Cryptography-Digest Digest #710, Volume #12 Mon, 18 Sep 00 16:13:00 EDT
Contents:
Re: Algebra, or are all block ciphers in trouble? (Mok-Kong Shen)
Re: QUESTION ABOUT ALGORITHMS (Terry Ritter)
Re: Algebra, or are all block ciphers in trouble? ([EMAIL PROTECTED])
Re: On secret Huffman compression (SCOTT19U.ZIP_GUY)
Re: Chosen and known attacks - are they possible ?? (Jim Gillogly)
Re: Hamming weight (Mok-Kong Shen)
Re: QUESTION ABOUT ALGORITHMS (Mok-Kong Shen)
Re: MIRACL ("Michael Scott")
A conjecture - thoughts? (Andru Luvisi)
Re: QUESTION ABOUT ALGORITHMS (Terry Ritter)
Software patents are evil. ("Dann Corbit")
Re: CDMA tracking (was Re: GSM tracking) (zapzing)
Re: Disappearing Email redux (Tommy the Terrorist)
Re: Software patents are evil. (Terry Ritter)
Re: A conjecture - thoughts? (Mok-Kong Shen)
Re: non-linear decorrelation? (James Felling)
Re: More Bleh from a Blahish person. ;) (James Felling)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Algebra, or are all block ciphers in trouble?
Date: Mon, 18 Sep 2000 20:25:37 +0200
John Savard wrote:
>
> But as long as f(x) is nonlinear, it appears that one cannot go
> further, and that Feistel-round block ciphers are safe.
I believe that one could put it as a rule of thumb that
non-linearity is always to be preferred (or else there
be appropriate means to break up (destory) the linearity
present).
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: QUESTION ABOUT ALGORITHMS
Date: Mon, 18 Sep 2000 18:11:44 GMT
On 18 Sep 2000 17:08:37 GMT, in <[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>[...]
> Terry I realize your are most likely better at crypto than
>Mr BS. But he is the media darling and unfortunutly you are
>not.
Let me point out that being a media darling was a goal I gave up many
years ago, based on initial successful results.
>But a question that might be in most people's mind is how
>much did the three of these patents cost. And in the long run
>did you make more money with these methods than if you did not
>patent them. Did you even possibly lose money since maybe the
>methods were not blessed by some media made phony crypto guru.
I don't feel comfortable discussing my business, but I can give some
information.
My patents were very, very expensive. First, I had to learn a very
great deal, which took a long time away from my work, and at that I am
certainly no patent lawyer. Now I know just about enough to apply for
a patent and prosecute the case where there is no prior art at all, a
fairly unusual situation. In one case I had a company pay for most of
two lawyers for over a month on one application and that may have cost
$40k or so -- for one patent.
Without being specific, it should be obvious that my patents have not
been spectacularly profitable. One might well imagine that there
would have been more interest had my work been described in the
current crypto texts. I take this situation to be more a comment on
the text authors than my work. But that does not buy equipment.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Algebra, or are all block ciphers in trouble?
Date: Mon, 18 Sep 2000 18:07:18 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> Well, I've added a new page to my site:
>
> http://home.ecn.ab.ca/~jsavard/co041206.htm
>
> in which I try to generalize from the fact that, given an invertible
> f-function, it is trivial to solve for the subkeys from known
> ........
> But as long as f(x) is nonlinear, it appears that one cannot go
> further, and that Feistel-round block ciphers are safe.
>
the right address is http://home.ecn.ab.ca/~jsavard/crypto/co041206.htm
it is a VERY GOOD work.
but the conslusion is ony 95% correct:
if you go writing boolean algebraic
equation at BIT level, it can be demonstrated that
ANY invertible f-function may be built-up by a proper
composition of XOR and NOT function...
(as INVERTIBLE f-function i mean ANY BOOLEAN function of N
input bit and 1 output bit where
by the knowledge of ANY N-1 input + the output
it is possible to retrieve the remaining input bit).
Such a composition allows you to extract the unknowns
from the "F(x,y,z)" expression:
you may simplify your equations, because it will be made
by XOR and NOT functions only.
