Date: Sun, 06 Mar 2005 17:45:44 -0500
From: "Perry E. Metzger" <perry@piermont.com>
To: das@CSAIL.MIT.EDU
Cc: elric@imrryr.org
Subject: Re: FUD about CGD and GBDE
Message-ID: <87is44cs13.fsf@snark.piermont.com>
In-Reply-To: <20050306165321.GA24134@VARK.MIT.EDU> (David Schultz's message of "Sun, 6 Mar 2005 11:53:21 -0500")
References: <200503022348.j22Nm48I086259@marlena.vvi.at> <873bvcjw90.fsf@snark.piermont.com> <20050306165321.GA24134@VARK.MIT.EDU>
David Schultz <das@CSAIL.MIT.EDU> writes:

> On Thu, Mar 03, 2005, Perry E. Metzger wrote:
>> No, I am not. PHK invented new cryptographic modes for his work. The
>> fact that he does not understand this is part of the problem.
>
> Hi Perry,
>
> You've brought up this claim at several points in this thread.
> Would you be willing to be more specific?

Have a look at the giant diagram in section 7.5. He's effectively built a complicated key scheduling algorithm. It is unclear if this algorithm is particularly good -- Roland has now pointed out in an informal paper he has put together that because the master key is 256 bytes from a uniform distribution, one can expect that the probability distribution of bytes selected from those 256 bytes and input into the key key portion of the algorithm is rather different than if it too was from a merely uniform distribution. For example, the probability of duplicate bytes in the input is different than if you were drawing from an infinite pool -- the infinite pool will have all 256 elements, but the master key will probably have ~160 distinct values. The key keys, therefore, are not in fact as different as one might like. (The analysis on this is still pretty early but it looks promising.)

This is just one example of the sort of thing PHK has done here. He doesn't believe that he's done anything that might be described as a new cryptographic mode but he has.

> I apologize if I missed an explanation in the noise. More
> generally, I think a well considered review from you would be more
> beneficial than all this sniping.

I personally don't have the energy for it, but other people appear to be working on that. Steve Bellovin posted a note to the Cryptography mailing list and there have already been several replies. All are pretty informal at this point, but the gist of what is coming from new eyes seems to be very similar to what came from the old ones.

-- 
Perry E. Metzger		perry@piermont.com
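The "~160 distinct values" argument above, worked through as an added example (not code from the thread, from GBDE, or from Roland's paper). It assumes a simplified model: the master key is 256 independent uniform bytes, and key-key input bytes are picked from it by uniformly random index; the actual GBDE selection rule is not reproduced here.

```python
import random

MASTER_KEY_BYTES = 256   # master key length stated in the thread
BYTE_VALUES = 256        # number of values a byte can take


def expected_distinct(n: int = MASTER_KEY_BYTES, m: int = BYTE_VALUES) -> float:
    """Expected number of distinct values among n uniform draws from m symbols.

    A given symbol is absent from all n draws with probability (1 - 1/m)^n,
    so by linearity of expectation m * (1 - (1 - 1/m)^n) symbols are present.
    For n = m = 256 this is about 162, matching the "~160" in the thread.
    """
    return m * (1.0 - (1.0 - 1.0 / m) ** n)


def distinct_values(master_key: bytes) -> int:
    """Number of distinct byte values actually present in one master key."""
    return len(set(master_key))


def duplicate_rate(draw, k: int, trials: int, rng: random.Random) -> float:
    """Fraction of trials in which k bytes produced by draw() contain a repeat."""
    dups = 0
    for _ in range(trials):
        sample = [draw(rng) for _ in range(k)]
        if len(set(sample)) < k:
            dups += 1
    return dups / trials


def compare(k: int = 16, trials: int = 20_000, seed: int = 1) -> dict:
    """Duplicate rate for k bytes selected from a constructed 256-byte master
    key (assumed: uniform random index) versus k bytes drawn directly from the
    uniform distribution on 0..255 (the "infinite pool" in the thread)."""
    rng = random.Random(seed)
    master_key = bytes(rng.randrange(BYTE_VALUES) for _ in range(MASTER_KEY_BYTES))

    def from_master_key(r: random.Random) -> int:
        return master_key[r.randrange(MASTER_KEY_BYTES)]

    def from_uniform(r: random.Random) -> int:
        return r.randrange(BYTE_VALUES)

    return {
        "distinct_in_master_key": distinct_values(master_key),
        "expected_distinct": expected_distinct(),
        "dup_rate_from_master_key": duplicate_rate(from_master_key, k, trials, rng),
        "dup_rate_from_uniform": duplicate_rate(from_uniform, k, trials, rng),
    }
```

Because some byte values occur in the master key two or three times and others not at all, a pair of selected bytes collides roughly twice as often as a pair of truly uniform bytes, which is what drives the higher duplicate rate.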