Cryptography-Digest Digest #860, Volume #11      Thu, 25 May 00 16:13:00 EDT

  Re: AES final comment deadline is May 15 ("Brian Gladman")
  Re: Short Secure Serial Numbers (Andru Luvisi)
  Re: Yet another block cipher: Storin (David A. Wagner)
  Re: Yet another block cipher: Storin (Mark Wooding)
  Re: HTML encryption (Eric Murray)
  Re: RSA/PK Question (DJohn37050)
  Anti-Evidence Eliminator messages, have they reached a burn-out point? (EE Support)
  Re: pentium timings (lordcow77)
  Actually this person faxed me an article of the U.S. commercial espionage in August, 
1995 .... good work Tatu Ylonen ... actually I have tried to provide some intel in the 
past ... (Markku J. Saarelainen)
  Re: list of prime numbers (Custer)
  Re: list of prime numbers (tomstd)
  Re: RSA/PK Question (tomstd)
  Re: Crypto patentability ("Paul Pires")


From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: AES final comment deadline is May 15
Date: Thu, 25 May 2000 18:22:29 +0100

"Kenneth Almquist" <[EMAIL PROTECTED]> wrote in message
> Scott Fluhrer wrote:
> > For the record, Rinjdael and Serpent in encrypt mode, and Twofish
> > bidirectionally makes it relatively simple for hardware to do key
> > scheduling on the fly, making the cost of changing a key zero.
> With Serpent the calculation of the end of the key schedule can be
> calculated efficiently; it is not necessary to calculate the full
> key schedule.  This is not mentioned in the Serpent AES submission,
> presumably because the designers of Serpent were not aware of it.

My guess is that they were aware of this but did not consider it necessary
to expand on it at the time.

They were certainly aware of this later as I discussed an implementation
(unpublished) I did using this technique with one of them (Ross Anderson).
The cost I found for going to the end of the key schedule directly was about
25% of the cost of running the key schedule itself. But I did not spend much
time optimising this so its quite likely that this figure could be improved
on by quite a bit.

    Brian Gladman


From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Short Secure Serial Numbers
Date: 25 May 2000 10:35:04 -0700

Don't do it.  You're just making your user's lives harder.  Besides,
why should a user have to tell you who they are in order to use a
program which *they* *paid* *for*?  

I made it through 5 years of college getting a math degree *without*
ever buying Mathematica, even though it's what the department used,
because I simply wasn't interested in telling them the size of my
nostrils or what my name is, since it's none of their damn business.
When you first install Mathematica, it has a 30 day time limit.  You
have to register it and get a key before you can use it.

Haven't you ever needed to reinstall a program (maybe after a hard
drive crash) and been unable to because you lost your key?

| Andru Luvisi                 |               |
| Programmer/Analyst           |   Library Resources Online              | 
| Ruben Salazar Library        |-----------------------------------------| 
| Sonoma State University      |           |
| [EMAIL PROTECTED]      |   Textile imports from Provence, France |


From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Yet another block cipher: Storin
Date: 25 May 2000 10:56:52 -0700

In article <8giahk$gvv$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> Under what circumstances can a 448 bit yield 14 zero subkeys in
> Blowfish?

Here the notes I wrote on it at the time.
I haven't re-checked them for accuracy.  Let me know if I made some mistake.

The first 384 bits of the key will be chosen to be the first 384 bits of pi.

The key schedule starts by deriving initial subkeys
  (they'll happen to be zero in the first 12 rounds, with the choice above)
and encrypting X_0 = 0 (the all-zeros plaintext) to get a result X_1.
The key schedule replaces the first two round subkeys with X_1 and
encrypts X_1 with the new subkeys to get a result X_2, and then repeats.

Our strategy will be to look for a fixed point.
If we can sure ensure that X_1 = 0, we'll have X_2 = X_3 = .. = 0, too.
  (Why?  Well, replacing the first two round subkeys by X_1 causes no effect,
  because they are already zero, and thus encrypting the all-zeros plaintext
  gives the same result as before, namely the all-zeros ciphertext.)
And this can be ensured by choosing the last 64 bits of key appropriately.


