From: Dave K-P <dkp@iname.com>
Date: Tue, 29 Jul 1997 02:28:30 +0800
To: ? the platypus {aka David Formosa} <dformosa@st.nepean.uws.edu.au>
Subject: Re: New Crypto Application
In-Reply-To: <Pine.OSF.3.96.970728203218.23582A-100000@oberon>
Message-ID: <33DCE1A9.2C94@iname.com>
MIME-Version: 1.0
Content-Type: text/plain



? the platypus {aka David Formosa} wrote:

> On Sun, 27 Jul 1997, Guillotine wrote:
> 
> > I'm creating a new _text_ cryptography program.
> 
> If you are not useing a well know and strong cyper method I suggest you
> post details of your meathod to sci.crypt where thay will (most likely)
> pick holes in it.

	From the sci.crypt FAQ...

http://www.cis.ohio-state.edu/hypertext/faq/bngusenet/sci/crypt/top.html

2.3. How do I present a new encryption scheme in sci.crypt?

  ``I just came up with this neat method of encryption. Here's some
  ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
  doubt questions like this are the most annoying traffic on sci.crypt.

  If you have come up with an encryption scheme, providing some
  ciphertext from it is not adequate. Nobody has ever been impressed by
  random gibberish. Any new algorithm should be secure even if the
  opponent knows the full algorithm (including how any message key is
  distributed) and only the private key is kept secret. There are some
  systematic and unsystematic ways to take reasonably long ciphertexts
  and decrypt them even without prior knowledge of the algorithm, but
  this is a time-consuming and possibly fruitless exercise which most
  sci.crypt readers won't bother with.

  So what do you do if you have a new encryption scheme? First of all,
  find out if it's really new. Look through this FAQ for references and
  related methods. Familiarize yourself with the literature and the
  introductory textbooks.

  When you can appreciate how your cryptosystem fits into the world at
  large, try to break it yourself! You shouldn't waste the time of tens
  of thousands of readers asking a question which you could have easily
  answered on your own.

  If you really think your system is secure, and you want to get some
  reassurance from experts, you might try posting full details of your
  system, including working code and a solid theoretical explanation, to
  sci.crypt. (Keep in mind that the export of cryptography is regulated
  in some areas.)

  If you're lucky an expert might take some interest in what you posted.
  You can encourage this by offering cash rewards---for instance, noted
  cryptographer Ralph Merkle is offering $1000 to anyone who can break
  Snefru-4---but there are no guarantees. If you don't have enough
  experience, then most likely any experts who look at your system will
  be able to find a flaw. If this happens, it's your responsibility to
  consider the flaw and learn from it, rather than just add one more
  layer of complication and come back for another round.

  A different way to get your cryptosystem reviewed is to have the NSA
  look at it. A full discussion of this procedure is outside the scope
  of this FAQ.

  Among professionals, a common rule of thumb is that if you want to
  design a cryptosystem, you have to have experience as a cryptanalyst.

-- 
dkp at iname dot com * Exit the System.
4B63 E55D 1C92 68E3 8700 0EBF 5CDD 5538
--