Cryptography-Digest Digest #486, Volume #14 Thu, 31 May 01 20:13:00 EDT
Contents:
Re: Fast 8-bit mults on smartcards ("Tom St Denis")
Re: OAP-L3: "The absurd weakness." (HiEv)
How does one defend against DFA attack ("Robert J. Kolker")
Re: taking your PC in for repair? WARNING: What will they (Igenlode)
Re: crypt education (Thorsten Holz)
Re: National Security Nightmare? ("Douglas A. Gwyn")
Re: And the FBI, too (Re: National Security Nightmare?) ("Douglas A. Gwyn")
Re: Diffusion limits in block ciphers ("Douglas A. Gwyn")
Re: Definition of 'key' ("Douglas A. Gwyn")
Re: Diffusion limits in block ciphers ("Joseph Ashwood")
Re: crypt education ("Douglas A. Gwyn")
Re: And the FBI, too (Re: National Security Nightmare?) ("Douglas A. Gwyn")
Re: Dynamic Transposition Revisited Again (long) (Sam Yorko)
Re: National Security Nightmare? (David Wagner)
Re: Medical data confidentiality on network comms ("Niels Ferguson")
Re: And the FBI, too (Re: National Security Nightmare?) (SCOTT19U.ZIP_GUY)
Re: Dynamic Transposition Revisited Again (long) (Sam Yorko)
Re: Card Games (Jonathan Edwards)
Re: crypt education (SCOTT19U.ZIP_GUY)
----------------------------------------------------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Fast 8-bit mults on smartcards
Date: Thu, 31 May 2001 22:11:18 GMT
"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> > Why not make an entire 128-bit block cipher out of a huge 16x16 MDS in
> > GF(2^8)[2]/p(x)? The biggest problem is all the multiplications you
> > must perform. Then I got to thinking this.
>
> GF(2^8)[2]? Wossat? I presume you mean F_{2^8} represented as F_2(x)
> with x a root of a degree-8 monic irreducible polynomial p(x) \in
> F_2[x]. I've sometimes seen that written F_2[x]/(p(x)) although the
> denominator has the wrong form. (Or you can write F_q as GF(q).)
Arrg I will never get this right. The field of polynomials of degree at
most seven modulo two (all modulo a degree 8 char 2 polynomial)
> > Why not take a 512kbit EPROM (16-bit addressable) and just make the high
> > order and low order addresses point to the result of the
> > multiplication. You than have todo 256 lookups and 240 xor operations
> > todo the mult. which is slow on it's own but the diffusion power would
> > be awesome.
>
> Not really. You claim (correctly) that any two-round trail has 17
> active S-boxes. This is not quite as good as four Rijndael, in which
> any four-round trail has 25 active S-boxes. To actually have any
Um over four rounds there must be 34 active sboxes in mine. I don't see
Rijndael as "better"
> advantage, then, one round of your enormous linear transformation would
> have to be as fast as 1.36 rounds of Rijndael's ShiftRow and MixColumn.
> It isn't. To compute a byte of Rijndael's linear transformation you
> need four lookups and three XORs. For this implementation, you also
> need only 1K of tables -- the rest can be computed by shifting, because
> Rijndael's MDS matrix is circulant -- which leaves more than enough
> space for an inverse table in your enormous ROM.
>
> Your construction is also vulnerable to the Square attack.
I am not to familiar with the square attack but I thought it applies to
ciphers where you do rows than columns, but not both...?
Tom
------------------------------
From: HiEv <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3: "The absurd weakness."
Date: Thu, 31 May 2001 22:34:57 GMT
James Felling wrote:
>
> Anthony Stephen Szopa wrote:
[snip]
> > As you will see from looking at the first 105 permutations that the
> > first 5 digits are: 0 1 2 3 4. No matter how many times you run
> > your 105! process these first five digits of the group of 105
> > permutations will always be the same.
>
> What are you talking about. Given a generic permutation of 105 elements the first 5
> elements are always the same. Huh? Where do you get that. This is like saying I take
>a
> deck of 105 cards, and shuffle them and the first 5 cards will be the same no matter
> how it is done. ( You have obviously misunderstood me or you do not understand the
> mechanisms permutation)
He's assuming you meant for him to use an ordered list of all possible
permutations.
--
The difference between intelligence and stupidity is that intelligence
has its limits.
