Cryptography-Digest Digest #280
Cryptography-Digest Digest #280, Volume #14 Tue, 1 May 01 19:13:00 EDT Contents: Eurocrypt presentation on NSS (Dan Bailey) Re: Censorship Threat at Information Hiding Workshop (Paul Pires) Re: RSA BRUTE FORCE (Jack Brennen) Re: Style of discussions (John Bailey) Any one got a Clue on configuring freeswan? (mickey) Re: RSA BRUTE FORCE ([EMAIL PROTECTED]) Feige-Fiat-Shamir and Guillou-Quisquater Identification Schemes (Brice Canvel) Re: Feige-Fiat-Shamir and Guillou-Quisquater Identification Schemes (Quisquater) Re: RSA BRUTE FORCE (John Savard) Re: I do not feel secure using your program any more. (James Felling) Re: Censorship Threat at Information Hiding Workshop (Darren New) Re: Intacta.Code ... (Thomas Christensen) Re: Intacta.Code ... (Thomas Christensen) Re: Censorship Threat at Information Hiding Workshop (Paul Pires) From: Dan Bailey [EMAIL PROTECTED] Subject: Eurocrypt presentation on NSS Date: Tue, 1 May 2001 16:06:40 -0400 Recently, there have been postings on this group that the NSS scheme outlined in the NSS paper to be presented at Eurocrypt May 8 has been attacked, and that any NSS signature can be easily forged. There have also been pointers to a web site making these claims without providing any details. It is unfortunate that such allegations are widely disseminated without detailed supporting material. We should stress that these attacks do not undermine the security of NSS and would like to comment on these recent discoveries. First, there are indeed two attacks which have been put forth to the NSS signature scheme as described in the Eurocrypt paper. The first pertains to an oversight in the paper, where a signature validation condition was oversimplified. This permitted an easy (and easily countered) forgery attack via linear algebra. It appears Jacques Stern has found a version of this attack as well, and a preliminary announcement has been posted to his website. Lacking the details of Stern's methods, we cannot comment further at this time. However, we would like to stress that the signatures posted on his website are *not* valid signatures, as they fail to satisfy several defining conditions sketched in the Technical Note referred to below. The second is a very interesting strengthening of a statistical transcript attack first described in our paper. This attack shows a manner in which transcripts of a few tens of thousands of signatures could be sufficient to leak significant information. This is countered by strengthening the encoding/masking methods already mentioned in the NSS paper as a defense against averaging attacks. Further details will be provided during our Eurocrypt presentation. NTRU's current software toolkits already include the strengthened defenses. Again, we would like to emphasize that these attacks do not undermine the security of NSS. They were directed at certain encoding/validation aspects of the Eurocrypt paper and do not impact the underlying NSS algorithm. You can learn more about the NSS algorithm by reviewing detailed Technical Note #017: Enhanced Encoding and Verification Methods for the NTRU Signature Scheme on our web site located at http://www.ntru.com/technology/tech.technical.htm. Posted on behalf of Jeffrey Hoffstein, co-Vice President Research and Founder, NTRU -- From: Paul Pires [EMAIL PROTECTED] Subject: Re: Censorship Threat at Information Hiding Workshop Date: Tue, 1 May 2001 13:17:58 -0700 Roger Schlafly [EMAIL PROTECTED] wrote in message news:ahDH6.125$[EMAIL PROTECTED]... Paul Pires [EMAIL PROTECTED] is to establish a tangible asset which can be protected and valued. 14 to 20 years sounds about right to me. I have never understood why the term and the renewal provisions are so different for copyright versus patent. I suspect there were some vested interest in the the publishing industry that had to be appeased. 