Subject: Re: elisp: format-time-string's %z problem
From: rpw3@rpw3.org (Rob Warnock)
Date: Fri, 25 Aug 2006 07:35:39 -0500
Newsgroups: comp.emacs,comp.lang.lisp,comp.lang.scheme
Message-ID: <qKOdnTEALe0Gc3PZnZ2dnUVZ_oOdnZ2d@speakeasy.net>
Joe Marshall <eval.apply@gmail.com> wrote:
+---------------
| Ray Dillinger wrote:
| > that gives the reversal, not the difficulty of *doing* the reversal.
...
| I think you are right, then.  If a function computes a permutation,
| then the repeated application of the function should generate a group
| (right?).
+---------------

Wrong, actually if I understand what all the guys over on "sci.crypt"
were talking about a few years ago when it was proved that DES is *not*
a group! [Google for "DES is not a group" and you'll get lots of hits.]

    http://en.wikipedia.org/wiki/Data_Encryption_Standard
    ...
    DES has also been proved not to be a group, or more precisely, the
    set {EK} (for all possible keys K) under functional composition is
    not a group, nor "close" to being a group (Campbell and Wiener, 1992).
    This was an open question for some time, and if it had been the case,
    it would have been possible to break DES, and multiple encryption modes
    such as Triple DES would not increase the security.

The Campbell & Wiener paper is here:

    http://www3.sympatico.ca/wienerfamily/Michael/MichaelPapers/desgroup.pdf
    "DES is not a Group"
    Keith W. Campbell and Michael J. Wiener
    Bell-Northern Research
    P.O. Box 3511 Station C, Ottawa, Ontario, Canada, K1Y 4H7

    Abstract. We prove that the set of DES permutations (encryption
    and decryption for each DES key) is not closed under functional
    composition. This implies that, in general, multiple DES-encryption
    is not equivalent to single DES-encryption, and that DES is not
    susceptible to a particular known-plaintext attack which requires,
    on average, 228 steps. We also show that the size of the subgroup
    generated by the set of DES permutations is greater than 102499,
    which is too large for potential attacks on DES which would exploit
    a small subgroup.

+---------------
| Therefore, every permutation should have both a predecessor
| and successor, and if the predecessor is known it should be
| computationally no more difficult to invert the permutation
| than to compute it in the first place.
+---------------

Since the presumed premise is false, doesn't that also cast doubt
on the "Therefore"...?


-Rob

-----
Rob Warnock			<rpw3@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607