Cryptography-Digest Digest #826, Volume #12       Tue, 3 Oct 00 13:13:01 EDT

Contents:
  Re: Choice of public exponent in RSA signatures (DJohn37050)
  ANNC: GnuPG Keysigning Party HOWTO ([EMAIL PROTECTED])
  Re: Choice of public exponent in RSA signatures (John Myre)
  Rijndael: making the "flaw" plainer
  Re: My Theory... (Thomas Pornin)
  Re: Any products using Rijndael? ("Jeff Moser")
  Re: Choice of public exponent in RSA signatures (Quisquater)
  Re: Comments on the AES winner (Anton Stiglic)
  Re: Choice of public exponent in RSA signatures (David Wagner)
  Re: It's Rijndael (Arturo)
  Re: Idea for Twofish and Serpent Teams (Arturo)
  Re: Advanced Encryption Standard - winner is Rijndael (SCOTT19U.ZIP_GUY)
  Re: Advanced Encryption Standard - winner is Rijndael (SCOTT19U.ZIP_GUY)
  Re: It's Rijndael (Roger Schlafly)
  Re: Comments on the AES winner (Helger Lipmaa)
  Re: is NIST just nuts? (Jonathan Thornburg)
  Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Rich Wales)
  Re: Advanced Encryption Standard - winner is Rijndael (nemo outis)
  Re: Choice of public exponent in RSA signatures (SCOTT19U.ZIP_GUY)
  Re: It's Rijndael (Jonathan Thornburg)
  Re: Idea for Twofish and Serpent Teams (Tom St Denis)
  Re: My Theory... (Tom St Denis)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Choice of public exponent in RSA signatures
Date: 03 Oct 2000 15:17:54 GMT

Using a larger exponent is simply being prudent.  The MOST info about an RSA
key is revealed when using 2 or 3 for the public exponent. For example, 1/2 the
high order bits of d, the private exponent, are revealed, and the fact that the
key space of all possible primes of the right size is reduced by the gcd req.
These do not in themselves lead to an attack, but might aid an adversary in a
way that other choices would not.  By the nature of RSA, it is conceivable that
low exponent RSA could be insecure but high exponent RSA be secure.  Dan Boneh
has a paper discussing this.
Don Johnson

------------------------------

From: [EMAIL PROTECTED]
Subject: ANNC: GnuPG Keysigning Party HOWTO
Date: Tue, 03 Oct 2000 15:07:42 GMT

I've written a small howto on holding a keysigning
party based on the use of GnuPG w/linux.

http://www.cryptnet.net/fdp/crypto/gpg-party.html

It's version 1.00, so feedback (comments,
suggestions, corrections) sent to me individually
would be appreciated.  The goal of the document
was to help linux users gain familiarity with
GnuPG, and encourage them to hold keysigning
parties. Some LUGs have started holding
keysigning parties at their meetings.  If you
are a linux user and in a LUG, I encourage you
to encourage your LUG to do the same.

        - VAB

---
V. Alex Brennen      [[EMAIL PROTECTED]]
[ http://www.metanet.org/people/vab/ ]

"We all call mama earth our home.
  Respect her, protect her.
   Don't bite the hand - hand that feeds.
    She bleeds by our greed.
     Yet still, she reseeds to meet our needs.
      Do you hear her voice as she pleads?"

  - Joules Graves, People of the Earth Tribe
            [ http://www.joulesgraves.com/ ]


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Tue, 03 Oct 2000 09:13:18 -0600

Thomas Pornin wrote:
<snip>
> When you look for a prime number in such a loop, all prime numbers
> are not chosen with equal probability; a prime preceded by a long
> range of non-primes is more likely to be chosen.
<snip>

Well, I didn't mean to say that my exact loop is the way
to do it.  Let's say it more generally:

        initialize
        loop
            generate a candidate p, somehow
            <test p-1 here>
            <test p now>
        while p is not (probably) prime

The point is just to test p-1 early, before doing a bunch of
work testing p for primality, because the p-1 test is fast
and the p test is slow.  The generation of candidates is
whatever it is: new random bits each time, or a PRNG output,
or some function of the prior candidate, or whatever.

JM

P.S.
I'm not aware, either, of any problem with a simple
linear search, starting at a random spot.  Anybody
have clues otherwise?

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Rijndael: making the "flaw" plainer
Date: 3 Oct 2000 09:20:56 -0700


Again, I reiterate: I do not have an actual attack on Rijndael. However,
someone examining my claim that it ought to have a number of rounds of the
form 4n+1 for 128-bit blocks (and 6n+1 for 192-bit blocks, and 8n+1 for
256-bit blocks) might, even if he agreed that DES with an odd number of
rounds is a bad idea (from the table in Schneier), ask why I'm leaving
out the last round.

Am I not proposing to _create_ the very flaw I'm trying to remove?

To answer this, I need to be even more explicit.

If one considers Rijndael by means of analogy to a classic Feistel cipher
like DES, then:

The Byte Sub step corresponds roughly to the f-function.

The Mix Column step corresponds roughly to the XOR of the f-function
output with the other half of the block.

The Shift Row step corresponds to swapping the halves of the block.

The Add Round Key step corresponds to the XOR of the subkey with the
f-function input.

Thus, the final round, without a Mix Column step, is not really a 'round'
at all; it is more like just swapping halves and whitening.

Just as I was surprised that a differential attack was found against
Blowfish with its key-dependent S-boxes (I would have thought duplicate
entries, although a weakness, would not be detectable), I am surprised that
Rijndael has been subjected to differential attacks at all, since having
the Byte Sub in line is a considerable source of strength compared to a
conventional Feistel cipher.

Perhaps there are other, more subtle characteristics of Rijndael that make
the issue of the residue class of the number of rounds less of a concern.

Incidentally, as 128/128 Rijndael uses 10 rounds, that is one round more
than a "good" number of rounds for a 128-bit block, 8+1. So the fact that
the attack on 9-round Rijndael is impractical may be deceptive.

John Savard
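As an added example (not part of Savard's post, and not the Rijndael submission code), here is a compact AES-128, i.e. Rijndael with a 128-bit block and key, written so that the round structure he is describing is visible: an initial key addition, nine full rounds of Byte Sub / Shift Row / Mix Column / Add Round Key, and a tenth round from which Mix Column is omitted. The S-box is computed from its definition rather than tabulated, and the output is checked against the FIPS-197 Appendix C.1 test vector. The function names and the flat column-major state layout are choices made for this illustration.

```python
"""AES-128 (Rijndael, 128-bit block and key) with the round structure exposed:
AddRoundKey, then nine rounds of SubBytes/ShiftRows/MixColumns/AddRoundKey,
then a final round with MixColumns left out.

Added illustration for the thread, not code from any poster.  The state is a
flat list of 16 bytes in FIPS-197 column-major order: byte r + 4*c is row r,
column c.  For anything real use a vetted library; this is for reading."""


def xtime(a):
    """Multiply by x in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gmul(a, b):
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _build_sbox():
    """S-box: multiplicative inverse followed by the affine map (FIPS-197 5.1.1)."""
    sbox = []
    for a in range(256):
        inv = next((x for x in range(1, 256) if gmul(a, x) == 1), 0)
        s = inv
        for i in range(1, 5):                       # inv ^ rotl(inv,1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]


def sub_bytes(state):
    return [SBOX[s] for s in state]


def shift_rows(state):
    """Row r (indices r, r+4, r+8, r+12) is rotated left by r positions."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state):
    """Each column multiplied by the fixed matrix [2 3 1 1; 1 2 3 1; ...]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def expand_key(key):
    """FIPS-197 key schedule for a 16-byte key: eleven 16-byte round keys."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:                              # SubWord(RotWord(t)) ^ Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        words.append([x ^ y for x, y in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def full_round(state, rk):
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk)


def final_round(state, rk):
    """Identical to full_round except that MixColumns is omitted."""
    return add_round_key(shift_rows(sub_bytes(state)), rk)


def aes128_encrypt_block(key, block):
    rks = expand_key(bytes(key))
    state = add_round_key(list(block), rks[0])
    for r in range(1, 10):
        state = full_round(state, rks[r])
    return bytes(final_round(state, rks[10]))


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 test vector.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Run directly, it prints the FIPS-197 ciphertext. The only difference between `final_round` and `full_round` is the missing `mix_columns` call, which is the step whose absence the post argues makes the last round "not really a round".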

------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: My Theory...
Date: 3 Oct 2000 15:31:00 GMT

According to Tom St Denis  <[EMAIL PROTECTED]>:
> So what?  The primary concern is security, not speed.

The primary concern is getting the job done. Mind you, the purpose
of using a cryptosystem lies not in the algorithm itself; cryptography
is added to a system to get some security under certain circumstances.
But the cipher should be transparent, and therefore fast.

All you need is "adequate security". DES has long been adequate since
its only real weakness, the reduced key, was well-known and quantified
(you could estimate the cost of a real-life breaking). Same applies to
Rijndael: there is no foreseeable weakness worse than exhaustive search,
and a 128-bit key should resist way beyond the point when your secrets
become irrelevant.

Actually, for a 20+ years secret, the algorithm used is unlikely to be
the weak point, even if it is Magenta or Loki. Those failed in the AES
contest not because they could be broken (and they actually could not be
broken, the attacks being purely academic) but because people would not
trust them.

The AES contest showed that the community knows how to design secure
ciphers, we had 15 of them; the choice is merely marketing: the point
of a standard is that people use it, so the winner had to be the most
popular. Hence Rijndael.


        --Thomas Pornin

------------------------------

From: "Jeff Moser" <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?
Date: Tue, 3 Oct 2000 10:22:46 -0500

> So because it uses AES it must be a good tool right?
>
> See:  It's starting already.  People are buzzing towards AES.

Ah, c'mon.. if it's "buzzword compliant", it must be secure :-)

Jeff



------------------------------

From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Tue, 03 Oct 2000 17:52:40 +0200

DJohn37050 wrote:
> 
> Using a larger exponent is simply being prudent.  The MOST info about an RSA
> key is revealed when using 2 or 3 for the public exponent. For example, 1/2 the
> high order bits of d, the private exponent, are revealed, and the fact that the
> key space of all possible primes of the right size is reduced by the gcd req.
> These do not in themselves lead to an attack, but might aid an adversary in a
> way that other choices would not.  By the nature of RSA, it is conceivable that
> low exponent RSA could be insecure but high exponent RSA be secure.  Dan Boneh
> has a paper discussing this.
> Don Johnson

The problem is the right trade-off between prudence and efficiency.

If the public exponent for verification of signature is small (2, 3, ...), then

- indeed a large part of the private exponent is revealed:
  - we can imagine that helping attacks in case of timing analysis or power
    analysis against smart cards (having a known secret pattern to begin the
    analysis);
  - another point is the hiding of a secret key in software: if no caution
    is used, the search becomes very easy;

- you need some caution for small messages (no problem if correct padding and
  redundancy are used); correct is not easy to define (arguments are mostly
  heuristics);

- from the whole discussion I didn't see more. OK ? 

In conclusion, exponent 3 is OK (at the moment), 2 be careful, more
if you are paranoid (the measure of the paranoia given by the length of
the public exponent - 2 :-).
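The three technical points raised so far in this thread, the exposure of the high half of d for a small e (Don Johnson), checking p-1 against e before the expensive primality test (John Myre), and the caution needed for small unpadded messages (Quisquater), can all be seen in a few dozen lines. The following is an added example, not code posted by anyone in the thread; the 512-bit modulus, the fixed RNG seeds and the sample message are choices made here so that it runs quickly and deterministically.

```python
"""Small public exponents in RSA: what e=3 exposes versus e=65537, why key
generation filters p-1 against e before the primality test, and why a small
unpadded message is recoverable.  Added illustration for the thread; the
512-bit modulus and fixed seeds are choices made here, not recommendations."""
import random
from math import gcd

_MR_RNG = random.Random(1234)   # fixed seed: Miller-Rabin witnesses


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then `rounds` Miller-Rabin witnesses."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, e, rng):
    """Random `bits`-bit prime p with gcd(p-1, e) == 1.

    As in John Myre's loop the cheap gcd test on p-1 runs first; only the
    survivors get the slow primality test.  Also returns how many candidates
    each test threw away.  For e=3 the gcd test rejects every p == 1 (mod 3),
    which is the reduction of the prime space Don Johnson mentions."""
    rejected_gcd = rejected_prime = 0
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1     # odd, full size
        if gcd(p - 1, e) != 1:
            rejected_gcd += 1
            continue
        if is_probable_prime(p):
            return p, rejected_gcd, rejected_prime
        rejected_prime += 1


def rsa_keygen(bits, e, seed=0):
    """Textbook RSA key (n, e, d, p, q) with n of about `bits` bits."""
    rng = random.Random(seed)
    p, *_ = gen_prime(bits // 2, e, rng)
    q, *_ = gen_prime(bits // 2, e, rng)
    while q == p:
        q, *_ = gen_prime(bits // 2, e, rng)
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi), p, q


def d_candidates(n, e):
    """What (n, e) alone says about d when e is small.

    e*d = 1 + k*phi(n) with 1 <= k < e, and phi(n) = n - (p + q - 1), so for
    the right k the value (1 + k*n)//e exceeds d by floor(k*(p+q-1)/e) < p+q:
    about the top half of the bits of d.  An attacker tries all e-1 values
    of k; for e=3 only k=2 is possible, so there is nothing to guess."""
    return [(1 + k * n) // e for k in range(1, e)]


def leading_bits_in_common(a, b, width):
    """Equal leading bits when a and b are written in `width` bits."""
    return width - (a ^ b).bit_length()


def iroot(x, e):
    """Floor of the integer e-th root of x, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_unpadded_small_message(c, n, e):
    """Quisquater's 'caution for small messages': if m**e < n there is no
    modular reduction, c == m**e over the integers and an e-th root gives m.
    Returns m, or None if c is not a perfect e-th power."""
    m = iroot(c, e)
    return m if m ** e == c else None


if __name__ == "__main__":
    for e in (3, 65537):
        n, _, d, p, q = rsa_keygen(512, e)
        width = n.bit_length()
        hits = [leading_bits_in_common(c, d, width) for c in d_candidates(n, e)]
        print(f"e={e}: {len(hits)} candidate(s) for d, best shares {max(hits)} "
              f"of {width} leading bits; p mod 3 = {p % 3}, q mod 3 = {q % 3}")
    n, e, d, p, q = rsa_keygen(512, 3)
    m = 0x2A2A2A2A2A2A2A2A2A2A2A2A          # constructed 96-bit message, no padding
    print("cube-root recovery:", recover_unpadded_small_message(pow(m, e, n), n, e) == m)
```

With e=3 the attacker gets a single candidate that exceeds d by less than p+q, so roughly the upper half of d's bits are read straight off the public key (a few fewer when a carry ripples across that boundary); with e=65537 the same relation holds for one of 65536 candidates. The primes come out with p, q == 2 (mod 3) when e=3, which is the gcd requirement in action. The cube-root recovery only works because m**3 < n; any padding that pushes the padded value above n**(1/3) defeats it, which is the point of the padding discussion that follows in the thread.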

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Comments on the AES winner
Date: Tue, 03 Oct 2000 11:40:44 -0400

"Douglas A. Gwyn" wrote:
> 
> Anton Stiglic wrote:
> > In a rump session talk at Crypto 2000, N. Ferguson
> > (I believe it was) came up with an equation, in GF(2^8)
> > I believe, stating that if one can solve this equation
> > one can break Rijndael encryption. ...
> > Someone knows what the equation was?
> 
> What's the point?  *Any* block cipher can be expressed in
> such an equation.  It doesn't imply practical solvability.

It was a *nice looking* equation, that nicely fitted in one
slide, and looked like something you would
normally be able to solve using Mathematica.
That's the point.

Anton.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Choice of public exponent in RSA signatures
Date: 3 Oct 2000 15:48:58 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

John A.Malley wrote:
>With e = 65537 the padding can be smaller than the padding required for
>e = 3  while maintaining resistance against Coppersmith's Short Pad
>Attack.  Since less bits in the string to encrypt must be random pad
>more bits in the string can be message bits - and thus there is more
>bandwidth for the message. Isn't this a point in favor of using e =
>65537?

No, I don't think so.  Usually public-key encryption is just used
to encrypt a symmetric session key anyway, so even if that session
key is 256 bits long, that still leaves room for a lot of padding
material.  There seems to be little point in optimizing the length
of the padding field.

------------------------------

From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: It's Rijndael
Date: Tue, 03 Oct 2000 17:02:21 +0200

On Tue, 03 Oct 2000 12:32:54 GMT, [EMAIL PROTECTED] (John
Savard) wrote:

>On Tue, 3 Oct 2000 12:43:26 +0200, Serge Paccalin
><[EMAIL PROTECTED]> wrote, in part:
>
>>So, the US authorities still think that people that can design a 
>>fairly good encryption algorithm cannot implement it in a working 
>>product? :-)
>
>It *helps* if the computers of the world all use the U.S. designed
>Microsoft Windows operating system, which means 

... that it really doesn't matter what AES algorithm is chosen.  Just take
advantage of Windows' many, many bugs (that is, if the MIB didn't manage to
backdoor it already).

------------------------------

From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: Idea for Twofish and Serpent Teams
Date: Tue, 03 Oct 2000 17:00:09 +0200

On Tue, 03 Oct 2000 11:09:16 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:

>In article <[EMAIL PROTECTED]>,
>  Arturo <[EMAIL PROTECTED]=NOSPAM> wrote:
>> On Mon, 02 Oct 2000 18:15:57 GMT, Tom St Denis <[EMAIL PROTECTED]>
>wrote:
>>
>> >Do what RSA did and make your own "Symmetric Cipher Standards" and
>> >ignore the govt.
>> >
>>      That's exactly what the GSM gang did, and see the results: an
>> easy-to-break cipher.
>
>See now you're being a complete idiot.  Twofish and Serpent are not
>home-brew ciphers designed by Business majors.  They are two very good
>ciphers designed by the best of the best.
>
         I guess I didn't read well.  I pretended to read ..." and ignore
everybody else".  Certainly, Twofish, Serpent or any other are no less secure
just because the gov. didn't make it.  It was a private enterprise, but a
transparent one: you had access to all info, the entire algorithm, source code
and the like.  OTOH, the GSM algorithms were developed in secrecy and not given
peer review.

        I didn't mean to say "gov-made=good, privately-made=bad".  The complete
idiot apologizes.

  


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: 3 Oct 2000 15:56:30 GMT

[EMAIL PROTECTED] (Jeff Moser) wrote in
<8rcrtl$90p$[EMAIL PROTECTED]>: 

>>    Not really. If they want a real contest, make a 10k document
>> encrypted with a secret key. And offer someone 10 million dollars,
>> state and federal government tax free, if they can decrypt it
>> in a year's time. Will they do that? Hell no, someone might
>> break it. And they don't want anyone to break it.
>
>If you're smart enough to break the cipher, you sure as hell wouldn't
>take the 10 million. That is peanuts compared to what you could make if
>you knew that you could break all "secure" documents of the future for
>~20 years. 
>
>Jeff
>
>
>

  That is your guess. I think someone smart enough to break the cipher
would take the 10 million. Because once it gets out how it was done
you may not make a dime. There is also the chance you could be terminated
by some accident arranged by a 3 letter agency. So taking the money
with everyone aware may be the safest option.

 

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: 3 Oct 2000 16:00:46 GMT

[EMAIL PROTECTED] (nemo outis) wrote in
<wUlC5.24308$[EMAIL PROTECTED]>: 

>I'd like to briefly interrupt this quarrel to ask if there are any
>decent sources of info in the public domain that discuss "endorsed
>algorithms" for use at secrecy levels of confidential and up.
>
>Regards,
>
>

  I would assume that information is not available to the public.
What is available is some old hardware from the WWII days. Maybe
the KGB archives or the Chinese could make some of the methods available.
But even if the US made it available one would need it to be authenticated
using some old telegrams the Russians may have intercepted, since you
could not trust the government to be honest about its release.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Tue, 03 Oct 2000 09:23:47 -0700

Joseph Ashwood wrote:
> plainly that the ok of RU-486 was "wrong", while Gore praised it (Source:San
> Jose Mercury News),

Big deal. Clinton also held up RU-486 for 8 years, so I can't see
the pro-abortion folks getting excited about this issue.

There is a whole assortment of pluses and minuses for Gore and
Bush. But on the subject of crypto and privacy, Clinton/Gore/Reno/Freeh
are the worst administration ever. Bush couldn't possibly be as bad.

------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Comments on the AES winner
Date: Tue, 03 Oct 2000 21:26:50 +0300

John Savard wrote:

> On Mon, 02 Oct 2000 19:05:47 -0400, "Douglas A. Gwyn"
> <[EMAIL PROTECTED]> wrote, in part:
> >Anton Stiglic wrote:
>
> >> In a rump session talk at Crypto 2000, N. Ferguson
> >> (I believe it was) came up with an equation, in GF(2^8)
> >> I believe, stating that if one can solve this equation
> >> one can break Rijndael encryption. ...
> >> Someone knows what the equation was?
>
> >What's the point?  *Any* block cipher can be expressed in
> >such an equation.  It doesn't imply practical solvability.
>
> True. However, if it was possible to actually write the equation on a
> blackboard (think of what the corresponding equation for DES would
> look like) I suppose that could be, however invalidly, _perceived_ as
> grounds for concern.

...I had an equation for RSA I could write on the corner of the page...



------------------------------

From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: is NIST just nuts?
Date: 3 Oct 2000 18:29:09 +0200

In article <[EMAIL PROTECTED]>, Jim Gillogly  <[EMAIL PROTECTED]> wrote:
>It was recognized immediately (but denied vigorously by the Gov't) that
>56 bits were too short to protect against key-search attacks.  If the
>NSA didn't have brute force machines for handling DES within a decade or
>so of the DES roll-out, they were shirking their responsibilities.

If they didn't have it _before_ the DES rollout they were shirking.

Diffie and Hellman (IEEE Computer, June 1977, p.74-84) describe an
exhaustive-search known-plaintext attack which breaks DES with 2^56
decryptions.  They describe a hardware design for a special-purpose
"DES-cracking engine" which could do this in ~ 1 day.  They estimate
that their design would cost ~ $20M (*) to build, using 1977 IC
technology.

(*) Diffie & Hellman estimated that the cost was good to within a factor
    of 3 or so, which is close enough for these purposes.

It's fairly clear that NSA had (a lot) more than US$20M to spend on
DES cracking at the time.

-- 
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   http://www.thp.univie.ac.at/~jthorn/home.html
   Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
   Q: Only 7 countries have the death penalty for children.  Which are they?
   A: Congo, Iran, Nigeria, Pakistan[*], Saudi Arabia, United States, Yemen
      [*] Pakistan moved to end this in July 2000. -- Amnesty International,
                    http://www.amnesty.org/ailib/aipub/2000/AMR/25113900.htm

------------------------------

From: [EMAIL PROTECTED] (Rich Wales)
Crossposted-To: alt.security.pgp,alt.security.scramdisk
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: 3 Oct 2000 16:34:13 -0000

"pgp651" wrote:

    > Mr. Zimmermann, Mr. Price when can we expect this feature?
    > After RSA patent hoopla is over, isn't now the time to
    > implement 4k RSA keys into PGP v262?

I don't work for NAI and can't speak for them, but I wouldn't hold my
breath waiting for NAI to release =any= updates to PGP 2.6.2.  This
version of PGP is over four years old, and (for better or worse) they
have gone on to newer versions.

If anyone is going to modify PGP 2.6.2 (or, more appropriately, the
bug-fixed international version, 2.6.3ia) to accommodate larger keys,
it will presumably be a third party not connected to NAI.  Actually,
I believe some groups have already done this.  Have you checked out
the CKT version, for example?

Rich Wales         [EMAIL PROTECTED]         http://www.webcom.com/richw/
PGP 2.6+ key generated 2000-08-26; all previous encryption keys REVOKED.
RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA

------------------------------

Crossposted-To: alt.security.scramdisk
From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Tue, 03 Oct 2000 16:40:54 GMT

Thanks for the feedback.

But let me then ask a related question.  Is there any good public domain info 
(speculative or otherwise) discussing what would make currently available 
algorithms (e.g., Rijndael, its AES rivals, Blowfish, and so forth) 
*unsuitable* for secrecy levels of confidential and up?

Regards,



In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
(SCOTT19U.ZIP_GUY) wrote:
>[EMAIL PROTECTED] (nemo outis) wrote in
><wUlC5.24308$[EMAIL PROTECTED]>: 
>
>>I'd like to briefly interrupt this quarrel to ask if there are any
>>decent sources of info in the public domain that discuss "endorsed
>>algorithms" for use at secrecy levels of confidential and up.
>>
>>Regards,
>>
>>
>
>  I would assume that information is not available to the public.
>What is available is some old hardware from the WWII days. Maybe
>the KGB archives or the Chinese could make some of the methods available.
>But even if the US made it available one would need it to be authenticated
>using some old telegrams the Russians may have intercepted, since you
>could not trust the government to be honest about its release.
>
>
>David A. Scott

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Choice of public exponent in RSA signatures
Date: 3 Oct 2000 16:25:26 GMT

[EMAIL PROTECTED] (John Myre) wrote in <[EMAIL PROTECTED]>:

>"John A.Malley" wrote:
>> 
>> David Wagner wrote:
><snip>
>> > And, in real life, everyone uses random padding, and the random
>> > padding is large enough to avoid Coppersmith's attack.
>> 
>> With e = 65537 the padding can be smaller than the padding required
>> for e = 3  while maintaining resistance against Coppersmith's Short
>> Pad Attack.  Since less bits in the string to encrypt must be random
>> pad more bits in the string can be message bits - and thus there is
>> more bandwidth for the message. Isn't this a point in favor of using e
>> = 65537?
><snip>
>
>Almost no one uses RSA to encrypt "messages" per se; instead they
>use the conventional scheme of encrypting the message with a
>symmetric cipher, then encrypt the symmetric key with RSA.  Note
>that the symmetric key is already much smaller than the RSA
>encryption size (for a single encryption).  Thus, there is in
>fact already a surplus of RSA bandwidth, and there is no virtue
>in attempting to squeeze more info in.  Indeed, the higher the
>security level, the more true this is (RSA size increases much
>faster than the symmetric key size).
>
>If you can think of a (real) situation in which the RSA bandwidth
>actually matters, that would be of interest.
>

  Since the symmetric key that is sent is padded and one can never
be sure about the padding, and since encrypted data should appear
random, it would make sense to pack the first part of the encrypted
message instead of the so-called random padding. This would help PGP
because of the weak chaining and the fact that it does some checks
to see if the user is using the correct key. It would offer a little more
security to put this in for the padding, so it is hidden in the RSA part
of the message. But since it is more secure, don't expect PGP to ever
do something this simple and obvious.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: It's Rijndael
Date: 3 Oct 2000 18:59:57 +0200

In article <[EMAIL PROTECTED]>, Jim Gillogly  <[EMAIL PROTECTED]> wrote:
[[many clear and cogent remarks with which I quite agree]]
>suppose Serpent
>had been chosen, with its perceived high security margin.  If the
>rounds were doubled, it would have an even higher security margin.
>If they were doubled again, it would be higher still.  Would this
>make you more comfortable with it?  After all, security is the
>most important criterion (I agree with this), and adding rounds
>makes it harder.  At some point you <have> to trade efficiency
>against your perceived security margin.  The only argument we
>can reasonably have is how high a security margin is enough.

Another interesting design point is 3AES = 3Rijndael, done just the
same way people do encrypt/decrypt/encrypt 3DES to get extra security
from DES.   Judging from the DES experience, if this is done carefully[*]
it gives a big boost in security, roughly squaring the work factor for
the best known breaks.  It has the advantage that it can exploit the
many ultra-optimized Rijndael implementations (tuned software, special
hardware complete with NSA backdoors^W^W^W^W, etc etc) which will no
doubt appear.


[*] 3DES seems pretty safe, but there are some interesting attacks
    worth keeping in mind before starting to implement it.  For example:

        Stefan Lucks,
        "Attacking Triple Encryption,"
        Fast Software Encryption '98, Volume 1372 of Lecture Notes in
        Computer Science (S. Vaudenay, ed.), Springer-Verlag, 1998.
        http://th.informatik.uni-mannheim.de/m/lucks/papers.html

     H. Handschuh, B. Preneel, On the security of double and 2-key
     triple modes of operation. L. Knudsen (Ed) 6th FSE, LNCS 1636.
     Springer-Verlag, 1999.

-- 
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   http://www.thp.univie.ac.at/~jthorn/home.html
   Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
   Q: Only 7 countries have the death penalty for children.  Which are they?
   A: Congo, Iran, Nigeria, Pakistan[*], Saudi Arabia, United States, Yemen
      [*] Pakistan moved to end this in July 2000. -- Amnesty International,
                    http://www.amnesty.org/ailib/aipub/2000/AMR/25113900.htm

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams
Date: Tue, 03 Oct 2000 16:52:42 GMT

In article <[EMAIL PROTECTED]>,
  Arturo <[EMAIL PROTECTED]=NOSPAM> wrote:
> On Tue, 03 Oct 2000 11:09:16 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> >In article <[EMAIL PROTECTED]>,
> >  Arturo <[EMAIL PROTECTED]=NOSPAM> wrote:
> >> On Mon, 02 Oct 2000 18:15:57 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:
> >>
> >> >Do what RSA did and make your own "Symmetric Cipher Standards" and
> >> >ignore the govt.
> >> >
> >>    That's exactly what the GSM gang did, and see the results: an
> >> easy-to-break cipher.
> >
> >See now you're being a complete idiot.  Twofish and Serpent are not
> >home-brew ciphers designed by Business majors.  They are two very good
> >ciphers designed by the best of the best.
> >
>        I guess I didn't read well.  I pretended to read ..." and ignore
> everybody else".  Certainly, Twofish, Serpent or any other are no less
> secure just because the gov. didn't make it.  It was a private enterprise,
> but a transparent one: you had access to all info, the entire algorithm,
> source code and the like.  OTOH, the GSM algorithms were developed in
> secrecy and not given peer review.
>
>       I didn't mean to say "gov-made=good, privately-made=bad".  The
> complete idiot apologizes.

Good, glad you cleared that up.

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Tue, 03 Oct 2000 16:54:51 GMT

In article <8rcu3k$i91$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Thomas Pornin) wrote:
> According to Tom St Denis  <[EMAIL PROTECTED]>:
> > So what?  The primary concern is security, not speed.
>
> The primary concern is getting the job done. Mind you, the purpose
> of using a cryptosystem lies not in the algorithm itself; cryptography
> is added to a system to get some security under certain circumstances.
> But the cipher should be transparent, and therefore fast.
>
> All you need is "adequate security". DES has long been adequate since
> its only real weakness, the reduced key, was well-known and quantified
> (you could estimate the cost of a real-life breaking). Same applies to
> Rijndael: there is no foreseeable weakness worse than exhaustive search,
> and a 128-bit key should resist way beyond the point when your secrets
> become irrelevant.
>
> Actually, for a 20+ years secret, the algorithm used is unlikely to be
> the weak point, even if it is Magenta or Loki. Those failed in the AES
> contest not because they could be broken (and they actually could not be
> broken, the attacks being purely academic) but because people would not
> trust them.
>
> The AES contest showed that the community knows how to design secure
> ciphers, we had 15 of them; the choice is merely marketing: the point
> of a standard is that people use it, so the winner had to be the most
> popular. Hence Rijndael.

True, but remember that those subtle flaws in Rijndael parallel the
flaws in using a 56-bit DES key 30 years ago.

Tom



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
