Date:      Sun, 06 Mar 2005 17:45:44 -0500
From:      "Perry E. Metzger" <perry@piermont.com>
To:        das@CSAIL.MIT.EDU
Cc:        elric@imrryr.org
Subject:   Re: FUD about CGD and GBDE
Message-ID:  <87is44cs13.fsf@snark.piermont.com>
In-Reply-To: <20050306165321.GA24134@VARK.MIT.EDU> (David Schultz's message of "Sun, 6 Mar 2005 11:53:21 -0500")
References:  <200503022348.j22Nm48I086259@marlena.vvi.at> <873bvcjw90.fsf@snark.piermont.com> <20050306165321.GA24134@VARK.MIT.EDU>


David Schultz <das@CSAIL.MIT.EDU> writes:
> On Thu, Mar 03, 2005, Perry E. Metzger wrote:
>> No, I am not. PHK invented new cryptographic modes for his work. The
>> fact that he does not understand this is part of the problem.
>
> Hi Perry,
>
> You've brought up this claim at several points in this thread.
> Would you be willing to be more specific?

Have a look at the giant diagram in section 7.5.  He's effectively
built a complicated key scheduling algorithm. It is unclear if this
algorithm is particularly good -- Roland has now pointed out in an
informal paper he has put together that because the master key is 256
bytes from a uniform distribution, one can expect that the probability
distribution of bytes selected from those 256 bytes and input into the
key key portion of the algorithm is rather different than if it too
was from a merely uniform distribution. For example, the probability
of duplicate bytes in the input is different than if you were drawing
from an infinite pool -- the infinite pool will have all 256 elements,
but the master key will probably have ~160 distinct values. The key
keys, therefore, are not in fact as different as one might like. (The
analysis on this is still pretty early but it looks promising.)

This is just one example of the sort of thing PHK has done here. He
doesn't believe that he's done anything that might be described as a
new cryptographic mode but he has.

> I apologize if I missed an explanation in the noise.  More
> generally, I think a well considered review from you would be more
> beneficial than all this sniping.

I personally don't have the energy for it, but other people appear to
be working on that. Steve Bellovin posted a note to the Cryptography
mailing list and there have already been several replies. All are
pretty informal at this point, but the gist of what is coming from new
eyes seems to be very similar to what came from the old ones.


-- 
Perry E. Metzger		perry@piermont.com
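As an added illustration (not part of the original message, nor GBDE's or CGD's own code), the following Python computes the expected number of distinct byte values in a 256-byte master key drawn uniformly at random, the figure quoted above as "~160", and checks it by simulation on constructed random keys; the expected_distinct(n, m) formula is general and goes beyond the single n = m = 256 case in the message.

```python
"""Distinct byte values in a uniformly random master key (constructed example)."""
import random


def expected_distinct(n: int, m: int = 256) -> float:
    """Expected number of distinct values among n i.i.d. uniform draws from m values.

    Each of the m values is absent from the key with probability (1 - 1/m)**n,
    so by linearity of expectation the expected number present is
    m * (1 - (1 - 1/m)**n). For n = m = 256 this is about 162, not 256.
    """
    return m * (1.0 - (1.0 - 1.0 / m) ** n)


def prob_all_distinct(n: int, m: int = 256) -> float:
    """Probability that n uniform draws from m values are pairwise distinct
    (the birthday-problem product); for n = m = 256 it is negligible."""
    p = 1.0
    for i in range(n):
        p *= (m - i) / m
    return p


def simulate_mean_distinct(trials: int, n: int = 256, m: int = 256,
                           seed: int = 1) -> float:
    """Monte Carlo check: mean count of distinct bytes over `trials`
    constructed random keys (seeded so the result is reproducible)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key = bytes(rng.randrange(m) for _ in range(n))
        total += len(set(key))
    return total / trials


if __name__ == "__main__":
    print(f"expected distinct bytes in a 256-byte key: {expected_distinct(256):.1f}")
    print(f"P(all 256 bytes distinct): {prob_all_distinct(256):.3e}")
    print(f"simulated mean over 2000 keys: {simulate_mean_distinct(2000):.1f}")
```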


