Cryptography-Digest Digest #363
Cryptography-Digest Digest #363, Volume #14       Wed, 16 May 01 03:13:01 EDT

Contents:
  Re: DSA, ECDSA, RSA (Gary Silverman)
  Re: function decomposition (Paul Pires)
  Re: best algo (Gary Silverman)
  Re: What Is the Quality of Randomness? (David Hopwood)
  Re: Are low exponents a problem with RSA? (David Hopwood)
  Re: Key escrow based on BBS (David Hopwood)
  Re: OAP-L3: The absurd weakness. (David Hopwood)

----------------------------------------------------------------------

From: Gary Silverman [EMAIL PROTECTED]
Subject: Re: DSA, ECDSA, RSA
Date: Wed, 16 May 2001 00:12:16 -0500

Thank you very much for your thorough explanation and the time required to type it all.

Anton Stiglic wrote:

> The best way to analyze such algorithms is to look at the most expensive
> operations that are used (mod exps are the most expensive, then comes
> computing inverses; one mod mul or mod addition is cheap and negligible
> compared to these other operations. Hash functions are also cheap and
> negligible compared to mod exps.).
>
> So in DSA you have a public generator g, and a public key y = g^s mod p,
> corresponding to a private key s. You work in the subgroup of order q of
> Z*_p; p and q are publicly known. You also have a known hash function h.
> Let us say that q is 160 bits long and that p is 1024 bits long.
>
> To compute a signature on a message m, you pick a random value k and
> compute A = g^k mod p, then set B = k^{-1}*(h(m) + sA) mod q; the
> signature is (A, B).
>
> The verification is: compute u = B^{-1}*h(m) mod q and v = A*B^{-1} mod q,
> then verify if A = (g^u)*(y^v).
>
> The verification works on legitimate signatures since
>
>   (g^u)*(y^v) = (g^{B^{-1}*h(m)}) * ((g^s)^{A*B^{-1}})
>               = g^{B^{-1}(h(m) + s*A)}
>               = g^{k*(h(m) + sA)^{-1} * (h(m) + sA)}
>               = g^k
>               = A
>
> Now, the signature requires you to pick 1 random 160 bit value (this can
> be expensive if you don't have easy access to randomness) and to compute
> 1 mod exp (g^k mod p) as well as 1 inverse mod q (k^{-1}), along with a
> multiplication and an addition. So if you can get randomness in an
> efficient manner, the most costly operation is the mod exp.
> Note that your exponent is of size 160 bits; this is about 1024/160 ~= 6.4
> times faster than if you had a 1024 bit exponent. Note as well that you
> can precompute these exponentiations and inverses (but also note that I
> think there might be a patent on that).
>
> The verification involves 1 inverse mod q and 2 mod p exps (with 160 bit
> exponents).
>
> Now let's look at RSA with N = pq, N of size 1024 bits. Signature on m is
> h(m)^d mod p, where d is a secret, 1024 bit exponent. Verification is
> checking if (h(m)^d)^e mod p == 1. e is the verification key; it is such
> that e*d == 1 mod phi(n). You can choose the private/public key pair so
> that e is small, such as e = 3, in which case computing a^e is like
> computing a*a*a, and is negligible compared to a full mod exp, and
> verification is super fast. Computing the signature is less efficient
> than for DSA; the mod exp you do is with a 1024 bit exponent.
>
> When you use elliptic curves, you usually talk in the additive group
> notation, and the expensive operation becomes multiplication of a point
> by a scalar. But a multiplication of a point by a scalar can be made
> about 4 times more efficient than a mod exp with a 160 bit q (with some
> patented technology), for a curve with security comparable to that of a
> subgroup of order 160 bit with p 1024 bits.
>
> Hope I gave you enough information and hints to work on what you wanted
> to figure out.
>
> --
> Anton
>
> Gary Silverman wrote:
>
> > Without starting a religious war, could anyone comment on the relative
> > speed difference between the 3 NIST approved digital sign algorithms?
> > Please provide a reference if possible.
> >
> > For each, I'm interested in:
> >   signing speed
> >   verifying speed
> >
> > So, an example could be
> >
> >          RSA DSA ECDSA
> >   sign   14 108
> >   verify 2 20 4
> >
> > The numbers indicate the time it takes for the operation to be done. I
> > realize that different implementations could alter actual performance
> > (in addition to all of the other things like what OS, what kind of
> > hardware, etc...).
> > If anyone has experience using various platforms that would be great
> > too. But I'm more interested in performance due to the algorithm as
> > opposed to the implementation.
> >
> > Thanks kindly,
> > Gary

------------------------------

From: Paul Pires [EMAIL PROTECTED]
Subject: Re: function decomposition
Date: Tue, 15 May 2001 22:17:18 -0700

Tom St Denis [EMAIL PROTECTED] wrote in message news:o1mM6.103182$[EMAIL PROTECTED]...
> Paul Pires [EMAIL PROTECTED] wrote in message news:SUlM6.124212$[EMAIL PROTECTED]...
> > Tom St Denis [EMAIL PROTECTED] wrote in message news:ArlM6.103051$[EMAIL PROTECTED]...
> > > Matt Timmermans [EMAIL PROTECTED] wrote in message news:sdlM6.1840$[EMAIL PROTECTED]...
> > > > Since
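Anton's DSA cost breakdown above (one mod-exp plus one inversion to sign, two mod-exps plus one inversion to verify) is easiest to see with the operations counted. The following is an added example, not code from the thread: DSA in Anton's notation over a constructed toy group (p = 23, q = 11, g = 2; SHA-256 reduced mod q stands in for his unspecified hash h), instrumented to tally those operations.

```python
"""DSA in the notation of Anton Stiglic's post (A = g^k mod p,
B = k^-1 (h(m) + sA) mod q), with counters on the operations his cost
model treats as expensive. Added example, not code from the thread.
The group (p = 23, q = 11, g = 2) is a constructed toy; the hash is
SHA-256 reduced mod q (an assumption, the post only says "a hash h")."""
import hashlib
import secrets
from collections import Counter

P, Q, G = 23, 11, 2          # constructed toy parameters: q | p-1, g of order q
assert (P - 1) % Q == 0 and G != 1 and pow(G, Q, P) == 1

COST = Counter()             # tallies of mod-exps, inversions and random draws


def mod_exp(base, exp, mod):
    COST["modexp"] += 1
    return pow(base, exp, mod)


def mod_inv(x, mod):
    COST["inverse"] += 1
    return pow(x, -1, mod)   # modular inverse (Python 3.8+)


def h(m):
    """Hash into Z_q; cheap next to a mod-exp, so it is not counted."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def keygen():
    s = secrets.randbelow(Q - 1) + 1      # private key s in [1, q-1]
    y = mod_exp(G, s, P)                  # public key y = g^s mod p
    return s, y


def sign(s, m):
    while True:
        COST["random"] += 1
        k = secrets.randbelow(Q - 1) + 1  # fresh per-signature secret
        A = mod_exp(G, k, P)              # the one mod-exp of signing
        B = (mod_inv(k, Q) * (h(m) + s * A)) % Q   # the one inversion, mod q
        if B:                             # B = 0 is unusable; redraw k
            return A, B


def verify(y, m, sig):
    A, B = sig
    if not (1 <= A < P and 1 <= B < Q):
        return False
    b_inv = mod_inv(B, Q)                 # 1 inversion mod q
    u = (b_inv * h(m)) % Q
    v = (b_inv * A) % Q
    # 2 mod-exps with q-sized exponents; g^(u + s*v) = g^k = A when valid
    return (mod_exp(G, u, P) * mod_exp(y, v, P)) % P == A


def cost_profile(m=b"constructed message"):
    """(verified?, signing tallies, verification tallies) for one round."""
    s, y = keygen()
    COST.clear()
    sig = sign(s, m)
    sign_cost = dict(COST)
    COST.clear()
    ok = verify(y, m, sig)
    return ok, sign_cost, dict(COST)


if __name__ == "__main__":
    ok, sc, vc = cost_profile()
    print("verified:", ok)
    print("signing:     ", sc)   # one modexp, one inverse, one random per attempt
    print("verification:", vc)   # {'modexp': 2, 'inverse': 1}, as in the post
```

With q this small a signing attempt lands on B = 0 about one time in eleven, which is why the signing tallies are reported per attempt rather than as fixed numbers.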
Cryptography-Digest Digest #364
Cryptography-Digest Digest #364, Volume #14       Wed, 16 May 01 08:13:01 EDT

Contents:
  Newbie Question: Cryptography - Unlimited Inputs/Outputs? (news.singnet.com.sg)
  Re: Evidence Eliminator propaganda (Anonymous)
  Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda) (Sam Simpson)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Tim Tyler)
  Re: What Is the Quality of Randomness? (Tim Tyler)
  Re: What Is the Quality of Randomness? (Tim Tyler)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Sam Simpson)
  Re: enumerating permutations (G Winstanley)
  Re: Avoiding RSA padding altogether? (Jakob Jonsson)
  Re: information theoretic stream cipher (Tom St Denis)
  Re: best algo (Tom St Denis)
  Karnaugh Maps (Tom St Denis)
  Re: Karnaugh Maps (Xcott Craver)
  Re: What Is the Quality of Randomness? (Mok-Kong Shen)
  Re: Quadibloc IX described on web site! (John Savard)
  Re: Newbie Question: Cryptography - Unlimited Inputs/Outputs? (John Savard)

----------------------------------------------------------------------

From: news.singnet.com.sg [EMAIL PROTECTED]
Subject: Newbie Question: Cryptography - Unlimited Inputs/Outputs?
Date: Wed, 16 May 2001 15:19:31 +0800

Hi,

I am just getting into the world of cryptography and would like to ask a question. If it is too commonly known then please direct me to a website link/other resource.

I read/heard somewhere that given an encryption system where the tester is allowed an unlimited number of inputs and outputs, the system itself will always be possible to break. Is this true?

E.g. If someone were to allow me the following inputs, outputs:

  A : C
  B : D

Then it would be possible, given enough time, to deduce that the system adds 2 as an integer to the plaintext to produce the output (e.g. A + '2' = C, B + '2' = D).

However if we add in mathematical formulae, XORs, MODs etc this would get pretty complicated and I'd like to see such an analysis in action.
A friend recently gave me an example (not sure where he got the data from though):

  a:   YSmzWf2llvIiI
  aa:  Zj3aNphJEGxJc
  aaa: uhKTXUgGTemE6
  1:   Lf6/GciWiIxSc
  2:   rvGGJiT/qIfsA

Of course I'm not going to mention that as a joke he offered to give me $100 if I could break it, but I don't think so 8). However, to be serious, I am still interested in the theory and approach of this interesting concept.

Thanks in advance!
Carol Mu

------------------------------

Date: Wed, 16 May 2001 09:26:02 +0200
From: Anonymous [EMAIL PROTECTED]
Subject: Re: Evidence Eliminator propaganda
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server

in [EMAIL PROTECTED] Beretta [EMAIL PROTECTED] wrote:

> On Tue, 15 May 2001 22:33:36 +0100, in alt.security.pgp you wrote:
>
> > By now you will have witnessed the mass hysteria about Evidence Eliminator.
>
> [snip]
>
> You fags keep spamming, and I keep posting serial numbers to your software

Excellent move. More serials, please. More serials, please. More serials, please. More serials, please.

------------------------------

From: Sam Simpson [EMAIL PROTECTED]
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda)
Date: Wed, 16 May 2001 08:54:03 +0100

*LOL* - good work Beretta

--
Regards,

Sam
http://www.scramdisk.clara.net/

Beretta [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> On Tue, 15 May 2001 22:33:36 +0100, in alt.security.pgp you wrote:
>
> > By now you will have witnessed the mass hysteria about Evidence Eliminator.
> [snip]
>
> You fags keep spamming, and I keep posting serial numbers to your software
>
> PGP Key: 0x194DF369
> Fingerprint: B777 DB2A FB11 55FA 509D CE63 F3DE D665 194D F369

------------------------------

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 16 May 2001 08:17:15 GMT

SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:

: No wonder violent crime is up in the UK you can't shoot
: the bastards that break into you own house. [...]

I believe shooting someone for breaking and entering would itself be regarded as a violent crime in the
Cryptography-Digest Digest #365
Cryptography-Digest Digest #365, Volume #14       Wed, 16 May 01 11:13:01 EDT

Contents:
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Trevor L. Jackson, III)
  Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda) (Paul Crowley)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Richard Herring)
  Re: Newbie Question: Cryptography - Unlimited Inputs/Outputs? (SCOTT19U.ZIP_GUY)
  Re: Karnaugh Maps (Pascal Junod)
  RE: Karnaugh Maps (Alexis Machado)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (SCOTT19U.ZIP_GUY)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (SCOTT19U.ZIP_GUY)
  How to develop a 64-bit key (ritesh_swd)
  Re: Karnaugh Maps (Sam Simpson)
  Re: Are low exponents a problem with RSA? (DJohn37050)
  Re: taking your PC in for repair? WARNING: What will they find? (Shaun Hollingworth)
  Re: request for encryption software suggestions (Anton Stiglic)
  Re: Karnaugh Maps (jlcooke)
  Re: How to develop a 64-bit key (jlcooke)
  Re: Probablistic Algorithms For Square Roots of QRs in Z/n (Anton Stiglic)
  Re: Karnaugh Maps (jlcooke)
  How can I see the symmetric encryption keysize in SSL? (no_carrier)
  Any SEC free program for Visa? (no_carrier)
  America Civil War Private Shorthand (Dave Smith)
  Re: function decomposition (jlcooke)
  Re: function decomposition (jlcooke)
  Re: MISTY -- no simple truncated difs (jlcooke)
  Re: function decomposition (Mark Wooding)
  Re: Karnaugh Maps (Pascal Junod)

----------------------------------------------------------------------

From: Trevor L. Jackson, III [EMAIL PROTECTED]
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Date: Wed, 16 May 2001 12:37:54 GMT

Tim Tyler wrote:

> SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:
>
> : No wonder violent crime is up in the UK you can't shoot
> : the bastards that break into you own house. [...]
>
> I believe shooting someone for breaking and entering would itself be
> regarded as a violent crime in the UK.

And in the U.S.
B&E, while a violent crime, does not rise to the level of a threat of death or great bodily harm. The only actions that justify a potentially lethal response are rape, arson, a lethal threat and their respective attempts.

------------------------------

Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda)
From: Paul Crowley [EMAIL PROTECTED]
Date: Wed, 16 May 2001 12:39:32 GMT

EE Support [EMAIL PROTECTED] writes:
> By now you will have witnessed the mass hysteria about Evidence Eliminator.

As regular readers of some of these groups probably know, Evidence Eliminator doesn't work, which is why they spam newsgroups. The report they're keen to badmouth can be found here:

http://badtux.org/eric/editorial/scumbags.html

I know Eric because he was a thoughtful contributor to the Appraising Microsoft mailing list way back.
--
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
Conservation of angular momentum makes the world go around - John Clark

------------------------------

From: [EMAIL PROTECTED] (Richard Herring)
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Date: 16 May 2001 12:14:38 GMT
Reply-To: [EMAIL PROTECTED]

In article [EMAIL PROTECTED], Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
> SCOTT19U.ZIP_GUY wrote:
> ...
> > No wonder violent crime is up in the UK you can't shoot
> > the bastards that break into you own house.
>
> Note: You don't have to actually shoot them; it's the fear of being shot
> that has deterred many potential home invasions.

If they didn't take place, how do you know?

In any case, even quite stupid thieves usually have the wit to target empty houses.

--
Richard Herring | [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Newbie Question: Cryptography - Unlimited Inputs/Outputs?
Date: 16 May 2001 12:47:51 GMT

[EMAIL PROTECTED] (news.singnet.com.sg) wrote in 9dt90f$jk3$[EMAIL PROTECTED]:

> Hi,
>
> I am just getting into the world of cryptography and would like to ask
> a question. If it is too commonly known then please direct me to a
> website link/other resource.
>
> I read/heard somewhere that given an encryption system where the tester
> is allowed an unlimited number of inputs and outputs, the system itself
> will always be possible to break. Is this true?

In theory if you allow an unlimited amount of inputs and their available outputs, you can eventually get the plaintext for ciphertext, which is the solution you're looking for. Note the above all depends on using a fixed key. But if you have an unlimited number of inputs and test every key, then with a properly designed crypto system there will be, even with the random data
Cryptography-Digest Digest #367
Cryptography-Digest Digest #367, Volume #14       Wed, 16 May 01 15:13:00 EDT

Contents:
  RE: Karnaugh Maps (Alexis Machado)
  Re: OAP-L3: The absurd weakness. (James Felling)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (wtshaw)
  Re: Newbie Question: Cryptography - Unlimited Inputs/Outputs? (John Savard)
  Re: Not a realistic thing to do..Why? (James Felling)
  Re: Best, Strongest Algorithm (SCOTT19U.ZIP_GUY)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (SCOTT19U.ZIP_GUY)
  Re: Evidence Eliminator works great. Beware anybody who claims it (Thomas J. Boschloo)
  Re: FYI: Results on EM attacks on smart cards (Josyula R. Rao)
  Re: Newbie Question: Cryptography - Unlimited Inputs/Outputs? (SCOTT19U.ZIP_GUY)
  Re: extracting random bits from low-entropy data (Mark)

----------------------------------------------------------------------

From: Alexis Machado [EMAIL PROTECTED]
Subject: RE: Karnaugh Maps
Date: Wed, 16 May 2001 13:11:00 -0400

= Original Message From jlcooke [EMAIL PROTECTED] =

> Alexis Machado wrote:
>
> > Hi Tom
> >
> > = Original Message From Tom St Denis [EMAIL PROTECTED] =
> >
> > > Ok here is my first attempt at optimizing a boolean decomposition.
> > > This is the lsb of the TC15 sbox..
> > >
> > >   dc\ba  00 01 10 11
> > >          -----------
> > >     00 |  1  0  0  1
> > >     01 |  0  1  1  0
> > >     10 |  0  1  1  0
> > >     11 |  0  1  1  0
> > >
> > >   y = ~(abcd) | (~cd)ab | bcd | acd
> > >   y = ~(cd)(~(ab) | ab) | bcd | acd
> > >   y = ~(cd) | bcd | acd
> > >
> > > I have the bits backwards i.e ba instead of ab since my program
> > > outputs them that way.
> > >
> > > Can I optimize the last y statement any further?
> > >
> > > ( | means or, ~ means not)
> >
> > Using the identity ~a | ab = ~a | b, y can be simplified a little more
> >
> >   y = ~(cd) | bcd | acd
> >     = ~(cd) | b | acd
> >     = ~(cd) | b | a
> >                    ^
>
> So you're saying:
>   if {c,d}={0,0} or {0,1} or {1,0} ... wrong.
>   or if b = 1 ... wrong.
>   or if a = 1 ... wrong.
>
>   dc\ba  00 01 11 10
>          -----------
>     00 |  1  0  1  0
>     01 |  0  1  0  1
>     11 |  0  1  0  1
>     10 |  0  1  0  1
>
> Try this:
>
>   y = (a^b) ^ ~(c|d)
>
> reads: If a and b disagree, output 1. Unless c or d are both low, then
> inverse which is what's really happening.

He asked if the **last y statement** could be optimized.
The **last y statement** is

  ~(cd) | bcd | acd = ~(cd) | b | a

Btw, the first expression ~(abcd) | (~cd)ab | bcd | acd is a tautology :-(

---
Alexis

------------------------------

From: James Felling [EMAIL PROTECTED]
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3: The absurd weakness.
Date: Wed, 16 May 2001 12:12:10 -0500

Anthony Stephen Szopa wrote:

> James Felling wrote:
>
> > Anthony Stephen Szopa wrote:
> >
> > > James Felling wrote:
> > >
> > > > Tom St Denis wrote:
> > > >
> > > > > Anthony Stephen Szopa [EMAIL PROTECTED] wrote in message news:3AF65E02.34D45
> > > > >
> > > > > (SNIP)
> > > > >
> > > > > And if you believe that there is this bridge in NY you really
> > > > > need to buy.
> > >
> > > There must be a very good reason why you have chosen not to
> > > communicate.
> >
> > I find the way you edited my original post deliberately misleading.
> > You claim I am not trying to communicate? I feel that the shoe is on
> > the other foot here my friend.
>
> Can't you just take one point then and explain yourself. Just because
> you understand (?) what you mean you have not helped us to understand
> what you mean by communicating it.
>
> For instance, your idea of Mixamixfile is a subgroup of the generic
> permutation of 105 elements holding first element fixed. Explain this
> in some detail as to what exactly you mean and how this relates to
> your claims.

OK. I will define some terms here for you. And try to keep it simple. I will rephrase in less formal notation.

Mix a mix file can be viewed as a special case of the following 'Generic Method'.

Generic Method: Imagine the sets of 0-9 digits as cards, and the source file as a giant stack of cards. You take the first 105 cards off the stack, put the first card on the table, then reorder the remaining cards in an arbitrary but known manner, i.e. find card 103, put it on top of the first card, then find card 10, put it down, and so on until you are out of cards from that original set of 105; then pick up another 105 cards from the big stack, and repeat.
This generic method is a more efficient mixing method than mix a mix file (by orders of magnitude), because with the 105 cards under the generic method you can get any possible order (104! possible orderings), and with mix a mix file you can only get 14! possible orderings. However, since all possible results of mix a mix file can be reproduced by this generic operation and that operation is a group, mix a mix file cannot be arbitrarily repeated with the expectation of continued good results; it can at best contribute the randomness of the generic operation.

> Just do this one point. Or choose perhaps a simpler one like, Scramble is
> a group and tell us what you mean and how this somehow
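The Karnaugh-map exchange above trades four expressions for the LSB of the TC15 S-box and disagrees about which ones are right. The following is an added example, not code from any of the posts: it evaluates each candidate on all 16 inputs against Tom's table and counts disagreements. Tom's first expression is read literally, with ~(abcd) as NOT(a AND b AND c AND d), which is how Alexis reads it when calling it a tautology.

```python
"""Truth-table check of the expressions from the Karnaugh-map thread for the
LSB of the TC15 S-box. Added example, not code from the posts. The table is
Tom's map (rows dc, columns ba, in the order he posted them)."""
from itertools import product

# Tom's map: key is the row label (d, c); value is the row in column order
# ba = 00, 01, 10, 11 (note his columns are not in Gray order).
TC15_LSB_ROWS = {
    (0, 0): (1, 0, 0, 1),
    (0, 1): (0, 1, 1, 0),
    (1, 0): (0, 1, 1, 0),
    (1, 1): (0, 1, 1, 0),
}
COLUMNS_BA = ((0, 0), (0, 1), (1, 0), (1, 1))


def truth_table():
    """Return {(a, b, c, d): y} built from the posted map."""
    table = {}
    for (d, c), row in TC15_LSB_ROWS.items():
        for (b, a), y in zip(COLUMNS_BA, row):
            table[(a, b, c, d)] = y
    return table


def NOT(x):
    return 1 - x


# The expressions as written in the thread, in the order they appeared.
CANDIDATES = {
    # Tom's first line, read literally: ~(abcd) = NOT(a AND b AND c AND d)
    "tom_first": lambda a, b, c, d: (NOT(a & b & c & d) | (NOT(c & d) & a & b)
                                     | (b & c & d) | (a & c & d)),
    "tom_last":  lambda a, b, c, d: NOT(c & d) | (b & c & d) | (a & c & d),
    "alexis":    lambda a, b, c, d: NOT(c & d) | b | a,
    "jlcooke":   lambda a, b, c, d: (a ^ b) ^ NOT(c | d),
}


def mismatches(expr, table=None):
    """Inputs (a, b, c, d) where expr disagrees with the table."""
    if table is None:
        table = truth_table()
    return sorted(m for m in product((0, 1), repeat=4) if expr(*m) != table[m])


def is_tautology(expr):
    """True when expr is 1 on all 16 inputs (Alexis's remark on tom_first)."""
    return all(expr(*m) == 1 for m in product((0, 1), repeat=4))


def report():
    """Mismatch count per candidate; 0 means the expression equals the table."""
    table = truth_table()
    return {name: len(mismatches(expr, table)) for name, expr in CANDIDATES.items()}


if __name__ == "__main__":
    for name, count in report().items():
        tag = "  (tautology)" if is_tautology(CANDIDATES[name]) else ""
        print(f"{name:10s} mismatches={count:2d}{tag}")
```

Tom's last expression and Alexis's simplification of it disagree with the table on the same seven inputs, which is what the absorption identity predicts: they are the same function, so the simplification step was sound even though the starting expression was not.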
Cryptography-Digest Digest #368
Cryptography-Digest Digest #368, Volume #14       Wed, 16 May 01 17:13:01 EDT

Contents:
  Re: PRNG question from newbie (Paul Pires)
  Re: PRNG question from newbie (John Myre)
  Re: PRNG question from newbie (Henrick Hellström)
  Re: Not a realistic thing to do..Why? (John Savard)
  Re: PRNG question from newbie (Paul Pires)
  Re: PRNG question from newbie (Paul Pires)
  What is a group? [Re: OAP-L3: The absurd weakness.] (Alan Mackenzie)
  Re: MISTY -- no simple truncated difs (Tom St Denis)
  Re: Karnaugh Maps (Tom St Denis)
  Re: Karnaugh Maps (Tom St Denis)
  Re: TC15 analysis (Tom St Denis)

----------------------------------------------------------------------

From: Paul Pires [EMAIL PROTECTED]
Subject: Re: PRNG question from newbie
Date: Wed, 16 May 2001 11:48:57 -0700

John Myre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> David Wagner wrote:
> [snip]
> > If you mean something that stretches a short, truly random, uniformly
> > distributed seed to a long pseudorandom keystream,
> [snip]
> > If you mean something that collects entropy from various sources of
> > questionable quality and unknown statistical distribution and attempts
> > to distill this down to a uniformly distributed value,
> [snip]
>
> If I understand Daemen's contention correctly, it is that the
> cryptographic community should study/attempt a single primitive, instead
> of breaking it down as above. That is, instead of helping the PRNG by
> promising that its input is a nice compact key, or helping the hash
> function by only requiring a fixed (small) output, we should ask for a
> function that takes any amount of input and gives back any amount of
> output, preserving the entropy of the input, and making the output look
> pseudo-random and uniformly distributed. I think.

Isn't this just a stream cipher with a good key setup routine? If not, what's the difference?

Paul

> Have you heard of this, or have opinions on the idea? How is this
> related to the concept of a PRF?
>
> (And if you know I got this wrong... well, ok, tell me.)
> JM

------------------------------

From: John Myre [EMAIL PROTECTED]
Subject: Re: PRNG question from newbie
Date: Wed, 16 May 2001 13:22:32 -0600

Paul Pires wrote:
[snip]
> Isn't this just a stream cipher with a good key setup routine? If not,
> what's the difference?
[snip]

I think that's the deep question to address. How are the requirements for the output of a PRNG (stream cipher) and a hash function different? Can an *efficient* algorithm do either job, securely? Or is it inevitable that we need two algorithms (even if related), one for each job?

There are other related concepts (e.g., pseudo-random functions). Can the whole thing be unified? (Don't ask me!)

JM

------------------------------

From: Henrick Hellström [EMAIL PROTECTED]
Subject: Re: PRNG question from newbie
Date: Wed, 16 May 2001 22:06:11 +0200

Paul Pires [EMAIL PROTECTED] wrote in message news:hZzM6.32165$[EMAIL PROTECTED]...
> John Myre [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > David Wagner wrote:
> > [snip]
> > > If you mean something that stretches a short, truly random, uniformly
> > > distributed seed to a long pseudorandom keystream,
> > [snip]
> > > If you mean something that collects entropy from various sources of
> > > questionable quality and unknown statistical distribution and
> > > attempts to distill this down to a uniformly distributed value,
> > [snip]
> >
> > If I understand Daemen's contention correctly, it is that the
> > cryptographic community should study/attempt a single primitive,
> > instead of breaking it down as above. That is, instead of helping the
> > PRNG by promising that its input is a nice compact key, or helping the
> > hash function by only requiring a fixed (small) output, we should ask
> > for a function that takes any amount of input and gives back any
> > amount of output, preserving the entropy of the input, and making the
> > output look pseudo-random and uniformly distributed. I think.
>
> Isn't this just a stream cipher with a good key setup routine? If not,
> what's the difference?
Most ciphers have a maximum key size - unless the user key is hashed first, of course, but then you really don't have a single primitive.

An error propagating cipher would do if the error propagation is secure - by definition, because secure error propagation ought to be defined as if the function F_x(y) is secure for any length of x and y, where x is the first part of the message and y is the last part of the message. If this is so, then the primitive could be constructed as G^n(x) = F_x(0^n), where x is the input and n is the desired length of the output. (0^n should be interpreted as a string of n zeroes.) That's what e.g. Steak does.

--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Not a realistic thing to do..Why?
Date: Wed, 16 May 2001 20:19:17 GMT

On Wed, 16 May 2001
Cryptography-Digest Digest #369
Cryptography-Digest Digest #369, Volume #14       Wed, 16 May 01 20:13:01 EDT

Contents:
  Re: TC15 analysis (Tom St Denis)
  Re: PRNG question from newbie (David Wagner)
  Re: PRNG question from newbie (Roger Schlafly)
  Re: taking your PC in for repair? WARNING: What will they find? (Ichinin)
  Re: taking your PC in for repair? WARNING: What will they find? (P.Dulles)
  Re: PRNG question from newbie (Henrick Hellström)
  Re: PRNG question from newbie (David Wagner)
  Re: TC15 analysis (Scott Fluhrer)
  Re: TC15 analysis (Scott Fluhrer)
  Re: taking your PC in for repair? WARNING: What will they find? (Omnivore)
  Re: taking your PC in for repair? WARNING: What will they find? (Omnivore)
  Re: TC15 analysis (Tom St Denis)
  Re: PRNG question from newbie (Paul Pires)
  Re: PRNG question from newbie (Roger Schlafly)
  Re: How can I see the symmetric encryption keysize in SSL? (no_carrier)
  Re: taking your PC in for repair? WARNING: What will they find? (SCOTT19U.ZIP_GUY)

----------------------------------------------------------------------

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: TC15 analysis
Date: Wed, 16 May 2001 21:54:06 GMT

Scott Fluhrer [EMAIL PROTECTED] wrote in message news:9du4hf$5e1$[EMAIL PROTECTED]...
> In any case, it turns out there was a bug in my program -- I had the
> sbox in backwards (which brings up an obvious question -- would the
> cipher actually be stronger if you inverted the sbox? Probably not).
> When I fixed that, it did find a one round differential at hamming
> weight 7 (with probability 2**-15). The differential at the beginning
> of a round is (in binary):
>
>   01010001 0011 00101000
>
> The linear transform turns it into:
>
>   0001 00011000 00111000 01001001
>
> And each of the 5 active sboxes has a 2**-3 probability of turning the
> bits within its column back into the column settings of the original
> differential.

I finished an accelerated search and I think I can conclude there are no useful 1R differentials.

Any clues on how to make the LT better? I see in serpent they used logical shifts, is that to avoid this cyclic behaviour?
Tom

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: PRNG question from newbie
Date: 16 May 2001 21:59:36 GMT

John Myre wrote:
> I think that's the deep question to address. How are the requirements
> for the output of a PRNG (stream cipher) and a hash function different?

The two concepts are *very* different. For instance, it is possible to have a secure stream cipher that ignores the first bit of its key, yet this would clearly make a very bad hash function. The security requirements of a hash function seem to be much stronger than the security requirements for stream ciphers.

------------------------------

From: Roger Schlafly [EMAIL PROTECTED]
Subject: Re: PRNG question from newbie
Date: Wed, 16 May 2001 20:39:05 GMT

David Wagner [EMAIL PROTECTED] wrote in message news:9dut88$qgh$[EMAIL PROTECTED]...
> John Myre wrote:
> > I think that's the deep question to address. How are the requirements
> > for the output of a PRNG (stream cipher) and a hash function different?
>
> The two concepts are *very* different. For instance, it is possible to
> have a secure stream cipher that ignores the first bit of its key, yet
> this would clearly make a very bad hash function. The security
> requirements of a hash function seem to be much stronger than the
> security requirements for stream ciphers.

OTOH, it is possible to have a secure hash function (in the sense that it is one-way and collision-resistant) but where one bit of every output byte is zero. But that would give a very poor stream cipher.

------------------------------

From: Ichinin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they find?
Date: Tue, 15 May 2001 06:46:44 +0200

P.Dulles wrote:
> [SNIP]

add

12. What does EE do to thwart Proxies and remote monitoring software?

------------------------------

From: P.Dulles *@*.com
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they find?
Date: Wed, 16 May 2001 18:35:19 -0400
Reply-To: *@*.com

In article [EMAIL PROTECTED], [EMAIL PROTECTED] says...
: P.Dulles wrote:
: [SNIP]
:
: add
:
: 12. What does EE do to thwart Proxies and remote monitoring software?
:

Excellent point. But they won't answer.

I also forgot to mention that a trojan could also be installed on your system by your boss or the police, and they can retrieve all files that way.

--
Loki

Joan of Arc heard voices too!

------------------------------

From:
Cryptography-Digest Digest #370
Cryptography-Digest Digest #370, Volume #14       Thu, 17 May 01 00:13:01 EDT

Contents:
  TC15 analysis (more) (Tom St Denis)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) ([EMAIL PROTECTED])
  Karnaugh maps (try #2) (Tom St Denis)
  Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda) (Vilchurn)
  Re: Karnaugh Maps (Adam Shiel)
  Re: Karnaugh Maps (Xcott Craver)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Trevor L. Jackson, III)
  Re: Karnaugh maps (try #2) (Xcott Craver)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Trevor L. Jackson, III)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (Trevor L. Jackson, III)
  Re: taking your PC in for repair? WARNING: What will they find? (P.Dulles)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (SCOTT19U.ZIP_GUY)
  Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda) ([EMAIL PROTECTED])
  Re: Karnaugh maps (try #2) (Jeffrey Walton)
  Re: taking your PC in for repair? WARNING: What will they find? (Ken D.)
  Re: taking your PC in for repair? WARNING: What will they find? (Omnivore)
  Re: Karnaugh maps (try #2) (Jim Steuert)
  Evidence Eliminator --GET IT FREE (Nomen Nescio)

----------------------------------------------------------------------

From: Tom St Denis [EMAIL PROTECTED]
Subject: TC15 analysis (more)
Date: Thu, 17 May 2001 00:37:49 GMT

It seems with the Noekeon sbox there are no 1R attacks with less than four active sboxes... neato... time to make a new sbox for TC15.

--
Tom St Denis
---
http://tomstdenis.home.dhs.org

------------------------------

Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
From: [EMAIL PROTECTED]
Date: 16 May 2001 20:41:35 -0400

[EMAIL PROTECTED] (Richard Herring) writes:
> Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
> > Note: You don't have to actually shoot them; it's the fear of being
> > shot that has deterred many potential home invasions.
>
> If they didn't take place, how do you know?
Correlation between B&E rates and rate of concealed carry permits, for one thing.

Len.
--
Frugal Tip #60: Bounce some checks.

------------------------------

From: Tom St Denis [EMAIL PROTECTED]
Subject: Karnaugh maps (try #2)
Date: Thu, 17 May 2001 01:06:30 GMT

Ok yet again trying to learn this stuff. (btw I appreciate your help!)

I took the lsb of the Noekeon sbox (for no apparent reason at all...ho hum) and made a 16-bit string which I then chopped into four rows of four bits each...

  1000 0010 1110 1110

  cd\ab  00 01 11 10
    00 | 01 00 00 00
    01 | 00 00 00 01
    11 | 01 01 00 01
    10 | 01 01 00 01

(hopefully this shows up right)

Anyways the columns and rows are in gray code order... btw a gray code is just x = x^(x>>1) right?

Anyways... Now onto the Karnaugh maps. What is the first step? From what I gather you draw bubbles around the groups of ones in rows or columns. I note the square at the bottom and the 3 run on the right.. Can someone list the steps you take to do this? I don't just want the answer...

Please and thank you :-)

Tom

------------------------------

From: Vilchurn [EMAIL PROTECTED]
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda)
Reply-To: Vilchurn
Date: Thu, 17 May 2001 01:30:46 GMT

On Wed, 16 May 2001 04:33:03 GMT, Ken D. [EMAIL PROTECTED] wrote:

> Beretta wrote:
>
> > On Tue, 15 May 2001 22:33:36 +0100, in alt.security.pgp you wrote:
> >
> > > By now you will have witnessed the mass hysteria about Evidence Eliminator.
> >
> > [snip]
> >
> > You fags keep spamming, and I keep posting serial numbers to your software

i hope these keys invoke their 'protection code'.
i need a working example of that 'protection' to write my EE danger demonstration program.

And I am sending the spammers' msg headers to their abuse service provider to get them eventually tos'd

------------------------------

Date: Wed, 16 May 2001 20:54:45 -0500
From: Adam Shiel [EMAIL PROTECTED]
Subject: Re: Karnaugh Maps

Tom,

Another thing to look at is logic minimization using techniques developed for the ASIC/FPGA world. For most bitsliced sboxes you're really dealing with four single bit outputs, and there might be some redundancy between bits that you won't see looking at one bit at a time. Synopsys' Design Compiler is a common (if expensive) tool used in the industry; your university may have
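Tom's "try #2" above asks for the steps of a Karnaugh map rather than the answer. The following is an added example, not code from the thread: it lays his Noekeon LSB bits out in Gray-code order and then does mechanically what the bubbles do by hand, finding every maximal all-ones group (the prime implicants) and picking a cover of them. It assumes bit i of his 16-bit string is the output for input i, with (a, b, c, d) the bits of i from most significant down, and rows cd / columns ab as in his layout; the routines go beyond his one case in that they work for any 4-input truth table.

```python
"""Karnaugh-map grouping done mechanically for the LSB of the Noekeon S-box
as Tom posted it (16-bit string 1000 0010 1110 1110). Added example, not
code from the thread. Assumptions: bit i of the string is the output for
input i, (a, b, c, d) are the bits of i from most to least significant,
and the map has rows cd and columns ab in Gray order 00 01 11 10."""
from itertools import product

NOEKEON_LSB = "1000" "0010" "1110" "1110"
VARS = "abcd"


def gray_code(x):
    """Reflected Gray code, the x ^ (x >> 1) Tom asked about."""
    return x ^ (x >> 1)


def truth_table(bits=NOEKEON_LSB):
    """{(a, b, c, d): y} from the posted bit string (assumed index order)."""
    return {tuple((i >> s) & 1 for s in (3, 2, 1, 0)): int(bits[i])
            for i in range(16)}


def kmap_rows(bits=NOEKEON_LSB):
    """The 4x4 map: rows cd and columns ab, each in Gray order (0, 1, 3, 2)."""
    tt = truth_table(bits)
    order = [gray_code(i) for i in range(4)]
    return [tuple(tt[(ab >> 1, ab & 1, cd >> 1, cd & 1)] for ab in order)
            for cd in order]


def covers(term, minterm):
    """term has entries 0, 1 or None (don't care); does it cover minterm?"""
    return all(t is None or t == m for t, m in zip(term, minterm))


def is_implicant(term, tt):
    """A term is an implicant when every cell it covers holds a 1."""
    return all(tt[m] == 1 for m in tt if covers(term, m))


def prime_implicants(bits=NOEKEON_LSB):
    """Every maximal 'bubble': an implicant from which no literal can be
    dropped (dropping one doubles the rectangle, which must stay all-ones)."""
    tt = truth_table(bits)
    primes = []
    for term in product((0, 1, None), repeat=4):
        if not is_implicant(term, tt):
            continue
        wider = (term[:i] + (None,) + term[i + 1:]
                 for i, t in enumerate(term) if t is not None)
        if not any(is_implicant(w, tt) for w in wider):
            primes.append(term)
    return primes


def term_str(term):
    """Product term as text, e.g. (1, None, 0, None) -> 'a~c'; all-None -> '1'."""
    return "".join(v if t else "~" + v
                   for v, t in zip(VARS, term) if t is not None) or "1"


def sop_cover(bits=NOEKEON_LSB):
    """Primes covering all ones: essential primes first (the only prime over
    some 1), then greedily by cells still uncovered. Greedy is not always
    minimal in general; for Tom's bits every prime is essential, so it is."""
    tt = truth_table(bits)
    ones = sorted(m for m, y in tt.items() if y)
    primes = prime_implicants(bits)
    chosen = []
    for m in ones:
        hits = [p for p in primes if covers(p, m)]
        if len(hits) == 1 and hits[0] not in chosen:
            chosen.append(hits[0])
    left = [m for m in ones if not any(covers(p, m) for p in chosen)]
    while left:
        best = max(primes, key=lambda p: sum(covers(p, m) for m in left))
        chosen.append(best)
        left = [m for m in left if not covers(best, m)]
    return chosen


def sop_str(bits=NOEKEON_LSB):
    return " + ".join(sorted(term_str(p) for p in sop_cover(bits)))


if __name__ == "__main__":
    for row in kmap_rows():
        print(" ".join(str(y) for y in row))
    print("prime implicants:", [term_str(p) for p in prime_implicants()])
    print("y =", sop_str())
```

On the Gray-ordered map the two four-cell groups are a 2x2 square (a~c) and a pair of rows that wrap top to bottom (a~d); the two pairs (~b~c~d, bc~d) also wrap across the left and right edges, which is exactly what Gray ordering buys.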