Cryptography-Digest Digest #988, Volume #10 Thu, 27 Jan 00 18:13:02 EST
Contents:
Re: Any Reference on Cryptanalysis on RSA ? ("Douglas A. Gwyn")
Solitaire Encryption Algorithm question... ("anonymous intentions")
Attack on elliptic curves over GF(2^m), m composite (David Hopwood)
Re: ECM Factoring and RSA Speed Ups (David Hopwood)
Re: Solitaire Encryption Algorithm question... ("r.e.s.")
Re: Solitaire Encryption Algorithm question... ("anonymous intentions")
Re: Court cases on DVD hacking is a problem for all of us (Jere Hakanen)
Re: Best Encryption Software? (Steve K)
Re: Any Reference on Cryptanalysis on RSA ? (John Myre)
Re: NIST, AES at RSA conference (CLSV)
Re: How much does it cost to share knowledge? ("Trevor Jackson, III")
Re: How much does it cost to share knowledge? ("Trevor Jackson, III")
Re: DES Hardare - chips/cores (David Kessner)
Re: Unsafe Advice in Cryptonomicon (Wim Lewis)
Re: Strong stream ciphers besides RC4? (Uri Blumenthal)
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Any Reference on Cryptanalysis on RSA ?
Date: Thu, 27 Jan 2000 21:02:40 GMT
"Ip Ting Pong, Vincent" wrote:
> Currently, 1024 bit RSA and 64 bit DES are the de facto strong key
> length.
DES uses a 56-bit key. It is known to be crackable with today's
technology, with an expenditure of resources that are affordable
in many practical contexts.
> I want to know if the "legitimate" key space of 1024 bit RSA key
> is more or less equal to 64 bit key?
There is no relationship between the two systems nor their key
lengths.
------------------------------
From: "anonymous intentions" <[EMAIL PROTECTED]>
Subject: Solitaire Encryption Algorithm question...
Date: Thu, 27 Jan 2000 13:35:03 -0800
Hello I read the nomicon, as well as counterpane's page on how to generate
the key and the keystream.
I am stuck on producing a single output character.
The wording is this:
"1. Find the A joker. Move it one card down. (That is, swap it with the card
beneath it.) If the joker is the bottom card of the deck, move it just below
the top card."
"2. Find the B joker. Move it two cards down. If the joker is the bottom
card of the deck, move it just below the second card. If the joker is one up
from the bottom card, move it just below the top card. (Basically, assume
the deck is a loop...you get the idea.) " -source:
http://www.counterpane.com/solitaire.html
Now my problem is that my key looks like this:
.
.
5 diamonds
JOKER B
3 diamonds
8 diamonds
.
.
should I "move" them down such as it would be:
.
.
5 diamonds
3 diamonds
8 diamonds
JOKER B
.
.
or would it instead be "swapped":
.
.
5 diamonds
8 diamonds
3 diamonds
JOKER B
.
.
or something entirely different?!
As one could see I am confused with moving and swapping. I am sitting in
front of my computer trying to do this with a deck of cards and don't want
to move until I get an answer! Thanks!
please post or email!
[EMAIL PROTECTED]
------------------------------
Date: Thu, 27 Jan 2000 21:34:46 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Attack on elliptic curves over GF(2^m), m composite
=====BEGIN PGP SIGNED MESSAGE=====
I haven't seen this mentioned on sci.crypt yet, and it is relevant
to people here who are implementing elliptic curve cryptography.
http://www.security.ece.orst.edu/emails/ieee00/0008
> From [EMAIL PROTECTED] Sat Jan 15 08:34:24 2000
> Date: Fri, 14 Jan 2000 15:38:18 +0000
> From: Nigel Smart <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: P1363: ECC Stuff
>
>
> ---------------------------------------------------------------------
> This is a stds-p1363-discuss broadcast. See the IEEE P1363 web page
> (http://grouper.ieee.org/groups/1363/) for more information. For
> list info, see http://grouper.ieee.org/groups/1363/maillist.html
> ---------------------------------------------------------------------
>
> Hi All,
>
> I think it would be a good idea for the P1363 document to recommend
> that in ECC systems in char 2 that the finite field used should be
> chosen to be of the PRIME degree over F_2.
>
> It is has been suspected by the experts for some time that curves
> over fields of composite degree over F_2 could be weaker. Indeed
> G. Frey gave a talk in Waterloo in 1998 which mentioned this idea,
> as have a number of other people in other meetings over the last couple
> of years.
