Cryptography-Digest Digest #567, Volume #11      Mon, 17 Apr 00 18:13:01 EDT

Contents:
  Re: Prngxor with substitution? ("David C. Oshel")
  Re: Regulation of Investigatory Powers Bill (Dave Perks)
  Re: ? Backdoor in Microsoft web server ? [correction] (Jerry Coffin)
  Re: AND on encrypted data (John Savard)
  Re: Is AES necessary? (Tom St Denis)
  Re: Regulation of Investigatory Powers Bill ("Ken D.")
  Re: Paper on easy entropy (Tom St Denis)
  Re: Paper on easy entropy (Tom St Denis)
  Re: Paper on easy entropy (Tom St Denis)
  Re: GOST idea (Tom St Denis)
  Re: GOST idea (Tom St Denis)
  Re: Paper on easy entropy (Tom St Denis)
  Re: Paper on easy entropy (Tom St Denis)
  Re: Regulation of Investigatory Powers Bill (Philip Baker)
  Re: GOST idea (lordcow77)
  Should there be an AES for stream ciphers? (Albert Yang)
  Re: ? Backdoor in Microsoft web server ? [correction] (Jim Gillogly)
  Re: Paper on easy entropy (Guy Macon)
  Re: GOST idea (Tom St Denis)
  Re: Paper on easy entropy (Tom St Denis)
  Re: Should there be an AES for stream ciphers? (Tom St Denis)
  Re: GOST idea (Mok-Kong Shen)

----------------------------------------------------------------------------

From: "David C. Oshel" <[EMAIL PROTECTED]>
Subject: Re: Prngxor with substitution?
Date: Mon, 17 Apr 2000 15:10:40 -0500

In article <[EMAIL PROTECTED]>, Mok-Kong Shen 
<[EMAIL PROTECTED]> wrote:

> David C. Oshel wrote:
> > 
> > Is there a name for this algorithm?  Suppose I use Mersenne Twister, by all
> > accounts a very nicely distributed long period PRNG, to index a large
> > substitution table of genuinely random bytes, such as maybe Marsaglia's CD or
> > that large file at SGI's lava lamp web site, replacing the PRNG's uint32 with
> > the table's uint32, and collapsing those four bytes into the "next" byte of
> > the Prngxor cipher?
> 
> Do I understand correctly that each column of your table is a
> permutation of 0-255? (It couldn't be 'arbitrarily' random which
> would have duplicated entries!) The problem is you have to create
> (or store) that very large number of columns. I used in one of my
> humble designs therefore a user-chosen limited number of columns 
> and let a PRNG to select the columns. (This substitution is only
> part of the operations done in one round of my algorithm.)

Actually, it's more naive than that.  Assuming I can load the entire 600 megabyte
glob of random bits into an array, then set 

uchar NextByte = array[ twister.RandUInt32() % array_size ];
 
Then the cipher is simply PlainByte ^ NextByte, which is PrngXor, of course.  Nothing
new, fancy or safe -- unless the substitution step works.

I was stating the problem as simply as I could, so I could get a grip on the
"linearity trap" mentioned by Trevor Jackson, et al.  So far, the concept has
eluded me.  

There seem to be valid ways to work around the trap -- such as simply
using the PRNG to crank out a new key for each block of a file encrypted using
Serpent, Rijndael, or whatnot.  But I was interested in how to do it wrong -- and
why it's wrong :)

-- 
David C. Oshel           mailto:[EMAIL PROTECTED]
Cedar Rapids, Iowa       http://pobox.com/~dcoshel
``Tension, apprehension, and dissension have begun!" - Duffy Wyg&, in Alfred
Bester's _The Demolished Man_

------------------------------

From: Dave Perks <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill
Date: Mon, 17 Apr 2000 20:34:07 GMT

Stou Sandalski wrote:
> 
> "Paul Rubin" <[EMAIL PROTECTED]> wrote in message
> news:8d5i2k$33h$[EMAIL PROTECTED]...
> > In article <[EMAIL PROTECTED]>, Jill  <[EMAIL PROTECTED]>
> wrote:
> <snip>
> 
> > fun way to do it would be with the random number generation hardware
> > built into the Pentium III chip set.  That way there would be no
> > cryptography programming involved.
> 
> There's a rand number generator in the P III ?  is it cryptographically random?

In the *chipset*.  Documented in

http://developer.intel.com/design/chipsets/manuals/298029.pdf

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: ? Backdoor in Microsoft web server ? [correction]
Date: Mon, 17 Apr 2000 14:38:40 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> I have less concrete information than about compilers, but to
> my knowledge there are operating systems that have acquired
> certificates of attaining certain security levels. I mean, if
> some software has been similarly certified to be o.k. and later 
> found to contain backdoors, then the official body examining that
> would be responsible.

Yes, there are certifications of security levels, but you need to 
read what they're certifying before you put too much faith in them.  
At least the normal Orange Book classifications don't guarantee much: 
they're more about the fundamental design than the real security of 
the system.

Just for example, here's what the NSA says it will do when testing a 
system for C2 level security:

2.2.3.2.1 Security Testing
        The security mechanisms of the ADP system shall be tested
        and found to work as claimed in the system documentation.
        Testing shall be done to assure that there are no obvious
        ways for an unauthorized user to bypass or otherwise
        defeat the security protection mechanisms of the TCB.
        Testing shall also include a search for obvious flaws that 
        would allow violation of resource isolation, or that
        would permit unauthorized access to the audit or
        authentication data. (See the Security Testing
        guidelines.)
 
Take particular note of the fact that all of this is looking only for 
_obvious_ flaws.

As the security level goes up, there are greater requirements placed 
on the architecture and the testing becomes more stringent as well.  
For example at the B1 level, testing is described as follows:

3.1.3.2.1 Security Testing
        The security mechanisms of the ADP system shall be tested
        and found to work as claimed in the system documentation.
        A team of individuals who thoroughly understand the
        specific implementation of the TCB shall subject its
        design documentation, source code, and object code to
        thorough analysis and testing. Their objectives shall
        be: to uncover all design and implementation flaws that
        would permit a subject external to the TCB to read,
        change, or delete data normally denied under the
        mandatory or discretionary security policy enforced by
        the TCB; as well as to assure that no subject (without
        authorization to do so) is able to cause the TCB to enter
        a state such that it is unable to respond to
        communications initiated by other users. All
        discovered flaws shall be removed or neutralized and
        the TCB retested to demonstrate that they
        have been eliminated and that new flaws have not been
        introduced. (See the Security Testing Guidelines.)

This is clearly a MUCH more serious level of testing than at the C2 
level.  The wording is still such that I doubt you could hold anybody 
responsible if it fails in some area though -- it says "their 
objective shall be" to discover all the problems, but doesn't say they 
will necessarily achieve that objective.  In fairness, I don't think 
there's any way you can really expect anybody to completely achieve 
such an objective.

As the security level goes still higher, the requirements go up even 
more. Even though I've said I don't think absolute assurances of 
security are possible, I have to admit that I'd be somewhat surprised 
to see a major break in an A1 system.  At the same time I feel 
obliged to point out that a system that even TRIES to meet the 
criteria for B1 or above not only can be, but in fact WILL be a major 
pain to use for most purposes.

NIST has initiated a different set of tests and such that try to be 
oriented more toward commercial use rather than the primarily 
military orientation of the NSA orange book.  I haven't had a chance 
to look through that too carefully, but my guess is that it might at 
least come closer to what you're thinking about.

Even with that, system administration is still almost certainly going 
to be the single most important thing involved in achieving any kind 
of security though.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AND on encrypted data
Date: Mon, 17 Apr 2000 20:47:55 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote, in part:

>Maybe I misunderstood. But, if two bit streams are ANDed, how can
>later the two streams be separated out? Thanks.

No, they can't be separated. But if one uses the appropriate
technique, one can decrypt the result, and get the AND of the two
plaintext streams. Presumably, that is useful for something: data that
is encrypted is to be subject to a computation while still encrypted.

John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
Date: Mon, 17 Apr 2000 20:55:04 GMT



David Blackman wrote:
> 
> Tom St Denis wrote:
> >
> > A 64-bit block size is only a problem if you send over 2^32 blocks of
> > ciphertext.
> 
> There are real applications out there where people want to encrypt much
> more than that, and would prefer to do it all with the one key. 2^32 X 8
> bytes is only 32 Gigabytes. That's one cheap hard-disc that ordinary
> home users and small businesses can afford. Also it's easy to steal with
> the kind of physical security that small players can afford, which is
> why it might be a good idea to encrypt it.
> 
> > And the keysize of 3des is 168bits not 112bits since the
> > memory required for a mitm attack is insane.
> 
> OK. Either way, I think the key is big enough for now. The block size is
> the problem.
> 
> > Any 64-bit block cipher with a effective keysize of 80 bits or more is
> > still usefull as a block cipher.
> >
> > Tom
> 
> Getting very marginal for some applications if the guys in the black
> hats want your data badly enough.

Who says the people in black hats want your data?  Maybe it's just some
kid-hacker trying to steal software...

Tom

------------------------------

From: "Ken D." <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill
Date: Mon, 17 Apr 2000 20:55:33 GMT

"Trevor L. Jackson, III" wrote:
> 
> Stou Sandalski wrote:

> Actually this is false.  There is no action or declaration by any government
> agency that can suspend a citizen's constitutional rights.  However, the citizen
> can voluntarily disclaim those rights, as for example happens when you accept a
> job requiring a security clearance, enroll in a school, visit an airport, etc.

so... if you actually want to *live* in said country, you then have no rights
:)

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 20:55:55 GMT



wtshaw wrote:
> 
> In article <[EMAIL PROTECTED]>, Tom St Denis <[EMAIL PROTECTED]> wrote:
> 
> >
> > It's a really short paper, but it discusses a way to get entropy other
> > then trapping hardware faults.
> >
> Here is a call to post it directly here.

There are a few errors in the paper I have to correct.  Thanks for your
time though.

Tom
> --
> Doubt until you have proof, then doubt frequently.  Descartes
> %/^):  [|]"!  ?=)@~  ;)[]*  :@\@}  *#~}>  ,=+)!  .($`\

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 20:56:45 GMT



Steve Roberts wrote:
> 
> >> Tom St Denis wrote:
> >> >
> >> > I wrote a mini paper discussing a method of extracting entropy from the
> >> > keyboard.  It's at
> >> >
> >> > http://24.42.86.123/files/entropy.ps
> >>
> >> It would be nice if you would say in a couple of sentences here
> >> of what that method is and how one proceeds to determine how much
> >> entropy (method of measurement) is in the stuff one actually
> >> obtains from the keyboard. Thanks.
> >
> >You type at the keyboard, I then make an order-0 model of the input and
> >calc the estimated entropy from that.  For example the string
> >'ogt93trwebfwejkfbhwujhtuih3tlkgkw' contains an estimated 2.01 bits per
> >char of entropy (66.54 bits total).
> 
> But you can type a pre-determined text and control how much entropy
> you let in!
> 
> I have implemented a similar system where the application tells you
> what letters to type. The letters were randomly chosen (poor
> randomiser will do for this) and the application did not accept any
> others.  Then I took the microsecond time between the typed characters
> and got entropy from the low order bits.  In this way I was using a
> hardware source i.e. the typist's brain and his/her ability to get to
> the right keys on the keyboard.
> 
> It also meant I could prove to an auditor that the results were
> random.
> 

Not all platforms have micro-second timers.  My goal was to estimate the
entropy in a text buffer and hash as required.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 20:57:42 GMT

I fixed the algorithm in my source.  I will update the paper and discuss
a bit more in it.  Thanks for helping.

Tom

Scott Nelson wrote:
> 
> On Mon, 17 Apr 2000 03:06:50 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:
> 
> >I wrote a mini paper discussing a method of extracting entropy from the
> >keyboard.  It's at
> >
> >http://24.42.86.123/files/entropy.ps
> >
> 
> The sample code in the paper is flawed.
> According to it, "abcdaaaa" has a higher entropy (9.7)
> than "abcddcababdcdcbabadc" (8.0)
> 
> Perhaps you wanted something like:
> 
> #include <math.h>     /* log() */
> #include <string.h>   /* memset() */
> 
> /* order-0 estimate: Shannon bits per byte, scaled by the buffer length */
> double entropy(unsigned char *input, int len)
> {
>    double p[256], chars, e;
>    int x;
> 
>    memset(p, 0, sizeof(p));
>    chars = (double)len;
> 
>    /* count each byte value, then turn counts into frequencies */
>    for (x = 0; x < len; x++)
>         ++p[input[x]];
>    for (x = 0; x < 256; x++)
>         p[x] /= chars;
>    /* sum up */
>    e = 0.0;
>    for (x = 0; x < 256; x++)
>    {
>       if (p[x])
>          e -= p[x] * (log(p[x]) / log(2.0));
>    }
>    return e * chars;
> }
> 
> I think that's still flawed since it ignores sequency
> information (the probability of 'u' after a 'q' is much
> higher than the probability of a 'u' after a 'z')
> but at least it would be consistent with the definition
> in the paper.
> 
> Scott Nelson <[EMAIL PROTECTED]>

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Mon, 17 Apr 2000 20:59:30 GMT



Mok-Kong Shen wrote:
> 
> Tom St Denis wrote:
> >
> > Mok-Kong Shen wrote:
> 
> > > > Maybe I misunderstood. My point is the following: If v is the
> > > > input and w the output and one knows that between v and w there
> > > > is a certain avalanche property, i.e. the effect of flipping
> > > > one bit of v. Now suppose I have a mapping of u to v that is a
> > > > permutation. Two values u1 and u2 differing only in one bit
> > > > may have the corresponding values v1 and v2 differing in many
> > > > bits and their resulting effect on a comparison between w1 and
> > > > w2 may not be simple to tell.
> > >
> > > Addendum:
> > >
> > > Could you please give a literature reference to the fact that
> > > the function you gave previously is a permutation?
> >
> > 2x^2 + x mod 2^w is a permutation polynomial of x.  Hmm I got the idea
> > from a paper on Rivest's site, and I can email a copy if you want.
> 
> But in your post of 16th April you said you are working in GF(2^w).
> Now GF(2^w) has characteristic 2, so 2x^2 = 0, if I don't err.

Actually no it doesn't.  Modulo 2^w, 2x^2 + x is always a permutation
polynomial.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Mon, 17 Apr 2000 21:01:06 GMT



Mok-Kong Shen wrote:
> As far as I understand, it is very important to examine the
> avalanche property of one single round very carefully. For many
> rounds, one can heuristically expect a better effect. But if
> you compare two different S-boxes, you have to look whether
> the one is superior to the other in one round, for otherwise
> you are likely to get confused by your data for many rounds,
> I am afraid.

Well the quadratic is just a bijective function of the input, much like
the S() function (sbox substitution).  So at the worst it will not
increase the avalanche.  But the amount of active sboxes in GOST grows
quite slowly.  I have found with the quadratic it doesn't take as long
to increase the active sboxes.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 21:02:51 GMT



Mok-Kong Shen wrote:
> Allow me posing another question. Could you supply a literature
> reference to the said 'order 0 model', including perhaps other
> relevant theories to compute the entropy in the way you do?
> Thanks.

Order-0 means I evaluate the probability of each symbol in the 'zero'
context, which means I don't care about preceding chars.  An order-1
model is more accurate.  For example the letter 'h' is not fairly
probable, but it's more probable after a 't'.  So if the preceding char
was a 't' and we are on a 'h' now it's not very random.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 21:04:33 GMT



Guy Macon wrote:
> 
> O.K.  Read the paper.  Let's start at the top:
> 
> "Entropy is the measure of the unknown information in a closed system".
> 
> I believe that Entropy is a measure of the disorder/randomness of
> information or energy in any system, open or closed.  In a closed
> system entropy cannot decrease, but open systems have entropy too.
> (Please correct me if I have defined Entropy poorly).

I am discussing entropy in a closed environment though.

Tom

------------------------------

From: Philip Baker <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill
Date: Mon, 17 Apr 2000 22:19:24 +0100

In article <[EMAIL PROTECTED]>, Scotty
<[EMAIL PROTECTED]> writes
>
>Your Name wrote in message <7QRJ4.224$[EMAIL PROTECTED]>...
>>In article <[EMAIL PROTECTED]>,
>>[EMAIL PROTECTED] says...
>>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>There's little point, the first time a case comes to the courts, then
>>>it will fall flat on its face. If you have encrypted data on your
>>>hard disk, and refuse to decrypt, the law says that you can be
>>>imprisoned.
>>>
>>>What this basically means is that they are removing the right of
>>>individuals in a criminal court to be tried as innocent until proven
>>>guilty. This is a breach of at least the European Declaration of
>>>human rights, and probably the Universal Declaration of Human Rights.
>
>This is not quite correct. There was a very slight change of emphasis in the
>RIP bill compared to its previous incarnation in the e-commerce bill.
>Whereas the e-commerce bill was going to put the burden of proof on you to
>show that you didn't have a decryption key, the new RIP bill changes the
>test to one of balance of probabilities. So it's gone from 'guilty till
>proven innocent' to 'balance of probabilities'.


This is not my reading of Section III of the bill but perhaps I've
missed something. The prosecution has to show that the accused 'is a
person who has or has had possession of the key'. There is no mention,
that I can find, of the degree of proof required. So isn't it up to the
prosecution to prove this beyond reasonable doubt?
-- 
Philip Baker
http://www.thalasson.com


------------------------------

Subject: Re: GOST idea
From: lordcow77 <[EMAIL PROTECTED]>
Date: Mon, 17 Apr 2000 14:23:03 -0700

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <mok-
[EMAIL PROTECTED]> wrote:
>But in your post of 16th April you said you are working in GF(2^w).
>Now GF(2^w) has characteristic 2, so 2x^2 = 0, if I don't err.

I wish you would use more precision in language. GF(2^w) denotes
an entirely different concept than the integers mod a number. If
you don't know what a field is, then don't try to make your
writing look more impressive by using some sort of pseudo-Galois
field notation. The formal language is more clear, but only if
we all know what a person is referring to when he or she uses
such a term. Sloppiness just confuses everyone and makes it more
difficult to extract meaning from your posting.



------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Should there be an AES for stream ciphers?
Date: Mon, 17 Apr 2000 21:34:24 GMT

Well, I know that you can take a Block Cipher and make it into a stream
cipher, but that's not the point.  Should there be a standardized stream
cipher, the same as the attempt to standardize the block cipher?  

RC4 seems to be about the only choice, SEAL hasn't had the
cryptanalysis time it should, and also, I don't know about speed, but I
assume that Stream ciphers are (or should be) faster than block
ciphers...

Thoughts?  AES Stream Cipher just a waste of time?  While on the
subject, why not have an AES Hash contest too?

Albert

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: ? Backdoor in Microsoft web server ? [correction]
Date: Mon, 17 Apr 2000 21:34:29 +0000

Mok-Kong Shen wrote:
> I have never studied the details of any hacks that exploit
> buffer overflows, but I remember that more than a decade
> ago the problem was already known to be one of the security
> holes of some components of the UNIX system of that time.

Quite right -- and also of other operating systems and applications.

> Can buffer overflow remain today an excusable software flaw
> in security relevant software? Where are the scientific
> advances in software quality control during all these years?

Sacrificed to the expediencies of marketing.  You don't make sales
by fixing bugs: you make sales by adding features.  Customers
forgive all the problems immediately, if they even pay attention
to the news reports on them -- the weak password encryption, back
doors, buffer overruns in browsers and active mail, etc.  If the
customers are satisfied to reboot their systems after the daily
blue-screen, fixing bugs is not a high priority.  The priority
becomes half-supporting the latest whiz-bang graphics card or
sound card.  If the customers are satisfied to be told to reboot
as the first item on the list from tech support, they deserve
what they've bought -- and they deserve it doubly if they buy the
upgrade.
-- 
        Jim Gillogly
        Mersday, 27 Astron S.R. 2000, 21:12
        12.19.7.2.7, 12 Manik 10 Pop, Second Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Paper on easy entropy
Date: 17 Apr 2000 17:51:37 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
>
>
>
>Guy Macon wrote:
>> 
>> O.K.  Read the paper.  Let's start at the top:
>> 
>> "Entropy is the measure of the unknown information in a closed system".
>> 
>> I believe that Entropy is a measure of the disorder/randomness of
>> information or energy in any system, open or closed.  In a closed
>> system entropy cannot decrease, but open systems have entropy too.
>> (Please correct me if I have defined Entropy poorly).
>
>I am discussing entropy in a closed environment though.
>
>Tom

Two comments:

[1] The fact that you are discussing entropy in a closed environment
    has nothing to do with whether you correctly defined "entropy".
    I suggest using an accurate definition and then stating the
    subset that you are talking about.

[2] Closed environment?  You are getting input from a human.  That's
    an open environment.

I am not trying to be pedantic here.  Improper definitions of words
are a major source of miscommunication.

I am also reluctant to comment on the rest of the paper if we cannot 
agree on what "entropy" means.  Such an effort will be a W.O.M.B.A.T.
(Waste Of Money, Brains, And Time.)  This would deprive you of my
observation that M and Q are less likely than F and K, and that AWQ
is less likely than AVK when a real human is at the keyboard.


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Mon, 17 Apr 2000 22:02:11 GMT



lordcow77 wrote:
> 
> In article <[EMAIL PROTECTED]>, Mok-Kong Shen <mok-
> [EMAIL PROTECTED]> wrote:
> >But in your post of 16th April you said you are working in GF(2^w).
> >Now GF(2^w) has characteristic 2, so 2x^2 = 0, if I don't err.
> 
> I wish you would use more precision in language. GF(2^w) denotes
> an entirely different concept than the integers mod a number. If
> you don't know what a field is, then don't try to make your
> writing look more impressive by using some sort of pseudo-Galois
> field notation. The formal language is more clear, but only if
> we all know what a person is referring to when he or she uses
> such a term. Sloppiness just confuses everyone and makes it more
> difficult to extract meaning from your posting.

I thought a field is something where addition and multiplication have
identities and inverses.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 22:03:19 GMT



Guy Macon wrote:
> 
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
> >
> >
> >
> >Guy Macon wrote:
> >>
> >> O.K.  Read the paper.  Let's start at the top:
> >>
> >> "Entropy is the measure of the unknown information in a closed system".
> >>
> >> I believe that Entropy is a measure of the disorder/randomness of
> >> information or energy in any system, open or closed.  In a closed
> >> system entropy cannot decrease, but open systems have entropy too.
> >> (Please correct me if I have defined Entropy poorly).
> >
> >I am discussing entropy in a closed environment though.
> >
> >Tom
> 
> Two comments:
> 
> [1] The fact that you are discussing entropy in a closed environment
>     has nothing to do with whether you correctly defined "entropy".
>     I suggest using an accurate definition and then stating the
>     subset that you are talking about.
> 
> [2] Closed environment?  You are getting input from a human.  That's
>     an open environment.

True I will reword that.

> I am not trying to be pedantic here.  Improper definitions of words
> are a major source of miscommunication.
> 
> I am also reluctant to comment on the rest of the paper if we cannot
> agree on what "entropy" means.  Such an effort will be a W.O.M.B.A.T.
> (Waste Of Money, Brains, And Time.)  This would deprive you of my
> observation that M and Q are less likely than F and K, and that AWQ
> is less likely than AVK when a real human is at the keyboard.

Well does entropy just mean uncertainty?  So basically I am trying to
discuss how to measure the uncertainty of characters from appearing...

Can you help please?

Tom

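As an added example, not code from the thread or from Tom's paper: a Python version of the order-0 estimate in Scott Nelson's corrected function, beside the order-1 (previous character) model Tom describes and that Guy Macon's letter-pair remark points at. The sample strings are Scott's two plus one constructed buffer; note that both figures describe the sample that was typed, not an attacker's uncertainty about it, so a rehearsed text scores exactly like random typing of the same letters.

```python
from collections import Counter
from math import log2


def order0_entropy(data: bytes) -> float:
    """Order-0 estimate (Scott Nelson's definition): each byte's probability is
    its relative frequency in the buffer; preceding bytes are ignored.
    Returns bits per symbol."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in Counter(data).values())


def order1_entropy(data: bytes) -> float:
    """Order-1 estimate: empirical conditional entropy H(next byte | previous
    byte) in bits per symbol. A byte that is predictable from its predecessor
    (the 'u' after a 'q') contributes little even if it is rare overall."""
    if len(data) < 2:
        return order0_entropy(data)
    pairs = Counter(zip(data, data[1:]))   # (previous, next) -> count
    prev_counts = Counter(data[:-1])       # previous -> count
    total = len(data) - 1
    h = 0.0
    for (prev, nxt), c in pairs.items():
        p_pair = c / total                 # P(previous, next)
        p_cond = c / prev_counts[prev]     # P(next | previous)
        h -= p_pair * log2(p_cond)
    return h


def estimate(data: bytes) -> dict:
    """Both estimates, per symbol and summed over the whole buffer."""
    h0, h1 = order0_entropy(data), order1_entropy(data)
    return {"order0_per_char": h0, "order0_total": h0 * len(data),
            "order1_per_char": h1, "order1_total": h1 * len(data)}


# Constructed samples: the first two strings are the ones from Scott Nelson's
# post; the third is a constructed buffer whose symbols are balanced (order-0
# says 1 bit/char) but whose order is fully predictable (order-1 says 0).
SAMPLES = {
    "abcdaaaa": b"abcdaaaa",
    "abcddcababdcdcbabadc": b"abcddcababdcdcbabadc",
    "ququququququ": b"ququququququ",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        e = estimate(buf)
        print(f"{name:22s} order-0 {e['order0_per_char']:.3f} b/char "
              f"({e['order0_total']:.2f} total)  "
              f"order-1 {e['order1_per_char']:.3f} b/char")
```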
------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Should there be an AES for stream ciphers?
Date: Mon, 17 Apr 2000 22:04:25 GMT



Albert Yang wrote:
> 
> Well, I know that you can take a Block Cipher and make it into a stream
> cipher, but that's not the point.  Should there be a standardized stream
> cipher, the same as the attempt to standardize the block cipher?

That's not a bad idea.

> RC4 seems to be about the only choice, SEAL hasn't had the
> cryptanalysis time it should, and also, I don't know about speed, but I
> assume that Stream ciphers are (or should be) faster than block
> ciphers...

RC4 is less appealing now that some cryptanalysis has been done against
it.  While the underlying prng isn't too bad, the key schedule sucks.

> Thoughts?  AES Stream Cipher just a waste of time?  While on the
> subject, why not have an AES Hash contest too?

Not a idea either.

Tom

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Tue, 18 Apr 2000 00:11:38 +0200

Tom St Denis schrieb:
> 
> Mok-Kong Shen wrote:
> >
> > Tom St Denis wrote:
> > >
> > > Mok-Kong Shen wrote:
> >
> > > > > Maybe I misunderstood. My point is the following: If v is the
> > > > > input and w the output and one knows that between v and w there
> > > > > is a certain avalanche property, i.e. the effect of flipping
> > > > > one bit of v. Now suppose I have a mapping of u to v that is a
> > > > > permutation. Two values u1 and u2 differing only in one bit
> > > > > may have the corresponding values v1 and v2 differing in many
> > > > > bits and their resulting effect on a comparison between w1 and
> > > > > w2 may not be simple to tell.
> > > >
> > > > Addendum:
> > > >
> > > > Could you please give a literature reference to the fact that
> > > > the function you gave previously is a permutation?
> > >
> > > 2x^2 + x mod 2^w is a permutation polynomial of x.  Hmm I got the idea
> > > from a paper on Rivest's site, and I can email a copy if you want.
> >
> > But in your post of 16th April you said you are working in GF(2^w).
> > Now GF(2^w) has characteristic 2, so 2x^2 = 0, if I don't err.
> 
> Actually no it doesn't.  Modulo 2^w, 2x^2 + x is always a permutation
> polynomial.

Note that you are NOW talking of modulo 2^w. As I pointed out,
you were instead talking of GF(2^w) in the post where you first 
mentioned that the function is meant to be a permutation! (Thus I 
was quite surprised and asked you to give references to support 
that claim.) Do you see my point?

M. K. Shen

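An added example, not code from any post in this thread, that settles the two claims above in working code: 2x^2 + x is a permutation modulo 2^w (checked both exhaustively and with Rivest's coefficient criterion from "Permutation Polynomials Modulo 2^w"), while the same expression evaluated in GF(2^w) collapses to x because 2x^2 = x^2 + x^2 = 0 in characteristic 2. It also measures the single-bit avalanche of the quadratic that Tom's earlier GOST post relies on; the GF(2^8) arithmetic uses the AES reduction polynomial 0x11b, an assumption made only to have a concrete field.

```python
from typing import Callable, Sequence


def quad_perm(x: int, w: int) -> int:
    """f(x) = 2x^2 + x mod 2^w, the quadratic discussed in the thread."""
    return (2 * x * x + x) & ((1 << w) - 1)


def rivest_criterion(coeffs: Sequence[int]) -> bool:
    """Rivest's theorem: for w >= 2, a0 + a1 x + a2 x^2 + ... permutes the
    integers mod 2^w iff a1 is odd, a2 + a4 + a6 + ... is even and
    a3 + a5 + a7 + ... is even. coeffs[i] is the coefficient of x^i."""
    a = list(coeffs) + [0, 0, 0]
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0


def is_bijection(f: Callable[[int, int], int], w: int) -> bool:
    """Exhaustive check that f(., w) hits every residue mod 2^w exactly once."""
    seen = bytearray(1 << w)
    for x in range(1 << w):
        y = f(x, w)
        if seen[y]:
            return False
        seen[y] = 1
    return True


def gf2_8_mul(a: int, b: int) -> int:
    """Carry-less multiplication in GF(2^8), reduced by x^8+x^4+x^3+x+1
    (0x11b, the AES polynomial; chosen here only as a concrete example)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r


def gf2_8_quad(x: int) -> int:
    """2x^2 + x evaluated in GF(2^8): '2x^2' means x^2 + x^2, and field
    addition is XOR, so the term cancels and only x survives."""
    x2 = gf2_8_mul(x, x)
    return x2 ^ x2 ^ x


def avalanche_matrix(f: Callable[[int, int], int], w: int):
    """m[i][j] = fraction of inputs for which flipping input bit i flips output
    bit j. For quad_perm the entries with j < i are 0 (bit j of 2x^2 depends
    only on input bits below j) and the diagonal is 1 (the '+ x' term), so
    avalanche only ever travels upward, which is why it needs help from the
    rest of the round."""
    m = [[0] * w for _ in range(w)]
    for x in range(1 << w):
        fx = f(x, w)
        for i in range(w):
            d = fx ^ f(x ^ (1 << i), w)
            for j in range(w):
                if d >> j & 1:
                    m[i][j] += 1
    n = 1 << w
    return [[c / n for c in row] for row in m]


if __name__ == "__main__":
    w = 12
    print("2x^2 + x passes Rivest's test:", rivest_criterion([0, 1, 2]))
    print(f"2x^2 + x bijective mod 2^{w} (exhaustive):", is_bijection(quad_perm, w))
    print("x^2 + x passes Rivest's test:", rivest_criterion([0, 1, 1]))
    print("2x^2 + x == x in GF(2^8) for every x:",
          all(gf2_8_quad(x) == x for x in range(256)))
    m = avalanche_matrix(quad_perm, w)
    for i in range(w):
        print(f"flip input bit {i:2d}: {sum(m[i]):.2f} output bits flip on average")
```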
------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
