Cryptography-Digest Digest #591, Volume #9       Tue, 25 May 99 11:13:02 EDT

Contents:
  Re: Why would a hacker reveal that he has broken a code? (TTK Ciar)
  Re: SHA-1 unpatented? (Hideo Shimizu)
  Re: Security (Bryan Olson)
  Re: Musing on and Factoring of a (special) 782-bit Modulus (Bryan Olson)
  Re: TwoDeck ([EMAIL PROTECTED])
  Re: HushMail -- Free Secure Email (Art Walker)
  Re: Reasons for controlling encryption (Paul Koning)
  SECRET ART OF MIND POWER SEDUCTION ([EMAIL PROTECTED])
  Re: Why would a hacker reveal that he has broken a code? (wtshaw)
  Re: Why would a hacker reveal that he has broken a code? ("Philip Hawthorne")
  Re: TwoDeck ([EMAIL PROTECTED])
  MP3, Music, & Digital Cash (The Electronic Zola)
  Re: HushMail -- Free Secure Email ("Steve Sampson")
  block ciphers vs stream ciphers ("cairus")
  Re: HushMail -- Free Secure Email (SCOTT19U.ZIP_GUY)
  Q: choosing polynomials in MPQS (Francois Grieu)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (TTK Ciar)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: Tue, 25 May 1999 04:41:33 GMT

In article <[EMAIL PROTECTED]>,
DJohn37050 <[EMAIL PROTECTED]> wrote:
>The hope is that with many people looking at it, if there is a flaw, 
>the many honest people (perhaps looking for fame) will find any flaw 
>before the few dishonest people (looking to make an illegal buck).  

  Indeed.

>Also, anyone that could break such an algorithm could easily get a 
>good-paying job, so why should he/she take illegal risks?

  Some people are not temperamentally suited to a corporate environment.
They may find the freedom to live and work in a fashion suited to their
peculiar needs worth the added stress and potentially lower pay.

  On the other hand, a criminal with sufficient intelligence and skill
to find holes in the theoretical foundation of a cryptographic technology
is also probably intelligent and skillful enough to realize that 
most real-life implementations of that technology have many security 
holes which have nothing to do with the underlying theory, and are much
easier to find and exploit.  As in other segments of the computer 
industry, there are many more security engineering positions than there
are competent security engineers to fill them, and security systems 
written by rank amateurs outnumber competently written security systems
considerably.

  It's a reasonably safe bet that most computer criminals competent to
find cracks in DES3 are not trying to find those cracks at all.

  -- TTK


------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: SHA-1 unpatented?
Date: Tue, 25 May 1999 13:38:31 +0900

See previous discussion below.
Or use dejanews.com.

----
Subject:Re: Does anyone know the patent status on SHA-1???
Date:1998/10/15
Author:Christopher Biow <[EMAIL PROTECTED]>

[EMAIL PROTECTED] (Christopher Biow) wrote:

>However, given that no patent claimant has yet emerged on SHA, I'd say that
>it's reasonably safe to use.

My statement above is wrong. The following paragraph is summarized, with
permission, from some email I received; the author has been spammed into
withdrawal from Usenet.

Hitachi has told IEEE P1363 that it claims possible coverage of SHA-1 (and
other hashes) under their patents 4,982,429 and 5,103,479. These patents are
primarily concerned with FEAL-like [reversible] encipherment techniques,
involving register shifts of 2^i bits (i=2, 3, or 4). However, by his reading
of the actual claims, a couple might be argued to cover irreversible hashing.

So Usenet still needs a clearly unencumbered, legally exportable and
distributable, authentication-only standard, as of yesterday.

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Security
Date: Mon, 24 May 1999 21:22:31 -0700


Patrick Juola wrote:
[...]
> >> One obvious way to do it would be to insert random padding of some
> >> sort in order to exhaust the set of possible outputs.  As an example,
> >> suppose that we agree to use a symmetric block algorithm, but every
> >> block that I send will contain only one actual data byte and the rest
> >of
> >> the bytes will be randomly generated noise that I put in just to fool
> >> the cryptanalysts.  Of course, you just throw away all this noise when
> >> you get it.   And by careful design of the cypher, I can ensure that
> >> the property I outline above holds.
> >
> >There's a catch.  In the best case, the noise will
> >increase the unicity distance by the same amount that it
> >expands the ciphertext.  Adding noise doesn't increase the
> >amount of plaintext we can send in perfect secrecy.
> 
> Really?  I find this counter-intuitive; can you expand?

We have enough information to solve for the key at the point
where we expect only one key to decrypt the ciphertext to a
reasonable plaintext.   Now let's say our plaintext language
is a series of blocks where all but one of the bytes is random
but the last bytes of the blocks spell out an English message.
With a good cipher, the chance of an incorrect candidate 
decryption being valid given N blocks should be the same as
the chance of N randomly chosen bytes being a valid message.

With an ideal cipher, we expect a unique solution at about 
the point where the redundancy in the text is equal to the
entropy of the key (here we mean the redundancy in bits, not
the percentage).  The random padding that extends each byte
to a block makes the amount of redundancy in each block the
same as the amount of redundancy in the original byte.  The
padding has zero redundancy and the byte hasn't lost any.  
With an ideal cipher, we expect a unique solution at about 
the point where the redundancy in the text is equal to the
entropy of the key.

--Bryan
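To make Bryan's counting argument concrete, here is an added simulation (not code from the post or from either poster). It uses a toy 4-round Feistel cipher with a 10-bit key and SHA-256 as the round function, and a "language" in which a message byte is always one of 32 values, so every message byte carries 3 bits of redundancy. Each message byte is encrypted once on its own (1-byte blocks) and once as the low byte of a 2-byte block whose high byte is random noise, and for every candidate key we count how many leading blocks still decrypt into the language. The cipher, key size, language, message and seed are all assumptions of the example.

```python
import hashlib
import random

KEY_BITS = 10                 # toy key space of 2**10 keys (assumption)
VALID = frozenset(range(32))  # the "language": a message byte is only ever one of 32 values
REDUNDANCY_BITS = 8 - 5       # log2(256) - log2(32): 3 bits of redundancy per message byte


def unicity_distance_bytes():
    """Shannon's estimate H(K)/D, counted in message bytes; noise bytes add no redundancy."""
    return KEY_BITS / REDUNDANCY_BITS


def _f(key, half, rnd, mask):
    """Round function: SHA-256 of (key, round, half-block), truncated to the half-block width."""
    digest = hashlib.sha256(f"{key}:{rnd}:{half}".encode()).digest()
    return int.from_bytes(digest[:4], "big") & mask


def encrypt_block(key, block, half_bits):
    """Toy 4-round Feistel cipher on a block of 2*half_bits bits (a stand-in for a 'good cipher')."""
    mask = (1 << half_bits) - 1
    left, right = (block >> half_bits) & mask, block & mask
    for rnd in range(4):
        left, right = right, left ^ _f(key, right, rnd, mask)
    return (left << half_bits) | right


def decrypt_block(key, block, half_bits):
    """Inverse of encrypt_block: same rounds in reverse order."""
    mask = (1 << half_bits) - 1
    left, right = (block >> half_bits) & mask, block & mask
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, left, rnd, mask), left
    return (left << half_bits) | right


def valid_prefix_lengths(ciphertext, half_bits):
    """For every key: how many leading blocks decrypt to a data byte (low byte) inside the language."""
    lengths = []
    for key in range(1 << KEY_BITS):
        n = 0
        for c in ciphertext:
            if (decrypt_block(key, c, half_bits) & 0xFF) not in VALID:
                break
            n += 1
        lengths.append(n)
    return lengths


def survivors(lengths, n_blocks):
    """Number of keys still consistent with the first n_blocks blocks of ciphertext."""
    return sum(1 for n in lengths if n >= n_blocks)


def run_experiment(n_bytes=12, seed=1):
    """Encrypt a constructed message unpadded and padded; return the true key and per-key results."""
    rng = random.Random(seed)                      # constructed message and noise, fixed seed
    true_key = rng.randrange(1 << KEY_BITS)
    message = [rng.choice(sorted(VALID)) for _ in range(n_bytes)]
    plain_ct = [encrypt_block(true_key, b, 4) for b in message]                     # 1-byte blocks
    padded_ct = [encrypt_block(true_key, (rng.randrange(256) << 8) | b, 8)          # 2-byte blocks,
                 for b in message]                                                  # high byte is noise
    return true_key, valid_prefix_lengths(plain_ct, 4), valid_prefix_lengths(padded_ct, 8)


if __name__ == "__main__":
    true_key, plain, padded = run_experiment()
    print(f"unicity distance ~ {unicity_distance_bytes():.1f} message bytes in both settings")
    for n in range(0, 13, 2):
        print(f"after {n:2d} message bytes: {survivors(plain, n):5d} keys survive unpadded, "
              f"{survivors(padded, n):5d} padded")
```

The count of surviving keys falls at the same rate per message byte in both runs: the noise byte gives a candidate key nothing to fail on, so the padded ciphertext is twice as long while the number of message bytes needed to single out the key is unchanged. That is the sense in which the padding raises the unicity distance only by as much as it expands the ciphertext.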

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Musing on and Factoring of a (special) 782-bit Modulus
Date: Mon, 24 May 1999 21:50:37 -0700



Ted Kaliszewski wrote:
> 
>       Responding to the comments re my posting on the 
> factoring of a (special) 782-bit modulus, let me note 
> the following:

Your notes don't really respond to the comments on your
previous post.

>       Let us make a fair assumption that the architects of public key
> cryptosystems are both knowledgeable and conscientious. That implies,
> among other things, that any modulus they generate, randomly or
> otherwise, is thoroughly tested for all known (to them) vulnerabilities.

Real vulnerabilities, yes.  But the point is that the classes
you've identified are not vulnerabilities.  The keying 
procedures reliably avoid them without any special testing.

> Now, how can they be certain that the system they create is, indeed,
> secure? Do they carry a liability insurance to protect themselves in
> the case the system is not?

There is no proof that breaking RSA is intractable.  There
are proofs that the key generation procedures have no
significant chance of producing a modulus of some special
forms, including the ones you've shown how to factor.

A couple months ago you claimed to be able to factor a
form that actually is produced with significant probability.
If true, that would be a significant class of weak keys, so
I constructed one and challenged you to factor it.  You
could not do so.

There may be significant weak key classes for RSA.  Currently
none are known.


>       I have in my inventory of codes close to a dozen of moduli constructions
> that impart no security to the system. The 782-bit modulus
> cited in the posting was created by one of them.

So _don't_ use these constructions.  The fact that you can
create products that you can factor is of no consequence.
Since the keying procedures don't generate moduli of these
forms, they present no problem.

[...]
>       Finally, the issue of complexity: my impression is that it usually
> is linked to a specific factoring algorithm.

Complexity is defined for both algorithms and problems.  The time
complexity of a problem is the time complexity of the fastest
possible algorithm to solve the problem.  Thus the complexity of
an algorithm is an upper bound on the complexity of the problem
it solves.


--Bryan

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: TwoDeck
Date: Mon, 24 May 1999 14:54:09 GMT

Thanks for the suggestion, I will see about adding it.

For now I have a better algorithm, which I will discuss this saturday
in the group when I formalize it.

The idea is simple, here is the pseudo code

c = ((rng() * rng()) % 257) & 255

Where rng() is a seeded rng algorithm returning 1-256.  This will
produce an output between 0-255 that depends on all of the bits of the
inputs.

In my paper I am using a single LFSR as an example, but any well
balanced RNG (GFSR, additive) will do (most likely).

Tom


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---
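As an added check on the combiner in the post above (example code, not Tom's): since 257 is prime and both inputs are nonzero mod 257, the product is a bijection in each argument, so enumerating all 256 x 256 input pairs should give every output value 0..255 exactly 256 times, and flipping any single input bit must change the output. The generator itself is left out; the enumeration treats both rng() outputs as free variables in 1..256.

```python
def combine(a: int, b: int) -> int:
    """The combiner from the post: a and b are rng() outputs in 1..256, the result is in 0..255."""
    assert 1 <= a <= 256 and 1 <= b <= 256
    return ((a * b) % 257) & 255


def output_histogram() -> list:
    """Exact output distribution over all 256*256 ordered input pairs (no generator involved)."""
    counts = [0] * 256
    for a in range(1, 257):
        for b in range(1, 257):
            counts[combine(a, b)] += 1
    return counts


def is_uniform(counts) -> bool:
    """True when every output value occurs equally often."""
    return len(set(counts)) == 1


def single_bit_flip_changes_output() -> float:
    """Fraction of (pair, bit) cases in which flipping one bit of `a` changes the output.

    Inputs are 1..256, so bit positions 0..8 are tried and flips that leave the
    range are skipped. Flipping a bit of `b` is the same case by symmetry of the
    product. A result of 1.0 means every input bit always matters."""
    changed = total = 0
    for a in range(1, 257):
        for b in range(1, 257):
            base = combine(a, b)
            for j in range(9):
                a2 = a ^ (1 << j)
                if 1 <= a2 <= 256:
                    total += 1
                    changed += combine(a2, b) != base
    return changed / total


if __name__ == "__main__":
    counts = output_histogram()
    print("uniform over 0..255:", is_uniform(counts), "count per value:", counts[0])
    print("fraction of single-bit flips that change the output:", single_bit_flip_changes_output())
```

The histogram is exactly flat (256 hits per value) and every single-bit change in either input changes the output. Note what this does and does not show: the output is uniform when the two inputs are uniform and independent, but a flat histogram says nothing about predictability, since with a seeded generator each output is still a deterministic function of the generator state.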

------------------------------

From: [EMAIL PROTECTED] (Art Walker)
Subject: Re: HushMail -- Free Secure Email
Reply-To: [EMAIL PROTECTED]
Date: Mon, 24 May 1999 15:01:20 GMT

On Fri, 21 May 1999 21:03:59 -0700, Chem-R-Us <[EMAIL PROTECTED]> wrote:
>Or that the Javascript isn't really disabled. The Unix version of
>netscape is compiled from source code and then installed. Win95/98
>is downloaded as an executable. Are you so sure that disabling
>Javascript performs as advertised? Or is it just another windoze
>'anomaly' to be patched at an undisclosed future date?

Which is, of course, one more argument why Java and LiveScript support
needs to be in (removable) shared libraries instead of the main executable.

- Art

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Reasons for controlling encryption
Date: Mon, 24 May 1999 10:39:31 -0400

Renegade wrote:
> Since epoch, USG has had unrestricted access to unencrypted communications.
> Crypto systems will prevent that from happening. Since the US is leading
> developer of the most used communication systems, export controls are
> needede. Plus, you can't outlaw domestic crypto until you push the export
> agenda.

Not "will", "have been" (at least since 1991 when PGP came out, and
arguably longer).

US as leading developer?  Not clear.  SSH comes from Finland.  A well
regarded free SSL implementation comes from Australia.  A disk encryption
package for DOS from New Zealand, and one for Windows from England.
IPSEC for Linux from Canada, and another from Chile.  A GPL implementation
of the PGP standard from Germany.  The majority of the AES submissions
come from outside the USA.

"You can't outlaw domestic crypto until...".  Indeed.  The arguments Doug
Stell quotes are arguments for outlawing crypto, not for outlawing export.
Outlawing crypto is the actual intent, export controls the false flag used
to cover up what's going on.

        paul

------------------------------

From: [EMAIL PROTECTED]
Subject: SECRET ART OF MIND POWER SEDUCTION
Date: 25 May 1999 10:56:26 GMT

This article is posted by Newsgroup AutoPoster PRO (unregistered)
--


===================================

The Ultimate Art of Mind Power Seduction

SEDUCE ANYBODY YOU DESIRE


Seducing and sexually arousing anybody you desire... using the
complete and hidden power of your mind. No words are spoken, no pickup
lines; straight mind power!

The secret art of seduction and arousal using the power of your mind
involves techniques that have been well hidden for ages.  These are
powerful methods that give you the ability to seduce and sexually
arouse anybody you wish!  These techniques also give you the power to
make any person fall in love with you.  Once applied, these methods
seep deep into the subconscious mind of the person you are wanting to
influence.  After a short time, that person will begin to find you
very attractive, later becoming very lustful for you and eventually
fall hopelessly in love with you.

Formerly only available in the underground channels, these secret
methods have now surfaced and are accessible to the general public on
the world wide web.  Researched and developed for almost 10 years,
what you will find here are techniques to get that person of your
dreams!

The mind power seduction techniques have nothing to do with pickup
lines, conversation gimmicks, useless perfumes or whatever.  This is
the real stuff here.... methods and secret applications for using the
power of your mind to make any person fall in love with you and become
very sexually turned on by you.

Visit the MIND POWER SEDUCTION website at:

http://209.204.213.107/mind-power-seduction/




Best of Luck,


Jennifer Slater


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: Mon, 24 May 1999 15:52:54 -0600

In article <7ic3gi$eer$[EMAIL PROTECTED]>, "Jean Marc Dieu"
<[EMAIL PROTECTED]> wrote:
> 
> Jeeeee... the more I learn, the more I see there's so many things left to
> learn that have not even been discovered yet !
> Crypto is really fascinating !
> 
And, there are many areas in which you can easily find yourself working
alone.  If you find something really interesting, try to bring it back to
some of the rest of us searchers.

Most likely you will rediscover some ideas worth repeating anyway, and, as
is often the case, you may need to hear that you made a mistake in your
assumptions.  Don't be afraid that errs will make you look stupid; if you
are trying, you are certainly a few ranks above those who are not.
-- 
Weathermen prophesy and insurance companies predict, while both pretend to be doing 
the other to get an audience.

------------------------------

From: "Philip Hawthorne" <[EMAIL PROTECTED]>
Subject: Re: Why would a hacker reveal that he has broken a code?
Date: Tue, 25 May 1999 11:20:55 +0100

Sure. That explains why every patient who has investigations for PUD
(peptic ulcer disease) routinely has a Clo-test done? And if the Clo-test is
positive for helicobacter species starts eradication treatment? Or maybe the
several clinical studies showing that helicobacter is _a_ causal agent, not
_the_ causal agent should be ignored? Maybe sticking to factual data rather
than broad, inaccurate, sweeping statements about unconnected disciplines
would be useful.


Philip Hawthorne

>  It took more than 15 years for his discovery to be accepted, but now
>the medical reference books all mention the "Helicobacter Pylori" as
>the prime suspect in peptic ulcer (for those who read these books).
>On the other hand, practicing physicians keep this information hidden
>from their patients, and repeatedly prescribe diet, acid reducers and
>other Bl-St so that patients would return to them year after year.
>
>  Moral: never go to a doctor without doing your homework first.
>         remember - all doctors are in business, they care first
>         about their checkbook, then about their business partners,
>         and then, (maybe...) about your well-being.
>
>    Best wishes         BNK
>> --
>>                     SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
>>                     http://www.jim.com/jamesd/Kong/scott19u.zip
>>                     http://members.xoom.com/ecil/index.htm
>>                     NOTE EMAIL address is for SPAMERS



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: TwoDeck
Date: Tue, 25 May 1999 10:59:58 GMT


> Another suggestion is faster switching -- the practice of exhausting a
> whole deck before it is reshuffled is very bad -- it means that your
> available randomness falls extremely low before being refreshed and will
> give an opponent a chance to analyze the deep structure of the deck in
> full -- more intermediate decks might not be a bad idea and possibly
> changing the order in which the decks are used at intervals. Another
> suggestion is multiple shuffles at the intervals -- not much code load
> difference in shuffling both A and B at the same time (esp if the same
> algo is used for both -- but obviously different shuffle points).

Well that's not really a problem.  The problem is the deck is never
really shuffled well.  If I stepped through the entire deck and shuffled,
you would still not be able to tell the deck from any N! combinations.

I however have two alternatives which are more compact and easier to
implement (albeit no faster).  I will discuss them when it's ready.

I appreciate the interest in TwoDeck and someday I might improve it.
If anyone else wants to work on it, by all means go ahead.  It started
with nice theory... :)

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

------------------------------

From: The Electronic Zola <[EMAIL PROTECTED]>
Subject: MP3, Music, & Digital Cash
Date: 20 May 1999 06:35:59 GMT

=================  
The Front Page:
http://www.zolatimes.com/V3.20/pageone.html
=================
Social Violence, Self-Defense, and the Police State
by Sarah Thompson, M.D.
http://www.zolatimes.com/V3.20/violence.html
============
Stormbringer - Jury Nullification Report
by Don Lobo Tiggre
http://www.zolatimes.com/V3.20/stormbringer.html
============
Is MP3 the Future of Music?
New Web Realities by Estaban Hill
http://www.zolatimes.com/V3.20/music_mp3.html
============
"I Can't Get No Satisfaction"
The Oral Rage of the Elite by Robert L. Kocher
http://www.zolatimes.com/V3.20/oralrage.html
============
The Immorality of Taxation
by Sunni Maravillosa
http://www.zolatimes.com/V3.20/immoral_taxes.html
============
Book Excerpts: The Crimes of Bill & Hillary Clinton
http://www.zolatimes.com/SS/BandHmenu.html
============
Visit the Laissez Faire City Book Shop
http://www.zolatimes.com/SS/BookShop.html
============

New: Laissez Faire City's Worldwide Privacy Phone Service
http://www.LFCjfax.com/

------------------------------

From: "Steve Sampson" <[EMAIL PROTECTED]>
Subject: Re: HushMail -- Free Secure Email
Date: Tue, 25 May 1999 07:12:08 -0500

I tried using Hushmail at the office.  It turns out that the
site attempts to ftp back to you, and our particular
firewall blocks ftp by default.

What's with the ftp?

Steve




------------------------------

From: "cairus" <[EMAIL PROTECTED]>
Subject: block ciphers vs stream ciphers
Date: Tue, 25 May 1999 15:01:06 +0200

Hi.
It seems that today the cryptographic community
is much more interested in block ciphers than in
stream ciphers. Which is the reason for this trend?
Thank you.
Cheers,
Cairus



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: HushMail -- Free Secure Email
Date: Tue, 25 May 1999 15:11:40 GMT

In article <Kxw23.1350$[EMAIL PROTECTED]>, "Steve Sampson" 
<[EMAIL PROTECTED]> wrote:
>I tried using Hushmail at the office.  It turns out that the
>site attempts to ftp back to you, and our particular
>firewall blocks ftp by default.
>
>What's with the ftp?
>
>Steve
>
  
 FTP is for transferring files back and forth to your hard drive.
If hush mail requires Java and such it is just adding more overhead
for people to do on their own machines and overall leaves
you more vulnerable to attack. It is best to do encrypting off line
on a secure machine if possible. But to do this while connected 
to the internet is asking for trouble.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (Francois Grieu)
Subject: Q: choosing polynomials in MPQS
Date: Tue, 25 May 1999 16:46:45 +0200

Skip this article if you don't know the Multiple Polynomial Quadratic
Sieve, a fast technique to factor hard composite integers of 200-400 bits.


I'm trying to figure out a reasonable choice of polynomials in MPQS.  The
simple "Davis" variation is rephrased below in the context of the "Two
large primes" variation.  I fail to see why it is inferior to the more
complex "Hypercube" variation.  My hope is that someone knowledgeable can
comment.

Notations:
  N     integer to factor (maybe already multiplied by a small integer)
  B1    factor base limit
  B2    large prime limit
  B3    smoothness limit,  B1 < B2 < B1*B2 < B3    maybe  B3 = B2^2
(for RSA129 in  ref[5], N is about 2^428   B1=16,333,609   B2=2^30)
  S     N^0.5 rounded up, such that (S-1)^2 < N < S^2
 F(x)  the polynomial (S+x)^2 - N
  pj    prime quadratic residues mod N not over threshold B1
  Pj    powers of  pj not over B1   (mostly, the pj)
 Dj,Ej  the two integers  x  in [0..Uj[  such that Pj divides F(x)

We sieve the polynomial  F(x)  by adding the  log(Pj)  in an array at
indexes  I=Dj+Pj*k  and  I=Ej+Pj*k  for |I| small.  Examining the
magnitude of the array elements quickly locates the  I  such that  |F(I)| 
is the product of many   pj  and an integer  Q  with Q<B3.  For those I,
we factor |F(I)| using trial division by the primes  pj, then when the
unfactored portion Q is more than B2,  run a primality test, and for
composite Q perform a heuristic factoring, giving a total of 4 cases:
a)  Q=1    a "full" relation
b)  B1 < Q < B2    a "partial" relation
c)  Q = Q1*Q2 with B1 < Qj < B2    a "partial-partial" relation
d)  Q is a prime with B1*B2 < Q < B3    a "byproduct" relation
(the "small primes" variation can speed up things)

In the byproduct case we observe that for any integer x   F(Q*x+I)  is a
multiple of  Q.  G(x) = F(Q*x+I)/Q  is an integer of order 2*x*N^0.25 
when  |x|<<N^0.5  which makes  the polynomial  G(x)  about as smooth as  
F(x).  Each full, partial, or partial-partial relation found when sieving
polynomial G(x) translates in a usable relation, by multiplying it with
the byproduct relation that gave G(x).

The amount of work to start sieving polynomial  G(x)  given a byproduct
(I,Q) is essentially adjusting the Dj and Ej, which is dominated by
computing the inverse mod Q of each of the pj.  This is not too expensive,
because Q is small.  On RISC CPUs it appears reasonably easy to interleave
the calculation with unused CPU cycles while the sieving step of the
previous  pj  is making cache misses, assuming we are not playing other
tricks with the caches.

The byproduct relations are almost free, and relatively frequent.  Even if
we run out of those found sieving F(x), we can reuse second-order
byproduct relations found when sieving the G(x), and so on to several
levels.  The risk of accidental duplicated sieving is low (if this was
frequent, we could get lots of full relations).


So why not use this simple "Davis" method rather than the more complex
"Hypercube" technique ?  Maybe it would help if I knew the usual size of
the sieving interval, usual choice of B3, and the relative cost of sieving
and changing polynomial in a typical Hypercube MPQS.


Advance apologies: I should have read ref[1] and ref[3] but did not, as I
failed to find them either online or in my local public library (the
"Bibliotheque Nationale de France").  And I could have programmed both
Davis and Hypercube MPQS, but was too lazy and would rather ask.


Francois Grieu


References:

[1] J.A. Davis and D.B. Holdridge: Factorisation using the Quadratic
Sieve.  Sandia report Sand 83-1346, Sandia National Laboratories,
Albuquerque, New Mexico, 1983.

[2] Carl Pomerance: The Quadratic Sieve factoring algorithm.  Advances in
Cryptology - Proceedings of EUROCRYPT 84 (1985) vol. 209 of Lecture Notes in
Computer Science, Springer-Verlag page 169-182.

[3] Robert Silverman: The Multiple Polynomial Quadratic Sieve. 
Mathematics of Computation 48 (1987) page 329-339.

[4] Rene Peralta: Implementation of the Hypercube Variation of the
Multiple Polynomial Quadratic Sieve (TR-95-05-04)
<ftp://ftp.cs.uwm.edu/pub/tech_reports/HyperSieve.ps>

[5] Derek Atkins, Michael Graff, Arjen K. Lenstra, Paul C. Leyland: THE
MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
<ftp://ftp.ox.ac.uk/pub/math/rsa129/rsa129.ps.gz>
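To put the notation of Francois's post into running code, here is an added toy implementation (not his code, and not a reference implementation of any of the cited papers). It builds the factor base and the roots Dj, Ej by Tonelli-Shanks, sieves F(x) = (S+x)^2 - N over |x| <= M by adding log(pj) at the indexes Dj + pj*k and Ej + pj*k (prime powers skipped, as the post allows), trial-divides the survivors, sorts them into the four relation types a) to d), and forms the Davis polynomial G(x) = F(Q*x+I)/Q from a byproduct relation. The modulus N_DEMO (a product of two small primes), the bounds B1=300, B2=3000, B3=B2^2 and the interval M=2000 are constructed for illustration and are far below the sizes in the post; trial division stands in for the heuristic factoring of a composite Q.

```python
from math import isqrt, log, prod

# Constructed toy modulus: two small primes, far below the 200-400 bit range in the post.
N_DEMO = 10007 * 104729


def smallest_factor(n):
    """Trial division; stands in for the 'heuristic factoring' of a small composite Q."""
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n


def is_prime(n):
    return n > 1 and smallest_factor(n) == n


def sqrt_mod(n, p):
    """Tonelli-Shanks: a square root of n modulo an odd prime p (n assumed a quadratic residue)."""
    n %= p
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            i, t2 = i + 1, t2 * t2 % p
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def factor_base(N, B1):
    """S with (S-1)^2 < N < S^2, and for each prime pj <= B1 with N a QR mod pj the roots Dj, Ej of F."""
    S = isqrt(N) + 1
    base = []
    for p in (q for q in range(2, B1 + 1) if is_prime(q)):
        if p == 2:
            base.append((2, [(N - S) % 2]))            # (S+x)^2 == N (mod 2) iff S+x == N (mod 2)
        elif pow(N, (p - 1) // 2, p) == 1:
            r = sqrt_mod(N, p)
            base.append((p, sorted({(r - S) % p, (-r - S) % p})))
    return S, base


def sieve_relations(N, B1, B2, B3, M):
    """Sieve F(x) = (S+x)^2 - N over |x| <= M and sort survivors into the post's four relation types."""
    S, base = factor_base(N, B1)
    F = lambda x: (S + x) ** 2 - N
    logs = [0.0] * (2 * M + 1)                         # index i holds the log-sum for x = i - M
    for p, roots in base:                              # prime powers skipped: the Pj are "mostly the pj"
        for D in roots:
            for i in range((D + M) % p, len(logs), p):
                logs[i] += log(p)
    rels = {"full": [], "partial": [], "partial-partial": [], "byproduct": []}
    for i, acc in enumerate(logs):
        x = i - M
        v = abs(F(x))
        if v == 0 or acc < log(v) - log(B3):           # smooth part too small: cofactor would exceed B3
            continue
        Q, exps = v, {}
        for p, _ in base:                              # trial division by the factor base primes
            while Q % p == 0:
                Q //= p
                exps[p] = exps.get(p, 0) + 1
        rel = (x, exps, Q)
        if Q == 1:
            rels["full"].append(rel)
        elif Q < B2:                                   # B2 < B1^2, so a cofactor this small is prime
            rels["partial"].append(rel)
        elif Q < B3:
            q1 = smallest_factor(Q)
            if q1 == Q and Q > B1 * B2:
                rels["byproduct"].append(rel)
            elif q1 != Q and B1 < q1 and Q // q1 < B2:
                rels["partial-partial"].append(rel)
    return S, rels


def check_relation(N, S, rel):
    """|F(x)| must equal the product of the recorded prime powers times the cofactor Q."""
    x, exps, Q = rel
    return abs((S + x) ** 2 - N) == Q * prod(p ** e for p, e in exps.items())


def davis_polynomial(N, S, I, Q):
    """G(x) = F(Q*x + I) / Q for a byproduct (I, Q): exact, since (S+Qx+I)^2 - N == F(I) == 0 (mod Q)."""
    def G(x):
        val = (S + Q * x + I) ** 2 - N
        assert val % Q == 0
        return val // Q
    return G


if __name__ == "__main__":
    S, rels = sieve_relations(N_DEMO, B1=300, B2=3000, B3=3000 ** 2, M=2000)
    print({kind: len(group) for kind, group in rels.items()})
```

With these parameters S = 32374 and F(0) = 52773 = 3 * 7^2 * 359, so x = 0 is a partial relation with Q = 359. Every relation the sieve reports reconstructs |F(x)| exactly, and for each byproduct (I, Q) the values F(Q*x+I) are multiples of Q for every x, which is the whole basis of the Davis polynomial; how often byproducts turn up, and therefore how much free sieving they buy, is the empirical question the post is asking about.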

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
