Cryptography-Digest Digest #735, Volume #9       Fri, 18 Jun 99 15:13:03 EDT

Contents:
  Re: SLIDE ATTACK FAILS (SCOTT19U.ZIP_GUY)
  Re: Is DES easy to crack whit other kind of attack? (SCOTT19U.ZIP_GUY)
  RC4/Solitaire Hand Cipher (Logic)
  Re: SLIDE ATTACK & large state SYSTEMS ([EMAIL PROTECTED])
  Re: Caotic function (Mok-Kong Shen)
  Re: DES versus Blowfish (John Savard)
  PKCS#10 request (Tomislav Posavec)
  Re: Question about Cryptography/Encryption... (John Savard)
  Re: Solitaire optimization ([EMAIL PROTECTED])
  Re: differential cryptanalysis ("Douglas A. Gwyn")
  Re: Looking for pointers (David A Molnar)
  Re: RC4/Solitaire Hand Cipher (Paul Rubin)
  Re: rc4 vs. rand() (Aidan Skinner)
  Re: CAST-256 implementation (?) ("Brian Gladman")
  Re: DES Encryption Function and an MLP (Richard Leighton Dixon)
  Re: RC4/Solitaire Hand Cipher (David A Molnar)
  Re: the student paradox (David A Molnar)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: SLIDE ATTACK FAILS
Date: Fri, 18 Jun 1999 17:37:43 GMT

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>>    By unprofessional way would that include the bragging of some professional
>> claiming it was dead years ago and that his pet slide attack shows that it is
>> dead. When he never bothered to test it.
>
>What I recall is that the fellow said *in advance* that he was going
>to spend a few days trying the slide attack against SCOTT19U, because
>he thought it might work.  This he did, keeping us all posted as he

  Don't play stupid. It was the so called inventor of the attack, Mr DW,
who claimed it was dead years ago and that the slide attack would
easily prove it. Don't tell me you missed that post. I was not being
critical of Horst for trying to use that weak method against my code.

>progressed.  In the end, that attempt failed, but all that means is
>that that particular person (and collaborators) using that particular
>attack did not succeed in breaking the system.  It doesn't prove
>anything one way or another about SCOTT19U's security, nor about the
>"professionalism" of the analyst.

 The professionalism of the analyst was not in question, as I mentioned
in the paragraph above. If you had half a brain you should have been able
to ascertain that. It was the professionalism of the writer of the method
who has dismissed this as dead years ago and has openly said so. But he has
never really had the balls to give it a good look, since it is not designed
in the narrow path that he has gone through to study crypto. Only Ritter has
ever really bothered to look at the code. Heck, the guy has all the code
and a running program. You'd think if DW or BS knew anything about crypto
they could analyze it. But either they are too embarrassed because it is better
than the fishy stuff they could come up with. Yes it is slower than theirs,
yes it uses more memory, but given encrypted messages which would actually
protect better? Or is that even a consideration in their mind? I doubt that
actual security of transmitted messages is a real concern, except that we don't
want to make it too hard for the NSA to read our messages. Just hard enough
so the masses can't easily break it.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Is DES easy to crack whit other kind of attack?
Date: Fri, 18 Jun 1999 17:24:45 GMT

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>> *Im wondering if in a simple PC is possible obtain the key when u
>> know the complete text then, comparing the Encrypted info and non
>> encrypted info.
>
>Nobody knows how to do this.

 Since it is highly unlikely that, just after a few blocks using any of the
blessed chaining modes, more than one key could give the mappings
needed for the translation, there most likely is a way. If there is a simple
closed form solution the NSA would be the one most likely to have it.
If they have one they are not going to tell anyone and would do their best
to keep the public from finding out. But it is a stretch to say that no one
knows. A better answer would be that there is no widely known simple
attack that is known in the open literature.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (Logic)
Subject: RC4/Solitaire Hand Cipher
Date: 18 Jun 1999 11:42:45 -0500


Forgive me if this has been proposed before.  I don't follow this group as
closely as I should...

I finished reading Cryptonomicon, and Bruce Schneier's description of
Solitaire.  (Very cool, by the way, Bruce).  For some reason, I was
reminded of RC4.  It seems, in RC4, that all this business with permuting
a state array lends itself immediately to playing cards laid out on a jail
cell floor.

If we used only 26 cards, say a black set and a red set, as our state
array, it seems we could directly substitute occurrences of "256" with "26"
in the RC4 source code (using addition modulo 26) and it would work.  This
would give us 26! keys, or roughly 88 bits of key material. 

I suppose this could be extended to using 52 cards, with redundant state
array entries.  This would give us on the order of 52! =~ 225 bits, less
the redundancy.

To my admittedly untrained eye, it seems the details of this modification
would just fall into place to make a workable hand cipher that would be
(relatively) blindingly fast.

Thoughts?

- Andy Brown

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: SLIDE ATTACK & large state SYSTEMS
Date: Fri, 18 Jun 1999 15:31:48 GMT

You are not worth talking to.  You think you know everything.  Ask
anyone and they will confirm what I posted, it just makes sense.

I don't care for any more of your lame insults, good day.

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Caotic function
Date: Fri, 18 Jun 1999 19:09:03 +0200

ivana wrote:
> 
> I'm looking for documentation about caotic funcions. I 'm a student and
> can't begin my work without it. Anyone can help me with some links ?

You may want to join the sci.fractals group.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: DES versus Blowfish
Date: Fri, 18 Jun 1999 17:28:56 GMT

Bechir Jannet <[EMAIL PROTECTED]> wrote, in part:

>I am trying to understand, whether there is a major difference in the
>achieved security, when using DES or Blowfish?

Blowfish is likely considerably more secure.

>Both DES and Blowfish, are Feistel block cipher processing 64 bits
>plaintext blocks;

>DES has four weak keys and six pairs of semi-weak keys. What about
>blowfish?

No keys are known that are as weak as the DES weak keys, although I
think there may be some keys known that are weak in another way. Since
the S-boxes are key-dependent, there is a very small chance of a key
being seriously weak.

>The only thing that speaks for Blowfish, is that it is faster and easier
>to implement! is that correct?

Well, the initial S-box state is quite long. And while Blowfish
encrypts more quickly, key setup is (intentionally, for security
reasons) quite slow.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: Tomislav Posavec <[EMAIL PROTECTED]>
Subject: PKCS#10 request
Date: Fri, 18 Jun 1999 17:46:48 GMT

Looking for freeware source code to generate PKCS#10 cert requests. 
Does anyone know if something like that is out there?  Thanks.
-Tom

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Question about Cryptography/Encryption...
Date: Fri, 18 Jun 1999 17:39:04 GMT

Sundial Services <[EMAIL PROTECTED]> wrote, in part:

>it is set in very large type with wide margins, the very
>opposite of Kahn.

My original comment on this has long since passed from my server, but
I see it didn't receive a reply which took issue with my use of
printing terminology.

The Codebreakers indeed is set in 10-point Times Roman, with an
additional 2 points of leading inserted between lines (hence, 12 point
linespacing, sometimes wrongly called 12 point leading on some
electronic and film typesetting systems).

Originally, I wasn't sure if it was 10 on 12 or 11 on 13 until I went
back and checked.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Solitaire optimization
Date: Fri, 18 Jun 1999 16:40:51 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Johnny Bravo) wrote:
> On Thu, 17 Jun 1999 16:42:25 GMT, [EMAIL PROTECTED] wrote:
>
> >Finally, any recommendation on key change intervals? The easiest
> >protocol would be to never change the key, and just send new messages
> >with the deck left over from the last message sent or received. This
> >would result in a long chain of correspondence all being protected by a
> >single keystream. No part of the keystream would be reused, but are
> >there other problems with this? How often is it necessary to change to a
> >new key?
>
>   This would only be practical on a computer.  If you make a mistake
> somewhere along the line the deck would become useless since it would
> no longer be in sync with the other deck.  The only solution would be
> to redo every single message ever encoded with that key so that you
> can get the decks back in sync.

When working by hand, you'd probably want to record the deck state
periodically to make error recovery easier. I think this is true even if
we use a new key for each message, because redoing even most of one
message could be a pain.

> You would be better off using a
> shared medium to resync the decks on a regular basis.  Or even just
> sending a new key in an encoded  message, so both parties can start
> from a known state.

If we can successfully send a new key, then we're already in sync. But
there may be other reasons for changing keys.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: differential cryptanalysis
Date: Sun, 13 Jun 1999 08:53:35 GMT

[EMAIL PROTECTED] wrote:
> ps. I know this is not the subject of sci.crypt, but where can I get a
> prog to view .ps files under ugh.. win '95

Others have suggested GhostScript, but you might prefer RoPS (a
freeware version probably still exists somewhere in the WWW).

Personally I use Adobe's Acrobat Distiller to convert PostScript
files to PDF (you can get a free PDF viewer from Adobe), but the
Distiller is not freeware.  (It's part of Acrobat Exchange.)

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Looking for pointers
Date: 18 Jun 1999 17:33:05 GMT

David A Molnar <[EMAIL PROTECTED]> wrote:
>> Talking about "proven security" amounts to promoting a delusion which
>> all too many want to believe and will grasp out of context.  What
>> security proofs we have in cryptography depend upon assumptions which
>> cannot be proven in practice.  There is no proven security.  

> I'm sorry, I was sloppy with just putting 'proof' in quotes. 
> I also apologize for the belated timing of this post. 

I should emphasize this more -- thank you for pointing out that
I was using "provable security" out of context. The lengthy 
explanation is an attempt to restore that context, not to show
somehow that you were wrong to point out its lack. 

Thanks, 
-David Molnar


------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: RC4/Solitaire Hand Cipher
Date: Fri, 18 Jun 1999 17:41:26 GMT

In article <7kdsu5$[EMAIL PROTECTED]>, Logic <[EMAIL PROTECTED]> wrote:
>I finished reading Cryptonomicon, and Bruce Schneier's description of
>Solitaire.  (Very cool, by the way, Bruce).  For some reason, I was
>reminded of RC4.  It seems, in RC4, that all this business with permuting
>a state array lends itself immediately to playing cards laid out on a jail
>cell floor.
>
>If we used only 26 cards, say a black set and a red set, as our state
>array, it seems we could directly substitute occurrences of "256" with "26"
>in the RC4 source code (using addition modulo 26) and it would work.  This
>would give us 26! keys, or roughly 88 bits of key material. 
>
>I suppose this could be extended to using 52 cards, with redundant state
>array entries.  This would give us on the order of 52! =~ 225 bits, less
>the redundancy.

Yes, RC4 with a deck of cards has been discussed before.  I don't
understand why you'd want to use 26 cards instead of 52, or what you
mean about redundant state arrays.  I think one of Solitaire's
design goals was to not have to lay the cards all over the floor,
especially face up.

An easy way to do RC4 with 52 cards is to have 26 values representing
the letters of the alphabet; a few more values for a SPACE character
and some punctuation; possibly 10 values for digits (otherwise use
a "numeric shift" convention to overlay digits with letters, like
in Baudot code); and use the remaining values for common words and
phrases to speed up hand operation.  

Then you can lay out the deck as 4 rows of 13 cards.  This lets you do
all the arithmetic on rows and columns, representing each card
position as a coordinate pair.  That means all the mental arithmetic
is mod 4 or mod 13.  You don't have to add mod 52 in your head.

I don't know how the smaller permutation (52 elements instead of RC4's
usual 256) affects security.

You could do RC4 with pencil, paper, and eraser, with 255 elements,
by marking the paper into a 15*17 grid and doing the arithmetic
mod 15 and 17.  It might be easier to do it with 99 elements (9*11).
You might want to use rice paper for this, since if you're a good
spy you're supposed to eat the paper when you're done.  ;-)
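The two RC4-with-cards posts above (Andy Brown's 26-card variant with addition mod 26, and Paul Rubin's 4-by-13 layout with arithmetic mod 4 and mod 13) describe a construction precisely enough to try. The Python below is an added example written for this digest; it is not code from either poster, nor from RC4's or Solitaire's authors. It generalises RC4's key scheduling and output generation to an N-element state, computes log2(N!) for N = 26 and N = 52 (the "88 bits" and "225 bits" figures), encrypts a letters-only message with N = 26, and checks Rubin's row/column arithmetic. Reading his layout as placing position i at (i mod 4, i mod 13), which makes coordinate-wise addition equal addition mod 52 by the Chinese remainder theorem, is my own assumption about what he means; the helper names, the keyword and the sample message are constructed here. At N = 256 with a byte key the same code is ordinary RC4, which is how it can be checked against a published test vector.

```python
# Added example (not from any post in this digest): RC4 generalised to an
# N-element state, so that N = 26 or N = 52 can be tried as Brown suggests,
# plus the Chinese-remainder view of Rubin's 4-by-13 card layout.
# Needs Python 3.8+ for pow(x, -1, m).
from math import factorial, gcd, log2


def ksa(key, n):
    """RC4 key scheduling over a state of n elements (key symbols in range(n))."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, count):
    """Produce `count` keystream symbols in range(len(s)); mutates s."""
    n = len(s)
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return out


def key_bits(n):
    """log2(n!): the number of distinct initial states for an n-element deck."""
    return log2(factorial(n))


ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text):
    """Map A..Z to 0..25, dropping anything else (constructed convention)."""
    return [ALPHA.index(c) for c in text.upper() if c in ALPHA]


def encrypt26(plaintext, keyword):
    """Brown's proposal: 26-element state, keystream added to letters mod 26."""
    pt = _letters(plaintext)
    ks = prga(ksa(_letters(keyword), 26), len(pt))
    return "".join(ALPHA[(p + k) % 26] for p, k in zip(pt, ks))


def decrypt26(ciphertext, keyword):
    ct = _letters(ciphertext)
    ks = prga(ksa(_letters(keyword), 26), len(ct))
    return "".join(ALPHA[(c - k) % 26] for c, k in zip(ct, ks))


# Rubin's rows-and-columns arithmetic.  Placing position i at
# (i mod rows, i mod cols) is a bijection only when rows and cols are coprime
# (4 and 13, 9 and 11, 15 and 17 all are); by the Chinese remainder theorem,
# adding coordinate-wise mod rows and mod cols is then exactly addition
# mod rows*cols.  That CRT reading of the layout is an assumption.
def to_coords(i, rows, cols):
    return (i % rows, i % cols)


def from_coords(rc, rows, cols):
    """Inverse of to_coords via the CRT formula; requires gcd(rows, cols) == 1."""
    r, c = rc
    n = rows * cols
    return (r * cols * pow(cols, -1, rows) + c * rows * pow(rows, -1, cols)) % n


def add_coords(a, b, rows, cols):
    return ((a[0] + b[0]) % rows, (a[1] + b[1]) % cols)


def layout_is_sound(rows, cols):
    """True iff the coordinate layout is a bijection and coordinate addition
    agrees with addition mod rows*cols for every pair of positions."""
    if gcd(rows, cols) != 1:
        return False
    n = rows * cols
    return all(
        from_coords(add_coords(to_coords(x, rows, cols),
                               to_coords(y, rows, cols), rows, cols), rows, cols)
        == (x + y) % n
        for x in range(n) for y in range(n)
    )


if __name__ == "__main__":
    print(f"26 cards: {key_bits(26):.1f} bits, 52 cards: {key_bits(52):.1f} bits")
    ct = encrypt26("ATTACK AT DAWN", "QUEEN")  # constructed sample message
    print(ct, decrypt26(ct, "QUEEN"))
    print("4x13 layout sound:", layout_is_sound(4, 13))
    print("2x26 layout sound:", layout_is_sound(2, 26))
```

Note that `layout_is_sound(2, 26)` is False: the natural "two colours of 26" split of a deck does not give Rubin's trick, because 2 and 26 are not coprime, whereas 4 rows of 13 (suits by ranks) do. Neither the posts nor this example say anything about whether a 26- or 52-element RC4 state is secure; as Rubin notes, that question is open in the thread, and log2(N!) only bounds the number of initial states, not the strength of the keystream.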

------------------------------

From: [EMAIL PROTECTED] (Aidan Skinner)
Subject: Re: rc4 vs. rand()
Date: 18 Jun 1999 09:47:25 GMT
Reply-To: [EMAIL PROTECTED]

On Thu, 17 Jun 1999 11:27:18 -0700, Roger Schlafly
<[EMAIL PROTECTED]> wrote: 

>Aidan Skinner wrote in message ...

>>OTOH are software patents a good thing in the first place?
>
>RC4 is *not* patented. There is no company that makes an ownership

I know this, I was trying to make a more general point. Sorry for any
confusion caused.

>keep it trade secret for a while, but it was released into the public
>domain several years ago.

Has The Company accepted this yet? Just curious.

- Aidan

-- 
http://www.skinner.demon.co.uk/aidan/
Horses for courses, tac-nukes to be sure.

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: CAST-256 implementation (?)
Date: Fri, 18 Jun 1999 19:02:29 +0100


Serge <[EMAIL PROTECTED]> wrote in message
news:7kc36s$30b$[EMAIL PROTECTED]...
> Is anywhere in Web a source code of C/C++ implementation of CAST-256?
>
> Regards,
> Serge.
>
>

http://www.seven77.demon.co.uk/cryptography_technology/Aes/



------------------------------

From: [EMAIL PROTECTED] (Richard Leighton Dixon)
Crossposted-To: comp.ai.neural-nets
Subject: Re: DES Encryption Function and an MLP
Date: 18 Jun 1999 11:07:20 PDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> wtshaw wrote:
> > In article <[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] (Richard Leighton Dixon) wrote:
> > > Why would a genetic algorithm be useless? Isn't this method effective in
> > > finding solutions despite the discontinuity?
> > A generic algorithm would be based on specified mathematical equations
> > and/or general principles.  Generic algorithms should be truly scalable.
> 
> He said "genetic", not "generic".  Genetic algorithms are iterative
> optimization techniques that are loosely modeled upon evolution by
> mutation and survival of the fittest (genes).  It's a well-developed
> technology, but it's not magic.  Survival of the fittest (typically
> the half of the current generation of genes that have the best score
> against the optimization criterion) directs the search toward local
> optima, while mutation introduces parallel searching in other parts
> of the domain, avoiding the standard problem of convergence to a
> local rather than global optimum.  If there is no local continuity
> (the function doesn't approximate a C^1 function), the survival
> part becomes just hooey, and mutation would have to accidentally
> land right on the global optimum point (which is unlikely) and that
> optimum detected before it gets lost in the next iteration.
> 

Thanks for pointing out my typing error (generic versus genetic). Ever 
since my C4 neck injury, I've had a hard time typing, especially with my 
left hand.

And thanks, also, for the response to my question. In particular, I 
didn't understand the GA's need for local continuity and overestimated 
the chance of finding the global optimum.

Regards,

rld

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: RC4/Solitaire Hand Cipher
Date: 18 Jun 1999 18:12:41 GMT

Logic <[EMAIL PROTECTED]> wrote:

> I finished reading Cryptonomicon, and Bruce Schneier's description of
> Solitaire.  (Very cool, by the way, Bruce).  For some reason, I was
> reminded of RC4.  It seems, in RC4, that all this business with permuting
> a state array lends itself immediately to playing cards laid out on a jail
> cell floor.

I think this was briefly discussed on Cypherpunks at one point -- if
anyone has the exact time ?

-David Molnar


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: the student paradox
Date: 18 Jun 1999 18:10:57 GMT

[EMAIL PROTECTED] wrote:
> here is an interesting tidbit...

> When most people start cryptography or any computer science course they
> have many ideas on how things are done (how to encrypt data, how to
> compress, how to sort, how to...).  Many of the ideas are naive to
> experts.  As the student learns more however they have less ideas and
> settle into accepted academia (or lines of thought).

What's that .sig quote - "learned men are the cisterns of knowledge,
not the fountainheads ?" For some reason it seems that this is a 
widespread sentiment. 

I don't know how I feel about it, exactly. I don't think I like it.
Then again, I'm pretty young and likely naive. 

> So basically less knowledge = more ideas, more knowledge = worse
> ideas.  One might argue that there are less ideas but they are higher
> quality, but one could also argue that more knowledge = more tools for
> ideas... :)
  
Personally, I would hope for the latter. Just today I found out about
a paper on "Fast Approximate PCPs". The paper covers techniques by
which a powerful prover can convince a verifier that the prover has
nearly correctly (approximate) evaluated some function f(x) on an
arbitrary x in sub-linear time in the size of x (fast). Now I'm 
wondering if I can use these techniques to create a signature 
scheme where a server can delegate the work of verifying signatures
to an arbitrary number of helpers, which then send the server 
a proof that the signature was good or not. 

That is, some incoming message has a signature, and so there's some
amount of computation that has to be done on the message and signature
to verify it. Our server doesn't want to do all the work itself, so
it sends the message to some helper, which performs signature verification
and then proves that verification to the server. The idea is that the
proof of correctness is shorter/more efficient than actually verifying
yourself. 

Kind of like a cow chewing its cud...in the sense that each of the helpers
"chew" the message+sig to make the cost of verifying its authenticity
less. 

Anyway, there are lots of problems that need to be worked out. Not least
of which is the fact that I don't know any signature scheme yet which
has a proof using the paper's techniques. Another thing is that it's not
clear that using something like this will introduce more overhead than 
possible gains. Even so, it's an idea I wouldn't
have had without taking the time to look into what's been done -- because
I wouldn't have realized it was possible. 

It also strikes me that there are results which happen mostly because
someone read about Thing X and then Thing Y and realized a connection
which hadn't been noticed before. That's one way in which learning more
leads to "more tools for ideas" or "more ideas."

-David Molnar

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
