Cryptography-Digest Digest #430, Volume #12      Sun, 13 Aug 00 10:13:01 EDT

Contents:
  Re: Crypto Related Professional Attitude (Eric Lee Green)
  Re: Where should I hide the Key? (tomstd)
  Re: Where should I hide the Key? (Eric Lee Green)
  Hushmail? (Ron B.)
  Re: Crypto Related Professional Attitude ("Paul Pires")
  excellent Text Encrypter (R)
  Re: Bluetooth security source code, Again (Tome')
  Re: excellent Text Encrypter (Ron B.)
  tweedle (Quisquater)
  Re: crypto vs. psychology, was OTP as BBS generator (Mok-Kong Shen)
  Re: Where should I hide the Key? (John Savard)
  Re: Crypto Related Professional Attitude (John Savard)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mok-Kong Shen)
  Re: Crypto Related Professional Attitude ([EMAIL PROTECTED])
  Re: Updated stream cipher (Frank M. Siegert)

----------------------------------------------------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Sun, 13 Aug 2000 05:10:05 GMT

tomstd wrote: 
> This post is for the professionals 
> Why don't you guys ever participate even a little in sci.crypt?

I suspect it's a lack of time. I'm not a big-shot in cryptography,
probably never will be (I lack the math skills, though I've discovered a
bit of a knack for doing security analysis on systems over the past
year), and even I pop in and out at random times using random user names
and user ID's ( eric at estinc.com is the one that I use at work, you'll
notice that it has not appeared here recently due to lack of time). This
is a function of being busy, not of being hostile to those who are truly
interested in learning. Given that Bruce Schneier has a) written a book,
and b) started a new business in the past year, it's obvious why he
isn't posting. I suspect that others have similar tales to tell... this
is an exciting and busy time for people in the security industry, due to
the vast exploding growth of the Internet there are more and more
systems out there to analyse and protect, and anybody who's any good is
scuttling about like a mad cockroach trying to fulfill all the demands
on his time while the gettin's good.

I've noticed that most of the "regulars" on this group, other than the
snake oil salesmen (who are a class in themselves), tend to be retirees
or strictly amateur (as in, they don't work in the encryption and/or
computer security industries as a profession). There are some of us who
aren't exactly professionals at cryptography but who do incorporate
cryptographic capabilities in software that we write for a living, but
we are a minority for the same reason that the professionals are --
simple lack of time.

-- 
Eric Lee Green        There is No Conspiracy
[EMAIL PROTECTED]     http://www.badtux.org/eric

------------------------------

Subject: Re: Where should I hide the Key?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 12 Aug 2000 22:00:10 -0700

"bbUFO" <[EMAIL PROTECTED]> wrote:
>Ok, I got a good algorithm for encryption. But where is the good place to
>store the encryption KEY?
>
>I have 3 ideas, but they seem not so good, anyone have other idea?
>
>1. Store it with the encrypted data or in a file, so whoever gets the data or
>file can decrypt it. This is not safe.
>2. Store it in Windows Registry. But user will lose the key if he/she formats
>and reinstalls Windows.
>3. Use the user's password as the key. But it needs to re-en/decrypt all the
>data every time user changes password.

Solution:  Don't store the key anywhere!

Tom


===========================================================

Got questions?  Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com


------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Where should I hide the Key?
Date: Sun, 13 Aug 2000 05:22:47 GMT

bbUFO wrote: 
> Ok, I got a good algorithm for encryption. But where is the good place to
> store the encryption KEY?

1) You should at least protect encryption keys by encrypting them with a
user-provided password or pass phrase in conjunction with a random salt
value prior to storing them in the registry or in a dot file (for Unix
guys). A user-provided password is less secure than a truly random key,
but hopefully will suffice for keys that don't encrypt data sent over
the wire.

2) You may wish to use some other scheme, depending upon your
application. For example, an application that I'm working on does a
public key chat with the server to establish a session key, then prompts
the user for a password that's required in order to contact the server.
The application's public/private keys are stored in a dot file in a
user-access-only dot directory under the user's home directory, and are
in unencrypted format because if you have user-level access to a user's
home directory under Unix, that user is compromised anyhow. This does
not, of course, compromise the server, because all the application knows
is the server's public key, which is public knowledge. Similarly, since
the user's password is not ever stored anywhere, it's not an issue (and
note that the client's public/private key pair change regularly -- the
information encrypted with the session key determines authentication,
not the public/private key pair, and none of that information is ever
stored anywhere prior to being sent down the wire to the server). 

-- 
Eric Lee Green      There is No Conspiracy
[EMAIL PROTECTED]     http://www.badtux.org

------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Subject: Hushmail?
Date: Sun, 13 Aug 2000 06:03:36 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Have there been any evaluations of Hushmail done recently?  A URL
would be sufficient.

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOZY52AzUoy7OvTSOEQLhXwCg6y/zEdOWzyy3FQhV9gWG39HEIgAAoLr2
/uyTwGVaR9NnDPkMmAWThWOG
=8bs8
=====END PGP SIGNATURE=====


------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Sat, 12 Aug 2000 23:24:59 -0700

One thought Tom.

BTW, you ask good questions.

One trend that I have seen is your good buddy DS attacking Bruce whenever he
posts. It is obviously an attempt to promote some semblance of personal
conflict between the two. Kinda like "I must be on the right track, I insult
the best". I imagine that it gets tiring after awhile being a target of
troll opportunity.

I have received E-mail direct when something I post makes a biggie take pity
on me. Just because they don't participate in the group doesn't mean they
don't participate. Maybe you're just not pitiful enough :-)

Paul



tomstd <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> This post is for the professionals such as Biham, Rivest,
> Schneier, Wagner, Shamir, Coppersmith, etc...
>
> Why don't you guys ever participate even a little in sci.crypt?
>
> No offense but you claim to be active in crypto, and honest you
> guys know way more than most of us (including me).  So why not
> post from time to time excluding posts to plug your papers?
>
> It seems like there are a lot of arrogant professionals in the
> world.  Honestly there are what 50 posts a day here, and about
> 25 active posters.  It's not like there are 1000s of messages to
> read through so time is not an issue.  It takes me about 30 mins
> to go through the news messages, often under 10mins since a lot
> of posts are not within my reasonable answering range.
>
> I agree that professionals are/may be busy and have work to
> attend to, but seriously so do I.  Big deal.  I post here
> because I want to learn and share.  Why can't the big shots do
> the same?
>
> I invite the professionals (a.k.a big shots) to reply to this
> thread with their opinions since I want to know why they remain
> so silent when they apparently have lots to share.
>
> Sincerely,
> Tom
>
------------------------------

From: [EMAIL PROTECTED] (R)
Subject: excellent Text Encrypter
Date: Sun, 13 Aug 2000 08:29:09 GMT

Can anyone point me to a website where I can download a good text
encrypting program?
R

------------------------------

From: [EMAIL PROTECTED] (Tome')
Subject: Re: Bluetooth security source code, Again
Date: Sun, 13 Aug 2000 09:22:38 GMT

On Sun, 30 Jul 2000 01:51:50 GMT, Samuel Paik <[EMAIL PROTECTED]>
wrote:

>Tome' wrote:
>> I'm looking for source code of Bluetooth. In particular i'm
>> interested in encryption algorithm and authentication algorithm.
>> Can someone help me ?
>
>The Bluetooth cryptography algorithm looks to be documented in the
>Bluetooth specification suffiently to implement without reference
>to other sources.  Is there a specific point you are puzzling about?
>
>Sam paik

I've just developed the encryption function and it seems to run correctly.
If my implementation passes the four sets of sample data, can it be
considered correct?
Now I'd like to implement the generation of kc' from kc but I don't
understand what kc'(x)=g2(x)(kc(x) mod g1(x)) means:
1. compute kc(x) mod g1(x), where g1(x) is determined by L
2. what must I do now? g2(x)(kc mod g1(x))?

Another little question:
how can I compute kc(x) mod g1(x) if the length of g1(x) is 128 bits?
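The notation in the question is polynomial arithmetic over GF(2): kc(x) mod g1(x) is a remainder, and step 2 is a carry-less multiplication of that remainder by g2(x). The block below is an added example, not code from Tome' or from the Bluetooth specification; it represents a polynomial as a Python integer (bit i is the coefficient of x^i), which makes a 128-bit modulus no harder than an 8-bit one. The polynomials it runs on are constructed for illustration and are not the spec's g1/g2 tables (in the spec, g1^(L) has degree 8L and g2^(L) degree at most 128-8L, which is why the product still fits in 128 bits).

```python
# Added example (mine, not from the post or the Bluetooth spec): GF(2)
# polynomial arithmetic for K'c(x) = g2(x) * (Kc(x) mod g1(x)).
# A polynomial is a Python int: bit i is the coefficient of x^i, so a
# 128-bit key is a polynomial of degree < 128 and a 128-bit modulus is
# handled by ordinary big-int shifts and XORs.


def gf2_deg(p: int) -> int:
    """Degree of p(x); -1 for the zero polynomial."""
    return p.bit_length() - 1


def gf2_mod(a: int, m: int) -> int:
    """a(x) mod m(x) over GF(2) by shift-and-XOR long division."""
    if m == 0:
        raise ZeroDivisionError("modulus polynomial is zero")
    dm = gf2_deg(m)
    while a and gf2_deg(a) >= dm:
        # Cancel the leading term of a(x) by subtracting (= XOR) a shifted
        # copy of m(x); there are no carries because coefficients are mod 2.
        a ^= m << (gf2_deg(a) - dm)
    return a


def gf2_mul(a: int, b: int) -> int:
    """Carry-less product a(x) * b(x) over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def constrain_key(kc: int, g1: int, g2: int) -> int:
    """K'c(x) = g2(x) * (Kc(x) mod g1(x)): step 1 is the mod, step 2 the product."""
    return gf2_mul(g2, gf2_mod(kc, g1))


def poly_str(p: int) -> str:
    """Human-readable form, e.g. 'x^5 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(gf2_deg(p), -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


if __name__ == "__main__":
    # Constructed toy values (not spec polynomials), small enough to check by hand.
    kc = 0b100011            # x^5 + x + 1
    g1 = 0b1011              # x^3 + x + 1
    g2 = 0b101               # x^2 + 1
    r = gf2_mod(kc, g1)      # x^2
    print(f"{poly_str(kc)} mod {poly_str(g1)} = {poly_str(r)}")
    print(f"K'c = {poly_str(g2)} * ({poly_str(r)}) = {poly_str(constrain_key(kc, g1, g2))}")
    # A 128-bit modulus works the same way: x^130 + 1 mod (x^128 + 1) = x^2 + 1
    print(poly_str(gf2_mod((1 << 130) | 1, (1 << 128) | 1)))
```

To check an implementation against the spec's sample data, load Kc and the g1/g2 entries for the chosen L as integers with the same bit convention and compare `constrain_key` against the published K'c.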

------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Subject: Re: excellent Text Encrypter
Date: Sun, 13 Aug 2000 08:56:44 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

On Sun, 13 Aug 2000 08:29:09 GMT, [EMAIL PROTECTED] (R) wrote:

>Can anyone point me to a website where I can download a good text
>encrypting program?
>R

www.pgpi.org

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOZZixAzUoy7OvTSOEQLNnwCdHE65HEEScix0XV/acjgvcQOhDzUAnRvZ
5SlB8A/FYJQ3A4SuuyfYqrzQ
=bKwc
=====END PGP SIGNATURE=====


------------------------------

From: Quisquater <[EMAIL PROTECTED]>
Subject: tweedle
Date: Sun, 13 Aug 2000 12:24:00 +0200

Aah, it must sound better than shaking that sieve :-)
 Japanese secret services are studying this thoroughly (They received the
message on Apr. 2) ;-)
  
 Quisquater wrote:
  
 > Following an important rumor just released by Alice Press, Ali
 > ce HAMIR just found a new method for accelerating the second step
 > of factorization algorithms: this step needs to handle a very large
 > matrix (mainly zeroes) with an access to a computer with a very large
 > RAM memory (many GBytes) and is not easy.
 >
 > The theory is based on an idea published very recently by Peter
 > Montgomery (micros.ft): Peter shown how to do these computations
 > in parallel (using the Lanczos method).
 >
 > The new method used ultra-sounds and several small bottles of Klein
 > in cascade (it is like an accelerator for elementary particles):
 > the goal is to obtain a null vector being the vectorial sum
 > of many rows of the large matrix. The matrix is encoded using
 > digital sounds (the zeroes are changed into ones) and
 > the bottles give fast and iterative interferences. A special sensor
 > is used to detect the now all-one vector encoded by
 > a specific snark: the cracking sound.
 >
 > He found this idea just after reading the following page:
 >
 > http://members.spree.com/seahaas/WONDERLANDWAVS.htm
 >
 > The realization of such a device is possible with the current
 > technology. Adi said: no CRAY, no patent, just a CRY, it is
 > like Archimedes: you can now factorize in your bathroom.
 > He shown a prototype using Moebius rings interacting with two tweeters.
 >
 > A presentation at the following hall is scheduled
 > http://www.greatwoods.com/
 > doing a simulation with violins and batteries,
 > sponsored by the National Sound Association.
 >
 > So by using light (do you remember TWINKLE?
 > http://www.geocities.com/EnchantedForest/Cottage/6936/stories/20.htm
 > and http://jya.com/twinkle.htm ) and sound
 > (without any quantum computations), we now have a multimedia
 > factorisation algorithm.
 >
 > Arjen Lenstra is thinking to change his web page
 > http://www.cryptosavvy.com/
 > after the year 2000 (a progress for elliptic curves is not
 > excluded).
 >
 > Bob Silperson (RSAink), a leading cryptographer, didn't comment at all
 > but repeated again that "You can lead a worse tweedle's ass to
 > knowledge, but you can't make him think"

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: crypto vs. psychology, was OTP as BBS generator
Date: Sun, 13 Aug 2000 12:39:38 +0200



wtshaw wrote:
> 

> Psychology is as much art as science since humans are not all wired the
> same and tend to rewire themselves in ungovernable ways.  Since crypto
> depends so much on maverick brains to conceive, use, and analyze it, it
> can be less science than art at times.
> 
> Whether that which is presented about crypto as science is good science is
> sometimes also subject to question.  We surely can learn lots by posing
> good scientific questions and actually testing hypotheses.

Since in crypto a certain essential quantity, namely strength,
doesn't have a rigorously and clearly defined and practically
useful unit of measurement like metre, newton and second, 
there are lurking, I am afraid, certain potential dangers 
arising from phenomena of psychology of the mass. By this I 
mean such things like the 'prevailing opinions' of a period 
or of a very large number of people, which may under 
circumstances be subject to very subtly contrived 
manipulations by a few who want to influence the mass in 
favour of their individual goals. I guess that one fact in 
crypto that has some connection to this is that there have 
been attempts to convince the common people that strong 
crypto laws and regulations are absolutely necessary for the 
well-being of all. Fortunately, that campaign hasn't been 
very successful, as far as I am aware. (Note that the impact 
of a 'prevailing opinion', whether in science or elsewhere, 
could be far-reaching if it is ever once firmly established. 
For a non-conforming view-point would then either be 
'shouted down' without proper logical arguments, or 
else manifestly ignored by the 'authorities' or even 
disposed of in some non-soft manner, as history tells us.)

M. K. Shen
==========================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Where should I hide the Key?
Date: Sun, 13 Aug 2000 13:18:11 GMT

On Sun, 13 Aug 2000 04:34:54 GMT, "bbUFO" <[EMAIL PROTECTED]> wrote, in
part:

>3. Use the user's password as the key. But it need to re-en/decrypt all the
>data every time user change password.

A famous idea, used by ScramDisk, is:

store the key on the disk, but encrypt it with the user's password.

That way, only the key needs to be re-encrypted when the user changes
the password.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
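The scheme described in Eric Lee Green's first point and in John Savard's ScramDisk note above, as an added example that is code from neither poster nor from ScramDisk: a random data key is stored wrapped under a key derived from the user's password and a random salt, so a password change re-wraps only that one small blob and the data encrypted under the data key stays put. The assumptions are mine: PBKDF2-HMAC-SHA256 as the password KDF and, to stay within the Python standard library, a wrap built from a one-time PBKDF2-derived mask plus an HMAC-SHA256 tag. Production code would wrap with an authenticated cipher such as AES-GCM or AES key wrap instead.

```python
import hashlib
import hmac
import os
import struct

# Added example (mine, not ScramDisk's code or Eric's application): keep a
# random data key on disk wrapped under a key derived from the user's
# password plus a random salt. Changing the password re-wraps only this
# small blob; the bulk data encrypted under the data key is untouched.
#
# Assumptions: PBKDF2-HMAC-SHA256 as the password KDF (high iteration count
# because, as Eric notes, a password is weaker than a random key), and a
# stdlib-only wrap: a one-time PBKDF2-derived mask XORed over the key plus
# an HMAC-SHA256 tag. Use AES-GCM or AES key wrap in production.

ITERATIONS = 200_000
SALT_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
HEADER_LEN = SALT_LEN + 4           # salt || big-endian iteration count
BLOB_LEN = HEADER_LEN + KEY_LEN + TAG_LEN


def _derive(password: bytes, salt: bytes, iterations: int) -> tuple:
    """Derive (mask_key, mac_key) from the password and salt."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=2 * KEY_LEN)
    return km[:KEY_LEN], km[KEY_LEN:]


def wrap_key(data_key: bytes, password: bytes, iterations: int = ITERATIONS) -> bytes:
    """Return salt || iterations || masked_key || tag, safe to keep in a dot file or the registry."""
    if len(data_key) != KEY_LEN:
        raise ValueError(f"data key must be {KEY_LEN} bytes")
    salt = os.urandom(SALT_LEN)     # fresh salt => fresh mask, so each mask is used exactly once
    mask, mac_key = _derive(password, salt, iterations)
    header = salt + struct.pack(">I", iterations)
    masked = bytes(k ^ m for k, m in zip(data_key, mask))
    tag = hmac.new(mac_key, header + masked, "sha256").digest()
    return header + masked + tag


def unwrap_key(blob: bytes, password: bytes) -> bytes:
    """Recover the data key; raises ValueError on a wrong password or a tampered blob."""
    if len(blob) != BLOB_LEN:
        raise ValueError("malformed key blob")
    header = blob[:HEADER_LEN]
    masked = blob[HEADER_LEN:HEADER_LEN + KEY_LEN]
    tag = blob[HEADER_LEN + KEY_LEN:]
    salt = header[:SALT_LEN]
    (iterations,) = struct.unpack(">I", header[SALT_LEN:])
    mask, mac_key = _derive(password, salt, iterations)
    expected = hmac.new(mac_key, header + masked, "sha256").digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise ValueError("wrong password or corrupted key blob")
    return bytes(c ^ m for c, m in zip(masked, mask))


def verify_password(blob: bytes, password: bytes) -> bool:
    """True if the password unwraps the blob (tag check), without handing out the key."""
    try:
        unwrap_key(blob, password)
        return True
    except ValueError:
        return False


def change_password(blob: bytes, old_password: bytes, new_password: bytes) -> bytes:
    """Re-wrap the same data key under a new password; nothing encrypted under it changes."""
    return wrap_key(unwrap_key(blob, old_password), new_password)


if __name__ == "__main__":
    data_key = os.urandom(KEY_LEN)   # the real encryption key, never stored in the clear
    blob = wrap_key(data_key, b"correct horse")
    blob = change_password(blob, b"correct horse", b"battery staple")
    print(unwrap_key(blob, b"battery staple") == data_key)   # True
    print(verify_password(blob, b"correct horse"))           # False
```

The tag covers the header as well as the masked key, so an attacker who can edit the stored blob cannot lower the iteration count or swap the salt without the check failing.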

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Crypto Related Professional Attitude
Date: Sun, 13 Aug 2000 13:16:31 GMT

On Sat, 12 Aug 2000 20:21:56 -0700, tomstd
<[EMAIL PROTECTED]> wrote, in part:

>Why is giving so bad?  I think giving to those that appreciate
>it is the best and most enjoyable experience ever.

Of course, given the volume of insults here, they may be concerned
about not taking a risk of losing their cool, and hence diminishing
the lustre of their reputations.

Anyways, lesser mortals like myself can answer the typical newbie
question.

These guys actually have lives.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:39 +0200



"Douglas A. Gwyn" wrote:
> 
> jkauffman wrote:

> > and your measuring equipment was absolutely perfect,
> > measured the underlying phenomenon to arbitrary precision,
> > and introduced no bias to the results due to manufacturing
> > imperfections whatsoever?
> 
> It is absolutely standard scientific procedure to take into
> account the characteristics of the apparatus.  Perfection is
> not necessary, and it is insane to require it.  There are also
> well-understood (provable) procedures for removing stationary
> bias from a random bit stream.

I suppose that most physical measurements, after doing 
sophisticated error analysis, give only values that are 
intervals (in which the correct values should be) that are 
considered acceptable at certain confidence levels. A more
accurate measurement gives a smaller interval, but not the
'exact' value. That kind of accuracy may be o.k. or even be
big over-kill for some purposes. But I think that one can't
claim that one gets 'absolutely' perfect measurements, 
at least in most cases of practical interest.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:35 +0200



Mickey McInnis wrote:
> 
> Actually, if you are purely "classical" and believe in predetermination,
> a sufficiently advanced enemy can forget about trying to predict
> the pad, and just predict the cleartext.  8-)

But the perfect security of ideal OTP consists in the fact
that the opponent's a posteriori probability of obtaining the
plaintext is the SAME as the a priori probability. There is
nothing more nor less.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:31 +0200



[EMAIL PROTECTED] wrote:

> 
> I think all the crypto-books are wrong. One-time pad is only secure
> based on the assumption that random numbers do exist.

A perfect one-time pad is a theoretical construct, a model
that is useful. As such its existence in practice doesn't
matter. Compare: a morally perfect person or a perfectly
healthy person.

> But can you prove that random numbers really exist? No.
> Can you generate truely random numbers? No.

Covered above, as far as perfect random numbers go.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:45 +0200



"Douglas A. Gwyn" wrote:
> 
[snip]

> inflate some other item(s).  There is a similar physical principle
> (named after Heisenberg) wherein increasing knowledge of one aspect
> of a physical system automatically reduces knowledge of some other
> aspect of the system.  This uncertainty is fundamental (basically
> it can be seen mathematically as a property of Fourier transforms)
> and unavoidable.  It's basically what is behind randomness at the
> quantum level, or at least it's essentially the same feature.

I find this interesting in a certain sense. This in effect
implies that we would never obtain any absolutely accurate 
and sure knowledge from measurements (in particular in physics), 
doesn't it? It follows neatly (what has been said by others) 
that we can never know whether anything given is really 
perfectly random, even if it were in fact perfectly random. 
I suppose that in a certain flavour Heisenberg's principle 
can be considered to be related to a well-known result of 
Goedel.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:58 +0200



"Douglas A. Gwyn" wrote:
> 
> With a truly random key stream, any such duplication of
> key is purely coincidental and unpredictable, so it cannot
> be used to leak PT information.

I guess that even a perfect OTP could leak information in
one sense, namely, in situations where the fact whether the 
sender sends any message at all to the receiver could give 
some clue to the opponent.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:54 +0200



Guy Macon wrote:
> 
[snip]

> At the end, you have a high level of confidence that RANDMIX is,
> as far as any attacker can tell, unbiased and unpredictable.

That's o.k. for the practice. Unfortunately that NEVER suffices
in the mind of a theoretician! That's the problem.


M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:59:02 +0200



"Douglas A. Gwyn" wrote:
> 
> It was always pretty obvious that for a given observed finite
> sample of a bit stream, one could specify a deterministic
> generator that would produce that bit stream.  That's why we
> need to be more careful when talking about "random numbers";
> what is really relevant is "(output of a) random process".

True. We need a random process that is truly indistinguishable 
from a theoretical perfect random process. How to obtain that,
or rather, how to determine that we have in fact obtained such
a process (if we are lucky enough) is the REAL (and unsolvable) 
problem, I believe.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Sun, 13 Aug 2000 15:58:50 +0200



John Savard wrote:
> 
> The advantage of physically-generated numbers lies precisely in the
> fact that even though deterministic physical laws may be involved in
> their production, the all-important _initial conditions_ are too
> complex, and too local, to be guessed or measured or duplicated.

But if it is sufficiently biased statistically, then its
use in crypto may nonetheless be questionable. Thus what is
needed is a set of powerful tests that check that a given
sequence is not distinguishable in qualities from one produced
by a (theoretical) fair coin. The real problem is however that
such a set of tests is open-ended. We can never know whether
we have enough in there. Further, testing one finite sequence
actually doesn't say about THE randomness of it. (As Douglas
Gwyn stressed, randomness should be referred to the process.
A truly random process, as is well-known, can produce a
finite sequence of all 0's, which certainly fails all tests.)
We must consequently be content with our subjective decision 
on the 'completeness' of the test suite and on the way of
interpretation of results in the sense of statistics. This
in turn implies that we always get 'practical', never 
'theoretical' (perfect), security.

M. K. Shen
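The test suite Shen asks for above, and the "well-understood (provable) procedures for removing stationary bias" that Gwyn mentions earlier in this thread, as an added example that is code from neither poster: two tests in the style of NIST SP 800-22 (frequency/monobit and runs) applied to a bit sequence, plus von Neumann debiasing. The biased source is a seeded PRNG, constructed here so the run is reproducible; it stands in for a skewed physical source. The all-zeros sequence shows Shen's point that a finite output of a genuinely random process can still fail every test.

```python
import math
import random

# Added example, not from the posts: two NIST SP 800-22 style tests
# (frequency/monobit and runs) plus von Neumann debiasing, one of the
# standard procedures for removing a stationary bias. The biased source
# below is a seeded PRNG, constructed so the output is reproducible.


def monobit_p(bits):
    """Frequency test: p-value that #ones ~ #zeros, erfc(|S_n| / sqrt(2n))."""
    n = len(bits)
    if n == 0:
        raise ValueError("empty sequence")
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def runs_p(bits):
    """Runs test: p-value that the number of runs matches an unbiased source.

    Returns 0.0 when the prerequisite |pi - 1/2| < 2/sqrt(n) fails, i.e. the
    sequence is already too biased for the runs statistic to be meaningful.
    """
    n = len(bits)
    if n < 2:
        raise ValueError("need at least two bits")
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_n - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def run_suite(bits, alpha=0.01):
    """Apply every test; the sequence passes only if no test rejects at alpha."""
    return {"monobit": monobit_p(bits) >= alpha, "runs": runs_p(bits) >= alpha}


def von_neumann(bits):
    """Debias an independent but biased stream: 01 -> 0, 10 -> 1, 00/11 dropped."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def biased_source(n, p_one, seed=1):
    """Constructed stand-in for a skewed hardware source: P(bit = 1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    zeros = [0] * 4096
    print("all zeros :", run_suite(zeros))        # both tests reject
    raw = biased_source(20000, 0.7)
    print("70% ones  :", run_suite(raw))          # both tests reject
    fixed = von_neumann(raw)
    print(f"debiased  : {run_suite(fixed)} ({len(fixed)} bits kept of {len(raw)})")
```

Von Neumann's procedure only removes bias from bits that are independent; it does nothing for correlation between successive bits, which is why a full suite (NIST's has fifteen tests, and as Shen says the list is open-ended) is still run on the debiased output rather than trusted from the construction alone.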

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Crypto Related Professional Attitude
Date: Sun, 13 Aug 2000 13:51:15 GMT

In article <[EMAIL PROTECTED]>,
  tomstd <[EMAIL PROTECTED]> wrote:
> This post is for the professionals such as Biham, Rivest,
> Schneier, Wagner, Shamir, Coppersmith, etc...
>
> Why don't you guys ever participate even a little in sci.crypt?

Hey, isn't it harsh including Wagner in that list - use Deja and look
up how many times he posts per week!

Schneier used to post quite regularly, but then that freak D.Scott
flamed him every time he wrote.  Put yourself in Bruce's shoes - would
you give up your (very valuable...) personal time to help people on
sci.crypt only to be attacked on a personal level by someone who
clearly has "deep personal issues"?

Besides, what kind of questions do you pose that you believe aren't
sufficiently answered to your satisfaction by Wagner, Wooding,
Silverman, Ritter, Rubin, John, Savard, Peschel, Shaw, Gwyn et al.

I think we have some serious minds in the above list that really do
justice to topics discussed on sci.crypt.

> No offense but you claim to be active in crypto,
> and honest you
> guys know way more than most of us (including me).
> So why not
> post from time to time excluding posts to plug your papers?
>
> It seems like there are alot of arrogant professionals in the
> world.

Looking at some of your previous posts, perhaps they could turn it
around and call you an arrogant newbie.  Some of your questioning
of "those more experienced" has been impolite at best...

> Honestly there are what 50 posts a day here, and about
> 25 active posters.  It's not like there are 1000s of messages to
> read through so time is not an issue.  It takes me about 30 mins
> to go through the news messages, often under 10mins since a lot
> of posts are not within my reasonable answering range.

And how many of those posts would require the cryptographers you have
named to reply in order for the poster(s) to get a reasonable answer?
One post a week maybe?

> I agree that professionals are/may be busy and have work to
> attend to

Tom, wait until you get into the big wide world.  Some of the people
you list are Professors and as such will be worried about running
courses / whole departments in prestigious universities.  Others run
several recently created businesses etc.

>, but seriously so do I.   Big deal.

[Joke!] I'm sure your paper round takes up a lot of time.... [/Joke]

> I post here
> because I want to learn and share.  Why can't the big shots do
> the same?
>
> I invite the professionals (a.k.a big shots) to reply to this
> thread with their opinions since I want to know why they remain
> so silent when they apparently have lots to share.
>
> Sincerely,
> Tom


Rgds,

--
Sam Simpson
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components.  PGP Keys available at the same site.



Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Frank M. Siegert)
Subject: Re: Updated stream cipher
Date: Sun, 13 Aug 2000 14:09:53 GMT

On 12 Aug 2000 18:13:17 -0700, [EMAIL PROTECTED]
(David A. Wagner) wrote:

>Frank M. Siegert <[EMAIL PROTECTED]> wrote:
>> I put some work into my cipher 'stepfive' [...] Comments anyone?
>
>It's a little complicated.  That makes analysis more time-consuming.

Upfront it is Arcfour in 2-D, nothing more, nothing less. 

Each cell content in the S-field [16x16] can be converted to an x/y
position by using the high 4 bits for x and the low 4 bits for y;
using this mechanism the same basic 'swap' method and key setup as in
Arcfour is implemented. I did this just to check whether the resulting
method would have similar properties to the original arcfour
algorithm.

There are some new elements built in mostly for the purpose of
presenting them:

- the simple one stage 'increment one - swap - add' of arcfour was
extended to a multi stage method. The bitfield serves as a
'compressor' function which compresses an 8 bit value to a 3 bit one, for
the purpose of 'regulating' the general speed. Any other mechanism
would do too. For each 'cipher' byte generated a value is extracted
from the bitfield that serves as a 'depth limiter'. Zero would cause
just the 'normal' arcfour-like behaviour.

- the key setup was remodeled, so also the 'walk' of the initor cell
(which is just n=(n+1) mod 256) is now handled variably by building up
a closed 'pseudo' random walk over all field elements depending on the
key. You are right there is a timing issue here because key setup time
becomes key dependent (depending on the key used). I do not know if
the merits of higher complexity for the walk of the initor do justify
this yet.

>It might help if you described the motivation for this cipher.  What
>problem does it solve that other ciphers can't?  Why is it interesting?

Because I have not seen it yet in other ciphers, I tried to build upon
the arcfour method (which is to date unbroken afaik). Besides, I wanted
to see whether an n-dimensional coded arcfour would actually work.

Also I'd like to model the method to get rid of initial artefacts, so
the cipher generation can start right away. I have heard that it is
recommended in 'true' arcfour to drop the first few cipher bytes and
the random walk stuff would get rid of them I suppose.

>How fast is Stepfive?  It looks to me like it could be slow.

The speed depends entirely on the contents of the bitfield. Make these
just 2-bit values and the speed goes up. Remove it or make all values
0 and you have arcfour speed (except for the bit work on the
coordinate calculation).

>I noticed that Stepfive uses loops with variable iteration counts.
>Although I can't say whether this property leads to weaknesses in this
>specific case, in general it can often allow timing attacks.

Yep, noted. An attacker can presumably get an estimation of the state
of the bitfield by this. However no state of the S-field is revealed.

Thanks

        Frank
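The 2-D layout Frank describes, and the "drop the first few cipher bytes" recommendation he has heard of, as an added example that is not Frank's stepfive code: the standard Arcfour/RC4 key schedule and generator run over either a flat 256-entry table or a 16x16 S-field addressed by a byte's high nibble (x) and low nibble (y). The two produce identical keystreams, which is the precise sense in which the 2-D form is "nothing more, nothing less" than Arcfour. The last function measures why the early output is dropped: over random keys the second keystream byte is 0 about twice as often as it should be (the Mantin-Shamir bias). The random keys come from a seeded PRNG and are constructed input; the "Key"/"Plaintext" pair is the widely published RC4 test vector.

```python
import random

# Added example (mine, not Frank's stepfive code): plain Arcfour/RC4 over a
# flat table or over a 16x16 "S-field" addressed by nibbles, the optional
# RC4-drop[n] prefix discard, and a measurement of the second-byte bias
# that motivates the discard. Keys for the measurement come from a seeded
# PRNG (constructed input).


class SField:
    """256-entry permutation stored as 16x16 cells; index -> (high nibble, low nibble)."""

    def __init__(self):
        self.cells = [[(x << 4) | y for y in range(16)] for x in range(16)]

    def __getitem__(self, i):
        return self.cells[i >> 4][i & 0xF]

    def __setitem__(self, i, v):
        self.cells[i >> 4][i & 0xF] = v


def ksa(key: bytes, S):
    """RC4 key-scheduling algorithm over any object indexable by 0..255."""
    if not key:
        raise ValueError("empty key")
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def keystream(key: bytes, n: int, drop: int = 0, two_d: bool = False) -> bytes:
    """Return n keystream bytes after discarding the first `drop` (RC4-drop[n])."""
    S = ksa(key, SField() if two_d else list(range(256)))
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF                       # "increment one": the initor walk
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]                  # "swap"
        if k >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])  # "add"
    return bytes(out)


def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data), drop)))


def second_byte_zero_rate(num_keys: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose 2nd keystream byte is 0 (uniform: 1/256)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if keystream(key, 2)[1] == 0:
            hits += 1
    return hits / num_keys


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex().upper())          # BBF316E8D940AF0AD3
    print(keystream(b"Key", 16, two_d=True) == keystream(b"Key", 16))
    rate = second_byte_zero_rate(16000)
    print(f"P(second byte == 0) ~ {rate:.4f}, uniform would be {1 / 256:.4f}")
```

Since the nibble mapping is a bijection on 0..255, any cipher that only changes how the 256 cells are addressed inherits RC4's known output biases unchanged; what stepfive adds (the bitfield depth limiter and the key-dependent walk) is what would have to be analysed separately.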


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
