Cryptography-Digest Digest #846, Volume #11      Tue, 23 May 00 21:13:01 EDT

Contents:
  Observation of Matsui's Modified-Feistel (tomstd)
  Re: ZKPs in practice? (Helger Lipmaa)
  Science art and music combine... Spiral X. 4 free MP3s up now... ([EMAIL PROTECTED])
  Re: Final Comments from Twofish Team (Helger Lipmaa)
  Re: Retail distributors of DES chips? (zapzing)
  Re: Patent busting for AES usage (zapzing)
  Re: Retail distributors of DES chips? (tomstd)
  Re: pentium timings (tomstd)
  Re: Patent busting for AES usage (Sundial Services)
  Re: Crypto patentability ("Paul Pires")
  Re: pentium timings (tomstd)
  Re: Yet another block cipher: Storin ("Brian McKeever")
  Re: Patent busting for AES usage (tomstd)
  Re: Patent busting for AES usage ("Paul Pires")
  Re: Retail distributors of DES chips? (Paul Rubin)

----------------------------------------------------------------------------

Subject: Observation of Matsui's Modified-Feistel
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 23 May 2000 16:03:21 -0700

In his paper Matsui also discusses a modified Feistel where each
F function is used in parallel.  Presumably to get higher
speeds in hardware.  However for the same number of 'rounds' as
a pure balanced Feistel, his structure fails to meet the same
level of Avalanche.

Which makes me think you need twice as many rounds with his
modified structure (since one half of the plaintext takes 2
rounds to affect the other half).

Any ideas?  Maybe I misunderstood it...

Tom

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: ZKPs in practice?
Date: Wed, 24 May 2000 01:09:51 +0300

"David A. Wagner" wrote:

> In article <8g43a3$sd4$[EMAIL PROTECTED]>,
> David A Molnar  <[EMAIL PROTECTED]> wrote:
> > The recent question on "an introduction to zero-knowledge proofs"
> > had me thinking : where have zero-knowledge proofs been implemented
> > in the real world?
>
> I believe Schnorr signatures have their roots in an efficient
> zero-knowledge proof of identity.  (Fiat-Shamir signatures, too.)
> But I might have the details wrong -- it may be some notion related
> to zero-knowledge, and not strictly speaking zero-knowledge, so don't
> trust me here.

Three-move identification protocols usually provide (or at least want to
provide) something called witness hiding. In principle it is a weaker
notion than zero-knowledge, since _some_ knowledge could be leaked
through them; however no _useful_ properties about the witness (secret)
are leaked. Although you could get to know something about it you
wouldn't be able to compute by yourself.

The problem is that general zero-knowledge proofs for non-trivial
languages require at least 4 steps and quite a big computational
overhead...

Helger Lipmaa
http://www.tcm.hut.fi/~helger
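
An added illustration of the three-move identification protocol discussed above (Schnorr's, as David Wagner mentions); this is written here, not taken from any poster. It runs both parties' messages and the verifier's check, then builds an accepting transcript without the secret, which is exactly why the three-move form is zero-knowledge only against an honest verifier. The toy group size and the choice of generator are assumptions made for a runnable demo.

```python
import secrets


def _is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy 32-bit group below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def make_group(bits: int = 31):
    """Return (p, q, g): a safe prime p = 2q + 1 and g of prime order q.
    The size is a toy chosen here for speed; real use needs >= 2048-bit p."""
    q = (1 << bits) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4  # a quadratic residue other than 1 generates the order-q subgroup
    return p, q, g


def keygen(p, q, g):
    """Prover's witness x and public value y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


# Move 1: prover commits to a fresh random r and sends t = g^r.
def prover_commit(p, q, g):
    r = secrets.randbelow(q - 1) + 1
    return r, pow(g, r, p)


# Move 2: verifier sends a random challenge c.
def verifier_challenge(q):
    return secrets.randbelow(q)


# Move 3: prover answers s = r + c*x mod q; the fresh r masks x.
def prover_respond(r, x, c, q):
    return (r + c * x) % q


def verify(p, q, g, y, t, c, s) -> bool:
    """Accept iff g^s == t * y^c (mod p)."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def run_identification(p, q, g, x, y) -> bool:
    """The full three-move exchange between an honest prover and verifier."""
    r, t = prover_commit(p, q, g)
    c = verifier_challenge(q)
    s = prover_respond(r, x, c, q)
    return verify(p, q, g, y, t, c, s)


def simulate(p, q, g, y):
    """Build an accepting (t, c, s) WITHOUT knowing x: pick c and s first and
    solve t = g^s * y^(-c).  This only models a verifier whose c does not
    depend on t, i.e. an honest one; a verifier that derives c from t is not
    covered, which is why the protocol is honest-verifier ZK (witness hiding
    in the sense above) rather than zero-knowledge against every verifier."""
    c = secrets.randbelow(q)
    s = secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, q - c, p)) % p  # y^(q-c) == y^(-c), ord(y) = q
    return t, c, s
```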


------------------------------

From: [EMAIL PROTECTED]
Subject: Science art and music combine... Spiral X. 4 free MP3s up now...
Date: Tue, 23 May 2000 22:55:41 GMT

Hola all...

Come on over and check out the new song, Bounce Until It Kills You.
Song number 4 on the free music train...  Techno future anti pop music
from the deep dark land of Florida.  If you're a serious music maker,
or technohed... you HAVE to hear this stuff.

http://www.mp3.com/spiralx

Best listened to on HiFi, or download the MP3 itself.  There are very
subtle efx that get destroyed in LoFi...

Come check out the other 3 free songs... Rabid Freestyle, The Oops, and
Make It Count!  11 song CD is up for your ordering pleasure... $8.  A
new single will be coming out soon, with remixes... tracks from the
upcoming second album, and if it gets finished... a video.

Let the sounds inspire your mind to new levels of thought....

-Chris, Spiral X.  Futuratech...



Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Final Comments from Twofish Team
Date: Wed, 24 May 2000 01:13:31 +0300

Mok-Kong Shen wrote:

> Runu Knips wrote:
>
> > It is however funny, that for any of the five AES
> > candidates, there seem to be people which fight for
> > it in this NG. Even Mars still has its fans :))
>
> Cryptology is (yet) not comparable to mathematics. One can
> hardly entirely eliminate subjectivity in evaluations, I believe.

In mathematics you could provide five different proofs on completely
different subjects. The question is, is any of those subjects relevant
(although proofs are correct)? In cryptography you have five different
ciphers. The question is, is any of those ciphers trustworthy and fast
enough (although none is broken yet)?

Helger Lipmaa
http://www.tcm.hut.fi/~helger


------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Retail distributors of DES chips?
Date: Tue, 23 May 2000 23:52:07 GMT

In article <8gd7jl$t7e$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Paul Rubin) wrote:
> In article <8gd3bq$qk5$[EMAIL PROTECTED]>, zapzing
<[EMAIL PROTECTED]> wrote:
> >Where can I buy DES chips?  I've searched a lot and I can't find any
> >retail distributors.  The only thing I found was one Canadian company
> >that was mentioned in the FAQ, but their chips sound much too "high
> >end" for me.  Thanks in advance.
>
> If your application isn't high end, use software, not a chip.
>

Well, one of the things I have been considering
is the possibility of malicious software.
That's why I was considering using a chip.
That way there is absolutely no possibility
that anything will be placed in any
subliminal channels.

I figure there must be some old chips
lying around. If I can't find a reasonably
priced tamperproof chip, I may just rig up my
own tamperproof container.

I'm still reading up on GPS.

--
Do as thou thinkest best.



------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Patent busting for AES usage
Date: Wed, 24 May 2000 00:18:44 GMT

In article <FKzW4.195$[EMAIL PROTECTED]>,
  <[EMAIL PROTECTED]> wrote:
> I would like to start one or more threads with the
> goal of creating prior art to spoil patents based on
> using the algorithm or algorithms selected as the AES.
> [Please, no discussion of the benefits of selecting
> one, or more than one, candidate on this thread.]  The
> submitters have agreed to terms that allow free use of
> the selected AES, so I am not worried about that.
> [Please no discussion of the Hitachi patents on this
> thread.]
>
> What I would like to prevent are things like the MDC-2
> and MDC-4 patents that IBM got on a DES mode of
> operation that creates a cryptographic digest from DES
> or similar block ciphers (see US Patent #4,908,861).
> These threads could declare certain ideas as obvious
> to a workman versed in the trade, or they could publish
> novel ideas, which could no longer be the basis for a
> patent.
>

Here are some ideas (and if you know about
a source of inexpensive DES chips please
let me know).

A PRNG could be created as follows:

B_i=E(k2,i+B_(i-1))

Instead of encryption hashing could be used.
Instead of adding i to B_(i-1) one could
add a hash or encryption of i.

Instead of using xor any
"generalized combiner" (as previously
discussed in this group) could be used.
A "generalized combiner" can be used
in many places that a protocol or
block mode calls for "xor".

AES could be used as a "generalized
combiner" itself, if the combiner
does not need to be reversible,
by having one symbol be the plaintext
and the other symbol be the key.

HRNGs and PRNGs can be combined
to give greater strength.

A message can be split into two or
more "secrets" using an RNG (H or P)
and each secret can be encrypted using a
different key, thus increasing the
effective key length.

--
If you know about a retail source of
inexpensive DES encryption chips please
let me know.



------------------------------

Subject: Re: Retail distributors of DES chips?
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 23 May 2000 17:28:54 -0700

In article <8gf5j2$8ui$[EMAIL PROTECTED]>, zapzing <zapzing@my-deja.com> wrote:
>In article <8gd7jl$t7e$[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (Paul Rubin) wrote:
>> In article <8gd3bq$qk5$[EMAIL PROTECTED]>, zapzing
><[EMAIL PROTECTED]> wrote:
>> >Where can I buy DES chips?  I've searched a lot and I can't find any
>> >retail distributors.  The only thing I found was one Canadian company
>> >that was mentioned in the FAQ, but their chips sound much too "high
>> >end" for me.  Thanks in advance.
>>
>> If your application isn't high end, use software, not a chip.
>>
>
>Well, one of the things I have been considering
>is the possibility of malicious software.
>That's why I was considering using a chip.
>That way there is absolutely no possibility
>that anything will be placed in any
>subliminal channels.
>
>I figure there must be some old chips
>lying around. If I can't find a reasonably
>priced tamperproof chip, I may just rig up my
>own tamperproof container.
>
>I'm still reading up on GPS.

About a year ago someone posted about doing ciphers in hardware
and publishing the VHDL.  Maybe that guy can repost?

At any rate any joe-blow DES chip that conforms to the DES
standard when testing with random keys/plaintext is most likely
a real chip, and not some cloak.

Tom




------------------------------

Subject: Re: pentium timings
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 23 May 2000 17:33:15 -0700

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
>tomstd wrote:
>
>> Anyone interested in timing their code in cycles on a pentium
>> class computer (i.e k6, 586, ppro, MII, etc...) can use the code
>> I developed (well it's not my idea, I just put it together
>> nicely) here
>
>A question of curiosity: How do you get the time to sufficient accuracy?
>On a computer, e.g. PC, there are other tasks running concurrently.

I think my DOS task just hogs the cpu, because the idle time
goes to zero when I do time testing.

At any rate I can test in pure DOS, but I get the EXACT same
results.

Tom




------------------------------

Date: Tue, 23 May 2000 17:38:21 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Patent busting for AES usage

Plus, let's have a dose of reality here.  A patent inspector is a
terribly overworked government employee.  He or she has an enormous
workload... and is just an overworked government employee.  ;-)

So what's the path of least resistance?  Well, you'll check the app for
any procedural glitch, and failing in proper lawyer-speak, then you'll
scan the database for any existing application that obviously conflicts
with it, taking care to cite each application you reviewed (to cover
your butt...).  If there are any obvious conflicts, out it goes and your
butt is covered.

Otherwise, hey inspector, are you a computer-jock or something?  No,
you're an overworked government employee.  So you let the application go
through, after carefully documenting "no, I can't see why it does not
have merit."  Then, when and if the patent is challenged in court, or
the parties sue to try to enforce their patent rights, they get to duke
it out in court to actually find out if the patent is worth the paper
it's printed on.

M-e-a-n-w-h-i-l-e, your supposedly/you-hope-its patentable idea is now a
matter of public record.  It has been disclosed.  And one thing's for
sure about computer algorithms:  "no manufacturing is involved."  Your
competitors can react to your innovation blindingly quick, upstaging
your idea before it even churns its way through the USPTO -- a process
that can take years.  All they have to do is write some source-code just
like you did, tweak it just a wee bit, and instantly they're the Monkey
Wrench Gang against your patent.  They're just as smart as you are.

It seems to me that the Twofish people have the right idea:  no
copyright, no patent, full disclosure.  Whether or not it becomes the
AES, this is a powerful draw for Twofish and particularly for
Counterpane Systems.  It's credibility, an endorsement.  They might be
giving up their right to make dimes from the exclusive right to employ
Twofish ... but I assure you that Twofish will have tremendous
commercial brand-recognition value to Counterpane.

What I mean is...  "nobody outside this newsgroup really understands :-)
crypto."  But lots of people understand a *brand name.*  PGP is a
brand-name, so is RSA and SSL.  So is Counterpane.  "I don't know what
Bruce is saying but I trust Bruce," etc.  That's worth a lot of
commercial value -- the value of perceived trustworthiness, which is
obviously life-and-death in commercial crypto.  People who have gone to
the trouble to secure patent rights to their algorithms may feel quite
obligated to enforce them, and I understand that -- but I think that in
the end, "the brand-name" has a helluva lot more market ($'s) power than
saying "this is MY algorithm, mitts off!" to a competitor even if you
have that legal right ("maybe").



>Lyalc wrote:
>
> Need to be careful with 'ideas'.
> Patents cover implementations of 'ideas'- an idea alone generally cannot be
> patented.
>
> Now you've described an idea, I could patent an implementation of that
> idea - as could anyone else, provided our implementations didn't infringe
> anyone else's. (Part of patent writing seems to describe as broad an
> implementation as possible).
>
> Once a few ideas are commonplace, then it is possible to patent
> 'inventions based on combinations of those ideas - e.g. first the XOR, then
> the SBox, then "data-dependent" manipulation, then along comes an
> RC5/6,DES,AES style patent based on specific combinations and arrangements
> of the foregoing.
>
> Without a good proposal to go forward, then the concept of 'patent spoiling'
> is pointless.
> Two options that might work
> 1. make implementations as specific or narrow as possible.
> 2. do away with the concept of all intellectual property.
>
> I'm not sure what effect either would have on the industry, but it seems
> unlikely to be positive to me.
>

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Date: Tue, 23 May 2000 17:36:58 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

<Snip>
> I suppose that our group, as the largest (as far as I
> am aware) public crypto community, should form certain
> unified standpoint as to what is and what is not
> patentable in crypto in our conviction, so as to
> (hopefully) influence the future patent policy....

I've been a fly on the wall here for four years. I think I've finally found
something to comment on.

    Now wait a minute here. I have listened to a lot of talk on patents from
this group. You guys are real smart but I don't think you're up to
re-inventing the patent.
    Patent laws and the patent process don't impact or affect your area of
concern. Here is a bolder statement: This process works beautifully, and it
is not the process's fault that the output of the process is quite often
execrable. The patent examiner cannot process the patent on its merits and
you guys should be the first ones to recognize why. Invention like
randomness is defined by negatives and only time and the market can tell
whether it's any good. What is done with Patents is that the bar is set and
you have to hurdle it cleanly to get a patent. That does not mean that you
have something of value if you do.

"A patent is just a license for a lawsuit"     Thomas Edison.

    A common misconception is that the material in a patent is what is
protected. The only rights granted are what is in the CLAIMS. All the other
material is merely support for the claims. Here's the bonus, if it is
described and not claimed it is not protected. In fact, granting of the
patent makes it public domain. (That means free, forever) The bar is that
the description must be clear enough that a professional versed in the art
could build the invention from it. Many folks like to show off how bright
they are by putting in a lot of other material. The cure is NOT to have the
examiner pass judgement based on regulation and excise this material. Ever
disagree with the IRS? Who won?
    How long do you think that patents have been a part of our legal system?
It goes way back to old English law. This is not some new social program
that isn't working. This is the culmination of hundreds of years of use. My
opinion is that the only problem is that they let lawyers play with it and
turn the conventional jargon arcane. (Really screwed the pooch there) Even
this is only a stylistic issue and not a matter of law. You are not required
to use all that mumbo jumbo. You can say what you mean in plain, unambiguous
language.
    It must remain an open forum. Start setting limits and the format will
become so constrained by insider agendas that only insiders can play (Kind
of like some newsgroups I know of). No, it should not be open to public
challenge. I've got better things to do than to defend against all comers.
Strange people have strange hobbies and I don't want to be yours. I was
passionate about something and went through a lot of grief and expense
because I believed in something. If you are equally passionate, cough up
your nickel, hire a legal staff and take me to court.
    Prior art is the big issue. The Patent must not be anticipated by any
prior art. Most folks think that means previous patents. It does not. Any
publication or offer for public sale is prior art. The examiner can only
search and review what he can find and what the applicant supplies (he's
legally obligated to fully disclose any he knows of). The patent grant isn't
home free, any prior art found can invalidate an Issued patent. If you think
this stuff was done before, find the publication or sale and link it to a
date.
    You folks have been doing the single most important thing all along.
This is a public forum where issues described here become the very prior art
that will keep a bad patent from being enforced. It won't keep it from being
issued. I said the process was beautiful, not omnipotent.

"When the only tool you have is a hammer, everything looks like a nail."-
Samuel Clemens

Paul


------------------------------

Subject: Re: pentium timings
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 23 May 2000 17:44:16 -0700

In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] says...
>
>[ ... ]
>
>> I will go ahead and disagree with you now.  When timing my RC5
>> code I always get the same clocks per block output, no matter
>> what is running.
>
>You can disagree all you want, but it only shows that you don't know
>what you're talking about.

True I don't know all the details, but I am going on what I see.

>The problem isn't that you'll get inconsistent results with the same
>code.  The problem is that if you change the code, the indications
>given by your timer will NOT necessarily mean anything.  It may say
>the new code is faster, when in reality it's exactly the same speed
>as the old code, or perhaps even slower than the old code.  Likewise,
>it could say the new code is slower when in fact it's the same speed
>or faster.

Hmm, well I get consistent results in win98 and pure dos.  So
magic or not it works.  Also I can tell if it gets slower simply
because the time increases.  I don't think there is anything
else to affect it.  Even if my code is off by three cycles, it
will be off for every trial.

Also I doubt much pairs with

rdtsc
push eax
push edx

So there won't be much clash with the code I am testing.

>> What you have to do is call 'timer(void *)' more than once and
>> take the average to get a good idea of what's going on.
>
>Oh ye of little knowledge of statistics!  An average will NOT fix the
>sort of fundamental problems you've got in your code.  It's true that
>with properly functioning timing, you still need to run code more
>than once to time it properly.  This is NOT, however, to make up for
>errors in the timing.  First of all, you want to ensure that the code
>is in the cache before you time it (unless you're specifically timing
>something related to cache usage).  Second, you _may_ get interrupts
>during your timing.  If an interrupt occurs, however, you will get a
>bimodal distribution (assuming everything else is working correctly).
>
>In this case, you should NOT (most _definitely NOT_) average the
>times: the time containing interrupt servicing is completely spurious
>and unrelated.  It should be completely _ignored_ in the final
>output.
>
>Using an average assumes that errors in either direction are equally
>likely.  With properly functioning timing code, errors on the low
>side absolutely can NOT happen.  Therefore, in this case you want to
>use the minimum of the times you get, NOT the average.

Well for my RC5 code I normally get between 126-130 for the
encrypt routine, but I think it has to do with cache usage in
win98.  However in pure dos I get 126 consistently.

>> Even still if the rdtsc is part of the start/ending of the
>> tested code, that's why it's called 512 times.  So the majority
>> of the used cycles is in the called code and not the timer code.
>
>This isn't true, and even if it was, it would still be irrelevant.
>Yes, making 512 calls to the code being timed can reduce the
>magnitude of the error to some degree, even with this (ridiculous)
>number of calls, the error can still be just under 8%.
>
>To summarize: you've written code that's fundamentally wrong, and
>then taken a brute-force approach to minimizing the magnitude of the
>errors you produce.

Um, bingo.

It works for what I need.  It gives as far as I can tell fairly
accurate results.  The time goes up with bad code, and down with
good code.  Close enough.

If for example I switch:
; load blk
    mov edi,[esp+4]
    mov esi,[esp+8]             ; key pointer
    mov eax,[edi]               ; blk[0]
    mov ebx,[edi+4]             ; blk[1]
    mov edx,rounds/2            ; # of rounds

to:
; load blk
    mov edi,[esp+4]
    mov eax,[edi]               ; blk[0]
    mov ebx,[edi+4]             ; blk[1]
    mov esi,[esp+8]             ; key pointer
    mov edx,rounds/2            ; # of rounds

The output time goes from 126 to 128.  Seems fairly accurate to
me, since the "mov eax,[edi]" doesn't pair with the above
instruction.

>> This code is for estimating and profiling, not for exact
>> measurements.
>
>You're completely ignoring the fact that it's just plain _wrong_.  To
>know whether it's safe to use it, somebody basically has to know a
>LOT more about things than you do, and would be able to write FAR
>better code themselves with considerably less effort than it would
>take to decide whether they're willing to ignore the errors from your
>code.

What errors?  It gives logical outputs.

>In short, your code is worse than useless: for the few people who
>could theoretically use it, it's more trouble than it's worth.  For
>everybody else, it can and will produce misleading and incorrect
>results, and worse yet, produce them with enough consistency that
>most people are likely to actually believe its results.
>
>Publishing code like this (even for free) is grossly irresponsible.

Oh shut up you stupid bigot.  My code works, I admit I am not
an engineer at intel or something, but the code works, it gives
logical outputs, and I don't give a rat's behind if you like it.

I release my code to the public for pure research purposes.  If
you don't like my timer.asm code, why not contribute a fix?
It's not like I don't give out anything else (sboxgen, rc5asm,
teaasm, etc...) so don't condemn my work because "he made a
mistake so he's a complete moron".

I say "good day" sir.

Tom
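
An added illustration (not tomstd's timer.asm, and not Jerry's code either) of the methodology Jerry lays out above: warm the cache, take many samples, separate the interrupted tail, and compare two variants by the minimum rather than the mean. time.perf_counter_ns stands in for rdtsc here, which is an assumption made for portability; the bimodal sample in the test is constructed.

```python
import time
from statistics import mean, median


def collect(fn, trials: int = 200, warmup: int = 5):
    """Time fn() `trials` times.  time.perf_counter_ns stands in for rdtsc;
    the warm-up calls pull code and data into cache and are not recorded."""
    for _ in range(warmup):
        fn()
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter_ns()
        fn()
        samples.append(time.perf_counter_ns() - t0)
    return samples


def split_modes(samples, factor: float = 2.0):
    """Separate the main cluster from the slow tail.  A bracketing timer can
    only overestimate (an interrupt adds time, nothing subtracts it), so any
    sample far above the minimum belongs to the interrupted mode."""
    lo = min(samples)
    main = [s for s in samples if s <= factor * lo]
    tail = [s for s in samples if s > factor * lo]
    return main, tail


def summarize(samples):
    """The estimator to report (min) next to the ones the interrupted tail
    skews (mean), plus how many runs were evidently interrupted."""
    main, tail = split_modes(samples)
    return {
        "min": min(samples),
        "median": median(samples),
        "mean": mean(samples),
        "mean_without_tail": mean(main),
        "interrupted_runs": len(tail),
    }


def faster(fn_a, fn_b, trials: int = 200):
    """Compare two code variants by their minimum times, the only estimator
    that cannot be pulled upward by interrupts.  Returns 'a', 'b' or 'tie'."""
    a = min(collect(fn_a, trials))
    b = min(collect(fn_b, trials))
    if a < b:
        return "a"
    if b < a:
        return "b"
    return "tie"
```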



------------------------------

From: "Brian McKeever" <[EMAIL PROTECTED]>
Subject: Re: Yet another block cipher: Storin
Date: Tue, 23 May 2000 17:52:26 -0700

<[EMAIL PROTECTED]> wrote in message
news:8ge70k$isf$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
>   Runu Knips <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] wrote:
> In general linear algebra this is true, but I think modulo addition and
> mult screws it up.  The matrix in my example is invertible because the
> determinant is non-zero. At the same time, I showed -two- vectors that
> produce the zero vector, a contradiction with respect to being
> bijective.  The linear algebra rules appear to be different when using
> modulo math.
>
> I am not saying the cipher is broke because I haven't found a case with
> the actual matrix.  The general principle would seem to hold however.
>
> --Matthew
>

Well, the problem is you're taking the rule for matrices over the reals and
applying it directly to a matrix over another ring.  The general rule for
when a square matrix has an inverse (and hence is 1-1) is if the determinant
is (multiplicatively) *invertible*.  Over the reals, this means non-zero.
Over his ring (Z/2^24Z), it means the determinant has to be odd (i.e.
relatively prime to 2^24).

The matrix in your example (over ints mod 4) had determinant 2, which is not
invertible (it would have to have determinant 1 or 3 (each of which is its
own multiplicative inverse)).

Brian
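
An added worked example (not from any poster) of Brian's criterion: the determinant as a unit of Z/2^k Z, a modular inverse computed when the determinant is odd, and a kernel vector exhibiting the "two vectors that produce the zero vector" collision when it is even. The matrices in the test are constructed, including a mod-4 one with determinant 2 like the one discussed.

```python
from itertools import product


def det(a):
    """Exact integer determinant by Bareiss (fraction-free) elimination."""
    n = len(a)
    m = [row[:] for row in a]
    sign, prev = 1, 1
    for k in range(n - 1):
        if m[k][k] == 0:
            swap = next((i for i in range(k + 1, n) if m[i][k] != 0), None)
            if swap is None:
                return 0
            m[k], m[swap] = m[swap], m[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                m[i][j] = (m[i][j] * m[k][k] - m[i][k] * m[k][j]) // prev
        prev = m[k][k]
    return sign * m[n - 1][n - 1]


def is_invertible_mod(a, k: int) -> bool:
    """Over Z/2^k Z the units are exactly the odd residues, so the matrix is
    a bijection iff det(a) is odd; 'non-zero' is not enough, because 2 has
    no multiplicative inverse modulo 2^k."""
    return det(a) % 2 == 1


def inverse_mod(a, k: int):
    """Gauss-Jordan over Z/2^k Z; returns None when the determinant is even."""
    n, mod = len(a), 1 << k
    aug = [[v % mod for v in a[i]] + [int(i == j) for j in range(n)]
           for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % 2 == 1), None)
        if piv is None:
            return None  # no odd pivot: det even, the map is not 1-1
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, mod)  # odd => a unit mod 2^k
        aug[col] = [(v * inv) % mod for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % mod for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def matvec(a, x, k: int):
    """a * x reduced modulo 2^k."""
    mod = 1 << k
    return [sum(r * v for r, v in zip(row, x)) % mod for row in a]


def kernel_vector(a, k: int):
    """Brute-force a non-zero x with a*x == 0 mod 2^k (tiny k only): such an
    x and the zero vector are the two inputs that collide on the zero output,
    so the map cannot be a bijection."""
    n, mod = len(a), 1 << k
    for x in product(range(mod), repeat=n):
        if any(x) and not any(matvec(a, x, k)):
            return list(x)
    return None
```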

------------------------------

Subject: Re: Patent busting for AES usage
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 23 May 2000 17:51:41 -0700

In article <8gf74o$a0f$[EMAIL PROTECTED]>, zapzing <zapzing@my-deja.com> wrote:
>In article <FKzW4.195$[EMAIL PROTECTED]>,
>  <[EMAIL PROTECTED]> wrote:
>> I would like to start one or more threads with the
>> goal of creating prior art to spoil patents based on
>> using the algorithm or algorithms selected as the AES.
>> [Please, no discussion of the benefits of selecting
>> one, or more than one, candidate on this thread.]  The
>> submitters have agreed to terms that allow free use of
>> the selected AES, so I am not worried about that.
>> [Please no discussion of the Hitachi patents on this
>> thread.]
>>
>> What I would like to prevent are things like the MDC-2
>> and MDC-4 patents that IBM got on a DES mode of
>> operation that creates a cryptographic digest from DES
>> or similar block ciphers (see US Patent #4,908,861).
>> These threads could declare certain ideas as obvious
>> to a workman versed in the trade, or they could publish
>> novel ideas, which could no longer be the basis for a
>> patent.
>>
>
>Here are some ideas (and if you know about
>a source of inexpensive DES chips please
>let me know).
>
>A PRNG could be created as follows:
>
>B_i=E(k2,i+B_(i-1))
>
>Instead of encryption hashing could be used.
>Instead of adding i to B_(i-1) one could
>add a hash or encryption of i.

The problem with using the above, is if B[0] is fixed, and I
find the key, I can find all others B[i] outputs.

Similarly with using a hash in counter mode.  That's why it must
be non-invertible, or very difficult (i.e. large symmetric key).
Using a good hash (md5, sha-1, tiger, etc...) in counter mode
like

B[i] = H(B[i - 1] || i || key)

is much simpler, and it's secure iff the hash is secure and the
key is random (and sufficiently large, say >100 bits).

Tom
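
An added example (not the code of either poster) contrasting the two generators in the exchange above. Because E is a keyed permutation, B_i = E(k2, i + B_(i-1)) can be run backwards by anyone holding the key and a single output, recovering every earlier output; B[i] = H(B[i-1] || i || key) has no such shortcut, since stepping back would need a preimage of H. The 64-bit Feistel E built from SHA-256 is a toy stand-in for DES/AES, an assumption made here, and the key and seed are constructed.

```python
import hashlib
import struct

MASK64 = (1 << 64) - 1


def _f(key: bytes, half: int, r: int) -> int:
    """Keyed 32-bit round function derived from SHA-256 (stand-in, not DES)."""
    d = hashlib.sha256(key + struct.pack(">IB", half, r)).digest()
    return int.from_bytes(d[:4], "big")


def E(key: bytes, x: int, rounds: int = 8) -> int:
    """Toy 64-bit block cipher (balanced Feistel) standing in for the E of the
    post.  All that matters below is that it is a keyed *permutation*."""
    L, R = x >> 32, x & 0xFFFFFFFF
    for r in range(rounds):
        L, R = R, L ^ _f(key, R, r)
    return (L << 32) | R


def D(key: bytes, y: int, rounds: int = 8) -> int:
    """Inverse of E: run the Feistel rounds backwards."""
    L, R = y >> 32, y & 0xFFFFFFFF
    for r in reversed(range(rounds)):
        L, R = R ^ _f(key, L, r), L
    return (L << 32) | R


def cipher_prng(key: bytes, b0: int, n: int):
    """B_i = E(k2, i + B_(i-1)) as proposed in the thread, for i = 1..n."""
    out, b = [], b0
    for i in range(1, n + 1):
        b = E(key, (i + b) & MASK64)
        out.append(b)
    return out


def backtrack(key: bytes, b_i: int, i: int):
    """With the key and one output B_i, invert the construction step by step:
    B_(i-1) = D(k2, B_i) - i.  Returns [B_0, ..., B_(i-1)], i.e. the whole
    history that a compromised state exposes."""
    hist, b = [], b_i
    while i > 0:
        b = (D(key, b) - i) & MASK64
        hist.append(b)
        i -= 1
    return hist[::-1]


def hash_prng(key: bytes, b0: bytes, n: int):
    """B[i] = H(B[i-1] || i || key) with SHA-256.  There is no analogue of
    backtrack() for this chain: recovering B[i-1] from B[i] would require a
    preimage of H, so earlier outputs stay protected if a state leaks."""
    out, b = [], b0
    for i in range(1, n + 1):
        b = hashlib.sha256(b + struct.pack(">Q", i) + key).digest()
        out.append(b)
    return out
```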



------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Patent busting for AES usage
Date: Tue, 23 May 2000 17:53:03 -0700

That was easy, you've already done it.

The only hitch to using prior art to prevent something is that the art must
be prior. No time machines allowed. Quite often things look obvious in hind
sight. At least they did to my old manager.

If it is published or offered for sale, I believe it is already prior art.
No need to do something else.

Paul


------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Retail distributors of DES chips?
Date: 24 May 2000 00:58:06 GMT

In article <8gf5j2$8ui$[EMAIL PROTECTED]>, zapzing  <[EMAIL PROTECTED]> wrote:
>Well, one of the things I have been considering is the possibility of
>malicious software.  That's why I was considering using a chip.  That
>way there is absolutely no possibility that anything will be placed
>in any subliminal channels.

DES is a block cipher, a one-to-one, invertible mapping between plaintext
and ciphertext.  It can't and doesn't have subliminal channels.  Maybe
you're thinking of DSA.  For DSA, a hardware implementation would be
*more* susceptible to subliminal channels than a software implementation,
assuming you had source code for the software that you could inspect.

>I figure there must be some old chips lying around. If I can't find a
>reasonably priced tamperproof chip, I may just rig up my own
>tamperproof container.

If you're looking for tamper resistant key management, try a smart
card chip or something like a Java iButton
(http://www.ibutton.com/ibuttons/java.html).  These are not what I'd
call a DES chip in that they are normally small microprocessors that
implement DES in firmware rather than hardware.  But they are
inexpensive and reasonably secure.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