>
> Just before Xmass at a meeting in Cirencester (UK) on "Coding and
> Cryptography", Steven Galbraith presented a joint paper with me
> describing further details of the possible problems with such
> curves. (The proceedings are available as an LNCS volume).
>
> At this conference we also announced that Florian Hess (Uni. Sydney),
> Pierrick Gaudry (\'{E}cole Polytechnique) and myself have discovered
> the following fact....
>
> Let q=2^t and fix an integer n>=4.
>
> Consider an elliptic curve over F_{q^n}. Then for "most" such
> curves one can solve the dlog problem on E(F_{q^n}) in time
>
> O(q^{2+epsilon})
>
> this should be compared to Pollard rho which would give a time of
>
> O(q^{n/2}).
>
> The full version of this technical report will be made available on
> the HP Laboratories WWWEB site in the next week or so...
>
> http://www.hpl.hp.com/
> and
> http://www.hpl.hp.com/news/ecc.html
>
> It should be pointed out that "random" curves defined over
> i) A prime field F_p
> or
> ii) A field of prime degree over F_2, F_{2^p}
>
> ARE NOT AFFECTED IN ANY WAY by this new result. Neither are Koblitz
> type curves defined over fields of any degree over F_2.
>
> Making P1363 recommend only prime fields or those of prime degree
> over F_2 would bring P1363 into line with the recently recommended
> NIST curves and the way the ANSI standards are progressing. Hence
> such a move would make sense not only from the security perspective
> but also from the standards and interoperability perspective.
>
> Yours
>
> Nigel
>
> P.S. The current version of P1363 on the WWWEB still has the wrong
> reference for my paper on anomolous curves. I presume this will be
> changed when it is next updated ?
> --
> Nigel P. Smart | mail: [EMAIL PROTECTED]
> Hewlett-Packard Laboratories | talk: +44 (0) 117 312 9338
> Filton Road, Stoke Gifford | fax: +44 (0) 117 312 9870
> Bristol BS34 8QZ, U.K. | http://hplbwww.hpl.hp.com/mcs/
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOJC52zkCAxeYt5gVAQEzkgf/Vemz8cpCugdgjUriIKDyT6vTzg0UC/Pa
H77WwCrC4/kWjgm6PpscifqzpWLGetDrds/9K3B2WjrSuWyg//kpxd8UxW6YJAEu
ARctRjTgaXyhUQ31mCxHcTkySYsxBGDSLkCLoKhTkvmekJNf50wvcWLbU1iDLgCS
uD6IuVFhXhKVGtEn/9a63j2oz99snmZhC3lLWcaYdZdgLW/mx3jgMUhApoSWEr9b
kF6ARtzT4wrO7xDntKkEVRGriL8h1j4k/BhXlnAyBak9xcJbX731mf2JNxlD601+
kqZ4Njgs8ePxEJ4VdHtqrwo7sCDncsFQDKzt/82RFfzfmUrIUlmVWQ==
=Lz/7
=====END PGP SIGNATURE=====
------------------------------
Date: Thu, 27 Jan 2000 21:37:37 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: ECM Factoring and RSA Speed Ups
=====BEGIN PGP SIGNED MESSAGE=====
Tom St Denis wrote:
>
> First off any papers floating around about ECM?
Funnily enough, I was searching for exactly the same thing yesterday.
This is what I could find on-line:
P. L. Montgomery,
A survey of modern integer factorization algorithms,
CWI Quarterly 7 (1994), 337-366. MR 96b: 11161.
ftp://ftp.cwi.nl/pub/pmontgom/cwisurvey.psl.Z
P. L. Montgomery,
An FFT extension of the elliptic curve method of factorization,
Ph. D. dissertation, Mathematics, University of California at
Los Angeles, 1992.
ftp://ftp.cwi.nl/pub/pmontgom/ucladissertation.psl.Z
> Second, how do you speed up RSA when more then two primes are being
> used. For argument sake let's say you have 3 384-bit primes, p, q, r.
> And of course n = pqr.
See "Garner's algorithm" (Handbook of Applied Cryptography
Algorithm 14.72, also see notes 14.70 and 14.75). This is similar
to Gauss' algorithm, but slightly more efficient.