------------------------------
From: "Robert J. Kolker" <[EMAIL PROTECTED]>
Subject: How does one defend against DFA attack
Date: Thu, 31 May 2001 18:37:21 -0400
<apology>
This may be a bonehead question, but I am
not experienced so I will ask it.
</apology>
How does one defend against the differential
fault analysis attack?
Thank you,
Bob Kolker
------------------------------
Date: 31 May 2001 22:49:07 -0000
From: Igenlode <Use-Author-Supplied-Address-Header@[127.1]>
Crossposted-To: alt.privacy,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they
Reply-To: [EMAIL PROTECTED]
On 31 May 2001 Michael Brown wrote:
> <SNIP>
> > For speed, the only thing faster than C/C++ is assembly language. I
> > don't think any of us are THAT masochistic!
>
> *** guitily raises hand after writing an entire Windows Explorer style
> program in ASM ... ***
>
<grin> I write assembler - for custom sorts, and speed-intensive
file scanning or redraw loops...
--
Igenlode
------------------------------
From: Thorsten Holz <[EMAIL PROTECTED]>
Subject: Re: crypt education
Date: Fri, 01 Jun 2001 01:03:46 +0200
Hello,
I've got a question for the same topic:
Which University would you recommend for someone who is interested in
cryptography and maths? Currently I study in Germany, but I want to
take a year abroad :)
> Read what the macericks are doing like Me and Ritter and also what
> the public so called crypto gods do.
Crypto god? Who is a crypto god in you eyes? And who is also a
professor? :)
Thanx a lot,
Thorsten
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Thu, 31 May 2001 22:17:15 GMT
Sam Simpson wrote:
> True, in the same way that the UK GCHQ equivalent of doesn't spy on UK
> citizens....It gets other countries security establishments to do their
> dirty work.............
I won't say it doesn't happen, but actually our regulations
apply to intelligence received about US citizens from foreign
sources as well. Really, if some citizen does pose a risk to
national security, there is a mechanism already, and if he
doesn't, why waste precious resources surveilling him?
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
Date: Thu, 31 May 2001 22:22:13 GMT
Bob Silverman wrote:
> Call Ft. Meade. You will be connected to an operator there. He/She
> will ask you for a name. If the person is an employee, you will be
> connected.
I'm glad to hear that. Not very many years ago, if you didn't
know the phone number, you were out of luck. The operator would
refuse to connect by employee name, saying that they were
prohibited from confirming or denying that any such person worked
there. (Yeah, I know the origin of that idea.)
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Diffusion limits in block ciphers
Date: Thu, 31 May 2001 22:28:40 GMT
[EMAIL PROTECTED] wrote:
> What I meant by the latter sentence is that a block cipher operates
> only on a n-bit portion of the entire message, so the diffusion only
> occurs within those n-bits. Apparently this isn't a problem but
> I don't understand why. Intuitively it seems that a hypothetical
> block cipher with a block length, N, equal to the entire message length
> would have better strength than using the same block cipher algorithm to
> encrypt the message in n bit chunks where n<<N.
The intuition is right, in a general sense.
Constraining the parameters of the encryption is not
good from the point of view of resistance to attack.
However, just how big of a problem this poses is uncertain.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Definition of 'key'
Date: Thu, 31 May 2001 22:30:20 GMT
John Savard wrote:
> A cipher is a set of transformations, which when applied to a
> plaintext, produce a ciphertext. The key is the number of a
> transformation in that set.
Not bad, although it should be noted that the numbering
might not be maximally dense, nor unique.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Diffusion limits in block ciphers
Date: Thu, 31 May 2001 15:46:19 -0700
Actually what was being suggested was in fact what could be called a
chaining mode, it is one that is generally frowned on because it has a
tendancy to weaken the encryption (see one of the several papers on inner
chaining of DES and how it actually weakened the system), however if done
carefully with the intent to do som form the beginning it is certainly
possible to create a cipher which uses sub-ciphers. The proposed design was
a permutation-substitution network, but a vast number of other designs are
possible, one could certainly imagine a wide-trail based cipher that made
use of several subciphers. I've actually been working on this kind of
concept on the side for a while, referring to it rather impersonally as
C-boxes (alternately Cipher-boxes) because of the construction of them. I
believe that if done carefully it may be possible to build a proof that the
result is at least as strong as the cipher used. Alternately because of the
behavior of a cipher in such a context it can easily be established that
there are a large number of very sizable S-box constructs embodied by one
such design (think about using Rijndael as an S-box, 2^256 s-boxes of
enormous size immediately available). It is useful to think of using only
ciphers that have an infinitely extendable key schedule to give the
possibility of extending the number of rounds. The disadvantage is that the
construct ends up being generally very slow (see the AES entry DFC for an
example), but it may be possible to use very fast very weak ciphers for
this.
