Cryptography-Digest Digest #44, Volume #12 Fri, 16 Jun 00 14:13:01 EDT
Contents:
Re: Is there a program simlar to Norton Scecret Stuff with better (Kent Briggs)
Re: Is there a program simlar to Norton Scecret Stuff with better encryption?
(Sébastien SAUVAGE)
Re: On using compression as proper means of encryption (Mok-Kong Shen)
Re: On using compression as proper means of encryption (Mok-Kong Shen)
Re: Def of "nonlinear order" (tomstd)
Extending LFSR...... (Simon Johnson)
Re: Random sboxes... real info (tomstd)
Re: Extending LFSR...... (tomstd)
Re: Why the golden ratio? (Bill Unruh)
Re: How RSA SecurID tokens work? (tomstd)
Re: GeekPress: Will Cyber Criminals Run the World? (Darren New)
Flattening of frequency distributions (Mok-Kong Shen)
Re: Cipher design a fading field? (Mok-Kong Shen)
Re: Cipher design a fading field? (Mok-Kong Shen)
Re: small subgroups in Blum Blum Shub ([EMAIL PROTECTED])
Re: GeekPress: Will Cyber Criminals Run the World? (Mike Rosing)
Re: Cipher design a fading field? ("Douglas A. Gwyn")
Re: Encryption on missing hard-drives ("Douglas A. Gwyn")
Re: Flattening of frequency distributions (Frank M. Siegert)
Re: Def of "nonlinear order" (Mike Rosing)
----------------------------------------------------------------------------
From: Kent Briggs <[EMAIL PROTECTED]>
Subject: Re: Is there a program simlar to Norton Scecret Stuff with better
Date: Fri, 16 Jun 2000 14:58:13 GMT
[EMAIL PROTECTED] wrote:
> This program I always liked, it was pretty straightforward. Uses a
> good algorythm(Blowfish), creates self-decrypting files so that those
> that don't have the program need only a password. The only thing is, I
> think it was only made in 40-bit encryption.
> Does anyone if they ever released a stronger version of Norton Secrte
> Stuff,
>
> or
>
> of another program that utilizes stronger encryption, and is about a
> easy to use.
>
> Thanx.
My shareware Puffer program (http://www.briggsoft.com/puffer.htm) can
produce DOS-compatible self-extracting archives with 128-bit CAST and/or
160-bit Blowfish. Puffer itself is a 32-bit Windows application.
--
Kent Briggs, [EMAIL PROTECTED]
Briggs Softworks, http://www.briggsoft.com
------------------------------
Subject: Re: Is there a program simlar to Norton Scecret Stuff with better encryption?
From: [EMAIL PROTECTED] (Sébastien SAUVAGE)
Date: Fri, 16 Jun 2000 15:37:56 GMT
[EMAIL PROTECTED] wrote in <[EMAIL PROTECTED]>:
>This program I always liked, it was pretty straightforward. Uses a
>good algorythm(Blowfish), creates self-decrypting files so that those
>that don't have the program need only a password. The only thing is, I
>think it was only made in 40-bit encryption.
>Does anyone if they ever released a stronger version of Norton Secrte
>Stuff,
>
>or
>
>of another program that utilizes stronger encryption, and is about a
>easy to use.
PGP 6.5.1i can do that.
It produces self-decrypting windows 32 bits executables.
It's free.
http://www.pgpi.org
--
==================================
Sébastien SAUVAGE
[EMAIL PROTECTED]
http://www.bigfoot.com/~sebsauvage
==================================
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On using compression as proper means of encryption
Date: Fri, 16 Jun 2000 18:10:28 +0200
David Hopwood wrote:
> "SCOTT19U.ZIP_GUY" wrote:
> > Becasue with out a tree you do not know where one symbol starts
> > and one symbol ends.
>
> You don't need to know that in advance. One possible approach is
> to assume that any bit position could be the start of a symbol,
> and tabulate the frequencies of all bit sequences (of lengths up
> to some reasonably small bound) starting from each position.
> Some of the actual symbols should stand out despite the noise
> caused by incorrect symbol boundaries; at that point you can
> guess most of the boundaries and repeat to give a more accurate
> frequency analysis.
