Cryptography-Digest Digest #349, Volume #12 Thu, 3 Aug 00 13:13:00 EDT
Contents:
Re: Q: Quantum dots ("Trevor L. Jackson, III")
More info on Twofish needed ("kihdip")
Re: RC5 / 4 (John Myre)
Re: Software package locking ("Trevor L. Jackson, III")
Re: Elliptic Curves encryption ("Trevor L. Jackson, III")
Re: Software package locking ("Ian Dichkovsky")
Re: OTP using BBS generator? (Scott Nelson)
*Way* OT: Just Curious. Are girls/women interested ("Trevor L. Jackson, III")
Re: Software package locking (Andru Luvisi)
Kill my cipher ("Martin 'SirDystic' Wolters")
Re: What is the word on TC5? (David A. Wagner)
Re: More info on Twofish needed (tomstd)
Re: Elliptic Curves encryption (Jerry Coffin)
Re: IV for arfour (David A. Wagner)
Re: OTP using BBS generator? (Mark Wooding)
Re: New block cipher for the contest (David A. Wagner)
Re: Elliptic Curves encryption (Roger Schlafly)
Re: Elliptic Curves encryption (Doug Kuhlman)
Re: What is the word on TC5? (tomstd)
Re: Skipjack and KEA test vectors (John Myre)
Re: Kill my cipher (tomstd)
Re: Why is it necessary...? (David Hopwood)
Re: OTP using BBS generator? (Mok-Kong Shen)
----------------------------------------------------------------------------
Date: Thu, 03 Aug 2000 10:29:06 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Q: Quantum dots
Bill Unruh wrote:
> In <3988ed17$[EMAIL PROTECTED]> "David Sowinski" <[EMAIL PROTECTED]>
>writes:
> >Over the past 10 years quantum dots have been transformed from laboratory
> >curiosities to the building blocks quantum computing.
>
> Lets not go overboard. They are still far from being a building block in
> anything but theory. Ther resistance to decoherence is still to be
> determined. They are still "labratory curiosities" in that context.
There may be hope yet. Mathias Fink has done interesting work on time reversal
mirrors in
the last couple years, concentrating on acoustic signals. See
-- Ultrasonic Focusing with Time Reversal Mirrors, Fink & Prada, Advances in Acoustic
Microscopy Series, Plenum Press, 1996
-- Time-Reversed Acoustics, M. Fink, /Physics Today/, v50 #3 p34-40, 1997-Mar
The relevance is that there is a type of retroreflection that occurs when an electron
hits
the boundary between a normal conductor and a superconductor. Such a mechanism might
be
harnessed to manage coherence.
During the taming of electricity the establishment scoffed at alternating current
because
the negative half of the cycle was supposed to cancel out the energy provided during
the
positive half. During the taming of the electromagnetic spectrum (early radio) the
establishment scoffed at the idea of negative feedback. Core memory was not useful
due to
destructive read until the writeback technique proved it superior to delay lines, and
semiconductor memory crossed the same hurdle in DRAM.
Perhaps some construction of "dynamic coherence" based on time reversed
retroreflection will
be scoffed at until it creates a new industry.
------------------------------
From: "kihdip" <[EMAIL PROTECTED]>
Subject: More info on Twofish needed
Date: Thu, 3 Aug 2000 16:31:04 +0200
With a 16 round Twofish and in- and output whitening, is the needed number
of subkeys always 40 ??
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: RC5 / 4
Date: Thu, 03 Aug 2000 08:45:58 -0600
tomstd wrote:
<snip>
> Note: RC5 is the holy grail of RSA so unless you want to start a
> war with them I would avoid it.
Hm. This analogy isn't exactly right; a "holy grail" is something
you want very badly, but don't have yet. And maybe, it's not possible
to get it. Like, say, a proof of security for SHA.
What is something that you have, and are jealously protective of?
