Cryptography-Digest Digest #97, Volume #10 Mon, 23 Aug 99 12:13:03 EDT
Contents:
Re: New encryption algorithm (Bo D�mstedt)
Re: RSA patent & Canada (W.G. Unruh)
Re: CRYPTO DESIGN MY VIEW (Mok-Kong Shen)
Re: RSA encryption exponent (W.G. Unruh)
CBC problems... (Tom St Denis)
Re: question regarding number of keys possible. . .
Re: How does RC4 work ? (Tom St Denis)
New and Improved Peekboo (ICQ/email secret messages) (Tom St Denis)
Re: NIST AES FInalists are.... (Rochus Wessels)
Re: Twofish on a 68HC11 (Padgett 0sirius)
Re: question regarding number of keys possible. . .
Re: How does RC4 work ?
Re: all or nothing (wrapped pcbc) ([EMAIL PROTECTED])
Re: Please help a HS student with an independent study in crypto (Anton Stiglic)
MUM (Gary)
Re: Cipher-Feedback Mode (Anton Stiglic)
IDEA in Applied Crypto (Tom St Denis)
Re: MUM (John Savard)
Re: *2nd* trusted arbitrator's name?? (John Savard)
Re: How does RC4 work ? (John Savard)
Re: Yao's millionaire problem without asymmetry? (Anton Stiglic)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Bo D�mstedt)
Subject: Re: New encryption algorithm
Reply-To: [EMAIL PROTECTED]
Date: Mon, 23 Aug 1999 11:10:50 GMT
"Tony Zelenoff" <[EMAIL PROTECTED]> wrote:
> THE ENCRYPTION SYSTEM
...
I would like to enquire, if you could send me some additional
information on your encryption system.
Specifically:
>This method can be effectively used to develop encoding/encryption system
>with an error correction.
A)
Is there any operating mode suitable for communication
over a noisy line ? Is there an error correcting code provided
right now? Can you describe the essentials of the
error-correcting code?
B)
Can you explain how you know Jury Andreevich Nedosekin ?
Have you been working togeather, or is he a frined of yours?
Are you a co-aouthor of the encryption system?
C)
Would you be so kind asking Jury Andreevich Nedosekin
if he could provide some background information
on himself, education, interests, etc?
I would much appreciate an aswer.
With my best regards,
Bo D�mstedt
Chief Cryptographer
Protego Information AB
Citadellsv�gen 11
SE - 211 18 Malmoe
SWEDEN
http://www.protego.se
E-mail: [EMAIL PROTECTED]
Phone: +46 40 94 05 00
Fax: +46 40 30 36 46
------------------------------
From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: RSA patent & Canada
Date: 23 Aug 99 12:42:29 GMT
[EMAIL PROTECTED] writes:
>Does anybody know if U.S. Patent 4,405,829 "Cryptographic Communication
>System and Method" is in force in Canada? I live in Canada - am I free
>to pull software off the net that uses the RSA algorithm, compile it,
>and use it without worrying about paying anybody royalties?
US patents are in force in the US. Canadian patents are in force in Canada. As
far as I know, RSA was never patented in Canada.
>(I am interested in rolling-my-own PKI infrastructure, and issuing
>digital certificates. I want to pull software that does this off the
>net, build it, and issue certificates without having to pay exorbitant
>per certificate fees. Or any fees to anybody.)
There is the additional issue of copyright which has nothing to do with patents
Anything you pull of the web is copyrighted and you cannot copy it without
the permission of the copyright holders. Copyrights are "worldwide"
in that "all " countries grant copyright to anyone who creates a work anywhere
in the world. Certainly Canada does.
>Thanks,
>James
>Sent via Deja.com http://www.deja.com/
>Share what you know. Learn what you don't.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: CRYPTO DESIGN MY VIEW
Date: Mon, 23 Aug 1999 14:46:49 +0200
SCOTT19U.ZIP_GUY wrote:
>
> In article <[EMAIL PROTECTED]>, Mok-Kong Shen
><[EMAIL PROTECTED]> wrote:
>
> >
> >To be exact, you can't say how many input symbols are obtained from
> >the x's. For instance, it could be that there are Huffman codes
> >that occupies only 3 x positions. All one knows (by our assumption)
> >is that the last 9 bits of the original output file constitute one
> >single Huffman code and therefore these 9 bits will be decompressed
> >to one input character (which, if it is 8 bit ASCII, occupies a byte).
