Cryptography-Digest Digest #254, Volume #10      Fri, 17 Sep 99 08:13:03 EDT

Contents:
  Re: crypto export rules changing (Bill Unruh)
  Re: crypto export rules changing (Bill Unruh)
  (US) Administration Updates Encryption Export Policy (Helger Lipmaa)
  Re: Ritter's paper (Jerry Coffin)
  Re: ECC (again...) (Jerry Coffin)
  Re: Comments on ECC (Robert Harley)
  Re: VICTORY??? (was: crypto export rules changing) (fungus)
  Re: Mystery inc. (Beale cyphers) (Johnny Bravo)
  Re: Analogues to ECC over higher dim. abelian groups (Robert Harley)
  Re: Current US Export Law (Bill Unruh)
  Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out (Daniel James)
  Re: Exclusive Or (XOR) Knapsacks ("Gary")
  Re: Okay "experts," how do you do it? (SCOTT19U.ZIP_GUY)
  Re: crypto export rules changing (SCOTT19U.ZIP_GUY)
  Re: Crypto 3.5 (Tom St Denis)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: talk.politics.crypto
Subject: Re: crypto export rules changing
Date: 17 Sep 1999 07:13:45 GMT

In <7rrb4k$[EMAIL PROTECTED]> [EMAIL PROTECTED] (Paul Rubin) writes:

>A big liberalization of export rules is supposed to be announced
>today, but apparently there will also be some key escrow provisions.

Hardly big. Basically an attempt to buy off the large corporations so
that they will not join in the push for open systems. It makes their
stance more and more of a farce.

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: talk.politics.crypto
Subject: Re: crypto export rules changing
Date: 17 Sep 1999 07:15:13 GMT

In <VqiE3.5630$[EMAIL PROTECTED]> [EMAIL PROTECTED] (Dmitri Alperovitch) writes:

>Um. Question - if they are willing to allow open export of unlimited
>size keys (except when the destination is a terrorist state), why do they 
>still want a one-time review of your application?  If there is no limit on the 
>size of the key you can use  anymore, it shouldn't be any of their business 
>about the way your algorithm works or how strong it is, right?

Sure. They want a record of what crypto you are actually using, so they
can narrow their attack.

------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: (US) Administration Updates Encryption Export Policy
Date: Fri, 17 Sep 1999 06:47:29 +0000

FYI
Helger Lipmaa
http://home.cyber.ee/helger
=================================================

 http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/1999/9/16/15.text.1

THE WHITE HOUSE

                     Office of the Press Secretary
________________________________________________________________________

For Immediate Release                                 September 16, 1999

                               FACT SHEET

            Administration Updates Encryption Export Policy

Today, the Clinton Administration announced a new approach to encryption
policy that includes updates and simplifies export controls.  The major
components of this update are as follows:

Global exports to individuals, commercial firms or other
non-governmental entities

Any encryption commodity or software of any key length can now be
exported under a license exception (i.e., without a license) after a
technical review, to commercial firms and other non-government end users
in any country except for the seven state supporters of terrorism.
Exports previously allowed only for a company's internal use can now be
used for communication with other firms, supply chains and customers.
Additionally, telecommunication and Internet service providers may use
any encryption commodity or software to provide services to commercial
firms and non-government end users.  Previous liberalizations for banks,
financial institutions and other approved sectors are subsumed under
this Update.  Exports to governments can be approved under a license.

Global exports of retail products

Retail encryption commodities and software of any key length may be
exported under a license exception (i.e., without a license) after a
technical review, to any recipient in any country except to the seven
state supporters of terrorism.  Retail encryption commodities and
software are those products which do not require substantial support for
installation and use and which are sold in tangible form through
independent retail outlets, or products in tangible or intangible form,
which have been specifically designed for individual consumer use.
There is no restriction on the use of these products.  Additionally,
telecommunication and Internet service providers may use retail
encryption commodities and software to provide services to any
recipient.

Implementation of the December 1998 Wassenaar Arrangement Revisions

Last year, the Wassenaar Arrangement (33 countries which have common
controls on exports, including encryption) made a number of changes to
modernize multilateral encryption controls.  As part of this update, the
U.S. will allow exports without a license of 56 bits DES and equivalent
products, including toolkits and chips, to all users and destinations
(except the seven state supporters of terrorism) after a technical
review.  Encryption commodities and software with key lengths of 64-bits
or less which meet the mass market requirements of Wassenaar's new
cryptographic note will also be eligible for export without a license
after a technical review.

U.S. Subsidiaries

Foreign nationals working in the United States no longer need an export
license to work for U.S. firms on encryption.  This extends the policy
adopted in last year's update, which allowed foreign nationals to work
for foreign subsidiaries of U.S. firms under a license exception (i.e.,
without a license).

Export Reporting

Post-export reporting will now be required for any export to a non-U.S.
entity of any product above 64 bits.  Reporting helps ensure compliance
with our regulations and allows us to reduce licensing requirements.
The reporting requirements will be streamlined to reflect business
models and practices, and will be based on what companies normally
collect.  We intend to consult with industry on how best to implement
this part of the update.

                                  ###
------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Ritter's paper
Date: Fri, 17 Sep 1999 01:04:31 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> In the case of these other ciphers, such as Blum-Blum Shub, the term
> always means "provably as secure as" a mathematical problem, such as
> factoring or discrete logarithm, which cannot itself be proved to be truly
> hard.

I'd change "cannot itself be proved" to "has not been proven" -- 
TTBOMK, nobody knows a way of proving that these problems have any 
particular level of difficulty, but nobody's shown that a proof of 
their difficulty is impossible either.  I suspect this is what you 
really meant, but when you're talking about things like provable 
security, you just about have to get the wording exactly right, or 
somebody's inevitably going to try to turn it into argument over your 
wording instead of the real topic at hand...

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: ECC (again...)
Date: Fri, 17 Sep 1999 01:04:34 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> Hello !
> 
> I'm looking for elliptic curves algorithms :
> a public key cryptosystem which doesn't derive from Diffie-hellman.
> 
> The only algorithms I found are based on shared secret key and uses
> symetric cryptosystem (ECAES for example)...
> Why is it so difficult to find a public key cryptosystem which "simply"
> encode the text ?

Because most currently-known forms of public-key encryption are at 
least an order of magnitude (and typically more like three orders of 
magnitude) slower than even a relatively slow symmetric algorithm.

In theory, this could weaken the overall system a bit: a serious break 
in either the public-key algorithm OR the symmetric algorithm being 
used can result in the encrypted text being revealed.

In reality, I suspect more or less the opposite happens: in reality, a 
random key is chosen for each session, so unless you send a single 
tremendously large message, there's unlikely to ever be enough text 
encrypted with a single symmetric key to allow a message to be decoded 
even if the symmetric algorithm is badly broken.  At the same time, 
since you're encrypting only a VERY small amount of data with the slow 
public-key algorithm, there's little call to try to speed up the PK 
encryption process.  Since (at least in most cases) the speed of PK 
algorithms varies inversely with the key size, this means it's 
perfectly reasonable to use a substantially larger key than is likely 
to be really necessary, rather than trying to use the smallest key you 
can get away with to keep the speed reasonable.

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Comments on ECC
Date: 17 Sep 1999 09:46:26 +0200


John Myre <[EMAIL PROTECTED]> writes:
> Mike removed some of Bruce's text.  The "tiring" comment comes
> after an assertion that 512 bit RSA keys have been considered
> too short by experts for quite a while.

Thanks, I'm reassured.  If that comment referred to 512-bit RSA then
it is entirely justified.

Bye,
  Rob.

------------------------------

From: fungus <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: VICTORY??? (was: crypto export rules changing)
Date: Fri, 17 Sep 1999 09:48:07 +0200



"Douglas A. Gwyn" wrote:
> 
> Paul Rubin wrote:
> > A big liberalization of export rules is supposed to be announced
> > today, but apparently there will also be some key escrow provisions.
> > http://www.sjmercury.com/breaking/headline1/024676.htm
> 
> If the "liberalization" includes mandatory key escrow,
> then it isn't the great advance that the article indicates.


I just heard that they completely dropped all export control
except to blacklisted countries (IRAQ, etc.) The only requirement
is that companies provide the feds with a list of their known
resellers.




-- 
<\___/>
/ O O \
\_____/  FTB.


------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: Mystery inc. (Beale cyphers)
Date: Fri, 17 Sep 1999 00:53:22 GMT

On Thu, 16 Sep 1999 18:53:22 GMT, [EMAIL PROTECTED] (Roger Fleming)
wrote:

>1. The quantity of treasure: some 1.3 metric tonnes of gold (value today, 
>around $US 18 million) and 2.3 tonnes of silver (a little under half a 
>million), plus gems (wildly guessing average CPI over the last 178 years at 
>3%, somewhere around several million). This is a _huge_ hoard of treasure; 

  Bigger loads have been taken from shipwrecks off the south coast of
Florida.  There was a great deal of silver and gold taken from the New
World by the Spanish, and quite a bit of it never made it back home. 
It is possible; that doesn't make it likely, but it's not impossible
either.

  Moving it might be a slightly bigger challenge, but it would easily
have fit on 20 or so mules.  Why it was buried would be a bigger
question, as well as why no one involved squealed at some point. :)

  It is indeed treasure that originated with the Spanish; they got a
small boatload of gems (mainly emeralds) from the conquest.  And a
great deal of that never made it back to Spain either. :)

  Not that any of this is proof either way, but it's not impossible.  

  Johnny Bravo



------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Analogues to ECC over higher dim. abelian groups
Date: 17 Sep 1999 10:54:22 +0200


Alex writes:
> Could someone point me at any papers studying analogues to Elliptic
> Curve cryptography over higher dimensional abelian groups?

The basics are the same.
You've got a group where you can define a discrete logarithm etc.
But there are major problems.


For a start you want something you know how to compute efficiently in,
such as the Jacobian of a hyperelliptic curve.


However discrete logarithms are sub-exponential when the genus is
large because you can obviously do index-calculus.

Pierrick Gaudry of École Polytechnique has an improved version of the
Adleman-DeMarrais-Huang algorithm and we estimate that in genus 9, for
instance, it is perfectly feasible in practice to compute a discrete
log in a group of more than 2^200 points.


So you are necessarily forced to stick with small genus, like 2,3,4.
(genus 1 would bring you back to elliptic curves).


If you pick some special case then you're just looking for trouble,
but if you pick a random case then it is difficult to even count the
size of the group!

At the moment we are working on counting points in genus 2.  We know
how to do up to about 10^34 points in a few days, by counting modulo
40320 using a Schoof-type algorithm and then going at it with a
birthday-paradox algorithm on a 500MHz Alpha Linux workstation.

Here's an example.  Take:

  y^2 = x^5 + 1597*x^4 + 1041*x^3 + 5503*x^2 + 6101*x + 1887

modulo p = 1000000000000037.  Then #J = 999999957656830999779505994685.


But that's tiny.  Counting a random group big enough to make the
discrete logarithm impossible for the next ten years (say) is
something nobody can do yet, AFAIK.


Some references:

  "Hyperelliptic Cryptosystems"
  Neal Koblitz
  Journal of Cryptology (1989) 1
  -- chooses curves some of which are completely broken (supersingular)


  "On the performance of hyperelliptic cryptosystems"
  Nigel Smart
  HP Labs report 98-162
  -- chooses curves in characteristic two with no 2-torsion (a.k.a.,
     "very special") but warns of the danger.


  "A Subexponential Algorithm for Discrete Logarithms [etc]"
  Leonard Adleman, Jonathan DeMarrais, Ming-Deh Huang
  Algorithmic Number Theory 1, 1994.
  Springer Verlag LNCS 977

Bye,
  Rob.

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Current US Export Law
Date: 17 Sep 1999 07:17:21 GMT

In <[EMAIL PROTECTED]> Bill Lynch <[EMAIL PROTECTED]> writes:
>similiar to one that RSA Labs would sell. Could IBM engineer the
>software on their servers to be compatable with the French program so
>that an overseas customer would basically just plug in the French
>program and be on their way? Since there's no strong encryption in the

No. They also cannot put in crypto "hooks". Of course, if that hook had
other uses as well, then the law cannot cover it.

------------------------------

From: Daniel James <[EMAIL PROTECTED]>
Crossposted-To: rec.arts.sf.written,alt.cyberpunk
Subject: Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out
Date: Fri, 17 Sep 1999 12:08:47 +0100
Reply-To: [EMAIL PROTECTED]

In article <7roqk1$45k$[EMAIL PROTECTED]>, Globalhead wrote:

> > [I wrote]
> >Indeed, in the preface to "Zodiac", his first published novel
> 
> For the sake of accuracy I should point out that "Zodiac" was Neal
> Stephenson's second published novel. His first was "The Big U", if memory
> serves.
>

I stand corrected. I'll look out for that one, but ...

In my defence I point out that the author's notes at the start of my 
paperback copy of 'Snow Crash' (his third ??? book) says "His first novel, 
'The Big Mr. U' was published in 1984 and vanished without trace".

If it vanished without trace, how could I be expected to know? <smile>

[Anyone who answers "By reading the notes at the start of 'SnowCrash'" will 
be treated with the contempt they deserve. ]

Cheers,
 Daniel.


------------------------------

From: "Gary" <[EMAIL PROTECTED]>
Subject: Re: Exclusive Or (XOR) Knapsacks
Date: Fri, 17 Sep 1999 12:26:21 +0100

What if the matrix wasn't square?
In particular if the number of elements were larger than the bit size.

David Wagner wrote in message
<7rrgb0$7vd$[EMAIL PROTECTED]>...
>In article <%_8E3.290$gE.6812@stones>, Gary <[EMAIL PROTECTED]> wrote:
>> Problem:
>> Given an n bit number X and a set {B1,B2,...,Bn} of n bit numbers; is
>> there a subset whose elements collectively XORed give X?
>>
>> Can the general problem be solved easily?
>
>Yes.  Gaussian elimination will solve it in O(n^3) time.
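The elimination Wagner refers to, written out as an added example (not code from anyone in this thread): each bit position of the numbers becomes one row of a linear system over GF(2), each candidate B_j becomes one column, and the target X is the right-hand side. Because the matrix is built as n rows by m columns, it also covers Gary's follow-up where the number of elements m differs from the bit size n; the sample inputs below are constructed for illustration.

```python
from typing import List, Optional


def xor_subset(basis: List[int], target: int, nbits: int) -> Optional[List[int]]:
    """Return indices i such that XOR of basis[i] equals target, or None.

    Rows are packed into ints: bit j of row `k` holds bit k of basis[j]
    (the GF(2) coefficient of unknown x_j), and bit m holds bit k of target.
    Works for any m (number of elements) versus n (bit size); when the
    system is underdetermined, free unknowns are simply set to 0.
    """
    m = len(basis)
    rows = []
    for bit in range(nbits):
        r = 0
        for j, b in enumerate(basis):
            if (b >> bit) & 1:
                r |= 1 << j
        if (target >> bit) & 1:
            r |= 1 << m
        rows.append(r)

    # Gauss-Jordan elimination over GF(2): row addition is XOR.
    pivot_cols = []
    rank = 0
    for col in range(m):
        piv = next((i for i in range(rank, nbits) if (rows[i] >> col) & 1), None)
        if piv is None:
            continue  # no pivot in this column: x_col is a free unknown
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(nbits):
            if i != rank and (rows[i] >> col) & 1:
                rows[i] ^= rows[rank]
        pivot_cols.append(col)
        rank += 1

    # After elimination every row below the rank has zero coefficients;
    # if its target bit is still 1 the system 0 = 1 is inconsistent.
    for i in range(rank, nbits):
        if (rows[i] >> m) & 1:
            return None

    # Reduced echelon form with free unknowns at 0: each pivot unknown
    # equals the right-hand side bit of its own row.
    return [col for i, col in enumerate(pivot_cols) if (rows[i] >> m) & 1]


def xor_of(basis: List[int], subset: List[int]) -> int:
    """XOR together the chosen elements, to check a returned subset."""
    acc = 0
    for i in subset:
        acc ^= basis[i]
    return acc


if __name__ == "__main__":
    # Constructed sample: six 4-bit elements (more elements than bits).
    B = [0b0011, 0b0110, 0b1100, 0b0101, 0b1111, 0b0001]
    print(xor_subset(B, 0b1010, 4))        # a subset XORing to 1010
    print(xor_subset([0b0011, 0b0110, 0b0101], 0b1000, 4))  # None
```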



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 12:43:29 GMT

In article <[EMAIL PROTECTED]>, Eric 
Lee Green <[EMAIL PROTECTED]> wrote:
>David Wagner wrote:
>> Or, post to sci.crypt via an anonymous remailer.  (See www.replay.com.)
>> If people react differently to your post, you can claim glorious victory.
>
>Sadly enough, people with distinctive writing (or spelling!) styles
>don't get much by going through anonymous remailers.
>
>Reminds me of when I posted an anonymous message at LinuxToday about
>goings-on inside a Linux company. Within thirty minutes I had the
>president of the company and the marketing director of the company in my
>office to agree with what I'd posted anonymously :-). (They recognized
>my writing style, and also recognized that the issue had been discussed
>extensively within our company so it was someone within our company). 
>
 Reminds me of a New Year's party. Where we had to make up a short 
jokey type of thing about some phony change. We put them in a hat and
drew them out at random. The one I wrote was read and everyone laughed.
They were supposed to be anonymous but in ten seconds a secretary said
I bet that's Scott's. Then she grabbed it and looked at the writing. And said
yes that's his. Well the party went on, I thought all had forgotten. But at work
the whole next month rumors were flying at what I wrote. A secretary, the
kind built like a brick shithouse, even came to my desk and was upset
because she said I had started rumors that were causing her a possible
divorce. I told her exactly what happened; she did not believe it. Till she 
talked to those at the party, then she cooled down and realized how 
funny it was.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: talk.politics.crypto
Subject: Re: crypto export rules changing
Date: Fri, 17 Sep 1999 12:16:06 GMT

In article <7rsbvn$8sp$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] (David Wagner) wrote:
>In article <VqiE3.5630$[EMAIL PROTECTED]>,
>Dmitri Alperovitch <[EMAIL PROTECTED]> wrote:
>> Um. Question - if they are willing to allow open export of unlimited
>> size keys (except when the destination is a terrorist state), why do they 
>> still want a one-time review of your application?  If there is no limit on the 
>> size of the key you can use  anymore, it shouldn't be any of their business 
>> about the way your algorithm works or how strong it is, right?
>
>I've heard more than one person conjecture that the main goal of the
>one-time review process is _not_ to review your product for compliance
>with export rules, but rather to gather intelligence about your product.
   If that were true then an FTP of the source code in response to the
NSA would be all that is needed. Wake up David.
>
>If they have the source, they can look for buffer overruns, bad RNGs,
>and all sorts of other bugs they can exploit, in case anyone ever uses
>your crypto for anything interesting.  And, they get a chance to ask
>you to go change that magic constant in the corner over there before
>you ship...
    To ask or demand?
>
>I see no easy way to confirm or refute this conjecture, but it's an
>interesting hypothesis.
      Then look, it is obvious: the old Clinton trick of lie and continue
to do the same. Except make sure the blue dress is clean.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Crypto 3.5
Date: Fri, 17 Sep 1999 12:00:22 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (JPeschel) wrote:
> Crypto 3.5
>
> (http://www.execpc.com/~sbd/Crypto.html)
>
> How secure do you reckon it is?

Well, if they use Blowfish right it's probably secure.  They don't mention how
the passwords are handled, which scares me.

[ well we truncate at the 4th char and ... ]

Plus it's 121kb zipped?  How big does it have to be... another plug, but
peekboo is still only 40kb (with the public key stuff).

Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************