Cryptography-Digest Digest #249, Volume #10 Thu, 16 Sep 99 17:13:07 EDT
Contents:
Re: Mystery inc. (Beale cyphers) (Roger Fleming)
Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out (Andrea Chen)
Re: Comments on ECC (Alex)
Re: Ritter's paper (Sundial Services)
Re: Okay "experts," how do you do it? (Roger Fleming)
Re: The good things about "bad" cryptography (Tom St Denis)
Okay "experts," how do you do it? (Sundial Services)
Re: Exclusive Or (XOR) Knapsacks (David Wagner)
Re: Second "_NSAKey" (David Wagner)
Re: The good things about "bad" cryptography (John Savard)
Re: Okay "experts," how do you do it? (John Savard)
Re: More New Stuff COMPRESS before ENCRYPT (Tom St Denis)
Re: The good things about "bad" cryptography (jerome)
Re: SCOTT19U.ZIP_GUY/Questions Please (Tom St Denis)
Current US Export Law (Bill Lynch)
Re: The good things about "bad" cryptography (John Savard)
Re: Ritter's paper (John Savard)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Roger Fleming)
Subject: Re: Mystery inc. (Beale cyphers)
Date: Thu, 16 Sep 1999 18:53:22 GMT
[EMAIL PROTECTED] (Curt Welch) wrote:
[...]
>Here's the decoded #2 document (you have to add the spaces):
>ihavedepositedinthecountyofbedfordaboutfourmilesfrombufordsinane_cavationor
>vaultsi_feetbelowthesurfaceofthegroundthefollowingarticlesbelongingjointlyt
>othepartieswhosenamesaregiveninnumberthreeherewiththefirstdepositconsistcdo
>ftenhundredandfourteenpoundsofgoldandthirtyeighthundredandtwelvepoundsofsil
>verdepositednoveighteennineteenthesecondwasmadedeceighteentwentyoneandconsi
>stedofnineteenhundredandsevenpoundsofgoldandtwelvehundredandeightyeightofsi
>lveralsojewelsobtainedinstlouisine_changetosavetransportationandvaluedatthi
>rteenrhousanddollarstheaboveissecurelypackedinironpotswithironcoversthevaul
>tisroughlylinedwithstoneandthevesselsrestonsolidstoneandarecoveredwithother
>spapernumberonedescribesthce_actlocalityofthevarltsothatnodifficultywillbeh
>adinfindingit[...]
Hmm. Given the current discussion about the possible bogosity or otherwise of
the Beale Ciphers #1 & #3, it is interesting to read the text of #2 with a
slightly skeptical eye. To me, even without looking at Beale #1 and #3 the
cleartext of Beale #2 looks like a good candidate for a hoax! Consider:
1. The quantity of treasure: some 1.3 metric tonnes of gold (value today,
around $US 18 million) and 2.3 tonnes of silver (a little under half a
million), plus gems (wildly guessing average CPI over the last 178 years at
3%, somewhere around several million). This is a _huge_ hoard of treasure;
quite enough to make the suckers salivate and run out and buy pamphlets. So
much, in fact, that you really wonder where the conspirators got the money,
where they got the metal (IIRC, we are 29 years before the discovery of gold
in USA), and - if wealthy merchants - what the heck they were doing burying it
instead of investing.
2. Transportation. I don't know where Bufords/Bedford are, but St Louis is
Illinois/Missouri, and there is no county of Bedford in either of those
states. Unless the county names have changed, nearly 5 tonnes of precious
metal were carted at least 200km either crosscountry or on the Mississippi (we
are 11 years before the first commercial railroad in the USA, and only a few
years after _starting_ work on the _first_ road to Illinois, which doesn't
actually reach St Louis). If the destination lies near the Mississippi,
steamboats may have been used; but I am not sure how easy they were to catch
in 1819, for the first steam powered trip on that river was in 1812, and the
trade didn't take off till the 1830s. This transport task was supposedly
undertaken in secret, without theft, mishap or discovery, in wild frontier
land.
3. The purchase of jewels. St Louis was incorporated a city in 1822, with a
population of 5000 souls, native Americans not included. In the 1840s it had a
massive influx of European migrants so that by 1860, it had become a thriving
commercial centre of over 160,000. It is highly doubtful that in 1821, the St
Louis exchange (if it even existed) could handle a precious stones deal of
such a size: stones worth 0.1% of the total sum paid for the entire Louisiana
territory 16 years prior. But at the time the pamphlet was published, a hoaxer
unfamiliar with the city's history might not have given the possibility a
second thought.
4. Why do it? In 1819 & 1821 the US was at peace with its neighbours, with no
war in sight for decades, and the economy was expanding rapidly. Burying a
very large sum of precious metal at this time makes no sense at all. I'm open
to ideas, but all I can think of is that the hoard was stolen, and the thieves
were waiting for the heat to die down. In that case, why haven't we heard of
the Bullion Heist of 1819, and the Even Greater Bullion Heist of 1821?
5. Why three documents? It makes perfect sense if it's a hoax; #2 is the bait
(list of tasty treasure, plus brief description of other documents) and #1 is
the trap (the enciphered location, for which you need to buy the pamphlet).
Can anyone think of any other good reason to have three separate documents, in
different ciphers? (OK, limiting ciphertext under one key; but do we really
claim the cipherer knew that sort of stuff?) Note that any explanation will
also need to explain why document #2 needed to explicitly state that the
location was to be found in #1, when a legitimate recipient would have found
that out before he even read #2.
6. Active voice, first person. Why was this done by 'I' - one person - when
there are known to be several conspirators, and such an excavation would most
likely have taken a couple of mandays (at least) within 4 miles of an
inhabited place. Unless they all took a turn on the pick, they would certainly
be discovered. In that case, "We have deposited..." OK, this is a weak point,
but it's yet another point.
All in all, I would be gravely skeptical of the Beale ciphers even without the
alphabet runs being found in Beale #1. It might be possible to explain the
alphabet runs without hoaxing, but in conjunction with the general dubiousness
of Beale #2 it is most likely they are just what they seem - the hoaxer
getting tired, or lazy.
------------------------------
From: Andrea Chen <[EMAIL PROTECTED]>
Crossposted-To: rec.arts.sf.written,alt.cyberpunk
Subject: Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out
Date: Thu, 16 Sep 1999 10:43:22 -0700
>
> Except that it changes nothing from the present day.
>
> Present-day, the US could easily offer a reward on Saddam Hussein's head.
> Some large sum of US dollars, payable in cash at a secret location or
> whatever. With the cooperation of both sides of the exchange, one of which
> is a government for crying out loud, tracing it isn't a realistic option.
> The problem is that anyone who attempts to kill Saddam is likely to fail.
>
The problem is that it's against the law to assassinate foreign
leaders. The bigger problem is people like you who think the government
should ignore this law cause after all we're killing bad people. Yet
this ugly, underground shit has a habit of coming back to haunt us.
------------------------------
From: Alex <[EMAIL PROTECTED]>
Subject: Re: Comments on ECC
Date: 16 Sep 1999 16:22:20 -0400
> Alex's query about whether ECC's properties are really proven
> (whatever *that* means...)
I meant is there a mathematical proof that the time-complexity of any
algorithm for solving an ECDLP is asymptotically at least exponential in
the size of the finite field over which the EC is defined. The post I
was responding to asserted that solving an ECDLP is much harder than a
hard factoring problem of the same size, and I was wondering whether
this assertion was absolute, or relates only to current algorithms for
solving ECDLP's.
Alex.
------------------------------
Date: Thu, 16 Sep 1999 12:44:45 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Ritter's paper
Douglas A. Gwyn wrote:
>
> Patrick Juola wrote:
> > My understanding is that there are other cyphers -- the Rip van Winkle
> > cypher leaps to mind -- that are "provably secure" in the sense of a
> > proven lower bound on the work factor.
>
[...]
> But one can iterate (compose, concatenate) such encryptions in a
> way that raises the relative work factor to any arbitrary level.
> There actually are implementations of this approach in real systems.
I suspect that the weakest link in most crypto implementations is not
the cipher but the key-management. I mean, if you know that the
fundamental key is, as it probably is, a text-string in printable ASCII
and probably a word out of a dictionary, or some phrase (etc...) as is
probably the case 99.9% of the time -- then THAT is how I would go about
attacking almost -any- cipher.
It don't matter how thick the steel is on the door, if you can open the
darn thing just by saying "Fritos."
------------------------------
From: [EMAIL PROTECTED] (Roger Fleming)
Subject: Re: Okay "experts," how do you do it?
Date: Thu, 16 Sep 1999 19:24:16 GMT
[EMAIL PROTECTED] wrote:
>Okay, "putup or shaddup ..." :-) :-)
>
>I see lots of articles, written by experts, who say that only experts
>can evaluate the quality of a cipher ...
I think you are mixing up two common statements here. It _is_ commonly said
that only expert cryptanalysts are much good at designing new ciphers. It is
also sometimes said that the only way we really have of evaluating security is
to allow experts to examine the cipher for a long time.
This isn't at all the same thing as saying that only an expert can evaluate
the quality of a cipher; anyone can discover an attack and thereby illustrate
a strength (or weakness) of the cipher; it's just that 'experts' are the
people who've shown that they are pretty good at finding attacks. (And of
course, there are other aspects to quality apart from security, that any
programmer can quickly evaluate).
>if they have the time, which
>they usually don't unless there's a research paper in it. Yada, yada,
>yada.
>Okay, experts, "put up or shaddup" :-) :-) ... how do you do it?
>How DO you determine that a cipher is or isn't a good one? How DO you
You try to attack it. If a lot of people who know what they are doing look at
it for several years and find no flaws, it is _believed_ to be pretty good;
there are very few proofs available, just trial by fire.
Sometimes an algorithm might be rejected as weak even though a complete attack
hasn't been found, but because the algorithm has certain features (eg
linearity, poor diffusion, highly regular key schedule, etc) that are known to
be characteristic of weak algorithms. An algorithm might also be rejected as
'possibly secure but worthless' if it is very slow or very memory hungry,
without any apparent compensatory advantages.
>conclude that it is or isn't snake oil? What IS it that you've learned
>that makes you qualified to pass judgement on a crypto-algorithm that no
>one else can do the same??
Passing judgement as secure is a matter of consensus over time, NO one person
can do it.
Passing judgement as insecure just requires an attack; ANYone can do it, you
don't need any qualifications. It's just that the people good at doing attacks
come to be considered experts.
If you want to learn more about finding attacks, you'll find a self-study
course at
http://www.counterpane.com/self-study.html
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: The good things about "bad" cryptography
Date: Thu, 16 Sep 1999 19:36:36 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] () wrote:
> There are two schools of thought about how to choose a cipher to securely
> encrypt your messages.
>
> On the surface, it doesn't seem very hard to decide which one you should
> follow.
>
> One school of thought notes that many new cipher designs have turned out,
> after brief examination, to be seriously flawed. Hence, because of this
> high risk, it is not advisable to rely on any cipher that hasn't been
> subjected to extensive study by the foremost experts in the open academic
> world.
>
> Another school of thought notes things like this:
>
> - if an attacker doesn't know the algorithm being used, he will have a
> harder time of even beginning an attack;
>
> - most well-known algorithms have key sizes that are just enough to resist
> a brute-force search, even though it's not difficult to increase the key
> size for a symmetric algorithm by an order of magnitude;
>
> - no amount of study can prove that the crack for an algorithm isn't just
> around the corner, and such a crack seems likelier to be both found and
> publicized for a well-known algorithm if it exists.
>
> Despite the fact that the advocates of the first viewpoint are among the
> most respected authorities in the field, while variations of the second
> viewpoint have often been raised by people who are, or who resemble,
> cranks and crackpots,
>
> the irritating fact is that the points cited here under the second point
> of view _are all valid_.
>
> Since the basis for the first point of view is *also* valid, this isn't an
> argument for abandoning it. But if security is the goal, we do have to
> widen our horizons. Multiple encryption allows us to do so, to address the
> concerns of the second point of view while still addressing those of the
> first.
One point you missed is that no matter what cipher you use if the system is
flawed it won't matter. I don't think choosing a secure system is as simple
as saying I use 3des with RSA ... (ala pgp) or Blowfish or etc...
Most of the time real systems are not broken via math flaws ... cuz really
the math out there is good. Take RC5 for example there exists an attack
(currently known) but it's not really going to be used any time soon. If I
use a bad rng for the keys do you really need to break rc5 first?
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
Date: Thu, 16 Sep 1999 12:42:03 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Okay "experts," how do you do it?
Okay, "putup or shaddup ..." :-) :-)
I see lots of articles, written by experts, who say that only experts
can evaluate the quality of a cipher ... if they have the time, which
they usually don't unless there's a research paper in it. Yada, yada,
yada.
Okay, experts, "put up or shaddup" :-) :-) ... how do you do it?
How DO you determine that a cipher is or isn't a good one? How DO you
conclude that it is or isn't snake oil? What IS it that you've learned
that makes you qualified to pass judgement on a crypto-algorithm that no
one else can do the same??
:-)
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Exclusive Or (XOR) Knapsacks
Date: 16 Sep 1999 12:27:28 -0700
In article <%_8E3.290$gE.6812@stones>, Gary <[EMAIL PROTECTED]> wrote:
> Problem:
> Given an n bit number X and a set {B1,B2,...,Bn} of n bit numbers; is there a
> subset whose elements collectively XORed give X?
>
> Can the general problem be solved easily?
Yes. Gaussian elimination will solve it in O(n^3) time.
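
An added sketch of the approach named in the reply above (not code from the thread): each number is treated as a bit vector over GF(2), the set is reduced to a basis by elimination, and a mask records which of the original B_i make up each basis vector so the subset can be read back. The function names and the 4-bit sample values are constructed for illustration.

```python
def solve_xor_knapsack(target, numbers):
    """Return indices of a subset of `numbers` whose XOR equals `target`,
    or None if no such subset exists.

    Gaussian elimination over GF(2): `basis` maps a leading-bit position to
    (value, mask), where `mask` has bit j set iff numbers[j] was XORed in to
    produce `value`. Invariant: XOR of numbers[j] over mask bits == value.
    """
    basis = {}
    for i, value in enumerate(numbers):
        mask = 1 << i
        while value:
            pivot = value.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (value, mask)   # new independent vector
                break
            bvalue, bmask = basis[pivot]
            value ^= bvalue                    # clear the leading bit
            mask ^= bmask                      # track which inputs were used
        # value == 0 here means numbers[i] was linearly dependent; skip it.

    # Reduce the target against the basis, accumulating the inputs used.
    value, mask = target, 0
    while value:
        pivot = value.bit_length() - 1
        if pivot not in basis:
            return None                        # target is outside the span
        bvalue, bmask = basis[pivot]
        value ^= bvalue
        mask ^= bmask
    return [i for i in range(len(numbers)) if (mask >> i) & 1]


def xor_subset(numbers, indices):
    """XOR together numbers[i] for each i in indices (used to check a result)."""
    acc = 0
    for i in indices:
        acc ^= numbers[i]
    return acc


# Constructed sample: four 4-bit numbers of rank 3 (the third is the XOR of
# the first two), so exactly half of all 4-bit targets are reachable.
SAMPLE = [0b1011, 0b0110, 0b1101, 0b0011]

if __name__ == "__main__":
    for x in (0b1110, 0b0001):
        subset = solve_xor_knapsack(x, SAMPLE)
        if subset is None:
            print(f"X={x:04b}: no subset")
        else:
            picked = " ^ ".join(f"{SAMPLE[i]:04b}" for i in subset)
            print(f"X={x:04b}: {picked}")
```

With n numbers of n bits each, every input is reduced against at most n basis vectors using n-bit XORs, which gives the O(n^3) bit-operation bound.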
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Crossposted-To: talk.politics.crypto
Subject: Re: Second "_NSAKey"
Date: 16 Sep 1999 12:33:06 -0700
In article <7rrd9v$oge$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> All applications should do integrity checking on themselves, so that
> inserting a few NOPs will not work.
Integrity checking is very hard (roughly speaking, impossible)
to do well; and anyway, in real life, nobody does it.
So it's irrelevant to the "_NSAKEY" debate...
> More importantly, it seems to me that the number of security
> applications is intractable.
The number of security applications that use CryptoAPI is not
that large. (As for the rest, they're not relevant, because
the "_NSAKEY" couldn't be used to compromise them anyway.)
Anyway, if you spike MSIE, Netscape, MS-Office, and PGP, that
probably accounts for 99% of all encrypted traffic. (I may not
have the list exactly right, but the point is that 1% of the
apps probably account for 99% of the ciphertext.)
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The good things about "bad" cryptography
Date: Thu, 16 Sep 1999 19:42:52 GMT
"Steven Alexander" <[EMAIL PROTECTED]> wrote, in part:
>I am not against the use of multiple algorithms as it does mean that only a
>fraction of your messages will be uncovered if one of the algorithms is
>cracked.
I'm in favor of using multiple algorithms one after the other. What
you're referring to is Terry Ritter's idea. I agree that one shouldn't
use algorithms that haven't been analyzed to some extent, and I'm sure
he does too.
However, I go further than that: one shouldn't use, alone, algorithms
that haven't been analyzed to the intense extent that Bruce Schneier
recommends. But, because there aren't many such algorithms, and those
we have are limited in key size and in other ways, I think we have to
also use, in addition, a layer of less proven algorithms to get these
*other* desirable characteristics - even if they are secondary.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Okay "experts," how do you do it?
Date: Thu, 16 Sep 1999 20:44:40 GMT
Sundial Services <[EMAIL PROTECTED]> wrote, in part:
>How DO you determine that a cipher is or isn't a good one? How DO you
>conclude that it is or isn't snake oil? What IS it that you've learned
>that makes you qualified to pass judgement on a crypto-algorithm that no
>one else can do the same??
Well, I see this post was sprinkled liberally with smileys.
I'm definitely not one of the "experts"; in fact, recently I've made a
few posts stating that those who are, quite incorrectly, disdainful of
the experts do still have some valid points of their own that we
ignore at our peril.
However, the experts *do* know things that I don't. And what they know
isn't something that's necessarily all that easy to explain or learn.
Techniques like differential and linear cryptanalysis are difficult to
understand. One can understand the general idea, but that won't
necessarily give you the ability to come up with new, ingenious
variations on those attacks, such as the "Boomerang Attack" due to
David Wagner.
Many of these experts have Ph. D.s in mathematics.
And, if one reads what Bruce Schneier has written carefully, even an
"expert" isn't qualified to pronounce a cipher secure. So becoming one
won't give you that power either. Instead, what counts is that a
cipher has been examined for years, by dozens of experts! (And Terry
Ritter is right too: even that doesn't actually prove that a cipher is
secure.)
Speaking of Bruce, there's a "cryptanalysis course" on his site
involving references to papers in the published literature, many of
which are available on the Web. I've seen some of the papers he's
referenced, but I haven't yet attempted the course.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: More New Stuff COMPRESS before ENCRYPT
Date: Thu, 16 Sep 1999 19:53:49 GMT
In article <7rpjop$1v7e$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> Updated my page on Adaptive One to One Huffman compression
> and have source code with examples at my site. This is the
> kind of compression one should do before one encrypts if one
> is to use compression.
>
> http://members.xoom.com/ecil/compress.htm
Why?
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: The good things about "bad" cryptography
Date: 16 Sep 1999 20:04:11 GMT
Reply-To: [EMAIL PROTECTED]
a 'solution' is to have a secret algorithm designed by good experts.
suppose an organization does a cipher and keeps it secret,
because the cipher has been reviewed by their own experts, assumed to
be good, it is unlikely to have obvious flaws.
to my mind the key is not public or not, it is obvious that it is harder
to crack a cipher without algo than the same cipher with the algo.
all is in the quality of the review. being public increases the quality
of your review but makes the job of the attacker easier. it is a tradeoff
and you have to decide.
the solution is easy for most beginners because they don't have good
experts but for the NSA or other security services it is different.
in fact to my mind, the biggest problem is that too many people
think they have/are good experts.
On 16 Sep 99 13:05:58 GMT, [EMAIL PROTECTED] wrote:
>There are two schools of thought about how to choose a cipher to securely
>encrypt your messages.
>
>On the surface, it doesn't seem very hard to decide which one you should
>follow.
>
>One school of thought notes that many new cipher designs have turned out,
>after brief examination, to be seriously flawed. Hence, because of this
>high risk, it is not advisable to rely on any cipher that hasn't been
>subjected to extensive study by the foremost experts in the open academic
>world.
>
>Another school of thought notes things like this:
>
>- if an attacker doesn't know the algorithm being used, he will have a
>harder time of even beginning an attack;
>
>- most well-known algorithms have key sizes that are just enough to resist
>a brute-force search, even though it's not difficult to increase the key
>size for a symmetric algorithm by an order of magnitude;
>
>- no amount of study can prove that the crack for an algorithm isn't just
>around the corner, and such a crack seems likelier to be both found and
>publicized for a well-known algorithm if it exists.
>
>Despite the fact that the advocates of the first viewpoint are among the
>most respected authorities in the field, while variations of the second
>viewpoint have often been raised by people who are, or who resemble,
>cranks and crackpots,
>
>the irritating fact is that the points cited here under the second point
>of view _are all valid_.
>
>Since the basis for the first point of view is *also* valid, this isn't an
>argument for abandoning it. But if security is the goal, we do have to
>widen our horizons. Multiple encryption allows us to do so, to address the
>concerns of the second point of view while still addressing those of the
>first.
>
>John Savard
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SCOTT19U.ZIP_GUY/Questions Please
Date: Thu, 16 Sep 1999 19:52:12 GMT
In article <7rqksg$3664$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> >tunafish wrote:
> >> What they seem to have done is deliberately weaken these algorithms
> >> by asking those who submitted to make certain modification to the
> >> code...
> >
> >Oh, good grief! That's the old conspiracy theory resurrected
> >from the early DES debate. What EVIDENCE do you have that this
> >has occurred?
> I don't even have evidence that the guy Mr L.H. the FBI guy with the
> license to kill that is so certified good at killing mothers holding babies
> was also in Waco. But I have read articles that state he was there since
> he did so good at Ruby Ridge. Of course the evidence if there was any
> was destroyed unless the texas rangers can provide a link. But I think
> he is the kind of guy the FBI uses when it has to kill woman and
> children. But then again maybe I am all wrong. Don't take me wrong
> I think V.H. aka D.K was a very very bad sick person.
> If you are very well read you should be smart enough to realize there
> was much discussion about how fast custom circuits could be made in
> the days of DES. Just like most people have no idea how old the SR-171
> is. Most people have no idea how good the government with its vast supply
> of money is at building custom equipment in the old days. It is a fact
> IBM was going to go with a 64 bit system but the NSA stepped in to
> make it a 56 bit system. Why? Because a 56 bit system can be
> brute force searched 256 times faster. I think the old book "The Puzzle
> Palace" covers this somewhat if you're interested.
Funny according to Applied Crypto (the book you hate for no reason) The
original NBS submission from IBM had a 112 bit key ...
Funny that the new AES is 128+ bits... funny stuff.
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
------------------------------
From: Bill Lynch <[EMAIL PROTECTED]>
Subject: Current US Export Law
Date: Thu, 16 Sep 1999 15:10:23 -0500
I've got a question about current US Export Law regarding strong
encryption. I got to thinking about this in light of recent
developments:
http://www.zdnet.com/zdnn/stories/news/0,4586,2335300,00.html?chkpt=hpqs014
Given that the current law restricts US companies from exporting strong
encryption in their products, could a company like IBM, for example,
develop a product to be compatible with an overseas strong encryption
program and still be subject to export restrictions?
For instance, say a French firm develops a strong encryption program
similar to one that RSA Labs would sell. Could IBM engineer the
software on their servers to be compatible with the French program so
that an overseas customer would basically just plug in the French
program and be on their way? Since there's no strong encryption in the
AS/400 itself, it wouldn't be subject to US export laws. Is that
correct?
Thanks in advance,
--Bill Lynch
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The good things about "bad" cryptography
Date: Thu, 16 Sep 1999 19:38:48 GMT
[EMAIL PROTECTED] (Patrick Juola) wrote, in part:
>The problem is that the first point cited here -- *IF* the attacker
>doesn't know the algorithm being used -- is widely regarded as a
>deeply improbable event, especially in the case of a widely used
>or distributed system. I would, in fact, regard that point as "true
>but irrelevant", in the same category as "if you make a lucky guess,
>then any cryptographic method can be broken," or even "I have a blue
>crayon on my desk."
One could, if one wished, treat an algorithm as if it were a key.
However, that prevents the algorithm from being analyzed properly.
I do view the points in the second group as being...secondary. This is
why those in the school of thought that advocates focusing on points
of that type - of which I only included three representative examples
- while ignoring the primary considerations that respected and
conservative authorities advocate is indeed wrongheaded, and largely
deserves its poor reputation.
But there is a problem. Even Bruce Schneier noted the existence of a
problem when he recently noted that about the only algorithm that has
*really* received adequate analysis is DES. Not Blowfish, not any of
the AES candidates.
We do need more choices. But that isn't a valid argument for opting
for poor choices, I agree. I believe, however, that there is a way out
of this dilemma.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Ritter's paper
Date: Thu, 16 Sep 1999 20:46:22 GMT
Sundial Services <[EMAIL PROTECTED]> wrote, in part:
>It don't matter how thick the steel is on the door, if you can open the
>darn thing just by saying "Fritos."
Although that might be just too simple for a learned cryptanalyst in
these suspicious times.
(well-known literary allusion)
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************