> >But this fact is unimportant for the present discussion.
> What are you thinking I thought the x's where a single token.
> Look it is obvious you are lost and don't know what I mean. PLEASE
> ASK SOMEONE ELSE FOR HELP.
Eh?? What was wrong?? There were 7 x's, each being a bit position,
so it could well be that 3 of the bits consitute one Huffman code.
That each x represent a bit in the output file (compressed file)
should have been entirely clear to you in all the discussions up
till now!!!!!
> My method takes "ANY BINARY FILE" call that file "A" and decompresses to a
> file call that FILE "B". If you compress file "B" you get exactly "A" back
> PERIOD.
> Also you can take FILE "A" compress it to a FILE "C" take FILE "C" when
> you decompress it you get FILE "A" back exactly.
> This is "one to one" compression decompression. There is no wrong
> file except in your mind. The method used is "adaptive huffman compression"
> it is exactly like the huffman bit stream except that sometimes it is left
> alone. Sometimes it is zero filled and sometimes the last partial byte is
> chopped off altogether. I am done talking to you.
This is COWARD in scientific discussions!!! When shown by others that
you are wrong, you simply discontinue the argumentation. You snipped
and did not refer at all to the ESSENTIAL paragraph of mine in the
previous post which explained in detail (based on assertions of your
own) that your program, when encountering the 0 bit of my example
which it can't deal with, simply ignores the error (abnormal)
condition. This shows that your program violates the very elementary
requirements of program correctness and consequently all you
hard-necked claims (without proof) of the 'one to one' property are
only an illusion, if not downright cheating!!!
I want to explicitly call the attention of all participants of this
group to your present behaviour in this discussion thread so that
they will well use it as a hint to help them judging the quality of
your programs and the scientific trustworthiness of your often
made claims (without accompanying proofs) in the field of cryptology.
M. K. Shen
==================================
http://home.t-online.de/home/mok-kong.shen (new URL addr.)
------------------------------
From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: RSA encryption exponent
Date: 23 Aug 99 12:48:08 GMT
vincent <[EMAIL PROTECTED]> writes:
>65537 is prime, so it should be relatively prime to any number but its
>multiples.
>My question is then the following.
>Assuming p and q are primes, is there any chance that
>phi(n) is a multiple of 65537 ?
Of course there is a chance. Probably about 1 in 65537.
However seeing if 65537 divides phi(n) is easily done, and if it does, use
some other one like 17, or 33, or ...
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: CBC problems...
Date: Mon, 23 Aug 1999 13:47:05 GMT
I have code that resembles
============
while (length >= 16) {
data[0] ^= iv[0]; data[1] ^= iv[1];
data[2] ^= iv[2]; data[3] ^= iv[3];
twofish_encrypt(&twofish_key, (const unsigned char *)data,
(unsigned char *)data);
memcpy(iv, data, 16);
length -= 16; data += 4;
}
=============
And for some reason (it works to encrypt/decrypt) when I change a bit
in the message (before doing the text to binary trans) the errors
appear local (within the block I changed) in the decrypted message, the
rest of the message (after the error) is ok. This example above is the
Twofish encryption part which is suppose todo CBC...
Am I missing something?
Please help!
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: question regarding number of keys possible. . .
Date: 23 Aug 99 13:42:17 GMT
Wesley Horton ([EMAIL PROTECTED]) wrote:
: How would you compute the number of possible rotor wirings available for
: a rotor of a given size using interval wiring? For example, how many
: different wirings are possible using the interval wiring method for a
: rotor of 26 contacts on each side?
I could only calculate the number for smaller rotors, because it started
to take too long.
: Did anyone ever come up with an effective method of generating such
: wirings (interval wiring) of rotors on a computer?
Yes. I'll dig up my source code for you right away. It's a lot like the
Eight Queens problem, which people have done on computers many times.
John Savard
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: How does RC4 work ?
