From owner-freebsd-hackers@FreeBSD.ORG Sun Mar 6 22:45:46 2005
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD6E016A4CE for ; Sun, 6 Mar 2005 22:45:46 +0000 (GMT)
Received: from snark.piermont.com (snark.piermont.com [166.84.151.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8841243D2D for ; Sun, 6 Mar 2005 22:45:45 +0000 (GMT) (envelope-from perry@piermont.com)
Received: by snark.piermont.com (Postfix, from userid 1000) id 56E50D9877; Sun, 6 Mar 2005 17:45:44 -0500 (EST)
To: das@CSAIL.MIT.EDU
References: <200503022348.j22Nm48I086259@marlena.vvi.at> <873bvcjw90.fsf@snark.piermont.com> <20050306165321.GA24134@VARK.MIT.EDU>
From: "Perry E. Metzger"
Date: Sun, 06 Mar 2005 17:45:44 -0500
In-Reply-To: <20050306165321.GA24134@VARK.MIT.EDU> (David Schultz's message of "Sun, 6 Mar 2005 11:53:21 -0500")
Message-ID: <87is44cs13.fsf@snark.piermont.com>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailman-Approved-At: Mon, 07 Mar 2005 12:55:25 +0000
cc: tech-security@NetBSD.org
cc: phk@phk.freebsd.dk
cc: hackers@freebsd.org
cc: elric@imrryr.org
Subject: Re: FUD about CGD and GBDE
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Sun, 06 Mar 2005 22:45:46 -0000

David Schultz writes:
> On Thu, Mar 03, 2005, Perry E. Metzger wrote:
>> No, I am not. PHK invented new cryptographic modes for his work. The
>> fact that he does not understand this is part of the problem.
>
> Hi Perry,
>
> You've brought up this claim at several points in this thread.
> Would you be willing to be more specific?

Have a look at the giant diagram in section 7.5. He's effectively built a
complicated key scheduling algorithm.
It is unclear if this algorithm is particularly good. Roland has now pointed
out, in an informal paper he has put together, that because the master key is
256 bytes from a uniform distribution, one can expect that the probability
distribution of bytes selected from those 256 bytes and input into the key-key
portion of the algorithm is rather different than if it, too, were from a
merely uniform distribution. For example, the probability of duplicate bytes in
the input is different than if you were drawing from an infinite pool: the
infinite pool will have all 256 elements, but the master key will probably have
~160 distinct values. The key-keys, therefore, are not in fact as different as
one might like. (The analysis on this is still pretty early, but it looks
promising.)

This is just one example of the sort of thing PHK has done here. He doesn't
believe that he's done anything that might be described as a new cryptographic
mode, but he has.

> I apologize if I missed an explanation in the noise. More
> generally, I think a well considered review from you would be more
> beneficial than all this sniping.

I personally don't have the energy for it, but other people appear to be
working on that. Steve Bellovin posted a note to the Cryptography mailing list
and there have already been several replies. All are pretty informal at this
point, but the gist of what is coming from new eyes seems to be very similar to
what came from the old ones.

-- 
Perry E. Metzger		perry@piermont.com
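The occupancy arithmetic behind the "~160 distinct values" remark, as an added example; it is not code from the thread, from Roland's paper or from GBDE itself. It assumes (as the message does) that the master key is 256 independent uniform bytes, and computes the expected number of distinct byte values in such a key, the expected multiplicity profile (how many values occur 0, 1, 2, ... times), and, for one constructed sample key, the set of byte values that never occur in it, which is exactly the set that no byte selected from that key can take. The sample keys are generated from a seeded PRNG purely so the figures are reproducible.

```python
"""Occupancy statistics of a 256-byte uniform master key (added example, not GBDE code)."""
import math
import random

ALPHABET = 256   # possible byte values
KEY_BYTES = 256  # master key length discussed in the thread (assumption: i.i.d. uniform bytes)


def expected_distinct(n_bytes=KEY_BYTES, alphabet=ALPHABET):
    """Expected number of distinct values among n_bytes uniform random bytes.

    Each of the `alphabet` values is absent with probability (1 - 1/alphabet)**n_bytes,
    so by linearity the expected number present is alphabet * (1 - that).
    For n_bytes = alphabet = 256 this is about 162, close to 256 * (1 - 1/e).
    """
    return alphabet * (1.0 - (1.0 - 1.0 / alphabet) ** n_bytes)


def expected_values_with_multiplicity(m, n_bytes=KEY_BYTES, alphabet=ALPHABET):
    """Expected number of byte values that occur exactly m times in the key (binomial occupancy)."""
    p = 1.0 / alphabet
    return alphabet * math.comb(n_bytes, m) * p ** m * (1.0 - p) ** (n_bytes - m)


def distinct_values(master_key):
    """Number of distinct byte values actually present in a concrete key."""
    return len(set(master_key))


def absent_values(master_key):
    """Byte values that never occur in the key.

    Whatever selection rule later picks bytes out of the master key, the selected
    bytes can only take values that are present; these values are unreachable.
    """
    return sorted(set(range(ALPHABET)) - set(master_key))


def random_master_key(rng, n_bytes=KEY_BYTES):
    """Constructed sample key: n_bytes independent uniform bytes from a seeded PRNG."""
    return bytes(rng.randrange(ALPHABET) for _ in range(n_bytes))


def mean_distinct(trials=2000, seed=1):
    """Monte Carlo estimate of the expected distinct count, to cross-check expected_distinct()."""
    rng = random.Random(seed)
    total = sum(distinct_values(random_master_key(rng)) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    print(f"expected distinct values in a 256-byte key: {expected_distinct():.1f}")
    print(f"simulated mean over 2000 sample keys:       {mean_distinct():.1f}")
    for m in range(6):
        print(f"byte values occurring exactly {m} times: {expected_values_with_multiplicity(m):5.1f}")
    key = random_master_key(random.Random(7))
    print(f"one sample key: {distinct_values(key)} distinct values, "
          f"{len(absent_values(key))} values never present")
```

The exact figure is about 162 distinct values, and roughly 94 of the 256 possible byte values are expected to be missing from any given key while another ~94 appear exactly once and ~47 twice; the simulation agrees to within a fraction of a unit. Note that this says nothing about how GBDE selects bytes from the master key; it only quantifies the "not drawn from an infinite pool" effect the message describes.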