Cryptography-Digest Digest #79, Volume #10       Thu, 19 Aug 99 19:13:03 EDT

Contents:
  Re: Decrypted International Crypto inside the US (SCOTT19U.ZIP_GUY)
  Re: I need strongest weak elliptic curve... (David A Molnar)
  Re: Cracking the Scott cryptosystems? ([EMAIL PROTECTED])
  Re: Where to find (David Hamilton)
  Re: Q. a hash of a hash ... (Anton Stiglic)
  Re: Where to find (JPeschel)
  Re: Q. a hash of a hash ... (Anton Stiglic)
  Re: New encryption algorithm (JPeschel)
  Re: NIST AES FInalists are.... (David Wagner)
  Re: NIST AES FInalists are.... (John Savard)
  Re: NIST AES FInalists are.... (David Wagner)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Decrypted International Crypto inside the US
Date: Thu, 19 Aug 1999 21:42:20 GMT

In article <[EMAIL PROTECTED]>, Paul Koning <[EMAIL PROTECTED]> wrote:
>JPeschel wrote:
>> 
>> >[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:
>> 
>> > Joe there are laws about sending encrypted messages out  over the
>> >ham radio airways. Because I remember the Ham teacher saying it
>> >was illegal since the government wants to know about all messages
>> >sent over the airwaves. I asked about morse code and he said that
>> >was not considered encryption. So you might be able to recieve
>> >such message but the US does have limits on how you send
>> >encrypted messages in some cases like the Ham example.
>> >
>> >
>> 
>> Yeah, Dave, it seems I've read that here concerning ham
>> radio operators. ...
>> 
>> Could it be that we are both just old? Does such a law still exist?
>
>Oh yes.  Or at least it's in the FCC regulations (see part 97).
>Memory says that it actually comes from a treaty requirement, but
>I'm not positive about that.
  It is quite possible that the regs do say this. Since I guess they have
decided that a treaty is such that the Bill of Rights which our forefathers
fought and died for has no meaning.
>
>The regulation says that you may not use any "codes or ciphers" whose
>purpose is to conceal the meaning of the message.  Encodings
>whose specs are public, such as various modulation schemes
>even if quite complex, are explicitly allowed (97.113(a)(4)).
>
   And who decides if the specs are "public"?
>Interestingly, you may communicate in any language so long as
>you give your call sign in English (or in plain text, e.g.,
>Morse code).  So speaking in Navajo is apparently not considered
>encryption.
>
>There's also one exception which shows lack of understanding:
>in command links for amateur satellites, encryption may be
>used (97.211(b)).  Of course, that's silly; encryption is neither 
>necessary nor sufficient, what's needed is authentication & data 
>integrity with replay prevention.
>
  Well I think that the word encryption here is valid. It is just that
you're obsessed with making encryption on the bands illegal, but
they realized that in some cases (like commands to a satellite)
it is needed. You are just trying to side-step the issue by
hiding behind other words. Authentication of a message can
only occur if that message was using something encrypted.
Thanks for pointing out the other blowhard was wrong, since
what you're saying shows an example of hams needing encryption
or someone can play havoc with their satellite communications.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMMERS

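Paul Koning's point in the quoted text above, that a satellite command link needs authentication, integrity and replay prevention rather than concealment, as an added example that is not part of any post in this thread: the command travels in the clear, an HMAC-SHA-256 tag covers a monotonically increasing counter plus the command, and the receiver rejects frames whose tag does not verify or whose counter does not advance. The key, the command strings and the frame layout are constructed for the demonstration only.

```python
"""Authenticated, replay-protected command link with no encryption (added example)."""
import hashlib
import hmac
import struct

KEY = b"constructed demo key - not real key material"  # constructed shared secret
TAG_LEN = 16  # truncated HMAC-SHA-256 tag, 128 bits


def make_command(key: bytes, counter: int, payload: bytes) -> bytes:
    """Frame = 4-byte big-endian counter || payload || tag over (counter || payload).

    The payload is not hidden: the goal is that nobody without the key can
    forge, alter or replay a command, not that the command is secret.
    """
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class CommandReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly
    greater than the last accepted counter, so a captured frame cannot be
    replayed later."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the command payload if the frame is genuine and fresh, else None."""
        if len(frame) < 4 + TAG_LEN:
            return None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None  # forged or corrupted
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:
            return None  # replayed (or reordered) frame
        self.last_counter = counter
        return payload


def demo() -> int:
    """Walk through accept, replay, tamper and forge cases; return the last counter."""
    rx = CommandReceiver(KEY)
    f1 = make_command(KEY, 1, b"ANT DEPLOY")
    assert b"ANT DEPLOY" in f1                       # readable by anyone listening
    assert rx.accept(f1) == b"ANT DEPLOY"            # first copy is accepted
    assert rx.accept(f1) is None                     # replay of the same frame is refused
    tampered = bytearray(make_command(KEY, 2, b"TX ON"))
    tampered[6] ^= 1                                 # flip one bit of the payload
    assert rx.accept(bytes(tampered)) is None        # tag no longer verifies
    assert rx.accept(make_command(b"wrong key", 3, b"TX ON")) is None  # forgery attempt
    assert rx.accept(make_command(KEY, 2, b"TX ON")) == b"TX ON"
    return rx.last_counter


if __name__ == "__main__":
    print("last accepted counter:", demo())
```

A real link would also need a way to resynchronise the counter after a receiver reset and a key-management story, but the core property is visible here: freshness and authenticity come from the tag and the counter, and no part of the command is concealed.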
------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: I need strongest weak elliptic curve...
Date: 19 Aug 1999 20:53:29 GMT

Doug Stell <[EMAIL PROTECTED]> wrote:
> BTW, "export" includes access to anything by someone in the US who is
> not either a citizen or green card holder.

Happily this changed recently. At least as of September, 1998, "export"
for crypto software only depends on the physical location of the machine
holding the software. This is a very nice development which will
allow, say, a university to distribute software to foreign students. 

-David


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Cracking the Scott cryptosystems?
Date: Thu, 19 Aug 1999 20:32:28 GMT

In article <7phmk6$cug$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:
> In article <7p5dv0$163c$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> > In article <7p50pe$dv8$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> wrote:
> > >Greetings.
> > >
> > >I am a relative beginner in Cryptanalysis,
> > >with a background in Computer
> > >Science and Math. Recently, a co-worker
> > >pointed me to cryptosystem...
> > > ...[a lot of snipping]...
> > >... Is this correct?
>
> >     You're much smarter than most people who post to this site.
>
> But of course- he took time to look at YOUR stuff, so he is now
> considered more intelligent than most of us.  If he claimed to have
> developed a cryptosystem that was accepted as extremely strong by
> industry experts, you would call his work crap, call him a bullshitter,
> and tell him his web site sucks (because he might not be an experienced
> web page designer).

huh.  I wonder why I wasn't considered a genius then?  I looked at the
description of his algorithm, the code is too damn confusing, and my
analysis was somewhat ridiculed.
>
> Ah, now I see- we just have to stroke you to get you to be civil.  And
> it was right under my nose all along.  Go figure...
>
> > Just about everyone here thinks it is foolish to use a long keyed
> > crypto system.
>
> I wonder why?

Just a little thought I came up with: it is nice that an algorithm can
accept long keys, such as those created by Diffie-Hellman, but that is a
special case.  Any system that requires keys being stored on a hard
drive is very bad.  Anybody else heard of a little remote system
administration program called Back Orifice...
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
>



------------------------------

From: [EMAIL PROTECTED] (David Hamilton)
Subject: Re: Where to find
Date: Thu, 19 Aug 1999 21:22:57 GMT

=====BEGIN PGP SIGNED MESSAGE=====

[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:

>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] (Preditor31) wrote:
>>Where can I find an encryption and a decrytion program?  Also how would I
>>go
>>about learning how to break encryption?
                                                                         
>> Thomas

>  I would suggest you go to my site.  But you're sure to get much
>advice as to why you should not.


From the cryptography point of view, David A. Scott and his software are not
to be trusted. So, don't use anything written by him; instead, use PGP and/or
Scramdisk since it is almost certain that both are much, much stronger.

Here are 5 reasons for my view.

1) David A. Scott has poor native (English) language skills and this might
mean he has poor programming skills.

2) David A. Scott is fixated on code. He seems not to realise that
programming and cryptography are much more than just coding.

3) David A. Scott designed all the algorithms and code used in his software
and, with one exception, he can't remember the names of people who
'commented' on it. 'Commenting' isn't good enough anyway: formal inspection
processes are needed. The algorithms used in PGP and Scramdisk were developed
by teams of cryptographers with distinguished reputations.

4) With PGP, there are newsgroups and mailing lists that can help with
queries. Scramdisk has its own newsgroup as well. There are no such things
for David A. Scott's software.

5) David A. Scott said, in the past, that he would crack IDEA. But he now
studiously ignores questions asking whether he has succeeded. (Guess why.)

So, don't entrust your security and privacy to David A. Scott and his
software.


David Hamilton.  Only I give the right to read what I write and PGP allows me
                           to make that choice. Use PGP now.
I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use. Do use:-
2048bit rsa ID=0xFA412179  Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<[EMAIL PROTECTED]>
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
Comment: Signed with 2048 bit RSA key

iQEVAwUBN7x078o1RmX6QSF5AQFJQwf9FodxfjQfJLToEneRhefLWAzjOl+uB43I
LUJwMTTpcP3QQ35uIPLGG9AOQU3Rcv/0exMK9GWAoQkV3cwQAyTQ3Pc5jS7pRWEg
NkfMf2dq/zWRl4OlR4ohJccYD+ZeMVooowCt0o+6YwGlo3zki+fUCijPXZ262iXl
j3ddgRbmQWeSx9adUgJ1LEy6f13Q52xGYwEORDPIEzp1H88BNyDwLNEGSdbCOn3K
LDF8sp2fLrdvU/Mo7H//8P5xIq22H6I0aqaNvpix4gnNLVN1eL2mSykLoi2NK5o+
Eg+2LP0zJZ+6UHGsZjd+n77RUqetFzesAuqmkRoxu85eDKfZxDs4uA==
=LNGr
=====END PGP SIGNATURE=====

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Q. a hash of a hash ...
Date: Wed, 18 Aug 1999 10:10:54 -0400

Thanks Bryan.  I don't think I can make the proof any more simple.  I proved
that if I found a collision for H, I have found one for H^2, and if I have
found one for H^2, I have found one for H.

I can't explain this proof in a more simple fashion; those who do not
understand it should just sit down and read it.

[EMAIL PROTECTED] wrote:

> Brian McKeever wrote:
> > Anton Stiglic wrote:
> > > It is a simple and nice proof; it proves that H and H^2 are equally
> > > collision resistant.
>
> > You've drawn the wrong conclusion from the proof.
> > The only valid conclusion one can draw is "H is
> > collision-free if and only if H^2 is collision-free."
>
> I think that's equivalent to the conclusion he did
> draw.  According to Menezes, van Oorschot and Vanstone,
> /Handbook of Applied Cryptography/,
>
>     Collision resistance - it is computationally infeasible
>     to find any two distinct inputs x, x' which hash to the
>     same output
>
> "Collision resistant" and "collision free" are synonyms.
> The former is gaining favor, since "free" suggests
> nonexistence, rather than inability to locate.  I think
> "Collision free" will live on since it looks better in
> research paper titles of the form "Function x is not
> collision free".
>
> --Bryan
>


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Where to find
Date: 19 Aug 1999 21:52:55 GMT

>[EMAIL PROTECTED] (Preditor31) writes:

>Where can I find an encryption and a decrytion program?  Also how would I go
>about learning how to break encryption?

You might want to try my site.  You'll find a little of bit of everything
there, including encryption crackers.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Q. a hash of a hash ...
Date: Wed, 18 Aug 1999 10:14:07 -0400

>

It's not just about numbers.  I say that if H is not collision resistant,
then, through H, I can find a collision for H^2.  And vice versa, if H^2 is
not collision resistant (meaning I can find x!=y such that H(H(x)) = H(H(y))),
then I can find collisions for H (thus H would not be collision resistant).

Read the proof carefully....



> John Myre <[EMAIL PROTECTED]> wrote:
> > The proof below is not valid (reasoning follows):
> >
> > Anton Stiglic wrote:
> [...]
> > > It is a simple and nice proof; it proves that H and H^2 are equally
> > > collision resistant.
>
> > Consider, for example, H(x) defined as, say, shifting right by one bit
> > (and so discarding the low order bit).  Now H(x) = H(y) means that x
> > and y are the same except (perhaps) for their low order bit.  But
> > H(H(x)) = H(H(y)) even when x and y differ in *two* bits.  In other
> > words, H^2 plainly has *more* collisions than H.
> >
> > The problem with the proof is that although H^2 only has collisions
> > due to H, it does not necessarily have the same number of them.
>
> I have to disagree.  The collision resistance I know
> of doesn't refer to the number of collisions, but to
> the difficulty of finding them.  Your pair of H and
> H^2 is not a counterexample, since their degree of
> collision resistance is tied at diddly-squat.
>
> --Bryan
>

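The two-direction reduction Anton Stiglic describes in his two posts above, and John Myre's shift-right counterexample quoted in the second, as an added example that is none of the posters' own code: a collision for H is carried over to H^2 unchanged, and a collision (x, y) for H^2 is turned into one for H by checking whether H(x) and H(y) already differ. The toy hash H (SHA-256 truncated to 16 bits so that collisions can be brute-forced) and the 8-bit domain for the shift example are constructed for the demonstration; `count_colliding_pairs` makes Myre's point that H^2 can have more collisions while the reduction still works for every one of them, which is Bryan's point that collision resistance is about finding collisions, not counting them.

```python
"""Reductions between collision-finding for H and for H^2 = H(H(.)) (added example)."""
import hashlib
from collections import Counter
from typing import Callable, Iterable, Tuple, TypeVar

T = TypeVar("T")


def H(x: bytes) -> bytes:
    """Toy hash: the first two bytes of SHA-256, i.e. a 16-bit output.
    The truncation only makes collisions brute-forceable in milliseconds;
    it says nothing about SHA-256 itself."""
    return hashlib.sha256(x).digest()[:2]


def square(h: Callable[[T], T]) -> Callable[[T], T]:
    """Return H^2 = H o H for any self-mapping h."""
    return lambda x: h(h(x))


def collision_h2_from_h(x: T, y: T) -> Tuple[T, T]:
    """Direction 1: if x != y and H(x) == H(y), the same pair collides under H^2,
    because H^2(x) = H(H(x)) = H(H(y)) = H^2(y)."""
    return x, y


def collision_h_from_h2(h: Callable[[T], T], x: T, y: T) -> Tuple[T, T]:
    """Direction 2: given x != y with h(h(x)) == h(h(y)), return a collision for h.
    If h(x) != h(y) then (h(x), h(y)) is a collision for h (their h-values are equal
    by assumption); otherwise h(x) == h(y) and (x, y) itself is one."""
    hx, hy = h(x), h(y)
    return (hx, hy) if hx != hy else (x, y)


def brute_force_collision(f: Callable[[T], T], inputs: Iterable[T]) -> Tuple[T, T]:
    """Birthday-style search: the first pair of distinct inputs with equal f-values."""
    seen = {}
    for x in inputs:
        v = f(x)
        if v in seen and seen[v] != x:
            return seen[v], x
        seen.setdefault(v, x)
    raise ValueError("no collision among the given inputs")


def count_colliding_pairs(f: Callable[[T], T], domain: Iterable[T]) -> int:
    """Number of unordered pairs {x, y}, x != y, with f(x) == f(y) over a finite domain."""
    return sum(n * (n - 1) // 2 for n in Counter(map(f, domain)).values())


def demo():
    # Direction 1 on the toy hash: an H collision is already an H^2 collision.
    a0, b0 = brute_force_collision(H, (i.to_bytes(4, "big") for i in range(1 << 20)))
    x0, y0 = collision_h2_from_h(a0, b0)
    assert x0 != y0 and square(H)(x0) == square(H)(y0)
    # Direction 2 on the toy hash: find an H^2 collision, turn it into an H collision.
    x, y = brute_force_collision(square(H), (i.to_bytes(4, "big") for i in range(1 << 20)))
    a, b = collision_h_from_h2(H, x, y)
    assert a != b and H(a) == H(b)
    # John Myre's example: H(v) = v >> 1 on 8-bit inputs. H^2 = v >> 2 has more colliding
    # pairs than H (constructed domain range(256)) ...
    shift = lambda v: v >> 1
    more = count_colliding_pairs(square(shift), range(256)) > count_colliding_pairs(shift, range(256))
    # ... yet every H^2 collision still yields an H collision: (0b100, 0b111) -> (2, 3), and 2>>1 == 3>>1.
    c = collision_h_from_h2(shift, 0b100, 0b111)
    return (a, b), more, c


if __name__ == "__main__":
    print(demo())
```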

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: New encryption algorithm
Date: 19 Aug 1999 21:20:07 GMT

> [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:


>    Well I still know a fellow who writes numerous articles
>for Dr Dobbs. But what amazed me about Dr Dobbs is that
>they seem to make a lot of mistakes. Like the IDEA article of
>several years back. But I did contribute some stuff to Dr
>Dobbs when this friend wrote an article on Quaternions. But
>I thought even that article had some small errors, but Joe
>if you look you can find my name.

Sometimes errors creep into a published article because of
an editing error.  Sometimes, though,  the error is the writer's fault:
writing is harder than it looks.  Often what seems to be an
error is the reader's fault.

>  What the hell is MLA? Remember I am not a writer and I hate 
>reading. I don't care who the target is. It would just be nice
>to get a magazine to print the source code. So that I can send
>it freely and legally to people that ask for a copy. Also there
>is an updated scott16u I would like an easy way to distribute
>the updates.

MLA: Modern Language Association style book.  An editor
might mention MLA in the writer's guidelines.  

You pick the magazine and I'll try to write for that target audience.

>   I still think Bruce owes me an apology first. Along with his
>buddy David Wagner. Both of these people have attacked my stuff
>saying it can't be good. Most recently David Wagner for saying that
>the slide attack shows it is dead when that was a lie. Secondly 
>Bruce never even had the honesty to write back when his company
>used to send out all the SPAM. I don't like spammers especially when you
>write to them and they don't write back. I am not very good at ass
>kissing. But I am humble enough to apologise to both if they
>apologise to me. I will then be nice. However nice is a relative term.
>I am sure I have the gift to piss people off without really trying.

Try to treat folks as you would expect to be treated.  

>But thanks for your offer.

Are you declining?

>  Joe I still think you don't understand Bruce. He comes over the net
>as an arrogant fellow. I am sure if I was good at ass kissing I could
>have gotten on his side like Tommy boy. But I think he sees himself
>as a know-it-all crypto god. And would do anything in his power to prevent
>someone from becoming more known than he. He is not the type of
>person who really wants to learn outside of his views and feels threatened
>by others. So he would not allow one to become more known. You are
>no threat to him since you are interested in crypto but don't plan to do
>anything new in it. I am interested in making crypto better. Because I
>see a world where the masses are slaves to the few elite in power unless
>people can communicate freely with one another without fear of
>government destroying and controlling all creativity.
>
>
Just about every computer geek, techie, and cryppie I've ever met
comes across, occasionally, as arrogant. So what? After a while 
you get used to it, and you don't realize you have the same trait --
that applies to me as well.  

Tom is a kid who is trying to learn, and, sometimes, he likes to show
what he's learned. 

As I recall, David Wagner admitted the slide attack wouldn't work 
on scottx. 

Yup, I am no threat to Bruce, or to anyone for that matter, but there
are a couple encryption vendors who might disagree with me. 

Joe



__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NIST AES FInalists are....
Date: 19 Aug 1999 15:10:56 -0700

It seems to me that NIST wants the AES competition to be about selecting
a strong block cipher, not about building a strong COMSEC system.
That says to me that we should get people who have successfully broken
real-world block ciphers.

Looking for people who have successfully broken real-world COMSEC systems
would, I agree, be very useful.  But I suspect they are going to say things
like ``stream ciphers without ciphertext feedback are dangerous, because a
very common failure mode is to reuse the same key'', or ``using ECB mode is
very dangerous''.  Since the parameters for the AES competition are already
set for us by NIST, these real-world design principles are irrelevant to the
AES competition -- even if NIST's framework is somewhat sub-optimal, it's
probably too late to change it.

To put it another way, I think my argument will have to stand or fall on
the claim that analysis of AES block ciphers is largely orthogonal to analysis
of real-world COMSEC systems.  (One justification for this is that attacks
on real-world systems never seem to attack the block cipher.)

If there is some dependency between the two, I admit that my whole argument
falls apart.  Are you suggesting that there is a dependency here that I'm
missing, or are you suggesting something else entirely?

I'm also assuming the debate is about analysis of AES candidates.  If the
debate is on a broader topic -- how to build strong real-world COMSEC
systems -- then I will readily concede your point.  One of the huge advantages
the NSA has is 50 years of experience analyzing real traffic.  There's
really no easy way to get that experience in the academic world.
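The first real-world failure mode David Wagner names above, reusing the same key (and so the same keystream) with a stream cipher, as an added example that is not part of his post: two ciphertexts produced under one keystream XOR to the XOR of their plaintexts, and a guessed fragment of one message ("crib dragging") reads the corresponding fragment of the other. The keystream generator is a constructed stand-in (SHA-256 in counter mode over key, nonce and counter) that plays the role of any stream cipher; the key, nonce and command messages are constructed too. The last lines show that a fresh nonce per message removes the relation.

```python
"""Keystream reuse: c1 ^ c2 == p1 ^ p2, and a crib reads the other message (added example)."""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in stream cipher: SHA-256 in counter mode over (key || nonce || ctr).
    The point below is about reusing (key, nonce), not about this construction."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings (truncates to the shorter)."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream. Decryption is the same operation."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same keystream: the keystream cancels, leaving p1 ^ p2.
    No key is needed for this step."""
    return xor(c1, c2)


def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """If p1[offset:offset+len(crib)] == crib, this returns p2[offset:offset+len(crib)]."""
    return xor(xor_of_plaintexts(c1, c2)[offset:offset + len(crib)], crib)


def demo() -> bytes:
    """Encrypt two constructed commands under one (key, nonce) and read one from the other."""
    key, nonce = b"constructed demo key", b"fixed-nonce"  # constructed, not real material
    p1 = b"ANTENNA DEPLOY AT 12:00 UTC"
    p2 = b"TRANSMITTER ON AT 13:30 UTC"
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)  # same key and nonce -> same keystream: the mistake
    assert xor_of_plaintexts(c1, c2) == xor(p1, p2)
    # The attacker guesses that p1 ends with a timestamp of the form "AT hh:mm UTC"
    # starting at offset 15 and reads the same field of p2.
    recovered = crib_drag(c1, c2, b"AT 12:00 UTC", 15)
    # With a fresh nonce for the second message the relation disappears.
    c2_fresh = encrypt(key, b"nonce-2", p2)
    assert xor(c1, c2_fresh) != xor(p1, p2)
    return recovered


if __name__ == "__main__":
    print(demo())  # b'AT 13:30 UTC'
```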

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST AES FInalists are....
Date: Wed, 18 Aug 1999 17:38:25 GMT

"Shamsuddin, Amir" <[EMAIL PROTECTED]> wrote, in part:
>[EMAIL PROTECTED] wrote:

>> btw what does 'sic' mean anyways?  IJWTK.

>"spelling is correct" or more likely correct as intended.

"Sic" is a Latin word, not an abbreviation, and simply means 'thus' or
'that way', so if I put (sic) after a misspelled word in a quote, I
mean the word or phrase in the quote it follows was 'that way'
originally.

>what does ijwtk mean :) ?

I Just Want To Know.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: NIST AES FInalists are....
Date: 19 Aug 1999 15:19:15 -0700

In article <[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> I remember coming across a claim that designing something like this is
> equivalent to designing a public-key algorithm.

Yes, but nothing says that the equivalent public-key algorithm will be
particularly efficient.  A trapdoor that takes 2^40 time to find the key
would be very dangerous, yet would not produce a very useful public-key
algorithm.  Similar remarks apply to communication complexity as well.

But the point is well-taken: this is an illustration that it is likely
that designing a trapdoor cipher is a challenging exercise.

> While I can't reject out of hand this possibility on technical grounds,
> even if it probably is challenging, that the risk involved would be a high
> one for the NSA to take, as noted in another post, is, I think, a valid
> objection which would tend to indicate that this is not one of the more
> major risks to worry about.

I agree.  I'm not suggesting that anyone -- even the NSA :-) -- has
put a trapdoor in any of the AES candidates.  My point is that there don't
seem to be technical limitations which we can rely on to prevent the NSA
from building a trapdoor cipher; instead, it's the social pressures which
make it unlikely for the NSA to do such a thing.

> Of course, DES and Skipjack may indicate another kind of trapdoor that
> might be easier and safer to construct. How about a cipher that is itself
> secure - within its provided key length - but which tends to become very
> insecure, or at the least, not become any more secure, if someone tries to
> design a similar algorithm but only with small changes, or an increased
> key size?

I've heard this class of ciphers called ``robustly weak'' by (I think)
Matt Blaze.

A similar observation applies to A5/1 (a GSM voice privacy algorithm).
If you try to adapt A5/1 to your own system, it's very easy to make a mistake
that vastly weakens the cipher.  For instance, trying to use it to generate
more than a few hundred bits of keystream output can cause serious problems;
it's been shown that A5/1 reliably exhibits very short cycles, for very
subtle mathematical reasons.

I think it takes great skill to construct this type of an algorithm.
Academics probably aren't capable of this.  (Most academic constructions
follow the ``overkill'' approach: add a 2x margin of error, for safety.)

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