Date: Mon, 23 Aug 1999 13:37:16 GMT
In article <7ppikv$9bb$[EMAIL PROTECTED]>,
"Georg Zetzsche" <[EMAIL PROTECTED]> wrote:
> Hi all!
> Does anybody know, how the RC4 - encryption algorithm works ?
> I watched the source code and it looked like a simple XOR but with a
> checksum.
> I would be happy about a pointer to a webpage or any else information.
> thanks in advance!
Quite simply:
to generate a random byte
1) i = (i + 1) mod 256
2) j = (j + S[i]) mod 256
3) swap(S[i], S[j])
4) t = (S[i] + S[j]) mod 256
5) K = S[t]
You now can xor K against the plaintext to encrypt or against the
ciphertext to decrypt
to schedule a key (extend it to fill K (256 bytes))
1) for i = 0 to 255 do
2) i = (j + S[i] + K[i]) mod 256
3) Swap(S[i], S[j])
This was all copied from page 397 of Applied Crypto.
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: New and Improved Peekboo (ICQ/email secret messages)
Date: Mon, 23 Aug 1999 13:42:04 GMT
I got some sense pounded into me, and added Blowfish, CAST, RC5 and X-
TEA (for fun) to PeekBoo. The website is not updated but you can get
the binary and help file from
http://people.goplay.com/tomstdenis/peekboo.exe
http://people.goplay.com/tomstdenis/readme.txt
In case anyone was wondering I do not plan to sell PeekBoo at any time,
nor do I hold it solely as 'my own'. I am available to give out the
source code, only that I ask you not to make your own 'versions' in
return.
The program is designed so even crypto-nobodies can use it. It has the
problem of key exchange but other then that it works great.
I am in the middle of cleaning up the program and adding more ciphers
(namely TwoFish).
Feedback is welcomed.
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Rochus Wessels <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: 23 Aug 1999 15:50:50 +0200
[EMAIL PROTECTED] writes:
> [...] By the way, if
> a "traditional" type of attack is found against finalist A that
> requires 2^50 known plaintexts and 2^50 computer resources (some
> function of work and memory) and another attack is found against
> candidate B that requires only a thousand plaintexts and 2^100 computer
> resources, which cipher should be considered more secure?
I would call attacks with
2^30 - 2^40 known plaintexts/chosen plaintexts/chosen ciphertexts
(depends on application, bounded mostly by network speed)
2^50 - 2^55 memory
2^70 - 2^80 time (encryptions)
feasible, at least in some years.
The cipher for which the requirements are closer or even below
these bounds should be considered more insecure.
(And if all three reqirements are below, TOO insecure).
If computer resources are defined as time*memory (which is reasonable,
since most attacks allow time/memory-tradeoffs), (A) is more secure.
BUT only, if there is no tradeoff resources/#texts (depends on attack).
------------------------------
From: [EMAIL PROTECTED] (Padgett 0sirius)
Subject: Re: Twofish on a 68HC11
Date: Mon, 23 Aug 1999 07:00:00
>I'd like to know if anybody has got
>Twofish on a 68HC11.
You want crypto in your Cadillac ?
A. Padgett Peterson, P.E. Cybernetic Psychophysicist
http://www.freivald.org/~padgett/index.html
to avoid antispam use mailto:[EMAIL PROTECTED] PGP 6.0 Public Key Available
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: question regarding number of keys possible. . .
Date: 23 Aug 99 13:57:56 GMT
Wesley Horton ([EMAIL PROTECTED]) wrote:
: Did anyone ever come up with an effective method of generating such
: wirings (interval wiring) of rotors on a computer?