...so the strongness of DES against an ALGEBRAIC attack
resides in the EXPANSION permutation (from 32 to 48 bits)
and the S-Box HASHING (from 48 to 32 bits),
that constitutes a NON-Invertible f-function.
best wishes
Ferdinando
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: On secret Huffman compression
Date: 18 Sep 2000 18:20:20 GMT
[EMAIL PROTECTED] (Benjamin Goldberg) wrote in
<[EMAIL PROTECTED]>:
>SCOTT19U.ZIP_GUY wrote:
>> [EMAIL PROTECTED] (Mok-Kong Shen) wrote in
>> <[EMAIL PROTECTED]>:
>>
>> >A Huffman tree for compression is built according to the
>> >frequncy distribution in the manner that is well-known.
>> >We assume that the opponent can build the same tree.
>> >Now we do modifications to the coding as follows such
>> >that the opponent cannot decompress to obtain the
>> >original message:
>> >
>> >Use a secret key as seed of a PRNG. At each non-terminal
>> >node of the given Huffman tree, use a psudo-random number
>> >to determine whether the two branches are to be flipped,
>> >i.e. whether their markings of 0/1 are to be exchanged.
>> >Use the modified tree to do compression.
>> >
>> >We note that in order to cater for the byte/word boundary
>> >issue of the output file, one can include an end-of-file
>> >symbol (with the least frequency) in the Huffman tree
>> >and after output of that symbol use random bits to fill
>> >to the desired byte/word boundary.
>>
>> Yes do that if it makes you happy.
>>
>> but why not use my focused huffman its does the same thing
>> if you look at the code. You can supply the 0/1 switching and
>> padding as a function or you can modify it was random stuff.
>> But you already know that. However again I must point out with
>> mine you don't need to waste space with a useless EOF symbol
>
>Unless I'm mistaken, Mok-Kong Shen's code does not do the same thing as
>your huffman code; Your code is an adaptive huffman code, his is a
>static code. Also, with his code, you don't need an EOF either, in most
>cases... if the tree was based on 8-bit symbols, and we need 1..7 bits
>to fill out the last 8-bit byte, we can simply choose some symbol whose
>huffman code is longer than 8 bits, and write out part of it. Also, the
>huffman tree is probably small enough that, for PK encryption, we can
>encrypt it along with a symmetric key inside the PK block.
>
>--
>... perfection has been reached not when there is nothing left to
>add, but when there is nothing left to take away. (from RFC 1925)
>
Yes your quite right. I tend to only talk about my versions
of adaptive huffman coding. However if one needed a static huffman
coding my later conditional huffman coding could do the same thing
if one stuffed the static tree along with a symmetric key inside the
PK block. I mention it less but it is 1-1 to the file being compressed
if one does not count the tree. Where I read the condtion file is
really nothing more than predefining a tree. And it would work for
trees of less than 256 leaves.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Chosen and known attacks - are they possible ??
Date: Mon, 18 Sep 2000 18:25:50 +0000
kihdip wrote:
> <http://www.ams.org/notices/200004/fea-landau.pdf>
> - Ciphertext only
> - Known plaintext
> - Chosen plaintext
> - Chosen ciphertext
>
> Forgive my ignorance, but are the known and chosen attacks only teoretical
> ?? If not: How would an attacker get a chosen plaintext encrypted ??
Known plaintext attacks are very common: for example, the enemy sends
in code or cipher a diplomatic message to be handed to the President.
Some embassies in the past have sent encrypted newspaper articles home.
Chosen plaintext attacks are less common, but possible. The Battle of
Midway is the canonical example. American cryppies had a solid entry
into the Japanese code JN25b, and had decided that the target for the
next attack (AF in the Japanese code) was probably Midway. The brass
weren't satisfied with this level of confidence, since the downside
was potential disaster. The cryppies prepared a fake message for
Midway to send to Pearl Harbor in the clear: that its fresh-water
distiller was down. They did this, the Japanese intercepted the message,
and sent the information home that AF was short of water. The Navy
sent three carriers (very scarce after Pearl Harbor) and won the battle.
On the mundane side, if you want to break a bank transaction system,
you put in your own fake transaction with a fake name and amount that
you want to test a particular piece of the algorithm, intercept the
result, and you have your chosen plaintext.
--
Jim Gillogly
Trewesday, 27 Halimath S.R. 2000, 18:16
12.19.7.10.1, 10 Imix 4 Chen, Third Lord of Night
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Hamming weight
Date: Mon, 18 Sep 2000 20:46:13 +0200
kihdip wrote:
>
> Does anybody have an exact definition of 'Hamming weight' ??