My suggestion in the original post to inject random bits serves the
purpose to increase that 'noise' beyond the level practically exploitable
by the opponent.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On using compression as proper means of encryption
Date: Fri, 16 Jun 2000 18:10:16 +0200
Tim Tyler wrote:
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> : Certainly, it would be foolish claim great strength (though I don't
> : know yet a good way to analyze), not to say to jump to any claim
> : of superiority over the well-established algorithms.
>
> Another thought springs to mind: you can probably extract the
> contents of the initial Huffman tree using a chosen plaintext attack:
> Imagine sending a large number of different short strings for encryption
> as separate messages under the same key [1].
>
> ISTM, that this would tease out information pretty directly about the
> initial Huffman tree.
You are obviously considering the scheme like sort of block cipher where
one could reuse the key. The present scheme should be considered
as a stream cipher. In each session one uses a new seed for the PRNG.
If there are different messages to be sent in one session, they are to be
processed sequentially, i.e. one doesn't reset the PRNG.
> Indeed, this may even be possible using a number of known plaintexts.
I don't think that's likely. Note, as said above, the scheme is to be
thought of as a stream cipher.
I like to take this opportunity to come back to your previous critique
of problems of the scheme in dealing with extreme cases like a file of
all zeros. I realize that this is a fundamental issue concerning frequency
distribution of the plaintext being non-flat. Normal plaintexts have
a non-flat distribution that could be exploited by the opponent. A
file of all zeros is an extreme case of non-flat distribution. So one
needs a preprocessing step to (roughly) even out the frequency
distribution. A simple to implement method to achieve that purpose
is a polyalphabetic substitution, of say 4 or 8 bit units, with a large
substitution table and a long key or a random sequence (i.e.
dynamically supplied by PRNG) as key.
M. K. Shen
------------------------------
Subject: Re: Def of "nonlinear order"
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 09:15:05 -0700
=?iso-8859-1?Q?H=E5vard?= Raddum <[EMAIL PROTECTED]> wrote:
>Mike Rosing wrote:
>
>> tomstd wrote:
>> >
>> > I am confused now (uh-oh) I thought the nonlinear order of a
>> > function can be computed using a modification of the Bit
>> > Independence Criterion (BIC). For example a function is
>> > nonlinear to the order r if for all masks with a hamming
weight
>> > of 2..r you can perform a BIC test and pass.
>> >
>> > For example the mask '3' would be 11 in binary and mean to
test
>> > the first and second nx1 sboxes. 7 would be 111 and mean to
>> > test the first three.
>> >
>> > In otherwords no r-tuple of nx1 sboxes are linearly
dependent.
>> >
>> > If this is the case then the findings of Knudsen and
Jakobsen
>> > are wrong when they discuss the nonlinear order of cubics
and
>> > quadratics (etc) in GF(2^n). For my 20 sboxes I posted
earlier
>> > they were found to be perfectly nonlinear upto 7-tuples of
8x1
>> > sboxes...
>>
>> I have no idea what you're talking about, so I expect that by
the
>> time you explain it to me you'll have figured out the
problem :-)
>>
>> Linearly dependent means we can build a function from the
sboxes
>> with constant coefficients. I don't understand what you mean
by
>> "nonlinear order". If you build a function with powers of
sboxes
>> (is that what qudratics and cubics mean?) then it's
automaticly
>> nonlinear.
>>
>> For example, if S(x) = x1 + x2 + x3 is the sum of 3 sboxes,
it's
>> linear. If S(x) = x1^2 + x2^3 + x3^5 it's nonlinear. The
order
>> of S is 5 in this case. Is that what you mean?
>>
>> Patience, persistence, truth,
>> Dr. mike
>
>A definition of non-linear order :
>
>Consider an mxn sbox (m bits of input and n bits of output)
Each of the
>n outputbits can be
>expressed as a polynomial in the m inputbits x_0,....,x_{m-
1}. Let
>these polynomials be
>f_1,...f_n. If we xor some of these f_i's together, it might
happen
>that some high-degree terms
>cancel out, so that the sum of these f_i's has lower degree
than any of
>the individual f_i's. The
>lowest degree polynomial one can create by summing a non-empty
subset of
>{f_1,...,f_n}
>together is the non-linear order of the sbox.
