Cryptography-Digest Digest #656, Volume #12 Mon, 11 Sep 00 15:13:01 EDT
Contents:
ECC 2000 (Alfred John Menezes)
Re: Getting Started, advice needed (FAQs , yes I read them) (Andy C)
Re: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks (Yiorgos Adamopoulos)
Re: Getting Started, advice needed (FAQs , yes I read them) (Andy C)
Re: Getting Started, advice needed (FAQs , yes I read them) (Andy C)
Re: Capability of memorizing passwords (Mok-Kong Shen)
Re: Camellia, a competitor of AES ? (Mok-Kong Shen)
Re: ExCSS Source Code ("David C. Barber")
Re: ExCSS Source Code ("David C. Barber")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: ECC 2000
Date: 11 Sep 2000 17:18:28 GMT
==============================================================================
THE 4TH WORKSHOP ON ELLIPTIC CURVE CRYPTOGRAPHY (ECC 2000)
University of Essen, Essen, Germany
October 4, 5 & 6 2000
ECC 2000 is the fourth in a series of annual workshops dedicated to the
study of elliptic curve cryptography and related areas. The main themes
of ECC 2000 will be:
- The discrete logarithm and elliptic curve discrete logarithm problems.
- Provably secure discrete log-based cryptographic protocols for
encryption, signatures and key agreement.
- Efficient software and hardware implementation of elliptic curve
cryptosystems.
- Deployment of elliptic curve cryptography.
It is hoped that the meeting will encourage and stimulate further
research on the security and implementation of elliptic curve
cryptosystems and related areas, and encourage collaboration between
mathematicians, computer scientists and engineers in the academic,
industry and government sectors.
There will be 17 invited lectures (and no contributed talks), with the
remaining time used for informal discussions. There will be both survey
lectures as well as lectures on latest research developments.
SPONSORS:
Certicom Corp.
Communications and Information Technology Ontario
CV Cryptovision
Forschungsverbund Datensicherheit (Minist. SWWF, NRW)
Infineon
MasterCard International
Metris
Mondex International Limited
Siemens AG
University GH Essen
University of Waterloo
ORGANIZERS:
Gerhard Frey (University of Essen)
Steven Galbraith (University of Essen)
Alfred Menezes (University of Waterloo)
Scott Vanstone (University of Waterloo)
SPEAKERS:
Jan Camenisch (IBM Zurich, Switzerland)
Ronald Cramer (BRICS, Denmark)
Claus Diem (University of Essen, Germany)
Pierrick Gaudry (LIX, France)
Erwin Hess (Siemens, Germany)
Ansgar Heuser (BSI, Germany)
Neal Koblitz (University of Washington, USA)
Robert Lambert (Certicom Corp., Canada)
Arjen Lenstra (Citibank, USA)
Peter Montgomery (Microsoft Research, USA)
Christof Paar (Worcester Polytechnic Institute, USA)
Phil Rogaway (University of California at Davis, USA)
Takakazu Satoh (Saitama University, Japan)
Ernst Schulte-Geers (BSI, Germany)
Igor Semaev (Moscow, Russia)
Nigel Smart (University of Bristol, UK)
Scott Vanstone (University of Waterloo, Canada)
CONFERENCE PROGRAMME
There will be seventeen invited lectures. All lectures will be held on
the campus of the University of Essen. The titles of the lectures are:
Camenisch      Group Signature and Identity Escrow Schemes
Cramer         Secure Homomorphic Multi-Party Computation: Efficient
               Constructions from Homomorphic Threshold Encryption and
               Applications to Secure Distributed Linear Algebra
Diem           Galois Theory and the DL-Problem
Gaudry         Hyperelliptic Curve Discrete Logarithms
Hess           Aspects of Public-Key Cryptosystems in Practice
Heuser         Public Key Cryptography from the Point of View of a
               National InfoSec Agency
Koblitz        Miracles of the Height Function - A Golden Shield
               Protecting ECC
Lambert        Block Architectures for Cryptographic Hardware
Lenstra        The XTR Public-Key System
Montgomery     Parallel Block Lanczos
Paar           Reconfigurable Hardware in Modern Cryptography
Rogaway        Stopping Dictionary Attacks
Satoh          Canonical Lifting of Elliptic Curves and p-Adic Point
               Counting -- Theoretical Background
Schulte-Geers  Collision Search in a Random Mapping: Some Asymptotic
               Results
Semaev         Discrete Logarithms in Prime Finite Fields for Special
               Moduli
Smart          Recent Work on Weil Descent
Vanstone       The Past Fifteen Years of Public-Key Cryptography
=================================================================
                 Wednesday        Thursday         Friday
=================================================================
 8:00- 9:30      Registration
 9:30-10:20      Heuser           Vanstone         Hess
10:50-11:40      Lenstra          Camenisch        Rogaway
12:00-12:50      Semaev           Cramer           Satoh
                             L U N C H
14:00-14:50      Gaudry           Lambert          Koblitz
15:20-16:10      Smart            Paar
16:30-17:20      Diem             Montgomery
17:30-18:20      Schulte-Geers
                             RECEPTION
20:00                        BANQUET
=================================================================
REGISTRATION
There will be a registration fee this year of DM 200 or $ 100 US
(DM 100 or $ 50 US for students). PLEASE REGISTER AS SOON AS POSSIBLE
AS SPACE IS LIMITED FOR THIS WORKSHOP; REGISTRATION IS ON A
FIRST-COME FIRST-SERVE BASIS. To register, complete, in full, the
attached REGISTRATION FORM and return it
by e-mail to: [EMAIL PROTECTED]
by mail to: Ms. Karin Rufaut
Institute for Experimental Mathematics
Ellernstrasse 29
45326 Essen
Germany
Phone: +49/201/183-7656(7649)
========================cut from here=================================
ECC 2000 CONFERENCE REGISTRATION FORM
Fullname:
_________________________________________________________
Affiliation:
_________________________________________________________
Address:
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
E-Mail Address:
_________________________________________________________
Telephone #:
_________________________________________________________
Mark your choice:
Registration Fee: DM 200 / $ 100 US
Student Registration Fee: DM 100 / $ 50 US
(Registration Fee Includes Banquet)
Attending Banquet: Yes / No Vegetarian: Yes / No
Extra Guest Banquet Fee: DM 50 / $ 25 US
Guest Vegetarian: Yes / No
TOTAL REGISTRATION FEE: DM____ / $____ US
PAYMENT MUST BE MADE IN CASH ON ARRIVAL AT THE RECEPTION DESK.
Accommodation (please mark your choice)
( ) I would like to reserve a single room              DM 115 per night
    for ___ nights, from ___ to ___ October, 2000
    (please fill in the dates of arrival and departure).
( ) I would like to reserve a single room with a       DM 130 per night
    large bed ("grand lit") for ___ nights,
    from ___ to ___ October, 2000.
( ) I would like to reserve a double room for          DM 75 per person / per night
    ___ nights, from ___ to ___ October, 2000
    and I would like to share it with _________________ .
( ) I would like to reserve a bed in a double room     DM 75 per person / per night
    from ___ to ___ October, 2000 and I'm ready to
    share it with another participant of the conference.
( ) I don't need a hotel room.
The hotel bill should be paid directly at the hotel reception.
=========================cut from here===============================
TRAVEL
Essen is situated approximately 30 km from Duesseldorf International
Airport and about 250 km from Frankfurt Airport.
Participants should plan to arrive on October 3 to be able to attend
the lectures on Wednesday morning.
Duesseldorf Airport to Essen Hauptbahnhof (main station):
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
From any of the terminals take the free airport bus to
the train station (Flughafenbahnhof). From there you can
buy a "zone C" ticket for DM13 and you must remember to
validate (time stamp) the ticket before boarding the train.
There are plenty of trains from this station to Essen HBF.
The Zone C ticket is valid on S-Bahn, RE and IR trains.
If you take an Intercity train then you will have to pay
a higher fare but this can be bought from the conductor on
the train. Journey time from Duesseldorf airport to Essen
is 30-40 minutes.
Note that there is an airport in Moenchengladbach which is also
called "Duesseldorf airport" and which is served by a few smaller
airlines within Europe. One can also get to Essen from this airport
by using the S-bahn, but the journey time is longer (about 2 hours).
Frankfurt Airport to Essen Hauptbahnhof (main station):
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
There is a train (InterCity) which goes directly from Frankfurt/Main
Airport to "Essen Hauptbahnhof". There is one train an hour. The
journey takes approximately 3 hours and costs around DM 100.
An exact timetable for these (and other) trains can be found
at http://bahn.hafas.de/bin/detect.exe/bin/query.exe/en
Tickets may be purchased at the station or on the train.
Another possibility is to take the suburban train (S-Bahn) S8 to Mainz
and then change to an Essen train. For "InterCity" trains it is
necessary to pay a DM 7 supplement.
Essen Hauptbahnhof (main station) to the University of Essen:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
To walk from Essen Hauptbahnhof to the University of Essen takes
around 20-25 minutes. It is also possible to take the
underground train U11 direction "Universitaet Essen"
and get off at the "Universitaet Essen" stop. On the underground
it is necessary to buy a ticket in advance and validate (time stamp)
it either before entering the platform or immediately upon boarding
the train.
Maps of the region, city and university can be found at:
http://www.uni-essen.de/plan/
ACCOMMODATION
There is a limited block of rooms set aside on a first-come first-serve
basis at three mid-range hotels in Essen: "Korn's Hotel", "Europa"
and "Lindenhof". All three hotels are close to both the Essen main station
and the University of Essen and can easily be reached by public transport.
Breakfast is included. We ask you to make your hotel reservations with us.
In all three hotels, the price is DM 115 for a single room and DM 150 for
a double room. "Korn's Hotel" also has single rooms with a large
bed ("grand lit"), the price for these rooms is DM 130 per night. If you
prefer such a room, please indicate on the registration form. If all the
single rooms for DM 115 are booked out, we will automatically reserve
a single room with "grand lit" for DM 130 for you.
The addresses of the hotels and their exact location will be emailed to
registrants next week.
===========================================================================
------------------------------
Subject: Re: Getting Started, advice needed (FAQs , yes I read them)
From: [EMAIL PROTECTED] (Andy C)
Date: Mon, 11 Sep 2000 18:13:48 GMT
On 10 Sep 2000, [EMAIL PROTECTED] (Douglas A. Gwyn) spake in
<[EMAIL PROTECTED]>:
>on the key. That leaves just a loop that resembles a ciphertext
>autokey, initialized by a 32-bit "theKey". It would be fairly
>easy for an attacker to try all 2^32 possible theKey values until
>one that works is found.
That's what I thought - I was able to simply brute force the key, but let's
suppose the lifespan of the data was 2-3 minutes tops. That would require
either more resources than a standard home-user PC, or better technique. The
latter is what I'm trying to develop with the (very) appreciated help from
the folks here.
>If the words (including key) were wider,
>then a more clever attack would be required, but one ought to be
>possible since the algorithm is simple, consisting mainly of
>constant operations (two fixed rotations, two fixed additions).
Yes - this is what I'm trying to wrap my head around - what does it take to
actually break an algorithm.
>The << and >> are just used to obtain cyclic rotations of the word.
Good - I had figured as much, but being new, I was unsure as to any value to
odd swapping added. Swapping the upper 13 bits and then reswapping the upper
9 bits - I thought that maybe those particular splits (as opposed to even byte
values) may have had some significance. But other than obfuscation, I think
they are just there to tangle things up a little.
>There is no particular reason -26087 (+39449) was used instead of
>another constant with similarly nice bit pattern (1001101000011001).
Hmm - I did the 2's complement and it worked out rather odd. FFFF9A19, lots
of "1111" nybbles at the beginning, so the addition only seems to do the "bit
flipping" en masse for a rather large chunk of the data word. Is there any
weakness there - those FFFF places look rather tempting to be able to cut
down for key bit leaking, it has the effect of not doing much to a rather
large number of bits.
I read the stuff you guys post in here and feel so far behind. Thanks for the
help in getting my mind tuned on this problem.
------------------------------
From: [EMAIL PROTECTED] (Yiorgos Adamopoulos)
Crossposted-To: comp.security.misc,alt.security,talk.politics.crypto,us.legal
Subject: Re: (Jury Selection) Re: Carnivore article in October CACM _Inside_Risks
Date: 11 Sep 2000 18:18:48 GMT
Reply-To: [EMAIL PROTECTED]
In article <[EMAIL PROTECTED]>, Robert H. Risch wrote:
>Do the judges decide on which witnesses will be called in a crime case
>and question them first? Are witnesses allowed to tell their story in
No. The ``defendant'' starts by calling whoever s/he wants. Then the
prosecutor. The judge may re-examine whoever witness s/he wants.
>their own words before questions start? Am I correct that there are
>no juries when somebody is suing somebody else? Are there 4 judges
This is how civil cases are executed. Only penal code cases have
juries. I thought we were targeting them.
>then? How much of a restriction is put on what kinds of questions are
>allowed to be asked? Is there a difference in the kind of lawyer's
The judge is the judge on that :-)
>questions, based on whether the witness is considered to be friendly
>to the lawyer's point of view? Are lawyers allowed to interview
>non-expert witnesses before the trial?
Not ``hostile'' witnesses.
>I think the legal system in Greece has improved quite a bit since
>Plato's day. However the sophists (we call them shysters) are firmly
I think you are writing this because we condemned Socrates. Mistrials
happen all the time. Even with ``famous'' people. Socrates was against
the system and in some ways against the law. Since the law was not
changed, he was guilty (dura lex, sed lex). If you have the time,
please read Lysias. (he was a great non Athenian sophist who lived
in Athens). His work / speech ``On behalf of the weak'' shows the
strengths of the system (which was different since it applied to 50K
civilians, 100K immigrants without civil rights and 200K slaves).
>in control in the US system. Thanks for your information.
I do not know if they have an English version but http://www.lawnet.gr
could help :-)
------------------------------
Subject: Re: Getting Started, advice needed (FAQs , yes I read them)
From: [EMAIL PROTECTED] (Andy C)
Date: Mon, 11 Sep 2000 18:26:35 GMT
On 10 Sep 2000, [EMAIL PROTECTED] (Paul Pires) spake in
<U_Yu5.60123$[EMAIL PROTECTED]>:
>Why would anyone brute force the key. It seems to me that if
>you can be made to encrypt some known material at the
>beginning of a file, I get your key using only a pencil and
>paper.
Well, I brute forced it because I'm no cryptanalyst, although I'd love to
learn enough to at least be an amateur one. Which is what I'm trying to get
here - an idea of how to go about looking at such a thing.
And pardon the bad source - it has some rather obvious errors that I didn't
correct in my haste to post. Rather anxious to actually be able to post
something other than noise to the group...
>first tempKey = theKey;
>
>> temp1 = data[counter] + tempKey;
>> temp1 = ((temp1 << 19) | (temp1 >>13)) - 26087;
>> temp1 = ((temp1 << 23) | (temp1 >> 9));
>> tempData[counter] = temp1;
>> tempKey = tempKey + temp1 - 26087;
>
>Let's rephrase the first cycle:
>
> temp1 = plaintext + the honest to god key;
> temp2 = ((temp1 << 19) | (temp1 >>13)) - 26087;
> temp3 = ((temp2 << 23) | (temp2 >> 9));
> ciphertext= temp3;
> tempKey = tempKey + temp3 - 26087;
>
>This is reversible.
Thanks for the clarification of the algorithm, I thought as much - I think
the encode/decode functions are simply inverses of each other using the same
key. If I have read the FAQ and Schneier right, this makes it symmetric? And
the "autokey" is where it changes the key based on the data - kind of a
"chaining" thing?
>If I have the first ciphertext block then...
>temp2 = (Ctext>>23)|(Ctext<<9);
>temp1= ((temp2+26087)>>19)|((temp2+26087)<<13);
>
>If I have just the first plaintext block then:
>
>temp1-plaintext = your key...
>
>Unless I really screwed up here.
>
>Feel safe?
No, and that's good. I had a feeling this could have been rather easily done
by someone "in the know".
Is there a way to actually write a "decode" routine - in other words, what I
set out to do was create an "anti-algorithm", one that could be fed a block of
unknown ciphertext, and spit out the key. I was thinking that was possible,
but maybe a known or chosen plaintext would be needed. What would you think
about in terms of doing something like that? It's not really needed, but
would be a rather neat thing to try to come up with (and show off).
------------------------------
Subject: Re: Getting Started, advice needed (FAQs , yes I read them)
From: [EMAIL PROTECTED] (Andy C)
Date: Mon, 11 Sep 2000 18:38:48 GMT
On 10 Sep 2000, [EMAIL PROTECTED] (Scott Fluhrer) spake in
<8phpk5$plr$[EMAIL PROTECTED]>:
>Paul Pires <[EMAIL PROTECTED]> wrote the original break
>Actually, this attack can be strengthened somewhat, in that it can be
>applied to any block (and, it relies on a known plaintext block, rather than
>a chosen one as you appeared to have implied). Suppose you know/guess the
>value of plaintext block 10. Then, you use the above attack to derive the
>value of tempKey at the start of the encryption of block 10. Then, looking
>at the last two steps of the iteration for block 9:
>
> tempData[counter] = temp1;
> tempKey = tempKey + temp1 - 26087;
>
>or, in other words:
>
> NEWtempKey = OLDtempKey + CiphertextBlock - 26087;
>
>(where NEWtempKey is the value of tempKey at the start of the encryption of
>block 10, OLDtempKey is the value of tempKey at the start of the encryption
>of block 9, and CiphertextBlock is the value of the 9th ciphertext block).
>
>The attacker knows the ciphertext for block 9 (tempData[counter]), and he
>knows the new value of tempKey, and so he can compute the previous value of
>tempKey. And, he can work his way back to the beginning of the cipher.
And thus recover the starting key? The software I was looking at uses the
same key for a whole session - so recovering it once allows the whole session
to be recovered. *BUT* the lifespan of session information usefulness is
only 2-3 minutes, so this may be a "safe" method, if an "automated" way of
breaking the keys back is not found. By the way, in case you are concerned,
we are not doing anything "illegal" with such a short key and timespan - this
is for something more on the recreational side of the internet.
Thank you for this explanation of how the algorithm can be reversed from a
known plaintext block. This begs the question - how does one go about
guessing a "known" plaintext in any reasonable amount of time? Just trying
to get the thought processes in my head.
Any particular places I should go to read and learn?
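The toy cipher under discussion in this thread, together with the known-plaintext key recovery that Paul Pires describes for the first block and that Scott Fluhrer extends to any block, as an added worked example; this is not code from any of the posters. It assumes the word width is 32 bits (the rotation pairs 19/13 and 23/9 each sum to 32, and the 2^32-keyspace remark assumes the same) and that arithmetic wraps modulo 2^32. The key and plaintext words in demo() are constructed for the demonstration.

```python
# Added worked example, not code from any poster in this thread.
# Assumption: 32-bit words, arithmetic wrapping modulo 2^32.
from typing import List

MASK = 0xFFFFFFFF
CONST = 26087            # (-26087) mod 2^32 == 0xFFFF9A19, as noted in the thread


def rotl(x: int, r: int) -> int:
    """Rotate a 32-bit word left by r bits: what (x << r) | (x >> (32 - r)) does."""
    return ((x << r) | (x >> (32 - r))) & MASK


def encrypt(the_key: int, data: List[int]) -> List[int]:
    """The posted loop, one 32-bit word per iteration, with tempKey = theKey at the start."""
    temp_key = the_key & MASK
    out = []
    for word in data:
        temp1 = (word + temp_key) & MASK
        temp1 = (rotl(temp1, 19) - CONST) & MASK
        temp1 = rotl(temp1, 23)
        out.append(temp1)                             # tempData[counter] = temp1
        temp_key = (temp_key + temp1 - CONST) & MASK  # autokey update uses the ciphertext word
    return out


def unwrap(cipher_word: int) -> int:
    """Undo the second rotation, the constant, and the first rotation.
    Returns temp1 = plaintext + tempKey for that block (Pires' inversion)."""
    t = (rotl(cipher_word, 9) + CONST) & MASK         # rotl 9 undoes rotl 23
    return rotl(t, 13)                                # rotl 13 undoes rotl 19


def decrypt(the_key: int, cipher: List[int]) -> List[int]:
    """Legitimate decryption: same autokey schedule, each step inverted."""
    temp_key = the_key & MASK
    out = []
    for c in cipher:
        out.append((unwrap(c) - temp_key) & MASK)
        temp_key = (temp_key + c - CONST) & MASK
    return out


def recover_key(cipher: List[int], index: int, known_plain: int) -> int:
    """Known-plaintext key recovery from any block position.

    Step 1 (Pires): tempKey at block `index` is unwrap(C[index]) - P[index].
    Step 2 (Fluhrer): NEWtempKey = OLDtempKey + CiphertextBlock - 26087, so
    OLDtempKey = NEWtempKey - CiphertextBlock + 26087; apply this for blocks
    index-1 down to 0 to reach theKey.  No search over the 2^32 keys is needed.
    """
    temp_key = (unwrap(cipher[index]) - known_plain) & MASK
    for j in range(index - 1, -1, -1):
        temp_key = (temp_key - cipher[j] + CONST) & MASK
    return temp_key


def demo() -> int:
    """Constructed sample: encrypt eight words under a constructed key, then
    recover the key from a single known plaintext word in the middle."""
    the_key = 0x5EED1234                                          # constructed
    plain = [0x47455420, 0x2F696E64, 0x65782E68, 0x746D6C20,    # constructed
             0x48545450, 0x2F312E30, 0x0D0A486F, 0x73743A20]
    cipher = encrypt(the_key, plain)
    assert decrypt(the_key, cipher) == plain
    # The attacker sees only the ciphertext and knows (or guesses) the 6th word.
    return recover_key(cipher, 5, plain[5])


if __name__ == "__main__":
    print(hex(demo()))
```

The walk-back works because the autokey update depends only on the previous tempKey and the ciphertext word, both of which the attacker has once tempKey at any one block is known. A single correctly guessed plaintext word at any position therefore yields theKey for the whole session; what this does not do is recover the key from ciphertext alone.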
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Capability of memorizing passwords
Date: Mon, 11 Sep 2000 20:52:31 +0200
I was informed that Ross Anderson has a paper about 'The
Memorability and Security of Passwords -- Some Empirical
Results' on http://www.cl.cam.ac.uk:80/users/rja14/
It contains essential information about the present topic.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Camellia, a competitor of AES ?
Date: Mon, 11 Sep 2000 20:52:55 +0200
[EMAIL PROTECTED] wrote:
>
> You misunderstand me. The fact is that the final AES winner will have
> been more studied than anything submitted to the ISO. That's an
> obvious result of the fact that AES has been studied now, in addition
> to moving through the ISO process. Other candidates would only be
> looked at during the ISO process.
>
> There is, on the other hand, a chance that some national body has a
> better design than any of the ISO finalists. Given the strategic
> benefits of such an algorithm, however, I doubt we'd actually see it
> appear.
You are right. On the other hand, I am not yet very convinced
that the AES candidates have been sufficiently well studied.
Recently there was a thread questioning about the S-boxes of
one of them. The AES documents are apparently not entirely
complete, in particular there are numerical constants that
the reader must take for granted, much like with the old DES.
I personally find it a bit difficult to conceive that a
really solid analysis could be done as long as fully complete
documentation of an algorithm is not available.
M. K. Shen
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Re: ExCSS Source Code
Date: Mon, 11 Sep 2000 11:47:56 -0700
Excuse me but, if we can put 2 full movies onto a 650MB CD, why do we need
DVD in the first place?
*David Barber*
"Ichinin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > True, since pirates don't do byte-by-byte copies to writable media anyhow.
>
> Yes, but it CAN be done without breaking the encryption. Hiding special
> commands in a system is plain stupid.
>
> > Most pirate copies of DVDs are actually made on the exact same equipment that
> > makes the "legit" copies, sometimes even in the exact same factories. Amazing,
> > what a little bribery of factory managers being paid $8 per week will get you
> > :-).
>
> Probably, yes :o) Actually, the "Pirates" I know convert the whole 4+ Gig
> shabang into standard MPEG then squish it using DivX and can put 2 movies
> on a single 650 MB cd. That's 3 hours and 45 minutes(!)
>
> > Err, the U.S. has a million men in uniform and billions of dollars in
> > expensive military hardware that say different.
>
> Humpty dumpty sat on a wall, humpty got a virus and fell down.
>
> /Ichinin
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Re: ExCSS Source Code
Date: Mon, 11 Sep 2000 11:49:49 -0700
LOL.
"zapzing" <[EMAIL PROTECTED]> wrote in message
news:8pbgva$h99$[EMAIL PROTECTED]...
> In article <8pbf55$1cf6$[EMAIL PROTECTED]>,
> "David C. Barber" <[EMAIL PROTECTED]> wrote:
> > IMHO why not just spam every usenet group with the deCSS code once a week?
> > It would be more interesting than the Make Money Fast and/or Visit My Porn
> > Site spam that we get too much of.
>
> Maybe we could put all three together and come up with
> a real winner: make money from home illegally decoding
> porno DVDs !
>
> --
> "Sarcasm: the last refuge of modest and
> chaste-souled people when the privacy of
> their soul is coarsely and intrusively invaded."
> --Dostoyevsky--
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************