Cryptography-Digest Digest #968, Volume #10 Mon, 24 Jan 00 20:13:01 EST
Contents:
Re: Reversibly combining two bytes? (Terry Ritter)
Re: Java's RSA implimentation (Samuel Paik)
Re: Calculating A^-1 Mod P (Kent Briggs)
Re: MIRDEK: more fun with playing cards. ("r.e.s.")
Re: Does RSA use real prime ? (James Felling)
Re: RNG for OTPs during WWII (Jim Reeds)
Re: MIRDEK: more fun with playing cards. ("r.e.s.")
Re: Reversibly combining two bytes? (Alan Lawrence)
Re: Intel 810 chipset Random Number Generator (Guy Macon)
Re: Solution to GCHQ puzzle published (Padgett 0sirius)
Re: using SCRAMdisk for archiving files on CD ROM (write once) (Dan Day)
Re: simplistic oneway hash (Dan Day)
Re: Weierstrass Normal Form (John Savard)
Re: Intel 810 chipset Random Number Generator ("Joseph Ashwood")
Re: Solution to GCHQ puzzle published (GJJ)
Re: Calculating A^-1 Mod P (David A Molnar)
Re: Weierstrass Normal Form (John Savard)
Re: Weierstrass Normal Form ("John A. Malley")
Re: Ciphers for Parallel Computers ([EMAIL PROTECTED])
Re: MIRDEK: more fun with playing cards. (Paul Rubin)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Reversibly combining two bytes?
Date: Mon, 24 Jan 2000 21:13:17 GMT
On Mon, 24 Jan 2000 17:09:32 +0000, in
<[EMAIL PROTECTED]>, in
sci.crypt Alan Lawrence <[EMAIL PROTECTED]> wrote:
>I'm having a go at writing some simple encryption software myself and
>wonder if anyone has any ideas...system works by combining the plaintext
>byte with other bytes, derived from the key, by some of the following
>methods:
>
>*add modulo 256
>*exclusive or
>*multiply modulo 257 - a value of 256 (in modulo 257) is encoded as a
>zero. Since 257 is prime, a value of 0 (modulo 257) is never created.
>* ????
>
>my problem is that I want a fourth method!
Any such method will be particular cases of Latin square, and those
having simple math relationships are likely to be linear. By using
explicit randomly-constructed Ls's which have no simple relationships,
the combining can be nonlinear, yet still reversible.
Given some Ls, one axis is selected by the confusion sequence, the
other by data, and the selected symbol is the ciphertext. There is
always an inverse square that will take ciphertext to plaintext in a
similar way by using the same confusion sequence. With a wide enough
confusion sequence, it is possible to select among many such squares,
or to use several selected squares in sequence.
You might want to take a look at my glossary under "combiner" and
"Latin square combiner."
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: Java's RSA implimentation
Date: Mon, 24 Jan 2000 21:14:20 GMT
Paul Schlyter wrote:
> In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> wrote:
> > : B = A;
> > :
> > : Will the B = A discard the old B and create a new copy of B?
> >
> > B is not now itself a BigInteger object, but a (reference to an) array
> > of them.
>
> Which means arrays aren't "first class citizens" in Java?
Huh?
(define a (vector 10))
(define b (vector 10))
(set! b a)
b is now a reference to a (is bound to a). Hence arrays aren't
"first class citizens" in Scheme?
--
Samuel S. Paik | http://www.webnexus.com/users/paik/
3D and multimedia, architecture and implementation
Solyent Green is kitniyos!
------------------------------
From: Kent Briggs <[EMAIL PROTECTED]>
Subject: Re: Calculating A^-1 Mod P
Date: Mon, 24 Jan 2000 21:26:05 GMT
Paul Schlyter wrote:
> Did today's Switzerland exist back then? Weren't there just all those
> small "German states" over there back in Euler's time?
Leonhard Euler lived from 1707 to 1783. Switzerland has been around since 1291.