> (and knowledge of what 'unit' to use - do you say 0,5 ; 50% or something
> else ??)
>
> Is a Hamming weight of 0,5 necessarily the goal for every cipher ??
There is a Hamming distance between two vectors which
is defined as the number of pairs of (corresponding)
elements that are not equal and Hamming weight of
a vector is the Hamming distance between the vector
and the 0-vector. With these definitions one always
have integer values never fractional ones.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: QUESTION ABOUT ALGORITHMS
Date: Mon, 18 Sep 2000 21:01:44 +0200
Terry Ritter wrote:
>
> As far as I am aware the European patents for the IDEA cipher do in
> fact cover software implementations.
As far as I know, one has in Europe to at least let
the patent offic have the illusion that the claims
of an algorithm are somehow associated with hardware.
An earliest patent of an 'algorithm', presumably
obtained through this way (I have never looked up the
document), in Germany was one concerning using a stack
for compiling programming languages. It was issued in
the sixties.
M. K. Shen
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: MIRACL
Date: Mon, 18 Sep 2000 19:42:42 +0100
You can get tasm from www.borland.com, but it will cost you.
Proceed as follows
1. Unzip MIRACL into a single directory - do not tick the Use Folder Names
box if using WinZip
2. Use this header for mirdef.h
#define MIRACL 32
#define MR_LITTLE_ENDIAN
#define mr_utype int
#define MR_IBITS 32
#define MR_LBITS 32
#define mr_unsign32 unsigned int
#define mr_dltype __int64
#define MR_NOASM
#define MR_FLASH 52
#define MR_IOBSIZ 1024
3. Copy all the miracl header files into the directory where Borland C puts
its standard headers. This may be c:\borland\bcc55\include
4. Edit bc32doit.bat. Remove all -B compiler flags (these invoke TASM, and
you haven't got TASM). Delete all references to mrmuldv.c
5. Run the batch file.
That should work
--
Mike Scott
Fastest is best.
MIRACL multiprecision C/C++ library for big number cryptography
Free implementations of Schoof's Algotithm for Elliptic Curves
http://indigo.ie/~mscott
"Soeren Gammelmark" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I do not have tasm32.exe, and I don't know where to get it so i tried to
> compile after defining MR_NOASM in mirdef.h, but this didn't help a bit.
> Now I seem to get the samme error messages as before plus additional
> warnings in several different source files.
>
> SG
>
> John Myre wrote:
>
> > Soeren Gammelmark wrote:
> > <snip>
> > >
> > > Error: Unable to execute command 'tasm32.exe'
> > <snip>
> >
> > Do you have tasm32.exe? That's the assembler; it doesn't come
> > with every version of the compiler. Presumably certain of the
> > source files have embedded assembly statements. Therefore
> > either you have to get the assembler, or perhaps there is a
> > configuration value somewhere to compile without it. Check
> > the sources that cause the error and find the assembly code;
> > see if there is a conditional compilation (probably using
> > #ifdef) to avoid it. Etc.
> >
> > JM
>
------------------------------
From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: A conjecture - thoughts?
Date: 18 Sep 2000 11:27:24 -0700
I have the following conjecture:
If f() and g() commute, that is f(g(x)) = g(f(x)) for all x, then
f() and g() are both powers of some base function, b^y(x_0, x),
where x_0 and x are the same the first time through, x_0 stays the
same on every itteration, and the output is fed back into x.
I have been able to find base functions for every pair f() and g() I
can think of, even arbitrary sboxes which I have designed that
commute.
Is anyone aware of this conjecture being found and/or proven or
disproven before? Can anyone offer any insights or references?
Thanks,
Andru
--
Andru Luvisi, Programmer/Analyst
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: QUESTION ABOUT ALGORITHMS
Date: Mon, 18 Sep 2000 18:58:44 GMT
On Sat, 16 Sep 2000 13:29:49 GMT, in
<hBKw5.30993$[EMAIL PROTECTED]>, in
sci.crypt "Melinda Harris" <[EMAIL PROTECTED]> wrote:
>Ladies and Gentlemen
>Can anyone tell me how to patent an algorithm.
