Cryptography-Digest Digest #839, Volume #12       Wed, 4 Oct 00 14:13:00 EDT

Contents:
  Check NIST test ("Cristiano")
  Re: Advanced Encryption Standard - winner is Rijndael (John Myre)
  Re: Looking Closely at Rijndael, the new AES (Thomas Pornin)
  Re: It's Rijndael ("Scott Fluhrer")
  Re: Rijndael cracked by Biham! (Mok-Kong Shen)
  Re: Advanced Encryption Standard - winner is Rijndael (John Myre)
  Re: Requirements of AES (John Myre)
  Re: Requirements of AES (John Myre)
  Re: Requirements of AES (John Myre)
  Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Rich Wales)
  the truth about rijndael cracked by biham ([EMAIL PROTECTED])
  Re: Need help: considerations for IV and Keysetup (John Myre)
  Re: It's Rijndael (Mok-Kong Shen)
  Re: My Theory... (Mok-Kong Shen)
  Re: It's Rijndael (Mok-Kong Shen)
  Re: My Theory... (Mok-Kong Shen)
  Re: It's Rijndael (Mok-Kong Shen)
  Re: Rijndael test vectors (John Myre)
  Re: Rijndael cracked by Biham! (Great Social Engineering!) (Albert Yang)
  Re: Counterpane Funny Stuff (Albert Yang)
  Re: Mathematical Problem (Mike Rosing)
  Re: Counterpane Funny Stuff (Mike Rosing)
  Re: Advanced Encryption Standard - winner is Rijndael (Mok-Kong Shen)
  Re: Counterpane Funny Stuff (John Myre)
  Re: Looking Closely at Rijndael, the new AES (Albert Yang)
  Re: Counterpane Funny Stuff ("David C. Barber")
  Re: Requirements of AES (Daniel)
  OPEN LETTER ABOUT Rijndael to sci.crypt (SCOTT19U.ZIP_GUY)
  No Comment from Bruce Schneier? (Albert Yang)

----------------------------------------------------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Check NIST test
Date: Wed, 4 Oct 2000 17:58:52 +0200

We have implemented the NIST test suite, but do our implementations work fine?
In the draft "rng.pdf" there are some errors in the results for the sample
sequence (e.g. in the DFT).
I think the best way is to compare the results of several implementations
using the same bit stream.

I have generated the stream by collecting the most significant bit of a
sequence of 1,000,000 32-bit numbers calculated in this way: x(i)=69069*x(i-1),
and the seed (x0) is 0x12345678; so epsilon[i].b=x>>31 and the sequence
starts with 1110000110001011...
m=10 unless otherwise stated; the error in the p-values is less than 1e-6.

These are my p-values:

Frequency                     0,234046364521335
Block Frequency               0,672532414273779
Runs                          0,584664057164664
Longest Run Of 1's            0,536676047502367
Rank                          0,000607048641442409
DFT                           0,00229023344371974
Non Ov. TM                    0,295971733531129
Ov. TM                        0,519165487785374
Universal                     0,296229920126166
LZ Compression                0,490588901657062
Linear Complexity (m=1000)    0,790656256977868
Serial (m=17)                 0,356984386847784 and 0,346361632586787
Approximate Entropy (m=14)    0,725940597565766
Cumulative Sums               0,257514803597646 and 0,182821797731254
Random Excursions             0,301770841481425
Random Excursions Variant     0,46216038216253

I hope to receive some reply.

Thanks
Cristiano
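The bit stream and two of the tests from the post, as an added example (Python, not the poster's code). It assumes the stream exactly as stated (x(i)=69069*x(i-1) mod 2^32, seed 0x12345678, MSB of each state after the seed) and implements the NIST SP 800-22 Frequency (monobit) and Runs tests, so a second implementation's p-values can be compared against the list above; the function names are mine.

```python
import math

# Stream parameters exactly as described in the post.
MULT = 69069
SEED = 0x12345678
N_BITS = 1_000_000
MASK32 = 0xFFFFFFFF


def lcg_msb_stream(n=N_BITS, seed=SEED):
    """Multiplicative LCG x(i) = 69069 * x(i-1) mod 2^32.

    Emits the most significant bit of each state *after* the seed,
    i.e. epsilon[i] = x(i) >> 31, as the post describes.
    """
    bits = []
    x = seed
    for _ in range(n):
        x = (MULT * x) & MASK32
        bits.append(x >> 31)
    return bits


def frequency_test(bits):
    """NIST SP 800-22 Frequency (monobit) test.

    S_n = sum of (2*b - 1); s_obs = |S_n| / sqrt(n);
    p-value = erfc(s_obs / sqrt(2)).
    """
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """NIST SP 800-22 Runs test.

    Returns None when the frequency precondition |pi - 1/2| >= 2/sqrt(n)
    fails (SP 800-22 then declares the test not applicable) or when the
    stream is constant, which would make the denominator zero.
    """
    n = len(bits)
    pi = sum(bits) / n
    if pi in (0.0, 1.0) or abs(pi - 0.5) >= 2 / math.sqrt(n):
        return None
    # V_n(obs): number of runs = 1 + number of adjacent bit changes.
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def bits_to_str(bits, count):
    """First `count` bits as a string, for comparing with the post's prefix."""
    return "".join(str(b) for b in bits[:count])


if __name__ == "__main__":
    stream = lcg_msb_stream()
    # The post says the stream starts with 1110000110001011...
    print("prefix     :", bits_to_str(stream, 16))
    print("Frequency p:", frequency_test(stream))
    print("Runs      p:", runs_test(stream))
```

The two tests are checked against the worked examples in SP 800-22 (1011010101 gives p=0.527089 for Frequency; 1001101011 gives p=0.147232 for Runs), which is a cheaper sanity check than the full 1,000,000-bit stream when validating a new implementation.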



------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Wed, 04 Oct 2000 10:19:48 -0600

John Savard wrote:
<snip>
> Also, if the specific construction
> material was not only specified to 0 degrees, but was obtained from
> the *lowest bidder* for supplying something to meet that spec, I would
> say the chances of it also working at -30 are ... diminished.
<snip>

Be careful.  The specific (OP) question related to the use of
AES for classified data.  However, the "spec" was not stated
in those terms, at all.  It is true that NIST always said that
the purpose of AES was to create an algorithm to protect
unclassified data.  This does not, however, translate to anything
meaningful in terms of a specification to a crypto designer
(who does not work for the NSA).

NIST itself decided what constituted an adequate algorithm when
it specified the key and block sizes.

If Rijndael isn't actually broken, so that exhaustive search is
truly the best method of attack, then of course it would be
perfectly adequate for protecting classified data, because of
its key size[*].  The "spec" is not the limiting factor.

Therefore, I agree with DS that there is simply *no information*
from NIST or NSA about whether Rijndael could be used for
classified data.  We can speculate, but our guesses are only
informed by our general view of the NSA.  I will refrain from
adding mine.

JM

[*] In my opinion.  I don't actually know the rules for what
constitutes adequate cryptographic protection for classified
data.  Government policies, as we all know, can be surprising.
Still, it should be obvious that a 128-bit algorithm that is
not broken is not anything like the weak point in protecting
any kind of data.

------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Looking Closely at Rijndael, the new AES
Date: 4 Oct 2000 16:23:36 GMT

According to Tim Tyler <[EMAIL PROTECTED]>:
> I don't think it exists - you need a certain degree of complexity to
> produce enough confusion to properly resist analysis.

That's unclear. If you think about A5/1, the GSM algorithm: it is
extremely small and fast in hardware, and yet it has a well-known
security. This security is about 2^42.7 (somehow equivalent to a
42.7-bit key block cipher)(expressed with some "adequate" units, one can
lower this value to somehow 40, but this is trickery and does not change
the real thing).

Of course, 42.7-bit is small, and this allows many fast attacks (for
instance, the Biryukov-Shamir-Wagner tradeoff, which attacks the system
within a few minutes, with 26000 bits of known plaintext, and a 2^48
precalculus step)(with 64 bits of known plaintext, you can attack the
system with an average time of 6 months on a unique Alpha station, or an
average of 5 days with a right combination of one Alpha station and two
FPGA-cards). But the same design, with a 192-bit internal state, would
have a 128-bit equivalent security, and would still be extremely small
and fast.

The main problem of stream ciphers is that they are stream ciphers. The
usual enciphering algorithm which uses a stream cipher is a plain xor,
so you need a good MAC to prevent tampering with data.


About block ciphers, we sure need something faster than Rijndael, if we
want to perform on-the-fly encryption of a hard disk, while spending only
a reasonable amount of CPU on this task (a good security tool should not
use more than 10% of the computer resources, since security is not the
point of computing, only a necessary evil).


        --Thomas Pornin

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 4 Oct 2000 09:06:06 -0700


Tim Tyler <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> : I conjecture that 3DES will continue to stay for a quite
> : long time. For analogy, see the programming language Cobol.
>
> I'm having a few problems getting the hang of this analogy...
>
> If 3DES <-> Cobol, who can help me with:
>
> BASIC  <-> ?
FEAL


:-)

--
poncho




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Rijndael cracked by Biham!
Date: Wed, 04 Oct 2000 18:56:18 +0200


[EMAIL PROTECTED] wrote:
> 
> The article on :
> 
> http://sectedesax.ctw.cc

Probably the guy who posted the above wanted to 'probe' 
how much is the 'trust' that people really have on the 
work of NIST and of all the gurus involved in analyzing 
the various AES candidates up to the present. If only
he could get the number of those who accessed this 
thread! But I don't believe that he could. (BTW, can 
anybody tell me how to figure out the number of people 
watching a given TV program? Is that possible at all?)

If he were a bit more intelligent, he could have taken
a real paper of Biham and 'edited' it in ways to suit
the topic of a successful crack of Rijndael, such that 
some people would have been tempted to start to study 
it earnestly, I suppose.

M. K. Shen

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Wed, 04 Oct 2000 10:43:27 -0600

Tim Tyler wrote:
> 
> David Schwartz <[EMAIL PROTECTED]> wrote:
> : jungle wrote:
> 
> :       I see no evidence that the U.S. government ever reached the conclusion
> : that Rijndael is not suitable for protecting classified information.
> 
> That's not what it's *for*, according to
>   http://csrc.nist.gov/encryption/aes/round2/r2report.pdf

As DS has stated elsewhere, that is pretty thin "evidence".

> 
> Classified information is likely to be protected by classified algorithms.
> Whether or not Rijndael is "suitable" it seems unlikely to get much use in
> that context.

Which is not apropos.  He did not predict whether it would
actually be used.  He did not guess whether it is suitable.
He remarks on the absence of "evidence" that the U.S.
government actually deems it unsuitable.

A relevant post:
==================================================
"SCOTT19U.ZIP_GUY" wrote:

> Also the US does not consider it secure enough
> for classed information.

        Do you have a reference for this claim?

        DS
===================================================

Your opinion that classified information is likely to be
protected by classified algorithms is reasonable. Believable
rationales for this position have been expressed here and
elsewhere.  I even agree with this position.  However, this
is still just opinion - not fact or evidence.  And even if
it were to be proven correct, it still does not address
DS's issue, as stated - except perhaps to show that the
evidence he is interested in seeing is likely never to exist.

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Date: Wed, 04 Oct 2000 10:50:55 -0600

Tom St Denis wrote:
> 
> In article <[EMAIL PROTECTED]>,
>   Jim Gillogly <[EMAIL PROTECTED]> wrote:
> > Tom St Denis wrote:
> > > Perhaps I should rewrite the question in a form you can understand.
> >
> > Your snide attitude isn't helping.  You really aren't all that
> > far ahead of the rest of us in the class.
> 
> Sorry but I had to say it that way.
<snip>

"Had to"?  You mean, you can't help yourself, even in
print?  Or do you mean that you had the explicit goal
of offending?

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Date: Wed, 04 Oct 2000 10:53:59 -0600

Tom St Denis wrote:
<snip>
> I read their papers.  They said why Rijndael was picked, not why
> Serpent or Twofish "were not" picked.
<snip>

Do you mean you disagree with having only one algorithm?
Or is it not clear, that if one algorithm is chosen, and
Rijndael is chosen, then the rest are not?

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Date: Wed, 04 Oct 2000 10:55:14 -0600

Tom St Denis wrote:
<snip>
> Hmm security = most important goal.
<snip>

So?  Security != security margin.

JM

------------------------------

From: [EMAIL PROTECTED] (Rich Wales)
Crossposted-To: alt.security.pgp,alt.security.scramdisk
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: 4 Oct 2000 17:27:18 -0000

"jungle" wrote:

    > get it from http://members.aol.com/EJNBell/pgp263ig.zip
    > it will handle 4k RSA ... 

This file appears to contain compiled DOS binaries and documentation
for Noel Bell's "International Guerilla" [sic] version of PGP 2.6.3i,
but no sources.

Do you know where the source code can be found?  Several reasons:

(1) so that non-DOS/Windows users (such as myself) can try it

(2) so people can compare the 2.6.3ig sources with "vanilla" 2.6.3i
    and see exactly what was changed

(3) just on principle, never trust "binary-only" crypto software;
    always insist on getting source code and compile it yourself

Rich Wales         [EMAIL PROTECTED]         http://www.webcom.com/richw/
PGP 2.6+ key generated 2000-08-26; all previous encryption keys REVOKED.
RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA

------------------------------

From: [EMAIL PROTECTED]
Subject: the truth about rijndael cracked by biham
Date: Wed, 04 Oct 2000 17:18:44 GMT

Hey boys,

Yes it was a joke and yes it was a random selected web site but which
offers stats.

The stats can be found at the bottom of the page or directly here :

http://usa3.viewstat.nedstatbasic.net/cgi-bin/viewstat?name=secteax

92 people clicked on the link

23 from france
16 from US
the rest ... the world

I thought there were more people reading sci.crypt,
but nope, only 100 people.

It's a little newsgroup here


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Need help: considerations for IV and Keysetup
Date: Wed, 04 Oct 2000 11:25:16 -0600

[EMAIL PROTECTED] wrote:
> 
> To generate CBC IV values, Scramdisk uses 1024 random bytes stored in
> the first 2 sectors of its volume. Hence, Scramdisk DOES require an
> extra storage. With these 2 sectors and the current sector number of
> the sector being encrypted, Scramdisk then produces a 128bit CBC IV
> value.

Hm, that's interesting.

> Scramdisk also uses those 2 sectors as whitening value for the actual
> encryption. John, is that what you mean by doing "extra work on the
> whole block?"

Yes, an example of it.  Actually I'm not an expert; I'm going
on my memory of various things I've seen.  Another poster
mentioned Mercy, which is essentially a block encryption
algorithm that encrypts the entire disk sector as one block.
I also recall "wrapped" encryption modes, where you go around
twice (or more).  Then there are the large-block constructions
like BEAR, LION, and BEAST, where you use other primitives
like hash functions and stream ciphers to encrypt a large
block (even much larger than disk sectors).

> Yes, I have the whole block at hand. Could you give me
> some hints in regard to this? Can I use the Scramdisk approach given my
> design restrictions?

See above.  The point was that if you encrypt the entire
block at once, you can mix up all of the bits, and can be
(potentially) secure even without an IV.

> To the question why I encrypt at all: The whole project is some kind of
> mental challenge for myself. It is not as much as who might be a
> potential enemy of my data, as to what am I theoretically, and
> moreover, practically able to do to secure data.

Well, the point about defining the enemy is that his capabilities
define what you have to do about it.  Sometimes we do the mental
exercise by defining your enemy to be very powerful (e.g., like
various governments or well-funded terrorist groups).  Then if
we can actually solve our problem, we know it is good enough for
anybody to use.

On the other hand, there is usually no adequate defense against
such powerful enemies without expensive non-cryptographic
parts - like working behind fences, with 24x7 guards, etc.

So if you actually want a practical solution, you must
define a practical problem.

> Btw, tape backup
> applications based on windows do not offer any adequate encryption
> features. Many backup programs use the QIC-113 standard to store data.
> Here you have the possibility to set a password - a password which is
> simply stored as PLAINTEXT in one of the beginning blocks of the tape!
> So much for security...

Eek!

> Ok, if necessary, I could lose my restriction that no extra space is
> available. Since the first block containing the header of the tape is
> of size 0x8000 bytes, and most of that space is according to the QIC-
> 113 standard unused, I might use that space to store additional
> information. Of course 100% compatibility to possible future revisions
> of the QIC-113 standard is not guaranteed anymore. Something I could
> live with if it is the only way to make sure that IV's are properly
> implemented.

Well, you don't have to do this, if these large-block tools
will work in your situation.  One requirement is the one I
mentioned at first: to have the entire block at once, so you
can process it as a block, and not as a stream of data.

Another requirement, of course, is that you have adequate
processing time.  It would depend on circumstances, but as
a mental exercise I guess you could simply say you do.

JM

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 19:50:59 +0200



Runu Knips wrote:
> 

> If there would be another such contest in future, I would
> vote for making the round count a parameter, so everybody
> can choose higher or lower security, as they wish. This
> way one could select a higher number of rounds if one
> wishes. I don't know how much such a concept would
> actually cost in hardware implementations.

I have expressed exactly the same wish several times. 
There seems to be no reason why it can't be very readily
put into the standard. People who can afford more costs
can then use more rounds.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Wed, 04 Oct 2000 19:50:48 +0200



Thomas Pornin wrote:
> 
> According to John Savard <[EMAIL PROTECTED]>:
> > One or two of the 15 initial applicants were less than secure, I had
> > thought.
> 
> They are still unbreakable. But they are not academically secure, and
> therefore fail to convince people that they are unbreakable. It is all a
> matter of trust.

Like in politics, one sees the important role played by
the psychology of the mass.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 19:51:13 +0200



Tim Tyler wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> 
> : I conjecture that 3DES will continue to stay for a quite
> : long time. For analogy, see the programming language Cobol.
> 
> I'm having a few problems getting the hang of this analogy...

My intended meaning probably didn't get through. Note 
that one factor of Cobol's longevity is that the
companies have already invested too much in connection
with it and there is simply too big an inertia against
any reforms/revolutions.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Wed, 04 Oct 2000 19:50:54 +0200



Thomas Pornin wrote:
> 
> It is the NSA interest that the US companies use a strong cipher. Or, at
> least, a cipher that ONLY the NSA can break. Since the NSA is no more
> the richest organization in the world, they cannot play (anymore ?) the
> backdoor game. They are doomed to propose really strong ciphers.

Is it quite sure that there are no organizations (public or
commercial) in the world that have more or less comparable 
resources?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 19:51:05 +0200



Runu Knips wrote:
> 

> Triple-Something is always very inefficient, and only
> an option if key size is too short, which isn't the
> case for Rijndael.

Dumb question: Would tripling with hardware also lead
to essential inefficiency? There could be a pipelining
effect, isn't it?

M. K. Shen

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Rijndael test vectors
Date: Wed, 04 Oct 2000 11:35:44 -0600

John Savard wrote:
<snip>
> I'm still miffed that the specification for Rijndael - even the
> current version - does not exhibit the S-box. That it happens to be
> the multiplicative inverse on GF(2^8) followed by a bitwise matrix
> multiply is very nice background material, but prospective
> implementers ought not to be expected to jump through hoops of
> advanced mathematics.
<snip>

Tell NIST - if not now, then early in the comment period
for the FIPS.  The FIPS itself is going to be the standard,
not the Rijndael paper(s).  Heck, send them a proposed
document; I bet they'd appreciate someone helping out!

JM

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Rijndael cracked by Biham! (Great Social Engineering!)
Date: Wed, 04 Oct 2000 17:48:07 GMT

I have to admit, this is great social engineering.

First, a hot topic:  Rijndael.

Second, make a crazy claim.  Rijndael cracked!

Third, put something that gives it credibility.  Cracked by Biham.

That's just great!  It shows that we are vulnerable not to slide attacks
or differential or linear attacks etc... but to social engineering, the
strongest of attacks.

Albert

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Counterpane Funny Stuff
Date: Wed, 04 Oct 2000 17:49:57 GMT

Hmmm,  I'm waiting for Scotty too Hotty to reply to this one, I love it
when he has a field day with Mr. BS as he refers to him.

Serpent should have won... 

Albert

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Mathematical Problem
Date: Wed, 04 Oct 2000 12:49:50 -0500

"Saurabh Tavildar (97007024)" wrote:
> I am a senior undergraduate student of the Indian Institute of Technology,
> Bombay and am presently working on my undergraduate thesis on "Error
> Control Codes applied to Public Key Cryptosystems". I am presently
> studying issues related to public key cryptosystems and am on the lookout
> for a moderately complex problem that can be solved in a period of around
> 8 months.
> 
> I'd prefer a theoretical problem as my interests lie in the same. I have a
> decent background in mathematics, information theory and
> communication (maths olympiad levels).

How about explaining how you use error correction for public key crypto?
Maybe we can ask enough dumb questions you'll find a hard problem :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Counterpane Funny Stuff
Date: Wed, 04 Oct 2000 12:53:27 -0500

Tom St Denis wrote:
> 
> at http://www.counterpane.com/pr-funding.html
> 
> They have the quote "Counterpane is the right company at the right
> time. They offer the first scalable security business model that
> broadly leverages unparalleled security expertise to all businesses. I
> can't think of a better team to solve the problem of securing e-
> business."
> 
> What the heck is a "scalable security business model that broadly
> leverages unparalleled security expertise...." sounds like the output
> of a buzzword generator...

It is the output of a buzzword generator.  That's how business works.
Technical details never matter, money changes hands based on belief,
and sales is all about creating belief.  
What are you doing wasting your time reading that crap for anyway?

:-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Wed, 04 Oct 2000 20:03:35 +0200



Tim Tyler wrote:
> 

> Classified information is likely to be protected by classified algorithms.
> Whether or not Rijndael is "suitable" it seems unlikely to get much use in
> that context.

There is a problem of some 'logical' nature. Since we by
definition have no knowledge of 'classified' algorithms,
we have no means to check the issue of Rijndael's being
used in that context. So the question is sort of ill-posed
in my view.

M. K. Shen

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Counterpane Funny Stuff
Date: Wed, 04 Oct 2000 11:44:09 -0600

Richard Heathfield wrote:
<snip>
> So, in summary,it's a neat little toy ladder, chained to your desk,
> which you damaged while using it to jemmy open your office stationery
> packaging.
<snip>

ROTFL.

Thank you.

JM

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Looking Closely at Rijndael, the new AES
Date: Wed, 04 Oct 2000 17:52:49 GMT

<snip>
> Scott said "small fast cypher" in the first place.  A small secure cypher
> would be a sort of cryptographic magic bullet.  I don't think it exists -
> you need a certain degree of complexity to produce enough confusion to
> properly resist analysis.
> 
> These terms are all relative.  If you think all the AES candidates are
> "small" and "fast", then different baselines for measurement are in use.
> --
> __________                  http://alife.co.uk/  http://mandala.co.uk/
>  |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

What do you call most of Ron's stuff?  RC4?  Small, fast, secure.  RC5? 
RC6?  I would trust my data to any of those.

TEA is not bad, although I don't have as much trust for it as I do Ron's
stuff...

Albert

------------------------------

From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Re: Counterpane Funny Stuff
Date: Wed, 4 Oct 2000 10:52:16 -0700

I like Counterpane as a company, but I have to admit that this sounds like
something I saw in Dilbert awhile back.  :^)

    *David Barber*

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:8re3u3$trn$[EMAIL PROTECTED]...
> at http://www.counterpane.com/pr-funding.html
>
> They have the quote "Counterpane is the right company at the right
> time. They offer the first scalable security business model that
> broadly leverages unparalleled security expertise to all businesses. I
> can't think of a better team to solve the problem of securing e-
> business."
>
> What the heck is a "scalable security business model that broadly
> leverages unparalleled security expertise...." sounds like the output
> of a buzzword generator...
>
> Hehhee
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------

From: [EMAIL PROTECTED] (Daniel)
Subject: Re: Requirements of AES
Date: Wed, 04 Oct 2000 17:56:01 GMT

On 03 Oct 2000 14:40:39 +0200, Mike Connell <[EMAIL PROTECTED]>
wrote:


>
>All in all, I'm a little disappointed. I am missing the "warm fuzzy
>feeling" that I was hoping for...
>
>best wishes,
>Mike.


Sorry to say folks, but being Belgian, I have experienced the "warm
fuzzy feeling".  It indeed was a very welcome feeling after Sydney :)

Daniel


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: OPEN LETTER ABOUT Rijndael to sci.crypt
Date: 4 Oct 2000 17:55:19 GMT

Rijndael is the chosen one for now, so let's live with it!

However, I would like to propose a chaining mode so people
who encrypt files can do a few things that the NIST chaining
methods will not allow them to do. The problem with any 
encryption chaining mode is that they do not hide the underlying
cipher from attack, so that it is easy for someone to gain a list
of ciphertext/plaintext block pairs. I have been corresponding with
NIST but I feel it is leading nowhere. Just like the false promises
of the guy who encouraged me to write a paper for ACM.  My proposal
is this.  We design chaining modes that hide the ciphertext/plaintext
pairs, along with test vectors to check the implementation.
 We design modes that do the following. A single bit change in the
input file changes the whole output file. The length of the output
file matches the length of the input file.

  I am not good at writing; the government, during my 26 years of
work, gave up on that. But I wrote and designed and tested lots of code.
I may not be able to explain "wrapped PCBC" in a way that Mok or 
David Wagner can follow. But I can write a short C program that
could use Rijndael and use it "wrapped PCBC" my style of it, not
someone's guess of what I mean. The code would be short since no
one seems to follow what I do. And with its shortness someone else
could explain it to them.

  I would write two major routines WPE( unsigned char * p1, long n)
and WPD( unsigned char * p1, long n); here the first one encrypts and the
second one decrypts. The p1's point to a virtual file that contains
the data to be worked on. The array has room for two leading blocks
in front of where it points and two trailing blocks past the last
byte used in the file. n is the number of bytes. The smallest file handled
would be 3 blocksizes + 1 byte.

  I would need to call Encrypt_Rijndael(unsigned char *Pin, unsigned char 
*Pout) and Decrypt_Rijndael( unsigned char *Pin, unsigned char *Pout) to do
the intermediate block. But those can be some other trusted person's code.
  Hell, even if you don't like my choice of chaining we should try to make
one of the type above so those of us that want more security can be happy.
I am sure we will never see a chaining mode like this from NIST.
  I am willing to help. Is anyone ELSE?
Of course it will run 5 times slower than a straight ECB mode of Rijndael.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: No Comment from Bruce Schneier?
Date: Wed, 04 Oct 2000 18:04:48 GMT

I expected to hear from a few people, Brian Gladman, the authors of
Rijndael themselves etc...  But most of all, I expected Bruce to say
something on sci.crypt.  Something sportsman-like, like, "Rijndael is a
good algorithm, designed by two people who know what they are doing.  I
want to congratulate them on being selected as the AES winner."

Comments?  From Bruce?
Albert

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