--
Kent Briggs, [EMAIL PROTECTED]
Briggs Softworks, http://www.briggsoft.com
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Mon, 24 Jan 2000 13:36:03 -0800
"Paul Rubin" <[EMAIL PROTECTED]> wrote ...
: In article <[EMAIL PROTECTED]>,
: Paul Crowley <[EMAIL PROTECTED]> wrote:
: >It's not a downside that necessarily applies to randomised stream
: >ciphers where the randomiser is sent along with the message; this is
: >true of Mirdek, and we've heard some ideas about how that could be
: >done for ARC4-52 and ARC4-Rubin (the CRT-based variant).
:
: Um, I don't think there's such a thing as "ARC4-Rubin". The CRT thing
: is just a different way of physically/mentally manipulating the cards
: that's supposed to be a little easier. The cipher itself is supposed
: to be exactly the same, for cryptanalysis purposes. You could think
: of it as being like changing the initial and final permutations in
: DES. They don't have any effect at all on the strength of the cipher.
My intentions were similar with what people are calling ARC4-52.
(But it's worth repeating that the XOR combiner is replaced with
mod 52 addition.)
These names like AR4whatever get very confusing, esp. because
there's good reason, I think, to take ARC4's stream generator
and see if it can be better used with alternative modes of keying.
Then it's what, ARC4-52-S-K1, etc? ;-)
--
r.e.s. "Mistr Typo"
[EMAIL PROTECTED]
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Does RSA use real prime ?
Date: Mon, 24 Jan 2000 15:33:38 -0600
Hank wrote:
> base. Is this true ?
> > >
> >
> > Yes it's true. Factoring a large N bit number will take too long for
> > most cases. So they use probable primality testers. I wouldn't
> > dismiss them so casually. For the most part the chances your two
> > primes in RSA [say as made by PGP] are not prime is less then 1 in
> > 2^51. Even if they are composite the chances that you decrypt/encrypt
> > messages sucessfully more then once is way smaller.
> >
> > See the decryption exponent 'e' is found by taking d^-1 mod (p-1)(q-
> > 1). If either q or p are not prime then 'e' will not be the inverse
> > exponent mod pq.
> >
> > Tom
>
> As I know, the encryption/decryption of RSA is based on Fermat's theorem, which
>says
>
> If p is a prime, then a^(p-1) = 1 (mod p) for a in Zn (*)
>
> I don't have a detailed proof on this. And I think it is not a two-way theorem.
>That means the
> relation might hold for some carefully chosen 'a' even p is not a prime.
>
> So I wonder how PGP tackles conditions conditons in which p, q are not real
>primes.
> Starting a new round of prime hunting ? Or carefully selecting 'a' to accord
>with the
> relation(*) ?
First off the primality testing on PGP is such that the odds of you winning the
lottery jackpot
within 5 seconds of being struck by lightning is a much more likely occurence than
a PGP chosen
pair of primes containing a composit number.
If a candidate number fails to be a prime, it is discarded and annother value is tried
-- until a
prime is found.
Before you post such questions, read up on the algorithim and the maths behind it.
------------------------------
From: Jim Reeds <[EMAIL PROTECTED]>
Subject: Re: RNG for OTPs during WWII
Date: Mon, 24 Jan 2000 21:30:56 GMT
Bayard Randel wrote:
> Just out of historic interest, would anyone happen to know what sort of RNGs
> would have typically been used by either Allied or Axis forces for OTP
> keystream generation ? dice, playing cards ?
The German Foreign office used a machine to generate its one time pads,
which I think was described in a recent Cryptologia. The machine was built
by some famous firm whose name escapes me now, maybe Lorenz, maybe
Siemens. The Allies were reading much of the traffic because many of the
pages were reused; its also possible they captured some bundles of pads.