Joe
"David Wagner" <[EMAIL PROTECTED]> wrote in message
news:9f66u3$2rc8$[EMAIL PROTECTED]...
> >For an n-bit block cipher, plaintext bits 0 through n-1 can only affect
> >ciphertext bits 0 through n-1. Input changes in one block have
> >absolutely no effect on the outputs of other blocks.
>
> I don't really understand what you mean by the latter sentence.
> Diffusion between blocks is outside of the domain of the block cipher;
> that's the responsibility of the chaining mode. And good chaining modes
> (e.g., CBC, CFB, ...) do ensure sufficient diffusion to stop attacks.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: crypt education
Date: Thu, 31 May 2001 22:39:04 GMT
"SCOTT19U.ZIP_GUY" wrote:
> It depends where you want to break into the field. If you have no morals
> and can live a lie easily the best educataion would be there at the NSA.
Apart from the absurd dig about morals, this is untrue anyway.
While there are educational programs at the NSA, they're not
for the most part trying to hire new pre-degree candidates and
give them a college education. *Once hired* (on the basis of
college education, among other things), *then* one would be
sent through appropriate specific cryptologic training.
It would be useful to contact the NSA employment office to find
out what they look for in hiring potential cryptologists.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
Date: Thu, 31 May 2001 22:50:49 GMT
Matthew Montchalin wrote:
> But how does one agency decide if any given individual is from
> another agency?
There are channels for confirming not only the employment
status but, more importantly, degree of access to classified
resources. If you don't know what the channels are, then
you don't need to know the details.
------------------------------
From: Sam Yorko <[EMAIL PROTECTED]>
Subject: Re: Dynamic Transposition Revisited Again (long)
Date: Thu, 31 May 2001 16:32:02 -0800
> Shuffling Strength
>
> Unfortunately, Shuffle is approximately reversible. If
> we use only one shuffling, and if the opponents get the
> permutation, they immediately have a (somewhat imprecise)
> idea about what sequence produced that permutation. With
> two independent shufflings, there is no such implication.
>
> The sequence generating RNG should have sufficient
> internal state to allow every possible *pair* of
> permutations.
>
> If there is only enough state in the RNG for a single
> shuffling, any second shuffling will be correlated to the
> first by way of the limited RNG state, and, thus, not
> independent. In this way, knowing the final permutation
> might allow the development of the double-length shuffling
> sequence which produced the known permutation.
>
> The reason for having enough RNG state for *two*
> *independent* shufflings is to isolate the sequence
> generator from the permutation. Two shufflings use twice
> as much information (sequence) as needed to form a
> permutation, so two shufflings use twice as much
> information as the resulting permutation can represent.
> So even if the opponents do get the final permutation,
> the uncertainty in the sequence used to build that
> permutation will be as though we had a one-way Shuffle.
>
> A well-known information-theoretic "counting" argument
> assures that no "reasonable" hash can be reversed,
> provided substantially more information is hashed than
> the amount of internal state. This is independent of
> whether the hash is "cryptographic" or not, and occurs
> when the amount of internal state is insufficient to
> distinguish among all possible input data vectors. A
> similar "insufficient information" argument assures
> that double shuffling also cannot be reversed. Both
> hashing and double-shuffling can thus be seen as
> "information-reducing" functions and major sources of
> strength in Dynamic Transposition.
>
> DECIPHERING
>
> We can easily return an encrypted block to plaintext by
> applying Shuffle exchanges in reverse order. Shuffle might
> be operated as usual, with the resulting exchange positions
> simply buffered. When Shuffle has finished, the actual
> data exchanges are made, last position first. Since we
> shuffle twice to encipher, we must unshuffle twice to
> decipher.
>
Sorry I'm late in responding; I just found this newsgroup, and I'm
wading through the last five month's messages to catch up.
Isn't Shuffle1(Shuffle2(PT)) == Shuffle2(Shuffle1(PT))?
So the order in which the shuffles are applied is irrelevant...
Sam
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: National Security Nightmare?
Date: Thu, 31 May 2001 23:36:31 +0000 (UTC)
Douglas A. Gwyn wrote:
>Really, if some citizen does pose a risk to
>national security, there is a mechanism already, and if he
>doesn't, why waste precious resources surveilling him?
