Cryptography-Digest Digest #341, Volume #11 Wed, 15 Mar 00 14:13:01 EST
Contents:
Re: how to introduce hs students to cryptography (Doug Stell)
Weaknesses in Solitaire Algorithm Found (Albert Yang)
Re: Q: Fourier and other transforms (Terry Ritter)
Re: NIST, AES at RSA conference (Bo D�mstedt)
Re: how to introduce hs students to cryptography (Andru Luvisi)
Re: NIST, AES at RSA conference (Terry Ritter)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: how to introduce hs students to cryptography
Date: Wed, 15 Mar 2000 17:57:34 GMT
Attached is my example of small-number RSA. I generally use this after
the Diffie-Hellman example, because of the slightly greater level of
complication. It covers both signature and confidentiality modes.
The example also introduces Chinese Remainder Theorem and Montgomery
Multiplication. However, these would be too complicated to dump onto
12th graders.
Example of the RSA Algorithm, on a 4-function Calculator
========================================================
Key Derivation
==============
Alice picks the following numbers:
Prime numbers: P = 11, Q = 17
Public exponent: E = 3 E < P-1, E < Q-1
g.c.d.(3,10) = 1
(E relatively prime to P and Q) g.c.d.(3,16) = 1
Alice computes the following numbers:
Public Modulus: N = P * Q = 11 * 17 = 187
Private Modulus: Phi[N] = (P-1) * (Q-1) = 10 * 16 = 160
Private exponent, using Euclid's Theorem: D = 107
D = (E)^-1 (mod Phi[N]) = (E)^(Phi[N]-1) (mod Phi[N])
= (3)^(P-1)*(Q-1)-1 (mod (P-1)*(Q-1))
= (3)^159 (mod 160) = 107
Check: E * D = 3 * 107 = 321 = 2(160) + 1 = 1 (mod 160)
Alice's public key is [N, E] = [187, 3] - made public
Alice's private key is [N, D] = [187, 107] - held in secret
-----------------------------------------------------------------
Computation of (3)^159 (mod 160), via the successive square and
multiply method:
expressing the exponent in binary form: 159 -> 1001,1111
applying the exponent from right (LSB) to left (MSB)
Successive squaring of 3 Accumulation of result
------------------------ -------------------------
(3)^01 = 3 1 -> 3 * 1 = 3
(3)^02 = 9 1 -> 9 * 3 = 27
(3)^04 = 81 (mod 160) 1 -> 81 * 27 = 107 (mod 160)
(81)^2 = 6,561 = 41(160) + 1 = 1 (mod 160)
81 * 27 = 2,187 = 13(160) + 107 = 107 (mod 160)
(3)^08 = 1 1 -> 1 * 107 = 107
(3)^16 = 1 1 -> 1 * 107 = 107
(3)^32 = 1 0 -> no mult. 107
(3)^64 = 1 0 -> no mult. 107
(3)^128 = 1 1 -> 1 * 107 = 107
Alice may discard prime numbers, P and Q, and Phi[N], as they
are no longer needed, or she may use them to increase
computation speed via the Chinese Remainder Theorem method.
�
Encryption for Authentication, with private key (187,107)
=========================================================
Alice wishes to authenticate a message, M, the number 129, and
send
it to Bob. Alice, therefore, applies her private key pair (187,
107).