The cover name was "Floradora". Late in the war it was realized that the
pads were prepared by machine, which was diagnosed in the end as a bunch
of numbering stamps, with a non-standard carry algorithm, mixed numeral
sequences, and (this is what made it hard to diagnose) each page of numbers
showed the current state of the machine, so you had to look at succesive
pages to see the machine transitions. Pages were permuted quite thoroughly
before being bound into pads, so there was no guarantee that successive
messages were enciphered with successive machine states. There was a
lecture on the subject at the last-but-one Cryptologic History Symposium.
I have spoken with a member of the Arlington Hall team that worked on the
project.
--
Jim Reeds, AT&T Labs - Research
Shannon Laboratory, Room C229, Building 103
180 Park Avenue, Florham Park, NJ 07932-0971, USA
[EMAIL PROTECTED], phone: +1 973 360 8414, fax: +1 973 360 8178
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: Mon, 24 Jan 2000 13:43:13 -0800
"Paul Crowley" <[EMAIL PROTECTED]> wrote ...
: "r.e.s." <[EMAIL PROTECTED]> writes:
[...]
: It's not a downside that necessarily applies to randomised stream
: ciphers where the randomiser is sent along with the message; this is
: true of Mirdek, and we've heard some ideas about how that could be
: done for ARC4-52 and ARC4-Rubin (the CRT-based variant).
It seems I've not visited your site recently enough
to know of the changes it's undergone. Noticing your
postings today, I see it's still a "work in progress",
as you did warn.
[...]
:
: I know of two academic papers covering RC4 - Bob Jenkins's and Jovan
: Golic's - and both discuss such variants where M is a power of two.
Thanks, I'll try to find them.
--
r.e.s. "Mistr Typo"
[EMAIL PROTECTED]
------------------------------
From: Alan Lawrence <[EMAIL PROTECTED]>
Subject: Re: Reversibly combining two bytes?
Date: Mon, 24 Jan 2000 21:51:33 +0000
Tony T. Warnock suggested:
> Subtraction mod 256
but the problem with this is that it's the same as addition. For example
any number <x> plus 123 mod 256 is the same as that number <x> minus 133,
mod 256. Every number <y> (123 in the example above) has an equivalent,
256-y, that when subtracted does the same as adding y.
Terry Ritter suggested
> You should use an explicit randomly-constructed Latin Square.
or words to that effect.
Latin squares can, in effect, hold the details of how to encrypt and
decrypt by _any_ reversible method, i.e. one could construct a Latin
Square, the output of which is equal to the sum of the column number and
row number. Obviously a Latin square with no simple relationships, and
non-linear combining is far superior....however how do I generate such a
square? If I find suitable seeds for a random number generator, I can
permute the sequence 0..255 to generate a column of the table, and do this
256 times, but then how do I make sure each number appears exactly once in
each row as well? Admittedly one could brute force this, repeatedly
generating the table until it works, but being fussy I don't like doing it
that way:-)
Many thanks
Alan Lawrence
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 24 Jan 2000 16:55:13 EST
In article <86gcnd$l0n$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Michael Kagalenko) wrote:
>
>Trevor Jackson, III ([EMAIL PROTECTED]) wrote
>]Michael Kagalenko wrote:
>]> False. You did not understand the physics that I am proposing to use.
>]> As I said elsewhere, you are wrong.
>]
>]You can _say_ that as much as you like. But the readers of the
>] sci.* fora prefer that you _show_ it.
>]
>]You haven't.
>]
>]*NEXT*.
>
> I don't think that collected readership of sci.* groups had
> ever appointed you their spokesmen.
That would be me. Sorry you missed the election - we only send
ballots to folks who give reasons why they think someone is wrong.
You disqualified yourself. You do qualify for talk.* and alt.*.
------------------------------
From: [EMAIL PROTECTED] (Padgett 0sirius)
Subject: Re: Solution to GCHQ puzzle published
Date: Tue, 25 Jan 2000 05:24:04
>Trust them to spoil the chase.
Not completely - they missed the extra-value solution to the linguist's
page (so did slashdot 8*).
