> I take it that there is no interest in testing LRW

Actually, I would be interested to see the results of your statistical tests; I just thought there was very little chance to see something surprising. Unless you enjoy this kind of work, you could attack other systems with more likely success.

When I said that AES was tested, I referred to the NIST document (you probably know all of these, but just for the reference):

J. Soto and L. Bassham: Randomness Testing of the Advanced Encryption Standard Finalist Candidates, http://csrc.nist.gov/publications/nistir/ir6483.pdf

Another paper I have a copy of is P. Hellekalek, S. Wegenkittl, Empirical evidence concerning AES, ACM Transactions on Modeling and Computer Simulation (TOMACS), Vol. 13, Issue 4 (October 2003), pp. 322-333.

There are also "Comments by the NESSIE Project on the AES Finalists", https://www.cosic.esat.kuleuven.ac.be/nessie/deliverables/D4_NessieAESInput.pdf, with some statistical tests.

> what you mean by [LRW] "significantly degrades" [the randomness of AES]

I was referring to annex C3, Security Analysis, in the P1619 D5 draft proposal, which is based on the papers in the bibliography of the P1619 draft. You guessed it right, I did not check any of the proofs. I assumed that the reviewers would have spotted errors before publication, and since then many people have seen the papers, and we would have heard about problems. I don't like this kind of proof, so unless someone offers me a significant reward, I don't intend to verify them.

For us the show stoppers are the red-herring issue of grandma storing her keys on her laptop disk, the performance and HW requirements of LRW and the lack of alternatives in the proposed standard.

Laszlo

> -------- Original Message --------
> Subject: RE: is it "randomized"?
> From: "Landon Noll" <[EMAIL PROTECTED]>
> Date: Fri, May 26, 2006 7:57 pm
> To: <[EMAIL PROTECTED]>
>
> > > I would be happy to perform the detailed statistical analysis
> >
> > They were performed for AES, and we have a proof, that LRW
> > does not significantly degrade the pseudorandomness of AES.
>
> I do not know what you mean by "significantly degrades".
>
> Also, please provide this proof. I'm asking not because
> I doubt the sincerity of your statement, but rather
> because I want to substantiate the claim that is being made.
>
> > If you could find any non-randomness with tests of small
> > complexity, it would show that the proof was wrong.
>
> Correct.
>
> > It is very unlikely, so I'd think you wasted your effort.
>
> I cannot determine how likely or unlikely this might be
> as I have not examined the proof myself. Just out of
> curiosity, are you saying "very unlikely" because you
> have examined the proof?
>
> > Furthermore, it would not improve our confidence in LRW if
> > all the tests passed with flying colors, since many very weak
> > ciphers pass all known statistical tests, when they encrypt a
> > simple counter or their output in a cycle.
>
> Correct, and to be more precise: A neutral entropy signature
> result does not imply that the cipher is strong since that
> same cipher could have a significant non-statistical flaw.
> On the other hand, a definitive entropy signature analysis
> signal is a good indicator that there may be a serious flaw
> in the algorithm. And a definitive entropy signature does
> not give you much information as to what is wrong. DES,
> for example, has a non-neutral entropy signature when it
> comes to uniformity under certain types of compression. The
> DES algorithm, when you ignore the problem of small key size,
> remained sound for a very long time. And the cause of the
> uniformity flaw has never been discovered or exploited.
>
> I put AES through a significant battery of entropy signature
> tests back when it was a candidate for the final AES round.
> I tested all of the candidates and found only one (which was
> not the selected AES algorithm) that did not have a neutral
> entropy signature.
>
> LRW has not been widely time tested for an extended period
> of time. In fact to some, AES is too recent to be considered
> well tested; although I am willing to grant AES time tested
> status because I also add the time it spent in the AES
> selection process. I am, however, withholding judgment
> on the LRW mode of operation at this time. So when you say
> "our" (referring to your text above), please do not include me
> in that group just yet! :-)
>
> So I take it that there is no interest in testing LRW for
> the moment. I'm sure it will be tested, certainly if/when
> it becomes a standard. For as I said during the last meeting,
> it will be us cryptologists and cryptographers that may have
> the last judgment and say on the LRW mode.
>
> chongo (Landon Curt Noll) /\oo/\
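The point both correspondents agree on above, that a very weak cipher can pass a statistical battery when it encrypts a simple counter, as an added worked example. This is not code from the P1619 thread or from either author. It uses a constructed toy 16-bit affine "cipher" E(x) = (a*x + b) mod 2^16; because a is odd the map is a permutation, so a full counter cycle emits every block exactly once and frequency-style tests score perfectly, exactly as they would for any permutation, a strong block cipher included. Two known plaintexts nevertheless recover the key, and a test the battery did not include (consecutive-block differences) flags the toy at once. The key values, the choice of tests and the thresholds are all assumptions for illustration.

```python
"""Added example: why a neutral statistical signature says little about a cipher.

Constructed toy (not from the P1619 thread): a 16-bit affine 'block cipher'
    E(x) = (a*x + b) mod 2^16,  a odd
is a permutation of the 16-bit block space, so encrypting the full counter
0..2^16-1 produces every block exactly once. Frequency-style tests then score
perfectly, as they would for any permutation, yet two known plaintexts recover
(a, b), and a test of consecutive-block differences fails it immediately.
"""
import math
from collections import Counter

BLOCK_BITS = 16
MOD = 1 << BLOCK_BITS
BLOCK_BYTES = BLOCK_BITS // 8

# Assumed demo key for illustration; any odd a gives a bijection.
DEMO_A, DEMO_B = 0x9E37, 0x1234


def weak_encrypt(x: int, a: int, b: int) -> int:
    """Deliberately weak affine block cipher over Z/2^16 (a must be odd)."""
    assert a % 2 == 1, "a must be odd for the map to be a permutation"
    return (a * x + b) % MOD


def weak_decrypt(y: int, a: int, b: int) -> int:
    """Inverse of weak_encrypt; a is odd, hence invertible mod 2^16."""
    return (pow(a, -1, MOD) * (y - b)) % MOD


def encrypt_counter(a: int, b: int, n: int = MOD) -> bytes:
    """Ciphertext of the counter 0..n-1 as concatenated big-endian blocks."""
    out = bytearray()
    for i in range(n):
        out += weak_encrypt(i, a, b).to_bytes(BLOCK_BYTES, "big")
    return bytes(out)


def monobit_fraction(data: bytes) -> float:
    """Fraction of 1 bits in the stream; 0.5 is ideal."""
    ones = sum(bin(byte).count("1") for byte in data)
    return ones / (8 * len(data))


def byte_chi_square(data: bytes) -> float:
    """Chi-square of byte frequencies against uniform (255 degrees of freedom)."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def byte_entropy_bits(data: bytes) -> float:
    """Shannon entropy of the byte distribution in bits (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def passes_frequency_battery(data: bytes) -> bool:
    """A crude 'neutral signature' battery (thresholds are assumptions; 310.5 is
    roughly the p=0.01 critical value of chi-square with 255 degrees of freedom)."""
    return (abs(monobit_fraction(data) - 0.5) < 0.01
            and byte_chi_square(data) < 310.5
            and byte_entropy_bits(data) > 7.99)


def distinct_block_differences(data: bytes) -> int:
    """Number of distinct (c[i+1] - c[i]) mod 2^16 values between consecutive
    blocks. An unstructured permutation gives many; an affine map gives exactly 1."""
    blocks = [int.from_bytes(data[i:i + BLOCK_BYTES], "big")
              for i in range(0, len(data), BLOCK_BYTES)]
    return len({(blocks[i + 1] - blocks[i]) % MOD for i in range(len(blocks) - 1)})


def recover_key(x0: int, y0: int, x1: int, y1: int) -> tuple:
    """Known-plaintext attack from two pairs with an odd plaintext difference:
    a = (y1 - y0) * (x1 - x0)^-1,  b = y0 - a*x0   (all mod 2^16)."""
    dx = (x1 - x0) % MOD
    assert dx % 2 == 1, "need an odd plaintext difference to invert mod 2^16"
    a = ((y1 - y0) * pow(dx, -1, MOD)) % MOD
    b = (y0 - a * x0) % MOD
    return a, b


if __name__ == "__main__":
    ct = encrypt_counter(DEMO_A, DEMO_B)
    print("monobit fraction    :", monobit_fraction(ct))
    print("byte chi-square     :", byte_chi_square(ct))
    print("byte entropy (bits) :", byte_entropy_bits(ct))
    print("frequency battery   :", "pass" if passes_frequency_battery(ct) else "FAIL")
    print("distinct block diffs:", distinct_block_differences(ct))
    c5, c12 = weak_encrypt(5, DEMO_A, DEMO_B), weak_encrypt(12, DEMO_A, DEMO_B)
    print("recovered key       :", [hex(k) for k in recover_key(5, c5, 12, c12)])
```

Over the full cycle the monobit fraction is exactly 0.5, the byte chi-square is exactly 0 and the byte entropy is 8 bits, so the battery reports a neutral signature for a cipher that falls to two known plaintexts. A strong 16-bit permutation would produce the same perfect frequency scores, which is why a pass adds no confidence; the difference test does catch this particular toy, but, as the thread notes, a failing signature only says that something is wrong, not what.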