Cryptography-Digest Digest #724, Volume #11       Sun, 7 May 00 13:13:00 EDT

Contents:
  Re: SBOX program using ideas from CA and ST (CAST design) (Tim Tyler)
  Re: Fresco transmits my name (was: Spammed after just visiting a site) ("David J. Ruck")
  RSA data (Ragnarok)
  Re: Increasing bit Entropy (Tim Tyler)
  Re: Why no civilian GPS anti-spoofing? / proposal (Tony L. Svanstrom)
  Re: RSA data (Tom St Denis)
  Re: SBOX program using ideas from CA and ST (CAST design) (Tom St Denis)
  Re: Fresco transmits my name (Tim Tyler)
  Re: The Illusion of Security (Tim Tyler)
  Re: The Illusion of Security (Tim Tyler)
  hardware sboxes (Tom St Denis)
  Re: SBOX program using ideas from CA and ST (CAST design) (Tim Tyler)
  Re: Is this random? ([EMAIL PROTECTED])
  Re: SV: cryptographically secure (Gisle Sælensminde)
  Re: Why no civilian GPS anti-spoofing? / proposal ([EMAIL PROTECTED])
  Re: Increasing bit Entropy (Jim Reeds)
  Re: new Echelon article (Diet NSA)
  Re: zeroknowledge.com and freedom.net - Snake oil? (David A. Wagner)
  Re: zeroknowledge.com and freedom.net - Snake oil? (David A. Wagner)
  Re: zeroknowledge.com and freedom.net - Snake oil? (David A. Wagner)

----------------------------------------------------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: SBOX program using ideas from CA and ST (CAST design)
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 14:26:39 GMT

Terry Ritter <[EMAIL PROTECTED]> wrote:
: sci.crypt Tim Tyler <[EMAIL PROTECTED]> wrote:
:>Tom St Denis <[EMAIL PROTECTED]> wrote:

[...]

:>: In my sboxgen.c (http://www.tomstdenis.com/sboxgen.c) I use a bunch of
:>: tables to speed up the WT code.
:>
:>Be aware that there's the Fast Walsh Transform - which is a bit like a FFT.
:>
:>Ritter describes this clearly [...]

: If he's not using FWT, then apparently I have not made myself very
: clear [...]

I got this impression some time ago, when it was written:

''[...] my WT is coded like so:

WT(F, alpha, beta)
{
sum = 0
for x = 0 to w
    sum = sum + (-1)^((alpha . x) * (beta . F[x]))
return sum
}''

This looks like no FWT I'm familiar with.

:> there's a description and algorithm in a book called "Topics in
:> Advanced Scientific Computation", by Richard E. Crandall.

: The Crandall exposition is just a few pages (pp.167-170) and doesn't
: do much for me, but I never know how others take these things.

This got cited because it was the only other FWT code I had managed to lay
my hands on - rather than because of any great technical merit ;-|
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  UART what UEAT.

------------------------------

Crossposted-To: comp.sys.acorn.misc
From: "David J. Ruck" <[EMAIL PROTECTED]>
Subject: Re: Fresco transmits my name (was: Spammed after just visiting a site)
Date: Sun, 7 May 2000 15:25:13 +0100

In article <[EMAIL PROTECTED]>, Rev. James Cort
<URL:mailto:[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>, Mark Wooding
> >  * The symmetric session keys are too short.  A space of 2^{128} bits
> >    can be searched in less than a week given the sort of computing
> >    power available to the US government.
> 
> IMHO, most likely possibility. Intel admit to having some *much* faster
> processors operating in their labs than anything generally available.
> Why shouldn't the government have similar or greater levels of computing
> power which *aren't* known about?

At any time chip manufacturers can generally produce a very small yield of 
CPUs running at double or more the normal clock rate. So in the labs they
have 1.5GHz Pentium IIIs, but this will have no impact whatsoever on
key cracking. The sort of things the NSA have are hypercubes of 30,000
(possibly a lot more now) general processors for brute force cracking, and
specialist super computers with ALUs optimised for certain algorithms
and mathematical functions such as factorisation.

---druck



------------------------------

From: Ragnarok <[EMAIL PROTECTED]>
Subject: RSA data
Date: Sun, 07 May 2000 14:50:20 GMT


    I understand that any data to be RSA-encrypted/decrypted must be an
integer smaller than the RSA modulus chosen. In general, however, one
wants to encrypt/decrypt arbitrary strings of bits.

    Is there a standardized way to do the mapping from arbitrary strings
of bits to integers, and back? Or is it perhaps up to each implementor to
come up with one that suits their particular architecture best?





------------------------------

Crossposted-To: sci.crypt.random-numbers
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Increasing bit Entropy
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 14:44:14 GMT

In sci.crypt.random-numbers Scott Nelson <[EMAIL PROTECTED]> wrote:
: On Sat, 06 May 2000 RavingCow <[EMAIL PROTECTED]> wrote:

:>If I have two streams of bits with a entropy of 0.5 bits / bit, how can
:>I combine these to increase randomness? 

: [...] the same methods which are used to distill randomness 
: from one stream can be used on two.
: Probably the best would be to use a large hash.
: For example, use SHA1 on the concatenation of 160 bits of 
: the first stream and 160 bits of the second.
: Unless the streams are extremely bizarre, this will produce
: very close to 1 bit of entropy per bit.

As a bit of a digression, I don't know if this is at all conventional -
but it seems to me that if the inputs have low enough entropy, it would be
useful to take some measures to avoid repeating inputs to the hash from
resulting in repeating outputs.

Something like feeding the output of the hash back in as a component
of its inputs might help with this problem.

I'm assuming you can't just opt to produce less output for the given
input.

It also seems to me that a possible alternative construction to a hash
would be a structure designed to generate random numbers, which allows for
an input source of entropy, - something like Yarrow.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Be good, do good.

------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Crossposted-To: sci.geo.satellite-nav
Subject: Re: Why no civilian GPS anti-spoofing? / proposal
Date: Sun, 7 May 2000 17:03:57 +0200

R J Carpenter <[EMAIL PROTECTED]> wrote:

> And wouldn't spoofing likely affect two planes the same way, and not
> cause a collision?

Not if it's a narrow signal aimed at just that plane.


     /Tony
-- 
     /\___/\ Who would you like to read your messages today? /\___/\
     \_@ @_/  Protect your privacy:  <http://www.pgpi.com/>  \_@ @_/
 --oOO-(_)-OOo---------------------------------------------oOO-(_)-OOo--
 DSS: 0x9363F1DB, Fp: 6EA2 618F 6D21 91D3 2D82  78A6 647F F247 9363 F1DB
 ---ôôô---ôôô-----------------------------------------------ôôô---ôôô---
    \O/   \O/  ©1999  <http://www.svanstrom.com/?ref=news>  \O/   \O/

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RSA data
Date: Sun, 07 May 2000 15:04:50 GMT



Ragnarok wrote:
> 
>     I understand that any data to be RSA-encrypted/decrypted must be an
> integer smaller than the RSA modulus chosen. In general, however, one
> wants to encrypt/decrypt arbitrary strings of bits.
> 
>     Is there a standardized way to do the mapping from arbitrary strings
> of bits to integers, and back? Or is it perhaps up to each implementor to
> come up with one that suits their particular architecture best?

Look up PKCS #1 on the RSA Security Website.

Tom
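As an added example (not the poster's code, and not text taken from PKCS #1 itself): the two conversion primitives PKCS #1 defines for exactly this mapping, OS2IP (octet string to integer) and I2OSP (integer to an octet string of a stated length), on a toy big integer of 32-bit limbs; the limb layout, the LIMBS bound and the sample octets are the example's own choices.

```c
/* Added example, not from the thread: PKCS #1's OS2IP and I2OSP on a toy
 * big integer of 32-bit limbs.  The limb layout and LIMBS bound are this
 * example's own; the sample octet strings are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LIMBS 64                 /* up to 2048-bit values, enough for one RSA block */
typedef struct { uint32_t v[LIMBS]; } bigint;   /* v[0] is the least significant limb */

/* Byte k (0 = least significant) of a bigint. */
static uint8_t byte_at(const bigint *x, size_t k) { return (uint8_t)(x->v[k / 4] >> (8 * (k % 4))); }

/* OS2IP: read xlen octets as one big-endian base-256 integer.
 * Returns -1 only if the toy representation is too small. */
static int os2ip(const uint8_t *x, size_t xlen, bigint *out) {
    if (xlen > 4 * LIMBS) return -1;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < xlen; i++) {
        size_t k = xlen - 1 - i;                    /* x[0] is the most significant octet */
        out->v[k / 4] |= (uint32_t)x[i] << (8 * (k % 4));
    }
    return 0;
}

/* I2OSP: write x as exactly xlen big-endian octets, leading zeros included,
 * which is what restores a decrypted block to its full k-octet length.
 * Returns -1 ("integer too large") if x does not fit in xlen octets. */
static int i2osp(const bigint *x, uint8_t *out, size_t xlen) {
    if (xlen > 4 * LIMBS) return -1;
    for (size_t k = xlen; k < 4 * LIMBS; k++)        /* any nonzero octet above xlen? */
        if (byte_at(x, k)) return -1;
    for (size_t i = 0; i < xlen; i++)
        out[i] = byte_at(x, xlen - 1 - i);
    return 0;
}

/* Round trip of a constructed 3-octet string through both primitives;
 * returns 0 on success, otherwise the number of the step that failed. */
static int demo(void) {
    const uint8_t msg[3] = { 'R', 'S', 'A' };    /* constructed sample, = 0x525341 */
    uint8_t back[5];
    bigint n;
    if (os2ip(msg, 3, &n) != 0 || n.v[0] != 0x525341u) return 1;
    if (i2osp(&n, back, 2) != -1) return 2;      /* too large for 2 octets: must fail */
    if (i2osp(&n, back, 3) != 0 || memcmp(back, msg, 3) != 0) return 3;
    if (i2osp(&n, back, 5) != 0 || back[0] != 0 || back[1] != 0) return 4;   /* leading zeros */
    if (memcmp(back + 2, msg, 3) != 0) return 5;
    return 0;
}
```

These two primitives are only the outer layer: PKCS #1 also specifies the padding (EME-OAEP, or EME-PKCS1-v1_5) that turns a message into exactly k octets encoding an integer below the modulus, so the raw message never goes straight into the exponentiation.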

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SBOX program using ideas from CA and ST (CAST design)
Date: Sun, 07 May 2000 15:05:56 GMT



Tim Tyler wrote:
> 
> WT(F, alpha, beta)
> {
> sum = 0
> for x = 0 to w
>     sum = sum + (-1)^((alpha . x) * (beta . F[x]))
> return sum
> }''
> 
> This looks like no FWT I'm familiar with.

It's the WT transform from Matsui's linear cryptanalysis.

I would gladly switch to the FWT (I have seen it mentioned elsewhere) if
I could get some pseudo-code (Sorry Terry I don't have the time to
figure out your javascript program...)

------------------------------

Crossposted-To: comp.sys.acorn.misc
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Fresco transmits my name
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 15:03:57 GMT

In sci.crypt David J. Ruck <[EMAIL PROTECTED]> wrote:
: Rev. James Cort <URL:mailto:[EMAIL PROTECTED]> wrote:
:> In article <[EMAIL PROTECTED]>, Mark Wooding wrote:

:> >  * The symmetric session keys are too short.  A space of 2^{128} bits
:> >    can be searched in less than a week given the sort of computing
:> >    power available to the US government.
:> 
:> IMHO, most likely possibility. Intel admit to having some *much* faster
:> processors operating in their labs than anything generally available.
:> Why shouldn't the government have similar or greater levels of computing
:> power which *aren't* known about?

: At any time chip manufacturers can generally produce a very small yield of 
: CPUs running at double or more the normal clock rate [...] but this
: will have no impact whatsoever on key cracking. The sort of things
: the NSA have are hypercubes of 30,000 (possibly a lot more now) general
: processors for brute force cracking, and specialist super computers
: with ALUs optimised for certain algorithms and mathematical functions
: such as factorisation.

My understanding is that none of this is remotely likely to help
with a straightforward search through a 2^128 keyspace.  That makes
this particular possibility one of the most /unlikely/ ones, IMO.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Breast is best.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 15:12:25 GMT

Diet NSA <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> wrote:

:> A proof of security that would satisfy a hardened sceptic
:> appears to be inconceivable.

: There may not be a proof in an affirmative sense, but would a
: hardened sceptic be satisfied if, practically speaking, we could
: render the statistical analysis of encrypted data useless? [...]

If you could demonstrate that statistical analysis will /always/ be
useless, yes - but how could you go about doing that?

I don't see why a sceptic should be convinced by observing someone trying
all the types of statistical analysis they happened to know and failing
to locate a pattern.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Be good, do good.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 15:21:13 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> A proof of security that would satisfy a hardened sceptic appears to
:> be inconceivable.

: That is a philosophical and psychological problem exhibited by the
: skeptic, not a problem with physics, mathematics, nor engineering.

: The conversion of inherent quantum randomness to laboratory-scale
: randomness happens all the time in physics laboratories, e.g. in
: multichannel analyzers counting radiation events at different
: energies.  It really isn't too hard to extract randomness of as
: high a quality as one desires from such signals, but simpler and
: cheaper methods are used in practice.

Security is about obtaining secrecy in the face of active attack.

What use is a piece of electronic equipment designed to amplify quantum
events if you are unable to completely rule out the possibility that your
opponent has a powerful laser trained on your apparatus, or that he has
replaced your radioactive source with a device of his own making?

You can undoubtedly produce systems which are likely to be highly secure - 
but it still appears that you can't "prove" that you've got some
particular level of security, without making unjustifiable assumptions.

If resulting problems can culminate in an unexpected breach in your
security, I can see no real justification for calling the sceptic's
objections "philosophical".
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  UART what UEAT.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: hardware sboxes
Date: Sun, 07 May 2000 15:57:32 GMT

I modified my program so that it does this

for x = 0 to n
        do 
                do randomize(f[x]) while not is_sac(f[x])
        while not is_nonlinear(f[x]);
        if bijective(f[0..x]) increment x

And I get three of the four 4x1 sboxes in my test, but I can never seem
to find a fourth...

Any ideas?  The new source is on the website at

http://www.tomstdenis.com/func.c

[btw I still want to implement the fwt if it's better].

Tom

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: SBOX program using ideas from CA and ST (CAST design)
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 15:53:46 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

: I would gladly switch to the FWT (I have seen it mentioned elsewhere) if
: I could get some pseudo-code [...]

Terry's pseudo-code (Pascal) is here:
http://www.io.com/~ritter/ARTS/MEASNONL.HTM - 3/4 of the way down.

There's source code to my Java version here: http://mandala.co.uk/fwt/
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  This tagline no verb.
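An added example, not code from the thread, from sboxgen.c or from func.c, serving the WT pseudo-code quoted at the top of this digest, the FWT asked for here, and the is_sac / is_nonlinear / bijective checks in the "hardware sboxes" post: the naive transform beside the fast Walsh transform for a 4x1 box (where beta.F[x] is just f(x), and the sign exponent is taken as a.x XOR f(x)), with the nonlinearity, SAC and balance tests. N, W and the two sample truth tables are the example's own choices.

```c
/* Added example, not code from the thread, sboxgen.c or func.c: the Walsh
 * spectrum of a 4-input Boolean function by the fast Walsh transform, plus the
 * nonlinearity, SAC and balance tests an S-box search loop needs.  N, W and
 * the two sample truth tables are this example's own choices. */
#include <stdio.h>
#include <stdlib.h>
#define N 4          /* input bits: a 4x1 S-box */
#define W (1 << N)   /* truth-table entries, index x = x3x2x1x0 */
/* GF(2) dot product a . x = parity of a & x. */
static int dot(int a, int x) { int p = 0; for (int v = a & x; v; v >>= 1) p ^= v & 1; return p; }

/* Naive transform, one coefficient per call: O(2^N) each, O(4^N) for the whole
 * spectrum.  For a 4x1 box beta.F[x] is just f(x); the exponent is a.x XOR f(x). */
static int walsh_naive(const int *f, int a) {
    int sum = 0;
    for (int x = 0; x < W; x++) sum += (dot(a, x) ^ f[x]) ? -1 : 1;
    return sum;
}

/* Fast Walsh transform: t[x] = (-1)^f(x), then N in-place butterfly passes
 * (sum and difference of each pair) give all 2^N coefficients in O(N * 2^N). */
static void walsh_fast(const int *f, int *t) {
    for (int x = 0; x < W; x++) t[x] = f[x] ? -1 : 1;
    for (int len = 1; len < W; len <<= 1)
        for (int i = 0; i < W; i += 2 * len)
            for (int j = i; j < i + len; j++) {
                int u = t[j], v = t[j + len];
                t[j] = u + v;
                t[j + len] = u - v;
            }
}

/* Nonlinearity = distance to the nearest affine function = 2^(N-1) - max|W_f|/2. */
static int nonlinearity(const int *f) {
    int t[W], max = 0;
    walsh_fast(f, t);
    for (int a = 0; a < W; a++) if (abs(t[a]) > max) max = abs(t[a]);
    return W / 2 - max / 2;
}

/* SAC: flipping any single input bit must flip the output on exactly half the inputs. */
static int is_sac(const int *f) {
    for (int e = 1; e < W; e <<= 1) {
        int changed = 0;
        for (int x = 0; x < W; x++) changed += f[x] ^ f[x ^ e];
        if (changed != W / 2) return 0;
    }
    return 1;
}

/* Every component function of a bijective S-box must be balanced (W/2 ones). */
static int is_balanced(const int *f) { int n = 0; for (int x = 0; x < W; x++) n += f[x]; return n == W / 2; }
/* Constructed samples: the bent function x0x1 ^ x2x3 and the affine x0 ^ x1. */
static int bent_fn(int x)   { return ((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)); }
static int linear_fn(int x) { return (x & 1) ^ (x >> 1 & 1); }
static void fill(int *f, int (*g)(int)) { for (int x = 0; x < W; x++) f[x] = g(x); }

int main(void) {
    int f[W];
    fill(f, bent_fn);
    printf("bent:   nl=%d sac=%d balanced=%d\n", nonlinearity(f), is_sac(f), is_balanced(f));
    fill(f, linear_fn);
    printf("affine: nl=%d sac=%d balanced=%d\n", nonlinearity(f), is_sac(f), is_balanced(f));
    return 0;
}
```

The bent sample passes SAC with the maximum nonlinearity of 6 but is not balanced, which is the tension a bijective-S-box search keeps running into; the affine sample is balanced but fails both other tests.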

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is this random?
Date: Sun, 07 May 2000 16:09:13 GMT

Tim Tyler <[EMAIL PROTECTED]> wrote:
> That's not extra mashing - that looks to me like an attempt to write the
> next(int nbits) method in java.util.Random - but then giving up and
> renaming the result getInt(int nbits).

> Unfortunately this doesn't override what it should do - and clashes with
> the base class's getInt(int upper_bound) method in JDK >= 1.2 :-(

Thank you. I ended up walking away scratching my head the first time I
looked at it. ;) Admittedly though, I wasn't interested enough to
actually play with the code.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED] (Gisle Sælensminde)
Subject: Re: SV: cryptographically secure
Date: 7 May 2000 18:10:29 +0200

In article <koQQ4.5843$[EMAIL PROTECTED]>, Ali Tofigh wrote:
>I'm working on a Unix-platform, Sun-Solaris (5 I think). But if possible it
>would be nice to have the source-code also, making things much more
>portable... (I'm working in C)
>
>A good and safe pseudo random number generator would be great...
>

Newer versions of Solaris have a random device (/dev/random). I think 
there is a patch for older versions of Solaris too. There is also
a random device on Linux (the Solaris device is inspired by Linux, I think).



--
Gisle Sælensminde ( [EMAIL PROTECTED] )   

ln -s /dev/null ~/.netscape/cookies

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Why no civilian GPS anti-spoofing? / proposal
Date: Sun, 07 May 2000 16:23:26 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>> One can imagine a terrorist action sending slightly spoofed GPS
>> signals that cause two planes to crash into each other.

I have to admit, I'm having a hard time imagining this. I mean, don't
get me wrong, commercial airlines have appallingly small canopies, so I
can see the crew not seeing another plane. However, all things
considered:

1. Is the GPS in a plane really that fast? I mean, we're talking about
objects moving at a pretty good clip here, I'm not sure the units
update fast enough to actually navigate two planes into each other.

2. Wouldn't you need to fake said signal from a large number of
planes? It's a reasonably safe bet that a transmitter on a car or boat
isn't going to keep up with a 747. Not to mention you'd need to fake
three satellites, although I suppose it's possible to just use three
transmitters at once.

3. Aren't airlines equipped with proximity warnings now? And if you
can get to the plane to monkey with the transponder, why not just put
a bomb on board?

I'm sure there are other problems too. The bottom line is, I'm not
sure that every terrorist with a Radio Shack catalog will suddenly be
crashing planes.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

Crossposted-To: sci.crypt.random-numbers
From: Jim Reeds <[EMAIL PROTECTED]>
Subject: Re: Increasing bit Entropy
Date: Sun, 7 May 2000 16:25:34 GMT

Scott Nelson wrote:
> 
> On Sat, 06 May 2000 RavingCow <[EMAIL PROTECTED]> wrote:
> 
> >If I have two streams of bits with a entropy of 0.5 bits / bit, how can
> >I combine these to increase randomness?
...
> 
> >Would the entropy go up to
> >0.75, or would it be less?
> >
> In the general case, XOR will work well and produce
> a stream of approximately .71 bits/bit, but it might
> be more or less if the streams aren't independent and/or
> cross-dependent.

A wee bit more follows from a paper of Shamai and Wyner in the IEEE
Proc. IT, v. 36, 1990, pp.1428-1430, "A Binary Analog to the Entropy-
Power Inequality".   If each of the two streams is ergodic
and the 2 streams are independent of each other, their XOR will have
entropy AT LEAST what it would be if both of the streams were sequences
of independent bits.  So in the present case, if both input streams
are ergodic, the output stream will have entropy possibly more but not
less than .71 bits/bit.

> For example, if the both stream were 0's alternating with
> an unbiased independent bit, then the XOR of the streams
> might be 0.5 or 1.0 depending on the phase.

This is correct, but does not contradict the Shamai-Wyner result, as
such streams are not ergodic.

-- 
Jim Reeds, AT&T Labs - Research
Shannon Laboratory, Room C229, Building 103
180 Park Avenue, Florham Park, NJ 07932-0971, USA

[EMAIL PROTECTED], phone: +1 973 360 8414, fax: +1 973 360 8178
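An added example, not from the thread, that carries the figures above through: the bias p with h(p) = 0.5 bit, the entropy of the XOR of two independent bits with that bias (the .71 bits/bit quoted), and the phased alternating streams of the last exchange modelled per position. The local series logarithm is only there so the block builds without libm.

```c
/* Added example, not from the thread: the arithmetic behind the figures above.
 * A bit with 0.5 bit of entropy has bias p = P(1) with h(p) = 0.5; the XOR of
 * two independent such bits has P(1) = 2p(1-p), whose entropy is the .71 quoted.
 * The phased non-ergodic streams of the last exchange are modelled per position. */

/* Natural log by the series 2 * sum y^(2k+1)/(2k+1), y = (x-1)/(x+1), kept local
 * so the block builds without libm; accurate to about 1e-15 for x in (0, 2]. */
static double ln_(double x) {
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 400; k += 2) { sum += term / k; term *= y2; }
    return 2.0 * sum;
}
static double log2_(double x) { return ln_(x) / ln_(2.0); }

/* Binary entropy h(p) in bits. */
static double h2(double p) {
    if (p <= 0.0 || p >= 1.0) return 0.0;
    return -p * log2_(p) - (1.0 - p) * log2_(1.0 - p);
}

/* Bias p in (0, 1/2] with h2(p) = target, by bisection (h2 rises on that interval). */
static double bias_for_entropy(double target) {
    double lo = 0.0, hi = 0.5;
    for (int i = 0; i < 60; i++) {
        double mid = (lo + hi) / 2;
        if (h2(mid) < target) lo = mid; else hi = mid;
    }
    return (lo + hi) / 2;
}

/* P(1) of the XOR of two independent bits with P(1) = p and q. */
static double xor_bias(double p, double q) { return p * (1.0 - q) + q * (1.0 - p); }

/* Entropy per bit of the XOR of two independent i.i.d. streams of per-bit entropy e. */
static double xor_entropy_iid(double e) {
    double p = bias_for_entropy(e);
    return h2(xor_bias(p, p));
}

/* Nelson's non-ergodic example: a stream alternating a constant 0 with an
 * unbiased bit.  P(1) at position i, with the unbiased bit on odd i + phase. */
static double phased_bias(int i, int phase) { return ((i + phase) & 1) ? 0.5 : 0.0; }

/* Average entropy per bit of the XOR of two such streams, phase offset d
 * (d = 0: in step, d = 1: half a period apart).  Each stream alone averages 0.5. */
static double xor_entropy_phased(int d) {
    double total = 0.0;
    for (int i = 0; i < 2; i++)                 /* the pattern has period 2 */
        total += h2(xor_bias(phased_bias(i, 0), phased_bias(i, d)));
    return total / 2;
}
```

For the i.i.d. case the bias comes out near p = 0.110, the XOR bias near 0.196 and its entropy near 0.7135 bit; the phased streams give 0.5 bit in step and 1.0 bit half a period apart, exactly the two outcomes the quoted example describes.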

------------------------------

Subject: Re: new Echelon article
From: Diet NSA <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,alt.politics.org.nsa,alt.journalism.print,alt.journalism.newspapers
Date: Sun, 07 May 2000 09:44:24 -0700


In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

>Lessee ... Love Bug virus ... targets Windows and computers
>running specific Microsoft apps


I wonder how vulnerable, overall, the world's Microsoft systems will
continue to be. There are a huge number of bugs in Windows 2000, there is
plenty of extra computer capacity (on average) not being used, and more
people are connected more often (some continuously) than ever before.


>but is estimated to have caused millions in downtime and disruption,


The estimate is now billions of $$.



"If we do not prevent highly classified secrets from being stolen,
     then how are we going to sell them to the Chinese?"
                - Madeleine Albright (addressing recent thefts)


------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: zeroknowledge.com and freedom.net - Snake oil?
Date: 7 May 2000 09:20:32 -0700

In article <8f2nt6$[EMAIL PROTECTED]>,
Guy Macon <[EMAIL PROTECTED]> wrote:
> I am interested in a Canadian company called Zero-Knowledge Systems [...]
> Does anyone know whether this is snake oil?

It is certainly not snake oil.  The basic architecture seems to
be based on Chaum-ian MIXes, which have been studied for years.
That doesn't mean it is necessarily secure enough for all purposes,
but you can go read their whitepapers and decide for yourself.

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: zeroknowledge.com and freedom.net - Snake oil?
Date: 7 May 2000 09:24:06 -0700

In article <[EMAIL PROTECTED]>, Steve <[EMAIL PROTECTED]> wrote:
> On 06 May 2000 23:28:38 EDT, in sci.crypt you wrote:
> Gee whiz, I
> guess that means that Zero Knowledge gives *much* better security
> than that used by police networks and credit reporting agencies.

You seem to be laboring under a misimpression here.  I don't know
anything about police networks, but it doesn't seem to take much
at all to do better than the credit reporting agencies! :-)

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: zeroknowledge.com and freedom.net - Snake oil?
Date: 7 May 2000 09:26:32 -0700

In article <[EMAIL PROTECTED]>, Steve <[EMAIL PROTECTED]> wrote:
> And BTW, since the Freedom Network does not use latency or remix
> to muddy the digital trail, traffic analysis can determine who
> any user is, provided that someone with sufficient interest and
> funding cares.

Care to elaborate?  That was not my impression at all.
After all, I thought the whole architecture was based on mixing,
so I'm not sure where your comments are coming from, but I'd be
happy to be educated on what they're doing wrong.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