JM
------------------------------
Date: Thu, 03 Aug 2000 10:55:06 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Software package locking
This is a good example of the ego involvement that I previously mentioned. It
makes the threat very serious (credible) and quite humorous at the same time.
Ian Dichkovsky wrote:
> "Trevor L. Jackson, III" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >blah-blah-blah
> >......
> >int 1
> >......
> >blah-blah-blah
> >int 3
> >......
> >blah-blah-blah
> >......
> >breakpoints
> >....
>
> Guy Do You Know - WHAT IS Soft-ICE ?
Yup. NuMega makes Really Good Stuff.
>
> It's the powerful debugger, it's the AXE, every cracker MUST have.
> I have ;-)
> It runs in DOS, WINDOWS and spit on
> the interrupt vectors. I tell you - I crack a LOT of programs
> even with HASP dongle.
Let me phrase this in a way you'll understand:
"This CPU ain't big enough for the both of us!"
Your machine can run soft-ICE or undebuggable software -- not both.
------------------------------
Date: Thu, 03 Aug 2000 10:56:38 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves encryption
Roger Schlafly wrote:
> "Trevor L. Jackson, III" wrote:
> > I agree with everything you've said. However, but none of it fits into (2). The
>only
> > experimental evidence we can conceive of is that which indicates that X is
>insecure.
>
> Just look at any of the AES papers. They do not prove that the
> cipher is secure, and they do not show insecurities either.
> They attempt to provide evidence that the cipher is secure.
> (As Ritter points out, it is weak evidence.)
I don't consider it to be _experimental_ evidence. Do you?
------------------------------
From: "Ian Dichkovsky" <[EMAIL PROTECTED]>
Subject: Re: Software package locking
Date: Thu, 3 Aug 2000 18:12:47 -0700
"Trevor L. Jackson, III" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "This CPU ain't big enough for the both of us!"
????
> Your machine can run soft-ICE or undebuggable software -- not both.
undebuggable software - huh;-)))
what do you mean?
Do you mean Wintel platform, or Apple, or Silicon?
Please, give me example.
What of the wider-spread software product for PC's is undebuggable?
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: OTP using BBS generator?
Reply-To: [EMAIL PROTECTED]
Date: Thu, 03 Aug 2000 15:21:02 GMT
On 03 Aug 2000 Grant Anderson <[EMAIL PROTECTED]>
wrote:
>I know there has been much discussion about (supposed) OTP ciphers and
>how
>most of them generally don't fulfil the OTP requirements. What I don't
>understand is why the use of the blum-blum-shub generator as the pad
>isn't acceptable?
>
For most practical applications it is acceptable.
But for most practical applications, so are a large number
of conventional ciphers, and they're all easier to use than
a Pseudo-OTP system.
One Time Pad is more a theoretical than practical encryption.
To be theoretically perfect, it requires perfect random
numbers for the pad. BBS is at best pseudo random,
therefore can, at best, offer pseudo security.
In other words, a pad derived from BBS is just another
stream cipher, and it shouldn't be called a one time pad.
(Even if it's used only once.) If a pad is created by a
repeatable method it should be called a pseudo one time pad.
Scott Nelson <[EMAIL PROTECTED]>
------------------------------
Date: Thu, 03 Aug 2000 11:19:26 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: *Way* OT: Just Curious. Are girls/women interested
Mok-Kong Shen wrote:
> David A Molnar wrote:
>
> > A2) How are you going to establish beyond a reasonable doubt that
> > some e-mail address here maps to a woman?
>
> I believe that, when AI reaches the point of really capable
> of simulating human behaviour, one would have the same
> basic problem. In other words, the Turing test probably
> cannot be done for inherent reasons that are independent
> of AI.
We'd need four tests corresponding to the for possible combinations of
interviewer and interviewee. We might learn an a lot from a program that
could pass the test when interviewed by one sex, but fail when interviewed by
another. Or pass when role playing one sex and fail when playing another.