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
"Attempts to control the use of encryption technology are wrong in principle,
unworkable in practice, and damaging to the long-term economic value of the
information networks." -- UK Labour Party pre-election policy document
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEUAwUBOJC6jTkCAxeYt5gVAQFxFwf1FBd29NQPT435dFyGv80yCMy9LYMEhhlL
LJGicrI61x70JGSmNQeF7SK8WX+Z4ZKHhGwMih+4+Ns2L3FDPb+It7gsVYlcHZjh
BMJJcALFQQWJh63NbrMTiZ5pTMIQ7GsrcsMTUWLb2+qjHPfKfZ1e08S4SpfnEZZn
q1w7dGs7FZ0/ME51YAnAqC93R5uNeHPyOVGikPXK7zF8P9OYahfj9pesrg+WlSP+
OovveJjKQsC2GvgJY2YdYNUHzEodrDoQN10E/s3PIqCQlEa7lzMEILH7CSQP44xH
CGXfMGj7y9ODCuObK3cxJv9Y/isxyIGixzB/23DrZHJF8hxfuf3K
=x65f
=====END PGP SIGNATURE=====
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: Solitaire Encryption Algorithm question...
Date: Thu, 27 Jan 2000 14:14:36 -0800
"anonymous intentions" <[EMAIL PROTECTED]> wrote ...
[...]
: Now my problem is that my key looks like this:
: .
: .
: 5 diamonds
: JOKER B
: 3 diamonds
: 8 diamonds
: .
: .
: should I "move" them down such as it would be:
: .
: .
: 5 diamonds
: 3 diamonds
: 8 diamonds
: JOKER B
The above is correct, as I understand the algorithm.
The Bjoker jumps over 2 cards.
: .
: or would it instead be "swapped":
: .
: .
: 5 diamonds
: 8 diamonds
: 3 diamonds
: JOKER B
No, "swapping" just describes what happens when the
Ajoker jumps over 1 card.
In other words, the Ajoker "jumps over 1 card", and the
Bjoker "jumps over 2 cards".
Also, as I recall from an earlier posting by Paul Crowley,
the algorithm has an irreversibility problem that would be
remedied by a slight change, namely: if a joker is on the
bottom, one of its "jumps" is used up by moving it from
bottom to top.
--
r.e.s.
[EMAIL PROTECTED]
------------------------------
From: "anonymous intentions" <[EMAIL PROTECTED]>
Subject: Re: Solitaire Encryption Algorithm question...
Date: Thu, 27 Jan 2000 14:14:30 -0800
Never mind, after reading a little further.. <duh> I found the answer... I
will state it here:
So if the deck looks like this before step 1:
A 7 2 B 9 4 1
at the end of step 2 it should look like:
7 A 2 9 4 B 1
so my cards:
> 5 diamonds
> JOKER B
> 3 diamonds
> 8 diamonds
will look like:
5 diamonds
3 diamonds
8 diamonds
JOKER B
Thanks anyway! I am usually not this dumb. Usually.
"anonymous intentions" <[EMAIL PROTECTED]> wrote in message
news:xS2k4.1225$[EMAIL PROTECTED]...
> Hello I read the nomicon, as well as counterpane's page on how to generate
> the key and the keystream.
>
> I am stuck on producing a single output character.
> The wording is this:
>
> "1. Find the A joker. Move it one card down. (That is, swap it with the
card
> beneath it.) If the joker is the bottom card of the deck, move it just
below
> the top card."
>
> "2. Find the B joker. Move it two cards down. If the joker is the bottom
> card of the deck, move it just below the second card. If the joker is one
up
> from the bottom card, move it just below the top card. (Basically, assume
> the deck is a loop...you get the idea.) " -source:
> http://www.counterpane.com/solitaire.html
>
> Now my problem is that my key looks like this:
> .
> .
> 5 diamonds
> JOKER B
> 3 diamonds
> 8 diamonds
> .
> .
> should I "move" them down such as it would be:
> .
> .
> 5 diamonds
> 3 diamonds
> 8 diamonds
> JOKER B
> .
> .
> or would it instead be "swapped":
> .
> .
> 5 diamonds
> 8 diamonds
> 3 diamonds
> JOKER B
> .
> .
> or something entirely different?!
>
> As one could see I am confused with moving and swapping. I am sitting in
> front of my computer trying to do this with a deck of cards and don't want
> to move until I get an answer! Thanks!
>
> please post or email!
> [EMAIL PROTECTED]
>
>
>
>
>
>
------------------------------
From: Jere Hakanen <[EMAIL PROTECTED]>
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: Fri, 28 Jan 2000 00:34:31 +0200
Bill Unruh wrote:
> Wasn't Norway also the country whose police acted as the Church of
> Scientology toadies in shutting down an annonymous remail?
No. Unfortunately that was anon.penet.fi in Finland.
