Cryptography-Digest Digest #786, Volume #9 Sun, 27 Jun 99 12:13:03 EDT
Contents:
Re: A few questions on RSA (S.T.L.)
Re: On an old topic of internet publication of strong crypto (Bill Unruh)
Re: On an old topic of internet publication of strong crypto (JPeschel)
Re: A few questions on RSA (David A Molnar)
Re: determining number of attempts required (JPeschel)
Re: DES-NULL attack (Thomas Pornin)
Re: Moores Law (a bit off topic) (Thomas Pornin)
Re: DES-NULL attack (Rob Warnock)
Re: Moore's Trend ([EMAIL PROTECTED])
Re: Converting arbitrary bit sequences into plain English texts ([EMAIL PROTECTED])
Re: Moore's Trend (fungus)
Des keys ([EMAIL PROTECTED])
Re: Tough crypt question: how to break AT&T's monopoly??? (fungus)
Re: Tough crypt question: how to break AT&T's monopoly??? (fungus)
Re: Kryptos article (Lincoln Yeoh)
Re: Des keys (fungus)
Re: Des keys (Thomas Pornin)
Re: Kryptos article (Lincoln Yeoh)
Re: Tough crypt question: how to break AT&T's monopoly??? (Dave Hazelwood)
Re: A few questions on RSA (DJohn37050)
New version of free disk encryption product for NT (with Scramdisk support)
([EMAIL PROTECTED])
--- sci.crypt charter: read before you post (weekly notice) (D. J. Bernstein)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: A few questions on RSA
Date: 27 Jun 1999 06:34:33 GMT
<<There are attacks for small public
keys, but there small = "e = 3". >>
Really? How do they work?
-*---*-------
S.T.L. ===> [EMAIL PROTECTED] <=== BLOCK RELEASED! 2^3021377 - 1 is PRIME!
Quotations: http://quote.cjb.net Main website: http://137.tsx.org MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!" e^(i*Pi)+1=0 F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/ Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*-------
Card-holding member of the Dark Legion of Cantorians, the Great SRian
Conspiracy, the Triple-Sigma Club, and the Union of Quantum Mechanics
Avid watcher of "World's Most Terrifying Causality Violations", "World's
Scariest Warp Accidents", and "When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #2: Thou Shalt Conserve Mass/Energy In Closed Systems.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: On an old topic of internet publication of strong crypto
Date: 27 Jun 1999 06:33:04 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (JPeschel)
writes:
>That's not what he said. A scientific paper is not subject to export
>restriction.
This is true if it is on paper. However if it is posted on the net, and
it contains crypto source code then it is export restricted. This is
precisely the heart of the Bernstein case.
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: On an old topic of internet publication of strong crypto
Date: 27 Jun 1999 06:54:08 GMT
> [EMAIL PROTECTED] (Bill Unruh) writes:
>>That's not what he said. A scientific paper is not subject to export
>>restriction.
>
>This is true if it is on paper. However if it is posted on the net, and
>it contains crypto source code then it is export restricted. This is
>precisely the heart of the Bernstein case.
Yeah, Bill, you're right, the paper cannot contain source code
and be posted on the net. I thought I made the distinction between
source code and scientific paper clear. I guess not. It seemed
obvious to me that a scientific paper, in electronic form, that
contained source would be export restricted.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: A few questions on RSA
Date: 27 Jun 1999 07:22:03 GMT
S.T.L. <[EMAIL PROTECTED]> wrote:
> <<There are attacks for small public
> keys, but there small = "e = 3". >>
> Really? How do they work?
Very vaguely: by using several related ciphertexts to
develop a system of simultaneous equations, then
finding equivalent equations which can be solved over
the integers with the same solutions. Since it is
easy to solve equations like x^y = c over the
integers, this breaks the system and recovers
the message in question.
Alternative vague formulation: construct a
lattice from a system of simultaneous
equations based on some ciphertexts. Show
that the vectors in this lattice are unique
within a ball of exponential radius.
Fix it so the shortest vector in the
lattice corresponds to the plaintext you
want.
Note that there is a wonderful algorithm
which computes _approximations_ to
short vectors in polynomial time called
the LLL algorithm. Use this to get
an approximation to the shortest
vector of your lattice -- an approximation
to the real message. Because this
lattice has vectors which are unique
inside that radius, your approximation
must be the "right" vector.
There's actually several attacks - I will post
more details later (it's becoming a bit late
here and I need to look at notes), or you might try Dan Boneh's
"Twenty Years of Attacks on the RSA Cryptosystem"
available at his web page. There's a whole
section on low public-exponent attacks.
Check out the Franklin-Reiter attack for an example
of when bad padding is worse than no padding at all.
-David Molnar
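The broadcast variant described above (the same unpadded message sent to three e = 3 recipients, the ciphertexts combined by CRT and the cube solved over the integers) as an added Python example; it is not part of the original post, and the primes, moduli and plaintext are constructed here for illustration.

```python
"""Hastad-style broadcast recovery for unpadded RSA with e = 3 (added example)."""
E = 3

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; the 13 bases below suffice for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime_for_e3(start: int) -> int:
    """Smallest prime >= start with gcd(3, p - 1) == 1, so e = 3 is a valid exponent."""
    p = start
    while not (is_prime(p) and (p - 1) % E != 0):
        p += 1
    return p

def icbrt(n: int) -> int:
    """Floor of the real cube root of a non-negative integer (binary search)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def crt(residues, moduli) -> int:
    """Combine x = r_i (mod n_i) for pairwise coprime n_i into x mod prod(n_i)."""
    x, mod = 0, 1
    for r, n in zip(residues, moduli):
        t = ((r - x) * pow(mod, -1, n)) % n
        x += mod * t
        mod *= n
    return x

def hastad_broadcast(ciphertexts, moduli):
    """If every c_i = m^3 mod n_i for one m < min(n_i), then m^3 < n1*n2*n3 and the
    CRT value is m^3 itself, so an integer cube root gives m; otherwise None."""
    c = crt(ciphertexts, moduli)
    m = icbrt(c)
    return m if m ** 3 == c else None

def demo():
    # Constructed 122-bit moduli with e = 3 and a constructed 112-bit plaintext.
    moduli = [next_prime_for_e3(2**61 + k * 10**5) * next_prime_for_e3(2**61 + (k + 3) * 10**5)
              for k in range(3)]
    m = int.from_bytes(b"attack at dawn", "big")
    unpadded = [pow(m, E, n) for n in moduli]
    # A different pad per recipient breaks the "common m" relation this simple version
    # needs; the related-message attacks cited in the post handle such linear padding,
    # which is why the defence is a large randomized padding scheme, not a pad byte.
    padded = [pow((m << 8) | pad, E, n) for pad, n in zip((0x11, 0x22, 0x33), moduli)]
    return hastad_broadcast(unpadded, moduli), hastad_broadcast(padded, moduli)

if __name__ == "__main__":
    print(demo())
```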
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: determining number of attempts required
Date: 27 Jun 1999 06:47:01 GMT
> [EMAIL PROTECTED] (JPeschel) wrote:
>Keith, as far as I know there aren't any Blowfish crackers on the net, with
>one
>
>exception. Markus Hahn wrote a program to recover Blowfish 97 passwords.
Well, there is another I forgot about, by Pavel, that brute-forces Norton
Secret Stuff, which uses 32-bit Blowfish.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: DES-NULL attack
Date: 27 Jun 1999 10:25:16 GMT
According to wtshaw <[EMAIL PROTECTED]>:
> You seem not to understand the difference between design-setup and
> production.
For a 2000 billion dollar machine, the market is small. I guess there
would be only one produced. Moreover, if big series of ASIC reduce
costs, you would get extra costs for storage and cooling (imagine
billions of billions of EFF-machines -- this should produce some heat).
Therefore I think my estimations are rather low. With today's
technology, a 128-bit cracking machine is not conceivable. Too big.
Too expensive.
But, in 30 years, maybe... it depends on the erratic progress of science.
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Moores Law (a bit off topic)
Date: 27 Jun 1999 10:35:32 GMT
According to david avery <[EMAIL PROTECTED]>:
> actually I believe Moore said the number of transistors you could put
> on a chip doubled every 18 mo. The performance increase is because of
> the density and transistor count increase.
The version I use for estimation is the following: every three years,
you can put 4 times as many transistors and run the thing at twice
the frequency for the same price. Note that this means somehow 8x
raw computing power whereas your version gives 4x. This is because
microprocessors are crippled with issues such as backward compatibility,
which means that they cannot increase the register sizes as fast as is
technically possible. Moreover, their calculation model does not scale
that well.
For cracking machines, we have a highly parallel algorithm so we can
think in terms of gates and silicium surface.
To sum up, my own estimation is (I guess) appropriately cautious, and
simple: it is one more bit per year. So 128-bit is for 2070 (for 250000$
development and construction).
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED] (Rob Warnock)
Subject: Re: DES-NULL attack
Date: 27 Jun 1999 11:38:10 GMT
Thomas Pornin <[EMAIL PROTECTED]> wrote:
+---------------
| > Let a plaintext block contain only bits with NULL value.
| > Then the corresponding cipher block is a well-defined function
| > of the encryption key, which can be recovered.
|
| Ok. Prove it. Here is the result of the DES encryption of 0 by a secret
| key of mine:
| e5d72a33650d160f
| Now show me the key.
+---------------
Indeed. And let's not forget that Unix has been using *exactly* this method
(DES-encrypt a constant "0" with a secret key) for its login password checking
system since the early 1970's, and it hasn't been "broken" yet either (except
by exhaustive search, or dictionary attacks on weak keys).
Here's the Unix-style encrypted password for my account on a local server:
xUU9wZP1NNhpA
What's the "key" (plaintext password)? [Hint, it's a poor one -- all letters.]
-Rob
p.s. Before someone screams, yes, I know that Unix's password encryption
is not identically DES. But the idea is the same...
=====
Rob Warnock, 8L-855 [EMAIL PROTECTED]
Applied Networking http://reality.sgi.com/rpw3/
Silicon Graphics, Inc. Phone: 650-933-1673
1600 Amphitheatre Pkwy. FAX: 650-933-0511
Mountain View, CA 94043 PP-ASEL-IA
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Moore's Trend
Date: Sun, 27 Jun 1999 11:50:57 GMT
In article <[EMAIL PROTECTED]>,
Horst Ossifrage <[EMAIL PROTECTED]> wrote:
> If Moore's Trend continues, it will take 120 years before
> a $250,000 computer can test all 128 bit keys in one day.
>
> It will be 300 years for 256 bit keys.
>
> If runners continue increasing their speeds at the rate they
> are now, women will break the sound barrier before men.
>
I seriously doubt that 128-bit keys will ever be searched in one day by
anything short of a quantum (or 1 tera-hz) computer. A 128 bit key
would be searched at 2^111 keys per second. Even on every computer in
my city (about 32000) that would be 2^96 per second.
I think 128-bit keys will be secure for more than a century or two.
Note that they never said 56 bit keys were safe. Even when they
proposed DES they thought the key was too small.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
Date: Sat, 26 Jun 1999 20:23:46 -0400
From: [EMAIL PROTECTED]
Subject: Re: Converting arbitrary bit sequences into plain English texts
wtshaw wrote:
> Is the government going to put itself in the position of using anything
> that it does not understand to try to prove that it contains information
> that is forbidden. This seems to be begging for trouble. You need only
> submit some the pronouncements of government back to themselves to
> demonstrate lack of clarity. Perhaps sourcecode should be done with
> steganography using legal terms, since much of that stuff appears
> unreadable already; clue: pick a set of jargon that will be unknown to the
> person evaluating it, chemical, mathematical, particle physics, the wisdom
> of snoop dogy dogy in lyrics, etc.
This reminds me of some work I did on readability analysis. Most
ratings use grade levels. Here we're talking negative numbers.
Negative readability is an interesting idea.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Moore's Trend
Date: Sun, 27 Jun 1999 15:15:48 +0200
>
> If runners continue increasing their speeds at the rate they
> are now, women will break the sound barrier before men.
>
Heh. Must remember that one for the next time the "is 128 bits
crackable" thread comes along...
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED]
Subject: Des keys
Date: Sun, 27 Jun 1999 12:29:56 GMT
Here is a question. If the DES keys have been bad for quite some time
(complements, weak keys, the size). Why not re-write the key schedule?
Wouldn't it be not-so-hard to rewrite the 56->48 bit compression to a
64->48 bit compression? More rounds might have to be used, I don't
know.
Just wondering... With a better key schedule and longer key DES could
have been slightly more secure (i.e probably ok for another 10 years).
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: Sun, 27 Jun 1999 15:07:29 +0200
"S.T.L." wrote:
>
> <<This is exactly what is needed in the marketplace--an encryption application
> program that does not need the application program at the receiving end. >>
>
> Therefore a sort of mini-decryptor program needs to be attached to the
> cyphertext, just as self-extracting ZIP files have a mini-extractor attached to
> the cyphertext.
>
They can also have encryption.
> Or, one could hack a version of PKZIP to use strong cryptography.
>
PKZIP is actually quite hard to crack if you don't know the start
of the plaintext.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: Sun, 27 Jun 1999 15:09:07 +0200
"S.T.L." wrote:
>
> Therefore a sort of mini-decryptor program needs to be attached
> to the cyphertext, just as self-extracting ZIP files have a
> mini-extractor attached to the cyphertext.
>
Could sending this as an e-mail attachment be classed as an "export"?
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: Kryptos article
Date: Sun, 27 Jun 1999 13:20:26 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 24 Jun 1999 11:31:12 -0700, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>Today Show looked rather like me. I acknowledged the resemblance, but
>pointed out that it had more hair on top than I do, and she was forced to
>recant.
Hmm. So you've been gaining face along with experience? ;).
I dunno when it'll be my turn. But a friend told me it's ok, it's just he
has problems washing his face - doesn't know where to stop. :)
Link.
****************************
Reply to: @Spam to
lyeoh at @[EMAIL PROTECTED]
pop.jaring.my @
*******************************
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Des keys
Date: Sun, 27 Jun 1999 16:25:28 +0200
[EMAIL PROTECTED] wrote:
>
> Here is a question. If the DES keys have been bad for quite some time
> (complements, weak keys, the size). Why not re-write the key schedule?
>
> Wouldn't it be not-so-hard to rewrite the 56->48 bit compression to a
> 64->48 bit compression? More rounds might have to be used, I don't
> know.
>
> Just wondering... With a better key schedule and longer key DES could
> have been slightly more secure (i.e probably ok for another 10 years).
>
The NSA wanted to be able to crack it in the '70s, remember...
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: Des keys
Date: 27 Jun 1999 13:59:14 GMT
According to <[EMAIL PROTECTED]>:
> Here is a question. If the DES keys have been bad for quite some time
> (complements, weak keys, the size). Why not re-write the key schedule?
DES is a delicate beast, it is not easy to change the key schedule
without implying some weaknesses. What you can do and seems strong is
just considering the 16 subkeys as independent, which yields a 768-bit
key.
However, if you modify the key schedule, you become incompatible.
Therefore it does not really make sense to stick to the DES design,
instead of using a more efficient one (those bit permutations are really
a pain to implement)(RC5,IDEA come to mind).
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: Kryptos article
Date: Sun, 27 Jun 1999 13:15:46 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 26 Jun 1999 03:49:50 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote:
>Um, Jim, mirrors don't reverse in any particular direction.
>Martin Gardner had a discussion of this in one of his books:
>Why is your image in a flat mirror reversed left-to-right,
>not top-to-bottom?
Maybe it's because your right hand looks like your left hand and your head
doesn't look like your feet?
They just mirror stuff, that's all, just like shadows in some ways.
Link.
****************************
Reply to: @Spam to
lyeoh at @[EMAIL PROTECTED]
pop.jaring.my @
*******************************
------------------------------
From: [EMAIL PROTECTED] (Dave Hazelwood)
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: Sun, 27 Jun 1999 15:44:57 GMT
If Kwik-Crypt is not suitable then I can do a DOS program for you
that will run like the wind, use 448 bit blowfish or any other
algorithm you want and be as easy to use as typing the filename.
Let me know.
[EMAIL PROTECTED] (Dave Hazelwood) wrote:
>Have you tried Kwik-Crypt for Windows/95?
>
>http://www.kwikrite.clara.net/
>
>You can build self decrypting and restoring (blowfish) archives with
>it.
>
>[EMAIL PROTECTED] (Jayjames99) wrote:
>
>>I think this is a tough question to answer.
>>
>>I am trying to send an encrypted file to somebody who is not computer savvy, in
>>a format so that the receiving party does not have to know how to decrypt the
>>file. It will simply self-extract, ask for the private key to be entered, and
>>voila...the file is now readable.
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: A few questions on RSA
Date: 27 Jun 1999 15:54:31 GMT
See Dan Boneh's web page for "20 years of attacks on RSA" paper, it contains a
great bibliography. Basically, low exponent MAY be risky. Low-exponent RSA
may not be equivalent to the problem of factoring. There are Hastads and
Coppersmith attacks.
Don Johnson
------------------------------
From: [EMAIL PROTECTED]
Subject: New version of free disk encryption product for NT (with Scramdisk support)
Date: Sun, 27 Jun 1999 15:59:00 GMT
Announcing the latest version of my free disk encryption product,
previously called Caveo now called E4M (Encryption for the Masses), and
available from www.e4m.net, with complete source code!
This version includes the following features:
* Support for Scramdisk file hosted volumes using all of Scramdisk's
ciphers except the 'summer' cipher.
* Support for Pkcs-5 key setting via either HMAC-MD5 or HMAC-SHA1.
The Pkcs-5 code is self testing, and tests itself against HMAC
and Pkcs-5 test vectors.
* Support for new ciphers including IDEA, 3 key triple-DES, CAST and
Blowfish.
* A new command line tool 'voltest' has been provided which dumps the
headers (E4M only) of a particular volume, and tests the particular
volume's sector encryption; optionally you can display individual
sectors with this tool.
* Support for changing volume passwords has been added.
* The user interface for mounting a volume has been rewritten to be
more user friendly.
* Passwords can now be cached in the driver (and cleared at the user's
request).
* The History information is now more robust, the history operates a
MRU list of the last 8 volumes mounted.
* The mount program now shows the full path name of a mounted volume
when a mounted drive letter is selected.
* Support for MDCSHA is now not available for new volumes. Only SFS
uses this cipher.
* Some of the cursor handling in the format wizard has been cleaned
up, the wizard now correctly displays the hour glass cursor at
the correct times.
* The FAT formatting code has been rewritten to drop the GPL'd code,
this means this product no longer ships under the GNU GPL.
* The format GUI now shows the user what's going on with the random
code. Random bytes, and the selected key bytes are displayed to
the user.
* The documentation system now uses SDF which allows different
document formats to be used such as Windows hlp, and html.
Paul Le Roux
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (D. J. Bernstein)
Crossposted-To: talk.politics.crypto
Subject: --- sci.crypt charter: read before you post (weekly notice)
Date: 27 Jun 1999 05:00:37 GMT
sci.crypt Different methods of data en/decryption.
sci.crypt.research Cryptography, cryptanalysis, and related issues.
talk.politics.crypto The relation between cryptography and government.
The Cryptography FAQ is posted to sci.crypt and talk.politics.crypto
every three weeks. You should read it before posting to either group.
A common myth is that sci.crypt is USENET's catch-all crypto newsgroup.
It is not. It is reserved for discussion of the _science_ of cryptology,
including cryptography, cryptanalysis, and related topics such as
one-way hash functions.
Use talk.politics.crypto for the _politics_ of cryptography, including
Clipper, Digital Telephony, NSA, RSADSI, the distribution of RC4, and
export controls.
What if you want to post an article which is neither pure science nor
pure politics? Go for talk.politics.crypto. Political discussions are
naturally free-ranging, and can easily include scientific articles. But
sci.crypt is much more limited: it has no room for politics.
It's appropriate to post (or at least cross-post) Clipper discussions to
alt.privacy.clipper, which should become talk.politics.crypto.clipper at
some point.
There are now several PGP newsgroups. Try comp.security.pgp.resources if
you want to find PGP, c.s.pgp.tech if you want to set it up and use it,
and c.s.pgp.discuss for other PGP-related questions.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt. Try alt.security.
Other relevant newsgroups: misc.legal.computing, comp.org.eff.talk,
comp.org.cpsr.talk, alt.politics.org.nsa, comp.patents, sci.math,
comp.compression, comp.security.misc.
Here's the sci.crypt.research charter: ``The discussion of cryptography,
cryptanalysis, and related issues, in a more civilised environment than
is currently provided by sci.crypt.'' If you want to submit something to
the moderators, try [EMAIL PROTECTED]
---Dan
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************