D. Tannen has made some progress on communication between the sexes, and R.
Heinlein made some interesting suggestions in "The Moon is a Harsh Mistress".
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Software package locking
Date: 03 Aug 2000 08:19:42 -0700
"Trevor L. Jackson, III" <[EMAIL PROTECTED]> writes:
> Andru Luvisi wrote:
> > "Trevor L. Jackson, III" <[EMAIL PROTECTED]> writes:
[snip]
> > > Then we add communication layers for applications that have connections.
>Systems under
> > > attack can silently produce a syndrome that is detectable at the
> > > other end.
> > [snip]
> > > How would you feel if your debugger's memory display window suddenly started
>chatting
> > > with you? You might reconsider your attack.
> > [snip]
> >
> > ...or tell the entire world that your product invades people's
> > privacy. That makes your product *much* less valuable to your users.
>
> Oh. I thought you were paranoid. I see that you are actually psychotic. I'll
>leave you in
> you own world and you leave me in mine, OK?
[snip]
I'm psychotic because I believe that people have a right to privacy,
and that selling them software does not give you the right to violate
that privacy? Microsoft Publisher 2000 is limited until you register
it with Microsoft. I know people who have demanded, and received,
refunds because they were not interested in registering. I know more
people who never bought it because of this. Users are real,
breathing, people. When you are mean to them, they stop liking you.
The only reason people put up with office is because they need to,
because other people keep sending them word documents. I can't tell
you how many people I have met at Linux user groups who keep windows
on their machine just so they can run word just so they can read
things people send them which could have been expressed in plain text
just as easily.
You would do well to review your "reasoning" methods and reread my
post. I'm not interested in commenting on every mistake you made, but
I will say this: your hit rate with respect to your assumptions about
me is not high. You would do better to focus on my reasoning rather
than attacking me personally.
Andru
--
Andru Luvisi, Programmer/Analyst
------------------------------
From: "Martin 'SirDystic' Wolters" <[EMAIL PROTECTED]>
Subject: Kill my cipher
Date: Thu, 3 Aug 2000 17:42:40 +0200
Hi,
I wrote another Cipher, and I'd like
to hear, what you think about it.
It's a 16 round Feistel Cipher, which
uses 16 subkeys, generated like this:
int ky[0] = 0x01234567;
int kp[0] = 0x8F1BBCDC; (5^0.5)*(2^30)
for(i=1;i<17;i++) {
r=kp[i-1]&((1<<32)-1);
kp[i]=rot(ky[i-1],r);
ky[i]=kp[i]^kp[i-1];
}
where ky[0] is a 32 Bit User key and
rot(x,y) means a Left rotation of x by y
bits, defined as:
int rot(int in, int r)
{
int o,p;
o=in<<r;
p=in>>(32-r);
p&=(1<<r)-1;
o^=p;
return o;
}
This is the f-function it uses:
int f(int in,int k)
{
int r,r2,o,o2;
in=~in;
r=k&31;
o=rot(in,r)^k;
r2=o&31;
o2=rot(o,r2)^k;
o2=~o2;
return o2;
}
the encryption routine is this:
for(i=0;i<16;i++) {
x1[i+1]=x2[i];
x2[i+1]=x1[i]^f(x2[i],ky[i+1]);
}
where x1[0] are the left 32 bits of
the 64bit Plaintext and x2[0] are the
rightmost 32bits of the Plaintext.
The decryption the same, the subkeys
are just used in reverse order.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: What is the word on TC5?
Date: 3 Aug 2000 08:44:58 -0700
In article <[EMAIL PROTECTED]>, Runu Knips <[EMAIL PROTECTED]> wrote:
> Hmm I'm next to sure that attack only distinguishes the
> cipher from a random permutation. He said 'generic attack
> from the literature', and that doesn't sound like deeper
> cryptanalysis - more like something which comes to mind
> immediately as you look at some concept.
That's my interpretation, too. Just increasing the number of rounds
to 8 or so (in the outermost cipher) should be enough to stop the generic
attacks, as far as I know.