Jere Hakanen
------------------------------
From: [EMAIL PROTECTED] (Steve K)
Subject: Re: Best Encryption Software?
Date: Thu, 27 Jan 2000 22:38:20 GMT
On Thu, 27 Jan 2000 13:54:35 -0600, [EMAIL PROTECTED] wrote:
>Can anyone reccomend good encryption software? I need to
>transfer data (a database) via an FTP site and need a good encryption
>program (and something that will compact it if possible). The data is
>very sensitive so I need to feel fairly secure.
I assume that you will be encrypting the database, and uploading it
for others to download?
If so, PGP seems like a good solution. It is the de facto encryption
standard, and so far, nobody has shown any signifigant weaknesses in
it. Note that you can encrypt messages to multiple recipients, and
yes, it does compress encrypted data.
HTH,
Steve
---Continuing freedom of speech brought to you by---
http://www.eff.org/ http://www.epic.org/
http://www.cdt.org/
PGP key 0x5D016218
All others have been revoked.
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Any Reference on Cryptanalysis on RSA ?
Date: Thu, 27 Jan 2000 15:40:10 -0700
Bob Silverman wrote:
>
> In article <86pngs$7s$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Keith A Monahan) wrote:
> > Quoting from Bruce Schneier's Applied Cryptography,
> >
> > Table 7.9
> > Symmetric and Public-key Key Lengths
> > with Similar Resistances to Brute-Force Attacks
> >
<snip>
>
> Is this table really in Schneier's book? It is worse than hopeless.
>
<snip definition of "brute-force">
I suppose this is a result of attempting a "for the masses"
book. Earlier in the same chapter (7.2, 3rd paragraph), he says:
In any case, today's dominant public-key algorithms
are based on the difficulty of factoring large
numbers that are the product of two large primes.
(Other algorithms are based on something called the
Discrete Logarithm Problem, but for the moment,
assume the same discussion applies.) These algorithms
are also susceptible to a brute-force attack, but of
a different type. Breaking these algorithms does not
involve trying every possible key; breaking these
algorithms involves trying to factor the large number
(or taking discrete logarithms in a very large finite
field - a similar problem). If the number is too
small, you have no security. If the number is large
enough, you have security against all the computing
power in the world working from now until the sun goes
nova - given today's understanding of the mathematics.
Then he goes on to mention the quadratic sieve, the general
number field sieve, and the special number field sieve, saying
that factoring methods have improved greatly, and it isn't
obvious how far it can (or can't) go.
Clearly, he is being loose with terminology, and I think it is
because of his audience.
On the other hand, the term "brute-force" for public-key algorithms
is (ab)used in various ways. I've seen some use the term to mean
trying every possible bit pattern for the private key! Exactly
how brutishly stupid does a technique need to be to be called
"brute-force"?
Interestingly, the last section in that chapter starts:
This entire chapter is a whole lot of nonsense. The
very notion of predicting computing power 10 years
in the future, let alone 50 years is absolutely
rediculous. These calculations are meant to be a
guide, nothing more. If the past is any guide, the
future will be vastly different from anything we
can predict.
That much, at least, is sound.
John M.
------------------------------
From: CLSV <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Thu, 27 Jan 2000 22:44:29 +0000
[EMAIL PROTECTED] wrote:
> Alas the situation is still worse. We don't even know that
> practical and secure ciphers exist. We cannot disprove, or
> even bound the probability away from 1, that an attacker has
> a single algorithm that breaks all key-based ciphers given
> ciphertext that covers the unicity distance.
A *single* algorithm that breaks *all* key-based ciphers?
I think/believe that this is awfully close to being
reducible to the Halting Problem. It does not sound very
realistic to me.
Regards,
CLSV
------------------------------
Date: Thu, 27 Jan 2000 17:57:57 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Tom St Denis wrote:
> In article <86ourv$ppq$[EMAIL PROTECTED]>,
> Greg <[EMAIL PROTECTED]> wrote:
> > How much does it cost to share knowledge?
> >
> > Well, in America, the question is, "How much are you willing to pay
> > for knowledge?"
> >
> > Tough lesson, but that is the free market in action...
>
> That's sad, as scientists I would think their main goal was the
> development of the human understanding of things. Math always existed
> we are just *finding* it. That's why patents must be abolished. It's
> analogous to patenting a new found island because you found it first.
> That's silly.
>
> Common we are suppose to be evolving as a society yet we cling to some
> paper with printing on it. that's very primitive.