A. Padgett Peterson, P.E. CISSP: Cybernetic Psychophysicist
http://www.freivald.org/~padgett/index.html
to avoid antispam use mailto:[EMAIL PROTECTED] PGP 6.5 Public Key Available
------------------------------
From: [EMAIL PROTECTED] (Dan Day)
Subject: Re: using SCRAMdisk for archiving files on CD ROM (write once)
Date: Mon, 24 Jan 2000 22:06:45 GMT
On Fri, 21 Jan 2000 04:04:53 GMT, "Lee" <[EMAIL PROTECTED]> wrote:
>Is it possible to write a CD ROM using scramdisk? If so, then how?
The easiest way is to make a Scramdisk file (up to 630+MB) on your
hard drive, fill it any way you wish, close the volume, and then
just zap the entire scramdisk file (as one big ordinary file) to the
CD-R when you're ready. Then erase the copy on your hard drive
(unless you want to keep it for some reason).
You'll then be able to open the Scramdisk file on your CD-R using
Scramdisk, and access the contents, in exactly the same way that
you do on a hard drive. You just won't be able to alter the
contents, obviously.
--
"How strangely will the Tools of a Tyrant pervert the
plain Meaning of Words!"
--Samuel Adams (1722-1803), letter to John Pitts, January 21, 1776
------------------------------
From: [EMAIL PROTECTED] (Dan Day)
Subject: Re: simplistic oneway hash
Date: Mon, 24 Jan 2000 22:13:40 GMT
On 20 Jan 2000 23:43:55 -0500, [EMAIL PROTECTED] wrote:
>1) It must be simple to code (no more than a couple dozen lines)
>2) It must be collision free
If you truly need it to be "collision free", then what you're
looking for is not a hash function, but an encryption algorithm.
Hash functions necessarily produce collisions any time the input
can have more bits than the hash output.
An encryption algorithm, on the other hand, necessarily produces
a unique output for every unique input. (And without the key
in hand, can obviously be considered "one way" -- if it isn't,
it's a lousy encryption algorithm.)
--
"How strangely will the Tools of a Tyrant pervert the
plain Meaning of Words!"
--Samuel Adams (1722-1803), letter to John Pitts, January 21, 1776
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Weierstrass Normal Form
Date: Mon, 24 Jan 2000 15:43:24 GMT
Mike Rosing <[EMAIL PROTECTED]> wrote, in part:
>Has Prof. Koblitz thrown you a curve? :-)
Although I have a copy of his book that I picked up at a yellow book
sale, most of the math is either beyond me, or at least stuff I
haven't had the time to wrestle with.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator
Date: Sun, 23 Jan 2000 23:09:50 -0800
Crossposted-To: sci.physics
> All I need to do is measure the clock drift. Aging of the crystal can
> be corrected with re-calibartion.
But that itself introduces biases in the numbers generated.
Let's take a probably not all that great example. Lets take a crystal of
frequency F(with a random component measurably small), with a decay of
F/time of D. Now we use this to generate Numbers the following way:
if measured(F) is higher than published(F) return 1
if measured(F) is lower than published(F) return 0
Our measured(F) is actually published(F)+randomness+integral(D), giving us a
very measurable bias probably rather quickly. No matter how fast you
re-calibrate the bias (eliminating degenerate cases) will be present.
I don't see where the frequency of something that decays (even at an
extremely predictable rate) is of much use.
Joe
------------------------------
From: GJJ <[EMAIL PROTECTED]>
Subject: Re: Solution to GCHQ puzzle published
Date: Mon, 24 Jan 2000 15:29:53 -0800
Spoiler! Do not view if you're trying to solve...
When I held my mouse over "The Salary" of linguists (and viewed the
page source) - the characters I got were "OHE-H"...i.e. "H" instead of
"N".
Furthermore - the first set of characters were not from a PAGE source
but a FRAME source.
