Cryptography-Digest Digest #824, Volume #12 Tue, 3 Oct 00 09:13:01 EDT
Contents:
(fwd) A secure encrypted IRC network. (ge)
Re: Idea for Twofish and Serpent Teams (Tom St Denis)
Re: is NIST just nuts? (Tom St Denis)
Re: is NIST just nuts? (Tim Tyler)
Re: is NIST just nuts? (Tom St Denis)
Requirements of AES (Tom St Denis)
OpenSSL and Twofish ("Freeler News")
Re: is NIST just nuts? (Tom St Denis)
Re: AES Rijndael 9 Round not secure ? (Tim Tyler)
Re: (fwd) A secure encrypted IRC network. (Tom St Denis)
Re: Choice of public exponent in RSA signatures (Thomas Pornin)
Re: is NIST just nuts? (Tom St Denis)
Re: It's Rijndael ("Martin Wolters")
Re: Requirements of AES (Mike Connell)
Re: is NIST just nuts? (Jim Gillogly)
Re: It's Rijndael (John Savard)
Re: Advanced Encryption Standard - winner is Rijndael (John Savard)
Re: Idea for Twofish and Serpent Teams (Zulfikar Ramzan)
Re: Encryption Project ("Robert Hulme")
Re: It's Rijndael (John Savard)
Re: Comments on the AES winner (John Savard)
Re: is NIST just nuts? (John Savard)
----------------------------------------------------------------------------
From: ge <[EMAIL PROTECTED]>
Subject: (fwd) A secure encrypted IRC network.
Date: Tue, 03 Oct 2000 13:11:42 +0200
Hello all.
This new IRC network is a 'secure' IRC net, that encrypts
the information sent between the servers, and between the
user and the server, using SSL tunneling.
The net currently has a few hundred users that use it daily,
and usually between 100 to 120 users that come online
24/7.
You can connect to it using an SSL patched client (or using
a tool named stunnel), or in a regular manner, however...
If you connect to it like to any other IRC server, a
'-insecure' tag will be added to the foot of your host.
Also, you will not be able to join 'secure' channels
which have insecure users banned.
For more information on that net please check
http://suidnet.org or irc.suidnet.org.
What do you think of the idea?
Personally, I like the idea, and I believe it is done right.
However, some believe for example that the secure/insecure tag
should be placed in the ident@ field, for example.
That would cancel ident@ however.
Also, I heard that some think it may have been better to use
IPsec.
Whatever the case, I would love to hear some comments on
this.
The network seems to work well, and a lot of users come to it,
but as far as I know - it is in development stages.
Gadi Evron.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams
Date: Tue, 03 Oct 2000 11:09:16 GMT
In article <[EMAIL PROTECTED]>,
Arturo <[EMAIL PROTECTED]=NOSPAM> wrote:
> On Mon, 02 Oct 2000 18:15:57 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> >Do what RSA did and make your own "Symmetric Cipher Standards" and
> >ignore the govt.
> >
> That's exactly what the GSM gang did, and see the results: an
> easy-to-break cipher.
See now you're being a complete idiot. Twofish and Serpent are not
home-brew ciphers designed by Business majors. They are two very good
ciphers designed by the best of the best.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 11:06:05 GMT
In article <[EMAIL PROTECTED]>,
"Sam Simpson" <[EMAIL PROTECTED]> wrote:
> Erm, I thought that Serpent was generally perceived to be the most
> secure candidate? And you want Twofish to win? Why? Don't you
> agree with the suggestion that Twofish was too hard to properly
> analyse in the timeframe?
>
> Seriously Tom, your favorite cipher may not have won, but get over
> it.
Are you mental? Or just plain ignorant? I have said many times that
if Serpent or Twofish won I would be happy. I consider both ciphers
secure (well at least more so than Rijndael). I would have liked
Twofish to win because of its versatility, but Serpent is also
acceptable in a myriad of places.
Tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 3 Oct 2000 10:57:47 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] wrote:
:> Albert Yang <[EMAIL PROTECTED]> wrote:
:> : [Twofish] wasn't the most secure or had the most security margin
:> : (Serpent wins that)
:>
:> I think this is true if you assume that additional rounds beyond the
:> best known attack result in more strength. More rounds certainly help
:> prevent some attacks - but can make little difference to other ones.
:>
:> We probably can't say with very much confidence which out of Serpent,
:> Twofish, Rijndael has the "most security margin" until there are
:> better attacks on two of them.
: Yeah but the idea is that known attacks are used as a metric in the
: absence of supreme enlightenment. Serpent and Twofish are secure
: against linear, differential, truncated differential, etc.. attacks
: whereas Rijndael is quasi-pseudo-weak to a known attack.
You're blinding me with science here. What "quasi-pseudo-weakness"
do you refer to?
: So I would disagree and say that 18 round Rijndael is stronger than 10
: rounds Rijndael regardless of the lack of knowledge.
That's very likely to be true - I wouldn't disagree with that.
You can't make quite the same sort of statement when comparing different
algorithms, though. For all anyone knows, the best attack on Serpent
may in twenty years time take less effort than the best attack on
Rijndael.
I do generally support the idea of adding twice as many rounds as seem
to be needed in a cypher that's supposed to last - but I don't think you
can say categorically that more rounds equates to a larger safety margin.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 11:17:02 GMT
In article <[EMAIL PROTECTED]>,
Jim Gillogly <[EMAIL PROTECTED]> wrote:
> "Herbie T. Mac" wrote:
> > As far as shortening the key length from 64 to 56 bits, that too
> > *strengthened* the algorithm with respect to DES' differential
> > vulnerability. 64-bit DES is equally as difficult to crack using
> > differential cryptanalysis as 56-bit. The change made DES faster
> > (encryption) while not compromising the intended security or reducing the
> > time it took the NSA to crack it (assuming they ever bothered).
> >
> > They did us a tremendous favor, given the absurd amount of time the DES
> > has been used.
>
> I disagree. The linear and differential attacks require a lot
> of information to execute: 2^43 or 2^47 chosen plaintexts. In
> practice this severely limits the applicability of the attack.
> While the differential attack is certainly of great theoretical
> interest, in practice it's far more difficult to execute than
> a 2^56 brute force key search. Note that differential analysis
> would not have broken the RSA challenges, for example -- only
> three blocks of known plaintext were available in each case,
> and no chosen plaintext. Similarly, Stage 9 of Simon Singh's
> challenge in "The Code Book" had no known plaintext, much less
> chosen plaintext. These are much closer to the situation
> pertaining in the real world.
>
> If the DES key had been left at 64 bits, the EFF machine Deep
> Crack would require over a year for a sure crack, rather than
> two days with the 56-bit DES key. A much more expensive machine
> would need to be constructed for 64 bits -- one that might be
> out of the range of a non-profit organization.
>
> I'd much rather have the protection of a 64-bit cipher with
> a DC attack of 2^47 chosen plaintexts than a 56-bit cipher
> with the same DC resistance.
>
> If this is a favor, I certainly hope they don't do us any more
> of them.
Ah but they did. They did pick Rijndael after all...
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Requirements of AES
Date: Tue, 03 Oct 2000 11:15:38 GMT
1, Security
2, Versatility
3, Security
I fail to see how Serpent or Twofish failed to beat Rijndael with those
restrictions. People mentioned that Rijndael (with its current 10
rounds) runs 60 cycles/block faster than Twofish on a PII. But stop
being dumb, if you add the eight rounds like Eli wanted Rijndael
becomes SLOWER than Twofish.
I think a lot of the arguments for Rijndael are not substantiated.
Serpent for example is plenty fast in software and blazing fast in
hardware. It's also the most secure of the bunch from an empirical
stand point because of its conservative and understood design.
Perhaps Twofish should not have won because of its complexity, but I
doubt that's a serious issue. Twofish with random sboxes in the round
function can provide some security against statistical attacks.
Personally I have never done my own implementation of Twofish, but I
understand the round structure enough to make my own variation (MyFish)
so it can't be that hard.
Given that security is the MOST IMPORTANT requirement and versatility
is the second most important criteria I think Twofish or Serpent should
have won over Rijndael.
Does it matter how fast the cipher is if it's not secure? Now right
now Rijndael is secure, but it has had the most number of rounds broken
compared to the other ciphers. While that's not a definite saying it
is an indication of the ability for people to attack it.
I hope people just disregard AES and pick the ciphers they know are
better.
Tom
------------------------------
From: "Freeler News" <[EMAIL PROTECTED]>
Subject: OpenSSL and Twofish
Date: Tue, 3 Oct 2000 13:33:50 +0200
Before I start adding Twofish to OpenSSL myself I thought I would
check to see whether there is an existing open source distribution of
OpenSSL that includes Twofish.
Jason
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 11:25:41 GMT
In article <[EMAIL PROTECTED]>,
Jim Gillogly <[EMAIL PROTECTED]> wrote:
> Oh, and another thing.
>
> "Herbie T. Mac" wrote:
> > As far as shortening the key length from 64 to 56 bits, that too
> > *strengthened* the algorithm with respect to DES' differential
> > vulnerability. 64-bit DES is equally as difficult to crack using
> > differential cryptanalysis as 56-bit. The change made DES faster
> > (encryption) while not compromising the intended security or ...
>
> How do you figure reducing the key from 64 to 56 bits made DES
> faster? It's just a matter of using all 64 supplied bits in the
> key schedule instead of ignoring or (worse) checking the "parity"
> bits, so even the key setup time needn't be any different.
If you ever watch "The Simpsons" (cartoon) this reminds me of
Homer's "speed holes" in his car. When he was buying a car someone was
shooting at him and put holes in the car. The dealer said they
were "speed holes" that made it faster.
Perhaps the OP thinks like the dealer?
Hehehehehe
tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES Rijndael 9 Round not secure ?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 3 Oct 2000 11:23:46 GMT
Jim Gillogly <[EMAIL PROTECTED]> wrote:
: Martin Miller wrote:
:> I'm really not an expert, but this paper describes a cryptanalysis of
:> Rijndael for 6,7,8 and a key attack that can break 9 round Rijndael...
: Is that the attack on 256-bit Rijndael, where the recommended number of
: rounds is 14?
Yes.
: If so, it's mentioned in the NIST report in Sec. 3.2.1.3.
``For 128-bit keys, 6 or 7 out of the 10 rounds of Rijndael have been
attacked, the attack on 7 rounds requiring nearly the entire codebook.''
``For 256-bit keys, 7, 8, or 9 out of the 14 rounds have been attacked.
The 8 round attack requires nearly the entire codebook, and the 9
round attack requires encryptions under related unknown keys.''
From http://csrc.nist.gov/encryption/aes/round2/r2report.pdf
It sounds like NIST knew all about this.
:> http://www.counterpane.com/rijndael.ps.zip
: For some reason Ghostscript fails for me on this (when unzipped)
: with /undefinedfilename. Does it work for everybody else?
FWIW, it works OK here.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: (fwd) A secure encrypted IRC network.
Date: Tue, 03 Oct 2000 11:41:56 GMT
In article <[EMAIL PROTECTED]>,
ge <[EMAIL PROTECTED]> wrote:
> Hello all.
>
> This new IRC network is a 'secure' IRC net, that encrypts
> the information sent between the servers, and between the
> user and the server, using SSL tunneling.
>
> The net currently has a few hundred users that use it daily,
> and usually between 100 to 120 users that come online
> 24/7.
>
> You can connect to it using an SSL patched client (or using
> a tool named stunnel), or in a regular manner, however..
>
> If you connect to it like to any other IRC server, a
> '-insecure' tag will be added to the foot of your host.
>
> Also, you will not be able to join 'secure' channels
> which have insecure users banned.
>
> For more information on that net please check
> http://suidnet.org or irc.suidnet.org.
>
> What do you think of the idea?
>
> Personally, I like the idea, and I believe it is done right.
>
> However, some believe for example that the secure/insecure tag
> should be placed in the ident@ field, for example.
>
> That would cancel ident@ however.
>
> Also, I heard that some think it may have been better to use
> IPsec.
>
> Whatever the case, I would love to hear some comments on
> this.
>
> The network seems to work well, and a lot of users come to it,
> but as far as I know - it is in development stages.
Check out www.filetopia.com
They have a major headstart on this "secure IRC"...
Tom
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Choice of public exponent in RSA signatures
Date: 3 Oct 2000 11:56:02 GMT
According to John Myre <[EMAIL PROTECTED]>:
> Actually, wouldn't that be 50%?
Hum... yes.
> In this case we have folded the requirement on p-1 into the
> loop, so no explicit test is required.
When you look for a prime number in such a loop, all prime numbers
are not chosen with equal probability; a prime preceded by a long
range of non-primes is more likely to be chosen.
I am not aware of any weakness implied by such a prime generation,
but one can hardly be too cautious in that matter.
--Thomas Pornin
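The bias Thomas Pornin describes, as an added example that is not from the thread: a generator loop that walks upward from a random start (with the gcd(p-1, e) requirement folded in, here with an assumed public exponent e = 3) lands on a prime with probability proportional to the run of rejected candidates before it, while drawing a fresh candidate each time does not. The small range [90, 110) is constructed for illustration.

```python
import math
import random
from collections import Counter

# Public exponent assumed for the demonstration (the thread does not fix one).
E = 3


def is_prime(n):
    """Trial division; adequate for the small toy ranges used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def acceptable(p, e=E):
    """The loop's combined test: p is prime and gcd(p - 1, e) == 1, so that
    e is invertible mod p - 1 (the 'requirement on p-1' folded into the loop)."""
    return is_prime(p) and math.gcd(p - 1, e) == 1


def incremental_search(start, e=E):
    """The common generator loop: start at a random candidate and step upward
    until one passes. Every start in a run of rejected candidates ends on the
    same prime, which is the source of the bias."""
    p = start
    while not acceptable(p, e):
        p += 1
    return p


def hit_probabilities(lo, hi, e=E):
    """Exact probability that incremental_search, started uniformly in
    [lo, hi), returns each acceptable prime in that range: the length of the
    run of rejections preceding the prime divided by the range size."""
    probs = {}
    run = 0
    for n in range(lo, hi):
        run += 1
        if acceptable(n, e):
            probs[n] = run / (hi - lo)
            run = 0
    return probs  # starts that overshoot hi land on a prime outside the range


def rejection_search(lo, hi, rng, e=E):
    """Unbiased alternative: draw a fresh uniform candidate on every attempt,
    so each acceptable prime in [lo, hi) is equally likely to be chosen."""
    while True:
        p = rng.randrange(lo, hi)
        if acceptable(p, e):
            return p


def simulate(lo, hi, trials, seed=1, e=E):
    """Run both strategies with starts drawn uniformly from [lo, hi) and count
    which prime each run produced."""
    rng = random.Random(seed)
    incremental = Counter(incremental_search(rng.randrange(lo, hi), e)
                          for _ in range(trials))
    rng = random.Random(seed)
    rejection = Counter(rejection_search(lo, hi, rng, e) for _ in range(trials))
    return incremental, rejection


if __name__ == "__main__":
    lo, hi = 90, 110  # constructed toy range: the acceptable primes are 101 and 107
    print("exact hit probabilities:", hit_probabilities(lo, hi))
    inc, rej = simulate(lo, hi, 2000)
    print("incremental search:", sorted(inc.items()))
    print("rejection sampling:", sorted(rej.items()))
```

With e = 3 the primes 97, 103 and 109 are rejected because 3 divides p - 1, so 101 inherits every start from 90 upward and is chosen twice as often as 107.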
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 11:45:10 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : [EMAIL PROTECTED] wrote:
> :> Albert Yang <[EMAIL PROTECTED]> wrote:
>
> :> : [Twofish] wasn't the most secure or had the most security margin
> :> : (Serpent wins that)
> :>
> :> I think this is true if you assume that additional rounds beyond the
> :> best known attack result in more strength. More rounds certainly help
> :> prevent some attacks - but can make little difference to other ones.
> :>
> :> We probably can't say with very much confidence which out of Serpent,
> :> Twofish, Rijndael has the "most security margin" until there are
> :> better attacks on two of them.
>
> : Yeah but the idea is that known attacks are used as a metric in the
> : absence of supreme enlightenment. Serpent and Twofish are secure
> : against linear, differential, truncated differential, etc.. attacks
> : whereas Rijndael is quasi-pseudo-weak to a known attack.
>
> You're blinding me with science here. What "quasi-pseudo-weakness"
> do you refer to?
Check out the "linear-sums" square attack by the Twofish team (on the
counterpane website).
> : So I would disagree and say that 18 round Rijndael is stronger than 10
> : rounds Rijndael regardless of the lack of knowledge.
>
> That's very likely to be true - I wouldn't disagree with that.
>
> You can't make quite the same sort of statement when comparing different
> algorithms, though. For all anyone knows, the best attack on Serpent
> may in twenty years time take less effort than the best attack on
> Rijndael.
>
> I do generally support the idea of adding twice as many rounds as seem
> to be needed in a cypher that's supposed to last - but I don't think you
> can say categorically that more rounds equates to a larger safety margin.
Yeah, but given all our advances in crypto we can barely break 9 rounds
of Serpent because it was designed to resist these attacks. Rijndael
suffers 8 of 10 rounds. I am not saying Serpent is more secure because
it has 32 rounds, I am saying it's more secure because we know how to
attack it, just that the attack won't work for more than 9 rounds. 16
round Serpent would be more secure than Rijndael. 32 rounds in
Serpent is a smart idea just to be conservative.
Let's be conservative and give Rijndael 32 rounds too. How fast would
that be?
Let's not forget that NIST sanctioned 3DES which is a 48-round DES
cipher...
Tom
------------------------------
From: "Martin Wolters" <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Tue, 3 Oct 2000 14:11:45 +0200
>Recently I attempted to look at MAGENTA but couldn't
>locate any more its documentation. Could you help?
Here it is:
http://www.gel.ulaval.ca/~klein/maitrise/aes/magenta.pdf
------------------------------
From: Mike Connell <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Date: 03 Oct 2000 14:40:39 +0200
Tom St Denis <[EMAIL PROTECTED]> writes:
my $0.02, IMHO, IANAL, etc. etc... ;)
With just a cursory look over a random selection of documents on the
AES pages, I feel compelled to share my nearly groundless opinion ;)...
> Given that security is the MOST IMPORTANT requirement and versatility
> is the second most important criteria I think Twofish or Serpent should
> have won over Rijndael.
>
FWIW, I was expecting Serpent to win - fast in hardware, not so fast
in software, but I assumed that wouldn't carry so much weight on the
assumption of Moore's law holding. Most important of all - Serpent
seemed really solid and secure. I could have had a nice warm fuzzy
feeling using it (albeit a little slowly ;), based upon the trust of
the security.
> Does it matter how fast the cipher is if it's not secure? Now right
> now Rijndael is secure, but it has had the most number of rounds broken
> compared to the other ciphers. While that's not a definate saying it
> is an indication of the ability for people to attack it.
>
> I hope people just disregard AES and pick the ciphers they know are
> better.
>
> Tom
It would seem to be a hard choice for the paranoid. On one hand,
Serpent (or maybe Twofish ;) seems more secure (albeit technically),
but OTOH, Rijndael is going to be getting most (if not all) of the
attention as the winner. Should I go with what seems to be more
secure, but has less analysis, or go with what may appear to be less
secure?
All in all, I'm a little disappointed. I am missing the "warm fuzzy
feeling" that I was hoping for...
best wishes,
Mike.
--
Mike Connell [EMAIL PROTECTED] +46 (0)31 772 8572
[EMAIL PROTECTED] http://www.flat222.org/mac/ icq: 61435756
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 12:26:20 +0000
Tom St Denis wrote:
> Yeah, but given all our advances in crypto we can barely break 9 rounds
> of Serpent because it was designed to resist these attacks. Rijndael
> suffers 8 of 10 rounds.
The Counterpane paper describes an attack on 7 rounds, which they seem
to indicate is not practical: it uses 2^128 known texts, i.e. the entire
codebook, 2^120 work and 2^64 bits of memory. This is an interesting
attack and result, but it's obviously completely academic, and I wouldn't
consider it a break of 7-round Rijndael. They do not (yet) extend the
7-round attack to an 8-round attack: at that point they move to the
longer key sizes.
--
Jim Gillogly
Hevensday, 12 Winterfilth S.R. 2000, 12:15
12.19.7.10.16, 12 Cib 19 Chen, Ninth Lord of Night
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: It's Rijndael
Date: Tue, 03 Oct 2000 12:27:44 GMT
On Tue, 03 Oct 2000 10:32:44 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>Recently I attempted to look at MAGENTA but couldn't
>locate any more its documentation. Could you help?
I had the same problem with CRYPTON, which I was going to add to my
web site. (I did find the mods to the key schedule that NIST
rejected.) But MAGENTA is described on my site, at:
http://home.ecn.ab.ca/~jsavard/crypto/co040811.htm
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Tue, 03 Oct 2000 12:24:29 GMT
On Tue, 03 Oct 2000 00:07:20 -0400, jungle <[EMAIL PROTECTED]>
wrote, in part:
>what cash contest you are running ?
He may not be running one now, but he did run one - with, I believe, a
$1000 prize - previously.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
Date: Tue, 03 Oct 2000 08:33:16 -0400
From: Zulfikar Ramzan <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams
> Try saying that to Mr Schneier or Dr. Biham....
>
Actually, during the last AES conference, there was a closing remarks session in
which one representative from each of the design teams participated. Someone
asked the panel if they had to choose an algorithm for the AES other than their
own, which would they choose.
All of them said Rijndael (except for the Rijndael team, who said RC6 because of
its simple yet elegant design philosophy). Though, I should mention that Ross
Anderson actually said "Rijndael with 32 rounds."
The point is that none of these folks were really against Rijndael. Although
there have been cryptanalytic attacks against it, those attacks are academic.
Moreover, the attacks that work against the largest number of rounds don't apply
for the 128-bit version. Even if some progress is made towards a cryptanalysis of
the full 10/12/14 rounds of Rijndael, it would be surprising if these attacks are
practical enough to cause alarm.
I think that the sentiment was that any of the finalist algorithms would make an
excellent encryption standard. And I agree for the most part.
Rijndael has a beautiful design, it appears to offer excellent security, it's very
versatile, and it was among the fastest algorithms on numerous platforms and
computing environments.
--Zully
=======
Zulfikar Ramzan (AKA Zully)
Laboratory for Computer Science, MIT
NE43-311, (617) 253-2345
http://theory.lcs.mit.edu/~zulfikar/homepage.html
------------------------------
From: "Robert Hulme" <[EMAIL PROTECTED]>
Subject: Re: Encryption Project
Date: Tue, 3 Oct 2000 13:34:07 +0100
The situation has changed a little...
What seems to be happening now (and correct me please if this is incredibly
stupid) is this:
The data in the database is going to be encrypted. So it'll go from being
like this:
ID Name Pay
1 Rob $10,000
to
ID EncryptedData
1 AASDFO"�$
the data will be encrypted by the application I'm writing that processes the
data from their payroll system - and encrypted with something like TripleDES
or something, with the user's password as the key. The password will be an 8
character random alphanumeric.
Then the encrypted database will be put on the database server - and even if
someone nicked it, each record is encrypted with a password / key that is unique
for each record. ASP (or PHP as we might get to use now) will decrypt and
decode (into the right variables) all the fields for a record that were
originally stored as separate fields. That way the passwords are only stored
on the computer that encrypts the database, and mailed to each person
individually (postal mail) - the passwords are not stored on the server.
So a check would be performed when people try to login to see if the
password/key they're trying for a particular record produces valid data or
not.
Is this glaringly wrong?
-Rob
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: It's Rijndael
Date: Tue, 03 Oct 2000 12:32:54 GMT
On Tue, 3 Oct 2000 12:43:26 +0200, Serge Paccalin
<[EMAIL PROTECTED]> wrote, in part:
>So, the US authorities still think that people that can design a
>fairly good encryption algorithm cannot implement it in a working
>product? :-)
It *helps* if the computers of the world all use the U.S. designed
Microsoft Windows operating system, which means that anyone making a
compiler that produces programs that run on it has to license
"windows.h" from Microsoft (if not the Microsoft Foundation Classes as
well, which nearly every compiler maker would also do) and therefore
is compelled - regardless of which country they are located in,
although I'm not aware of too many non-U.S. compilers for Windows - to
include in their license agreements a clause requiring foreign users
of the compiler not to do anything with it that might constitute a
violation of U.S. export laws.
So if you write and compile an encryption program outside the U.S. and
Canada, you're committing software piracy!
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Comments on the AES winner
Date: Tue, 03 Oct 2000 12:34:35 GMT
On Mon, 02 Oct 2000 19:05:47 -0400, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote, in part:
>Anton Stiglic wrote:
>> In a rump session talk at Crypto 2000, N. Ferguson
>> (I believe it was) came up with an equation, in GF(2^8)
>> I believe, stating that if one can solve this equation
>> one can break Rijndael encryption. ...
>> Someone knows what the equation was?
>What's the point? *Any* block cipher can be expressed in
>such an equation. It doesn't imply practical solvability.
True. However, if it was possible to actually write the equation on a
blackboard (think of what the corresponding equation for DES would
look like) I suppose that could be, however invalidly, _perceived_ as
grounds for concern.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: is NIST just nuts?
Date: Tue, 03 Oct 2000 12:46:57 GMT
On Tue, 03 Oct 2000 11:05:58 +0000, Jim Gillogly <[EMAIL PROTECTED]> wrote,
in part:
>How do you figure reducing the key from 64 to 56 bits made DES
>faster? It's just a matter of using all 64 supplied bits in the
>key schedule instead of ignoring or (worse) checking the "parity"
>bits, so even the key setup time needn't be any different.
Well, one would have had to make *slight* changes to Permuted Choice 1
and Permuted Choice 2, but you are absolutely correct.
To give DES a 128-bit key would have doubled the time for key setup:
but to make DES still work with a 128-bit key (given cryptanalytic
results that allow an attack in 2^65 time against DES with independent
subkeys reported in AC, so this is, of course, hindsight) I've
suggested one way of modifying DES that (and it also takes into
account David Wagner's boomerang attack, again hindsight) should allow
it:
Simply move the initial permutation and the inverse initial
permutation to where they can do some good: after rounds 4 and 12.
That is: four rounds, IP, eight rounds, IIP, four rounds.
A simple way of using a 128-bit key (although I've thought in terms of
a 112-bit key, to avoid having to create a new key schedule from
scratch) would be to produce two DES-like key schedules (but with
different sequences of shifts) from the two halves of the key, and
alternating between them like this: two rounds using keys from one
schedule followed by two rounds using keys from the other.
In fact, here is a concrete proposal for a 112-bit key variation:
the first 64 bits (including parity bits) of the key produce key
schedule 1 in the normal DES fashion; the second 64 bits of the key
produce key schedule 2 which is produced in the normal DES fashion,
but used in reverse order as for DES decipherment;
rounds 1 and 2 use keys from key schedule 1, and so on.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************