Computation of cipher C = (129)^107 (mod 187), via the successive
square and multiply method:
expressing the exponent in binary form: 107 -> 110,1011
applying the exponent from right (LSB) to left (MSB)
Successive squaring of 129 Accumulation of result
-------------------------- -------------------------
(129)^01 = 129 1 -> 129 * 001 = 129
(129)^02 = 185 (mod 187) 1 -> 185 * 129 = 116 (mod 187)
(185)^2 = 34,225 = 183(187) + 4 = 4 (mod 187)
185 * 129 = 23,865 = 127(187) + 116 = 116 (mod 187)
(129)^04 = 4 (mod 187) 0 -> no mult. 116
(129)^08 = 16 1 -> 16 * 116 = 173 (mod 187)
(129)^16 = 69 (mod 187) 0 -> no mult. 173
(129)^32 = 86 (mod 187) 1 -> 86 * 173 = 105 (mod 187)
(129)^64 = 103 (mod 187) 1 -> 103 * 105 = 156 (mod 187)
Therefore, the resulting cipher is C = (129)^107 = 156 (mod 187)
------------------------------------------------------------------
Decryption of cipher 156 with public key (187,3)
================================================
Bob uses Alice's public key pair (187, 3) to decrypt the cipher
Computation of M = (156)^3 (mod 187), via the successive square
and multiply method:
Successive squaring of 129 Accumulation of result
-------------------------- -------------------------
(156)^01 = 156 1 -> 156 * 001 = 156
(156)^02 = 26 (mod 187) 1 -> 26 * 156 = 129 (mod 187)
Therefore, the recovered message is (156)^3 = 129 (mod 187)
M = (C)^E = ((M)^D)^E (mod N) because D * E = 1 (mod Phi[N])
------------------------------------------------------------------
Interesting point of note: The number of steps in the calculation
is the sum of the number of bits in the exponent, excluding
leading
zeros and the number of 1-bits in the exponent. That is why short
exponents with few 1-bits compute quickly.
�
Encryption of a Message for Secrecy, with public key (187,3)
============================================================
Bob wishes to send a message, M, the number 129, to Alice in
secret.
Bob, therefore, applies Alice's public key pair (187, 3).
Computation of cipher C = (129)^3 (mod 187), via the successive
square and multiply method and using the table of the previous
page
Successive squaring of 129 Accumulation of result
-------------------------- -------------------------
(129)^01 = 129 1 -> 129 * 001 = 129
(129)^02 = 185 (mod 187) 1 -> 185 * 129 = 116 (mod 187)
Therefore, the resulting cipher is C = (129)^3 = 116 (mod 187)
------------------------------------------------------------------
Decryption of cipher 116 with private key (187,107)
===================================================
Alice decrypts the encrypted cipher from Bob, using her private
key pair (187, 107).
Computation of M = (116)^107 (mod 187), via the successive square
and multiply method:
expressing the exponent in binary form: 107 -> 110,1011
applying the exponent from right (LSB) to left (MSB)
Successive squaring of 129 Accumulation of result
-------------------------- -------------------------
(116)^01 = 116 1 -> 116 * 001 = 116
(116)^02 = 179 (mod 187) 1 -> 179 * 116 = 7 (mod 187)
(116)^04 = 64 (mod 187) 0 -> no mult. 7
(116)^08 = 169 (mod 187) 1 -> 169 * 7 = 61 (mod 187)
(116)^16 = 137 (mod 187) 0 -> no mult. 61
(116)^32 = 69 (mod 187) 1 -> 69 * 61 = 95 (mod 187)
(116)^64 = 86 (mod 187) 1 -> 86 * 095 = 129 (mod 187)
Therefore, the recovered message is (116)^107 = 129 (mod 187)
M = (C)^D = ((M)^E)^D (mod N) because D * E =1 (mod Phi[N])
------------------------------------------------------------------
Original scientific calculator example, supplied by D. James
Bidzos (president) and Bert. S. Kaliski of RSA Data Security,
Inc. "An Overview of Cryptography, Technology provides network
privacy," LAN TIMES, February 1990.
Modified for 4-function calculator (with memory) and CRT method
example added by Doug Stell. (This is also the method used by
the Cylink public key chip and many other implementations.)
�
Example of the Chinese Remainder Theorem Method of Calculation
==============================================================
The computations using the public key are relatively fast, due
to the fact that the exponent has been chosen to be a small
number with few one-bits. However, computations using the
private key are quite slow and will benefit from use of the
Chinese Remainder Theorem. This permits the combining of two
faster exponentiations, using smaller numbers, rather than one
exponentiation using larger numbers.
As an example of the CRT method, we will again use two examples,
Alice encrypting message, M = 129, by computing the cipher,
C = (129)^107 = 156 (mod 187) and Alice decrypting cipher,
C = 116, by computing M = (116)^107 = 129 (mod 187). (Actual
exponentiations are not shown in this example.)
Further Key Derivation for Chinese Remainder Theorem
====================================================
Instead of discarding the primes, P and Q, and using only the
private exponent, D, the primes are retained and two related key
components are computed. These are the multiplicative inverses
of P and Q, P1 and Q1, using Euclid's Theorem, such that
(P*P1) (mod Q) = 1 and (Q*Q1) (mod P) = 1.