This sounds very much like the modified BIC test I explained.
How example do you represent a string of bits as a polynomial
though?
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Extending LFSR......
Date: Fri, 16 Jun 2000 16:07:44 GMT
The first question that struck me when i started reading about
these is why mod 2? Surely if we picked another prime modulo we could
find this primitive & irreducible polynomials, the max-period math
should still work right?
e.g. for a mod 257 system we could use:
x^127 + x^17 + x^31 + x^2 mod 257
would work out to be maximum length, and have a minimum period of
257^127 where each element of the shift register has a maximum value of
256?
Does this actually work, or am i just sprinkling fairy dust?
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
Subject: Re: Random sboxes... real info
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 09:20:44 -0700
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>[EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:
>
>>David A. Wagner <[EMAIL PROTECTED]> wrote:
>>
>>: Nope, I stand by my statement.
>>
>>Yes. Drat ;-) It turns out it was me who was dreaming :-|
>>
>>I should obviously have realised this myself the first time
around.
>>
>>I'll have to mentally mark this area as one where my intuition
is
>>likely to lead me astray unless I am cautious.
>>
>>My apologies for exposing everyone to what turns out to have
been pretty
>>mindless blathering on the subject.
>
> Tim that shows your more of a man than "David A. Wagner" who
falsely
>stated his "Slide Attack" has destroyed scott16u.zip and later
only
>vagley admitted that he could not be really bothered to look at
the
>C code when people tried to find a weakness in my method amd it
was not
>there when they tried to use his weak methods.
> I assime you would also state that you are wrong about 1-1
compression
>if you ever saw that it was bad. But Mr wagner is so full of
it, That
>he falsely assumes that there is no advantage to 1-1
compression since
>I seem to be the first one to right about it and he like so
many people
>with an over inflated ego think they no everything. So don't
worry about
>this one point learn from it and go on. But it least no that
Wagner lacks
>a lot of what you know about compression.
You are really someone to talk. You attack people who are
trying todo some good here and yet claim everything you do is
right. You have yet to answer any serious questions regarding
your methods. You just keep blowing me off by calling me an
ignorant kid.
Shame on you for attacking David. His research is not to be
taken lightly like that. Along with the counterpane team I
think they are doing alot of good for the Crypto-community.
On a more technical note, he may have been quick to suggest the
slide attack, but at least he was thinking. He proposed for
discussion the slide attack on your cipher, and it seems to not
be effective. Big friggin deal Mr.Scott, Blowfish, RC5, IDEA,
DES, TEA, ICE, CAST, MISTY, Twofish, RC6, Rijndael, Square,
MARS, Treyfer ... are all strong against the attack as well.
It's an observation when all the rounds are identical, it's not
design to specifically break Scottu16.
As a matter of fact you have yet to discuss any weaknesses in
your methods. I find that if you can't find any weakness or
theoretical observations then you have yet to actually analyze
your method.
Just my two cents. You should respond to keep the discussion
open.
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
Subject: Re: Extending LFSR......
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 09:30:02 -0700
Simon Johnson <[EMAIL PROTECTED]> wrote:
> The first question that struck me when i started reading
about
>these is why mod 2? Surely if we picked another prime modulo we
could
>find this primitive & irreducible polynomials, the max-period
math
>should still work right?
>
>e.g. for a mod 257 system we could use:
>
>x^127 + x^17 + x^31 + x^2 mod 257
>
>would work out to be maximum length, and have a minimum period
of
>257^127 where each element of the shift register has a maximum
value of
>256?
>
>Does this actually work, or am i just sprinkling fairy dust?
You have to be careful with notation. If you want to use
another base other then 2 your new polynomial is in GF(p^n)
where p is a positive prime. For example GF(257^3) has a
primitive polynomial "244x^3 + 131x^2 + 134x + 172".