That, on its own, is not terribly reassuring, since it's not clear that
it takes much in the way of resources to surveil on, say, Greenpeace
(replace with your favorite organization). And the lesson of the
Watergate 'plumbers' should make clear that arguments on the basis of
'wasted resources' are not an adequate basis of protection.
>actually our regulations
>apply to intelligence received about US citizens from foreign
>sources as well.
That would be reassuring. Do you have a reference to the text of those
regulations? If the policy gives protection to US citizens no matter
who does the intercepting, I can't imagine a good national security
reason to keep such a policy secret. Am I missing something? Even if
full disclosure of the relevant regulations would not entirely lay all
fears to rest in one swoop, it seems it would be a nice way to bring
something concrete to the public debate and to help convince outsiders
that NSA is acting in good faith.
In recent news interviews, the Director has expressed an interest in
reassuring the public that the NSA is not up to anything nefarious,
and this would appear to be a very simple step to further that goal at
very little cost to the NSA. Is there some cost to publicizing these
regulations that I have overlooked?
------------------------------
From: "Niels Ferguson" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Fri, 1 Jun 2001 01:38:14 +0200
"wtshaw" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <9f5te9$rg8$[EMAIL PROTECTED]>, "Niels Ferguson"
> <[EMAIL PROTECTED]> wrote:
> >
> > Many problems can be solved by having a system in which people have
> > access, but _every_ access is reported to the patient in question. This
> > requires some low-level authentication to know who was accessing the
> > data. It is probably good enough to stop most of the abuse. Certainly
> > in the US with its class-action lawsuits a tracking system would deter
> > systematic illegal use of medical data. If the abuse of the data is
legal,
> > you don't need a technical solution but a political one.
> >
> This is not a meaningful line of logic. A copy can be copied or tapped as
> transfered. Once access is obtained, there is surely no realistic means
> of tracking where it might go. The nature of digital information is that
> it does not act like paper or outdated related thinking.
It is always true that the data can be copied. That is a problem that
cannot be resolved. There are too many people that require access
to medical data to build a system that is totally secure. What you can
do is build a system that will deter large-scale abuse. The access-
tracking system is of that type. Anyone copying the data out of that
system into their own database is obviously circumventing the
tracking system, which by itself shows intent to abuse the data.
After all, the only reason to copy the data is to have un-tracked
access to it. (This assumes that the medical database is only added
to, and no data is ever removed.)
Cheers!
Niels
======================================
Niels Ferguson, cryptography consultant. email: niels at ferguson dot net.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
Date: 31 May 2001 23:28:52 GMT
[EMAIL PROTECTED] (Douglas A. Gwyn) wrote in <[EMAIL PROTECTED]>:
>Bob Silverman wrote:
>> Call Ft. Meade. You will be connected to an operator there. He/She
>> will ask you for a name. If the person is an employee, you will be
>> connected.
>
>I'm glad to hear that. Not very many years ago, if you didn't
>know the phone number, you were out of luck. The operator would
>refuse to connect by employee name, saying that they were
>prohibited from confirming or denying that any such person worked
>there. (Yeah, I know the origin of that idea.)
>
This does not work. I worked for the Navy's main base in CA and if
you notice I have a very common name David Scott. They confuse people
all the time. Though I did like all the email from admirals and stuff
saying nice things about meetings I was at in DC. I just guessed it
was another David Scott. Samething happen when I retired and went
down the road to work at the Nasa place. Guess what David Scott the
astronanut use to run the place shortly before I got there. However
I do like to tell people than I am David Scott since the IRON MAN of
Hawaii is named David Scott. Hell I would not be supressed if you
called Fort Meade and asked to be connected to David Scott you may
find me there too. I think those with the name David Scott tend to
get a round. Some David Scott long ago most have been very prolific,
I think I use to give my name to ladies at mexico in the 60's so
maybe there is lots of them there too.
I did do a patenint but was shocked to find so have a heck of a lot
of other David Scott.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: Sam Yorko <[EMAIL PROTECTED]>
Subject: Re: Dynamic Transposition Revisited Again (long)
Date: Thu, 31 May 2001 16:47:01 -0800
Sam Yorko wrote:
>
> > Shuffling Strength
> >
> > Unfortunately, Shuffle is approximately reversible. If
> > we use only one shuffling, and if the opponents get the
> > permutation, they immediately have a (somewhat imprecise)
> > idea about what sequence produced that permutation. With
> > two independent shufflings, there is no such implication.
