Cryptography-Digest Digest #442, Volume #14 Fri, 25 May 01 19:13:00 EDT
Contents:
Re: Good crypto or just good enough? (Tom St Denis)
Re: A generic feistel cipher with hash and gf(257) mixers (Tom St Denis)
Re: Break on Schneiers first proposed "self-study cipher" (SCOTT19U.ZIP_GUY)
Re: A generic feistel cipher with hash and gf(257) mixers (Jim Steuert)
Re: Break on Schneiers first proposed "self-study cipher" (Tom St Denis)
Re: A generic feistel cipher with hash and gf(257) mixers (Tom St Denis)
Re: A generic feistel cipher with hash and gf(257) mixers (Jim Steuert)
Re: Good crypto or just good enough? (SCOTT19U.ZIP_GUY)
Re: Good crypto or just good enough? (Tom St Denis)
Re: A generic feistel cipher with hash and gf(257) mixers (Tom St Denis)
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Fri, 25 May 2001 22:06:11 GMT
"SCOTT19U.ZIP_GUY" wrote:
>
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <[EMAIL PROTECTED]>:
>
> >How can you say "small and fast" cannot be secure? That doesn't seem
> >too obvious to me. For example, an 8x8 lookup is fast and from a
> >statistical standpoint hard to attack (say when placed together with an
> >MDS, etc... ala Wide-Trail).
> >
>
> It's easy to say small and fast cannot be secure. Even you can say
> it. Just use that big mouth of yours. And what it means as a rule of
> thumb: if you know nothing else except that it's small and fast, it means
> not much complexity can be done to the plain text, so there it's more
> apt to be secure. Funny you question general rules like this
> yet you take it as religious faith that AES encryption will actually
> be very secure. Meaning the way it will be implemented in something
> like PGP it will be secure.
Hmm, this is completely not true. A function can be statistically
confusing and not complex.
Simply make Scottu19 a single instruction on a CPU. There, I disproved
your "lemma". Now Scottu19 is efficient and non-complex.
Serious block cipher design is more than just "big, messy and secure"; it
has to be "compact, nimble and secure".
> >See the diff between you and I? I bet you don't.
>
> Yes, you're a little kid without much real life experience
> who is still wet behind the ears and trusts the so-called
> crypto experts.
I admit I'm a bit of a doofus (i.e. tons of stuff to learn and experience
myself), but I don't explicitly trust "crypto experts" just because they
tell me to. For example, when in the Noekeon design they said "no 4R
differential with less than X amount of sboxes", I not only trusted them,
I checked it out myself (well, partially).
> >
> >The diff is I never claimed TC15a was any good for anything at all. I
> >don't recommend people to use it and I never claimed it was secure
> >against serious attacks.
> >
> >You claim your cipher is secure without analysis and without good
> >peer-review.
> >
>
> I claim it based on more secure principles than current ciphers
> in use. High error propagation.
All AES ciphers have high error propagation within the block size. They
were designed that way because real people asked for fixed block sized
ciphers.
> Hiding of input output pairs to the
> underlying block encryption.
This is impossible and you know it. You can't possibly hide the input
and output in a chosen plaintext attack (for example).
> Fully bijective if impedance matched.
> Treats the whole file as a single block, etc...
These are features but don't contribute to the security. An OTP works on
SINGLE bits and is provably secure. So what?
> That's not to say it cannot be broken. Just less likely than one
> designed to use a wimpy key. What I realize is that the ones
> you admire are just people who know a very narrow area of a big
> field. That doesn't make their small fast designs any better.
> I felt they could design a large key better than mine. But they
> don't. The NSA wants people to use simple ciphers. So they are
> constrained to be simple. Even your MR BS stated on this group
> a gem that is firmly implanted in your mind. He stated he felt
> it would be harder to design a big key cipher that was secure
> compared to his small key designs. I think you were among us when
> he did that. I am sure he worded it differently but that was
> the point behind it. If this wasn't a gem injected by the NSA
> to keep people dumb I don't know what is. Maybe he accidentally
> wrote it. Or maybe like me he had one beer too many that day.
No, I agree with Schneier that smaller key/block sized ciphers are
easier to design and easier to make secure. The problem with large key
ciphers is that you have to ensure proper key diffusion (and block data
diffusion) to avoid attacks. Look at the original SAFER+: it had key
problems because it didn't mix the 256-bit key quickly enough. However,
SAFER+ with a 192-bit key is secure against the same attack....
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 22:10:43 GMT
Jim Steuert wrote:
>
> Hi Tom,
> I'm not really truncating. What I am doing there is taking a 32-bit
> word A and breaking it into 4 8-bit values (A1,A2, A3, A4). Then I am
> multiplying the corresponding low order byte with the low order byte
> of the other 32-bit word B = (B1,B2,B3,B4). So the result is
> C = (C1,C2,C3,C4) where C1 = A1*B1 mod 257 (where A1 only
> has values 1 to 256, i.e. no zero, 1 is represented by the binary 8-bit
> 0x00)
Mults in GF(257) are not terribly nonlinear or differentially smooth. A
big reason why IDEA is secure is because of the larger field and the
non-commutable operations. The larger the field, the smoother the linear
and differential biases become over all possible multiplicands.
> Note that in C1 a binary 0 represents the GF(257) value 1.
> The purpose is to provide non-linearity only. The mixing is done quite
> well by the mix() algorithm. The purpose is to provide an invertible
> sha-1 type hash of the input value, followed by mixing the key, followed
> by another sha-1 type hash. The collision and pre-image resistance of
> sha-1 type hashes (improved with more boolean complexity and
> nonlinearity) should, I thought, provide a reasonable cipher.
Um, your cipher appears to be more like a Feistel afaik though, SHA-1 is
a UFN, yours is a BFN...
Tom
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Break on Schneiers first proposed "self-study cipher"
Date: 25 May 2001 22:09:58 GMT
[EMAIL PROTECTED] (Tom St Denis) wrote in <[EMAIL PROTECTED]>:
>
>First off he made money by providing a text that enables millions of
>people to learn about crypto. I feel that's not a "plug" on society.
>
I see it OK to SPAM if you make money.
>Second if you proposed BICOM professionally (like all real academia
>would have) he might have looked at it already. I imagine he's a busy
>person and doesn't follow sci.crypt too closely.
>
I didn't write BICOM. But I doubt Matt would have much
more luck presenting it than I did when the ACM people lied
about me being allowed to publish. Also it's hard to publish stuff
that's new or different. Much good stuff is not recognized till
years later. Working in the government I had a boss that tried
to publish some of my algorithms for inertial navigation update
methods. They never got anywhere; they were too different. However
much of my code is still in use. Many of my data reduction and
alignment techniques that are still in use never made it to a
publisher. It was just too different. I have been searching the
net to see if any of the methods Matt and I use for bijectiveness
in HUFFMAN and ARITHMETIC codes is out there. So far I have
not seen it. But I doubt if a DR DOBBS or any journal would accept
a write-up on it. Yes my writing is shitty. But when I worked
they had people who could spell and add commas and reword things
so that wasn't the reason back then. But I suppose in a few
years some BS equivalent in blessed compression circles will
do a write-up and they will drink a toast to him. Or maybe IBM
will like it and then say their existing patent covers all
use of it. Even though they never knew about it. Hell they have
to pay lawyers to do something. And legal stealing is what
most business is all about.
As for your buddy. My sources say he reads this stuff so there
is a good chance you could end up with a job through or from him.
All you have to do is keep telling the world how great he is.
>Third, I am not even close to being qualified to work for Counterpane.
>I don't have the requisite knowledge about how TCP, UDP, etc. protocols
>work, or even how to program them (outside of a limited WinSock 2 API).
>Also his company is in USCA, and if you remember I live in CAN ON.
>
Yes faking humility wins lots of points.
I know little of his company. If he's half as smart as
I think he is it would be a Nevada company. Also
companies never have enough money so they grow.
So just wait, you may get to work for him and stay
in Canada. Also you might try the CIA or NSA; I am sure
they could use young blood anywhere.
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 18:12:59 -0400
You are of course right about SHA-1, the 3x1 bit-sliced sboxes are
f1(x,y,z) = z ^ (x & (y ^ z))
f2(x,y,z) = x ^ y ^ z
f3(x,y,z) = (x & y) | (x & (x | y))
which are all invertible multipermutations (and balanced), i.e. their truth table
represents all 8 possible values. I believe that they are equivalent
to Bob Jenkins's mixing rounds, so calling them sboxes is not a valid
analogy for this example.
And even that still doesn't change the major point of this cipher, specifically,
that an invertible sha-1 type thing, followed by a key mixed in the middle
followed by another invertible sha-1 is a reasonable cipher.
Tom St Denis wrote:
> Jim Steuert wrote:
> >
> > Thanks, Tom.
> > I appreciate your feedback. These are just multipermutation
> > mixers, which is not equivalent to an sbox followed by an xor mixer.
>
> I analyzed your "GFinversion[256]" table for the DP/LP maxes not the
> multiplication. (GFinversion is not a 2,1-multipermutation)
>
> > I suspected that putting the nonlinearity in the mixer might be stronger
> > than putting it in an sbox whose output is connected to an xor mixer.
> > What led me to this thinking is a conventional hash function like SHA-1
> > (which does not have sboxes, and instead provides many rounds (80 in
> > that case) of mixing in lieu of sboxes. Even without nonlinearity
>
> SHA-1 does have sboxes btw. They are 3x1 bitsliced sboxes.
>
> > (except for rotates), I haven't heard of any SHA-1 weaknesses. I did
> > test 6 rounds of the modified mix() to show that its statistics are as good
> > as SHA-1. It's a simple (140 line) program which tested to make
> > sure every bit is independent (flipping any bit flips another with 50.0000%
> > prob.)
> > I also tested bit-pair correlation so that any pair of bits flipped with
> > a 25.0000% prob. These tests were over all 2^32 (4Gig) possible values
> > of a single input. Now I know that this is not the same as finding
> > differentials.
>
> Nope. Differentials are more specific than single bit flips. For
> example, the original TC15 passed the SAC test (this is the test I think
> you are doing) after four rounds, but I found a 1R differential
> (involving six bit flips I think) that could break it faster than brute
> force for four rounds.
>
> To find differentials you should look at your functions and see where
> differences can easily pass through. Off the top of my head I remember
> your GFinversion box is very weak against diff attacks, also you work
> with single bytes at a time in your mixing....
>
> Tom
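The two questions this exchange keeps circling around, whether Jim's GF(257) byte multiplier is a bijection for every fixed multiplier and how far its statistics are from the SAC-style "every bit flips 50%" test, can be checked directly. The following is an added Python example, not code from either poster. It uses the encoding Jim states (byte b stands for the field value b + 1, so 0x00 is 1 and 0xFF is 256) and computes the XOR difference distribution table, which is the object a differential search actually looks at; the function names (mul257, inv257, ddt_entry, best_differential) are this example's own.

```python
# Added example: Jim's GF(257) byte mixer under his stated encoding, plus the
# difference-distribution check behind Tom's "not terribly nonlinear" remark.
# Names (enc, dec, mul257, inv257, ddt_entry, ...) are this example's own.

P = 257  # GF(257): the integers 1..256 under multiplication mod 257


def enc(v):
    """Field value v in 1..256 -> byte (thread convention: byte 0x00 is the value 1)."""
    assert 1 <= v <= 256
    return v - 1


def dec(b):
    """Byte -> field value in 1..256 (inverse of enc)."""
    return b + 1


def mul257(a, b):
    """C1 = A1 * B1 mod 257, with both operands and the result as encoded bytes."""
    return enc((dec(a) * dec(b)) % P)


def inv257(a):
    """Multiplicative inverse in GF(257) under the same encoding (a GFinversion-style entry)."""
    return enc(pow(dec(a), P - 2, P))


def is_permutation(f):
    """True if the byte map f hits every value 0..255 exactly once."""
    return sorted(f(x) for x in range(256)) == list(range(256))


def ddt_entry(f, din, dout):
    """Number of inputs x (out of 256) with f(x) ^ f(x ^ din) == dout."""
    return sum(1 for x in range(256) if f(x) ^ f(x ^ din) == dout)


def best_differential(f):
    """Highest-probability XOR differential (din, dout, p) over nonzero din.
    p == 1.0 means the map carries some input difference to a fixed output
    difference for every input, i.e. it is affine along that difference."""
    best = (0, 0, 0)
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[f(x) ^ f(x ^ din)] += 1
        dout = max(range(256), key=counts.__getitem__)
        if counts[dout] > best[2]:
            best = (din, dout, counts[dout])
    return best[0], best[1], best[2] / 256


def constant_multiplier_report(k):
    """Bijectivity and best differential of x -> x * k (k an encoded byte)."""
    f = lambda x: mul257(x, k)
    return is_permutation(f), best_differential(f)


if __name__ == "__main__":
    for k in (0, 1, 255):  # field values 1, 2 and 256
        print("multiplier = field value %3d:" % dec(k), constant_multiplier_report(k))
    print("GF(257) inversion:", is_permutation(inv257), best_differential(inv257))
```

Every fixed multiplier is a permutation, which is the property the SAC-style test rewards. The difference table tells a different story: multiplying by the field value 2 sends the input difference 0x80 to the output difference 0x01 for all 256 inputs (the top bit decides whether the reduction mod 257 fires), and multiplying by 256 is just a complement of every bit. Those probability-1 differentials are invisible to a test that only counts how often individual bits flip.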
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Break on Schneiers first proposed "self-study cipher"
Date: Fri, 25 May 2001 22:15:53 GMT
"SCOTT19U.ZIP_GUY" wrote:
>
> [EMAIL PROTECTED] (Tom St Denis) wrote in <[EMAIL PROTECTED]>:
>
> >
> >First off he made money by providing a text that enables millions of
> >people to learn about crypto. I feel that's not a "plug" on society.
> >
>
> I see it OK to SPAM if you make money.
You see it as SPAM, 999,999 other people see it as news.
>
> >Second if you proposed BICOM professionally (like all real academia
> >would have) he might have looked at it already. I imagine he's a busy
> >person and doesn't follow sci.crypt too closely.
> >
>
> I didn't write BICOM. But I doubt Matt would have much
> more luck presenting it than I did when the ACM people lied
> about me being allowed to publish. Also it's hard to publish stuff
> that's new or different. Much good stuff is not recognized till
> years later. Working in the government I had a boss that tried
> to publish some of my algorithms for inertial navigation update
> methods. They never got anywhere; they were too different. However
> much of my code is still in use. Many of my data reduction and
> alignment techniques that are still in use never made it to a
> publisher. It was just too different. I have been searching the
> net to see if any of the methods Matt and I use for bijectiveness
> in HUFFMAN and ARITHMETIC codes is out there. So far I have
> not seen it. But I doubt if a DR DOBBS or any journal would accept
> a write-up on it. Yes my writing is shitty. But when I worked
> they had people who could spell and add commas and reword things
> so that wasn't the reason back then. But I suppose in a few
> years some BS equivalent in blessed compression circles will
> do a write-up and they will drink a toast to him. Or maybe IBM
> will like it and then say their existing patent covers all
> use of it. Even though they never knew about it. Hell they have
> to pay lawyers to do something. And legal stealing is what
> most business is all about.
I won't even comment on this.
> As for your buddy. My sources say he reads this stuff so there
> is a good chance you could end up with a job through or from him.
> All you have to do is keep telling the world how great he is.
I've never met him. Aside from an email I sent two years ago I doubt he
knows I exist.
> >Third, I am not even close to being qualified to work for Counterpane.
> >I don't have the requisite knowledge about how TCP, UDP, etc. protocols
> >work, or even how to program them (outside of a limited WinSock 2 API).
> >Also his company is in USCA, and if you remember I live in CAN ON.
> >
>
> Yes faking humility wins lots of points.
I'm being modest. It's knowing when to admit you are not qualified that
will earn you points in the community.
> I no little of his company. If hes half as smart as
> I think he is it would be a Nevada company. Also
> companies never have enough money so they grow.
> So just wait you may get to work for him and stay
> in Canada. Also you might try the CIA or NSA I am sure
> they could use young blood anywhere.
I won't comment on this aside from the fact that I think you should
look at a map sometime. The CIA/NSA do not exist in CAN ON.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 22:19:01 GMT
Jim Steuert wrote:
>
> You are of course right about SHA-1, the 3x1 bit-sliced sboxes are
> f1(x,y,z) = z ^ (x & (y ^ z))
> f2(x,y,z) = x ^ y ^ z
> f3(x,y,z) = (x & y) | (x & (x | y))
I don't know if you copied these right since F3 will simplify to (x&y) |
(x&y) = x&y.
> which are all invertible multipermutations (and balanced), i.e. their truth table
> represents all 8 possible values. I believe that they are equivalent
> to Bob Jenkins's mixing rounds, so calling them sboxes is not a valid
> analogy for this example.
And they are not invertible multipermutations. They are non-surjective
[*] 3,1-Multipermutations at best.
> And even that still doesn't change the major point of this cipher, specifically,
> that an invertible sha-1 type thing, followed by a key mixed in the middle
> followed by another invertible sha-1 is a reasonable cipher.
>
"is a reasonable cipher" is questionable. First, it's not efficient in
space or time. Second, it's not simple. Third, it hasn't been
analyzed. I wouldn't jump to conclusions so quickly.
[*] To the gurus: did I use the word "surjective" right there? I keep
forgetting...
Tom
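Whether the three functions were copied right is a question an eight-row truth table settles. The block below is an added Python example, not code from either poster: it evaluates f1, f2 and f3 exactly as posted, checks balance, and works out which inputs each one actually depends on. The maj() function is the published SHA-1 majority function, included only for comparison and not taken from the thread; the helper names are this example's own.

```python
# Added example: enumerate the truth tables of the three SHA-1 bitsliced
# functions exactly as posted, check balance, and find which inputs each one
# actually depends on.  maj() is the standard SHA-1 majority function,
# included only for comparison; helper names are this example's own.

from itertools import product


def f1(x, y, z):
    """As posted: z ^ (x & (y ^ z)).  This is SHA-1's Ch, i.e. x ? y : z."""
    return z ^ (x & (y ^ z))


def f2(x, y, z):
    """As posted: x ^ y ^ z.  This is SHA-1's Parity."""
    return x ^ y ^ z


def f3_as_posted(x, y, z):
    """As posted: (x&y) | (x&(x|y)).  Note x & (x | y) is just x."""
    return (x & y) | (x & (x | y))


def maj(x, y, z):
    """Standard SHA-1 Maj: (x&y) | (x&z) | (y&z)."""
    return (x & y) | (x & z) | (y & z)


INPUTS = tuple(product((0, 1), repeat=3))  # (x, y, z) in lexicographic order


def truth_table(f):
    """Output bit of f for each of the 8 inputs, in INPUTS order."""
    return tuple(f(x, y, z) & 1 for x, y, z in INPUTS)


def is_balanced(f):
    """A 3-to-1 Boolean function is balanced when exactly 4 of its 8 outputs are 1."""
    return sum(truth_table(f)) == 4


def depends_on(f):
    """Names of the inputs whose flip changes the output for at least one input."""
    names = ("x", "y", "z")
    used = set()
    for bits in INPUTS:
        for i, name in enumerate(names):
            flipped = list(bits)
            flipped[i] ^= 1
            if f(*bits) != f(*flipped):
                used.add(name)
    return used


def report():
    """Per-function summary: (truth table, balanced?, sorted list of inputs used)."""
    return {name: (truth_table(f), is_balanced(f), sorted(depends_on(f)))
            for name, f in (("f1", f1), ("f2", f2),
                            ("f3_as_posted", f3_as_posted), ("maj", maj))}


if __name__ == "__main__":
    for name, (tt, balanced, deps) in report().items():
        print("%-13s %s balanced=%s depends_on=%s" % (name, tt, balanced, deps))
```

The posted f3 is balanced, so a balance test alone would pass it, yet it depends on x only: its truth table is the projection onto x, and it never looks at y or z. Balance is a necessary property for these functions, not a sufficient one.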
------------------------------
From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 18:26:03 -0400
Actually, SHA-1 is invertible, and it is a feistel network. The initial
digest values a,b,c,d,e are equivalent to the data in a conventional
feistel cipher, and the digest data w[n-k], etc., are equivalent to a
key in a conventional feistel cipher. And sha-1 is multipermutation
invertible, i.e., given the initial values and output, the "key" data can
be produced; likewise, given the output value and "key" data, the
initial digest values can be produced.
But that is my point. If the "sandwich" construction that I propose
isn't a good conventional feistel cipher, then how can
sha-1 get away without good sboxes? (Okay, it may have to do
with the 80 rounds of sha-1).
Tom St Denis wrote:
> Jim Steuert wrote:
> >
> > Hi Tom,
> > I'm not really truncating. What I am doing there is taking a 32-bit
> > word A and breaking it into 4 8-bit values (A1,A2, A3, A4). Then I am
> > multiplying the corresponding low order byte with the low order byte
> > of the other 32-bit word B = (B1,B2,B3,B4). So the result is
> > C = (C1,C2,C3,C4) where C1 = A1*B1 mod 257 (where A1 only
> > has values 1 to 256, i.e. no zero, 1 is represented by the binary 8-bit
> > 0x00)
>
> Mults in GF(257) are not terribly nonlinear or differentially smooth. A
> big reason why IDEA is secure is because of the larger field and the
> non-commutable operations. The larger the field the smoother the linear
> and differential biases become over all possible multiplicands.
>
> > Note that in C1 a binary 0 represents the GF(257) value 1.
> > The purpose is to provide non-linearity only. The mixing is done quite
> > well by the mix() algorithm. The purpose is to provide an invertible
> > sha-1 type hash of the input value, followed by mixing the key, followed
> > by another sha-1 type hash. The collision and pre-image resistance of
> > sha-1 type hashes (improved with more boolean complexity and
> > nonlinearity) should, I thought, provide a reasonable cipher.
>
> Um, your cipher appears to be more like a Feistel afaik though, SHA-1 is
> a UFN, yours is a BFN...
>
> Tom
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Good crypto or just good enough?
Date: 25 May 2001 22:23:59 GMT
[EMAIL PROTECTED] (Tom St Denis) wrote in <[EMAIL PROTECTED]>:
>
>Simple make Scottu19 a single instruction on a cpu. There I disproved
>your "lemma". Now Scottu19 is efficient and non-complex.
Just like in K-complexity, there's more than a single instruction.
The real heart of scott19u is the keyenc.key file, which holds
the base 19X19 S table info. So you need at least a million bytes
just to hold that. You forget this is not your simple short key
weak kind of cipher.
>
>> Hiding of input output pairs to the
>> underlying block encryption.
>
>This is impossible and you know it. You can't possibly hide the input
>and output in a chosen plaintext attack (for example).
Well if you understood what "wrapped PCBC" is you would see
this is another one of your misconceptions. I feel it's a
strong feature of good secure encryption since you're correct
in your distorted view of the world. None of the blessed 3
letter approved NSA methods as used with DES would hide such
pairs. But Scott19u does hide them. A plain text attack would
not give them to you. The whole purpose of the Slide attack
was to just find these pairs.
Again to get back to the point you never answered: do you see
yet how a one byte output from BICOM could be one of many many
thousand of possible input messages, or is it still impossible in
your mind. Remember MR BS is watching. So either change to something
else or cleverly ignore this part of the message.
>
>> Fully bijective if impedanced matched.
>> Treats whole file as a single block. and etc...
>
>These are features but don't contribute to the security.
Really what makes you so sure?
>
>> Thats not to say it cannot be broken. Just less likely than one
>> dessigned to use a wimpy key. What I realize is that the ones
>> you admire are just people who know a very narrow area of a big
>> field. That does make there small fast designs any better.
>> I felt they could design a large key better than mine. But they
>> don't. The NSA wants people to use simple ciphers. So they are
>> constranted to be simple. Even your MR BS stated on this group
>> a gem that is firmly implanted in your mind. He stated he felt
>> it would be harder to design a big key cipher that was secure
>> compared to his small key desings. I think you were among us when
>> he did that. I am sure he worded it differently but that was
>> the point behind it. If this wasn't a gem injected by the NSA
>> to keep people dumb I don't know what is. Maybe he accidently
>> write it. Or maybe like me he had one beer to many that day.
>
>No, I agree with Schneier that smaller key/block sized ciphers are
>easier to design and easier to make secure. The problem with large key
>ciphers is that you have to ensure proper key diffusion (and block data
>diffusion) to avoid attacks. Look at the original SAFER+ it had key
>problems because it didn't mix the 256 bit key quickly enough. However,
>SAFER+ with a 192 bit key is secure against the same attack....
>
Good answer, he may hire you yet. He would be proud of you as
if you were his own son. Notice I said good, not correct.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Fri, 25 May 2001 22:30:27 GMT
"SCOTT19U.ZIP_GUY" wrote:
>
> [EMAIL PROTECTED] (Tom St Denis) wrote in <[EMAIL PROTECTED]>:
>
> >
> >Simple make Scottu19 a single instruction on a cpu. There I disproved
> >your "lemma". Now Scottu19 is efficient and non-complex.
>
> Just like in K-complexity, there's more than a single instruction.
> The real heart of scott19u is the keyenc.key file, which holds
> the base 19X19 S table info. So you need at least a million bytes
> just to hold that. You forget this is not your simple short key
> weak kind of cipher.
You forget that your million byte table was made by a 2kb piece of
code... Boowah.. one point for Tom.
So what. You are in the same boat as Twofish. Are the sboxes really
random or just a function of some key material and precomputed to save
time?
Your 19x19 table isn't a truly random 19x19; it's a table that was
shuffled and such by a shorter program...
>
> >
> >> Hiding of input output pairs to the
> >> underlying block encryption.
> >
> >This is impossible and you know it. You can't possibly hide the input
> >and output in a chosen plaintext attack (for example).
>
> Well if you understood what "wrapped PCBC" is you would see
> this is another one of your misconceptions. I feel it's a
> strong feature of good secure encryption since you're correct
> in your distorted view of the world. None of the blessed 3
> letter approved NSA methods as used with DES would hide such
> pairs. But Scott19u does hide them. A plain text attack would
> not give them to you. The whole purpose of the Slide attack
> was to just find these pairs.
>
> Again to get back to the point you never answered: do you see
> yet how a one byte output from BICOM could be one of many many
> thousand of possible input messages, or is it still impossible in
> your mind. Remember MR BS is watching. So either change to something
> else or cleverly ignore this part of the message.
Um differential attacks are worthless against CTR mode encryption too.
CTR is more efficient. Thus CTR wins.
> >> Fully bijective if impedanced matched.
> >> Treats whole file as a single block. and etc...
> >
> >These are features but don't contribute to the security.
>
> Really what makes you so sure?
Ok, reversal. You proposed the notion, what makes you so sure yourself?
> >> Thats not to say it cannot be broken. Just less likely than one
> >> dessigned to use a wimpy key. What I realize is that the ones
> >> you admire are just people who know a very narrow area of a big
> >> field. That does make there small fast designs any better.
> >> I felt they could design a large key better than mine. But they
> >> don't. The NSA wants people to use simple ciphers. So they are
> >> constranted to be simple. Even your MR BS stated on this group
> >> a gem that is firmly implanted in your mind. He stated he felt
> >> it would be harder to design a big key cipher that was secure
> >> compared to his small key desings. I think you were among us when
> >> he did that. I am sure he worded it differently but that was
> >> the point behind it. If this wasn't a gem injected by the NSA
> >> to keep people dumb I don't know what is. Maybe he accidently
> >> write it. Or maybe like me he had one beer to many that day.
> >
> >No, I agree with Schneier that smaller key/block sized ciphers are
> >easier to design and easier to make secure. The problem with large key
> >ciphers is that you have to ensure proper key diffusion (and block data
> >diffusion) to avoid attacks. Look at the original SAFER+ it had key
> >problems because it didn't mix the 256 bit key quickly enough. However,
> >SAFER+ with a 192 bit key is secure against the same attack....
> >
>
> Good answer, he may hire you yet. He would be proud of you as
> if you were his own son. Notice I said good, not correct.
Whatever. I gave evidence to support my point and you just belittle me
and point out useless information.
You know, if you were not the only poster in sci.crypt I would have
ignored you long ago.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 22:31:41 GMT
Jim Steuert wrote:
>
> Actually, SHA-1 is invertible, and it is a feistel network. The initial
> digest values a,b,c,d,e are equivalent to the data in a conventional
> feistel cipher, and the digest data w[n-k], etc, are equivalent to a
> key in a conventional feistel cipher. And sha-1 is multipermutation
> invertible, i.e, given the initial values and output, the "key" data can
> be produced, likewise, given the output value and "key" data, the
> initial digest values can be produced.
Yes, SHA is a feistel, it's a UFN or Unbalanced Feistel Network. What
you are proposing looked to me like a BFN or Balanced Feistel Network.
> But that is my point. If the "sandwich" constuction that I propose
> isn't a good convential feistel cipher, then how can
> sha-1 get away without good sboxes. (Okay, it may have to do
> with the 80 rounds of sha-1).
Um, 80 rounds of pretty much any round variant transform is secure.
Note that SHA wouldn't be an efficient cipher though.
Tom
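The invertibility claim Jim makes and Tom accepts (the SHA-1 step is a Feistel-style permutation of the state once the message word is known, so the state can be run backwards and the "key" word solved for) is easy to make concrete. The following is an added Python example, not code from either poster: one SHA-1 compression step, its exact inverse, and the word-recovery solve. The round functions, constants and initial state are the published SHA-1 ones; the helper names (step, unstep, recover_word, run) and the sample message words are this example's own. The caveat worth keeping in mind is that the one-wayness of the full hash does not come from these steps at all but from the feed-forward that adds the input chaining value to the output, which this step-level view leaves out.

```python
# Added example: one SHA-1 compression step and its exact inverse, showing
# that the step permutes the state (a, b, c, d, e) once the message word w
# and the round constant are known, and that w can be solved for from a
# known (before, after) state pair.  Round functions, constants and IV are
# the published SHA-1 values; helper names and sample words are this example's own.

MASK = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # SHA-1 round constants
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # SHA-1 initial state


def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def rotr(v, n):
    return rotl(v, 32 - n)


def f(t, b, c, d):
    """SHA-1 round function for step t: Ch, Parity, Maj, Parity (20 steps each)."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK
    if t < 40 or t >= 60:
        return b ^ c ^ d
    return (b & c) | (b & d) | (c & d)


def step(state, t, w):
    """Forward SHA-1 step t with expanded message word w."""
    a, b, c, d, e = state
    temp = (rotl(a, 5) + f(t, b, c, d) + e + K[t // 20] + w) & MASK
    return (temp, a, rotl(b, 30), c, d)


def unstep(state, t, w):
    """Inverse of step(): four words come back by plain moves/rotates, and the
    fifth is solved by subtracting the additive terms, all of which depend only
    on words already recovered.  This is what makes the step a permutation."""
    a2, b2, c2, d2, e2 = state
    a, b, c, d = b2, rotr(c2, 30), d2, e2
    e = (a2 - rotl(a, 5) - f(t, b, c, d) - K[t // 20] - w) & MASK
    return (a, b, c, d, e)


def recover_word(before, after, t):
    """Solve for w given the state on both sides of step t (Jim's 'key' recovery)."""
    a, b, c, d, e = before
    return (after[0] - rotl(a, 5) - f(t, b, c, d) - e - K[t // 20]) & MASK


def run(state, words, start=0):
    """Apply steps start, start+1, ... using the given words in order."""
    for i, w in enumerate(words):
        state = step(state, start + i, w)
    return state


def run_backwards(state, words, start=0):
    """Undo run(state, words, start) step by step, last word first."""
    for i in reversed(range(len(words))):
        state = unstep(state, start + i, words[i])
    return state


if __name__ == "__main__":
    # Constructed sample message words (not a real expanded message schedule).
    words = [(0x9E3779B9 * (i + 1)) & MASK for i in range(80)]
    out = run(IV, words)
    print("80 steps forward, 80 back, state restored:", run_backwards(out, words) == IV)
    print("word 0 recovered from states:", hex(recover_word(IV, step(IV, 0, words[0]), 0)))
```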
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************