But you lose all the nice computer related properties when you
use this as a basis for a new field. In GF(2^n) each cofficient
takes a single bit, but in GF(257^n) each cofficient takes 9
bits (0..256).
I am not sure about alot of the theory on LFSRs but it looks
like they are just multiplying the LFSR by a primitive element
in the field (degree higher then the size of the LFSR) to make
the LFSR. In this case you would have to change simple addition
from XOR to addition modulo 257, and multiplication would be a
bit messier (you would use a index based shifting instead of a
logical shift).
Any thoughts about the period?
tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Why the golden ratio?
Date: 16 Jun 2000 16:36:42 GMT
In <[EMAIL PROTECTED]> Runu Knips <[EMAIL PROTECTED]> writes:
]Runu Knips wrote:
]> AFAIK there is a simple equotation of pi, e, the golden
]> number, and 1, I don't remember it exactly but it was
]> really very simple.
]*blush*
]I was wrong. The equotation mentioned there in an old
]DrDobbs magazine was really e**(i*pi) + 1 = 0 :-((((
Well, you could write 1=(golden ratio)^0, and thus bring in the golden
ratio as well:-)
]*blush*
------------------------------
Subject: Re: How RSA SecurID tokens work?
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 09:45:11 -0700
Vin McLellan <[EMAIL PROTECTED]> wrote:
>On 06/02/2000, tomstd <[EMAIL PROTECTED]> asked:
>
> >Given the serial number and the current time how does the RSA
> >SecurID tokens create their PIN outputs?
>
> ACE/SecurID is a two-factor authentication system; the 60-
second 6-8
>digit "token code" which is continually displayed on the LCD on
the face
>of the token, and the user-memorized PIN are both required for
a valid
>authentication request to an ACE/Server, RSA's authentication
server.
>
> The SecurID uses a 10 year-old proprietary algorithm by John
>Brainard, now with RSA Labs, to hash Current Time and a
>factory-installed token-specific secret key to produce the
token-code.
How exactly will my server know what the secret displayed number
on the lcd is supposed to be at a specific time? Is there a
database of the secret keys?
I find that to be a point of attack in the system.
>The secrecy of Brainard's one-way function is really just an
artifact
>of committments made by RSA (then Security Dynamics) to its
customers
>ten years ago, when that was what was required in the market.
And no other problems...I have a hard time believing this.
> RSA (ne SDI) has been saying for all of that time that the
security
>and integrity of the process by which SecurIDs generate their
>token-codes is not dependant on the secrecy of the algorithm.
While
>unpublished, the SecurID hash has been widely studied by
numerous
>governments and their cryptographic agencies, as well as many
>corporations, before it was accepted and installed by those RSA
>customers.
Sure gimme 10k and I will say it's secure as well. I just can't
see how both the server and token can come up with the same
secret 6-8 digit number (mine are 6 digits) unless some hidden
information is embeded in the device and server. This is
obscurity not security.
> (In the US, to highlight the local scene, SecurIDs are
carried by
>all White House staffers, all US Senators, and numerous
staffers in the
>NSA, CIA, and DoD.)
>
> The serial number, embossed on the back of most SecurID
tokens (card
>or key fobs) is not relevant to the generation of the token-
codes. The
>internal processor of a SecurID isn't even aware of the serial
number
>associated with that token.
>
> The encrypted memory file in the ACE/Server does use the
token's
>serial number to index the token's the secret seed or key used
in the
>token's internal calculation. That file is used to record the
users
>chosen or assigned PIN, and it also maintains an ongoing
calculation of
>the relative accuracy of each SecurID's internal clock, using
the
>Server's clock as the baseline.
So if I steal a ACE database I can get access to all the secret
seeds? Sweet.
> A user submits a user name, SecurID token code, and the
memorized
>PIN to an ACE/Agent for relay to the ACE/Server.
>
> The ACE/Server then pulls up the file for that user, and
uses the
>token-specific seed and Current Time (adjusted as required by
the
>notation about the token's clock-chip) to generate a token-
code --
>actually, to deal with "drift," three consecutive token-code --
which
>are matched against the name, PIN, and SecurID token-code
submitted by
>the user.
