Cryptography-Digest Digest #153, Volume #14 Sun, 15 Apr 01 17:13:00 EDT
Contents:
Re: Remark on multiplication mod 2^n (David Wagner)
Re: MS OSs "swap" file: total breach of computer security. (Nomen Nescio)
Re: Reusing A One Time Pad ("Mark G Wolf")
Lorenz attractor... ("ClaudeVMS")
Re: Reusing A One Time Pad ("Mark G Wolf")
Re: Concerning US.A.4979832 (Terry Ritter)
Re: Reusing A One Time Pad ("Scott Fluhrer")
combiner? (newbie)
Re: LFSR Security (Graywane)
Re: Password tool! (Mok-Kong Shen)
Re: Concerning US.A.4979832 (Terry Ritter)
Re: Concerning US.A.4979832 (Terry Ritter)
Re: There Is No Unbreakable Crypto (Mok-Kong Shen)
Re: Reusing A One Time Pad (newbie)
Re: combiner? ("Tom St Denis")
Re: Reusing A One Time Pad ("Tom St Denis")
Re: Reusing A One Time Pad ("Tom St Denis")
Re: Announcing A New Rijndael Encryption Algorithm Implementation (SCOTT19U.ZIP_GUY)
Re: Announcing A New Rijndael Encryption Algorithm Implementation ("Tom St Denis")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Remark on multiplication mod 2^n
Date: 15 Apr 2001 19:39:16 GMT
Mark Wooding wrote:
>Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>> If one has two n-bit entities a and b, then one can obtain
>> from them a nonlinear combination a*b mod 2^n. [...]
>> A trivial and ad hoc remedy that suggests itself seems to be to do
>> first a full multiplication, obtaining c*2^n + d and define the result
>> to be either c + d mod 2^n or c xor d.
>
>I think this isn't a good idea. It stops the combiner from being
>invertible.
Yes, and if one sets f(a,b) := c + d mod 2^n where c*2^n + d = a*b,
then one has the interesting consequence that
f(a,b) = a * b mod 2^n - 1
holds with probability almost 1. Whether this allows attacks is
likely to depend on the cipher, but it doesn't look like a good
property to me.
For instance, if the rest of the cipher contains only additions,
then the whole cipher might have low degree over the ring Z/(2^n - 1)Z;
or, if 2^n - 1 has a small divisor d, then the differential
da = (2^n -1)/d, db = 0 ensures that f(a+da,b+db) - f(a,b) = 0
with good probability.
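The identity and the differential described in the reply above, checked exhaustively for n = 8. This is an added example, not code from the original post; the function names are chosen here, and treating the differential as addition mod 2^n is this example's assumption, since the post does not say which addition is meant. For n = 8, 2^8 - 1 = 255 = 3 * 5 * 17, so the small divisor d = 3 gives da = 85.

```python
def split_product(a, b, n):
    """Full product a*b = c*2^n + d; return the high half c and the low half d."""
    p = a * b
    return p >> n, p & ((1 << n) - 1)

def f_add(a, b, n):
    """The proposed combiner: f(a, b) = c + d mod 2^n."""
    c, d = split_product(a, b, n)
    return (c + d) & ((1 << n) - 1)

def identity_holds(a, b, n):
    """Does f(a, b) == a*b hold in the ring Z/(2^n - 1)Z for this pair?"""
    m = (1 << n) - 1
    return f_add(a, b, n) % m == (a * b) % m

def no_overflow(a, b, n):
    """c + d < 2^n. Since 2^n == 1 (mod 2^n - 1), c*2^n + d == c + d there, so the
    identity holds exactly when this addition does not wrap; a wrap subtracts 2^n
    instead of 2^n - 1 and leaves f one short."""
    c, d = split_product(a, b, n)
    return c + d < (1 << n)

def agreement_rate(n):
    """Fraction of all (a, b) for which the identity holds (exhaustive; small n only)."""
    size = 1 << n
    hits = sum(identity_holds(a, b, n) for a in range(size) for b in range(size))
    return hits / (size * size)

def differential_rate(n, da, db=0):
    """Fraction of (a, b) with f(a+da, b+db) - f(a, b) == 0, inputs added mod 2^n."""
    size, mask = 1 << n, (1 << n) - 1
    hits = sum(f_add((a + da) & mask, (b + db) & mask, n) == f_add(a, b, n)
               for a in range(size) for b in range(size))
    return hits / (size * size)

if __name__ == "__main__":
    n = 8                        # 2^8 - 1 = 255 = 3 * 5 * 17
    print("identity holds for %.1f%% of pairs" % (100 * agreement_rate(n)))
    for d in (3, 5, 17):
        da = (2 ** n - 1) // d
        print("da=%3d db=0: zero output difference for %.1f%% of pairs"
              % (da, 100 * differential_rate(n, da)))
    print("da=  1 db=0: zero output difference for %.1f%% of pairs"
          % (100 * differential_rate(n, 1)))
```

The script prints how often the congruence holds and compares the structured differential da = 255/3 = 85 against the unstructured da = 1; the gap between the two rates is what an attacker would exploit.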
------------------------------
From: Nomen Nescio <[EMAIL PROTECTED]>
Subject: Re: MS OSs "swap" file: total breach of computer security.
Crossposted-To: talk.politics.crypto,alt.hacker,alt.usenet.kooks
Date: Sun, 15 Apr 2001 21:40:06 +0200 (CEST)
On Sat, 14 Apr 2001, Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
>MS OSs "swap" file: total breach of computer security.
>
>Unbelievable.
>
>For me, the "swap" file implementation in MS OSs is proof positive
>that MS is in a conspiracy to control OUR information (and all of
>US by implication) and is most probably cooperating with the
>government in this regard. MS is intentionally placing our right
>to privacy at risk.
>
>It also tells me that this Justice Dept. anti-trust case against MS
>may be nothing but a political charade.
>
>A computer user must have total discretionary control over certain
>aspects of OS implementation such as the activation, use, and
>access to a "swap" file.
>
>The only discretion one has at this time is to NOT use any leaky MS
>security sieve of an OS.
Not Szopa Onna Da Ropa again!
Why don't you go play in the internet traffic Tony?
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Reusing A One Time Pad
Date: Sun, 15 Apr 2001 14:53:24 -0500
> Sure given the OTP pad (0,1) you can pick elements from that pad at random
> to make a new one.... so what?
????? I said a "large" pad. Say "infinite" for example.
Your response is of no use to me.
------------------------------
From: "ClaudeVMS" <[EMAIL PROTECTED]>
Subject: Lorenz attractor...
Date: Sun, 15 Apr 2001 20:00:01 GMT
Hi,
I read an article about the Lorenz attractor being used in a synchronized
chaos transmitter-receiver setup a few years ago. I have since found only
few reports on the use of attractors in encryption science. Obviously, one
does not trust new technology until thoroughly reviewed - and then you still
wonder. I am looking for a source of objective information on using
attractors in a cryptographic algorithm. Also, does sci.crypt have an FAQ
and what's its URL?
Thanks in advance,
Claude
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: Reusing A One Time Pad
Date: Sun, 15 Apr 2001 15:03:35 -0500
> Sure given the OTP pad (0,1) you can pick elements from that pad at random
> to make a new one.... so what?
Let me assume that the first bit and last bit of my pad wrap around. That
would give me (0,1) or (1,0) to encode two bits. The time to compute all
possible messages is obviously fast. But of course what that two bit
message means is as much of a guess to the decoder as it would be to the
recipient.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Concerning US.A.4979832
Date: Sun, 15 Apr 2001 20:06:08 GMT
On Sun, 15 Apr 2001 08:43:35 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (David Formosa (aka ? the Platypus)) wrote:
>On Sun, 15 Apr 2001 04:11:26 GMT, Terry Ritter <[EMAIL PROTECTED]> wrote:
>[...]
>
>> Algorithm M has one input, Dynamic Substitution has two,
>
>] Given methods for generating two sequences <X_n> <Y_n> this
>] algorithm will successfully output the term of a "considerably more
>] random" sequence.
>
>page 33 Vol 2 The Art of computer Programming
>
>I read this as Algorithm M combining two inputs X and Y to generate an
>output. Indeed the algorithm has two inputs. If you can show me how
>Algorithm M operates using one input I would love to see it.
You are correct; I misremembered the logic.
>[...]
>
>> Algorithm M does not read on the claims and so is not covered by the
>> patent. When Algorithm M grows another input (or more) and is used to
>> combine streams, it has mutated beyond being Algorithm M into
>> something else which is Dynamic Substitution territory.
>
>Algorithm M has always been used to combine streams; that is its
>nature.
Yes. But Algorithm M has also been examined with respect to Dynamic
Substitution, and has been found to distinguish from it. Now let's
see if we can find out why:
Dynamic Substitution
1. A mechanism for combining a first data source and a second data
source into result data, including:
(a) substitution means for translating values from said first
data source into said result data or substitute values, and
(b) change means, at least responsive to some aspect of said
second data source, for permuting or re-arranging a plurality of the
translations or substitute values within said substitution means,
potentially after every substitution operation.
Algorithm M
M1: X := x[n]; Y := y[n];
M2: j := Floor( k*Y / m );
M3: out := V[j]; V[j] := X;
So, in Algorithm M, a "plurality" (that is, "more than one") of
substitute values is *not* re-arranged (or "re-defined").
And thus we get a different story, but the same result. It had to be
that way, of course, since people far sharper about patents than I am
had come to that conclusion.
I am sorry for the confusion.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Reusing A One Time Pad
Date: Sun, 15 Apr 2001 12:55:14 -0700
Mark G Wolf <[EMAIL PROTECTED]> wrote in message
news:9bcpb4$290q$[EMAIL PROTECTED]...
> Please don't bother telling me you can't reuse a one time pad.
>
> If I had a "large" one time pad and used random fixed size "chunks" of it
> to essentially generate other one time pads to encrypt the exact same
> message, what would be the relationship between the time (given a fixed
> speed of computation) to break the coded message and the size of the pad,
> the size of the chunks, and the number of times the pad is reused.
If no bit position within the pad is used to encrypt more than one message,
it's secure (in the information theoretical sense).
If you ever reuse a single bit position within the pad, it's not secure (in
theory, and usually in practice as well).
--
poncho
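The rule stated above, that reuse of even one pad position is fatal, shown as an added example that is not part of the original thread. The messages, chunk offsets and function names are constructed for the illustration. The pad itself may be genuinely random; that is the point, because wherever two chunks overlap the pad cancels out of the XOR of the two ciphertexts and the attacker is left with m1 XOR m2, which crib-dragging then peels apart.

```python
import os

def xor_bytes(x, y):
    """Byte-wise XOR of two equal-length strings."""
    return bytes(p ^ q for p, q in zip(x, y))

def encrypt_with_chunk(pad, offset, message):
    """One-time-pad encryption with the chunk pad[offset : offset + len(message)]."""
    chunk = pad[offset:offset + len(message)]
    if len(chunk) < len(message):
        raise ValueError("pad exhausted")
    return xor_bytes(message, chunk)

def overlap(off1, len1, off2, len2):
    """Pad positions used by both chunks, as (start, end), or None if disjoint."""
    start, end = max(off1, off2), min(off1 + len1, off2 + len2)
    return (start, end) if start < end else None

def leak_from_reuse(c1, off1, c2, off2):
    """What an eavesdropper computes when two chunks share pad positions: XOR the
    ciphertexts there. The pad cancels, leaving m1 XOR m2 over the shared span."""
    ov = overlap(off1, len(c1), off2, len(c2))
    if ov is None:
        return b""
    s, e = ov
    return xor_bytes(c1[s - off1:e - off1], c2[s - off2:e - off2])

def crib_drag(leak, crib):
    """Slide a guessed fragment of one message across m1 XOR m2; wherever the guess is
    right, the XOR reveals the aligned fragment of the other message."""
    return [(i, xor_bytes(leak[i:i + len(crib)], crib))
            for i in range(len(leak) - len(crib) + 1)]

if __name__ == "__main__":
    pad = os.urandom(64)                               # a genuinely random pad
    m1, m2 = b"attack at dawn", b"retreat at dusk"     # constructed messages
    c1 = encrypt_with_chunk(pad, 10, m1)               # chunk covers positions 10..23
    c2 = encrypt_with_chunk(pad, 14, m2)               # chunk covers positions 14..28
    leak = leak_from_reuse(c1, 10, c2, 14)
    print("m1 XOR m2 over the reused positions:", leak.hex())
    for i, guess in crib_drag(leak, b" at "):
        print(i, guess)                                # offset 2 prints b'trea'
```

Nothing in the recovery step depends on the pad's size or on how the chunks were chosen; only the overlap matters, which is why the question about pad size, chunk size and reuse count has no answer other than "one shared position is one too many".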
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: combiner?
Date: Sun, 15 Apr 2001 16:04:10 -0300
Hi,
What are the conditions that a combiner has to meet to be hard to
attack?
invertible?
combining bit to bit?
combining bit-string to bit-string?
I just want to understand why Xor is not a good combiner.
It depends on how you use Xor. If you use it without hiding a keystream,
it is misuse.
But if you use a one-way function f, I mean f(keystream) = h,
using the bit-string h combined with Xor is unattackable. The opponent
has no direct access to the keystream. So how could he analyze it?
Newbie
------------------------------
Crossposted-To: sci.crypt.random-numbers
From: [EMAIL PROTECTED] (Graywane)
Subject: Re: LFSR Security
Date: Sun, 15 Apr 2001 20:09:29 GMT
While we are on the subject, would the following be a suitable technique to
generate "random" data for a true OTP:
1. Seed an RC4 from /dev/random on a Unix machine.
2. Use RC4 to provide the 624 words of state for each of 13 different
Mersenne Twisters (mt19937)
3. Get a number X between 100 and 1000 from RC4.
4. For each of the MT's (until X bytes is output):
A. Get a number between 1 and 1000 (from RC4).
B. Skip that number of outputs from the MT.
C. Output the next value.
D. Go to next MT and repeat at step A.
5. Get the SHA hash of the bytes generated in step 4.
6. For every byte in SHA hash, flip a coin (using RC4) and output
the byte if the coin is heads.
7. Goto step 3 and repeat until desired number of bytes is output.
If you then took the data and burned it to a CD, would it make a decent
OTP? (assuming you never used the same data twice and destroyed the CD when
you were through)
--
Note: There is no example in my hostname.
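A runnable model of the seven steps proposed above, added here and not from the original post. Two simplifications are this model's assumptions: each Mersenne Twister is seeded from 32 RC4 bytes through Python's random.Random (which is MT19937) rather than by writing all 624 state words, and "SHA" is read as SHA-1. What the model makes visible is that after step 1 nothing consults /dev/random again: the whole pad is a function of the RC4 key, so two runs with the same seed produce byte-identical "pads", and the effective key space is that of the seed, not of the pad length.

```python
import hashlib
import random

def rc4_stream(key):
    """Plain RC4: key schedule, then an endless byte generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_int(stream, lo, hi):
    """Integer in [lo, hi] from two RC4 bytes, with rejection to avoid modulo bias."""
    span = hi - lo + 1
    limit = (65536 // span) * span
    while True:
        v = (next(stream) << 8) | next(stream)
        if v < limit:
            return lo + v % span

def make_pad(seed, nbytes, n_mt=13):
    """Steps 2-7 of the proposal. `seed` stands for the bytes read from /dev/random in
    step 1 and is the only entropy input: everything below is a function of it."""
    stream = rc4_stream(seed)
    # Step 2 (simplified, see lead-in): seed each MT19937 from 32 RC4 bytes.
    twisters = [random.Random(bytes(next(stream) for _ in range(32)))
                for _ in range(n_mt)]
    out = bytearray()
    while len(out) < nbytes:                          # step 7: repeat until enough
        x = rc4_int(stream, 100, 1000)                # step 3
        buf = bytearray()
        k = 0
        while len(buf) < x:                           # step 4, cycling through the MTs
            mt = twisters[k % n_mt]
            for _ in range(rc4_int(stream, 1, 1000)): # 4A/4B: skip outputs
                mt.getrandbits(32)
            buf += mt.getrandbits(32).to_bytes(4, "big")   # 4C
            k += 1                                    # 4D
        digest = hashlib.sha1(buf).digest()           # step 5 ("SHA" read as SHA-1)
        for byte in digest:                           # step 6: keep a byte on "heads"
            if next(stream) & 1:
                out.append(byte)
    return bytes(out[:nbytes])

def same_seed_same_pad(seed, nbytes):
    """The check a practitioner wants: is the 'pad' reproducible from the seed alone?"""
    return make_pad(seed, nbytes) == make_pad(seed, nbytes)

if __name__ == "__main__":
    seed = bytes(range(1, 17))   # constructed stand-in for 16 bytes of /dev/random
    print(make_pad(seed, 32).hex())
    print("reproducible from the seed:", same_seed_same_pad(seed, 32))
```

Burning the output to a CD and destroying it afterwards does not change that property; whoever learns or guesses the seed regenerates the entire pad with this script.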
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Password tool!
Date: Sun, 15 Apr 2001 22:08:26 +0200
Logan Raarup wrote:
>
> Yes, there is a password changer in AIX. But that tool works like this:
>
> $ passwd
> Enter user's password:
> Enter user's password again:
> Enter user's new password:
>
> And I want to make a web based application, which can change users'
> passwords. But this web based application can't enter any text in these
> inputs!
> That's why I need a program which can do this but with some arguments
> instead.
>
> I hope you can help me with this.
My knowledge in user interface design is very poor. Maybe
others could help you. It seems not clear, though, how
you want it differently than the standard way of the
system above. What do you mean by 'arguments' above?
(You want to enter something besides the proper password?)
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Concerning US.A.4979832
Date: Sun, 15 Apr 2001 20:11:43 GMT
On Sun, 15 Apr 2001 15:56:05 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (John Savard) wrote:
>On Sun, 15 Apr 2001 04:11:26 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
>in part:
>
>>Algorithm M does not read on the claims and so is not covered by the
>>patent. When Algorithm M grows another input (or more) and is used to
>>combine streams, it has mutated beyond being Algorithm M into
>>something else which is Dynamic Substitution territory.
>
>My understanding of "Algorithm M", or MacLaren-Marsaglia, is that as
>it stands, it _does_ combine two streams.
You are right; that was my mistake, and I'm sorry for the confusion.
>Specifically, it functions as follows:
>
>Stream 1 is the output of one conventional PRNG.
>
>Stream 2 is the output of a second conventional PRNG.
>
>A table is filled with N outputs of stream 1.
>
>Then, output PRNG values are generated as follows:
>
>A value is taken from Stream 2. This value is used to indicate a
>position in the table. The value in the table in that position is used
>as the output value, and it is replaced by a new value from Stream 1.
>
>Thus, if the output values are viewed as 'substitutes' for the values
>from stream 2, this _is_ Dynamic Substitution.
Well, it is "substitution," and the table is "dynamic," but Dynamic
Substitution specifically requires that more than one value in the
table change.
>But it doesn't indicate
>or embody the general idea, because (of one among many reasons) the
>information content of stream 2 is truncated - there are only N
>elements in the table, but the PRNG outputs are allowed to have many
>more than N possible values.
Unfortunately, information is organized far differently with respect
to science and patents. Personally, I would far prefer to put forth a
general concept and receive a patent for that. But as far as I know,
patents are not like that. One reason is that they have to be
interpreted in court, and thus need to be very specific. As much as
possible, we don't want every legal action to depend upon
interpretations from different expert witnesses. But if the issue is
constrained to be a legal one, then every lawyer present can
participate, along with the judge.
So, unfortunately, the general idea of Dynamic Substitution cannot
really be said to be patented. Instead, the specific claims attempt
to cover what realizations could be predicted at the time the patent
application was made. In a sense, this is far more specific, and far
less comprehensive than one might think from a scientific perspective.
>So although Stream 1 and Stream 2 are combined, the combination looks
>more like an interruption of Stream 1 than a substitution acting on
>Stream 2, and is more often thought of in that manner. Only after you
>invented Dynamic Substitution did it become visible that Algorithm M
>was an example of that general class, which is why I view its impact
>as limited.
It was not within the range of possibility to control every
cryptosystem having dynamic tables, since some such art already
existed. In particular, it was specifically necessary to avoid
Algorithm M. That appears to have been done by confining Dynamic
Substitution to situations where *more than one* table element is
changed after a substitution.
>>But I think the patent would cover attempts to circumvent the claims
>>by introducing transformations which act like as a table but which are
>>said to not *be* a table. That is the sense in which I would reach
>>beyond a table per se.
>
>I have no problems with that.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Concerning US.A.4979832
Date: Sun, 15 Apr 2001 20:13:37 GMT
On Sun, 15 Apr 2001 10:10:44 -0700, in
<wCkC6.35445$[EMAIL PROTECTED]>, in sci.crypt "B. E. Busby"
<[EMAIL PROTECTED]> wrote:
>"Terry Ritter" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>>
>> On Mon, 9 Apr 2001 22:54:07 -0700, in
>> <CexA6.196$[EMAIL PROTECTED]>, in sci.crypt "B. E. Busby"
>> <[EMAIL PROTECTED]> wrote:
>>
>> >Two things come to mind reading the claims --
>> >
>> >1) They're in "means plus function" format which has the
>> > (at least in current practice) effect of narrowing the claims
>> > to the means taught in the disclosure; and
>>
>> There certainly is some hubbub. Anyone can look into it by searching
>> for "means plus function" at www.google.com
>>
>> One of the most recent examples is:
>>
>> http://www.kilstock.com/site/print/detail?Article_Id=590
>
><text of above ref clipped for bandwidth>
>
>> In the case of the Dynamic Substitution patent, I view "substitution
>> means" as a description of the complete structure needed to perform
>> the substitution function: the substitution table as described in the
>> specification. The original intent was to cover tables specifically
>> implemented in ways to try to get around a limitation of "tables."
>
>Unfortunately, decisions with phrases like "sufficiently" are not good,
>dispositive things -- it means you're going to have to sell a judge
>at the Markman hearing.
That is obviously well beyond my areas of expertise.
>> >2) There's no prosecution history here (an expensive thing to
>> > buy unless you're seriously considering licensing the patent),
>> > but the recent Festo decision has had the claims-narrowing
>> > effect of precluding the use of the Doctrine of Equivalents
>> > in reading claims that were amended to overcome issues
>> > of patentability.
>>
>> I don't know enough to even respond to that.
>
>What it means is, if you know how the patent went through the
>examination process _and_ if the claims were amended _for
>the purpose of patentability_ (i.e., not to remove informalities),
>the Festo precedent says DOE cannot be used (theory being
>that most amendments for the purpose of patentability involve
>a narrowing of the claims and the application of the DOE would
>unfairly re-broaden the claim).
>
>>
>> I suppose the result possibly might bear on the idea of creating a
>> "table" out of a mass of apparently-distinct equations. But I
>> continue to believe that if something acts like a table it will be
>> seen as a table in the PTO and in the courts. Protecting against that
>> sort of thing is, of course, why we have the phrase "substitution
>> means" in the first place.
>>
>>
>> >That said, my guess is the scope covers lookup tables wherein
>> >entry swapping is performed in order to dynamically change the
>> >mapping function.
>>
>> That would seem to be all it needs to be. It would disallow the use
>> of whole block ciphers as "substitution means," but that is not
>> something I wanted anyway.
>>
>> On the other hand, perhaps you could comment on the main areas of
>> controversy:
>>
>> * whether the claims cover combining two RNG streams,
>
>If the nature of the combine is a simple operation (e.g., XOR),
>claim 1 (that's all I recall -- this _was_ a cursory examination)
>would not seem to apply.
Well, yes, right. XOR is prior art anyway.
I meant the issue of whether the claims do indeed cover combining two
RNG streams by the mechanism described in the claims. The argument
has been made that the claims do not cover that, probably because that
was not the preferred embodiment. But I think that argument has
mostly died out by now in response to the various specific comments in
the patent which support that use.
>> * whether an "input" to Dynamic Substitution can be taken from the
>> dynamic substitution table itself,
>
>To the degree that an output of the process is used, subsequently,
>as an input simply adds elements and would change nothing
>concerning the patentability or scope of the claims. If, in a conservative
>interpretation invoking §112 ¶6, you stick to:
>
>"combiner substitution 12 translates combiner substitution input 10
>data into combiner output 14 data. The result would be a simple
>substitution, except that the substitution 12 will change. A substitution
>or inverse substitution would typically be implement [sic] as addressable
>storage,
>and realized with an electronic memory device, or an addressable area of
>memory hardware in an electronic digital computer or microprocessor. "
>
>... I don't know how else to interpret your query.
The issue here does not concern the output of the mechanism, but
rather the table.
The argument was made that since the claims specify an input sequence,
this necessarily implies something coming into the claimed mechanism,
and to that extent I agree. But the argument continues that these
sequences thus cannot come from the table inside the mechanism, and
with that I disagree, since that would be just something beyond the
claim.
>> * whether the claims assume the table to be invertible, and
>
>"Still another object of this invention is to provide an efficient
>inverse mechanism or process by which previously-combined
>data can be separated or extracted, suing [sic] the confusion
>data involving in the original combination. Since deciphering is
>normally required, an efficient mechanism can make the whole
>system practical."
>
>coupled with:
>
>"A substitution or inverse substitution would typically be implement as
>addressable storage..."... to me this (again assuming invoking §112 ¶6)
>says, "yes" to the instant query.
Then let me argue to the contrary with:
"The combiner can also be used to combine two pseudo-random confusion
streams into a more-complex confusion stream. In this case, extraction
may be unnecessary and so the combiner substitution tables need not be
invertible. Thus, the translation changes need not be limited to
permutations."
"Another use for a dynamic substitution combiner would be to combine
two different pseudo-random sources. This would generate a
more-complex pseudo-random combination, and would also help protect
both input sources from analysis better than the simple exclusive-OR
combiner generally used. In this case, an extractor would generally be
unnecessary, since the same combined result could be reproduced by
generating the original pseudo-random sources and combining them."
All that was certainly *intended* to make clear that combining does
not necessarily require extraction, making extraction unnecessary and
invertibility not required. Thus, the open form of the claims,
supposedly allowing arbitrary table contents.
>> * whether "Algorithm M" (ironically, prior art actually described in
>> the patent itself and examined prior to allowance) limits the claims.
>
>If I understood the thread, your claims were distinguished over
>Algo-M. This is not a limitation. Again, I've not seen the
>prosecution history -- you, as the inventor, have relevant
>data here that I don't have.
We just went over that in other messages. It turns out that Algorithm
M only changes one element of the table in each operation, whereas the
Dynamic Substitution patent claims require a plurality of elements to
be "permuted" or "re-defined."
>It does, however, imply that using Algo-M as described in the
>literature cannot infringe your patent.
Of course.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
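Both mechanisms discussed in the three messages above (the M1-M3 steps quoted in the first of them, and the "plurality" distinction drawn in the last) written out so the table churn per step can be counted rather than argued. This is an added example, not Terry's, Knuth's or the patent's code. `dynamic_substitution` implements the simplest reading of the claim text: translate the first-source value through a table, then re-arrange two entries under control of the second source by swapping them. That reading is this example's assumption about the mechanism, not a statement about the patent's scope. Table sizes and the two input streams are constructed for the demonstration.

```python
import random

def algorithm_m(x_seq, y_seq, k=16, m=256):
    """Knuth's Algorithm M (MacLaren-Marsaglia) as quoted earlier in the thread.
    Yields (output, entries_changed) so table churn per step can be counted.
    Y values are taken to lie in [0, m)."""
    x = iter(x_seq)
    V = [next(x) for _ in range(k)]      # fill the table from <X_n>
    for Y in y_seq:
        j = (k * Y) // m                 # M2: Y selects one position
        out = V[j]                       # M3: output that entry...
        try:
            new = next(x)
        except StopIteration:            # <X_n> exhausted: stop cleanly
            return
        changed = 0 if new == V[j] else 1
        V[j] = new                       # ...and refill it from <X_n>: one entry
        yield out, changed

def dynamic_substitution(a_seq, b_seq):
    """Simplest reading of the claim text (an assumption of this example): translate
    a through the table, then re-arrange a plurality of entries under control of the
    second source by swapping T[a] and T[b]."""
    T = list(range(256))
    for a, b in zip(a_seq, b_seq):
        out = T[a]                       # substitution means: a -> T[a]
        changed = 0 if a == b else 2     # change means: two entries move
        T[a], T[b] = T[b], T[a]
        yield out, changed

def max_entries_changed(steps):
    """Largest number of table entries altered in any single step."""
    return max(changed for _, changed in steps)

def constructed_streams(n, seed=2001):
    """Constructed sample inputs (not from the thread): two byte streams of length n."""
    rng = random.Random(seed)
    return ([rng.randrange(256) for _ in range(n)],
            [rng.randrange(256) for _ in range(n)])

if __name__ == "__main__":
    xs, ys = constructed_streams(2000)
    print("Algorithm M: at most", max_entries_changed(algorithm_m(xs, ys)),
          "table entry changes per step")
    print("Dynamic Substitution: up to", max_entries_changed(dynamic_substitution(xs, ys)),
          "table entries change per step")
```

Run it and the two numbers are 1 and 2: Algorithm M refills only the entry it just emitted, while the swap-based combiner moves two entries on every step whose two inputs differ, which is the "more than one" the claim language turns on.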
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: There Is No Unbreakable Crypto
Date: Sun, 15 Apr 2001 22:11:28 +0200
David Wagner wrote:
>
> Mok-Kong Shen wrote:
> >Very dumb question: It seems that your argument hinges
> >on the block size being larger (double) than the key.
>
> No, it doesn't: It is very general. If E(k,x) is a block cipher with
> 128-bit key and 128-bit block, then set F(k) = <E(k,0), E(k,1)> and note
> that this is a length-doubling PRG. Moreover, F is secure if E is secure
> against all attacks that use at most two blocks of chosen plaintext.
> This same idea can be extended to work for any key and block sizes.
Theoretically, that would mean 128 random bits could be
extended securely into an infinite bit string. Isn't
that a little bit counter-intuitive? Thanks.
M. K. Shen
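The length-doubling construction from David Wagner's reply, iterated to answer Mok-Kong Shen's question in code. This is an added example, not from the original posts. Standard-library Python has no block cipher, so `E` here is a stand-in for E(k, x) built from HMAC-SHA256 truncated to 128 bits; that substitution is this example's assumption, and it is adequate because the argument only needs E to behave as a PRF on the two inputs 0 and 1. `stretch` chains F in the standard way: one half of each output becomes the next seed, the other half is released, so a 16-byte seed yields as many bytes as requested at two E calls per 16 output bytes.

```python
import hashlib
import hmac

BLOCK = 16   # 128-bit block and key, as in the post

def E(k, x):
    """Stand-in for the block cipher E(k, x) on an integer block x (assumption of this
    example): HMAC-SHA256 keyed with k, truncated to one 128-bit block."""
    return hmac.new(k, x.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]

def F(k):
    """Length-doubling PRG from the post: F(k) = <E(k,0), E(k,1)>, 16 bytes -> 32 bytes."""
    return E(k, 0) + E(k, 1)

def stretch(seed, nbytes):
    """Iterate F: E(k,0) becomes the next seed, E(k,1) is released as output.
    Any length is reachable from one 128-bit seed, two E calls per 16 output bytes."""
    if len(seed) != BLOCK:
        raise ValueError("seed must be one block")
    out = bytearray()
    k = seed
    while len(out) < nbytes:
        pair = F(k)
        k, block = pair[:BLOCK], pair[BLOCK:]
        out += block
    return bytes(out[:nbytes])

if __name__ == "__main__":
    seed = bytes(range(16))     # constructed seed, not random
    print(stretch(seed, 48).hex())
```

The output is unbounded in length but never gains entropy: it is a deterministic function of the 128-bit seed, and that is exactly what a PRG is. "Secure" in the reply means no efficient distinguisher from true randomness, not that the bits are information-theoretically random.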
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: Reusing A One Time Pad
Date: Sun, 15 Apr 2001 16:11:14 -0300
Scramble it with constraint not reuse a single bit position within the
pad
It is simple.
Scott Fluhrer wrote:
>
> Mark G Wolf <[EMAIL PROTECTED]> wrote in message
> news:9bcpb4$290q$[EMAIL PROTECTED]...
> > Please don't bother telling me you can't reuse a one time pad.
> >
> > If I had a "large" one time pad and used random fixed size "chunks" of it
> > to essentially generate other one time pads to encrypt the exact same
> > message, what would be the relationship between the time (given a fixed
> > speed of computation) to break the coded message and the size of the pad,
> > the size of the chunks, and the number of times the pad is reused.
>
> If no bit position within the pad is used to encrypt more than one message,
> it's secure (in the information theoretical sense).
>
> If you ever reuse a single bit position within the pad, it's not secure (in
> theory, and usually in practice as well).
>
> --
> poncho
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: combiner?
Date: Sun, 15 Apr 2001 20:22:05 GMT
"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> What are the conditions that a combiner has to meet to be hard to
> attack?
> invertible?
> combining bit to bit?
> combining bit-string to bit-string?
>
> I just want to understand why Xor is not a good combiner.
> It depends on how you use Xor. If you use it without hiding a keystream,
> it is misuse.
> But if you use a one-way function f, I mean f(keystream) = h,
> using the bit-string h combined with Xor is unattackable. The opponent
> has no direct access to the keystream. So how could he analyze it?
Your question makes no sense whatsoever. XOR is not an insecure operation,
it's not secure either. In conjunction with other operations it could be
made secure. For example inversion in GF(2^W)/f(x) where f(x) is an
irreducible polynomial is a highly non-linear function but it's based on
shift, xor and "and" operations.... all of which on their own are "linear"
and "insecure".
Tom
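Tom's example made concrete: inversion in GF(2^8) built from nothing but shift, XOR and AND. This is added code, not his. The post names no particular f(x), so the reducing polynomial x^8 + x^4 + x^3 + x + 1 (0x11B, the Rijndael choice) is this example's pick; nonlinearity is measured by counting pairs where inv(a ^ b) != inv(a) ^ inv(b), which for a GF(2)-linear map would be zero.

```python
POLY = 0x11B   # f(x) = x^8 + x^4 + x^3 + x + 1: this example's irreducible polynomial

def gf_mul(a, b, poly=POLY):
    """Multiply in GF(2^8) = GF(2)[x]/f(x) using only shift, AND and XOR."""
    r = 0
    while b:
        if b & 1:            # AND selects a term...
            r ^= a           # ...XOR adds it (carry-less addition)
        a <<= 1              # shift: multiply by x
        if a & 0x100:        # degree reached 8: reduce by f(x)
            a ^= poly
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse a^(2^8-2) = a^254 by square-and-multiply; inv(0) := 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

def inverse_check():
    """gf_mul(a, gf_inv(a)) == 1 for every nonzero a."""
    return all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, 256))

def linearity_violations():
    """Pairs (a, b) with inv(a ^ b) != inv(a) ^ inv(b). Every building block above is
    GF(2)-linear on its own; a linear map would give zero here."""
    inv = [gf_inv(a) for a in range(256)]
    return sum(1 for a in range(256) for b in range(256)
               if inv[a ^ b] != inv[a] ^ inv[b])

if __name__ == "__main__":
    print("inv(0x53) = 0x%02X" % gf_inv(0x53))
    print("all inverses correct:", inverse_check())
    print("pairs violating linearity: %d of 65536" % linearity_violations())
```

The only pairs that satisfy the linear relation are the trivial ones (a or b zero, or a == b) plus a handful per difference, so the count comes out close to 65536: the composition of linear primitives is what produces the nonlinearity, not any one of them.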
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Reusing A One Time Pad
Date: Sun, 15 Apr 2001 20:23:57 GMT
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9bcu9b$61ha$[EMAIL PROTECTED]...
> > Sure given the OTP pad (0,1) you can pick elements from that pad at
random
> > to make a new one.... so what?
>
> ????? I said a "large" pad. Say "infinite" for example.
>
> Your response is of no use to me.
Your OP is stupid. You can't reuse an OTP... hence the friggin name
*****ONE***** TIME PAD.
My point is that reusing parts of (0111101011101011111000) is no different
than (10) ...
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Reusing A One Time Pad
Date: Sun, 15 Apr 2001 20:25:14 GMT
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9bcusb$3f38$[EMAIL PROTECTED]...
> > Sure given the OTP pad (0,1) you can pick elements from that pad at
random
> > to make a new one.... so what?
>
> Let me assume that the first bit and last bit of my pad wrap around. That
> would give me (0,1) or (1,0) to encode to bits. The time to compute all
> possible messages is obviously fast. But of course what that two bit
> message means is as much of a guess to the decoder as it would be to the
> recipient.
Let's alias the pad (0, 1) = (a, b)
I could reuse the pad like aaaabbbbbababab or ababababababba or .....
Tom
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Announcing A New Rijndael Encryption Algorithm Implementation
Date: 15 Apr 2001 20:14:33 GMT
[EMAIL PROTECTED] (Eric Lee Green) wrote in
<[EMAIL PROTECTED]>:
>On Sun, 15 Apr 2001 03:06:15 GMT, bloopa <[EMAIL PROTECTED]> wrote:
>>VSpace Encrypted Chat
>
>Yawn. After seeing the various disclaimers about export I could care
>less. It's permissible to export virtually anything from the United
>States nowadays -- my own employer exports 128-bit Rijndael and the
>export license was granted virtually instantaneously (and I will
>personally state, as the author of most of the cryptographic
>components in that piece of software, that there are no back doors and
Actually if there is a backdoor it's in Rijndael itself and not
in something the NSA did or did not make you do. I dare say Matt's
Bicom is still the best implementation of Rijndael out there and it's
free.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Announcing A New Rijndael Encryption Algorithm Implementation
Date: Sun, 15 Apr 2001 20:26:51 GMT
"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Eric Lee Green) wrote in
> <[EMAIL PROTECTED]>:
>
> >On Sun, 15 Apr 2001 03:06:15 GMT, bloopa <[EMAIL PROTECTED]> wrote:
> >>VSpace Encrypted Chat
> >
> >Yawn. After seeing the various disclaimers about export I could care
> >less. It's permissible to export virtually anything from the United
> >States nowadays -- my own employer exports 128-bit Rijndael and the
> >export license was granted virtually instantaneously (and I will
> >personally state, as the author of most of the cryptographic
> >components in that piece of software, that there are no back doors and
>
> Actually if there is a backdoor it's in Rijndael itself and not
> in something the NSA did or did not make you do. I dare say Matt's
> Bicom is still the best implementation of Rijndael out there and it's
> free.
Bah who cares? Rijndael used in CTR mode is good enough... Why strive for
esoteric features like "bijectiveness" since by definition AES is a
bijection anyways!
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************