------------------------------
Subject: Re: More info on Twofish needed
From: tomstd <[EMAIL PROTECTED]>
Date: Thu, 03 Aug 2000 08:46:05 -0700
"kihdip" <[EMAIL PROTECTED]> wrote:
>With a 16 round Twofish and in- and output whitening, is the
needed number
>of subkeys always 40 ??
2 keys per round and 8 whitening keys gets you 16*2+8=40
Tom
===========================================================
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves encryption
Date: Thu, 3 Aug 2000 09:49:38 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > IOW, "science", by your definition has never and probably will never
> > exist! Humpty-Dumpty would be proud of you...
>
> There appears to be a difference between domains that permit experimental
> XpXrXoXoXfX confirmation and those that do not. Sciences do this. Is it your
> position that crypto supports experimental confirmation of strength?
No, not any more than a biologist can provide experimental
confirmation that a bird evolved from a dinosaur.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: IV for arfour
Date: 3 Aug 2000 08:50:04 -0700
I see. Ok, no confusion left. Thanks.
I have to admit the proposal doesn't seem terribly practical to me.
Many folks complain about 8 or 16 bytes of overhead per packet for a
crypto IV; I can't imagine what they'd say if I asked for 256 bytes. :-/
But I guess there are probably some applications where the overhead is
acceptable. (encryption of very large files, maybe?)
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP using BBS generator?
Date: 3 Aug 2000 16:19:48 GMT
[Oh, \deity, not this again.]
Terry Ritter <[EMAIL PROTECTED]> wrote:
> But being "no harder than factoring" is meaningless when an approach
> *allows* factoring.
You're cleverer than this. Put your brain in gear.
Breaking the system is no harder than factoring. Doing foo lets us
factor. Then breaking the system is no harder than doing foo.
> The alternative is to not use a "special primes" construction, and
> simply not check for having selected a short cycle. The probability
> of selecting a short cycle at random is extremely low, but not zero.
> So where BB&S could argue that their scheme was provably secure, the
> reduced scheme *might* not be secure, and that is a weakness.
No! You've failed to understand. The security warranty works
regardless, as long as the modulus is a Blum integer.
Time to bring out Blum-Goldwasser again. It's a public-key system.
Important points:
* The private key is a pair of primes p and q, with p = q = 3 (mod 4).
* The public key n is the product of p and q.
* Encryption is done by someone who knows the public key, but not the
private key. He chooses a random seed value and XORs the plaintext
with the output of the BBS generator modulo n with the seed he
chose. He appends the final state value to the ciphertext.
* The sender doesn't know the public key. He can't choose his seed to
have order, well, anything in particular. If you can compute the
orders of elements mod n, you can factor n.
* Blum-Goldwasser is semantically secure. This means that no
polynomially-bounded adversary who can't decide quadratic
residuosity mod n can compute anything about a plaintext given its
ciphertext that couldn't be computed without the ciphertext anyway.
The security of Blum-Goldwasser is entirely based on the difficulty of
predicting the output of a BBS generator *with a random seed*. Semantic
security is an extremely strong property, so this is an extremely
important result.
> I claim it is deceptive to call the reduced scheme BB&S.
I don't see it as deceptive. In fact
> It is also deceptive to claim that any system which we can make more
> secure by our own action is absolutely secure.
Did anyone else hear someone claim that the BBS was absolutely secure?
I certainly didn't.
> Here we have a case where the security guarantee is factoring, but our
> own inaction can lead to allowing exactly that factoring.
No. Again, see Blum-Goldwasser. Your own web page explains that that
you must choose the seed value carefully in order to find a long cycle.
Choosing the primes carefully doesn't guarantee you'll always find long
cycles, just that one will exist: you then have to find it. In the
Blum-Goldwasser scenario, the modulus is known to the adversary, and if
he can, by trying as hard as he can, find a short cycle, then he's
broken the system.
