Cryptography-Digest Digest #513, Volume #11 Sat, 8 Apr 00 09:13:00 EDT
Contents:
Re: Q: Entropy (Mok-Kong Shen)
Re: Turing machine (Mok-Kong Shen)
Re: [Q] Insecurity (Mok-Kong Shen)
Re: Is AES necessary? (David Crick)
Re: Test Vectors for Block Ciphers ("Brian Gladman")
Re: Building a stream cipher part 2. (Newbie question.) ("Simon Johnson")
My Stream Cipher. (newbie (prolly kiddie cipher)) ("Simon Johnson")
Re: Is AES necessary? (Tom St Denis)
Re: new Echelon article (Turiyan "OG: original Gog" Gold)
Re: My Stream Cipher. (newbie (prolly kiddie cipher)) (Tom St Denis)
Re: Is AES necessary? (Svend Olaf Mikkelsen)
Re: Is AES necessary? ("Trevor L. Jackson, III")
Re: My Stream Cipher. (newbie (prolly kiddie cipher)) ("Simon Johnson")
Re: My Stream Cipher. (newbie (prolly kiddie cipher)) (Tom St Denis)
Re: Is AES necessary? (Tom St Denis)
Re: [Q] Insecurity (Tom St Denis)
Re: My Stream Cipher. (newbie (prolly kiddie cipher)) ("Simon Johnson")
Re: GSM A5/1 Encryption (Thomas Pornin)
Permutation Polynomials for sboxes? (Tom St Denis)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Sat, 08 Apr 2000 11:41:44 +0200
Bryan Olson wrote:
>
> Mok-Kong Shen wrote:
> > Bryan Olson wrote:
> > > Suppose Alice will shuffle a deck of 52 cards, and choose
> > > one at random. She will not look at it, but will show it to
> > > Bob, who will then give her one of two (truthful) messages:
> > > either "the card is an ace" or "the card is not an ace."
> [...]
> > > The entropy of the message space, in bits is
> > >
> > > 48/52 * log_2(52/48)
> > > + 4/52 * log_2(52/4)
> > > = 0.391
> [...]
> > Could you please explain a bit how you derived the formula for 0.391?
>
> Probability of "the card is not an ace" = 48/52
> Probability of "the card is an ace" = 4/52
>
> The entropy of a message space is,
>
> sum over all possible messages x:
> probability(x) * log(1/probability(x))
>
> You will more commonly see this written as the equivalent:
>
> sum over all possible messages x:
> - probability(x) * log(probability(x))
>
> > What would be the entropy of the alternative message 'the card is not
> > an ace'?
>
> log_2(52/48) = 0.115 bits
I am afraid that because of my poor knowledge I am yet far from a
proper understanding of your argumentation.
The card is an ace has 0.391 bits.
The card is not an ace has 0.115 bits.
Now whether the card is an ace or not can be considered to be
a binary decision. How could the sum 0.391 + 0.115 = 0.506
be less than 1?
Thanks.
M. K. Shen
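The formula in Bryan's reply, worked through in Python. This is an added example, not code from the thread, and the function names are mine. It computes the two quantities the reply uses: the entropy of the whole message space (0.391 bits for the ace/not-ace space) and the information content log2(1/p) of one particular message (0.115 bits for "not an ace"). It also shows how the entropy of a two-message space depends on the probabilities: it reaches a full bit only when both messages are equally likely.

```python
import math


def entropy_bits(probs):
    """Shannon entropy H = sum p(x) * log2(1/p(x)) over a message space.
    Zero-probability messages contribute nothing and are skipped."""
    return sum(p * math.log2(1 / p) for p in probs if p > 0)


def surprisal_bits(p):
    """Information content of a single message of probability p: log2(1/p)."""
    return math.log2(1 / p)


# Bryan's card example: 4 aces in a 52-card deck (constructed input).
ACE_SPACE = {"ace": 4 / 52, "not an ace": 48 / 52}


def card_example():
    """Return (entropy of the space, surprisal of 'ace', surprisal of 'not an ace')."""
    return (entropy_bits(ACE_SPACE.values()),
            surprisal_bits(ACE_SPACE["ace"]),
            surprisal_bits(ACE_SPACE["not an ace"]))


def binary_entropy(p):
    """Entropy of a yes/no message space with P(yes) = p.
    Equals 1 bit only at p = 1/2; a lopsided yes/no answer carries less."""
    return entropy_bits([p, 1 - p])


if __name__ == "__main__":
    h, s_ace, s_not = card_example()
    print("entropy of the message space: %.3f bits" % h)
    print("surprisal of 'ace':           %.3f bits" % s_ace)
    print("surprisal of 'not an ace':    %.3f bits" % s_not)
    for p in (0.5, 0.25, 4 / 52, 0.01):
        print("binary entropy at p=%.3f: %.3f bits" % (p, binary_entropy(p)))
```

The same `entropy_bits` is the function to reach for when estimating how many bits a seed, token or password space actually carries: the sum runs over the observed probabilities of each outcome, not over the count of outcomes that are possible in principle.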
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Turing machine
Date: Sat, 08 Apr 2000 11:59:45 +0200
Stou Sandalski wrote:
>
>
> Oh and I read a long time ago somewhere about this machine I think it was
> called a B-Machine (or something similar) designed (theoretically) by a
> mathematician from early this century (I think) and it looked to me like a
> neuro-network (the b-machine had states like organized or trained and
> unorganized). I remember there was some kind of device attached to it that
> theoretically could be used to solve any problem (you know the... assume a
> device such that can solve any problem in the universe, deal) Does anyone
> have any clue what this is? I would really really like to learn more about it
> but I can't find where I read it originally.
There was a logician that described in one of his books about a
mechanical device to do some automatic deductions, though I can't
find the reference now. But this probably is not what you mean.
If anything you mentioned exists, that should not have escaped
the notice of the scientists working on neuro-networks. You might
begin to track your target starting from some earlier books in
that field, e.g. the one on Perceptron.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: [Q] Insecurity
Date: Sat, 08 Apr 2000 12:05:05 +0200
Joseph Ashwood wrote:
>
[snip]
> for cryptography, but meets those criteria. Try putting it
> through DIEHARD, it gives a good estimate to the randomness,
> a cryptographically secure rng should have p-values
> distributed across [0,1] almost equally.
I suggest that one should at least apply the FIPS 140-1 tests.
M. K. Shen
------------------------------
From: David Crick <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
Date: Sat, 08 Apr 2000 10:56:00 +0100
Mok-Kong Shen wrote:
>
> > Triple-DES is still the conservative choice.
> >
> > And forget about 5-DES. Triple-DES is fine for the forseeable future.
>
> I am virtually ignorant in hardware matters. But I wonder why
> pipelining is not applicable to 3DES, i.e. the 3 modules may be
> processing 3 consecutive blocks of information simultaneously.
> That way, there would be no time penalty, excepting the setup
> time of the pipe.
3DES used in this mode is susceptible to shortcut attacks that
render it as only 2^56 strength (i.e. same as DES). 3DES used
in the slower, (outer feedback mode I believe?) mode gives us
the usual 168/112-bit strength.
See Applied Cryptography and the paper referenced therein.
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Test Vectors for Block Ciphers
Date: Sat, 8 Apr 2000 10:38:28 +0100
<[EMAIL PROTECTED]> wrote in message
news:8cltak$stl$[EMAIL PROTECTED]...
> There are so many libraries and implementations of Block Ciphers (DES,
> 3DES, CAST, IDEA, Blowfish, TwoFish...RC4...etc)...
>
> Are there any standard set of Test vectors that one can use to evaluate
> these libraries and test for correctness of implementation algorithms
> and coding?
>
> I am assuming that the answer is no, and that one has to write their own
> Test Vectors....any info or previous work in this area would be
> appreciated...It would be great to have a set of Universal Test vectors
> for each cipher....
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
I made test vectors and testing programs for all 15 ***original*** AES
algorithms available at 'ftp.hacktic.nl' (I think in directory:
pub/crypto/crypto/LIBS/aes-testing). I think the testing algorithms provided
there contain an error but new versions are available at:
http://www.btinternet.com/~brian.gladman/cryptography_technology/aes2/
I have not put up test vectors for the five AES finalists since these are
available on the NIST AES site.
Brian Gladman
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Building a stream cipher part 2. (Newbie question.)
Date: Sat, 8 Apr 2000 11:00:48 -0700
Simon Johnson <[EMAIL PROTECTED]> wrote in message
news:8clmit$i6e$[EMAIL PROTECTED]...
> How's this for a stream cipher?
> I have devised these steps looking at other algorithms, and thinking what
> would be hard to find a pattern in. (I hope I'm right)
>
> Let's say I initialise an array, s(0 to 255), with the values of the array
> equal to that of the array's index value e.g. s(i)=i
>
> Then I perform the following calculation on the text.
>
> For i = 1 to len(key) {
> a=sqr((ascii value of i'th letter of text)+a) mod 256
> }
>
> I then generate my stream of 'x' length using:
>
> For i = 1 to x {
> j=(j+a) mod 256 'i hope this co-dependency will mash things up a bit
> a=sqr(j +s (a) + s(j)) mod 256
> 'from here onwards is 'stolen' from RC4.
> swap s(j) & s(a) 'changes structure of the s-box.
> output char = s((s(a) + s(j)) mod 256)
> }
>
> I suspect there are many faults in this algorithm. I'd be glad to hear any
> suggestions on how this could be improved
>
Right, I've screwed that up. If I'm correct, this cipher has got a collision
probability of 1/256. Disregard this post.
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: My Stream Cipher. (newbie (prolly kiddie cipher))
Date: Sat, 8 Apr 2000 11:17:46 -0700
Here is a new, but probably very weak, stream cipher that I would like you
to put forward ideas on how to secure. I've designed this algorithm
based on my logic, warped though it is :). It has no mathematical foundation
whatsoever, so this cipher probably comes into the range of
kiddie ciphers. It's based on the ideas of RC4 but a lot shorter.
Okay, the first step: produce a 256-element array and fill it such that s(i)
= i.
Now we create the key schedule; we take the key and do a little simple
feedback routine on it.
Function keysetup (key as string) {
For i = 1 to len(key)
a=sqr((a+i) * (ascii representation of i'th character of key))
Next i
}
This section is not meant to be particularly secure, it's just meant to produce a
'collision-less' output. I've found that square roots are quite effective at
achieving this.
We then take this value and use it to produce our stream character.
Function stream {
i=((s(j) + a) mod 256)
j = (((s(i) - a) + 256) mod 256)
swap s(i) & s(j)
t = ((s(j) + s(i)) mod 256)
outputnum = s(t)
}
There we go, that's it.
If anyone can help me fix this cipher I would be very grateful,
Simon Johnson.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
Date: Sat, 08 Apr 2000 10:59:51 GMT
Mok-Kong Shen wrote:
>
> Bruce Schneier wrote:
> >
> > <[EMAIL PROTECTED]> wrote:
>
> > >3DES is currently yet strong enough. If that's too weak, we could
> > >use 5DES etc.
> >
> > Basically, I agree. It only makes sense to use AES for applications
> > where:
> >
> > the performance of triple-DES is just too slow
> >
> > the gate count of triple-DES is just too large
> >
> > the block size of triple-DES is just too small.
> >
> > Triple-DES is still the conservative choice.
> >
> > And forget about 5-DES. Triple-DES is fine for the forseeable future.
>
> I am virtually ignorant in hardware matters. But I wonder why
> pipelining is not applicable to 3DES, i.e. the 3 modules may be
> processing 3 consecutive blocks of information simultaneously.
> That way, there would be no time penalty, excepting the setup
> time of the pipe.
Just off the top of my head, you can't use CBC mode with that can you?
>
> >
> > >We could employ some trivial variants of DES that enable expansion
> > >of the effective key space (e.g. permutation of the subkeys or
> > >the S-boxes).
> >
> > No.
>
> Could you please elaborate a bit on that? (See my recent thread
> 'Variants of DES' of 3rd April which BTW refers also to your book.)
> Many thanks in advance.
Because most re-arrangements of the sboxes are linearly weak. I have a
paper on it [that I found off the web] if you like I could email it to
ya.
Tom
------------------------------
From: [EMAIL PROTECTED] (Turiyan "OG: original Gog" Gold)
Subject: Re: new Echelon article
Date: Sat, 08 Apr 2000 13:50:00 GMT
Crossposted-To:
alt.politics.org.cia,alt.politics.org.nsa,alt.journalism.print,alt.journalism.newspapers
On Mon, 03 Apr 2000 22:22:36 GMT, [EMAIL PROTECTED] wrote:
>
>Just a thought ...
>
>Has anyone noticed that while the CIA and NSA are busy laughing and
>claiming that the EU report on Echelon is full of it, they are
>lobbying like gangbusters in the press and behind the scenes to thwart
>the creation of an EU committee to investigate the allegations???
A few possibilities:
Echelon is actually a European spy agency intelligence project to snip
up the loose ends of the post-'66 breakup of the CIA through funding
cuts.
Kennedy was enacting what he called the "golden helmet"; one of the
projects was to shatter the CIA into a thousand bits. Which he
essentially did.
The "clean" money of official sanction was gone. Now all the "ops"
turned black, tainted with black money. Whatever official Yankee
Doodle Dandy party line justification for the "ops" that existed
previously is now essentially pushed aside by the priority of acquiring
black money for black ops.
It's like an Air America analogue. You don't really exist. But you do.
Your job is real, but it's fake. And you don't have a retirement plan.
So when you're given advance notice that the project is going south,
you set up your retirement "scam".
You use your existing knowledge of networks, connections and equipment
to set something up for yourself or sell said information, middleman
your connections and/or sell equipment.
The little bits still existed. But they were essentially disconnected
from the teat. The problem was, and still is, these indiscriminate
bits of blood and fur that was the dogma of the CIA is now on the
grill of the Mack truck with karma emblazoned on the side running
headlong into oblivion.
It's still got some gas in the tank and someone's trying to stop it.
Echelon sticks its nose, ear and finger up the butt of the whole slop
operations going on. And someone doesn't like it. These same people
will try to keep the International UN war crimes tribunal and organized
crime agency from materializing but it will all be in vain.
Those mafia robber networks are run by dimwitted thugs with
sophisticated technology. They hire investigators to watch their
members, their families, and investigate anyone that comes within
arm's length of them.
I knew of private investigators that bragged about having government
clearance. And using C class clearance to aid in their
investigative duties. They can access files that tell who's an FBI
agent or informant, etc.
They sell this info to mafia (wannabes?) and who knows who else. No
fear... Because there is no one that can police them (at least no one
they know of). There is no CIA to catch these crook spies. The FBI
admittedly are going against superior technology with some of these
mafia people. That's because they are being second-guessed.
Pull the plug on those networks, revoke all previous clearances, and/or
audit every inquiry in the last 30 years and run down leads. Oh,
and put a hushpuppy on that pistol. Make it look like suicide. Save
the taxpayers the money of a useless murder investigation.
>On Wed, 15 Mar 2000 00:19:02 GMT, [EMAIL PROTECTED] wrote:
>
>>
>>
>>http://www.wired.com/news/politics/
>>0,1283,34932,00.html
>>
>>
>>Sent via Deja.com http://www.deja.com/
>>Before you buy.
True Buddha School is pure Atheism.
Its goals are total anNIHILation,
the highest aim of all virtue.
This is Nirvana.
In the beginning only death is real.
Immortality means dying first.
"I'm not sure what part of me intimidates you."
Booya -- [EMAIL PROTECTED] -- ICQ: 23934701
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"When you stop believing in me, you will become me" -- Buddha
"Popular religion can be summed up as respect for
ecclesiastics." -- Spinoza
"One man rules better than several that come close to being one"
-- Thomas Aquinas
"There exist no class distinctions in education." -- Confucius, Analects Verse 22
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: My Stream Cipher. (newbie (prolly kiddie cipher))
Date: Sat, 08 Apr 2000 11:16:32 GMT
Simon Johnson wrote:
>
> Here is a new, but probably very weak, stream cipher that I would like you
> to put forward ideas on how to secure. I've designed this algorithm
> based on my logic, warped though it is :). It has no mathematical foundation
> whatsoever, so this cipher probably comes into the range of
> kiddie ciphers. It's based on the ideas of RC4 but a lot shorter.
>
> Okay, the first step: produce a 256-element array and fill it such that s(i)
> = i.
> Now we create the key schedule; we take the key and do a little simple
> feedback routine on it.
>
> Function keysetup (key as string) {
> For i = 1 to len(key)
> a=sqr((a+i) * (ascii representation of i'th character of key))
> Next i
> }
>
> This section is not meant to be particularly secure, it's just meant to produce a
> 'collision-less' output. I've found that square roots are quite effective at
> achieving this.
> We then take this value and use it to produce our stream character.
>
> Function stream {
> i=((s(j) + a) mod 256)
> j = (((s(i) - a) + 256) mod 256)
> swap s(i) & s(j)
> t = ((s(j) + s(i)) mod 256)
> outputnum = s(t)
> }
>
> There we go, that's it.
That's an RC4 clone, and a bad one at that. First off, the integer square
root is not a bijective function of the input, because for each
root 'c', 2c + 1 squares give the same result. For example the root of
9, 10, 11, 12, 13, 14 and 15 is 3. Second, the multiplication is bad
since only 1/4th of all the outputs will be odd anyway. So to say your
key schedule is 'collision-less' is premature. Also you get a single
variable out of the key schedule? Where is s() built?
If you want to make a stream cipher that's noteworthy, it either has to
have better properties than RC4, be smaller, be faster, be simpler
and/or be more secure. Otherwise I would revert to RC4.
Keep up the work :)
Tom
------------------------------
From: [EMAIL PROTECTED] (Svend Olaf Mikkelsen)
Subject: Re: Is AES necessary?
Date: Sat, 08 Apr 2000 11:31:46 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>> I am virtually ignorant in hardware matters. But I wonder why
>> pipelining is not applicable to 3DES, i.e. the 3 modules may be
>> processing 3 consecutive blocks of information simultaneously.
>> That way, there would be no time penalty, excepting the setup
>> time of the pipe.
>
>Just off the top of my head, you can't use CBC mode with that can you?
Decryption, yes.
Encryption, no.
--
Svend Olaf
------------------------------
Date: Sat, 08 Apr 2000 07:41:51 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
David Crick wrote:
> Mok-Kong Shen wrote:
> >
> > > Triple-DES is still the conservative choice.
> > >
> > > And forget about 5-DES. Triple-DES is fine for the forseeable future.
> >
> > I am virtually ignorant in hardware matters. But I wonder why
> > pipelining is not applicable to 3DES, i.e. the 3 modules may be
> > processing 3 consecutive blocks of information simultaneously.
> > That way, there would be no time penalty, excepting the setup
> > time of the pipe.
>
> 3DES used in this mode is susceptible to shortcut attacks that
> render it as only 2^56 strength (i.e. same as DES). 3DES used
> in the slower, (outer feedback mode I believe?) mode gives us
> the usual 168/112-bit strength.
>
> See Applied Cryptography and the paper referenced therein.
Are there any references for intermittent outer feedback? I.e., a feedback
mode wherein the feedback from block N is not used by block N+1, but by block
N+S where S is a skip factor. When S >= 3 pipelining 3DES would not stall due
to feedback dependency.
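Svend's distinction between CBC decryption and CBC encryption, and Trevor's skip-factor feedback, made concrete. This is an added example, not code from the thread. The block cipher is a toy 64-bit Feistel network built on SHA-256 that stands in for DES/3DES (it is not DES and carries no security claim), and `cbc_encrypt`/`cbc_decrypt` taking a list of S IVs are my own names for the "intermittent outer feedback" mode in which block N is chained to block N+S. With S independent chains there are always S block-cipher calls that do not wait on each other, so a 3-stage pipeline stalls only when S < 3. Decryption has no such constraint at any S, S = 1 included, because every block-cipher call takes a ciphertext block as its input and only the final XORs consult the chain.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy round function: 32 bits of SHA-256(key || round || half). Not DES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Balanced Feistel network: invertible whatever round_fn is."""
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, xor_bytes(left, round_fn(key, rnd, right))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = right, xor_bytes(left, round_fn(key, rnd, right))
    return right + left


def split_blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of %d-byte blocks" % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, ivs: list, plaintext: bytes) -> bytes:
    """Outer CBC with skip factor S = len(ivs): block n is chained to block
    n - S (or to ivs[n] for the first S blocks). S = 1 is ordinary CBC.
    The block-cipher call for block n cannot start until block n - S is
    done, so at most S calls are ever in flight."""
    s = len(ivs)
    feedback = list(ivs)  # one register per chain
    out = []
    for n, p in enumerate(split_blocks(plaintext)):
        c = toy_encrypt_block(key, xor_bytes(p, feedback[n % s]))
        feedback[n % s] = c
        out.append(c)
    return b"".join(out)


def cbc_decrypt(key: bytes, ivs: list, ciphertext: bytes) -> bytes:
    """Decryption of the same mode. All block-cipher calls are independent
    (each takes a ciphertext block), so they are done first, in any order
    or in parallel; the chain is only needed for the cheap XOR afterwards."""
    s = len(ivs)
    blocks = split_blocks(ciphertext)
    decrypted = [toy_decrypt_block(key, c) for c in blocks]  # no serial dependency
    feedback = list(ivs)
    out = []
    for n, (c, d) in enumerate(zip(blocks, decrypted)):
        out.append(xor_bytes(d, feedback[n % s]))
        feedback[n % s] = c
    return b"".join(out)


if __name__ == "__main__":
    key = b"toy key, not DES"                       # constructed demo key
    ivs = [bytes([i + 1]) * BLOCK for i in range(3)]  # three chains -> S = 3
    pt = bytes(range(64))                           # eight constructed blocks
    ct = cbc_encrypt(key, ivs, pt)
    print(ct.hex())
    assert cbc_decrypt(key, ivs, ct) == pt
```

The S chains are exactly S ordinary CBC streams over the blocks n ≡ i (mod S), so the mode inherits CBC's requirements: each of the S IVs must be unpredictable, and the ciphertext still needs separate integrity protection. This is the outer chaining Trevor asks about, wrapped around the whole triple encryption; it is distinct from inner CBC, where each of the three DES stages keeps its own feedback register.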
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: My Stream Cipher. (newbie (prolly kiddie cipher))
Date: Sat, 8 Apr 2000 12:39:57 -0700
Oooh, harsh,
But needed; I'm new to this cipher construction, and I would just like
to know how you came to these conclusions. If I'm to improve, I must know
how to detect faults as severe as these.
Perhaps the only way to improve this cipher is to start afresh........
Some day, I may reach your level of expertise. Until then, expect more
pants ciphers :)
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: My Stream Cipher. (newbie (prolly kiddie cipher))
Date: Sat, 08 Apr 2000 11:48:02 GMT
Simon Johnson wrote:
>
> Oooh, harsh,
> But needed; I'm new to this cipher construction, and I would just like
> to know how you came to these conclusions. If I'm to improve, I must know
> how to detect faults as severe as these.
Well, look at the function F(x, y) = x * y, [over Q]. What condition
exists for all even outputs? One input must be even. What condition
exists for all odd? BOTH have to be odd. So 1/4th of all outputs are
odd.
iSQRT(x) is generally not a good idea. Did you mean x^2 or x^1/2 by
SQR?
> Perhaps the only way to improve this cipher is to start afresh........
Or figure out why I said what I did.
> Some day, I may reach your level of expertise. Until then, expect more
> pants ciphers :)
My level of expertise? Ha, I am a newbie just like you. I just happen
to have been shot down [like you were] many times before.
Good luck,
Tom
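Tom's two objections (the integer square root is many-to-one; a product is odd only when both factors are odd) and his question about where s() gets keyed, each checked in code. This is an added example, not code from either poster, and the function names are mine. The last three functions are the RC4 key schedule, output generator and encryption as commonly described, checked against the widely published test vector for key "Key" and plaintext "Plaintext"; they show the step the posted cipher leaves out, namely the key driving 256 swaps of the identity table so that s becomes a key-dependent permutation rather than staying at s(i) = i.

```python
import math
from collections import Counter


def isqrt_preimages(limit: int) -> dict:
    """How many inputs in [0, limit) share each integer square root.
    Root c is hit by c*c .. (c+1)*(c+1) - 1, i.e. 2c + 1 inputs, so isqrt
    is never a bijection and collides more the larger the inputs get."""
    return dict(Counter(math.isqrt(x) for x in range(limit)))


def odd_product_fraction(modulus: int = 256) -> float:
    """Fraction of the products x*y, x and y over [0, modulus), that are odd.
    Odd needs both factors odd: 1/2 * 1/2 = 1/4, as Tom says."""
    odd = sum((x * y) & 1 for x in range(modulus) for y in range(modulus))
    return odd / (modulus * modulus)


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: the key selects 256 swaps of the identity table,
    which is how s becomes key-dependent."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s: list, n: int) -> bytes:
    """RC4 output generation (PRGA). Mutates s."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def is_permutation(s: list) -> bool:
    """True if s still contains every value 0..255 exactly once."""
    return sorted(s) == list(range(256))


if __name__ == "__main__":
    print("inputs per integer square root, x < 64:", isqrt_preimages(64))
    print("fraction of odd products mod 256:", odd_product_fraction())
    print("RC4('Key', 'Plaintext') =", rc4_crypt(b"Key", b"Plaintext").hex())
```

RC4 appears here only as the reference the posted design copies: its keystream has well-documented biases and it should not be used in new systems.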
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
Date: Sat, 08 Apr 2000 11:49:49 GMT
Svend Olaf Mikkelsen wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> >> I am virtually ignorant in hardware matters. But I wonder why
> >> pipelining is not applicable to 3DES, i.e. the 3 modules may be
> >> processing 3 consecutive blocks of information simultaneously.
> >> That way, there would be no time penalty, excepting the setup
> >> time of the pipe.
> >
> >Just off the top of my head, you can't use CBC mode with that can you?
>
> Decryption, yes.
> Encryption, no.
I would certainly view that as a weakness of pipelining 3DES then.
I don't understand what MK's original argument is. Serpent for example
is directly *based on* the analysis of previous ciphers, that's why it's
so secure. So what is wrong with AES?
The whole purpose of AES was to find a replacement for DES stronger
than 3DES, right? Then all the AES finalists are *already* better than
3DES?
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: [Q] Insecurity
Date: Sat, 08 Apr 2000 11:52:58 GMT
Mok-Kong Shen wrote:
>
> Joseph Ashwood wrote:
> >
> [snip]
> > for cryptography, but meets those criteria. Try putting it
> > through DIEHARD, it gives a good estimate to the randomness,
> > a cryptographically secure rng should have p-values
> > distributed across [0,1] almost equally.
>
> I suggest that one should at least apply the FIPS 140-1 tests.
Diehard has a few more tests than FIPS 140-1, and is normally a good
indicator when something is afoot. It's simple to get and easy to use.
BTW: Although the minimum you need for DH is about 11 MB, please pass
more than that. There are many times when I talk to people and they
don't use enough. Of course enough = mu, but that's not the point.
When I do my tests [on the hash-rng for example] I give it at least 50 MB
just to see what happens.
Tom
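The FIPS 140-1 statistical tests that Mok-Kong Shen suggests, implemented from the standard as an added example (not code from the thread; the function names are mine). They take exactly 20,000 bits and apply the monobit, poker, runs and long-run tests with the FIPS 140-1 thresholds (FIPS 140-2 later tightened them). As Tom's reply implies, passing is a cheap sanity screen that catches a dead or badly biased source, not evidence that a generator is cryptographically secure: a perfectly predictable sequence such as a hash of a counter passes them too, which is why DIEHARD on a large sample, and above all a look at the design, come next.

```python
import os

SAMPLE_BITS = 20000                      # the tests are defined on exactly this many bits
MONOBIT = (9654, 10346)                  # pass if 9654 < ones < 10346
POKER = (1.03, 57.4)                     # pass if 1.03 < X < 57.4
RUNS = [(2267, 2733), (1079, 1421), (502, 748),   # inclusive bounds, per bit value,
        (223, 402), (90, 223), (90, 223)]        # for run lengths 1..5 and 6+
LONG_RUN = 34                            # any run of 34 or more bits fails


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_test(bits):
    ones = sum(bits)
    return MONOBIT[0] < ones < MONOBIT[1], ones


def poker_test(bits):
    """Chi-square style statistic over the 5000 four-bit nibbles."""
    counts = [0] * 16
    for k in range(0, len(bits), 4):
        nibble = bits[k] << 3 | bits[k + 1] << 2 | bits[k + 2] << 1 | bits[k + 3]
        counts[nibble] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    return POKER[0] < x < POKER[1], x


def run_lengths(bits):
    """Count runs of 0s and of 1s by length (1..5, 6+) and find the longest run."""
    counts = {0: [0] * 6, 1: [0] * 6}
    longest = 0
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        counts[bits[i]][min(length, 6) - 1] += 1
        longest = max(longest, length)
        i = j
    return counts, longest


def runs_test(bits):
    counts, _ = run_lengths(bits)
    ok = all(lo <= counts[b][k] <= hi
             for b in (0, 1) for k, (lo, hi) in enumerate(RUNS))
    return ok, counts


def long_run_test(bits):
    _, longest = run_lengths(bits)
    return longest < LONG_RUN, longest


def fips140_1(data: bytes) -> dict:
    """Run all four tests on a 2,500-byte sample; returns {test name: passed}."""
    bits = to_bits(data)
    if len(bits) != SAMPLE_BITS:
        raise ValueError("FIPS 140-1 tests need exactly 20,000 bits (2,500 bytes)")
    return {"monobit": monobit_test(bits)[0],
            "poker": poker_test(bits)[0],
            "runs": runs_test(bits)[0],
            "long_run": long_run_test(bits)[0]}


if __name__ == "__main__":
    print("os.urandom:", fips140_1(os.urandom(2500)))   # a healthy source passes all four
    print("all zeros: ", fips140_1(bytes(2500)))        # a dead source fails all four
    print("0101...:   ", fips140_1(b"\x55" * 2500))     # balanced but patterned
```

The third call in the demo is the instructive one: an alternating 0101... stream has exactly 10,000 ones and no long run, so monobit and long-run pass, while the poker and runs tests catch the structure. Each test looks for a different failure, which is why all four are required.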
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: My Stream Cipher. (newbie (prolly kiddie cipher))
Date: Sat, 8 Apr 2000 13:06:34 -0700
What a failure.... :)
But if at first you do not succeed, try, try again.
But the prehash was wrong anyway.
It should be:
a=sqr(a*i*asc(mid(text,i,1)))
This prolly doesn't make a difference, but it doesn't make much difference I
suspect. I brute-forced this without collision over a small set, 2^16
permutations, without collision.
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: GSM A5/1 Encryption
Date: 8 Apr 2000 12:22:02 GMT
According to David A. Wagner <[EMAIL PROTECTED]>:
> That's only because A5 is not very good.
Actually, I think that A5/1 delivers an impressive security, considering
the ridiculously small amount of silicon needed to implement it. With
128 bits of internal state, it would still be fast and cheap, and
adequately secure too.
--Thomas Pornin
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Permutation Polynomials for sboxes?
Date: Sat, 08 Apr 2000 12:25:51 GMT
In a paper by R. Rivest on "Permutation Polynomials mod 2^w", he
discusses a way to create a function F(x) over Z(2^w) which is a
permutation of the set. I was wondering if [other than in RC6] this
could be used to create sboxes? I have just briefly tried 2^4 type
polynomials, like
F(x) = 3x + 2x^2 + 2x^3, gives me, (0, 7, 14, 1, 12, 11, 10, 5, 8, 15,
6, 9, 4, 3, 2, 13) as the output [I stepped for i=0 to 15].
F(x) = 3x + x^2 + x^3 + x^4 + x^5 gives me, the same (why?, hmm will
have to look into that)
F(x) = 3x + 3x^2 + x^3 + x^4 + x^5, gives me (0, 9, 10, 3, 12, 13, 6, 7,
8, 1, 2, 11, 4, 5, 14, 15)
Let's see...
3x + 2x^2 + 2x^3 = 3x + x^2 + x^3 + x^4 + x^5
x(3 + 2x + 2x^2) = x(3 + x + x^2 + x^3 + x^4)
x(3 + 2x + 2x^2) = x(3 + x(1 + x(x(1 + x))
...
Now I get stumped I can see the = x(3 + a + b) part on the right half
is what I have to solve... Maple factored it into (3 + 2x^2 + x^3 + x^4)
which is similar to my original left...)
Anyways...
In the above two outputs ((0, 9, 10, 3, 12, 13, 6, 7, 8, 1, 2, 11, 4, 5,
14, 15) for example) I can remove the identity F(0) = 0, by adding an
odd constant, however like x(2x + 1) in RC6 there is most likely fixed
points.
One nice property is that I can compute these sboxes on the fly and they
appear to have nice high avalanche...
Does the order (highest exponent) of the polynomial affect the
avalanche?
For anyone who has yet to read the paper, a permutation polynomial mod
2^w is any F() such that
F(x) = A[0] + A[1]x + A[2]x^2 + A[3]x^3 + A[4]x^4 ...
Where A[0] is odd [or omitted], A[1] is odd, (A[2] + A[4] + A[6] + ...)
is even and (A[3] + A[5] + A[7] + ...) is even. They are easy to
construct, probably can even be random [just test for the above
requirements].
Maybe replace the perm in RC6 with a high-order random permutation
polynomial?
Some ideas :)
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************