56 years? that's absurd. Neither patents nor copyrights can be renewed. Patents expire 20 years after the application date. Copyrights last for the life of the author, plus 70 years. Bad wording on my part. Extensions are not renewals. The point remains that congress doesn't feel the need to constantly muck with patent terms. Every 20 years or so, when the Mickey Mouse copyright is about to run out, Congress extends the copyright term for another 20 years. The last extension was challenged in the courts (Eldred v. Reno), but the courts have upheld the extension (so far). For more info, see: Nice reference. I have to agree with the dissenting opinion that retroactively extending a term is in conflict with the limits on the congress. By securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries. If a term can be extended retroactively then it cannot be seen as very limited. Consideration
Cryptography-Digest Digest #280
Cryptography-Digest Digest #280, Volume #13 Wed, 6 Dec 00 04:13:00 EST Contents: Re: Math background required for Cryptology ? (Tom St Denis) Re: What's better CAST in PGP or Blowfish 128bit? (Tom St Denis) Re: Possibly-new attack on D-H? (Paul Rubin) Re: About governments and my ex-relatives in Finland and the U.S.A. ... ("John A. Malley") Re: [Question] Generation of random keys (Benjamin Goldberg) Re: MD5 byte order (Benjamin Goldberg) Re: [Question] Generation of random keys ("John A. Malley") Re: Journal of Craptology (David A Molnar) Re: About governments and my ex-relatives in Finland and the U.S.A. ... (Error_404) Re: newbie: how to persuade my managment not to do our own home-grown encryption? (Jon Haugsand) Re: Simulataneous encryption and authentification (was IBM's new algorithm) (David Wagner) Re: ARCFOUR (RC4) used for CipherSaber-N (Glide) Re: Smart Card vs 1.44 Disk (Francois Grieu) Re: About governments and my ex-relatives in Finland and the U.S.A. ... (Richard Heathfield) Re: What's better CAST in PGP or Blowfish 128bit? (Bill Unruh) Re: Are AES algorithms export restricted? (Bill Unruh) Re: Revised cipher (Jorgen Hedlund) From: Tom St Denis [EMAIL PROTECTED] Subject: Re: Math background required for Cryptology ? Date: Wed, 06 Dec 2000 03:29:07 GMT In article BhgX5.134660$[EMAIL PROTECTED], "Ryan J Schave" [EMAIL PROTECTED] wrote: I have recently become interested in cryptology. Unfortunately my knowledge of math is pretty weak. I imagine this small detail will hold me back from learning everything I can about cryptology. I have pulled out my old math books from college and looked at the TOC of each of them. What topics in math should I have a firm grasp of before I can expect to get the most of cryptology? Obviously many topics in math are based on other topics, but I don't want to spend time teaching myself stuff that I won't use in my study of cryptology. Hope this makes sense. Hmm well you should be familiar with programming languages such as C. Should have a familiarity with how a processor works (assembly language at least). Should have some finite math and linear algebra. If you want to get into PK crypto you need to know alot of Number Theory. If you want to get into symmetric crypto you need to know alot of discrete mathmatics. All in all if you want to be an avid amateur I would suggest high school level maths. If you want to be a pro, go to university and take compsci/math courses. Tom Sent via Deja.com http://www.deja.com/ Before you buy. -- From: Tom St Denis [EMAIL PROTECTED] Subject: Re: What's better CAST in PGP or Blowfish 128bit? Date: Wed, 06 Dec 2000 03:26:53 GMT In article 90jlus$2rpc$[EMAIL PROTECTED], "Noname" [EMAIL PROTECTED] wrote: I need strong algorithm and it can be slow in encrypt/decrypt. I need the best:o). You need to learn about crypto is what you need. Tom Sent via Deja.com http://www.deja.com/ Before you buy. -- From: Paul Rubin [EMAIL PROTECTED] Subject: Re: Possibly-new attack on D-H? Date: 05 Dec 2000 20:17:06 -0800 