Cryptography-Digest Digest #534
Cryptography-Digest Digest #534, Volume #14       Wed, 6 Jun 01 10:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: function notation (injection, bijection, etc..) one last time ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P.(John Myre)
  Re: Are RS codes a type of PRF? (Niels Ferguson)

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 12:32:18 GMT

Tom St Denis [EMAIL PROTECTED] wrote:

: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
: [EMAIL PROTECTED] (Tom St Denis) wrote in
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
: Tell what little get a third party to encrypt using your ctr
: mod a one cipher text output file. I will guess the input. I may
: be wrong. Then you get to guess the input to a one byte output
: file encrypted with BICOM. If you miss I guess again. And we
: keep doing this till one gets it right. I am willing to put
: a thousand bucks on this. On second thought you go first.
: Do you feel secure enough to really bet. I doubt it.

: As long as all messages are uniformly probable you win.

[...]

: It's still uniformly distributed... so again I win.

So, would you like to take that bet?  Or not?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:48:12 -0400
Reply-To: see.signature

Gregory G Rose wrote:

A PRP (by definition) produces every output value in its range once, and only once, if you enumerate the possible inputs. Now ignore for a moment that a PRF need not have a restricted domain, and assume the same set of 2^N inputs (N-bit inputs and outputs). Then *on average* each output appears once. But if the PRF is for real, approximately 1/e of the outputs won't appear at all, and some will appear multiple times. (If I recall correctly, the number of occurrences of a particular value is Poisson distributed, but don't hold me to that...)

This difference still applies as you truncate the output of a PRP. For example, take the silly case where you just drop one bit. Now each output value appears exactly twice for a PRP, and on average twice for a PRF, but sometimes *more* than twice. As soon as you notice a value appear three times, you know that it was a truncated PRF. Conversely, based on the expected distribution of outputs, when you have enough inputs and have *not* seen a distribution anomaly, you know you were truncating a PRP, not a PRF.

What you said is true, but it doesn't mean that you can efficiently tell whether a truncated PRF is a truncated PRP. If that were possible, you could turn it into an efficient test for telling whether a PRF is a PRP. As you scale up the scheme, it will be more and more difficult to detect the statistical anomaly caused by collisions in a non-PRF PRP. Asymptotically, no efficient computer can tell whether a PRF is a PRP significantly better than blind guessing.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should not be relied upon as the basis for decisions of consequence.
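The full-domain counting argument Gregory Rose describes, and the reason Nicol So's objection bites, can be seen in a small simulation. This is an added example and not code from the digest: it stands in for an ideal PRP and an ideal PRF with a seeded random permutation and a seeded random function over a constructed 12-bit domain (N_BITS, DOMAIN, the seeds and every function name are this example's own choices), drops one output bit, and counts how often each truncated value appears.

```python
import random
from collections import Counter

# Toy width, constructed for the demo; a real block cipher would have 64 or 128 bits.
N_BITS = 12
DOMAIN = 1 << N_BITS


def random_permutation(seed):
    """Stand-in for an ideal PRP: a uniformly random bijection on N_BITS-bit values."""
    table = list(range(DOMAIN))
    random.Random(seed).shuffle(table)
    return table


def random_function(seed):
    """Stand-in for an ideal PRF: every input gets an independent uniform output."""
    rng = random.Random(seed)
    return [rng.randrange(DOMAIN) for _ in range(DOMAIN)]


def truncate(table, drop_bits=1):
    """Drop the low drop_bits of every output, as in Rose's 'silly case'."""
    return [v >> drop_bits for v in table]


def unhit_fraction(table):
    """Fraction of the (untruncated) range that never appears; about 1/e for a PRF, 0 for a PRP."""
    return 1 - len(set(table)) / DOMAIN


def max_multiplicity(values):
    """Largest number of inputs mapping to one truncated output."""
    return max(Counter(values).values())


def multiplicity_histogram(values):
    """How many truncated output values occur once, twice, three times, ..."""
    return dict(sorted(Counter(Counter(values).values()).items()))


def classify_truncated(values, drop_bits=1):
    """Rose's full-domain test: after dropping k bits, a PRP hits every
    (N-k)-bit value exactly 2^k times; any other profile means PRF.
    Note that this needs all 2^N outputs, which is the part that does not scale."""
    expected = 1 << drop_bits
    counts = Counter(values)
    if len(counts) == DOMAIN >> drop_bits and all(c == expected for c in counts.values()):
        return "PRP"
    return "PRF"


if __name__ == "__main__":
    prp, prf = random_permutation(1), random_function(1)
    print("PRF unhit fraction:", round(unhit_fraction(prf), 3), "(1/e ~ 0.368)")
    print("truncated PRP profile:", multiplicity_histogram(truncate(prp)))
    print("truncated PRF profile:", multiplicity_histogram(truncate(prf)))
    print(classify_truncated(truncate(prp)), classify_truncated(truncate(prf)))
```

A truncated PRP hits every 11-bit value exactly twice, while the truncated random function leaves about 1/e of the untruncated outputs unhit and produces values seen three or more times, which is the anomaly Rose's test keys on. The catch Nicol So raises is visible in classify_truncated: it walks all 2^N inputs, fine at N = 12 and out of reach for a real block width, so the test does not turn into an efficient distinguisher.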
--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:51:58 -0400
Reply-To: see.signature

Nicol So wrote:

What you said is true, but it doesn't mean that you can efficiently tell whether a truncated PRF is a truncated PRP. If that were possible, you could turn it into an efficient test for telling whether a PRF is a PRP. As you scale up the scheme, it will be more and more difficult to detect the statistical anomaly caused by collisions in a non-PRF PRP.
                                                                                                    ^^^
Typo. What I meant was a PRF which is not a permutation.

Asymptotically, no efficient computer can tell whether a PRF is a PRP significantly better than blind guessing.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should not be relied upon as the basis for decisions
Cryptography-Digest Digest #534
Cryptography-Digest Digest #534, Volume #12       Fri, 25 Aug 00 12:13:00 EDT

Contents:
  Navigator and Internet Explorer SSL X.509 Profile (Klaus Schmeh)
  Re: My encryption algorithm ([EMAIL PROTECTED])
  Re: PGP Bug: IMPORTANT Personal test report (Steven Markowitz)
  Re: "Warn when encrypting to keys with an ADK" (Phil Harrison)
  Re: "Warn when encrypting to keys with an ADK" (S.R. Heller)
  Re: "Warn when encrypting to keys with an ADK" (Ron B.)
  Re: Bytes, octets, chars, and characters (Dan Pop)
  Re: The DeCSS ruling ("Trevor L. Jackson, III")
  Re: PGP Bug: IMPORTANT Personal test report ("Michel Bouissou")
  Re: Asymmetric Encryption Algorithms ("Paul Montgomery")
  Re: My encryption algorithm (jkauffman)
  Re: Bytes, octets, chars, and characters (Guy Macon)
  Re: need help! (John Myre)
  Re: Steganography vs. Security through Obscurity (Guy Macon)
  Re: UNIX Passwords ([EMAIL PROTECTED])
  Re: Bytes, octets, chars, and characters ("Douglas A. Gwyn")
  Re: Asymmetric Encryption Algorithms ([EMAIL PROTECTED])
  Re: Bytes, octets, chars, and characters ("Douglas A. Gwyn")
  Re: My unprovability madness. ("Douglas A. Gwyn")
  Re: Serious PGP v5 v6 bug! ("Douglas A. Gwyn")
  challange ([EMAIL PROTECTED])
  Re: UNIX Passwords ("Paul Montgomery")
  Re: My encryption algorithm (Mack)
  Re: Bytes, octets, chars, and characters ("Scott Fluhrer")

From: Klaus Schmeh [EMAIL PROTECTED]
Subject: Navigator and Internet Explorer SSL X.509 Profile
Date: Fri, 25 Aug 2000 15:19:33 +0200

Does anybody have detailed information about the X.509 profile the Internet Explorer and the Netscape Navigator use for the SSL protocol?

Regards
Klaus

--

From: [EMAIL PROTECTED]
Subject: Re: My encryption algorithm
Date: Fri, 25 Aug 2000 13:25:41 GMT

In article 8o4ij6$eub$[EMAIL PROTECTED], "Slava K." [EMAIL PROTECTED] wrote:

I have designed a new encryption algorithm, and would like comments about its security. The following is a specification of the algorithm in general programming terms. Tell me what you think.
EMail me your comments ([EMAIL PROTECTED]).

· A password of any size is inputted (K). If K is of length zero or one, an error is reported.
· A counter N1 is set to the first character of the password. N2 is set to the second.
· The two password characters (respective to N1 and N2; they may be converted to integers or bytes if required by the language) are XORed together (X).
· A character is read from the input file (P; this can again be converted into an integer or a byte if required) and XORed with X.
· The result is written to the output file.
· If N1 equals the size of K, it is set to 1. Otherwise, N1 equals N1 + 1.
· If N2 equals the size of K, it is set to 1. Otherwise, N2 equals N2 + 1.
· The process is repeated if there are any characters left to encrypt.

Wow, a modification of a Vigenère Cipher (I think). Righto.

Tom

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Steven Markowitz)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP Bug: IMPORTANT Personal test report
Date: 25 Aug 2000 13:36:12 GMT

In article 8o5kqk$mls$[EMAIL PROTECTED] "Michel Bouissou" [EMAIL PROTECTED] writes:

[ snip ]

== IMPORTANT NOTE: THIS IS MOST IMPORTANT.

Reading carefully Ralf's paper, the ADK public key seems NOT to be actually included in public keys that mention mandatory use of this ADK. YOU MUST HAVE THE ADK public key as well. Only the ADK's key ID is included in the key that holds an ADK, which is not enough to allow encryption to the ADK by itself.

If the public key contains only the key id of the ADK, then isn't that a serious security flaw? My understanding is that it is possible for an attacker to create a new key having the same key id as an existing key, although the fingerprints will differ. I have read that this can be done for RSA keys; I'm not sure about DH/DSS keys.

This would allow an attacker to cause messages to be encrypted to himself, instead of to the intended ADK, as long as the sender had the attacker's ADK on his keyring. This attack would apply even if the recipient's key had not been tampered with.

It seems to me that in order for the ADK mechanism to be secure, the signed portion of a key would have to include the key id, length, and key fingerprint of the ADK.

Am I misunderstanding something, or is the current ADK setup inherently insecure?

Steven Markowitz

-- 
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of D. E. Shaw Co., L.P. or any of its affiliates.

--

From: Phil Harrison [EMAIL PROTECTED]
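To make Tom's "modification of a Vigenère Cipher" remark on Slava K.'s "My encryption algorithm" post concrete, here is that scheme written out. This is an added example, not code from the poster or the digest: keystream, crypt, keystream_period and degenerate are this example's own names, it treats the password and the file as byte strings, and it starts the two counters on the first and second password characters exactly as the bullet list specifies (0-based indices here standing in for the post's 1-based ones).

```python
def keystream(key: bytes, length: int) -> bytes:
    """The byte sequence the posted scheme XORs into the file.

    Byte i is K[N1] ^ K[N2] with N1 = i mod len(K) and N2 = (i + 1) mod len(K);
    both counters wrap to the start when they pass the end of the password.
    """
    if len(key) < 2:
        # the post: a password of length zero or one is an error
        raise ValueError("password must be at least two characters")
    n = len(key)
    return bytes(key[i % n] ^ key[(i + 1) % n] for i in range(length))


def crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def keystream_period(key: bytes) -> int:
    """Smallest period of the keystream.

    The stream is periodic with period len(key) by construction, so the
    minimal period divides len(key) and the search below always terminates.
    """
    n = len(key)
    ks = keystream(key, 2 * n)
    for p in range(1, n + 1):
        if all(ks[i] == ks[i + p] for i in range(n)):
            return p
    return n


def degenerate(key: bytes) -> bool:
    """True when the keystream is all zero, i.e. the output file equals the input file."""
    return not any(keystream(key, len(key)))


if __name__ == "__main__":
    # constructed sample values
    msg = b"hello world"
    ct = crypt(b"abcd", msg)
    print(ct.hex(), crypt(b"abcd", ct) == msg)
    for pw in (b"abcd", b"ab", b"abab", b"aaaa"):
        print(pw, "period", keystream_period(pw), "degenerate", degenerate(pw))
```

Because N1 and N2 advance in lockstep, X depends only on the position modulo the password length, so the whole construction reduces to XOR with the fixed repeating key K[i] ^ K[(i + 1) mod len(K)], whose period never exceeds len(K); that is the repeating-key structure of a Vigenère cipher, with XOR in place of modular addition. Two consequences worth checking before trusting anything of this shape: a two-character password, or one that merely repeats two characters, collapses to a constant single-byte key, and a password whose characters are all equal gives an all-zero keystream, so the "encrypted" file is the plaintext.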
Cryptography-Digest Digest #534
Cryptography-Digest Digest #534, Volume #11       Wed, 12 Apr 00 09:13:01 EDT

Contents:
  Re: Q: Entropy (Mok-Kong Shen)
  SHA2 (Gregor Leander)
  Re: [Q] PGP - RSA - DH/DSS - Newbie ("Gilles Ferrand")
  Re: SHA2 (Tom St Denis)
  Re: General principles of design (Mok-Kong Shen)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Mok-Kong Shen)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Mok-Kong Shen)
  Re: DES ("Chris Williams")
  Re: Is AES necessary? (Tom St Denis)
  Re: SHA2 (Runu Knips)
  Re: Checksum for digits (Runu Knips)
  Re: OAP-L3: Semester 1 / Class #1 All are invited. ([EMAIL PROTECTED])
  Re: Cryptanalysis Challenge - Will anyone accept? ("Geir Rastad")

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Q: Entropy
Date: Wed, 12 Apr 2000 12:19:54 +0200

Bryan Olson wrote:

Mok-Kong Shen wrote:

Bryan Olson wrote:

Given a string of, say, a million zeros and a "random" million-bit string, Kolmogorov complexity does not say which is more complex.

If the shortest program to describe the former is shorter than the one for the latter (a case which seems fairly likely), then by definition the former has less Kolmogorov complexity than the latter.

Wrong. Kolmogorov complexity allows the program to be written in a large class of languages. For any pair of distinct finite strings there's a pair of legal languages that disagree on which string has the shorter program.

That issue of difference of languages is understandably treated in Kolmogorov complexity. Otherwise that theory wouldn't be able to exist at all. The fact that no real-world algorithm to measure that theoretical quantity exists can also be interpreted to mean that no very exact comparison could be made, in my view. But surely some more or less useful comparison can be made.

Allow me to use an analogy: one can surely claim that the code for an operating system is more complex than one for the quick sort, and that totally independently of what programming languages one uses, including those of year 3000, can't one?

M. K. Shen

--

From: Gregor Leander [EMAIL PROTECTED]
Subject: SHA2
Date: Wed, 12 Apr 2000 12:14:10 +0200

Hallo,

I read something about a new hash function from the NSA called SHA-2. This new function is said to be stronger than SHA1 and that is why I am interested in information about SHA2. So I now hope that someone knows something about this topic, or can tell me where to find more information.

Thanks
Gregor

--

From: "Gilles Ferrand" [EMAIL PROTECTED]
Subject: Re: [Q] PGP - RSA - DH/DSS - Newbie
Date: Wed, 12 Apr 2000 11:01:15 GMT

Thanxx.

OK, knowing that (ElGamal), I read the chapter in B. Schneier, "Applied Cryptography".

Thanxx again

"Tom McCune" [EMAIL PROTECTED] wrote in message news: Vo3I4.687$[EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Gilles F) wrote:

Can you answer me ?

RSA is an asymmetric cryptosystem (or algorithm), OK.
PGP uses a secret session key, encrypted with public key, OK
PGP promotes Diffie Hellman/DSS instead of RSA/MD5 (for royalty-free reasons, I think).
I know (or I believe) that Diffie Hellman is a key exchange protocol between Alice and Bob, without actually exchanging (sending) the secret key on the network:
X = g^x mod(p) / Y = g^y mod(p) and the secret key is g^xy mod(p) after Alice and Bob have exchanged information X and Y

In which way can this protocol replace RSA ? (maybe it's another Diffie Hellman protocol, different from the key exchange protocol ... ?)

Can u help ?

Thanxx a lot ;-)

Hi Gilles,

PGP actually uses ElGamal instead of DH - they refer to it as the ElGamal variant of DH. PGP uses ElGamal keys in the exact same way as RSA keys - in either case, the message/file is actually encrypted to a symmetric algorithm (IDEA, CAST, or 3DES) using a randomly generated session key, the session key is then encrypted to the public key (either RSA or DH) and then the encrypted message/file is packaged with the encrypted session key.

-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.3
Comment: My PGP Page FAQ: http://McCune.cc/PGP.htm

iQA/AwUBOPDC7g2jfaGYDC35EQK1TQCfREUFOYltfnAKj1vyQvBLvUPbIRkAmwe8
hCOY4nrWw25XZwzbRMhE1Mit
=eVD/
-END PGP SIGNATURE-

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: SHA2
Date: Wed, 12 Apr 2000 11:03:25 GMT

Gregor Leander wrote:

Hallo,

I read something about a new hash function from the NSA called SHA-2. This new function is said to be stronger than SHA1 and that is why I am interested in information about SHA2. So I now hope that someone knows something about this topic, or can tell me wher
Cryptography-Digest Digest #534
Cryptography-Digest Digest #534, Volume #9       Wed, 12 May 99 11:13:03 EDT

Contents:
  Re: TwoDeck solution (but it ain't pretty) ([EMAIL PROTECTED])
  Re: Crypto export limits ruled unconstitutional (Mok-Kong Shen)
  Re: TwoDeck solution (but it ain't pretty) ([EMAIL PROTECTED])
  Re: True Randomness The Law Of Large Numbers (R. Knauer)
  Re: A challenge for you ! ("Douglas A. Gwyn")
  Re: A simple challenge for Tomstdenis ("Ulrich Kuehn")
  Re: Crypto export limits ruled unconstitutional (Mok-Kong Shen)
  Searching for algorithm overview ("Jonas Krantz")
  Re: True Randomness The Law Of Large Numbers ("Douglas A. Gwyn")
  Re: Shamir's TWINKLE Factoring Machine (Bob Silverman)
  Re: AES ([EMAIL PROTECTED])
  Newbie: Encrypting short strings ("Steve K")

From: [EMAIL PROTECTED]
Subject: Re: TwoDeck solution (but it ain't pretty)
Date: Wed, 12 May 1999 11:20:51 GMT

LadyCow, stop this cunttalk and take a shower - you stink.

Although I agree, please keep the discussion civil. I (like others) want to keep it cool about these punk @#! losers...

Tom

-- 
PGP public keys. SPARE key is for daily work, WORK key is for published work. The spare is at 'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at 'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!

--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: Crypto export limits ruled unconstitutional
Date: Wed, 12 May 1999 14:30:09 +0200

Johnny Bravo wrote:

There is a program that can convert C code directly to english readable text and back again. Here is a sample of the code for the

Can you provide a pointer to that? I am interested in the manner the translation gets done.

M. K. Shen

--

From: [EMAIL PROTECTED]
Subject: Re: TwoDeck solution (but it ain't pretty)
Date: Wed, 12 May 1999 11:18:58 GMT

As someone has observed, your website is about the BATTLE data compression contest - there are no pointers on it to a page with pointers to the paper and stuff. (We can't see your directory, so we need links from HTML...) You could put a link labelled "About Me" on the bottom of the page which would link to a page saying "Hi, I'm Tom St. Denis", and then mentioning your other interests, including "Cryptography" - and on that include a link to your paper. That way you avoid mentioning cryptography on the BATTLE page itself if you don't want to.

True, that's why I posted links though. I will be making a website for the cryptography stuff this weekend (if not tonight :) ). Sorry about the confusion, the paper (in its current form) is at

http://members.tripod.com/~tomstdenis/TwoDeck.ps

And the rough sketch for the sieving crack is at

http://members.tripod.com/~tomstdenis/solution.ps

Thanks for your time,
Tom

-- 
PGP public keys. SPARE key is for daily work, WORK key is for published work. The spare is at 'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at 'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!

--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness The Law Of Large Numbers
Date: Wed, 12 May 1999 12:41:29 GMT
Reply-To: [EMAIL PROTECTED]

On Wed, 12 May 1999 06:07:42 GMT, "Douglas A. Gwyn" [EMAIL PROTECTED] wrote:

Then why does Feller claim that it is fundamentally incorrect to infer the properties of random number generation from the time average of a single sequence?

Who cares why he says that, it's not relevant.

Are you saying that Feller does not know what he is talking about?

It's hard to be sure what you mean by terms like "1-bit bias".

There should be no difficulty in understanding that term at all. It is quite commonly used in discussions about randomness. It is one of the different kinds of group bias.

The Monobit Test checks the first moment of the distribution,

I think you need to demonstrate that formally.

If John Jones makes only $25,000/year, then there is evidence that he isn't a very good salesman, and you should consider not using him to peddle your product.

It depends on whether that is his consistent earnings level. One annual earnings report is not sufficient to characterize his overall performance over his productive years.

If you want to formulate a monobit-type test that takes a large number of samples into account, then I would agree that it might have merit. But just one test on one small sample is not sufficient.

But a better analogy would be: John Jones normally makes around $100,000/year,