From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Yet another block cipher: Storin
Date: 25 May 2000 17:55:49 GMT

Mark Wooding <[EMAIL PROTECTED]> wrote:

> Blowfish has a variant of this property.  Consider the second encryption
> used in the key schedule: P[0] and P[1] have just been set, and we're
> going to encrypt them again to find the (new) P[2] and P[3].  The first
> two rounds look like this:
>    P[0]          P[1]
>     |             |
>    (+)<- P[0]     |
>     |             |
>     0            P[1]
>     |             |
>     |-----[F]--->(+)
>     |             |
>     |            (+)<- P[1]
>     |             |
>     0           F(0)
>     |             |
>    (+)<---[F]-----|
>     |             |
>    F(0)         F(0)

Whoops.  That should be F^2(0) on the left, obviously.  It doesn't
affect the fact that P[2] and P[3] don't depend on P[0] and P[1].

-- [mdw]


Subject: Re: HTML encryption
From: [EMAIL PROTECTED][Rot 13] (Eric Murray) 
Date: 25 May 2000 11:01:15 -0700

In article <8gh09j$ia5$[EMAIL PROTECTED]>,
DigiboyCiPHER  <[EMAIL PROTECTED]> wrote:
>Is there any easy way to encrypt HTML source but retain use amongst
>non-javascript browsers?

https (really SSL/TLS) will encrypt the HTML between the server and browser
and most browsers support it.

You can't keep recipients from reading the HTML though.  There's
no way to do that (you'd have to require that they use a perfectly
secure OS and browser that was designed to keep the HTML secure from
the user, and none of those things exist).  Don't put anything
that you want to keep secret in the HTML.

 Eric Murray  ericm at the site  PGP keyid:E03F65E5
     <IMG LOWSRC="javascript:alert('Delete C: and install Linux?')">


From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: RSA/PK Question
Date: 25 May 2000 18:45:16 GMT

Crypto can be seen as applied paranoia.  How hard is hard?  The current DSA-2
draft allows keys up to 15K.  If you do not want to use that size, your choice.
 I agree that this size seems large to protect $5 for a day, but the choice is
a cost/benefit/confidence decision.  DSA came out with 512 bit keys and now
they are considered not healthy.  ANSI X9 mandates a minimum of 1024 bits for
DSA/RSA and 161 bits for ECC.
Don Johnson


From: EE Support <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.privacy.anon-server,
Subject: Anti-Evidence Eliminator messages, have they reached a burn-out point?
Date: Thu, 25 May 2000 20:03:18 +0100


EE Tech Support here.

Greetings to those genuine people who continue to support our
wonderful Evidence Eliminator software.

Isn't it amazing how many "Anonymous" or semi-anonymous "people",
often they have big-sigs with PGP too, are spending all their time and
effort broadcasting false reports about our wonderful software.

Here's a quoted message this week from alt.privacy.

Our responses are included for your entertainment.


On Mon, 22 May 2000 21:14:31 -0500, lurker <[EMAIL PROTECTED]> wrote:

>On Mon, 22 May 2000 19:50:36 +0100, EE Support
>>Well, Internet Explorer version 3 is years out of date.
>>Many web sites won't work properly with it, we have never before heard
>>of anybody attempting to use Internet Explorer 3 with Evidence
>That's an outright lie. Many other people have complained over the
>past six months about not being able to use EE's help files under
>Windows 95 OSR2. I myself have sent the company an email on this
>subject. As I'm sure EE Support is very well aware, this problem is
>caused by leaving Internet Explorer off their systems or using
>Explorer 3 or earlier.

Re: HTML Help please see the notes on our downloads page at:

Some systems require an HTML help upgrade which is fully documented on
our web site.

Internet Explorer v4 or above is a requirement for using Evidence

We have never before heard of anybody attempting to use Internet
Explorer 3 with Evidence Eliminator.

You claim we are an "an outright lie".

Yet what you are saying is not true.

Are *you* lying about our Evidence Eliminator?

>>And as far as we know, use of Internet Explorer 3 does *not* result in
>>drives being wiped by Evidence Eliminator.
>>If you can show us how this alleged "drive-wiping" incident can be
>>repeated we will be pleased to hear from you.
>>We feel that it probably cannot be repeated.
>Everyone concerned with privacy and security should lurk in the pirate
>and hacker groups. You learn things there that the manufacturers never
>tell us. Most of the lurkers in those groups are probably systems
>administrators and security people learning all they can about
>security holes, product flaws, and system-destroying
>trojans/booby-traps.  If you're a sysadmin, keep an eye out for a list
>called "booby-trapped shareware". You'll be glad you did!

This is just such complete rubbish.

We at Evidence Eliminator are not the only ones who are looking in
disbelief at your ridiculous anti-Evidence-Eliminator messages and

"Who is posting this nonsense, and why?"

>EE's one of the programs on that list, as a result of which it's
>probably banned on many company systems. 

