Cryptography-Digest Digest #868, Volume #11      Sat, 27 May 00 02:13:01 EDT

Contents:
  Re: Anti-Evidence Eliminator messages, have they reached a burn-out point? ("Klaus Daehne")
  Re: safer style sboxes (zapzing)
  Re: Retail distributors of DES chips? (Paul Rubin)
  Re: Matrix key distribution? ("Michael Brown")
  Re: Retail distributors of DES chips? (Paul Rubin)
  looking for an 8-byte long output  hashing function ("Jean-Luc")
  Re: Crypto patentability (Bill Unruh)
  Re: Q: appropriate number of key-uses before replacement? ("Lyalc")
  Enigma reflectors ("Thomas M. Sommers")
  Re: looking for an 8-byte long output  hashing function (Boris Kazak)
  Short signatures (David Hopwood)
  Re: Q: OFB (David Hopwood)
  Short signatures (David Hopwood)
  Re: Anti-Evidence Eliminator messages, have they reached a burn-out point? (Johnny Bravo)

----------------------------------------------------------------------------

From: "Klaus Daehne" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
Subject: Re: Anti-Evidence Eliminator messages, have they reached a burn-out point?
Date: Fri, 26 May 2000 19:36:17 -0700

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Besides the fact that EE is crossposting and posting off topic, I
wound up downloading their product before this debate started, and
(so far) have nothing bad to say.

Aureate, without any doubt, has been caught doing something
incredibly sneaky and despicable (as do the shareware authors that
subscribe to this crap). Unless I am missing something, the same
cannot be said about EE, correct?

If not, are they proven spyware, do they include spyware, or is it
just their crossposting and public neener-ing that has everyone up in
arms?

I (used to) do most of my wiping with bcwipe commands in batch files,
which works very well, although I do appreciate the include/exclude
management of EE. It also used to be a pain to locate (and remember)
where OE keeps its files, so locating this and other folders
automatically is nice.

And, I =did= learn something new: that Windows keeps a "hidden
encrypted database in the system registry which remembers...
information about what you have clicked on your start menu", even if
you wiped the history itself. Intriguing. I wonder what else Windows
is hiding. Oh yeah, and the help file is nice, too.

Not only am I posting this non-anonymously, I am going to sign it,
too, so there is at least =some= content related to this ng :)

> At this point in time I am neutral on this debate, as I was with
> the Aureate debate.  What I don't understand is, in both cases, the
> side in favor of the software company, claims that posts from
> anonymous posters are less valid than someone w/ a traceable e-mail
> address.  To me, it makes no sense at all even though I am not
> posting anonymously.
donoli.

=====BEGIN PGP SIGNATURE=====
Version: PGP Personal Privacy 6.5.2

iQA/AwUBOS80aPUjnALVMPh2EQIR9ACfc4j2gMBoZTMJ+H7BDtrCRbMr1wQAnRDn
wZ/4ZMxOuguYExcRXcBcQqXn
=oR9K
=====END PGP SIGNATURE=====




------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: safer style sboxes
Date: Sat, 27 May 2000 02:36:00 GMT

In article <[EMAIL PROTECTED]>,
  Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <8gfjlh$ib5$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
> In fairness, I think there's more than practicality at work here
> though: as Bruce Schneier has pointed out, it doesn't take much
> talent to design a cipher that's probably secure as long as you don't
> mind designing something that's slow, takes lots of memory, and so
> on.  For most cryptologists, the challenge is in creating a cipher
> that uses the bare minimum of resources, but still makes optimal use
> of the key and provides as much security as possible for that key
> size.
>

I think you have hit the nail on the head.
Another word for it would be "Brinksmanship".
Just why cryptologists do this is unclear.


>
> The universe is a figment of its own imagination.
>

--
If you know about a retail source of
inexpensive DES chips, please let
me know,  thanks.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Retail distributors of DES chips?
Date: 27 May 2000 02:50:08 GMT

In article <8gn72l$2vq$[EMAIL PROTECTED]>, zapzing  <[EMAIL PROTECTED]> wrote:

>Yup. tamper resistance is the point.  I can't find your stuff about
>"java buttons" but that doesn't mean much since deja has been so
>flakey lately.

http://www.ibutton.com/java/

>But how could something written in Java be considered a hardware
>solution? Is this a microprocessor application?

Yes.  The button has a secure microprocessor sealed inside, that
runs a subset of Java.  You write mini-applets and load them into
the button.

------------------------------

From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Matrix key distribution?
Date: Sat, 27 May 2000 02:52:31 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> The problem is that matrix methods are inherently highly linear
> and thus simple algebraic manipulations can be used to crack them.
Yeah, that's what I was always seeming to run into. I was hoping that by
some combination of singular matrices you wouldn't be able to do this. Oh
well, such is life.

Michael Brown

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Retail distributors of DES chips?
Date: 27 May 2000 03:14:50 GMT

In article <8gnd50$g6s$[EMAIL PROTECTED]>,
Paul Rubin <[EMAIL PROTECTED]> wrote:
>In article <8gn72l$2vq$[EMAIL PROTECTED]>, zapzing  <[EMAIL PROTECTED]> wrote:
>
>>Yup. tamper resistance is the point.  I can't find your stuff about
>>"java buttons" but that doesn't mean much since deja has been so
>>flakey lately.
>
>http://www.ibutton.com/java/

Oops.  Better URL:  http://www.ibutton.com/ibuttons/java.html

------------------------------

From: "Jean-Luc" <[EMAIL PROTECTED]>
Subject: looking for an 8-byte long output  hashing function
Date: Sat, 27 May 2000 04:20:03 GMT

Hi all,

For a development task, I would need to use a hashing function with an
output of 8 bytes (and not 16 or 20 like the popular algorithms). The
increased collision is acceptable within the context of the application
(because of the lockout of the hardware token after several failed logins).
However, I haven't been able to find such a function. Is there one? I've
already searched the web and the Usenet but haven't found anything relevant.

Thank you,
JL




------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Crypto patentability
Date: 27 May 2000 04:23:01 GMT

In <ZWJW4.42912$[EMAIL PROTECTED]> "Paul Pires" <[EMAIL PROTECTED]> 
writes:

]> The problem is that to prove invalidity requires a court case, a very
]> long, very expensive court case if the patent holder has deep pockets.

]No, not really. you don't sue some one if you think their patent is bad, you
]infringe and win the suit for infringement the inventor brings. Of course,
]if you knowingly infringe and lose, it's treble damages.

You are saying the same thing. Who brings the suit does not matter. It
is a very long, very expensive court case if the patent holder has deep
pockets. And the onus is on you to prove invalidity.


]> Most people or companies are not up to that even if the patent is
]> patently invalid. It is thus crucial that the patent office do a good
]> job in assigning patents.

]This is our disagreement. I've been there and I think they do a pretty good
]job now. I think the job is a whole lot tougher than you think.

Disagreement? You feel it is not important that the patent office do a
good job?


]>
]> The whole purpose of patents was to encourage the publication of the
]> patented material, rather than have people try to keep it secret with
]> trade secrecy laws. In the case of software, it is hard to keep stuff
]> secret anyway-- it is too easy to disassemble the stuff if you really
]> want to know. This removes a big reason why patents exist at all.
]> They were never intended as a "reward" for invention.

]I Strongly disagree and I believe history supports it. You don't get a patent
]for disclosing a good Idea, it must be invention. Invention (Or more likely
]the personal investment in the development of it) is clearly being rewarded
]with a monopoly for a period of time. After that the invention can never be
]patented again by any one.

?? What is your disagreement?
It is not the invention that is rewarded. You can invent stuff and keep
it secret and you will NOT get a monopoly. It is not the invention that
is rewarded, it is the publication through the patent. It is only the
publication of non trivial or new stuff as well, yes.


]>It was purely a
]> very mercenary bargain-- you tell us what you have done, and we give you
]> a monopoly for X years. Whether patents on software serve that purpose--
]> ie whether the public gets a good deal out of such patents-- is highly
]> debatable. Thus so is allowing patents of software.
]>
]> Copyright is similar. Copyright is another bargain-- you write or
]> produce something, we will give you a monopoly on copying that something
]> for X years ( where x is like 75 years or life+50) Again this makes
]> almost no sense with software. Software copyright should last a max of 5
]> years, and then only if the source code is published. Otherwise that
]> monopoly should be granted. Many companies have become enamoured of the
]> soviet system, where the government granted monopoly rights to friends.
]> While good for the friends, it was not good for the society. Similarly
]> here.

]Companies don't like to pay to use patents from individuals. Because of
]patents the little guy has won quite often. I did. Look up the story of
]George Eastman vs. a parish priest named Goodwin I think. He is the patent
]holder on the process of using celluloid as a film base. George (The third
]richest man in the country at the time) fought and fumed and stalled and
]tricked and ultimately paid him 5 million dollars (This was in the 1890's).
]a tidy sum. The evil tool patent in the hands of the rapacious industrialist
]is an urban myth.

Uh, that last part was a comment on copyright, not patents.  But whether
individuals or companies get the most benefit is irrelevant. The
monopoly is granted for a reason, not as a charity on the part of the
government to randomly reward people, whether poor or rich ( and far
more patents protect the monopoly of the rich than the poor).

What is important is that patent and copyright law are tradeoffs--
monopolies are valuable, and should be granted only if they benefit the
people. And the time of the monopoly should only be as long as
necessary to achieve that benefit.
 

------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Q: appropriate number of key-uses before replacement?
Date: Sat, 27 May 2000 14:33:03 +1000

I'm not trying to be annoyingly picky but-
Depending on the security of the software (i.e. the code, the processing
environment, and system management processes) that's generating and
processing these keys, 1 key/message (either Public or symmetric) may indeed
need to be enforced should you want high reliability on the resulting
encryption or signature.  This may be relaxed substantially with 'better'
environmental controls and processes.

I assume your risk assessment has highlighted the time/environmental
security tradeoff, and helped your company make an informed  decision.

Lyal


[EMAIL PROTECTED] wrote in message
<8gm8kq$cl4$[EMAIL PROTECTED]>...
>In article <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (S. T. L.) wrote:
>> <<For a 160-bit MAC, with a 2048-bit RSA, how many
>> encryptions are too many? Changing keys often
>> means the keys are more susceptible to tampering
>> in-transit...>>
>>
>> I don't know, but I'm almost certain it'll be something godawful like
>10^81
>> messages.  I.E., don't worry about it, unless you're using a sucky
>algorithm,
>> in which case you should first worry about the algorithm.
>
>[Heh, 137. Cool. :]
>
>So, Lyalc suggests changing keys with every message. STL137 suggests
>changing every few universe-lifetimes. While I can see good arguments
>for both positions, Lyalc's suggestion is not practical (I am working
>under the assumption that there will be several thousand encryptions and
>signings per day) and STL's suggestion (though convenient :) leaves us
>open to fraud if the single key is ever compromised.
>
>A middle ground must exist; Verisign hands out new keys every year,
>correct? Are the only issues time-based, or per-encryption based? A nice
>mixture of both? (ie, a key never used in millions of years is not
>likely to be cracked, but a key used 2^80 times in a day leaks how many
>bits..? :)
>
>Again, references or suggestions much appreciated. :) Thanks Lyalc and
>STL. :)
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.



------------------------------

From: "Thomas M. Sommers" <[EMAIL PROTECTED]>
Subject: Enigma reflectors
Date: Sat, 27 May 2000 04:44:15 GMT

When a new reflector became available, did it completely supersede the
earlier one, or did the reflector become another part of the key?

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: looking for an 8-byte long output  hashing function
Date: Sat, 27 May 2000 05:05:19 GMT

Dear Jean-Luc:
Just take the 16-byte hash function and XOR together the right 
and left halves of the output.

Best wishes          BNK
===================================
Jean-Luc wrote:
> 
> Hi all,
> 
> For a development task, I would need to use a hashing function with an
> output of 8 bytes (and not 16 or 20 like the popular algorithms). The
> increased collision is acceptable within the context of the application
> (because of the lockout of the hardware token after several failed logins).
> However, I haven't been able to find such a function. Is there one? I've
> already searched the web and the Usenet but haven't found anything relevant.
> 
> Thank you,
> JL

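The folding trick in the reply above, as an added example that is not part of the original post: XOR the two 8-byte halves of a 16-byte digest (MD5 is used here only because the reply talks about a 16-byte hash), generalised so that any digest whose length is a multiple of the target length is folded chunk by chunk. Plain truncation is included alongside for comparison, and the check against a stored value uses a constant-time compare, which is what a practitioner wants in the token-login setting the question describes. The names fold_digest, truncate_digest and check_against_stored are mine. Note the caveat that comes with any 8-byte output: collisions among many hashes are expected after roughly 2^32 of them (birthday bound), whatever the folding method.

```python
import hashlib
import hmac


def fold_digest(data: bytes, out_len: int = 8, algorithm: str = "md5") -> bytes:
    """Shorten a hash to out_len bytes by XOR-folding its digest.

    With the defaults (MD5, 8 bytes) this is exactly the suggestion in the
    reply: XOR the left and right 8-byte halves of the 16-byte digest. For a
    longer digest (e.g. SHA-256, 32 bytes) every out_len-byte chunk is XORed
    in turn, so the whole digest still contributes to the result.
    """
    digest = hashlib.new(algorithm, data).digest()
    if len(digest) % out_len:
        raise ValueError("digest length must be a multiple of out_len")
    folded = bytearray(out_len)
    for offset in range(0, len(digest), out_len):
        for i, b in enumerate(digest[offset:offset + out_len]):
            folded[i] ^= b
    return bytes(folded)


def truncate_digest(data: bytes, out_len: int = 8, algorithm: str = "sha256") -> bytes:
    """The other common option: keep only the leading out_len bytes of the digest."""
    return hashlib.new(algorithm, data).digest()[:out_len]


def check_against_stored(stored: bytes, candidate: bytes) -> bool:
    """Compare a stored 8-byte value with the fold of a candidate input in
    constant time, so the comparison itself leaks nothing about where the
    first mismatching byte is."""
    return hmac.compare_digest(stored, fold_digest(candidate))


if __name__ == "__main__":
    # Constructed sample inputs; nothing here comes from the original thread.
    print(fold_digest(b"").hex())                  # MD5("") folded to 8 bytes
    print(truncate_digest(b"abc").hex())           # first 8 bytes of SHA-256("abc")
    print(check_against_stored(fold_digest(b"1234"), b"1234"))
```

fold_digest raises for digest sizes that do not divide evenly (SHA-1's 20 bytes against an 8-byte target, for instance); pick a digest length that is a multiple of the target, or truncate instead.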
------------------------------

Date: Sat, 27 May 2000 05:12:34 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Short signatures

=====BEGIN PGP SIGNED MESSAGE=====

Mark Wooding wrote:
> David Hopwood <[EMAIL PROTECTED]> wrote:
> 
> > I'm not sure that it would be all that long.  A discrete-log
> > (e.g. DSA) signature would require a 2t + m bit serial number, where
> > 2^t is the security level, and m is the number of bits of information
> > encoded.
> >
> > For example, if you need a 2^56 security level and 96 bits of
> > information, that would make a 208-bit serial number, which is 41
> > characters in base 36 (i.e. 0-9a-z) encoding. (A 2^40 security level
> > works out as 35 characters.)
> 
> Umm...  A DSA signature is two numbers each the size of the parameter q.
> If q is approximately 2^2t, then the difficulty of computing discrete
> logs in the q-order subgroup is O(2^t).

Good point. I don't know what I was thinking of; let me try again with
a different signature scheme:

If we use MR(q)-DSA, which is a signature scheme with message recovery
described in [NR94], the size of the signature will be 4t, of which 2t
bits can be recovered. To meet the security bound there must be at least
t bits of redundancy in the recovered information (including any extra bits
tacked on to the end of the signature). If the number of extra bits is
k >= 0, and the number of bits of information to be encoded is m as before,
then 2t + k = t + m.

The total output size is then 4t + k = 4t + max(m - t, 0)
                                     = 3t + max(m, t).

For reference, MR(q)-DSA is defined as follows (with parameters p, q and
g as for DSA).

  Signing:
    encode the message as M || extra = pad(message)
    r = M^-1.(g^k mod p) mod q
    s = k^-1.(1 + rx) mod q
    the signature is r || s || extra.

  Recovery and verification:
    u = s^-1 mod q
    M = r^-1.(g^u * y^(r.u) mod p) mod q
    recover the message (or an indication that it is invalid) using
      unpad(M || extra).

'pad' is an all-or-nothing-transform that adds t bits of redundancy, and
'unpad' is the inverse of 'pad', which returns "invalid" if the redundancy
was not present.

This scheme is proven in Theorem 1 of [NR94] to be "strongly equivalent"
to DSA, i.e. a valid MR(q)-DSA signature can be converted to a valid DSA
signature and vice-versa without knowing the private key. Subject to
some assumptions about the padding, this should mean that it is equally
secure.

[The reason why I didn't use the alternative MR(q)-NEW, also described in
[NR94], is that it isn't provably equivalent in security to DSA, and may
be covered by the Schnorr patent. The total message size for MR(q)-NEW
would be the same: 3t + max(m, t).]


In any case, assuming m >= t, this saves t bits over the case without
message recovery. Hardly worth the extra complexity, really, but
theoretically interesting. Can anyone do better than 3t + max(m, t)?

[RSA with message recovery would require something like max(n(t), t + m)
bits, where n(t) is the length of RSA modulus required for a 2^t security
level, but that isn't any more efficient for small messages.]


[NR94] Kaisa Nyberg, Rainer Rueppel,
    "Message Recovery for Signature Schemes Based on the Discrete
     Logarithm Problem,"
    Advances in Cryptology - EuroCrypt '94.

- -- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOS9LIDkCAxeYt5gVAQGftggArKuF+qTN2IMcmWaFRyLCQDF0bnHFmSCX
K9niuN82XcFjZRgxJxh41YO6XMRRZCG7XCOaJ3WhRgKgxOpuRrV9a9pOMPPCaYgT
4NPQ6FlRXlJskfvIX+JsPMB4Eih9MmRk5pb9jzyLArB+9fSecMRM4WALXn8gfDsT
A+auwPElvz1sQAtasHYYKe54f0BzdQrgiDmSu0X+pSbfSYCyoR4YIJhq/am4vJWV
hj/pO2/tBOzoBPy5RV1vlNwaIJFmzb3vMmHQbfhjz3FI32tXhjYdhBQAQzq5R0BD
hjJye855lAv1Q04aR+005lgF6JTM9wUG8n0GDSPyDXPut0H7bqrGHA==
=FZmK
=====END PGP SIGNATURE=====



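The MR(q)-DSA equations in the post above, carried through in working code as an added example (this is my code, not David Hopwood's and not the scheme as published in [NR94]). Assumptions: toy parameters, a 64-bit q and 128-bit p = k*q + 1 generated inline (so q is roughly 2^(2t) for t = 32; real deployments need far larger sizes); a simplified pad that appends T_BITS = 24 bits of hash-derived redundancy to a 32-bit message instead of the paper's all-or-nothing transform, with no "extra" bits; and the conversion to_dsa, which multiplies both signature components by M and is my own derivation from the two signing equations rather than a quotation of Theorem 1. Everything else follows the post's formulas literally. Requires Python 3.8+ for pow(x, -1, q).

```python
import hashlib
import random

T_BITS = 24    # redundancy bits added by pad(); plays the role of t in the post
MSG_BITS = 32  # message bits carried inside the signature (m in the post)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin for the large odd n generated below (no small-n special cases)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(rng):
    """Toy DSA-style (p, q, g): 64-bit prime q, 128-bit prime p = k*q + 1, g of order q."""
    q = rng.getrandbits(64) | (1 << 63) | 1
    while not is_probable_prime(q, rng):
        q = rng.getrandbits(64) | (1 << 63) | 1
    p = ((rng.getrandbits(64) | (1 << 63)) & ~1) * q + 1  # even k, so p is odd
    while not is_probable_prime(p, rng):
        p = ((rng.getrandbits(64) | (1 << 63)) & ~1) * q + 1
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1
    return p, q, g

def pad(m):
    """Add T_BITS of hash-derived redundancy (simplified stand-in for the paper's pad);
    the result is below 2^(MSG_BITS + T_BITS) and therefore below q."""
    if not 0 < m < 1 << MSG_BITS:
        raise ValueError("message out of range")
    tag = hashlib.sha256(m.to_bytes(8, "big")).digest()[: T_BITS // 8]
    return (m << T_BITS) | int.from_bytes(tag, "big")

def unpad(M):
    """Inverse of pad(); None means the redundancy did not check out."""
    m = M >> T_BITS
    return m if 0 < m < 1 << MSG_BITS and pad(m) == M else None

def mr_sign(params, x, m, rng):
    """MR(q)-DSA signing as in the post: r = M^-1 (g^k mod p) mod q, s = k^-1 (1 + rx) mod q."""
    p, q, g = params
    M = pad(m)
    while True:
        k = rng.randrange(1, q)
        r = pow(M, -1, q) * (pow(g, k, p) % q) % q
        s = pow(k, -1, q) * (1 + r * x) % q
        if r and s:
            return r, s

def mr_recover(params, y, sig):
    """Recovery: u = s^-1, M = r^-1 (g^u y^(ru) mod p) mod q; None means invalid."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return None
    u = pow(s, -1, q)
    return unpad(pow(r, -1, q) * (pow(g, u, p) * pow(y, r * u % q, p) % p) % q)

def to_dsa(params, sig, M):
    """Convert to a textbook DSA signature on 'hash value' M by multiplying both
    components by M (my derivation from the signing equations; needs no private key)."""
    return sig[0] * M % params[1], sig[1] * M % params[1]

def dsa_verify(params, y, H, sig):
    """Textbook DSA verification with H standing in for the message hash."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, H * w % q, p) * pow(y, r * w % q, p) % p % q == r

def demo(seed=2000):
    """Sign, recover, tamper, and cross-check against plain DSA with a fixed seed."""
    rng = random.Random(seed)
    p, q, g = params = gen_params(rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    M = pad(0xDEADBEEF)
    r, s = mr_sign(params, x, 0xDEADBEEF, rng)
    return {
        "recovered": mr_recover(params, y, (r, s)),
        "tampered": mr_recover(params, y, (r, (s + 1) % q)),
        "dsa_ok": dsa_verify(params, y, M, to_dsa(params, (r, s), M)),
        "dsa_wrong_key": dsa_verify(params, pow(g, x + 1, p), M, to_dsa(params, (r, s), M)),
    }

if __name__ == "__main__":
    print(demo())
```

The conversion is the practical content of "strongly equivalent": a forger who can produce (r, s) for MR(q)-DSA immediately has (rM, sM), a DSA signature on M, so the message-recovery variant cannot be easier to forge than DSA itself under the same parameters. The redundancy check in unpad is what stops an attacker from picking an arbitrary (r, s) and calling whatever comes out a "recovered message"; with T_BITS of redundancy a random pair passes with probability about 2^-T_BITS, which is why the post insists on t bits of it.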
------------------------------

Date: Sat, 27 May 2000 06:11:20 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Q: OFB

=====BEGIN PGP SIGNED MESSAGE=====

Mok-Kong Shen wrote:
> 
> If one runs a block cipher in n-bit OFB mode with n equal
> to the block size, then one is doing repeated encryption
> of an IV. The output eventually repeats, i.e. the sequence
> of the outputs must have a period.
> 
> Question: Are any literatures about the period lengths for some
> well-known ciphers, e.g. DES, available? Thanks.

See:

  Robert R. Jueneman,
  "Analysis of Certain Aspects of Output Feedback Mode,"
  Advances in Cryptology - Crypto '82 Proceedings
  (D. Chaum, R. Rivest and A. Sherman, ed.), Plenum Press, 1983, pp. 99-127. 

  D.W. Davies, G.I.P. Parkin,
  "The Average Size of the Key Stream in Output Feedback Mode,"
  Cryptography, Proceedings of the Workshop on Cryptography,
  Burg-Feuerstein, Germany, March 29-April 2, 1982,
  Springer-Verlag, 1982?, pp. 263-279.
  (Abstract in Crypto '82 Proceedings, pp. 97-98.)


The first paper, and an abstract of the second are on the Springer-Verlag
CD-ROM of Crypto and EuroCrypt proceedings, but they are not available
on-line AFAIK. For a random cipher with feedback size equal to the block
size N bits (as recommended), the expected period starting from a random
IV is almost exactly 2^(N-1).

I don't know of any analysis for specific ciphers, although if the results
were significantly different from the "random cipher" case, that would
probably be considered a serious weakness in the cipher.

- -- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOS9Y6TkCAxeYt5gVAQE/vwgApPE9iK5MIiK6jMTBmCfcaow+64VnWZC8
hXts5prBapdA8ah3W0wq/l9x0dGG84u2ryeag0u6AQVBmt0R+HlCsisA/6fvOdSW
iTrUoXjdLYhPSDKQ8nKS8S0enAZCoHhzXmfNMFQn7TPUU/bhBrzxn9LYX1cwBCer
kku2umi99o/6F/A3I3fj4SFDIB9sBtK/jeFlT7Y84jSy+27/OSsYRxn/Jghk60iK
ucBYk3LZu9XqVLHDw5ki2IEbOLPoMW5Y8Ex//G+w7fstSJ4dU49myLuHV3qbWPa/
5UeNxWyFePX7XDJZdTc/4Zzw06fuDltcHampZVJ4Vx76Bb2L/BCImw==
=mngp
=====END PGP SIGNATURE=====



------------------------------

Date: Sat, 27 May 2000 06:12:57 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Short signatures

=====BEGIN PGP SIGNED MESSAGE=====

"David A. Wagner" wrote:
> 
> In article <[EMAIL PROTECTED]>,
> Roger Schlafly  <[EMAIL PROTECTED]> wrote:
> > Or DSA. DSA signatures are about the same size.
> 
> Really?  I don't see it.
> For t-bit security, with DSA you need 4t-bit signatures,

Yes, my earlier post was wrong on this.

> but for elliptic curves you need 2t-bit signatures.  (Roughly.)

Nope. You need 4t-bit signatures for elliptic curves as well - e.g.
for ECDSA you need to encode two 2t-bit *integers* (not curve points,
although even if they were curve points that wouldn't help), and
signatures for other ECDL-based schemes are no shorter.

RSA-style schemes based on elliptic curves over a ring don't improve
on this either, because in that case the ring has to be large to
prevent factorisation attacks.

Using a scheme with message recovery (over either a subgroup of GF(p)
or an elliptic curve) can improve the overhead to 3t bits, as described
in my other post.

- -- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOS7+mDkCAxeYt5gVAQHHFwf/VSlrRuwskDsuCVdm0oNXPzu9Hv+i0G1/
WyZocRIVGAXjFJ0gPUbzGkRNfzWZOJbNin/qpa+x4pk6yJKjX5dzwjqlFR8jcam4
b5Fe0Z5Yfnom1OLyJz4hnqpe0Ereo646GHqYRudkH70ZoP9XXuuGjuzz3HiMWujZ
BBC92/Y3hTuqaE4MoAC1PlZ46cWXI6nJpmnVxbeAV6HLbyu9Gg0u4O2T0rdLYtZg
M15UqY7WpKN/IflRbzbijUclmbZaFHORLM6SkPMmpsYEWKFgkYVKcyHjnb5/KkK0
3bb0gWUr+3cBFvLEQt0nvYgHH16CfPYlqQEg0M3sNzvvuiQys5ANcQ==
=yvpl
=====END PGP SIGNATURE=====


------------------------------

From: Johnny Bravo <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
Subject: Re: Anti-Evidence Eliminator messages, have they reached a burn-out point?
Date: Sat, 27 May 2000 01:47:54 -0400

On Thu, 25 May 2000 20:03:18 +0100, EE Support
<[EMAIL PROTECTED]> wrote:

>EE Tech Support here.
>
>Our responses are included for your entertainment.

  How professional of you.

-- 
  Best Wishes,
    Johnny Bravo

"The most merciful thing in the world, I think, is the inability
of the human mind to correlate all its contents." - HPL

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
