999 05:19:07 GMT
[EMAIL PROTECTED] wrote:
> If we are prepared to imagine a real world protocol that decrypts 2^36
> chosen blocks (a thousand Gigabytes) with the same key we should also
> be prepared to imagine a protocol that leaks the key as plaintext. I
> don't think that such a gedankenexperiment can lead us to any
> meaningful result.
uh, is this a veiled reference to "The Random Oracle Paradigm, Revisited"?
probably not. Even so, consider that "leaks key as plaintext" is obviously
an extreme failure mode. So extreme that it can only be used as a means to
emphasise whatever led to that failure. If you had two schemes which
looked like
1) if bad event happens, output secret key as plaintext
2) if bad event happens, output "existential forgery"
(where "existential forgery" means something not critical, but still bad,
like a valid ECB block or a valid message showing the system's malleable
or something which is only technically a "break")
what does that say about "bad event" ? and how do you ensure that 2) isn't
hidden somewhere in part of your cipher, even if you think you can rule
out 1) ?
-David Molnar
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: New encryption algorithm
Date: 16 Aug 99 05:49:54 GMT
Mok-Kong Shen ([EMAIL PROTECTED]) wrote:
: JPeschel wrote:
: >
: > He could present it at a crypto conference or publish it in a respected
: > journal first.
: Unfortunately there is in fact a problem besides the acceptance
: of manuscripts. As far as I know, anything published will not qualify
: for a patent in Germany. I vaguely remember that this is not the case
: in US, but I am not sure of that.
In the US, a one-year period is allowed, but many other countries do not
allow this.
: So the surest way to protect the priority and value of one's ideas is
: to obtain patents. To take and maintain patents can cost quite a lot
: of money, however, especially if the coverage is to be international.
Indeed. And there is another problem: in the U.S., there is a tendency to
"rubber-stamp" patent applications; although they are checked for novelty
and effectiveness, this check is still a limited one, and many patents are
granted for things that have already been invented long ago, or are
"obvious improvements in the art", or are otherwise invalid - and in
some cases the inventor only finds this out when his patent is challenged
in court. More than half of patents challenged in court are found
invalid, but as people presumably don't choose to challenge the ones that
are unassailable, this doesn't mean this is the average for all patents.
John Savard
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: New encryption algorithm
Date: 16 Aug 99 05:45:27 GMT
[EMAIL PROTECTED] wrote:
: But let's theoretically assume that this algorithm really is
: revolutionary and that its author would be able to make money on its
: patent. In this case how can he ensure his idea is not stolen by
: somebody else who could simply patent it first and become the inventor
: of the algorithm in terms of law?
You are right, this is difficult. (Actually, there is an easy answer: he
should go and patent it, then reveal it.)
In general, little consideration is given to this by people saying that a
secret algorithm is not good, because:
1) there is no need of a "revolutionary algorithm". Triple-DES with
whitening (increase the key size by XORing the input and output with
secret quantities, also part of the key) should do just nicely for about
any purpose, and
2) it is very easy for a black box, or a secret algorithm, to do an
apparently good job of encrypting, and yet provide no real security; for
example, suppose I sell you a program that does this: encrypt with DES,
using a constant key I know, XOR the result with your 64 bit key, encrypt
with DES, using another constant key I know. You can try the program with
different keys, and it will seem to be enciphering by means of an
excellent block cipher with a 64-bit key. Yet I have a trivial
known-plaintext attack against your messages.
Because people have alternatives, secret algorithms will tend to be
ignored - even if they really are revolutionary.
John Savard
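The black-box construction described above, as an added example that is not part of the original post: a small hash-based Feistel network stands in for DES so it runs offline, and the vendor constants, function names and sample key are constructed for illustration. The weakness is structural, so it does not depend on which block cipher fills the two fixed layers.

```python
# Added example (not from the original posts): a toy model of the black-box
# cipher described above. The "product" computes
#     C = E_K2( E_K1(P) XOR k )
# where K1 and K2 are constants fixed by the vendor and k is the customer's
# 64-bit key. To the customer it behaves like a 64-bit block cipher; to the
# vendor, one known plaintext/ciphertext pair yields k directly.
# A SHA-256-based Feistel network is a stand-in for DES here (constructed).
import hashlib

ROUNDS = 16  # 64-bit block (two 32-bit halves), like DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key: bytes) -> list:
    # Derive one 8-byte subkey per round from the cipher key.
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def _round_fn(half: bytes, rk: bytes) -> bytes:
    # Keyed round function: first 4 bytes of SHA-256(subkey || half).
    return hashlib.sha256(rk + half).digest()[:4]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    # Balanced Feistel network: invertible for any round function.
    left, right = block[:4], block[4:]
    for rk in _round_keys(key):
        left, right = right, _xor(left, _round_fn(right, rk))
    return right + left


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    # Same structure with the subkeys in reverse order undoes toy_encrypt.
    left, right = block[:4], block[4:]
    for rk in reversed(_round_keys(key)):
        left, right = right, _xor(left, _round_fn(right, rk))
    return right + left


# Constants baked into the shipped "product": the vendor knows them,
# the buyer never sees them (constructed placeholder values).
VENDOR_K1 = b"vendor-constant-1"
VENDOR_K2 = b"vendor-constant-2"


def product_encrypt(user_key: bytes, block: bytes) -> bytes:
    # What the buyer observes: a 64-bit key goes in, good-looking output comes out.
    return toy_encrypt(VENDOR_K2, _xor(toy_encrypt(VENDOR_K1, block), user_key))


def product_decrypt(user_key: bytes, block: bytes) -> bytes:
    return toy_decrypt(VENDOR_K1, _xor(toy_decrypt(VENDOR_K2, block), user_key))


def vendor_recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    # Knowing K1 and K2, the vendor peels both fixed layers off a single
    # known plaintext/ciphertext pair; what is left is the user's key.
    return _xor(toy_encrypt(VENDOR_K1, plaintext), toy_decrypt(VENDOR_K2, ciphertext))


if __name__ == "__main__":
    k = bytes.fromhex("0123456789abcdef")          # the customer's secret key
    p = b"KillCats"                                  # one 8-byte known block
    c = product_encrypt(k, p)
    print("round trip ok:", product_decrypt(k, c) == p)
    print("vendor recovers key:", vendor_recover_key(p, c) == k)
```

The buyer cannot tell this apart from an honest cipher by testing it with different keys, which is the point the post makes about trusting a secret algorithm.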
------------------------------
From: [EMAIL PROTECTED]
Subject: coding theory
Date: Mon, 16 Aug 1999 05:47:33 GMT
Hi,
I am taking a course on coding theory based on Raymond Hill's book "A
First Course in Coding Theory."
In preparing for a test I could use example exam questions (esp. with
solutions), or anything you might think of. Does anyone have
suggestions?
Topics that are most relevant are:
cyclic codes, linear codes, BCH codes, perfect codes, Hamming codes.
Thanks.
Ayelet Margalit
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: New encryption algorithm
Date: Mon, 16 Aug 1999 07:10:25 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(JPeschel) wrote:
>>[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:
>
>>>He could present it at a crypto conference or publish it in a respected
>>>journal first.
>>>
>>>Joe
>>>
>>
>> Actually this is not true. If it really is revolutionary and out of the main
>>stream, you would never get it published in a journal since you are an
>>outsider. Oh, they might do it if it is weak so they can poke fun at it,
>> but it would never see the light of day if it was good and not previously
>>blessed by a crypto god. About the only way it will get published is when
>>one of those highly respected people steals your method.
>>
>>
>Publication of any article, whether scientific, academic, or popular, is always
>tough for a newcomer, an unknown, or a revolutionary. It is, however,
>possible. Crypto journals, like other print media, are often starved
>for articles. Some technical journals, again like other publications,
>are willing to take a chance on a revolutionary newcomer. If an
>author thinks his article (which might also include source code)
>is good, he should strive for publication.
>
>Joe
>
Joe, I am not sure I really believe it is as easy as you say.
Suppose I wanted to submit my scott16u with a few patches,
such as array sizes, to a journal, where the write-up is short but
would contain the full source code with operation examples.
I would rather do examples than write. But do you honestly
know of one that I can do this with? And would not the office have to
be in the US, since I could not export it out legally? I would
be willing to do this but I don't want to pay for something
phony.
If you like you could proofread the writing part for any errors
in grammar and use your name as co-writer or whatever.
Or if you wish, go all the way and do scott19u instead.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************