First of all, none of this can be advice -- each situation is
different and I am not a lawyer anyway. You need advice from a patent
professional who knows your situation.
But you may have some things to learn before you even get to that
point. Certainly there are many web pages on the patent process that
can get you started. I can describe my personal experience based on
going through the patent process several times. I currently hold
three patents on fundamental cryptographic technology.
Unless things have changed recently, and as far as I know, even in the
US it is not possible to patent an algorithm per se. But it *is*
possible to patent the use of an algorithm. This seems to be a direct
analogy to patenting "processes" ("do this, do that") which has been
very common in chemistry, for example, for the last century at least.
As far as I know, it is possible to patent the use of what we call
"algorithms" anywhere. The IDEA cipher is in fact covered by both
European and US patents. As far as I know, there is little dispute
that the European patents do in fact address software implementations
of the IDEA cipher.
>Where to go.
You should shop around for a patent attorney you can trust.
The US has a "first to invent" system which seems to benefit small
inventors. If two inventors apply for a patent on the same invention,
the inventor with the earliest legal date of invention should get the
patent, as long as he has been "moving toward" patent.
I establish a legal date of invention before shopping for an attorney.
I do this by writing out a full description of my invention for each
of several witnesses who can understand it, and having them hand-write
"read and understood" with signature and date on each page. These
people can thus testify in court as to what I knew as of a particular
date. Reduction-to-practice can be documented similarly, or the
application itself will do that when submitted.
>What to sign and
>how much it costs???
Having a patent attorney construct and prosecute an application may
well cost beyond $5,000. In addition, one has an application fee and
issue fee, if that happens. It is possible to pay for the application
to be constructed only to find out a patent will not be granted, or
what is granted does not provide any real monopoly.
Before an application can be constructed, it is necessary to first
understand exactly what the invention is and in what way it
distinguishes from all previous work. This apparently simple process
can take months. And in cryptography, it is generally necessary to
educate the patent attorney.
>Any response would be greatly appreciated
>EIA
This is not advice; for that you need to establish a professional
relationship with a patent attorney, and I am no lawyer at all.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Dann Corbit" <[EMAIL PROTECTED]>
Subject: Software patents are evil.
Date: Mon, 18 Sep 2000 12:03:20 -0700
Software patents are evil, akin to claiming ownership of math. Hopefully,
at some point, everyone will discover that most of the money is made by the
lawyers and protection would be better served by a simple copyright. If the
idea is so trivial that anyone can generate it from first principles, that
is the sort of thing that would really *need* patent protection and yet it
is the very thing which deserves it the least.
I will (of course) obey any law (even if absurd). But I won't have to like
it. I see no problem with copyrights. Hard work should not simply be
stolen. On the other hand, claiming ownership of a mathematical concepts is
putrid. Apparently, the courts lack a basic understanding of mathematics or
such patents would never be granted, since patenting math is illegal.
IMO [Obviously]. YMMV. A very unpopular stance in this newsgroup, I should
think, since many of the principle posters manage their livelihoods based on
crypto patents.
--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
"The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. Newsgroup http://www.dejanews.com/~c_a_p
C.A.P. FAQ: ftp://38.168.214.175/pub/Chess%20Analysis%20Project%20FAQ.htm
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: Mon, 18 Sep 2000 19:03:47 GMT
In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] says...
>
> [ ... ]
>
> > What is the exact behaviour during this periodic wakeup?
> > Does it transmit or receive? Or does it just check a battery
> > level and then go back to sleep?
>
> IIRC, it receives, but does not normally transmit. If a law
> enforcement agency wanted to track your location using this, it would
> be quite difficult -- it only stays on for a short period of time,
> and they'd have only its RFI to track...
>
> > This has me rather curious. Is this function used to detect
> > missed calls? What exactly is it doing?
>
> It's mostly just keeping its list of "nearby" base stations up to
> date and ensuring that its clock stays in sync -- without trying to
> go into the details, CDMA phones can't work without keeping their
> clocks in sync with the base station. Doing this periodic update
> while the phone is turned off allows it to turn on almost immediately
> without having to search for nearby base stations and sync up its
> clock.
If you are concerned about your phone being
trackable when it is off, why not just put
it in an aluminum briefcase ?
