Cryptography-Digest Digest #348, Volume #10       Fri, 1 Oct 99 19:13:03 EDT

Contents:
  Re: Random number generation (Scott Nelson)
  Re: I need a good book on crypto and math. ("Steven Alexander")
  Re: I need a good book on crypto and math. ("Stephen M. Gardner")
  Re: EAR Relaxed? Really? (Jerry Coffin)
  Re: NEW DATA SCOTT19U CONTEST (Tom St Denis)
  Re: How good is java.security.SecureRandom ? (Paul Koning)
  Yarrow + Panama: an idea (long) (John Myre)
  Twofish on FPGAs (Bruce Schneier)
  RC4 hash function (long) (John Myre)
  Re: New Export Regulations (Steve Wildstrom)
  Re: EAR Relaxed? Really? (Alan Mackenzie)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: Random number generation
Reply-To: [EMAIL PROTECTED]
Date: Fri, 01 Oct 1999 21:20:08 GMT

On Thu, 30 Sep 1999 21:25:55 +0200, "j.w.altena"
<[EMAIL PROTECTED]> wrote:

>At Statistics Netherlands we would like to have at our disposal about
>10E9 random identifying numbers with a length of 10 (decimal) positions.
>These numbers should preferably not be generated all at the same moment, but
>the set should be extendable in steps.  We think we can use encryption for
>the generation of these numbers. An idea is to take the numbers 1 to n in
>the first step and encrypt them.  In the next step n+1 to m is encrypted and
>so on. As an additional requirement we would like the encrypted numbers to
>be numbers (and not letters or other characters) as well.
> Who knows a solution for this problem, or does somebody have another
>solution?
> (The solution of assigning the ASCII value to each byte doesn't work, for
>then more than 10 positions are required.)
>Erik van Lith ( [EMAIL PROTECTED] )
>
>
Not sure what you're asking for here; it would help if you could
specify the problem a little better, i.e.:

Do the identifying numbers have to be unique?
How sparse is the output? i.e. How close to 10000000000 
numbers will you really need?
How 'random' does it need to be?  i.e. Why not just
use the numbers 1-n?  
Do you need to have a reversible function?  I.e. given
the ID, do you need to know the original number which produced it?


Assuming you want a function which takes as input the numbers
0-9999999999 and produces a new pseudo-random number in the
range 0-9999999999, but you're not very concerned about the
security of the numbers, you could map them with an LCG function:
   f(x) = (x * (20*A+1) + P) mod 10000000000
   where A is an arbitrary constant and P is prime.
Simple in concept, but hard for most computers given the
size of the numbers (over 32 bits).

Scott Nelson <[EMAIL PROTECTED]>
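An added example, not code from the post: the affine map f(x) = (x*(20*A+1) + P) mod 10^10 sketched above, worked through in Python (whose integers handle the over-32-bit arithmetic natively). It checks that the map is a bijection, issues IDs in extendable blocks, inverts an ID, and shows why the map is not secure: being affine, consecutive counters yield IDs that differ by a constant. A and P are constructed sample values, not values from the post.

```python
from math import gcd

M = 10**10            # ten decimal positions: IDs are 0..9999999999
A = 123456            # arbitrary constant (constructed sample value)
P = 1000000007        # a prime, hence coprime with 10^10 (constructed)
MULT = 20 * A + 1     # 20*A+1 is odd and = 1 (mod 5), so gcd(MULT, M) = 1


def multiplier_ok() -> bool:
    """f is a permutation of 0..M-1 exactly when gcd(MULT, M) == 1."""
    return gcd(MULT, M) == 1


def f(x: int) -> int:
    """Map a counter value to a ten-digit pseudo-random ID."""
    return (x * MULT + P) % M


def f_inv(y: int) -> int:
    """Recover the counter value from an ID (f is invertible)."""
    mult_inv = pow(MULT, -1, M)      # modular inverse, Python 3.8+
    return ((y - P) * mult_inv) % M


def issue_ids(start: int, count: int) -> list:
    """Issue the block of IDs for counters start..start+count-1, zero-padded
    to 10 positions.  Later blocks never collide with earlier ones because
    f is a bijection, which is the 'extendable in steps' requirement."""
    return [f"{f(x):010d}" for x in range(start, start + count)]


def block_is_collision_free(start: int, count: int) -> bool:
    return len(set(issue_ids(start, count))) == count


def step_leak(x: int) -> int:
    """Why the post says 'not very concerned about security': f is affine,
    so IDs of neighbouring counters differ by the constant MULT, and two
    neighbouring IDs reveal the multiplier.  Returns f(x+1) - f(x) mod M."""
    return (f(x + 1) - f(x)) % M


if __name__ == "__main__":
    print(issue_ids(1, 5))          # step 1: numbers 1..5
    print(issue_ids(6, 5))          # step 2: numbers 6..10, disjoint
    print(f_inv(f(4242)))           # 4242
    print(step_leak(0) == MULT)     # True
```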


------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: I need a good book on crypto and math.
Date: Fri, 1 Oct 1999 14:24:41 -0700


> general:
>   -Applied Cryptography (1996)
>    B.Scheider[Should be Bruce Schneier]
>   -Handbook of Applied Cryptography (1996)[1997]
>    Menezes, van Oorschot, Vanstone
>
> analysis:
>   -Differential Cryptanalysis of DES-like Systems
>    E.Biham, A.Shamir
>   -Linear Cryptanalysis of DES
>    M.Matsui

Before you get very far into cryptanalysis you're going to need to study
calculus, differential equations, abstract algebra and a bunch of other fun
stuff.  I'd suggest buying a good Calculus textbook, especially before
reading Biham's book listed above.  Applied Cryptography should be well
within your reach mathematically.

-steven



------------------------------

From: "Stephen M. Gardner" <[EMAIL PROTECTED]>
Subject: Re: I need a good book on crypto and math.
Date: Fri, 01 Oct 1999 15:50:23 -0500




MaxBenson wrote:

> I stopped learning math after algebra II but I want to get into
> cryptanalysis and stuff. How many books am I looking at reading and what
> types of math should I be studying.

    Better start learning math again. ;-)  I have put Amazon links on the
books recommended below:

As others have suggested Bruce Schneier's book (Applied Cryptography :
Protocols, Algorithms, and Source Code in C ) is an excellent book for
starting off. When you are a little further along the road then the
encyclopaedia is Handbook of Applied Cryptography

Other good books:
Cryptography : Theory and Practice (Discrete Mathematics and Its
Applications
Codes and Cryptography
Cryptography and Network Security : Principles and Practice
Decrypted Secrets : Methods and Maxims of Cryptology

--
Steve Gardner Technical  Staff Member 1320 Systems Engineering
ALCATEL USA
1225 N. Alma Road   Tel: 972-996-5888
Richardson Tx. 75081-2206 http://ctnwww.aud.alcatel.com/~gardsm/

You who choose to lead must follow,
But if you fall you fall alone,
If you should stand then who's to guide you?
If I knew the way I would take you home.

   "Ripple" -- The Grateful Dead




------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Fri, 1 Oct 1999 16:01:05 -0600

In article <7t2ujb$na1$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> In this case it is more so. The claim the police would make is that a
> certain cleartext is the decryption of a certain encrypted text. The
> encrypted text can be tied to the defendant. The clear text contains the
> criminal behaviour of which the defendant is accused. The two Must be
> tied together in the chain of evidence. To argue that a law which stated
> that the two need not be linked at all except under the say so of a
> police officer would not be laughed out of any court in the land is to
> have an unduly cynical view of the courts.

I think there's a fairly reasonable way to deal with this: if the 
government wants to protect some deep, dark secrets about how they 
analyzed a cipher, I think it might be worthwhile trying to protect 
that.

There are two reasonable ways to do this: one is to demonstrate the 
analysis to the court, but seal the record of the case.  This is 
already done on quite a regular basis anyway, such as in cases 
involving trade secrets.

The second, and probably more cryptographically oriented method would 
be for the government to demonstrate the encryption of the alleged 
plain-text into the cipher-text they found.  In doing so, all they 
demonstrate is the encryption method, not the analysis method.  If the 
encryption method is something like a one-time pad where one can 
associate ANY plain-text/cipher-text pair (of the same length) the 
court probably wouldn't find this convincing.

OTOH, if the government could show that encrypting the alleged plain-
text using (for example) Blowfish and a particular key produces the
cipher-text, it would probably be fairly convincing evidence that the
cipher-text WAS an encrypted form of that plain-text.  At the same time
the method the government used to analyze the algorithm could remain a
deep, dark secret.

OTOH, this would reveal at least some indication that they were 
capable of analyzing the algorithm in question, which they might not 
want to do either.  They might, however, leave the method they used to 
find the key undefined, and let others believe (for example) that they 
just happened to run across a Postit note (or whatever) telling them 
the key...

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: NEW DATA SCOTT19U CONTEST
Date: Fri, 01 Oct 1999 21:38:42 GMT

In article <[EMAIL PROTECTED]>,
  "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:

> If you are going to suggest an interface at least suggest a one that shows good
> coding standards.
>
>     compress( char const *in, size_t in_size, char *out, size_t *out_size );
>
> ... and put something in about error handling.  exceptions, errno, return value,
> *SOMETHING*.

Well it should not have to do error handling because I am the only one using
the code.  If a lib has been prepared that does error-handling all the
better.  I want a simple order-1 or order-0 (preferably the first) adaptive
coder that compresses a block and that's all...

Tom



------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.java.security
Subject: Re: How good is java.security.SecureRandom ?
Date: Fri, 01 Oct 1999 16:20:43 -0400

Stanley Chow wrote:
> 
> We are doing some Java code and need a good random number generator.
> The documentation for the java.security.SecureRandom class seems to
> claim pretty good entropy for its seeding (it certainly takes long
> enough at it).
> 
> Has anyone done/seen any evaluation of the cryptographic strength
> of the SecureRandom class? Any pointers are appreciated.

I looked at it for a while about a year ago, perhaps a bit more.
Not knowing Java didn't help, but I can pretend it's sort of like
C++ and figure it out.

Anyway, I wasn't totally comfortable with what it's doing but it
doesn't seem to have horrible flaws that jump right out at you.

        paul

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Yarrow + Panama: an idea (long)
Date: Fri, 01 Oct 1999 16:03:29 -0600


(Yes, I know - the world is full of silly ideas from people
who don't know any better but should.  Oh well, please forgive
me - and who knows, maybe this will lead somewhere useful).

Yarrow (the PRNG construction) is bolted together from two
cryptographic components: a hash function and a block cipher.
The block cipher is used in counter mode, which means that we
could probably use a stream cipher (at least the ones, like RC4,
that generate bits independently of the plaintext) instead.

(Do we believe me so far?  Hmm...)

The existence of Panama (Daemen and Clapp, FSE '99), which
is nominally both a stream cipher and a hash function, begs
the question: could you create an instance of Yarrow using
Panama for both parts?

(For one thing, the key and hash are both 256 bits for
Panama; this implies that we can use more real entropy).

A quick detour to explain Panama:

Panama has a hefty context: a 544 bit (17 words of 32 bits
each) "state" and a 8192 bit (8 x 32 = 256 words) "buffer".
It has a "push" operation, in which 256 bits (8 words) are
added to the context, and a "pull" operation, in which
256 bits are extracted.  The implementations of these
operations are almost the same, and mix bits up a lot.  For
hashing, you "push" the data (which is extended to a multiple
of 256 bits) and then "pull" the hash; for a stream cipher
you "push" the key and then "pull" bits to XOR. In both cases
you discard the first 32 "pull" results for more mixing. The
only differences between hashing and stream ciphering are
the sizes of the input and output.

Returning to Yarrow-like PRNG:

So suppose we have two Panama instances, um, P and Q.  While
P is busy producing PRNG output (with pull calls as needed),
Q is busy accumulating entropy (with pushes).  When we decide
we want to reseed, we pull some out of P, push that into Q,
and then start pulling out of Q (discarding the first 32) for
the PRNG, and pushing entropy into P.  That is, P and Q just
switch roles.  Actually we don't even need both P and Q,
except that we want to continue to collect entropy while we
are producing our (pseudo) random numbers.

(The idea of switching roles, instead of just rekeying, is
to try to work with the most recent entropy; the biggest
change from prior state.  I don't think it is any less work.)

Anybody have any thoughts on this?

John M

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Twofish on FPGAs
Date: Fri, 01 Oct 1999 21:53:32 GMT

Prof. Kris Gaj has implemented Twofish on an FPGA.  His report on the
process is at:

     http://www.counterpane.com/twofish-fpga.html

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: RC4 hash function (long)
Date: Fri, 01 Oct 1999 16:05:59 -0600


Has anyone ever tried to make a hash function out of RC4?

The idea occurs to me because of Panama (by Daemen and Clapp
at FSE '98; I have a paper but unfortunately I can't remember
where I got it).  Panama can be used as both a hash function
and as a stream cipher.  Jokes aside ("It's a dessert topping
*and* a floor wax!") this is a neat idea.

(In the following, I suppose you should read "alleged RC4"
whenever I say RC4 - since I don't have access to the "real"
thing).

The way that RC4 becomes a hash function is to modify the
keying procedure so as to take arbitrary-sized input, and
to eliminate trivial equivalent keys (e.g., "a" and "aa"
are the same key, as far as RC4 is concerned).  This should
not be too hard (aside, of course, from analysis to show
the result is still secure!), because RC4 already allows
a variable-sized key.

So how about this:

First, don't repeat the input, as is done for RC4 now. When
you get to the end, just stop.  Append a little constant at
the end: a 1 bit, plus enough zero bits so that the total
input is a whole number of bytes.  If the input is more than
256 bytes (which RC4 does not allow), just keep going: cycle
i (the slow index; j is the fast one) to zero.  To generate
the hash, reset i and j to zero (as is done for RC4), discard
the first 256 bytes of output (to cycle all the way around at
least once), then take the next, say, 32 bytes as the hash.

There are all sorts of little tweaks you could do to this.
For example, the "length of input" could be included in
the input, as for SHA and MD5.  Maybe the input should be
extended to a multiple of 256 bytes, to more closely match
what RC4 does - instead of to any arbitrary byte length.
Resetting i and j to zero before generating output is part
of RC4; there is probably some delicate reason for this and
I bet we can't get rid of it.  Maybe we should even do it
twice: the second time after discarding a bunch of the output.
Maybe we should discard more than 256 bytes, or maybe we
don't have to discard quite as much.  Maybe 32 bytes output
is too many, and the most you can (securely) use is less.

Anyway, does anyone have any thoughts on this?  Could the
right set of tweaks be chosen to get a secure result?  Is
the whole idea flawed?

Thanks - John M
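An added example, not John Myre's code: the construction proposed above, built on "alleged RC4" as published, with the post's choices (1-bit-plus-zeros padding, feed each input byte once and cycle i past 256 bytes, reset i and j, discard 256 output bytes, emit 32). It also shows the equivalent-key problem the post starts from: the standard key schedule gives b"a" and b"aa" identical states, the modified one does not. As the post says, the result is unanalysed; it is here to make the proposal concrete, not to recommend it.

```python
def rc4_ksa(key: bytes) -> list:
    """Standard (alleged) RC4 key schedule: the key is repeated to fill
    256 steps, which is why b"a" and b"aa" set up identical states."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def absorb(data: bytes) -> list:
    """Modified key schedule from the post: pad with a 1 bit and zeros
    to a byte boundary (a single 0x80 byte), feed every input byte exactly
    once, and let the slow index i wrap to zero past 256 bytes."""
    msg = data + b"\x80"
    S = list(range(256))
    i = j = 0
    for b in msg:
        j = (j + S[i] + b) & 0xFF
        S[i], S[j] = S[j], S[i]
        i = (i + 1) & 0xFF          # cycle i instead of stopping at 256
    return S


def rc4_hash(data: bytes, out_len: int = 32, discard: int = 256) -> bytes:
    """Reset i and j (as RC4 does), run the output generator, throw away
    the first `discard` bytes and return the next `out_len` as the digest.
    The discard and digest sizes are the post's 'say, 32 bytes' tweakables."""
    S = absorb(data)
    i = j = 0
    out = bytearray()
    for n in range(discard + out_len):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if n >= discard:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


if __name__ == "__main__":
    print(rc4_ksa(b"a") == rc4_ksa(b"aa"))     # True: equivalent RC4 keys
    print(absorb(b"a") == absorb(b"aa"))       # False: distinct states
    print(rc4_hash(b"a").hex())
    print(rc4_hash(b"a" * 1000).hex())         # input > 256 bytes is fine
```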

------------------------------

From: Steve Wildstrom <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: New Export Regulations
Date: Fri, 01 Oct 1999 18:21:11 -0400
Reply-To: [EMAIL PROTECTED]


All that has been issued is a statement that the Administration intends to
change the rules. The devil is in the details, and the new regulations will not
be published until Dec. 15. There are many questions raised by what has been
announced and many ambiguities.



Mark Rosen wrote:

>     Like pretty much everyone else, I have read about the new relaxation in
> export regulations. However, quite honestly, I do not understand most of
> what is happening. My company makes an encryption program called Kremlin --
> it has been discussed on this newsgroup a fair amount, and has even been
> "highly recommended" in a study done by a sci.crypt poster (e-mail me if you
> want the URL. It's _somewhere_ in my favorites!).
>     Basically, can we now export the domestic version of Kremlin -- the full
> strength version that uses 160 bit Blowfish w/ CBC -- from the US? Do we
> have to re-apply for an export license? Did the White House just suggest
> that the regulations be changed, or have they already been changed? If it
> helps, we have a valid license to export 40 bit RC4.
>     BTW, you can download and try out Kremlin at:
>     http://www.mach5.com/kremlin/pc_index.html    and
>     http://www.mach5.com/kremlin/mac/
>
> - Mark Rosen
> http://www.mach5.com/

--

                  -----------------------------------
       Steve Wildstrom   Technology & You Editor                   Business Week

       1200 G St. NW Suite 1100      202-383-2203
[EMAIL PROTECTED]
       Washington DC  20005     Fax: 202-383-2125
       Moderator of the Technology & Education mailing list
       www.businessweek.com/bwplus/teched/charter.htm




------------------------------

From: Alan Mackenzie<[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Fri, 1 Oct 1999 20:29:10 +0000

karl malbrain <[EMAIL PROTECTED]> wrote:

> wtshaw <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...

>> On a side issue, surely if possession of some evidence is clearly wrong
>> and subversive as well as being illegal, than there must also be something
>> wrong with officials as well who handle or seek to handle such things, and
>> they should be closely monitored afterwards for negative effects.

> No, the BOLSHEVIK position on subversion is that you root-it-out and
> LIQUIDATE.  There's no such thing as RECTIFICATION for positive results, per
> the Heisenberg uncertainty principle that you can't distinguish them
> (positive results) from NEGATIVE EFFECTS.

Karl, I've tried for nearly half an hour to understand this paragraph,
without success. What does it mean when you capitalise a word? What has
Bolshevism to do with the debate? What do you mean by "RECTIFICATION"?
Putting something to rights? What exactly is being corrected? What
"positive results" are you talking about? From whose point of view are
they positive? The Heisenberg uncertainty principle applies only to
things on an atomic scale or smaller, and as far as I can see has no
concept of "good" and "bad" effects. What has this principle to do with
cryptography, litigation, Bolshevism, or putting things right?

You appear to be using jargon words from some obscure society, and I for
one can't make any sense at all of them. Would you like to rephrase your
paragraph in plain English?

> (... the remainder snipped as ISOMORPHIC for `if you can say it, you can do
> it')

Ah, here we have mathematical, chemical or biological jargon. You could
have said, in plain English, "the remainder snipped as _meaning_ ....." I
wish you would!

Karl M

-- 
Alan Mackenzie (Munich, Germany)
Email: [EMAIL PROTECTED]; to decode, replace "aye" by 'a', "see"
by 'c', etc.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
