Cryptography-Digest Digest #914, Volume #8 Sat, 16 Jan 99 10:13:06 EST
Contents:
Re: Cayley-Purser algorithm? ([EMAIL PROTECTED])
Re: Metaphysics Of Randomness
Re: The 'Panama' crypto function
Re: Too simple to be safe
crypto machines (ben there)
Re: Metaphysics Of Randomness (Nicol So)
Re: Cayley-Purser algorithm? (Bruce Schneier)
Re: SHA-0 attack (Bruce Schneier)
Re: Export laws (Bruce Schneier)
Re: Question on current status of some block ciphers in AC2 (Bruce Schneier)
Re: sci.crypt intelligence test. (Lincoln Yeoh)
Re: Export laws (Lincoln Yeoh)
Re: Cayley-Purser algorithm? (Bruce Schneier)
Re: Too simple to be safe ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Cayley-Purser algorithm?
Date: Sat, 16 Jan 1999 03:35:25 GMT
In article <77n0hf$pa5$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Much as I
> respect her modesty, I think we should call it the Flannery
> cryptosystem.
If the doomsayers are proven correct and that there is
a fatal flaw in the algorithm, it will probably become
known as "The Blarney Encryption Method". ;-)
--
Richard M. Hartman
[EMAIL PROTECTED]
"186,000 mi/sec: not just a good idea -- it's the LAW!"
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Metaphysics Of Randomness
Date: 16 Jan 1999 03:59:01 GMT
From a *metaphysics* and *theoretical* point of view, and from
my point of view, randomness doesn't exist. What we usually
call "a random phenomenon" is a phenomenon which obeys
unknown or unpredictable rules.
My opinion is all phenomena obey rules even if the rules
aren't currently known. OK, it is just my opinion and I don't have proofs.
Under this assumption, all the security protocols which require
randomness (e.g. OTP and more generally any key generation) are
not secure. You can just hope that the attacker doesn't know or
can't predict the rules which produce your randomness.
In practice, this kind of hope is not risky, but in theory it is.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: The 'Panama' crypto function
Date: 16 Jan 99 04:06:53 GMT
Dale R Worley ([EMAIL PROTECTED]) wrote:
: But at each iteration, 8*32 bits of the variable are directly output
: as the next increment of the keystream. This seems very insecure,
: since the central function has only moderate diffusion and
: nonlinearity, and we get to peek at a lot of the feedback loop.
A while back, I made a series of posts based on my analysis of Panama from
the article. It turned out that, due to an error in the article, I was
mistaken in concluding that Panama gave away the third word in an
eight-word buffer block - because it wasn't true that the same eight words
were output and XORed into the buffer, nor were they the first eight words
in either case, as the article seemed to imply.
There is a description of Panama on my web site, with diagrams (the
diagram in the article starts with a word in the middle of the 17-word
state, but that's not DDJ's fault; the original paper did this too) and a
suggestion for a way that Panama could be made stronger.
The page in question is directly accessible from a link on
http://members.xoom.com/quadibloc/comp04.htm
John Savard
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Too simple to be safe
Date: 16 Jan 1999 06:14:29 GMT
On Fri, 15 Jan 1999 13:11:47 -0600, almis <[EMAIL PROTECTED]> wrote:
[snip]
>2. Calculate the irrational number n = SQRT(p)
Question from an absolute beginner: is sqrt(p) always irrational if
p is prime?
[snip]
>The concept begs two questions:
>(1) How difficult is it to find the square root of a prime to an arbitrary
>length?
I don't know :) but is it a requirement to use large (>512 bit) numbers?
As you use only the fractional part, the size of the original number
doesn't matter except to avoid a brute force attack trying all primes.
Assuming you have n/log(n) primes below n, and a key space of 2^128
is too large to be vulnerable to a brute force attack, you have n = 2^128
and your prime has roughly log(n*log(n)) = 135 bits.
To my mind the problem is not the size of the original prime but the
bits of precision you want. If you want to encrypt a 2k email, you
will have to compute at least 8192 bits.
>(2) Given a sequence of digits of a known length and starting at a given
>position how difficult would it to be to recover the prime number that
>generated it?
If you encode your message with OTP and never reuse the same portion of
your number, it seems hard to recover the key and even harder to recover
the original prime number.
------------------------------
From: [EMAIL PROTECTED] (ben there)
Subject: crypto machines
Date: Wed, 13 Jan 1999 10:21:00 -0800
I need help to find old crypto machines for sale,
or blueprints so i might try to make them myself.
All help gratefully accepted.
Thank-you
William
*** Posted from RemarQ - http://www.remarq.com - Discussions Start Here (tm) ***
------------------------------
From: Nicol So <[EMAIL PROTECTED]>
Subject: Re: Metaphysics Of Randomness
Date: Sat, 16 Jan 1999 01:57:34 -0500
[EMAIL PROTECTED] wrote:
>
> From a *metaphysics* and *theoretical* point of view, and from
> my point of view, randomness doesn't exist. What we usually
> call "a random phenomenon" is a phenomenon which obeys
> unknown or unpredictable rules.
The question of whether true randomness exists is not new, and has been
discussed in sci.crypt before. You can go to Deja News and dig up the
thread 'Does "real" randomness exist?' from several years ago and see
what people have talked about.
Since you began your message with "From a ... theoretical point of
view", I should point out that whether true randomness theoretically
exists depends on what "theory" you subscribe to. If you accept the
Copenhagen interpretation of quantum mechanics, which in my layman's
understanding is the current popular view among physicists, true
"randomness" does exist in nature. This true randomness is *not* caused
by our ignorance of the states of particles. There is a theorem that
basically says you cannot extend quantum mechanics to give a
deterministic description of the laws of nature. Probabilistic
descriptions are the best you can have because that's the way nature is.
> Under this assumption, all the security protocols which required
> randomness (e.g. OTP and more generally any key generation) are
> not secure.
There is a gap in the reasoning here; you really cannot draw the above
conclusion. All that you can say, at best, is that the security proofs
are irrelevant because the assumptions are not true or realistic for the
systems being modeled. But I would say most security proofs involving
randomness won't be rendered irrelevant even if true randomness doesn't
exist, because of the way randomness is used by proofs.
> You can just hope that the attacker dosent know or
> can't predict the rules which produce your randomness.
Even if true randomness didn't exist in nature, you can still have very
good reasons to believe that your adversary cannot predict your "random"
source. For example, your random source could depend on (and be
extremely sensitive to) an overwhelmingly huge number of parameters that
your adversary cannot sample to any reasonable degree of accuracy. In
that case, your random source is still unpredictable to your adversary
in a very practical sense.
Nicol
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Cayley-Purser algorithm?
Date: Sat, 16 Jan 1999 11:35:32 GMT
On Fri, 15 Jan 1999 16:42:37 GMT, Kent Briggs <[EMAIL PROTECTED]>
wrote:
>[EMAIL PROTECTED] wrote:
>
>> > If all goes well, you can then consider applying for a US patent.
>>
>> Sorry. Once the method has been published, it CAN NOT be patented in
>> the US.
>
>You have up to one year to file after initial publication. There was a big
>stink made about the Diffie-Hellman patent because it was filed over a year
>past initial publication.
US only. You do not have any recourse in other countries.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: SHA-0 attack
Date: Sat, 16 Jan 1999 11:33:16 GMT
On Fri, 15 Jan 1999 19:46:33 +0000, David Crick <[EMAIL PROTECTED]>
wrote:
>From BS's latest CRYPTO-GRAM newsletter:
>
>> In August, two French cryptographers described an attack against
>> SHA-0. For those who don't remember, SHA is a NIST-standard hash
>> function. It was invented by the NSA in 1993, and is largely
>> inspired by MD4. In 1995, the NSA modified the standard (the new
>> version is called SHA-1; the old version is now called SHA-0).
>> The agency claimed that the modification was designed to correct a
>> weakness, although no justification was given. Well, we now
>> understand the attack against SHA-0 and how the modification
>> prevents it.
>
>Does anyone have any further information on this? It's the first I've
>heard about it and I'd like to have more of a look.
"Differential Collisions in SHA-0," F. Chabaud and A. Joux
ADVANCES IN CRYPTOLOGY -- CRYPTO '98 PROCEEDINGS
Springer-Verlag, 1998.
Bruce
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Export laws
Date: Sat, 16 Jan 1999 11:41:18 GMT
On Sat, 16 Jan 1999 00:30:29 GMT, [EMAIL PROTECTED] (Stephen
Darlington) wrote:
>If an encryption program I create (I am in the UK), ends
>up on a US-based web site, which export laws would be in
>force when someone tries to download the file?
You might want to check with your government, but the last I heard the
UK does not subject itself to US laws. If you export something from
the US, you are breaking US export law. If you don't do that, you are
not exporting anything.
If a program you create outside the US ends up on a US website, there
has been no export from the US. There has been import into the US and
export from the UK. You need to ask about UK export laws, and the
owner of the server needs to be concerned about any potential US
import laws.
When someone (presumably outside the US) tries to download the file,
he is not doing anything illegal. (Unless, of course, he lives in a
country that believes US laws apply on non-US soil.) The owner of the
website is exporting the software (we think...this has never been
tested in court. I believe he is not exporting, but that's just me.)
>If someone in the US downloads the file from the US server,
>and sent me some money for it, would I be breaking the law?
Since you live in the UK, you should be concerned about UK law.
(Again, if the UK decides that US law applies on UK soil, this may be
different. But countries are usually pretty particular about making
their own laws.) I don't see any problem with the above, but you
should check with someone who understands UK law better.
Bruce
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Question on current status of some block ciphers in AC2
Date: Sat, 16 Jan 1999 11:43:02 GMT
On Fri, 15 Jan 1999 19:28:32 GMT, [EMAIL PROTECTED] (David
Hamilton) wrote:
>I'm reading Applied Cryptography 2nd edition by Bruce Schneier. In chapters
>13 and 14 he gives views on a number of block ciphers. I'm wondering if
>anything 'ever became' of the following half a dozen:-
>Madryga;
Ick. I didn't like it in the book.
>Redoc II;
Broken. And ick, besides.
>Loki191 (LOKI-97 is an AES candidate now though);
Double ick. Didn't I talk about the LOKI-91 break in the book?
>Khufu;
There have been steady attacks against this, but the version with
key-dependent S-boxes is still secure for large numbers of rounds.
>CA-1.1;
This was never good, even in the book.
>Gost.
Still kicking, and in use in Russia.
>There is nothing specific behind my question, it's just general interest.
>I've checked my usual first ports of call (Bruce Schneier/Counterpane site,
>Terry Ritter's site, RSA FAQ, Bill Unruh's site, John Savard's site, Peter
>Gutmann's site, and now Sam Simpson's FAQ) but all I can see is Peter Gutmann
>saying that Gost is incompletely specified and Sam referring to Gost in a
>non-internet reference.
>
>Presumably interest has dwindled in non-AES ciphers?
>
>Any current opinions or up to date internet references welcome. Thanks.
>
>
>David Hamilton. Only I give the right to read what I write and PGP allows me
> to make that choice. Use PGP now.
------------------------------
From: [EMAIL PROTECTED] (Lincoln Yeoh)
Crossposted-To: talk.politics.crypto
Subject: Re: sci.crypt intelligence test.
Date: Sat, 16 Jan 1999 11:45:11 GMT
Reply-To: [EMAIL PROTECTED]
Sounds reasonable.
But they could still try to get you.
It's like the export of huge metal pipes to Iraq, which could be used to
make long range guns/cannons.
I heard also that there was something about restricting "programs with a
hole for crypto". e.g. programs without crypto but which allow strong
crypto to be added easily.
It's all about power: restriction of information.
Cheerio,
Link.
On Thu, 14 Jan 1999 15:48:20 -0800, Anthony Stephen Szopa
<[EMAIL PROTECTED]> wrote:
****************************
Reply to: @Spam to
lyeoh at @[EMAIL PROTECTED]
pop.jaring.my @
*******************************
------------------------------
From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: Export laws
Date: Sat, 16 Jan 1999 11:50:39 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 16 Jan 1999 00:30:29 GMT, [EMAIL PROTECTED] (Stephen
Darlington) wrote:
>If an encryption program I create (I am in the UK), ends
>up on a US-based web site, which export laws would be in
>force when someone tries to download the file?
US export laws apply to people in the US exporting stuff out of the US.
That someone is importing the stuff from the US. So does that mean only the
destination country's import laws count?
However, the US Authorities could get upset with you, and the next time you
try to enter the US you might have some problems...
>If someone in the US downloads the file from the US server,
>and sent me some money for it, would I be breaking the law?
Nope.
But the UK just signed the Wassenaar agreement, so I don't know what new
laws you will be having soon. I think you should check that out.
Link.
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Cayley-Purser algorithm?
Date: Sat, 16 Jan 1999 11:35:01 GMT
On Fri, 15 Jan 1999 17:09:34 GMT, [EMAIL PROTECTED]
(John Savard) wrote:
>[EMAIL PROTECTED] (Bruce Schneier) wrote, in part:
>
>>This sounds like it will be broken a few days after the details become
>>public, assuming some of the mathematicians working in this area are
>>not otherwise busy at the time. (Sorry for the skepticism, but others
>>have worked in this area as well.)
>
>That was my original reaction: but after referring to your book, it
>seems that public key schemes that don't require exponentiation to the
>extent of RSA are possible, as some already exist - that of Rabin, the
>improvement of Williams, and the two-dimensional version of Koyama.
Yes, and GQ (also from my book) is much faster than RSA with
longer ciphertext. Even if this was secure, it would not be earth
shattering.
Bruce
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Too simple to be safe
Date: Sat, 16 Jan 1999 13:43:52 GMT
In article <77pao5$kn7$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] () wrote:
>
> On Fri, 15 Jan 1999 13:11:47 -0600, almis <[EMAIL PROTECTED]> wrote:
> [snip]
> >2. Calculate the irrational number n = SQRT(p)
>
> Question from an absolute beginner: is sqrt(p) always irrational if
> p is prime?
The idea by Mr. Almis appears to have some value. It also must be compared
with other methods. The best part of the Almis Cipher is that it can be
performed by many college graduates and some high school math experts. There
are methods for calculating sqrt to any precision. Since prime numbers are
not the square of any two integers, the square root of a prime is certainly
irrational.
Now the bad part. It is slow. Consider a smart card using RSA with 512 bit
modulus. The primes are about 256 bits. (The Almis Cipher might use 135 bit
primes). It can calculate a signature in less than .5 seconds, but it
generates keys in 60 seconds, roughly. It takes a long time to generate
probable primes. And calculating thousands of bits of sqrt precision could
take a long time also. But the method has value even if it is slow. It is
easy to teach to laymen, and easy to program from basic principles.
Congratulations.
>
> [snip]
> >The concept begs two questions:
> >(1) How difficult is it to find the square root of a prime to an arbitrary
> >length?
>
> I don't know :) but is it a requirement to use large (>512 bit) numbers?
> As you use only the fractional part, the size of the original number
> doesn't matter except to avoid a brute force attack trying all primes.
> Assuming you have n/log(n) primes below n, and a key space of 2^128
> is too large to be vulnerable to a brute force attack, you have n = 2^128
> and your prime has roughly log(n*log(n)) = 135 bits.
>
> To my mind the problem is not the size of the original prime but the
> bits of precision you want. If you want to encrypt a 2k email, you
> will have to compute at least 8192 bits.
>
> >(2) Given a sequence of digits of a known length and starting at a given
> >position how difficult would it to be to recover the prime number that
> >generated it?
>
> If you encode your message with OTP and never reuse the same portion of
> your number, it seems hard to recover the key and even harder to recover
> the original prime number.
>
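The sqrt(p) keystream discussed in the two "Too simple to be safe" posts above, as an added Python example that is not code from either poster: exact fractional bits of sqrt(p) via an integer square root (no floating point, so thousands of bits are available), the n/log(n) prime-count estimate that gives 135 bits for a 2^128 key space, and why reusing a portion of the expansion leaks, as the first post warns. The function names, the sample prime 1000003 and the sample messages are constructed for this example.

```python
from math import isqrt, log

def sqrt_fraction_bits(p: int, nbits: int) -> int:
    """First nbits bits after the binary point of sqrt(p), computed exactly.

    isqrt(p << 2*nbits) == floor(sqrt(p) * 2**nbits); masking off the integer
    part leaves the fractional bits.  A double holds only ~53 significant
    bits, while the thread needs thousands (8192 for a 2k message).
    """
    scaled = isqrt(p << (2 * nbits))
    return scaled & ((1 << nbits) - 1)

def keystream(p: int, offset_bits: int, nbytes: int) -> bytes:
    """nbytes of keystream from the expansion of sqrt(p), starting offset_bits
    after the binary point (the 'given position' of question 2)."""
    total = offset_bits + 8 * nbytes
    frac = sqrt_fraction_bits(p, total)
    return (frac & ((1 << (8 * nbytes)) - 1)).to_bytes(nbytes, "big")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def almis_encrypt(p: int, offset_bits: int, data: bytes) -> bytes:
    """OTP-style XOR with the sqrt(p) keystream; decrypting is the same call.
    (p, offset_bits) is the entire key material, so p is what an attacker
    would have to guess."""
    return xor_bytes(data, keystream(p, offset_bits, len(data)))

def prime_bits_for_keyspace(keyspace_bits: int) -> int:
    """Smallest k with pi(2**k) ~ 2**k / ln(2**k) >= 2**keyspace_bits: how big
    the prime must be before trying every prime costs 2**keyspace_bits
    trials (the post's n/log(n) estimate; 128 -> 135)."""
    k = keyspace_bits
    while (2.0 ** k) / (k * log(2)) < 2.0 ** keyspace_bits:
        k += 1
    return k

def reuse_leak(p: int, offset_bits: int, m1: bytes, m2: bytes) -> bytes:
    """Why the thread insists on never reusing a portion of the expansion:
    XORing two ciphertexts made with the same segment cancels the keystream
    and leaves m1 XOR m2, as with any reused pad."""
    return xor_bytes(almis_encrypt(p, offset_bits, m1),
                     almis_encrypt(p, offset_bits, m2))

if __name__ == "__main__":
    # The first 64 fractional bits of sqrt(2) are the SHA-512 initial value
    # 6a09e667f3bcc908, which FIPS 180-4 derives exactly this way.
    print(keystream(2, 0, 8).hex())
    p = 1000003  # constructed sample prime, far too small for real use
    msg = b"hello, sci.crypt"  # constructed sample message
    assert almis_encrypt(p, 0, almis_encrypt(p, 0, msg)) == msg
    print(prime_bits_for_keyspace(128))  # 135, matching the post
```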
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************