--
"Sarcasm: the last refuge of modest and
chaste-souled people when the privacy of
their soul is coarsely and intrusively invaded."
--Dostoyevsky--
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tommy the Terrorist <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,uk.legal
Subject: Re: Disappearing Email redux
Date: 18 Sep 2000 18:21:00 GMT
In article <[EMAIL PROTECTED]> David Rush, [EMAIL PROTECTED]
writes:
>> In other words, when an NSA listening post or CIA tap on the Internet
>> (such as the one across the street from the AOL Reston facility that all
>> AOL traffic passes through)
>Do you have evidence of this, or are you just speaking from a healthy
>sense of paranoia about a 'media' provider which believes that
>centralized servers provide the best 'internet' service?
I don't have specific evidence that the cable which runs from the CIA
building just north of Dulles toll road is directly connected to the
cable which runs from the central AOL exchange through which ALL of AOL's
transmissions pass immediately south of the Dulles toll road. The only
way to settle the question one way or another would be to actually
inspect that particular 50 yards or so of real estate and see which way
the wires actually run.
"AOL Reston is IMMEDIATELY ACROSS THE HIGHWAY from the building that the
Federation of American Scientists www.fas.org identifies as the CIA TASC
building. This puts it directly in the district that FAS had identified
for other spy-related industries. This was rather predictable, as high
bandwidth fiber optics are expensive to lay...
For a satellite shot of AOL Reston, look to the map at
http://www.fas.org/irp/overhead/ciaode.htm
it should be about in the middle - probably #16 (listed on the legend as
COMSEARCH) Note that these buildings are aligned directly across the
Dulles expressway from the CIA building. (note that TASC is not the only
CIA building in Reston...)
Use mapquest.com to look up 12100 Sunset Hills Road... note that it is
immediately north of the expressway, while 12100 Sunrise Drive is
immediately south of it
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Software patents are evil.
Date: Mon, 18 Sep 2000 19:45:32 GMT
On Mon, 18 Sep 2000 12:03:20 -0700, in <0Gtx5.217$hu1.995@client>, in
sci.crypt "Dann Corbit" <[EMAIL PROTECTED]> wrote:
>Software patents are evil, akin to claiming ownership of math.
As far as I can understand the undefined term "software patents," that
is nonsense. Nobody owns math. The discovery of a new practical use
for math computations may be patentable, however. And it is illusion
to imagine that software is not essentially hardware computation.
Feel free to read my published article from almost a decade ago, "The
Politics of Software Patents":
http://www.io.com/~ritter/ARTS/POLIPAT4.HTM
I note that the intervening decade has not produced the software
disaster many predicted.
>Hopefully,
>at some point, everyone will discover that most of the money is made by the
>lawyers and protection would be better served by a simple copyright.
Copyright only protects "the form" of the expression, not the
expression itself. So copyright is fine for writers whose
contribution is just the form: the particular words and phrases they
use. But copyright does nothing for researchers whose contribution is
the content or meaning. In particular, copyright does nothing to
protect new ideas in software, which easily can be re-arranged to
achieve the same result in a different form.
>If the
>idea is so trivial that anyone can generate it from first principles, that
>is the sort of thing that would really *need* patent protection and yet it
>is the very thing which deserves it the least.
>
>I will (of course) obey any law (even if absurd). But I won't have to like
>it. I see no problem with copyrights. Hard work should not simply be
>stolen.
Copyrights only protect the actual words and phrases of a description,
not the content. So the only "hard work" you appear to protect is
that of writers, instead of scientists and engineers. That sounds a
little strange.
>On the other hand, claiming ownership of a mathematical concepts is
>putrid.
Patents grant ownership of the manufacture, sale or use, but mainly
sale for use. Society appears to believe this will encourage
invention and that such is a worthwhile goal. Patents also provide an
economic basis for new ideas to transition into the old society
structure. Note that all of this occurs at virtually no public cost
except to those who consider the expense of the new thing to be
reasonable, even in the context of an established market.
>Apparently, the courts lack a basic understanding of mathematics or
>such patents would never be granted, since patenting math is illegal.
So, basically, you imagine that you have a deeper understanding of
patent law than patent-law courts, patent offices, and various
patent-law attorneys? How odd.
Patents on "processes" ("do this, do that") have been common for at
least a century. Patents on a computational process which ends up
providing some benefit for use seems a very natural extension.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A conjecture - thoughts?