> >
> > The sequence generating RNG should have sufficient
> > internal state to allow every possible *pair* of
> > permutations.
> >
> > If there is only enough state in the RNG for a single
> > shuffling, any second shuffling will be correlated to the
> > first by way of the limited RNG state, and, thus, not
> > independent. In this way, knowing the final permutation
> > might allow the development of the double-length shuffling
> > sequence which produced the known permutation.
> >
> > The reason for having enough RNG state for *two*
> > *independent* shufflings is to isolate the sequence
> > generator from the permutation. Two shufflings use twice
> > as much information (sequence) as needed to form a
> > permutation, so two shufflings use twice as much
> > information as the resulting permutation can represent.
> > So even if the opponents do get the final permutation,
> > the uncertainty in the sequence used to build that
> > permutation will be as though we had a one-way Shuffle.
> >
> > A well-known information-theoretic "counting" argument
> > assures that no "reasonable" hash can be reversed,
> > provided substantially more information is hashed than
> > the amount of internal state. This is independent of
> > whether the hash is "cryptographic" or not, and occurs
> > when the amount of internal state is insufficient to
> > distinguish among all possible input data vectors. A
> > similar "insufficient information" argument assures
> > that double shuffling also cannot be reversed. Both
> > hashing and double-shuffling can thus be seen as
> > "information-reducing" functions and major sources of
> > strength in Dynamic Transposition.
> >
> > DECIPHERING
> >
> > We can easily return an encrypted block to plaintext by
> > applying Shuffle exchanges in reverse order. Shuffle might
> > be operated as usual, with the resulting exchange positions
> > simply buffered. When Shuffle has finished, the actual
> > data exchanges are made, last position first. Since we
> > shuffle twice to encipher, we must unshuffle twice to
> > decipher.
> >
>
> Sorry I'm late in responding; I just found this newsgroup, and I'm
> wading through the last five month's messages to catch up.
>
> Isn't Shuffle1(Shuffle2(PT)) == Shuffle2(Shuffle1(PT))?
>
> So the order in which the shuffles are applied is irrelevant...
>
> Sam
Of course it isn't. Sorry. Ignore me.
------------------------------
From: Jonathan Edwards <[EMAIL PROTECTED]>
Subject: Re: Card Games
Date: Thu, 31 May 2001 19:52:47 -0400
On 29 May 2001, lcs Mixmaster Remailer wrote:
> http://citeseer.nj.nec.com/150998.html points to a recent paper on
> "Mental Poker" which also contains a good set of links to earlier work
> on the problem.
>
> Anyone know of any implementations of these protocols?
>
>
I implemented Crepeau's poker protocol as my master's project. Send me
email (note - remove "nospam") if you'd like a copy.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: crypt education
Date: 31 May 2001 23:45:52 GMT
[EMAIL PROTECTED] (Thorsten Holz) wrote in <[EMAIL PROTECTED]>:
>Hello,
>
>I've got a question for the same topic:
>
>Which University would you recommend for someone who is interested in
>cryptography and maths? Currently I study in Germany, but I want to
>take a year abroad :)
I guess MIT in the US. The guy there I use to write to
the guy there Riverst or somthing like that. I think he used
an all or nothing transform. I thought he said he may look
at scott19u but have not heard from him for years. I suspect
he might have read a Wagner post saying scott19u was made
"mince meat" by his slide attack. Of course Wagner has lied
and attmitted never really looking at it.
But still till he got scared off or something I assume he
knows something about encryption if you could ever get in a
one on one conversation with him.
>
>> Read what the macericks are doing like Me and Ritter and also what
>> the public so called crypto gods do.
>
>Crypto god? Who is a crypto god in you eyes? And who is also a
>professor? :)
That was meant to be sarcastic. I don't really think of them
as gods. But basically its who ever holds the public sway. I
don't think I sould name names other than those that lied about
my code. You have to realizes crypto is not something the NSA
wants people to know about it. So with billions of dollars I am
sure they have much influence around the world to help see that
only those they wish raise to the top. Ron R may be an exception
I think he was at least one time very interested in real crypto.
Hey you asked for my view. Maybe with a few good german beers
I would say somthing different but that's my view at this time.
If I ever win the lotto I will start my own university for
compression crypto only and you can take the classes for free.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