Here we are: this version of my BASIC program generates, for a given rotor
size, all the possible wirings, with a parenthesized list of the intervals
below:
DIM c%(50), r%(50), d%(50), s%(50)
INPUT "Size"; nn%
FOR n% = 4 TO nn% STEP 2
t& = 0
li% = n% / 2
FOR j% = 2 TO li%
FOR i% = 1 TO n% - 3
c%(i%) = 0
NEXT i%
10 FOR i% = 1 TO li% - 1
d%(i%) = i%
NEXT i%
FOR i% = li% TO n% - 1
d%(i%) = i% + 1
NEXT i%
FOR i% = 1 TO n%
s%(i%) = -1
NEXT i%
r%(1) = 1: s%(1) = 1
r%(j%) = j%: s%(j%) = j%
u% = 2: v% = 1
20 IF u% = j% THEN u% = u% + 1
IF c%(v%) = 0 THEN 25
rd% = v% + c%(v%)
tt% = d%(rd%)
d%(rd%) = d%(v%)
d%(v%) = tt%
25 dd% = d%(v%)
de% = 1 + (u% + dd% - 1) MOD n%
IF s%(de%) > -1 THEN 40
r%(u%) = de%
s%(de%) = u%
u% = u% + 1
v% = v% + 1
IF v% < n% - 1 THEN 20
t& = t& + 1
FOR i% = 1 TO n%
PRINT r%(i%);
NEXT i%
PRINT
PRINT "(";
FOR i% = 1 TO n%
PRINT (n% + r%(i%) - i%) MOD n%;
NEXT i%
PRINT ")"
40 IF v% > n% - 2 THEN v% = n% - 2
45 c%(v%) = c%(v%) + 1
IF c%(v%) < n% - (v% + 1) THEN 10
c%(v%) = 0
v% = v% - 1
IF v% > 0 THEN 45
NEXT j%
j% = li% + 1
FOR i% = 1 TO n% - 3
c%(i%) = 0
NEXT i%
110 FOR i% = 1 TO li% - 1
d%(i%) = i%
NEXT i%
FOR i% = li% TO n% - 1
d%(i%) = i% + 1
NEXT i%
FOR i% = 1 TO n%
s%(i%) = -1
NEXT i%
r%(1) = 1: s%(1) = 1
r%(j%) = j%: s%(j%) = j%
u% = 2: v% = 1
120 IF u% <> j% THEN 124
u% = u% + 1
IF c%(v%) = 0 THEN 123
rd% = v% + c%(v%)
tt% = d%(rd%)
d%(rd%) = d%(v%)
d%(v%) = tt%
123 dd% = d%(v%)
IF dd% < d%(1) THEN 140
GOTO 126
124 IF c%(v%) = 0 THEN 125
rd% = v% + c%(v%)
tt% = d%(rd%)
d%(rd%) = d%(v%)
d%(v%) = tt%
125 dd% = d%(v%)
126 de% = 1 + (u% + dd% - 1) MOD n%
IF s%(de%) > -1 THEN 140
r%(u%) = de%
s%(de%) = u%
u% = u% + 1
v% = v% + 1
IF v% < n% - 1 THEN 120
t& = t& + 1
FOR i% = 1 TO n%
PRINT r%(i%);
NEXT i%
PRINT
PRINT "(";
FOR i% = 1 TO n%
PRINT (n% + r%(i%) - i%) MOD n%;
NEXT i%
PRINT ")"
140 IF v% > n% - 2 THEN v% = n% - 2
145 c%(v%) = c%(v%) + 1
IF c%(v%) < n% - (v% + 1) THEN 110
c%(v%) = 0
v% = v% - 1
IF v% > 0 THEN 145
PRINT "Total for "; n%; " is: "; t&
NEXT n%
END
However, it simplifies matters for itself by using symmetries. Only rotors
of even order are dealt with; the number of interval-method rotors of odd
order are a standard sequence in the Handbook of Numerical Sequences, so I
didn't worry about them. For even order, one interval has to be
duplicated; I only computed the wirings where the zero displacement
appeared twice. Also I avoid producing wirings for the same rotor,
rotated.