We don't offer "booby trapped" programs. Where is this nonsense coming

About a dozen pirates
>experienced root-path wipes after attempting to upgrade to v5 from an
>earlier version that had been installed with an illegitimate serial.
>It seems that if you register some of the earlier versions with an
>illegal serial and then upgrade to v5, then the upgrade sets the
>Internet Cookies folder to the root path for wiping. Whether this is
>an antipiracy measure or a programming flaw I do not know, but I
>haven't heard EE admit to any programming flaws and they seem aware of
>the problem. Someone using the 'EE Support" nym and sounding amazingly
>like our local troll was on the cracks group egging people into the
>fatal mistake:

This is complete rubbish and fraudulent mis-information. As shareware
authors we have standard time-limit protection but the idea we trash
drives on crack attempts is simply not true.

What is your true motive in posting all this nonsense?

We don't use an "EE Support" nym. We post direct from our server. We
do not post to "crack" newsgroups.

>On Mon, 8 May 2000 23:26:07 +0100, "EE Support"
>>Hello there,
>>Have you tried using the crack in EE Version 4.5, if you can still find
>>a copy, and then using the upgrade to v5.0 available from our 
>>website. This is the sneaky way to circumvent our marvellous 
>>technology. Always glad to be of service. If you like the product 
>> please buy it, we need the income.
>>EE Support

Forged message. We didn't post this.

Who is doing this?

Who would stand to benefit from this shameless attempt other than the
people who wish to gather the evidence that we eliminate so well!

We find this *very* amusing!

>So... If Bill tried to pirate a copy and got his HD wiped in
>retaliation then he deserves no sympathy. However, one must also
>consider the possibility that he's a legitimate user and some flaw in
>the code (or perhaps a Windows glitch) caused the antipiracy routine
>to misfire.
>That's not the only booby-trap claimed to be in EE. Here's a little
>quote from one of the cracks groups: "...if you are reading this make
>sure that evidence eliminator is not minimized in the tray EVER while
>you are connected to the net. If the prog is regged it checks with
>their servers and then you get a nice 'this prog was reversed
>egnineered and has not been cleaning your system' once you get this
>message wait for the next version cause it is too late now." 

The Evidence Eliminator program does *not* automatically register with
any internet servers.

As above, this is just not true.

Who could possibly waste their time inventing and posting this
nonsense in the misguided belief that somebody would actually believe
it. How childish and pathetic!

>So *if* everything people have said in that group is true (and I don't
>know if it is or not) then:
>--  If it *thinks* your serial is invalid,  EE's serial-checking
>routine may cause it to wipe your hard drive

Evidence Eliminator does no such thing.

>-- If it *thinks* your serial is invalid, EE's serial-checking routine
>may cause it to appear to be securely wiping your files when it isn't
>-- The program secretly carries on communications when you're online
>-- It demands that you use a specific version of a specific web
>browser (IE5)
>Now let's see whether EE Support confirms, denies, or evades. <g>

This is rubbish.

One can only wonder in amazement at just who you are working for.

Thank you for ending our hard-working week at Evidence Eliminator
software with a very entertaining load of rubbish.

It's such a delight to log onto the privacy newsgroups and see some
proof of just how well our wonderful software is working.

Have a nice day now!

Always happy to help protect and serve the public.

EE Support
[EMAIL PROTECTED] (remove NO_SP_AM for e-mail)


Subject: Re: pentium timings
From: lordcow77 <[EMAIL PROTECTED]>
Date: Thu, 25 May 2000 12:02:41 -0700

In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>violated.  In any case, I'm pretty sure the two would never
>execute in reverse order, but this is more or less by accident,
>design -- basically the execution units simply look at
>in order until they find one they can execute, so instructions
>only get executed out of order if they have different resource

Surprisingly, this is not the case! Instructions that are not
dependent on each other (and have the same resource constraints)
may execute out of order of each other because of the design of
the reservation station (the pipeline stage after the reorder
buffer): it is not strictly FIFO because Intel's CPU designers
felt that this would require too much space. A relatively stale
instruction can be executed after a fresh one if the stale
instruction happens to be stored in the same "batch" (analogous
to a cache line, but different). The RDTSCs can execute in any
order if an instruction after the first RDTSC is not dependent
on any preceeding instructions. Streams of parallel executions
s, t. Instruction placement in stream indicated by subscript.

s_2 (some long latency instruction)

If s_2 is, say, a divide and t_1 is not dependent on the results
of the s stream, there is a very good chance that RDTSC_2 will
be executed first.

