Cryptography-Digest Digest #236, Volume #14      Thu, 26 Apr 01 00:13:01 EDT

Contents:
  Re: Censorship Threat at Information Hiding Workshop (David Wagner)
  Re: Censorship Threat at Information Hiding Workshop ("AY")
  Re: 1024bit RSA keys. how safe are they? ("Greg Ofiesh")
  Re: ancient secret writing ("Greg Ofiesh")
  Re: Elliptic Curves ("Greg Ofiesh")
  Re: Key scheduling of block cipher ("Scott Fluhrer")
  Re: 1024bit RSA keys. how safe are they? ("Brian Hetrick")
  Re: 1024bit RSA keys. how safe are they? ("Brian Hetrick")
  Re: Key scheduling of block cipher (Bryan Olson)
  Re: 1024bit RSA keys. how safe are they? ("Brian Hetrick")
  Re: Censorship Threat at Information Hiding Workshop (Terry Ritter)
  Re: Black & white .gifs? (Benjamin Goldberg)
  Re: There Is No Unbreakable Crypto (Benjamin Goldberg)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: 26 Apr 2001 01:17:44 GMT

AY wrote:
>I'm not sure whether RMS denies the possibility of IP, but I am quite sure
>he doesn't like the term (from personal experience).
>
>http://www.gnu.org/philosophy/words-to-avoid.html#IntellectualProperty

Thanks.  He does a better job of explaining this position than I can:

  Publishers and lawyers like to describe copyright as ``intellectual
  property.'' This term carries a hidden assumption---that the most
  natural way to think about the issue of copying is based on an analogy
  with physical objects, and our ideas of them as property.

  But this analogy overlooks the crucial difference between material
  objects and information: information can be copied and shared almost
  effortlessly, while material objects can't be. Basing your thinking
  on this analogy is tantamount to ignoring that difference.  [...]

  If you don't want to limit yourself to this way of thinking, it is
  best to avoid using the term ``intellectual property'' in your words
  and thoughts. [...]

Under "piracy":
  
  Publishers often refer to prohibited copying as ``piracy.'' In this way,
  they imply that illegal copying is ethically equivalent to attacking
  ships on the high seas, kidnaping and murdering the people on them.

  If you don't believe that illegal copying is just like kidnaping and
  murder, you might prefer not to use the word ``piracy'' to describe it.
  [...]

Note the trend in recent years of publishers to use the word "piracy"
to refer not only to mass copyright violation (e.g., selling thousands
of cloned copies of copyrighted movies) but also to isolated infringement.

Also germane to this thread are his comments on use of the word "theft":

  http://www.gnu.org/philosophy/words-to-avoid.html#Theft

I don't necessarily agree 100% with his positions, but I think his
observations are worth keeping in mind when examining these issues.

------------------------------

From: "AY" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Thu, 26 Apr 2001 02:24:02 +0100

>From classic times, writers have sold their work to an audience of
>individuals.  When that audience receives that same work in other ways
>-- even if others just give it away -- the market for the original
>work is reduced.  If that is not "stealing" worth from the
>intellectual property owner, what is it?

In that case libraries must be the worst offenders of "theft" of all?

AY




------------------------------

From: "Greg Ofiesh" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Wed, 25 Apr 2001 17:27:44 -0700


"Joseph Ashwood" <[EMAIL PROTECTED]> wrote in message
news:ek9C7IDzAHA.355@cpmsnbbsa07...
> I trust 1024-bit RSA enough that I would post my personal credit card
> number to a hacker newsgroup protected by such a key (provided I knew
> certain additional constraints). And the credit card I have in mind has
> a credit limit that could buy someone a house. However I would make sure
> that the card expired in the next 5 years. Move it up to 2048-bit and I
> might actually trust it with my social security number.

HA HA HA HA HA

In a short while, it won't matter what you encode your SS# with because the
government will make it law where it can be shared by just about anyone.

I went to a video rental place the other day to open an account with them.
They said they required my SS#.  I told them that such a requirement was
illegal.  They promptly said that they were issuing me credit, so it was
entirely legal.  I quickly fired back that they were right, but I assumed
that their claim was correct.  After thinking about it, they were not
issuing me credit.  They were issuing me rental and my credit card (which
I gave them) was the credit that backed the rental.  I was thinking of
suing them, but then I realized that they would have it soon anyway, so
what was the point.

Same with medical privacy.

It did not matter if Gore or W won.  I said it during the entire campaign
and now I am being proved correct.  They are both NWO.  They both want
to bring us into a dictatorship (which is historically the next evolutionary
step for our system of government).  But they can't go there until they
round up all the guns.  So they do everything else they can, like make laws
that allow financial institutions to share our most private information with
anyone, or the medical insurance companies to share our most private
information with the government who in turn will share it with anyone they
please.

And if anyone has any question about the purpose of a government database
on our health records, ask yourself how it can be useful without a citizen
ID#?

So some people opt out of Social security, but will they opt out of the use
of the local hospital or their favorite doctor?  I think not.


>
> So to answer your question, yes, a 1024-bit RSA key is sufficient to
> maintain the privacy of a credit card number, as long as the private key
> is not compromised, and the generation process was done properly. I would
> suggest that in order to make your system a bit more robust you use the
> largest RSA key you can, if you can afford the time for a 4096-bit key,
> use a 4096-bit key, if you can afford a 128Kbit key, use it, etc.
>                             Joe
>
> "George T." <[EMAIL PROTECTED]> wrote in message
> news:9c0956$ph0$[EMAIL PROTECTED]...
> > HI
> >
> > Does anyone have any idea how safe RSA 1024 bit keys are? Are they safe
> > enough to be used for encrypting credit card information, travelling
> > over the internet and or residing on servers (email) for more than
> > 24 hours.
> >
> > If no, what encrypting method would be sufficient?
> >
> > Any help is greatly appreciated.
> >
> > George
> >
> >
>
>



------------------------------

From: "Greg Ofiesh" <[EMAIL PROTECTED]>
Subject: Re: ancient secret writing
Date: Wed, 25 Apr 2001 17:32:17 -0700

Good day?

"Viper" <[EMAIL PROTECTED]> wrote in message
news:9bnbla$1sh5$[EMAIL PROTECTED]...
> Can somebody help me with this secret writing?
> I'm not sure if this belongs in the right group, but I hope to find a hint
> here.
> It's an extract from some postcards of my ancestors, and I guess it's some
> kind of secret writing or maybe a style of steno??
> The poststamp on the card dates from 1913, Ireland.
>
> See the attachment for the extract.
>
> Thanks in advance!
>
> --
> -"If it ain't broke, don't fix it."
> Greets, Viper
>
>
>



------------------------------

From: "Greg Ofiesh" <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves
Date: Wed, 25 Apr 2001 17:38:02 -0700

You might want to look at www.hiddenpoint.com and check out Dr Mike's book.


"Brice Canvel" <[EMAIL PROTECTED]> wrote in message
news:oslB6.6642$[EMAIL PROTECTED]...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thank you for your help.
>
> Brice.
>
> "Brice Canvel" <[EMAIL PROTECTED]> wrote in message
> news:l1cB6.5415$[EMAIL PROTECTED]...
> > Hi,
> >
> > I am looking for a good introduction on elliptic curves and also
> > maybe something a bit more detailed too once I have understood the
> > generalities of it. I did a search on Google but it came up with
> > hundreds of pages and I thought one of you might have come across
> > something good.
> >
> > Thank you,
> >
> > Brice.
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOtXi+MFxN8+cI7QXEQLrLACg1AyMxHND9QHhz9t+x1TcAgpvDYcAoN9b
> wLVU+Y/mxr4HKsPmCR5+lnzZ
> =FgkT
> -----END PGP SIGNATURE-----
>
>
>



------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Key scheduling of block cipher
Date: Wed, 25 Apr 2001 18:49:47 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> I like to re-raise an issue that I mentioned in a discussion
> of a thread of the group quite a time back.
>
> A block cipher commonly employs for its n rounds n subkeys
> that are derived from a user supplied key in some manner.
> One can apparently do simple modifications in two ways:
> (1) change the order of the subkeys for the rounds, (2) xor
> the subkeys with some secret random bit sequences. (These
> modifications could be altered independent of the change
> of the proper keys.)
>
> Are there any negative impacts of such modifications to
> the security of the cipher? It seems that at least brute-
> forcing is rendered more difficult thereby.

Well, yes, I can come up with cipher designs where those simple
modifications greatly reduce the strength of the cipher.  For a simple
example of something where (1) is not a good idea:

- Consider a cipher with 4 rounds.

- Each round is a subkey dependent automorphism (that is, a self inverse).

- The key scheduling converts a key into the subkeys (A, B, A, B), where A
!= B is guaranteed.

This is potentially secure (at least, I believe nothing I said above
precludes it from being secure).  However, changing the order of the subkeys
randomly has a 2/3 probability of turning it into the identity function.

--
poncho
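The 2/3 figure above can be checked by exhaustive enumeration. The following is an added example, not code from the post: each round is a self-inverse permutation of a one-byte block, derived here (as an assumption of this example) by pairing up the 256 block values with a subkey-seeded shuffle and swapping the members of each pair, so that applying the same round twice is the identity. Two such rounds with different subkeys do not in general commute, which is exactly what makes the ordering matter. `identity_fraction` works for any multiset of subkeys, not only (A, B, A, B); the subkey values 0xA5 and 0x3C are arbitrary.

```python
import random
from itertools import permutations

BLOCK_SIZE = 256  # toy block: one byte, so a round is a permutation of 0..255


def involution_from_subkey(subkey: int) -> list:
    """Derive a self-inverse round permutation (an involution) from a subkey.

    Constructed for this example: a subkey-seeded shuffle pairs up the 256
    block values and the round swaps the two members of every pair, so
    applying the round twice returns every input to itself.
    """
    rng = random.Random(subkey)           # deterministic: same subkey, same round
    order = list(range(BLOCK_SIZE))
    rng.shuffle(order)
    table = [0] * BLOCK_SIZE
    for i in range(0, BLOCK_SIZE, 2):
        a, b = order[i], order[i + 1]
        table[a], table[b] = b, a
    return table


def encrypt(block: int, schedule: list) -> int:
    """Apply the round tables in schedule order to one block value."""
    for table in schedule:
        block = table[block]
    return block


def is_identity(schedule: list) -> bool:
    """True if the whole cipher maps every block to itself."""
    return all(encrypt(x, schedule) == x for x in range(BLOCK_SIZE))


def identity_fraction(subkeys: list):
    """Count the distinct orderings of the subkey sequence that collapse the
    cipher to the identity. Returns (collapsed, total, list of collapsed orderings)."""
    rounds = {k: involution_from_subkey(k) for k in set(subkeys)}
    orderings = set(permutations(subkeys))   # distinct orderings of the multiset
    collapsed = [o for o in orderings if is_identity([rounds[k] for k in o])]
    return len(collapsed), len(orderings), sorted(collapsed)


if __name__ == "__main__":
    A, B = 0xA5, 0x3C                         # arbitrary distinct subkeys
    n_id, n_total, collapsed = identity_fraction([A, B, A, B])
    print(f"{n_id} of {n_total} orderings give the identity cipher")
    for ordering in collapsed:
        print("  identity:", ["AB"[k == B] for k in ordering])
    print("original order (A,B,A,B) is identity:", (A, B, A, B) in collapsed)
```

The four collapsing orders are AABB, ABBA, BAAB and BBAA, where every round is cancelled by an adjacent copy of itself; ABAB and BABA survive only because the two involutions do not commute.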




------------------------------

From: "Brian Hetrick" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Thu, 26 Apr 2001 02:05:09 GMT

"Tom St Denis" wrote...
> Again like others you ignore the space argument.  You need (2^86)^2
> (or is sqrt?) in either case you need *at least* eight terabits (one
> terabyte) of memory.  That would be hard to come by since most
> computers probably don't have that much.  (x86's can't even address
> that much).

If you're building a "key breaking" engine, what "most computers" have
is irrelevant.  A terabyte of 133 MHz memory is less than $370,000 at
retail (buy.com) -- I imagine they'd be willing to cut you a volume
discount if you asked for one on your order of 4,096 256MB DIMMs, or
you could deal with a distributor.  (I doubt Kingston or PNY would be
interested in such a small order.)  Some Alpha processors from API,
some glue logic -- okay, a fair amount of glue logic, given the need
to do twelve bits of address decode before you get to the chips, and
you don't want to try a 4,096 fan-out or fan-in -- and you're off.  If
you want to limit yourself to COTS, call Compaq, order an Alpha system
with 256 GB of memory and a few terabytes of StorageWorks racks off
the shelf, and page -- a 4:1 overcommit on memory shouldn't thrash too
badly, especially as you're doing primarily matrix operations when you
need all the memory.

Factoring a 1024 bit number is feasible using current technology --
it's just a matter of money, and not too much money at that.  It's not
something you'd do at home, unless you're Bill Gates, but it's
entirely within the reach of even moderately sized commercial
organizations.



------------------------------

From: "Brian Hetrick" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Thu, 26 Apr 2001 02:52:39 GMT

"Bill Unruh" wrote ...
> I think that they are a bit pessimistic. A 1024 bit RSA key is not
> equivalent to a 64 bit secret key. The standard factoring makes it
> equal to about a 86 bit secret key.
> (N= 2^1024, exp(1.9*ln(N)^(1/3)*ln(ln(N))^(2/3))= .6*10^26= 2^86)

Thanks, and good catch.  Using the GNFS, 1024 bits is about 2^22 times
harder to factor than 512 bits, and so would take 1.28 millennia on
SETI@home, or (using the DES scaling) a year on a hundred million
dollar engine, or a month on a billion dollar engine, or 30 million
in capital costs at a 30% competing ROI.  I'll need to redo the pages
-- but it would still be worth factoring a 1024 bit CA key, and who
knows what the three letter agencies have....
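Unruh's formula and the "about 2^22 times harder" figure in the reply can be reproduced directly. This is an added example, not code from either post: it evaluates the GNFS heuristic exp(c * ln(N)^(1/3) * ln(ln(N))^(2/3)) with c = 1.9 as the post does (the textbook constant is (64/9)^(1/3), about 1.923, and the o(1) term is ignored), reports the result in bits so it can be compared with a symmetric key length, and scales an effort figure from one modulus size to another. The bit sizes in `strength_table` are this example's choice.

```python
import math

LN2 = math.log(2)


def gnfs_log2_work(bits: int, c: float = 1.9) -> float:
    """log2 of the GNFS heuristic running time
        exp(c * ln(N)^(1/3) * (ln ln N)^(2/3))
    for an RSA modulus N of the given bit length. The result is the symmetric
    key length whose brute-force cost is comparable (e.g. ~86 for 1024 bits)."""
    ln_n = bits * LN2                      # ln(2^bits)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)   # natural log of the work
    return work / LN2


def hardness_ratio_log2(bits_from: int, bits_to: int) -> float:
    """log2 of (work for bits_to / work for bits_from), i.e. how many extra
    bits of effort the larger modulus costs under the same heuristic."""
    return gnfs_log2_work(bits_to) - gnfs_log2_work(bits_from)


def scale_effort(effort_at_base: float, base_bits: int, target_bits: int) -> float:
    """Scale an effort measured or estimated for base_bits (machine-years,
    dollars, ...) up to target_bits using the GNFS ratio."""
    return effort_at_base * 2 ** hardness_ratio_log2(base_bits, target_bits)


def strength_table(sizes=(512, 768, 1024, 2048, 4096)) -> dict:
    """Rounded symmetric-equivalent strength for several RSA modulus sizes."""
    return {bits: round(gnfs_log2_work(bits)) for bits in sizes}


if __name__ == "__main__":
    for bits, strength in strength_table().items():
        print(f"RSA-{bits}: ~2^{strength} operations")
    print(f"1024 vs 512 bits: 2^{hardness_ratio_log2(512, 1024):.1f} times harder")
    # Constructed placeholder: 1 unit of effort for a 512-bit factorisation
    print(f"scaled effort for 1024 bits: {scale_effort(1.0, 512, 1024):.3e} units")
```

Both figures in the thread fall out: 2^85.7 (about 0.64 * 10^26) for 1024 bits and a ratio of roughly 2^22.6 between 512 and 1024 bits. The heuristic only captures asymptotic growth; real sieving cost also depends on the memory needed for the matrix step, which is the separate argument Tom St Denis raises above.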




------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Key scheduling of block cipher
Date: Wed, 25 Apr 2001 20:06:47 -0700


Mok-Kong Shen wrote:
> A block cipher commonly employs for its n rounds n subkeys
> that are derived from a user supplied key in some manner.
> One can apparently do simple modifications in two ways:
> (1) change the order of the subkeys for the rounds, (2) xor
> the subkeys with some secret random bit sequences.

One can modify the key schedule in over 17 million ways.
Many of them are simple, many not.

> (These
> modifications could be altered independent of the change
> of the proper keys.)
> 
> Are there any negative impacts of such modifications to
> the security of the cipher?

Yes.  We can contrive ciphers that these changes will 
weaken.  (Scott Fluhrer gave a nice example for the 
permutation.)  That doesn't show it happens for real-world 
ciphers, but it precludes a general demonstration of safety. 

Also, for some ciphers there's no corresponding modification 
to the decryption key schedule.

> It seems that at least brute- 
> forcing is rendered more difficult thereby.

If we choose a cipher with a reasonable key size, then we 
need not worry about brute force.


All of the 17,000,000+ ways of modifying round keys were 
available to the designers of the cipher.  But they chose 
the one and only key schedule that is not among the 
modifications.  Why would we have selected this cipher in 
the first place if we believe these guesswork-based changes 
to be superior to the designers' decisions?


--Bryan

------------------------------

From: "Brian Hetrick" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Thu, 26 Apr 2001 03:15:19 GMT

[Posted and mailed.  This is a corrected reply.  I dropped three
orders of magnitude the first time around.]

"Tom St Denis" wrote...
> Again like others you ignore the space argument.  You need (2^86)^2
> (or is sqrt?) in either case you need *at least* eight terabits (one
> terabyte) of memory.  That would be hard to come by since most
> computers probably don't have that much.  (x86's can't even address
> that much).

If you're building a "key breaking" engine, what "most computers" have
is irrelevant.  A terabyte of 133 MHz memory is less than $380 million
at retail (buy.com) -- I imagine they'd be willing to cut you a volume
discount if you asked for one on your order of 4 million 256MB DIMMs.
At that volume Kingston or PNY would probably take the order directly
and give you a substantial discount.  Some Alpha processors from API,
some glue logic -- okay, a boat load of glue logic -- and you're off.
If you want to limit yourself to COTS, call Compaq, order an Alpha
system with 256 GB of memory and a few terabytes of StorageWorks racks
off the shelf, and page -- a 4:1 overcommit on memory shouldn't thrash
too badly, especially as you're doing primarily matrix operations when
you need all the memory.

Factoring a 1024 bit number is feasible using current technology --
it's just a matter of money, and a not inconceivable amount of money
at that.  It's not something you'd do at home, unless you're Bill
Gates, but it's entirely within the reach of moderately large
commercial organizations.




------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Thu, 26 Apr 2001 03:20:40 GMT


On Thu, 26 Apr 2001 02:24:02 +0100, in
<9c7t0b$rvd$[EMAIL PROTECTED]>, in sci.crypt "AY"
<[EMAIL PROTECTED]> wrote:

>>From classic times, writers have sold their work to an audience of
>>individuals.  When that audience receives that same work in other ways
>>-- even if others just give it away -- the market for the original
>>work is reduced.  If that is not "stealing" worth from the
>>intellectual property owner, what is it?
>
>In that case libraries must be the worst offenders of "theft" of all?

Libraries *buy* the books they have.  Buying is not theft.

Indeed, one might well argue that having a book in libraries
*increases* the market for the book.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Black & white .gifs?
Date: Thu, 26 Apr 2001 03:32:11 GMT

Mok-Kong Shen wrote:
> 
> Ben Smith wrote:
> >
> > A friend of mine has a brilliant (if idiosyncratic) comic site -
> > http://www.geocities.com/needleandthreadcomic
> >
> > He's also a keen amateur cryptographer, so would probably enjoy the
> > steg aspect of his art.
> 
> I suppose that some painting software helps for stego
> purposes, though I have no experience with such software.
> (One needs no 'reference' pictures, if the pixels are
> determined by PRNG.)
> 
> M. K. Shen

Here's another idea ... create a "random-dot stereogram" but using
encrypted bits rather than real random dots.  It should be relatively
easy to convert a row of pixels in such a stereogram to a row from the
original picture which produced it.  And as for how much data you can
send this way... well, consider a 3d animation, done using stereograms.
You can have new "random" data in every frame of the animation.  Include
on the web page providing it a greyscale of the depths used to make the
stereogram, and *claim* that the black and white bits are random -- and
unless a distinguisher exists for the cipher you used, even someone who
suspects that your stereogram is steganoed data won't be able to
prove it.

One major advantage of this kind of thing compared to most stego, is
that you can have a huge amount of subchannel relative to the overall
size of the picture -- close to 50% -- without seeming particularly
suspicious.

Of course, if the opponent thinks you've got stegoed images, it is
*also* trivial to extract the depth image from the stereogram, generate
new random [this time random for real] bits, and generate a new
stereogram, which encodes the same 3d picture, but with the subchannel
totally gone -- and a human can't tell the difference unless they have
both in front of them, since in both cases, the only *apparent*
nonrandomness is the 3d effect you see when you cross your eyes right.

Again we see how stego is generally vulnerable to active attacks.

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.
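The embed / extract / re-render cycle Goldberg describes is small enough to run end to end. The following is an added example, not code from the post: it uses the simplest single-image random-dot stereogram construction (every pixel copies the pixel `separation` to its left; pixels with no such partner are free and form the subchannel), SHA-256 in counter mode as a stand-in for the cipher that whitens the payload, a constructed 64x4 depth map, and a placeholder key. The warden's sanitizing step assumes the depth map has already been recovered from the image (depth recovery itself is not implemented); re-rendering with fresh random dots keeps the visible 3D surface and removes the hidden data, which is why a sanitizing proxy is an effective defence against this kind of channel.

```python
import hashlib
import random

MIN_SEP, MAX_SEP = 8, 12   # pixel separation for nearest (1.0) and farthest (0.0) depth


def separation(depth):
    """Map a depth in [0, 1] (0 = far, 1 = near) to a pixel separation."""
    return round(MAX_SEP - depth * (MAX_SEP - MIN_SEP))


def free_positions(depth_row):
    """Pixels the depth constraint does not force to copy a pixel to their
    left. These are the only pixels the sender may choose: the subchannel."""
    return [x for x, d in enumerate(depth_row) if x - separation(d) < 0]


def render_row(depth_row, bit_source):
    """One stereogram row: each pixel copies the pixel `separation` to its
    left; pixels with no partner take the next bit from bit_source."""
    row = []
    for x, d in enumerate(depth_row):
        left = x - separation(d)
        row.append(row[left] if left >= 0 else next(bit_source))
    return row


def consistent_with_depth(depth_row, row):
    """True if the row shows exactly the 3D surface described by depth_row."""
    return all(x - separation(d) < 0 or row[x] == row[x - separation(d)]
               for x, d in enumerate(depth_row))


def keystream_bits(key):
    """Stand-in for the cipher output: SHA-256 in counter mode (constructed)."""
    counter = 0
    while True:
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        for byte in block:
            for i in range(8):
                yield (byte >> (7 - i)) & 1
        counter += 1


def random_bits(rng):
    while True:
        yield rng.getrandbits(1)


def to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def from_bits(bits):
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))


def capacity_bits(depth_map):
    return sum(len(free_positions(r)) for r in depth_map)


def subchannel_bits(depth_map, image):
    return [row[x] for d, row in zip(depth_map, image) for x in free_positions(d)]


def embed(depth_map, message, key):
    """Sender: free pixels carry message XOR keystream; leftover free pixels get
    keystream bits, so without the key the whole subchannel looks random."""
    ks = keystream_bits(key)
    msg_bits = to_bits(message)
    n_free = capacity_bits(depth_map)
    if len(msg_bits) > n_free:
        raise ValueError("message exceeds subchannel capacity")
    free_bits = [b ^ next(ks) for b in msg_bits]
    free_bits += [next(ks) for _ in range(n_free - len(msg_bits))]
    src = iter(free_bits)
    return [render_row(d, src) for d in depth_map]


def extract(depth_map, image, key, n_bytes):
    """Receiver: read the free pixels in order and strip the keystream."""
    ks = keystream_bits(key)
    bits = subchannel_bits(depth_map, image)[:n_bytes * 8]
    return from_bits([b ^ next(ks) for b in bits])


def sanitize(depth_map, rng):
    """Warden's active step from the post: with the depth map in hand (assumed
    recovered from the image), re-render with fresh random dots. The visible
    3D picture is unchanged; the subchannel is gone."""
    return [render_row(d, random_bits(rng)) for d in depth_map]


# Constructed sample: a 64x4 depth map with a raised square in the middle.
DEPTH_MAP = [[0.0] * 20 + [1.0] * 24 + [0.0] * 20 for _ in range(4)]
KEY = b"example-key"   # placeholder shared key

if __name__ == "__main__":
    image = embed(DEPTH_MAP, b"hi", KEY)
    print("capacity:", capacity_bits(DEPTH_MAP), "bits")
    print("receiver reads:", extract(DEPTH_MAP, image, KEY, 2))
    clean = sanitize(DEPTH_MAP, random.Random(7))
    print("depth intact after re-render:",
          all(consistent_with_depth(d, r) for d, r in zip(DEPTH_MAP, clean)))
    print("receiver now reads:", extract(DEPTH_MAP, clean, KEY, 2))
```

In this construction the free pixels are the first `separation` pixels of each row, so the capacity is a few percent of the image rather than half; the active attack works the same way regardless of how much of the image is free, because the warden only needs the depth constraint, never the key.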

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: There Is No Unbreakable Crypto
Date: Thu, 26 Apr 2001 03:56:23 GMT

David Wagner wrote:
> 
> Mok-Kong Shen  wrote:
> >I continue to think, as said in another post, that this
> >means one can generate from, say, 128 random bits, a
> >secure bit string of infinite length, which seems to
> >be very counter-intuitive.
> 
> Well, not infinite: only polynomial length, and only _if_
> you have a secure, length-doubling PRG.  But yes, it's a
> marvelous, counter-intuitive, beautiful result.

I don't suppose you could give a tiny demonstration, perhaps using an 8
bit key.

What size is possible?  You say, polynomial length... what kind of poly?

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
