Cryptography-Digest Digest #26, Volume #12 Wed, 14 Jun 00 15:13:01 EDT
Contents:
Comments/analysis requested: stream cipher derived from hash function (SHA-1) (Lon Willett)
Re: Why the golden ratio? ("Tony T. Warnock")
Re: SBOX Bananza (tomstd)
Re: Comments/analysis requested: stream cipher derived from hash function (SHA-1) (tomstd)
Re: Retract my views on AES (DJohn37050)
Re: Can we say addicted? ([EMAIL PROTECTED])
Re: Can we say addicted? (Mike Rosing)
Re: Can we say addicted? (tomstd)
Re: Retract my views on AES (tomstd)
On using compression as proper means of encryption (Mok-Kong Shen)
hmac and 'length' issues ([EMAIL PROTECTED])
Re: Finding prime numbers ("Tony T. Warnock")
Re: Would you recon HushPOP to be any good ? ("Martin Hamann")
Re: Good ways to test. (James Felling)
Re: SBOX Bananza ("Adam Durana")
Re: Can we say addicted? (Anton Stiglic)
Re: Can we say addicted? (Anton Stiglic)
Re: Can we say addicted? (Anton Stiglic)
Threshold Schemes. (Simon Johnson)
Re: Threshold Schemes. (Anton Stiglic)
Re: Diffie's New directions in Cryptography (Anton Stiglic)
Re: On using compression as proper means of encryption (Anton Stiglic)
Re: My latest paper on Block Ciphers (Anton Stiglic)
Re: tiger (csybrandy)
Re: Interesting Magazine Article (Mike, Copperhead) (Anton Stiglic)
Re: SBOX Bananza (tomstd)
Re: Q: Using two DES modules (Mark Wooding)
----------------------------------------------------------------------------
From: Lon Willett <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Comments/analysis requested: stream cipher derived from hash function (SHA-1)
Date: Wed, 14 Jun 2000 17:03:50 GMT
Reply-To: [EMAIL PROTECTED]
Crypto gurus,
Following is a construction which makes a stream cipher out of a
cryptographic hash function. It is similar to Peter Gutmann's MDC
construction (see Bruce Schneier's "Applied Cryptography"). Note that
Schneier doesn't much care for Gutmann's construction.
I would be interested in any results/comments that knowledgeable
people in the crypto community have concerning it. The point of this
construction is to use it as the basis of a PRNG, with backtracking
attacks algorithmically prevented. Other stream ciphers that I'm
aware of don't have the property that they can't be run "in reverse".
The simple stream cipher description is:
===== BEGIN stream cipher
Notation:
N -- size of hash function output
B -- size of hash function block; must be >= N.
hash(S: DATA) -- cryptographic hash compression function that maps
the N-bit value "S" and the B-bit value "DATA" to an N-bit value
(e.g. "hash" is SHA-1, "N" is 160, and "B" is 512).
State (after N*i bits output):
S1[i], S2[i] -- N-bit values
Iterative step (generate the next N bits of output):
Output[i] = S1[i] xor S2[i]
S1[i+1] = hash(S1[i]: S2[i])
S2[i+1] = hash(S2[i]: S1[i])
===== END stream cipher
Note that even if S1[i] and S2[i] are captured by an adversary, it is
still a hard problem to determine what Output[i-1], S1[i-1], and
S2[i-1] were.
This is basically a simple entropy pool remixing function (where the
pool contains 2*N bits of data).
Other RNGs seem to assume that enough entropy can be collected before
they remix their pools to prevent backtracking attacks. I would like
to make backtracking attacks "hard", even in the absence of any new
entropy, and this seems to be the simplest way of doing it.
(Actually, good RNGs use remixing functions that are similar to this
one, even in the absence of new entropy. But their design
descriptions _are_ based on the idea that new entropy is added, and no
one seems to evaluate them as stream ciphers in the case that there is
_no_ added entropy).
For those interested, the way I actually intend to apply it is
described below. I don't have too many worries about this usage,
because as long as either of "E[i+1]" or "H[i+1]" is strong, the
additional entropy guarantees that this is secure. And the intended
usage doesn't require so much random output as to prevent obtaining a
strong value for "E[i+1]" with high frequency (actually, the output is
just used to seed a conventional ANSI X9.17 RNG, which is run only for
limited periods of time). But I am still very interested in how
strong it remains when both "E[i+1]" and "H[i+1]" are missing (zero),
but the initial values for S1[0] and S2[0] are strong.
===== BEGIN RNG
RNG state after i iterations (each an N bit value):
S1[i], S2[i], H[i]
Iterative step:
Input:
E[i+1] -- N-bit miscellaneous entropy data (if available, else zero)
H[i+1] -- N-bit hardware RNG generated value (if available, else
zero)
Notes:
H[i+1] may be weak (or zero), or may be known to an adversary,
but CAN NOT BE MANIPULATED by the adversary (ideally, of course,
it is none of these things).
There are no restrictions on E[i+1], but if it doesn't contain a
full N bits of entropy, then the PRNG is susceptible to an
iterative guessing attack, and so it shouldn't be used. Rather,
it should be saved and combined with more entropy sources until
at least N bits of entropy have been accumulated. And, of
course, ideally it should be unknown and unmanipulated by
attackers.
Output:
New state:
S1[i+1] = hash(S1[i]: S2[i], E[i+1])
S2[i+1] = hash(S2[i]: S1[i], H[i])
H[i+1]
Random value (N bits):
Output[i+1] = S1[i+1] xor S2[i+1] xor H[i+1]
===== END RNG
All comments welcome. Thanks in advance.
Lon Willett
<[EMAIL PROTECTED]>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: Why the golden ratio?
Date: Wed, 14 Jun 2000 11:15:20 -0600
Reply-To: [EMAIL PROTECTED]
Volker Hetzer wrote:
> Dennis Scott wrote:
> [golden ratio]
> > This is one that I remember from high school:
> >
> > e^(i*pi) + 1 = 0
> >
> > i=sqrt(-1)
> So, how would one get from your equation to the value 0.618?
>
By going through Bakersfield?
------------------------------
Subject: Re: SBOX Bananza
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2000 10:15:32 -0700
In article <8i8crv$44s$[EMAIL PROTECTED]>, Simon Johnson
<[EMAIL PROTECTED]> wrote:
>Right you're saying, to generate a brilliant S-box. I pick a modulo
>bigger a tad bigger than the size i want. e.g. for a 16x16, use 65537
>and iterate from x=0 to x=65535
>
>e=(Good old Irrational E.)
>For i = 0 to 65535:
>sbox[i]=(i^e) mod 65537
>
>If so, very good work tom..... :)
Have you actually tested any of these sboxes?
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
Subject: Re: Comments/analysis requested: stream cipher derived from hash function (SHA-1)
From: tomstd <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Date: Wed, 14 Jun 2000 10:22:22 -0700
A better, simpler idea is to maintain the same S1/S2 buffers and perform this:
S1' = H(S1 || S2)
S2' = H(S2 || S1)
Output S1' and replace (S1, S2) with (S1', S2')
However you don't know the period of this prng, so it could be very short or long.
An even better idea is to maintain a counter.
Pick a random 512-bit string r, and a 128-bit counter k.
O = H(k || r)
k = k + 1
Where O is the next output.
Assuming the hash is secure (and 'r' is random) this scheme
should be secure as well.
Tom
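The two constructions discussed in this thread, Willett's two-state hash generator (with the full RNG step including the E and H inputs) and tomstd's counter-mode H(k || r) alternative, side by side as an added example. This is not code from either post. It assumes SHA-1 via hashlib; because hashlib cannot load S as SHA-1's chaining value, the post's hash(S: DATA) is approximated as SHA-1(S || DATA), which keeps the structure but is not the literal compression-function call. The seeds are constructed values. The point worth checking is the one Willett asked about: holding the current state lets anyone run either generator forward, but only the counter design lets the holder of (k, r) recompute every earlier output, so it has none of the backtracking resistance Willett wants. tomstd's period caveat is real too: the two-state design's cycle length under iteration is unknown, which is a reason to add a counter or fresh entropy in practice.

```python
import hashlib

N = 20  # bytes in a SHA-1 output (the post's N = 160 bits)


def h(state, data):
    """Stand-in for the post's hash(S: DATA). hashlib cannot load S as SHA-1's
    chaining value, so S is hashed as a prefix of the data instead (an assumption
    of this example, not the exact compression-function call in the post)."""
    return hashlib.sha1(state + data).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class TwoStateCipher:
    """Willett's stream cipher: Output[i] = S1[i] ^ S2[i],
    S1[i+1] = h(S1[i]: S2[i]), S2[i+1] = h(S2[i]: S1[i])."""

    def __init__(self, s1, s2):
        assert len(s1) == N and len(s2) == N
        self.s1, self.s2 = s1, s2

    def next_block(self):
        out = xor(self.s1, self.s2)
        self.s1, self.s2 = h(self.s1, self.s2), h(self.s2, self.s1)
        return out


class WillettRng(TwoStateCipher):
    """The full RNG: state (S1, S2, H); inputs E[i+1] and H[i+1], zero when absent.
    As written in the post, the S2 update consumes H[i], the previous hardware
    value, while the output mixes in the fresh H[i+1]."""

    def __init__(self, s1, s2):
        super().__init__(s1, s2)
        self.h_prev = bytes(N)

    def step(self, e=bytes(N), hw=bytes(N)):
        s1 = h(self.s1, self.s2 + e)            # S1[i+1] = hash(S1[i]: S2[i], E[i+1])
        s2 = h(self.s2, self.s1 + self.h_prev)  # S2[i+1] = hash(S2[i]: S1[i], H[i])
        self.s1, self.s2, self.h_prev = s1, s2, hw
        return xor(xor(s1, s2), hw)             # Output[i+1] = S1 ^ S2 ^ H[i+1]


class CounterGenerator:
    """tomstd's alternative: O = H(k || r) with a 128-bit counter k and 512-bit r."""

    def __init__(self, r, k=0):
        assert len(r) == 64
        self.r, self.k = r, k

    def next_block(self):
        out = hashlib.sha1(self.k.to_bytes(16, "big") + self.r).digest()
        self.k += 1
        return out


def run(gen, n):
    return [gen.next_block() for _ in range(n)]


def counter_backtrack(r, k, n):
    """With a captured (k, r) every earlier output is a single hash away: the
    counter design gives no backtracking resistance, the property Willett's
    two-state design is built for."""
    return [hashlib.sha1(j.to_bytes(16, "big") + r).digest() for j in range(k - n, k)]


# Constructed seeds for the demonstration (not values from the thread).
S1_0 = hashlib.sha1(b"constructed seed 1").digest()
S2_0 = hashlib.sha1(b"constructed seed 2").digest()
R = hashlib.sha512(b"constructed r").digest()

if __name__ == "__main__":
    c = TwoStateCipher(S1_0, S2_0)
    print([o.hex()[:16] for o in run(c, 3)])
    cg = CounterGenerator(R)
    seen = run(cg, 4)
    print(counter_backtrack(cg.r, cg.k, 4) == seen)  # True: past outputs recovered
```

Forward recomputation from a captured (S1, S2) is trivial for both designs; what the two-state update is meant to prevent is going the other way, which here would require inverting SHA-1 on a 2N-bit preimage. The example cannot prove that hardness, it only makes the contrast with the counter design concrete.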
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Retract my views on AES
Date: 14 Jun 2000 17:25:54 GMT
I try to retract a previous thought at least once a day.
Don Johnson
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Can we say addicted?
Date: Wed, 14 Jun 2000 17:19:49 GMT
In article <[EMAIL PROTECTED]>,
Anton Stiglic <[EMAIL PROTECTED]> wrote:
>
> > Mike Rosing <[EMAIL PROTECTED]> wrote:
> >
> > : http://www.terracom.net/~eresrch/float/rho3.png [...]
> Yeark, a microsoft application url?
What makes that a "microsoft application url"? It doesn't reference a
.doc, or .bmp, or .xls, or .cab, or any other common microsoft formats.
The image is a simple image, no ActiveX involved. Using a ~ to get to a
user's home directory is an old unix practice, and the choice of
webserver is based entirely on the admin's needs weighed against costs
and benefits of the available servers. So, criticizing their choice of
server doesn't seem productive either.
I suppose, I just don't get it. Please explain what a "microsoft
application URL" is. :)
Thanks
and Mike -- nice picture. :)
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Can we say addicted?
Date: Wed, 14 Jun 2000 12:27:48 -0500
Anton Stiglic wrote:
> Yeark, a microsoft application url?
No, .png is "portable network graphics". Not an application. And it's
all pure linux :-)
For some psychedelic pictures check out
http://www.terracom.net/~ereserch/float/movie and
http://www.terracom.net/~ereserch/float/movie2
I've got too many to upload, but it gives the flavor. Trying to show a
6 dimensional object is kinda hard, so I'll have some more pictures in
the next few days.
Patience, persistence, truth,
Dr. mike
------------------------------
Subject: Re: Can we say addicted?
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2000 10:31:59 -0700
In article <[EMAIL PROTECTED]>, Mike Rosing
<[EMAIL PROTECTED]> wrote:
>Anton Stiglic wrote:
>> Yeark, a microsoft application url?
>
>No, .png is "portable network graphics". Not an application. And it's
>all pure linux :-)
>
>For some psychedelic pictures check out
>http://www.terracom.net/~ereserch/float/movie and
>http://www.terracom.net/~ereserch/float/movie2
>
>I've got too many to upload, but it gives the flavor. Trying to show a
>6 dimensional object is kinda hard, so I'll have some more pictures in
>the next few days.
Dude I got a four-oh-four.
Tom
------------------------------
Subject: Re: Retract my views on AES
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2000 10:33:18 -0700
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (DJohn37050) wrote:
>I try to retract a previous thought at least once a day.
>Don Johnson
Then I retract my retraction :)
I have the funny idea I could possibly be wrong more than once.
Hehehehe..
Tom
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: On using compression as proper means of encryption
Date: Wed, 14 Jun 2000 19:43:43 +0200
Compression has been a recurring theme in our group. It
appears to be the general opinion, however, that
compression, while it helps by reducing the redundancy
present in the plaintext, doesn't play a prominent or
essential role in what is commonly considered to be
encryption processing as such. In fact, a few years ago
the moderator of a crypto mailing list declared
compression to be off-topic for his list.
However, a compression algorithm can be employed in such a
way that secret information not available to the opponent
is necessary to decompress in order to recover the
original plaintext. Thus to regard compression as not a
full-fledged element in the toolbox of crypto designers is
clearly misguided. I would therefore like to describe in the
following a concrete encryption scheme based on compression:
Use a PRNG (crypto strength unessential) with a key as
seed to generate a sequence of symbols (length of sequence
determined by PRNG) to initialize an adaptive Huffman
compression algorithm, taking care that all symbols of the
plaintext alphabet are input at least once. The output in
this initialization phase is discarded. Then start feeding
symbols of the plaintext into the algorithm. Use the result
as ciphertext. Decryption amounts to a corresponding
decompression after doing the same initialization.
The security of the scheme is based on the fact that the
opponent has no knowledge of the state of the compression
algorithm at completion of the initialization phase.
One can employ the scheme alone or as a component of a
larger scheme (multiple encryption), where we note that it
need not necessarily be the first component of the whole (as
compared to current usage of compression as pre-processing).
One can also substantially boost the scheme described
above with simple add-ons. Since a PRNG is available to us
anyway, I suggest that for this purpose we inject into the
output stream of compression some amount of random bits
at dynamically determined time points with the aid of the
PRNG. In view of the fact that the symbols of the
compression output do not have the same constant number of
bits as the ASCII bytes of the plaintext, such
injections evidently greatly enhance the difficulty of the
task of locating the position of the first bit of any proper
symbol of the compression output stream, thus entirely
leading the analyst astray on the way to his mecca.
It may be noted that we require only a normal adaptive
Huffman compression algorithm. No modifications (e.g. for
achieving the so-called one-to-one property) whatsoever are
needed, since we have arranged to prevent the opponent from
doing proper decompression processing in the first place.
Thanks for your comments in advance.
M. K. Shen
=============================
http://home.t-online.de/home/mok-kong.shen
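The basic scheme above (keyed PRNG warm-up of an adaptive Huffman model, then plaintext symbols compressed under that model, decryption as decompression after the same warm-up) as an added example; this is not the poster's code. It uses a simplified adaptive Huffman coder that rebuilds the code from the running symbol counts after every symbol, which is slower than an FGK or Vitter tree update but adapts in the same way; the alphabet (printable ASCII), the PRNG (Python's random.Random seeded with the key, not a cryptographic PRNG, as the post allows) and the warm-up length range are assumptions. The random-bit injection add-on is left out. The example checks the only thing the scheme's security rests on, that the warm-up state is the secret: the right key decodes, a wrong key produces garbage or a stream that does not decode.

```python
import heapq
import random

ALPHABET = [chr(c) for c in range(32, 127)]  # printable ASCII; an assumption


def huffman_code(counts):
    """Huffman code for the current counts, rebuilt from scratch. Ties are broken
    by symbol order and insertion index so encoder and decoder build the same tree."""
    heap = [(c, i, (s,)) for i, (s, c) in enumerate(sorted(counts.items()))]
    heapq.heapify(heap)
    code = {s: "" for s in counts}
    nxt = len(heap)
    while len(heap) > 1:
        c1, _, g1 = heapq.heappop(heap)
        c2, _, g2 = heapq.heappop(heap)
        for s in g1:
            code[s] = "0" + code[s]
        for s in g2:
            code[s] = "1" + code[s]
        heapq.heappush(heap, (c1 + c2, nxt, g1 + g2))
        nxt += 1
    return code


def keyed_initial_model(key):
    """The initialization phase: a keyed PRNG emits a sequence of symbols whose
    length it also determines; every alphabet symbol is counted at least once.
    The compressor's output during this phase is discarded, so only the
    resulting counts (the model state) matter."""
    rng = random.Random(key)
    counts = {s: 1 for s in ALPHABET}
    for _ in range(rng.randrange(500, 1000)):
        counts[rng.choice(ALPHABET)] += 1
    return counts


def encrypt(key, plaintext):
    counts = keyed_initial_model(key)
    bits = []
    for s in plaintext:
        bits.append(huffman_code(counts)[s])
        counts[s] += 1  # adaptive update after each symbol
    return "".join(bits)


def decrypt(key, bits):
    counts = keyed_initial_model(key)
    out, i = [], 0
    while i < len(bits):
        rev = {v: k for k, v in huffman_code(counts).items()}
        j = i + 1
        while bits[i:j] not in rev:  # prefix code: extend until a codeword matches
            j += 1
            if j > len(bits):
                raise ValueError("bit stream does not decode under this model")
        s = rev[bits[i:j]]
        out.append(s)
        counts[s] += 1
        i = j
    return "".join(out)


def wrong_key_recovers(real_key, wrong_key, plaintext):
    """Does decompression under a different warm-up state yield the plaintext?"""
    try:
        return decrypt(wrong_key, encrypt(real_key, plaintext)) == plaintext
    except ValueError:
        return False


if __name__ == "__main__":
    key, msg = "constructed key", "Attack at dawn, 14 Jun 2000."  # constructed sample
    ct = encrypt(key, msg)
    print(len(ct), "bits;", decrypt(key, ct) == msg)
```

Note that the ciphertext is a bit string whose length depends on the plaintext, and that the model's secret state is the only thing standing between the attacker and plain decompression; the example demonstrates the mechanism, not a security argument for it.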
------------------------------
From: [EMAIL PROTECTED]
Subject: hmac and 'length' issues
Date: Wed, 14 Jun 2000 17:27:49 GMT
One common problem with using keyed hashes as MACs is that additional
data could be appended (or pre-pended, depending on the algorithm) with
the required hashing easily performed.
From what I have seen of the HMAC construction, it doesn't need a length
field to help prevent this sort of attack, but I would sure like some
consensus to that effect from other cryptoheads before implementing it
without a length field.
thanks in advance.
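The appending problem the question refers to, and why HMAC does not need a length field to stop it, as an added example that is not part of the original post. A "secret prefix" MAC H(key || msg) over a Merkle-Damgard hash is extendable: the tag is the hash's final chaining value, so anyone who knows the tag and the key length can resume the hash and produce a valid tag for msg || padding || suffix without the key. The code below carries its own small SHA-1 (needed only because hashlib cannot resume from a chaining value), forges a tag against the naive MAC, and shows the same forged tag is rejected by HMAC-SHA1 from the standard library, since HMAC's outer hash H(K ^ opad || inner) never exposes the inner chaining value. Key, message and suffix are constructed values.

```python
import hashlib
import hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_padding(total_len):
    """The Merkle-Damgard padding SHA-1 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def _compress(h, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]


def sha1(data, state=None, already_hashed=0):
    """SHA-1 of data. Given state/already_hashed it resumes from a captured
    chaining value, which is exactly what a length-extension attacker can do."""
    h = list(state) if state is not None else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    buf = data + sha1_padding(already_hashed + len(data))
    for off in range(0, len(buf), 64):
        h = _compress(h, buf[off:off + 64])
    return struct.pack(">5I", *h)


def sha1_matches_stdlib(data):
    return sha1(data) == hashlib.sha1(data).digest()


def naive_mac(key, msg):
    """The extendable 'secret prefix' keyed hash: H(key || msg)."""
    return sha1(key + msg)


def extend_naive_mac(tag, key_len, msg, suffix):
    """Without the key, forge a valid naive tag for msg || glue || suffix."""
    glue = sha1_padding(key_len + len(msg))
    state = struct.unpack(">5I", tag)
    forged_msg = msg + glue + suffix
    forged_tag = sha1(suffix, state, key_len + len(msg) + len(glue))
    return forged_msg, forged_tag


def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


# Constructed sample values (not from the post).
KEY = b"s3cret-k3y"
MSG = b"amount=10&to=alice"
SUFFIX = b"&to=mallory"


def demo():
    """Returns (naive MAC accepts the forgery, HMAC accepts the forgery)."""
    tag = naive_mac(KEY, MSG)
    forged_msg, forged_tag = extend_naive_mac(tag, len(KEY), MSG, SUFFIX)
    naive_accepts = naive_mac(KEY, forged_msg) == forged_tag
    # Against HMAC the attacker could at best extend the inner hash, but the
    # verifier recomputes H(K^opad || H(K^ipad || m)) and the extended tag fails.
    hmac_accepts = hmac_sha1(KEY, forged_msg) == forged_tag
    return naive_accepts, hmac_accepts


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The forged message carries the glue padding bytes in the middle, which is harmless in many parsers (query strings, JSON with a trailing key), so a length field is not what saves you; the nested keyed structure of HMAC is.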
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: Finding prime numbers
Date: Wed, 14 Jun 2000 11:46:04 -0600
Reply-To: [EMAIL PROTECTED]
Scott Fluhrer wrote:
> Bryan Olson <[EMAIL PROTECTED]> wrote in message
> news:8i5vn7$bia$[EMAIL PROTECTED]...
> > I wrote:
> > > Since we have algorithms that can find
> > > the almost-certainly next prime in polynomial time, a
> > > next-prime oracle could not reduce the time from
> > > super-polynomial to polynomial.
> >
> > I didn't write that as clearly as I should.
> (Actually, I thought it was pretty clear)
>
> > Our best factoring algorithms are currently super-polynomial
> > time. Now suppose we have a next-prime oracle; given a
> > prime it returns the next prime in constant time. Could the
> > oracle be the key to reducing the time to factor to
> > polynomial?
> >
> > No it could not. If we had a polynomial time factoring
> > algorithm that uses the oracle, we could always replace the
> > oracle with our current next-prime method. Our current
> > next-prime algorithm is polynomial time. Replacing all
> > the calls to the oracle in the p-time factoring algorithm
> > with calls to the p-time next-prime algorithm, would at
> > worst result in a run time proportional to the product of
> > the two polynomials, which is also a polynomial.
> Nit: do we have an algorithm that we can prove finds the next prime in
> polynomial time? I didn't think we did. If you are looking at the
> straight-forward:
>
> n = n+1
> while n is not prime
> n = n+1
>
> then you need to show that the gap between a prime p and next prime (the
> number of loop iterations) is bounded by a polynomial in log(p). Now,
> looking at prime gap tables, that appears to be very likely, but I didn't
> think anyone had proven that.
>
> If that has been proven, could someone enlighten me? If you are thinking of
> a different next-prime algorithm, could you enlighten me?
>
One does have the theorem that there is a prime between P(k) and 2P(k); also,
there is a prime between P and P**c for (I think) any c>1+epsilon.
------------------------------
From: "Martin Hamann" <[EMAIL PROTECTED]>
Subject: Re: Would you recon HushPOP to be any good ?
Date: Wed, 14 Jun 2000 19:38:24 +0200
Reply-To: "Martin Hamann" <[EMAIL PROTECTED]>
> Incorrect. Mr. Schneier was reasonably positive about hushmail, but he
> also points out some flaws. He was quite less positive about the other
> secure web-based mail companies.
--cut--
I'm very sorry - I agree with you now, after reading the old Cryptogram.
I should have doublechecked, please excuse my carelessness.
Regards,
Martin Hamann, Student,
Technical University of Denmark.
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Good ways to test.
Date: Wed, 14 Jun 2000 12:55:45 -0500
John wrote:
> I am confused here. I have read many messages about secure
> encryption systems. I find basically this:
>
> 1. A system can pass tests, but may not be secure.
True in an absolute sense.
>
> 2. A system can fail tests, but may be secure.
True, but more likely false in general. A system failing a test regarding
some cryptographic aspect is probably broken. If it is still secure after such
a failure it will typically be secure only because no one has figured out how to
exploit the flaw (yet). It is possible that the flaw may not be an exploitable
one, but if a system fails a test like that, it is a red flag, and I would avoid
it.
>
>
> I think I am missing something. Why would we test, if the info.
> is not going to help us?
It will help us, but finding a flaw is not the same as exploiting one. The
testing helps by allowing us to feel confident that Area X, which tested fine,
does not have a flaw in a manner detectable by our tests. More importantly, if a
test is failed, we can then look at our algorithm and see if redesign will
help it out. (They are indicators of trouble as opposed to guarantees of trouble
-- like dashboard warning lights on a car.)
>
>
------------------------------
From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: SBOX Bananza
Date: Wed, 14 Jun 2000 14:12:28 -0400
> Right you're saying, to generate a brilliant S-box. I pick a modulo
> bigger a tad bigger than the size i want. e.g. for a 16x16, use 65537
> and iterate from x=0 to x=65535
>
> e=(Good old Irrational E.)
> For i = 0 to 65535:
> sbox[i]=(i^e) mod 65537
>
> If so, very good work tom..... :)
Tom doesn't mean e as in the natural base. e is just a constant he chose.
Depending on what values you choose for e and p (p = the modulus), the
resultant s-box may have good or bad properties. The trick is to find an e
and p that together produce a good s-box by this method.
- Adam
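An added example of what "actually testing" the quoted construction looks like; this is not code from anyone in the thread. It builds sbox[i] = i^e mod p for the 8-bit case (p = 257, i = 0..255, an assumption chosen so the full difference table is cheap to compute) and reports whether the result is a permutation and the largest entry of its XOR difference distribution table. Two facts worth knowing before running a search over e and p: x^e mod p permutes the nonzero residues exactly when gcd(e, p-1) = 1, and for p = 257 or 65537 (p-1 a power of two) that means any odd e gives a bijective box, e = 1 being the identity; and the table that matters for differential cryptanalysis is the XOR table, because a Feistel or SPN round mixes with XOR even though the box was built with modular arithmetic. For the 16x16 case the same check costs 2^32 evaluations, which this script does not attempt.

```python
from collections import Counter


def power_sbox(e, p):
    """The construction quoted in this thread: sbox[i] = i^e mod p for i = 0 .. p-2,
    p a prime one larger than the table size (p = 257 for an 8-bit box)."""
    return [pow(i, e, p) for i in range(p - 1)]


def is_permutation(sbox):
    n = len(sbox)
    return all(0 <= v < n for v in sbox) and len(set(sbox)) == n


def max_differential(sbox):
    """Largest entry of the XOR difference-distribution table over nonzero
    input differences: the count of x with S(x) ^ S(x ^ a) = b, maximised
    over (a, b). n/1 means affine, smaller is better."""
    n = len(sbox)
    assert n & (n - 1) == 0, "table size must be a power of two for XOR differences"
    worst = 0
    for a in range(1, n):
        counts = Counter(sbox[x] ^ sbox[x ^ a] for x in range(n))
        worst = max(worst, max(counts.values()))
    return worst


def survey(p, exponents):
    """For each candidate e: (is a permutation?, max DDT entry)."""
    result = {}
    for e in exponents:
        s = power_sbox(e, p)
        result[e] = (is_permutation(s), max_differential(s))
    return result


if __name__ == "__main__":
    for e, (bij, dp) in survey(257, [1, 2, 3, 5, 7, 11]).items():
        print(f"e={e:3d}  permutation={bij}  max DDT entry={dp}/256")
```

Even exponents fail the permutation test (i and p-i square to the same value), e = 1 is the identity with a maximal table entry of 256, and the odd exponents are the ones worth comparing; a box that passes the differential check still needs the usual linear and algebraic-degree checks, since i^e mod p for a small e is a low-degree function over GF(p).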
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Can we say addicted?
Date: Wed, 14 Jun 2000 14:24:39 -0400
[EMAIL PROTECTED] wrote:
>
> In article <[EMAIL PROTECTED]>,
> Anton Stiglic <[EMAIL PROTECTED]> wrote:
> >
> > > Mike Rosing <[EMAIL PROTECTED]> wrote:
> > >
> > > : http://www.terracom.net/~eresrch/float/rho3.png [...]
>
> > Yeark, a microsoft application url?
>
> What makes that a "microsoft application url"? It doesn't reference a
> .doc, or .bmp, or .xls, or .cab, or any other common microsoft formats.
I think you completely misunderstood what I wrote.
It was a question (see the question mark). I did not know what a .png file was.
> The image is a simple image, no ActiveX involved..
Well it's not just a simple image. It seems like my netscape can view
the .png files that are embedded in html, such as in the web page below:
http://www.terracom.net/~eresrch/float/
but it can't directly view the file
http://www.terracom.net/~eresrch/float/rho3.png
This might be because of the fact that in my "Applications" menu,
PNG is associated with a plug-in (which I have not defined), and I
can't tell Netscape that the file should be handled by itself (the
browser) and not an external plug-in application.
I'm using Netscape Communicator 4.72 by the way...
Anton
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Can we say addicted?
Date: Wed, 14 Jun 2000 14:28:35 -0400
[EMAIL PROTECTED] wrote:
>
> In article <[EMAIL PROTECTED]>,
> Anton Stiglic <[EMAIL PROTECTED]> wrote:
> >
> > > Mike Rosing <[EMAIL PROTECTED]> wrote:
> > >
> > > : http://www.terracom.net/~eresrch/float/rho3.png [...]
>
> > Yeark, a microsoft application url?
By microsoft application url, I meant if it was a url to a file
that can only be opened by a Microsoft-only application, like
the latest version of .doc files (although StarOffice and other
Linux applications can handle a bunch of the older versions) or others
such as in your example.
Anton
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Can we say addicted?
Date: Wed, 14 Jun 2000 14:29:46 -0400
Mike Rosing wrote:
>
> Anton Stiglic wrote:
> > Yeark, a microsoft application url?
>
> No .png is "portable network graphics". Not an application. And it's
> all pure linux :-)
O.k. cool, I found the PNG web page by the way:
http://www.libpng.org/pub/png/
Anton
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Threshold Schemes.
Date: Wed, 14 Jun 2000 18:19:14 GMT
Now that I'm more awake, I'll make another attempt at this post :p.
Basically this concerns the Threshold Scheme on Pg. 528-529 of Applied
Cryptography. In Schneier's example he uses the shadows:
3 mod 13, 7 mod 13 and 5 mod 13.
To reconstruct the message, solve this set of linear equations:
a(2^2) + (2*b) + m = 3 mod 13
a(3^2) + (3*b) + m = 7 mod 13
a(5^2) + (5*b) + m = 5 mod 13
I'm looking for a sure-fire way to find these coefficients. I can solve
it, but I need to know how many times the shadow was reduced during
computation.
Anyone willing to help? Please complete the example to show working.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
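The worked reconstruction the post asks for, as an added example (not the poster's or Schneier's code). Modular reduction during the original computation does not need to be undone: the shadows are residues mod 13 and the three equations are solved directly in GF(13), either by Gauss-Jordan elimination (which yields all three coefficients) or by Lagrange interpolation at x = 0 (which yields only the constant term m, all that secret sharing needs). With the shadows in the post, both give m = 11 and the full polynomial 7x^2 + 8x + 11 mod 13. A general k-of-n split is included so the reconstruction can be checked against fresh shares; it assumes p is prime and larger than the secret, and that the share x-values are distinct and nonzero.

```python
import random


def inv_mod(a, p):
    """Modular inverse for prime p (Fermat's little theorem)."""
    return pow(a % p, p - 2, p)


def solve_mod_p(rows, p):
    """Gauss-Jordan elimination over GF(p) on an augmented matrix [coeffs | rhs];
    returns the solution vector."""
    m = [[v % p for v in r] for r in rows]
    n = len(m)
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col])  # distinct x's: always found
        m[col], m[piv] = m[piv], m[col]
        f = inv_mod(m[col][col], p)
        m[col] = [v * f % p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                g = m[r][col]
                m[r] = [(x - g * y) % p for x, y in zip(m[r], m[col])]
    return [row[-1] for row in m]


def coefficients_from_shares(shares, p):
    """Solve a*x^(k-1) + ... + b*x + m = y for every share; returns [a, ..., b, m]."""
    k = len(shares)
    rows = [[pow(x, k - 1 - j, p) for j in range(k)] + [y] for x, y in shares]
    return solve_mod_p(rows, p)


def secret_by_lagrange(shares, p):
    """Only the constant term is wanted: evaluate the interpolating polynomial at 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * inv_mod(den, p)) % p
    return total


def make_shares(secret, k, n, p, rng=random.SystemRandom()):
    """Shamir split: a random degree-(k-1) polynomial with constant term `secret`,
    evaluated at x = 1..n. Any k shares reconstruct; fewer give no information."""
    assert 0 <= secret < p and k <= n < p
    coeffs = [rng.randrange(p) for _ in range(k - 1)]

    def f(x):
        return (sum(c * pow(x, k - 1 - i, p) for i, c in enumerate(coeffs)) + secret) % p

    return [(x, f(x)) for x in range(1, n + 1)]


# Schneier's example from the post: shadows 3, 7, 5 at x = 2, 3, 5, modulus 13.
SHARES = [(2, 3), (3, 7), (5, 5)]
P = 13

if __name__ == "__main__":
    print("a, b, m =", coefficients_from_shares(SHARES, P))  # [7, 8, 11]
    print("m by Lagrange =", secret_by_lagrange(SHARES, P))   # 11
```

p = 13 is only a textbook size; in use the prime must exceed the secret and be large enough that a share cannot be guessed, and the x-values must never be 0 (a share at x = 0 is the secret itself).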
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Threshold Schemes.
Date: Wed, 14 Jun 2000 14:35:34 -0400
Could you firstly describe that scheme briefly here, so that we don't all
have to go find the book and read it?
Anton
Simon Johnson wrote:
>
> Now, that i'm more awake, i'll make another attempt at this post :p.
>
> Basically this concerns the Threshold Scheme on Pg. 528-529 of Applied
> Cryptography. In Schneier's example he uses the shadows:
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Diffie's New directions in Cryptography
Date: Wed, 14 Jun 2000 14:43:55 -0400
[EMAIL PROTECTED] wrote:
>
> Hi,
> From where will I get an online copy of the original "New directions
> in cryptography" by Diffie and Hellmann?
>
> Here is a description of the paper
> ?New directions in cryptography?,
> IEEE Transactions on Information Theory, 22
> (1976), the IEEE 22nd Annual Symposium on Foun-dations
> of Computer Science,
I doubt you will find a 1976 paper as such on the web, unless someone
re-wrote it or scanned it.
Your best bet would be to find a library that has the IEEE FOCS
series books.
For example, Springer Lecture Notes in Computer Science has a CD
of scanned versions of all the papers from 1981 - 1997.
But I don't think that IEEE FOCS has such a thing (someone correct
me if I'm wrong).
Anton
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: On using compression as proper means of encryption
Date: Wed, 14 Jun 2000 14:50:47 -0400
May I suggest something to you?
You seem to have a lot of ideas, which might be interesting,
but the posts in which you express those ideas are very
lengthy. Personally, I haven't read one of them because I
don't want to spend that much time. It would be nice if
you could go straight to the point and express your ideas.
If something is missing, someone will ask you.
Anton
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: My latest paper on Block Ciphers
Date: Wed, 14 Jun 2000 14:54:01 -0400
Brian Gladman wrote:
>
> I use MS Word and, as you suggest, it is easy to output in postscript by
> installing a postscript printer driver. Ghostscript can then be used to
> convert from PS to PDF format using its 'pdfwrite' driver.
This is not portable. If you compile a .ps on one machine, you might not
be able to get the .pdf on another. If you start out with the .dvi format
(which you get out of latex), then you can get a .ps and .pdf on any
machine. Can you get a .dvi from MS Word?
Anton
------------------------------
From: csybrandy <[EMAIL PROTECTED]>
Subject: Re: tiger
Date: Wed, 14 Jun 2000 14:36:08 -0400
Reply-To: [EMAIL PROTECTED]
If you need a 256 bit digest, you can always use HAVAL. It has a
variable length output from 128-256 bits.
csybrandy
Cypheridea wrote:
>
> i had a few questions about the tiger hash algorithm.
>
> is it more secure than MD5 or SHA1?
> can it generate a 256 bit digest?
> Does anyone know where can i get the C++ source code?
>
> thanks
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Interesting Magazine Article (Mike, Copperhead)
Date: Wed, 14 Jun 2000 14:58:43 -0400
Mok-Kong Shen wrote:
>
> John Savard wrote:
>
> > An "Invention and Technology" special by American Heritage magazine
> > has an article on "Breaking Codes Without Computers", which talks
> > about many of the special-purpose codebreaking machines used by the
> > U.S. during World War II. The author has a book coming out this
> > October.
>
> I tend to consider 'special-purpose machines' to be 'computers'. What
> we commonly call 'computers' are 'general-purpose computers', while
> there are 'special-purpose computers', e.g. for solving some problems
> in physics more efficiently. I guess it is certainly very interesting to
> know
A hardware implementation of Twinkle would be a "special-purpose machine"
for factoring.
Hardware computing DES is a special-purpose machine for encrypting or
decrypting with DES. A supercomputer is a "special-purpose machine" for
doing parallel computations.
A Pentium III in which you run a program for factoring is *not* a
special-purpose machine.
Anton
------------------------------
Subject: Re: SBOX Bananza
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2000 11:55:50 -0700
In article <jWP15.46$[EMAIL PROTECTED]>, "Adam Durana"
<[EMAIL PROTECTED]> wrote:
>> Right you're saying, to generate a brilliant S-box. I pick a modulo
>> bigger a tad bigger than the size i want. e.g. for a 16x16, use 65537
>> and iterate from x=0 to x=65535
>>
>> e=(Good old Irrational E.)
>> For i = 0 to 65535:
>> sbox[i]=(i^e) mod 65537
>>
>> If so, very good work tom..... :)
>
>Tom doesn't mean e as in the natural base. e is just a constant he chose.
>Depending on what values you choose for e and p (p = the modulus), the
>resultant s-box may have good or bad properties. The trick is to find an e
>and p that together produce a good s-box by this method.
>
>
Bingo, I should have cleared that up. I will have this all
cleared up during the summer (I have an expanded paper planned
similar to my Feistel Paper but with a broader scope; I will
cover various methods of sbox construction, speaking of which,
Adam, do you want to help add your method of low DP to the list?)
Tom
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Q: Using two DES modules
Date: 14 Jun 2000 18:51:59 GMT
Scott Fluhrer <[EMAIL PROTECTED]> wrote:
> - If your guess is correct, no block of the OFB will repeat (unless it
> goes into a loop). If your guess is incorrect, you expect to see
> repeated blocks after 2^{32} or so blocks.
Yes, I like that. Good attack. It still makes option 2 the strongest
of the three, I think.
-- [mdw]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************