Cryptography-Digest Digest #351, Volume #14 Mon, 14 May 01 09:13:01 EDT
Contents:
DSA, ECDSA, RSA (Gary Silverman)
Re: number theoretic SKEY scheme (Benjamin Goldberg)
Re: Comparison of Diff. Cryptanalysis countermeasures (Paul Crowley)
Re: Comparison of Diff. Cryptanalysis countermeasures (David Wagner)
Re: number theoretic SKEY scheme (David Wagner)
Re: Another keen symmetric cipher idea (Benjamin Goldberg)
Re: 3x4 grid of triangular numbers (Benjamin Goldberg)
Re: Weird Rijndael test vectors wanted (Simon Josefsson)
which public key algorithm is easy & gd to use? ("Hilda")
Re: which public key algorithm is easy & gd to use? (Bryan Olson)
Re: DES Crypto Myth?? (Tim Smith)
Re: Encryption/Hash Permissions (Mark Wooding)
Re: Finding similar modulus to N^x Mod M? (Mark Wooding)
Re: DES Crypto Myth?? (Mok-Kong Shen)
Re: Key escrow based on BBS ("Tom St Denis")
Re: SHA PRNG (Volker Hetzer)
[Q] About HMAC(Keyed-Hashing for Msg Auth) (Young Sang Kang)
Re: DES Crypto Myth?? (DJohn37050)
Re: which public key algorithm is easy & gd to use? (John Savard)
Re: Comparison of Diff. Cryptanalysis countermeasures (John Savard)
Re: DES Crypto Myth?? (Jim Gillogly)
Re: Comparison of Diff. Cryptanalysis countermeasures (John Savard)
Quadibloc IX described on web site! (John Savard)
----------------------------------------------------------------------------
From: Gary Silverman <[EMAIL PROTECTED]>
Subject: DSA, ECDSA, RSA
Date: Mon, 14 May 2001 00:15:55 -0500
Without starting a religious war, could anyone comment on relative speed
difference between the 3 NIST approved digital sign algorithms? Please
provide a reference if possible.
For each, I'm interested in:
signing speed
verifying speed
So, an example could be....
         RSA   DSA   ECDSA
sign      14    10      8
verify     2    20      4
The numbers indicate the time it takes for the operation to be done.
I realize that different implementations could alter actual performance
(in addition to all of the other things like what OS, what kind of
hardware, etc...). If anyone has experience using various platforms
that would be great too. But, I'm more interested in performance due to
the algorithm as opposed to the implementation.
Thanks kindly,
Gary
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: number theoretic SKEY scheme
Date: Mon, 14 May 2001 01:35:18 -0400
Tom St Denis wrote:
>
> SKEY afaik from AC2 is a password login scheme where you create a hash
> list
> i.e
>
> 1. H_0 is a random secret
> 2. for i from 1 to N do
> 2.1 H_i = hash(H_{i-1})
>
> You give out H_N and each time you login you give the previous hash.
> The idea is that you must be who you are since you know the input to
> the hash to give predetermined values. It also has the feature that
> it doesn't depend on user remembering entropy and the scheme has a
> limited life time (i.e N logins).
>
> I am thinking of a slightly different scheme. One where you replace
> hash with a square modulo a blum integer. By giving out the square
> root you prove you know some secret info. Use the integer as a BBS
> type thing where you give the N'th output (since you know the factors
> you can seek to there).
> Then as you login you just give out the N-r BBS output.
>
> That would be slower but wouldn't it depend on factoring the blum
> integer to crack it?
Considering the size of pq needed for security against factoring,
wouldn't it be better to use ECC?
1) P_0 is a secret random point.
2) for( i = 1 to N )
2.1) P_i = 2*P_(i-1)
This depends on the difficulty of the ECDLP, rather than the difficulty
of factoring. As a result, smaller numbers can give equal security.
Also, this, like the hash method, is only useful for N logins. Using
the squaring method, if you keep p and q, you can do infinite logins.
Of course, if someone manages to break ECDLP with a particular curve,
they could also do infinite logins.
--
Customer: "I would like to try on that suit in the window."
Salesman: "Sorry sir, you will have to use the dressing room."
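The hash-list login scheme quoted above, written out as server and client roles so the properties Tom lists (the server stores only H_N, a presented value is checked by one hash, a used value cannot be replayed, the chain is good for exactly N logins) can be seen running. This is an added example, not code from the thread; SHA-256 and the seed value are constructed choices.

```python
"""S/KEY-style hash chain: H_0 secret, H_i = hash(H_{i-1}), server holds H_N."""
import hashlib


def build_chain(h0: bytes, n: int) -> list:
    """Return [H_0, H_1, ..., H_N] with H_i = hash(H_{i-1})."""
    chain = [h0]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class Server:
    """Holds only H_N and a login counter; it never learns H_0."""

    def __init__(self, h_n: bytes, n: int) -> None:
        self.current = h_n       # last accepted value (H_N at enrolment)
        self.remaining = n       # the chain is good for exactly N logins

    def login(self, token: bytes) -> bool:
        if self.remaining == 0:
            return False         # chain exhausted: the user must re-enrol
        if hashlib.sha256(token).digest() != self.current:
            return False         # not the preimage of the stored value
        # A replayed token fails the check above next time, because the
        # stored value has moved one step down the chain.
        self.current = token
        self.remaining -= 1
        return True


class Client:
    """Knows H_0, regenerates the chain, and hands out H_{N-1}, H_{N-2}, ..."""

    def __init__(self, h0: bytes, n: int) -> None:
        self.chain = build_chain(h0, n)
        self.next_index = n - 1

    def enrol(self):
        """What the server gets at enrolment: H_N and the login budget N."""
        return self.chain[-1], len(self.chain) - 1

    def next_token(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted")
        token = self.chain[self.next_index]
        self.next_index -= 1
        return token


def run_session(h0: bytes, n: int) -> list:
    """N honest logins, then a replay of the first token (must be refused)."""
    client = Client(h0, n)
    server = Server(*client.enrol())
    results = [server.login(client.next_token()) for _ in range(n)]
    results.append(server.login(client.chain[n - 1]))
    return results


if __name__ == "__main__":
    print(run_session(b"constructed secret seed", 5))
```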
------------------------------
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Mon, 14 May 2001 05:34:12 GMT
[EMAIL PROTECTED] (David Wagner) writes:
> >Differential analysis assumes that you know the contents of the S-boxes.
>
> Not always, not necessarily.
> (although often key-dependent S-boxes seem to be more resistant
> to differential cryptanalysis)
Is there a classic paper on DC attacks on key-dependent S-boxes? I
note that Twofish takes care to make its key-dependent S-boxes DC
resistant.
--
__ Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
"Conservation of angular momentum makes the world go around" - John Clark
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: 14 May 2001 05:57:39 GMT
Paul Crowley wrote:
>Is there a classic paper on DC attacks on key-dependent S-boxes?
Not that I know of, but the usual failure mode seems to be the following:
The cipher has some higher-level structure that is susceptible to
differential cryptanalysis no matter how the S-boxes are instantiated.
In this case, even key-dependent S-boxes will not save you.
I don't know of any examples where ciphers using key-dependent S-boxes
got broken because the S-boxes turned out to have bad differential
properties for all keys (or for many keys), although of course that
doesn't prove anything.
In any case, from my point of view, the main attraction of key-dependent
S-boxes is *not* that they stop differential cryptanalysis. We already
know how to build ciphers that stop differential cryptanalysis cold.
The real attraction of key-dependent S-boxes, IMHO, is that they might
provide better defense against the attacks we don't know about today and
that the designers weren't able to anticipate. It is hard to design
for security when you don't know what tomorrow's attacks will look
like, but we'd like to get the odds on our side as much as possible,
and key-dependent S-boxes seem like they might be useful from this point
of view (maybe). But who knows? I could be entirely wrong.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: number theoretic SKEY scheme
Date: 14 May 2001 06:01:50 GMT
Benjamin Goldberg wrote:
>Considering the size of pq needed for security against factoring,
>wouldn't it be better to use ECC?
>
>1) P_0 is a secret random point.
>2) for( i = 1 to N )
>2.1) P_i = 2*P_(i-1)
This only works if you use an elliptic curve of Z/nZ where n is a
RSA modulus. In particular, this isn't secure with elliptic curves
over Z/pZ where p is prime, since squaring isn't a one-way function
in such curves (we can compute the group order m, so we can compute
k = 2^{-1} mod m, and then P_(i-1) = k*P_i). As a consequence, we
can't use smaller numbers, and ECC seems no better than squaring
modulo a RSA modulus.
On the other hand, if you're going to take square roots modulo a
RSA modulus, you might as well just use RSA or Rabin signatures and
be done with it. Public-key signature-based authentication protocols
can provide much better security than S/KEY offers.
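A toy reproduction of the check made in the reply above: on a curve over F_p the order m of the point is computable, so multiplying by k = 2^-1 mod m undoes the doubling step P_i = 2*P_(i-1), and the chain gives away its earlier values. Added example, not from the thread; the curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of order 19 is a standard textbook example chosen here because its order is prime (and therefore odd, so 2 is invertible mod m).

```python
"""Why P_i = 2*P_(i-1) over F_p is not one-way: doubling is inverted by 2^-1 mod m."""
from typing import Optional, Tuple

P_MOD, A, B = 17, 2, 2             # y^2 = x^3 + A*x + B over F_17 (toy curve)
INF = None                          # the point at infinity
Point = Optional[Tuple[int, int]]


def on_curve(p: Point) -> bool:
    if p is None:
        return True
    x, y = p
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p: Point, q: Point) -> Point:
    """Affine point addition, covering doubling and P + (-P) = O."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, p: Point) -> Point:
    """Double-and-add scalar multiplication k*P."""
    result = INF
    while k:
        if k & 1:
            result = add(result, p)
        p = add(p, p)
        k >>= 1
    return result


def point_order(p: Point) -> int:
    """Smallest m > 0 with m*P = O (brute force is fine for a toy curve)."""
    m, q = 1, p
    while q is not None:
        q = add(q, p)
        m += 1
    return m


def doubling_chain(p0: Point, n: int) -> list:
    """The proposed login chain: P_i = 2*P_(i-1), returns [P_0, ..., P_n]."""
    chain = [p0]
    for _ in range(n):
        chain.append(add(chain[-1], chain[-1]))
    return chain


def undo_doubling(p: Point, m: int) -> Point:
    """Given public P_i and the order m, return P_(i-1) = k*P_i, k = 2^-1 mod m.
    Needs m odd; pow() raises ValueError otherwise (then 2 is not invertible)."""
    k = pow(2, -1, m)
    return mul(k, p)


if __name__ == "__main__":
    G = (5, 1)
    m = point_order(G)
    pts = doubling_chain(G, 6)
    print(m, [undo_doubling(pts[i], m) == pts[i - 1] for i in range(1, 7)])
```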
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Another keen symmetric cipher idea
Date: Mon, 14 May 2001 02:44:22 -0400
Tom St Denis wrote:
[snip]
> Wait... with two chosen texts the attacker wins right since MC is
> known the only unknowns are kC, k and Rp? .... back to the drawing
> board...
If it can be broken with no less than 2 chosen texts, then if you
specify a chaining mode along with the cipher, and require that it be
used, it might be secure. For example, if CBC or IAPM is used with
this, can it be broken?
--
Customer: "I would like to try on that suit in the window."
Salesman: "Sorry sir, you will have to use the dressing room."
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles,alt.math.recreational,sci.math
Subject: Re: 3x4 grid of triangular numbers
Date: Mon, 14 May 2001 03:33:41 -0400
Robert Israel wrote:
[snip]
> >Uck. Is there any *simple* proof for this? And, how hard is it to
> >decompose an arbitrary large number?
>
> As Gauss remarks, M = x(x+1)/2 + y(y+1)/2 + z(z+1)/2 is equivalent to
> 8M+3 = (2x+1)^2 + (2y+1)^2 + (2z+1)^2
>
> i.e. writing an integer congruent to 3 mod 8 as the sum of three odd
> squares. Note that since the squares mod 8 are 0, 1 and 4, if an
> integer congruent to 3 mod 8 is the sum of three squares they must be
> odd. So it's enough to show that any integer congruent to 3 mod 8 is
> the sum of three squares. LeVeque's "Fundamentals of Number Theory"
> suggests in a note (after stating that the sums of three squares are
> all the positive integers not of the form 4^t(8k+7)):
>
> Somewhat simpler proofs have been found since: two of them are to
> be found in Landau [Elementary Number Theory] and Mordell [Diophantine
> Equations]. A proof using p-adic fields is given in Serre [A Course
> in Arithmetic].
The math seems a bit beyond my level. What about the second question?
--
Customer: "I would like to try on that suit in the window."
Salesman: "Sorry sir, you will have to use the dressing room."
------------------------------
From: Simon Josefsson <[EMAIL PROTECTED]>
Subject: Re: Weird Rijndael test vectors wanted
Date: 14 May 2001 09:38:30 +0200
"Brian Gladman" <[EMAIL PROTECTED]> writes:
> > > KEY=0000000000000000000000000000000000000000
> > > PT=00000000000000000000000000000000
> > > CT=32CB23EE8DEBD0D4E0983EE4D3318A5F
> > KEY=0000000000000000000000000000000000000000
> > PT=00000000000000000000000000000000
> > CT=94B434F8F57B9780F0EFF1A9EC4C112C
>
> These values are correct, the earlier ones quoted are wrong.
Thanks, I've corrected my implementation now. Here's a challenge:
Given the erroneous output above (first one), what simple
implementation mistake did I make? <g>
------------------------------
From: "Hilda" <[EMAIL PROTECTED]>
Subject: which public key algorithm is easy & gd to use?
Date: Mon, 14 May 2001 20:14:12 +1200
hi,
i'm currently doing a project for my yr 4 computer sys engineering degree.
i'll need to encrypt an application using hash function & public key
algorithm.
my partner & i have chosen to use md5 & planned to use RSA ...
is RSA gd & easy to use? any other suggestion?
thanks.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: which public key algorithm is easy & gd to use?
Date: Mon, 14 May 2001 01:24:46 -0700
Hilda wrote:
[...]
> my partner & i have chosen to use md5 & planned to use RSA ...
> is RSA gd & easy to use?
RSA is probably the easiest PK system to implement. For exactly
how to format things, see PKCS#1 at:
http://www.rsasecurity.com/rsalabs/pkcs/index.html
> any other suggestion?
Read "The Status of MD5 After a Recent Attack" by H. Dobbertin
in Cryptobytes vol 2 number 2, 1996. You can get it at:
http://www.rsasecurity.com/rsalabs/cryptobytes/
(Then switch to SHA-1.)
--Bryan
------------------------------
From: [EMAIL PROTECTED] (Tim Smith)
Subject: Re: DES Crypto Myth??
Date: 14 May 2001 01:59:47 -0700
Reply-To: Tim Smith <[EMAIL PROTECTED]>
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>On the other hand, the public crypto community does have
>the advantage of having a pool of academic researchers
>which is presumably significantly larger in size than
>that of the experts employed in any single secret agency.
Why do you presume that?
--Tim Smith
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Encryption/Hash Permissions
Date: 14 May 2001 09:17:00 GMT
JustSoft <[EMAIL PROTECTED]> wrote:
> We are interested in learning about:
>
> Hash: MD4, MD5, SHA (other Name SHS), SHA1,
> RipeMD128, RipeMD160, RipeMD256, RipeMD320,
> Haval (128, 160, 192, 224, 256) with Rounds,
> Snefru, Square, Tiger, Sapphire II (128, 160, 192, 224,
> 256, 288, 320)
Square is a block cipher, not a hash. I don't believe Snefru is
patented; I don't know about Sapphire II or Haval; the others definitely
aren't.
> Cipher: Gost, Cast128, Cast256, Blowfish, IDEA
> Mars, Misty 1, RC2, RC4, RC5, RC6, FROG, Rijndael,
> SAFER, SAFER-K40, SAFER-SK40,SAFER-K64, SAFER-SK64,
> SAFER-K128, SAFER-SK128, TEA, TEAN, Skipjack, SCOP,
> Q128, 3Way, Twofish, Shark, Square, Single DES, Double DES,
> Triple DES, Double DES16, Triple DES16, TripleDES24,
> DESX, NewDES, Diamond II, Diamond II Lite, Sapphire II
There is a patent covering CAST ciphers in general, but CAST128 and
CAST256 are free to use; MARS is in a similar position. IDEA, Misty,
RC5, RC6 are patented. Blowfish, FROG, Rijndael, the SAFER ciphers,
TEA, 3-Way, Twofish, Shark, and Square I know not to be patented. DES
was patented ages ago, but I believe that it was always free to use, and
the patent will have expired by now. I'm not aware of any reason anyone
might want to use NewDES. RC2 and RC4 are `trade secrets' of RSA
Security Inc. The others I don't know about.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Crossposted-To: sci.math
Subject: Re: Finding similar modulus to N^x Mod M?
Date: 14 May 2001 09:43:32 GMT
Ichinin <[EMAIL PROTECTED]> wrote:
> is there a paper somewhere regarding finding 2 or more similar
> exponents to:
>
> Secret = N^x Modulo M
More or less any book on elementary number theory.
> Q: is it possible to automatically deduce the a similar
> modulus by calculating it from the given values, hence
> getting the frequency of how often a similarly modulus
> occur?
Yes. N^x = N^y (mod n) iff x = y modulo the order of N mod n.
> An example:
>
> x = 2^1766 Mod 1999
>
> x is 1657.
OK. We note that \lambda{1999} = 1998 = 2 * 3^3 * 37. The order of 2
must divide 1998. Some work with a calculator reveals that 2^333 = 1
(mod 1999), and no smaller factor of 1999 has this property; hence the
order of 2 is 333.
> Another example:
>
> N = 2
> M = 81726137
> secret Exponent = 815312
> Exponent Modulo M = 69536232
> ----------------------------
> Frequency = 1316460 = 20(+) bits
81726137 = 31 * 1187 * 2221 is composite. \lambda{M} = \lcm(30, 1186,
2220) = 1316460 = 2^2 * 3 * 5 * 37 * 593. We see immediately that 2 is
primitive modulo 81726137, and its order is 1316460.
-- [mdw]
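The computation in the reply above, done by program rather than by calculator: factor the Carmichael function lambda(M), then strip prime factors from it while N^(e/p) is still 1 to get the order of N, which is the period the original question calls "frequency". Added example, not from the post; trial-division factoring is adequate for moduli of this size.

```python
"""Multiplicative order of N mod M via the Carmichael function lambda(M)."""
from math import gcd, lcm


def factor(n: int) -> dict:
    """Trial-division factorisation {prime: exponent}; fine for small moduli."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def carmichael(m: int) -> int:
    """lambda(M) = lcm of lambda(p^k) over the prime powers dividing M."""
    result = 1
    for p, k in factor(m).items():
        if p == 2:
            lam = 2 ** (k - 1) if k <= 2 else 2 ** (k - 2)
        else:
            lam = p ** (k - 1) * (p - 1)
        result = lcm(result, lam)
    return result


def order(n: int, m: int) -> int:
    """Smallest e > 0 with N^e = 1 (mod M); N^x = N^y (mod M) iff x = y (mod e)."""
    if gcd(n, m) != 1:
        raise ValueError("N must be invertible modulo M")
    e = carmichael(m)                  # the order always divides lambda(M)
    for p in factor(e):
        while e % p == 0 and pow(n, e // p, m) == 1:
            e //= p
    return e


def same_residue(n: int, m: int, x: int, y: int) -> bool:
    """Do exponents x and y give the same N^x mod M? Decided without powering."""
    return (x - y) % order(n, m) == 0


if __name__ == "__main__":
    for n, m in ((2, 1999), (2, 81726137)):
        print(n, m, factor(m), carmichael(m), order(n, m))
```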
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: DES Crypto Myth??
Date: Mon, 14 May 2001 12:00:12 +0200
Tim Smith wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >On the other hand, the public crypto community does have
> >the advantage of having a pool of academic researchers
> >which is presumably significantly larger in size than
> >that of the experts employed in any single secret agency.
>
> Why do you presume that?
I assume on plausibility grounds that there are more
people who prefer to serve the well-being of the general
public than otherwise (i.e. at least partly or sometimes
against that), just like in the modern era there are in
the whole world more people for democracy than those
who are happy to work for certain totalitarian powers.
M. K. Shen
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Key escrow based on BBS
Date: Mon, 14 May 2001 10:22:31 GMT
"Bryan Olson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
> > Bryan Olson wrote:
>
> > > Perhaps my statement of the property wasn't clear. When
> > > I wrote "one should be able to tell from the message..."
> > > I was using "message" to mean the things that get sent.
> > > In your scheme the message is: (y', ciphertext, final K).
> > >
> > > How can you tell from public information whether the final
> > > K value was properly computed?
> >
> > You mean the host?
>
> No, I mean what I wrote.
>
> > Simple, you clock K back (you can clock BBS forwards and
> > backwards) the required number of steps then see if the message
> > decrypts.
>
> With public information you can find a square root of K?
> Note that you didn't say anything about publishing the
> factorization of N, and doing so would destroy the system.
> Please do tell how.
What the heck? You're distorting everything I am saying. The only thing my
system provides is a way for the Host to read all messages too. It would be
hard to get away with faking the last K value.
Tom
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: SHA PRNG
Date: Mon, 14 May 2001 12:58:54 +0200
Joseph Ashwood wrote:
> Since a common hash to use is SHA-1 and the size is a worthless entry you
> can add 352 bits from a source that is at least partially entropic. The
> difficulty arises in proving that SHA-1 has no collision on a 160-bit input,
> that it remains uninvertible, and that there are no short cycles.
If, by collision you just mean two inputs leading to the same output, that's ok
for a prng because a pseudorandom function has to have this behavior.
As long as you cannot predict or provoke a collision it's just fine.
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: Young Sang Kang <[EMAIL PROTECTED]>
Subject: [Q] About HMAC(Keyed-Hashing for Msg Auth)
Date: Mon, 14 May 2001 20:18:44 +0900
Reply-To: [EMAIL PROTECTED]
Hi.
In RFC2104(HMAC: Keyed-Hashing for Message Authentication),
ipad and opad are defined like this
ipad = the byte 0x36 repeated B times
opad = the byte 0x5C repeated B times.
I'm curious to know whether 0x36 and 0x5C are magic numbers or not.
Just nothing?
Thanks, in advance.
--
% DCS Lab, Dept. of CSE, Seoul Nat'l Univ., Korea
% <mailto:[EMAIL PROTECTED]>
------------------------------
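The RFC 2104 construction the question refers to, built directly from hashlib with the ipad/opad constants as the RFC defines them (0x36 and 0x5C repeated B times, B the hash's block size in bytes), including the key-length rule (keys longer than B are hashed first, shorter keys zero-padded to B), and cross-checked against Python's hmac module. Added example, not from the post.

```python
"""HMAC as RFC 2104 defines it: H(K XOR opad, H(K XOR ipad, text))."""
import hashlib
import hmac


def rfc2104_hmac(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """Compute HMAC-<hash_name>(key, text) from the RFC 2104 definition."""
    block = hashlib.new(hash_name).block_size   # B: 64 bytes for MD5 and SHA-1
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()   # long keys are hashed first
    key = key.ljust(block, b"\x00")                  # then zero-padded to B bytes
    ipad = bytes([0x36] * block)
    opad = bytes([0x5C] * block)
    k_ipad = bytes(k ^ p for k, p in zip(key, ipad))
    k_opad = bytes(k ^ p for k, p in zip(key, opad))
    inner = hashlib.new(hash_name, k_ipad + text).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against the library implementation (constant-time compare)."""
    return hmac.compare_digest(rfc2104_hmac(key, text, hash_name),
                               hmac.new(key, text, hash_name).digest())


if __name__ == "__main__":
    # Vector from the RFC 2104 appendix: key "Jefe", HMAC-MD5.
    print(rfc2104_hmac(b"Jefe", b"what do ya want for nothing?", "md5").hex())
```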
From: [EMAIL PROTECTED] (DJohn37050)
Date: 14 May 2001 11:48:54 GMT
Subject: Re: DES Crypto Myth??
I think I remember Don Coppersmith saying that the "T" stood for "twiddle" or
some such. Also that the peel back methods on the first and last rounds of DES
were not known 20 years ago, but that 16 rounds were deliberate as a safety
measure against the twiddle.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: which public key algorithm is easy & gd to use?
Date: Mon, 14 May 2001 12:26:54 GMT
On Mon, 14 May 2001 01:24:46 -0700, Bryan Olson <[EMAIL PROTECTED]>
wrote, in part:
>RSA is probably the easiest PK system to implement.
I'd tend to say that Diffie-Hellman is even easier, because you can
use one fixed prime, so you don't need to write a primality tester,
_only_ routines to do multiprecision arithmetic. Of course, that
assumes you only need encryption, and not signatures, because in that
case RSA is easier to understand.
John Savard
http://home.ecn.ab.ca/~jsavard/
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Mon, 14 May 2001 12:29:29 GMT
On 14 May 2001 05:57:39 GMT, [EMAIL PROTECTED] (David Wagner)
wrote, in part:
>In any case, from my point of view, the main attraction of key-dependent
>S-boxes is *not* that they stop differential cryptanalysis. We already
>know how to build ciphers that stop differential cryptanalysis cold.
>The real attraction of key-dependent S-boxes, IMHO, is that they might
>provide better defense against the attacks we don't know about today and
>that the designers weren't able to anticipate. It is hard to design
>for security when you don't know what tomorrow's attacks will look
>like, but we'd like to get the odds on our side as much as possible,
>and key-dependent S-boxes seem like they might be useful from this point
>of view (maybe). But who knows? I could be entirely wrong.
I'd tend to agree that key-dependent S-boxes may provide protection
against more than differential cryptanalysis. But of the methods that
_do_ provide this protection, key-dependent S-boxes are certainly
easier to understand by nontechnical people than most of the other
methods.
John Savard
http://home.ecn.ab.ca/~jsavard/
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: DES Crypto Myth??
Date: Mon, 14 May 2001 05:47:36 -0700
Mok-Kong Shen wrote:
>
> Tim Smith wrote:
> >
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > >On the other hand, the public crypto community does have
> > >the advantage of having a pool of academic researchers
> > >which is presumably significantly larger in size than
> > >that of the experts employed in any single secret agency.
> >
> > Why do you presume that?
>
> I assume on plausibility grounds that they are more
> people who prefer to serve the well-being of the general
> public than otherwise (i.e. at least partly or sometimes
> against that), just like in the modern era there are in
> the whole world more people for the democracy than those
> who are happy to work for certain totalitarian powers.
I don't find these "plausibility grounds" compelling. I suspect
you will find that government researchers in black chambers around
the world feel they too are serving the well-being of the general
public... or at least the well-being of the public of their country.
I don't find your last half compelling, either: people generally find
that by some startling coincidence their loyalty lies with the country
where they were raised. Most Chinese cryppies will feel that their
work will best be used in the service of China's interest; similarly
for Russians, Israelis, French and Germans, irrespective of the
nature of their government.
I would be more persuaded by comparisons of the number of people
trying to publish in refereed crypto conferences and journals with
(say) Bamford's estimates of the number of crypto researchers at NSA.
No, I'm not motivated to look up these numbers myself.
--
Jim Gillogly
Trewesday, 23 Thrimidge S.R. 2001, 12:40
12.19.8.3.19, 1 Cauac 17 Uo, Seventh Lord of Night
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Mon, 14 May 2001 12:58:26 GMT
On Mon, 14 May 2001 03:23:40 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:
>I have the description ready, but FTP problems are preventing me from
>uploading it to my site.
The problems have now been corrected, and Quadibloc IX is described
at:
http://home.ecn.ab.ca/~jsavard/crypto/co040714.htm
John Savard
http://home.ecn.ab.ca/~jsavard/
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Quadibloc IX described on web site!
Date: Mon, 14 May 2001 13:10:56 GMT
Well, after having a long rest, I've come up with a new cipher design:
http://home.ecn.ab.ca/~jsavard/crypto/co040714.htm
This time, I've decided to give people a sporting chance to prove it
insecure: the design has only four rounds.
However, the classic Quadibloc f-function is executed *ten times* in
each round, so the resulting cipher is only about as fast as
double-DES.
It has a 128-bit block size.
Earlier, in the thread "Back to the Drawing Board", I noted that I was
playing with the idea of using a 5 of 10 code to control an ICE-style
swap in a cipher that divided a 256-bit block into two parts, one 160
bits in length, and the other 96 bits in length. Thus, two radically
different cipher structures would be applied to the block.
Later, I considered taking key-dependent polymorphism even further
than Quadibloc VIII, by dividing the right portion of the block into
three pieces, and performing three operations on them, either in the
order (1,2,3),(2,3,1),(3,1,2) or the order (1,3,2),(2,1,3),(3,2,1) so
that in each of three steps, all three operations are performed -
protecting against power consumption attacks - yet there are six
algorithmic possibilities.
But instead, Quadibloc IX is a return to simplicity. Only one
encryption operation, the classic Quadibloc f-function (with the extra
key-dependent S-box layer introduced in Quadibloc II, and with the
particular arrangement of fixed S-box use to prevent subblock whole
byte rotation symmetry used in Quadibloc VIII) is used.
What makes me hope that Quadibloc IX is any good?
Its special feature is that it uses indirection. In Quadibloc II, the
encryption of one 64-bit half of the block produces intermediate
results that are used to control the encryption of the other half in a
nonlinear fashion, through selecting S-boxes and the like.
Here, I instead use the intermediate results on one half of the block
to produce the subkeys used to encrypt the other half. But I don't
just use them as subkeys.
Instead, I take the intermediate results, and the first thing I do
with them is encrypt them. (This follows an idea in a paper which
states that using a Feistel structure as an f-function blocks
differential cryptanalysis.)
But then I use the result of that encryption as subkeys for encrypting
two subkeys, and then the encrypted subkeys are used in encrypting the
other half of the block. I also make use of fixed subkeys, and of XORs
of available intermediate results; this latter thing is perhaps
dangerous, since it connects back to earlier parts of the round, and
could conceivably be a weakness under some circumstances. I think,
though, in this case I've been careful, and the complication will
help, not hurt.
John Savard
http://home.ecn.ab.ca/~jsavard/
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************