> Any key-based ciphering whatsoever always has some probability of
> opponents selecting the correct key at random, and so has inherent
> weakness. We can't prevent that. But the use of a reduced X^2 mod N
> structure has *additional* weakness which we *can* prevent. It is a
> shame to say that is equivalent to the true BB&S design.
But it's *not* additional weakness. It's *exactly the same* weakness,
with a different hat on.
> The security warranty from the real Blum, Blum & Shub paper is based
> upon composites of large primes of a form which they call "special."
No. It's based on the difficulty of the quadratic residuosity problem
(QRP) modulo a Blum integer. And *nothing else*.
> But now we have people using the part of BB&S they like, and throwing
> out what they don't like. Do we really think the authors of the paper
> did not see that possibility and decide against it? Please.
You don't consider that it's possible for mathematicians to prove
additional properties of a system they've devised, just through
interest? Oh, well.
> I have seen various recommendations that RSA really should be using
> special primes. Bob Eachus made one, as far as I remember.
My software generates strong primes for RSA (and BBS, for that matter),
using Gordon's algorithm. I'm not really sure why I bother: I believe
the arguments by Bob Silverman and many other experts that it's a waste
of effort. (But it doesn't take much longer, it doesn't introduce
weaknesses, and the code's there...) But, basically, I accept that it's
unnecessary.
Note that we can use cycle-finding to factor RSA moduli too: the result
that a cycle has a high probability of finding a pair of square roots
holds even when the modulus isn't a Blum integer. I see a particular
lack of interest in exploiting this as an attack against RSA.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: New block cipher for the contest
Date: 3 Aug 2000 09:20:12 -0700
In this post, I show how to break Jaleo with about 16 known texts and
O(2^28) bit operations.
Jaleo encrypts the N-bit plaintext u to the N-bit ciphertext c as follows:
v = uM (matrix multiplication over GF(2))
w = v - m mod 2^N
c = wM (matrix multiplication over GF(2))
The NxN matrix M and the N-bit quantity m are key-dependent. Also N = 128.
Note that there is a lot of linearity here. The low bit of v, v_0, can
be expressed as a linear function of u, say v_0 = u . a (GF(2) dot-product)
where a is the first column of M. Similarly, the low bit of w, w_0, can
be expressed as a linear function of the bits of c, say w_0 = c . b where
b is the first column of M^{-1}. Finally, the low bit of w, w_0, can be
expressed as a linear function of u_0 and m_0; namely, w_0 = u_0 + m_0
(here + represents addition over GF(2), i.e., xor).
Combining these three observations, we see that
c.b = w_0 = u_0 + m_0 = u.a + m_0,
so in particular,
b.c + a.u + m_0 = 0.
When a plaintext/ciphertext pair u,c is known, this gives a single
linear equation on 2N+1 formal unknowns (i.e., the N bits of b, the
N bits of a, and the single bit m_0). Each known text gives another
linear equation. Thus, with 2N+1 known texts, we obtain a system of
2N+1 linear equations in 2N+1 unknowns, and thus we can expect that
the system may be uniquely solved for a,b,m_0 using Gaussian elimination
with just O(N^3) bit operations.
This reveals a good deal of key material, and already shows that each
subsequent ciphertext will leak a single bit of information on the
plaintext.
But it gets worse. The same attack may be repeated on the next
lowest bit position of v,w,m, i.e., w_1 = v_1 + m_1 + m_0 * (v_0 + 1);
since v_0 and m_0 are now known, they may be eliminated, and we may
solve another set of 2N+1 linear equations in 2N+1 unknowns to learn
m_1 as well as the second column of M and M^{-1}. In this way, we
may repeat until the entire key has been derived, and then the cipher
is well and truly broken. The same 2N+1 known plaintexts may be re-used,
and we repeat Gaussian elimination N times, so the total workfactor of
the attack is O(N^4).
