> > I would be happy to perform the detailed statistical analysis
>
> They were performed for AES, and we have a proof, that LRW
> does not significantly degrade the pseudorandomness of AES.

I do not know what you mean by "significantly degrades". Also, please provide this proof. I'm asking not because I doubt the sincerity of your statement, but rather because I want to substantiate the claim that is being made.

> If you could find any non-randomness with tests of small
> complexity, it would show that the proof was wrong.

Correct.

> It is very unlikely, so I'd think you wasted your effort.

I cannot determine how likely or unlikely this might be, as I have not examined the proof myself. Just out of curiosity, are you saying "very unlikely" because you have examined the proof?

> Furthermore, it would not improve our confidence in LRW if
> all the tests passed with flying colors, since many very weak
> ciphers pass all known statistical tests, when they encrypt a
> simple counter or their output in a cycle.

Correct, and to be more precise: a neutral entropy signature result does not imply that the cipher is strong, since that same cipher could have a significant non-statistical flaw. On the other hand, a definitive entropy signature analysis signal is a good indicator that there may be a serious flaw in the algorithm. And a definitive entropy signature does not give you much information as to what is wrong. DES, for example, has a non-neutral entropy signature when it comes to uniformity under certain types of compression. The DES algorithm, when you ignore the problem of small key size, remained sound for a very long time. And the cause of the uniformity flaw has never been discovered or exploited.

I put AES through a significant battery of entropy signature tests back when it was a candidate for the final AES round. I tested all of the candidates and found only one (which was not the selected AES algorithm) that did not have a neutral entropy signature.

LRW has not been widely time tested for an extended period of time. In fact, to some, AES is too recent to be considered well tested; although I am willing to grant AES time-tested status because I also add the time it spent in the AES selection process. I am, however, withholding judgment on the LRW mode of operation at this time. So when you say "our" (referring to your text above), please do not include me in that group just yet! :-)

So I take it that there is no interest in testing LRW for the moment. I'm sure it will be tested, certainly if/when it becomes a standard. For as I said during the last meeting, it will be us cryptologists and cryptographers that may have the last judgment and say on the LRW mode.

chongo (Landon Curt Noll) /\oo/\
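Added example, not part of this thread and not code from either correspondent: a small Python battery of two entropy-signature style tests (a byte-frequency chi-square test and a monobit test) run over counter-mode output. The "cipher" is a constructed toy: the splitmix64 mixing function with a key folded in additively. It has no cryptographic strength at all, yet its output on a simple counter passes both tests, while the unencrypted counter fails them loudly. That is exactly the asymmetry the message describes: a neutral signature proves nothing about strength, whereas a definitive signal does indicate something is wrong. The key, the block count and the chi-square p-value approximation (Wilson-Hilferty) are all assumptions of this demo.

```python
import math

MASK64 = (1 << 64) - 1
BLOCK_BYTES = 8
ALPHA = 0.001  # p-values below this count as a "definitive" (non-neutral) signal
# Constructed demo key; any 64-bit value works for the toy function.
DEMO_KEY = 0x0123456789ABCDEF


def weak_encrypt_block(block: int, key: int) -> int:
    """Toy 64-bit 'block cipher': the splitmix64 mixing function with the key
    added in. Every step is invertible without the key, so this is a PRNG
    finalizer, not a cipher: zero cryptographic strength, but a bijection
    on 64-bit words, so its output on a counter looks random to simple tests."""
    x = (key + block * 0x9E3779B97F4A7C15) & MASK64
    x = ((x ^ (x >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    x = ((x ^ (x >> 27)) * 0x94D049BB133111EB) & MASK64
    return x ^ (x >> 31)


def counter_mode_output(n_blocks: int, key: int) -> bytes:
    """'Encrypt' the blocks 0, 1, 2, ... (a simple counter) with the toy function."""
    out = bytearray()
    for i in range(n_blocks):
        out += weak_encrypt_block(i, key).to_bytes(BLOCK_BYTES, "little")
    return bytes(out)


def plain_counter_output(n_blocks: int) -> bytes:
    """The same counter with no encryption at all: six of every eight bytes
    are zero, so any uniformity test should flag it."""
    return b"".join(i.to_bytes(BLOCK_BYTES, "little") for i in range(n_blocks))


def chi_square_pvalue(stat: float, df: int) -> float:
    """Upper-tail p-value of a chi-square statistic via the Wilson-Hilferty
    normal approximation (adequate for df in the hundreds)."""
    mean = 1.0 - 2.0 / (9.0 * df)
    sd = math.sqrt(2.0 / (9.0 * df))
    z = ((stat / df) ** (1.0 / 3.0) - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def byte_frequency_test(data: bytes) -> float:
    """Chi-square goodness-of-fit of the 256 byte values against uniform (255 df)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256.0
    stat = sum((c - expected) ** 2 / expected for c in counts)
    return chi_square_pvalue(stat, 255)


def monobit_test(data: bytes) -> float:
    """NIST-style frequency (monobit) test: are 1 bits and 0 bits balanced?"""
    ones = sum(bin(b).count("1") for b in data)
    n = len(data) * 8
    s = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s / math.sqrt(2.0))


def entropy_signature(data: bytes) -> dict:
    """p-value of each test; read with is_neutral() to get a verdict."""
    return {"byte_chi_square": byte_frequency_test(data), "monobit": monobit_test(data)}


def is_neutral(signature: dict) -> bool:
    """Neutral signature: no test fired. This says nothing about strength."""
    return all(p >= ALPHA for p in signature.values())


if __name__ == "__main__":
    n = 1 << 16  # 64 Ki blocks = 512 KiB of output
    for label, data in (("toy cipher on a counter", counter_mode_output(n, DEMO_KEY)),
                        ("unencrypted counter", plain_counter_output(n))):
        sig = entropy_signature(data)
        verdict = "neutral" if is_neutral(sig) else "definitive signal"
        print(f"{label}: {verdict} {sig}")
```

The toy function passes with a neutral signature even though the key is recoverable by anyone who can invert a few multiplications mod 2^64, which is the whole point: a test battery like this is a screen for gross statistical defects, not evidence of cryptographic strength, and a failing result (as for the raw counter) tells you something is wrong without telling you what.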