This next program just gives the number of wirings for all even orders up
to the one entered:
DIM c%(50), r%(50), d%(50), s%(50)
INPUT "Size"; nn%
FOR n% = 4 TO nn% STEP 2
t& = 0
li% = n% / 2
FOR j% = 2 TO li%
FOR i% = 1 TO n% - 3
c%(i%) = 0
NEXT i%
10 FOR i% = 1 TO li% - 1
d%(i%) = i%
NEXT i%
FOR i% = li% TO n% - 1
d%(i%) = i% + 1
NEXT i%
FOR i% = 1 TO n%
s%(i%) = -1
NEXT i%
r%(1) = 1: s%(1) = 1
r%(j%) = j%: s%(j%) = j%
u% = 2: v% = 1
20 IF u% = j% THEN u% = u% + 1
IF c%(v%) = 0 THEN 25
rd% = v% + c%(v%)
tt% = d%(rd%)
d%(rd%) = d%(v%)
d%(v%) = tt%
25 dd% = d%(v%)
de% = 1 + (u% + dd% - 1) MOD n%
IF s%(de%) > -1 THEN 40
r%(u%) = de%
s%(de%) = u%
u% = u% + 1
v% = v% + 1
IF v% < n% - 1 THEN 20
t& = t& + 1
40 IF v% > n% - 2 THEN v% = n% - 2
45 c%(v%) = c%(v%) + 1
IF c%(v%) < n% - (v% + 1) THEN 10
c%(v%) = 0
v% = v% - 1
IF v% > 0 THEN 45
NEXT j%
j% = li% + 1
FOR i% = 1 TO n% - 3
c%(i%) = 0
NEXT i%
110 FOR i% = 1 TO li% - 1
d%(i%) = i%
NEXT i%
FOR i% = li% TO n% - 1
d%(i%) = i% + 1
NEXT i%
FOR i% = 1 TO n%
s%(i%) = -1
NEXT i%
r%(1) = 1: s%(1) = 1
r%(j%) = j%: s%(j%) = j%
u% = 2: v% = 1
120 IF u% <> j% THEN 124
u% = u% + 1
IF c%(v%) = 0 THEN 123
rd% = v% + c%(v%)
tt% = d%(rd%)
d%(rd%) = d%(v%)
d%(v%) = tt%
123 dd% = d%(v%)
IF dd% < d%(1) THEN 140
GOTO 126
124 IF c%(v%) = 0 THEN 125
rd% = v% + c%(v%)
tt% = d%(rd%)
d%(rd%) = d%(v%)
d%(v%) = tt%
125 dd% = d%(v%)
126 de% = 1 + (u% + dd% - 1) MOD n%
IF s%(de%) > -1 THEN 140
r%(u%) = de%
s%(de%) = u%
u% = u% + 1
v% = v% + 1
IF v% < n% - 1 THEN 120
t& = t& + 1
140 IF v% > n% - 2 THEN v% = n% - 2
145 c%(v%) = c%(v%) + 1
IF c%(v%) < n% - (v% + 1) THEN 110
c%(v%) = 0
v% = v% - 1
IF v% > 0 THEN 145
PRINT "Total for "; n%; " is: "; t&
NEXT n%
END
A table of output from these programs, combined with the odd-order numbers
from another source, is on my web page. A link to it is present at
http://www.freenet.edmonton.ab.ca/~jsavard/roto02.htm
John Savard
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: How does RC4 work ?
Date: 23 Aug 99 14:00:33 GMT
Georg Zetzsche ([EMAIL PROTECTED]) wrote:
: Hi all!
: Does anybody know, how the RC4 - encryption algorithm works ?
: I watched the source code and it looked like a simple XOR but with a
: checksum.
The alleged workings of RC4 are noted in Applied Cryptography by Bruce
Schneier. I mention them to, in the page on "Other Stream Ciphers"; you
can get to it from
http://www.freenet.edmonton.ab.ca/~jsavard/comp04.htm
however, on that page RC4 is not mentioned by name; I simply note that "a
popular stream cipher" works by using a table of 256 entries from which
two entries are selected and XORed to produce the output.
John Savard
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: all or nothing (wrapped pcbc)
Date: Mon, 23 Aug 1999 15:08:58 GMT
Tom St Denis wrote:
>I agree that bit commitment is a nice property, however I still don't
>get it.
>For example
>
>C1 = Ek(P1)
>C2 = Ek(P2 xor C1)
>C3 = Ek(P3 xor C2)
>
>... CBC stream ...
>
>if I flip a early bit the rest will mess up, we know this. If I flip a
>bit in the last word so what?
Hmm, I am not sure if actually "WE KNOW THIS". If I got you
right and am not wrong myself I would rather say that if you
flip a bit in - let's say C2 - in a file encryptet using the CBC mode,
the only plaintext blocks that will be messed up will be P2 & P3.
