Re: A new public key algorithm based on avalanche properties

From: Jim Steuert
Date: 06/17/03

Date: Tue, 17 Jun 2003 11:02:10 -0400

Paul Crowley said
> I think it's reasonable of those I disagree with to be extra
> demanding of the evidence or arguments I produce in favour of where I
> stand.

Paul, it sounds as if you are endorsing the "personal attack" method
as a "reasonable" means of demanding extra evidence or arguments.
And yes, I am a kook. And proud of it.
Some of the many issues I've raised:

1) GF(2^n) Diffie-Hellman (Jan 2003)
I've gotten some good responses here, but Tom didn't like it.
I reported that my tests show that it is 4X faster
than GF(p) exponentiation for equivalent security
with 32-bit multiply processor, and much faster for machines
with 16-bit-multiply processors, and even supplied code.
Yet Tom discounted it. Note that none of this is my idea,
I got the idea from a book, I just raised the question and
did the research/coding/tests. Of course there is a whole
industry based on the much-slower RSA.

2) David Wagner and my "generic feistel cipher with hash ..." idea (May
Here Tom pontificated: "designing ciphers by a hobbyist is a really bad

That is typical of the self-serving elitist crap that comes from self-
experts. So that did it for me. Practical security is some elusive
holy grail? We need to pass our ciphers by some guru witch-doctor
who blesses them? Well, I knew there had to be a better way.
Secure encryption should be like an off-the-shelf electronic part.

Tom finally deferred to David Wagner.
And David Wagner himself finally admitted that a modified version of it was
secure with these words:
"Assuming that H,J,K have no exploitable structure, and k1,k2,k3,k4
each are 32 bits of independent key material, I can't immediately see
any attacks of less than 2^64 complexity..." but goes on to qualify
it by saying I need to be much more precise about choosing the invertible
hash (I had just chosen the sha-1 digest by example).
He then goes on to say that he is not yet convinced that there is a
"recipe" for building secure block ciphers. (what had I just outlined?).
When I then brought up Luby-Rackoff and also the Shazam cipher, David says
"Yes, that would get you part of the way ... (But the assumptions
about the properties of the hashes tell you nothing about how to actually
instantiate those hashes in an implementation.)" (is sha-1 ok?)
Tom had somewhere made the statement that "80 rounds of anything is
referring, I think, to SHA-1. That was my point also! (well not anything,
something...) (and has anyone noticed that computers are a bit faster these
So here was a radical but simple formula for secure ciphers,
based on applying simple idea parts already lying around,
so that the dreaded newbie programmer "man on the street" can write his own
secure private cipher variants (within certain guidelines, of course).

BTW, I have actually posted the generic cipher idea (with 2000+ downloads)
as part of another application. And I got a kick out of my subsequent
thread about provably changing parameterized structures of hashes and
ciphers, which was also roundly criticized (without argument) by these
same elitists.

Soap Box Mode:
 In just about any other subject such as DSP, electronic circuit design,
the simple (and correct) generalizations of known working structures
a subject of itself. But not in cryptography. I have tremendous
respect for the experts, but you must admit that the group is
insular, and resists divulging anything that keeps themselves
out of the loop. I believe that some of the proofs I have seen
are trivial when diagrammed but take several pages of prose,
as if to keep the elite insulated from the masses.
(Actually, "Fundamentals of Computer Security" by Pieprzyk, Hardjono, and
Seberry is the first book I've seen that both includes proofs and makes
very understandable).

Both of the above issues (and there are several others I can cite)
have immediate practical value. They would have saved huge amounts
of money (much of which went to RSA, Inc.) in prior jobs. And they would
have dramatically improved performance.

And they both challenged the conventional wisdom. And the
newsgroup feedback was very useful and productive in both cases.
Yes, I am a kook, and I'm proud of it.
But Paul, aren't you now endorsing Tom's "personal attack method" of
new ideas?
  -Jim Steuert

On Mon, 16 Jun 2003 22:25:05 GMT, Paul Crowley
<> wrote:

> Jim Steuert <> writes:
>> Whenever someone makes even a slight challenge to the conventional
>> "wisdom", you are always there ready to make personal attacks.
> I agree that personal attacks are tiresome, but referring to
> conventional wisdom in this way just makes you sound like a kook. In
> those areas of life where I disagree entirely with the conventional
> wisdom, I think it's reasonable of those I disagree with to be extra
> demanding of the evidence or arguments I produce in favour of where I
> stand.

Using M2, Opera's revolutionary e-mail client:
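An added example, not code from this post or from anyone in the thread: a 4-round Luby-Rackoff style Feistel cipher whose round function is a truncated SHA-1 over a 32-bit round key and the right half (the "H with k1..k4 each 32 bits" shape of the quoted remark), together with a check of the avalanche effect named in the subject line. The 128-bit block size, the sample round-key values and the choice of SHA-1 as the hash H are assumptions made here for illustration.

```python
import hashlib

# Added example, not code from the thread: 4-round Luby-Rackoff style Feistel
# network with F_i(x) = SHA-1(k_i || x) truncated to a half block. Block size,
# round-key values and SHA-1 as the hash H are constructed assumptions.
BLOCK_BYTES = 16         # 128-bit block
HALF = BLOCK_BYTES // 2  # two 64-bit halves

# Four independent 32-bit round keys k1..k4 (constructed sample values).
ROUND_KEYS = [bytes.fromhex(h) for h in ("0a1b2c3d", "4e5f6071", "8293a4b5", "c6d7e8f9")]

def round_function(round_key: bytes, half: bytes) -> bytes:
    # F need not be invertible; the Feistel structure supplies invertibility.
    return hashlib.sha1(round_key + half).digest()[:HALF]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(round_keys, block: bytes) -> bytes:
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        left, right = right, _xor(left, round_function(k, right))
    # Undo the final swap so decryption is the same loop with the keys reversed.
    return right + left

def feistel_decrypt(round_keys, block: bytes) -> bytes:
    return feistel_encrypt(list(reversed(round_keys)), block)

def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche_bits(round_keys, block: bytes, bit_index: int) -> int:
    # How many ciphertext bits change when one plaintext bit is flipped.
    flipped = bytearray(block)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    return hamming_distance(feistel_encrypt(round_keys, block),
                            feistel_encrypt(round_keys, bytes(flipped)))

if __name__ == "__main__":
    pt = b"sixteen byte msg"
    ct = feistel_encrypt(ROUND_KEYS, pt)
    assert feistel_decrypt(ROUND_KEYS, ct) == pt
    print("ciphertext:", ct.hex())
    print("ciphertext bits changed by flipping plaintext bit 0:",
          avalanche_bits(ROUND_KEYS, pt, 0))
```

Note that a one-bit change in the left half is only picked up by the round function from round 2 onward, which is one reason the construction needs several rounds before both halves show a roughly 50% bit change.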
