Cryptography-Digest Digest #985, Volume #11       Fri, 9 Jun 00 10:13:01 EDT

Contents:
  Re: Multiple encryptions (Guy Macon)
  Re: Observer 4/6/2000: "Your privacy ends here" (Paul Shirley)
  help for rc5 cryptanalysis ("Stanley")
  Re: My lastest paper on Block Ciphers (Simon Johnson)
  Re: ZKPs in practice? (Helger Lipmaa)
  Re: ANNC: IECrypt (Roger Fleming)
  Re: Multiple encryptions (jkauffman)
  Re: Cryptographic voting ("Trevor L. Jackson, III")
  Encoding 56 bit data ---HELP--- (dexMilano)
  Re: Cryptographic voting ("Trevor L. Jackson, III")
  Re: XTR independent benchmarks (DJohn37050)
  Re: Anti-Evidence Eliminator messages, have they reached a burn-out po (Roger Fleming)
  Re: Some dumb questions (Jim Gillogly)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Geoff Lane)
  Re: help for rc5 cryptanalysis (Simon Johnson)
  Re: help for rc5 cryptanalysis (Simon Johnson)
  Re: Random IV Generation (Jerry Coffin)
  Re: help for rc5 cryptanalysis (Mark Wooding)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Multiple encryptions
Date: 09 Jun 2000 08:12:17 EDT

AllanW wrote:
>
>
>We have some encryption program E, and we use it whenever
>we send messages to each other. E is meant to take any
>plaintext (even non-printable data) and encrypt it, to
>transmit it safely to other sites. E identifies the
>encrypted data with a brief cleartext message at the
>start of its output, to allow the decryption engine to
>avoid trying to decrypt data that never was encrypted.
>Therefore, anyone that can intercept our messages already
>knows we use encryption program E.
>
>Secretly, we also have another encryption program D. It
>isn't public knowledge, but what we really do is take our
>data files and encrypt them with D. Then we take the D
>output and feed that into E. Programs D and E know
>nothing of each other; each is meant to be used as a
>stand-alone encryption engine. D also appends some
>cleartext at the beginning of its output, but of course
>E encrypts that so our use of D is *mostly* a secret.
>
>I've heard that this hypothetical case is a bad idea, and
>not just because of any false sense of security. Someone I
>respect tells me that the result is actually LESS secure
>than using either D or E alone.
>
>How can this be?

Let's look at the degenerate cases:

Assume that D and E are the exact same stream cipher with
the same key, salt, etc., each of which uses XOR to encrypt.
In that case, they undo each other.  So clearly you can't say
that multiple encryption never decreases security.

Now assume that D and E are OTP ciphers with different random
keys, again using XOR to encrypt.  In that case, you have
increased your security by exactly zero.    So clearly you
can't say that multiple encryption always increases security.

Now assume that D and E are unrelated and hard (but not
impossible) to break.  Your security is greatly increased
in this case.   So clearly you can't say that multiple
encryption never increases security.

Now for the $64,000 question:  Are you ABSOLUTELY SURE that the
two methods are not related in some subtle way?  Has the combo
of D then E been subjected to the sophisticated attacks and
extensive analysis that E alone has survived?
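
The first two degenerate cases above, worked through in code. This is an added example, not code from the original post: D and E are modelled as XOR stream ciphers driven by a toy SHA-256 counter keystream, which is an assumption standing in for whatever D and E really are. It also generalises the second case to any number of independent XOR layers, which collapse to one layer because XOR is associative.

```python
"""Composing XOR stream ciphers: the degenerate cases from the post above.

Added example, not from the original post.  The keystream generator is a
toy (SHA-256 in counter mode) assumed for the demo; it stands in for the
real D and E, whatever they are.
"""
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), truncated to length."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One XOR stream-cipher layer (encrypt and decrypt are the same operation)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def compose(layers, data: bytes) -> bytes:
    """Apply D, then E, ...: each layer encrypts the previous layer's output."""
    for key, nonce in layers:
        data = xor_layer(key, nonce, data)
    return data


def same_key_twice_cancels(plaintext: bytes) -> bool:
    """Case 1: D == E with identical key and nonce.  The second layer undoes
    the first, so the 'double encryption' transmits the plaintext in clear."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return compose([(key, nonce), (key, nonce)], plaintext) == plaintext


def independent_layers_equal_one_layer(plaintext: bytes, n_layers: int = 2) -> bool:
    """Case 2: D and E (or any number of layers) with independent keys.  The
    stack is exactly one XOR layer whose keystream is the XOR of all the
    per-layer keystreams: two OTPs are one OTP, no stronger."""
    layers = [(secrets.token_bytes(32), secrets.token_bytes(16)) for _ in range(n_layers)]
    stacked = compose(layers, plaintext)
    combined = bytes(len(plaintext))
    for key, nonce in layers:
        combined = bytes(a ^ b for a, b in zip(combined, keystream(key, nonce, len(plaintext))))
    single = bytes(p ^ k for p, k in zip(plaintext, combined))
    return stacked == single


if __name__ == "__main__":
    msg = b"letters to Grandmother, and the output of D"   # constructed sample
    print("same key twice is the identity:", same_key_twice_cancels(msg))
    print("two independent layers == one layer:", independent_layers_equal_one_layer(msg))
    print("five independent layers == one layer:", independent_layers_equal_one_layer(msg, 5))
```

The third case (two unrelated, hard-to-break ciphers) has nothing to demonstrate in code; the point of the first two is that "layering" buys nothing unless you have analysed the combination, not just the parts.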










------------------------------

From: Paul Shirley <[EMAIL PROTECTED]>
Reply-To: Paul Shirley <[EMAIL PROTECTED]>
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Fri, 9 Jun 2000 13:02:23 +0100

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <[EMAIL PROTECTED]> writes
>Yes. In fact your proposal coincides with the details of an
>implementation I had in mind, which takes cares of all
>eventualities, including a possible black-out of oneself. One uses
>a pseudo-random generator to create a hex stream to xor with a
>(constant or seldom changing -- for convenience) text from a book
>and one puts the (session dependent, arbitrary) seed used for the
>generator, also in hex, at the front or the back of that. When the
>law enforcement asks for the key, pull out the code of the generator
>and laconically tell them that the fervently wished-for key is already
>there in those mysterious looking lines.

Bad idea. If there's any message in there it's an encrypted message and
RIP will apply. With no message and the ability to prove that if
required, you have a better defence (RIP won't be relevant) and more
options for 'wasting police time'. 

-- 
Paul Shirley: reply address may change at short notice.
cc'ed news posts *unwelcome*

------------------------------

From: "Stanley" <[EMAIL PROTECTED]>
Subject: help for rc5 cryptanalysis
Date: Fri, 9 Jun 2000 13:41:04 +0100

Hi
I know there are many experts in this group. Could anyone help me out on
cryptanalysis of rc5, with just 8 rounds without any rotations? A hint of
how to break it will be great. Thanks in advance.

Stanley




------------------------------

From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: My lastest paper on Block Ciphers
Date: Fri, 09 Jun 2000 12:25:33 GMT

In article <[EMAIL PROTECTED]>,
  tomstd <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>, "Sam Simpson"
> <[EMAIL PROTECTED]> wrote:
> >The "Starmath" font you use for mathematical symbols is not a
> >standard font supplied with Windows/Office - perhaps you could
> either
> >embed the font or use a portable document format (ps / pdf?).
> >
> >Apart from that, the paper is an interesting and generally well
> >written piece.
> >
>
> I have never "embeded" a font before, but I will look into it.
>
> Sorry about the mess.
>
> Tom
>
> * Sent from RemarQ http://www.remarq.com The Internet's Discussion
Network *
> The fastest and easiest way to search and participate in Usenet -
Free!
>
>

Well, rather than moaning about trivial portability issues, I downloaded
Word View from softseek.com.

From what I've read it's really very good. I'm sure there is a wealth of
knowledge in there for when I take a closer look.

Just one tip:

For completeness, make sure you leave no 'crypto' lingo undescribed.
e.g. round, Feistel network (although you describe who made it, you don't
describe what it is).

--
Hi, I'm the signature virus,
help me spread by copying me into your signature file.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: ZKPs in practice?
Date: Fri, 09 Jun 2000 17:49:32 +0300

Mark Wooding wrote:

> > Are you sure?  Schnorr signatures are fundamentally based on the DL
> > problem; in fact, there's hardly any difference between Schnorr and
> > Nyberg-Rueppel signatures.
>
> HAC, section 10.4.4 describes an identification protocol due to Schnorr
> very similar to his signature algorithm.  It's not actually zero-
> knowledge, but does have some useful properties.
>
> -- [mdw]

The idea is to take a three-move identification protocol (like Schnorr's
own), and instead of choosing the second message c randomly, hash c over the
first message and the message m.
The Schnorr signature scheme is secure in the 'ideal' world (random oracle +
generic model); nobody yet has a proof that it does something useful in the
real world (j/k). :-) Anyway, it is not expected to be a ZKP.

Helger Lipmaa
http://www.tcm.hut.fi/~helger
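
The construction Helger describes, as an added example (not code from the original post or from HAC): the three-move Schnorr identification protocol, an honest-verifier simulator showing why its transcripts prove nothing on their own, and the signature obtained by replacing the verifier's random c with a hash of the first message t and the message m. The group parameters p = 1019 = 2q + 1, q = 509, g = 4 (order q) are tiny teaching values chosen here; real use needs a 2048-bit-plus prime or an elliptic-curve group.

```python
"""Schnorr identification and the signature obtained by hashing the challenge.

Added example, not from the original post.  The group is a tiny teaching
subgroup chosen here (assumption): p = 1019 = 2q + 1, q = 509, g = 4 has
order q in Z_p^*.  Real deployments use a far larger group.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, 1 <= x < q
    return x, pow(G, x, P)                    # public key y = g^x mod p


# Three-move identification: commit, challenge, respond.
def prover_commit():
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)                    # move 1: t = g^k mod p


def verifier_challenge():
    return secrets.randbelow(Q)               # move 2: c chosen at random


def prover_respond(x, k, c):
    return (k + c * x) % Q                    # move 3: s = k + c*x mod q


def verifier_check(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P   # accept iff g^s == t * y^c


def identify(x, y):
    k, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(x, k, c))


def simulate_transcript(y):
    """Honest-verifier simulator: choose c and s first, then t = g^s * y^-c.
    The transcript verifies although no private key was used, so a transcript
    by itself convinces nobody; that is the useful property the protocol has
    without being fully zero-knowledge."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P
    return t, c, s


# Signature: the verifier's random c becomes H(t || m) mod q.
def challenge_hash(t, m):
    h = hashlib.sha256(t.to_bytes(2, "big") + m).digest()
    return int.from_bytes(h, "big") % Q


def sign(x, m):
    k, t = prover_commit()
    c = challenge_hash(t, m)
    return c, prover_respond(x, k, c)


def verify(y, m, sig):
    c, s = sig
    t = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P     # recover t = g^s * y^-c
    return challenge_hash(t, m) == c


if __name__ == "__main__":
    x, y = keygen()
    print("identification accepted:", identify(x, y))
    print("simulated transcript accepted:", verifier_check(y, *simulate_transcript(y)))
    sig = sign(x, b"hello sci.crypt")
    print("signature verifies:", verify(y, b"hello sci.crypt", sig))
    print("altered message verifies:", verify(y, b"hello sci.crypt!", sig))
```

With q this small a forged signature passes by chance about once in 509 tries; the structure is the same at real sizes, where that chance is negligible.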



------------------------------

Crossposted-To: comp.security.pgp.discuss
From: [EMAIL PROTECTED] (Roger Fleming)
Subject: Re: ANNC: IECrypt
Date: Fri, 09 Jun 2000 11:47:19 GMT

 Ryan Phillips <[EMAIL PROTECTED]> wrote:
>
>[...]  For some reason Netscape will default to using RC4.[...]

It's probably because RC4 is much, much faster than 3DES.

------------------------------

From: jkauffman <[EMAIL PROTECTED]>
Subject: Re: Multiple encryptions
Date: Fri, 09 Jun 2000 05:37:35 -0700

In article <8hqmv1$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Guy Macon) wrote:

> Let's look at the degenerate cases:
> Assume that D and E are the exact same stream cipher with
> the same key, salt, etc., each of which uses XOR to encrypt.
> In that case, they undo each other.  So clearly you can't say
> that multiple encryption never decreases security.
> Now assume that D and E are OTP ciphers with different random
> keys, again using XOR to encrypt.  In that case, you have
> increased your security by exactly zero.  So clearly you
> can't say that multiple encryption always increases security.
> Now assume that D and E are unrelated and hard (but not
> impossible) to break.  Your security is greatly increased
> in this case.  So clearly you can't say that multiple
> encryption never increases security.
> Now for the $64,000 question:  Are you ABSOLUTELY SURE that the
> two methods are not related in some subtle way?  Has the combo
> of D then E been subjected to the sophisticated attacks and
> extensive analysis that E alone has survived?

But surely if the combination of D & E is weaker than either alone
then D represents the first stage of a cryptanalytic attack
on E. And if D was developed independently of E then this
attack would be by pure chance.
Another way of looking at it is that if E is a secure cipher
it must be secure no matter what the input. This includes
normal ASCII text, bitmaps, letters to Grandmother and the
output of D. If its security can be compromised by choosing
certain inputs then it is not a good cipher.



* Sent from AltaVista http://www.altavista.com Where you can also find related Web 
Pages, Images, Audios, Videos, News, and Shopping.  Smart is Beautiful

------------------------------

Date: Fri, 09 Jun 2000 09:20:26 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting

Greg wrote:

> > Scary, isn't it? that's why I say the heck
> > with voting, let's just have a Monarchy!
> > That protocol is quite secure!
>
> What do you think of this government structure:
>
> A senate composed of one senator for every ten million people.  That
> would be like a senate of 26 senators today and the elections would
> have nothing to do with states or state boundaries.
>
> Everyone votes for their top five candidates from a national pool of
> any number of candidates for the senate and the 26 with the greatest
> number of votes go to the senate on Jan 1 the following year until Dec
> 31 that same year - a one year term.  After one runs for office, win or
> lose, they are forever barred from running again.  That solves a lot of
> problems with career politicians and special interests trying to get
> them to make good on deals.  They are barred from such future paybacks.
>
> The senate has only one purpose for existence - to vote on which of
> them will become the next president for a single term up to 10 years
> AND to exercise the power if necessary of immediately removing the
> president for any reason they feel warrants his removal - any at all.
> Popular opinion can lead them to do so even if the guy is legal.
>
> And once the president has been removed or completed his full term, he
> is barred from running for any federal office as well.
>
> Since the president is where the power rests, he can do anything other
> than violate the CONSTITUTION.  That is, he cannot strip a person of
> their rights that are spelled out in the constitution.  However,
> because he has no need to negotiate with anyone regarding budgets,
> policies, etc., everyone knows where the buck stops ON EVERYTHING.
> There is NO BLAMING THE CONGRESS or the other party for this or that!
>
> Talk about accountability!  No more of these shell games with who did
> what and why we can't work together, etc.
>
> Personally, I would like to give this a 20 year shot to see what
> problems it might pose for a republic.

This is completely off topic.

One of the problems such a system causes is instability.  A stable system
requires a degree of hysteresis so that small oscillations in voter sentiment
do not produce large changes in the government.  This is one reason that it
takes a higher percentage to remove an official than to elect him.

Another problem with similar systems is that there is no practical limit to
the power of the executive.  It is much like a monarchy in which everyone
knows who is accountable (the king), and what his duties are (to protect the
subjects), but there is no mechanism by which a tyrannical king can be removed
if he keeps his small constituency (classically the nobles; your senate)
happy.

The worst problem with this style of government is that it tends to be a
popular democracy.  All such systems become oppressive due to "the tyranny of
the majority".


------------------------------

From: dexMilano <[EMAIL PROTECTED]>
Subject: Encoding 56 bit data ---HELP---
Date: Fri, 09 Jun 2000 12:58:51 GMT

Is there some good algorithm for coding 7 bytes into 7 bytes using a master key?

I thought about variable length and cipher but I can't find any good
source to study.

thx

dex



------------------------------

Date: Fri, 09 Jun 2000 09:23:44 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting

Virgil wrote:

> In article <8hpguo$u8t$[EMAIL PROTECTED]>, Greg <[EMAIL PROTECTED]>
> wrote:
>
> >Tyranny is kept at bay by guns and will.  Our government
> >knows we have the guns, but they don't know if we have
> >the will.  Nor do we.
> >The only lawful gun law on the books- the second amendment.
>
> Every modern tyranny is enforced by guns and will.
>
> Whether the possession of guns suppports freedom or tyranny depends on
> the will of the gunners. Since the will of the gunners in this country
> is to force their views on a disagreeing majority, they are supporting
> tyranny.
>
> Their leader seems to have  given up the role of Moses to take up the
> role of Julius Caesar.

Where is Silverman's tag line when you need it?


------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: XTR independent benchmarks
Date: 09 Jun 2000 13:20:57 GMT

Regarding NIST curves, the document tells you how they map to AES key sizes. 
As for AES key sizes, some say 128 bits will always be enough, some say to
always use 256 bits (e.g., Ross Anderson at AES3) and some are in between.  And
I think the changes to SHA0 to make it SHA-1 show the fundamental integrity of
NIST.

I guess it is a matter of perception.  To say that perception can be affected
by economic interest is like: DUH!  But remember that potential exists in
everyone.  I hope I am a crypie first and an employee second.
Don Johnson

------------------------------

Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
From: [EMAIL PROTECTED] (Roger Fleming)
Subject: Re: Anti-Evidence Eliminator messages, have they reached a burn-out po
Date: Fri, 09 Jun 2000 12:25:22 GMT

 [EMAIL PROTECTED] wrote:
>On 29 May 2000 00:57:09 -0500, James K <[EMAIL PROTECTED]> wrote:
>
>>This is more bullshit SPAM, posted by the dickhead who is pushing that
>>piece of crap EE.
>>
>
>Please justify your statement.
>
>We look forward to your justification.

Dejanews suggests that the Joe's bar address has never been used on usenet 
before coming in to support [EMAIL PROTECTED] on this thread, and since then 
has not been used for any other purpose. Reasonable circumstantial evidence 
that it was made up for that very purpose. While not absolute proof, it is the 
strongest proof possible under the circumstances.

Dear support: please note that your efforts here are counter-productive. You 
really should not be posting on sci.crypt at all, but if you must, I recommend 
that you confine yourself to purely technical matters. Non-technical matters - 
even such issues as user friendliness - do not belong in this group.

Note followups.

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Some dumb questions
Date: Fri, 09 Jun 2000 13:29:34 +0000

Mok-Kong Shen wrote:
> from other viewpoints, e.g. operating expenses/difficulties. (To
> avoid flames from other readers due to misunderstanding, let me
> repeat that I don't 'recommend' or 'propose' using n-OTP with
> frequency flattening as described above and that I am in fact not
> even sympathetic to OTP as such.)

Why, then, did you restart this discussion?  Trying to help somebody
out who was trying to breathe new life into the rotting corpse of
a dead system seemed like a worthy goal, but wanking around with
something <nobody> believes in seems like a waste of time.  I'm out
of this one.
-- 
        Jim Gillogly
        20 Forelithe S.R. 2000, 13:25
        12.19.7.5.0, 13 Ahau 3 Zotz, First Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Geoff Lane)
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Fri, 9 Jun 2000 12:47:55 +0100

In article <00060822343501.05489@odin>,
        Chris Ward <[EMAIL PROTECTED]> writes:
> Of course "they" can then confiscate everything in sight in the hope of
> discovering an appropriate key, and a passphrase to go with it.  But you're
> already in chokey.

Should be fun when they discover someone using the encrypted inter-bank fund
transfer system to pass messages, about money laundering, between two
countries.  That should test the bill to destruction :-)

-- 
/\ Geoff. Lane. /\ Manchester Computing /\ Manchester /\ M13 9PL /\ England /\

Pound forehead on keyboard to continue.

------------------------------

From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: help for rc5 cryptanalysis
Date: Fri, 09 Jun 2000 13:41:54 GMT

In article <8hqog1$q94$[EMAIL PROTECTED]>,
  "Stanley" <[EMAIL PROTECTED]> wrote:
> Hi
> I know there are many experts in this group. Could anyone help me out on
> cryptanalysis of rc5, with just 8 rounds without any rotations? A hint of
> how to break it will be great. Thanks in advance.
>
> Stanley
>
>
Right, the function without shifts is (^ is XOR, all arithmetic mod 2^32):

    for i = 1 to r:
        A = (A ^ B) + S_{2i}
        B = (B ^ A) + S_{2i+1}

For a start:
If we look at it without the addition:

I will call X = (A ^ B)
So:
    A = X + S_{2i}    mod 2^32
    B = X + S_{2i+1}  mod 2^32

It is clear this isn't secure. With two known plaintexts, you can
recover the two key schedule values (and therefore the cipher). How to
extend this to more rounds I am unsure.

Is this correct?
--
Hi, I'm the signature virus,
help me spread by copying me into your signature file.



------------------------------

From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: help for rc5 cryptanalysis
Date: Fri, 09 Jun 2000 13:43:41 GMT

In article <8hqog1$q94$[EMAIL PROTECTED]>,
  "Stanley" <[EMAIL PROTECTED]> wrote:
> Hi
> I know there are many experts in this group. Could anyone help me out on
> cryptanalysis of rc5, with just 8 rounds without any rotations? A hint of
> how to break it will be great. Thanks in advance.
>
> Stanley
>
>
Right, the function without shifts is (^ is XOR, all arithmetic mod 2^32):

    for i = 1 to r:
        A = (A ^ B) + S_{2i}
        B = (B ^ A) + S_{2i+1}

For a start:
If we look at it without the addition:

I will call X = (A ^ B)
So:
    A = X + S_{2i}    mod 2^32
    B = X + S_{2i+1}  mod 2^32

It is clear this isn't secure. With two known plaintexts, you can
recover the two key schedule values (and therefore the cipher).

How to extend this to more rounds I am unsure. Any offers?
And more importantly, is this correct?
--
Hi, I'm the signature virus,
help me spread by copying me into your signature file.



------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Random IV Generation
Date: Fri, 9 Jun 2000 07:53:45 -0600

In article <8hpb0c$q1i$[EMAIL PROTECTED]>, sarnold_intertrust@my-deja.com says...

[ ... ] 

> A strong IV will help prevent dictionary attacks. A weak one (such as
> the pathological case of "none") provides no help against dictionary
> attacks.

This doesn't seem to make a lot of difference under normal 
circumstances.  Keep in mind that the opponent doesn't have to guess 
at the IV at all: it's normally transmitted along with the message.

The only difference I can see from an easy-to-guess IV would be in 
timing: the opponent can begin his dictionary attack at the point 
that he knows (or can guess) the IV.  In a tactical situation, this 
might make a difference: if the opponent can begin the attack before 
you send the message, he can recover text very quickly when the 
message is actually sent.  If he can't start until you send the 
message, this imposes a somewhat longer delay.

OTOH, this really only allows him to recover the first block of your 
message anyway, so it's somewhat open to question how much difference 
it makes.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.
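
The timing point Jerry makes, as an added example (not code from the original post): a dictionary attack against a passphrase-keyed first CBC block needs the IV to build its table, so with a fixed IV the table exists before the message is sent and recovery is one lookup when it arrives, while with a random IV the same work cannot start until the IV is seen. Stand-ins assumed for the demo: the block function E_K is HMAC-SHA256 truncated to one block, the KDF is a single SHA-256 of the passphrase, and the dictionary, passphrase and guessable plaintext header are constructed here. AES-CBC behaves the same way for block 0, which is the only block this attacker touches.

```python
"""Dictionary attack on the first CBC block, fixed IV versus random IV.

Added example, not from the original post.  Toy stand-ins assumed for the
demo: E_K = HMAC-SHA256 truncated to BLOCK bytes, KDF = SHA-256(passphrase),
and a constructed dictionary and plaintext header.
"""
import hashlib
import hmac
import secrets

BLOCK = 16


def kdf(passphrase: bytes) -> bytes:
    return hashlib.sha256(passphrase).digest()             # toy KDF (assumption)


def block_fn(key: bytes, block: bytes) -> bytes:
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]   # toy E_K (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def first_cbc_block(passphrase: bytes, iv: bytes, p0: bytes) -> bytes:
    """C_0 = E_K(IV xor P_0) with K derived from the passphrase."""
    return block_fn(kdf(passphrase), xor(iv, p0))


def precompute_table(iv: bytes, p0_guess: bytes, dictionary) -> dict:
    """Offline phase: C_0 for every dictionary word.  It needs the IV, so with
    a fixed IV it can be built before any message exists."""
    return {first_cbc_block(pw, iv, p0_guess): pw for pw in dictionary}


def online_lookup(table: dict, c0: bytes):
    """Online phase: one hash-table lookup per intercepted message."""
    return table.get(c0)


DICTIONARY = [b"password", b"letmein", b"hunter2", b"correct horse", b"sci.crypt"]
HEADER = b"-----BEGIN PGP M"        # constructed: a guessable 16-byte first plaintext block


def attack_fixed_iv(passphrase: bytes, dictionary=DICTIONARY, header=HEADER):
    """The pathological IV 'none' (all zeros): the table is ready before the
    message goes out, so recovery is a single lookup when it arrives."""
    iv = bytes(BLOCK)
    table = precompute_table(iv, header, dictionary)      # before transmission
    c0 = first_cbc_block(passphrase, iv, header)          # message is sent
    return online_lookup(table, c0)


def attack_random_iv(passphrase: bytes, dictionary=DICTIONARY, header=HEADER):
    """Random IV sent in the clear: same dictionary, same amount of work, but
    none of it can start until the IV arrives with the message."""
    iv = secrets.token_bytes(BLOCK)
    c0 = first_cbc_block(passphrase, iv, header)          # message is sent, IV in clear
    table = precompute_table(iv, header, dictionary)      # work starts only now
    return online_lookup(table, c0)


def stale_table_misses(passphrase: bytes, dictionary=DICTIONARY, header=HEADER) -> bool:
    """A table built for one IV is useless against a message under another."""
    table = precompute_table(bytes(BLOCK), header, dictionary)
    c0 = first_cbc_block(passphrase, secrets.token_bytes(BLOCK), header)
    return online_lookup(table, c0) is None


if __name__ == "__main__":
    print("fixed IV, precomputed table:", attack_fixed_iv(b"hunter2"))
    print("random IV, table built after interception:", attack_random_iv(b"hunter2"))
    print("table for the wrong IV misses:", stale_table_misses(b"hunter2"))
```

Both attacks succeed against a dictionary passphrase; the random IV only moves the table-building work from before the message to after it, which is exactly the "somewhat longer delay" in the post.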

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: help for rc5 cryptanalysis
Date: 9 Jun 2000 14:05:04 GMT

Stanley <[EMAIL PROTECTED]> wrote:

> I know there are many experts in this group. Could anyone help me out
> on cryptanalysis of rc5, with just 8 rounds without any rotations? A
> hint of how to break it will be great. Thanks in advance.

Just to check: the round function, on a pair of words (x, y), is

  x = (x ^ y) + k_{2r}
  y = (y ^ x) + k_{2r+1}

The key schedule, I'll assume, is ideal, so the k_i are random and
independent.

First observation: a plaintext/ciphertext pair will leak the parity of
the least significant bits of the round keys.  You can guess the bottom
bits, and check your guess by trying more significant bits.  This is
actually quite a lot of work: there are 16 round key bits to guess at
each stage, although by looking carefully you can work out one of the
bits from the other 15.

Second observation: there's a family of three-round differential
characteristics with probability 1/16.  As Knudsen et al. observe in the
analysis of RC2, the actual differentials occur with higher probability,
because the characteristics focus too much on intermediate results.  You
can have a good guess at the last two round keys after about 8000 chosen
plaintext pairs.

Finally: the biggest problem I see with analysing this cipher is the
large number of equivalent and nearly-equivalent keys there are.  You
need a lot of plaintext in order to verify that a key guess consistent
with one known plaintext actually works with others.

-- [mdw]
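
A runnable model of the rotation-free round function discussed in Simon Johnson's two posts and in Mark's reply, as an added example (not code from any of the posters). It covers the single-round key recovery Simon sketches (one known plaintext/ciphertext pair solves both round keys directly; further pairs confirm the answer), the low-bit parity leak of Mark's first observation, and one concrete family of the equivalent keys in his last paragraph: flipping bit 31 of any three consecutive round keys k_j, k_{j+1}, k_{j+2} leaves every ciphertext unchanged, because no carry ever leaves the top bit. Assumed to match the round function as Mark wrote it: 32-bit words and an ideal key schedule (independent random round keys; RC5's key expansion and its S[0], S[1] pre-whitening are left out). The differential characteristics are not reproduced here.

```python
"""Rotation-free RC5 (32-bit words, r rounds, round keys k[0..2r-1]).

Added example, not code from any of the posters.  Assumptions: an ideal key
schedule (the round keys are independent random words) and no pre-whitening,
to match the round function as written in the thread.
"""
import secrets

MASK = 0xFFFFFFFF           # 32-bit words


def round_fn(x, y, k0, k1):
    x = ((x ^ y) + k0) & MASK
    y = ((y ^ x) + k1) & MASK
    return x, y


def encrypt(x, y, keys):
    for r in range(len(keys) // 2):
        x, y = round_fn(x, y, keys[2 * r], keys[2 * r + 1])
    return x, y


def decrypt(x, y, keys):
    for r in reversed(range(len(keys) // 2)):
        y = ((y - keys[2 * r + 1]) & MASK) ^ x      # undo the second half-round
        x = ((x - keys[2 * r]) & MASK) ^ y          # then the first
    return x, y


def recover_one_round_keys(pt, ct):
    """One round has no diffusion to hide behind: a single known pair gives
    both round keys by subtracting the XORed inputs."""
    x, y = pt
    cx, cy = ct
    k0 = (cx - (x ^ y)) & MASK
    k1 = (cy - (y ^ cx)) & MASK
    return [k0, k1]


def attack_one_round(pairs):
    """Solve from the first pair, let every further pair confirm it (the
    second known plaintext of the post).  None if the pairs are inconsistent."""
    keys = recover_one_round_keys(*pairs[0])
    for pt, ct in pairs[1:]:
        if encrypt(*pt, keys) != ct:
            return None
    return keys


def lsb_parity_leak(pt, ct, rounds):
    """Bit 0 never receives a carry, so for any number of rounds
    LSB(ciphertext) = L(LSB(plaintext)) XOR (parity of round-key LSBs).
    Subtracting the key-free part L (encryption under all-zero keys)
    leaves the two leaked key parities."""
    zx, zy = encrypt(pt[0], pt[1], [0] * (2 * rounds))
    return (ct[0] ^ zx) & 1, (ct[1] ^ zy) & 1


def key_lsb_parity(keys):
    """The same two bits from the key alone: per round a = a^b^p, b = a^p^q
    starting from a = b = 0, where p, q are that round's key LSBs."""
    a = b = 0
    for r in range(len(keys) // 2):
        p, q = keys[2 * r] & 1, keys[2 * r + 1] & 1
        a, b = a ^ b ^ p, a ^ p ^ q
    return a, b


def msb_equivalent_key(keys, j):
    """Flip bit 31 of k_j, k_{j+1}, k_{j+2}.  The flipped top bit of the word
    computed with k_j is XORed into exactly the next two words, where the
    other two flips cancel it; no carry leaves bit 31, so every plaintext
    encrypts identically under both keys."""
    assert j + 2 < len(keys)
    eq = list(keys)
    for i in (j, j + 1, j + 2):
        eq[i] ^= 1 << 31
    return eq


if __name__ == "__main__":
    rounds = 8
    keys = [secrets.randbits(32) for _ in range(2 * rounds)]
    pt = (0xCAFEBABE, 0x00C0FFEE)                      # constructed sample block
    ct = encrypt(*pt, keys)
    assert decrypt(*ct, keys) == pt
    print("leaked key-LSB parities:", lsb_parity_leak(pt, ct, rounds),
          "from key:", key_lsb_parity(keys))
    print("equivalent key encrypts the same:", encrypt(*pt, msb_equivalent_key(keys, 5)) == ct)
    one = keys[:2]
    pairs = [(p, encrypt(*p, one)) for p in (pt, (1, 2))]
    print("one-round keys recovered:", attack_one_round(pairs) == one)
```

The parity leak is the base case of the bit-by-bit guessing Mark describes: bit j of every word depends only on bits 0..j of the inputs and keys, so key bits can be guessed from the bottom up and checked at the next position. The equivalent-key family shows why that check needs many known pairs: whole classes of keys produce identical ciphertexts for every input.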

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