>
> Hope this helps. I've been a consultant to RSA, and
earlier,
>Security Dynamics, for many years. Please feel free to ask if
you need
>any additional info. The spring issue of 2600, believe it or
not, has a
>pretty detailed overview of the SecurID technology.
I will look at it, but from what I can tell it's not security
rather obscurity.
I am not sure on the hierarchy of the Servers but it doesn't
seem right to me.
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: GeekPress: Will Cyber Criminals Run the World?
Date: Fri, 16 Jun 2000 16:58:56 GMT
Will cybercriminals run the world? And if they did, wouldn't that just make
them politicians? :-)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Flattening of frequency distributions
Date: Fri, 16 Jun 2000 19:28:09 +0200
Exploiting knowledge of frequency distributions of plaintexts
is one of the major tools of analysts in classical cryptology.
Even if some modern ciphers are believed by many to be strong
enough for direct encryption of natural language messages, I
suppose it can nontheless be justifiable to do preprocessing
to flatten the frequency distributions of single letters and
n-grams, if one is conservative in matters of security.
As far as I am aware, employing polyalphabetic substitution
(on hexs or bytes) with a large substitution table and a long
key or a dynamically generated random sequence as key flattens
the frequency distributions to some significant extents.
Another device that seems to be useful is bit rotations (by
random amounts) done on group of bits (computer words).
I should very much appreciate suggestions of other and
better methods of flattening frequency distributions as
well as discussions about them.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Fri, 16 Jun 2000 19:28:02 +0200
Benjamin Goldberg wrote:
> Mok-Kong Shen wrote:
> >
> > Benjamin Goldberg wrote:
> >
> > > Mok-Kong Shen wrote:
> > > >
> > > > John Savard wrote:
> > > >
> > > > > Well, if the size of the RAM available to a program is limited, not
> > > > > just the size of the program itself, then a program with N bits of
> > > > > storage available to it can have only 2^N distinct states. Hence, if
> > > > > it doesn't halt after 2^N instructions, it is proven that it will
> > > > > never halt.
> > > >
> > > > You probably mean that execution of each intruction must lead to a
> > > > single unique successor state. How about the case that this doesn't
> > > > hold, i.e. when the state transition depends on the history?
>
> Hmm, the program has N bits of RAM total [call this the state], and and
> to determine what will be the next state, not only uses all of those N
> bits, but it magically remembers what those N bits used to be, and uses
> that, too.
>
> I *think* that's what you're claiming.
I don't understand. A program that recursively computes x=f(x) may
be very large. But its state is just the current value of x.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Fri, 16 Jun 2000 19:27:55 +0200
"John A. Malley" wrote:
> So what kind of language is English? Is there an algorithm that can
> decide is a string belongs to the English language? (As well as other
> human languages.)
Is there an English grammar that is so detailed and unambigious for
deciding whether a sentence is English? A natural language evolves
too and I guess that there are deviations due to geographical locations,
even when we striclty confinine the set of speakers to those who are
'native' to English in the very narrow sense.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: small subgroups in Blum Blum Shub
Date: Fri, 16 Jun 2000 17:13:09 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> AFAICS from Theorem 4 of the BBS paper, lordcow77's argument
> is correct. That theorem shows that breaking the BBS generator
> is as hard as factoring N = pq even if the only constraints
> are that p and q are congruent to 3 mod 4 and x_0 is a
> quadratic residue, regardless of what the cycle length is.
Please define "breaking". :) To me, being able to guess the upcoming
bits with probability 1 because you already saw them earlier in the
cycle, *that* spells "broke". I don't know how I would go backwards from
knowing the sequence to knowing the factorization, but I do know I could
guess upcoming bits quite easily. :)
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: GeekPress: Will Cyber Criminals Run the World?
Date: Fri, 16 Jun 2000 12:17:27 -0500
zapzing wrote:
> Hmmm ... $10K? Well I was thinking more in
> the range of 100-200 dollars. I don't
> need to do several Mbits per second, only
> say about 1/100 of that.