P1 = inverse of (P = 11): P1 = (P)^(Q-2) (mod Q)
= (11)^15 (mod 17)
= 14 (mod 17)
Q1 = inverse of (Q = 17): Q1 = (Q)^(P-2) (mod P)
= (17)^9 (mod 11)
= (6)^9 (mod 11)
= 2 (mod 11)
The private exponents (mod P-1) and (mod Q-1) are also computed.
Private Exponent D = 107: = 7 (mod 10) = 11 (mod 16)
The CRT method private key is:
[N, P, Q, P1, Q1, D (mod P-1), D (mod Q-1)]
= [187, 11, 17, 14, 2, 7, 11]
�
Encryption for Authentication, with CRT method private key
==========================================================
1. Alice computes separately (M)^D (mod P) and (M)^D (mod Q).
(mod P) part (mod Q) part
-------------- ----------------
Private Exponent: D = 107 = 7 (mod 10) = 11 (mod 16)
Plaintext data: M = 129 = 8 (mod 11) = 10 (mod 17)
(M)^D = (129)^107 = (8)^7 (mod 11) = (10)^11 (mod 17)
= 2 (mod 11) = 3 (mod 17)
2. The Chinese Remainder Theorem says that we may combine the
above computations by substitution into the formula below:
Y (mod P*Q) = [(Y (mod P))*Q*Q1 + (Y (mod Q))*P*P1 ) (mod P*Q)
C = (M)^D (mod 187) = [(2 * 17 * 2) + (3 * 11 * 14)]
= 68 + 462 = 68 + 88 (mod 187) = 156 (mod 187)
= 530 = 156 (mod 187)
Decryption of cipher 116 with CRT method private key
====================================================
1. Alice computes separately (C)^D (mod P) and (C)^D (mod Q).
(mod P) part (mod Q) part
-------------- ----------------
Private Exponent: D = 107 = 7 (mod 10) = 11 (mod 16)
Ciphertest data: C = 116 = 6 (mod 11) = 14 (mod 17)
(C)^D = (116)^107 = (6)^7 (mod 11) = (14^11) (mod 17)
= 8 (mod 11) = 10 (mod 17)
2. The Chinese Remainder Theorem says that we may combine the
above computations by substitution into the formula below:
Y (mod P*Q) = [(Y (mod P))*Q*Q1 + (Y (mod Q))*P*P1 ) (mod P*Q)
M = (C)^D (mod 187) = [(8 * 17 * 2) + (10 * 11 * 14)]
= 272 + 1540 = 85 (mod 187) + 44 (mod 187) = 129 (mod 187)
= 1812 = 129 (mod 187)
------------------------------------------------------------------
Original scientific calculator example, supplied by D. James
Bidzos (president) and Bert. S. Kaliski of RSA Data Security,
Inc. "An Overview of Cryptography, Technology provides network
privacy," LAN TIMES, February 1990.
Modified for 4-function calculator (with memory) and CRT method
example added by Doug Stell. (Note that the successive square
and multiply method is also the method used by the Cylink public
key chip and many other implementations.)
