Cryptography-Digest Digest #343, Volume #14      Sat, 12 May 01 15:13:00 EDT

Contents:
  Re: Secret Sharing algo ("Thomas J. Boschloo")
  Re: Is Differential Cryptanalysis practical? ("Tom St Denis")
  Re: Comparison of Diff. Cryptanalysis countermeasures ("Tom St Denis")
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Jim D)
  TC15 analysis ("Tom St Denis")
  Re: DES Crypto Myth?? (DJohn37050)
  Re: Comparison of Diff. Cryptanalysis countermeasures (Mok-Kong Shen)
  Re: Comparison of Diff. Cryptanalysis countermeasures ([EMAIL PROTECTED])
  Re: Are low exponents a problem with RSA? ("Roger Schlafly")
  Re: Is Differential Cryptanalysis practical? ("Simon Johnson")
  Re: DES Crypto Myth?? ([EMAIL PROTECTED])
  Re: Comparison of Diff. Cryptanalysis countermeasures ("Tom St Denis")
  Re: OAP-L3:  "The absurd weakness." (Anthony Stephen Szopa)
  Re: OAP-L3:  "The absurd weakness." (Anthony Stephen Szopa)
  Re: Encryption in JavaSCRIPT (DES or Blowfish) ("Simon Johnson")
  Re: OAP-L3:  "The absurd weakness." (Anthony Stephen Szopa)

----------------------------------------------------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Subject: Re: Secret Sharing algo
Date: Sat, 12 May 2001 19:05:01 +0200

Paul Rubin wrote:
> 
> "Thomas J. Boschloo" <[EMAIL PROTECTED]> writes:
> > How about just encrypting the secret key to all key share-holders in
> > succession?! Without any checksums inside which would compromise the
> > final security. E.g. if you want to split a key into five shares of
> > which three need to be reunited you could just encrypt the key to every
> > possible combination of three keys:
> >
> > C(5,3) = 5!/(3!*2!) = 5*4/2 = 10 different encrypted blocks of keys. Not
> > that much data to use. If you want all shares to be united you would
> > just need one block of encrypted secret key data. Even (5 above 4) has
> > lesser data than the (5 above 3 or 2) example.
> >
> > K.I.S.S. ??!
> 
> If you want to split it into 100 shares where 50 can reconstruct the
> key, the number of blocks gets impractical.  Existing secret sharing
> schemes aren't that complicated and don't have that problem.

If you have to split a key into 100 shares, you have huge logistical and
trust problems as well I would say ;-)

But thanks for the info and for assuring me somewhat that my 'KISS'
sharing algo is not obviously flawed as I was afraid it might have been.

Regards,
Thomas
-- 
"Software patents harm the flow of free information"
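The two approaches discussed above, side by side, as an added example that is not code from either poster. The "KISS" variant is my own concrete reading of the proposal: each holder gets a 32-byte key, and for every k-subset the secret is XORed with SHA-256 of that subset's keys, with no checksum inside, as the post specifies. The comparison scheme is a (k, n) polynomial (Shamir) scheme over a prime field. Key material comes from a seeded PRNG only so the demo is repeatable; a real deployment draws from os.urandom or secrets. All function names are mine.

```python
"""Threshold secret sharing two ways: 'encrypt to every k-subset' vs a (k, n)
polynomial scheme over GF(P).  Added illustration, not code from the thread."""
import hashlib
import random
from itertools import combinations
from math import comb

P = (1 << 127) - 1  # Mersenne prime; field for the polynomial scheme


def subset_pad(keys_in_index_order):
    """Mask for one k-subset: SHA-256 over that subset's holder keys, in index order."""
    return hashlib.sha256(b"".join(keys_in_index_order)).digest()


def kiss_split(secret, n, k, rng):
    """Return n holder keys and C(n, k) encrypted blocks, one per k-subset, no checksum."""
    assert len(secret) == 32, "secret is one SHA-256-sized block in this demo"
    holder_keys = [rng.getrandbits(256).to_bytes(32, "big") for _ in range(n)]
    blocks = {}
    for subset in combinations(range(n), k):
        pad = subset_pad([holder_keys[i] for i in subset])
        blocks[subset] = bytes(a ^ b for a, b in zip(secret, pad))
    return holder_keys, blocks


def kiss_recover(present, blocks):
    """present: {holder index: key} for exactly k holders who showed up."""
    subset = tuple(sorted(present))
    pad = subset_pad([present[i] for i in subset])
    return bytes(a ^ b for a, b in zip(blocks[subset], pad))


def shamir_split(secret_int, n, k, rng):
    """Degree k-1 polynomial with the secret as constant term; share i is (i, f(i))."""
    coeffs = [secret_int % P] + [rng.randrange(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def shamir_recover(shares):
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def storage_bytes(n, k):
    """Bytes to store: C(n, k) 32-byte blocks for the subset scheme vs n 16-byte shares."""
    return comb(n, k) * 32, n * 16


def demo(n=5, k=3, seed=1):
    rng = random.Random(seed)  # repeatable demo only; real keys come from secrets/os.urandom
    secret = hashlib.sha256(b"constructed demo secret").digest()
    keys, blocks = kiss_split(secret, n, k, rng)
    got_kiss = kiss_recover({0: keys[0], 2: keys[2], 4: keys[4]}, blocks)
    secret_int = int.from_bytes(secret[:15], "big")  # 120 bits, below P
    shares = shamir_split(secret_int, n, k, rng)
    got_shamir = shamir_recover([shares[1], shares[3], shares[4]])
    too_few = shamir_recover(shares[:k - 1])  # k-1 shares interpolate to an unrelated value
    return got_kiss == secret, len(blocks), got_shamir == secret_int, too_few != secret_int
```

For (5, 3) the subset scheme stores 10 blocks, which is what the post computes; `storage_bytes(100, 50)` shows why the reply calls the (100, 50) case impractical, while the polynomial scheme still hands out exactly 100 shares.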



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Is Differential Cryptanalysis practical?
Date: Sat, 12 May 2001 17:20:12 GMT


"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:9djnc5$hkl$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:HQcL6.75067$[EMAIL PROTECTED]...
> >
> > <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > > Tom St Denis wrote:
> > > >
> > >
> > > > > Tom St Denis wrote:
> > > >
> > > > Yes you're right, in this case it is not plausible.  A cipher is
> > > > described as broken if
> > > >
> > > > "It can be distinguished from a random permutation faster than sieving
> > > > the entire codebook"
> > > >
> > > > This entails differential/linear distinguishers that can be used to
> > > > solve for keys or just tell it from random.
> > > >
> > > > For example, you can tell Blowfish from random with a lot of texts but
> > > > not what the key is.  In this sense Blowfish is broken.
> > > >
> > > > Designers of new ciphers try to make ciphers that resist known attacks
> > > > and are thus unbroken.
> > > >
> > > > Tom
> > >
> > > I found the FEAL cryptanalysis paper you mentioned. That break appears
> > > to be very practical.
> >
> > Yup.  Personally I think the designers of FEAL were none too smart. Sure
> > diff analysis was not really known but "a+b" as a secure transform?  Come
> > on :-)
>
> Tom, now be kind to the poor designers of FEAL.  Yeah, their design turned
> out to be somewhat, errr, suboptimal.  However, remember how many of your
> designs have been broken in the past.

Oh I agree... but I never say my designs are secure!

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Sat, 12 May 2001 17:21:19 GMT


<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
>
> > > >
> > > > > Another paper which I ran across described using a PRNG
> > > > > to generate  S-boxes (something like 8 x 8 boxes) by seeding from
> > > > > key bits. Supposedly, the probability
>
> >
> > Ah perhaps.  It depends on how the sboxes are used.  Try proposing a new
> > DES using such random sboxes :-)
> >
> > Tom
>
> I smell booby-trap. We were talking about 8 x 8 boxes, not
> 6x4's remember?
>
> Changes in the DES S-boxes greatly weaken that particular algorithm.
> [Biham91]
>
> But I think you are still assuming that you know the contents of the
> S-boxes, yes?
>
>
> Is diff. cryptanalysis  possible on 16 rounds without knowing the
> S-box contents even though the boxes are weak?
>
> Differential analysis assumes that you know the contents of the S-boxes.
> If diff. analysis _requires_ knowledge of the S-boxes, then it seems to
> me that the way to harden a cipher against diff. cryptanalysis is to
> deny the cryptanalyst knowledge of the boxes' contents.

You have to realize that

a) Not all sboxes are 8x8.
b) Not all attacks are based on specific differences.

Tom



------------------------------

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Date: Sat, 12 May 2001 17:34:10 GMT
Reply-To: Jim D

On 11 May 2001 17:37:34 GMT, [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
wrote:
> Hell when I was a kid
>I took a gun to school. My NRA safety class required you to bring
>your own 22. Nowadays people shit in their pants when a kid takes
>a gun to school. The view is different because the liberals have
>fucked it up and destroyed values.

Isn't America a wonderful place?! Rather you than me, pal!

-- 
______________________________________________

Posted by Jim D.

Nole me vocari, ego te vocabo. (Don't call me, I'll call you.)

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
______________________________________________

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: TC15 analysis
Date: Sat, 12 May 2001 17:39:12 GMT

I started my analysis of TC15 (more than just poking).  I am looking for low
Hamming weight differentials (i.e. low active sbox count).

All in all, if I can keep the count under 64 I can break the cipher using a
differential attack.  To help resist such attacks I looked at the sboxes
with respect to single bit differences on the input and output.  They only
occur with a prob of 2/16 and there were about four such pairs. Also linear
approximations with a single bit occur with a bias of -4/16 ...

The new sbox I designed is just as fast but I replace two ANDs with ORs.
There are three single bit differences with a prob of 2/16 and the highest
single bit approximations have a bias of -2/16. (linear bias is of the form
1/2 +/- p, i.e. for -2/16 it's a bias from 0.5 of -1/8).

New source and analysis is at

http://tomstdenis.home.dhs.org/tc15.c
http://tomstdenis.home.dhs.org/tc15_box.c

I am trying to find collisions in the LT such that differences cancel out.
The problem (for the attacker) is that the outputs from the sboxes never
line up, so a single bit output difference from one sbox can affect up to
seven new sboxes in the next round.  (62% of the time between 3 and 5 sboxes
will be active).

I was thinking of going backwards through the LT with low Hamming weight
values to see what type of inputs I need to find a collision and see if the
sboxes will produce the required differences ... etc.

Since I am new to this could someone help me out and make sure what I am
saying makes sense... I know there are lurkers who read my posts (I hope)
since my website gets pinged a bit (which is nice to know).  Am I on the
right track to analyzing this cipher?
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
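The single-bit differential and linear figures the post quotes (a probability of 2/16, a bias of -4/16) come straight out of the difference distribution table and linear approximation table of a 4x4 sbox. The code below computes both and reports the worst-case and single-bit-to-single-bit entries. It is an added example, not Tom's code: TC15's own boxes are in tc15_box.c, which is not on this page, so the PRESENT sbox (a published 4-bit box) stands in as sample input, and the identity permutation serves as the obviously bad reference. Differential counts are out of 16; a LAT entry of -4 is a bias of -4/16 in the post's notation.

```python
"""DDT and LAT of a 4x4 S-box with the single-bit figures pulled out.
Added illustration; the S-box is the published PRESENT box, used only as a sample."""

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """ddt[a][b] = number of inputs x with S(x) ^ S(x ^ a) == b (out of len(sbox))."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def parity(v):
    return bin(v).count("1") & 1


def lat(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - n/2; the bias of the approximation is lat[a][b]/n."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            t[a][b] = agree - n // 2
    return t


def profile(sbox):
    """Worst-case entries overall and restricted to single-bit input/output masks."""
    n = len(sbox)
    ones = [1 << i for i in range(n.bit_length() - 1)]  # single-bit masks
    d, l = ddt(sbox), lat(sbox)
    return {
        "max_diff_count": max(d[a][b] for a in range(1, n) for b in range(n)),
        "max_single_bit_diff_count": max(d[a][b] for a in ones for b in ones),
        "single_bit_diff_pairs": sum(1 for a in ones for b in ones if d[a][b]),
        "max_abs_lat": max(abs(l[a][b]) for a in range(1, n) for b in range(1, n)),
        "max_single_bit_abs_lat": max(abs(l[a][b]) for a in ones for b in ones),
    }
```

Reading the output: `max_single_bit_diff_count` is the "single bit in, single bit out" probability times 16, and `single_bit_diff_pairs` is the number of such (input, output) pairs that occur at all, which is the "about four such pairs" count in the post. A box that sends every single-bit difference to a multi-bit one forces more active sboxes in the next round through the linear layer, which is the whole point of keeping those entries low.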



------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 12 May 2001 17:58:32 GMT
Subject: Re: DES Crypto Myth??

Versions of other ciphers that were JUST invented were broken when diffl.
cryptanalysis came out, but NOT DES. This cannot be by coinkydinky. And
Coppersmith says it was not, but was deliberate in his paper published in IBM
JRD.  So the designers knew about it, but did not disclose it as it was not
generally known and why tell bad guys how to do things?
Don Johnson

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Sat, 12 May 2001 19:56:07 +0200



"SCOTT19U.ZIP_GUY" wrote:
> 
[snip]
>   One way, the way I chose, was to use a bigger S-box like 16X16
> or 19X19. And then made the key select from a very large class
> of S-boxes. I chose S-boxes so that any single cycle permutation
> would be allowed.  Then tested what the output characteristics
> of the simplest weakest single cycle S-boxes were used. Namely
> sequential ones like a = a +1. Very simple but not very likely
> and then examined the outputs of different types of files using
> DIEHARD. Of course if you pick any small subset of S-boxes it would
> then be easy to break. But in reality no matter what you
> pick every key could be considered weak in the sense that an attacker
> need only check for that key.
[snip]

How many 19*19 S-boxes would you in general use? I mean 
wouldn't the storage requirement be quite excessive and 
the generation time also be quite substantial? Thanks.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Sat, 12 May 2001 09:26:58 -0800

Tom St Denis wrote:
> 
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Tom St Denis wrote:
> >
> > > > >
> > > > > > Another paper which I ran across described using a PRNG
> > > > > > to generate  S-boxes (something like 8 x 8 boxes) by seeding from
> > > > > > key bits. Supposedly, the probability
> >
> > >
> > > Ah perhaps.  It depends on how the sboxes are used.  Try proposing a new
> > > DES using such random sboxes :-)
> > >
> > > Tom
> >
> > I smell booby-trap. We were talking about 8 x 8 boxes, not
> > 6x4's remember?
> >
> > Changes in the DES S-boxes greatly weaken that particular algorithm.
> > [Biham91]
> >
> > But I think you are still assuming that you know the contents of the
> > S-boxes, yes?
> >
> >
> > Is diff. cryptanalysis  possible on 16 rounds without knowing the
> > S-box contents even though the boxes are weak?
> >
> > Differential analysis assumes that you know the contents of the S-boxes.
> > If diff. analysis _requires_ knowledge of the S-boxes, then it seems to
> > me that the way to harden a cipher against diff. cryptanalysis is to
> > deny the cryptanalyst knowledge of the boxes' contents.
> 
> You have to realize that
> 
> a) Not all sboxes are 8x8.

And since I mentioned the 6x4 sboxes just a few lines before (see
above), it should be obvious that I realize that. Consider 8x8's vs.
smaller boxes in the context of "randomly chosen" for clues on why I
mentioned 8x8's.

> b) Not all attacks are based on specific differences.

Enlighten me.

The differential attacks that I've been able to study are based on being
able to assign a probability of a diff round output for a diff round
input.
If you don't know the S-box contents, how can you do that by looking at
the diff input and diff output of the entire algo? If you don't know the
probability for a round, you can't determine the probability for the
full round cipher.
If you don't know the probability for the full round cipher, how do you
distinguish the key?


=====BEGIN PGP MESSAGE=====
Version: PGP 6.5.8

pCxibgtG9gGHw3oOaZIu0w6iUz27izdTRvp0EdNSrMJ8La93oiygo6+eQtU4Tw==
=IZJ2
=====END PGP MESSAGE=====

------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: Are low exponents a problem with RSA?
Date: Sat, 12 May 2001 17:42:46 GMT

"David Wagner" <[EMAIL PROTECTED]> wrote in message
news:9dfj1o$fn8$[EMAIL PROTECTED]...
> Matthew Kwan wrote:
> >Given the encryption function  C = (P^e) mod n where (e,n) is
> >the public key, is there any security weakness in choosing a small
> >value of e?
> If P is your message, without padding, there are issues.  Use OAEP,
> and they go away.
> (There is also theoretical work which might be viewed as evidence that
> RSA could be less secure with e=3 than with general e, but personally
> I'm happy to stick with e=3 for the moment.)

I agree. The main advantage of RSA is the fast signature verifications.
The security seems to be acceptable. You only get the fast
verifications with the low exponent. If I decided that low-exponent
RSA was not good enough, then I'd rather use DH/DSA or something
else.
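The two cases Wagner's reply separates, as an added example that is not code from the thread: textbook e=3 on a short unpadded message, where the ciphertext never wraps modulo n and an integer cube root hands the message back, next to the same key used with RSA-OAEP. Assumptions: the demo key is generated here with a seeded PRNG purely for repeatability (a real key draws from os.urandom or secrets), OAEP follows RFC 8017 section 7.1 with SHA-256, MGF1 and an empty label, and every function name is mine.

```python
"""Low public exponent: unpadded e=3 on a short message vs RSA-OAEP.
Added illustration; key generation here is for the demo only."""
import hashlib
import random
from math import gcd

HLEN = 32  # SHA-256 output length

def is_probable_prime(n, rng, rounds=32):
    # trial division, then Miller-Rabin; adequate for a demo key
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits, e, rng):
    """(n, e, d) with gcd(e, p-1) = gcd(e, q-1) = 1, so a small e such as 3 is usable."""
    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if gcd(p - 1, e) == 1 and is_probable_prime(p, rng):
                return p
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def icbrt(c):
    """Exact integer cube root of c, or None when c is not a perfect cube."""
    lo, hi = 0, 1 << ((c.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == c else None

def mgf1(seed, length):
    out = b""
    for i in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, seed):
    """EME-OAEP (RFC 8017 7.1.1): k = modulus length in bytes, seed = HLEN random bytes."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = hashlib.sha256(b"").digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k):
    """Inverse of oaep_encode; one generic error so the individual checks cannot be told apart."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)
    if em[0] != 0 or db[:HLEN] != hashlib.sha256(b"").digest() or sep < 0 or any(db[HLEN:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]

def rsa_oaep_encrypt(msg, n, e, rng):
    k = (n.bit_length() + 7) // 8
    seed = rng.getrandbits(8 * HLEN).to_bytes(HLEN, "big")
    return pow(int.from_bytes(oaep_encode(msg, k, seed), "big"), e, n)

def rsa_oaep_decrypt(c, n, d):
    k = (n.bit_length() + 7) // 8
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k)

def demo(seed=2001):
    rng = random.Random(seed)  # repeatable demo key only; never seed a real key this way
    n, e, d = gen_key(1024, 3, rng)
    msg = b"attack at dawn"
    m = int.from_bytes(msg, "big")
    # Unpadded: m has 112 bits, so m^3 < n, nothing is reduced mod n, and cbrt(c) == m.
    unpadded_break = icbrt(pow(m, e, n)) == m
    # OAEP: the encoded block fills the modulus, m^3 wraps, the cube root attempt fails,
    # and only the holder of d gets the message back.
    c = rsa_oaep_encrypt(msg, n, e, rng)
    return unpadded_break, icbrt(c), rsa_oaep_decrypt(c, n, d) == msg
```

The point to take away matches the reply: the exponent is not the problem, the missing padding is. With OAEP the number raised to the cube is a full-width, randomised block, so the "no modular reduction" shortcut disappears and verification stays cheap.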




------------------------------

From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Is Differential Cryptanalysis practical?
Date: Sat, 12 May 2001 19:49:35 +0100


<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > >
> > > I read through the Biham and Shamir 1990 paper on "Differential
> > > Cryptanalysis of DES-like Cryptosystems". The technique is fascinating.
> > >
> > > However, when the technique was applied to 16-round DES, 2^57 plaintext
> > > pairs were required (plus huge counter arrays).
> > >
> > > A later paper by Biham and Shamir (1994) detailed an improved technique
> > > which could be implemented with 2^49 chosen ASCII plaintexts (and
> > > counter arrays eliminated).
> > >
> > > I think it's realistic to assume that the algorithm is known by the
> > > cryptanalyst.
> > > I think it is realistic to assume that the analyst has SOME chosen
> > > plaintexts with their corresponding ciphertexts (ye olde "send it to
> > > the embassy" trick).
> > > I think it's CRAP to assume that even an embassy is going to encrypt
> > > 2^(large # here) carefully chosen plaintext pairs for the analyst and I
> > > think it's CRAP to assume that Joe PC User is going to encrypt
> > > 2^(small # here) carefully chosen plaintext pairs for the analyst (feel
> > > free to do whatever differential analysis you can with the commonly
> > > encrypted file headers).
> > >
> > > I'm not even sure that 2^49 chosen ASCII plaintexts is realistic.
> > >
> > > "Certifiable weakness"? Yes. Practical cryptanalysis technique? Er, help
> > > me out 'cause I don't see it. I've only been through two papers so there
> > > are probably improved techniques. Give me URLs, pointers to other
> > > papers...
> > >
> > > Maybe a probability of getting 2^(whatever) carefully chosen plaintexts
> > > encrypted should be calculated and included as part of the round
> > > probabilities (kidding, kidding).
> >
> > Is this a joke post?
>
> Not a joke post (except for the last line). As I said, I was reading
> through both of those diff. anal. papers thinking "man, this is great"
> until I got to the part about how much chosen plaintext it took to
> actually work.
>
> > Look up their analysis of say FEAL, Knufu and various others.
>
> I'll do that. Thanks.
>
> >
> > It's true that for some ciphers diff analysis can in theory break it and
> > in practice not, but for some ciphers the attack is devastating.  FEAL for
> > example can be determined from random with (FEAL-6) only 4 chosen texts.
> > It can be broken up to quite a bit of rounds with what could be considered
> > only a handful of texts.
>
> Diff. anal. seems to be effective on reduced round DES as well, but
> again, that isn't really a practical break. Even in their second paper
> Bih.&Sha. discussed the challenge of extending just one round - from 15
> to the full 16-round DES.
> >
> > If we didn't know about these attacks then say RC5 with four rounds
> > would be secure, etc...
>
> Just to reiterate in case I wasn't clear in my OP, I'm not questioning
> the significance of diff. anal. and I'm not questioning the breaks, i.e.
> the certifiable weakness of the cipher to a diff. anal. attack. I am
> questioning practicality based on the TWO papers I described. Let me
> reword the OP:
> Cipher X can be broken by diff. analysis with 2^40 carefully chosen
> plaintexts.
> From my outsider-looking-in perspective, I can't possibly imagine
> anyone, embassy or otherwise, encrypting that many plaintexts unawares,
> so it appears that while the cipher is undoubtedly "broken", the break
> isn't practical. In other words, start looking for a better Cipher Y
> but don't lose sleep at night unless you're willing to encrypt LARGE
> amounts of carefully chosen plaintext pairs for your attacker. Can
> anyone point me to papers that describe full-round crypto algos being
> broken with reasonable amounts of carefully chosen plaintext pairs
> using diff. cryptanalysis?
>

I agree, that kind of break is impractical... however, its existence is
still _useful_.. We can use this break to suggest that a key change every
2^49 plaintexts is prudent. In a way, the academic breaks are useful because
they allow us to compare the relative securities of ciphers.

Simon.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: DES Crypto Myth??
Date: Sat, 12 May 2001 09:53:43 -0800

DJohn37050 wrote:
> 
> Versions of other ciphers that were JUST invented were broken when diffl.
> cryptanalysis came out, but NOT DES. This cannot be by coinkydinky. And
> Coppersmith says it was not, but was deliberate in his paper published in IBM
> JRD.  So the designers knew about it, but did not disclose it as it was not
> generally known and why tell bad guys how to do things?
> Don Johnson

Sounds reasonable. I just wondered after I read the Seberry paper.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Sat, 12 May 2001 18:49:38 GMT


<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > > Tom St Denis wrote:
> > >
> > > > > >
> > > > > > > Another paper which I ran across described using a PRNG
> > > > > > > to generate  S-boxes (something like 8 x 8 boxes) by seeding
> > > > > > > from key bits. Supposedly, the probability
> > >
> > > >
> > > > Ah perhaps.  It depends on how the sboxes are used.  Try proposing a
> > > > new DES using such random sboxes :-)
> > > >
> > > > Tom
> > >
> > > I smell booby-trap. We were talking about 8 x 8 boxes, not
> > > 6x4's remember?
> > >
> > > Changes in the DES S-boxes greatly weaken that particular algorithm.
> > > [Biham91]
> > >
> > > But I think you are still assuming that you know the contents of the
> > > S-boxes, yes?
> > >
> > >
> > > Is diff. cryptanalysis  possible on 16 rounds without knowing the
> > > S-box contents even though the boxes are weak?
> > >
> > > Differential analysis assumes that you know the contents of the S-boxes.
> > > If diff. analysis _requires_ knowledge of the S-boxes, then it seems to
> > > me that the way to harden a cipher against diff. cryptanalysis is to
> > > deny the cryptanalyst knowledge of the boxes' contents.
> >
> > You have to realize that
> >
> > a) Not all sboxes are 8x8.
>
> And since I mentioned the 6x4 sboxes just a few lines before (see
> above), it should be obvious that I realize that. Consider 8x8's vs.
> smaller boxes in the context of "randomly chosen" for clues on why I
> mentioned 8x8's.

I could design a cipher that uses 8x8s where random ones would be a "bad
thing".

> > b) Not all attacks are based on specific differences.
>
> Enlighten me.
>
> The differential attacks that I've been able to study are based on being
> able to assign a probability of a diff round output for a diff round
> input.
> If you don't know the S-box contents, how can you do that by looking at
> the diff input and diff output of the entire algo? If you don't know the
> probability for a round, you can't determine the probability for the
> full round cipher.
> If you don't know the probability for the full round cipher, how do you
> distinguish the key?

Not all attacks are based on saying "an input diff of 0x55BB leads to an
output difference of 0x1234".  They could say "an input difference of
(0,0,x,y) leads to (a,b,0,0) where x,y,a,b are nonzero".

Tom



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Sat, 12 May 2001 11:58:19 -0700

John Savard wrote:
> 
> On Fri, 11 May 2001 02:46:20 -0700, Anthony Stephen Szopa
> <[EMAIL PROTECTED]> wrote, in part:
> 
> >Anyone who would let you do their thinking for them deserves
> >no better.
> 
> You would be *surprised* how few hours some people have in the day,
> and how *many* ingenious enciphering programs, claimed to be secure,
> are offered for their consideration.
> 
> Hence, generally, people have no choice but to rely, at least in part,
> on the judgement and advice of others. Still, they do some thinking
> for themselves - they evaluate who is more likely to be competent and
> trustworthy before choosing which 'experts' to heed.
> 
> This is why, for example, Bruce Schneier's advice is so popular.
> 
> John Savard
> http://home.ecn.ab.ca/~jsavard/


I only agree with those who support their assertions with directly
pertinent objective facts and sound reasoning.

I almost always hear generalities supported by unfounded or at least
certainly not communicated assumptions that render the comments
unintelligible.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Sat, 12 May 2001 12:01:07 -0700

Xcott Craver wrote:
> 
> Anthony Stephen Szopa  <[EMAIL PROTECTED]> wrote:
> >
> >I think the place to start in answering this question is to read the
> >Help Files:  Theory, Processes, Operation, etc. and the recommended
> >use.
> 
>         You might be under the false impression that people respond
>         to your posts out of interest in your cipher, when in fact
>         they only do so to inform 3rd parties, who may have recently
>         taken a peek into sci.crypt, that you are one of the regular
>         crackpots.
> 
> >Good luck.  You'll need it if you think you have a prayer in
> >breaking the OTP files.
> 
>         I'd love to, but oooh, I just got an email, and in order
>         to display it on the screen my software requires me to
>         shuffle a deck of cards 10 times and do some long division
>         on the back of an envelope.
> 
>                                                 -S

Obviously, the simplicity and readily understandable concepts upon 
which OAP-L3 is based can lead to frustration.

------------------------------

From: "Simon Johnson" <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.java.javascript,comp.lang.javascript
Subject: Re: Encryption in JavaSCRIPT (DES or Blowfish)
Date: Sat, 12 May 2001 20:06:59 +0100


Super-Simon <[EMAIL PROTECTED]> wrote in message
news:9dc2on$geg$[EMAIL PROTECTED]...
> Hi,
>
> Is it possible to encrypt and decrypt strings with DES or Blowfish in
> JavaSCRIPT? If it is possible, where can I get more information????

It's likely you won't want to use DES. It can be broken by exhaustive search
of the keyspace in under 24 hours using super-computers.

Simon.



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Sat, 12 May 2001 12:05:06 -0700

David Hopwood wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> "Douglas A. Gwyn" wrote:
> > James Felling wrote:
> > > ... while I do accept that using your medhods over and over again
> > > you can and will eventually get good data, it requires more work to
> > > get to that point than it would with a conventional stream cypher.
> >
> > Well put.
> 
> It should also be noted that it isn't just a little bit more work; it is
> several orders of magnitude more work. The types of shuffling operations
> that OAP-L3 uses are all special cases of the same method, and that method
> is not very good at distributing entropy within the permutation table.
> In particular, the probability that two initially adjacent elements will
> remain adjacent, is far greater than it should be by chance. The result
> is similar to trying to shuffle a stacked deck of cards using a small
> number of shuffles - except that the table is much larger than 52 elements,
> which makes the resulting bias much worse.
> 
> There's little point in telling Szopa this, though; people have done that
> before, but he tries to claim that the output stage will hide the non-
> randomness in the permutation table. AFAICS (from an admittedly brief
> analysis), there is no reason to believe that it does, and I would be
> surprised if there were not a distinguisher using only a small amount
> of output. (If anyone here is really bored, and inclined to spend a
> hour or two deciphering a few pages of badly written cipher description
> from someone with an anti-mathematical bent, they'd have a good chance
> of breaking OAP-L3 with the recommended number of steps.)
> 
> In any case, the cipher is ridiculously inefficient, and too reliant
> on the quality of user-provided random input.
> 
> - --
> David Hopwood <[EMAIL PROTECTED]>
> 
> Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
> RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
> Nothing in this message is intended to be legally binding. If I revoke a
> public key but refuse to specify why, it is because the private key has been
> seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
> 
> iQEVAwUBOviLgTkCAxeYt5gVAQGlTQgAiWYVbHi0AkhGG8Ho9sqTz0Kq4ES47g/6
> tGk6pcMEV1nChlpXw8n3Zg2Dh6hjOrV9TWHDWAiilyY8eIEWi9awwIkeA6K6nNyA
> EvDVbSgywKYpg+0hlHnmcpzKnSfeMs8g65U8v+ZQcCrOItCiqkD2b068bmd4+aop
> GDKR1bvaa7vLeVrRYcw4mdPr6MFa8VuRplWTOpuJg0l8N6MSHgYlaSTPCxOvNVjq
> vpNewWBFCrHxqs9RnBlDPNPBIFet4stOwo5wMxzrJvPAKaSDq37f/Q4n8NrpUp9I
> GUWEOlUNND716SaYrf7Gf0QjgHs+ra+/mJcKnXV9r0bHMPX+GAuTBg==
> =9B+D
> -----END PGP SIGNATURE-----


I am sure there are many here in these news groups who are most 
anxious to see some proof supporting your unfounded assertions.
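The adjacency statistic Hopwood describes in the quoted message is easy to measure, and the measurement below is an added example rather than anything from either poster. It is not OAP-L3's code: the page does not spell out the cipher's shuffling steps, so a stand-in weak shuffle (a handful of random transpositions) is used to show what an under-mixed permutation table looks like next to a Fisher-Yates shuffle. The reference value is exact: in a uniformly random permutation of N elements, two given originally adjacent elements end up next to each other (in either order) with probability 2/N.

```python
"""How often do originally adjacent table entries stay adjacent?
Added illustration; the weak shuffle is a hypothetical stand-in, not OAP-L3's method."""
import random


def fisher_yates(table, rng):
    """Uniform shuffle: every permutation equally likely."""
    t = list(table)
    for i in range(len(t) - 1, 0, -1):
        j = rng.randrange(i + 1)
        t[i], t[j] = t[j], t[i]
    return t


def weak_shuffle(table, rng, swaps):
    """Stand-in for an under-mixed table: only `swaps` random transpositions are applied,
    so most of the original ordering survives."""
    t = list(table)
    for _ in range(swaps):
        i, j = rng.randrange(len(t)), rng.randrange(len(t))
        t[i], t[j] = t[j], t[i]
    return t


def adjacent_fraction(perm):
    """Fraction of value pairs (v, v+1) that sit next to each other in perm."""
    pos = {v: i for i, v in enumerate(perm)}
    n = len(perm)
    kept = sum(1 for v in range(n - 1) if abs(pos[v] - pos[v + 1]) == 1)
    return kept / (n - 1)


def expected_fraction(n):
    """Value of adjacent_fraction for a uniformly random permutation of n elements."""
    return 2 / n


def measure(n=256, trials=200, swaps=32, seed=3):
    """Average adjacency fraction over `trials` freshly shuffled tables for each shuffler."""
    rng = random.Random(seed)  # fixed seed so the measurement is repeatable
    table = list(range(n))
    weak = sum(adjacent_fraction(weak_shuffle(table, rng, swaps)) for _ in range(trials)) / trials
    good = sum(adjacent_fraction(fisher_yates(table, rng)) for _ in range(trials)) / trials
    return weak, good
```

With a 256-entry table the Fisher-Yates average lands near 2/256, about 0.8%, while 32 transpositions leave roughly half of the original neighbours in place. A statistic this far from its expected value is exactly the kind of distinguisher the quoted message says should be cheap to build, and it needs no knowledge of the key material that produced the table.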

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