P4 and the rest will stay the same beacause
P4=Dk(C4) XOR C3 with C3 being not influenced by the flip.
The rest WOULD mess up if you modified the CBC mode for example in this
way:
C1=Ek(P1)
C2=Ek(P2 XOR P1)
C3=Ek(P3 XOR P2)
...
Is that right?
Bartosz Zoltak
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Please help a HS student with an independent study in crypto
Date: Mon, 23 Aug 1999 11:26:26 -0400
>
Read Stinsons Crypto book, Cryptography Theory and Practice for starters.
Handbook of applied cryptography, form Menezes, Oorschot and Vansone
has a _huge_ bibliography, you can surely get some reference ideas form
there.
Anton
------------------------------
From: Gary <[EMAIL PROTECTED]>
Subject: MUM
Date: Mon, 23 Aug 1999 11:22:36 -0400
MUM (Matrix Uninvertible Message)
Let [Sa], [Sb] and [C] be 2X2 Matrices (Mod 2 to the power of 32).
(Each matrix is 128 bits long)
Let [Sa] and [Sb] be invertible.
(Determinants not equal to 0 and odd (relatively prime to 2 to the power of
32))
Let [C] be uninvertible.
(Determinant equal to 0)
[Sa] & [Sb] are generated using 128 bit random numbers.
They can be re-chosen until passes invertible check.
[C] uses 2 randomly generated 32 bit numbers. Their product is factorised.
This is used to create the 2 other 32 bit numbers to yield a 0 determinant.
Public key sender broadcasts the pair [C][Sb] and [C].
(using matrix multiplication [C][Sb]=[C]X[Sb] (mod 2 to the power of 32))
Replier sends back [Sa][C].
Both can generate [Sa][C][Sb] as a secretly shared key.
(Replier uses [Sa] multiplied by public key senders [C][Sb])
(Public key sender uses replier's [Sa][C] multiplied by [Sb])
Are there similar systems making use of uninvertible carrier keys?
What are the weaknesses of such a system? I'm sure there are loads.
Given [C][Sb] and [C], can [Sb] be found without brute force?
Certain uninvertible matrices are stronger than others?
KEEP MUM ;)
Gary
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Cipher-Feedback Mode
Date: Mon, 23 Aug 1999 11:54:11 -0400
OFB error propagation is limited to the exact bit that has an error, where
as
in CFB mode, an error in a block is propagated to the whole block + the
next
floor(n/k) blocks. But on the other hand, CFB has better throughput,
this could
be a factor if you are using the mode to transform your block cipher into
a stream
cipher.
Note: some precomputations can speed the throughput of CFB do.
Anton
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: IDEA in Applied Crypto
Date: Mon, 23 Aug 1999 15:29:24 GMT
first off, yes I read the previous thread on this but the question was
never really answered.
So I will ask, does anybody know of any errata from the IDEA C code
from Applied Crypto?
I am adding it to PeekBoo and it doesn't work at all. I trim the code
(possibly where I made an error) to be designed for x86 32-bit
platforms only (since that's what PeekBoo runs on anyways), and used
the inline mul code...
Anyways... The code compiles (yippideedoo) but doesn't
encrypt/decrypt. I can send the source file I have if anyone has the
courage to read it (although my code is normally rather neat).
Thanks in advance!!!
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: MUM
Date: Mon, 23 Aug 1999 15:59:35 GMT
Gary <[EMAIL PROTECTED]> wrote, in part:
>Public key sender broadcasts the pair [C][Sb] and [C].
OK: this is sort of like Diffie-Hellman.
Two people wish to communicate; each one thinks of an invertible
matrix.
A non-invertible matrix is disclosed.
The non-invertible matrix, C, is public, and so are [Sa][C] and
[C][Sb]. An eavesdropper could calculate [Sa][C][C][Sb], but only the
participants could calculate [Sa][C][Sb].
Is this a way of doing Diffie-Hellman without exponentiation?