It's pretty reasonabl price for IP. You can probably put it into
$5 chips. It's $7.5k for DES, and $10k for 3DES. The cost per
chip works out to 10k + n*5 = n*C. For an effective cost of $10/chip
you need 2000 chips. Most markets are larger than that. Maybe
you can piggy back off of someone else?
Patience, persistence, truth,
Dr. mike
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Fri, 16 Jun 2000 15:22:03 GMT
"Trevor L. Jackson, III" wrote:
> The non-existence of T tells us nothing about the existence of M.
Sure it does. The assumption that M exists led to the conclusion
that T exists (in fact I showed an explicit construction using M),
but we have a theorem that T does not exist; therefore there is a
contradiction, and "reductio ad absurdem" applies, so we conclude
that the assumption that M exists is wrong.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Encryption on missing hard-drives
Date: Fri, 16 Jun 2000 15:27:59 GMT
[EMAIL PROTECTED] wrote:
> What *do* they use? What is the current "state-of-the-art" GAO approved
> encryption system. Please don't tell me they still you single round
> DES! Kiss that data good-bye!
The GAO is not the agency that approved cryptosystems for protection
of classified information. However, that is moot, because seldom is
encryption used to protect information on hard disk drives; the usual
protection is to restrict physical access; i.e. the equipment is
locked in a vault that only authorized personnel have access to.
Apparently some agencies don't pay enough attention to established
security procedures, and that is the actual problem. Historically we
have had this problem in various guises "forever".
------------------------------
From: [EMAIL PROTECTED] (Frank M. Siegert)
Subject: Re: Flattening of frequency distributions
Date: Fri, 16 Jun 2000 17:40:25 GMT
On Fri, 16 Jun 2000 19:28:09 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>I should very much appreciate suggestions of other and
>better methods of flattening frequency distributions as
>well as discussions about them.
Just an idea... why not using several text streams created by an
"eddington ape" algorithm* (were each stream is created according to a
different cryptographically strong RNG) and xor (or add modulo,
subtract modulo or decoding) the streams together.
As each stream has a similar character distribution as plain text
(English or whatever langauge and text books you setup the 'apes' to
use) the original text should be effectively hidden.
* see Article from Scientific American 1983, or in German 'Spektrum
der Wissenschaft' 2/1984
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Def of "nonlinear order"
Date: Fri, 16 Jun 2000 12:38:57 -0500
>>Raddum <[EMAIL PROTECTED]> wrote:
> >A definition of non-linear order :
> >
> >Consider an mxn sbox (m bits of input and n bits of output)
> Each of the
> >n outputbits can be
> >expressed as a polynomial in the m inputbits x_0,....,x_{m-
> 1}. Let
> >these polynomials be
> >f_1,...f_n. If we xor some of these f_i's together, it might
> happen
> >that some high-degree terms
> >cancel out, so that the sum of these f_i's has lower degree
> than any of
> >the individual f_i's. The
> >lowest degree polynomial one can create by summing a non-empty
> subset of
> >{f_1,...,f_n}
> >together is the non-linear order of the sbox.
Thanks for the definition. So for example, if f1 ~ x^5, f2 ~ x^4
f3 ~ x^3 and f4 ~ x^2, the lowest degree in the set is x^2 and
that's the nonlinear order? Or do I have to take 2 terms, and
that would make x^3 the minimum high order term?
tomstd wrote:
>
> This sounds very much like the modified BIC test I explained.
> How example do you represent a string of bits as a polynomial
> though?
Let each bit be a coefficient of a function. Using the above
example, suppose I've got a 4x4 sbox. Then x0, x1, x2, x3 are
the inputs and y0, y1, y2, y3 are the outputs. I take
y0 = x0*f1 + x2*f3
y1 = x1*f2 + x3*f4
y2 = x0*f3 + x1*f4
y3 = x2*f1 + x3*f2
And that defines the sbox. Since this defines the subset of
functions, I take it the non-linear order is given by the last
line which has the minmum non-linear term (3 in this example).
Hmmmm.... You need to collapse the equations down to a bit,
so I suppose you use parity? Or else the whole thing is done
modulo some other f, and you just keep the last bit? Or
take a trace?
Patience, persistence, truth,
Dr. mike
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