So - even though the Times got the right characters - they didn't do as
thorough reporting as they should have since these errors would have
been caught (and reported) if they had really checked things out...
GJJ
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Calculating A^-1 Mod P
Date: 24 Jan 2000 23:01:07 GMT
Michael Scott <[EMAIL PROTECTED]> wrote:
> An alternative to the Euclidean algorithm, albeit a much slower alternative,
> is to calculate A^-1 mod P as A^(P-2) mod P (assuming that P is prime, which
> it is in this context.).
This works, but when / if you want to generate RSA keys later on you will
have some
trouble. Since now you will need to know phi ( phi (n) ), which is not
always known. Particularly if you didn't generate n in such a way that
the factorization of n - 1 is known!
-David
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.math
Subject: Re: Weierstrass Normal Form
Date: Mon, 24 Jan 2000 16:28:05 GMT
Robin Chapman <[EMAIL PROTECTED]> wrote, in part:
>Perhaps you want a general procedure for turning a plane cubic into
>Weierstrass form?
That's exactly what she wanted. Since she originally posted it to
sci.crypt alone, though, that may be the newsgroup she is monitoring.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Weierstrass Normal Form
Date: Mon, 24 Jan 2000 16:33:05 -0800
>
> >Perhaps you want a general procedure for turning a plane cubic into
> >Weierstrass form?
>
> That's exactly what she wanted. Since she originally posted it to
> sci.crypt alone, though, that may be the newsgroup she is monitoring.
Found this via Yahoo, maybe it can help:
http://www.math.niu.edu/~rusin/known-math/index/14H52.html
The Web site covers:
* Descriptions of the method to put a curve in Weierstrass form.
* Example of a transformation of an elliptic curve into Weierstrass form
* An example of transformation to normal form for an elliptic curve.
* Putting an elliptic into Weierstrass canonical form
John A. Malley
102667.2235@compuserve
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Ciphers for Parallel Computers
Date: Tue, 25 Jan 2000 00:38:53 GMT
Tim Tyler wrote
[...]
> It looks like I was misinterpreting their hype.
>
> After re-reading the material, they are talking about
> parallelising the testing of a single key.
No - the breaking of key pair.
> In other words, the paragraph I cited was not intended to apply to the
> process of parallel searches, testing more than one key at a time.
I think you still don't have it. The time to break a
cryptosystem is defined by the best attack, and they claim
that there is no known way to use parallel machines to
reduce that time.
The fact that we can parallelize brute-force key search has
nothing to do with this issue. Look at the key size.
Parallel brute-force will never be nearly as fast as serial
LLL.
--Bryan
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: MIRDEK: more fun with playing cards.
Date: 25 Jan 2000 00:53:57 GMT
r.e.s. <[EMAIL PROTECTED]> wrote:
>"Paul Rubin" <[EMAIL PROTECTED]> wrote ...
>: Um, I don't think there's such a thing as "ARC4-Rubin". The CRT thing
>: is just a different way of physically/mentally manipulating the cards
>: that's supposed to be a little easier. The cipher itself is supposed
>: to be exactly the same, for cryptanalysis purposes. You could think
>: of it as being like changing the initial and final permutations in
>: DES. They don't have any effect at all on the strength of the cipher.
>
>My intentions were similar with what people are calling ARC4-52.
>(But it's worth repeating that the XOR combiner is replaced with
>mod 52 addition.)
ARC4-52 describes the cryptographic algorithm and is a good designation
(distintinguishes it from the traditional ARC4-256). The xor combiner
should be irrelevant to the cryptography. It's not part of the cipher.
>These names like AR4whatever get very confusing, esp. because
>there's good reason, I think, to take ARC4's stream generator
>and see if it can be better used with alternative modes of keying.
>Then it's what, ARC4-52-S-K1, etc? ;-)
That doesn't sound unreasonable. We already often run SSL/TLS
with ciphersuites like EDH-SHA-DES3-CBC-PKCS5. ARC4-52-xx isn't so bad.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