�
CRT Method - calculations of supporting exponentiations
=======================================================
Computation of (11)^15 (mod 17): 15 = 1111 (binary)
Successive squaring of 11 Accumulation of result
-------------------------- ------------------------
(11)^01 = 11 1 -> 11 * 1 = 11
(11)^02 = 2 (mod 17) 1 -> 2 * 11 = 5 (mod 17)
(11)^04 = 4 1 -> 4 * 5 = 3 (mod 17)
(11)^08 = 16 1 -> 16 * 3 = 14 (mod 17)
Computation of (6)^9 (mod 11): 9 = 1001 (binary)
Successive squaring of 11 Accumulation of result
-------------------------- ------------------------
(7)^01 = 6 1 -> 6 * 1 = 6
(7)^02 = 3 (mod 11) 0 -> no mult. 6
(7)^04 = 9 0 -> no mult. 6
(7)^08 = 4 (mod 11) 1 -> 4 * 6 = 2 (mod 11)
Computation of (8)^7 (mod 11): 7 = 111 (binary)
Successive squaring of 8 Accumulation of result
-------------------------- ------------------------
(8)^01 = 8 1 -> 8 * 1 = 8
(8)^02 = 9 (mod 11) 1 -> 9 * 8 = 6 (mod 11)
(8)^04 = 4 (mod 11) 1 -> 4 * 6 = 2 (mod 11)
Computation of (10)^11 (mod 17): 11 = 1011 (binary)
Successive squaring of 10 Accumulation of result
-------------------------- ------------------------
(10)^01 = 10 1 -> 10 * 1 = 10
(10)^02 = 15 (mod 17) 1 -> 15 * 10 = 14 (mod 17)
(10)^04 = 4 (mod 17) 0 -> no mult. 14
(10)^08 = 16 1 -> 16 * 14 = 3 (mod 17)
Computation of (6)^7 (mod 11): 7 = 111 (binary)
Successive squaring of 6 Accumulation of result
-------------------------- ------------------------
(6)^01 = 6 1 -> 6 * 1 = 6
(6)^02 = 3 (mod 11) 1 -> 3 * 6 = 7 (mod 11)
(6)^04 = 9 1 -> 9 * 7 = 8 (mod 11)
Computation of (14)^11 (mod 17): 11 = 1011 (binary)
Successive squaring of 14 Accumulation of result
-------------------------- ------------------------
(14)^01 = 14 1 -> 14 * 1 = 14
(14)^02 = 9 (mod 17) 1 -> 9 * 14 = 7 (mod 17)
(14)^04 = 13 (mod 17) 0 -> no mult. 7
(14)^08 = 16 (mod 17) 1 -> 16 * 7 = 10 (mod 17)
�
Montgomery Method Multiplication
================================
Goal: To replace the "mod m" operation and the trial divisions
associated with it in the main loop with faster multiplications
and right shifts.
Moduli: R = 256 Montgomery modulus, 2^x, for binary machines
m = 187 Original modulus
Requirements: R > m
gcd(R,m) = 1
Input variables: a = 116
b = 179
c = 169
d = 69
e = 86
Expected result: f = a * b * c * d * e = 129 mod 187
Generation of values needed:
R = 256, the next power of 2 higher than modulus
m-bar = - m^(-1) mod R = - 187^(-1) mod 256 = 141
R-bar = R^(-1) mod m = 256^(-1) mod 187 = 103
R^2 mod n = 256^2 mod 187 = 69^2 mod 187 = 86
T = x-bar * y-bar, a temporary product for each calculation
U = T * m-bar mod R
Define: REDUC(T) = T * R^(-1) mod m
Compute U = T * m-bar mod R
Compute xy-bar = (T + U*m) /R
doing division by shifting
if (xy-bar < m) return xy-bar
else return (xy-bar - m)
�
Method summary:
Pick R meeting the requirements
Compute R^2 mod m, m-bar, R-bar
Convert inputs to Montgomery format
For each multiplication (x * y):
Compute T = x-bar * y-bar
Reduce T = T *R^(-1) mod m, as defined above
Convert Montomery result back to normal format
Conversion of input variables to Montomery format:
a-bar = aR mod 187 = REDUC (116 * (R^2 mod 187)) =
T = 116 * 86 = 9976
U = (T * m-bar) mod R = (9976 * 141) mod 256 = 152
T + U*m = 9976 + 152 * 187 = 38400
Dividing by 256 or shifting right 8 bits
a-bar = 150
b-bar = bR mod 187 = REDUC (179 * (R^2 mod 187)) =
T = 179 * 86 = 15394
U = (T * m-bar) mod R = (15394 * 141) mod 256 = 186
T + U*m = 15394 + 186 * 187 = 50176
Dividing by 256 or shifting right 8 bits
b-bar = 196 (Note 196 > 187)
b-bar = 9
c-bar = cR mod 187 = REDUC (169 * (R^2 mod 187)) =
T = 169 * 86 = 14534
U = (T * m-bar) mod R = (14534 * 141) mod 256 = 14
T + U*m = 14534 + 14 * 187 = 17152
Dividing by 256 or shifting right 8 bits
c-bar = 67
d-bar = dR mod 187 = REDUC (69 * (R^2 mod 187)) =
T = 69 * 86 = 5934
U = (T * m-bar) mod R = (5934 * 141) mod 256 = 86
T + U*m = 5934 + 86 * 187 = 22016
Dividing by 256 or shifting right 8 bits
c-bar = 86
e-bar = eR mod 187 = REDUC (86 * (R^2 mod 187)) =