Tom, you are making several mistakes based on lack of knowledge. I
suggest that you look into the origins of property and how ownership comes
about. The classical thesis is that one owns something (physical things
like land, tools, whatever) because one has "mixed one's labor with it".
When you apply this principle to mental labor you'll find that there is no
mixing, the product is pure (mental) labor. There is nothing that is more
clearly "mine" than my labor. If you place a claim upon my labor, you
need to defend that claim with some pretty good rationale. "The good of
society" does not count at all.
Now the issue of whether math is made or discovered is extremely deep.
But it is also irrelevant. Practically it takes work to do both. And
getting people to work requires incentives. Patents are a way to _limit_
the incentives in the time domain. Otherwise we'd be a society driven by
groups/guilds/clans/etc each possessing trade secrets. And some trade
secrets are still held long term (100+ years), principally chemical
formulae like the recipe for coke, fermentation magic, hardening metals,
etc.
As a society we don't cling to printed paper. We cling to the ideas
embodied in those documents. Both the Magna Carta and paper money
represent quite sophisticated ideas. They aren't primitive at all.
------------------------------
Date: Thu, 27 Jan 2000 18:00:26 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
"Douglas A. Gwyn" wrote:
> Tom St Denis wrote:
> > Math always existed we are just *finding* it.
>
> Very many mathematicians would disagree with you!
>
> > That's why patents must be abolished.
>
> If expensive development costs cannot be recouped by a legal
> claim on the process, you can be *sure* that the process is
> *not* going to be openly published. The purpose of the patent
> system is to ensure publication of new ideas by guaranteeing
> that the inventor can be rewarded for his work.
>
> > It's analogous to patenting a new found island because you
> > found it first. That's silly.
>
> "Straw men" are always silly. Islands are *claimed* for
> possession, not patented. And claiming newly discovered
> territory is *not* silly, it is standard historical practice.
>
> I know that schools don't teach much these days, but surely
> they must have covered *that*.
>
> > Common we are suppose to be evolving as a society yet we
> > cling to some paper with printing on it. that's very primitive.
>
> Taking somebody's property without permission or compensation
> is *not* primitive? Where do you get your ideas??
Ahem. I think that may have come out wrong. Taking somebody's property
_is_ primitive. Protecting property rights and the abstract rules that
govern things like eminent domain are not primitive.
------------------------------
From: David Kessner <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: DES Hardare - chips/cores
Date: Thu, 27 Jan 2000 15:53:54 -0700
[EMAIL PROTECTED] wrote:
>
> I am trying to find standard chip sets/FPGA cores to perform DES-56
> encryption on a OC-3 (155Mbps) ATM cell stream. I also need to do the
> encryption in counter mode. Can you please recommend commercial chip
> sets / FPGA cores that I can use to do DES-56 in counter mode. I am a
> novice to the encryption world.
>
> Thanks
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
You will find my DES core at The Free-IP Project
(http://www.free-ip.com).
It easily handles the speeds you need.
Best of all, it's FREE! :)
David Kessner
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Wim Lewis)
Crossposted-To: rec.arts.sf.science
Subject: Re: Unsafe Advice in Cryptonomicon
Date: 27 Jan 2000 23:01:22 GMT
In article <85ilss$4js$[EMAIL PROTECTED]>,
Mike McCarty <[EMAIL PROTECTED]> wrote:
>Paramagnetic and ferromagnetic materials are attracted to higher field
>concentrations, diamagnetic materials are repelled from higher field
>concentrations.
And conductive materials are *repelled* from varying fields due to
the induction of eddy currents --- Lenz' law, if I remember my freshman
physics correctly.
IIRC, though, higher-density mangetic media tend to use less magnetically
"soft" materials, to keep adjacent bits from demagnetizing each other.
This means you'll need a very strong field to make the disk unreadable.
I have a feeling it wouldn't be possible to make a working doorway
degausser a la Cryptonomicon without producing significant heating effects
on objetcs and people passing through.
--
Wim Lewis * [EMAIL PROTECTED] * Seattle, WA, USA
------------------------------
From: Uri Blumenthal <[EMAIL PROTECTED]>
Subject: Re: Strong stream ciphers besides RC4?
Date: Thu, 27 Jan 2000 17:56:38 -0500
Reply-To: [EMAIL PROTECTED]
Oh, Greg Rose designed a very cute stream cipher "SOBER".
It seems to be secure, and it's fast. Presented on 3rd
AustralAsian Crypto in 1998.
--
Regards,
Uri [EMAIL PROTECTED] M.C.Ht N2RIU
-=-=-==-=-=-
<Disclaimer>
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