Date: Mon, 18 Sep 2000 22:08:24 +0200
Andru Luvisi wrote:
>
> I have the following conjecture:
>
> If f() and g() commute, that is f(g(x)) = g(f(x)) for all x, then
> f() and g() are both powers of some base function, b^y(x_0, x),
> where x_0 and x are the same the first time through, x_0 stays the
> same on every itteration, and the output is fed back into x.
The notation b^y(x_0, x) isn't quite clear for me.
Could you illustrate with an example?
M. K. Shen
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: non-linear decorrelation?
Date: Mon, 18 Sep 2000 14:59:21 -0500
Tom St Denis wrote:
> I was thinking about F(x) = a/(x+b) + c in GF(2)^n. with the
> convention that a != 0, and n/0 = 0.
>
> With the theories put out by Nyberg (I believe... not sure off hand)
> the function 1/x+b is non-linear and has a very low dp max. I think
> the dpmax of the entire construction will be higher (multiplication
> makes diffchars of prob 1) but the non-linearness would be a nice touch.
>
> The function would have log2((2^(n-1))(2^n)(2^n)) = 3n bits of entropy
> which is nice. One problem is that it's slow as the inversion can be
> done with either Euclids algorithm or using x^(p-2) mod p, but either
> case is too slow for high speed algorithms. For small fields (say
> under 12 bits) an inversion table could be precomputed, in fact if one
> used the above F(x) as a 8x8 sbox the entire step could be precomputed.
>
> Idea: Place those in Twofish with the fixed MDS matrix. The four 8x8
> sboxes would be nonlinear and resilient to differential attacks.
> Problem: Each sbox is limited to ~24 bits of entropy, unlike the
> construction in Twofish which has 32 bits max per sbox. Idea... try
> doing F(x) = a/(bx + c) + d in the same field where a, b != 0. Whoa
> that won't work... and here is wh
>
> F(x) = a/bx + a/c + d
I believe that this step is not correct.
a/(bx+c) != a/bx +a/c.
>
>
> a/c + d = g
>
> F(x) = a/bx + g
> F(x) = (a/b)(1/x) + g
>
> a/b = h
>
> F(x) = h/x + g
>
> And we are back where we started... In fact this means the original
> idea is bad too (a/(x+b) + c) or am I crazy?
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: More Bleh from a Blahish person. ;)
Date: Mon, 18 Sep 2000 15:09:39 -0500
Simon Johnson wrote:
> Okay, try again... its obvious u've missed the question i'm trying to
> ask (through my bad phrasing.)
>
> What i'm saying is this (not sure if this has been proven/disproven):
> Every mapping of n bits to n bits has a function that will describe it.
> Does this make any sense?
Yes. And it is in effect true.( all Sboxes maw be represented as a system
of binary operations)
>
>
> So like: Say we wanted a 8x8 s-box. Instead of using a fixed table, we
> could use an maths function. let F(X) = X + 1 mod 256. We take x and
> compute F(X), F(X) then substitues x. If this doesn't make sense, i
> give up ;)
>
> Okay, now what i was trying to ask was this:
>
> Does a function exist that can describe every s-box?
Every sbox can be described by a single function, and thus in a much larger
space every sbox of size s, may be represented as a F*(x) for a given x,
you have a given sbox.
> If so, then some
> of these functions must duplicate the *best* s-boxes one can produce.
Sounds good so far.
>
>
> Say i found such a function in GF(2^32). I could then use this one
> function as my entire f-function, in a Feistel based cipher.
Yep.
> Lets say i
> added the round key to the plain-text chunk being encrypted, mod
> (2^32). How many rounds would this require before the best linear and
> differential attack requires more known plain-text blocks than exist?
It would depend upon how well the sbox that F(X) is equivalent to resists
linear/ differential attacks.
Thw question you are asking is roughly equivalent to how large is a
"quantity" of water. If one is asking about a specific item or measure one
can answer, but if one is asking about a generic "quantity" it becomes
imposible to resolve an answer.
>
>
> I believe this is somewhat clearer. If my langauge is incorrect don't
> hesitate to point it out
>
> Thanxs,
> Simon Johnson.
>
> -------------------------
> 'Man is everywhere in chains'
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