Tom St Denis [EMAIL PROTECTED] writes: I believe in PGP new primes are chosen for each new DH/DSS key. No there's a table of fixed Sophie Germain primes of various lengths. They are generated according to an algorithm given in a comment in the code. It also says how long it took to generate each one. For the 1024 bit one I think it was on the order of an hour. -- From: "John A. Malley" [EMAIL PROTECTED] Subject: Re: About governments and my ex-relatives in Finland and the U.S.A. ... Date: Tue, 05 Dec 2000 20:19:54 -0800 JustBrowsing wrote: [snip] Actually I'm kidding, but I cant believe this is a real message. Probably a test to see who's really awake in this news group :) Sometimes I wonder if these posts aren't truly: 1. Steganographic messages to some person or cell of persons. 2. Code signals to some person or cell of persons (some key word or phrase is in the message and means something to those with the code book or agreed upon use) The crafted tone and content leads the casual reader to dismiss the postings as inconsequential ramblings. This may deliberately hide the true meaning. It's just unusual to see these postings appear when they do, in clusters, followed by relatively long periods of silence. Or maybe they are just someone's idea of a joke on the readers of sci.crypt and other USENET groups? John A. Malley [EMAIL PROTECTED] -- From: Benjamin Goldberg [EMAIL PROTECTED] Subject: Re: [Question] Generation of random keys Date: Wed, 06 Dec 2000 04:20:31 GMT Per Claesson wrote: Alan Rouse wrote: The original post on this thread was requesting source code to ge
Cryptography-Digest Digest #280
Cryptography-Digest Digest #280, Volume #12 Mon, 24 Jul 00 12:13:01 EDT Contents: Re: random malar-key (Mike Rosing) Re: Rabin's information dispersal algorithm (Mike Rosing) Re: Random Appearance (Paul Koning) Re: Proving continued possession of a file (Ríkharður Egilsson) Re: Hash function? (Boris Kazak) Re: Random Appearance ("Tony T. Warnock") Re: Proving continued possession of a file (Mark Wooding) books by W. F Friedman (Charles Blair) Re: New stream cipher ("Trevor L. Jackson, III") Re: Practical application of Ciphersaber (Was: RC4-- repetition length?) ("Trevor L. Jackson, III") Re: Hash function? (Sander Vesik) Re: Hash function? ("Scott Fluhrer") Re: Practical application of Ciphersaber ("Scott Fluhrer") From: Mike Rosing [EMAIL PROTECTED] Subject: Re: random malar-key Date: Mon, 24 Jul 2000 08:18:46 -0500 Abyssmal_Unit_#3 wrote: don't worry, it only takes power away (can u spare it?) , it doesn't (shouldn't) introduce any unwanted abberations of thoughts. heee ! ;-)) ok, maybe try hooking up like an ECG instead? how about an aura detector? ;-D EEG's would work fine. You just have to sample at 10 kHz and integrate for at least 1000 samples. the result (modulo your sample bit width) will be random. It's stuff like this that got me into crypto in the first place. About 15 or so years ago I built an EEG digitizer. (I also was pumping signals into my head, but it worked, so I stopped :-) What I wanted to do was ship EEG signals around, mostly for gaming and music purposes, but I could see lots of other applications. A direct link to my thoughts is something worth protecting, and I think strong crypto is required. I gave up on EEG's, but crypto is still fun! Patience, persistence, truth, Dr. mike -- From: Mike Rosing [EMAIL PROTECTED] Subject: Re: Rabin's information dispersal algorithm Date: Mon, 24 Jul 2000 08:34:48 -0500 Wei Dai wrote: IDA is a method of producing k pieces from a message such that any n of them can be used to recover the message. If the message length is m, then each piece has size m/n, and it takes O(m*k) operations to generate the pieces and O(m*n) operations to recover the message. The new method improves the run-time to O(m+m*(k-n)) operations to generate the pieces and O(m+n^2+m*r) operations to recover the message, where r