Cryptography-Digest Digest #681, Volume #9        Wed, 9 Jun 99 10:13:02 EDT

Contents:
  Re: being burnt by the NSA ("Douglas A. Gwyn")
  Re: being burnt by the NSA ("Douglas A. Gwyn")
  Re: Using symmetric encryption for hashing (SCOTT19U.ZIP_GUY)
  Re: being burnt by the NSA ("Douglas A. Gwyn")
  Re: I KICKED HER HARD IN THE CUNT I KNOCKED HER ON HER ASS THEN I STEPPED ON HER 
NECK AND WATCHED HER DIE (Sam)
  Re: my simple cipher ([EMAIL PROTECTED])
  Re: what cipher? ("Douglas A. Gwyn")
  Re: KRYPTOS ("Douglas A. Gwyn")
  rsa with fpga ("lewis chen")
  Re: KRYPTOS ("Kalika")
  Break this simple cipher ([EMAIL PROTECTED])
  Re: being burnt by the NSA (Nicholas Landau)
  Re: being burnt by the NSA (Thomas Pornin)
  I challenge thee :) (smoke_em)
  Re: rc4 vs. rand() ([EMAIL PROTECTED])
  Re: Key lengths vs cracking time (Thomas Pornin)
  Re: my simple cipher ([EMAIL PROTECTED])
  Re: tomstdenis' simple.c ([EMAIL PROTECTED])
  Blowfish or RC4/5 in Visual Basic (Pontus Hanserkers)

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: being burnt by the NSA
Date: Wed, 09 Jun 1999 04:14:01 GMT

[EMAIL PROTECTED] wrote:

> The fact still remains that people complain about the NSA (Dave Scott
> likes to do this) and I have never heard anything from the NSA.

Why should you?  I.e., why should they care what D.Scott thinks?

NSA employees aren't allowed to talk about what they do, for the most
part, without first clearing it with their Public Affairs office.
That's too much trouble for something like a message to this forum.

> In fact I have seen bad things, such as DES and skipjack.  Both
> ciphers have been broken which means they are human too.

DES and Skipjack both admirably met their design goals.
DES has just recently *barely* been broken in a published attack,
so it held up far longer than its design lifetime of ten years.
Skipjack hasn't been broken in the general case, to my knowledge.

> I have never been in DC, but if I am down there I may take a peek :)

The National Cryptologic Museum is worth a visit.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: being burnt by the NSA
Date: Wed, 09 Jun 1999 04:16:22 GMT

fungus wrote:
> Again, this shows to me that the NSA knows *exactly* what they
> are doing.

There are certainly many people on NSA's staff who do know these
things to a depth not realized publicly.

------------------------------

From: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
Subject: Re: Using symmetric encryption for hashing
Date: Mon, 31 May 1999 22:53:12 GMT

In article <[EMAIL PROTECTED]>,
  Paul Onions <[EMAIL PROTECTED]> wrote:
> Thomas J. Boschloo wrote:
> >
> > I have posted this question to news:comp.security.pgp.discuss and
> > news:alt.security.pgp, but I still feel kind of fuzzy on the subject.
> >
> > Can, for example, twofish in cbc-mode (or whatever) be used as a hashing
> > function? Could you, as an example, use the string "hash" as a key to
> > encrypt a document and take the last few bytes of cyphertext as your
> > hash for that document? Would this be safe?
>
> In general, no.  Cryptographic hashes are usually assumed to have the
> properties of one-wayness and collision-resistance.  Using a block-cipher
> in CBC mode provides neither of these.
>
> For example, given the last few bytes of CBC ciphertext we could simply
> "invent" some previous ciphertext and then decrypt it, giving us a
> pre-image of the hash.  So it wouldn't be one-way.
>
> Also, in CBC mode, if you know the key it's easy to insert plaintext
> blocks so that the ciphertext beyond the inserted block is the same
> as it was originally.  So it's easy to create colliding messages.
>
> On the other hand there are specific constructions to create hash
> functions from block ciphers, but I don't have any to hand right now.
>
> Maybe someone more familiar with these techniques will post a
> recommendation.
>

  I posted this earlier but for some reason I wrote scott16
instead of scott16u but as you know plain vanilla scott16 treats
odd and even length files and it was a TYPO. Anyway since
scott19u or scott16u do not use CBC mode and since a bit change
anywhere in the input file affects the whole output file you
could use the last (or front) few bytes as a hash if you wanted
to and not suffer from the same problems as Paul pointed out
above.

> (Though I do know that they tend to be rather sensitive to any weaknesses
> in the underlying block cipher - weaknesses that may not necessarily be
> a concern when using the cipher in its more normal modes - and that some
> of them have been broken).
>
> Hope this de-fuzzifies things a bit :-)
> Paul(o)
>
> --
> Paul Onions                     [EMAIL PROTECTED]
>                                  PGP 2.6.3 key available
>                             D704688BEFBF2D5D 546BC1D603E2A8E0
>

--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
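Paul's two objections above (no one-wayness, no collision resistance) can be exercised concretely. What follows is an added example, not code from either poster or from the scott19u package. It uses XTEA (64-bit block, 128-bit key), chosen only because it fits in a few lines; Twofish or any other block cipher behaves identically under these attacks, which use nothing but the ability to decrypt. It builds the "CBC-encrypt under the fixed key 'hash', keep the last block" function, then (a) produces a pre-image by inventing earlier ciphertext blocks and decrypting backwards, exactly as Paul describes, and (b) produces a colliding message by inserting the block p' = D(c_i) XOR c_i, which maps the CBC chain back onto c_i so every later ciphertext block is unchanged. The Davies-Meyer function at the end is one of the block-cipher hash constructions Paul mentions; its 64-bit output is far too short for real use and is shown only for structure. The zero-padding of the key "hash", the sample message and all function names are assumptions of this example.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8  # XTEA block size in bytes; any block cipher would do for these attacks


def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Standard XTEA encryption: 64-bit block, 128-bit key, 32 rounds."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Exact inverse of xtea_encrypt (same key schedule walked backwards)."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_hash(key: bytes, msg: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """The construction asked about: CBC-encrypt under a fixed, public key and
    keep only the last ciphertext block.  msg must be a whole number of blocks."""
    assert len(msg) % BLOCK == 0
    prev = iv
    for i in range(0, len(msg), BLOCK):
        prev = xtea_encrypt(key, xor(msg[i:i + BLOCK], prev))
    return prev


def cbc_preimage(key: bytes, target: bytes, nblocks: int, iv: bytes = bytes(BLOCK)) -> bytes:
    """Not one-way: invent ciphertext blocks c_1..c_{n-1}, set c_n = target, and
    decrypt backwards: p_i = D(c_i) XOR c_{i-1}, with c_0 = iv."""
    cts = [os.urandom(BLOCK) for _ in range(nblocks - 1)] + [target]
    prev, blocks = iv, []
    for c in cts:
        blocks.append(xor(xtea_decrypt(key, c), prev))
        prev = c
    return b"".join(blocks)


def cbc_insert_collision(key: bytes, msg: bytes, at: int, iv: bytes = bytes(BLOCK)) -> bytes:
    """Not collision-resistant: insert p' = D(c_at) XOR c_at after block `at`.
    E(p' XOR c_at) == c_at, so every later ciphertext block, and the 'hash', is unchanged."""
    prev = iv
    for i in range(0, (at + 1) * BLOCK, BLOCK):
        prev = xtea_encrypt(key, xor(msg[i:i + BLOCK], prev))
    fixpoint = xor(xtea_decrypt(key, prev), prev)
    cut = (at + 1) * BLOCK
    return msg[:cut] + fixpoint + msg[cut:]


def davies_meyer_hash(msg: bytes) -> bytes:
    """Davies-Meyer: H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}, the message block used as
    the KEY, after MD-style padding (0x80, zeros, 64-bit bit length).  The
    feed-forward XOR is what removes the decrypt-backwards trick.  64-bit state
    is far too short against birthday search: structure only, not a real hash."""
    padded = msg + b"\x80"
    padded += bytes((-len(padded) - 8) % 16)
    padded += struct.pack(">Q", len(msg) * 8)
    h = bytes(BLOCK)
    for i in range(0, len(padded), 16):
        h = xor(xtea_encrypt(padded[i:i + 16], h), h)
    return h


if __name__ == "__main__":
    key = b"hash".ljust(16, b"\0")           # "use the string 'hash' as a key" (padding assumed)
    msg = b"attack at dawn, send gold now!!!"  # constructed sample, exactly 4 blocks
    h = cbc_hash(key, msg)
    fake = cbc_preimage(key, h, 3)
    forged = cbc_insert_collision(key, msg, 1)
    print("CBC 'hash'        :", h.hex())
    print("pre-image found   :", cbc_hash(key, fake) == h, fake.hex())
    print("collision found   :", cbc_hash(key, forged) == h, forged != msg)
    print("Davies-Meyer(msg) :", davies_meyer_hash(msg).hex())
    print("Davies-Meyer(forg):", davies_meyer_hash(forged).hex())
```

Run it as a script: the pre-image is a 3-block message that was never "encrypted" yet produces the same last block, and the forged message is the original with one extra block spliced in after the second block, again with the same last block. Neither trick carries over to the Davies-Meyer function, because there the message block is the key and the chaining value is fed forward, so "inventing a previous ciphertext block" no longer gives you anything you can decrypt.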

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: being burnt by the NSA
Date: Wed, 09 Jun 1999 04:32:03 GMT

fungus wrote:
> That they exist physically is no big secret, but do you know what
> they're listening in to, or what they do with their results?

Sure -- but *you* don't need to know such things.

> How big is their annual budget compared to (for example) the CIA?

A comparison among agencies isn't particularly useful;
several US (and foreign partner) intelligence agencies cooperate
in collecting information, and the funds go to where they are
required to get the job done.

The total US national foreign intelligence program budget is about
$27 billion, of which about $3.1 billion goes to CIA and about
$3.6 billion goes to NSA.  NRO gets about $6.2 billion.

Not much of a secret.

------------------------------

From: Sam <[EMAIL PROTECTED]>
Subject: Re: I KICKED HER HARD IN THE CUNT I KNOCKED HER ON HER ASS THEN I STEPPED ON 
HER NECK AND WATCHED HER DIE
Date: Wed, 09 Jun 1999 13:48:18 +1000

nice...

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: my simple cipher
Date: Wed, 09 Jun 1999 03:24:57 GMT


> Any feedback would be appreciated.  I would like to write a paper or
> document this cipher.  If anyone wants to help I would appreciate it!
Guess who. :-) More comments/questions:
1) Why do you do a swap on the s-table while you are calculating the
final permutation? What I've read on the posts of this newsgroup tended
to suggest that every operation you do in your cypher would need a good
reason behind it. Is there one in this case? Or is it there just to add
a few more swaps? And you are still not touching the first entry into the
s-table, which is equal to the first character of the key if y never
gets equal to zero on s-table calculation.

2) You said:
> One problem with the source as presented is that in the output, if
> any outputs are not equal then you know their inputs into the final
> function are not equal.
If I am not misinterpreting what you have said there, the final
permutation does not help for messages encrypted with the same key. The
p-table entries only depend on the key, so you will still have some
information about the values before final substitution. Am I wrong?

More may follow. :-)



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: what cipher?
Date: Wed, 09 Jun 1999 04:40:39 GMT

David Wagner wrote:
> By nonlinear combinator, I assume you mean a NLFSR (shift register with
> nonlinear feedback function)?

Essentially.  More usually called a combiner, come to think of it.
There are several ways to wire up SR-based cryptosystems, but since
I don't know of a public source for the information I can't describe
them.  Feel free to invent some.

> Suppose you take a NLFSR, use the plaintext as the initial fill, ...
> ...  Thus, I would claim that the "NLFSR" and the "unbalanced Feistel
> cipher" are, in some sense, just two ways to view the same object.

Well, no, just the particular way you "wired up" that NLFSR system.
Other ways of doing it wouldn't be equivalent.

> ...  This suggests that you should add some form of round
> dependence to the NLFSR, be it round counters (like in Skipjack), ...

No doubt, Skipjack's example of round dependence is a good security
feature, and one can surmise that it was put there for a reason.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: KRYPTOS
Date: Wed, 09 Jun 1999 04:44:31 GMT

Jim Gillogly wrote:
> ... I just solved one of the other sections.

Excellent!  Let me be one of the first to congratulate you.

------------------------------

From: "lewis chen" <[EMAIL PROTECTED]>
Subject: rsa with fpga
Date: Tue, 8 Jun 1999 23:48:04 +0800

Hi ,
    has anybody used an FPGA to implement RSA?
I am an expert in ALTERA's FPGAs, maybe I can help you

                                                Lewis



------------------------------

From: "Kalika" <[EMAIL PROTECTED]>
Subject: Re: KRYPTOS
Date: Thu, 10 Jun 1999 03:44:41 +0800

congratulations!



------------------------------

From: [EMAIL PROTECTED]
Subject: Break this simple cipher
Date: Tue, 01 Jun 1999 23:30:18 GMT

Here is a challenge: break this small ten byte message (in hex)

23 E4 BA 17 83 22 F3 DC 04 CB

I will post tomorrow about why I did this post (there is a lesson in it
for some people).

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!



------------------------------

From: [EMAIL PROTECTED] (Nicholas Landau)
Subject: Re: being burnt by the NSA
Date: 8 Jun 1999 14:27:50 -0400

>[EMAIL PROTECTED] wrote
>>Who has actually been burnt by the NSA?  As far as I know they are so
>>secretive they don't exist.

The secretive nature of the NSA is overstated in the popular media.
They exist.  You can go visit their headquarters if you want.  Take
the Baltimore-Washington Parkway North from DC and they have an exit
somewhere North of Laurel.  The sign says "NSA Next Exit."  Big secret.

------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: being burnt by the NSA
Date: 9 Jun 1999 10:06:30 GMT

According to fungus  <[EMAIL PROTECTED]>:
[skipjack]
> I heard there's an attack on it which works if you remove just
> one round from the cipher

With 2^41 chosen plaintexts and a complexity factor of 2^78. I would
hardly say that this attack "works". Anyway, it just means that, by luck
or advanced knowledge, the NSA put just the optimal number of rounds
to have the advertised security (key is 80 bits, therefore even an
unrealistic attack using many chosen plaintexts should require at least
2^79 steps of computation). More rounds would give some extra trust but
would make the algorithm slower, too.

This attack was presented by Biham, Biryukov and Shamir at Eurocrypt'99.

        --Thomas Pornin

------------------------------

From: smoke_em <[EMAIL PROTECTED]>
Subject: I challenge thee :)
Date: Wed, 09 Jun 1999 13:47:36 +0200

I'm new to sci.crypt, and having read through most of the scott* stuff, I
think we need something to relax a bit.

I have this sort-of polyalphabetic cipher, you see. Well, the original
'92 incarnation was PASC equivalent anyway. That's too easy you say, and
that's probably right.

Well, if you're not a cipher guru/guy, and e.g. you, like me, are new to
cryptography and haven't tried breaking one of these, here is your
chance. If I get some response on this, I'll post some material for you
to crack, along with some details.

Additionally, I would like someone skilled/trained to look at the
algorithm (or source code) - that is, tell me what they think is
good/bad.
It's not very complicated and the actual coding section is short and
easily understandable even without comments.

PS: excuse my English.


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: rc4 vs. rand()
Date: Wed, 09 Jun 1999 11:33:54 GMT


> If you're going to make a lot of money then feel free to make
> a donation to Ron Rivest.

And I will steal your program, and may make a donation...

I personally think that using the cipher in non-profit situations
should not be an issue (consider free chat rooms etc...) but in
commercial situations I think paying up is an honest thing to do.

Of course we can always use free ciphers can't we?

Tom

------------------------------

From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Key lengths vs cracking time
Date: 9 Jun 1999 12:31:28 GMT

According to <[EMAIL PROTECTED]>:
> In fact no personal computer can crack properly made RSA or DH keys
> within this universe's lifetime. Ooops.

With currently known algorithms. A breakthrough in this domain is always
possible, although these are rather rare (last one was the number field
sieve, and it is 10 years old now).

Anyway, breakthroughs are, by nature, unpredictable, and it is not a good
scientific way of thinking to speculate on such things. However,
with (or even without) the TWINKLE device, we know that 512-bit keys
should be considered as insecure in the near future. 1024-bit is safe.

Special note about the NSA: maybe they have a new algorithm that can
crack a 1024-bit key in 11 seconds on a 386. Maybe. So what? I do not
see why a 2048-bit key would then be more secure, and, moreover, they
have other means against which I cannot do much, and that are much more
scary than the eventuality of reading my personal email. They may shoot
me, for instance.

        --Thomas Pornin

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: my simple cipher
Date: Wed, 09 Jun 1999 11:03:57 GMT


> 1) Why do you do a swap on the s-table while you are calculating the
> final permutation? What I've read on the posts of this newsgroup tended
> to suggest that every operation you do in your cypher would need a good
> reason behind it. Is there one in this case? Or is it there just to add
> few more swaps? And you are still not touching the first entry into the
> s-table, which is equal to the first character of the key if y never
> gets equal to zero on s-table calculation.

I copied it from RC4, you probably would not need to do that, but I
wanted to make sure that if you could detect what the final permutation
was you would not be able to tell where it came from in the array.

> If I am not misinterpreting what you have said there, the final
> permutation does not help for messages encrypted with the same key. The
> p-table entries only depend on the key, so you will still have some
> information about the values before final substitution. Am I wrong?

No, the problem is somewhat hindered.  With the final permutation it is
possible to have two different outputs which were equal into the last
round.  Inside the round function this is no biggie because of the PHT,
however performing a PHT on the last round output would in a sense cure
this problem, but any attacker can undo it.

> More may follow. :-)

No problem.  There are still ways to attack this cipher.  A slide
attack should be possible (I am not completely sure, David any
comments?).  We could make round keys the same way the final
permutation is done, but this would complicate it further, and I don't
want to do so unless it is required.

Tom

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: tomstdenis' simple.c
Date: Wed, 09 Jun 1999 11:17:56 GMT


> And it does its job well... It was easy to follow through. Although I
> have missed a few crucial points (see below).

That's ok, (lordcow knows I have missed points before :) ).

> Can you point me to some documents about PHT? I don't even know what it
> stands for.

PHT stands for Pseudo-Hadamard Transformation.  It works like this.  If
your inputs are 'a' and 'b', the outputs are '2a + b' and 'a + b'.  It
is used as a simple mixing operation.  It's also useful because if a
and b are equal the outputs are not, and this is required for this
cipher.  In C the operation looks like

a += (b += a)

When we expand this we get:

b += a;
a += b;

Or
b' = b + a;
a' = (b + a) + a;

Sorry if that was confusing, but I copied it from SAFER [Sch96].

> That was exactly what I was trying to say, but it was the result of
> missing the further mixing additions.

Well, on the output you cannot just use a PHT, as I posted earlier.

> It's good to build up knowledge from simple (looking?) algorithms to
> more complicated ones. I appreciate your efforts in helping others (and
> yourself on the way). I would expect the en/de-crypt operations to be
> fast. The slowest part would probably be the key scheduling.

No problem, this is fun.  The actual cipher is really quick.  It's
about as fast as any other AES (well slightly slower since the table is
not always in the cache).  I would take a guess if the average AES is
at 20 cycles per byte, this one would be around 30-35 cycles.  The
table fits quite nicely in most L2 caches which means the access is
still quick (about 1.5 cycles per byte).

Another feature of the key schedule is that you cannot just store
scheduled keys to try and crack a message, you must build them.  Say
for example you use a 64 bit key, which is quite small, you would have
to store 2^17+2^64 or 2^81 bytes (2^61 MB and 2^51 GB).   Like Blowfish
it adds considerably to a brute force attack (which is why I haven't
discussed it much).

>
> How about taking one step back, and replacing all shorts with chars.
> Then you will have half of the cypher with a small s-table. Or is it
> simply going to miss the point of your example completely?

Take a look at SAFER-SK and SAFER+ from

www.cylink.com

They use byte vectors, but they rely on round keys (better idea) and a
fixed table for diffusion.  They use the PHT as described in my cipher
for diffusion as well (except they have it on the last round?).

The point of my example was to highlight that large quantities of ram can
be used, and used efficiently.  If you have seen Dave Scott's code you
will know what I am talking about. My program (demo if you wish) is
considerably shorter and people can pick it up and talk (thanks, you
proved it yourself  :) ).

You could make the same cipher with any other vector size (byte, word,
maybe even 19 bit words :) ).  It would take more/less ram/time.  Even
byte size vectors would be secure (and require only 256 bytes of ram)
because guessing the internal table is infeasible.  I however wanted to
propose a 128-bit block cipher.

Tom
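For the PHT as described in the post above, here is an added example (not Tom's simple.c, whose table-driven cipher is not reproduced here): the transform, its inverse, and a check of the "equal inputs give unequal outputs" property. The inverse is what makes the remark "any attacker can undo it" from the earlier reply concrete: a PHT on the final round output is a public, keyless bijection, so it mixes the two words but hides nothing. The 16-bit word size is assumed from the post's mention of shorts; one caveat a practitioner should know is that 3a and 2a coincide mod 2^16 when a = 0, so the pair (0, 0) is the single equal-input pair the property does not cover.

```python
MASK16 = 0xFFFF  # simple.c works on 16-bit shorts, so the PHT is taken mod 2^16 (assumed)


def pht(a: int, b: int) -> tuple:
    """Pseudo-Hadamard Transform from the post: (a, b) -> (2a + b, a + b) mod 2^16.
    The same two updates as the C one-liner `a += (b += a)`, written out in order."""
    b = (b + a) & MASK16
    a = (a + b) & MASK16          # a + (a + b) == 2a + b
    return a, b


def pht_inverse(a2: int, b2: int) -> tuple:
    """Undo the PHT: a = a2 - b2, b = 2*b2 - a2 (mod 2^16).  Because this exists
    and needs no key, a PHT applied to the last round's output mixes the words
    but hides nothing from an attacker, who simply applies this function."""
    a = (a2 - b2) & MASK16
    b = (2 * b2 - a2) & MASK16
    return a, b


def equal_inputs_collide(a: int) -> bool:
    """Equal inputs (a, a) map to (3a, 2a); those are equal only when a == 0
    mod 2^16, the single pair on which 'equal in, unequal out' fails."""
    x, y = pht(a, a)
    return x == y


if __name__ == "__main__":
    for a, b in [(1, 1), (0x1234, 0xBEEF), (0xFFFF, 1)]:
        a2, b2 = pht(a, b)
        print(f"({a:#06x}, {b:#06x}) -> ({a2:#06x}, {b2:#06x}) -> {pht_inverse(a2, b2)}")
    print("collides for a=0:", equal_inputs_collide(0), " for a=5:", equal_inputs_collide(5))
```

The wrap-around case (0xFFFF, 1) shows why the masking matters: the C version on unsigned shorts wraps the same way, and the inverse still recovers the inputs exactly.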

------------------------------

From: Pontus Hanserkers <[EMAIL PROTECTED]>
Subject: Blowfish or RC4/5 in Visual Basic
Date: Wed, 09 Jun 1999 15:41:28 +0200

Is there anyone out there who has working Blowfish or RC4/5 code in
Visual Basic? I tried to code it myself but my cryptography skills
are pretty low, so I never got it working.

Best Regards //Pontus Hanserkers


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