T = 86 * 86 = 7396
U = (T * m-bar) mod R = (7396 * 141) mod 256 = 148
T + U*m = 7396 + 148 * 187 = 35072
Dividing by 256 or shifting right 8 bits
e-bar = 137
�
First multiplication:
T = a-bar * b-bar = 150 * 9 = 1350
U = T * m-bar mod R = 1350 * 141 mod 256 = 142
T + U*m = 1350 + 142 * 187 = 27904
Dividing by 256 or shifting right 8 bits:
ab-bar = 109
Second multiplication:
T = ab-bar * c-bar = 109 * 67 = 7303
U = T * m-bar mod R = 7303 * 141 mod 256 = 91
T + U*m = 7303 + 91 * 187 = 24320
Dividing by 256 or shifting right 8 bits:
abc-bar = 95
Third multiplication:
T = abc-bar * d-bar = 95 * 86 = 8170
U = T * m-bar mod R = 8170 * 141 mod 256 = 226
T + U*m = 8170 + 226 * 187 = 50432
Dividing by 256 or shifting right 8 bits:
abcd-bar = 197 (Note: 197 > m)
abcd-bar = 197 - 187 = 10
Fourth multiplication:
T = abcd-bar * e-bar = 10 * 137 = 1370
U = T * m-bar mod R = 1370 * 141 mod 256 = 146
T + U*m = 1370 + 146 * 187 = 28672
Dividing by 256 or shifting right 8 bits:
f-bar = abcde-bar = 112
Converting f-bar to f:
f = f-bar * R^(-1) mod m = 112 * 103 mod 187 = 129
f = f-bar * R^2 mod 187 = REDUC (112) =
T = 112
U = (T * m-bar) mod R = (112 * 141) mod 256 = 176
T + U*m = 112 + 176 * 187 = 33024
Dividing by 256 or shifting right 8 bits
f = 129
------------------------------
From: Albert Yang <[EMAIL PROTECTED]>
Subject: Weaknesses in Solitaire Algorithm Found
Date: Wed, 15 Mar 2000 18:34:16 GMT
Well, the subject is a bit miss leading, but I have thought of an
example where the Solitaire algorithm falls into trouble.
You get the message:
AGNWI WNGOW TOONM ON
and it translates to:
THEEN OMYIS NOWHE RE
So does this say "The Enemy is Now Here"
or does it say "The Enemy is No Where"
If I were a spy in covert ops and sent this message, there would be mass
confusion at home base. Should they send reinforcements or was it a
decoy? Now granted, this might fall under stupidity of the sender for
not sending something that has no chance of being mis-construed as
something else, but I just thought this was a problem.
I'd love to hear Bruce's comments on this.
Albert
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Q: Fourier and other transforms
Date: Wed, 15 Mar 2000 18:34:52 GMT
On Wed, 15 Mar 2000 11:01:55 +0100, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>[...]
>Not having studied your papers, I guess you are embedding the
>FFT technique 'into' a cipher construction.
The articles are available. I can't make you read them, but there is
not much point in trying to provide the same effect in a few newsgroup
messages.
For me, FFT represents one of a huge class of self-reversible mixing
transformations; FFT is just one of the few of all possible transforms
which have useful mathematical interpretations and properties in the
"transform space." But since FFT expands its data, it only hints at
the cryptographic utility of a large class of transforms which do
*not* expand data. When we have a huge class of distinct transforms,
and can select from among them at will, we get a *keyed* transform.
>What I think that one
>could also do with some profit is presumably at a more primitive
>(simply) level than what you do, namely one applies a certain one
>of the various transforms to a given sequence (the whole message
>perhaps) and obtain a sequence of the coefficients and subsequently
>apply a chosen encryption algorithm on that sequence. I guess that
>that pre-processing could add something of value. Evidently one
>could also change the type of transform and employ more than one
>transforms (of different types) to further complicate the matter.
It is not so easy to, say, "just use another transform." Most
arithmetic transforms expand the potential size or range of their data
values (in the FFT and FWT the value range for each element doubles
with each internal step). And most arithmetic transforms, including
The FFT, operate on reals (actually the FFT uses complex reals) and so
may return only a good floating-point *approximation* to the original.
