Cryptography-Digest Digest #522, Volume #10       Mon, 8 Nov 99 00:13:03 EST

Contents:
  Re: What sort of noise should encrypted stuff look like? ("Douglas A. Gwyn")
  Re: XOR Knapsacks (Oh no! not again?) ("karl malbrain")
  Re: secrecy/generation of IV (David Wagner)
  Re: Montgomery vs Sqr & Mul -- Specifics ([EMAIL PROTECTED])
  Phraseology [U-Boat Enigma Machines] (Alan Mackenzie)
  Re: Lenstra on key sizes (Mok-Kong Shen)
  Re: Lenstra on key sizes (Mok-Kong Shen)
  Re: Lenstra on key sizes (Mok-Kong Shen)
  Re: The Code Book Mailing List
  Re: Some humble thoughts on block chaining (Tom St Denis)
  Re: Lenstra on key sizes (Tom St Denis)
  Wireless LAN suggestions? (Phillip George Geiger)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("David C. Ullrich")
  Re: Wireless LAN suggestions? (Phillip George Geiger)
  Re: Doesn't Bruce Schneier practice what he preaches? (JPeschel)
  Re: How protect HDisk against Customs when entering Great Britain (CoyoteRed)

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What sort of noise should encrypted stuff look like?
Date: Sun, 07 Nov 1999 21:11:42 GMT

fungus wrote:
> The "white noise" is only there because you're looking at the
> output as a digitally encoded signal, which it isn't.

It is white noise because its frequency spectrum is statistically
flat.  This matches one desired characteristic of an encryption
system.
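A concrete way to check the "statistically flat spectrum" property described above, as an added example that is not part of the original post: compute the spectral flatness (geometric mean divided by arithmetic mean of the power spectrum) of a constructed pure tone and of a constructed SHA-256 counter-mode byte stream that stands in for ciphertext. The function names, the 512-sample length and the stand-in stream are this example's assumptions, not anything from the thread.

```python
import cmath
import hashlib
import math

N = 512  # samples per test signal (chosen for this example)


def dft_power(samples):
    """Power spectrum of a real signal over the positive-frequency bins 1..N/2-1.

    The mean is removed first and the DC bin is skipped, so a byte stream's
    offset from zero does not dominate the statistic.  Plain O(N^2) DFT."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    power = []
    for k in range(1, n // 2):
        acc = 0j
        for t, x in enumerate(centred):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        power.append(abs(acc) ** 2)
    return power


def spectral_flatness(samples):
    """Geometric mean / arithmetic mean of the power spectrum.

    1.0 would be perfectly flat; a pure tone gives a value near 0.  For white
    noise each bin's power is roughly exponentially distributed, so the
    expected value is exp(-Euler gamma), about 0.56, not 1.0."""
    power = dft_power(samples)
    eps = 1e-12  # keeps log() finite on bins that are numerically zero
    geo = math.exp(sum(math.log(p + eps) for p in power) / len(power))
    arith = sum(power) / len(power)
    return geo / arith


def constructed_tone(n=N, cycles=8, amplitude=100.0):
    """Constructed structured signal: one sinusoid, all power in a single bin."""
    return [amplitude * math.sin(2 * math.pi * cycles * t / n) for t in range(n)]


def constructed_keystream_bytes(n=N, seed=b"example seed"):
    """Constructed stand-in for cipher output: SHA-256 in counter mode.

    This is not any real cipher's keystream; it only supplies bytes that
    should look statistically white, as ciphertext is expected to."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return [float(b) for b in out[:n]]


if __name__ == "__main__":
    print("tone      flatness:", round(spectral_flatness(constructed_tone()), 4))
    print("keystream flatness:", round(spectral_flatness(constructed_keystream_bytes()), 4))
```

The tone lands near zero while the keystream lands near 0.56; a practitioner running this over real ciphertext should expect the same neighbourhood, and a value far below it means the output still carries structure.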

------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: XOR Knapsacks (Oh no! not again?)
Date: Sun, 7 Nov 1999 14:01:21 -0800


David Wagner <[EMAIL PROTECTED]> wrote in message
news:804ke1$git$[EMAIL PROTECTED]...
> In article <803nj1$dpd$[EMAIL PROTECTED]>,
> Gary <[EMAIL PROTECTED]> wrote:
> > Given a set X={x0,x1,...,xn} of mn bit numbers where m>=2.
> > S is a randomly selected subset.
> > Z is the XOR of all elements of the subset S.
> > Can the subset creating Z be found?
>
> Sure, just use Gaussian elimination.
> Write X as a mn by n+1 matrix, whose columns are the x's.
> Write S as a n+1 bit column vector which is one in the j-th
> position just if S includes the j-th element of X.
> Write Z as a mn bit column vector.
> Note that we have the equation XS = Z, which is linear over GF(2).
> Note that X and Z are known.
> Now just solve for S using linear algebra.
> It should take cubic time at most (perhaps faster).
>
> Hope I didn't make any mistakes.

You have to know n different values of Z from n different random selections
S, not just one.  Karl M
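As an added example (not code from either poster), here is the linear-algebra attack Wagner sketches, over GF(2) with bit-packed rows: each x_j is one column, each bit position is one equation, and a single Z is the right-hand side. The helper names and the seeded sample instance are constructed for this example; the solver also reports whether the solution is unique, which is the case exactly when X has full column rank.

```python
import random


def xor_of(x_values, indices):
    """XOR of the selected elements (the 'Z' in the thread's notation)."""
    z = 0
    for j in indices:
        z ^= x_values[j]
    return z


def xor_subset_solve(x_values, width, z):
    """Solve X*S = Z over GF(2) by Gauss-Jordan elimination.

    x_values: the set X, each a `width`-bit integer; element j is column j.
    z:        the XOR of the unknown subset.
    Returns (indices, unique): a subset whose XOR is z (free variables set
    to 0) and whether it is the only solution.  Returns (None, False) if z
    is not in the span of X at all."""
    ncols = len(x_values)
    # Row i of the augmented matrix: bit i of every x_j packed into one int,
    # plus bit i of z as the right-hand side.
    rows = [[sum(((x >> i) & 1) << j for j, x in enumerate(x_values)), (z >> i) & 1]
            for i in range(width)]
    pivot_cols = []
    r = 0
    for c in range(ncols):
        if r == width:
            break
        pivot = next((k for k in range(r, width) if (rows[k][0] >> c) & 1), None)
        if pivot is None:
            continue                      # no pivot in column c: free variable
        rows[r], rows[pivot] = rows[pivot], rows[r]
        for k in range(width):            # clear column c in every other row
            if k != r and (rows[k][0] >> c) & 1:
                rows[k][0] ^= rows[r][0]
                rows[k][1] ^= rows[r][1]
        pivot_cols.append(c)
        r += 1
    # A row with no coefficients left but a 1 on the right is a contradiction.
    if any(rows[k][0] == 0 and rows[k][1] for k in range(width)):
        return None, False
    solution = [0] * ncols
    for k, c in enumerate(pivot_cols):
        solution[c] = rows[k][1]          # reduced form: pivot variable = RHS
    return [j for j in range(ncols) if solution[j]], len(pivot_cols) == ncols


def constructed_instance(seed=1234, n_elements=9, width=32):
    """Constructed sample in the thread's setting (mn-bit numbers, m >= 2):
    here 9 random 32-bit values and a random hidden subset.
    Returns (x_values, z, chosen_indices)."""
    rng = random.Random(seed)
    x_values = [rng.getrandbits(width) for _ in range(n_elements)]
    chosen = sorted(j for j in range(n_elements) if rng.random() < 0.5)
    return x_values, xor_of(x_values, chosen), chosen


if __name__ == "__main__":
    x_values, z, chosen = constructed_instance()
    found, unique = xor_subset_solve(x_values, 32, z)
    print("hidden subset:", chosen)
    print("recovered:    ", found, "(unique)" if unique else "(one of several)")
```

With more rows than columns (32 bit positions against 9 unknowns here) a random X has full column rank with overwhelming probability, so one Z is enough to pin down S; the elimination costs O(width * ncols) row operations, each an XOR of packed words.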



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: secrecy/generation of IV
Date: 7 Nov 1999 14:18:36 -0800

In article <[EMAIL PROTECTED]>,
Allen Landsidel <[EMAIL PROTECTED]> wrote:
> Heh.. I thought you just said I don't need to keep the IV secret..

Perhaps I should have said `Don't rely on the IV being secret',
because if you do, you run a large risk of getting bitten.  There
are techniques to discover secret IV's.

> I suppose D/H could be used to agree on IVs during a session just as
> easily as using it to generate the key..

Yeah, sure.  Just make sure the IV is independent from the key
(so learning the IV doesn't reveal anything about the key).

However, I'm not convinced that it really buys you anything.
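To make the "IV independent from the key" advice concrete, as an added example that is not from the post: derive both from one shared secret with HKDF (RFC 5869, HMAC-SHA-256) under different `info` labels, next to the pattern to avoid, where the IV is simply a prefix of the key. The functions `derive_key_and_iv` and `weak_key_and_iv`, the label strings and the sample secret are this example's assumptions; the HKDF routines are checked against RFC 5869 test case 1.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key_and_iv(shared_secret: bytes, session_salt: bytes,
                      key_len: int = 32, iv_len: int = 16):
    """Key and IV from one shared secret, separated by distinct info labels
    (the labels are this example's own; any two fixed, distinct strings do).
    Each output is an independent HMAC evaluation, so learning the IV tells
    an observer nothing about the key."""
    prk = hkdf_extract(session_salt, shared_secret)
    key = hkdf_expand(prk, b"example-protocol v1 cipher key", key_len)
    iv = hkdf_expand(prk, b"example-protocol v1 iv", iv_len)
    return key, iv


def weak_key_and_iv(shared_secret: bytes, session_salt: bytes,
                    key_len: int = 32, iv_len: int = 16):
    """The pattern to avoid: IV taken from the key bytes themselves, so a
    recovered IV hands over part of the key."""
    prk = hkdf_extract(session_salt, shared_secret)
    key = hkdf_expand(prk, b"example-protocol v1 cipher key", key_len)
    return key, key[:iv_len]


if __name__ == "__main__":
    secret = b"constructed shared secret for the example"  # e.g. a DH output
    key, iv = derive_key_and_iv(secret, b"per-session salt")
    print("key:", key.hex())
    print("iv: ", iv.hex())
```

The same shape fits the D/H idea in the thread: run the agreement once, then expand the shared secret into as many independent values (key, IV, MAC key) as the session needs, instead of running a second agreement for the IV.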

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Montgomery vs Sqr & Mul -- Specifics
Date: Sun, 07 Nov 1999 22:32:41 GMT

Maybe I should get into the specifics of why I'm asking the question.

My project that I'm attempting is to embed RSA into a 6811
microcontroller. This thing runs at 2 MHz and needs 10 clocks to do an
8-bit multiply. In other words, it has very limited capabilities
compared to the processors that everyone else does RSA on.

Also, I'll have to write everything in assembly for speed. That's why
I'm interested in using a simple algorithm for the ExpMod functions;
It'll be easier to write, and more likely to fit into available memory.

So, I'm just trying to figure a time estimate for encryption/decryption
to see if this project is even possible. If it takes < 30 seconds to
decrypt, that's good, but if it takes 30 hours, that's not good.

Of course, I'd like to do 512 bit RSA, but I'd settle for 256, or 128,
or maybe even 64 bit RSA. I suppose my next question will be "how secure
is 256 or 128 or 64 bit RSA?"

Anyway, that's why I was asking about "Montgomery" vs Knuth's "Sqr &
Mul", but maybe the specifics will make my original question clearer.

Thanks, Derek.


Sent via Deja.com http://www.deja.com/
Before you buy.
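An added example (not Derek's code and not from the thread) showing the two pieces being weighed: square-and-multiply exponentiation with Montgomery reduction, plus a rough cost model for a part that does an 8-bit multiply in 10 clocks at 2 MHz. Montgomery reduction replaces the division by the modulus with shifts, masks and multiplies, which is what makes it attractive on a small microcontroller without a divider. The cost model (2k^2 + k limb multiplies per modular multiplication, loop and carry overhead ignored) and the function names are this example's assumptions, not measurements.

```python
def montgomery_reduce(t, n, n_neg_inv, r_bits):
    """REDC: return t * R^-1 mod n for 0 <= t < n*R, with R = 2^r_bits.

    Only masks, shifts and multiplies are used; there is no division by n."""
    mask = (1 << r_bits) - 1
    m = ((t & mask) * n_neg_inv) & mask
    u = (t + m * n) >> r_bits
    return u - n if u >= n else u


def mont_pow(base, exp, n):
    """Left-to-right square-and-multiply with Montgomery multiplication.

    Returns (base**exp mod n, number of modular multiplications performed)."""
    if n % 2 == 0:
        raise ValueError("Montgomery reduction needs an odd modulus")
    r_bits = n.bit_length()
    R = 1 << r_bits
    n_neg_inv = (-pow(n, -1, R)) % R     # -n^-1 mod R (pow(..., -1, m) needs Python 3.8+)
    base_m = (base % n) * R % n          # enter Montgomery form: the one real division
    acc = R % n                          # Montgomery form of 1
    count = 0
    for bit in bin(exp)[2:]:
        acc = montgomery_reduce(acc * acc, n, n_neg_inv, r_bits)      # square
        count += 1
        if bit == "1":
            acc = montgomery_reduce(acc * base_m, n, n_neg_inv, r_bits)  # multiply
            count += 1
    return montgomery_reduce(acc, n, n_neg_inv, r_bits), count       # leave Montgomery form


def estimate_seconds(modmuls, modulus_bits, limb_bits=8, clock_hz=2_000_000, clocks_per_mul=10):
    """Assumed cost model for this example: a k-limb Montgomery multiplication
    takes about 2k^2 + k single-limb multiplies (k^2 for the product, k^2 + k
    for the reduction); everything other than the multiplies is ignored."""
    k = -(-modulus_bits // limb_bits)
    muls_per_modmul = 2 * k * k + k
    return modmuls * muls_per_modmul * clocks_per_mul / clock_hz


if __name__ == "__main__":
    result, muls = mont_pow(65, 17, 3233)      # small RSA-style check
    print("65^17 mod 3233 =", result, "using", muls, "modular multiplications")
    for bits in (64, 128, 256, 512):
        typical = bits + bits // 2             # squarings plus about half the bits set
        print(f"{bits:3d}-bit modulus: ~{typical} modmuls -> "
              f"{estimate_seconds(typical, bits):7.2f} s (private exponent), "
              f"{estimate_seconds(19, bits):6.3f} s (e = 65537)")
```

Under this model a 512-bit private-key operation (64 limbs, roughly 768 modular multiplications) needs about 32 seconds of multiply time alone, so the real figure will be higher once loop and carry handling are counted; a public operation with e = 65537 is only 19 modular multiplications. Whether the result fits the "< 30 seconds" budget therefore depends on the assembly-level constant factors the model leaves out.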

------------------------------

From: Alan Mackenzie <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,talk.politics.misc
Subject: Phraseology [U-Boat Enigma Machines]
Date: Sun, 7 Nov 1999 16:06:08 +0000

Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> Anthony Stephen Szopa wrote:

> I reviewed the program:  842 U-boats launched and 781 sunk.

Is "sunk" really the right word here? Surely "sinking" a submarine is
what its own crew would routinely do. We're talking about a ship which is
designed to sink, so perhaps "further sunk" or "permanently sunk" would
be better. But these phrases are a bit clumsy.

How about "destroyed"?

-- 
Alan Mackenzie (Munich, Germany)
Email: [EMAIL PROTECTED]; to decode, replace "aye" by 'a', "see"
by 'c', etc.


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Lenstra on key sizes
Date: Sun, 07 Nov 1999 23:31:13 +0100

fungus wrote:
> 
> Mok-Kong Shen wrote:
> >
> > A probably very stupid question concerning symmetric ciphers: Does
> > it cost terribly more if one uses 512 bits of key instead of 256 bits?
> >
> 
> You're confusing factoring with brute force searching, don't.
> One system is based on assumptions in number theory, the other
> is based on time taken to count to a high number (no shortcuts),
> they are two different things.

My question is exclusively about symmetric ciphers; it has nothing to 
do with factoring. (It follows that I had no 'opportunity' to confuse
factoring with anything by way of raising that particular question.)
 
> Building a machine to count to 2^256 using today's technology
> is impossible.
> 
> A future machine may be able to crack 256 bit ciphers, but the
> same machine may also be able to crack your 512 bit cipher just
> as easily. You can speculate about whether 512 bits is better
> but at the end of the day that's all it is, speculation.

Are you asserting that the only way to break an arbitrarily given 
symmetric cipher is by brute force? What are your supporting 
arguments?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Lenstra on key sizes
Date: Sun, 07 Nov 1999 23:31:33 +0100

Paul Schlyter wrote:
> 
> Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
> 
> > A probably very stupid question concerning symmetric ciphers: Does
> > it cost terribly more if one uses 512 bits of key instead of 256 bits?
> 
> I'm not aware of any symmetric cipher having even 256-bit keys.
> 128-bit symmetric keys are now considered safe (and will remain so
> for perhaps a decade, but certainly not for billions of years.. :-)

The question concerns the comparative cost of using longer vs
shorter keys. The figures chosen are 'for example' only, i.e. one
assumes for the purpose of discussion that a particular symmetric 
algorithm has two variants, with one having a key double as long
as the other. The question is then whether the cost would be
prohibitive if one uses the variant with the longer key. (I surmise
that the answer would be different, if the question were about
asymmetrical ciphers instead of symmetrical ciphers.)

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Lenstra on key sizes
Date: Sun, 07 Nov 1999 23:32:53 +0100

Roger Schlafly wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote
> > The mentality of the builders of the Titanic remains with us.  ...
> >
> > A probably very stupid question concerning symmetric ciphers: Does
> > it cost terribly more if one uses 512 bits of key instead of 256 bits?
> 
> Yes, apparently the Titanic mentality is still with us. Huge key
> size does not make you invincible.

I suppose you misunderstood me. What I meant is this: Suppose you
have an algorithm that (with a key length of 256 bits) you believe
will offer you a protection that is, say, at a factor of safety of
1.2 without your being very sure of that figure. (I am aware that the 
concept of 'factor of safety' may be problematical; I am simply 
using what is common in engineering science for the purpose of 
carrying on some discussion here.) Now suppose that the same
algorithm has a 512 bits variant and is known to be quite a bit
stronger and suppose also that the additional cost of using the 
longer key over the short one is marginal, then I think it is fairly 
obvious that using the longer key is a good idea, since it is almost 
sure to be able to raise the factor of safety beyond the previous 
'uncertainty'. So the question is merely whether the obtaining and
managing of double amount of key materials (with key sizes smaller
than commonly used in asymmetrical ciphers) for symmetrical ciphers
incurs such a high cost that it renders the longer key variant very
disadvantageous from an economical point of view.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: The Code Book Mailing List
Date: 7 Nov 99 22:53:07 GMT

Trevor Jackson, III ([EMAIL PROTECTED]) wrote:
: I consider One a prime because it is only divisible by one and itself.

I tend to think that one is prime (adjective) and zero is composite
(adjective), but to call one _a_ prime (noun) is not a good idea. That's
because multiplying a number by one doesn't change it; so, if you get one
when you factor a number, what is to stop you from getting one to the
fifth power, or one squared, instead of just one as a factor?

John Savard

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Some humble thoughts on block chaining
Date: Sun, 07 Nov 1999 23:09:36 GMT

In article <8046hh$1l28$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] () wrote:
>
> >This isn't that crazy a notion; for that matter, David Scott's notion that
> >large, key dependent S-boxes are useful isn't crazy either: witness
> >Blowfish. His problem is that he makes unsupportable claims, such as that
> >S-boxes with 65,536 entries or more are genuinely _necessary_ for adequate
> >security, and IDEA is trivially weak, and things like that. Not only does
> >he make such claims, he asserts them forcefully.
> >
> >John Savard
>
>    I think that when it comes to encryption one should never underestimate
> the enemy. It is foolhardy to use something barely secure when history is
> littered with broken codes that experts preached as secure. If one wants
> to be secure one needs to use things that are by their very natures hard
> to crack. The danger with most short keyed methods is that they are subject
> to many forms of reduction by math experts. It is very hard to reduce a random
> large S-box. So yes I recommend using simple encryption that always is on
> the limits of the machine. True my large S-boxes may seem like overkill but
> how long will the AES candidate of the day hold up against future quantum
> computers. Can one really say with honesty the NSA does not have such devices
> today.
>
>   Today I still mostly use encryption based on my 65,536 entry S box only
> because I am still using my 486. When I get my K7 whenever that is you can
> bet that I will be using much larger S-boxes. As machines get faster and
> memory cheaper I will try to be on the edge. Not just a few thousands bits
> safer but millions.


Why?  You said you would use larger sboxes... are smaller ones more
dangerous? Do you have quantitative proof or suggestions to lead
otherwise?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Lenstra on key sizes
Date: Mon, 08 Nov 1999 00:39:36 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> Paul Schlyter wrote:
> >
> > Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
> >
> > > A probably very stupid question concerning symmetric ciphers: Does
> > > it cost terribly more if one uses 512 bits of key instead of 256 bits?
> >
> > I'm not aware of any symmetric cipher having even 256-bit keys.
> > 128-bit symmetric keys are now considered safe (and will remain so
> > for perhaps a decade, but certainly not for billions of years.. :-)
>
> The question concerns the comparative cost of using longer vs
> shorter keys. The figures chosen are 'for example' only, i.e. one
> assumes for the purpose of discussion that a particular symmetric
> algorithm has two variants, with one having a key double as long
> as the other. The question is then whether the cost would be
> prohibitive if one uses the variant with the longer key. (I surmise
> that the answer would be different, if the question were about
> asymmetrical ciphers instead of symmetrical ciphers.)

Just because a cipher accepts a larger key doesn't make that the most
efficient means of attack.  If you will assume 128 bits keys as too
small [say for] blowfish, then 256 bit keys are no more secure [unless
you send a single block or something].

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Phillip George Geiger <[EMAIL PROTECTED]>
Subject: Wireless LAN suggestions?
Date: 8 Nov 1999 00:57:05 GMT

I'm going to pick up a laptop in the next month or so and am looking for
a PC card and ethernet bridge for wirelessly connecting the laptop to my
network.

None of the products I've read about say a thing about security.  Surprise,
surprise.

Do any of the wireless LAN products out there encrypt data before it is
transmitted?  Are there safeguards to prevent someone else with a laptop
and PC card from walking past my house and checking out my network?

Any recommendations?

Thank you.


-- 
Phil Geiger
[EMAIL PROTECTED]

------------------------------

From: "David C. Ullrich" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Sun, 07 Nov 1999 14:59:59 -0600



Patrick Juola wrote:

> [...]
>
> I believe pi has been proved "normal", which is to say that every
> finite-length string appears equiprobably in the extended decimal
> expansion.  In point of fact, I think it's been proved "normal to
> all bases," which means the same holds in the octal, hexadecimal,
> binary, septal, &c. expansions.

    Well, since nobody else believes this a reference would probably
be a good thing.

>
> Not that this necessarily means much w.r.t "randomness" as
> 0.12345678910111213.... is also "normal," at least to base 10, and
> I believe to all bases.
>
> And, no, I don't have a reference offhand, but it should be addressed
> in a decent analysis text.
>
>         -kitten


------------------------------

From: Phillip George Geiger <[EMAIL PROTECTED]>
Subject: Re: Wireless LAN suggestions?
Date: 8 Nov 1999 01:39:53 GMT

OK, found something sort of interesting -
  http://www.proxim.com/products/rl802/index.shtml

Increased Security Through Wired Equivalent Privacy
 Wired Equivalent Privacy (WEP), an optional RC4 encryption algorithm, helps
 ensure the security of your data. Before data are transmitted, they are
 streamed through an RC4 algorithm, an efficient encryption process designed
 for LAN communications. Additionally, all RangeLAN802 devices are
 authenticated through a challenge-and-response mechanism before being allowed
 network access. Both wireless and wired LANs are thus fortified against
 eavesdropping and unauthorized access by hackers or other nearby
 802.11-compliant devices.

Later, the page says
 Wired Equivalent Privacy (WEP); includes 40-bit RC4 encryption

Ugh.  40 bits?  Is this a limitation of RC4 or just their boneheaded
implementation?  Still, I guess 40 bits is (marginally) better than zero
bits.

There has GOT to be something better out there.
 

-- 
Phil Geiger
[EMAIL PROTECTED]
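An added example (not from the post or from the product page quoted in it) that answers the "limitation of RC4 or of the implementation?" question in code: RC4's key schedule cycles over whatever key bytes it is given, so any key of 1 to 256 bytes works and a 40-bit key is simply a 5-byte one chosen by the product. The implementation is the textbook RC4 KSA/PRGA, the test strings are the commonly published RC4 vectors, and the helper names are this example's own.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the output generator (PRGA).

    The KSA indexes the key modulo its length, so the cipher itself imposes
    only the 1..256 byte bound; 5 bytes (40 bits) and 13 bytes (104 bits)
    run through exactly the same code."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                            # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def key_space_size(key: bytes) -> int:
    """Number of distinct keys of this length: 2^(8 * len(key))."""
    return 1 << (8 * len(key))


if __name__ == "__main__":
    forty_bit = bytes.fromhex("0102030405")                 # constructed 5-byte key
    long_key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 13-byte key
    for k in (forty_bit, long_key):
        print(f"{8 * len(k):3d}-bit key -> keyspace 2^{key_space_size(k).bit_length() - 1}, "
              f"first keystream bytes {rc4_keystream(k, 8).hex()}")
```

Since the same routine accepts both key lengths, the 40-bit figure on the product page is a configuration decision, not a property of RC4; the keyspace it leaves is 2^40, roughly 1.1e12 keys, which is the number to weigh when judging "marginally better than zero bits".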

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Doesn't Bruce Schneier practice what he preaches?
Date: 08 Nov 1999 02:03:11 GMT

"Thomas J. Boschloo" [EMAIL PROTECTED] writes:


>Keith Monahan wrote:
>
><snip (Bruce's passwordsafe) stuff>
>
>> Well, it's quite possible to attack the product without the source.  There
>> are
>> plenty of 'warez' crackers out there right now that make that their hobby
>> of choice in life.  It is certainly EASIER to do with source, but is still
>> possible to find bugs without.
>
>Software crackers don't find bugs, they just insert or modify protection
>code for a software product (I used to crack MSDOS software as a little
>hobby of mine). Finding errors in the source of encryption programs is
>way out of their league! And cryptographers are mostly very bad at
>reading raw assembly language (I think), they are more apt at
>mathematical structures and definitions.

Software crackers refer to the bug, in jest, as the registration bug.

Yes, crackers insert or modify code, but some create key generators,
a feat that can only be accomplished by reverse-engineering. Finding
errors or tracing the guts of an encryption program, may be too difficult
for most casual crackers, but it isn't beyond all of them.  See, for
example, the ICSA Guide to Cryptography (pp. 617-624).

Joe



__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (CoyoteRed)
Subject: Re: How protect HDisk against Customs when entering Great Britain
Date: Mon, 08 Nov 1999 02:54:54 GMT
Reply-To: CoyoteRed (at) Bigfoot (dot) com

On Sun, 07 Nov 1999 03:43:50 GMT, [EMAIL PROTECTED] (Dave
Hazelwood) wrote:

>There is a line that should not be crossed and that line is where the
>privacy of normal people is compromised in the name of the law for
>once that line is crossed Justice becomes Tyranny.
>
>And, once we have Tyranny then who will protect the defenseless?

You take a pretty hard line against me.  In your vigor, you seem to
advocate one's privacy over another's rights.

Look back to a statement I made:
>But scanning laptops will only deter the casual pornographer.  Serious
>child pornographers will continue to use the internet to disseminate
>their filth.

By "casual pornographer" I mean someone who would keep a few files for
their own pleasure, most men do this in one way or the other, be it
"skin flicks" or "girlie calendars."

For the sake of argument, I will give you your 99% who are "innocent,"
but one must think that an "innocent" viewer would only view a few of
such pictures before he went somewhere else.  A less innocent viewer
would be a collector of kiddie porn and he would have hundreds of
pictures, at least.  This is a fairly simple way to:
>How do you separate the 99% from the 1% who are seekers and buyers ?

I think anyone who would let a supplier know there is a demand would
be a serious collector.  But one such as this would have to be pretty
stupid to carry this around on his laptop.  Therefore, my conclusion
is laptop scanning at customs is a feel-good, but futile, attempt to
deter kiddie porn.

Another thing, how many times have you been through customs?  Does
someone going through your underwear take away your rights of privacy
to the point that you think you're entering into a draconian society?
Not me.  Customs are for preventing undesired items coming into a
nation.  Having someone rifle through me and mine's underwear is
hugely different from intrusion into our private home.

I believe a much better way to deter kiddie porn is to look for it on
the internet and monitor the traffic patterns.  Build your case
against persons in your jurisdiction and share information with your
counterparts on other jurisdictions.  Then use a coordinated strike
against all of the accused.  You only need to go after the
less-than-casual viewers and after ALL of the suppliers to deter
trafficking this stuff.

I do agree that you will never get rid of all of the kiddie porn,
because some guys are just built that way and need help, but you
certainly can send it further and further underground until it never
sees the light of day.

One must balance one person's rights against those of another.  To
advocate ultimate privacy over the rights of others to be left alone is
going too far in the other direction from tyranny, and that's anarchy.


And anarchy isn't that desirable either.


-- 
CoyoteRed
CoyoteRed <at> bigfoot <dot> com
http://go.to/CoyoteRed
PGP key ID: 0xA60C12D1 at ldap://certserver.pgp.com


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
