Cryptography-Digest Digest #847, Volume #12       Thu, 5 Oct 00 06:13:01 EDT

Contents:
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Re: is NIST just nuts? (Runu Knips)
  Re: is NIST just nuts? (Runu Knips)
  Microsoft CAPI's PRNG seeding mechanism (Pascal JUNOD)
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Re: Faraday Cage (Was CDMA tracking) (Guy Macon)
  Re: It's Rijndael (Thomas Pornin)
  Re: Idea for Twofish and Serpent Teams (Runu Knips)
  Re: Idea for Twofish and Serpent Teams (Runu Knips)
  Re: NSA quote on AES ("Brian Gladman")
  Re: My Theory... (Thomas Pornin)
  Re: It's Rijndael (Volker Hetzer)
  Re: Idea for Twofish and Serpent Teams (Runu Knips)
  Re: Any products using Rijndael? (Runu Knips)
  Re: No Comment from Bruce Schneier? ("Sam Simpson")
  Re: About implementing big numbers (David Rush)
  IDEA test vectors (Re: Rijndael test vectors) (Marc)
  Re: is NIST just nuts? (Marc)
  what is wrapped PCBC? (Marc)
  Re: Idea for Twofish and Serpent Teams (JPeschel)
  Re: Requirements of AES (Tim Tyler)

----------------------------------------------------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Thu, 05 Oct 2000 10:12:41 +0200

David Hopwood <[EMAIL PROTECTED]> wrote:
> PSS will be in IEEE P1363a, PKCS #1 v2.1, and a new version
> of ISO/IEC 9796-2.

Good news, despite the "will". I'll investigate this.


I was saying:
>> One problem with PSS is the need for a random number generator
>> in the signer, and room for a subliminal channel.

and objected:
> All practical communication systems have subliminal channels,
> whether or not the signature algorithm used does; I don't see
> that this is a significant concern.


Well, ISO 9796-2 includes a specific verification step to ensure
that there is only one signature acceptable per message.

I can imagine situations where a subliminal channel is a problem.
Imagine that payment using digital signature has come to replace
a man-drawn signature. Now, with a subliminal channel, a
high-isolation prisoner could conceivably leak information to
the outside while paying bills.

Also, a signer could conceivably choose a value of random, like
"I_was_forced_into_signing_this", to attempt repudiating the
signature later.

And it becomes even more difficult to certify a signing device,
such as a Smart Card, in a black box model. Maybe the PIN
(that activates the signing feature) leaks into the signature ?
Or is it some other sensitive info, like the secret key, or the
message the Smart Card previously signed ?

Finally, there is the social-acceptability issue. A lot of humans,
including those deciding and enforcing laws and procedures,
do not understand a thing about cryptography. The less complex
it is to grasp the concept of digital signature, the better.
With a traditional signature scheme, I tell a digital signature
is "a number computed from secret key and message", and the
verification process "checks the signature is the right number,
using only the message and public information". More people will
grasp this, and gain some insight on what digital signature can
do for them, than if I must introduce anything extra in the
picture, like "one of the right number".


My view is I'd rather use one or two extra hashes than need
an RNG and leave room for a subliminal channel, if it gets me the
same level of "provable" security. I know I am not any good at
formal proofs, but what about replacing the random by some hash
of the message ? Would not that even increase security, by leaking
provably less information to the adversary (in the random oracle
model), in the event of repeated signature of the same message ?


  Francois Grieu

------------------------------

Date: Thu, 05 Oct 2000 10:15:00 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?

Albert Yang wrote:
> I don't think Twofish should have won.  Twofish is WAY too complex, and
> complexity in crypto is like a cat in a rocking chair store..

I don't think Twofish was too complex. Its basic design
principles were IMHO very simple.

> It wasn't the most secure or had the most security margin (Serpent wins
> that)

But it was the second securest, and Serpent's safety factor
is simply extreme.

> It wasn't the most elegant (RC6, hands down)

Yes RC6 is elegant but it doesn't meet the requirements (key
agility). The only reason why they included Mars and RC6 in
the list of finalists was IMHO the names of IBM and RSADSI.

You can be elegant and you can be too elegant. RC6 was too
elegant. Btw, RC6 was just a modification of RC5, and a too
small one to yield a cipher which can meet the requirements
of the AES contest. Rivest should IMHO have known that from
the start.

I think RC6 would be a good cipher for high end PCs if it
were free and you used 16 rounds instead of 8. It would
not be the securest or fastest or something but it would be
a really short and compact piece of code, which doesn't
need much memory space.

> It wasn't the easiest to cryptanalyse (Serpent, RC6, and Rijndael)

Possible.

> It wasn't the fastest on software (Rijndael, RC6)

Where did you get that impression from ? Do you think we
will all use nothing but PPro and PII in future ? Twofish
is the fastest on some architectures, and RC6 is really
slower than the other two if you don't have a fast
multiplication and dynamic shift unit, like on the older
Pentium architectures.

> It wasn't the fastest on hardware (Serpent, Rijndael)

I don't know. Maybe the designers of the chips simply
didn't understand Twofish well enough to implement it
in a really fast/really compact way.

> It wasn't the best at anything...  So no Tom, twofish shouldn't have
> won.

It was the best in security per instruction in software.
It was designed with smartcards in mind.
It can be implemented in an extremely compact or an
extremely fast way.

> I thought Rijndael with 16 rounds for all key sizes would have
> been better, but oh well...

Well whatever.

I don't care much about RC6 and Mars, they simply didn't
meet the requirements.

To repeat myself: The ciphers of interest are Serpent,
Twofish, and Rijndael, and the latter is the best choice
in the sense that it keeps life exciting, because maybe
we'll find a break for it.

------------------------------

Date: Thu, 05 Oct 2000 10:18:50 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?

Tom St Denis wrote:
> As if that was picked... From what I understand it's not at all close
> to the securest block cipher.  Will aes specify that cipher with more
> rounds?  What a shame... I demand a recount!  Twofish should have won!

Okay, finally nobody forces me to use AES. And all software I use
offers me a couple of ciphers, so why not just pick the most loved
one ? My SSH always uses 256 Bit Blowfish, for example. It's the
only cipher of the OpenSSL ones which I fully trust ;-)

------------------------------

Date: Thu, 05 Oct 2000 10:19:50 +0200
From: Pascal JUNOD <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: sci.crypt.random-numbers
Subject: Microsoft CAPI's PRNG seeding mechanism

I'm looking for some documentation about the internal seeding mechanism
of the Microsoft CAPI's cryptographically secure PRNG.

Does someone have any information about it, or do I have to trust
Microsoft about their crypto capabilities ?

A+

Pascal

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Pascal Junod, [EMAIL PROTECTED]                                 *
* Laboratoire de Sécurité et de Cryptographie (LASEC)                *
* INR 313, EPFL, CH-1015 Lausanne, Switzerland  ++41 (0)21 693 76 17 *
* Place de la Gare 12, CH-1020 Renens           ++41 (0)79 617 28 57 *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Thu, 05 Oct 2000 10:20:53 +0200

David Hopwood <[EMAIL PROTECTED]> wrote:
> PSS will be in IEEE P1363a, PKCS #1 v2.1, and a new version
> of ISO/IEC 9796-2.

Good news, despite the "will". I'll investigate this.


I was saying:
>> One problem with PSS is the need for a random number generator
>> in the signer, and room for a subliminal channel.

and objected:
> All practical communication systems have subliminal channels,
> whether or not the signature algorithm used does; I don't see
> that this is a significant concern.


Well, ISO 9796-2 includes a specific verification step to ensure
that there is only one signature acceptable per message.

I can imagine situations where a subliminal channel is a problem.
Imagine that payment using digital signature has come to replace
a man-drawn signature. Now, with a subliminal channel, a
high-isolation prisoner could conceivably leak information to
the outside while paying bills.

Also, a signer could conceivably choose a value of random, like
"I_was_forced_into_signing_this", to attempt repudiating the
signature later.

And it becomes even more difficult to certify a signing device,
such as a Smart Card, in a black box model. Maybe the PIN
(that activates the signing feature) leaks into the signature ?
Or is it some other sensitive info, like the secret key, or the
message the Smart Card previously signed ?

Finally, there is the social-acceptability issue. A lot of humans,
including those deciding and enforcing laws and procedures,
do not understand a thing about cryptography. The less complex
it is to grasp the concept of digital signature, the better.
With a traditional signature scheme, I tell a digital signature
is "a number computed from secret key and message", and the
verification process "checks the signature is the right number,
using only the message and public information". More people will
grasp this, and gain some insight on what digital signature can
do for them, than if I must introduce anything extra in the
picture, like "one of the right number".


My view is I'd rather use one or two extra hashes than need
an RNG and leave room for a subliminal channel, if it gets me the
same level of "provable" security. I know I am not any good at
formal proofs, but what about replacing the random by some hash
of the message ? Would not that even increase security, by leaking
provably less information to the adversary (in the random oracle
model), in the event of repeated signature of the same message ?
[Ooops, I found the flaw in the above: it would allow an adversary
to predict what the input of the RSA/Rabin function would be,
without actually submitting the message for signing].


  Francois Grieu
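The trade-off Francois weighs above (and in his earlier copy of the same post) can be made concrete. The following Python is an added example, not code from this digest nor from ISO 9796-2, PSS or PKCS #1; it builds a toy 512-bit RSA key and uses two deliberately simplified message encodings, one deterministic (H(M)) and one salted (H(salt||M)||salt, PSS-like only in spirit), plus a variant whose salt is derived from the message, which is the idea Francois floats and then rejects. All function and constant names are the example's own.

```python
import hashlib
import secrets

SALT_LEN = 16          # bytes of salt in the salted encoding (constructed choice)
HASH_LEN = 32          # SHA-256 digest length


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for a toy key, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 512, e: int = 65537):
    """Toy RSA key; a 512-bit modulus keeps every 48-byte representative below n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:        # e is prime, so this gives gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, x: int) -> int:
    """With the private key this signs; with the public key it recovers the representative."""
    n, exp = key
    return pow(x, exp, n)


# Scheme A: deterministic representative H(M). Exactly one signature verifies per message.

def sign_deterministic(priv, msg: bytes) -> int:
    return rsa_apply(priv, int.from_bytes(sha256(msg), "big"))


def verify_deterministic(pub, msg: bytes, sig: int) -> bool:
    # The verifier recomputes the only representative it will accept and compares.
    return rsa_apply(pub, sig) == int.from_bytes(sha256(msg), "big")


# Scheme B: salted representative H(salt||M)||salt. Any of 2^128 salts verifies.

def sign_salted(priv, msg: bytes, salt: bytes = None) -> int:
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)   # the signer's RNG output ends up in the signature
    rep = sha256(salt + msg) + salt
    return rsa_apply(priv, int.from_bytes(rep, "big"))


def verify_salted(pub, msg: bytes, sig: int) -> bool:
    try:
        rep = rsa_apply(pub, sig).to_bytes(HASH_LEN + SALT_LEN, "big")
    except OverflowError:                      # representative too large: not a valid signature
        return False
    digest, salt = rep[:HASH_LEN], rep[HASH_LEN:]
    # The salt is read straight out of the signature; the verifier cannot constrain it.
    return digest == sha256(salt + msg)


# Variant: salt derived from the message. Deterministic again, but the exact RSA input
# for a message is now computable from public information alone.

def derived_salt(msg: bytes) -> bytes:
    return sha256(b"salt-derivation" + msg)[:SALT_LEN]   # constructed derivation rule


def predict_derived_salt_representative(msg: bytes) -> int:
    """Uses only M and the public derivation rule, never the signer."""
    salt = derived_salt(msg)
    return int.from_bytes(sha256(salt + msg) + salt, "big")


if __name__ == "__main__":
    pub, priv = keygen()
    m = b"pay 100 to Bob"                      # constructed sample message
    print("deterministic, same twice:", sign_deterministic(priv, m) == sign_deterministic(priv, m))
    print("salted, same twice:", sign_salted(priv, m) == sign_salted(priv, m))
    sd = sign_salted(priv, m, derived_salt(m))
    print("derived-salt input predictable:", rsa_apply(pub, sd) == predict_derived_salt_representative(m))
```

The deterministic verifier accepts one signature per message because it recomputes the representative itself, which is the property the ISO 9796-2 check in the post is about. The salted verifier only learns the salt from the signature and so accepts any of 2^128 signatures for the same message without being able to tell which one the signer chose; that is the room for a channel. The derived-salt variant removes the RNG, but `predict_derived_salt_representative` shows the consequence Francois notes: the RSA input for any message is computable without the signer.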

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Faraday Cage (Was CDMA tracking)
Date: 05 Oct 2000 08:23:23 GMT


Arturo wrote:
>
>>>Guy's comments:
>>>
>>>The idea of grounding a Faraday shield was Faraday's, and it is very
>>>important in Faraday's application, which was to protect humans from
>>>large electrostatic charges.  Without the ground, the cage can hold
>>>a charge and zap you as you step out of it.
>>>
>I don't follow it.  We want to ground a cellphone via a Faraday cage.
>But if you do it right, the FC will block all EM signals incoming and
>outgoing.
>In that case: how on Earth will you be able to talk through your phone, or
>receive incoming calls?  You might as well just plug the battery out.
>

It's for doing an experiment where you want to see what your cellphone
does when it cannot contact anything else by radio.


------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: It's Rijndael
Date: 5 Oct 2000 08:51:49 GMT

According to Mok-Kong Shen  <[EMAIL PROTECTED]>:
> Dumb question: Would tripling with hardware also lead
> to essential inefficiency? There could be a pipelining
> effect, isn't it?

Yes, but you triple hardware size, power consumption and latency.
Another option is to divide by three the bandwidth.

Either way, it is not an option on a gigabit ethernet.

        --Thomas Pornin

------------------------------

Date: Thu, 05 Oct 2000 10:57:23 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams

Helger Lipmaa wrote:
> Tom St Denis wrote:
> > Do what RSA did and make your own "Symmetric Cipher Standards" and
> > ignore the govt.
> 
> There was a thread recently in this newsgroup, about the general
> attitude that guys who understand nothing about security try to strut
> and to demand and to insult those who know better.

Tom might insult people unnecessarily in this NG, but
AFAIK he's far from being a 'guy who understand nothing
about security' !

> NIST didn't choose Rijndael due to some govt ignorance. Their choice was
> made very carefully, and reflects very closely the average opinion in
> the research community.

Hardly. Many people believed Serpent would succeed.
The choice has really surprised me.

------------------------------

Date: Thu, 05 Oct 2000 10:59:21 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams

David Blackman wrote:
> Andru Luvisi wrote:
> > Mr. Schneier said "It would be really cool to win, but mostly it's
> > just been a *lot* of FUN!"

It is possible that he already knew his chances were
not that brilliant.

> I think this result gives both Schneier and Biham even more fun than if
> they won themselves. Both these guys are among the best cryptanalysts
> who can publish. Now they have a single target that stands out above all
> others. And that target looks somewhat breakable ...

Yep this choice keeps life interesting :-)

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Thu, 5 Oct 2000 09:58:15 +0100

"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (David Crick) wrote in <[EMAIL PROTECTED]>:
>
> >"The National Security Agency (NSA) wishes to congratulate the National
> >Institute of Standards and Technology on the successful selection of an
> >Advanced Encryption Standard (AES). It should serve the nation well. In
> >particular, NSA intends to use the AES where appropriate in meeting the
> >national security information protection needs of the United States
> >government."
>
>    These are weasel words if nothing else. To say they will use it
> where it's appropriate does not mean anything at all. They may
> only use it in the sense of decoding messages. And they don't say
> where it's appropriate for them to use. But I guess it is too much
> to expect an honest answer from them.

Once again we can see that accuracy and objective analysis are not among
your stronger abilities.

You see 'where appropriate' as a 'let out' clause but you fail to notice
that the statement also says that NSA intends to "use the AES in meeting the
national security ***information protection*** needs of the United States
government".

There are none so blind as those who will not see.

    Brian Gladman




------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: My Theory...
Date: 5 Oct 2000 09:01:48 GMT

According to Mok-Kong Shen <[EMAIL PROTECTED]>:
> Is is quite sure that there are no organizations (public or
> commercial) in the world that have more or less comparable resources?

My point is just the opposite. There are many organizations which
have more resources than the NSA. Think about oil companies, for
instance. Therefore there is no such thing as a cipher that only the
NSA can break. Maybe, 30 years ago, the NSA was the only organization
in the world to have both enough money and sufficient knowledge; but
cryptographic knowledge is no more a military secret.

        --Thomas Pornin

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Thu, 05 Oct 2000 11:02:27 +0200

Mok-Kong Shen wrote:
> 
> Runu Knips wrote:
> >
> 
> > If there would be another such contest in future, I would
> > vote for making the round count a parameter, so everybody
> > can choose higher or lower security, as they wish. This
> > way one could select a higher number of rounds if one
> > wishes. I don't know how much such a concept would
> > actually cost in hardware implementations.
> 
> I have expressed exactly the same wish several times.
> There seems to be no reason why it can't be very readily
> put into the standard.

The AES guys' argument was that you can't simply attach or
trim rounds without affecting the key schedule and perhaps other
properties too. So, each proposed number of rounds has to
be analysed.
Unless round flexibility is *designed* into the algorithm
as proposed by Runu, modifying the round number makes
IMHO little sense.

Greetings!
Volker
--
The early bird gets the worm. If you want something else for       
breakfast, get up later.

------------------------------

Date: Thu, 05 Oct 2000 11:04:42 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams

Tom St Denis wrote:
> In article <[EMAIL PROTECTED]>,
>   Arturo <[EMAIL PROTECTED]=NOSPAM> wrote:
> > On Mon, 02 Oct 2000 18:15:57 GMT, Tom St Denis <[EMAIL PROTECTED]>
> wrote:
> >
> > >Do what RSA did and make your own "Symmetric Cipher Standards" and
> > >ignore the govt.
> > >
> >       That's exactly what the GSM gang did, and see the results: an
> > easy-to-break cipher.
> 
> See now you're being a complete idiot.

Tom, if you have the better arguments, there is no need to
insult your opponent. Just tell him your arguments !

>  Twofish and Serpent are not homebrew ciphers designed by
> Business majors.  They are two very good
> ciphers designed by the best of the best.

Yep.

I don't think those ciphers need any more advertisement, such
as assigning another special, useless name to them. Their
quality speaks for itself.

------------------------------

Date: Thu, 05 Oct 2000 11:12:03 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?

[EMAIL PROTECTED] wrote:
> I wonder if there is any product that actually use this new AES?

AFAIK nobody has used Rijndael yet because nobody thought it was
very secure.

> I'm looking for disk encryption.

Good ciphers I would trust under all conditions are:

Twofish
Blowfish
Serpent

AES/Rijndael and IDEA are also ciphers with not too low
security. SEAL is a very good stream cipher, and, like
IDEA, patented. GOST is a good Russian design, old but
AFAIK still very secure. CAST128, also called CAST5, is
another really good cipher.

------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: Thu, 5 Oct 2000 09:17:55 +0100

If it helps, the following message was posted by J.Kelsey (from
Counterpane) to the [EMAIL PROTECTED] mailing list 4/10/00:



--
Sam Simpson
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components.  PGP Keys available at the same site.


=====BEGIN PGP SIGNED MESSAGE=====

At 01:50 PM 10/3/00 -0700, Steve Reid wrote:
>On Mon, Oct 02, 2000 at 10:20:35PM -0000, lcs Mixmaster Remailer
>wrote:
>> Rijndael appears to be a compromise between security and
>> efficiency. This leaves us in an unhappy and uncomfortable
>> position.  It may well be that Twofish and perhaps Serpent
>> continue to be widely used alternatives to AES.

>I expect Rijndael, being the chosen AES, is likely to
>receive far more analysis over the next few years than any
>of the other candidates. Assuming there are no major
>weaknesses found, that analysis should greatly increase
>confidence in Rijndael as compared to other algorithms.

I agree.  Also, there's a *huge* difference between academic
attacks and production attacks.  An attack that breaks an
AES candidate with (say) 2^{120} work and 2^{120} adaptive
chosen plaintexts would be enough to destroy a candidate
cipher, but it will never matter in real life.  And at
present, nobody who's talking has the faintest clue how
you'd get even this kind of attack on Rijndael.

It's interesting to note the cryptanalytic results that
*haven't* affected real-world security of systems using DES:
differential attacks, linear attacks, and extended Davies'
attacks.  The best attack on DES is (from memory) a linear
attack that requires about 2^{43} known plaintexts.  I would
be totally shocked to find a single case of this attack
being carried out to defeat the security of a real-world
system.

It's also interesting to note the cryptanalytic properties
and attacks that *have* affected real-world security of
DES-based systems: short keyspace, time-memory tradeoffs,
weak and semi-weak keys, and complementation properties.
*Those* have all had an impact on the security of real-world
systems.

>My expectation is based on what has happened with DES. Even
>though there are other algorithms that are more efficient
>and probably more secure there is more confidence in 3DES
>because of the amount of analysis that has gone into it. No
>other symmetric algorithm is likely to see as much analysis
>as DES has- except Rijndael.

I agree.  Rijndael wasn't broken in two years of evaluation
by the public community, and was evaluated by the NSA as
well. (NSA more-or-less had a veto on any algorithm, as I
understand it.  They didn't use the veto for any of them,
according to what I've heard.)  After all that, it was just
about always one of the two fastest/cheapest algorithms on
every platform.  That's why (IMO) it got chosen.  I plan to
keep working on cryptanalyzing it, and I imagine everyone in
the block cipher cryptanalysis community does, too.  But I
don't think there's any reason to worry about a practical
attack on it, and I haven't got a clue how to even come up
with an academic break on it, and as far as I know, neither
does anyone else on Earth.

In five years, I suspect we'll know more about the security
of Rijndael than we've ever known about the security of any
cipher.  And I expect that we'll still be happily using it.

They won because their cipher is really, really good.

- --John Kelsey, [EMAIL PROTECTED]

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>
Comment: foo

iQCVAwUBOduNoyZv+/Ry/LrBAQGX5QP/e8+b6a+WewcIgct/8F1Pt8pH82EI1BhT
1vfokkTsAkrr9jDxpZhFo17inkSWuUgnYY82nB9atU4uLCu22Y+JEAtf7MKxHEbi
f1n0Q1CJmA0c7CIwaSUUslJ8+PxQbPlG9G2MrR9t1DjNfNGGRpabmYaRJKA19XkK
K3BSn1uI+/0=
=AqlZ
=====END PGP SIGNATURE=====





------------------------------

From: David Rush <[EMAIL PROTECTED]>
Subject: Re: About implementing big numbers
Date: 05 Oct 2000 10:20:05 +0100

"Joseph Ashwood" <[EMAIL PROTECTED]> writes:
> > I would like to know if there is information on the web on
> > implementing in C big numbers, such as the ones used in RSA. Is it
> > difficult ?
> Making it fast can be exceedingly difficult. I recommend you use
> Miracl, or if you want something free (but with various restrictions)
> the BIGNUM stuff from openssl. There's also a bignum package
> specifically under GPL.

That would be GMP, the GNU Multi-Precision library. Available from
your better FSF mirrors everywhere. It's pretty fast and
highly-portable (well, ported anyway). I don't know how the speed
compares with the other suggestions presented so far.

david rush
-- 
And Visual Basic programmers should be paid minimum wage :)
        -- Jeffrey Straszheim (on comp.lang.functional)

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: IDEA test vectors (Re: Rijndael test vectors)
Date: 5 Oct 2000 09:40:41 GMT


>No - the cipher blocks are passed through the algorithm 10000 times in
>each of these tests, not just once.

Passing it through 10000 times sounds like a good probe. Does anyone
have such a testvector for IDEA?

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: Re: is NIST just nuts?
Date: 5 Oct 2000 09:40:51 GMT

>: Hardware is *not* where we will see a lot of uses of it.
>
>I thought that was a pretty central design consideration.
>
>AES will be used in smart cards and the like.

This is software.  Although 8-bit software usually, and not
what most people have in mind when they talk about software.
In traditional SC applications only the RAM/ROM requirements
matter, the speed is secondary. It mostly is a response
latency problem, because the interface is too slow anyway
for transfer of huge data blocks.  Response time is a big
problem for example when you pass the road toll sensor
with 200 km/h and the card session is implemented
with secure-messaging.  It adds up.

(Though RAM/ROM are more important still)

------------------------------

From: [EMAIL PROTECTED] (Marc)
Subject: what is wrapped PCBC?
Date: 5 Oct 2000 09:41:01 GMT


No email supplied other than [EMAIL PROTECTED], sorry
for asking public.

> The "wrapped PCBC" will handle any byte length for a file longer than
> 3 block lengths.

How does "wrapped PCBC" work, and why do you prefer it over "ciphertext
stealing" which works with files >= 1 block length?
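Ciphertext stealing, the alternative Marc mentions, is easy to show in code. The block below is an added example, not code from this digest or from the poster Marc replies to; it implements CBC ciphertext stealing (the variant that swaps the last two ciphertext blocks) for any message of at least one block, on top of a constructed Feistel toy cipher that stands in for a real 128-bit block cipher and has no security of its own. Wrapped PCBC is not shown, because the digest does not define it. The names are the example's own.

```python
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed 8-round Feistel stand-in for a real block cipher (NOT secure)."""
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, xor(left, _round_fn(key, i, right))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for i in reversed(range(8)):
        left, right = xor(right, _round_fn(key, i, left)), left
    return left + right


def _block_layout(length: int):
    """Block count n and the length d (1..BLOCK) of the final, possibly partial, block."""
    if length < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    full, d = divmod(length, BLOCK)
    return (full, BLOCK) if d == 0 else (full + 1, d)


def cbc_cts_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n, d = _block_layout(len(plaintext))
    blocks = [plaintext[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    blocks[-1] = blocks[-1].ljust(BLOCK, b"\x00")      # zero-pad the final partial block
    prev, out = iv, []
    for b in blocks:                                    # ordinary CBC over all n blocks
        prev = toy_encrypt_block(key, xor(b, prev))
        out.append(prev)
    if n == 1:
        return out[0]
    # Swap the last two blocks and keep only d bytes of the penultimate one. The
    # dropped tail is recoverable from the last block, so |C| == |P| with no padding sent.
    return b"".join(out[:-2]) + out[-1] + out[-2][:d]


def cbc_cts_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    n, d = _block_layout(len(ciphertext))
    if n == 1:
        return xor(toy_decrypt_block(key, ciphertext), iv)
    head = ciphertext[:(n - 2) * BLOCK]
    c_last = ciphertext[(n - 2) * BLOCK:(n - 1) * BLOCK]   # full block C_n
    c_pen_head = ciphertext[(n - 1) * BLOCK:]             # first d bytes of C_{n-1}
    dec_last = toy_decrypt_block(key, c_last)             # equals P_n(zero-padded) XOR C_{n-1}
    c_pen = c_pen_head + dec_last[d:]                     # padding is zero, so this tail is C_{n-1}'s
    p_last = xor(dec_last[:d], c_pen[:d])
    chain = head + c_pen
    prev, out = iv, []
    for i in range(n - 1):                                # ordinary CBC over the first n-1 blocks
        c = chain[i * BLOCK:(i + 1) * BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out) + p_last


if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(range(BLOCK))   # constructed sample key and IV
    for length in (16, 17, 31, 32, 33, 50):
        pt = bytes((i * 7 + 3) % 256 for i in range(length))
        ct = cbc_cts_encrypt(key, iv, pt)
        print(length, len(ct), cbc_cts_decrypt(key, iv, ct) == pt)
```

The ciphertext is the same length as the plaintext for every length from one block upwards: the final partial block is zero-padded before encryption, but the padding is never transmitted, because the decryptor recovers the stolen tail of C_{n-1} from the decryption of C_n. Messages shorter than one block are rejected, matching the >= 1 block condition in the question.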

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Idea for Twofish and Serpent Teams
Date: 05 Oct 2000 09:52:06 GMT

Runu Knips writes:

>Helger Lipmaa wrote:
>> Tom St Denis wrote:
>> > Do what RSA did and make your own "Symmetric Cipher Standards" and
>> > ignore the govt.
>> 
>> There was a thread recently in this newsgroup, about the general
>> attitude that guys who understand nothing about security try to strut
>> and to demand and to insult those who know better.
>
>Tom might insult people unnecessarily in this NG, but
>AFAIK he's far from being a 'guy who understand nothing
>about security' !

Much of what Tom posts is insulting, patronizing, wrong or exaggerated.
Helger might have written "guys who understand damn little about security"
instead of "nothing about security" but you do see his point, don't you?
Neophytes insulting and calling into question the opinion of real experts
deprives sci.crypt of more postings from real experts.

>
>> NIST didn't choose Rijndael due to some govt ignorance. Their choice was
>> made very carefully, and reflects very closely the average opinion in
>> the research community.
>
>Hardly. Many people believed Serpent would succeed.
>The choice has really surprised me.
>
Playing around with ciphers, having an opinion and posting it don't make
you a part of the research community. Helger is a part of that community;
you and I ain't. It's nice that you share your opinion, though. Sorry
you were disappointed.
Joe


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Reply-To: [EMAIL PROTECTED]
Date: Thu, 5 Oct 2000 09:41:30 GMT

Paulo S. L. M. Barreto <[EMAIL PROTECTED]> wrote:

: <!doctype html public "-//w3c//dtd html 4.0 transitional//en"><html>

Thanks - but no thanks...

: It was said that NSA likes other kinds of "hardware protection" also,
: including self-destructing devices; this may sound funny, but it's
: difficult to decide its verisimilitude.

It doesn't sound /that/ funny - some civilian devices do similar things:

``The 6K of SRAM included on the monolithic chip has been specially
  designed so that it will rapidly erase its contents as a tamper response
  to an intrusion. [...]

  Specific intrusions that result in zeroization include: 

  * Opening the case;
  * Removing the chip's metallurgically bonded substrate barricade;
  * Micro-probing the chip;
  * Subjecting the chip to temperature extremes;

  In addition, if excessive voltage is encountered, the sole I/O pin is
  designed to fuse and render the chip inoperable.''

 - from: http://www.ibutton.com/ibuttons/java.html
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
