Cryptography-Digest Digest #441, Volume #14      Fri, 25 May 01 18:13:01 EDT

Contents:
  Re: Good crypto or just good enough? (Tom St Denis)
  Re: Good crypto or just good enough? (SCOTT19U.ZIP_GUY)
  Re: Good crypto or just good enough? (Tom St Denis)
  Advice (Tom St Denis)
  Re: A generic feistel cipher with hash and gf(257) mixers (Jim Steuert)
  Re: Break on Schneiers first proposed "self-study cipher" (SCOTT19U.ZIP_GUY)
  Re: Break on Schneiers first proposed "self-study cipher" (Tom St Denis)
  Re: A generic feistel cipher with hash and gf(257) mixers (Tom St Denis)
  Re: Good crypto or just good enough? (SCOTT19U.ZIP_GUY)
  Re: A generic feistel cipher with hash and gf(257) mixers (Jim Steuert)
  Re: Input Appreciated (Paul Rubin)

----------------------------------------------------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Fri, 25 May 2001 21:02:20 GMT

"SCOTT19U.ZIP_GUY" wrote:
> 
> [EMAIL PROTECTED] (Tom St Denis) wrote in <[EMAIL PROTECTED]>:
> 
> >My old employer asked me to ask the group this question.
> 
>    He sounds like a nice guy. I think I would get along
> with him better than you. Unless he is pro French.
> 
> >
> >Would you settle for crypto that is "just secure enough" or "is as
> >secure as we know how to make it".  Both within reason.
> 
>    Since it's only software. I would prefer as secure as we
> know how.
> 
> >
> >His line of thinking was that I was a hypocrite for only having a
> >dead-bolt on my door instead of a 6" steel vault door.
> 
>     But it cost the same on my machine to encrypt with DES
> as it does with scott19u. But my house has a dead bolt too.
> It's not really a valid comparison. Since the 6" door is expensive
> while good crypto is basically free.
> 
>     However I feel you're one to use what I would call weak encryption
> so you're definitely not a hypocrite for using a weak lock. That,
> Tom, does not mean I don't think of you as a hypocrite for other
> possible reasons.

Your post has one flaw.  You have no clue how secure Scott19u is against
cryptanalysis because nobody has bothered to try.  

Just like I could say TC15a is the best cipher in the world because it's
simple, fast and has no breaks yet.  Unfortunately that and $1.50 will
get you nothing.  (except perhaps a call up to 20 mins...).  Nobody has
really analyzed TC15a (like your cipher) so calling it secure is very
very very premature.

Tom

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Good crypto or just good enough?
Date: 25 May 2001 21:21:25 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
<[EMAIL PROTECTED]>: 

>"SCOTT19U.ZIP_GUY" wrote:
>> 
>> [EMAIL PROTECTED] (Tom St Denis) wrote in
>> <[EMAIL PROTECTED]>: 
>> 
>> >My old employer asked me to ask the group this question.
>> 
>>    He sounds like a nice guy. I think I would get along
>> with him better than you. Unless he is pro French.
>> 
>> >
>> >Would you settle for crypto that is "just secure enough" or "is as
>> >secure as we know how to make it".  Both within reason.
>> 
>>    Since it's only software. I would prefer as secure as we
>> know how.
>> 
>> >
>> >His line of thinking was that I was a hypocrite for only having a
>> >dead-bolt on my door instead of a 6" steel vault door.
>> 
>>     But it cost the same on my machine to encrypt with DES
>> as it does with scott19u. But my house has a dead bolt too.
>> It's not really a valid comparison. Since the 6" door is expensive
>> while good crypto is basically free.
>> 
>>     However I feel you're one to use what I would call weak encryption
>> so you're definitely not a hypocrite for using a weak lock. That,
>> Tom, does not mean I don't think of you as a hypocrite for other
>> possible reasons.
>
>Your post has one flaw.  You have no clue how secure Scott19u is against
>cryptanalysis because nobody has bothered to try.  

   Actually several people have tried. Some have even discussed here
when they tried to use the Slide attack. I have had many emails.
Also the cash prizes for contests that last many years. Of course I
don't think your thoughtful friend will give it an honest try.

>
>Just like I could say TC15a is the best cipher in the world because it's
>simple, fast and has no breaks yet.  Unfortunately that and $1.50 will
>get you nothing.  (except perhaps a call up to 20 mins...).  Nobody has
>really analyzed TC15a (like your cipher) so calling it secure is very
>very very premature.

    Actually since yours is small and fast I would doubt it's very
secure. Small and fast does not lend itself to high enough
complexity or mixing to be able to make a secure cipher.
But since you do have presence here. If it's extremely weak
they will do a good right and say see an amateur trying to
do crypto how foolish.  Yet my feelings are if they don't say
anything it's most likely a fair design.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Fri, 25 May 2001 21:30:04 GMT

"SCOTT19U.ZIP_GUY" wrote:
> 
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <[EMAIL PROTECTED]>:
> 
> >"SCOTT19U.ZIP_GUY" wrote:
> >>
> >> [EMAIL PROTECTED] (Tom St Denis) wrote in
> >> <[EMAIL PROTECTED]>:
> >>
> >> >My old employer asked me to ask the group this question.
> >>
> >>    He sounds like a nice guy. I think I would get along
> >> with him better than you. Unless he is pro French.
> >>
> >> >
> >> >Would you settle for crypto that is "just secure enough" or "is as
> >> >secure as we know how to make it".  Both within reason.
> >>
> >>    Since it's only software. I would prefer as secure as we
> >> know how.
> >>
> >> >
> >> >His line of thinking was that I was a hypocrite for only having a
> >> >dead-bolt on my door instead of a 6" steel vault door.
> >>
> >>     But it cost the same on my machine to encrypt with DES
> >> as it does with scott19u. But my house has a dead bolt too.
> >> It's not really a valid comparison. Since the 6" door is expensive
> >> while good crypto is basically free.
> >>
> >>     However I feel you're one to use what I would call weak encryption
> >> so you're definitely not a hypocrite for using a weak lock. That,
> >> Tom, does not mean I don't think of you as a hypocrite for other
> >> possible reasons.
> >
> >Your post has one flaw.  You have no clue how secure Scott19u is against
> >cryptanalysis because nobody has bothered to try.
> 
>    Actually several people have tried. Some have even discussed here
> when they tried to use the Slide attack. I have had many emails.
> Also the cash prizes for contests that last many years. Of course I
> don't think your thoughtful friend will give it an honest try.

So what?  The slide attack doesn't work against TC15a either.    Nor
do standard linear or differential attacks.  I still won't be
surprised if someone breaks it though.  (Although if they explain how
they found the attack it would be a nice learning experience).

> >Just like I could say TC15a is the best cipher in the world because it's
> >simple, fast and has no breaks yet.  Unfortunately that and $1.50 will
> >get you nothing.  (except perhaps a call up to 20 mins...).  Nobody has
> >really analyzed TC15a (like your cipher) so calling it secure is very
> >very very premature.
> 
>     Actually since yours is small and fast I would doubt it's very
> secure. Small and fast does not lend itself to high enough
> complexity or mixing to be able to make a secure cipher.
> But since you do have presence here. If it's extremely weak
> they will do a good right and say see an amateur trying to
> do crypto how foolish.  Yet my feelings are if they don't say
> anything it's most likely a fair design.

How can you say "small and fast" cannot be secure?  That doesn't seem
too obvious to me.  For example, an 8x8 lookup is fast and from a
statistical standpoint hard to attack (say when placed together with an
MDS, etc... à la Wide-Trail).

See the diff between you and I?  I bet you don't.

The diff is I never claimed TC15a was any good for anything at all.  I
don't recommend people to use it and I never claimed it was secure
against serious attacks.

You claim your cipher is secure without analysis and without good
peer-review.  

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Advice
Date: Fri, 25 May 2001 21:32:12 GMT

Would anyone care to lend some advice for getting my "public" career
back on track?  (Anyone who has followed this group knows what I am
talking about).  I don't care much for scolding emails (they are not
productive).  Just some job advice and ways to make amends with the
group members, etc.  (I am in College but I don't know what to do
after/during school!)

Thanks,
Tom
(lend advice via email to save usenet bandwidth please).

------------------------------

From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 17:39:30 -0400

Thanks, Tom.
   I appreciate your feedback. These are just multipermutation
mixers, which is not equivalent to an sbox followed by an xor mixer.
I suspected that putting the nonlinearity in the mixer might be stronger
than putting it in an sbox whose output is connected to an xor mixer.
What led me to this thinking is a conventional hash function like SHA-1
(which does not have sboxes, and instead provides many rounds (80 in
that case) of mixing in lieu of sboxes). Even without nonlinearity
(except for rotates), I haven't heard of any SHA-1 weaknesses. I did
test 6 rounds of the modified mix() to show that its statistics are as good
as SHA-1. It's a simple (140 line) program which tested to make
sure every bit is independent (flipping any bit flips another with 50.0000%
prob.) I also tested bit-pair correlation so that any pair of bits flipped with
a 25.0000% prob. These tests were over all 2^32 (4Gig) possible values
of a single input. Now I know that this is not the same as finding
differentials.
   In some ways, this is equivalent to a cipher consisting of the invertible
sha-1 followed by xoring the key, followed by another invertible sha-1.
The pre-image protection of sha-1 should guarantee that this is
unbreakable, assuming that sha-1 is unbreakable, doesn't it???
(I've looked at the ShaZam and other Luby-Rackoff ciphers, but
this is a more direct approach, as it seems that the luby-rackoff
construction should not be necessary with this "sandwich" construction.)


Tom St Denis wrote:

> Tom St Denis wrote:
> >
> > Jim Steuert wrote:
> > >
> > >  Does anyone have an opinion on the security of
> > >  generic feistel ciphers like this?  The key is mixed
> > >  in the middle rounds in a fairly simple manner.
> > >  Does this create any weakness?
> > >
> > >  This generic feistel cipher is based on the efficient
> > >   multipermutation hash mixer routine of Bob Jenkins.
> > >   I modified his  mixer algorithm to use 32-bit rotates
> > >   instead of shifts, and then I tested the statistics.
> > >   I also added a gf(257) 32-bit byte-wise multipermutation
> > >   mixer. (1 is represented by 8-bit 0x00,...,256 by 0xff)
> > >
> > >    A multipermutation feistel mixer operation: c = a op b
> > >    is invertible, in that by fixing any input a, varying the
> > >    second input b will cause all possible values of
> > >    the output c. This preserves the equal-likelihood
> > >    of all output values, in that any single output
> > >    value is caused by exactly (2^n) different input (a,b)
> > >    pairs, out of (2^n)*(2^n) possible input pairs.
> > >    This makes each output value have prob = 1/(2^n).
> > >    Of course, the other important (avalanche,etc) qualities are
> > >    due to the properties of the gf and Bob Jenkin's mixers,
> > >    in particular his use of combined 32-bit add/sub and xor.
> > >    This was compiled with -O5 with the mingw version of gcc.
> >
> > This is wrong.  Nice immunity to GF(2^n) differentials comes from
> > GF(2^n) decorrelated functions (it's simple to prove it too).  In
> > GF(257) you will see GF(2^8) differentials with probs up to about 12/256
> > if I am not mistaken.
>
> In GF(257) inversion ...
>
> To be more precise Pr[255 => 255] is 256/256, there are some 16/256,
> 12/256 and a lot of 2,4,8/256.
>
> So this is not a good "fixed" sbox.   Note that using mults in GF(257)
> by random values is good to a point as the average DP value for any
> xor-pair (over all unique multiplicands (all 127*255 of them)) is fairly
> low (this is a wild guess I should really check sometime).
>
> I would bet for all mults though diffs by 255 would be a source of
> weakness... (again wild speculation)
>
> Tom


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Break on Schneiers first proposed "self-study cipher"
Date: 25 May 2001 21:31:43 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
<[EMAIL PROTECTED]>: 

>
>I called him thoughtful because he spends more time doing productive
>things then this
>
>That and he publishes all his research on his website for free, and he
>indexed about 2500 papers, and ...
>
>Is that enough "basis"?
>

  I am not sure. Is this the same guy that used to SPAM everyone
about buying his book? If all his research is on his website
and for free. What good is his book?  And since he is someone
you respect from a cryptographical viewpoint. What does he
say about bijective compression encryption programs like BICOM
or does he know enough about the topic to say or write anything
meaningful about it. I do know people who say they have met him
but it would be rude of me to repeat it all. So I will let that
sleeping dog lie still for a while. Also he has not ranted too much
on the group so why talk about him behind his back.
However since you're seeking a job. I can see why it might
be important for you to pretend to kiss up to him a little.
He still owns a company and maybe you're the kind of guy he
would hire. I assure you he would not hire my kind.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Break on Schneiers first proposed "self-study cipher"
Date: Fri, 25 May 2001 21:44:56 GMT

"SCOTT19U.ZIP_GUY" wrote:
> 
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <[EMAIL PROTECTED]>:
> 
> >
> >I called him thoughtful because he spends more time doing productive
> >things then this
> >
> >That and he publishes all his research on his website for free, and he
> >indexed about 2500 papers, and ...
> >
> >Is that enough "basis"?
> >
> 
>   I am not sure. Is this the same guy that used to SPAM everyone
> about buying his book? If all his research is on his website
> and for free. What good is his book?  And since he is someone
> you respect from a cryptographical viewpoint. What does he
> say about bijective compression encryption programs like BICOM
> or does he know enough about the topic to say or write anything
> meaningful about it. I do know people who say they have met him
> but it would be rude of me to repeat it all. So I will let that
> sleeping dog lie still for a while. Also he has not ranted too much
> on the group so why talk about him behind his back.
> However since you're seeking a job. I can see why it might
> be important for you to pretend to kiss up to him a little.
> He still owns a company and maybe you're the kind of guy he
> would hire. I assure you he would not hire my kind.

First off he made money by providing a text that enables millions of
people to learn about crypto.  I feel that's not a "plug" on society.

Second if you proposed BICOM professionally (like all real academia
would have) he might have looked at it already.  I imagine he's a busy
person and doesn't follow sci.crypt too closely.

Third, I am not even close to being qualified to work for Counterpane.
I don't have the requisite knowledge about how TCP, UDP, etc protocols
work, or even how to program them (outside of a limited WinSock 2 API).
Also his company is in USCA, and if you remember I live in CAN ON.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 21:49:15 GMT

Jim Steuert wrote:
> 
> Thanks, Tom.
>    I appreciate your feedback. . These are just multipermutation
> mixers, which is not  equivalent to an sbox followed by an xor mixer.

I analyzed your "GFinversion[256]" table for the DP/LP maxes not the
multiplication.  (GFinversion is not a 2,1-multipermutation)

> I suspected that putting the nonlinearity in the mixer might be stronger
> than putting it in an sbox whose output is connected to an xor mixer.
> What led me to this thinking is a conventional hash function like SHA-1
> (which does not have sboxes, and instead provides many rounds (80 in
> that case) of mixing in lieu of sboxes. Even without nonlinearity

SHA-1 does have sboxes btw.  They are 3x1 bitsliced sboxes.

> (except for rotates), I haven't heard of any SHA-1 weaknesses. I did
> test 6 rounds of the modified mix() to show that it's statistics are are good
> as
> SHA-1. It's a simple (140 line) program which tested to make
> sure every bit is independent ( flipping any bit flips another with 50.0000%
> prob.)
> I also tested bit-pair correlation so that any pair of bits flipped with
> a 25.0000% prob. These tests were over all 2^32 (4Gig) possible values
> of a single input. Now I know that this is not the same as finding
> differentials.

Nope. Differentials are more specific than single bit flips.  For
example, the original TC15 passed the SAC test (this is the test I think
you are doing) after four rounds, but I found a 1R differential
(involving six bit flips I think) that could break it faster than brute
force for four rounds.

To find differentials you should look at your functions and see where
differences can easily pass through.  Off the top of my head I remember
your GFinversion box is very weak against diff attacks, also you work
with single bytes at a time in your mixing....

Tom
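The two measurements Tom contrasts here, the SAC-style bit-flip statistic Jim ran and a specific differential traced through the round function, side by side on the rotate-based Jenkins mix() quoted later in this thread. This is an added example, not code from either poster: the xorshift32 sampler, the sample sizes, and the rotl() rewrite Tom suggests are this example's choices. The deterministic part of the differential Tom describes (a top-bit difference in both A and B cancels in A, stays in B and moves into C) holds for the first three statements of mix() with probability 1, which a statistics-only test never reports.

```c
/*
 * Added example (not code from the thread): a SAC-style bit-flip sample
 * next to a structural differential, both run on the rotate-based
 * Bob Jenkins mix() as quoted in this thread.
 */
#include <stdint.h>
#include <stdio.h>

static uint32_t rotl(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

/* First third of mix(): the three statements the top-bit difference
 * in A and B passes through deterministically. */
static void mix_third(uint32_t *a, uint32_t *b, uint32_t *c)
{
    *a -= *b; *a -= *c; *a ^= rotl(*c, 19);   /* (c>>13)|(c<<19) */
    *b -= *c; *b -= *a; *b ^= rotl(*a, 8);    /* (a<<8)|(a>>24)  */
    *c -= *a; *c -= *b; *c ^= rotl(*b, 19);   /* (b>>13)|(b<<19) */
}

/* Full mix() as posted, written with rotl() as Tom suggested. */
static void mix(uint32_t *a, uint32_t *b, uint32_t *c)
{
    mix_third(a, b, c);
    *a -= *b; *a -= *c; *a ^= rotl(*c, 20);   /* (c>>12)|(c<<20) */
    *b -= *c; *b -= *a; *b ^= rotl(*a, 16);
    *c -= *a; *c -= *b; *c ^= rotl(*b, 27);   /* (b>>5)|(b<<27)  */
    *a -= *b; *a -= *c; *a ^= rotl(*c, 29);   /* (c>>3)|(c<<29)  */
    *b -= *c; *b -= *a; *b ^= rotl(*a, 10);
    *c -= *a; *c -= *b; *c ^= rotl(*b, 17);   /* (b>>15)|(b<<17) */
}

/* xorshift32: small reproducible sampler for the test inputs (not a crypto RNG). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/*
 * SAC-style sample (a sampled version of the exhaustive test Jim describes):
 * flip bit `inbit` of a, run `rounds` mix() calls on (a,b,c), and count how
 * often each of the 96 output bits flips. Returns the largest |p - 0.5|.
 */
static double sac_max_deviation(int rounds, int samples, int inbit, uint32_t seed)
{
    int flips[96] = {0};
    uint32_t s = seed ? seed : 1u;
    for (int i = 0; i < samples; i++) {
        uint32_t a = xorshift32(&s), b = xorshift32(&s), c = xorshift32(&s);
        uint32_t a2 = a ^ (1u << inbit), b2 = b, c2 = c;
        for (int r = 0; r < rounds; r++) { mix(&a, &b, &c); mix(&a2, &b2, &c2); }
        uint32_t d[3] = { a ^ a2, b ^ b2, c ^ c2 };
        for (int w = 0; w < 3; w++)
            for (int bit = 0; bit < 32; bit++)
                if ((d[w] >> bit) & 1u) flips[w * 32 + bit]++;
    }
    double worst = 0.0;
    for (int k = 0; k < 96; k++) {
        double dev = (double)flips[k] / samples - 0.5;
        if (dev < 0) dev = -dev;
        if (dev > worst) worst = dev;
    }
    return worst;
}

/*
 * Tom's observation, made exact for the first three statements: flipping
 * bit 31 of both A and B gives dA = 0 (the two +2^31 terms cancel in a-b),
 * dB = 0x80000000 (a top-bit change survives subtraction), and
 * dC = 0x80040000 (bit 31 from c-b, bit 18 from rotl(b,19)).
 * Returns how many of `samples` random pairs follow that path.
 */
static int differential_hits(int samples, uint32_t seed)
{
    int hits = 0;
    uint32_t s = seed ? seed : 1u;
    for (int i = 0; i < samples; i++) {
        uint32_t a = xorshift32(&s), b = xorshift32(&s), c = xorshift32(&s);
        uint32_t a2 = a ^ 0x80000000u, b2 = b ^ 0x80000000u, c2 = c;
        mix_third(&a, &b, &c);
        mix_third(&a2, &b2, &c2);
        if ((a ^ a2) == 0 && (b ^ b2) == 0x80000000u && (c ^ c2) == 0x80040000u)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("SAC worst |p-0.5| after 6 rounds of mix(): %.4f\n",
           sac_max_deviation(6, 20000, 0, 0x9e3779b9u));
    printf("top-bit differential through first third of mix(): %d/10000 pairs\n",
           differential_hits(10000, 12345u));
    return 0;
}
```

The point of putting both in one program is the one Tom makes: after six rounds the bit-flip statistic sits near 0.5 for every output bit, yet the same function carries a probability-one difference through a third of a round. SAC measures averages over all inputs; a differential is a statement about one chosen pair of input differences, so passing the first says nothing about the second.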

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Good crypto or just good enough?
Date: 25 May 2001 21:49:45 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
<[EMAIL PROTECTED]>: 

>How can you say "small and fast" cannot be secure?  That doesn't seem
>too obvious to me.  For example, a 8x8 lookup is fast and from a
>statistical stand point hard to attack (say when placed together with a
>MDS, etc... ala Wide-Trail).
>

  It's easy to say small and fast cannot be secure. Even you can say
it. Just use that big mouth of yours. And what it means as a rule of
thumb if you know nothing else except it's small and fast it means
not much complexity can be done to the plain text so there it's more
apt to be secure.  Funny you question general rules like this
yet you take it as religious faith that AES encryption will actually
be very secure. Meaning the way it will be implemented in something
like PGP it will be secure.

>See the diff between you and I?  I bet you don't.

  Yes you're a little kid without much real life experience
who is still wet behind the ears and trusts the so called
crypto experts.

>
>The diff is I never claimed TC15a was any good for anything at all.  I
>don't recommend people to use it and I never claimed it was secure
>against serious attacks.
>
>You claim your cipher is secure without analysis and without good
>peer-review.  
>

  I claim it based on more secure principles than current ciphers
in use. High error propagation. Hiding of input output pairs to the
underlying block encryption. Fully bijective if impedance matched.
Treats whole file as a single block. and etc...
That's not to say it cannot be broken. Just less likely than one
designed to use a wimpy key. What I realize is that the ones
you admire are just people who know a very narrow area of a big
field. That does make their small fast designs any better.
I felt they could design a large key better than mine. But they
don't. The NSA wants people to use simple ciphers. So they are
constrained to be simple. Even your MR BS stated on this group
a gem that is firmly implanted in your mind. He stated he felt
it would be harder to design a big key cipher that was secure
compared to his small key designs. I think you were among us when
he did that. I am sure he worded it differently but that was
the point behind it.  If this wasn't a gem injected by the NSA
to keep people dumb I don't know what is. Maybe he accidentally
wrote it. Or maybe like me he had one beer too many that day.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 18:01:55 -0400

Hi Tom,
  I'm not really truncating. What I am doing there is taking a 32-bit
word A and breaking it into 4 8-bit values (A1,A2, A3, A4). Then I am
multiplying the corresponding low order byte with the low order byte
of the other 32-bit word B = (B1,B2,B3,B4). So the result is
C = (C1,C2,C3,C4) where C1 = A1*B1 mod 257 (where A1 only
has values 1 to 256, i.e. no zero, 1 is represented by the binary 8-bit
0x00)
Note that in C1 a binary 0 represents the GF(257) value 1.
  The purpose is to provide non-linearity only. The mixing is done quite
well by the mix() algorithm. The purpose is to provide an invertible
sha-1 type hash of the input value, followed by mixing the key, followed
by another sha-1 type hash. The collision and pre-image resistance of
sha-1 type hashes (improved with more boolean complexity and
nonlinearity) should, I thought, provide a reasonable cipher.


Tom St Denis wrote:

> Jim Steuert wrote:
> >
> >  Does anyone have an opinion on the security of
> >  generic feistel ciphers like this?  The key is mixed
> >  in the middle rounds in a fairly simple manner.
> >  Does this create any weakness?
> >
> >  This generic feistel cipher is based on the efficient
> >   multipermutation hash mixer routine of Bob Jenkins.
> >   I modified his  mixer algorithm to use 32-bit rotates
> >   instead of shifts, and then I tested the statistics.
> >   I also added a gf(257) 32-bit byte-wise multipermutation
> >   mixer. (1 is represented by 8-bit 0x00,...,256 by 0xff)
> >
> >    A multipermutation feistel mixer operation: c = a op b
> >    is invertible, in that by fixing any input a, varying the
> >    second input b will cause all possible values of
> >    the output c. This preserves the equal-likelihood
> >    of all output values, in that any single output
> >    value is caused by exactly (2^n) different input (a,b)
> >    pairs, out of (2^n)*(2^n) possible input pairs.
> >    This makes each output value have prob = 1/(2^n).
> >    Of course, the other important (avalanche,etc) qualities are
> >    due to the properties of the gf and Bob Jenkin's mixers,
> >    in particular his use of combined 32-bit add/sub and xor.
> >    This was compiled with -O5 with the mingw version of gcc.
>
> This is wrong.  Nice immunity to GF(2^n) differentials comes from
> GF(2^n) decorrelated functions (it's simple to prove it too).  In
> GF(257) you will see GF(2^8) differentials with probs up to about 12/256
> if I am not mistaken.
>
> > unsigned char gfinverse[256] =
> > {  0,128, 85,192,102, 42,146,224, 199,179,186,149,177,201,119,240,
> >  120, 99,229, 89, 48,221,189, 74, 71, 88,237,100,194, 59,198,248,
> >  147,188,234, 49,131,114,144, 44, 162,152,  5,110, 39, 94,174,165,
> >   20, 35,125,172, 96,118,242,178, 247,225, 60, 29, 58,227,101,252,
> >   86, 73,233,222,148,245,180, 24, 168, 65, 23,185,246,200,243,150,
> >  164,209, 95,204,126,  2, 64,183, 25, 19,208,175,151,215, 45, 82,
> >   52,138,134, 17, 27, 62,  4,214, 163,176,244,187,223,249, 43,217,
> >  115,123, 37,112,133,158, 53, 14, 16,157,139,113,219, 50, 84,254,
> >    1,171,205, 36,142,116, 98,239, 241,202, 97,122,143,218,132,140,
> >   38,212,  6, 32, 68, 11, 79, 92, 41,251,193,228,238,121,117,203,
> >  173,210, 40,104, 80, 47,236,230, 72,191,253,129, 51,160, 46, 91,
> >  105, 12, 55,  9, 70,232,190, 87, 231, 75, 10,107, 33, 22,182,169,
> >    3,154, 28,197,226,195, 30,  8, 77, 13,137,159, 83,130,220,235,
> >   90, 81,161,216,145,250,103, 93, 211,111,141,124,206, 21, 67,108,
> >    7, 57,196, 61,155, 18,167,184, 181, 66, 34,207,166, 26,156,135,
> >   15,136, 54, 78,106, 69, 76, 56, 31,109,213,153, 63,170,127,255};
> > //
> > // the basic mix hash from bob jenkins
> > // modified to use rotates instead of shifts.
> > // The statistic were tested for 5-rounds and
> > // are as good as full sha-1.
> > //
> > #define mix(a,b,c) \
> > { \
> >   unsigned long d,e,f;\
> >   a=a-b;  a=a-c;  a=a^( (c>>13) | (c<<19) ); \
> >   b=b-c;  b=b-a;  b=b^( (a<<8)  | (a>>24) ); \
> >   c=c-a;  c=c-b;  c=c^( (b>>13) | (b<<19) ); \
> >   a=a-b;  a=a-c;  a=a^( (c>>12) | (c<<20) ); \
> >   b=b-c;  b=b-a;  b=b^( (a<<16) | (a>>16) ); \
> >   c=c-a;  c=c-b;  c=c^( (b>>5)  | (b<<27) ); \
> >   a=a-b;  a=a-c;  a=a^( (c>>3)  | (c<<29) ); \
> >   b=b-c;  b=b-a;  b=b^( (a<<10) | (a>>22) ); \
> >   c=c-a;  c=c-b;  c=c^( (b>>15) | (b<<17) ); \
>
> Why not write this a bit simpler as
>
> a = a-b-c^rotl(c,13); \
> etc...
>
> Not only that but I see good differentials.  I.e try putting a
> difference in the upper bits of A and B.  They will cancel out in A,
> state in B and move into C.  It's a short-lived differential but it
> shows how easy it is to start one.
>
> > #define unmix(a,b,c) \
> > { \
> >   c=c^( (b>>15) | (b<<17) );  c=c+b; c=c+a;\
> >   b=b^( (a<<10) | (a>>22) );  b=b+a;  b=b+c;\
> >   a=a^( (c>>3)  | (c<<29) );  a=a+c;  a=a+b;\
> >   c=c^( (b>>5) | (b<<27) );  c=c+b; c=c+a;\
> >   b=b^( (a<<16) | (a>>16) );  b=b+a;  b=b+c;\
> >   a=a^( (c>>12)  | (c<<20) );  a=a+c;  a=a+b;\
> >   c=c^( (b>>13) | (b<<19) );  c=c+b; c=c+a;\
> >   b=b^( (a<<8) | (a>>24) );  b=b+a;  b=b+c;\
> >   a=a^( (c>>13)  | (c<<19) );  a=a+c;  a=a+b;\
> > }
> >
> > #define gfmix(a,b)\
> > {\
> >   unsigned long d,e,g;\
> >   d = ( (a>>24) & 0xff )+1; e = ( (b>>24) & 0xff )+1;\
> >   g = ( ((d*e) % 257)-1) & 0xff;\
> >   d = ( (a>>16) & 0xff )+1; e = ( (b>>16) & 0xff )+1;\
> >   g = ( (g<<8) | ( ( ((d*e) % 257)-1) & 0xff) );\
> >   d = ( (a>>8) & 0xff )+1; e = ( (b>>8) & 0xff )+1;\
> >   g = ( (g<<8) | ( ( ((d*e) % 257)-1) & 0xff) );\
> >   d = (a & 0xff)+1; e = (b & 0xff)+1;\
> >   a = ( (g<<8) | ( ( ((d*e) % 257)-1) & 0xff) );\
> > }
>
> High prob Differentials (most likely).  Not only that but this is
> terribly messy.  What are you basing the security on?
>
> For example, you truncate values ((a>>24&255) for example) which means
> you have probs that go \Delta X \rightarrow \Delta 0 very easily.  For
> example a diff in any of the lower 23 bits will not affect d in the
> first line.
>
> It's a very complicated cipher that I can't possibly see being faster or
> simpler than say AES.
>
> Sorry, back to the books!  (This is a lesson I learned many times...
> which is why I only come forward with a Toy cipher when it's blazing
> fast and as simple as possible).
>
> Tom

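Three checks on the GF(257) byte constructions argued over in this thread, as an added example rather than code from either poster: that the gfinverse[] table Jim posted (copied here exactly) really encodes (x+1)^-1 mod 257 under his "byte x stands for field element x+1" convention; that the byte-wise product inside gfmix() is a multipermutation in the sense Jim gives (fixing a, b maps onto every byte); and the XOR difference distribution table of gfinverse[], which is what Tom's "Pr[255 => 255] is 256/256" refers to. The brute-force inverse search and the DDT helper are this example's own; the field-versus-XOR mismatch they expose is exactly Tom's point that a GF(257) map gives no GF(2^8) differential guarantees.

```c
/*
 * Added example (not code from the thread): sanity checks on the GF(257)
 * byte-wise mixer discussed above. Byte x encodes field element x+1, as in
 * the posted code, so 0x00 is 1 and 0xff is 256 (= -1 mod 257).
 */
#include <stdio.h>

/* The gfinverse[] table as posted by Jim Steuert in this thread. */
static const unsigned char gfinverse[256] =
{  0,128, 85,192,102, 42,146,224, 199,179,186,149,177,201,119,240,
 120, 99,229, 89, 48,221,189, 74, 71, 88,237,100,194, 59,198,248,
 147,188,234, 49,131,114,144, 44, 162,152,  5,110, 39, 94,174,165,
  20, 35,125,172, 96,118,242,178, 247,225, 60, 29, 58,227,101,252,
  86, 73,233,222,148,245,180, 24, 168, 65, 23,185,246,200,243,150,
 164,209, 95,204,126,  2, 64,183, 25, 19,208,175,151,215, 45, 82,
  52,138,134, 17, 27, 62,  4,214, 163,176,244,187,223,249, 43,217,
 115,123, 37,112,133,158, 53, 14, 16,157,139,113,219, 50, 84,254,
   1,171,205, 36,142,116, 98,239, 241,202, 97,122,143,218,132,140,
  38,212,  6, 32, 68, 11, 79, 92, 41,251,193,228,238,121,117,203,
 173,210, 40,104, 80, 47,236,230, 72,191,253,129, 51,160, 46, 91,
 105, 12, 55,  9, 70,232,190, 87, 231, 75, 10,107, 33, 22,182,169,
   3,154, 28,197,226,195, 30,  8, 77, 13,137,159, 83,130,220,235,
  90, 81,161,216,145,250,103, 93, 211,111,141,124,206, 21, 67,108,
   7, 57,196, 61,155, 18,167,184, 181, 66, 34,207,166, 26,156,135,
  15,136, 54, 78,106, 69, 76, 56, 31,109,213,153, 63,170,127,255};

/* One byte lane of gfmix(): (x+1)*(y+1) mod 257, re-encoded as a byte. */
static unsigned gf257_mul_byte(unsigned x, unsigned y)
{
    return (((x + 1) * (y + 1)) % 257) - 1;
}

/* Count entries where gfinverse[x] is not the encoding of (x+1)^-1 mod 257.
 * The inverse is found by brute force; 257 is prime so it always exists. */
static int gfinverse_mismatches(void)
{
    int bad = 0;
    for (unsigned x = 0; x < 256; x++) {
        unsigned y;
        for (y = 0; y < 256; y++)
            if (((x + 1) * (y + 1)) % 257 == 1) break;
        if (gfinverse[x] != y) bad++;
    }
    return bad;
}

/* Jim's multipermutation property for the gfmix byte product: with a fixed,
 * b -> a*b must hit every byte exactly once. Returns the number of a values
 * for which some output byte is never reached. */
static int gfmul_non_bijective_rows(void)
{
    int bad = 0;
    for (unsigned a = 0; a < 256; a++) {
        unsigned char seen[256] = {0};
        for (unsigned b = 0; b < 256; b++) seen[gf257_mul_byte(a, b)] = 1;
        for (unsigned c = 0; c < 256; c++)
            if (!seen[c]) { bad++; break; }
    }
    return bad;
}

/* XOR difference distribution table entry of gfinverse[]: the number of x
 * with gfinverse[x] ^ gfinverse[x ^ din] == dout (out of 256). */
static int ddt_count(unsigned din, unsigned dout)
{
    int n = 0;
    for (unsigned x = 0; x < 256; x++)
        if ((gfinverse[x] ^ gfinverse[x ^ din]) == dout) n++;
    return n;
}

/* Largest DDT entry over nonzero input differences other than 0xff. */
static int ddt_max_excluding_ff(void)
{
    int best = 0;
    for (unsigned din = 1; din < 255; din++)
        for (unsigned dout = 0; dout < 256; dout++) {
            int n = ddt_count(din, dout);
            if (n > best) best = n;
        }
    return best;
}

int main(void)
{
    printf("gfinverse[] entries not equal to (x+1)^-1 mod 257: %d\n", gfinverse_mismatches());
    printf("gfmix byte rows that are not bijections: %d\n", gfmul_non_bijective_rows());
    printf("DDT[0xff -> 0xff] = %d/256\n", ddt_count(0xff, 0xff));
    printf("largest DDT entry for other nonzero input differences: %d/256\n",
           ddt_max_excluding_ff());
    return 0;
}
```

Why 0xff -> 0xff holds with probability 1: x ^ 0xff is 255 - x, which encodes 256 - x = -(x+1) in GF(257), and the inverse of a negation is the negation of the inverse. The two inverses therefore encode u and 257 - u, i.e. the bytes u - 1 and 255 - (u - 1), which are bitwise complements and XOR to 0xff for every x. The field has perfect algebraic structure; it is the byte encoding sitting between GF(257) and the XOR difference that produces the differential, which is why Tom separates "GF(2^n) decorrelated" from "bijective over GF(257)".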

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Input Appreciated
Date: 25 May 2001 15:05:33 -0700

[EMAIL PROTECTED] (Frog20000) writes:
> check encoder at 
> 
> http://www.aasp.net/~speechfb

There's no serious encryption in that program at all, and there appears
to be no source code available.  I wouldn't touch it with a 10 foot pole.

If you want a speech encryption program with source code and real
cryptography, try http://www.lila.com/nautilus/


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