is the number of pieces among the first n pieces that are missing. The new method treats the message as the values of a degree n-1 polynomial evaluated at points 0,...,n-1. The first n pieces are produced simply by cutting the message into n equal sized chunks. The other k-n pieces are produced by interpolating the polynomial at k-n other points. Recovery involves interpolating the values of the polynomial at only the missing points. The coefficients of the polynomial is never explicitly determined. I assume you mean the coefficients are not determined during recovery, but they must be known during generation. How does one know which points are "missing" if you don't know the coefficients? Patience, persistence, truth, Dr. mike -- From: Paul Koning [EMAIL PROTECTED] Subject: Re: Random Appearance Date: Mon, 24 Jul 2000 10:00:43 -0400 Mack wrote: Joseph Ashwood wrote: That's not correct. OTP's are subject to known-plaintext attacks, ... No, they are not, since the only plaintext that is "recovered" is exactly the plaintext that was already known. The point being that "One-Time Pad" in such a context means the theoretically secure system, not a potentially flawed attempt at implementation of such a system. The code book systems to which I was refering are exactly the same as OTP's. The pad may be reused at the risk of a known plaintext attack. The words for messages are compiled into a list each word has a different meaning. These pads are usually only a couple of pages and then compiled into a book. Different 'chapters' are used depending on some information. This system was used during WW2 if I am not mistaken. Each 'chapter' is an OTP. If a chapter is reused it is subject to known-plaintext attack . Of course if the OTP is stolen it is also broken. In actual use pads were used for a certain time period. Clearly if they were used "for a certain time period" they were nothing at all like OTP. Your description sounds thoroughly muddled. Can you point to a reference that supports the "one time" notion of these "code books"? I find it hard to believe considering the work involved in creating codes by hand. What does sound familiar is code books of widely varying sizes (from one page tactical codes to quite large code books). And of course all of these would be reissued from time to t
Cryptography-Digest Digest #280
Cryptography-Digest Digest #280, Volume #11 Wed, 8 Mar 00 16:13:02 EST Contents: Re: Your Recommended Choice On Std Crypto Parts (Doug Stell) Re: cannot understand CFB mode code.. ("Steve A. Wagner Jr.") Re: IDEA question. ("Steve A. Wagner Jr.") Re: Your Recommended Choice On Std Crypto Parts (Terry Ritter) Re: CONFERENCE ON NATURALISM -- FINAL NOTICE (John Savard) Re: Can someone break this cipher? ("Steve A. Wagner Jr.") Re: are self-shredding files possible? (Michael Sierchio) Re: The Voynich manuscript (John Savard) Re: why xor?(look out,newbie question! :) (John Savard) Re: why xor?(look out,newbie question! :) (John Savard) Re: NIST, AES at RSA conference (Tim Tyler) Re: Where do I get it? ("Steve A. Wagner Jr.") From: [EMAIL PROTECTED] (Doug Stell) Subject: Re: Your Recommended Choice On Std Crypto Parts Date: Wed, 08 Mar 2000 19:54:58 GMT On Tue, 07 Mar 2000 19:06:45 GMT, [EMAIL PROTECTED] wrote: Ben, Here's a few answers and opinions. Questions best left to others have been removed from this response. If I want speed and good security for encrypting a data stream, and I only want one choice of crypt algorithim for each part, with no patent $ issues, what should i choose, more importantly what would You use. The cost comes in two parts; patent cost for the algorithm and cost of using someone's implementation. The algorithm patent cost depends in part on where you are and where you intend to use the algorithm. I do not want to support N different algorithims, or key length choices, etc.. The data is not ultra-sensitive, ie., not