Cryptography-Digest Digest #920, Volume #11 Fri, 2 Jun 00 14:13:01 EDT
Contents:
Re: XTR (was: any public-key algorithm) (David A. Wagner)
Good ways to test. (John)
Re: Contest rule proposal (Andru Luvisi)
Re: Weak Keys in TC3 (David A. Wagner)
Re: Good ways to test. (Mark Wooding)
Re: Contest rule proposal (Andru Luvisi)
Re: Weak Keys in TC3 (tomstd)
Re: RSA/PK Question (You should do your homework first, you know this conversation
can go on for longer than breaking your overly small 768-bit keys) (tomstd)
Re: Can we say addicted? ("Joseph Ashwood")
Re: XTR (David A Molnar)
Re: Contest rule proposal ("Paul Pires")
Re: Self Shrinking LFSR (Scott Nelson)
Re: Contest rule proposal (Terry Ritter)
Re: Contest rule proposal (Terry Ritter)
Re: Contest rule proposal (Terry Ritter)
Re: Good ways to test. (Terry Ritter)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: XTR (was: any public-key algorithm)
Date: 2 Jun 2000 08:50:47 -0700
In article <[EMAIL PROTECTED]>,
Mark Wooding <[EMAIL PROTECTED]> wrote:
> David A. Wagner <[EMAIL PROTECTED]> wrote:
> > I'd argue that the `standard' exponent is e = 3.
>
> Well, SSLeay uses F_4 by default; Microsoft's cryptographic stuff uses
> F_4 by default; nCipher[1]'s crypto accelerator boxes use F_4 by
> default; SSH and PGP 2 use an odd number greater than 17.
>
> I keep on reading that 3 is a commonly used exponent, but I've not found
> a real system which actually uses it. ;-)
Ok! I concede the point.
> > (Yeah, e = 65537 might be more conservative, but if you're worried
> > enough about speed to consider switching to a totally new
> > cryptosystem, even e = 3 starts to look pretty good.)
>
> This is true. However, there are problems if you send the same message
> to e different people who all share the public exponent e, and a larger
> e makes this less likely. There's also an attack due to Coppersmith
> which can recover a message given two encryptions of it provided that
> the random padding is less than 1/e^2 of the message length.
All of these attacks are easily prevented by simply using padding,
which everyone should be doing anyway. As you say, they are not too
worrying in practice.
------------------------------
Subject: Good ways to test.
From: John <[EMAIL PROTECTED]>
Date: Fri, 02 Jun 2000 08:55:01 -0700
Are there any resources, preferably on the Net, that can help
test the strength of an encryption system?
http://www.aasp.net/~speechfb
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Contest rule proposal
Date: 02 Jun 2000 08:41:17 -0700
"Adam Durana" <[EMAIL PROTECTED]> writes:
> I think everyone that submitted a cipher has put it up for public
> discussion. That is the whole point of the contest, to put your cipher
> online so people can find it and analyze it. With Chutzpah, I believe that
> the paper said there were patents pending, and I think that's a perfectly
> fair thing to do. The author of the cipher wants people to analyze the
> cipher, but at the same time he does not want to lose control of it. It
> never occurred to me that this might be an issue, but you are right, there
> should be a new rule concerning this. Not a rule prohibiting the submission
> of a patented cipher, but a rule that states that all patented material
> included in a submission should be accompanied by a statement (from the
> patent holder of course) that allows free use of the material for the
> purposes of the contest. Does that make everyone happy?
Not particularly. The point here is: Why should we be giving someone
cost free analysis when they won't give us the algorithm cost free?
Requiring an explicit statement of patents pending will help people
avoid accidentally using a patented algorithm, but it does nothing to
address the problem above.
Andru
--
==========================================================================
| Andru Luvisi | http://libweb.sonoma.edu/ |
| Programmer/Analyst | Library Resources Online |
| Ruben Salazar Library |-----------------------------------------|
| Sonoma State University | http://www.belleprovence.com/ |
| [EMAIL PROTECTED] | Textile imports from Provence, France |
==========================================================================
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Weak Keys in TC3
Date: 2 Jun 2000 08:57:59 -0700
In article <8h8l53$964$[EMAIL PROTECTED]>,
Scott Fluhrer <[EMAIL PROTECTED]> wrote:
> tomstd <[EMAIL PROTECTED]> wrote:
> > I found the first class of weak keys...If the 6 key words are
> > all equal to -F(x+1), 0<x<7, then encrypting all zero makes an
> > all zero output. The prob of getting this key is 2^-192 and it
> > requires only one chosen plaintext to detect.
>
> If the weakness is "if you use a particular key, then encrypting a
> particular plaintext will yield a particular ciphertext", well, that's a
> "weakness" that's in all block ciphers. Or, in other words, not
> particularly a weakness at all.
Note that tomstd's weakness is a much bigger deal than yours,
if you want to use the block cipher in Davies-Meyer mode to build
a hash function. If you can find a key where 0 encrypts to 0 (and
tomstd showed that you can, with much less than 2^192 workfactor),
then you can start playing games with chaining attacks -- e.g., if
the IV is 0, then prepending this special key to the message leaves
the digest unchanged. It will not be so easy to play these types
of games if the special plaintext/ciphertext pair are unpatterned;
the all-zeros plaintext/ciphertext have a lot of structure/symmetry.
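The chaining trick Wagner describes, as an added example that is not part of the thread: a constructed 32-bit toy block cipher stands in for TC3 (its only relevant property is that the all-zero key maps the all-zero block to itself), and a Davies-Meyer chain with IV = 0 cannot tell whether that fixed-point key block was prepended to the message.

```python
# Added example (not from the thread): why a key K with E_K(0) = 0 matters
# in Davies-Meyer hashing. The cipher below is a constructed 32-bit toy
# permutation, not TC3; the all-zero key is its fixed-point key.

MASK32 = 0xFFFFFFFF


def rotl32(x, r):
    r %= 32
    return ((x << r) | (x >> (32 - r))) & MASK32 if r else x & MASK32


def toy_encrypt(key, block):
    """Constructed 32-bit toy block cipher (a bijection for every key).

    Each round step (XOR with a round key, multiply by an odd constant,
    rotate) maps 0 to 0 when the round key is 0, so toy_encrypt(0, 0) == 0.
    """
    x = block & MASK32
    for i in range(4):
        round_key = rotl32(key & MASK32, 7 * i)   # all-zero key -> all-zero round keys
        x ^= round_key
        x = (x * 0x9E3779B1) & MASK32             # odd multiplier: invertible mod 2^32
        x = rotl32(x, 13)
    return x


def dm_compress(h, m):
    """Davies-Meyer step: the message block is the cipher key, h the plaintext."""
    return toy_encrypt(m, h) ^ h


def davies_meyer(blocks, iv=0):
    """Unkeyed hash of a list of 32-bit message blocks (no length padding)."""
    h = iv
    for m in blocks:
        h = dm_compress(h, m)
    return h


FIXED_POINT_KEY = 0   # toy_encrypt(FIXED_POINT_KEY, 0) == 0


def prepend_is_invisible(blocks, iv):
    """True when prepending the fixed-point key block leaves the digest unchanged.

    With iv == 0 the first step computes E_0(0) ^ 0 == 0, so the chaining value
    is still 0 and the rest of the chain is identical: the digest cannot see the
    extra block. With iv != 0, E_0(iv) != 0 (E_0 is a bijection fixing 0), so
    the chaining value changes at the very first step.
    """
    return davies_meyer([FIXED_POINT_KEY] + blocks, iv) == davies_meyer(blocks, iv)


if __name__ == "__main__":
    msg = [0xDEADBEEF, 0x01234567, 0x89ABCDEF]   # constructed sample message
    print("E_0(0) =", toy_encrypt(0, 0))
    print("IV = 0:          prepend invisible?", prepend_is_invisible(msg, 0))
    print("IV = 0x6A09E667: prepend invisible?", prepend_is_invisible(msg, 0x6A09E667))
```

A nonzero IV or Merkle-Damgård length padding removes this particular free prefix, but a cheaply findable fixed point remains a structural flaw in the compression function.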
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Good ways to test.
Date: 2 Jun 2000 16:06:01 GMT
John <[EMAIL PROTECTED]> wrote:
> Are there any resources, preferably on the Net, that can help test
> the strength of an encryption system?
The most effective resource is a Good Cryptanalyst. Several of these
can be contacted using the Net. They grow on trees.
-- [mdw]
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Contest rule proposal
Date: 02 Jun 2000 08:58:11 -0700
"Paul Pires" <[EMAIL PROTECTED]> writes:
> I understand your concern but I wish to submit an opposing view.
>
> The fact that something is patented does not affect it being "openly
> exchanged as an idea". It merely reserves the rights of the inventor when it
> comes to commercialization. No different in principle from typing "Copyright
> xxxx all rights reserved" at the top of your source code except that you
> must be far more masochistic to pursue a patent.
It is *very* different in principle. Typing "Copyright" at the top of
your code just prevents people from legally copying your source code.
Patenting your algorithm prevents people from implementing *their own*
version. One bans the free use of a particular expression of an idea,
and the other bans the free use of the idea itself.
> Unfortunately, being less than rabid on the subject of patents is
> "Politically incorrect". Hopefully my tilting at windmills will provide some
> humor if not insight.
I suppose that all depends on where you are.
> It would be wonderful if everyone donated the fruits of their labors to the
> common good. This should be an option that a person has depending on their
> own ethics and values and vision for how they fit in to the community.
> Shunning someone because they do not believe in or agree with your just
> cause is a sin.
Shunning? I have not suggested that people not talk to patent
holders. I have not suggested that people spam, or make annoying
phone calls to, or harass patent holders.
I have suggested that people not give to those who won't give back,
that we not give no cost analysis to those who will not give us a cost
free algorithm. I am identifying what I perceive to be a bad deal and
suggesting that we (the contest entrants and those analyzing their
ciphers) not enter into this deal. This would be avoiding a bad deal,
not "shunning" someone for their beliefs.
> I realize that implying a lack of virtue or civic duty is a real easy thing
> to do. It also has the added plus of making you look virtuous.
>
> It is lazy.
I did not intend to make any statements about virtue or civic duty.
I'm sorry if my post was easily interpreted as doing so.
Andru
--
==========================================================================
| Andru Luvisi | http://libweb.sonoma.edu/ |
| Programmer/Analyst | Library Resources Online |
| Ruben Salazar Library |-----------------------------------------|
| Sonoma State University | http://www.belleprovence.com/ |
| [EMAIL PROTECTED] | Textile imports from Provence, France |
==========================================================================
------------------------------
Subject: Re: Weak Keys in TC3
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 02 Jun 2000 09:10:54 -0700
In article <8h8li7$p3c$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
>In article <8h8l53$964$[EMAIL PROTECTED]>,
>Scott Fluhrer <[EMAIL PROTECTED]> wrote:
>> tomstd <[EMAIL PROTECTED]> wrote:
>> > I found the first class of weak keys...If the 6 key words are
>> > all equal to -F(x+1), 0<x<7, then encrypting all zero makes an
>> > all zero output. The prob of getting this key is 2^-192 and it
>> > requires only one chosen plaintext to detect.
>>
>> If the weakness is "if you use a particular key, then encrypting a
>> particular plaintext will yield a particular ciphertext", well, that's a
>> "weakness" that's in all block ciphers. Or, in other words, not
>> particularly a weakness at all.
>
>Note that tomstd's weakness is a much bigger deal than yours,
>if you want to use the block cipher in Davies-Meyer mode to build
>a hash function. If you can find a key where 0 encrypts to 0 (and
>tomstd showed that you can, with much less than 2^192 workfactor),
>then you can start playing games with chaining attacks -- e.g., if
>the IV is 0, then prepending this special key to the message leaves
>the digest unchanged. It will not be so easy to play these types
>of games if the special plaintext/ciphertext pair are unpatterned;
>the all-zeros plaintext/ciphertext have a lot of structure/symmetry.
Yeah, the all zero key is the only weak one I can think of. The
others (a + F(1) == b + F(3)) are not a particular weakness since
there is no way any block cipher can get around that, and even
then I don't know how to exploit it.
My only suggestion is to either use shorter keys and make it so
the all zero shorter key doesn't make an all zero longer key, or
ignore it. It's a rather serious flaw when using TC3 as a
hash...
Tom
------------------------------
Subject: Re: RSA/PK Question (You should do your homework first, you know this
conversation can go on for longer than breaking your overly small 768-bit keys)
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 02 Jun 2000 09:27:30 -0700
In article <uF8PwkKz$GA.330@cpmsnbbsa06>, "Joseph Ashwood"
<[EMAIL PROTECTED]> wrote:
>The entire basis of your argument was that it's good enough for now. I
>simply asked why you did not find the other comparison correct. You have
>continually stated that only 768 bit RSA keys are needed, and you have
>continually been corrected that there is a for now that you continually
>ignore, and have even stated cannot exist. This is the same level of error
>that allowed Rivest to make grossly wrong claims about the strength of RSA,
>stating that it would take a phenomenal amount of time to break 160-bit RSA
>keys, when in fact now, less than 30 years later, I can break those same
>keys on the machine in front of me in times that make them certainly broken.
I never said only use 768 bit keys, don't put words in my
mouth. I said 768 bit keys would be adequately secure for the
average person for now. I also said for longer term security
use keys up to 2048 bits (after that it's pointless). I
personally use a 1024-bit RSA key in PGP.
>In the reality that I live in, we continually develop better algorithms,
>ones which take less time and less space than the ones before. We also
>continually develop better computers to run these algorithms. You again
>claim that 80-bits is secure for now, but within Moore's law they will only
>be secure for less than a decade, I personally quite often have secrets that
>need to be kept far longer than that, so again I say to you that your
>estimates are vastly off, you have been corrected many times and continue to
>make them. When people point out (quite gently the first few times I might
>add) that you were incorrect, you return with things like "You are a
>pragmatic jerk, you know that right?" (BTW I do know that I can be well
>beyond a jerk on occasion).
I think my estimates posted in this thread (earlier) were wrong
about Moore's law, but extrapolating from the time it takes to
find a 64-bit key, I would think an 80-bit key would be quite a
bit harder.
Even assuming a 64-bit key could be found in a day (in say 10
years) an 80-bit would take about 180 years to find.
>You continually underestimate what is possible, and continually make
>statements that you have certainly not thought out clearly, your suggestion
>to use 768-bit RSA keys was roughly equivalent to using 64-bit symmetric
>keys, which we all (in this I even include you based on your recommendation
>for 80-bit symmetric keys) agree is too small. In order to get 80-bits worth
>of protection we will have to go to at least 1024-bit RSA/DH public keys,
>and most likely by the end of the year they will have to be bigger still.
You can't compare PK keys vs Symmetric Keys. They are not the
same thing. We can't solve 1024 bit keys primarily because of
SPACE not TIME. We can brute force a 64 bit key because of the
low SPACE requirements.
Yeah, my early post on Moore's law is wrong, but I still have
reason to believe 80-bit keys are adequate now. If you
misunderstood my suggestions (although you don't need to believe
me) for RSA PK keys:
768-bit ~ short term (under a year)
1024-bit ~ periodic (around 5 years at the most)
2048-bit ~ long term (>10 years)
For Symmetric Keys
80-bit ~ periodic (about 5 years)
128-bit ~ long term (20~30 years)
256-bit ~ long long term (>50 years)
Although these are a bit conservative. For example to find a
128 bit key in 20 years you must search 2^97.77 keys a second
(for 20 years) to find the key. Distributed among a million
computers that is still 2^77 keys/sec. A far way off... Assuming
an average computer can test 2^21 keys/sec, and that Moore's law
continues we have about 84 years before we can search 2^77
keys/sec per computer.
Similarly to find a 256-bit key in 50 years, we must test 2^225
keys/sec (for 50 years) among a million comps that is 2^204
each, or about 274 years before we can do that.
Finally to find an 80-bit key in 5 years, we must test 2^52.77
keys/sec. Or 2^32 keys/sec per computer (for 2^20 comps). It
will take about 17 years before we can do that.
Remembering that the best known attack (brute force) and the
best known network (distributed.net) only has about 2^18
computers at the most. Most of which are idle or non-active.
Tom
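The brute-force feasibility model behind Tom's figures above, as an added example that is not part of the thread. It assumes, as his numbers do, that an exhaustive search expects to try half the keyspace, that the work is spread over 2^20 machines each testing 2^21 keys/sec today, and that per-machine speed doubles every 18 months; the defaults and the `doubling_months` parameter are this example's assumptions, so the estimate can be re-run with other growth rates.

```python
# Added example (not from the thread): an explicit version of the key-search
# arithmetic in the post above, so each assumption can be varied.
import math

SECONDS_PER_YEAR = 365 * 86400


def keys_per_sec_needed(key_bits, years):
    """Total key-test rate (keys/s) for an exhaustive search of a key_bits-bit
    key to succeed, on average, within `years` (half the keyspace is tried)."""
    expected_trials = 2 ** (key_bits - 1)
    return expected_trials / (years * SECONDS_PER_YEAR)


def years_until_feasible(key_bits, years, computers=2 ** 20,
                         keys_per_sec_now=2 ** 21, doubling_months=18):
    """Years of Moore's-law growth (assumed: speed doubles every doubling_months)
    before `computers` machines can finish the search within `years`.
    Returns 0.0 when today's per-machine speed already suffices."""
    per_machine = keys_per_sec_needed(key_bits, years) / computers
    if per_machine <= keys_per_sec_now:
        return 0.0
    doublings = math.log2(per_machine / keys_per_sec_now)
    return doublings * doubling_months / 12


def log2_rate(key_bits, years):
    """log2 of the total rate, for comparison with the '2^97.77' style figures."""
    return math.log2(keys_per_sec_needed(key_bits, years))


if __name__ == "__main__":
    for bits, horizon in ((80, 5), (128, 20), (256, 50)):
        print(f"{bits:3d}-bit key within {horizon:2d} years: need 2^{log2_rate(bits, horizon):.2f} keys/s"
              f" in total, reachable in ~{years_until_feasible(bits, horizon):.0f} years")
```

The model reproduces the post's 2^97.77 keys/s for a 128-bit key and lands within a year or two of its 84-, 274- and 17-year figures; the differences come from rounding 2^77.77 down to 2^77 in the post.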
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Can we say addicted?
Date: Fri, 2 Jun 2000 09:28:19 -0700
> You too? O, well, it's better than drugs, I suppose.
Then you need to get some better drugs. (Just for the record I have in my
life used 2 drugs, adrenalin, and caffeine, so don't take me too seriously
on the subject).
Joe
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: XTR
Date: 2 Jun 2000 16:51:28 GMT
David A. Wagner <[EMAIL PROTECTED]> wrote:
>> e makes this less likely. There's also an attack due to Coppersmith
>> which can recover a message given two encryptions of it provided that
>> the random padding is less than 1/e^2 of the message length.
> All of these attacks are easily prevented by simply using padding,
> which everyone should be doing anyway. As you say, they are not too
> worrying in practice.
As long as it's the right padding. :) Fortunately, as far as I know, OAEP
is patent-free, and it has a proof of "being good padding" in the random
oracle model.
What dismays me is that the PSS signature padding does not seem to be
patent-free...
-David
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Contest rule proposal
Date: Fri, 2 Jun 2000 10:09:18 -0700
Terry Ritter <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
Thanks Terry.
I was feeling lonely again.
One comment though.
>I have an even simpler proposal: the patent holder offers fair use of
>the patented techniques within the non-commercial context of the
>context. I certainly would not agree to someone else's definition of
>"free software."
Does everybody else have to wear a sign that says "leper" too?
Why must I assert that I won't do something bad if I have not given
cause for the suspicion? Nothing in patent law allows me to go after people
for evaluating my submission to an academic contest that I entered it in.
Boy, RSA and PKP sure pissed off a bunch of people. That's partly what this
whole issue is about.
Now, the group.
This group should worry about larger issues. Like the intellectual
intolerance which is being shown here based on myth, legend and
misinformation.
It seems that everyone here (almost) has made up their mind that
someone who applies for a patent is greedy, rapacious and incapable of
contributing to the group's common good. This is a polar issue, either you
are on the side of the angels or the slime doggies. Look back on times when
this kind of "Everybody Knows" group intolerance was present and be
ashamed.
I have been grandfathered, what am I griping about? You stand up and be
counted when it is required, I can do no less. If that means that you folks
take away my slot, so be it. I just asked to play too, you don't have to
beat me bloody.
Why so adamant? Why the instant assumption of criminality? How can you
accuse someone of atrocious behavior just because of the side of an issue
that they are associated with?
Look at the "reasons" that everybody is trotting out here:
Folks think I want free analysis and yet keep my rights to myself.
I want you to consider that I may be putting up as much for free as you.
I have diligently presented my paper and asked for comments. I have reserved
the right to commercialize it. Your analysis (if you choose to stoop so low)
is your property not mine. I have not hired you as a consultant. You would
laugh if I pointed a potential licensee at you and said " Ask Andru, He
likes it". I have no rights to the commercialization of your analysis. If
you want to make an exchange, fair to both sides, I'm open. Why do you feel
that I must prostrate myself and surrender all rights in advance, with no
agreement of exchange?
I saw no Rule that said "You must give up all rights to your stuff and in
exchange all analysts will work diligently on your idea and post quality
results" Yeh, right.
It isn't about the freedom of ideas, it's about preserving the hierarchy
of control. (That's you guys)
It's not easy being a filthy patent monger in sci.crypt. This whole
thread is off topic! You guys sat back fat, dumb and happy and jumped all
over this, confident in the assumption of moral superiority. I was invited,
I looked at the rules, I didn't post any suggestions to clear MY OWN WAY
when the contest was being formed.
Now you have to decide. Sneer and dismiss these pleas as being from
someone who just doesn't understand the real issue. You can't back down from
these weighty social concerns can you? Or admit that this group needs an
enema when it comes to this topic.
Paul
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: Self Shrinking LFSR
Reply-To: [EMAIL PROTECTED]
Date: Fri, 02 Jun 2000 17:32:22 GMT
On 2 Jun 2000, Forrest Johnson <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]> Scott Nelson,
>[EMAIL PROTECTED] writes:
>>I don't know how Tom did it,
>>but if you're interested in generating maximal length polys,
>>you might want to look at my lfsr program. It's available at
>>ftp://helsbreth.org/pub/helsbret/random/
>>(both source and MSDOS executable)
>>
>Scott, I have a couple questions about your program (the comments,
>actually -- my C programming is less than expert). You stated in the
>preamble that irreducible polynomials are needed for maximal length
>rather than primitive polynomials. I think it's the other way around.
>
>(Ex. X^4 + x^3 +x^2 + x^1 + 1 is irreducible, but not primitive. It
>also won't produce a maximum period in a 4-bit LFSR.) Also, from Shift
>Register Sequences by Solomon Golomb: "...not all the irreducible
>polynomials of degree r have maximum exponent. That is, they do not all
>correspond to shift register sequences of length 2^r - 1."
>
You may be right.
I've been unable to locate a definitive reference for
the meanings of primitive and irreducible, so can neither confirm
nor deny it. However, it's clear that to be maximal
length a polynomial must be both primitive and irreducible.
>You also stated that "Approximately 1/16 of the chosen polys are maximal
>length". I might be tripping over the term "chosen", but there are 2048
>max length polynomials (out of 65535 possible) for a 16 bit LFSR. Maybe
>your program restricts the choice of polynomials to test to a subset of
>that 65535 and that's where the 1/16 comes from.
>
There are only 32768 16 bit values with the high bit set.
The other 32768 values aren't properly 16 bit LFSR's, but if
one included them, then there would be more than 2048 that work.
(Half are rejected immediately since they do not have
the right parity of taps, but I still count them.)
>If anyone just wants tap sequences, that site also has lists of all
>maximal length tap sequences for registers up to 24 bits plus 2, 4, and 6
>tap ML sequences for 25 to 32 bits. I'm working on a list of dense (half
>the bits or more involved) sequences for the latter -- maybe a couple
>more weeks.
It may take a /bit/ longer than a couple of weeks to brute
force the dense 32 bit ML sequences.
Scott Nelson <[EMAIL PROTECTED]>
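The primitive-versus-irreducible distinction Forrest raises above, as an added example that is not part of the thread or of Scott's lfsr program: a polynomial over GF(2) of degree r gives a maximal-length LFSR exactly when the multiplicative order of x modulo the polynomial is 2^r - 1, which a Galois-form LFSR measures directly by stepping until the state returns to 1. The encoding (bit i of an int is the coefficient of x^i) and the function names are this example's own.

```python
# Added example (not from the thread): is an LFSR feedback polynomial
# primitive, i.e. maximal length? A degree-r polynomial is encoded as an
# int whose bit i is the coefficient of x^i (bit r and bit 0 both set).

def lfsr_period(poly, r):
    """Period of the Galois-form LFSR defined by `poly`, starting from state 1.

    One step multiplies the state (a polynomial of degree < r) by x and
    reduces modulo `poly`, so the state returns to 1 after ord(x) steps.
    Returns None when `poly` lacks the x^r or constant term (then x is not
    invertible modulo `poly` and the state never returns to 1).
    """
    if not (poly >> r) & 1 or not poly & 1:
        return None
    state = 1
    for n in range(1, 2 ** r):
        state <<= 1
        if (state >> r) & 1:
            state ^= poly
        if state == 1:
            return n
    return None


def is_primitive(poly, r):
    """Maximal length <=> x has order 2^r - 1 modulo poly."""
    return lfsr_period(poly, r) == 2 ** r - 1


def has_odd_weight(poly):
    """Quick reject behind Scott's 'parity of taps': an even number of terms
    means poly(1) = 0, so x + 1 divides it and it cannot be irreducible,
    let alone primitive."""
    return bin(poly).count("1") % 2 == 1


def count_primitive(r):
    """Number of primitive polynomials of degree r (theory: phi(2^r - 1) / r)."""
    total = 0
    for poly in range(1 << r, 1 << (r + 1)):
        if poly & 1 and has_odd_weight(poly) and is_primitive(poly, r):
            total += 1
    return total


if __name__ == "__main__":
    # Forrest's example: x^4 + x^3 + x^2 + x + 1 is irreducible but not primitive.
    print("period of x^4+x^3+x^2+x+1:", lfsr_period(0b11111, 4))   # 5, not 15
    print("period of x^4+x+1:        ", lfsr_period(0b10011, 4))   # 15
    print("degree-4 primitive polys: ", count_primitive(4))        # 2
    print("degree-8 primitive polys: ", count_primitive(8))        # 16
```

count_primitive(16) returns the 2048 Forrest quotes (phi(65535)/16) but takes minutes in pure Python, since every candidate that survives the parity check may need up to 65535 steps.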
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Contest rule proposal
Date: Fri, 02 Jun 2000 17:59:51 GMT
On 02 Jun 2000 08:41:17 -0700, in <[EMAIL PROTECTED]>,
in sci.crypt Andru Luvisi <[EMAIL PROTECTED]> wrote:
>[...]
>The point here is: Why should we be giving someone
>cost free analysis when they won't give us the algorithm cost free?
Feel free to not give such an analysis.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Contest rule proposal
Date: Fri, 02 Jun 2000 18:00:12 GMT
On 2 Jun 2000 14:59:11 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:
>Terry Ritter <[EMAIL PROTECTED]> wrote:
>
>> I don't guess you would. A worldwide royalty-free license might as
>> well mean there was no patent at all.
>
>That's clearly not what Adams and Tavares thought when they granted such
>licences for CAST-128 and CAST-256. And it's clearly not what RSA
>Security Inc. thought when they submitted RC6 to the AES contest.
If you have something to say I suggest you say it more directly.
>> And that's exactly why I did not participate in AES. If any contest
>> is to see all available techniques, it must allow patented techniques
>> as well.
>
>I could go into a patents rant at this point. I'll try to resist, and
>instead pick at the word `available': the `availability' of a patented
>cipher is qualitatively different from the `availability' of a free
>cipher.
At least AES could *argue* (unconstitutionally, I believe) that there
was a *reason* for having an unencumbered cipher. No such reason
exists in a much more informal contest.
Nor is science helped by hiding one's head in the sand and hoping to
prevent new technology from appearing. The issue for every academic
and analyst should be whether or not they know how to address the new
technology and develop a meaningful understanding from it. That has
nothing whatsoever to do with whether someone owns that technology or
not.
>> This is an issue which is obviously not science.
>
>Clearly. If all we wanted to do was to make scientific progress, we
>should just get on and do that. But it's not that simple: people seem
>to want to make money at the same time, and that's where the problem
>comes from.
I would say that some people seem to want to lump science with their
own meager view of the world, and hope to prevent others from choosing
their own approach, even though that is legal, moral, and effective.
One point of a patent is to *reveal* information, as opposed to
keeping it secret. This choice is always available, and if there is
no profit from exposure, then there will be more secrecy and less
public advance. Congratulations on being on the wrong side.
>> Everybody wants a free lunch. If we just pass a law demanding free
>> lunches, everyone can eat. Right?
>
>I'm not so fussed about paying for lunches. Each individual lunch takes
>time and effort to prepare. [There's a long off-topic rant about this
>distinction, which I'll omit.]
There is no distinction: Each individual new technology takes time to
research and prepare, and unless costs are recovered, that research
cannot continue.
So-called "free" ciphers are one of the worst possible deals that
society could have made. Not only does society get to pay for the
systems which use those "free" ciphers, they simultaneously reduce the
financial basis for an industry of cipher development and measurement
which would produce a continuing flow of good ciphers.
>On the subject of free lunches, though, isn't there something of the
>same sort in presenting your cipher, which you plan to cash from, for
>review and analysis from people in their spare time?
Feel free to not review and analyze anything you don't want to. One
purpose of presenting new ciphering technology is to improve the
analyst, not the cipher. I don't charge for that.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Contest rule proposal
Date: Fri, 02 Jun 2000 18:00:29 GMT
On 02 Jun 2000 08:33:45 -0700, in <[EMAIL PROTECTED]>,
in sci.crypt Andru Luvisi <[EMAIL PROTECTED]> wrote:
>[...]
>You hit the nail quite squarely on the head: Why should we give a
>designer no cost analysis when he won't give us the algorithm for no
>cost?
That nail *has* no head: If you don't want to contribute an analysis,
then don't. Nobody is forcing you. Don't whine about having to do
something you can simply choose to not do.
Of course that means you will not have developed techniques to perform
such an analysis in the context of the new technology, but that is
your loss.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Good ways to test.
Date: Fri, 02 Jun 2000 18:04:37 GMT
On 2 Jun 2000 16:06:01 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:
>John <[EMAIL PROTECTED]> wrote:
>
>> Are there any resources, preferably on the Net, that can help test
>> the strength of an encryption system?
There is -- and can be -- no test which can find all possible
weaknesses in a system.
>The most effective resource is a Good Cryptanalyst. Several of these
>can be contacted using the Net. They grow on trees.
Unfortunately, cryptanalysts can't know the strength of a system
unless they can break it. If they can't break it, the system may be
weak anyway.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
End of Cryptography-Digest Digest
******************************