Cryptography-Digest Digest #25, Volume #10       Tue, 10 Aug 99 18:13:04 EDT

Contents:
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Jerry Coffin)
  Re: NIST AES FInalists are.... (John Savard)
  Re: Power analysis of AES candidates (Bruce Schneier)
  Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . . (Jerry Coffin)
  Thawte PGP Notary Tour & Toronto Freenet PGP Keysigning Session (Robert Guerra)
  Re: NIST AES FInalists are.... ([EMAIL PROTECTED])
  Re: AES finalists to be announced (Helger Lipmaa)
  Re: Academic vs Industrial ("Douglas A. Gwyn")
  Re: Depth of Two ("Douglas A. Gwyn")
  Public Key ==> Trapdoor Functions? (Jonathan Katz)
  Re: NIST AES FInalists are.... (John Savard)
  Re: Power analysis of AES candidates ("William Whyte")
  Re: Depth of Two (John Savard)
  Re: NIST AES FInalists are.... (Robert Harley)
  RSA patent & Canada ([EMAIL PROTECTED])
  Re: Infallible authentication scheme (Michelle Davis)
  Re: AES finalists to be announced (wtshaw)
  simultaneous multiple exponentiation (Peter Yodarski)
  Re: RSA patent & Canada (Rich Wales)
  Re: frequency of prime numbers? (Don Dodson)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Tue, 10 Aug 1999 11:28:37 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Jerry Coffin wrote:
> > True, but 1) they actually display the help in a complete application
> Perhaps I misunderstood, but they embed the reader in the Visual Studio
> thing.

Yes, in VC5, they do.  In VC 6, they don't anymore -- it's gotten even 
worse, so no you don't get a window inside of the IDE at all...

> Finally, when I
> installed my VC5 (probably 5?) I remember it asked for so much damn
> space for IE that I can't believe it's all the control and nothing else.
> It is _huge_.

_The_ control is where the problem comes from -- it's a whole 
collection of controls.  Just for example, on my machine I've got:

IETIMER.OCX             77,728
IELABEL.OCX             129,264
IEMENU.OCX              73,472

In addition to the basic html control and IE executable.  However, the 
executable it starts for browsing MSDN is hh.exe, which is a mere 
26,896 bytes...

> Being a conspiracy theorist par excellence, and due to my
> long exposure to MS stuff, I do suspect they use the new HTML help as
> another pretext to shove IE down more people's throat. I have an
> HTML-reader control that came with Qt--it's small. I mean, it eats up
> pretty much any kind of "normal" html, and it's not hundreds of megabytes
> <g>.

Well, in fairness, I suppose we should keep in mind that somehow or 
other they have to handle things like indexing and searching the help 
files, not just display them like you would a typical web page.  Of 
course, there's also the fact that MS isn't particularly known for 
writing the smallest, fastest code available for much of anything (at 
least as a rule).  

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST AES FInalists are....
Date: Tue, 10 Aug 1999 19:14:03 GMT

[EMAIL PROTECTED] (John Savard) wrote, in part:
>[EMAIL PROTECTED] (John Savard) wrote, in part:

>>I have - hopefully correctly - updated my description of MARS at

>>http://www.ecn.ab.ca/~jsavard/co040806.htm

>>to note these tweaks as proposed modifications.

>I had made some mistakes in my description, which I believe I have now
>corrected.

There were still some serious mistakes, as I read the literal description
instead of the pseudocode, so I thought the array still initially had words -7
to -1 in it, which it no longer does. Hopefully, I've got it right this time.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Power analysis of AES candidates
Date: Tue, 10 Aug 1999 19:07:24 GMT

On Tue, 10 Aug 1999 16:13:59 +0100, "William Whyte"
<[EMAIL PROTECTED]> wrote:

>There seems to be a discrepancy between Biham and Shamir's paper on
>Power Consumption Analysis from the second AES conference, and the
>discussion of that paper in NIST's Round 1 report (currently available
>from http://csrc.nist.gov/encryption/aes/round1/r1report.pdf).
>
>Biham and Shamir's paper (available from, among other places,
>http://csrc.nist.gov/encryption/aes/round1/conf2/papers/biham3.pdf)
>seems to state that, of the five finalists, Rijndael is more
>vulnerable than the others to their attack, and the other four
>are about as vulnerable as each other (it even explicitly says,
>of Serpent, "Thus, it is expected that (as in the case of Mars and
>RC6), it will not be easy to derive useful information on the key
>from the Hamming weights of the results."). But in NIST's
>discussion (section 2.5.3.1), they classify Rijndael, MARS and RC6
>as having "lesser implicit weaknesses" and Serpent and Twofish
>as having "no weakness", with no reference given other than
>Biham and Shamir's paper.
>
>Can anyone shed any light on this?

There's a lot more to power analysis than any of the papers from AES
indicate.  Each one talks about a specific attack.  We've found that
all ciphers are vulnerable, the attacks are just different.  We don't
believe it is possible to make a cipher immune to side channel attacks
such as power analysis.  See:

http://www.counterpane.com/crypto-gram-9806.html#side

for some details.

My hope is that someone who has done considerable research in this
writes this up for the third AES candidate conference.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: comp.lang.c++
Subject: Re: Why does MS-Visual C++ ABSOLUTELY REQUIRE . . .
Date: Tue, 10 Aug 1999 11:28:34 -0600

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...


> Note, however, this is a global change for IE, not just for InfoViewer.
> Doesn't work for IE3, and I haven't looked at IE5.
> 
> 'Control Panel' - 'Internet' - 'Accessibility' - 'Ignore colors specified
> on Web pages'. 

Bruce, I will be sacrificing three virgins at the shrine of Vishnu on 
your behalf for pointing this out.  Thank you very, very much!

(Why Vishnu?  Hindu gods make sense when dealing with the many 
manifestations of IE, and every time I have to use the current help 
system, I think of becoming one with The Destroyer <G>).
 

------------------------------

Subject: Thawte PGP Notary Tour & Toronto Freenet PGP Keysigning Session
From: [EMAIL PROTECTED] (Robert Guerra)
Date: Sat, 7 Aug 1999 10:30:11 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 What:  Thawte PGP Notary Tour & Toronto Freenet PGP Keysigning Session
 
 Hosts: Bruce Watermeyer, Thawte Certification
        Toronto Freenet
        Robert Guerra ([EMAIL PROTECTED])
 
 When:  Wednesday, August 11
 
 Where: 6:30 pm to 10 pm
        Metro Hall (3rd Floor)
        55 John St.
        Toronto, Ontario
        Canada M5V 3C6
 
        Directions to get to Metro Hall:
        http://www.interlog.com/~rguerra/pgp/metrohall.gif
    
 Details:   http://www.interlog.com/~rguerra/pgp/aug11.txt
 
    If you have any questions about this event, please email
    [EMAIL PROTECTED], or you can also write
    [EMAIL PROTECTED] if you have questions regarding
    their procedures or requirements.
 
 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Digital Signatures ensure message authenticity

iQA/AwUBN6xCo8KdCsHMpdeSEQK/YQCg2Hv86eDRBZMeOixx1cQjJGvM2MkAoPrL
nRANge6yIx8Ui0CnUUMo3DQL
=55Bq
-----END PGP SIGNATURE-----

 
-- 
Robert Guerra - <[EMAIL PROTECTED]>
Home Page-> http://www.interlog.com/~rguerra/www
PGP Keys -> http://www.interlog.com/~rguerra/pgp

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST AES FInalists are....
Date: Tue, 10 Aug 1999 19:22:57 GMT

Douglas A. Gwyn wrote:

> The NIST Round-1 report itself shows little real security analysis,
> and introduces an utterly bogus notion of "security margin".

> At what point are competent NSA cryptanalysts going to be brought
> into the process, so we can get a soundly based estimate of security?

Oh spare us.  You have no basis for concluding that
the NSA has anything better than the publicly known
methods of analysis.

--Bryan


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: AES finalists to be announced
Date: Mon, 09 Aug 1999 19:52:14 +0000

Bruce Schneier wrote:

> The most interesting thing to notice is that the five finalists were
> designed by teams that have had strong cryptanalysts on them.  Almost
> all of the other algorithms (E2 being the only exception) were
> designed by teams that did not have strong cryptanalysts on them.  As
> I have said again and again, good ciphers are designed by good
> cryptanalysts.

I can imagine the face of Serge Vaudenay when reading this posting.

Helger Lipmaa
http://home.cyber.ee/helger


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Academic vs Industrial
Date: Tue, 10 Aug 1999 19:16:45 GMT

David A Molnar wrote:
> Other naive question : I was under the impression that random S-boxes were
> likely to be weak against differential cryptanalysis. Do key-dependent
> S-boxes escape this problem b/c they're secret, or are there ways to
> infer their structure from some attack?

The only thing key dependence does is add one level of complexity to
the system structure.  Instead of simple constants one has an indexed
array of constants.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Depth of Two
Date: Tue, 10 Aug 1999 19:27:37 GMT

[EMAIL PROTECTED] wrote:
> For a cipher like that produced by a rotor machine, where every alphabet
> is different, it seems as if the only information available is whether the
> two letters in the two messages are alike - or different.

Rotor systems aren't too difficult once one knows how.  Eventually
I expect to put up on a Web site Kullback's paper on Friedman squares,
which can serve as an introduction to the topic.

It isn't necessary to know the rotor wiring; that's part of what
can be recovered.

> With a depth of two, for every pair of letters in the two messages, we
> have the distance in the alphabet between the corresponding letters in the
> two plaintexts.

Essentially, you get the difference between the two *plaintexts*,
which is fairly easy to solve.  That's why key-generator systems
aren't such a good idea.

------------------------------

From: Jonathan Katz <[EMAIL PROTECTED]>
Subject: Public Key ==> Trapdoor Functions?
Date: Tue, 10 Aug 1999 16:45:40 -0400

Regarding a recent question I posted here (which resulted in a
disappointingly small discussion), I just wanted to share what I found
out.

It is currently an open question whether the existence of probabilistic
public key cryptosystems implies the existence of trapdoor functions.
Thus, it is possible that public key crypto could be based on a weaker
assumption.

Reference: Bellare, et al., CRYPTO '98
(available on Bellare's homepage)


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST AES FInalists are....
Date: Tue, 10 Aug 1999 20:46:47 GMT

[EMAIL PROTECTED] wrote, in part:

>Oh spare us.  You have no basis for concluding that
>the NSA has anything better than the publicly known
>methods of analysis.

Although us poor mortals without security clearances and the like have no basis
with which to draw definite conclusions as to what methods of analysis the NSA
may possess, we do have some information which is suggestive:

- The NSA has more mathematicians in its employ than there are mathematicians
working on cryptography in the academic community, A.T. & T., and IBM combined,

- Past declassified documents show that the NSA and its predecessor agencies had
an understanding of cryptographic matters which was in some areas several years
in advance of what had appeared in the open literature.

This would *tend* to suggest that if the NSA doesn't have "anything better than
the publicly known methods of analysis", some people aren't earning their
paycheques.

Personally, though, I suspect that it is not all that hard to elevate a cipher
beyond the reach even of the NSA, even if their understanding of block ciphers
is _considerably_ in advance of that in the public domain, and hence I am
surprised that they're still in business.

And as another data point: when I heard of David Wagner's boomerang attack, I
kicked myself for not having thought of it myself. If it's that obvious, almost
certainly they thought of it previously within the NSA.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "William Whyte" <[EMAIL PROTECTED]>
Subject: Re: Power analysis of AES candidates
Date: Tue, 10 Aug 1999 21:19:10 +0100

>There's a lot more to power analysis than any of the papers from AES
>indicate.  each one talks about a specific attack.  We've found that
>all ciphers are vulnerable, the attacks are just different.  We don't
>believe it is possible to make a cipher immune to side channel attacks
>such as power analysis.

This is all true (and the AES round 1 survey says more or less the
same thing in general). What caught my attention was that the
section which was specifically based on Biham and Shamir's analysis
gave different conclusions from the conclusions they came to, without
giving any justification for it. Has anyone done any work to extend
Biham and Shamir's analysis?

William



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Depth of Two
Date: Tue, 10 Aug 1999 20:50:41 GMT

"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote, in part:

>Essentially, you get the difference between the two *plaintexts*,
>which is fairly easy to solve.  That's why key-generator systems
>aren't such a good idea.

The risk of accidentally using the same IV twice is too great - which is another
reason to avoid all ciphers potentially subject to the "bit-flipping" attack.

While you've noted what is essentially CFB mode as one solution, I'll have to
admit I'm partial to incorporating a substitution on bytes or blocks that
operates directly on the text as it goes from plaintext to ciphertext, so as to
completely avoid the use of plain, unadorned XOR as a combiner as a more
comfortable solution to these kinds of problem.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
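The two posts above (Gwyn's point that a depth of two hands you the difference of the two plaintexts, and Savard's point that a plain XOR combiner also invites bit-flipping) can be checked directly. The following is an added example, not code from either poster: a toy keystream cipher with two pluggable combiners, plain XOR and XOR followed by a fixed byte substitution. The S-box, the keystream generator and the two sample plaintexts are all constructed here for the illustration and have no cryptographic standing of their own.

```python
import random

# Constructed toy setup (not from the posts): a fixed 256-entry byte
# permutation standing in for the "substitution on bytes" mentioned above,
# and a seeded keystream so the example is reproducible offline.
_rng = random.Random(19990810)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i


def keystream(length, seed):
    """Deterministic stand-in for a key-generator output (constructed)."""
    r = random.Random(seed)
    return bytes(r.getrandbits(8) for _ in range(length))


# Combiner 1: plain, unadorned XOR, the case the posts criticise.
def xor_combine(k, p):
    return k ^ p


def xor_uncombine(k, c):
    return k ^ c


# Combiner 2: XOR then a byte substitution, so the ciphertext byte is no
# longer a linear function of the plaintext byte.
def sbox_combine(k, p):
    return SBOX[k ^ p]


def sbox_uncombine(k, c):
    return SBOX_INV[c] ^ k


def encrypt(ks, plaintext, combine):
    return bytes(combine(k, p) for k, p in zip(ks, plaintext))


def decrypt(ks, ciphertext, uncombine):
    return bytes(uncombine(k, c) for k, c in zip(ks, ciphertext))


def matching_difference_fraction(combine, p1, p2, seed=1):
    """Encrypt p1 and p2 under the SAME keystream (a depth of two) and return
    the fraction of positions where c1 XOR c2 equals p1 XOR p2, i.e. where the
    plaintext difference is exposed without any knowledge of the key."""
    ks = keystream(len(p1), seed)
    c1 = encrypt(ks, p1, combine)
    c2 = encrypt(ks, p2, combine)
    hits = sum(1 for a, b, x, y in zip(c1, c2, p1, p2) if a ^ b == x ^ y)
    return hits / len(p1)


def bit_flip_propagates(combine, uncombine, plaintext, mask, seed=1):
    """Flip the ciphertext bits selected by mask and report whether the
    receiver decrypts exactly plaintext XOR mask (the bit-flipping property)."""
    ks = keystream(len(plaintext), seed)
    c = encrypt(ks, plaintext, combine)
    tampered = bytes(a ^ b for a, b in zip(c, mask))
    expected = bytes(a ^ b for a, b in zip(plaintext, mask))
    return decrypt(ks, tampered, uncombine) == expected


# Constructed sample inputs.
P1 = b"ATTACK AT DAWN  "
P2 = b"RETREAT AT DUSK "
MASK = b"\x01" * 16          # flip the low bit of every byte

if __name__ == "__main__":
    print("XOR  : difference exposed at",
          matching_difference_fraction(xor_combine, P1, P2), "of positions")
    print("S-box: difference exposed at",
          matching_difference_fraction(sbox_combine, P1, P2), "of positions")
    print("XOR  bit-flip propagates:",
          bit_flip_propagates(xor_combine, xor_uncombine, P1, MASK))
    print("S-box bit-flip propagates:",
          bit_flip_propagates(sbox_combine, sbox_uncombine, P1, MASK))
```

With XOR, every position of c1 XOR c2 equals p1 XOR p2, and a flipped ciphertext bit lands as the same flipped plaintext bit. With the substitution in the path, the ciphertext difference depends on the keystream byte, so the only positions that still match are the ones where the two plaintexts are already identical. This shows what the combiner buys you against these two particular effects; it is not a claim that the toy construction is secure, and none of it removes the need to never reuse an IV or keystream in the first place.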

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: 10 Aug 1999 22:52:37 +0200


Douglas A. Gwyn wrote:
> The NIST Round-1 report itself shows little real security analysis,
> and introduces an utterly bogus notion of "security margin".
> 
> At what point are competent NSA cryptanalysts going to be brought
> into the process, so we can get a soundly based estimate of security?

[EMAIL PROTECTED] writes:
> Oh spare us.  You have no basis for concluding that the NSA has
> anything better than the publicly known methods of analysis.


I agree that the NSA probably has little if any advance on the public
domain.

However NIST's "Status Report on the First Round" is bad, remarkably bad.
Frankly I'm stunned by how bad it is.

At best, one could say it's an incomplete, out-of-date distillation
of some publicly available papers, with no attempt to sort rhetoric
from substance, never mind actual analysis.

It sure doesn't look like any competent people had much input, NSA or
otherwise.


Bye,
  Rob.

------------------------------

From: [EMAIL PROTECTED]
Subject: RSA patent & Canada
Date: Tue, 10 Aug 1999 20:19:54 GMT

Does anybody know if U.S. Patent 4,405,829 "Cryptographic Communication
System and Method" is in force in Canada?  I live in Canada - am I free
to pull software off the net that uses the RSA algorithm, compile it,
and use it without worrying about paying anybody royalties?

(I am interested in rolling-my-own PKI infrastructure, and issuing
digital certificates.  I want to pull software that does this off the
net, build it, and issue certificates without having to pay exorbitant
per certificate fees.  Or any fees to anybody.)

Thanks,

James


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (Michelle Davis)
Subject: Re: Infallible authentication scheme
Date: Tue, 10 Aug 1999 20:46:00 GMT

>All challenge/hashed-response password protocols are woefully obsolete.
>
>Newer protocols are not vulnerable to network dictionary attack,
>including a few simple versions of password-authenticated
>Diffie-Hellman exchange, including SPEKE, EKE, and SRP.
>

There is no challenge-response channel in this scheme. It's strictly
one-way, user to server. This is dictated by the nature of the
application.

Regards,
Michelle

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: AES finalists to be announced
Date: Tue, 10 Aug 1999 15:40:38 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Bruce Schneier) wrote:

> On Mon, 9 Aug 1999 19:16:23 GMT, [EMAIL PROTECTED] (Larry
> Kilgallen) wrote:
> 
> >In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Bruce Schneier) writes:
> >
> >> RC6 is surprisingly slow on the Pentium and other simple 32-bit
> >> computers.  It is fast on the Pentium Pro, Pentium II, and Pentium
> >> III.  It is very surprisingly slow on the new Intel processors that
> >> will be coming out over the next few years.
> >
> >Hey, you can't have it both ways !
> >
> >If you are able to predict performance on future processors,
> >then it can't be _surprisingly_. :-)
> 
> I suppose.  But I was surprised.
> 
If and when a new standard is chosen, then, the need for dealing with it
efficiently should suggest to CPU designers that some catering to it
should be included.  As computers shrink and shrink in size, and
capabilities grow and grow, higher functions are apt to be attractive
targets.  I figure that the manufacturers' designers are most curious
about how thing will go.

In a twist of fate, making a CPU handle an algorithm more easily might
also make catering to weaknesses more possible as well if somehow the
design is *creatively* modified.  I suggest that this gives all sorts of
room for speculation, hanky panky, and rumor generation for the future as
all realize that processors are not designed in a vacuum.
-- 
Sometimes you have to punt, and hope for the best.

------------------------------

From: Peter Yodarski <[EMAIL PROTECTED]>
Subject: simultaneous multiple exponentiation
Date: Tue, 10 Aug 1999 16:04:34 -0500
Reply-To: [EMAIL PROTECTED]

Hello,
I wish to implement (in C) simultaneous multiple exponentiation with
Montgomery's method. The reference I've been using is
_Handbook_of_Applied_Cryptography_, Menezes, et al. In Note 14.96 (iii)
it states "Any of the other exponentiation algorithms discussed in
section 14.6.1 can be combined with Montgomery reduction ...". I would
appreciate elaboration as to exactly how to modify the simultaneous
multiple exponentiation algorithm (14.88).
Thanks
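The combination the poster asks about amounts to this: keep Algorithm 14.88 exactly as it is, but hold every residue in Montgomery form (x*R mod m) and perform every multiplication, in the precomputation table and in the square-and-multiply scan alike, as a Montgomery multiplication, converting in once at the start and out once at the end. The following is an added example, not text or code from the Handbook or from the poster; Python is used for its built-in big integers, so a C version needs a bignum library but follows the same steps. The function names and the choice R = 2^(bitlength of m) are this example's own.

```python
# Added example: HAC Algorithm 14.88 (simultaneous multiple exponentiation)
# with each modular multiplication replaced by a Montgomery multiplication.
# Nothing here is the Handbook's code; the names are this example's own.

def montgomery_params(m):
    """Choose R = 2^k > m (m odd) and m' = -m^{-1} mod R, as REDC needs."""
    assert m % 2 == 1 and m > 1, "Montgomery reduction needs an odd modulus"
    k = m.bit_length()
    R = 1 << k
    m_prime = (-pow(m, -1, R)) % R      # modular inverse (Python 3.8+)
    return k, R, m_prime


def redc(T, m, k, R, m_prime):
    """Montgomery reduction: return T * R^{-1} mod m for 0 <= T < m*R."""
    u = (T * m_prime) & (R - 1)         # T*m' mod R (R is a power of two)
    t = (T + u * m) >> k                # exact division by R
    return t - m if t >= m else t       # t < 2m, so one subtraction suffices


def mont_mul(a, b, m, k, R, m_prime):
    """Product of two Montgomery-form residues, result in Montgomery form."""
    return redc(a * b, m, k, R, m_prime)


def simultaneous_exp_montgomery(bases, exps, m):
    """prod(bases[j] ** exps[j]) mod m, one shared square-and-multiply scan
    over all the exponents (HAC 14.88), with Montgomery arithmetic inside.
    Needs at least one base, each base paired with one exponent."""
    k, R, m_prime = montgomery_params(m)
    t = len(bases)
    one_m = R % m                                   # Montgomery form of 1
    g_m = [(g % m) * R % m for g in bases]          # bases into Montgomery form
    # Precomputation: G[i] = product of g_m[j] over the bits j set in i.
    # Same table as the plain algorithm; only the multiplication differs.
    G = [one_m] * (1 << t)
    for i in range(1, 1 << t):
        low = i & -i                                # lowest set bit of i
        j = low.bit_length() - 1
        G[i] = mont_mul(G[i ^ low], g_m[j], m, k, R, m_prime)
    nbits = max(e.bit_length() for e in exps) or 1
    A = one_m
    for bit in range(nbits - 1, -1, -1):
        A = mont_mul(A, A, m, k, R, m_prime)        # square once per bit
        idx = 0                                     # column of exponent bits
        for j, e in enumerate(exps):
            if (e >> bit) & 1:
                idx |= 1 << j
        if idx:
            A = mont_mul(A, G[idx], m, k, R, m_prime)  # one multiply per column
    return redc(A, m, k, R, m_prime)                # leave Montgomery form


if __name__ == "__main__":
    M = 1000000007
    got = simultaneous_exp_montgomery([2, 3, 5], [100, 200, 300], M)
    ref = pow(2, 100, M) * pow(3, 200, M) * pow(5, 300, M) % M
    print(got, ref, "match" if got == ref else "MISMATCH")
```

The square step and the table lookups are unchanged from 14.88; the only places that touch Montgomery arithmetic are the conversion of the bases and of the constant 1 into Montgomery form, the use of mont_mul for every product, and the final redc that converts the accumulator back. In C the same structure applies with a multi-precision REDC in place of the Python integer operations.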

------------------------------

From: [EMAIL PROTECTED] (Rich Wales)
Subject: Re: RSA patent & Canada
Date: 10 Aug 1999 14:05:16 -0700

"James" wrote:

        > Does anybody know if U.S. Patent 4,405,829 "Cryptographic
        > Communication System and Method" [the RSA patent] is in
        > force in Canada?

Short answer:  RSA is not patented in Canada, as far as I am aware.

Longer answer:

The US patent, itself, has no legal effect in Canada.  And to the best
of my knowledge, the RSA algorithm is not (and never has been) protected
by any Canadian patent.

Thus, my understanding has always been that any RSA implementation --
including implementations not supplied or approved by RSA Data Security
Inc. -- may be used in Canada, without any risk of patent infringement.

I once read a claim that RSADSI had patented the RSA algorithm in Canada
-- but since no details (such as a specific Canadian patent number) were
included, I dismissed this claim as an unsubstantiated urban legend.

Rich Wales         [EMAIL PROTECTED]         http://www.webcom.com/richw/
*DISCLAIMER:  I am not a lawyer.  My comments are for discussion
 purposes only and are not intended to be relied upon as legal or
 professional advice.

------------------------------

From: [EMAIL PROTECTED] (Don Dodson)
Subject: Re: frequency of prime numbers?
Date: 10 Aug 1999 13:41:17 -0700

Sniggerfardimungus wrote:
> 
> I ask this question here not because it necessarily relates to cryptography,
> but to an interest of cryptographers, prime numbers; is there any reason to
> believe that there are either a finite or an infinite number of primes?  Even
> better, is there any proof either way?

Assume for a moment that there was a finite number of primes.
This means that there must be a largest prime number.  We will
call that largest prime N.

Now compute P, the product of all prime numbers 2..N.  P is 
divisible by every prime number.  Add one to the result.
P+1 is not divisible by any prime number, and therefore P+1
is prime.  P+1 is clearly larger than N, so N must not be 
the largest prime.

Therefore there is no largest prime, and there are an infinite
number of primes.

Don
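Carrying the argument above through for concrete lists of primes, as an added example that is not part of Don's post: the functions below build P+1 from a finite list, factor it, and report whether P+1 is itself prime. For the first five primes it is (2311), but for the first six it is not (30031 = 59 x 509). Either way P+1 leaves remainder 1 on division by every prime in the list, so its smallest prime factor is a prime the list was missing, which is the contradiction the proof needs; the helper names are this example's own.

```python
# Added example (not from the post): Euclid's argument on concrete inputs.

def smallest_prime_factor(n):
    """Smallest prime factor of n >= 2 by trial division (small inputs only)."""
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n                      # no factor up to sqrt(n): n is prime


def euclid_step(primes):
    """Treat `primes` as the supposedly complete finite list. Return
    (P + 1, smallest prime factor of P + 1, whether P + 1 is itself prime),
    where P is the product of the list."""
    P = 1
    for p in primes:
        P *= p
    q = smallest_prime_factor(P + 1)
    return P + 1, q, q == P + 1


def new_prime_outside_list(primes):
    """The step the contradiction really uses: P + 1 is 1 mod every prime in
    the list, so its smallest prime factor cannot be in the list. Returns
    that factor, a prime the 'complete' list failed to contain."""
    n, q, _ = euclid_step(primes)
    assert all(n % p == 1 for p in primes)
    assert q not in primes
    return q


if __name__ == "__main__":
    for lst in ([2, 3, 5, 7, 11], [2, 3, 5, 7, 11, 13], [2, 3, 5, 7, 11, 13, 17]):
        n, q, is_prime = euclid_step(lst)
        print(lst, "-> P+1 =", n, "smallest factor", q,
              "(prime)" if is_prime else "(composite)")
```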

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
