Cryptography-Digest Digest #601, Volume #9       Thu, 27 May 99 05:13:03 EDT

Contents:
  Re: non-computerized cryptography (Johnny Bravo)
  Re: Review of Scottu19 (SCOTT19U.ZIP_GUY)
  Re: non-computerized cryptography ("HypSoft")
  Re: What good is hushmail? (Terry Ritter)
  Re: Please recommend freeware encryption SDK (Squitter Shivwits)
  Re: crack a hash function? (wtshaw)
  Re: DSA (Digital Signature Standard) and the Schnorr Patents (Vin McLellan)
  Re: request opinion/info : 1.5 Mbits/s public key scheme (Karel Wouters)
  Re: A question on congruential algebra (Bo Lin)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: non-computerized cryptography
Date: Wed, 26 May 1999 23:10:23 GMT

On Wed, 26 May 1999 09:52:52 -0400, <[EMAIL PROTECTED]> wrote:

>Try the Appendix to Neal Stephenson's Cryptonomicon.
>
>An algorithm called Solitaire that can be done manually with a deck of
>cards.
>
>Bruce Schneier, care to comment?
>
>Marc

  I'm sure his comments would be favorable, since he invented it. :)

Quote from his page.  
"I designed Solitaire to be secure even against the most
well-funded military adversaries with the biggest computers and the
smartest cryptanalysts. Of course, there is no guarantee that
someone won't find a clever attack against Solitaire (watch this space
for updates), but the algorithm is certainly better than any
other pencil-and-paper cipher I've ever seen. "

http://www.counterpane.com/solitaire.html


  The keyspace of a shuffled deck of cards is about the same as a
binary key of 237 bits.  The drawback for the system is that a) it's
slow, and b) you need a different deck key for every message.  It
would be a bit slower but still practical to use the same key for
different messages if you encoded all the previous messages into the
deck state first, i.e. if you had a set key and sent a 20-char
message, then shuffled the deck so as to hide the key.  Then when you
reset the deck you manipulated the cards so as to encode the first
message again, then you would have a secure state for sending a future
message.  
  A newspaper bridge hand would be a very poor method of selecting a
key for such a deck.  It would be almost trivial to enter newspaper
columns of bridge into a computer to check first for keys.  However
selecting some text from the newspaper according to an arranged
schedule and keying the deck with that text would be much better.

  Johnny Bravo
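
Solitaire as an added worked example (this is the editor's code, not Schneier's reference implementation and not code from the post): it keys a deck from a passphrase, as the post suggests doing with text taken from the newspaper, generates the keystream, and puts two of the post's points into code, the roughly 237-bit keyspace of a shuffled 54-card deck and why a deck state must not be reused across messages. Card numbering (1..52 for clubs through spades, then the A and B jokers as 53 and 54, both counting as 53) and the X padding to five-letter groups follow Schneier's published description; the function names are the editor's.

```python
"""Solitaire keystream generator (Schneier's cipher from the Cryptonomicon
appendix), written as an added example; not code from the post or from
counterpane.com. Cards are 1..52, 53 is the A joker, 54 the B joker."""
import math
from typing import List

JOKER_A, JOKER_B = 53, 54


def card_value(card: int) -> int:
    """Numeric value used for counting; either joker counts as 53."""
    return 53 if card >= JOKER_A else card


def move_joker_down(deck: List[int], joker: int, steps: int) -> None:
    """Move a joker `steps` cards toward the bottom; a joker at the bottom
    wraps to just below the top card (it never becomes the top card)."""
    for _ in range(steps):
        i = deck.index(joker)
        if i == len(deck) - 1:
            deck.pop(i)
            deck.insert(1, joker)
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def triple_cut(deck: List[int]) -> List[int]:
    """Swap the cards above the first joker with the cards below the second."""
    i, j = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]


def count_cut(deck: List[int], n: int) -> List[int]:
    """Move the top n cards to just above the bottom card (bottom stays put)."""
    return deck[n:-1] + deck[:n] + deck[-1:]


def solitaire_step(deck: List[int]) -> None:
    """One round of the four deck operations, producing no output."""
    move_joker_down(deck, JOKER_A, 1)
    move_joker_down(deck, JOKER_B, 2)
    deck[:] = triple_cut(deck)
    deck[:] = count_cut(deck, card_value(deck[-1]))


def key_deck(passphrase: str) -> List[int]:
    """Key an ordered deck from a passphrase: after each letter's round, do an
    extra count cut by the letter's value (A=1 .. Z=26). An empty passphrase
    leaves the deck ordered, Schneier's 'null key'."""
    deck = list(range(1, 55))
    for ch in passphrase.upper():
        if "A" <= ch <= "Z":
            solitaire_step(deck)
            deck[:] = count_cut(deck, ord(ch) - ord("A") + 1)
    return deck


def keystream(deck: List[int], n: int) -> List[int]:
    """Produce n keystream values in 1..52; a joker as output is skipped."""
    out: List[int] = []
    while len(out) < n:
        solitaire_step(deck)
        card = deck[card_value(deck[0])]  # count down from the top card's value
        if card < JOKER_A:
            out.append(card)
    return out


def _letters(text: str) -> List[int]:
    """Letters only, as 0..25, padded with X to a multiple of five."""
    vals = [ord(c) - ord("A") for c in text.upper() if "A" <= c <= "Z"]
    while len(vals) % 5:
        vals.append(ord("X") - ord("A"))
    return vals


def encrypt(plaintext: str, passphrase: str) -> str:
    vals = _letters(plaintext)
    ks = keystream(key_deck(passphrase), len(vals))
    return "".join(chr((p + k) % 26 + ord("A")) for p, k in zip(vals, ks))


def decrypt(ciphertext: str, passphrase: str) -> str:
    vals = [ord(c) - ord("A") for c in ciphertext.upper() if "A" <= c <= "Z"]
    ks = keystream(key_deck(passphrase), len(vals))
    return "".join(chr((c - k) % 26 + ord("A")) for c, k in zip(vals, ks))


def deck_keyspace_bits(cards: int = 54) -> float:
    """log2(cards!), the entropy of a uniformly shuffled deck."""
    return sum(math.log2(k) for k in range(1, cards + 1))


def keystream_reuse_leak(ct1: str, ct2: str) -> str:
    """Two messages sent from the same deck state share a keystream, so
    c1 - c2 = p1 - p2 (mod 26): the attacker learns the plaintext difference
    without ever touching the deck. Returns that letter-wise difference."""
    return "".join(chr((ord(a) - ord(b)) % 26 + ord("A")) for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    print(f"shuffled 54-card deck ~ {deck_keyspace_bits():.1f} bits")
    print(encrypt("AAAAAAAAAA", ""))  # null-key test vector: EXKYIZSGEH
```

Encrypting ten A's under the null key reproduces Schneier's published test vector, which is the quickest way to confirm a hand or software implementation is following the steps correctly. The leak function is the reason for the post's "different deck key for every message": subtracting two ciphertexts made from the same deck state cancels the keystream entirely.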



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Review of Scottu19
Date: Thu, 27 May 1999 04:46:41 GMT

In article <7ii6hg$nhl$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>>    Tom, Scott's algorithm is essentially a multi-round block cipher
>> treating the entire file as one large block. The updating
>> transformation is a 19-bit S-box created from a user-provided file. He
>> refers to this as the "Central Equation." The rest of the code
>> implements rather kludgy methods to protect against a known-plaintext
>> attack by Paul Onions and also to access data on 19-bit boundaries.
>
>That's the clearest explanation so far.  Did that take 300 lines?  me
>thinks not.
>
>Tom

 Tom, but it does not give enough detail to write the code either.  So maybe
it needs another 290 lines to provide the detail.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMMERS

------------------------------

From: "HypSoft" <[EMAIL PROTECTED]>
Subject: Re: non-computerized cryptography
Date: Thu, 27 May 1999 00:35:28 -0400

What would the military non-computerized codes actually be?  Does anyone
know of any web sites which cover this topic?

--

Andrew Hamilton
[EMAIL PROTECTED]


<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>Greetings:
>
>I'm interested in locating texts or other information pertaining to
>"non-computer based" cryptography.
>
>The trends in cryptography undeniably have shifted to 100%
>computer-based systems. But is there anything still being written about
>systems which do NOT rely on a computer to generate 1024 bit prime
>numbers??
>
>Just curious.........



------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: What good is hushmail?
Date: Thu, 27 May 1999 05:26:43 GMT


On Thu, 27 May 1999 01:06:11 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt [EMAIL PROTECTED]
wrote:

>At least in some foreign countries we all know, it's pretty easy for
>the relevant gov. agency to get your friendly neighborhood isp to
>redirect the DNS entry for hushmail to a "clone" site that looks just
>like it...

We do depend upon the content of the HushMail applet being what we
think it should be: if a pseudo-HushMail site produces a different
applet and we use that, we will be in trouble.  A bad applet could
simply send out our secret key phrase or even unenciphered plaintext.


The intent of the HushMail approach is that the cryptography occur on
our local machine, and that the web site carry nothing which can be
exposed unless we decipher it locally with our own key phrase.  That
need not be a bad approach.  (The site does of course know a message
was sent, when it was sent, and to which user.)  


>so if you really need to protect yourself against Big
>Brother and the Holding Company, clearly this ain't the way....sorry
>suckers. 

HushMail still needs to support both applet validation and end-to-end
key validation, but it is supposedly a beta, so these things could yet
happen.  It is disturbing to see that they are not joining in the
discussion of these serious issues, but that could change too.  

The basic idea of good end-to-end security independent of whatever is
in between seems almost within their grasp, but it still needs to be
completed to deliver on the promise.  Maybe that will never happen.
Maybe somebody else will take their idea and do it right.  

The general idea of easy-to-use email security for the masses
delivered by a web site seems quite new and exciting.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Free Encrypted Email   www.hushmail.com   [EMAIL PROTECTED]


------------------------------

From: Squitter Shivwits <[EMAIL PROTECTED]>
Subject: Re: Please recommend freeware encryption SDK
Date: Wed, 26 May 1999 21:50:10 -1000

Dan Koppel wrote:
> 
> Hello all,
>   I was wondering if anybody out there could recommend a freeware
> encryption SDK that could be used for commercial purposes.  I would like to
> integrate it with some software that I wrote.  I understand that PGP is
> freeware if used non-commercially, so I guess I'm looking for something
> else.  Please let me know if I've got my facts right.
>    Thanks and I appreciate any input on this,
>     Dan Koppel
>     [EMAIL PROTECTED]

Use scott19u.zip for the finest in free security:

   http://members.xoom.com/ecil/index.htm

I have used it and nobody reads my files.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: crack a hash function?
Date: Thu, 27 May 1999 01:24:28 -0600

In article <7ii3jj$rv5$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bill
Unruh) wrote:
> 
> A hash is cracked if a second text can be found which hashes to the same
> value as the first. A hash is NOT a cryptosystem, and thus it is not one
> to one. It is a verification system, that the original has not been
> changed. If you find a second, then the original can be changed.

One might consider that being able to find the original input would be a
break.  So, having multiple possible inputs, perhaps many, would help
protect the original words.

One interesting approach, at least I think so, is to use multiple hash
functions that each have considerable collision, and combine all the
results.  Since where I use this technique requires two different keys,
things work out rather well, even to using a third process to further
confuse one of the keys.  The end result is that stumbling on the right
text source is still going to be most difficult.  And, the interference
pattern in the keying structure that all of the components produce results in
relatively rare collisions from diverse source texts, a huge keyspace
reducing the chance of random collision to a very low level, and thwarting
brute force attacks on the key structure.

In accepting a lower level of security, you increase the number of
collisions.  What constitutes a break would not necessarily follow. The
only thing that you can ask is whether the algorithms involved met your
level of desired security.  Short keys are otherwise called dumb keys for
good reason.
-- 
Weathermen prophesize and insurance companies predict, while both pretend to be doing 
the other to get an audience.
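
The two senses of "cracked" in Bill Unruh's definition, worked as an added example (the editor's code, not either poster's): a second preimage is a different text with the same hash as a given original, which costs about 2^n trials by brute force for an n-bit hash; a collision is any two texts that agree, which the attacker can find in about 2^(n/2) trials by the birthday argument because he chooses both texts. SHA-256 truncated to a few bits stands in for a weak hash so both searches finish instantly; the truncation width and the candidate-message formats are the editor's choices.

```python
"""Second-preimage vs collision search on a truncated SHA-256, added as an
example (not code from the posters). The truncation stands in for a weak
hash; the contrast in work factors is the point."""
import hashlib
from itertools import count
from typing import Dict, Optional, Tuple


def trunc_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits, used as a stand-in weak hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def second_preimage(target: bytes, bits: int, limit: int) -> Tuple[Optional[bytes], int]:
    """Find msg != target with the same truncated hash by brute force.
    Expected cost ~2^bits trials. Returns (message or None, trials used)."""
    h = trunc_hash(target, bits)
    for i in range(limit):
        cand = b"forged-%d" % i          # constructed candidate texts
        if cand != target and trunc_hash(cand, bits) == h:
            return cand, i + 1
    return None, limit


def collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search: any two distinct inputs with equal truncated hash.
    Expected cost ~2^(bits/2) trials, since both texts are attacker-chosen."""
    seen: Dict[int, bytes] = {}
    for i in count():
        cand = b"msg-%d" % i
        h = trunc_hash(cand, bits)
        if h in seen:
            return seen[h], cand, i + 1
        seen[h] = cand
    raise AssertionError("unreachable")  # count() never ends


if __name__ == "__main__":
    original = b"pay Alice 10 dollars"    # constructed sample original text
    forged, n1 = second_preimage(original, 16, 1 << 20)
    m1, m2, n2 = collision(16)
    print(f"second preimage after {n1} trials: {forged!r}")
    print(f"collision after {n2} trials: {m1!r} / {m2!r}")
```

With a 16-bit truncation the second-preimage loop typically needs tens of thousands of trials while the birthday search needs a few hundred; doubling the width squares the gap, which is why hash output sizes are chosen with the birthday bound, not the preimage bound, in mind.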

------------------------------

From: Vin McLellan <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: DSA (Digital Signature Standard) and the Schnorr Patents
Date: Thu, 27 May 1999 02:48:12 -0300

Rosi <[EMAIL PROTECTED]> wrote:
        
> Dear Vin,
> 
>    The text is a bit overwhelming. Excuse me for not reading it entirely
> and carefully before this reply.

        Sorry to be overwhelming, but I can appreciate your plight.  I had
not intended to write as much as I did, but I didn't have the time to
write short. 

<...>

>    However, I think we somehow agree that as a patent issue, it is
> 'maybe or maybe not'. It can hardly be made anything other than that.

        Actually, I disagree.  I think many potential claims are absurd and
can be easily and completely dismissed.  

        I only jumped into this discussion because some bright guys were
referring to the Schnorr patents with that sort of language. It was
clear to me -- just from the way I saw the Schnorr patents used as a
fulcrum to challenge US policy on DSS and EES -- that they were
underestimating the credibility of the Schnorr patents in the DSS
debates in (at least) the early and mid 1990s.  

        While making no claim to be a patent scholar, my point was only that
Claus Schnorr's claims -- and/or either his US, European, or Japanese
patents -- were credible enough that they profoundly influenced vendor
adoption of the DSS, and that, in turn, had a serious impact on both
US policy (as well as the relative security of US federal agencies.) 

        I don't mean to suggest that the Schnorr patents were the only factor
-- or even one of the most important factors -- in blocking EES,
Fortezza, required key-escrow or key recovery, etc. I only claim that
the Schnorr patents became, briefly, very important in that struggle
when they helped derail the DSS bandwagon. 

        In the larger context, I think it slowly became apparent to almost
everyone that the NSA's confidence that it could use the gross
aggregate purchasing power of the federal agencies in infosec to shape
and dominate the cryptographic security market was extraordinarily
naive. 

        The more blatantly they tried to manipulate the market, the more they
revealed how little they understood about the industries they sought
to control. 

        Today, only Congressmen, the European Parliament, and foreign
reporters view the NSA with the sort of awe that was common among
American computer and communications professionals in the mid 1980s. 

>    For example, if I say that Prof. Schnorr could even more
> convincingly contribute to the advances in cryptography and
> privacy of individuals if he had given out his patent for free. you at
> once might challenge me for a proof. I can NOT give one. Equally, I
> think it is a hard case to prove what you seem trying to show that his
> patent 'deterred' the other side.

        As far as _proving_ that the Schnorr patents were a factor in slowing
the adoption of the DSS, that could be done fairly easily by anyone
who talked to a lot of people in this industry. The US standards orgs
are also full of people who would freely discuss how the NSA
operated within their organizations.

        The impact of the vendors' rejection of the DSS on the NSA's (overt
and apparent) crypto strategy can also be fairly easily documented by
anyone who talks to the appropriate government officials, many now
retired, who had a part in managing this issue -- at the NSA and NIST,
as well as at other government agencies. 

        While I didn't write the sort of journalistic report that could
document all this, it would not be difficult to do so.

        Unlike most of the traditional business of the NSA or other
intelligence agencies, this initiative demanded that the NSA send out
people in an attempt to influence the vendors, the customers, the
standards orgs, and the civil agencies of the US government. 

        Nothing like that stays secret, especially in the aftermath of a
failed campaign.

>    Maybe, legal profession is different. But this seems simple to me.
> If Prof. Schnorr's patent had that effect as you seemed to show, then
> it needs to be, IMO, a strong case. But you quoted and tried to show
> it is (in the strongest sense) a 'maybe or maybe not'. How could you
> be so sure that it had that kind of impact. 

        Actually -- without attempting to offer an amateur's opinion on
patent law -- it's apparent to me that all that was needed was only a
credible challenge.  

        A potential and credible threat was enough to move DSS's
international royalty-free status into question, and that -- coupled
with RSAPKC's relative efficiency in signature verification -- was
enough to influence the DSS's acceptance in commercial products. 

        (There was also another oblique but important potential patent
challenge to DSS; a patent relevant to the protocol commonly used with
DSA, rather than to the algorithm, per se. Prof. Silvio Micali of MIT
has a patent that seems to cover the precomputation technique commonly
used to make DSA more efficient in signature verification. Only with
precomputation could DSS come within shouting distance of RSAPKC in
signature validation. Since a document is typically signed once, but
validated many times, this was a critical factor.)

> We do not know, I believe,
> what has really been on the mind of NSA, etc. 

        After chatting about this with former government officials for a
decade, I don't think it is that difficult to understand the NSA's
strategy. It is my experience that former NSA guys make superior
drinking buddies, and appreciate people who try to understand what
happened and why. 

        I was uncertain for years whether the whole campaign might be a
charade: part of an elaborate long-term strategy to simply delay the
widespread adoption of strong PKC-based cryptosystems, with no real
expectation of success. 

        It is still hard to believe the hubris of the NSA officials who
decided that they could turn the tide and displace PKC with GAKed
technology, simply by managing the standards process and federal
purchasing. 
        It will always be an open question, but I think most senior NSA
officials actually believed they could pull it off. This is probably
only credible to people who understand how pervasive and dominant the
NSA's influence, money, and expertise was in shaping the first 15
years of the American computer industry. For myself -- and I wrote an
industry history of those years for IBM -- I think they got lost
somewhere on memory lane.

> While I am definitely not
> here to diminish the positive role of Prof. Schnorr's scheme, I think
> I am definitely not going to ignore the individuals who contributed so much
> to the status of Clipper as it stands today.

        If I understand you correctly, I agree. 

        There are many people -- including many within the US government,
where a guerrilla war raged for a decade around the NSA's control of
this issue (and the stranglehold on federal agency procurement the
NSA's strategy demanded) -- who will deserve credit if citizen and
commercial access to strong crypto and unGAKed key management wins the
day.

>    You need not agree with me.
>    Thank you very much.

        In turn, I thank you for your interest, time, and patience.

                _Vin
========
  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto  _vbm

 *     Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>    *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

------------------------------

From: Karel Wouters <[EMAIL PROTECTED]>
Subject: Re: request opinion/info : 1.5 Mbits/s public key scheme
Date: Thu, 27 May 1999 10:27:00 +0200

Hi;

On Wed, 26 May 1999, Dr. mike wrote:

> Karel Wouters wrote:
> > who knows something about the Tame Transformation Method (TTM) ?
> > It has been proposed in 1997 by prof. T.T.Moh at Purdue Univ.
> > It is a public key encryption system that operates at approx
> > 1.5 Mbits/s for encoding (8.5 Mbits/s for decoding). Furthermore, the
> > author claims that the software implementation is faster and safer than
> > _any_ (hardware !) implementation of RSA. It also provides
> > error-correction and master keys. The method is based on maps between
> > affine spaces over a small field of characteristic 2.[...]
> 
> Howdy Karel,
> 
> I'd suggest contacting Prof. Moh directly.  The more work done
> on his stuff, the more acceptable it becomes.  I'd expect it's
> to his advantage to help you understand the details.
> 

I would expect that too, but I contacted Prof. Moh several times and
it seemed to me that he doesn't care about his cryptosystem (although
_he_ holds the patent on it); first, I asked him for a copy of his paper
about the scheme, which I got within 4 weeks (by snailmail; don't ask me
why).
Then, after reading his article, I had some questions. I mailed him about 
them, and after 5 weeks and a reminder, I finally got some (very) short
answers.

At present, I'm writing an (internal) report on the scheme, because there
are a lot of things which are unclear in his article.
4 weeks ago, I sent him a mail about this, with some additional questions 
and I haven't got an answer yet.
Maybe he has had enough of me and my "stupid" questions :-( 
I noticed on his webpage that he's a mathematician and that he focusses on
pure mathematics, so maybe he's just not interested anymore.

The same thing can be said about this USDS company. They only appear to
react when you send several mails.

I'm a mathematician too, but my opinion is that Prof Moh has overlooked
some problems in his scheme. The basis of the scheme looks very strong,
but the scheme in its present shape could be compromised. (easily, I
suspect)

> If he doesn't respond favorably, I'd be supprised, but let us
> know here!
> 

I'll post the URL of my report when it's finished. (if ever :-)

> Patience, persistence, truth,
> Dr. mike

btw: nice sig., Dr mike

best regards;

Karel w





------------------------------

From: Bo Lin <[EMAIL PROTECTED]>
Subject: Re: A question on congruential algebra
Date: Thu, 27 May 1999 09:21:05 +0100

In 1), the solution for x such that x^2 = y mod n is supposed to be asked.
When n is a prime, the equation can be solved in polynomial time. Only the
case n = 8k+1 is a little bit more complicated than the others. You can find
the solution in any book about Number Theory.

In 2), (a^2 + b^2) = (a^2 - (n - 1)b^2) = 0 mod n. The square root of (n - 1)
can be found because n is a prime, by using the conclusion in 1). Let r be
the square root. As a result, (a^2 + b^2) = (a + rb)(a - rb) = 0 mod n. Any
pair (a, b) that satisfies a + rb = 0 mod n or a - rb = 0 mod n is a solution.


Manuel Pancorbo wrote:

> I would like to know how difficult (Polynomial, Non-Polynomial time
> required) it is to solve the following problems about congruences and their
> most proper solving algorithm.
>
> 1) Given 'y' and the prime modulus 'n' find 'x' that fulfils
>
> x^2 mod n = y
>
> 2) Given a prime modulus 'n' and given also the fact that the problem, for
> this given 'n', has solution, find any 'a', 'b'
>
> (a^2 + b^2) mod n = 0
>
> Thanks in advance.
>
> Manuel Pancorbo
> [EMAIL PROTECTED]




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
