Cryptography-Digest Digest #838, Volume #12       Wed, 4 Oct 00 12:13:01 EDT

Contents:
  Re: Democrats, Republicans, AES... ("Frog2000")
  Re: My Theory... (SCOTT19U.ZIP_GUY)
  Re: It's Rijndael (SCOTT19U.ZIP_GUY)
  Re: Josh MacDonald's library for adaptive Huffman encoding 
([EMAIL PROTECTED])
  Re: PRNG improvment?? (John Myre)
  Re: hourra for europa :) (Arturo)
  Re: OpenSSL and Twofish (Runu Knips)
  Re: Looking Closely at Rijndael, the new AES (SCOTT19U.ZIP_GUY)
  Re: PRNG improvment?? (John Myre)
  Re: Any products using Rijndael? (SCOTT19U.ZIP_GUY)
  Re: Requirements of AES (Runu Knips)
  Re: OpenSSL and Twofish (Rémi Guyomarch)
  Re: It's Rijndael (Runu Knips)
  Serpent 256 and 512 (Runu Knips)
  Re: My Theory... (Runu Knips)
  Re: My Theory... (Thomas Pornin)

----------------------------------------------------------------------------

From: "Frog2000" <[EMAIL PROTECTED]>
Subject: Re: Democrats, Republicans, AES...
Date: Wed, 4 Oct 2000 10:56:46 -0400

Good points, Gov. Bush should go to school and learn how to add and
subtract, as he thinks everything is fuzzy, or fudgy...

"Dido Sevilla" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Albert Yang wrote:
> >
> > <snip>
> > > So it is likely for one of the candidates to increase the
> > > round number by a factor of 100, thus gains the 'highest
> > > level of security margin' and win. Does that correspond to
> > > what you mean?
> > >
> > > [snip]
> >
> > No, this is not what I mean.  I mean leaning on the side of
> > conservatism, that means no new math, concepts that are well understood,
> > SP network has been around for a LONG time, it's well understood, same
> > with Feistels.  Using primitives that we know a lot about, using sound
> > logic, nothing new and flashy, I mean if I wanted "new and improved",
> > wouldn't I have rooted for the Decorrelated one?  Nope.  I think Serpent
> > was way overly conservative, used things we know a lot about, had great
> > pedigree, and probably gave me the most confidence and the warmest
> > fuzzies..
> >
>
> I'm an engineer whose main task lies more in the implementation of
> ciphers rather than in their design, and I think that you're missing a
> very important consideration that went into the AES process, one that
> has people like me in mind.  Your metaphor about politics is very apt,
> except not in the way you have presented it.  The whole process was
> about *compromise*.  That's the key word.  There are other
> considerations that go into the choice of a cipher for any given task
> besides level of security.  Maybe you're one of those people who lives
> in a world where security is the holy grail and something you must
> strive for regardless of anything else, but in the real world, things
> don't work that way.  You always have to make compromises.  NIST wanted
> AES to run reasonably efficiently on a wide range of computing
> platforms, as well as providing a great deal of flexibility.  Serpent
> just doesn't provide that. I've had the experience of implementing it on
> an embedded processor significantly more powerful than the lowest
> smart-card processors that NIST was thinking about, and it was still
> incredibly slow.  Far more so on the bottom end!
>
> > The other one would be RC6, which had a lot of attacks against it
> > because it has a lot of cryptanalysis under its belt, via the RC5
> > inheritance.  It's elegant, simple, easy to remember, easy to program
> > from memory, easy to check for proper coding, and no S-boxes to
> > memorize.  While the "margin of security" was not as good as Serpent, I
> > have to say that something I can put on the back of a napkin has got to
> > be impressive regardless what people say...
> >
>
> You may be able to write the algorithm on the back of a napkin, and
> remember it easily, but that doesn't mean you can implement it so that
> it runs quickly.  On my embedded system, RC6 was so slow as to be
> completely unusable, mainly because the processor didn't support the
> required operations quickly enough.  Try implementing RC6 on any
> processor that doesn't directly support 32-bit rotates, and see how
> quickly it runs!  Most newer processors don't have such instructions
> either (e.g. DEC Alpha and IA-64/Itanium), and AES also has the future
> in mind as well as the present. You might be able to write a very fast
> implementation of RC6 on a Pentium-class or PowerPC, but when you get to
> the next generation of processors, it'll only run so-so.
>
> Good cryptography is not just about unbreakability.  It's also about
> ease of implementation and flexibility.  Any idiot with an exposure to
> the theory of SP-networks and Feistel structures can create a cipher
> nobody can break, only it will run much too slowly for it to be used
> anywhere.  Why do you suppose hardly anyone uses one-time pads?  If you
> wanted real warm fuzzies, you'd use that!  Of course, it's because a
> proper one-time pad implementation is far too expensive to use in the
> real world.  The real challenge in creating a good cipher is not to
> design one that just provides good security, but one that provides good
> security *and* runs well.  The real world is full of processors that
> don't have enough computing power, don't  have enough memory, or don't
> implement certain operations, IC fabrication plants that charge too much
> when you ask them for too many gates at a given feature size, impatient
> users who are more interested in getting their data at once than getting
> it securely, and so on.   We engineers are not mathematicians; we're
> willing to tolerate some error if it means we can get an answer that's
> close enough to the truth reasonably, rather than an absolutely correct
> answer that's obscenely difficult to obtain.  The same goes for
> cryptography.  We're willing to tolerate an algorithm that might be
> *broken* (using a stronger definition of "broken" than you crypto types
> are wont to use) at a certain time, if it can provide security for the
> present, and sufficient security in the foreseeable future.  What we
> won't tolerate is an algorithm that may provide absolute security but is
> also obscenely expensive to implement.
>
> Our project wound up settling on Rijndael long before it was announced
> as AES, probably because NIST had in mind our same considerations, which
> should be typical of any real-world project that incorporates
> cryptography.  Implementing all of the finalist algorithms on a real
> processor with real constraints, as part of a real project with
> deadlines and budget limitations was incredibly instructive.  As an
> engineer who has had late experience implementing nearly all of the AES
> second round finalists in assembly language for a mid-range embedded
> processor, I have to agree with NIST's choice.  Undoubtedly, many of
> your concerns will be addressed once Rijndael becomes a FIPS, and then
> people like me and people like you can reach a middle ground.  Let's
> just wait and see.
>
> --
> Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
> ICSM-F Development Team, UP Diliman +63 (917) 4458925
> OpenPGP Key ID: 0x0E8CE481



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: My Theory...
Date: 4 Oct 2000 14:53:31 GMT

[EMAIL PROTECTED] (Thomas Pornin) wrote in <8revmb$2n42$[EMAIL PROTECTED]>:

>According to Tom St Denis  <[EMAIL PROTECTED]>:
>> True, but remember that those subtle flaws in Rijndael parallel the
>> flaws in using a 56-bit DES key 30 years ago.
>
>The situation is different. 30 years ago, an exhaustive search on a
>56-bit DES key was already doable by mankind, with the technology
>known by that day. It was sure expensive, but yet within the reach
>of a wealthy agency, at least in the next five years. And this was
>well known.

  I agree except I think the NSA had hardware to do the break
the first day it was out.

>
>The NSA did bet, 25 years ago, on the fact that they could build a
>DES-cracker before anyone else. On the other hand, they strengthened
>DES with regards to other cryptanalysis, so that only brute-force would
>be practical. This allowed the long-awaited complete quantification of
>security: it could be expressed in dollars.
>
>Introducing a backdoor, or letting it go, is a dangerous game. A smart
>guy can discover it, and use it. The NSA would not do this: too risky.
>A good backdoor is a plain one, that everybody sees. The 56-bit key
>in DES is the DES backdoor.
>

  I agree for DES

>
>Nowadays, cryptography is no more a problem of CIA knights fighting
>against evil KGB terrorists. James Bond can retire. Modern spying is
>between corporations: Sony against Toshiba, Texaco against Shell, Boeing
>against Airbus. Those corporations are richer than the NSA. Therefore no
>evident backdoor could be added by the NSA: this would be a losing game.
>So they chose a rock solid algorithm. Something that would, at least,
>protect US companies against the rest of the world.
>

   However, many mathematical solutions, proofs and methods remain
hidden for centuries. For example, Fermat's last theorem was hidden for a
long time. It may be that the thousands of NSA PhD mathematicians
have a clever break of R.. that they are counting on the rest of the
world not discovering for a hundred years. If a year from now someone
publishes a break, who could accuse the NSA of putting in a backdoor?
They could even claim they were not aware of the break, letting people
falsely conclude they are behind the times. It's a win-win situation
for the NSA.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: It's Rijndael
Date: 4 Oct 2000 14:40:29 GMT

[EMAIL PROTECTED] (Fred Van Andel) wrote in 
<[EMAIL PROTECTED]>:

>[EMAIL PROTECTED] (John Savard) wrote:
>
>>It *helps* if the computers of the world all use the U.S. designed
>>Microsoft Windows operating system, which means that anyone making a
>>compiler that produces programs that run on it has to license
>>"windows.h" from Microsoft (if not the Microsoft Foundation Classes as
>>well, which nearly every compiler maker would also do) and therefore
>>is compelled - regardless of which country they are located in,
>>although I'm not aware of too many non-U.S. compilers for Windows - to
>>include in their license agreements a clause requiring foreign users
>>of the compiler not to do anything with it that might constitute a
>>violation of U.S. export laws.
>>
>>So if you write and compile an encryption program outside the U.S. and
>>Canada, you're committing software piracy!
>>
>
>But can you imagine Microsoft trying to sue a European company in a
>European court for breaking an American export law. Said court will
>take great pleasure in telling Microsoft where to stick it.
>
>FVA
>

  I suppose it depends on how well European politicians get kickbacks
or donations from MS. I think the NSA would only expose foreign
kickbacks but I'm not sure if they care if an American company was to
help grease the skids of justice any more than they would help
convict a crooked dishonest president if we should ever get one.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.compression,comp.theory
Subject: Re: Josh MacDonald's library for adaptive Huffman encoding
Date: Wed, 04 Oct 2000 14:52:05 GMT

In article <1sEC5.97$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Kent Paul Dolan) wrote:
>
> hubris, I have to say that the "prime" skill in being a "computer
> expert" is clear communication.  David is clearly no expert.
>
Exactly.
It's sad though that not only David but a LOT of others find it very easy
to rush into yet another heated, rude and unnecessary argument.
Those of you clearly don't understand the good in this and other public
newsgroups: to share knowledge and experiences. We can do so much more by
cooperation than by ourselves.
The free tip of the day:
Think before you write anything!
Please?

Mikael


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: PRNG improvment??
Date: Wed, 04 Oct 2000 09:00:02 -0600

Tim Tyler wrote:
> 
<snip>
> The original post may not have described
> the algorithm very precisely;

Granted -

> but I can see no way to interpret it
> that would result in the effect described.
<snip>

Try imagining what "shuffle" usually means.  I interpret
the OP to mean: start with a big array with exactly the
same number of each byte value, then reorder it in some
random way, and use the result as an XOR pad.  Thus his
concentration on "uniform".

JM

------------------------------

From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: hourra for europa :)
Date: Wed, 04 Oct 2000 16:21:32 +0200

On Wed, 04 Oct 2000 15:53:38 +0200, Runu Knips <[EMAIL PROTECTED]>
wrote:

>alex wrote:
>> [bla]
>
>Why do you praise all europeans for the work of some
>scientist, which could have been as well worked in
>america or asia or maybe the backside of the moon ?
>Does that matter ?

        It does.  A scientist doesn't just get up one day with his brain full
of information and well-tuned.  It takes a life of dedicated work, good
teachers, an adequate working environment and access to sources of information
from a library to the Internet.  Try to get it in, say, Mozambique.


------------------------------

Date: Wed, 04 Oct 2000 17:07:55 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: OpenSSL and Twofish

Freeler News wrote:
> Before I start adding TwoFish to OpenSSL myself I thought I would
> check to see whether there is an existing open source distribution of
> OpenSSL that includes Two Fish.

AFAIK: no. OpenSSL only includes older and "bulletproof" algorithms.
Twofish (not TwoFish and not at all Two Fish), Serpent and AES
(previously called Rijndael) were not of this class at that time.

It would be great if you could add one of these algorithms to
OpenSSL.

*************** SOMETHING ELSE:

Btw, it would be nice if someone could give me a pointer to good
documentation about OpenSSL, how to use it and what all these
functions actually mean.

A good link about that ? Or is there a good book about it ?

Thanks in advance !

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Looking Closely at Rijndael, the new AES
Date: 4 Oct 2000 15:03:15 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:

>Tom St Denis <[EMAIL PROTECTED]> wrote:
>:   [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>
>:> I don't think any small fast cipher can really be secure [...]
>
>: Why can't a fast cipher be secure?  [...]
>
>My 2p: Fast cyphers /can/ be secure - provided you measure speed in terms
>of throughput - and can exploit parallelism.
>
>If you measure speed in terms of time taken for an input to produce an
>output, then "fast cypher" necessarily translates to "small cypher" - or
>to "simple cypher".
>
>Scott said "small fast cypher" in the first place.  A small secure cypher
>would be a sort of cryptographic magic bullet.  I don't think it exists -
>you need a certain degree of complexity to poroduce enough confusion to
>properly resist analysis.
>

  Many times you seem to express my thoughts to others far better than
I could ever express such thoughts. However I think that either
"poroduce" is really "produce" or I lack more word ability than
I thought possible. I hope you're not catching some sort of
spelling virus from me.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: PRNG improvment??
Date: Wed, 04 Oct 2000 09:04:32 -0600

Tim Tyler wrote:
<snip>
> : Uniform distribution emphatically does *not* mean that all
> : values occur exactly the same number of times in any given
> : finite sample. [...]
> 
> Nor does this appear to be true of the output of ds908's generator.
<snip>

It does if you interpret his post the way most of us
are doing.  Try reading the OP again, trying out the
assumption that "shuffle" is the main operation; that
the point is to introduce a random permutation of a
very large array that is guaranteed to have the same
count of each value.

I wouldn't make too many claims about what ds908's
generator does without clarifying how you interpret
his post.  You pointed out elsewhere that the OP is
not really clear enough.

JM
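An added illustration of the "shuffle" reading that John Myre gives in both of his replies above (this is example code written for this digest, not anything the OP or JM posted): a pad built by taking every byte value exactly the same number of times and shuffling it is *exactly* uniform, and that is precisely what makes it weaker than a random pad. Because the multiset of values is fixed, the number of possible pads is a multinomial coefficient rather than 256^N, and every pad byte that becomes known (for instance through one known plaintext/ciphertext pair) shrinks the set of values the remaining bytes can take. The `random.Random` shuffle and the seed are stand-ins chosen only so the example is reproducible.

```python
import math
import random
from collections import Counter

ALPHABET = 256  # byte values 0..255


def make_pad(copies: int, seed: int = 1) -> bytes:
    """Build the 'exactly uniform' pad as JM reads the OP: each byte value
    appears exactly `copies` times, then the whole array is shuffled.
    Seeded random.Random is a constructed stand-in so the output is
    reproducible; it says nothing about how the OP's shuffle works."""
    pad = bytearray(v for v in range(ALPHABET) for _ in range(copies))
    random.Random(seed).shuffle(pad)
    return bytes(pad)


def counts_are_exact(pad: bytes, copies: int) -> bool:
    """True if every one of the 256 byte values occurs exactly `copies` times."""
    c = Counter(pad)
    return len(c) == ALPHABET and all(n == copies for n in c.values())


def log2_factorial(n: int) -> float:
    # lgamma avoids building huge integers; log2(n!) = ln(Gamma(n+1)) / ln 2
    return math.lgamma(n + 1) / math.log(2)


def pad_entropy_bits(copies: int) -> float:
    """log2 of the number of distinct pads with this exact value count:
    the multinomial coefficient (256*copies)! / (copies!)^256."""
    n = ALPHABET * copies
    return log2_factorial(n) - ALPHABET * log2_factorial(copies)


def entropy_deficit_bits(copies: int) -> float:
    """How many bits short of a truly random pad of the same length this is."""
    return 8 * ALPHABET * copies - pad_entropy_bits(copies)


def remaining_candidates(exposed_prefix: bytes, copies: int) -> set:
    """Byte values that can still appear after a prefix of the pad is known.
    For a genuinely random pad this would always be all 256 values; for the
    exact-count pad it shrinks as values are used up."""
    seen = Counter(exposed_prefix)
    return {v for v in range(ALPHABET) if seen[v] < copies}


def predict_last_byte(pad: bytes, copies: int) -> int:
    """Once all but the final byte are known, the final byte is forced."""
    cands = remaining_candidates(pad[:-1], copies)
    assert len(cands) == 1
    return cands.pop()


if __name__ == "__main__":
    copies = 1
    pad = make_pad(copies, seed=7)
    print("exact counts:", counts_are_exact(pad, copies))
    print("entropy of pad (bits):", round(pad_entropy_bits(copies), 1),
          "vs", 8 * len(pad), "for a random pad;",
          "deficit:", round(entropy_deficit_bits(copies), 1))
    print("candidates for byte 200 after seeing 200 bytes:",
          len(remaining_candidates(pad[:200], copies)))
    print("last byte predicted:", predict_last_byte(pad, copies),
          "actual:", pad[-1])
```

With one copy of each value (a 256-byte pad) the pad carries about 1684 bits instead of 2048, and after 200 known pad bytes only 56 values remain possible for the next one. Increasing `copies` narrows the relative deficit but never removes it, and the forced final byte remains: a sample that is uniform in the strict "same count of each value" sense is distinguishable from random output, which is the point Tim Tyler's quoted remark makes.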

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Any products using Rijndael?
Date: 4 Oct 2000 15:18:50 GMT

[EMAIL PROTECTED] (Thomas Pornin) wrote in <8rf0ej$2oc1$[EMAIL PROTECTED]>:

>According to Tom St Denis  <[EMAIL PROTECTED]>:
>> I heard that trimming the DES key from 112 bits to 56 was ok... cause
>> nobody can guess a 56 bit key in 10 quadrillion billion years.
>
>Whoever told that, even 25 years ago, was either drunk or incompetent.
>The cost of a 56-bit key search has been well estimated and anticipated
>since the early seventies.
>
>     --Thomas Pornin

   I will make a Rijndael program for anyone. I will first have to
get an accepted C version of the block cipher with test blocks in
byte order for a PC. I will then give it to someone in the US so they
can go through the BULLSHIT of placing it on the net. The chaining
however will be "Wrapped PCBC" so that the output will be a file
that is Rijndael encrypted with no length changes. The "wrapped PCBC"
will handle any byte length for a file longer than 3 block lengths.
I do this since Rijndael is the "AES" finalist and because people
may want to encrypt files with it in a way that hides plaintext ciphertext
pairs from exposure. And they may want a method so that if any single
bit changes in the input file the whole output file changes while the
input and output file length remains identical. This is not something you
will get from the NIST chaining in any mode. Since real security is
not of a concern to them.

 
David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

Date: Wed, 04 Oct 2000 17:30:51 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES

Tom St Denis wrote:
> I hope people just disregard AES and pick the ciphers they know are
> better.

No, the people who don't think about crypto every day will
use Rijndael now. Simply because they do not know better.

And this keeps our life exciting because Rijndael leaves
the possibility that it MIGHT be possible to break it, which
is very much more unlikely with Twofish and even more
unlikely with Serpent.

Rijndael was a pragmatic decision. Maybe I'll have to take
a closer look at it now. At least adding more rounds to it
seems to be not that problematic :-)

------------------------------

From: Rémi Guyomarch <[EMAIL PROTECTED]>
Subject: Re: OpenSSL and Twofish
Date: Wed, 04 Oct 2000 17:31:06 +0200



Runu Knips wrote:
> 
> Btw, it would be nice if someone could give me a pointer to good
> documentation about OpenSSL, how to use it and what all theses
> functions actually mean.

The best I found is the old SSleay documentation :
http://www.columbia.edu/~ariel/ssleay/

Documentation on openssl.org is either incomplete or inaccurate,
sometimes both :-(

-- 
Rémi Guyomarch - Network Admin
Inventaire Forestier National
French National Forest Inventory
http://www.ifn.fr/

------------------------------

Date: Wed, 04 Oct 2000 17:38:45 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael

Tim Tyler wrote:
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> : I conjecture that 3DES will continue to stay for a quite
> : long time. For analogy, see the programming language Cobol.
> 
> If 3DES <-> Cobol, who can help me with:

Hmm. Better write 3DES <-> FORTRAN ;-)

Cryptography is IMHO still a young field.

------------------------------

Date: Wed, 04 Oct 2000 17:45:05 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Serpent 256 and 512

Cornelius Sybrandy wrote:
> The only other cipher that allowed for redefining blocksize was RC6, a
> very elegant cipher, but it didn't scale as well.

Wrong. The Serpent designers stated there will also be 256 and 512
bit versions of Serpent (which I am really impatiently waiting for
!!!) which will scale very well on 64 and 128 bit processors. Of course
they don't have the 128 bit block size of AES anymore, but that is really
not a problem for me ;-)

------------------------------

Date: Wed, 04 Oct 2000 17:51:18 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: My Theory...

Tom St Denis wrote:
> In article <8rcu3k$i91$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (Thomas Pornin) wrote:
> > According to Tom St Denis  <[EMAIL PROTECTED]>:
> > > So what?  The primary concern is security, not speed.
> > The primary concern is getting the job done.
> > All you need is "adequate security". DES has long been adequate since
> > its only real weakness, the reduced key, was well-known and quantified
> > (you could estimate the cost of a real-life breaking). Same applies to
> > Rijndael: there is no foreseeable weakness worse than exhaustive
> > search, and a 128-bit keys should resist way beyond the point when
> > your secrets become irrelevant.

Why 128 bit ???

All AES candidates can be used with 256 bit keys, which, according
to our knowledge, can't be broken with the power of a supernova
(see Schneier's Applied Crypto).

> > Actually, for a 20+ years secret, the algorithm used is unlikely to be
> > the weak point, even if it is Magenta or Loki. Those failed in the AES
> > contest not because they could be broken (and they actually could not
> > be broken, the attacks being purely academic) but because people would
> > not trust them.
> 
> True, but remember that those subtle flaws in Rijndael parallel the
> flaws in using a 56-bit DES key 30 years ago.

Tom, which subtle flaws does Rijndael have ?

------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: My Theory...
Date: 4 Oct 2000 16:08:03 GMT

According to SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>:
> For example, Fermat's last theorem was hidden for a long time.

It is usually believed that Fermat had a wrong proof. There is some
sort of proof, which fails for n > 17.


> It may be that the thousands of NSA phd mathematicians

I never bought the rumors about the "thousands of experts" NSA
employed. Does anyone have real figures ?


> It's a win-win situation for the NSA.

The NSA is not winning this way. Many companies will use the AES. If it
is flaky, and the NSA knows it, someone else can learn it too... and
not say it. This other guy could plunder the US companies knowledge
and hinder further development of the US economy. This would imply a
lowering of the NSA budget.

It is in the NSA's interest that the US companies use a strong cipher. Or, at
least, a cipher that ONLY the NSA can break. Since the NSA is no longer
the richest organization in the world, they cannot play (anymore ?) the
backdoor game. They are doomed to propose really strong ciphers.


        --Thomas Pornin

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************