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves encryption
Date: Thu, 03 Aug 2000 09:26:06 -0700
"Trevor L. Jackson, III" wrote:
> I don't consider it to be _experimental_ evidence. Do you?
Yes. If a bunch of ciphertexts pass a bunch of randomness tests,
then that is experimental evidence. Not sure what your objection
is -- would you prefer the term "empirical evidence"?
------------------------------
From: Doug Kuhlman <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves encryption
Date: Thu, 03 Aug 2000 11:05:01 -0500
Mark Wooding wrote:
>
> Terry Ritter <[EMAIL PROTECTED]> wrote:
> >
> > On Tue, 01 Aug 2000 13:26:12 -0500, in
> > <[EMAIL PROTECTED]>, in sci.crypt Doug Kuhlman
> > <[EMAIL PROTECTED]> wrote:
> >
> > >But knowing that "breaking" BBS (for example) is equivalent to
> > >factoring is SOMEthing.
> >
> > No, it is not, and we just went through that a month ago.
>
> Yes, we did, and you're still wrong now.
>
I already took this to email, since I figured you regulars are probably
tired of seeing the discussion. Now if only Terry would respond
again....
> > So "breaking" BB&S means that we have found it to be weak to the given
> > attack, and that -- my goodness! -- might not even overturn
> > mathematics as we know it.
>
> It would certainly be an interesting new factoring method.
>
Sure would be. I have my doubts of it working, but lots of
silly-sounding ideas actually work quite well.
> > >I still would like you to present something to me as a fact.
> >
> > How about this: That's a stupid request.
>
> Now prove that this is a fact. ;-)
>
My sentiments exactly!
Doug
------------------------------
Subject: Re: What is the word on TC5?
From: tomstd <[EMAIL PROTECTED]>
Date: Thu, 03 Aug 2000 09:27:24 -0700
[EMAIL PROTECTED] (David A. Wagner) wrote:
>In article <[EMAIL PROTECTED]>, Runu Knips
<[EMAIL PROTECTED]> wrote:
>> Hmm I'm next to sure that attack only distinguishes the
>> cipher from a random permutation. He said 'generic attack
>> from the literature', and that doesn't sound like deeper
>> cryptanalysis - more like something which comes to mind
>> immediately as you look at some concept.
>
>That's my interpretation, too. Just increasing the number of
rounds
>to 8 or so (in the outermost cipher) should be enough to stop
the generic
>attacks, as far as I know.
How does the generic attack work?
Tom
===========================================================
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Skipjack and KEA test vectors
Date: Thu, 03 Aug 2000 10:24:20 -0600
Eric Smith wrote:
<snip>
> I instrumented my implementation, and found that the NIST test vector
> uses 104 of the 256 entries in the F table. It seems inexcusable to
> me that an official specification for an encryption algorithm not
> be accompanied by at least enough test vectors to cover all of the
> table values.
True, although Skipjack and KEA seem anomalous. For instance, there
is no FIPS for them. So the document at NIST doesn't actually define
a "standard". (What is it, then? I don't know.)
I imagine that the real problem is that NSA simply doesn't think in
these terms. The NSA likes it better when they *get* information
rather than *giving it out*. And NIST can hardly publish NSA data
on their own.
> Sigh.
Yes.
JM
------------------------------
Subject: Re: Kill my cipher
From: tomstd <[EMAIL PROTECTED]>
Date: Thu, 03 Aug 2000 09:33:23 -0700
"Martin 'SirDystic' Wolters" <[EMAIL PROTECTED]> wrote:
>Hi,
>
>I wrote another Cipher, and I'd like
>to hear, what you think about it.