* Sent from RemarQ The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


From: Markku J. Saarelainen <[EMAIL PROTECTED]>
Subject: Actually this person faxed me an article of the U.S. commercial espionage in 
August, 1995 .... good work Tatu Ylonen ... actually I have tried to provide some 
intel in the past ...
Date: Thu, 25 May 2000 19:09:32 GMT

NOTE: Personally I was aware of the CIA/FBI?NSA espionage specified in
this article already ..... actually this was around the time, when "M"
discovered some U.S. gov's business intel spies on the Internet and on
the cipherpunks ( mailing etc. lists ....

"Kaikkea hyvää ei voi antaa ilmaiseksi"

 Salausguru Tatu Ylöselle insinöörityöpalkinto

Tekniikan Akateemisten liitto myönsi suomalaisen insinöörityöpalkinnon
tekniikan lisensiaatti Tatu Ylöselle, 32, hänen ansioistaan internetin
tietoturvan kehittämisessä. 100 000 markan palkinnon Ylönen sai
pääteyhteyksiä salaavasta SSH-ohjelmistosta.

Sent via
Before you buy.


From: Custer <[EMAIL PROTECTED]>
Subject: Re: list of prime numbers
Date: Thu, 25 May 2000 15:14:47 -0400

[EMAIL PROTECTED] (Daniel) wrote:

>I don't know if this is public domain or not, but can we get a list
>with the (recent) prime numbers (up to 150 digits)?
I don't think there is such a list, because there are too many primes
up to 150 decimal digits.  There's not enough disk space on this
planet to store them.


Subject: Re: list of prime numbers
From: tomstd <[EMAIL PROTECTED]>
Date: Thu, 25 May 2000 12:22:02 -0700

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Daniel) wrote:
>I don't know if this is public domain or not, but can we get a
>with the (recent) prime numbers (up to 150 digits)?
>All help greatly appreciated

Why not just read up on the subject?  According to the prime
number theorem there are about 2^489.86 150 digit primes.  So I
sincerely doubt any list of that size exists.

Try getting the HAC and reading it.


* Sent from RemarQ The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


Subject: Re: RSA/PK Question
From: tomstd <[EMAIL PROTECTED]>
Date: Thu, 25 May 2000 12:25:10 -0700

In article <8gjjh2$a7c$[EMAIL PROTECTED]>, David A Molnar
>tomstd <[EMAIL PROTECTED]> wrote:
>> People seem to forget that theoretical does not always mean
>> practical.  Yes theoretically your stmt may be true, but to
>> actually *implement* the attack is not possible.
>Not possible toay. The charts at cryptosavvy and elsewhere
>the efforts by various people to estimate what may be possible
>Perhaps this is an odd notion of "possible," but it seems like
>we have to go on short of using info-theoretically secure
>(and even then we have the wonderful world of implementation
>to look forward to).

The world is comming to an end, the end is near.

Realistically, 1024 bit numbers normally can't be factored now.
The technology won't be around for a bit, so I don't see the
problem with using 768-1024 bit numbers.


* Sent from RemarQ The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Date: Thu, 25 May 2000 12:55:02 -0700

Jerry Coffin <[EMAIL PROTECTED]> wrote in message
> In article <[EMAIL PROTECTED]>,
> [ ... ]
> > Well I don't like patents, too. They are only a way for the
> > rich people to keep their richness. They are a way for the
> > big companies to stay big by destroying small companies
> > without much effort.
> _Precisely_ the opposite is actually true: patents are one of the few
> ways for a small company, or even one smart person, to level the
> playing field and be competitive against a big company.  Consider
> what would happen if there were no patents.

    An excellent point. Most of the arguments I have heard so far assume (In
my opinion) that "Big Business" likes to use patents to tromp on free
thinkers. Here are a few from the other side of the fence.

The independent inventor who successfully sued Sears Roebuck (Craftsman
Tools) over the invention of the ratcheting socket wrench.

The independent inventor who successfully sued Ford Motor Company over the
invention of the intermittent windshield wiper.

And one from the A&E channel a couple of days ago.

George Eastman (Eastman Kodak) vrs  a parish priest named Goodwin or Goodman
I think. He is the patent holder on the process of using celluloid as a film
base. George (The third richest man in the country at the time) fought and
fumed and stalled and tricked and ultimately paid him 5 million dollars
(This was in the 1890's). a tidy sum.

    I still think that the evil tool patent in the hands of the rapacious
is an urban myth.




The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest

Reply via email to