e- commerce, or long-term secrets. Being able to gracefully transition between algorithms in the future is a good feature to consider in the protocol. By graceful I mean the ability to transition without having to render clients unable to communicate until all communicating clients are replaced. - Public Key? : D H For anonymous key agreement, D-H is fine. For authenticated key agreement, KEA (a dual D-H) is a good choice. Ouside the USA, RSA is available royalty free. Other choices involve ElGamal, DSA and hybrids, depending on what you want to do. Remember that many of these algorithms require that you have a authenticatable public key to avoid impersonation attacks. - Cryptographic Hash? : SHA-1??? - Is SHA1 $ free in all situations? I believe so. - Given data is not high sensitive, is a weaker faster crypt hash acceptible. MD4 is about the fastest hash you can get that isn't totally bad. MD4 has been shown to have weaknesses and both MD5 and SHA are improvements on MD4. SHA-1 is a better improvement than MD5, it turns out. MD4 isn't use much any more, but it does offer a choice of high speed versus lower security, if that is the tradeoff you wish to make. doug -- From: "Steve A. Wagner Jr." [EMAIL PROTECTED] Subject: Re: cannot understand CFB mode code.. Date: Wed, 08 Mar 2000 16:32:27 -0800 Perhaps my implementation will be easier to understand...This was derived from some code I downloaded from cryptography.org: //BLOWFISH.H #ifndef __BLOWFISH_H #define __BLOWFISH_H #ifndef uchar #define uchar unsigned char #endif #ifndef ushort #define ushort unsigned short #endif #ifndef ulong #define ulong unsigned long #endif #ifndef ENCRYPT #define ENCRYPT 1 #endif #ifndef DECRYPT #define DECRYPT 2 #endif typedef struct {uchar ptx[8],ctx[8],pos;} bf_context; voidbf_encrypt(ulong *xl, ulong *xr); voidbf_decrypt(ulong *xl, ulong *xr); voidbf_init(uchar *key,ulong keylen); voidbf_cfb_init (bf_context *bf,uchar *key,ulong keylen,uchar riv[8]); uchar bf_cfb(bf_context *bf,uchar n,char direction); #endif//__BLOWFISH_H //BLOWFISH.C #include "blowfish.h" #define S(x,i) (bf_S[i][x.w.byte##i]) #define bf_F(x) (((S(x,0)+S(x,1))^S(x,2))+S(x,3)) #define bf_R(a,b,n) (a.word^=bf_F(b)^bf_P[n]) union aword {ulong word; uchar byte[4]; struct {ulong byte3:8,byte2:8,byte1:8,byte0:8;} w; }; static ulong bf_P[16+2]= {0x243F6A88,0x85A308D3,0x13198A2E,0x03707344, 0xA4093822,0x299F31D0,0x082EFA98,0xEC4E6C89, 0x452821E6,0x38D01377,0xBE5466CF,0x34E90C6C, 0xC0AC29B7,0xC97C50DD,0x3F84D5B5,0xB5470917, 0x9216D5D9,0x8979FB1B, }; static ulong bf_S[4][256]= {0xD1310BA6,0x98DFB5AC,0x2FFD72DB,0xD01ADFB7, 0xB8E1AFED,0x6A267E96,0xBA7C9045,0xF12C7F99, 0x24A19947,0xB3916CF7,0x0801F2E2,0x858EFC16, 0x636920D8,0x71574E69,0xA458FEA3,0xF4933D7E, 0x0D95748F,0x728EB658,0x718BCD58,0x82154AEE, 0x7B54A41D,0xC25A59B5,0x9C30D539,0x2AF26013, 0xC5D1B023,0x286085F0,0xCA417918,0xB8DB38EF, 0x8E79DCB0,0x603A180E,0x6C9E0E8B,0xB01E8A3E, 0xD71577C1,0xBD314B27,0x78AF2FDA,0x55605C60, 0xE65525F3,0xAA55AB94,0x57489862,0x63E81440, 0x55CA396A,0x2AAB10B6,0xB4CC5C34,0x1141E8CE, 0xA15486AF,0x7C72E993,0xB3EE1411,0x636FBC2A, 0x2BA9C55D,0x741831F6,0xCE5C3E16,0x9B87931E, 0xAFD6B
Cryptography-Digest Digest #280
Cryptography-Digest Digest #280, Volume #10 Mon, 20 Sep 99 14:13:03 EDT Contents: Re: Okay "experts," how do you do it? (Sundial Services) Re: some information theory (Tim Tyler) Re: Large number arithmetic (Anton Stiglic) Re: Okay "experts," how do you do it? ([EMAIL PROTECTED]) Re: Okay "experts," how do you do it? ([EMAIL PROTECTED]) Re: Okay "experts," how do you do it? (Patrick Juola) Re: unix clippers that implement strong crypto. (SCOTT19U.ZIP_GUY) Re: Comments on ECC (DJohn37050) Re: FPGAs (Medical Electronics Lab) Re: Okay "experts," how do you do it? (Tom St Denis) AES finalists AMD Athlon performance? (David Crick) Re: Comments on ECC ("Joseph Ashwood") Date: Mon, 20 Sep 1999 08:26:39 -0700 From: Sundial Services [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Subject: Re: Okay "experts," how do you do it? Ahh yes, the NP-complete problem. Okay, then, "for-GET how it works." Let's look only at the input, the output, and the key. Let's pretend we cannot determine the algorithm. What is it about an algorithm's input and output that enables us to say that it is a "good" encryption algorithm? What is it about the algorithm's dependence upon its two inputs, 'p' and 'k', as realized in the output 'c', that makes the algorithm a "good" one or a "bad" one? Patrick Juola wrote: There OUGHT to be an objective test-bed that we can plug these algorithms into, to test them. Actually, it's much harder than you think to come up with an algorithm for analyzing other algorithms. In point of fact, that's one of the few things that's easy to prove *impossible* in computer science -- From: Tim Tyler [EMAIL PROTECTED] Subject: Re: some information theory Reply-To: [EMAIL PROTECTED] Date: Mon, 20 Sep 1999 15:46:33 GMT Anti-Spam [EMAIL PROTECTED] wrote: : Tim Tyler wrote: : Anti-Spam [EMAIL PROTECTED] wrote: : : Tim Tyler wrote: : If you have a set of N target data strings in need of compressing, the : optimum compression technique (in terms of size) is essentially to map : these strings onto the integers from 1 to N. : : Given a string taken at random from the starting set, the resulting : "compressed file" will be indistinguishable from random. : Let me paraphrase, to make sure I understand this assertion: : Start with a set of N data strings. Assume each data string is an : encoding for a symbol S. : I assume this set corresponds then to N symbols ( S1, S2, S3 ... Sn ) : that will appear in messages (compressed data/files). Call this set A. : Conjecture: the optimum compression (here defined in terms of size of : the resulting compression-encoded data/file) is achieved when (1) the N : symbols are encoded as integers 1 through N in the compressed data/file, : irrespective of the frequency of occurance of the Nth symbol in any : particular message. : Furthermore, (2) the random assigment of the integer index value code : for the resulting compression encoded data/file will pass all confidence : tests for random bit strings of the length of the resulting compressed : data/file. : Part (1): : here is the set A: { S1, S2, S3 ... Sn } : index into set A:0, 1 , 2 ... N-1 - N integer values. : Assume the symbols S1 ... Sn do not occur equiprobably. The maximal : entropy code (and thus minimal number of bits and thus minimal sized bit : strings for messages composed of the symbols) requires : H = - (SUM over i = 1 to n )[ ( probability of Si ) * ( log(base2) of : probability of Si) ] : where probability of Si = number of occurances of the ith symbol / total : number of symbols that occur. Occur where, how? Look at a : pre-compressed message M composed of Q occurances of symbols found in : the set A. For some messages maybe all of the symbols in A occur. For : others, maybe only a subset of the symbols in A occur. : The frequencies of occurance are a function of the particular message : M. : So each symbol can be encoded as one out of 2 ^ H unique possible binary : strings, with H varying from message M1, M2, M3... (Static and adaptive : huffman codes create strings shorter and longer than H bits such that : the *average* number of bits per symbol tends to H bits, to handle the : fractional bit values given by this formula for maximal entropy : encoding.) : There are N symbols in the set A. An integer index into the set A : requires ( log(base 2)of N ) bits to be represented. The use of an : integer value (index) to code for the symbol in the compressed data/file : results in the minimal size compressed data/file iff: : H = ( log(base 2)of N ). : i.e this is only true if the probability of occurance for each Si is the : same for all symbols. All symbols as they appear in a specific message