Cryptography-Digest Digest #337, Volume #14      Fri, 11 May 01 15:13:01 EDT

Contents:
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (SCOTT19U.ZIP_GUY)
  Re: RC4 (Bill Unruh)
  Re: Cryptanalysis Question: Determing The Algorithm? ("Douglas A. Gwyn")
  Re: DES-CBC without Crypt::CBC ("Super-Simon")
  Re: Best encrypting algoritme ("Tom St Denis")
  Re: Horst Feistel (SCOTT19U.ZIP_GUY)
  Re: Horst Feistel (Paul Rubin)
  Re: good x86 coders (help please) (Paul Rubin)
  Re: good x86 coders (help please) ("Tom St Denis")
  Re: NSA "Headline Puzzle" confusion ... (Mitchell Morris)
  Re: Best encrypting algoritme (SCOTT19U.ZIP_GUY)
  Re: NSA "Headline Puzzle" confusion ... ("Jack Lindso")
  Re: good x86 coders (help please) (Paul Rubin)
  Re: Best encrypting algoritme ("Tom St Denis")
  Re: good x86 coders (help please) ("Tom St Denis")
  Re: RC4 ("Roger Schlafly")
  Re: NSA "Headline Puzzle" confusion ... ("Douglas A. Gwyn")
  Re: RC4 ("Tom St Denis")
  Re: Tiny s-boxes (David Wagner)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Date: 11 May 2001 17:37:34 GMT

[EMAIL PROTECTED] (David Hopwood) wrote in
<[EMAIL PROTECTED]>: 

>-----BEGIN PGP SIGNED MESSAGE-----
>
>"Douglas A. Gwyn" wrote:
>> "SCOTT19U.ZIP_GUY" wrote:
>> > ... But if you look at the UK my understanding is
>> > crime is going up. ...
>> 
>> Of course it is, but it has nothing to do with spying.
>> They stupidly disarmed the law-abiding populace, giving
>> criminals less to fear.  Same in Australia.
>
>This is completely off-topic, but in the interests of accuracy,
>total reported crime statistics in the UK are going down, except
>that reported violent crime is going up. Any theories you may have
>about the relation of that to gun control policy should be discussed
>on, for example, talk.politics.guns, not sci.crypt.
>

   I don't think it was off topic, for several reasons.
One, both Doug and I are long-term posters to this group.
Encryption and spying go hand in hand.
Government spying can lead to the disintegration of society.
I see no reason why he or I can't talk about it if we wish.
It's an unmoderated group and not everyone shares your views.
I suppose if it went on long enough we might on our own
have moved it to talk.politics.crypto or something like
that. But I doubt lecturing either one of us is going to make
us quit. The topic was probably dead until you showed your
anti-gun bias. No wonder violent crime is up in the UK; you
can't shoot the bastards that break into your own house.
Whatever happened to the free British, where I was told in
our history classes that every man had to know how to use
a longbow? The Brits were once a proud, strong, free people.
Now you can't even watch TV without your government's permission.
And from what I've read, if you don't have a TV and have some money
the cops break into your house because they can't believe a
person doesn't own a TV. That's crazy. The government seems to
have so little faith in its people that it allowed things like mad
cow and the foot-and-mouth thing to occur. If the UK were more
open and honest in its government maybe neither would have occurred.
How can you be sure all crime but violent crime is down? Do
you really think your government cares about telling its people
the truth? Or does it only tell the people what it has to?
Violent crime may be harder to under-report since people might
notice the beatings that take place and the people killed.
 Yes, my country is headed down the same path. The big crime-ridden
cities have banned guns. And crime goes up. Hell, when I was a kid
I took a gun to school. My NRA safety class required you to bring
your own .22. Nowadays people shit their pants when a kid takes
a gun to school. The view is different because the liberals have
fucked it up and destroyed values.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: RC4
Date: 11 May 2001 17:42:27 GMT

In <[EMAIL PROTECTED]> jlcooke <[EMAIL PROTECTED]> writes:

]Isn't RC4 a trade secret of RSA Labs?  RC4-compat was reverse engineered

The algorithm is claimed as a trade secret. To the extent that ARC4 is
RC4 that trade secret is no longer secret, and is thus no longer a trade
secret. However RC4 is also a trademark of RSA Security, and thus the
name cannot be used without permission, no matter what the state of the
algorithm.

]or something.  All I know is you can't use or name an algorithm RC4

You can use it all you want. You just cannot name it that.

]unless RSA labs made it.  But you can use a reverse engineered
]RC4-compat just fine.

Usually called ARC4. RSA has never admitted that ARC4 is the same as
RC4. Tests have shown that the outputs on test vectors are identical.


]Why oh why does RSA (labs) complicate my life so.

Probably because they wanted to use it (RC4) to make money.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cryptanalysis Question: Determing The Algorithm?
Date: Fri, 11 May 2001 16:59:51 GMT

"Bo Dömstedt" wrote:
> We may, however, annoy the cryptanalyst by using several cipher
> algorithms. We may even select cipher algorithms on the fly, possibly
> as a function of the IV (or similar arrangement...).

But my point, to which there hasn't been a satisfactory
response (perhaps because it's correct), is that not only
the *encryptor* needs to select an algorithm, but also
the (legitimate) *decryptor* needs to reliably select the
*same* algorithm.  That implies communication of the
selection parameters, to be plugged into a fixed general
system that must (per Kerckhoffs) be assumed to be known
to the enemy.  In what way does this differ fundamentally
from a conventional crypto key?  (My answer is, it doesn't.)

------------------------------

From: "Super-Simon" <[EMAIL PROTECTED]>
Crossposted-To: alt.comp.perlcgi.freelance,alt.perl,alt.perl.sockets,comp.lang.perl,comp.lang.perl.misc
Subject: Re: DES-CBC without Crypt::CBC
Date: Fri, 11 May 2001 19:55:46 +0200

> Are you aware that CBC is an mode of operation for DES and not a cipher
> per se?

Yes, I have a JavaScript which encrypts a string using DES in CBC mode. What I
want is to send information securely over the web (no SSL support on my
hosting server): the Perl CGI script encrypts and the JavaScript client
decrypts.

>
> Cipher Block Chaining.  It should be part of a good DES impl'n.

I use Crypt::DES

If not:
>
> CBC = {0,0...};
> loop:
>   M = {M[0]^CBC[0], M[1]^CBC[1], ...};
>   C = DES(M,KEY);
>   CBC = C;
>
> So the nth block is dependent on all the previous blocks.  My added
> suggestion is to encrypt a message M' = {RAND, M[0], M[1], ...}.  And
> when decrypting, throw away the first block.  This will prevent people
> from being able to use knowledge of the first block of M as a starting
> point for an attack.
>
> JLC
>
Thanks!!!

Greetz,

Simon
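
The scheme JLC describes above (all-zero chaining value, one random leading block, first decrypted block thrown away), as an added Go example that is not from the thread and not Crypt::DES or Simon's JavaScript; PKCS#7 padding of the last block and the 8-byte sample key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// padPKCS7 and unpadPKCS7 handle a partial last block. The thread does not
// say how the last block is filled; PKCS#7 padding is an assumption.
func padPKCS7(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpadPKCS7(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// encryptCBCRandomFirst follows the quoted scheme: CBC chaining starts from
// an all-zero value and the message is prefixed with one random block, so a
// known first block of the real message gives an attacker no fixed starting
// point. The random block is, in effect, a random IV that travels as the
// first ciphertext block.
func encryptCBCRandomFirst(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // DES: 8-byte key, 8-byte blocks
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	msg := make([]byte, bs)
	if _, err := rand.Read(msg); err != nil { // M' = {RAND, M[0], M[1], ...}
		return nil, err
	}
	msg = append(msg, padPKCS7(plaintext, bs)...)
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, bs)).CryptBlocks(ct, msg)
	return ct, nil
}

// decryptCBCRandomFirst decrypts with the same zero chaining value and
// throws the first recovered block away, as the thread suggests.
func decryptCBCRandomFirst(key, ct []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, bs)).CryptBlocks(pt, ct)
	return unpadPKCS7(pt[bs:], bs) // drop the random first block
}

func main() {
	key := []byte("8bytekey") // constructed sample key
	msg := []byte("hello from the CGI script")
	ct1, _ := encryptCBCRandomFirst(key, msg)
	ct2, _ := encryptCBCRandomFirst(key, msg) // same message, different ciphertext
	pt, _ := decryptCBCRandomFirst(key, ct1)
	fmt.Println(bytes.Equal(pt, msg), !bytes.Equal(ct1, ct2))
}
```

Note that DES's 56-bit key is brute-forceable today and CBC by itself gives no integrity check, which is why a current implementation would pair AES with an authenticated mode rather than reuse this construction as-is.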



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best encrypting algoritme
Date: Fri, 11 May 2001 17:55:02 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <eTUK6.66540$[EMAIL PROTECTED]>:
>
> >
> >"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> [EMAIL PROTECTED] (Mok-Kong Shen) wrote in
> >> <[EMAIL PROTECTED]>:
> >> >
> >> >It is better to have larger blocks (the extreme is the
> >> >whole message). But one has somehow decided to use block
> >> >encryption and has chosen a small block size (e.g. for
> >> >hardware reasons). In order to get nevertheless a bit the
> >> >benefits of large block processing, one employs a (particular)
> >> >technique, which is the chaining. So chaining is a compromise,
> >> >or an afterthought, if you like. It may be mentioned that
> >> >Scott has for years advocated whole file processing in the
> >> >group (though personally I am not fond of the specific
> >> >methods he uses).
> >> >
> >>
> >>   Thanks for remembering me.
> >> But I do have a question for you. You say you're not fond
> >> of the methods I use. However, one of the methods I have
> >> been trying to get people to use instead of the possibly
> >> weak version of Rijndael from the AES people is Matt's BICOM
> >>
> >> where you make 3 passes through the file
> >> pass 1 BICOM with a key
> >> pass 2 reverse file end for end
> >> pass 3 BICOM again
> >>
> >> This does treat the whole file as a single block.
> >> What would you say about that kind of encryption
> >> scheme?
> >>
> >>  Of course if it is a text message we could use Shaw's
> >> GrandView method before the first BICOM
> >
> >What exactly is BICOM anyways?  How is AES used in BICOM?
>
>     I think you know what it is TOM. But here is the URL.
> http://www3.sympatico.ca/mtimmerm/
> let me explain again how AES is in BICOM. Matt took the
> code supplied by the AES people for 128 bit block size
> RIJNDAEL with 256 bit key space. Every use of the algorithm
> involves full block sizes. Yet he manages to keep everything
> totally bijective.
>
> you could take a 3 byte file "TOM" for example
> and decrypt it with a password to get an input file
> that when encrypted with the same password comes back to
> that file.
>   He has full source code with it and he writes like
> a modern programmer, not with my old ways. So even
> young guys like you might have a chance to understand it.

Blah blah blah.

If you really want to encode blocks irrespective of the other blocks through AES, use
CTR mode.  It allows you to encode any sized message without padding up,
and each block is encrypted independent of the others.

Tom



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Horst Feistel
Date: 11 May 2001 17:47:41 GMT

[EMAIL PROTECTED] (Matthew Skala) wrote in 
<9dh6nr$g3f$[EMAIL PROTECTED]>:

>In article <9dgcnv$20m$[EMAIL PROTECTED]>,
>Vinokurov Andrey <[EMAIL PROTECTED]> wrote:
>>Is Horst Feistel native American or an immigrant?
>
>Be warned that in the USA, if you say "native American", most people will
>think you mean a member of the indigenous population.  If you mean it
>literally, as someone born in the USA (possibly from ancestors who
>immigrated in the last few hundred years), then you have to say "American
>native", or "American-born" or indeed almost anything else besides "native
>American".

  I guess I am a stickler for details. But what if some of your
ancestors are "indigenous Indians" and some are from Europe?
What term would you use? Or is it stupid to say either? Why
not just say U.S. citizen and leave it at that. I'm an American,
but if you said either "native American" or "American-born",
either way I would assume you're some sort of racist.
Yes, I use the term American; bad habit when I talk. Since that
can offend Canadians and Mexicans, both of which are Americans,
being from the same continent. But to 99 percent of US citizens
they don't think the American term applies to non-US citizens.
Hell, many Americans don't think of Indians as Americans.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Horst Feistel
Date: 11 May 2001 10:56:43 -0700

"Vinokurov Andrey" <[EMAIL PROTECTED]> writes:
> Is Horst Feistel native American or an immigrant?

Feistel is from Germany, I'm pretty sure.  But to make matters more
confusing, the term "Native American" in the US refers to what used to
be called an American Indian.  I can't think of any terms for what
you meant other than something like "native-born US national".

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: good x86 coders (help please)
Date: 11 May 2001 10:59:20 -0700

"Tom St Denis" <[EMAIL PROTECTED]> writes:
> One thing I learned is that there are tons of better coders here than me.
> Which is why I want to ask if anyone would be interested in writing up a
> short expose of TC15 in assembler optimized for the pentium (i.e basic
> pairing and such).  It doesn't have to be a complete package, just be able
> to encrypt a block (no decryption required) with an expanded key that will
> be provided.
> 
> I could code my own but the results would not reflect that of top notch
> coders.  (yes I feel like a hypocrite posting this).

Since TC15 is hopefully intended as a learning project (that is, I hope
you don't want anyone to start using it in production systems), why don't
you also use the opportunity to study tuning Pentium code?

Mike Schmit's book on Pentium processor optimizations is a good way to
get started, though it's about the original (two-pipe) Pentium.  The
Pentium II/III/Celeron needs different optimizations, the P-IV is
different again, and the AMD K6 and K7 are different from all the
above and from each other.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: good x86 coders (help please)
Date: Fri, 11 May 2001 18:03:24 GMT


"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
> > One thing I learned is that there are tons of better coders here than me.
> > Which is why I want to ask if anyone would be interested in writing up a
> > short expose of TC15 in assembler optimized for the pentium (i.e basic
> > pairing and such).  It doesn't have to be a complete package, just be able
> > to encrypt a block (no decryption required) with an expanded key that will
> > be provided.
> >
> > I could code my own but the results would not reflect that of top notch
> > coders.  (yes I feel like a hypocrite posting this).
>
> Since TC15 is hopefully intended as a learning project (that is, I hope
> you don't want anyone to start using it in production systems), why don't
> you also use the opportunity to study tuning Pentium code?

Well if it ends up in real systems after years of analysis that would be
cool....

I did code my own encryption routine; it's hardly optimal IMHO but it does
encrypt a block in 303 cycles on my Athlon.

> Mike Schmit's book on Pentium processor optimizations is a good way to
> get started, though it's about the original (two-pipe) Pentium.  The
> Pentium II/III/Celeron needs different optimizations, the P-IV is
> different again, and the AMD K6 and K7 are different from all the
> above and from each other.

My goal was general code where the pairing is maximized within given
constraints.  I.e. I try not to write

MOV EAX,EBX
ADD EAX,ECX

I would move something in between, etc...

On my website I have my x86 code

http://tomstdenis.home.dhs.org/tc15_asm.zip

Tom



------------------------------

From: [EMAIL PROTECTED] (Mitchell Morris)
Subject: Re: NSA "Headline Puzzle" confusion ...
Date: 11 May 2001 17:54:35 GMT

"Jack Lindso" <[EMAIL PROTECTED]> wrote in
<[EMAIL PROTECTED]>: 

>I didn't read the whole text but it seems that third one is a
>concatenation of the previous two.

Unfortunately, it couldn't be ... the first one includes the sequence 
"OPTHRCVJ", the second one doesn't have an 'F' at all, and the third one 
has "VXFLHQ".

I would be relieved, however, if it had been something so simple.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best encrypting algoritme
Date: 11 May 2001 18:07:02 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
<WHVK6.66753$[EMAIL PROTECTED]>: 

>
>"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> [EMAIL PROTECTED] (Tom St Denis) wrote in
>> <eTUK6.66540$[EMAIL PROTECTED]>:
>>
>> >
>> >"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>> >news:[EMAIL PROTECTED]...
>> >> [EMAIL PROTECTED] (Mok-Kong Shen) wrote in
>> >> <[EMAIL PROTECTED]>:
>> >> >
>> >> >It is better to have larger blocks (the extreme is the
>> >> >whole message). But one has somehow decided to use block
>> >> >encryption and has chosen a small block size (e.g. for
>> >> >hardware reasons). In order to get nevertheless a bit the
>> >> >benefits of large block processing, one employs a (particular)
>> >> >technique, which is the chaining. So chaining is a compromise,
>> >> >or an afterthought, if you like. It may be mentioned that
>> >> >Scott has for years advocated whole file processing in the
>> >> >group (though personally I am not fond of the specific
>> >> >methods he uses).
>> >> >
>> >>
>> >>   Thanks for remembering me.
>> >> But I do have a question for you. You say your not fond
>> >> of the methods I use. However one of the methods I have
>> >> been trying to get people to use instead of the possible
>> >> weak version of Rijndael from the AES people is Matts BICOM
>> >>
>> >> where make you make 3 passes through file
>> >> pass 1 BICOM with a key
>> >> pass 2 reverse file end for end
>> >> pass 3 BICOM again
>> >>
>> >> This does treat the whole file as a single block.
>> >> What would you say about that kind of encryption
>> >> scheme.
>> >>
>> >>  Of cousre if it is a text message will could use shaws
>> >> GrandView method before the first BICOM
>> >
>> >What exactly is BICOM anyways?  How is AES used in BICOM?
>>
>>     I think you know what it is TOM. But here is the URL.
>> http://www3.sympatico.ca/mtimmerm/
>> let me explain again how AES is in BICOM. Matt took the
>> code supplyed by the AES people for 128 bit block size
>> RIJNDAEL with 256 bit key space. Every use of the algorithm
>> envoles full block sizes. Yet he manges to keep every thing
>> totally bijective.
>>
>> your could take a 3 byte file "TOM" for example
>> end decrypt it with a password to get an input file.
>> that when encrypted with same password comes back to
>> that file.
>>   He has full source code with it and he writes like
>> a modern programmer not with my old ways. So even
>> young guys like you might have a chance to understand it.
>
>Blah blah blah.
>
>If you really want to encode blocks irrespective of the blocks thru AES
>use CTR modes.  They allow you to encode any sized message without
>padding up and each block is encrypted independent of the others.
>

  Look TOM, you asked for an answer; why do you have to be such
an ass about it? You asked a question, I answered. What on earth
makes you think encrypting each block independent of the others
does anything to add to real security? Try to think a little
before your stupid, insulting, typical non-thought-out response.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Re: NSA "Headline Puzzle" confusion ...
Date: Fri, 11 May 2001 21:19:16 +0200

I'm sorry but you'll have to look closer, it is concatenation but not only
of two but three matrices ==> to a fourth one.

--
Anticipating the future is all about envisioning the Infinity.
http://www.atstep.com
====================================================
"Mitchell Morris" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Jack Lindso" <[EMAIL PROTECTED]> wrote in
> <[EMAIL PROTECTED]>:
>
> >I didn't read the whole text but it seems that third one is a
> >concatenation of the previous two.
>
> Unfortunately, it couldn't be ... the first one includes the sequence
> "OPTHRCVJ", the second one doesn't have an 'F' at all, and the third one
> has "VXFLHQ".
>
> I would be relieved, however, if it had been something so simple.


------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: good x86 coders (help please)
Date: 11 May 2001 11:27:44 -0700

"Tom St Denis" <[EMAIL PROTECTED]> writes:
> My goal was a general code where the pairing is maximized within given
> constraints.  I.e I try not to write
> 
> MOV EAX,EBX
> ADD EAX,ECX

It's more complicated on the P2, which can keep dozens of partly
executed instructions in the air while doing later ones.  I don't
think it's worth optimizing for the original Pentium any more, in most
situations.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best encrypting algoritme
Date: Fri, 11 May 2001 18:32:22 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>   Look TOM, you asked for an answer; why do you have to be such
> an ass about it? You asked a question, I answered. What on earth
> makes you think encrypting each block independent of the others
> does anything to add to real security? Try to think a little
> before your stupid, insulting, typical non-thought-out response.

You didn't actually answer my question.  You said

> >> your could take a 3 byte file "TOM" for example
> >> end decrypt it with a password to get an input file.
> >> that when encrypted with same password comes back to
> >> that file.
> >>   He has full source code with it and he writes like
> >> a modern programmer not with my old ways. So even
> >> young guys like you might have a chance to understand it.

Which is what BICOM does, but not how.  Not only that, you haven't explained
why that is desirable.

Not only that, but your main complaint is that there is information leakage
somehow.  If you use CTR the encryption is done without the plaintext.  I.e.
you encrypt the counters, store 'em, then xor them against the plaintext.
The block cipher never sees the plaintext, which makes patterns and CBC-style
booboos disappear.  You could encode (eight blocks) AAAAAAAA or ABCDEFGH and
the attacker would not know the difference with high probability.  (If the
ciphertext is IIIIIIII, for example, then all eight input blocks must be
different etc... but the prob of that occurring is very very very very very
very very very small.)

I don't see why anyone would go out of their way to use a cumbersome, less
studied mode of operation when a simpler alternative is available that
overcomes a lot of the shortcomings of CBC/CFB/etc. modes of operation.

The benefits of CTR mode

1.  Smaller code, since you don't need a decrypt routine for the block cipher
or CTR mode (it's its own inverse)
2.  Seekable.  You can easily jump anywhere in the stream by encoding the
appropriate counter.
3.  Fast.  About as fast as the underlying transform.
4.  Easy to analyze.  If the transform is secure and you don't encode too
many counters, CTR is secure.
5.  Variable sized messages.  You can encode 7-bit messages just as easily
as 43-bit ones etc...
6.  It's simple.  You encode a binary counter.... not a lot of complexity to
the implementation.

Tom
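
The CTR construction behind points 1, 2 and 5 of the post above (and the earlier "use CTR modes" reply), as an added Go example that is not Tom's code: the block cipher only ever encrypts counters, the same XOR routine decrypts, a slice can be decrypted by recomputing its counter, and eight identical plaintext blocks still give eight distinct ciphertext blocks. The counter layout (8-byte nonce plus 64-bit big-endian block index), the sample key and the nonce are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// keystreamBlock returns E_K(nonce || i), the AES block for counter index i.
// Layout is an assumption: 8-byte per-message nonce in the high half and the
// big-endian 64-bit block index in the low half.
func keystreamBlock(block cipher.Block, nonce []byte, i uint64) []byte {
	ctr := make([]byte, block.BlockSize())
	copy(ctr, nonce)
	binary.BigEndian.PutUint64(ctr[8:], i)
	ks := make([]byte, block.BlockSize())
	block.Encrypt(ks, ctr) // the block cipher sees only the counter, never the plaintext
	return ks
}

// ctrXOR encrypts or decrypts data whose first byte sits at byte offset off
// in the stream. It is its own inverse, seeks by deriving the counter from
// off, and needs no padding: the final keystream block is simply truncated.
func ctrXOR(key, nonce, data []byte, off uint64) ([]byte, error) {
	if len(nonce) != 8 {
		return nil, errors.New("nonce must be 8 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := uint64(block.BlockSize())
	out := make([]byte, len(data))
	for i := 0; i < len(data); {
		pos := off + uint64(i)
		ks := keystreamBlock(block, nonce, pos/bs)
		for j := pos % bs; j < bs && i < len(data); j++ {
			out[i] = data[i] ^ ks[j]
			i++
		}
	}
	return out, nil
}

// stdlibCTR encrypts from offset 0 with Go's cipher.NewCTR and the same
// nonce||0 initial counter, as a cross-check of the counter layout above.
func stdlibCTR(key, nonce, data []byte) ([]byte, error) {
	if len(nonce) != 8 {
		return nil, errors.New("nonce must be 8 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	copy(iv, nonce)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// allBlocksDistinct reports whether no two bs-sized blocks of ct repeat.
// Eight identical plaintext blocks (AAAAAAAA in the post) still produce eight
// different ciphertext blocks because their counters differ.
func allBlocksDistinct(ct []byte, bs int) bool {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		b := string(ct[i : i+bs])
		if seen[b] {
			return false
		}
		seen[b] = true
	}
	return true
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)  // constructed sample key
	nonce := []byte("nonce-01")            // constructed; must never repeat under one key
	msg := bytes.Repeat([]byte("A"), 8*16) // eight identical plaintext blocks
	ct, _ := ctrXOR(key, nonce, msg, 0)
	mid, _ := ctrXOR(key, nonce, ct[37:70], 37) // decrypt a slice without its prefix
	fmt.Println(allBlocksDistinct(ct, 16), bytes.Equal(mid, msg[37:70]))
}
```

Every counter block must be unique under a given key, so the nonce may never be reused with that key; and since CTR gives confidentiality only, a MAC over the ciphertext is what covers the integrity that point 4 leaves out.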



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: good x86 coders (help please)
Date: Fri, 11 May 2001 18:34:09 GMT


"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
> > My goal was a general code where the pairing is maximized within given
> > constraints.  I.e I try not to write
> >
> > MOV EAX,EBX
> > ADD EAX,ECX
>
> It's more complicated on the P2, which can keep dozens of partly
> executed instructions in the air while doing later ones.  I don't
> think it's worth optimizing for the original Pentium any more, in most
> situations.

The problem is that if I optimize the code specially for the Athlon (which
is what I am running) I lose out on all other platforms etc..

Which is why I wanted to make general optimizations so it wouldn't be dog
slow on Intel machines and super fast on Athlons, etc...

So far I have it down to 300 or so cycles per block (GCC gets it down to 365,
so I think I did a decent job for about 30 mins).

I have tried a few reorderings but I can't break 300... have you checked my
code?

What do you think about the block cipher itself?

Tom



------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: RC4
Date: Fri, 11 May 2001 17:13:56 GMT

"jlcooke" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Isn't RC4 a trade secret of RSA Labs?

No. It has been published for years.

>  RC4-compat was reverse engineered
> or something.  All I know is you can't use or name an algorithm RC4
> unless RSA labs made it.

Not exactly. If you use RC4-compat, then you might very well be
using an algorithm that RSA labs made. So using the name "RC4"
would be ok under your rule.

>  But you can use a reverse engineered
> RC4-compat just fine.
> Why oh why does RSA (labs) complicate my life so.

It's really not an issue. RSA (labs) and its parent corp really
don't care if you use RC4 or not.




------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NSA "Headline Puzzle" confusion ...
Date: Fri, 11 May 2001 17:34:44 GMT

Mitchell Morris wrote:
> In the example, however, a 'W' appears in the "solved" tableau when it
> didn't appear at all in the preliminary tableau and I don't see where it
> came from.

It was taken from another chain of the first message: LNAWDQ
If you look around it in the tableau, you'll see how this was used
to "fill in the gap".

> The "example" then repeats this procedure with another permutation chain,
> then concludes:
>         Now you can use the information you have from your headline
>         recoveries and the fact that you know that each row in the table
>         is a slide of every other row to complete the table and recover
>         a chain of all 26 letters.
> followed by a diagram that includes a significantly larger tableau with one
> row completely filled in and I don't see how tableaus 1 and 2 led to the
> construction of tableau 3.

Keep in mind that each chain can be decimated at some other interval.
So, for example, to extend GOACSY use the KOPTHRCVJZEYF chain redecimated
every 5 characters O.C.Y.T.J.K.R.E.P.V.F.H.Z. which meshes with every 2nd
character to produce GOACSY.T.J.K.R.E.P.V.F.H.Z.  Use another chain to
fill in the remaining letters.

By the way, this chaining business is extremely important.  It's a way
to exploit the latent structural regularity of the system.
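
The redecimation Gwyn works by hand above, as an added Go example that is not from the puzzle text: decimate walks the KOPTHRCVJZEYF chain every 5 letters from O, mesh lays the result into every 2nd cell of a 26-cell row on top of GOACSY, and findDecimation searches every step, start letter and offset for the one that agrees with the known letters. The exhaustive search and the '.' notation for unknown cells are my assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// decimate walks chain cyclically in steps of step, beginning at the letter
// start, and returns the letters in the order visited. For a 13-letter chain
// every step from 1 to 12 visits each letter exactly once.
func decimate(chain string, step int, start byte) string {
	n := len(chain)
	pos := strings.IndexByte(chain, start)
	if pos < 0 {
		return ""
	}
	out := make([]byte, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, chain[pos])
		pos = (pos + step) % n
	}
	return string(out)
}

// mesh writes sub into every stride-th cell of a 26-cell row, starting at
// offset, over the letters already known ('.' marks an unknown cell). It
// fails on any disagreement with a known letter and reports how many known
// letters it confirmed.
func mesh(known, sub string, stride, offset int) (string, int, error) {
	if len(known) > 26 {
		return "", 0, errors.New("known row longer than the alphabet")
	}
	row := []byte(known + strings.Repeat(".", 26-len(known)))
	hits := 0
	for i := 0; i < len(sub); i++ {
		p := offset + i*stride
		if p >= 26 {
			return "", 0, errors.New("sub does not fit in the row")
		}
		switch row[p] {
		case '.':
			row[p] = sub[i]
		case sub[i]:
			hits++
		default:
			return "", 0, errors.New("conflict with a known letter")
		}
	}
	return string(row), hits, nil
}

// findDecimation tries every step and start letter of chain and every offset
// below stride, returning the first redecimation that meshes with the known
// row in at least minHits places. This is the by-hand step above made
// mechanical: because every row is a slide of every other, one partial chain
// can extend another once the right interval is found.
func findDecimation(chain, known string, stride, minHits int) (int, byte, string, error) {
	for step := 1; step < len(chain); step++ {
		for s := 0; s < len(chain); s++ {
			sub := decimate(chain, step, chain[s])
			for off := 0; off < stride; off++ {
				row, hits, err := mesh(known, sub, stride, off)
				if err == nil && hits >= minHits {
					return step, chain[s], row, nil
				}
			}
		}
	}
	return 0, 0, "", errors.New("no consistent redecimation")
}

func main() {
	fmt.Println(decimate("KOPTHRCVJZEYF", 5, 'O')) // OCYTJKREPVFHZ
	step, start, row, err := findDecimation("KOPTHRCVJZEYF", "GOACSY", 2, 2)
	fmt.Println(step, string(start), row, err) // 5 O GOACSY.T.J.K.R.E.P.V.F.H.Z <nil>
}
```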

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: RC4
Date: Fri, 11 May 2001 18:43:31 GMT


"Roger Schlafly" <[EMAIL PROTECTED]> wrote in message
news:o5VK6.672$[EMAIL PROTECTED]...
> "jlcooke" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Isn't RC4 a trade secret of RSA Labs?
>
> No. It has been published for years.
>
> >  RC4-compat was reverse engineered
> > or something.  All I know is you can't use or name an algorithm RC4
> > unless RSA labs made it.
>
> Not exactly. If you use RC4-compat, then you might very well be
> using an algorithm that RSA labs made. So using the name "RC4"
> would be ok under your rule.
>
> >  But you can use a reverse engineered
> > RC4-compat just fine.
> > Why oh why does RSA (labs) complicate my life so.
>
> It's really not an issue. RSA (labs) and its parent corp really
> don't care if you use RC4 or not.

Not only that, but RC4 is showing signs of weakness.  It's not an ideal
cipher for use really, since it's based more on muddle than anything
else.

Tom



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Tiny s-boxes
Date: 11 May 2001 18:47:19 GMT

Simon Johnson wrote:
>To be 100% certain that a particular input difference causes a set output
>difference with the highest probability possible for that s-box (the
>DP-Max)... I'd conjecture that the minimum amount of work required is
>2^(2n), where n is the size of the input into the box.

Nope, your conjecture is not true in general.
For instance, it is not true for Rijndael-like S-boxes based
on inversion in a finite field.

>My idea (which won't work with the interpolation attack, since no
>precomputation is required) was to make the s-box so large that finding
>_any_ difference by brute-force is computationally infeasible.

I'm very skeptical.  How do you know that brute force will be the
best way to find a good differential?  And how will legitimate users
store the S-box if it is this large?

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
