Cryptography-Digest Digest #37, Volume #13       Sun, 29 Oct 00 15:13:00 EST

Contents:
  Re: [PGP] Twofish, 256bit, and Usenet Posting (Tom McCune)
  Re: ring homomorphic signature and encryption (Mika R S Kojo)
  Re: BEST BIJECTIVE RIJNDAEL YET? (John Savard)
  Re: ring homomorphic signature and encryption (Mika R S Kojo)
  Re: Q: Computations in a Galois Field (Mok-Kong Shen)
  Decrypt Me (Chris Nicholson)
  Re: Rijndael and PGP (JPeschel)
  Re: BEST BIJECTIVE RIJNDAEL YET? (SCOTT19U.ZIP_GUY)
  Could Publius achieve its goal? (Mok-Kong Shen)
  Re: BEST BIJECTIVE RIJNDAEL YET? (Tim Tyler)
  Re: Q: Computations in a Galois Field (Tom St Denis)
  Re: Decrypt Me (Tom St Denis)
  Re: DATA PADDING FOR ENCRYPTION (Tim Tyler)
  Re: DATA PADDING FOR ENCRYPTION (Tim Tyler)

----------------------------------------------------------------------------

Crossposted-To: alt.security.pgp
From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: [PGP] Twofish, 256bit, and Usenet Posting
Date: Sun, 29 Oct 2000 17:58:17 GMT

=====BEGIN PGP SIGNED MESSAGE=====

In article <[EMAIL PROTECTED]>, "Thomas J. Boschloo"
<[EMAIL PROTECTED]> wrote:

>My mistake really, I have been spending too much time in other
>newsgroups and forgot about public key crypto (can you imagine ;) Of
>course PGP might be very capable of generating a random session key of
>256 bits (if they did use that particular key length in PGP 7, you
>probably are more up to date with the precise figures). OTOH,
>concatenating two smaller hashes to get a larger one is not the way to
>go :( You would need random material with a minimal entropy of 256 bits
>if you are going to use 256 bit Twofish and how are you going to produce
>that from a 160 bit hash? Take the SHA-1

I wonder if the Intel RNG would help with this (which newer PGP versions
will automatically use for some of the random input, if the Intel RNG is
installed)?

<snip>
>Well, I will try to post more frequently in ASP. I do feed my newsreader
> 

Sounds good.

>frequently though! BTW This extra hour we have today in Holland is
>really nice in order to get up-to-date with my newsreader again ;)

That extra hour is nice here too - esp. since my cable modem just came
back on line; has been off since Friday night - very frustrating.

=====BEGIN PGP SIGNATURE=====
Version: PGP Personal Privacy 6.5.8
Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

iQEVAwUBOfxl4jYk/PXew/BzAQE2kAf/WJLuoRJmnNlz1ogLP4AytYlwhilDPSk3
yWIXlySibHFJ432QdiFAQRn9BqV5Ux/vl9RoP6lB1JulH/5u94uo6iPMPCuF+fsW
0S1s+oMvDomGvmsoOP209iVugvCeWdWLYeOngybymAjjan9YhcgYJ45GcMZPeBX7
ATRLBtUqerSYBspxiklbF7TMc7wsdocdN3kCGRPBxEEz77IeOktaLB0vjs1zF/nN
NsRF+1xY9WIp0TqgtDZBwqIwJvM5I+TRgWkUIBpG5uzC0uXJujK8yMh3KMlyLvwv
hdK72iuSsq7WYeYiN9X7I/EePl7UeqS3NoRbQOt29bA9Z90GgnTmyw==
=FO2B
=====END PGP SIGNATURE=====

------------------------------

From: Mika R S Kojo <[EMAIL PROTECTED]>
Subject: Re: ring homomorphic signature and encryption
Date: 29 Oct 2000 19:47:54 +0200


David A Molnar <[EMAIL PROTECTED]> writes:
> On a tangential note, are there any known relations between cryptography
> and category theory?

As category theory is just a language of objects and arrows it can be
used in any field, and cryptography is not an exception. As far as I
know functorial concepts have not been emphasized in
cryptography (*). However, it is a very powerful language and would seem
suitable for some more abstract approaches to cryptography---whether
it is really interesting, I do not know.

-- Mika

(*) I'm excluding here the fields related to cryptography that arise
from pure mathematics and use extensively the concepts of category
theory. Recall also that computer scientists have during the last few
decades used categories in various topics.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: BEST BIJECTIVE RIJNDAEL YET?
Date: Sun, 29 Oct 2000 18:29:46 GMT

On Sun, 29 Oct 2000 00:21:04 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:

>Much more important than details like better compression, in my
>opinion, is addressing the public-key versus passphrase problem. There
>is a great way around that, that allows people to have real security.
>Unfortunately, it's patented. EKE. Until that patent expires (although
>there are alternatives, but none are quite as good), I know of no way
>to combine security with practicality that *really* adds something to
>what the regular programs already do.

To clarify: I do not dispute that the major alternatives to EKE, some
of which I mention on my web page, at

http://home.ecn.ab.ca/~jsavard/crypto/mi060703.htm

are also useful and secure.

EKE, however, is significantly more convenient for the specific
mechanism I have in mind, which also emphasizes bandwidth conservation
and minimizing dependency on external sources of random numbers (in
ways that also involve the Bellare patent).

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Mika R S Kojo <[EMAIL PROTECTED]>
Subject: Re: ring homomorphic signature and encryption
Date: 29 Oct 2000 20:31:59 +0200


David A Molnar <[EMAIL PROTECTED]> writes:
> Right now, however, I would settle for a signature scheme which is a
> group homomorphism with respect to (Z_N, +) (not (Z_N^*, *) )...

I have a problem with this request. Namely, why would you assume that 
strong signature schemes with this property exist? 

Let s_k: Z/NZ -> Z/NZ be an additive group homomorphism when k is
fixed. Now we get using elementary group theory

  s_k(m) = s_k(1 + ... + 1) = s_k(1)+...+s_k(1) = m s_k(1), 

and finding s_k(1) is easy with large probability (even from a single
message m). Thus one would naively assume that signature schemes as
requested are always weak.

-- Mika
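As an added example (not part of Mika's post), the Python below carries the argument through against a constructed additively homomorphic "signature" s_k(m) = k*m mod N. The modulus N = 2^64+1, the key k and all messages are constructed values, and sign_toy/verify_toy is a stand-in with the homomorphic property, not any real scheme. It also handles the case the post calls rare, a signed message m with gcd(m, N) > 1, by combining several signed messages with the extended Euclidean algorithm, which goes a step beyond what the post spells out.

```python
"""Forging an additively homomorphic signature over Z/NZ.  Added example
for the argument above; sign_toy/verify_toy is a constructed stand-in
with the property s_k(a + b) = s_k(a) + s_k(b) mod N, not a real scheme.
The modulus, key and messages are constructed values."""
from math import gcd

N = 2**64 + 1   # hypothetical public modulus (composite: 274177 * 67280421310721)


def sign_toy(k, m, n=N):
    """Constructed additive homomorphism: s_k(m) = k * m mod n."""
    return k * m % n


def verify_toy(k, m, sigma, n=N):
    return sigma == sign_toy(k, m, n)


def egcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def recover_s1(signed_pairs, n=N):
    """Recover s_k(1) from signed pairs (m_i, sigma_i), with no key access.

    Because s_k is a homomorphism, s_k(u*a + v*b) = u*s_k(a) + v*s_k(b), so
    extended Euclid turns signatures on m_1..m_t into a signature on
    d = gcd(m_1, ..., m_t).  With one message this is just
    s_k(1) = sigma * m^-1 mod n, which works whenever gcd(m, n) = 1; the
    general form also covers messages that are not invertible mod n.
    Returns None if the pairs seen so far do not pin down s_k(1)."""
    d, sig_d = 0, 0                      # s_k(0) = 0 for any homomorphism
    for m, sigma in signed_pairs:
        g, u, v = egcd(d, m % n)
        sig_d = (u * sig_d + v * sigma) % n
        d = g
    if d == 0 or gcd(d, n) != 1:
        return None
    return sig_d * pow(d, -1, n) % n


def forge(m_new, s1, n=N):
    """Sign an arbitrary message from s_k(1) alone: s_k(m) = m * s_k(1)."""
    return m_new * s1 % n


def demo():
    """One legitimately signed message is enough to forge any other."""
    k = 0x5DEECE66D1234567                # secret key (constructed)
    m = 123456789
    s1 = recover_s1([(m, sign_toy(k, m))])
    target = 987654321
    return verify_toy(k, target, forge(target, s1))
```

The attack never touches the verification side: whatever the public check is, a signature on 1 lets the forger produce the signature on any m as m copies of it, which is exactly the s_k(m) = m s_k(1) identity above. Two messages that are each non-invertible mod N (here the two prime factors of N) still combine to a signature on their gcd 1.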

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Computations in a Galois Field
Date: Sun, 29 Oct 2000 19:36:31 +0100



Tom St Denis wrote:
> 
>   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> > Tom St Denis wrote:
> > >
> > >   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Bob Silverman wrote:
> > > >
> > > > > Some polynomials most certainly ARE better than others.  In
> > > > > particular a finite field is isomorphic to the quotient ring
> > > > > Z_p[x]/(g(X)) where p is the field characteristic and (g(x)) is
> > > > > an ideal generated by a primitive polynomial.  This is the
> > > > > polynomial you are looking for.  It is much faster to choose a
> > > > > polynomial of low Hamming weight when choosing g(x) as this can
> > > > > make the arithmetic quite a bit faster.
> > > > >
> > > > > And optimal normal bases are even better (when they exist).
> > > >
> > > > I have a question of ignorance. If one uses the same
> > > > formulae, e.g. as in Rijndael, to define substitution,
> > > > would different primitive polynomials lead to substitutions
> > > > that have different desirable properties such as avalanche
> > > > etc.? If yes, would the computationally best polynomial also
> > > > be the best with respect to these properties? Thanks.
> > >
> > > Rijndael uses multiplicative inversion and all moduli of equal
> > > length which are irreducible will make sboxes of equal cryptographic
> > > properties.  The sboxes will be different.
> > >
> > > You could always just use F(x) = ax^-1 + b in GF(2)^n to get a
> > > family of "cryptographically equivalent" sboxes with the same modulus.
> >
> > I am interested in how one proves 'equal cryptographic
> > properties' or 'cryptographically equivalent' above. The
> > sboxes will be different, as you said. Do they have the
> > same avalanche? Could you give a reference for your claim?
> > Thanks.
> 
> I proved about 4 months ago that these sboxes have less than ideal
> avalanche (they all have the exact same bias).  The order of the
> entries is different with different moduli but the LP/DP maximums
> remain the same.  Just try it out for yourself :)
> 
> (BTW I use this concept in a cipher I want to present at FSE'01 so ...
> if I get accepted you will see it in action).

I can't remember your post since it was a long time ago. Do you 
mean that you showed in the special case of Rijndael that the
author's choice is optimal? I presume that's an experimental
proof. If yes, then in any other given context one has to 
do experiments to determine the best polynomial to use with 
respect to avalanche etc.

M. K. Shen

------------------------------

From: Chris Nicholson <[EMAIL PROTECTED]>
Subject: Decrypt Me
Date: Sun, 29 Oct 2000 10:48:05 -0800

Message 1 9:28 AM, Monday April 2, 1998
=======
MSCOG UVRTQ XYDGM TYHCS YVSOU
========

Message 2: 2:34 PM, Monday April 2, 1998
=========
NGJDGLWBCKSUKJINZVFS
=========

Message 3: 5:23 PM, Monday April 2, 1998
=======
RWTXY YICZW YVCAN KNRBI SEFVE UGDHZ KRDNJ ZWGMV VWBMO UGSDT XETHY JQHJN
=======



------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Rijndael and PGP
Date: 29 Oct 2000 18:50:13 GMT

Richard Heathfield [EMAIL PROTECTED] writes:

>JPeschel wrote:
>> 
>> Richard Heathfield [EMAIL PROTECTED] writes:
>> 
>> >"SCOTT19U.ZIP_GUY" wrote:
>> >>
>> >That's not what he said. He said "thrown", not "throne". It was a pun,
>> >which is a kind of joke based on homophones which have distinctly
>> >different spellings and meanings.
>> >
>> 
>> A pun? I'd say Ashwood accidentally misspelled throne, as "pretender
>> to the thrown" doesn't make any sense. Doesn't seem to qualify
>> as a humorous non-sequitur, either.
>
>I thought it was funny. I guess I must just have a weird sense of
>humour.
>
>Worse, did I credit Ashwood with a weird sense of humour too?
>

Could be. You guys should exchange photographs and develop
a camaraderie. -)

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: BEST BIJECTIVE RIJNDAEL YET?
Date: 29 Oct 2000 19:04:59 GMT

[EMAIL PROTECTED] (Brian Gladman) wrote in
<AiZK5.3530$zO3.102711@stones>: 

>"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> [EMAIL PROTECTED] (Brian Gladman) wrote in
>> <K4VK5.3233$zO3.92645@stones>:
>>
>[snip]
>> >It would certainly help this debate if someone who thinks they know
>> >what is meant by the term 'file' in the context of bijective
>> >compression could ***carefully*** specify their use of this term.
>> >
>> >     Brian Gladman
>> >
>> >
>>
>>   Brian, gladly will I do that. In the case of Matt's program think of
>> file as any set of bits (where a bit has only two values "0" or
>> "1") and the number of bits that represent this file when divided by
>> 8 will exactly match a number in the set { 1 2 3 4 ...}
>> I hope that is specific enough.
>
>Thank you for your efforts, which are helpful.  It would be useful to
>understand the significance of limiting the length of such bit sequences
>to be multiples of 8.  Surely it would be better to remove such an
>arbitrary constraint and allow bit sequences of any length.

   Well I guess most of us use PCs so it is designed to work on 8 bit
types of files. However the concept can be applied to any machine
even one based on 3 bit bytes.

>
>Once it is admitted that a property can only be maintained when the
>length is a multiple of 8, there is no logic (apart from matters of
>practice rather than principle) for rejecting other approaches that
>maintain the property for files containing bit sequences that are
>multiples of any other arbitrary integer.


   Are you toying with me again? You know on most machines multiples
of 8 bits is what makes up files.

>
>And, of course, if you are limiting the lengths of bit sequences to be
>multiples of eight for practical reasons, then there are many other
>practical matters to consider such as, for example, whether the
>representation of such bit sequences should (or should not) contain
>explicit representations of their lengths.
>

   In an ideal computer system it might be best to use bit streams of
arbitrary length. But the machines I deal with have 8 bit bytes. If
you use a different size then modify the code.

>> Matt's program magically maps every
>> member to every other member in a unique way based on the key.
>>  The main way it does this is he cleverly compresses to an intermediate
>> file that is infinite in length. This infinite file has at least one
>> bit that is a one. And the last bit that is a one is a finite distance
>> from the start. He then basically encrypts this file with Rijndael using
>> full block sizes to map it to another unique file in the special
>> construction. When this process is done he converts the output back
>> to normal files as described at the start of this paragraph.
>>   Now this is a quick summary and not fully detailed. But I hope you
>> get the drift. Check out his code.
>
>I have looked at his work and he uses arithmetic coding with a nice
>technique for recognising the ends of files.  I did some work on
>arithmetic coding in a cryptographic context around 10 years ago and I
>am aware of what it can offer in this context.
>
>But in my view, in the great majority of practical situations the
>security advantages provided by arithmetic coding will not be
>significantly different when the file length is represented externally
>rather than internally.  This is not an argument for not using his
>termination technique but rather one to question whether there are
>significant security reasons for doing this.
>

   Well I guess you don't yet understand what it is doing. 
And I think you, Tim and I had this argument quite some
time ago. If you can't see how not adding information to a
file can weaken it cryptographically then don't use it, since
you think you already know it all.




David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Could Publius achieve its goal?
Date: Sun, 29 Oct 2000 20:15:31 +0100


I re-read the article in Scientific American. While it 
admitted that a censorship at the receiving end (detection 
of access to Publius documents) would subvert its goal, I 
believe that the system could also suffer in another way. 
One who is against Publius, e.g. a government institution,
could namely run a Publius server and encrypt a huge 
amount of not very interesting (or maybe interesting but 
faked) stuff and send it to the other Publius servers 
in the world. Soon the storage capacity of these would be 
exhausted and the whole system would come to a halt. This is 
analogous to a DoS attack. Or am I seeing a problem where 
there is in fact none?

M. K. Shen

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: BEST BIJECTIVE RIJNDAEL YET?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 29 Oct 2000 19:06:26 GMT

Brian Gladman <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> :   [EMAIL PROTECTED] wrote:
:> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> :> :   [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:

:> :> :> http://www3.sympatico.ca/mtimmerm/bicom/bicom.html
:> :>
:> :> I believe that's why the product includes a bijective version of
:> :> Rijndael [...]
:>
:> : Of course Rijndael is bijective it's a friggin block cipher.
:>
:> That's not the point.  Have you considered issues related to dealing with
:> files which are not exact multiples of the Rijndael block length?
:>
:> Can you point me at any other implementation of Rijndael where decrypting
:> an arbitrary cyphertext, and re-encrypting again with the same key
:> produces exactly the same file?

: He cannot do this because this is not what Rijndael does. Rijndael (in its
: AES form) operates on sequences of 128-bits [...]

Rijndael is a block cypher algorithm - one of whose common uses is
encrypting files.

This discussion relates to a particular *implementation* of Rijndael
which achieves a bijection between the space of all possible 8-bit
granular messages, and the set of strings of blocks output from Rijndael.

Obviously to do this it does a little bit more than just implement the raw
Rijndael spec - it uses chaining modes, compression, etc.

In this context, my question could be expanded to: "are there any other
programs - based around Rijndael - where decrypting a ciphertext, and
re-encrypting it again with the same key always results in exactly the
same block of data?"

This probably counts as a rhetorical question by now.

: The big problem in this debate is that the term 'file' is ill-defined.  I
: can certainly define a file in a particular way and trivially produce a
: program, using Rijndael, that decrypts and re-encrypts to produce the
: original file.  But my guess is that what I would define as a file others
: would see differently.

Here, "files" are defined as being 8-bit granular sequential chunks of
data.

: It would certainly help this debate if someone who thinks they know what is
: meant by the term 'file' in the context of bijective compression could
: ***carefully*** specify their use of this term.

That could get messy.  First, append "usually stored on a reasonably
long-term storage device" to the above.

For a proper definition there may be issues about file types, date
stamps, read only flags, etc.  I presume such things may be safely
ignored in this context.

Files don't have an "endianness" associated with them - but they do have a
direction - i.e. a first bit and a last bit - but essentially, they are
just a finite stream of N bits - with (N & 7) = 0.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Q: Computations in a Galois Field
Date: Sun, 29 Oct 2000 19:22:25 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

> I can't remember your post since it is long time back. Do you
> mean that you showed in the special case of Rijndael that the
> author's choice is optimal? I presume that's an experimental
> proof. If yes, then in any other given context one has to
> do experiments to determine the best polynomial to use with
> respect to avalanche etc.

No dude, read what I posted.  I said "all polynomials" have the same
sub-optimal diffusion.  That's one reason (not the only) for tacking on
the affine transformation in Rijndael.

This affects other ciphers such as Misty, LOKI97, etc..

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
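An added example for this exchange and for the Shen/St Denis/Silverman quotes above (my code, not any poster's): Python that builds the x^-1 S-box under two irreducible moduli and measures the quantities the thread argues about, the maximum DDT entry (DP) and the maximum Walsh coefficient (LP), plus the fixed-point count. 0x11B is Rijndael's modulus; the comparison modulus 0x11D, the constants a=0x57, b=0x83 in the a*x^-1+b family, and the check against Rijndael's own affine layer are my choices for illustration. Running it shows the tables differ entry by entry while the profiles do not, and that the affine layer changes the fixed points but not the DP/LP maxima.

```python
"""Inversion S-boxes over GF(2^8) under different irreducible moduli,
profiled by their differential and linear properties.  Added example
for the thread above; not code from the posters.  0x11B is Rijndael's
modulus x^8+x^4+x^3+x+1; 0x11D (x^8+x^4+x^3+x^2+1) is another
irreducible choice used here only for comparison."""


def gf_mul(a, b, mod):
    """Multiply in GF(2)[x]/(mod); `mod` carries its x^8 term, e.g. 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= mod
    return r


def gf_inv(a, mod):
    """a^(2^8 - 2) = a^-1 in a field of order 256; 0 maps to 0 as in Rijndael."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a, mod)
        a = gf_mul(a, a, mod)
        e >>= 1
    return r


def inverse_sbox(mod):
    """x -> x^-1 as a 256-entry table; rejects moduli that are not irreducible."""
    s = [gf_inv(x, mod) for x in range(256)]
    if any(gf_mul(x, s[x], mod) != 1 for x in range(1, 256)):
        raise ValueError("0x%X is reducible: not every element has an inverse" % mod)
    return s


def affine_family(mod, a, b):
    """F(x) = a * x^-1 + b (constants in GF(2^8)), the 'equivalent' family."""
    return [gf_mul(a, v, mod) ^ b for v in inverse_sbox(mod)]


def rijndael_affine(x):
    """Rijndael's GF(2)-affine output layer: XOR of four rotations plus 0x63."""
    r = x
    for i in range(1, 5):
        r ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return r ^ 0x63


def max_ddt(s):
    """Largest difference-distribution-table entry over nonzero input
    differences; DP_max = value / 256."""
    best = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[s[x] ^ s[x ^ dx]] += 1
        best = max(best, max(counts))
    return best


def max_walsh(s):
    """Largest |Walsh coefficient| over nonzero output masks, via a fast
    Walsh-Hadamard transform; LP_max = (value / 256)^2 and the best
    linear approximation has bias value / 512."""
    best = 0
    for b in range(1, 256):
        f = [1 - 2 * (bin(b & s[x]).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    u, v = f[j], f[j + h]
                    f[j], f[j + h] = u + v, u - v
            h *= 2
        best = max(best, max(abs(v) for v in f))
    return best


def profile(s):
    """(DDT max, Walsh max, number of fixed points) of a 256-entry S-box."""
    return max_ddt(s), max_walsh(s), sum(s[x] == x for x in range(256))


if __name__ == "__main__":
    for mod in (0x11B, 0x11D):
        print("inverse mod 0x%X:" % mod, profile(inverse_sbox(mod)))
    print("a*x^-1+b       :", profile(affine_family(0x11B, 0x57, 0x83)))
    print("Rijndael S-box :", profile([rijndael_affine(v) for v in inverse_sbox(0x11B)]))
```

The reason the profiles agree is that any two representations of GF(2^8) are related by a GF(2)-linear change of basis, and DDT/Walsh maxima are invariant under affine equivalence; the irreducibility check matters because a reducible modulus silently produces a non-permutation.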

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Decrypt Me
Date: Sun, 29 Oct 2000 19:20:11 GMT

In article <[EMAIL PROTECTED]>,
  Chris Nicholson <[EMAIL PROTECTED]> wrote:
> Message 1 9:28 AM, Monday April 2, 1998
> -------
> MSCOG UVRTQ XYDGM TYHCS YVSOU
> --------
>
> Message 2: 2:34 PM, Monday April 2, 1998
> ---------
> NGJDGLWBCKSUKJINZVFS
> ---------
>
> Message 3: 5:23 PM, Monday April 2, 1998
> -------
> RWTXY YICZW YVCAN KNRBI SEFVE UGDHZ KRDNJ ZWGMV VWBMO UGSDT XETHY
JQHJN
> -------

They all mention "I should not really post this to sci.crypt and
perhaps read the FAQ first".

You want a challenge?  Break my TC5 cipher... :)

http://www.geocities.com/tomstdenis/

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: DATA PADDING FOR ENCRYPTION
Reply-To: [EMAIL PROTECTED]
Date: Sun, 29 Oct 2000 19:26:18 GMT

Bryan Olson <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Bryan Olson  wrote:
:> : Tim Tyler wrote:
:> :> Bryan Olson wrote:

:> :> : [...] can you imagine someone so clueless as to expect his message
:> :> : space won't have enough redundancy to cover a couple hundred (or
:> :> : several thousand) bits of key equivocation?
:> :>
:> :> Surely it is *very* easy to imagine such a case.
:> :>
:> :> What about the man sending short messages, for example?
:>
:> : "Message" yes, that's what the OTP is all about.  "Messages"
:> : sounds he doesn't really have a grasp of the requirements for
:> : information theoretic security.
:>
:> Your implication that someone sending some short messages with a block
:> cypher has a screw loose appears to be unwarranted.

: I implied nothing of the sort. [...]

"Doesn't really have a grasp of the issues at hand" then.

:> I suppose you are suggesting he should be using an OTP,
:> and not bothering with a padding scheme?

: No.  Just don't bother with the pointless non-standard
: padding schemes.

The problems of the padding scheme of appending a 1 and padding with 0s
to the end of the block are the topic under discussion, I believe.

If you would label this as "pointless, non-standard" then we would be in
agreement.

:> Using an OTP may require significantly more key material.
:> Note that the redundancy you mentioned arises with messages
:> longer than the unicity distance.

: Wrong.  It arises when the sum of the redundancy in
: all the messages sent under the key exceeds the key
: entropy.

I was (rather obviously) dealing with the case of one key per message.

Sending more than one message under the same key can only make things
worse (from the POV of the security of the messages).

:> This may be significantly greater than the length of the normal block
:> cypher's key.
:>
:> Consequently, using an OTP may require far larger keys than
:> are on the cards.
:>
:> It's probably simpler to use a padding scheme that adds zero bytes of
:> known plaintext to the message, thus avoiding the problem completely.

: That's where you've made your mistake - moving away from
: the standard padding schemes solves no problem.

It decreases the chance of an attacker being able to identify a correct
message.

Perhaps you should specify what you think "the standard padding schemes"
refers to.  Does it include the zero padding discussed further up this
thread, for example?

:> :> What about the man who forwards an encrypted message he has
:> :> intercepted back to his HQ for decipherment?

:> The attacker that intercepts his message may be unable to
:> distinguish a correct decrypt from a random stream (without
:> lots of work).

: Huh?  If he's forwarding intercepted messages, then there's
: a small pool of possible plaintexts.

Which may not be known to the attacker.  He may not even know the
cipher it is encrypted under.  His task might be to strip off the outer
layer of encryption and then pass the message to his supervisor
to deal with the (classified) inner algorithm.

If he can recognise a correct decrypt by the zero padding, he may succeed.
If the padding is not present, his job is impossible.

:> Consequently adding up to 127 zero bits to the file might make
:> finding a termination criteria much easier for him.

: As John Myre wrote
:    Nobody with any sense cares, and you know why.

It was false then, and is false now.

:> Redundancy is only useful to attackers if they can detect it.
:>
:> It's not a case of whether /I/ can imagine someone so
:> clueless as to have such expectations - it's why /you/ can't
:> see that a perfectly intelligent and rational person could
:> have such expectations.

: And yet your examples fail.

No they do not - you just fail to grasp them.

: You thought small messages can't cover the unicity distance; [...]

Which is true, under some circumstances.

: [...] not so since you can send more than one.

Um - not if there's one key per message.

: You thought intercepted encrypted messages won't have useful
: redundancy.  Did it occur to you that the attacker could have
: intercepted the same messages, or that the original sender is a likely
: attacker?

Did it occur to you that there might be other attackers not in this
category?

Obviously not.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Florist: Petal pusher.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: DATA PADDING FOR ENCRYPTION
Reply-To: [EMAIL PROTECTED]
Date: Sun, 29 Oct 2000 19:35:20 GMT

SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:

:>After describing the bitflipping problem, it goes on to say:
:>
:>``Ciphertext stealing is a better way (see figure 9.5[snip ref]).
:>  [snip description which makes little sense without the diagram]
:>  The benefit of this method is that all the bits of the plaintext
:>  go through the encryption algorithm.''
:>
:>I believe this is bijective *provided* more than 1 block is present.

:   I don't like to think I'm a purist. But it is sort of skipping
: the problem. Especially when it can be solved with a little thought.

One plus point is that it's fast and simple.

By contrast, to make the transition from an 8-bit file to a 128 bit list
of blocks normally takes some time, effort and programming.

Matt gets this for free since he's compressing first - and winds up with
one of his finitely odd streams - given that he has to convert this to
*something*, converting it to a 128-bit granular file comes naturally -
but other folks may not be performing such a stage - in which case
a few simple XORs might look attractive.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/
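An added example serving both the bijective-Rijndael thread (decrypt then re-encrypt must reproduce any ciphertext) and the two padding posts above (the 1-then-0s padding adds recognisable plaintext; ciphertext stealing avoids it, provided at least one full block is present). This is my code, not BICOM's, Matt Timmermans' or any poster's: the block cipher is a toy 16-byte Feistel network keyed through SHA-256 standing in for Rijndael (an assumption so the example runs with the standard library only), the key, IV and the "arbitrary" ciphertexts are constructed, and the CBC ciphertext-stealing layout (last full-block ciphertext swapped behind the final block, its tail stolen) is the textbook one rather than anything taken from the figure quoted above.

```python
"""Bit-padding versus ciphertext stealing as a 'file -> blocks' layer.
Added example for the bijective-Rijndael and padding threads above;
not code from any of the posters.  The block cipher is a toy 16-byte
Feistel network keyed through SHA-256, standing in for Rijndael (an
assumption so the example runs with the standard library only)."""
import hashlib

BS = 16  # block size in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]


def encrypt_block(key, block):
    """Toy 8-round Feistel permutation on 16-byte blocks (NOT Rijndael)."""
    l, r = block[:BS // 2], block[BS // 2:]
    for i in range(8):
        l, r = r, xor(l, _f(key, i, r))
    return r + l


def decrypt_block(key, block):
    r, l = block[:BS // 2], block[BS // 2:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    """Plain CBC over data that is already a whole number of blocks."""
    out, prev = [], iv
    for i in range(0, len(data), BS):
        prev = encrypt_block(key, xor(data[i:i + BS], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BS):
        c = data[i:i + BS]
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


# --- scheme 1: append a 1 bit (0x80) then zero bytes, then CBC -------------
def pad_bit(msg):
    n = BS - len(msg) % BS           # always adds 1..16 bytes of known text
    return msg + b"\x80" + bytes(n - 1)


def unpad_bit(data):
    """Return the message, or None if the trailer is not 0x80 00..00
    (at most one block long).  That None is what an attacker keys on."""
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80") or len(data) - len(stripped) >= BS:
        return None
    return stripped[:-1]


def padded_encrypt(key, iv, msg):
    return cbc_encrypt(key, iv, pad_bit(msg))


def padded_decrypt(key, iv, ct):
    return unpad_bit(cbc_decrypt(key, iv, ct))


# --- scheme 2: CBC with ciphertext stealing (needs >= one full block) ------
def cs_encrypt(key, iv, msg):
    """Ciphertext is exactly as long as the plaintext; the final partial
    block is completed with bytes stolen from the previous block's
    ciphertext, so no known plaintext is ever added."""
    if len(msg) < BS:
        raise ValueError("ciphertext stealing needs at least one full block")
    full, j = divmod(len(msg), BS)
    head = cbc_encrypt(key, iv, msg[:full * BS])
    if j == 0:
        return head
    x = head[-BS:]                   # last full-block ciphertext, stolen from
    cn = encrypt_block(key, xor(msg[full * BS:] + bytes(BS - j), x))
    return head[:-BS] + cn + x[:j]


def cs_decrypt(key, iv, ct):
    if len(ct) < BS:
        raise ValueError("ciphertext stealing needs at least one full block")
    full, j = divmod(len(ct), BS)
    if j == 0:
        return cbc_decrypt(key, iv, ct)
    cn, t = ct[(full - 1) * BS:full * BS], ct[full * BS:]
    y = decrypt_block(key, cn)
    x = t + y[j:]                    # rebuild the stolen block
    head = cbc_decrypt(key, iv, ct[:(full - 1) * BS] + x)
    return head + xor(y[:j], t)


def sample_ciphertexts(count):
    """Constructed, deterministic 'arbitrary' ciphertexts of 16..55 bytes."""
    return [(hashlib.sha256(b"ct%d" % i).digest() * 2)[:BS + i % 40] for i in range(count)]


def recognisable_fraction(key, iv, count=200):
    """Fraction of arbitrary ciphertexts that decrypt to *something valid*
    under each scheme.  Well below 1 means a wrong key (or wrong guess) is
    recognisable from the padding alone; exactly 1 means decrypt then
    re-encrypt reproduces every ciphertext, i.e. the layer is a bijection."""
    cts = sample_ciphertexts(count)
    padded_ok = sum(padded_decrypt(key, iv, c[:len(c) // BS * BS]) is not None for c in cts)
    stolen_ok = sum(cs_encrypt(key, iv, cs_decrypt(key, iv, c)) == c for c in cts)
    return padded_ok / count, stolen_ok / count
```

With the padded scheme roughly one arbitrary ciphertext in 256 decrypts to a well-formed trailer, so a key-search loop gets a free "wrong key" signal from the padding; with ciphertext stealing every byte string of at least one block is some message's ciphertext under every key, so the only check left is whatever redundancy the plaintext itself carries. The one-block floor in cs_encrypt is the "provided more than 1 block is present" caveat from the post.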

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