>
>It's a 16 round Feistel Cipher, which
>uses 16 subkeys, generated like this:
>
>int ky[0] = 0x01234567;
>int kp[0] = 0x8F1BBCDC; (5^0.5)*(2^30)
>
>for(i=1;i<17;i++) {
> r=kp[i-1]&((1<<32)-1);
> kp[i]=rot(ky[i-1],r);
> ky[i]=kp[i]^kp[i-1];
>}
>
>where ky[0] is a 32 Bit User key and
>rot(x,y) means a Left rotation of x by y
>bits, defined as:
>
>int rot(int in, int r)
>{
> int o,p;
> o=in<<r;
> p=in>>(32-r);
> p&=(1<<r)-1;
> o^=p;
> return o;
>}
>
>This is the f-function it uses:
>
>int f(int in,int k)
>{
>int r,r2,o,o2;
>in=~in;
>r=k&31;
>o=rot(in,r)^k;
>r2=o&31;
>o2=rot(o,r2)^k;
>o2=~o2;
>return o2;
>}
Your F function is vulnerable to differential cryptanalysis.
The probability of a single input difference not causing a
massive output difference is (27/32)^2 ~ 0.71.
Tom
===========================================================
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
Date: Thu, 03 Aug 2000 13:45:06 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Why is it necessary...?
=====BEGIN PGP SIGNED MESSAGE=====
Sergio Arrojo wrote:
> Why is it necessary to know the number of points of a curve in order
> to find a point with order n (n large prime)?, once we know the order
> of the curve, how do we manage to find such a point?
Suppose the order of the curve is c*n, with n prime. Then pick a random
point, multiply it by c, and if the result is not the point at infinity [*],
it will have order n.
[*] the result is very unlikely to be the point at infinity if n is large.
- --
David Hopwood <[EMAIL PROTECTED]>
Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOYlpJDkCAxeYt5gVAQE63AgAicnCVzjyfVdr6RZ0l9YJAt6Zb91Ntqjo
RXqYbPqNsFZTPAXw9tc+wEazBhBn2/n5NYNIxrk/ZTeB35ceHPNqKNVoKdh352//
icJfiVAVETaHDBEuts1IFetWpE4hQCYdLthZPiNuzzCkLQynAngglxhNPz7dsBLh
Y4Lz6FbUv7OlDkXGACZZq9uW6SA4fcqZNL1tRtmHG+kklFxEd3mJW39LLCKgCbFR
RDgiBwD2M1PMlgPoWQF7cg0TvsdXtJQ2Mi3cKwQ/L/Qxy7IZC4wFBonmxb2oNFuM
OhkKIzpiqQS/f45UaFxBBJf6R6G3KdVrFSDBaFM3+63xbI59QPFWSg==
=Lag5
=====END PGP SIGNATURE=====
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Thu, 03 Aug 2000 18:52:29 +0200
lordcow77 wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >BBS has been a recurring topic in this group. I have little
> >knowledge in that but I have the impression that discussions
> >about it never led to unanimously accepted results. You
> >may try to look into old postings of this group.
> >
>
> Wrong. Practically everyone accepts that choosing the factors of
> the modulus to be congruent to 3 mod 4 and picking a random
> starting point are enough to ensure that the resulting BBS
> sequence will be secure, based on the computational equivalence
> of predicting BBS and deciding quadratic residuosity (and
> therefore factoring). Terry Ritter is the only proponent of the
> position that one must take elaborate steps to ensure that one
> falls into a guaranteed long cycle on the basis of a
> misunderstanding of the security proof given by Blum, Blum, and
> Shub and a desire to assert that no cipher can be proven to be
> secure under reasonable assumptions, such that he can promote
> his own products that "stack" multiple patented algorithms
> together.
For one that does not have expert knowledge in BBS, like me,
it seems unfortunately to be difficult to know from the materials
of past discussions in the group alone whether one party is
absolutly right and the other absulutely wrong. Perhaps this is
a consequence of the fact that crypto is a subtle art. (BTW,
multiple encryption is not an invention of Terry Ritter but is
well-known since earlier times of cryptography. Shannon also
treated a series of three ciphers in one of his papers. There
seems to be no reason why one should neglect that potential
device of cryptography in my humble view.)
M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
