Cryptography-Digest Digest #734, Volume #11       Mon, 8 May 00 17:13:00 EDT

Contents:
  Re: About Hardware RNG (Mike Rosing)
  Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net" 
("Garry Anderson")
  Re: Any good attorneys? (Eric Lee Green)
  Re: Factoring vs. Discrete Log Problem (DLP) (David A. Wagner)
  Re: Compression as decryption (Pred.)
  Re: Factoring vs. Discrete Log Problem (DLP) (Roger Schlafly)
  re: Idea for rng (Guy Macon)
  Re: zeroknowledge.com and freedom.net - Snake oil? (Guy Macon)
  Re: Any good attorneys? (Roger Schlafly)
  Re: An argument for multiple AES winners (wtshaw)
  Re: Idea for rng (Tom St Denis)
  Re: Some crude ideas about compressing plaintexts (wtshaw)
  Re: Newbie question about primes ("Simon Johnson")
  Re: Question about iraqi block cipher ([EMAIL PROTECTED])
  Re: new Echelon article (Jos Horikx)
  Re: Question about iraqi block cipher (David A. Wagner)

----------------------------------------------------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: About Hardware RNG
Date: Mon, 08 May 2000 12:11:44 -0500

Tom St Denis wrote:
> 
> I was wondering (being spoiled as I am) does anyone have a bread-boarded
> version of
> 
> http://world.std.com/~wware/hw-rng.html
> 
> Using either a 18v input or on-board 9v batt supply?
> 
> That you can spare?  I want to try it out, but I don't know how to read
> the diagram properly (I know the basic symbols....).

Not on me.  But that's really an RF receiver, not an RNG.  The "not connected"
pin is an antenna.  You want a source that's more secure, like a battery
inside a shielded box.  You also want the ability to balance the output.
That circuit isn't tunable.

Breadboards are expensive.  See if you can find some stuff at Radio Shack
(or get a real parts catalog like DigiKey).  Hardware is fun, but just as
time consuming as software :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Garry Anderson" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk
Subject: Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net"
Date: Mon, 8 May 2000 18:48:20 +0100

ant <[EMAIL PROTECTED]> wrote in message
news:s_zR4.16486$[EMAIL PROTECTED]...

Hello Ant,

> >I believe "natural language" recognition is true. I remember reading the
> >following information:
> >
> >A software program identified an individual by his writings from 5 people who
> >wrote in a similar style and manner. The technology has been available for
> >some time.
> >
> >It is good enough to recognize a person from several others. I have read
> >quite extensively on the subject and will do my best to find this again. Will
> >post here as soon as found.
>
>
> the phrase "semantic forests" should do the trick if you plug it into a
> good search engine

Thank you. I could not find the original link I got the information from.
But http://archiv.quintessenz.at/archiv/msg00958.html gives a good account
of the power of the Echelon system.



------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Any good attorneys?
Date: Mon, 08 May 2000 18:28:45 GMT

"Trevor L. Jackson, III" wrote:
> Copyrighted software has a different set of concerns than patented software.
> With copyrights, it is the act of copying that is restricted.  With patents, it
> is the act of usage that is restricted.

Actually, manufacture, sale, and use of a patented object is illegal in the
United States if done without permission of the patent-holder. From the U.S.
Code:
---snip----
                            TITLE 35--PATENTS
 
            PART III--PATENTS AND PROTECTION OF PATENT RIGHTS
 
                   CHAPTER 28--INFRINGEMENT OF PATENTS
 
Sec. 271. Infringement of patent

    (a) Except as otherwise provided in this title, whoever without 
authority makes, uses, offers to sell, or sells any patented invention, 
within the United States or imports into the United States any patented 
invention during the term of the patent therefor, infringes the patent.
----end snip---
This is similar to copyrights. The difference here is that with copyrights,
use of the (illegally copied) item is not illegal, while with patents, it is,
and with copyrights, distribution is illegal even if not sold, while with a
patented object, you can give the patented object to someone without the
patent holder's permission. 

For the guy wondering, "does this mean that end users can be liable for patent
violations", you betcha. The U.S. Code is clear. It doesn't matter that
somebody else illegally manufactured the patented item that you are using. You
have a legal responsibility to pay the appropriate license fees prior to use
of a patented item, whether or not you know that it's patented. This is what
makes patents so scary to big corporations, the patent owner can come after
not only the person who sold the patented object to them, but after them, too. 

> This is why using the international version of PGP is illegal inside the US.  It
> is not illegal to own, or even copy international PGP inside the US.  But it is
> illegal to use it.

Well, that would be arguable. Copying it could be construed as
"manufacturing", since you are creating a new product (the new copy of the
program that sits on your hard drive or the new copy you gave to someone
else). Mere possession of a copy that someone ELSE made, on the other hand,
would not be a problem insofar as patent law goes, as long as you don't use
it.


-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Factoring vs. Discrete Log Problem (DLP)
Date: 8 May 2000 10:59:33 -0700

I suspect we are disagreeing only over the meaning of words like
"much harder", not about the technical details.  The report from
Bob Silverman that you quoted suggests that factoring an x-bit
RSA composite is about as hard as taking discrete logs mod an
(x-30)-bit prime, and for the original poster's purposes that sounds
like it may count as "roughly comparable complexity".  The point
is, it's not x-bit factoring vs. x/2-bit DLP, or somesuch...

------------------------------

From: Pred. <[EMAIL PROTECTED]>
Subject: Re: Compression as decryption
Date: Mon, 08 May 2000 18:31:33 GMT


> Do you intend to hide your 'new algorithm' from the opponent?

No. It would be public. But the compression codec would be new in the
sense that it would be carefully designed with respect to encryption.
As an example, any frequency tables would be encrypted and the
placement of it would depend on the key.

> Even if an algorithm is weak, it may take quite a lot of time and
> effort to develop a method to systematically break it. People
> may not have the resource or interest to do that. So that's why,
> I guess, that questions of the sort 'Here is a novel algorithm.
> Can anyone show a method of attack?' are unlikely to obtain
> concrete answers in this group.

What I think is that adding a compressor - when correctly designed -
would make it very difficult to attack with differential analysis.

(Correctly designed meaning something like what David is talking about
on http://members.xoom.com/ecil/compress.htm)

No easy answers I guess, but can we say *something* about this?

Thanks!

 - Pred





Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Factoring vs. Discrete Log Problem (DLP)
Date: Mon, 08 May 2000 11:51:56 -0700

"David A. Wagner" wrote:
> I suspect we are disagreeing only over the meaning of words like
> "much harder", not about the technical details.  The report from
> Bob Silverman that you quoted suggests that factoring an x-bit
> RSA composite is about as hard as taking discrete logs mod an
> (x-30)-bit prime, and for the original poster's purposes that sounds
> like it may count as "roughly comparable complexity".  

If that were true, then I'd agree that they are roughly
comparable. But see Bob S's reply, where he says that 500-bit
DLP is still out of range.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: re: Idea for rng
Date: 08 May 2000 14:58:09 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
>
>I sent a post here instead of via email (big stupid mistake).  If you
>get a post called "idea for rng" please disregard it (or at least don't
>talk about it) (was suppose to goto a friend)
>
>I pulled a big-stupid this morning...
>
>Thanks,
>Tom St Denis

After checking the headers to make sure that it really was yours,
I took the liberty of cancelling the post.  If this is a problem
for you, I can repost it so that it looks just like what you
originally posted.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: zeroknowledge.com and freedom.net - Snake oil?
Date: 08 May 2000 15:05:54 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Matt 
Curtin) wrote:
>
>>>>>> "Guy" == Guy Macon <[EMAIL PROTECTED]> writes:
>
>  Guy> I am interested in a Canadian company called Zero-Knowledge
>  Guy> Systems
>[...]
>  Guy> Does anyone know whether this is snake oil?
>  Guy> crypto details are at [
>
>Definitely not snake oil.  I was part of an external group of folks
>who did a code review.  Everyone involved through design and
>implementation clearly knows what they're doing.  Frankly, I only
>rarely have seen C code survive a code review the way that their stuff
>did.  Very impressive work.
>
>The basic architecture and whatnot is well-known from the cypherpunk
>community, i.e., MIX a la Chaum.  Their crypto algorithms are also
>well-known.  There aren't any real revolutions here and that's really
>the point.  Things that have been studied and are well understood (and
>therefore pretty well trusted) put together in ways that offsets each
>components' weaknesses with the others' strengths is the stuff of
>secure systems.
>
>There are some attacks against the system, but these are documented.
>I know some of the ZKS folks and suspect that they'll be focusing on
>defending against the attacks more than adding new whiz-bang features.

Thanks!


I asked about an NT version and got this reply:
(I like the "nothing personal" bit!)

|Dear Guy,
|
|Thank you for your interest in Freedom and Zero-Knowledge Systems. 
|
|Now that we've released Freedom 1.0 for Win9x, we're focused on the next
|build, as well as developing Freedom for WinNT, Win2000, Mac and Linux.
|
|We started with the Win platforms as it is our wish to make Freedom
|available to as many people as possible, as quickly as possible, and Win9x
|is undeniably (sigh) the best way to do so.
|
|We do not have a release date set for these versions of Freedom.
|We are hoping to see them ready during the second half of this year.
|We can't wait!!
|
|Check-in with us on a regular basis, and then you'll know as soon as we
|announce when we're planning on unleashing Freedom for other platforms.
|
|We invite you to sign up to receive the latest updates and press releases at
|our media section http://www.zeroknowledge.com/media/
|
|Sincerely,
|Aphrodite [mailto:[EMAIL PROTECTED]]
|Freedom Fighter
|------------------------------------------------------------------
|Zero-Knowledge Systems--Nothing personal
|888 de Maisonneuve East, 6th Floor
|Montreal, Quebec H2L 4S8
|Canada
|p: 1.877.691.3733 (toll free in Canada and the U.S.)
|or 1.514.286.2636
|f: 1.514.350.7587
|
|
|-----Original Message-----
|From: Guy Macon [mailto:[EMAIL PROTECTED]]
|Sent: May 6, 2000 11:45 PM
|To: [EMAIL PROTECTED]
|Subject: When can I buy an NT version?
|
|I use Windows NT 4.0.  When will I be able to use Freedom?





------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Any good attorneys?
Date: Mon, 08 May 2000 12:19:29 -0700

Eric Lee Green wrote:
> "Trevor L. Jackson, III" wrote:
> > Copyrighted software has a different set of concerns than patented software.
> > With copyrights, it is the act of copying that is restricted.  With patents, it
> > is the act of usage that is restricted.
> 
> Actually, manufacture, sale, and use of a patented object is illegal in the
> United States if done without permission of the patent-holder. From the U.S.
> Code:
> ---snip----
> For the guy wondering, "does this mean that end users can be liable for patent
> violations", you betcha. The U.S. Code is clear. 
> 
> > This is why using the international version of PGP is illegal inside the US.  It
> > is not illegal to own, or even copy international PGP inside the US.  But it is
> > illegal to use it.
> 
> Well, that would be arguable. Copying it could be construed as
> "manufacturing", since you are creating a new product (the new copy of the
> program that sits on your hard drive or the new copy you gave to someone
> else). Mere possession of a copy that someone ELSE made, on the other hand,
> would not be a problem insofar as patent law goes, as long as you don't use
> it.

There is also a law against importing patented items.

But you are assuming that the (international version of) PGP is
a patented object.  It's not.

The MIT patent on RSA claims a communication system.
http://patent.womplex.ibm.com/details?patent_number=4405829

By itself, I don't believe PGP does any communication. The user
would have to get caught using PGP to communicate in a manner
that infringes the patent. I don't see how mere possession of
PGP could get anyone in trouble.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: An argument for multiple AES winners
Date: Mon, 08 May 2000 12:47:34 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> It is indeed very noteworthy that the crypto clauses of the Wassenaar
> Arrangements, that are intended to limit export to algorithms with key
> length up to a maximum of 56 bits, came into being AFTER the AES
> project had been running. So, if the top-level people involved in
> crypto policy are not totally illogical or forgetful, there must be
> something particular in this connection. Yet many people seem
> to be happy for the forthcoming benediction without questioning
> whether there could possibly be a catch.
> 

That the top-level people really are illogical is at the heart of their
crypto policies, that just demanding what makes things simple for them
will conquer scientific and psychological realities.  

I have questioned some aspects of AES from the beginning, not that
something technical can be arrived at, but that it is subservient to
discussions of how to bell the crypto cat.  Nothing is paved by AES for
crypto regulation, except for the gatherings which I have called the great
crypto round-up.

The catch is not going as planned, since rather than being intimidated, or
steamrolled, the crypto community has begun to largely figure that
government should have no role in controlling the field.  Rather than
being somewhat distracted in hunting a junior algorithm suggested for
domestic civilian use, we are more keen on fighting for our
constitutional rights.
-- 
MSN--let us hold your family jewels for six months so we can learn how to draft your 
account and get permission to do so.  After that...squeeeeze....

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Idea for rng
Date: Mon, 08 May 2000 19:52:12 GMT



Guy Macon wrote:
> 
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
> >
> >I sent a post here instead of via email (big stupid mistake).  If you
> >get a post called "idea for rng" please disregard it (or at least don't
> >talk about it) (was suppose to goto a friend)
> >
> >I pulled a big-stupid this morning...
> >
> >Thanks,
> >Tom St Denis
> 
> After checking the headers to make sure that it really was yours,
> I took the liberty of cancelling the post.  If this is a problem
> for you, I can repost it so that it looks just like what you
> originally posted.

Well it's not super hush hush, I just didn't want to say that to the
group.

Tom
--
Want your academic website listed on a free websearch engine?  Then
please check out http://tomstdenis.n3.net/search.html, it's entirely free
and there are no advertisements.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Some crude ideas about compressing plaintexts
Date: Mon, 08 May 2000 13:05:37 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> For secret messages, one could confine oneself to the use of
> 26 characters, plus a few, like blank, period etc. Anyway,
> this is far less than the space of 256 of an 8 bit byte
> where a character is normally stored and processed on
> computers. I speculate that one can utilize the remaining
> space of about 200 to code 200 most commonly used words, e.g.
> 'the', 'you' 'one', 'that', etc., that is, all these words
> will occupy only one byte each. Would such a preprocessing
> have a non-trivial positive or negative contribution to the
> work of a normal text compression scheme?
> 
In the beginning...things were simpler...surprise.  If a limited
character set conveys your information, good. If you can use a simple set
of equivalents to compress common words, good, but you add steps to the
process.  If the computer can take care of the added messy details, good,
but it slows things down.  

If you do all sorts of format things prior to encryption, you may be doing
some compression as well, and can choose to do so or not, on purpose. An
external routine that compresses is not as good as one that is part of
encryption, as additional keying can be used there.

It is unpopular in some quarters however to suggest things that make
analysis a worse chore, like wouldn't it be better if the cryptographer
built in cribs and weaknesses that most would not suspect. But, that is
not my goal; learning about such things and how they relate to absolute
strength is.
-- 
MSN--let us hold your family jewels for six months so we can learn how to draft your 
account and get permission to do so.  After that...squeeeeze....

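The preprocessing Mok-Kong Shen asks about can be measured rather than guessed at. The following is an added example, not code from either poster: a 32-symbol alphabet (26 letters plus a few marks, codes 0..31) and up to 224 one-byte word codes (32..255) are my assumed layout, the word list is built from a constructed training text, and the effect on a normal compressor is checked with zlib. Whether the zlib output shrinks or grows after preprocessing depends on the corpus, so the function returns the sizes instead of asserting an answer.

```python
# Added example, not from the thread: one-byte codes for the most common words,
# as proposed above, measured against an ordinary compressor (zlib).
# Layout of the 256 codes and the sample texts are constructed assumptions.
import zlib
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz .,;'\n"      # 32 symbols -> codes 0..31
CHAR_CODE = {ch: i for i, ch in enumerate(ALPHABET)}
WORD_BASE = len(ALPHABET)                            # first code reserved for words
MAX_WORDS = 256 - WORD_BASE                          # 224 one-byte word codes

def tokenize(text, words_only=False):
    """Split into maximal letter runs (words) and single non-letter characters."""
    out, word = [], ""
    for ch in text:
        if ch.isalpha():
            word += ch
            continue
        if word:
            out.append(word)
            word = ""
        if not words_only:
            out.append(ch)
    if word:
        out.append(word)
    return out

def build_dictionary(corpus, n=MAX_WORDS):
    """The n most frequent words of a training corpus, most common first.
    In practice this list is fixed and shared by sender and receiver."""
    counts = Counter(tokenize(corpus, words_only=True))
    return [w for w, _ in counts.most_common(n)]

def encode(text, dictionary):
    code = {w: WORD_BASE + i for i, w in enumerate(dictionary)}
    out = bytearray()
    for tok in tokenize(text):
        if tok in code:
            out.append(code[tok])                     # whole common word -> one byte
        else:
            for ch in tok:                            # anything else -> one byte per character
                if ch not in CHAR_CODE:
                    raise ValueError(f"unsupported character {ch!r}")
                out.append(CHAR_CODE[ch])
    return bytes(out)

def decode(data, dictionary):
    # Word codes only ever follow a non-letter or start the text (tokens are
    # maximal letter runs), so the byte stream decodes without ambiguity.
    return "".join(ALPHABET[b] if b < WORD_BASE else dictionary[b - WORD_BASE]
                   for b in data)

def compare(text, dictionary):
    """Sizes in bytes: raw text, preprocessed text, and both after zlib."""
    pre = encode(text, dictionary)
    raw = text.encode()
    return {
        "plain": len(raw),
        "preprocessed": len(pre),
        "zlib_plain": len(zlib.compress(raw, 9)),
        "zlib_preprocessed": len(zlib.compress(pre, 9)),
    }

# Constructed sample texts (not real traffic): one to train the word list, one to send.
TRAINING = ("the key to the system is that the message and the key are not the same, "
            "and that you send the message to one person only. if you and one other "
            "person share a key, that key is all that protects the message.\n")
MESSAGE = ("you and one other person are the only ones that know the key, "
           "so send the message and then destroy the key.\n")

if __name__ == "__main__":
    words = build_dictionary(TRAINING)
    assert decode(encode(MESSAGE, words), words) == MESSAGE
    print(compare(MESSAGE, words))
```

The dictionary is fit on a separate text on purpose: training the word list on the message itself would overstate the gain, and a real deployment would use a fixed list such as the few hundred most common words of the language.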
------------------------------

From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Newbie question about primes
Date: Mon, 8 May 2000 21:01:52 -0700

Actually, Earl K. Nimoy was correct, the actual question stated:

'As I understand it, one of the key factors (pardon the pun) in the
security of PGP and similar is the time taken to factor a large _prime_
number.'

And he is quite right to say that you cannot factor a prime, however, we
clearly know what the question is really asking. It's asking about factoring
the composite.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Question about iraqi block cipher
Date: Mon, 08 May 2000 19:56:25 GMT

In article <8f65um$dnd$[EMAIL PROTECTED]>,
  "boby89" <[EMAIL PROTECTED]> wrote:
> Has someone analysed the chaos1 S-box in the IBC cipher ?
> And has someone analysed the one_way function ?
>
> This cipher seems to be 8-bit computers oriented, isn't it ? Is it possible
> to optimize it for 32-bit computers ?
>
> ftp://ftp.zedz.net/pub/crypto/crypto/LIBS/ibc/ibc.c
>
>

Hey all,

Is the implementation correct?

If so, the cipher is a 5-round Feistel cipher.  The right half is sent through
a one-way hash like function and combined with the left.  The halves are
then swapped.

The key material is used in a complicated way to create the one-way
hash.  No key material is used in the round and no whitening is added.

As it is implemented, the cipher is vulnerable to the slide attack.  A
chosen plaintext attack should be able to peel off a round with 2^32
plaintexts.

I am not sure that the slid pair will reveal much however.  If the
one-way function is truly difficult to reverse, the slid pair will only
give one input/output to the hash.  I suspect that some information can
be gained however in which case enough slid pairs will break the cipher.

By cheating I can create many slid pairs so it is certain that slid
pairs exist.

--Matt





------------------------------

From: [EMAIL PROTECTED] (Jos Horikx)
Crossposted-To: 
alt.politics.org.cia,alt.politics.org.nsa,talk.politics.crypto,alt.journalism.print,alt.journalism.newspapers
Subject: Re: new Echelon article
Reply-To: [EMAIL PROTECTED] replace nn by nl
Date: Mon, 08 May 2000 20:14:09 GMT

On Sat, 18 Mar 2000 15:01:58 GMT, [EMAIL PROTECTED] wrote o.a.:

>>> Another interesting echelon-article on:
>>> http://cryptome.org/echelon-cia2.htm

>Mr. Woolsey claims in that Wall Street Journal opinion that the EU
>report accuses the CIA/NSA of using Echelon to steal technology from
>non-U.S. companies.  While I don't doubt that technology theft occurs,
>the report by Duncan Campbell -- from my reading of it -- concerned
>itself with asserting the U.S. might be using this eavesdropping
>network to help specific companies _win contracts_.

Some new evidence entered the press. See:
http://msnbc.com/news/403435.asp?cp1=1

The beginning of the article: 

--- quote ---

NEW YORK, May 7 —  Newly unearthed documents, mostly letters from the CIA
to Congress, lay out evidence of an intensive intelligence effort to help
U.S. corporations win contracts overseas. The documents, all published
during the Clinton administration, appear to confirm reports that
America’s electronic eavesdropping apparatus was involved in commercial
espionage....

--- unquote ---

Kind regards,

JH

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Question about iraqi block cipher
Date: 8 May 2000 12:52:35 -0700

Is this _really_ an Iraqi standard, or is someone pulling our legs?

It is a 5-round Feistel cipher, with a 256-bit block and with the same
(complicated) Feistel function in each round.  Thus, it should be
vulnerable to slide attacks, if I am not mistaken.  However, it looks
like it may take 2^64 chosen texts to create a single slid pair.

The Feistel function is called "one_way" in the source, but it's not clear
that it is actually one-way, and with a reasonable number of input/output
values for the Feistel function it may be possible to determine the key.
One could imagine obtaining these input/output values by getting many
slid pairs, but as discussed above it is not obvious how to do this with
any reasonable data complexity, so this is not a practical threat.

There is also a more practical problem with this cipher.  Since all
rounds are the same, there are likely to be 2^128 fixed points (not
necessarily a problem, except possibly for hashing modes), and (this is
worse) encryption is the same as decryption, so with an encryption oracle
one can decrypt interesting ciphertext.  (This would also spell problems
for OFB mode -- the keystream would repeat every two blocks -- if the
final swap were omitted; but fortunately, the final swap is included.)

All in all, the lack of round dependence is not a showstopper, but it
is perhaps not what was intended.

The cipher also looks likely to be quite slow, in software and in
hardware.  And there is little reason to bother with slow ciphers of
questionable security when we have 3DES.

Anyway, I haven't submitted this to any serious analysis, but based on
what I have seen so far, it does not appear to be especially impressive,
from a simple surface examination.  Is there any particular reason to
look further?

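The two posts above (Matt's and David Wagner's) describe the same structural weakness: every round uses the same keyed function and no round-dependent key material, so the cipher slides against itself and its own inverse. The following is an added example and not the IBC source: a 16-bit toy (8-bit halves) with five identical Feistel rounds, in which F(x) = SBOX[x ^ k0] ^ k1 is an assumed stand-in for the real cipher's 'one_way' function. It shows, on the toy, the points made in the thread: the inverse cipher is the cipher itself up to a half-swap, so an encryption oracle decrypts; without the trailing swap the cipher is an involution, so OFB keystream repeats every two blocks and there are exactly 2^(n/2) fixed points; and a slid pair (P, P') with P' one round ahead of P satisfies C' = round(C) and leaks one input/output of F, which here is enough to recover the key. The chosen-text sets of 2^(n/4) texts per side correspond to 2^64 for a 256-bit block, Wagner's figure.

```python
# Added example, not the IBC source: a 16-bit toy with the structure discussed
# above, a Feistel cipher whose five rounds all use one keyed function and no
# round-dependent key material.  F(x) = SBOX[x ^ k0] ^ k1 is an assumed
# stand-in for the real cipher's 'one_way' function.
import random

ROUNDS = 5
_r = random.Random(1)           # fixed seed: a constructed, reproducible 8-bit permutation
SBOX = list(range(256))
_r.shuffle(SBOX)

def f(x, key):
    k0, k1 = key
    return SBOX[x ^ k0] ^ k1

def swap(b):
    return (b[1], b[0])

def rnd(b, key):
    """One round including its swap: (L, R) -> (R, L ^ F(R))."""
    L, R = b
    return (R, L ^ f(R, key))

def encrypt(b, key, trailing_swap=True):
    for _ in range(ROUNDS):
        b = rnd(b, key)
    return b if trailing_swap else swap(b)

def decrypt(c, key, trailing_swap=True):
    if not trailing_swap:
        c = swap(c)
    for _ in range(ROUNDS):
        L, R = c
        c = (R ^ f(L, key), L)              # inverse of rnd()
    return c

def decrypt_with_oracle(c, oracle, trailing_swap=True):
    """Identical rounds give a palindromic schedule, so the inverse cipher is the
    cipher itself; with a trailing swap it is the cipher conjugated by a swap."""
    return swap(oracle(swap(c))) if trailing_swap else oracle(c)

def ofb_period(iv, oracle):
    """Cycle length of iv under the block function, i.e. the OFB keystream period."""
    s, n = oracle(iv), 1
    while s != iv:
        s, n = oracle(s), n + 1
    return n

def count_fixed_points(key, trailing_swap):
    return sum(1 for L in range(256) for R in range(256)
               if encrypt((L, R), key, trailing_swap) == (L, R))

def make_slid_pair(p, key):
    """With the key ('cheating'), (p, rnd(p)) is a slid pair by construction."""
    return p, rnd(p, key)

def solve_f(a, fa, b, fb):
    """All (k0, k1) with F(a) == fa and F(b) == fb, by 2^8 trial of k0."""
    keys = []
    for k0 in range(256):
        k1 = SBOX[a ^ k0] ^ fa
        if SBOX[b ^ k0] ^ k1 == fb:
            keys.append((k0, k1))
    return keys

def slide_attack(oracle, n_each, const=0x5A):
    """Chosen texts (L_i, A) and (A, R_j): the pair is slid when R_j == L_i ^ F(A);
    then C'_L == C_R, and the pair leaks F(A) and F(C_R)."""
    rng = random.Random(7)
    left = [((L, const), oracle((L, const))) for L in rng.sample(range(256), n_each)]
    right = [((const, R), oracle((const, R))) for R in rng.sample(range(256), n_each)]
    by_cl = {}
    for p2, c2 in right:
        by_cl.setdefault(c2[0], []).append((p2, c2))
    for p, c in left:
        for p2, c2 in by_cl.get(c[1], []):          # candidates passing C'_L == C_R
            fa, b, fb = p[0] ^ p2[1], c[1], c[0] ^ c2[1]
            if b == const:
                continue                            # need two distinct F inputs
            for key in solve_f(const, fa, b, fb):
                if all(encrypt(q, key) == d for q, d in left + right):
                    return key                      # survives false-positive filtering
    return None

def recover_key(oracle):
    """2^(n/4) texts per side is the textbook figure (16 here, 2^64 for a 256-bit
    block); the sets are grown if no slid pair happened to be collected."""
    for n_each in (16, 32, 64, 128, 256):
        key = slide_attack(oracle, n_each)
        if key is not None:
            return key
    return None

if __name__ == "__main__":
    KEY = (0x3C, 0xA7)
    oracle = lambda p: encrypt(p, KEY)
    c = oracle((1, 2))
    print(decrypt_with_oracle(c, oracle) == decrypt(c, KEY))       # True
    print(ofb_period((1, 2), lambda p: encrypt(p, KEY, False)))    # 2 (1 at a fixed point)
    print(count_fixed_points(KEY, False))                          # 256 == 2^(n/2)
    print(recover_key(oracle) == KEY)                              # True
```

The fixed-point count is exact rather than statistical: with an odd number of identical rounds and no trailing swap, the cipher is a conjugate of the single half-mixing step (L, R) -> (L ^ F(R), R), whose fixed points are the 2^(n/2) blocks with F(R) = 0. The slide attack needs only that F is the same in every round; what a slid pair yields afterwards depends on F, which is why the real cipher's 'one_way' function, not the slide itself, decides whether the attack is practical.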
------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