I think the problem will be something like this: C will commute with
both [Sa][C] and [C][Sb], so a "kind of" inverse of C - one that will
remove every change that C makes *except* for the blurring of its
inputs that makes it noninvertible - can be calculated, and that
inverse, even though it isn't the true inverse, will be "good enough"
to allow an attacker to calculate [Sa][C][Sb].
Those with more math expertise can, doubtless, make this more
definite.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: *2nd* trusted arbitrator's name??
Date: Mon, 23 Aug 1999 16:05:38 GMT
[EMAIL PROTECTED] (Matthew Skala) wrote, in part:
>Making it start with U seems sensible, but in keeping with the gender
>alternation tradition of "Alice, Bob, Carol, Dave", it seems like it
>should be a feminine name, like Uma. This isn't just political
>correctness; it's really convenient to have two people in a protocol be of
>opposite gender when we're talking about them in English, because then we
>can use personal pronouns like "he" and "she" without having to stop all
>the time to disambiguate.
And it's easier to find feminine names that start with U: Ursula comes
to mind.
I'm not sure, though, that gender alternation will help at this point,
since if a protocol involving a trusted arbitrator is being described,
we still have Alice and Bob.
Letter symbols, and the one-syllable (where possible) names are
usable: I think switching to pronouns isn't often done in such
descriptions.
But except for Eve, the eavesdropper, all the other characters besides
the first four were male, so I'm not sure it's a strong tradition
either.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: How does RC4 work ?
Date: Mon, 23 Aug 1999 16:08:49 GMT
[EMAIL PROTECTED] () wrote, in part:
>Georg Zetzsche ([EMAIL PROTECTED]) wrote:
>: Hi all!
>: Does anybody know, how the RC4 - encryption algorithm works ?
>: I watched the source code and it looked like a simple XOR but with a
>: checksum.
>The alleged workings of RC4 are noted in Applied Cryptography by Bruce
>Schneier. I mention them too
Here we are, from
http://www.freenet.edmonton.ab.ca/~jsavard/co041102.htm
One very popular stream cipher has been alleged to function as
follows:
Using two variables that store one byte each, in addition to the
table, generate bytes as follows:
Start with A and B equal to zero.
Each iteration proceeds in this way:
Increment A (modulo 256).
Add the A-th element of the table to B (modulo 256).
Use as the output byte the element of the table specified by the
modulo-256 sum of the A-th element and the B-th element of the
table.
Exchange the A-th element and the B-th element of the table with
each other.
The initial arrangement of the 256-byte table is created by a
procedure involving a second 256-byte table. The table to be used in
generating pseudorandom bytes is initialized to the numbers from 0 to
255 in order. The other table is filled with the bytes of the key
repeated over and over until it is full.
Start again with A and B equal to zero.
Repeat the following steps 256 times:
Replace B with the sum of B and the A-th element of both tables.
Increment A.
Swap the A-th element and the B-th element of the table to be
used later, leaving the one containing the key alone.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Yao's millionaire problem without asymmetry?
Date: Mon, 23 Aug 1999 12:08:42 -0400
This was a problem with the first known MPC schemes, some players
getting the result before others. But it was fixed since some time now
(Chaum, Damgard, van de Graaf, CRYPTO 87, and Goldreich, Micali,
Wigderson ACM Symp. Theor. of Computing 87, gave MPC schemes
that don't have this problem.) MPC has come a long way now, but all
the schemes I know of are a general solution to the problem of computing
a general function, the specific ones are for certain encryption
algorithms,
database search, votes, etc... But I haven't seen one specific to the
millionaires problem.
Conclusion, the weakness you talk about certainly _can_ be patched up,
but I wouldn't be able to tell you how just like that.
Anton S.
The Walters wrote:
> In _Applied Cryptography_, a secure multiparty computation protocol for
> resolving Yao's millionaire problem is described. However, one described
> weakness of the protocol for determining if i <= j, where Alice gives i
> and Bob gives j without Alice and Bob knowing the other's given value is
> that Alice learns the result of the comparison before Bob and there is
> no forced obligation to share the result with Bob.
>
> Is there a way to patch up this weakness? Or is there something inherent
> in the problem which prevents this?
>
> Thanks,
>
> Jim Walters
> [EMAIL PROTECTED]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
