Cryptography-Digest Digest #754, Volume #9 Wed, 23 Jun 99 15:13:04 EDT
Contents:
ElGamal without exponent reduction? (Safuat Hamdy)
Re: A Crypto Page Disappears (Mok-Kong Shen)
Re: Converting arbitrary bit sequences into plain English texts (fungus)
Re: Why Elliptic Curve Cryptosystem is stronger with shorter key length? ("Michael Scott")
Re: A slide attack on TEA? (JPeschel)
Re: Converting arbitrary bit sequences into plain English texts (Mike Keith)
Re: Authentication Schemes (Medical Electronics Lab)
helping a beginner ("Fwumph")
Re: Critique of Street Performer Protocol paper ([EMAIL PROTECTED])
Re: Converting arbitrary bit sequences into plain English texts (wtshaw)
Re: Secure broadcast (Medical Electronics Lab)
what I dont get...... ("Fwumph")
Re: "Breaking" a cipher (JPeschel)
Re: A different method of encryption (wtshaw)
Re: A different method of encryption (wtshaw)
Re: Prime-Number Generation (Bob Silverman)
Re: one time pad ("Tony T. Warnock")
Re: A Crypto Page Disappears (John Savard)
Re: A different method of encryption (John Savard)
one time pad ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: ElGamal without exponent reduction?
Date: 23 Jun 1999 18:11:27 +0200
Hi,
suppose we use an ElGamal variant where we do not need to compute inverses
modulo the group order. Such variants exist and are explained in the
Handbook of Cryptography; for instance, let
G: generator
a: secret value
A: public value G^a
and for the signature
k: secret random value
R: G^k
and
s = a h(m) + k g(R) mod n (*)
where h is a hash-function, n is the group order, and g is a (public)
mapping from the elements of the group to Z (the integers). The signature
is (s, R).
For the verification, check that
G^s = A^h(m) R^g(R)
holds.
Now suppose that the reduction mod n in (*) is omitted. Except that the
size of s would be larger, can anybody see whether this would be harmful?
--
S. Hamdy                       | All primes are odd except 2,
[EMAIL PROTECTED]              | which is the oddest of all.
                               |
unsolicited commercial e-mail  |                     D.E. Knuth
is strictly not welcome        |
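As an added worked example (Python, not code from the post or the Handbook), here is the scheme above over a toy prime-order subgroup, signed once with and once without the reduction in (*). The parameters p = 2039, n = 1019, G = 4, the choice of h as SHA-256 reduced into Z_n, and g(R) = R (the residue read as an integer) are assumptions made for the example. Because the group has order n, G^s depends only on s mod n, so verification succeeds either way, and anyone holding an unreduced s can reduce it to the signature the reduced scheme would have produced; the unreduced value therefore reveals the integer a*h(m) + k*g(R) itself rather than only its residue, which is the difference the question asks about.

```python
import hashlib
import secrets

# Constructed toy parameters (an assumption for this example, not from the post):
# p = 2*n + 1 is a safe prime, so G = 4 = 2^2 generates the subgroup of Z_p^*
# of prime order n.  A real deployment uses a far larger group.
P = 2039
N = 1019          # group order n
G = 4             # generator G
assert pow(G, N, P) == 1 and G != 1


def h(m):
    """Hash function h: message -> nonzero element of Z_n (SHA-256 reduced; assumption)."""
    return 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - 1)


def g(R):
    """Public map g from group elements to the integers; here the residue itself (assumption)."""
    return R


def keygen(a=None):
    """Secret value a and public value A = G^a."""
    if a is None:
        a = 1 + secrets.randbelow(N - 1)
    return a, pow(G, a, P)


def sign(a, m, k=None, reduce_mod_n=True):
    """Signature (s, R) with R = G^k and s = a*h(m) + k*g(R), reduced mod n or not."""
    if k is None:
        k = 1 + secrets.randbelow(N - 1)
    R = pow(G, k, P)
    s = a * h(m) + k * g(R)          # equation (*) of the post
    if reduce_mod_n:
        s %= N
    return s, R


def verify(A, m, sig):
    """Check G^s == A^h(m) * R^g(R) in the group."""
    s, R = sig
    if s < 0 or not 0 < R < P:
        return False
    return pow(G, s, P) == pow(A, h(m), P) * pow(R, g(R), P) % P


def compare(a, m, k):
    """Sign with and without the reduction using the same k (so R is identical)
    and report what differs: verification outcome and the size of s."""
    A = pow(G, a, P)
    s_red, R = sign(a, m, k, reduce_mod_n=True)
    s_int, _ = sign(a, m, k, reduce_mod_n=False)
    return {
        "reduced_verifies": verify(A, m, (s_red, R)),
        "unreduced_verifies": verify(A, m, (s_int, R)),
        "unreduced_mod_n_equals_reduced": s_int % N == s_red,
        "bits_reduced": s_red.bit_length(),
        "bits_unreduced": s_int.bit_length(),
    }


if __name__ == "__main__":
    print(compare(123, b"constructed sample message", 456))
```

The `compare` report shows the two signatures verifying identically, the unreduced s being larger, and `s_int % N` coinciding with the reduced signature, which is the "except that the size of s would be larger" observation made concrete.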
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A Crypto Page Disappears
Date: Wed, 23 Jun 1999 17:43:42 +0200
[EMAIL PROTECTED] wrote:
>
> On Wed, 23 Jun 1999 12:54:14 +0200, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
> >John Savard wrote:
> >> "Toby's Cryptopage", by Torbjorn Andersson, has disappeared from the
> >> Web! (Well, I'm going to Altavista to see if it has moved to a new
> >> URL...)
> >I remember that there was a site saying that it was archiving the
> >Web pages on the internet. I don't know what that project has
>
> www.alexa.com
Does alexa archive (the contents of) the Web pages??
M. K. Shen
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Converting arbitrary bit sequences into plain English texts
Date: Wed, 23 Jun 1999 16:28:42 -0100
Bauerda wrote:
>
> >> Is this a sentence:
> >> "Yes!"
> >> And is this a sentence:
> >> "No!"
> >> Both are. Therefore, encode 10010110 as:
> >> Yes! No! No! Yes! No! Yes! Yes! No!
> >> It's English, even though it's a long string of interjections.
> >
> >I think that this should work. Any thought of what arguments the
> >bureaucrats could possibly have against the sort of conversions we
> >discuss in this thread? I should appreciate further contributions.
>
> To make the sentences a little more natural (than yes yes no yes yes no ) why
> not just use any word starting (or ending) with a letter from the first half of
> the alphabet for a zero and the second half for a one? People might not even
> realize that a file is encoded in the message this way.
>
You could modify one of those "poetry generators" to give it
an artistic feel...maybe even encode more than one bit per
word....
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Why Elliptic Curve Cryptosystem is stronger with shorter key length?
Date: Wed, 23 Jun 1999 18:44:27 +0100
Robert Harley <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> There is only one good reason I can think of and that is the
> difficulty of counting the number of points on a curve. In theory it
> is polynomial time, therefore "easy".
>
> In practice there are some research prototypes but what is needed is a
> real-world implementation, able to quickly handle cases big enough to
> be useful, and that's out there for everyone interested to work with.
>
See ftp://ftp.compapp.dcu.ie/pub/crypto/schoof.exe. Runs in a Windows
NT/95/98 command prompt.
Source code at the same site. It's not as fast as one would like - 1 hour to
count the points on a 160-bit curve over GF(p) on a 200MHz Pentium Pro, but
it's just about usable. I have used it successfully for 256-bit curves
(although you might have to leave the computer running over the weekend..).
> It would take time, sweat and money but the main thing is that we know
> how to do it. So solve the problem!,.....
I just did. It takes time, but no sweat, and no money.
Mike Scott
> Bye,
> Rob.
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: A slide attack on TEA?
Date: 23 Jun 1999 17:39:05 GMT
> a fella pretending to be Horst Ossifrage writes:
>Please post a link to the TEA algorithm documentation so I can
>study it.
Try:
http://www.cl.cam.ac.uk/Research/Papers/djw-rmn/
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED] (Mike Keith)
Subject: Re: Converting arbitrary bit sequences into plain English texts
Date: 23 Jun 1999 17:41:37 GMT
>> To make the sentences a little more natural (than yes yes no yes yes no ) why
>> not just use any word starting (or ending) with a letter from the first half of
>> the alphabet for a zero and the second half for a one? People might not even
>> realize that a file is encoded in the message this way.
>
>We need constructs that are grammatically complete sentences;
>a bunch of words may be objected to as not being natural language
>texts.
>
Y'all might find
http://users.aol.com/s6sj7gt/cadenza.htm
interesting.
This is a 4000-word short story (quite grammatical)
in which each word encodes a decimal digit
(usually - sometimes two).
The series of digits encoded is statistically
quite random, being the successive digits of the number pi.
Since this amounts to more than 3 bits per word,
this is quite a bit harder than encoding just one
bit per word - so it seems quite clear to me that one bit
per word could be encoded (by a human writer) without essentially
anyone noticing. (A possibly better scheme than the one suggested above
would be to sum the values of all the letters
in the word, then use even=0, odd=1. This seems
less restrictive to me.)
A computer program would not be able to write as well
as a human, obviously - but maybe good enough.
Mike Keith
Web site: http://users.aol.com/s6sj7gt/mikehome.htm
(remove post-w letters from e-mail address)
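Added example (Python; not code from any poster in this thread): a decoder and a word-picking encoder for the three rules discussed so far - the Yes!/No! interjections quoted at the top of the thread, Bauerda's first-half/second-half-of-the-alphabet rule, and Mike Keith's letter-sum parity rule. The small word list is constructed for the example; a human writer would, as Keith says, choose words freely. It makes the capacity claim checkable (exactly one bit per word under each rule) and shows what a reader who knows the rule does to recover the bytes, which is also what a detector would compute.

```python
import re

# Constructed vocabulary (an assumption for this example).  Any vocabulary works
# as long as both bit values are represented under the rule in use.
WORDS = ["the", "a", "cat", "dog", "sat", "ran", "on", "under", "big", "old",
         "mat", "rug", "and", "then", "it", "was", "quiet", "noisy", "home",
         "yes", "no"]


def letter_sum(word):
    """First step of Mike Keith's rule: a=1 ... z=26 summed over the letters."""
    return sum(ord(ch) - ord("a") + 1 for ch in word.lower() if ch.isalpha())


def parity_bit(word):
    """Mike Keith's rule: even letter sum -> 0, odd -> 1."""
    return letter_sum(word) % 2


def half_bit(word):
    """Bauerda's rule: first letter in a..m -> 0, in n..z -> 1."""
    return 0 if word[0].lower() <= "m" else 1


def yes_no_bit(word):
    """The interjection scheme quoted above: Yes -> 1, No -> 0."""
    return 1 if word.lower() == "yes" else 0


def extract_bits(text, rule):
    """What a reader (or a detector) does: apply the rule to every word in order."""
    return [rule(w) for w in re.findall(r"[A-Za-z]+", text)]


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Pack bits MSB-first; a trailing partial byte is dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def encode(data, rule, words=WORDS):
    """Emit one word per bit, cycling through the words whose rule value matches."""
    pools = {b: [w for w in words if rule(w) == b] for b in (0, 1)}
    if not pools[0] or not pools[1]:
        raise ValueError("vocabulary must contain words of both values under this rule")
    used = {0: 0, 1: 0}
    out = []
    for b in bytes_to_bits(data):
        out.append(pools[b][used[b] % len(pools[b])])
        used[b] += 1
    return " ".join(out)


def decode(text, rule):
    """Recover the bytes hidden in a text under the given rule."""
    return bits_to_bytes(extract_bits(text, rule))


if __name__ == "__main__":
    print(extract_bits("Yes! No! No! Yes! No! Yes! Yes! No!", yes_no_bit))
    for rule in (parity_bit, half_bit):
        cover = encode(b"Hi", rule)
        print(rule.__name__, "->", cover, "->", decode(cover, rule))
```

The encoder deliberately produces word salad rather than sentences: the point of Keith's post is that filling in the grammar is the human writer's job, and that the rule still leaves enough freedom (roughly half of all words per bit) to do it.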
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Authentication Schemes
Date: Wed, 23 Jun 1999 12:44:47 -0500
ryanm wrote:
> I am curious what different authentication schemes exist for
> proving who someone ( A machine ) is. I have used RSA auth
> in the past. What else can be used to prove that host A is
> really who he says he is?? I assume digital certificates
> can be used for this also, but looking for a Host authentication
> FAQ. If anyone has a list or any info they can send me back I
> would appreciate it greatly.
You can use ECC too, check out the MQV algorithm in IEEE P1363.
You can make variations on it if you like, it's set up to
authenticate and generate a shared secret with perfect forward
secrecy. Code is freely available from several sources.
Patience, persistence, truth,
Dr. mike
------------------------------
From: "Fwumph" <[EMAIL PROTECTED]>
Subject: helping a beginner
Date: Wed, 23 Jun 1999 10:41:04 -0700
Crypto, codes, and various methods of encryption have always been a hobby
for me; I'm looking to learn more about encryption types and general
information. Can anyone suggest for me a decent FAQ?
please email me at [EMAIL PROTECTED]
-Fwumph
____________________________________________________________________________
-Crime pays, anyone who tells you otherwise wasn't a good criminal.-
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Critique of Street Performer Protocol paper
Date: Wed, 23 Jun 1999 17:46:46 GMT
Anonymous <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] writes:
> > Anonymous <[EMAIL PROTECTED]> wrote:
> > > A customer will
> > > want to buy a box that can play secured data if that data is much less
> > > expensive than non-secured.
> >
> > You picked an auspicious time to argue this. The first major
> > encrypted perimeter content system, Circuit City's "DIVX" has
> > just gone belly up after they sunk a reported $200 million into
> > it. See http://www.divx.com
>
> You probably meant "inauspicious", since this event would seem to be
> evidence against my claim that consumers would pay for limited devices.
Auspicious means boding well for the future, which the
death of DIVX certainly does.
> However, another recent product introduction is more consistent with my
> suggestions, a low-cost device for special purpose Internet browsing,
> with a non-Windows OS that might offer higher hopes for security. This
> is the iToaster, announced yesterday by Microworkz.com. It is said to
> use a "hybrid" OS, based on Linux and BeOS.
>
> While this may not be the perfect machine for viewing secured data, it
> is an example of a non-Windows machine with a custom OS, used for
> specialized purposes. This is exactly the niche into which a high
> security machine for viewing copyrighted data might fall.
It appears to have no significant relevance to the arguments
surrounding the Street Performer Protocol.
DIVX, on the other hand, was a prime example. It had
the encrypted perimeter, and the software was priced lower
than the same content on DVD. The public rejected DIVX,
as well they should.
Personally, I'd like to see a minor change in copyright
law that would dissuade other companies from producing
similar garbage in the future. While I think there should
be no law against a DIVX-like system, material published
on a medium that denies the public the benefits of fair
use, the first sale doctrine, and circulation by public
libraries should not be protected by copyright. Why should
the studios get all the advantages of copyright while
denying the public the benefits the law intended?
--Bryan
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Converting arbitrary bit sequences into plain English texts
Date: Wed, 23 Jun 1999 12:25:58 -0600
In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
> Bauerda wrote:
>
> > To make the sentences a little more natural (than yes yes no yes yes no ) why
> > not just use any word starting (or ending) with a letter from the first half of
> > the alphabet for a zero and the second half for a one? People might not even
> > realize that a file is encoded in the message this way.
>
> We need constructs that are grammatically complete sentences;
> a bunch of words may be objected to as not being natural language
> texts.
>
>
Ah! Something based on a variation of the Baconian Cipher? I suppose that
a program could make a series of sentences that would pass, even true ones
as I have suggested, but to have an overall plot or gross meaning...that
is another matter.
--
Mirror, mirror on the wall: Where do you get your information?
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Secure broadcast
Date: Wed, 23 Jun 1999 12:32:39 -0500
Gene Sokolov wrote:
> I realize that 56 bit can be cracked on expensive hardware in a couple of
> days. Even worse: if password is cracked in 32 hours, it would still
> compromise the security completely because these passwords are issued just
> once. An attacker spends 32 hours once and then receives data for free
> until password is changed (some don't change passwords in months).
> The point here is that we don't believe anyone would use anything better
> than a fast Pentium on cracking. The payoff is just too small to justify
> better hardware. When hardware gets faster, we can simply increase the
> number of characters in the password to 12 and have 62 bit. Or move to
> case-sensitive passwords and have 59 bits in 10 chars.
I'd push real hard for more bits now. A 1 GHz computer for US$500 is
only 2 years away.
> Yes, it is too expensive. That's why in I.1 I wrote how much data is worth
> ($500/month). I guess "too expensive" starts at about $10K.
OK, that simplifies the threat model.
> First you say that password can be guessed in a few hours (true), then
> suggest to use public/private encryption. That means keys are issued
> individually and stored locally. Then passwords, I can assume, would be used
> locally just to access the public keys. Then the length of the password
> would not mean much.
> On the other hand, use of RSA would require key management & royalties.
> That's something to be avoided. Is there a known way to convert
> password->symmetric key?
> How about hashing user id + password + random number and using the hash
> as a key to symmetric cypher to encrypt the session key? Individually
> encrypted session key and random number(s) would be transmitted openly with
> the stream.
Public key isn't needed. If you have each client's private key,
you can broadcast the session key to all clients, encrypted with
each client's private key. Only the client with a good private key
can get the session key for some set of broadcasts. All clients
will use the *same* session key, but they'll all get it along with
a lot of garbage, which will be all the other clients' session keys
encrypted with their own private keys. So when you change a client
by adding or dropping one, you send a new session key to *all*
clients. This takes some time, but it only has to be done once
in a while (like once an hour).
> About 50 clients, 1 broadcast in 40 seconds, 200 byte each broadcast. I can
> broadcast the security data every other hour for example.
This is not so bad. You can send 50 encrypted session keys,
at 10 bytes per key (or less) in 2 broadcast times (or so).
Send all the data encrypted with the single session key,
all clients can decrypt the data for 1 hour, then do a key
change broadcast again.
> Dr. Gene
Good luck!
Patience, persistence, truth,
Dr. mike
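As an added example (Python; not code from either poster), here is the key-change broadcast Dr. Mike describes, with each client's secret derived the way Gene proposes, from user id + password + a random value, here with PBKDF2-HMAC-SHA256. "Private key" above is read as a per-client symmetric secret. The wrapping construction (HMAC-SHA256 used as a keystream for the session key plus a short tag, so a client can tell which slot is its own among the "garbage"), the 16-byte session key and the roster of 50 constructed clients are assumptions of the example; the post's figures of 50 clients and 200 bytes per broadcast drive the size check at the end.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16      # session key size in bytes (assumption; the post reckons 10 "or less")
TAG_LEN = 8       # per-slot tag so a client recognises its own slot (assumption)
NONCE_LEN = 12    # fresh per key-change message


def client_key(user_id, password, salt, iterations=100_000):
    """Gene's password -> symmetric key question: derive the per-client secret
    from user id + password + random salt with PBKDF2-HMAC-SHA256 (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", user_id.encode() + b"\0" + password.encode(),
                               salt, iterations, KEY_LEN)


def _prf(key, label, data, length):
    return hmac.new(key, label + data, "sha256").digest()[:length]


def wrap(key, nonce, session_key):
    """Encrypt-then-MAC the session key under one client's secret."""
    pad = _prf(key, b"enc", nonce, KEY_LEN)
    ct = bytes(a ^ b for a, b in zip(session_key, pad))
    return ct + _prf(key, b"mac", nonce + ct, TAG_LEN)


def unwrap(key, nonce, slot):
    """Return the session key if this slot was wrapped under `key`, else None."""
    ct, tag = slot[:KEY_LEN], slot[KEY_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct, TAG_LEN)):
        return None
    pad = _prf(key, b"enc", nonce, KEY_LEN)
    return bytes(a ^ b for a, b in zip(ct, pad))


def key_change_message(client_keys, session_key):
    """One key-change broadcast: a fresh nonce, then one slot per current client."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + b"".join(wrap(k, nonce, session_key) for k in client_keys)


def recover_session_key(my_key, message):
    """A client tries every slot; only the one wrapped under its key authenticates."""
    nonce, body = message[:NONCE_LEN], message[NONCE_LEN:]
    slot = KEY_LEN + TAG_LEN
    for i in range(0, len(body), slot):
        sk = unwrap(my_key, nonce, body[i:i + slot])
        if sk is not None:
            return sk
    return None


def broadcasts_needed(message_len, bytes_per_broadcast=200):
    """Ceiling division: how many 200-byte broadcasts a key-change message occupies."""
    return -(-message_len // bytes_per_broadcast)


def demo(n_clients=50, iterations=20_000):
    """Constructed roster: derive client keys, issue a session key, then drop
    one client and re-key.  Iteration count lowered only to keep the demo quick."""
    salts = {f"client{i}": secrets.token_bytes(16) for i in range(n_clients)}
    keys = {uid: client_key(uid, f"pw-{uid}", salt, iterations)
            for uid, salt in salts.items()}
    sk1 = secrets.token_bytes(KEY_LEN)
    msg1 = key_change_message(keys.values(), sk1)
    everyone = all(recover_session_key(k, msg1) == sk1 for k in keys.values())
    dropped = keys.pop("client7")                 # client leaves: re-key without it
    sk2 = secrets.token_bytes(KEY_LEN)
    msg2 = key_change_message(keys.values(), sk2)
    return {
        "all_recovered_first_key": everyone,
        "dropped_client_gets_new_key": recover_session_key(dropped, msg2) is not None,
        "remaining_recover_new_key": all(recover_session_key(k, msg2) == sk2
                                         for k in keys.values()),
        "message_bytes": len(msg1),
        "broadcasts_for_rekey": broadcasts_needed(len(msg1)),
    }


if __name__ == "__main__":
    print(demo())
```

With these sizes a 50-client key change is 12 + 50 * 24 = 1212 bytes, i.e. seven 200-byte broadcasts rather than the two estimated above with 10-byte keys and no tags; the tag is what lets a client stop scanning at its own slot and reject a slot wrapped for someone else, and the nonce is what keeps two key changes under the same client secret from producing related wrappings.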
------------------------------
From: "Fwumph" <[EMAIL PROTECTED]>
Subject: what I dont get......
Date: Wed, 23 Jun 1999 11:12:02 -0700
Sorry,
these posts must be incredibly annoying to you all. But I can think of no
other way:
I've read all these FAQs etc., and understand that different formulas are
used to decipher different encryptions..but what I DON'T get is how to apply
the formulas to an encrypted message. Do you do it all out on paper? (and if
you do...I have no idea how to......) or is there a program that you can put
the formula into?
Please shed some light here..
Thanks.
-Fwumph
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: "Breaking" a cipher
Date: 23 Jun 1999 18:32:10 GMT
> [EMAIL PROTECTED] quotes:
>"Steven Alexander" <[EMAIL PROTECTED]> who wrote:
>> It is also said that someone can break a cipher if they can recover the
>> key/plaintext in a reasonable amount of time whether it is by brute-force or
>> a faster attack. For example, EFF can break DES in a couple of days using
>> brute-force.
and then responds:
>By this logic I can break Twofish by searching the entire keyspace.
>Normally brute force is not considered a break as any cipher is
>vulnerable to a brute force search.
Tommy, do you ever read the posts you respond to? Notice Steven's
phrase "in a reasonable amount of time."
A brute-force break is just that, a break. See Menezes.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 12:18:27 -0600
In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > I suppose I probably could have found the answers to these and many
> > more questions if I read the faq, but somehow this seems more direct.
>
> Also more of a waste of everybody's time and network bandwidth.
> Why are you so lazy?
Perhaps it is a matter of style and choice. The FAQ presents a point of
view at times, not necessarily the unbiased whole of a matter.
--
Mirror, mirror on the wall: Where do you get your information?
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 12:14:26 -0600
In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
> AllanW wrote:
> > Others in this thread have mocked your idea as exceptionally
> > obvious. But in fact, it is not obvious until you have been
> > exposed to the idea. ...
>
> I think the main point of the criticism is that one should not step
> into a well-developed field and tell people how things should be done
> without first *learning* enough about the field to have a chance of
> contributing something new and useful.
This criticism should be secondary to that of a group of people who are in
the know who conspire to lie about something critical.
One thing about free-thinking: it is allowed; brainstorming can cause
lightning to strike where you don't expect it, and where some do not
especially appreciate it. If something good ruffles a few feathers, it
demonstrates that frozen patterns of thought are not the sole path to
truth.
--
Mirror, mirror on the wall: Where do you get your information?
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Prime-Number Generation
Date: Wed, 23 Jun 1999 17:47:36 GMT
In article <7kol9a$jfc$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> For Rabin-Miller prime generation, instead of using a random value
> for <a> (the number which is randomly chosen), could you use a set
> of pre-chosen numbers? What numbers would be good for this?
>
It depends.
Are you testing a randomly generated number for primality, i.e.
one you generated yourself?
Or are you testing a number someone gave you which they claim is prime?
If the latter and you fix the set of bases you use for M-R, then
your "opponent" can construct a composite which will pass M-R for your
fixed set of bases.
If the former then any set is OK. I would recommend successive
small primes or integers, as using such a set gives a slight speed
advantage.
BTW, rather than use multiple M-R tests, using a SINGLE M-R test
followed by a single Lucas-Lehmer test would be more reliable.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
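An added Python example (not Bob Silverman's code) for the distinction drawn above: Miller-Rabin with a caller-chosen base list, the same test with random bases for numbers handed to you, and a Lucas probable-prime test so that the "single M-R followed by a single Lucas test" combination (the one usually called Baillie-PSW) can be run. The composites in the comments are the well-known strong pseudoprimes 2047 = 23*89 to base 2 and 3215031751 = 151*751*28351 to bases 2, 3, 5 and 7, exactly the kind of number a verifier with a fixed base set would accept; the Lucas test here uses Selfridge's parameter choice, which is an implementation decision of this example.

```python
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def miller_rabin(n, bases):
    """Strong probable-prime test with a caller-supplied list of bases.
    A fixed list is fine for numbers you generated yourself, but a composite
    can be built to pass any published list (e.g. 3215031751 passes 2, 3, 5, 7)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def miller_rabin_random(n, rounds=20):
    """Same test with bases nobody could have chosen in advance."""
    if n < 4:
        return n in (2, 3)
    return miller_rabin(n, [2 + secrets.randbelow(n - 3) for _ in range(rounds)])


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def lucas_probable_prime(n):
    """Lucas probable-prime test: with D chosen so that (D/n) = -1, P = 1 and
    Q = (1 - D)/4, a prime n satisfies U_{n+1} == 0 (mod n)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if math.isqrt(n) ** 2 == n:          # no D would work for a perfect square
        return False
    D = 5                                # try 5, -7, 9, -11, ...
    while True:
        j = jacobi(D, n)
        if j == -1:
            break
        if j == 0:                       # gcd(D, n) > 1: prime only if n == |D|
            return n == abs(D)
        D = -(abs(D) + 2) if D > 0 else abs(D) + 2
    P, Q = 1, (1 - D) // 4
    inv2 = (n + 1) // 2                  # inverse of 2 modulo odd n
    U, V, Qk = 1, P, Q % n               # (U_1, V_1, Q^1)
    for bit in bin(n + 1)[3:]:           # binary ladder over the bits of n + 1
        U, V = U * V % n, (V * V - 2 * Qk) % n             # k -> 2k
        Qk = Qk * Qk % n
        if bit == "1":                                      # k -> k + 1
            U, V = (P * U + V) * inv2 % n, (D * U + P * V) * inv2 % n
            Qk = Qk * Q % n
    return U == 0


def is_probable_prime(n):
    """Trial division, one Miller-Rabin round to base 2, then one Lucas test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    return miller_rabin(n, [2]) and lucas_probable_prime(n)


if __name__ == "__main__":
    n = 3215031751
    print(miller_rabin(n, [2, 3, 5, 7]), miller_rabin_random(n), is_probable_prime(n))
```

Run on 3215031751 the three calls answer True, False, False: the fixed bases are fooled, random bases are not, and the Lucas test rejects it without any randomness at all, which is the reliability Silverman is pointing at.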
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Wed, 23 Jun 1999 12:50:04 -0600
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
> I would like to put forth the following claims
> and if anyone would care to comment, disprove,
> etc., I would appreciate it. I thought I knew
> some things (being new to cryptography), but a
> patient individual helped me see I have more to
> learn. He suggested I come to Deja, so here I am.
>
> 1. One time pads, when implemented, deployed, and
> used correctly are the only known cipher that
> guarantees the security of the plain text over a
> non secured media. (Physical security is assumed
> for this discussion.)
>
True.
>
> 2. Maintaining statistical randomness produces a
> weakness in the pad since the probability of some
> values already seen in the bit stream are less
> likely to be found again.
>
False. The probabilities are independent.
>
> 3. As long as a minimal amount of randomness is
> guaranteed, the pad's security is its strongest.
> To require strong randomness is to limit the
> opportunities of what can be found on the pad and
> thus limit the candidates of possible plain text
> hidden by the OTP's output.
>
This seems false. What is "strong randomness"? Randomness implies
independent distributions. I'm not sure what the converse of "strong"
randomness means, nonrandom?
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A Crypto Page Disappears
Date: Wed, 23 Jun 1999 18:50:38 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote, in part:
>I remember that there was a site saying that it was archiving the
>Web pages on the internet. I don't know what that project has
>become now. There might be a chance that you could get the materials
>you deem valuable from there and put these on your own site.
Well, I've already pillaged those pages of all the *information* I
could use - e.g., the description of the Swedish SA-1 cipher machine.
If I can contact Mr. Andersson himself, and get his permission, I
would be glad to stick his whole site on my site until he can get a
location of his own back. The photos on his site are what I found to
be its best attribute, but I can't just use them myself without
permission.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A different method of encryption
Date: Wed, 23 Jun 1999 18:54:25 GMT
[EMAIL PROTECTED] (Dave Hazelwood) wrote, in part:
>We actually had such an "area" phone mobile system here in Singapore
>and it was a flop. They had receivers at all the petrol stations and
>as long as you were in the proximity of one you could make a call.
>I think regular cellular became so cheap that the cost differential
>evaporated and that was the end of it.
Actually, I was describing how regular cellular service works. I was
replying to a strange post, one announcing, as a "new" cipher, the
one-time pad (and yet by someone who appeared to have or to claim
technical expertise) with a bit of sarcasm. I felt I could do that, as
it seemed likelier that this was a deliberately provocative post than
the innocent mistake of a newbie.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: one time pad
Date: Wed, 23 Jun 1999 18:06:41 GMT
I would like to put forth the following claims
and if anyone would care to comment, disprove,
etc., I would appreciate it. I thought I knew
some things (being new to cryptography), but a
patient individual helped me see I have more to
learn. He suggested I come to Deja, so here I am.
1. One time pads, when implemented, deployed, and
used correctly are the only known cipher that
guarantees the security of the plain text over a
non secured media. (Physical security is assumed
for this discussion.)
2. Maintaining statistical randomness produces a
weakness in the pad since the probability of some
values already seen in the bit stream are less
likely to be found again.
3. As long as a minimal amount of randomness is
guaranteed, the pad's security is its strongest.
To require strong randomness is to limit the
opportunities of what can be found on the pad and
thus limit the candidates of possible plain text
hidden by the OTP's output.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
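To make the three claims above, and Tony Warnock's replies to them earlier in this digest, concrete, here is an added Python example (not from either post) that enumerates every possible pad for a short ciphertext and computes the posterior distribution over plaintexts exactly. Its assumptions are a uniform prior over messages and a pad source emitting independent bits with P(1) = p. With p = 1/2 every plaintext stays exactly as likely as before the ciphertext was seen (claim 1); conditioning on pad bits already seen leaves the distribution of the later bits unchanged (the independence in the reply to claim 2); and a pad that is only "minimally random", here p = 4/5, lets an attacker's best guess be right far more often than chance (the reply to claim 3).

```python
from fractions import Fraction
from itertools import product


def pad_probability(pad, p_one):
    """Probability that a source emitting independent bits with P(1) = p_one
    produces exactly this pad (constructed model; exact arithmetic via Fraction)."""
    p_one = Fraction(p_one)
    prob = Fraction(1)
    for bit in pad:
        prob *= p_one if bit else 1 - p_one
    return prob


def posterior(ciphertext, p_one):
    """P(m | c) for every plaintext m of len(c) bits under a uniform prior on m.
    Since c = m XOR pad, each m is explained by exactly one pad, m XOR c,
    so P(c | m) is simply the probability of that pad."""
    n = len(ciphertext)
    joint = {}
    for m in product((0, 1), repeat=n):
        pad = tuple(x ^ y for x, y in zip(m, ciphertext))
        joint[m] = Fraction(1, 2 ** n) * pad_probability(pad, p_one)
    total = sum(joint.values())
    return {m: pr / total for m, pr in joint.items()}


def best_guess_probability(ciphertext, p_one):
    """How often an attacker who names the most likely plaintext is right."""
    return max(posterior(ciphertext, p_one).values())


def posterior_given_known_prefix(ciphertext, known_prefix, p_one):
    """The attacker has learned the first k plaintext bits (hence the first k pad
    bits).  Condition the full posterior on that and marginalise to the rest.
    With independent pad bits this equals posterior(ciphertext[k:], p_one):
    the bits already seen say nothing about the ones still to come."""
    k = len(known_prefix)
    full = posterior(ciphertext, p_one)
    consistent = {m: pr for m, pr in full.items() if m[:k] == tuple(known_prefix)}
    total = sum(consistent.values())
    return {m[k:]: pr / total for m, pr in consistent.items()}


def summary(ciphertext, p_one, known_prefix):
    """The three checks a practitioner wants, as exact fractions / booleans."""
    return {
        "best_guess": best_guess_probability(ciphertext, p_one),
        "chance_level": Fraction(1, 2 ** len(ciphertext)),
        "prefix_taught_nothing": posterior_given_known_prefix(ciphertext, known_prefix, p_one)
        == posterior(ciphertext[len(known_prefix):], p_one),
    }


if __name__ == "__main__":
    c = (0, 1, 1, 0, 1, 0, 0, 1)          # constructed 8-bit ciphertext
    for p in ("1/2", "4/5"):
        print(p, summary(c, p, (1, 1, 0)))
```

For the 8-bit ciphertext the unbiased pad leaves the best guess at 1/256, chance level, while p = 4/5 raises it to (4/5)^8 = 65536/390625, about 17%; in both cases `prefix_taught_nothing` is True, which is what "the probabilities are independent" means in numbers.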
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************