Cryptography-Digest Digest #692, Volume #12      Sat, 16 Sep 00 10:13:01 EDT

Contents:
  Tying Up Loose Ends - Correction (John Savard)
  Re: "Secrets and Lies" at 50% off (Tom St Denis)
  Re: Double Encryption Illegal? (Tom St Denis)
  Re: "Secrets and Lies" at 50% off (Tom St Denis)
  Re: "Secrets and Lies" at 50% off (John Winters)
  non-linear decorrelation? (Tom St Denis)
  Re: "Secrets and Lies" at 50% off (SCOTT19U.ZIP_GUY)
  Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
  QUESTION ABOUT ALGORITHMS  ("Melinda Harris")
  Re: "Secrets and Lies" at 50% off (Tom St Denis)
  Re: non-linear decorrelation? (Tom St Denis)
  another nonlinear decorrelation idea (Tom St Denis)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Tying Up Loose Ends - Correction
Date: Sat, 16 Sep 2000 11:08:41 GMT

I finally got around to fixing two incorrect links in the description
of Quadibloc II (the "Up" links of the last two pages) because I had
something more exciting to do.

In

http://home.ecn.ab.ca/~jsavard/crypto/mi060303.htm

the page entitled "Tying Up Loose Ends", to the four awkward schemes I
provided to deal with the fact that a pseudo-Morse code always has one
symbol less than the Huffman code to which it corresponds, I have now
provided a scheme which is both efficient and which avoids
backtracking.

Since this is an element of David A. Scott's encryption proposals, and
since he claimed he didn't have the kind of difficulties with the last
symbol that I encountered, possibly this is the method he is using. If
so, I will have to credit him specifically in this case: while I think
the basic notion of coding the last symbol in a general fashion, where
a message is represented by a prefix-property binary code, and the
resulting message is transmitted with an explicit length indication,
is almost certain to have occurred to people at an early stage in the
development of this field (maybe even before Huffman came forward with
his replacement for Shannon-Fano coding), the specific scheme of using
a code that is shifted down one symbol after either the least frequent
symbol or the least frequent symbol followed by any number of
repetitions of the second least frequent symbol so as to achieve an
optimal scheme not requiring backtracking is at a level of detail that
no one might necessarily have ever bothered with before.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 11:58:03 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Savard) wrote:
> On Thu, 14 Sep 2000 22:13:42 GMT, Tom St Denis <[EMAIL PROTECTED]>
> wrote, in part:
>
> >I know you are well intentioned but for the same reason I don't like
> >other spammers, I would suggest that you don't do this.
>
> >If you want to talk about your book by all means go ahead, but you
> >really are spamming this group.
>
> >Just my two cents, and seriously no offence intended.
>
> In a sense, you might have a point; he is flogging a book on which he
> is making money. But very few people will agree with you that his post
> didn't belong, because many people were going to buy this book, and
> information on how to save money on it is therefore useful: it is very
> different from wasting bandwidth trying to push something hardly anyone
> particularly wants.

It's not whether people want the book or not.  Nobody asked "how much
does it cost" he just posted an ad.  That's spam and there is no way to
go about it.  Does he care what we think about the book?  Can we find
out what he thinks about the book?  Apparently not.

> However, many people will be very much tempted by your post to call
> you bad names, and so on. Why?
>
> Well: it appears obvious that your post is prompted by dismay at the
> unfairness of a world where people like Bruce Schneier receive respect
> while people like David A. Scott receive derision.
>
> And as to how that looks to others - despite the fact that Mr. Scott's
> two main points are valid in themselves (key dependent S-boxes are
> good, and the larger the better; compression prior to encryption
> deserves attention specifically related to encryption as an
> application) - words appropriate to polite discussion fail me.

His points are valid but he goes about them the wrong way.  (see below).

> Hey, wait a minute: why does it look so bad, if Mr. Scott is famous
> for advocating two _valid_ points? It isn't just a veneration of style
> over substance, or respect accorded to markers of status like having a
> book published.
>
> The so-called "crypto gods" claim that the issues pursued by Mr. Scott
> are minor ones. And their reasoning is valid for reasons people can
> understand.

When someone constantly mocks others, their words have less tentative
value.

> - An S-box with 65,536 or more entries limits the applicability of a
> block cipher that requires it. Also, it is only as good as the key
> schedule algorithm used to fill it.

Ah, a 16x16 sbox will most likely be partially nonlinear if it's random
and that's good.  However, there are several ways to get a 16x16 sbox
with ideal properties, none of which are what D.Scott does.  Making
128kb tables is not a good idea for about 99% of all applications of
crypto.

> - Conventional block ciphers, even without key-dependent S-boxes,
> appear to approach security equivalent to the difficulty of cracking
> them through brute-force search.

This has been known for a bit :-)

> - Block ciphers are designed to resist known-plaintext attacks. Hence,
> the importance of removing redundancy from plaintext to hamper the
> task of the cryptanalyst is significantly reduced.
>
> - Modern block ciphers have large enough keys that brute-force
> searching is not practical, and so making it harder to unambiguously
> identify plaintext by complicating the compression scheme seems to be
> at best of marginal importance.
>
> One can still try to raise these minor points as something that,
> although of limited benefit, is worth doing because the effort
> required is small, and because one can't be sure that one's ciphers
> are really as strong as one thinks - so any extra precaution available
> is worth considering.

By using large sboxes?

> But if you instead go around and loudly proclaim that everything that
> isn't done your way is junk, people will make the expected response to
> that. What on earth else could you possibly expect?

Well his points (D.S's) are related to crypto but the problem is that
he rarely discusses them from a point of view that contains scientific
information.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: comp.databases.oracle
Subject: Re: Double Encryption Illegal?
Date: Sat, 16 Sep 2000 11:59:32 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> PRdO wrote:
> >
> > IMHO double encryption  *does not* add security, i.e., double
> > encryption in 128-bit doesn't equal better encryption.
> > (since encryption uses random keys, "randoming" again the data
> > would not lead to more secure data).
>
> If you have an algorithm that does a perfect job (do
> you happen to have one?), then there is by definition
> nothing to improve. Otherwise, multiple encryption may
> help, if done properly.

Ah but double encryption is not the way to go about it.

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 12:02:50 GMT

In article <8pv6g2$4m4$[EMAIL PROTECTED]>,
  David A Molnar <[EMAIL PROTECTED]> wrote:
> JPeschel <[EMAIL PROTECTED]> wrote:
>
> > No supper for you. Now go to your  room.
>
> I know that Tom is "young," but he's not *that* young.
> Two-three years ago I was his age (assuming Tom is 17-18) and in a
> similar position...worse off, really, since I knew far less about
> cryptography.
>

For the record I am 18 (April 7th 1982).

> obCrypto: paper skimmed today was _A Critique of CryptoComplexity_ by
> Michael Merritt. Part of a DIMACS 1991 volume on "distributed
> computing and cryptography." Asks about the intersection between
> crypto and complexity theory and whether the alliance works.
> Intriguing stuff, though regulars in this forum have probably heard
> some of the arguments before (e.g. asymptotic nature of security
> results).
>
> a test question from the paper (paraphrased from memory):
>
> "What do these two questions
>               is it hard to factor 512-bit numbers?
>               do one-way functions exist?
>
> have to do with each other? and will practical cryptographers care
> about the answer to the latter?"
>
> some of the concerns raised there have been addressed -- see concrete
> security results so as to banish asymptotic security proofs. instead,
> get explicit relation to difficulty of factoring. others who knows.
>
> obSecurityAlmostCrypto: the SDMI contest thread reminds us all that
> stupid show cracking contests are Not The Right Way To Build
> Assurance. Is there a "right way" to do such a contest? Are the RSA
> Data Security and Certicom challenges examples of the "right way"?

RSA's goal is to show off the cracking ability of the public world.
They therefore concretely showed that 56-bit keys are too short, that
512-bit RSA keys can be broken, etc...

The "whitebox" crypto as in SDMI is just a stupid joke.  It can't be
done at all. Speakers/Monitors are analogue, so at *some* point I can
tap the signal and steal the content.  You just can't protect it
digitally.

Tom



------------------------------

From: [EMAIL PROTECTED] (John Winters)
Crossposted-To: comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: 16 Sep 2000 13:21:40 +0100

In article <8pvn86$gdc$[EMAIL PROTECTED]>,
Tom St Denis  <[EMAIL PROTECTED]> wrote:
[snip]
>It's not whether people want the book or not.  Nobody asked "how much
>does it cost" he just posted an ad.  That's spam

Err, no it isn't.  Look up an informed definition of Spam.  Clue - the
definition isn't "anything I don't like".

HTH
John
-- 
John Winters.  Wallingford, Oxon, England.

The Linux Emporium - the source for Linux CDs in the UK
See http://www.linuxemporium.co.uk/

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: non-linear decorrelation?
Date: Sat, 16 Sep 2000 12:27:13 GMT

I was thinking about F(x) = a/(x+b) + c in GF(2)^n, with the
convention that a != 0, and n/0 = 0.

With the theories put out by Nyberg (I believe... not sure off hand)
the function 1/x+b is non-linear and has a very low dp max.  I think
the dpmax of the entire construction will be higher (multiplication
makes diffchars of prob 1) but the non-linearness would be a nice touch.

The function would have log2((2^(n-1))(2^n)(2^n)) = 3n bits of entropy
which is nice.  One problem is that it's slow, as the inversion can be
done with either Euclid's algorithm or using x^(p-2) mod p, but either
case is too slow for high speed algorithms.  For small fields (say
under 12 bits) an inversion table could be precomputed; in fact if one
used the above F(x) as an 8x8 sbox the entire step could be precomputed.

Idea:  Place those in Twofish with the fixed MDS matrix.  The four 8x8
sboxes would be nonlinear and resilient to differential attacks.
Problem:  Each sbox is limited to ~24 bits of entropy, unlike the
construction in Twofish which has 32 bits max per sbox.  Idea... try
doing F(x) = a/(bx + c) + d in the same field where a, b != 0.  Whoa
that won't work... and here is why
F(x) = a/bx + a/c + d

a/c + d = g

F(x) = a/bx + g
F(x) = (a/b)(1/x) + g

a/b = h

F(x) = h/x + g

And we are back where we started... In fact this means the original
idea is bad too (a/(x+b) + c) or am I crazy?

Tom



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: 16 Sep 2000 12:49:21 GMT

[EMAIL PROTECTED] (John Savard) wrote in 
<[EMAIL PROTECTED]>:

>On Thu, 14 Sep 2000 22:13:42 GMT, Tom St Denis <[EMAIL PROTECTED]>
>wrote, in part:
>
>>I know you are well intentioned but for the same reason I don't like
>>other spammers, I would suggest that you don't do this.
>
>>If you want to talk about your book by all means go ahead, but you
>>really are spamming this group.
>
>>Just my two cents, and seriously no offence intended.
>
>In a sense, you might have a point; he is flogging a book on which he
>is making money. But very few people will agree with you that his post
>didn't belong, because many people were going to buy this book, and
>information on how to save money on it is therefore useful: it is very
>different from wasting bandwidth trying to push something hardly anyone
>particularly wants.
>
>However, many people will be very much tempted by your post to call
>you bad names, and so on. Why?

    I don't agree with Tommy or you very much. But if people
are calling Tommy bad for this they are wrong. I used to get spam
from Mr BS about his crappy books and did not like it one bit.
However it has been several months since I last received spam from
him about his BS books and I do thank him for not sending me more
crap about his books.

>
>Well: it appears obvious that your post is prompted by dismay at the
>unfairness of a world where people like Bruce Schneier receive respect
>while people like David A. Scott receive derision.
>

   I think I get derision because I don't worship Mr. BS
and think people vastly overrate his abilities.

>And as to how that looks to others - despite the fact that Mr. Scott's
>two main points are valid in themselves (key dependent S-boxes are
>good, and the larger the better; compression prior to encryption
>deserves attention specifically related to encryption as an
>application) - words appropriate to polite discussion fail me.
>
>Hey, wait a minute: why does it look so bad, if Mr. Scott is famous
>for advocating two _valid_ points? It isn't just a veneration of style
>over substance, or respect accorded to markers of status like having a
>book published.
>
>The so-called "crypto gods" claim that the issues pursued by Mr. Scott
>are minor ones. And their reasoning is valid for reasons people can
>understand.
>

   Anything different than what they currently do is a minor issue.

>- An S-box with 65,536 or more entries limits the applicability of a
>block cipher that requires it. Also, it is only as good as the key
>schedule algorithm used to fill it.
>

   Again more crap. Making it large does not necessarily make it weak.
The fact is the S-box can be any random single cycle permutation
and I suggest people do a lot to create as random of an S-box
as possible. My last contest showed how much better it is for certain
things than any of the AES stuff which I feel will be deliberately
weak so the NSA can still keep their hand in the Cookie Jar.
   As far as compression being a minor concern, MR. BS in his previous
book stated it was a good idea. Of course any real detail was left out,
maybe on purpose. If you use the wrong compression, then usually only
one key can do the decryption. That is surely not a good thing and I
doubt even MR BS is so stupid as to miss that. So maybe this minor
detail is missed on purpose so people will continue to use bad compression.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Tying Up Loose Ends - Correction
Date: 16 Sep 2000 13:01:11 GMT

[EMAIL PROTECTED] (John Savard) wrote in 
<[EMAIL PROTECTED]>:

>I finally got around to fixing two incorrect links in the description
>of Quadibloc II (the "Up" links of the last two pages) because I had
>something more exciting to do.
>
>In
>
>http://home.ecn.ab.ca/~jsavard/crypto/mi060303.htm
>
>the page entitled "Tying Up Loose Ends", to the four awkward schemes I
>provided to deal with the fact that a pseudo-Morse code always has one
>symbol less than the Huffman code to which it corresponds, I have now
>provided a scheme which is both efficient and which avoids
>backtracking.

   John I have looked at your page several times and told you
how to fix it. But I guess you're still too damn lazy to write real
code to check anything.

>
>Since this is an element of David A. Scott's encryption proposals, and
>since he claimed he didn't have the kind of difficulties with the last
>symbol that I encountered, possibly this is the method he is using. If
>so, I will have to credit him specifically in this case: while I think
>the basic notion of coding the last symbol in a general fashion, where
>a message is represented by a prefix-property binary code, and the
....

  I take it with all the caveats that you still don't have a
clue as to what I did and your back handed compliments don't
mean shit. John I have real code you can test. DO YOU?
I didn't have the difficulties you have. Because you have a
closed mind and refuse to write code to test anything. Instead
you spout fluff as if you really know something.


David A. Scott

------------------------------

From: "Melinda Harris" <[EMAIL PROTECTED]>
Subject: QUESTION ABOUT ALGORITHMS 
Date: Sat, 16 Sep 2000 13:29:49 GMT

Ladies and Gentlemen
Can anyone tell me how to patent an algorithm. Where to go. What to sign and
how much it costs???
Any response would be greatly appreciated
EIA



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 13:17:47 GMT

In article <8pvokk$t4u$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Winters) wrote:
> In article <8pvn86$gdc$[EMAIL PROTECTED]>,
> Tom St Denis  <[EMAIL PROTECTED]> wrote:
> [snip]
> >It's not whether people want the book or not.  Nobody asked "how much
> >does it cost" he just posted an ad.  That's spam
>
> Err, no it isn't.  Look up an informed definition of Spam.  Clue - the
> definition isn't "anything I don't like".

What are you guys talking about?  I own a copy of applied crypto, I
like his research!!!

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: non-linear decorrelation?
Date: Sat, 16 Sep 2000 13:20:04 GMT

In article <8pvoum$i6b$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> I was thinking about F(x) = a/(x+b) + c in GF(2)^n.  with the
> convention that a != 0, and n/0 = 0.

Change that simply to F(x) = a/x + b and we are all set (a != 0, 1/0 = 0).

Similarly if the inversion was precomputed as S[] then the function
would resemble

y = (a * S[x]) + b

Tom


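An added example, not the poster's own code, that builds the y = (a * S[x]) + b S-box of this reply and of the F(x) = a/x + b post it follows up, and measures the "dp max" the thread refers to by computing the full difference distribution table. It assumes the AES field polynomial for GF(2^8) (the posts fix none) and uses constructed sample values for a and b.

```python
# Added example, not code from the original post: the 8x8 S-box
# y = (a * S[x]) + b of the thread, where S[] is the precomputed
# inversion table with the post's convention 1/0 = 0, and its
# differential uniformity (the "dp max"), read off the difference
# distribution table. Assumption: GF(2^8) uses the AES polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B); the post fixes no polynomial.

POLY = 0x11B

def gf_mul(x: int, y: int) -> int:
    """Multiply two GF(2^8) elements (carry-less product reduced mod POLY)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= POLY
        y >>= 1
    return r

def gf_inv(x: int) -> int:
    """Multiplicative inverse via x^(2^8 - 2) = x^254; 0 maps to 0."""
    if x == 0:
        return 0
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

INV_TABLE = [gf_inv(x) for x in range(256)]   # the S[] of the post

def make_sbox(a: int, b: int) -> list:
    """y = a * S[x] + b; '+' is XOR in GF(2^8). Needs a != 0."""
    if a == 0:
        raise ValueError("a == 0 collapses the S-box to a constant")
    return [gf_mul(a, INV_TABLE[x]) ^ b for x in range(256)]

def is_bijection(sbox: list) -> bool:
    return sorted(sbox) == list(range(256))

def dp_max(sbox: list) -> int:
    """Largest DDT entry over non-zero input differences: the number of x
    with sbox[x] ^ sbox[x ^ dx] == dy, maximised over all (dx, dy).
    A linear map scores 256 (a probability-1 characteristic); the field
    inverse in GF(2^8) scores 4, i.e. probability 4/256 at best, and
    the constants a and b (linear map plus translation) do not change it."""
    best = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

if __name__ == "__main__":
    for a, b in ((1, 0), (0x53, 0xA7)):          # constructed sample constants
        s = make_sbox(a, b)
        print(f"a={a:#04x} b={b:#04x} bijection={is_bijection(s)} dp_max={dp_max(s)}")
    print("identity map dp_max =", dp_max(list(range(256))))
```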

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: another nonlinear decorrelation idea
Date: Sat, 16 Sep 2000 13:38:22 GMT

In GF(65537) we can use F(x) = ax^3 + b (mod 65537) which has an
inverse function given by F'(x) = ((x - b)/a)^43691 (mod 65537) which
means it's a bijection.  Although cubing requires at least two
multiplications (square, mult) or three mults in total (the entire
function) it shouldn't be terribly slow.

Similarly in GF(257) we find 3(171) mod 256 = 1 thus it too would be a
function.  Again this can be precomputed as a lookup table.

In fact couldn't this extend to higher orders?  I am a bit shaky on this
however: is the only requirement that the exponents have inverses?
Such as F(x) = ax^7 + bx^5 + cx^3 + d (mod 2^k + 1)

Tom


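Added example, not code from the post: it checks the ax^3 + b construction and the two inverse exponents quoted above (171 for GF(257), 43691 for GF(65537)), and probes the closing question with a two-term polynomial whose exponents are both invertible mod p-1. The constants a = 5 and b = 9 are constructed sample values.

```python
# Added example, not code from the original post: the power map
# F(x) = a*x^3 + b over GF(p) for p = 257 and p = 65537, the inverse
# exponent d with 3*d == 1 (mod p-1) that the post quotes (171 and
# 43691), and a check of the follow-up question about multi-term
# polynomials. Sample constants a = 5, b = 9 are constructed here,
# not taken from the post.
from math import gcd

def inverse_exponent(e: int, p: int) -> int:
    """d with e*d == 1 (mod p-1), so (x^e)^d == x for every x in GF(p).
    x -> x^e permutes GF(p) exactly when gcd(e, p-1) == 1."""
    if gcd(e, p - 1) != 1:
        raise ValueError(f"x^{e} is not a permutation of GF({p})")
    return pow(e, -1, p - 1)

def forward(x: int, a: int, b: int, e: int, p: int) -> int:
    """F(x) = a*x^e + b (mod p)."""
    return (a * pow(x, e, p) + b) % p

def inverse(y: int, a: int, b: int, e: int, p: int) -> int:
    """F'(y) = ((y - b)/a)^d (mod p), the post's inverse with e = 3."""
    d = inverse_exponent(e, p)
    a_inv = pow(a, -1, p)                      # a != 0 required
    return pow((y - b) * a_inv % p, d, p)

def is_permutation(f, p: int) -> bool:
    """True iff f hits every element of GF(p) exactly once."""
    return len({f(x) for x in range(p)}) == p

def round_trips(p: int, a: int = 5, b: int = 9, e: int = 3) -> bool:
    """F'(F(x)) == x for every x in GF(p)."""
    return all(inverse(forward(x, a, b, e, p), a, b, e, p) == x
               for x in range(p))

def cube_plus_x(x: int, p: int) -> int:
    """x^3 + x (mod p): both exponents are coprime to p-1, yet for
    p = 257 (p == 1 mod 4, so -1 is a square; 16^2 == -1) the product
    x(x^2 + 1) sends 0 and both square roots of -1 to 0, so the sum of
    two permutation monomials is not itself a bijection."""
    return (pow(x, 3, p) + x) % p

if __name__ == "__main__":
    for p in (257, 65537):
        print(f"p={p}: d={inverse_exponent(3, p)} round-trip={round_trips(p)}")
    print("x^2 mod 257 permutation:", is_permutation(lambda x: pow(x, 2, 257), 257))
    print("x^3 + x mod 257 permutation:",
          is_permutation(lambda x: cube_plus_x(x, 257), 257))
```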

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
