Cryptography-Digest Digest #151, Volume #13 Mon, 13 Nov 00 19:13:00 EST
Contents:
DES advice ("Bob Luking")
Re: On an idea of John Savard (Tom St Denis)
Re: DES advice (Tom St Denis)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (Tom St Denis)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (Tom St Denis)
Re: Algorithm with minimum RAM usage? (Tom St Denis)
Re: so many fuss about impossibility to backtrace from MD to original text. (wtshaw)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (Mok-Kong Shen)
Re: On an idea of John Savard (Mok-Kong Shen)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (Mok-Kong Shen)
Re: On an idea of John Savard (David Schwartz)
LFSR's (Simon Johnson)
Learning Differential and Linear Cryptanalysis? (Simon Johnson)
Re: RC4 on FPGAs? ([EMAIL PROTECTED])
Re: On an idea of John Savard (Mok-Kong Shen)
Re: On an idea of John Savard (David Schwartz)
Re: On an idea of John Savard (Darren New)
----------------------------------------------------------------------------
From: "Bob Luking" <[EMAIL PROTECTED]>
Subject: DES advice
Date: Mon, 13 Nov 2000 21:10:45 GMT
Hi, all. Confessions of a crypto novice:
I've written a program to encrypt using DES. The first piece of code was in Verilog for a hardware encryption engine. The second was in Visual Basic to validate the hardware. The outputs match.
Unfortunately, the ciphertext is incorrect (according to FIPS 81). Somehow, my interpretation of the DES specification is lacking...
So, if anyone has, at their fingertips, a DES engine written in some language with which they can (very easily) dump out the L,R intermediate rounds, it would go a long way towards helping me debug this thing, and earn my eternal thanks.
Meanwhile, I'm off to the store to buy a C compiler so that I can grab some freeware off the web and maybe figure this out for myself. It'll be good practice...
Thanks,
Bob
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 22:04:16 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
> > In article <[EMAIL PROTECTED]>,
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > You missed my point that a (assumedly well designed) block
> > > cipher has rounds (cycles) that are equally good. So
> > > consider these as individual ciphers and are concatenated
> > > in the original design as a multiple encryption and you
> > > see there can be no objection in taking these apart and
> > > mixing with those from another cipher.
> >
> > You missed my point. Most ciphers are presumably secure because you
> > are iterating the same function over and over. Take Serpent for
> > example. One round is not particularly strong, but if you add 15 more
> > rounds the cipher is secure against known attacks. Similarly if you
> > mix Serpent and Safer arbitrarily the diffusion (linear mixing) are not
> > compatible and you are not guaranteed to have the same high level of
> > confusion.
> >
> > Mixing up ciphers is a terribly bad idea. Now taking parts from
> > ciphers to build a new one can be done (I mixed IDEA+Twofish before)
> > but you have to be careful of how you mix up the primitives. Just
> > mixing rounds is not a good idea.
>
> You can consider the rounds to be concatenation, can't
> you? What distinguishes round 1 of Rijndael from round 2?
> You add rounds to increase the strength. The increase
> is not linear but super-linear. That's all. If a cipher
> is designed that it somehow depends on the interplay
> of the rounds for its strength, then that's a poor design
> in my view.
No, it's called avalanche effect. It could take more than one round to
accomplish. Mixing two different ciphers could delay the avalanche
effect.
I seriously doubt you will make a cipher much if any at all stronger by
randomly mixing design components. It's a very ad hoc design idea and
totally without ground.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: DES advice
Date: Mon, 13 Nov 2000 22:02:18 GMT
In article <pNYP5.89215$[EMAIL PROTECTED]>,
"Bob Luking" <[EMAIL PROTECTED]> wrote:
> Hi, all. Confessions of a crypto novice:
>
> I've written a program to encrypt using DES. The first piece of code was in
> Verilog for a hardware encryption engine. The second was in Visual Basic to
> validate the hardware. The outputs match.
>
> Unfortunately, the ciphertext is incorrect (according to FIPS 81). Somehow,
> my interpretation of the DES specification is lacking...
>
> So, if anyone has, at their fingertips, a DES engine written in some
> language with which they can (very easily) dump out the L,R intermediate
> rounds, it would go a long way towards helping me debug this thing, and earn
> my eternal thanks.
>
> Meanwhile, I'm off to the store to buy a C compiler so that I can grab some
> freeware off the web and maybe figure this out for myself. It'll be good
> practice...
First off implementing DES is only a good idea to learn how to
implement things from specs. DES is not particularly useful in any
way today.
Also why buy a C compiler when you can easily download one for free?
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 22:06:33 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> There are good and poor designs. And there are even also
> designs that are considered good partly due to the name
> of the designer.
Now you are just being a troll. Most ciphers that have components or
designs strictly bent on using key material are often very weak. FROG
for example has keys that define weak ciphers.
You're better off leaving the components the same and using the key in
a more traditional fashion. That way it's easier to analyze and
probably more efficient too.
Sure 128 rounds of "Rijndael+Safer+Twofish+Mars" hybrid may be strong
but I would rather just use 10 rounds Rijndael (or 18 rounds for the
conservative) which would be easier to analyze and much faster.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 22:09:16 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> On Mon, 13 Nov 2000 14:32:37 GMT, Paul Crowley
> <[EMAIL PROTECTED]> wrote, in part:
>
> >Tom is right. Look at the beautiful proof of resistance to differential
> >and linear cryptanalysis in the Rijndael paper - no such proof would be
> >possible with a mixed-up cipher like you propose. Look at the way the
> >different layers do different work, but interact to create a strong
> >cipher. Look at the way the structure can be re-jigged to give
> >decryption the same structure as encryption. I'd have far more
> >confidence in pure Rijndael than in any such chimera cipher.
>
> I don't feel compelled to argue this too seriously. And I will
> definitely agree that one could easily make a mistake, if one chooses
> ciphers poorly.
>
> Thus, with regards to my suggestion to alternate SAFER+ rounds with
> Rijndael: for one thing, I would allow a complete sequence of the
> Rijndael layers before applying a SAFER+ round in between.
>
> For another, to prevent vitiating much of the analysis of Rijndael, I
> should have pointed out that I would, after the SAFER+ round, re-order
> the bytes so that no displacement of the bytes in the block occurs
> during that round (it's either that, or omit the Shift Row step from
> Rijndael).
>
> Actually, it is better that a cipher with alternating round types be
> designed from the ground up, rather than fitting together two existing
> ciphers. I won't deny that either.
>
> What I do still think, however, is that we need more than resistance
> to the attacks we know about; thus, a cipher ought to be designed so
> that no attack can even be imagined - in addition to having parts
> strengthened against the attacks we know.
>
> >(http://www.unifi.it/unifi/surfchem/solid/bardi/chimera/origins.html)
>
> Cute URL.
Heterogeneous structures are often not very secure. Look at CAST-128/256.
It's a very ad hoc cipher design (I also dislike their sbox construction
methods since, although mathematically complicated, they lack fundamental
information theory background...) they use rotations and mix up +, ^ and -
in various rounds. Truly just "oh let's just type and see what happens".
For best results one should use a balanced homogeneous iterative
structure since they have balanced diffusion and are simpler to design,
analyze and implement. Also they are often more secure as well.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Algorithm with minimum RAM usage?
Date: Mon, 13 Nov 2000 22:11:36 GMT
In article <8upkgf$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Guy Macon) wrote:
> Runu Knips wrote:
> >
> >
> >Guy Macon wrote:
> >> The list of AES candidates I saw didn't include Skipjack.
> >
> >AES candidates have to have 128 bit blocks and 128, 196 and 256 bit key
> >sizes.
> >
> >Skipjack has 64 bit blocks and a (very low) 80 bit key size.
> >
> >Too, Skipjack is from the NSA. In fact, it is the first algorithm ever
> >published by the NSA. In fact, it was never intended to get published.
>
> Ah. I see. Looks like Rijndael is the best choice if I want strong
> encryption in minimum RAM.
Strong is in the eye of the attacker who knows the implementor who just
met the user and is buying them a cup of coffee trying to get their
secret key... hehehe
Just throwing Rijndael at a program will NOT (NOT NOT NOT!!!) make it a
secure application. Be careful!
Tom
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: so many fuss about impossibility to backtrace from MD to original text.
Date: Mon, 13 Nov 2000 15:50:21 -0600
In article <8upfri$262$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Bill Unruh) wrote:
> No hash is backtraceable, nor is it ever used in a situation in which
> one would want to (well, ever is a strong term). Anyway, it is usually
> used as a check that the contents of an article have not been changed.
> In this sense the multi to one nature is a detriment, since there are
> many many many articles with the same hash. Some of those could be
> articles which completely change the sense of the original, and if those
> alternative articles were easy to find, the hash would be useless as a
> check that the article was not changed. This is the point. Can you find
> other articles which have the same hash as the given article? Not, can
> you find the original article which had this hash.
>
You confuse how good a hash is with what a hash is. In the broadest
sense, a hash is merely a form of ciphertext that contains less
information than plaintext. Whether you can figure out what is missing is
the source of all sorts of fun and games.
Surely a hash is backtraceable to one that produced it in the first place;
they can recognize what it once was, as another might not be sure. It is
characteristic of all true hashes that collision occurs.
For absolute verification, no collision, you could merely encrypt with a
private key in a good system.
--
Pangram: Move zingy, jinxed products; hawk benign quality fixes.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 23:50:05 +0100
John Savard wrote:
>
[snip]
> Actually, it is better that a cipher with alternating round types be
> designed from the ground up, rather than fitting together two existing
> ciphers. I won't deny that either.
That's certainly (trivially) true. On the other hand, these
alternating round types would be considered to be components
of one (big) round.
> What I do still think, however, is that we need more than resistance
> to the attacks we know about; thus, a cipher ought to be designed so
> that no attack can even be imagined - in addition to having parts
> strengthened against the attacks we know.
I don't think that it is ever possible (though certainly
very desirable) in 'practice' that a cipher be designed that
no attack can even be 'imagined'. It would be like designing
a building that can withstand an earthquake of ANY magnitude.
On the other hand, many attacks can be prevented, if the
user takes proper care. In particular, those that require
large amounts of material encrypted with the same key
can be easily counteracted through eliminating the occurrence
of that condition via frequent change of the keys. Since no
opponent is omnipotent, sufficient security is always
achievable in my conviction through more rounds, multiple
encryption, exploitation of variability (parametrization
and dynamic modification), etc. etc. The real and difficult
problem lies in the appropriate estimation of the capability
of the opponent and hence the economic choice of the level
of security to be provided.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 23:53:25 +0100
Tom St Denis schrieb:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> >
> > Tom St Denis wrote:
> > >
> > > In article <[EMAIL PROTECTED]>,
> > > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > > You missed my point that a (assumedly well designed) block
> > > > cipher has rounds (cycles) that are equally good. So
> > > > consider these as individual ciphers and are concatenated
> > > > in the original design as a multiple encryption and you
> > > > see there can be no objection in taking these apart and
> > > > mixing with those from another cipher.
> > >
> > > You missed my point. Most ciphers are presumably secure because you
> > > are iterating the same function over and over. Take Serpent for
> > > example. One round is not particularly strong, but if you add 15 more
> > > rounds the cipher is secure against known attacks. Similarly if you
> > > mix Serpent and Safer arbitrarily the diffusion (linear mixing) are not
> > > compatible and you are not guaranteed to have the same high level of
> > > confusion.
> > >
> > > Mixing up ciphers is a terribly bad idea. Now taking parts from
> > > ciphers to build a new one can be done (I mixed IDEA+Twofish before)
> > > but you have to be careful of how you mix up the primitives. Just
> > > mixing rounds is not a good idea.
> >
> > You can consider the rounds to be concatenation, can't
> > you? What distinguishes round 1 of Rijndael from round 2?
> > You add rounds to increase the strength. The increase
> > is not linear but super-linear. That's all. If a cipher
> > is designed that it somehow depends on the interplay
> > of the rounds for its strength, then that's a poor design
> > in my view.
>
> No, it's called avalanche effect. It could take more than one round to
> accomplish. Mixing two different ciphers could delay the avalanche
> effect.
>
> I seriously doubt you will make a cipher much if any at all stronger by
> randomly mixing design components. It's a very ad hoc design idea and
> totally without ground.
If you interleave two good ciphers I believe that the
result is certainly stronger than any single one.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 23:57:53 +0100
Tom St Denis wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > There are good and poor designs. And there are even also
> > designs that are considered good partly due to the name
> > of the designer.
>
> Now you are just being a troll. Most ciphers that have components or
> designs strictly bent on using key material are often very weak. FROG
> for example has keys that define weak ciphers.
>
> You're better off leaving the components the same and using the key in
> a more traditional fashion. That way it's easier to analyze and
> probably more efficient too.
>
> Sure 128 rounds of "Rijndael+Safer+Twofish+Mars" hybrid may be strong
> but I would rather just use 10 rounds Rijndael (or 18 rounds for the
> conservative) which would be easier to analyze and much faster.
As said in another follow-up, I believe interleaving
leads to increase in strength much like concatenation
of the ciphers.
M. K. Shen
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 14:59:34 -0800
Mok-Kong Shen wrote:
> If you interleave two good ciphers I believe that the
> result is certainly stronger than any single one.
This is certainly false if you, for example, interleave DES with
reverse DES.
DS
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: LFSR's
Date: Mon, 13 Nov 2000 22:59:54 GMT
I'm going to implement a 128-bit LFSR which is self shrinking. The
question I put to you is whether I should do this in C or ASM?
Is there much more to be gained, performance wise, by doing this in ASM?
Could anyone give me a quantitative comparison between a C
implementation and an ASM implementation?
Thanks,
Simon.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
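The generator described in the post, as an added C example that is not Simon's code: a 128-bit Fibonacci LFSR with the self-shrinking rule of Meier and Staffelbach (clock twice, emit the second bit only when the first is 1). The feedback polynomial x^128 + x^7 + x^2 + x + 1 is the irreducible polynomial used by GCM; whether it is also primitive (needed for the maximal 2^128 - 1 period) is an assumption to verify before relying on it, and the seed is constructed.

```c
/* Self-shrinking generator over a 128-bit Fibonacci LFSR (added example).
 * Recurrence: s_{n+128} = s_{n+7} ^ s_{n+2} ^ s_{n+1} ^ s_n, i.e. the
 * polynomial x^128 + x^7 + x^2 + x + 1 (irreducible; primitivity assumed). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* bit 0 of lo holds s_n, bit 63 of hi holds s_{n+127} */
typedef struct { uint64_t lo, hi; } lfsr128_t;

/* One LFSR clock: returns the output bit s_n and shifts in s_{n+128}. */
static int lfsr_step(lfsr128_t *s) {
    uint64_t lo = s->lo;
    int out = (int)(lo & 1);
    int fb = (int)((lo ^ (lo >> 1) ^ (lo >> 2) ^ (lo >> 7)) & 1);  /* taps 0,1,2,7 */
    s->lo = (lo >> 1) | (s->hi << 63);          /* bit 0 of hi moves into bit 63 of lo */
    s->hi = (s->hi >> 1) | ((uint64_t)fb << 63); /* feedback bit enters at the top */
    return out;
}

/* Self-shrinking rule: clock twice to get the pair (a, b); emit b only
 * when a == 1, otherwise discard the pair and try the next one. */
static int ssg_bit(lfsr128_t *s) {
    for (;;) {
        int a = lfsr_step(s);
        int b = lfsr_step(s);
        if (a) return b;
    }
}

/* Fill n keystream bytes, MSB first. Returns -1 for the all-zero state,
 * which the LFSR can never leave (and on which ssg_bit would spin forever). */
static int ssg_keystream(lfsr128_t *s, uint8_t *out, size_t n) {
    if (s->lo == 0 && s->hi == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        uint8_t byte = 0;
        for (int j = 0; j < 8; j++) byte = (uint8_t)((byte << 1) | ssg_bit(s));
        out[i] = byte;
    }
    return 0;
}

int main(void) {
    /* constructed seed; in use the seed would come from key/IV setup */
    lfsr128_t s = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
    uint8_t ks[16];
    if (ssg_keystream(&s, ks, sizeof ks) != 0) return 1;
    for (size_t i = 0; i < sizeof ks; i++) printf("%02x", ks[i]);
    printf("\n");
    return 0;
}
```

This is the bit-serial C baseline one would time against an assembly version; the self-shrinking rule costs two LFSR clocks per candidate bit and discards half the candidates on average, so output runs at about a quarter of the raw LFSR clock rate whichever language is used.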
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Learning Differential and Linear Cryptanalysis?
Date: Mon, 13 Nov 2000 23:03:44 GMT
Where can I find reference material, books etc. with a clear and concise
explanation of these two attacks?
Books on the subject would be excellent, if not URLs :)
Thanks,
Simon.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: RC4 on FPGAs?
Date: Mon, 13 Nov 2000 23:09:23 GMT
http://www.tkt.cs.tut.fi/research/tutwlan/publications.html
Although I don't know how to get a login and password...
I don't read Finnish... If someone does, please post it...
Thanks.
Albert
In article <weVP5.1276$[EMAIL PROTECTED]>,
"CMan" <[EMAIL PROTECTED]> wrote:
> Is this available on the net?
>
> JK
>
> --
> CRAK Software
> http://www.crak.com
> Password Recovery Software
> QuickBooks, Quicken, Access...More
> Spam bait (credit E. Needham):
>
> "Panu Hämäläinen" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > ajd wrote:
> >
> > > Has anyone implemented the RC4 algorithm on an FPGA (or can anyone point
> > > me to someone who has)? What sort of throughput did you get?
> >
> > I did. However, I don't know how good the implementation was. Throughput
> > was same as in software.
> >
> > See paper Hämäläinen Panu, Hännikäinen Marko, Hämäläinen Timo, Saarinen
> > Jukka, "Hardware Implementation of the Improved WEP and RC4 Encryption
> > Algorithms for Wireless Terminals", The X European Signal Processing
> > Conference (EUSIPCO'2000), September 5 - 8, 2000, Tampere, Finland, pp.
> > 2289-2292.
> >
> > -- Panu Hämäläinen
>
>
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Tue, 14 Nov 2000 00:28:03 +0100
David Schwartz wrote:
>
> Mok-Kong Shen wrote:
>
> > If you interleave two good ciphers I believe that the
> > result is certainly stronger than any single one.
>
> This is certainly false if you, for example, interleave DES with
> reverse DES.
In context of multiple encryption one is generally
considering purposely ciphers of different natures
in order to avoid possible 'cancelling' effect.
M. K. Shen
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 15:32:22 -0800
Mok-Kong Shen wrote:
>
> David Schwartz wrote:
> >
> > Mok-Kong Shen wrote:
> >
> > > If you interleave two good ciphers I believe that the
> > > result is certainly stronger than any single one.
> >
> > This is certainly false if you, for example, interleave DES with
> > reverse DES.
>
> In context of multiple encryption one is generally
> considering purposely ciphers of different natures
> in order to avoid possible 'cancelling' effect.
However, each of those individual ciphers is designed to have an
avalanche effect. Their combination may or may not have such an effect.
DS
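Tom St Denis's point upthread that avalanche needs more than one round, and David Schwartz's point that a cipher interleaved with its own inverse gains nothing, as an added example that is not code from any poster: XTEA cycles stand in for DES rounds (an assumption, chosen because one XTEA cycle is four lines), the keys and plaintexts are constructed, and the program counts how many of the 64 output bits change after 1, 2, 4, 8 and 32 cycles when one plaintext bit is flipped, then runs cycle i of the cipher interleaved with cycle i of its inverse and checks that the plaintext comes back untouched.

```c
/* Avalanche per round, and the degenerate "cipher + its inverse" interleave
 * (added example; XTEA used as a small stand-in for DES). */
#include <stdint.h>
#include <stdio.h>

#define DELTA 0x9E3779B9u

/* Constructed keys for the demonstration (not from the thread). */
static const uint32_t ZERO_KEY[4] = { 0, 0, 0, 0 };
static const uint32_t DEMO_KEY[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };

/* XTEA cycle number i (0-based): two Feistel half-rounds, sum = i * DELTA. */
static void xtea_enc_cycle(uint32_t v[2], const uint32_t key[4], unsigned i) {
    uint32_t sum = (uint32_t)i * DELTA;
    v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + key[sum & 3]);
    sum += DELTA;
    v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + key[(sum >> 11) & 3]);
}

/* Exact inverse of cycle i: the same half-rounds, subtracted in reverse order. */
static void xtea_dec_cycle(uint32_t v[2], const uint32_t key[4], unsigned i) {
    uint32_t sum = (uint32_t)(i + 1) * DELTA;
    v[1] -= (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + key[(sum >> 11) & 3]);
    sum -= DELTA;
    v[0] -= (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + key[sum & 3]);
}

static int popcount64(uint64_t x) { int c = 0; for (; x; x &= x - 1) c++; return c; }

/* Avalanche after `cycles` cycles: number of the 64 output bits that change
 * when bit 0 of the right half of plaintext (p0, p1) is flipped. */
static int avalanche_bits(const uint32_t key[4], uint32_t p0, uint32_t p1, unsigned cycles) {
    uint32_t a[2] = { p0, p1 }, b[2] = { p0, p1 ^ 1u };
    for (unsigned i = 0; i < cycles; i++) {
        xtea_enc_cycle(a, key, i);
        xtea_enc_cycle(b, key, i);
    }
    return popcount64(((uint64_t)(a[0] ^ b[0]) << 32) | (a[1] ^ b[1]));
}

/* The degenerate interleave: cycle i of the cipher immediately followed by
 * cycle i of its inverse. Returns 1 when the plaintext comes back untouched. */
static int interleave_cancels(const uint32_t key[4], uint32_t p0, uint32_t p1, unsigned cycles) {
    uint32_t v[2] = { p0, p1 };
    for (unsigned i = 0; i < cycles; i++) {
        xtea_enc_cycle(v, key, i);
        xtea_dec_cycle(v, key, i);
    }
    return v[0] == p0 && v[1] == p1;
}

int main(void) {
    static const unsigned cycles[] = { 1, 2, 4, 8, 32 };
    printf("cycles  output bits changed by a 1-bit plaintext flip (of 64)\n");
    for (unsigned k = 0; k < sizeof cycles / sizeof cycles[0]; k++)
        printf("%6u  %d\n", cycles[k], avalanche_bits(DEMO_KEY, 0xdeadbeefu, 0x01234567u, cycles[k]));
    printf("zero key, plaintext (0,0), 1 cycle: %d bits\n", avalanche_bits(ZERO_KEY, 0, 0, 1));
    printf("interleaved with its inverse, 32 cycles: %s\n",
           interleave_cancels(DEMO_KEY, 0xdeadbeefu, 0x01234567u, 32) ? "plaintext returned" : "changed");
    return 0;
}
```

With the all-zero key and plaintext (0, 0) a single cycle moves only 4 of 64 bits, while 32 cycles move roughly half; the interleaved cipher hands back the plaintext for every key, which is the "DES with reverse DES" case in round-by-round form.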
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 23:47:46 GMT
Tom St Denis wrote:
> Mixing up ciphers is a terribly bad idea. Now taking parts from
> ciphers to build a new one can be done (I mixed IDEA+Twofish before)
> but you have to be carefull of how you mix up the primitives. Just
> mixing rounds is not a good idea.
What would be the benefit to interleaving the rounds, versus just running
the two encryptions in sequence?
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************