The FWT is an integer transform so it does return the original values,
but still has the increased range. I suppose we could get an
indivisibility ("all or nothing") property out of just using some
transform, but of course an unkeyed transform provides no added
secrecy.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Bo D�mstedt)
Subject: Re: NIST, AES at RSA conference
Reply-To: [EMAIL PROTECTED]
Date: Wed, 15 Mar 2000 18:40:40 GMT
[EMAIL PROTECTED] (John Savard) wrote:
>As I've noted, the problem of communication here is that, while "no
>cipher is provably secure" is a theoretical problem, and one that
>seems insoluble for the moment...
... just for the moment, yes. The really scary thing is that the
real security, in any real system, will depend substantially
on implementation details, electrical shielding, regular
change of keys, key distribution mechanisms, indoctrination
of operators, ... Even if the theory sort itself out at the very
next moment, all the really difficult problems still remain
unsolved. The construction that Terry Ritter proposes makes
sense in any case.
Bo D�mstedt
Chief Cryptographer
Protego Information AB
http://www.protego.se/
2000-03-15
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: how to introduce hs students to cryptography
Date: 15 Mar 2000 10:31:09 -0800
"Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
[snip]
> I agree in general with this sentiment. It is insane to try to
> teach youngsters professional-level *any*thing. They need material
> they can readily *master* (if they apply themselves), not
> frustration.
[snip]
That all depends on the "youngster". Although this is fine for most
students, *requiring* that all students follow your
works-for-most-people speed and level will still frustrate the slow
ones and frequently bore the bright kid in the front row and turn him
into an underachiever.
Andru
--
==========================================================================
| Andru Luvisi | http://libweb.sonoma.edu/ |
| Programmer/Analyst | Library Resources Online |
| Ruben Salazar Library |-----------------------------------------|
| Sonoma State University | http://www.belleprovence.com/ |
| [EMAIL PROTECTED] | Textile imports from Provence, France |
==========================================================================
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: NIST, AES at RSA conference
Date: Wed, 15 Mar 2000 18:52:20 GMT
On Wed, 15 Mar 2000 18:13:48 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt Albert Yang <[EMAIL PROTECTED]> wrote:
>Isn't it a question of relativity (not the Einstein stuff) I mean, if I
>have two algorithms, A and B, I might not be able to prove that A is
>stronger than B, but I can prove that A is faster than B, and that B
>offers no additional value over A. I think this is the basis in which
>NIST made it's decisions.
We can *measure* faster. We can't measure *stronger*. So we *can't*
know when "B offers no additional value over A."
Even if we can *break* B, we *still* don't know that we can't break A
easier using something we do not yet understand.
>The other part is Pedigree. When you have people like Bruce, Eli, Ron,
>IBM designing the ciphers, there is a few things that are generally
>pretty safe to assume.
OK, enumerate those things which are safe to assume. Now, do those
things give us what we need in a cipher? I think the *only* reason we
use a cipher is to protect our data from others who may want to expose
that data. Do these "few things" assure us that the cipher will do
that? I think not.
>Bruce has broken a lot of ciphers in the past as has Ron and Eli, and
>the IBM people aren't chopped liver either, so if Eli comes up with
>differential cryptoanalysis, then I can reasonably assume that an
>algorithm he produces will be relatively safe from such an attack. Same
>with Bruce. whatever he has done to gain successful attacks against
>certain algorithms, I can basically look at the menu of ciphers he has
>broken and the methods used, and pretty safely assume that his algorithm
>is safe from those attacks.
>
>Now I want to say here, that __NO__ algorithm which can be decrypted can
>be proven to be 100% secure. There's no such thing. But the
>probability that nothing short of a brute force attack is possible on
>it, and the key length is something like 2^128, I'm probably going to
>sleep OK at night.
You can sleep if you want, but there is no basis for saying that
"nothing short of a brute force attack is possible." The inability to
know that is the problem, since the past implies the contrary: the
history of cryptography shows that new attacks are invented
frequently, and then are used on ciphers previously thought secure.
That has been the nature of cryptography -- including academic
cryptography -- from the beginning to the present. Why do you expect
that to change for some particular cipher?
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
