Cryptography-Digest Digest #656, Volume #11      Fri, 28 Apr 00 20:13:01 EDT

Contents:
  Re: factor large composite (Jeffrey Williams)
  Re: Requested: update on aes contest (Diet NSA)
  Vs: Requested: update on aes contest ("Helger Lipmaa")
  Re: combine hashfunctions ("Joseph Ashwood")
  Re: AEES 16 rounds ("Joseph Ashwood")
  Re: AEES 16 rounds ("Joseph Ashwood")
  Re: sci.crypt think will be AES? ([EMAIL PROTECTED])
  Re: combine hashfunctions (Tom St Denis)
  Re: The Illusion of Security (Tom St Denis)
  Re: A naive question (stanislav shalunov)
  Re: new Echelon article (Diet NSA)
  Re: U-571 movie (Richard Heathfield)
  Re: The Illusion of Security ("Joseph Ashwood")
  Re: The Illusion of Security (Tom St Denis)
  Re: combine hashfunctions ("Joseph Ashwood")
  Re: A naive question ("Joseph Ashwood")
  Re: Science Daily overstates significance? ("Joseph Ashwood")
  Re: A naive question ("Joseph Ashwood")
  Re: Another naive question ("Joseph Ashwood")
  Re: sci.crypt think will be AES? (Bryan Olson)
  - Bestcrypt and ATA-66 enabled m/b - Anyone get these working without conflicts/BSOD? (Drewjen)

----------------------------------------------------------------------------

From: Jeffrey Williams <[EMAIL PROTECTED]>
Subject: Re: factor large composite
Date: Fri, 28 Apr 2000 16:04:25 -0500

Tom,

you may well be correct.  However, I said nothing about 1024 bit RSA.  I
was replying to someone who was arguing that market economics would
make 768 bit RSA safe (too expensive to be worth breaking).

My point is simply that the govt will probably attempt to prepare for as
large a keysize as they can reasonably afford (read that as "as much
cash as they can squeeze out of taxpayers").  That being the case, it is
**possible** that they can break 768 bit RSA.

Since we all seem to be in agreement that, regardless of the depth of
their pockets, they cannot break 2048 bit RSA without either a breakthrough
in mathematics (or a flaw in the key selection), it would seem obvious that
we ought to use darn large keys.

LL&P

Tom St Denis wrote:

> Jeffrey Williams wrote:
> >
> > Your objection applies only to those for whom market economics apply
> > (ie:  you, me, business, etc).  It doesn't apply to government, which does
> > not aim to make a profit.  A government may feel the need to have a
> > large computer (say a Beowulf cluster, for example) to break codes for
> > national security.  That need may justify dropping <place insane quantity
> > of cash here> on such a computer.
> >
> > Therefore, if you wish to keep your information secret from governments,
> > etc, 768 bit RSA may be inadequate.
> >
> > Bottom line is that it really depends upon your adversary.
>
> And the reality of the situation.  Talk to Bob Silverman about the
> memory required on avg to hold the matrix for the nfs of a 1024 bit RSA
> style composite.  Then tell me it depends on your adversary.  I don't
> know a lot about the highest tech computers (this much is obvious) but
> looking at the quotes and papers on the nfs I doubt that it could be
> done at all right now.
>
> Tom
> --
> Want your academic website listed on a free websearch engine?  Then
> please check out http://24.42.86.123/search.html, it's entirely free
> and there are no advertisements.

--
Jeff Williams
Software Design Engineer
DNA Enterprise, Inc
1240 E Campbell Rd, Richardson, TX, 75081
972 671 1972 x265
[EMAIL PROTECTED]

Did you know that there is enough sand in
north Africa to cover the entire Sahara?



------------------------------

Subject: Re: Requested: update on aes contest
From: Diet NSA <[EMAIL PROTECTED]>
Date: Fri, 28 Apr 2000 14:05:00 -0700

In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>

>being feasible and useful.  There's likely to be a long, slow process
>of making them more and more feasible over time until they match the
>capabilities of conventional computers at least for some tasks -- at
>that point, they'll start to infiltrate the marketplace.


No one knows if it's likely that it will take a long time to make
quantum computers match the performance of their contemporary
conventional counterparts. If QCs only match the power of
conventional computers then they will not infiltrate the
marketplace if they cost significantly more. Even if the QCs do
offer advantages, the advantages may be for a specialized market.


>Given the current (limited) group of algorithms, at least at first they'll
>likely be restricted to specialized jobs (most likely database
>engines)


We don't know this because by the time the hardware of a large &
robust enough QC is achieved, QCs may be capable of performing a
wide variety of tasks (or algorithms).

>
>The end result of these is that changes in prices happen relatively
>gradually, NOT as massive leaps.


For a few years the price of DRAM, for example, dropped quite
dramatically.






" V hfdt afogx nfvw ufo axb (o)(o) "   - Gtnjv
====================================================
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: "Helger Lipmaa" <[EMAIL PROTECTED]>
Subject: Vs: Requested: update on aes contest
Date: Fri, 28 Apr 2000 21:07:51 +0300


Terry Ritter mailto:[EMAIL PROTECTED]:

> That's sort of a self-selecting population, don't you think?  Or do
> you suggest that the result is representative of knowledgeable crypto
> people everywhere?
>
> It sure doesn't represent my views.
>
> And voting is irrelevant in Science.

This self-selecting population is actually the only population (may be NSA
excluded) on this planet who knows ANYTHING about the cipher security.
I was not present this time, but looking at the results (for example, answer
to the question "which algorithms definitely SHOULD be selected for the
standard") I am not surprised at all: I know from personal experience that
most of the cryptographers and cryptanalysts really think that way.
Moreover, also I think that way.

Which probably doesn't matter much for non-specialists, since I am not Bruce
Schneier.

Helger Lipmaa
http://www.tcm.hut.fi/~helger




------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: combine hashfunctions
Date: Fri, 28 Apr 2000 14:06:43 -0700

> If h1 and h2 are unrelated then this is obviously true. For example
> SHA-1 || TIGER will give you a 160+192=352 bit hash, this composite hash
> function is believed to be collision resistant iff h1 and/or h2 is
> collision resistant.  The resistance (in this case) is equal to a 352-bit
> hash (i.e O(2^176) to find a collision) iff *both* hashes are collision
> resistant.

You have forgotten a VERY important additional statement, it
must be proven that h1 and h2 are unrelated in every way,
you stated it at the beginning but you then proceeded to
forget that statement when you gave particulars. There has
been no proven unrelation between SHA-1, TIGER, MD2, MD5,
RIPEM, etc. You also seem to have forgotten that iff they
are completely unrelated, only one has to be resistant, so
it would make more sense to use a simple checksum as the
second portion (assuming it is unrelated to the other hash),
simply because of the speed. On my personal machine I get
SHA-1 speeds of around 16 MB/sec if I remember correctly,
but 32-bit checksumming I get a little over a gigabyte a
second, speeding up the entire process.
                Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: AEES 16 rounds
Date: Fri, 28 Apr 2000 14:16:48 -0700

> You are right. My explanations are not clear enough.
> If I show multiplication table in the form
I understood your form, my problem is with the following
>   |  1  2  3  4
> ------------------
> 1 |  1  2  3  4
> 2 |  2  3  4  1
> 3 |  3  4  1  2
> 4 |  4  1  2  3
Where in multiplication tables as they were taught to me,
and I assume many other people throughout the US, should
look like
  |  1  2  3  4
==================
1 |  1  2  3  4
2 |  2  4  6  8
3 |  3  6  9  12
4 |  4  8  12  16

It's simply a matter of terminology.

> I found out that for each group we need only a 256 byte string.

I think your groups can be lowered below that, gimme some
time, I'll see what I can come up with.

> The corresponding law of composition is defined in the algorithm
> description.
>
> #The function that you used to define your so-called
> #multiplication tables
>
> Ok. It is not hard to generate a multiplication table of
> order 256 like the one of order 4 above. Then I apply the
> sub-key, interpreting it as an automorphism, to get the multiplication
> table which is used as the S-box.

The problem was that in the paper that I grabbed I didn't
see a definition of the function. I think I now understand
it, if I'm right the 5th one should look something like
12345
23454
34543
45432
54321

>
> #On what grounds do you even consider laughing? Last I
> #checked it was basically the best of the best as finalists.
>
> You are right. I do not have any grounds.
Neither do I, I'm actually spending as much time as possible
trying to find even the slightest flaw in any of them and
coming up with basically nothing so far.
                Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: AEES 16 rounds
Date: Fri, 28 Apr 2000 14:17:26 -0700

_asm {   } is what you are looking for, it marks the
internals to the {} as assembly.
                Joe

<[EMAIL PROTECTED]> wrote in message
news:8ebjj8$8gd$[EMAIL PROTECTED]...
> Manuel,
>
> Thank you very much for your kind reply.
>
> It should be taken into account that the former AEES 256-bit
> implementation consists of only one round.
>
> The last one is a 16-round implementation. So one-round performance
> is a bit better compared to the former implementation.
>
> It would be no problem for me to implement this algorithm as a sample
> application using MS Visual C++. But I can't do this without Assembler.
> Assembler is my native language and I know a lot of hooks which
> improve performance.
>
> Best regards.
> Alex.
>
> In article <[EMAIL PROTECTED]>,
>   Runu Knips <[EMAIL PROTECTED]> wrote:
> > Manuel Pancorbo wrote:
> > > <[EMAIL PROTECTED]> wrote in the news message
> > > 8e6lle$p3n$[EMAIL PROTECTED]
> > > > Performance with my IP II, 267 MHz, 128 MB is 101 KB/sec.
> > > A bit slow, isn't it?
> >
> > But the last time he posted here it was only 64 KB/sec.
> > So he improved the speed by more than 50% in such a
> > short time. Cool :)
> >
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: sci.crypt think will be AES?
Date: Fri, 28 Apr 2000 21:25:32 GMT

Vernon Schryver <[EMAIL PROTECTED]> wrote:
> yeah, confirmed by the same experts who determined that
> http://patent.womplex.ibm.com/details?&pn=US05446889__ and
> http://www.patents.ibm.com/details?&pn=US06025810__&s_all=1#23
> are new and unique.  6025810 looks like a somewhat but not entirely
> new or unique to me idea, but I can't see how anyone skilled in the art
> might think 5446889 is new or unique.

It's even worse than those two examples in the current patent
office. In addition to the infamous prime number patent, and some
patents on actual objects instead of ideas, in the IBM gallery alone
there are:

US05443036 - Method of Exercising a Cat (Apparently, having your cat
chase a beam of light was a new and revolutionary discovery when
proposed in the early 1990s)

US04457509 - Levitationarium for Air Floatation of Humans (Which was
apparently more revolutionary than the existing commercially sold
devices that did the same thing)

US03900991 - Ventriloquist Doll (From 1973, this _may_ be the original
idea, but I somehow doubt it)

US05535702 - Aquarian sea current generator (Arguably based on the
_numerous_ patents for air powered wave generators going back years
before)

In any case, the patent office has issued its share of highly dubious
patents in the past. It's not entirely their fault either, given the
flood of totally inane patent applications. (Various shapes for hats,
a cigarette lighter in the handle of an ice cream scoop, and the Santa
Claus Detector spring to mind.)

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: combine hashfunctions
Date: Fri, 28 Apr 2000 22:03:08 GMT



Joseph Ashwood wrote:
> 
> > If h1 and h2 are unrelated then this is obviously true. For example
> > SHA-1 || TIGER will give you a 160+192=352 bit hash, this composite hash
> > function is believed to be collision resistant iff h1 and/or h2 is
> > collision resistant.  The resistance (in this case) is equal to a 352-bit
> > hash (i.e O(2^176) to find a collision) iff *both* hashes are collision
> > resistant.
> 
> You have forgotten a VERY important additional statement, it
> must be proven that h1 and h2 are unrelated in every way,
> you stated it at the beginning but you then proceeded to
> forget that statement when you gave particulars. There has
> been no proven unrelation between SHA-1, TIGER, MD2, MD5,
> RIPEM, etc. You also seem to have forgotten that iff they
> are completely unrelated, only one has to be resistant, so
> it would make more sense to use a simple checksum as the
> second portion (assuming it is unrelated to the other hash),
> simply because of the speed. On my personal machine I get
> SHA-1 speeds of around 16 MB/sec if I remember correctly,
> but 32-bit checksumming I get a little over a gigabyte a
> second, speeding up the entire process.
>                 Joe

No because if one of the hashes is easy to break then the complexity of
the system is closest to the stronger algorithm.  If it takes 2^16 work
to break the 32-bit crc and 2^80 work to break SHA-1 (random birthday
thingy) then the entire complexity is 2^96 at the most only.  That's
assuming it takes 2^16 steps to break a CRC-32.

If on the other hand I used TIGER+SHA-1 then I get at the most 2^92 *
2^80 = 2^172 complexity of an attack.

And I assume they are unrelated since they don't even use similar design
structures in their construction.

Tom
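The h1 || h2 construction the two of them are arguing about, as an added example (not code from either poster): a composite digest over the same input, plus a plain birthday search on deliberately truncated components, which shows that a generic collision on the concatenation costs about 2^((n1+n2)/2) trials, the reasoning behind the 2^176 figure quoted above. Python's hashlib has no TIGER, so SHA-1 || SHA-256 stands in for the full-size composite, and the truncated experiment pairs a few bits of SHA-1 with a few bits of CRC-32 (Joe's "simple checksum"); the messages searched are constructed counter strings.

```python
"""Concatenated hash h1(m) || h2(m): added example, not code from any poster.

hashlib has no TIGER, so the full-size composite uses SHA-1 || SHA-256 as a
stand-in.  The birthday experiment uses deliberately truncated components
(a few bits of SHA-1 and of CRC-32) so that a collision on the composite can
be found in seconds; the messages are constructed counter strings.
"""
import hashlib
import zlib
from typing import Optional, Tuple


def composite_hash(data: bytes) -> bytes:
    """h1 || h2 over the same input: 160 + 256 = 416 bits of output."""
    return hashlib.sha1(data).digest() + hashlib.sha256(data).digest()


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1, standing in for a strong component."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def truncated_crc32(data: bytes, bits: int) -> int:
    """Top `bits` bits of CRC-32, standing in for the cheap checksum."""
    return zlib.crc32(data) >> (32 - bits)


def composite_tag(data: bytes, h1_bits: int, h2_bits: int) -> Tuple[int, int]:
    """Truncated h1 || h2, kept as a pair so both parts stay visible."""
    return truncated_sha1(data, h1_bits), truncated_crc32(data, h2_bits)


def birthday_collision(h1_bits: int, h2_bits: int,
                       limit: int = 1 << 22) -> Optional[Tuple[bytes, bytes, int]]:
    """Generic birthday search for m1 != m2 with equal composite tags.

    Returns (m1, m2, trials) or None if `limit` messages were hashed without
    a collision.  A collision on h1 || h2 is a simultaneous collision on both
    components, so the expected cost is about sqrt(pi/2 * 2^(h1_bits + h2_bits))
    trials: against this generic attack the composite behaves like a
    (h1_bits + h2_bits)-bit hash.
    """
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i                      # constructed input
        tag = composite_tag(m, h1_bits, h2_bits)
        if tag in seen:
            return seen[tag], m, i + 1
        seen[tag] = m
    return None


def is_composite_collision(m1: bytes, m2: bytes, h1_bits: int, h2_bits: int) -> bool:
    """True iff m1 != m2 and both truncated components agree."""
    return m1 != m2 and composite_tag(m1, h1_bits, h2_bits) == composite_tag(m2, h1_bits, h2_bits)


if __name__ == "__main__":
    result = birthday_collision(16, 16)        # 32-bit composite, ~2^16 trials
    print(result)
```

`birthday_collision(16, 16)` finishes after on the order of 2^16 hashes; doubling either component's width roughly multiplies the count by 2^(added bits / 2). That is the generic bound only: it is the most an attacker needs, not the least. A linear checksum such as CRC-32 can be steered to any value by adjusting a few bytes of the message, so the second component adds less than its width suggests unless it is a real hash, which is the objection to the checksum idea that the example does not model.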

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Fri, 28 Apr 2000 22:06:14 GMT



Joseph Ashwood wrote:
> 
> > I doubt they restricted the keysize to protect the citizens.
> Actually that seems to have been at least a side effect of
> what they did. They reduced the key size to match the level
> of security. What is it about this that you don't
> understand?
>                 Joe

Hmm, it is possible to increase the keyspace in normal DES, like using
independent round keys.  Although diff/linear attacks will still work,
they require far too many pairs to make it work.  So you can easily
increase the keyspace to 768 bits by using independent round keys, or to
a reasonable size and just expand the round keys.

Just like Blowfish can trivially be broken with 3 x 2^51 plaintexts (I
think this is the attack, or just the recognition?); however you don't
see that happening too many times either.

Tom

------------------------------

Subject: Re: A naive question
From: stanislav shalunov <[EMAIL PROTECTED]>
Date: Fri, 28 Apr 2000 22:24:45 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> writes:

> If one has, say 56 bits of truly random bits, one can use that as an
> OTP to encrypt 56 bits of message and obtain superior protection. If
> one use that instead as a key to an encryption algorithm, say a very
> good block cipher, to encrypt n*56 bits of message, an intuitive
> feeling is that the protection would quickly get worse as n
> increases.

Actually, theoretical security in the theory of information sense will
decrease very sharply:  You encrypt the second block with the same key,
you're out.  All the attacker has to do is consider all possible keys,
and try to decrypt these two blocks (chaining mode doesn't matter).
If that produces a meaningful message, bingo:  With high probability
this is the key.

The whole point of things like block ciphers is to make this
computationally infeasible for the attacker.

-- 
stanislav shalunov                              | Speaking only for myself.
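The exhaustive search Stanislav describes, run against one ciphertext block and then against several, as an added example (not the poster's code). A deliberately tiny block cipher with a 16-bit key stands in for "a very good block cipher" so the whole key space can be searched in about a second, and "meaningful message" is taken to mean that every decrypted byte is printable ASCII. With a single block the true key hides among a couple of dozen other keys that also happen to decrypt to printable text; a second and third block under the same key leave only the true key. The cipher, key and plaintext are constructed for the demonstration and have no security value.

```python
"""Exhaustive key search over one vs. several ciphertext blocks.

Added example, not the poster's code.  A deliberately tiny block cipher
(8-byte block, 16-bit key, 4-round Feistel with a SHA-256 round function)
stands in for "a very good block cipher" so the whole key space can be
searched in about a second.  "Meaningful" means every decrypted byte is
printable ASCII.  Cipher, key and plaintext are constructed for the
demonstration; nothing here is secure.
"""
import hashlib
from typing import List, Tuple

BLOCK = 8      # bytes
ROUNDS = 4
KEY_BITS = 16


def _f(key: int, rnd: int, half: bytes) -> bytes:
    """Round function: 4 bytes of SHA-256(key || round || half)."""
    msg = key.to_bytes(2, "big") + bytes([rnd]) + half
    return hashlib.sha256(msg).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: int, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left                 # final swap


def decrypt_block(key: int, block: bytes) -> bytes:
    right, left = block[:4], block[4:]  # undo the final swap
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def meaningful(plain: bytes) -> bool:
    """The attacker's plausibility test: all bytes printable ASCII."""
    return all(0x20 <= b < 0x7F for b in plain)


def candidate_keys(blocks: List[bytes]) -> List[int]:
    """Keys under which *every* given block decrypts to meaningful text.

    ECB is used so the blocks are independent; under a chaining mode the
    attacker simply undoes the chaining with the known IV/previous block,
    so the count of surviving keys is the same.
    """
    found = []
    for key in range(1 << KEY_BITS):
        if all(meaningful(decrypt_block(key, c)) for c in blocks):
            found.append(key)
    return found


def demo(key: int = 0xBEEF) -> Tuple[int, List[int], List[int]]:
    """Return (true key, candidates from 1 block, candidates from 3 blocks)."""
    plaintext = b"attack at dawn; meet at "          # 3 blocks, constructed
    cts = [encrypt_block(key, plaintext[i:i + BLOCK])
           for i in range(0, len(plaintext), BLOCK)]
    return key, candidate_keys(cts[:1]), candidate_keys(cts)


if __name__ == "__main__":
    k, one, three = demo()
    print(f"true key {k:#06x}: {len(one)} candidates from one block, "
          f"{len(three)} from three blocks")
```

The false-positive rate per wrong key is roughly (95/256)^8 per block, so each extra block under the same key divides the surviving wrong keys by about 2800; that is the "very sharply" in the post, and the only thing standing between the attacker and the key is the 2^k cost of the loop.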

------------------------------

Subject: Re: new Echelon article
From: Diet NSA <[EMAIL PROTECTED]>
Date: Fri, 28 Apr 2000 16:13:52 -0700


In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:

>In actuality, most development of computing, communication
>satellites, and networks occurred in the commercial sector.


True, but the U.S. Gov't happens to be the world's largest spending
organization. This spending plays a vital role in the world economy & is
related to economists' realization that having a non-zero federal deficit
is a useful tool for managing fiscal & monetary policy.

Companies, universities, etc. receive federal funding which can go into new
research, helping to create new industry & jobs and thus, later, new
sources to collect taxes from. I am not advocating keeping the size of the
Gov't too large because it is already inefficient in many areas (especially
in adapting IT compared to the private sector). Since WWII, at least, most
of the U.S.'s economic expansion has been driven domestically, mainly
through increases in efficiency. During this period, the source of most of
these efficiency increases has been IT, so it is important for the Gov't to
get on the ball.


>While there was some development in these areas using
>government funding, much of it didn't reach the public.


However, some of this development or derivatives of it may reach the public
later (like what happened with GPS).


>You of course are also thinking of the ARPAnet, which
>was indeed a valuable resource, but networking was
>evolving anyway, and who is to say that the Internet
>wouldn't have been better if it had evolved from a
>different source?


This speculation doesn't matter because we cannot know otherwise than what
actually did happen.


>I'm not knocking the worthwhile research that was funded
>by the government, just the idea that it would not have
>been at least as good if the only source of financing
>had been private.


Much of the research might *not* have been as good, scientifically
speaking, because of, say, ulterior motives (such as the desire for
profits) which exist in the private sector.


>In fact I *work* at a research lab
>that is owned by the government, but much of what we do
>is geared toward specifically governmental applications
>that the "private sector" would not normally choose to
>develop on its own.
>
>
Exactly! This is an example of why we need the government to fund
potentially beneficial work for society that the private sector has little
incentive or ability to fund. In a particular economy, profit margins for
producing certain types of goods & services can be very low. It is a myth
that government *always* does things more inefficiently.


" V hfdt afogx nfvw ufo axb (o)(o) "   - Gtnjv
====================================================


------------------------------

Date: Sat, 29 Apr 2000 00:17:01 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: U-571 movie

UBCHI2 wrote:
> 
> Would you?  Is it easier to win if you tell of your plans in advance?

"When you have to kill a man, it costs nothing to be polite." -
Churchill.


-- 

Richard Heathfield

"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.

C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
34 K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html (63 to go)

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Fri, 28 Apr 2000 16:17:48 -0700

The NSA examined the design for the cipher that was to be
DES. They suggested new S-boxes, and suggested reducing the
keyspace to 56 bits. To my knowledge they made no other
recommendations. The round keys are quite independent, the
s-boxes are protected against differential analysis. The
decision was based on the fact that the underlying algorithm
could offer no more than 56 bits of security. I repeat, what
about this don't you understand? It wouldn't have mattered
if a 768 bit key was used, the security still would have
only been 56 bits. The key space reduction to 56 bits was
the smart decision, it was the recommendation, and it gave
the public some easily seen value for the security that was
approximately correct.
            Joe



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Fri, 28 Apr 2000 23:34:19 GMT



Joseph Ashwood wrote:
> 
> The NSA examined the design for the cipher that was to be
> DES. They suggested new S-boxes, and suggested reducing the
> keyspace to 56 bits. To my knowledge they made no other
> recommendations. The round keys are quite independent, the
> s-boxes are protected against differential analysis. The
> decision was based on the fact that the underlying algorithm
> could offer no more than 56 bits of security. I repeat, what
> about this don't you understand? It wouldn't have mattered
> if a 768 bit key was used, the security still would have
> only been 56 bits. The key space reduction to 56 bits was
> the smart decision, it was the recommendation, and it gave
> the public some easily seen value for the security that was
> approximately correct.
>             Joe

What facts are you basing this on?  The "56-bit security" is taken from
the small key.  The only known attacks (linear and diff cryptanalysis)
are not practical, which means independent keys can get you up to (*) 768
bits of practical security.  Maybe some others should comment on this,
and I suggest you read "Differential Cryptanalysis of DES-Like Systems"
by Eli Biham (&) which covers this in detail.

Tom
(*) There are of course mitm attacks as well, but are not practical
either.
(&) Available off my crypto website at http://24.42.86.123/crypto/

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: combine hashfunctions
Date: Fri, 28 Apr 2000 16:25:43 -0700

> And I assume they are unrelated since they don't even use similar design
> structures in their construction.
That is a first-impression relation only. The value of pi
and the infinite sum that approximates it have very
different design, very different appearances, very different
discoverers, etc., but they are nonetheless equivalent for
all intents and purposes.
                Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: A naive question
Date: Fri, 28 Apr 2000 16:30:23 -0700

Right, the lower bound of the security is of course 0. That
was the logic behind my stating that a perfect cipher must
be used, although I probably should have been more detailed
on what a perfect cipher is. To me it is one where any
method of attack requires at least as much effort as brute
force, that includes relationships between blocks encrypted
with the same key, and I'm sure there are other inherent
assumptions that I'm making that just don't come to mind
right now.
                    Joe

"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Joseph Ashwood wrote:
> > Ok, so an absolute max is of course, the brute forcing of
> > one block.
> > However to attack the entire system will take ~g * 2^k/g
> > attempts for full brute force
> > So it must offer strength of 2^k
>
> You mean, that's an upper bound on the "strength".
> Obviously, a 64-bit-block cipher with a 56-bit key
> could be devised that requires much less computation
> to crack.  Indeed, the key might be recovered (with
> high likelihood) for a very small number of blocks,
> so this whole slowly-degrading-function-of-number-
> of-blocks argument is spurious.



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Science Daily overstates significance?
Date: Fri, 28 Apr 2000 16:45:05 -0700

It's really a debatable topic. The short answer, and the
answer that I give in regards to this quite a bit, is:
The security of Quantum Cryptography relies on the proof of
the One Time Pad.
The One Time Pad proof relies on a true random number
generator.
The existence of a true random number generator has never
been proven; it has actually been proven that you cannot
prove its existence.

However, the likelihood of a Quantum Encryption protected
message being broken is most likely extremely slim. This
however does not take into account the fact that it may be
possible to force the state some other way. If for example
I, as an attacker, could force your protons to follow my
protons, I would have your pad. If I could force your
protons to follow a random number generator of any kind that
I have in my possession, I will have broken your encryption.

In short, even though many people would feel confident in
trusting the security of Quantum Encryption, if it is a life
threatening secret (of perhaps military import), I would
still hedge my bets by using more crypto inside the secured
container.
                Joe


"William Rowden" <[EMAIL PROTECTED]> wrote in message
news:8ech27$uut$[EMAIL PROTECTED]...
> My interest in cryptography led to a friend sending me this link:
>
> http://www.sciencedaily.com/releases/2000/04/000427105148.htm
>
> The article ("You'd Have To Break The Laws Of Physics To Break This
> Code") seems a bit overstated, as it suggests quantum entanglement is
> a step toward creating secret "codes" that are "absolutely
> unbreakable."  I would appreciate a review by one of the sci.crypt
> regulars, who know far more about this topic than I.
>
> As far as I understand it, this technique, if implemented, could
> permit secure session key distribution without public-key
> methods--methods which *may* eventually succumb to computational
> power.  (Am I right in thinking that not all public-key methods are
> easily parallelizable, and consequently vulnerable to quantum
> computing?)
> --
>     -William
> PGP key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2000-08-01
> Fingerprint: FB4B E2CD 25AF 95E5 ADBB  DA28 379D 47DB 599E 0B1A



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: A naive question
Date: Fri, 28 Apr 2000 16:34:40 -0700

> If you have 56 random bits that the enemy (I'll use this term for those
> who would want to crack the message) does not have, i.e. an OTP, and you
> use this to encrypt 56 bits of data, the cipher is unbreakable.  With no
> exceptions.
There are always exceptions. It is possible to construct a
cipher in such a way that even with only one block,
encrypted with 56 bits of key, it is possible to reverse the
encryption in significantly faster than brute force. Just
one example, take the plaintext block ("abcdefg"), append a
copy of the plaintext block (abcdefgabcdefg), XOR the first
half of the block with the key, reverse the key, xor the
second half of the block with the reversed key. I'm sure I
can come up with worse if I really try.
                Joe
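Joe's degenerate one-block cipher, attacked ciphertext-only, as an added example (not the poster's code). "Reverse the key" is taken here to mean reversing the key's bit string, and the block and key widths are parameters so the search runs in well under a second; with Joe's 56-bit key the same attack leaves 2^28 candidates to try instead of 2^56. The key and plaintext in the demo are constructed.

```python
"""Ciphertext-only key recovery against the degenerate cipher Joe sketches:
C = (P xor K) || (P xor rev(K)).  Added example, not the poster's code.
"rev" is taken to mean reversing the key's bit string, and the width is a
parameter (nbits must be even); the key and plaintext below are constructed.
"""
from typing import Callable, Iterator, List, Tuple


def reverse_bits(x: int, nbits: int) -> int:
    return int(format(x, f"0{nbits}b")[::-1], 2)


def encrypt(plain: int, key: int, nbits: int) -> Tuple[int, int]:
    """Two halves of the ciphertext for an nbits-wide plaintext and key."""
    return plain ^ key, plain ^ reverse_bits(key, nbits)


def key_candidates(c1: int, c2: int, nbits: int) -> Iterator[int]:
    """The plaintext cancels in c1 ^ c2 == K ^ rev(K), which fixes every
    bit pair (k_i, k_{n-1-i}) up to its XOR.  Only the top half of the
    key is free, so exactly 2^(nbits/2) keys are consistent with the
    ciphertext, instead of the 2^nbits that brute force would try."""
    leak = c1 ^ c2
    half = nbits // 2
    for top in range(1 << half):
        key = top << half                   # guessed high half
        for i in range(half):               # derive the low half from the leak
            high_bit = (key >> (nbits - 1 - i)) & 1
            key |= (high_bit ^ ((leak >> i) & 1)) << i
        yield key


def recover(c1: int, c2: int, nbits: int,
            plausible: Callable[[int], bool]) -> List[int]:
    """Candidates whose implied plaintext P = c1 ^ K passes `plausible`."""
    return [k for k in key_candidates(c1, c2, nbits) if plausible(c1 ^ k)]


def printable(p: int, nbits: int) -> bool:
    """Plausibility test used in the demo: every plaintext byte is ASCII text."""
    return all(0x20 <= b < 0x7F for b in p.to_bytes(nbits // 8, "big"))


if __name__ == "__main__":
    nbits, key = 32, 0xDEADBEEF
    c1, c2 = encrypt(int.from_bytes(b"abcd", "big"), key, nbits)
    hits = recover(c1, c2, nbits, lambda p: printable(p, nbits))
    print(f"{len(hits)} of {1 << (nbits // 2)} candidates look like text; "
          f"true key present: {key in hits}")
```

The leak does not depend on the plaintext at all, so the halving of the key's effective length is a property of the cipher, not of the message; a plausibility test on the remaining candidates then does the rest.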



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Another naive question
Date: Fri, 28 Apr 2000 16:47:52 -0700

In general I'm inclined to say that the difficulty will be
the same, but if E is chosen properly, the difficulty should
increase. Honestly, in terms of analysis difficulty this is
equivalent to multiple encryption, which is a double-edged
sword.
                Joe

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Suppose one has a block cipher and two plaintexts of equal length
> with
>
>       C1 = E(P1)
>
>       C2 = E(P2)
>
> Let
>
>       C3 = C1 xor P2
>
> Assuming that the opponent has no knowledge of P1, is C3 easier
> or more difficult to analyze than C2 in general? Thanks.
>
> M. K. Shen
>



------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: sci.crypt think will be AES?
Date: Fri, 28 Apr 2000 23:45:29 GMT

Terry Ritter wrote:
>  The distinction would seem obvious.

Yes, I thought it was obvious.  I'll be sure and
append the smiley next time.

--Bryan
--
email: bolson at certicom dot com



------------------------------

From: [EMAIL PROTECTED] (Drewjen)
Subject: - Bestcrypt and ATA-66 enabled m/b - Anyone get these working without conflicts/BSOD?
Date: 29 Apr 2000 00:03:05 GMT

I was wondering if anyone has been able to get BestCrypt encryption software 
(http://www.jetico.sci.fi/) running on an ATA-66 enabled board.  On every 
Win98/ATA-66 enabled board I've tried, I get "Blue Screens Of Death" (BSOD).  BC 
says a "hook" has mistakenly been placed within the system which prevents it 
from creating V-drives, or something to that effect.  It says it thinks "Magic 
Folders" is responsible, but I have no idea what that is and I'm sure it's not 
installed on any of the cleanly installed Win98 setups I've done.  Perhaps 
someone can recommend some strong encryption software that runs on Win98/ATA-66 
enabled boards?  BC uses Blowfish in cipher block chaining mode, GOST28147-89 
in cipher feedback mode and DES in cipher block chaining mode.  I'd like 
something at least as strong with a fast and easy interface.  TIA

Regards,

drewjen

Please forgive me if this post is not quite on topic.  It's likely you'll never 
see another OT post from me, so perhaps you can tolerate it this once.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
