Cryptography-Digest Digest #840, Volume #12       Wed, 4 Oct 00 15:13:01 EDT

Contents:
  Re: the trusth about rijndael cracked by biham (Tom St Denis)
  Re: RC6 royalty free or not? (Tom St Denis)
  Re: Problem with Twofish Round Function (Tom St Denis)
  Re: It's Rijndael (SCOTT19U.ZIP_GUY)
  Re: My Theory... (SCOTT19U.ZIP_GUY)
  Re: Counterpane Funny Stuff (Andru Luvisi)
  Re: It's Rijndael (Jim Gillogly)
  Re: RC6 royalty free or not? (Roger Schlafly)
  Re: Counterpane Funny Stuff (SCOTT19U.ZIP_GUY)
  Re: No Comment from Bruce Schneier? (SCOTT19U.ZIP_GUY)
  Re: No Comment from Bruce Schneier? (Roger Schlafly)
  Re: No Comment from Bruce Schneier? (David Crick)
  Re: On block encrpytion processing with intermediate permutations (Bryan Olson)
  Re: No Comment from Bruce Schneier? (David Crick)
  Re: No Comment from Bruce Schneier? (Andru Luvisi)
  Re: It's Rijndael ("Joseph Ashwood")

----------------------------------------------------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: the trusth about rijndael cracked by biham
Date: Wed, 04 Oct 2000 17:58:44 GMT

In article <8rfopa$85o$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Hey boys,
>
> Yes it was a joke and yes it was a random selected web site but which
> offers stats.
>
> The stats can be found at the bottom of the page or directly here :
>
> http://usa3.viewstat.nedstatbasic.net/cgi-bin/viewstat?name=secteax
>
> 92 people clicked on the link
>
> 23 from france
> 16 from US
> the rest ... the world
>
> I thought there was more people reading sci.crypt
> but nope, only 100 people
>
> It's a little newsgroup here

Maybe people knew you were a troll?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RC6 royalty free or not?
Date: Wed, 04 Oct 2000 18:02:22 GMT

In article <[EMAIL PROTECTED]>,
  Runu Knips <[EMAIL PROTECTED]> wrote:
> "Sami J. Mäkinen" wrote:
> > I couldn't tell by reading the papers from RSA webpage that
> > is RC6 royalty free or not (to use in shareware program)?
> > I'm talking about the algorithm itself, not any implementation.
>
> Use any of the other AES finalists. RSADSI has AFAIK only
> stated that RC6 will be free _IF_ it would become AES,
> and it hasn't.
>
> If at all, I would use RC6 with at least 12, better 16
> rounds, btw.

Um, RC6 was specified with at least 20 rounds, 17 of which can be broken
with 2^118 work...

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Problem with Twofish Round Function
Date: Wed, 04 Oct 2000 18:03:05 GMT

In article <[EMAIL PROTECTED]>,
  Runu Knips <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > I just realized that the output of the round function is merely...
> >
> > T1 = 2a + b
> > T2 = a + b
>
> Yep, a 2PHT.
>
> > Where the difference is in the 'a' term.  What if I sent a
> > differential into that function without a difference in 'a' (i.e. the
> > first g function).  Obviously in the next round it would affect the
> > other side but you get a round for quasi free.
>
> Yep.
>
> > Also that doesn't look like the best way to distribute the entropy
> > in 'a' and 'b' (pretend a is the output of the first g function,
> > and b the output of the second).
>
> Hmm. So what would you do instead ?

A 2x2 MDS?  Or an 8x8 MDS instead of two sets of 4x4 MDSes...

Tom


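Added worked example (editor's code, not from Tom's or Runu's posts): the
PHT step T1 = 2a + b, T2 = a + b (mod 2^32) quoted above, in Python. It
models only that one step, not the g functions, subkey addition or
rotations around it in a real Twofish round. It shows that an additive
difference confined to 'b' lands unchanged on both outputs, that the
difference 2^31 in 'a' alone leaves T1 untouched (2*2^31 = 0 mod 2^32),
and that the map's branch number is 2, computed exhaustively on 8-bit
words as a stand-in for 32-bit ones, where a true 2x2 MDS would give 3.

```python
# Added example: the Twofish PHT step T1 = 2a + b, T2 = a + b (mod 2^bits),
# isolated from the rest of the round (no g functions, subkeys or rotations).


def pht(a: int, b: int, bits: int = 32) -> tuple[int, int]:
    """Pseudo-Hadamard transform on two `bits`-wide words (mod 2^bits)."""
    mask = (1 << bits) - 1
    return ((2 * a + b) & mask, (a + b) & mask)


def pht_output_difference(a: int, b: int, da: int, db: int,
                          bits: int = 32) -> tuple[int, int]:
    """Additive output difference of the PHT for the additive input
    difference (da, db) applied to the base pair (a, b).  The PHT is
    linear over Z/2^bits, so the result depends only on (da, db); the
    base pair is passed in just to make that visible."""
    mask = (1 << bits) - 1
    t1, t2 = pht(a, b, bits)
    u1, u2 = pht((a + da) & mask, (b + db) & mask, bits)
    return ((u1 - t1) & mask, (u2 - t2) & mask)


def branch_number(bits: int) -> int:
    """Differential branch number of the PHT on `bits`-wide words:
    the minimum over non-zero inputs of (#non-zero input words +
    #non-zero output words), found exhaustively.  A 2x2 MDS map scores 3;
    2 is the floor for any bijection."""
    size = 1 << bits
    best = 4
    for a in range(size):
        for b in range(size):
            if a == 0 and b == 0:
                continue
            t1, t2 = pht(a, b, bits)
            score = (a != 0) + (b != 0) + (t1 != 0) + (t2 != 0)
            best = min(best, score)
            if best == 2:          # cannot go lower for a bijection
                return best
    return best


if __name__ == "__main__":
    # Difference only in b: it appears unchanged on both outputs.
    print(pht_output_difference(0x12345678, 0x9ABCDEF0, 0, 5))
    # Difference 2^31 only in a: T1 is untouched, T2 flips its top bit.
    print(pht_output_difference(7, 11, 1 << 31, 0))
    # Exhaustive branch number on 8-bit words: 2, not the 3 an MDS gives.
    print(branch_number(8))
```

The (2^31, 0) case is the concrete form of the complaint in the thread: an
input difference of weight one can leave one of the two output words with
zero difference, which is exactly what an MDS layer is chosen to rule out.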

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: It's Rijndael
Date: 4 Oct 2000 18:10:06 GMT

[EMAIL PROTECTED] (Mok-Kong Shen) wrote in <39DB6E11.DC2C086@t-online.de>:

>
>
>Tim Tyler wrote:
>> 
>> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>> 
>> : I conjecture that 3DES will continue to stay for a quite
>> : long time. For analogy, see the programming language Cobol.
>> 
>> I'm having a few problems getting the hang of this analogy...
>
>My intended meaning probably didn't get through. Note 
>that one factor of Cobol's longevity is that the
>companies have already invested too much in connection
>with it and there is simply too big an inertia against
>any reforms/revolutions.

  Cobol should have died long ago. I remember when I worked
on the Univac and Cobol programmers would scream how good it
was. The facts are even if the Cobol programmers picked some program
they were proud of, you could rewrite it so it was shorter, ran
faster and even communicated with the exotic files Cobol people
were so proud of. I think Cobol continues to live because American
business is too lazy and stupid to do it the correct way. It's far easier
to lie to the public about how great a product is than to do it right.
The money nowadays is in lawyers and marketing, not engineering and
results. Remember Ford's statement about Job One. Makes me laugh.





David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: My Theory...
Date: 4 Oct 2000 18:02:00 GMT

[EMAIL PROTECTED] (Mok-Kong Shen) wrote in <39DB6DFE.6D283D59@t-online.de>:

>
>
>Thomas Pornin wrote:
>> 
>> It is the NSA interest that the US companies use a strong cipher. Or, at
>> least, a cipher that ONLY the NSA can break. Since the NSA is no more
>> the richest organization in the world, they cannot play (anymore ?) the
>> backdoor game. They are doomed to propose really strong ciphers.
>
>Is is quite sure that there are no organizations (public or
>commercial) in the world that have more or less comparable 
>resources?
>
>M. K. Shen
>

  I must not be understanding what you meant, since I think I
agree with you. So could you please clarify? Just what did you
exactly mean? Please be specific.

David A. Scott

------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Counterpane Funny Stuff
Date: 04 Oct 2000 11:02:47 -0700

Tom St Denis <[EMAIL PROTECTED]> writes:
[snip]
> What the heck is a "scalable security business model that broadly
> leverages unparalleled security expertise...." sounds like the output
> of a buzzword generator...
[snip]
"unparalleled security expertise" -> We are really good.
"leverages" -> uses, exploits, gets full benefit from.  In other
               words, you'll get the full benefit from our being 
               really good.
"security business model" -> way to handle security.
"scalable" -> can work well for small or big problems.

So if I had to guess, I'd say they were trying to say:

"Whether your problem is big or small, you can handle security really
well by going with us and getting the full benefit from our being
really good."

...which, based on what I know of Counterpane, is probably true.

Andru
-- 
Andru Luvisi, Programmer/Analyst

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 18:19:51 +0000

Runu Knips wrote:
> If there would be another such contest in future, I would
> vote for making the round count a parameter, so everybody
> can choose higher or lower security, as they wish. This
> way one could select a higher number of rounds if one
> wishes. I don't know how much such a concept would
> actually cost in hardware implementations.

While it would be nice to have that kind of flexibility, it does
make it more difficult in standards where interoperability is
important.  The two sides need to agree not only on an algorithm,
but also on all the parameters to be used.  The IPsec groups will
probably have a bunch of variants of AES already: at least the
three primary key lengths, and perhaps the different block sizes as
well.  Note that the key length of Rijndael can go up by 32-bit
chunks as well, although this amount of flexibility will probably
not show up in IPsec.  Given that all that is being negotiated,
perhaps negotiating the round count as well wouldn't be a lot more
onerous.  It does increase software and hardware complexity and
testing -- some implementation might have assumed that nobody would
<ever> need more than 256 rounds and chosen their counters accordingly,
and it might never come up in testing until the product hits the
market. Every new variable in a standard multiplies the size of the
testing regime by the number of values it can take, independent
of cross-talk side effects.

A variable round count would slow down the most aggressive
optimizations in both software and hardware, since you couldn't
unroll the loops unless some reasonably low limit on the number
of rounds were picked... and of course we've already seen how
popular that choice would be.

In short, I think picking a specific number makes good sense,
even though I'm not sure what that number should be.

> Well, but maybe there will be never such a contest again,
> because now a standard has been selected, and it is
> unlikely that we will ever need more than 256 bit of
> security, not in a hundred of years.

If we need another contest it won't be because of key
exhaustion, but rather some more analytical break.
-- 
        Jim Gillogly
        Mersday, 13 Winterfilth S.R. 2000, 18:02
        12.19.7.10.17, 13 Caban 20 Chen, First Lord of Night

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: RC6 royalty free or not?
Date: Wed, 04 Oct 2000 11:23:58 -0700

Runu Knips wrote:
> Use any of the other AES finalists. RSADSI has AFAIK only
> stated that RC6 will be free _IF_ it would become AES,
> and it hasn't.

Yes. But it is hard to see why anyone would want to use RC6
now. The main arguments for it were simplicity, and more
analysis. But simplicity is not a big plus if it is an
alternative cipher. It might be a plus in a smartcard, but
RC6 is slow there anyway. And soon Rijndael will be more
analyzed than any of them.

> Use any of AES/Rijndael, Twofish, or Serpent. They should
> be secure. For pure software implementations I would
> still recommend Twofish :-) - fast and very secure.

Or Mars. IBM has released its patent and made Mars free.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Counterpane Funny Stuff
Date: 4 Oct 2000 18:13:03 GMT

[EMAIL PROTECTED] (Albert Yang) wrote in <[EMAIL PROTECTED]>:

>Hmmm,  I'm waiting for Scotty too Hotty to reply to this one, I love it
>when he has a field day with Mr. BS as he refers to him.
>
>Serpent should have won... 
>
>Albert

  Damn, must have missed it. There's too much to read it all.
Though Serpent seems related to Lucifer, which led to DES;
maybe someone can make a connection to Rin... whatever it is.

David A. Scott

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: No Comment from Bruce Schneier?
Date: 4 Oct 2000 18:22:58 GMT

[EMAIL PROTECTED] (Albert Yang) wrote in <[EMAIL PROTECTED]>:

>I expected to hear from a few people, Brian Gladman, the authors of
>Rijndael themselves etc...  But most of all, I expected Bruce to say
>something on sci.crypt.  Something sportsman-like, like, "Rijndael is a
>good algorithm, designed by two people who know what they are doing.  I
>want to congratulate them on being selected as the AES winner."
>
>Comments?  From Bruce?
>Albert
>

  Actually I would expect a comment from him to be more like a comment
of Al Gore attempting to sound nice. I would rather hear from people
who know him. Like the anonymous guy who helped set up my website
so I could be a thorn in the side of the phony crypto elite. Notice
I did not honor him with his initials. Maybe he still carries enough
weight that they can override the first choice and pick his yet.
I hate being wrong. Since I would have bet money the NSA had his
lined up to win especially with that clever name. I have to admit
that maybe it is more secure than I first thought and that it was
not picked because the NSA could not break it. But that's not
possible is it?

David A. Scott

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: Wed, 04 Oct 2000 11:30:13 -0700

Albert Yang wrote:
> Something sportsman-like, like, "Rijndael is a
> good algorithm, designed by two people who know what they are doing.  I
> want to congratulate them on being selected as the AES winner."

You sound like the announcer who interviewed Marion Jones
after she lost a race, asked her if she was happy, and was
disappointed when she said that she wanted to win.

I believe the Twofish designers are on record as saying that
all the finalists are excellent, and they advocated a single
winner because any one is fine.

Where are IBM, Rivest, Biham, and the other losers?

------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: Wed, 04 Oct 2000 19:39:15 +0100

Roger Schlafly wrote:
> 
> Albert Yang wrote:
> > Something sportsman-like, like, "Rijndael is a
> > good algorithm, designed by two people who know what they are doing.  I
> > want to congratulate them on being selected as the AES winner."
> 
> I believe the Twofish designers are on record as saying that
> all the finalists are excellent, and they advocated a single
> winner because any one is fine.
> 
> Where are IBM, Rivest, Biham, and the other losers?

RSA: http://www.rsasecurity.com/news/pr/001002-1.html

Bruce Schneier in Dr. Dobb's Journal December 1998 (and no doubt
also in his Crypto-Grams):

"Rijndael. A variant of Square, the chief drawback to this cipher
is the difficulty Americans have pronouncing it. Square is a
strong algorithm, and Rijndael seems to be a strong variant of it.
The designers, Vincent Rijmen and Joan Daemen, know what they are
doing. "

-- 
+-------------------------------------------------------------------+
| David A. Crick <[EMAIL PROTECTED]> PGP: (OCT-2000 KEY) 0xE0F73D98 |
| Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
+-------------------------------------------------------------------+

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encrpytion processing with intermediate permutations
Date: Wed, 04 Oct 2000 18:44:26 GMT

Mok-Kong Shen wrote:
>
>
> Bryan Olson wrote:
> >
> > Mok-Kong Shen wrote:
> > > Bryan Olson wrote:
> > > > Mok-Kong Shen wrote:
> > > > > Bryan Olson wrote:
> > > > So the scheme is only appropriate when a new key will be
> > > > transported for each session?  Note that a conventional block
> > > > cipher and chaining mode can support arbitrarily many sessions
> > > > and messages with a single key.
> > >
> > > Then you send the secret seed with that 'single' key.
> > > I don't understand what is the problem that you see here?
> >
> > O.K. that's clear.  Now the attacker just repeats the same
> > encrypted seed so the chosen plaintext attack can use the
> > same permutation in multiple messages, just as before.

Hmmm, I mis-explained that.  The attacker uses the same
differentials as in the chosen plaintext attack, but what he
actually uses is chosen ciphertext.

> The seed of PRNG is of course not to be reset, as I
> mentioned previously several times.

Then you'll inevitably lose synchronization between sessions.


> > > > > > [...]
> > > > > > > > Hard to sell exposing the key as a good thing.
> > > > > > >
> > > > > > > Sorry, the above sentence is difficult for me (foreigner)
> > > > > > > to understand.
> > > > > >
> > > > > > Hard to take that seriously.
> > > > >
> > > > > Does that constitute a concrete answer that I requested
> > > > > (see the part you snipped)?? (A yes/no is anyway needed.
> > > > > And some explanations.)
> > > >
> > > > What is needed is a serious attempt to understand the material.
> > >
> > > But you don't answer my question whether introduction
> > > of permutation reduces or enhances the strength, i.e.
> > > produces a negative or positive effect. If your attack
> > > is good then you should be able to firmly answer that it
> > > reduces the strength.
> >
> > No need to take my word for anything.  Check it out.
> >
> > > But you seem so far to avoid that question.
> >
> > Nonsense.  I avoid spoon-feeding the answer.
>
> You can't either answer yes or no. That is the point.
> I challenge you to do that!

And I laugh at your challenge (partly because "yes" and "no" were
not the two alternatives in your question).  The water is before
you; no one can make you drink.


--Bryan
--
email: bolson at certicom dot com



------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: Wed, 04 Oct 2000 19:55:05 +0100

Also, Serpent:

"Serpent is a 128-bit block cipher designed by Ross Anderson, Eli Biham
and Lars Knudsen as a candidate for the Advanced Encryption Standard.
It was a finalist in the AES competition. The winner, Rijndael, got
86 votes at the last AES conference while Serpent got 59 votes, Twofish
31 votes, RC6 23 votes and MARS 13 votes. So NIST's choice of Rijndael
as the AES was not surprising, and we had to content ourselves with
silver in the `encryption olympics'. Serpent and Rijndael are in fact
somewhat similar; the main difference is that Rijndael is faster (having
fewer rounds) but Serpent is more secure." 

-- 
David A. Crick

------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: 04 Oct 2000 11:36:26 -0700

Roger Schlafly <[EMAIL PROTECTED]> writes:
[snip]
> Where are IBM, Rivest, Biham, and the other losers?
[snip]

Although they lost, I wouldn't exactly call them "losers" ;-)

Thanks for the chuckle,
Andru
-- 
Andru Luvisi, Programmer/Analyst

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Wed, 4 Oct 2000 10:46:34 -0700

> I think that actually locating the correct key from a 128 bit space would
> be a good indication that you had found a break - i.e. John's post looked
> OK to me ;-)

I agree, finding that key would take a monumental amount of work.

>
> What are the chances of a *128*-bit key existing that performs this map?

1-(1-(1/2^128))^2^128, at least for an ideal cipher (where each input is
mapped to a random output for each key). For Rijndael in particular it's
either 1 or 0, it would take a large amount of effort to determine the
answer though. I can say that with probability 1 there is an input I that
maps to the desired output under a given key.
                    Joe
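Added worked example (editor's code, not Joe's): the figure
1-(1-(1/2^128))^2^128 above, evaluated in closed form without losing
2^-128 to rounding, and checked by simulation on a constructed toy ideal
cipher with 8-bit blocks and 8-bit keys (the 8/8 parameters are an
assumption chosen so the simulation is cheap; the formula is the same).
The last function checks the post's closing sentence: under one fixed key
the cipher is a permutation, so every output has a preimage.

```python
# Added example: P(some k-bit key maps a fixed n-bit plaintext to a fixed
# ciphertext) for an ideal cipher, where each key is an independent random
# permutation: 1 - (1 - 2^-n)^(2^k).
import math
import random


def key_exists_prob(block_bits: int, key_bits: int) -> float:
    """Closed form 1 - (1 - 2^-n)^(2^k), evaluated via log1p/expm1 so that
    2^-128 is not rounded away inside the factor (1 - 2^-128)."""
    log_all_keys_miss = (1 << key_bits) * math.log1p(-2.0 ** -block_bits)
    return -math.expm1(log_all_keys_miss)


def simulate_key_exists(block_bits: int, key_bits: int, trials: int,
                        seed: int = 1) -> float:
    """Monte Carlo estimate on a constructed toy ideal cipher.  Each key is
    an independent random permutation, so the image of one fixed plaintext
    under a key is uniform over the 2^n block values; we draw that image
    directly instead of materialising 2^k full permutations per trial."""
    rng = random.Random(seed)
    space = 1 << block_bits
    target = rng.randrange(space)            # the desired ciphertext
    hits = 0
    for _ in range(trials):
        if any(rng.randrange(space) == target for _ in range(1 << key_bits)):
            hits += 1
    return hits / trials


def preimage_always_exists(block_bits: int, seed: int = 1) -> bool:
    """Under one fixed key an ideal cipher is a permutation of the block
    space, so every ciphertext has exactly one preimage (probability 1)."""
    rng = random.Random(seed)
    space = 1 << block_bits
    one_key_perm = rng.sample(range(space), space)   # one key's permutation
    return sorted(one_key_perm) == list(range(space))


if __name__ == "__main__":
    print(key_exists_prob(128, 128))        # about 1 - 1/e = 0.632
    print(key_exists_prob(128, 256))        # about 1.0: many more keys than outputs
    print(key_exists_prob(8, 8))            # about 0.633 for the toy parameters
    print(simulate_key_exists(8, 8, 4000))  # within a few percent of the line above
    print(preimage_always_exists(8))        # True
```

With key length equal to block length the answer settles at 1 - 1/e, about
0.63, so a single known plaintext/ciphertext pair of an ideal 128-bit cipher
has a roughly one-in-three chance of being consistent with no key at all;
with a 256-bit key the probability is indistinguishable from 1.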



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
