Cryptography-Digest Digest #530, Volume #9       Tue, 11 May 99 19:13:04 EDT

Contents:
  A simple challenge for Tomstdenis ([EMAIL PROTECTED])
  Re: A simple challenge for Tomstdenis ([EMAIL PROTECTED])
  Re: Let me prove my claim. (Paul Koning)
  TwoDeck (some help please) ([EMAIL PROTECTED])
  Re: TwoDeck solution (but it ain't pretty) (Jim Felling)
  Re: The simplest to understand and as secure as it gets. (Paul Koning)
  Re: public/private key authentication? (Dylan Thurston)
  Re: Crypto export limits ruled unconstitutional (Mok-Kong Shen)
  Re: Pentium3 serial number is based on who you [server/exterior] claimed to be (Roger Carbol)
  Re: How was this key constructed? (Jim Gillogly)
  Snuffle (John Kasdan)
  Re: A simple challenge for Tomstdenis (Jim Felling)
  Re: AES (John Savard)
  Re: Pentium3 serial number is based on who you [server/exterior] claimed (Paul Koning)
  Re: Thought question: why do public ciphers use only simple ops like    (Bryan Olson)
  Re: The simplest to understand and as secure as it gets. (David Hamilton)
  Re: Time stamping (complete) (David A Molnar)
  Re: Crypto export limits ruled unconstitutional (wtshaw)
  Re: How was this key constructed? (Paul Koning)
  Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO ([EMAIL PROTECTED])
  Re: Bricklaying DES (David Wagner)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: A simple challenge for Tomstdenis
Date: Tue, 11 May 1999 20:32:33 GMT

Apply either linear or differential cryptanalysis to this algorithm, oh
person who uses these terms so frequently to other people:
All quantities are 32-bit, unsigned. + is addition mod 2^32, ^ is XOR

It's an 8-round Feistel network where f(a,b) is
(a+b)^(a*b)

The round key for round "i" is:
RK_i = (K[0] + i*0x12345678) + (K[1] + i*0x87654321)



--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: A simple challenge for Tomstdenis
Date: Tue, 11 May 1999 20:47:53 GMT


> person who uses these terms so frequently to other people:
> All quantities are 32-bit, unsigned. + is addition mod 2^32, ^ is XOR
>
> It's an 8-round Feistel network where f(a,b) is
> (a+b)^(a*b)
>
> The round key for round "i" is:
> RK_i = (K[0] + i*0x12345678) + (K[1] + i*0x87654321)

Well, first, that is not a Feistel cipher.  Second, you can completely
remove the constant i and its multiplier.  This leaves K[0] + K[1],
which you can poke and prod at.  I have never actually done the
analysis, but with a chosen plaintext attack you can most likely find
the key.  The differential attack would be finding the differences
from 'k[0] + k[1]' and the plaintext.

So the cipher is

for r = 1 to rounds
   a = (a + b) ^ (a * b)
   (a,b) = (b,a)

But that's not possible!!!  That's not a cipher!!!

Is that enough for five minutes?

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


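Added example (my code, not from either poster): one reading of the challenge cipher in Python, with the Feistel wiring assumed as L' = R, R' = L ^ f(R, RK_i), since the challenge does not say how f and RK_i are wired in. It checks the round-key observation above: because RK_i = (K[0] + K[1]) + i*(0x12345678 + 0x87654321) mod 2^32, and 0x12345678 + 0x87654321 = 0x99999999, any two keys with the same sum K[0] + K[1] produce identical round keys and so encrypt identically. The 64 supplied key bits collapse to a 32-bit effective key, so an attacker with one known plaintext/ciphertext pair needs at most 2^32 trial encryptions, whichever way the rounds are wired. The key and plaintext values are constructed for the demo.

```python
MASK = 0xFFFFFFFF          # all quantities are 32-bit unsigned
ROUNDS = 8
C0, C1 = 0x12345678, 0x87654321
CSUM = (C0 + C1) & MASK    # 0x99999999: the only per-round constant that survives


def f(a, b):
    """Round function from the challenge: (a+b) ^ (a*b), both mod 2^32."""
    return ((a + b) & MASK) ^ ((a * b) & MASK)


def round_keys(k0, k1):
    """RK_i = (K[0] + i*0x12345678) + (K[1] + i*0x87654321), i = 1..8."""
    return [((k0 + i * C0) + (k1 + i * C1)) & MASK for i in range(1, ROUNDS + 1)]


def effective_key(k0, k1):
    """The only key material the round keys depend on: K[0] + K[1] mod 2^32."""
    return (k0 + k1) & MASK


def encrypt_block(left, right, k0, k1):
    """Assumed Feistel wiring: (L, R) -> (R, L ^ f(R, RK_i)) each round."""
    for rk in round_keys(k0, k1):
        left, right = right, left ^ f(right, rk)
    return left, right


def decrypt_block(left, right, k0, k1):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    for rk in reversed(round_keys(k0, k1)):
        left, right = right ^ f(left, rk), left
    return left, right


def equivalent_key(k0, k1, delta):
    """Move delta from K[0] into K[1]; the sum, and hence every RK_i, is unchanged."""
    return (k0 + delta) & MASK, (k1 - delta) & MASK


def recover_effective_key(plain, cipher, candidates):
    """Known-plaintext search over candidate values of K[0]+K[1].

    Trying the pair (s, 0) covers every key pair whose sum is s, so the
    whole search space is 2^32 sums, not 2^64 key pairs.  Returns the
    first candidate sum that reproduces the ciphertext, or None.
    """
    for s in candidates:
        if encrypt_block(*plain, s, 0) == cipher:
            return s
    return None


if __name__ == "__main__":
    k0, k1 = 0xDEADBEEF, 0x01234567          # constructed key
    pt = (0x11111111, 0x22222222)            # constructed plaintext block
    ct = encrypt_block(*pt, k0, k1)
    assert decrypt_block(*ct, k0, k1) == pt
    # A different 64-bit key with the same 32-bit sum encrypts identically.
    assert encrypt_block(*pt, *equivalent_key(k0, k1, 0x5555)) == ct
    s = effective_key(k0, k1)
    # A real search would walk all 2^32 sums; here we only scan a window around s.
    assert recover_effective_key(pt, ct, range(s - 100, s + 100)) == s
    print("effective key 0x%08x; 2^32 equivalent (K[0],K[1]) pairs" % s)
```

The search window in the demo is a shortcut so the script finishes instantly; the point is that the full search is 2^32 encryptions of one block, which is well within reach, and that none of the round constants change that because they cancel into a single known term per round.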

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy
Subject: Re: Let me prove my claim.
Date: Tue, 11 May 1999 12:24:29 -0400

Anthony Stephen Szopa wrote:
> 
> Let me prove my claim.
> 
> At http://www.ciphile.com you can download the entire Help Files from
> the Original Absolute Privacy - Level3 Version 4.0 encryption software
> package.  Reading Help Files # 1 - Theory, #2 - Processes 1, & #3 -
> Processes 2 should be enough to convince anyone that this encryption
> software is the simplest, the easiest to understand,  and as good as it
> gets.  Thank you.

Ok, I looked.  I also read the Snake Oil FAQ.  So exactly why are you
claiming it doesn't apply to what you created?

        paul

------------------------------

From: [EMAIL PROTECTED]
Subject: TwoDeck (some help please)
Date: Tue, 11 May 1999 21:00:01 GMT

I have analyzed the algorithm a bit (sieving modes), and I think they
can be extended a bit.  Maybe even faster than a brute force search.  I
would like help cleaning up the paper and the attacks.  I am updating
the paper at school tomorrow to include what I have done so far.

If anyone has a little time to spare, maybe even just to correct grammar,
I would appreciate the help!!!

I want to clean it up and make it more visually pleasing, as well as
add more actual facts and proofs.

Thanks for your time,
Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!



------------------------------

From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: TwoDeck solution (but it ain't pretty)
Date: Tue, 11 May 1999 17:33:02 -0500



[EMAIL PROTECTED] wrote:

> Nobody wants a look at your pathetic "TwoDeck" piece of crap because
> despite your ability to use html->ps/pdf converters, what you say is
> still shit.

My god, man -- what did he do, kill your dog or something?  Yes, he does
post some fairly basic stuff, but he is learning and improving.  Calm
down, and if his posts bother you, killfile him.  Such personal vitriol
is not merely pointless but frankly counterproductive.  (We did not all
start out as crypto geniuses.)

>
>
> In article <7h9beb$2d$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
> > I have found a (one of possibly many) solutions for TwoDeck.  The
> > required effort can be found on
> >
> > http://members.tripod.com/~tomstdenis/solution.ps
> >
> > I will write a brief paper on how to actually perform it later
> tonight.
> > The required effort to find S many solutions is on the page (it's a
> > single page document).
> >
> > Please have a look.
> >
> > Tom
> > --
> > PGP public keys.  SPARE key is for daily work, WORK key is for
> > published work.  The spare is at
> > 'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
> > 'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!
> >


------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The simplest to understand and as secure as it gets.
Date: Fri, 07 May 1999 13:16:42 -0400

Anthony Stephen Szopa wrote:
> 
> The simplest encryption software, the easiest to understand, and as
> secure as it gets.
> 
> Original Absolute Privacy - Level3 Version 4.0 Windows GUI - SHAREWARE
> 
> http://www.ciphile.com

I think it was mentioned in Bruce's snake oil survey.  It certainly
has many of the attributes of snake oil.  "Pseudo one time pad" for
example.  See
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html .

If you want real crypto, get a real program.  PGP for example.

        paul

------------------------------

Subject: Re: public/private key authentication?
From: Dylan Thurston <[EMAIL PROTECTED]>
Date: 12 May 1999 00:34:18 +0200

Medical Electronics Lab <[EMAIL PROTECTED]> writes:

> Dylan Thurston wrote:
> > be extraordinarily careful with the protocols.  For instance, a common
> > security measure is to prepend a random number to every message before
> > signing it.  This would not be allowed: what if the random number is
> > not random?  I suppose a trapdoor function might work here
> > 
> > Is this in fact the problem?
> 
> Shouldn't be.  The random number isn't revealed unless you possess
> the private key, and both sides don't have the same private key (in
> principle).

I think we must be talking about different things here.  I'm talking
about the practice of prepending a random number to the message before 
hashing; this random number is transmitted in the clear as well, so
the other side can use it to verify the hash.  This is analogous to
the 'salts' used in /etc/passwd.  I forget exactly why it's done,
though.  To prevent replay attacks, maybe?

Also, I was interpreting the question from the point of view of a
paranoid government: the users have to prove they're not transmitting
hidden information.  From this point of view, there's no reason to
assume the users haven't shared their private keys; of course, this
breaks the authentication, but might allow cryptographic
communication.

Did you have some other interpretation?

(Incidentally, you may want to check your user name, Mr. Medical Lab.)

Best,
        Dylan Thurston

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto export limits ruled unconstitutional
Date: Mon, 10 May 1999 19:18:40 +0200

Mike McCarty wrote:
> 
> Now, in a sense the regs were overturned, because they were all mixed up
> and didn't attempt to distinguish "speech" from "computer programs". So
> the regs AS WRITTEN were overturned. But if they go back and re-write
> them carefully, then they CAN apply them. Just not to speech which
> happens to be embodied in a computer language. But if I understand
> correctly, PROGRAMS are not speech. Just that this particular case was
> one where a guy was disseminating his ideas in the form of a program,
> but was not actually writing a program to be run on a computer. Any
> program written actually to be run, I believe, is still subject (when
> the regs are rewritten).

A programming language may be rather close (dependent, of course,
on one's opinion) to natural language, e.g. COBOL. On the other
hand, whether a piece of text is 'runnable' on a computer may be quite
difficult to decide. I mean: If one changes a valid program in certain
places in apparent and trivial ways so that it is syntactically 
incorrect and can't be compiled (but can be restored to the correct
version by anyone with programming experience) is that piece of text 
'runnable' on a computer or not?

M. K. Shen
http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)

------------------------------

Subject: Re: Pentium3 serial number is based on who you [server/exterior] claimed to be
From: Roger Carbol <[EMAIL PROTECTED]>
Date: Mon, 10 May 1999 17:09:40 GMT

Vernon Schryver <[EMAIL PROTECTED]> wrote:

>>My understanding of the specification is that there is no claim
>>that the P3 "serial" numbers will be unique.

>I hope you are wrong.


Referring to AP-485 Intel Processor Identification and the
CPUID Instruction, available at
<http://developer.intel.com/design/pentiumii/applnots/241618.htm>

Section 4, Processor Serial Number:
"Processor serial number provides an identifier for the processor, 
but should not be assumed to be unique in itself."

Section 5, Usage Guidelines:
"Do not assume processor serial number is a unique number without
further qualifiers."



.. Roger Carbol .. [EMAIL PROTECTED]

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: How was this key constructed?
Date: Mon, 10 May 1999 11:15:56 -0700

Alex wrote:
> Does there have to be a pattern anyway? Couldn't have random values been
> assigned to the letters?

Could have been, as long as it was then made into a reciprocal system,
e.g. by sliding at an offset of 13, as I suggested in my earlier note.
All depends on the provenance of the cipher.

> P.S. How can I overcome the little problem of having to write more than I want
> to in replies because there is a message that states that the reply cannot be
> sent because there is "more included text than new text" or something to that
> effect?

The "rule" was made to dissuade people from copying inappropriately large
amounts of texts to add their "me too" at the end.  There are lots of ways
around it.  The preferred way is to cut judiciously (but fairly, if the
topic is controversial) so that you're adding more content than you repeat.
On this thread I transposed the original alphabets so they appeared on two
lines rather than 26, which retains the content without sacrificing real
estate.  If you <must> include more text than you add, you can simply change
the "quoting" character to something your posting software doesn't recognize;
e.g. from '>' to '='.

-- 
        Jim Gillogly
        Highday, 19 Thrimidge S.R. 1999, 18:11
        12.19.6.3.4, 7 Kan 12 Uo, First Lord of Night
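Added example (my code, not Jim's): the "sliding at an offset of 13" construction as I read it, in Python. Write a mixed alphabet on two rows of 13 and let each letter in the top row stand for the letter below it and vice versa. The resulting substitution is reciprocal, so the same table both enciphers and deciphers, whereas a random assignment of letters normally is not; the identity alphabet slid by 13 gives ROT13, the familiar special case. The keyword alphabet and the plaintext are constructed for the demo.

```python
import string

ALPHABET = string.ascii_uppercase


def reciprocal_from_slide(mixed):
    """Pair each letter of a 26-letter mixed alphabet with the one 13 places
    further on (the two-row, offset-13 construction).  The returned table is
    its own inverse."""
    if sorted(mixed) != list(ALPHABET):
        raise ValueError("need a permutation of A-Z")
    table = {}
    for i in range(13):
        top, bottom = mixed[i], mixed[i + 13]
        table[top] = bottom
        table[bottom] = top
    return table


def is_reciprocal(table):
    """True if applying the table twice is the identity on every letter."""
    return all(table.get(table[c]) == c for c in table)


def substitute(text, table):
    """Apply a monoalphabetic substitution; characters not in the table pass through."""
    return "".join(table.get(c, c) for c in text.upper())


def shift_key(offset):
    """Ordinary Caesar-shift table; reciprocal only when offset == 13 (ROT13)."""
    return {c: ALPHABET[(i + offset) % 26] for i, c in enumerate(ALPHABET)}


# Constructed keyword-mixed alphabet: "KEYWORD" followed by the unused letters in order.
MIXED = "KEYWORDABCFGHIJLMNPQSTUVXZ"

if __name__ == "__main__":
    key = reciprocal_from_slide(MIXED)
    ct = substitute("ATTACK AT DAWN", key)
    print(ct, "->", substitute(ct, key))          # same table decrypts
    print("slide-13 table reciprocal:", is_reciprocal(key))
    print("ROT3 reciprocal:", is_reciprocal(shift_key(3)),
          "ROT13 reciprocal:", is_reciprocal(shift_key(13)))
```

If you are trying to decide how a recovered key was built, `is_reciprocal` on the recovered table is the first check: a reciprocal table strongly suggests a paired construction like this one rather than 26 independent random choices, which is the point Jim makes about provenance.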

------------------------------

From: [EMAIL PROTECTED] (John Kasdan)
Subject: Snuffle
Date: 10 May 1999 15:52:53 -0400

Now that the Ninth Circuit has upheld the District Court decision in
the Bernstein case, is it possible to find a description of the
snuffle algorithm anywhere on the web?  (In fact I would have assumed
that a discussion of the algorithm, WITHOUT source code, could have
been posted at any time, but I suppose that is a matter for another
group.) 





------------------------------

From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: A simple challenge for Tomstdenis
Date: Tue, 11 May 1999 17:50:40 -0500

I am not certain from what you said that this is correct, but I presume you
mean a round in this construct is given A, B and i: B' = A XOR RK_i and
A' = f(A,B)?  Or is it something else?  Please provide more information.


[EMAIL PROTECTED] wrote:

> Apply either linear or differential cryptanalysis to this algorithm, oh
> person who uses these terms so frequently to other people:
> All quantities are 32-bit, unsigned. + is addition mod 2^32, ^ is XOR
>
> It's an 8-round Feistel network where f(a,b) is
> (a+b)^(a*b)
>
> The round key for round "i" is:
> RK_i = (K[0] + i*0x12345678) + (K[1] + i*0x87654321)
>


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: AES
Date: Tue, 11 May 1999 22:28:17 GMT

[EMAIL PROTECTED] (Terry Ritter) wrote, in part:

>In practice our ciphers confront opponents whose knowledge and
>capabilities exceed the academic literature.  Just because academics
>cannot find a break does not mean the opponents cannot.

This is a true statement, although some people will express doubts
about it.

Doubt #1: The open atmosphere of free inquiry lets science progress
best, so even the NSA isn't *far* ahead of the academic community,

Doubt #2: What are you, some kind of spy or crook, that you don't want
the U.S. Government to read your mail?

There are arguments against these doubts; I won't dwell on them,
except to note that cryptanalysis is specialized and esoteric, and it
is a _marginal_ subject in academia; only a very few lucky professors
are allowed to get away with doing a major amount of their research in
this subject. The closed confines of the NSA represent a bigger
academic community for this subject than the open academic community -
probably several times over.

Opponents stronger than the academics *do* still exist, and these
doubts, which basically are based on the premise that the NSA is the
only such opponent, don't banish them all. I will now proceed to name
some of them:

- The intelligence agencies of China, France, Russia, and other
countries that may wish to spy even on legitimate businesses;

- Hackers seeking to read your messages 20 years from now, who will
have the benefit of what academics *will* know in 20 years.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/index.html

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: alt.security
Subject: Re: Pentium3 serial number is based on who you [server/exterior] claimed 
Date: Fri, 07 May 1999 13:10:57 -0400

Vernon Schryver wrote:
> ...  You must
> wonder whether the EFF and the other dishonest politicians were crying
> wolf to desensitize people to legitimate privacy worries.

Huh?  It sounds like you have no idea who or what the EFF is, judging
by the phrase "EFF and other dishonest politicians".  It may be fair to
accuse them of overreacting or misjudgement of the issues, but to call
them dishonest politicians is completely out of line.

        paul

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Thought question: why do public ciphers use only simple ops like   
Date: Tue, 11 May 1999 15:45:55 -0700


Terry Ritter wrote:
> Bryan Olson
> >Terry Ritter wrote:
> >> If a cipher selection must be agreed to, what does it matter which
> >> party proposes the random choice?  One party proposes, the other
> >> agrees, then we change.
> >
> >It matters because the adversary isn't going to make a random
> >choice, of course.  He'll choose the one he can most easily
> >break from the pool that you'll agree to use.
> 
> If the adversaries wish to attack an "easy" cipher, they need some
> expectation that the easy cipher will occur reasonably often.  But
> "the cipher" is really three levels of different randomly-selected
> ciphers.

Try to follow what people are saying.  Without authentication, an
adversary can influence the choice and _make_ the easiest
ciphers appear reasonably often.

--Bryan

------------------------------

From: [EMAIL PROTECTED] (David Hamilton)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The simplest to understand and as secure as it gets.
Date: Tue, 11 May 1999 22:47:22 GMT

=====BEGIN PGP SIGNED MESSAGE=====

Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:

(snip)

>Reading Help Files # 1 - Theory, #2 - Processes 1, & #3 -
>Processes 2 should be enough to convince anyone that this encryption
>software is the simplest, the easiest to understand,  and as good as it
>gets.  Thank you.

Can you provide documentary evidence of any eminent cryptographers who
believe the above?
  

David Hamilton.  Only I give the right to read what I write and PGP allows me
                           to make that choice. Use PGP now.
I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use. Do use:-
2048bit rsa ID=0xFA412179  Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<[EMAIL PROTECTED]>
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
Comment: Signed with 2048 bit RSA key

iQEVAwUBNziy08o1RmX6QSF5AQG4Awf+ITrjkqR32R2wuTk5HrTwqfxmsn1aSpLP
t41ef1InpBF7HO4pTEPXfz00ekCsk4uOfdJbMl6XIM3+8z/9nd38Ypq9zacgYsnD
u67HLfLoY0zweadkIjVdiuSEevn4NEYhsoMrTNGZPEEDsV0UCf4UV/QN3oQazQ82
liHHcQ4wejwhcFD2Q2jXqK2d2HZow3HcXwNeTbIIMEDK4VVVFkamPd9FnkoWlJJa
Qx4uB/5PxUfmTIjpAx9GtJ1MPJZJ1l/ouEyDcpBmzC0S9MqsE+8sfOio7fMmpAo1
XMz4hDDbhUNCqjb7nglI7BsduQC9baBLyrv/YwnP6Ru8p0zpOFdlYg==
=2f7F
=====END PGP SIGNATURE=====

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Time stamping (complete)
Date: 11 May 1999 22:49:22 GMT

Jean Marc Dieu <[EMAIL PROTECTED]> wrote:
> Of course you need a trusted third party, whose clock is the one that will
> time stamp your document. My question in fact was: can you simultaneously
> time-stamp AND sign a document through a one-way hash function, using a TTP?

> Have a look at http://www.surety.com

Why wouldn't the TTP just append a cert saying "I certify this message
was received at 6:15 pm EST on 4/11/99" to the message and then sign
the whole thing? 

If you mean "how can I put my signature on a time-stamp and also time
stamp it with a TTP", why not hash the document, sign the hash, then
have the TTP append a timestamp and sign the signed hash?  Assuming
that nothing horrible happens in the signing (maybe not a good
assumption?), you now have a hash of the document signed by you + a
timestamp signed by the TTP.

That seems like it would work, with the major caveat being that an 
adversary could easily get lots of related messages by sending lots
of timestamp requests close to each other. You can probably engineer
the system to avoid such attacks, for instance by using a signature
scheme proven against adaptive chosen-message attack. 

-David

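Added example (my code, not Surety's scheme and not anything from the post): the layering just described, in Python. The user hashes the document and signs the hash; the TTP appends a timestamp to the user's (hash, signature) record and signs the whole record; a verifier then checks the TTP's signature over the record, that the record's hash matches the document, and the user's signature over that hash. Signatures are textbook RSA over SHA-256 with no padding, a toy used only because the standard library has no signature primitive; textbook RSA is exactly the kind of scheme with no proof against adaptive chosen-message attack, so a deployed version would use a padded scheme such as RSA-PSS. The key size, the fixed random seed, the document and the timestamp string are assumptions for a reproducible run.

```python
import hashlib
import math
import random


def _probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits, rng):
    """Textbook RSA key pair: returns ((n, e), (n, d))."""
    e = 65537
    primes = []
    while len(primes) < 2:
        cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _probable_prime(cand, rng) and math.gcd(cand - 1, e) == 1 and cand not in primes:
            primes.append(cand)
    p, q = primes
    d = pow(e, -1, (p - 1) * (q - 1))
    return (p * q, e), (p * q, d)


def sha256(data):
    return hashlib.sha256(data).digest()


def rsa_sign_digest(priv, digest):
    """Toy signature: RSA applied directly to the 32-byte digest (no padding)."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify_digest(pub, digest, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def user_sign_document(user_priv, document):
    """Step 1 (user): hash the document and sign the hash; the document itself
    never has to leave the user."""
    digest = sha256(document)
    return digest, rsa_sign_digest(user_priv, digest)


def ttp_timestamp(ttp_priv, digest, user_sig, when):
    """Step 2 (TTP): bind a timestamp to (hash, user signature) and sign the record."""
    record = b"|".join([digest.hex().encode(), hex(user_sig).encode(), when.encode()])
    return record, rsa_sign_digest(ttp_priv, sha256(record))


def verify_token(user_pub, ttp_pub, document, record, ttp_sig):
    """Step 3 (anyone): TTP signature over the record, record hash == document hash,
    user signature over that hash.  Any tampering with document, time or
    signatures makes one of the three checks fail."""
    if not rsa_verify_digest(ttp_pub, sha256(record), ttp_sig):
        return False
    digest_hex, sig_hex, _when = record.split(b"|", 2)
    digest = bytes.fromhex(digest_hex.decode())
    if digest != sha256(document):
        return False
    return rsa_verify_digest(user_pub, digest, int(sig_hex, 16))


if __name__ == "__main__":
    rng = random.Random(2024)                       # fixed seed: demo only
    user_pub, user_priv = rsa_keygen(512, rng)      # 512-bit toy keys
    ttp_pub, ttp_priv = rsa_keygen(512, rng)
    doc = b"constructed document text"
    digest, usig = user_sign_document(user_priv, doc)
    record, tsig = ttp_timestamp(ttp_priv, digest, usig, "1999-05-11T18:15:00-04:00")
    print("valid:", verify_token(user_pub, ttp_pub, doc, record, tsig))
    print("tampered doc:", verify_token(user_pub, ttp_pub, doc + b"x", record, tsig))
```

Note what the TTP does and does not attest: it vouches that it saw this (hash, signature) pair at the stated time, not that the user's signature is valid or that the document existed in any other form, which is why the verifier checks the user's signature separately. Because the TTP signs whatever hash it is handed, an attacker can collect as many TTP signatures on related records as they like, which is the caveat in the post and the reason a real deployment wants a signature scheme with a chosen-message security proof rather than this toy.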

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: talk.politics.crypto
Subject: Re: Crypto export limits ruled unconstitutional
Date: Tue, 11 May 1999 13:14:49 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> If publication 
> in source code (valid program) is not allowed, then one can use
> (almost) plain English to express the stuff (though maybe sometimes
> in uneconomical ways) in such a form that a knowledgeable reader 
> can readily transform it into a program.

Bear in mind that much source code is common between encryption and
non-encryption software.  With some simple instructions various lines of
code might be rearranged, slightly modified, and/or copied to make
something cryptographic or not.  The instructions to make the changes from
noncrypto to crypto would definitely not be to a computer but to a human
who would have to act on them.  It would make no sense to forbid the export
of programs that could be made into crypto because any program could be so
altered, albeit laboriously in most cases.
-- 
What's HOT: Honesty, Openness, Truth
What's Not: FUD--fear, uncertainty, doubt  

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: How was this key constructed?
Date: Mon, 10 May 1999 10:14:16 -0400

Alex wrote:
> ... 
> P.S. How can I overcome the little problem of having to write more than I want
> to in replies because there is a message that states that the reply cannot be
> sent because there is "more included text than new text" or something to that
> effect?

Use a better browser. :-)

        paul

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Tue, 11 May 1999 22:46:43 GMT

I have been following this thread for quite some time, and David, I
must say that I have tested your compression.  It seems to be
everything you have indicated, and that is a surprise.
I also have been trying to solve your last contest.  It is extremely
hard to do.  I tried a similar thing with DES; no problem.  I wonder
how many others can look past your poor taste to see the few golden
nuggets you have contributed to the arts of encryption and compression.

GOOD LUCK!!



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Bricklaying DES
Date: 11 May 1999 16:02:04 -0700

In article <[EMAIL PROTECTED]>,
Doug Stell <[EMAIL PROTECTED]> wrote:
> Years ago, there was a 3DES proposal that did something like this.
> However, it didn't move a 1/2-block to the end, but added a 1/2-block
> of randomness to the front end. It shifted right, instead of left. The
> cipher was one block longer when  you were done. It went something
> like this:
> 
> Left1a Right1a Left2a Right2a Left3a Right3a  first round
> Rand1 Left1b Right1b Left2b Right2b Left3b Right3b  second round
> Rand2 Rand1 Left1c Right1c Left2c Right2c Left3c Right3c  third round

Maybe I'm missing something, but this doesn't look like much of
an improvement to me.  It looks like there's a 2^56 attack.

Consider a chosen-ciphertext attack where you twiddle just the first
block of ciphertext somehow, decrypt both ciphertexts, and look at the
first block P,P' of the resulting two plaintexts.  They will satisfy
   DES(k1,P) xor DES(k1,P') = (?,0).
In other words, the right half of the xor is zero.  Here k1 is the
56-bit DES key used in the first round.  This provides a way to do a
divide-and-conquer attack that isolates the first DES key: you can do
a keysearch, test the above relation, and with two such queries you
can uniquely identify k1.  Now peel off the first round and repeat.

These chosen-ciphertext queries can often be implemented under the
known-plaintext attack model, if you modify the first block while it
is in transmission, and then get the plaintext the sender sent as well
as the modified plaintext the receiver decrypts.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
