Cryptography-Digest Digest #873, Volume #10 Sun, 9 Jan 00 18:13:01 EST
Contents:
Re: Intel 810 chipset Random Number Generator (Scott Nelson)
Re: WSO have really protected my home PC with Windows 98 ! (Steve K)
An oldy application of the Feistel method (Mok-Kong Shen)
6 elliptic curves ("Michael Scott")
Re: Reprint of Yardley' Black Chamber (John Savard)
Re: Intel 810 chipset Random Number Generator ("Roger Schlafly")
Re: AES3 Conference: deadline for papers *18*/01/2000 ("Roger Schlafly")
Singh Enigma - Stage 1 ("al-Kindi")
Singh Enigma - Stage 2 ("al-Kindi")
Dimensions of block encryptions (Mok-Kong Shen)
Re: MD2 Hash security ("Joseph Ashwood")
Re: Large Numbers Beginner Question (lordcow77)
Re: Singh Enigma - Stage 2 (Sisson)
Re: Singh Enigma - Stage 2 ("al-Kindi")
Re: modifiec game of life encryption, to be analyzed (Tim Tyler)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: Intel 810 chipset Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Sun, 09 Jan 2000 17:32:58 GMT
On Sun, 09 Jan 2000 11:52:58 GMT, [EMAIL PROTECTED] wrote:
>Apparently there is no reliable way of detecting the RNG.
>You read 1 bit from a pre-defined memory location to see
>it is there, and read from other locations to get the random
>data. You are on your own to figure out whether the data is
>really random enough that it is likely to be coming from
>the RNG.
>
Well, yes, but the same could be said about almost any
piece of hardware. I.e. you can't really tell if you've
got a parallel card because some other device might be
using the same address/io space.
The HRNG has enough unusual properties that you
can detect it in software with out much trouble.
>It warns about multi-threaded apps using the RNG, but
>nothing about different apps using the RNG. Apparently
>bad things can happen if 2 apps try to use it at once.
>
Again, the same is true of other hardware.
2 Apps can't use the serial port either.
>This looks pretty brain-damaged to me.
>
Yes it is. But it's the normal intel/microsoft
brain damage.
Scott Nelson <[EMAIL PROTECTED]>
------------------------------
From: [EMAIL PROTECTED] (Steve K)
Subject: Re: WSO have really protected my home PC with Windows 98 !
Date: Sun, 09 Jan 2000 17:53:27 GMT
On Sun, 09 Jan 2000 04:29:50 GMT, [EMAIL PROTECTED] wrote:
>Need to protect your compter? I did. That's why I wrote Windows
>Security Officer. It works with Windows 95 and 98 systems, and it can
>do the following for you :
<snip long list of features>
Sounds potentially useful. Do you have it posted anywhere for
download, and do you have docs/ manuals online? Me wanna see.
:o)
Steve K
---Continuing freedom of speech brought to you by---
http://www.eff.org/ http://www.epic.org/
http://www.cdt.org/
PGP key 0x5D016218
All others have been revoked.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: An oldy application of the Feistel method
Date: Sun, 09 Jan 2000 19:07:58 +0100
In my humble undestanding, the gist of the Feistel method, which
is at the base of of many modern block ciphers, consists
in letting in each round one half of the information in the
'plaintext' to control the encryption process of the other half
and doing that alternatingly for a number of rounds.
In the following I like to propose a scheme that uses the Feistel
method but employs only the classical techniques, i.e. using
only transpositions and simple substitutions on entire characters
without any operations on the bit level as is done in the modern
ciphers. For illustration purpose, the normal alphabet is assumed.
Let a key K be given. Use K to contruct in some classical way
a 26*26 polyalphabetic substitution table S, with preferably
mixed (disordered) alphabets. Divide the message, assumed of even
number of characters, into two equal parts L and R. Then in
round 1 do the following in succession:
(1) Transposition: Determine from L an ordering to transpose
the characters of R. For example, L is the sequence 'BBACU'.
This gives the ordering 23145 so that the third character of
R will be moved to the first position, etc.
(2) Substitution: Use the characters in L as key characters to
perform substitutions of the corresponding characters of R by
means of the table S.
In round 2, the role of L and R are interchanged, and so on for
the suceeding rounds.
It is not apparent for me how one can best proceed to attack
that scheme. Presumably sophisticated techniques like differential
analysis are hard to apply. A minor point that maybe worthy of some
note is that we are operating on the whole message, which in
practice generally doesn't have a fixed length.
M. K. Shen
=============================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: 6 elliptic curves
Date: Sun, 9 Jan 2000 18:02:49 -0000
These curves use the standard Weierstrass parameterisation, and are of the
form:-
y^2 = x^3 +Ax +B mod p
where p is a prime congruent to 3 mod 4, and A is fixed at -3. A quarter of
all randomly generated curves can be transformed into this form.The former
condition makes it easier to find points on the curve, and the latter make
calculations on the curve somewhat faster.
The motivation is provide a set of curves which, within the limitations
mentioned above, are otherwise in no way special. It is thought that by
using such curves the user is safe against cryptanalytic advances, except in
a circumstance where the whole premise behind Elliptic Curve cryptography
collapses and a sub-exponential solution is found for the most general
discrete logarithm problem in the elliptic curve setting.
Each curve is with respect to a prime p which is n bits in length. In each
case the number of points q on the curve is itself a prime. The prime p is
found as the first prime congruent to 3 mod 4 which is found by incrementing
a number n bits in length, formed from the first n bits of the mathematical
constant pi=3.141592.... The parameter B is formed from the first n bits of
the mathematical constant e=2.71828...., incremented until q is prime.
n=160
B=993193335754933797118314178888153828594854512705
p=1147860701762054730346201299935827782113538756127
q=1147860701762054730346200648614608152209809891831
n=192
B=4265732895672588129268258440977714335632089762934383523494
p=4930024174431634640599033341057067222865862716297522433299
q=4930024174431634640599033341125441632693811654341940586403
n=224
B=18321183280385145938884990414875229336370193019939570227257813318147
p=21174292597673270169193562049053717791882423761323585056162680913631
q=21174292597673270169193562049053723134442099121024262551089688143309
n=256
B=78688883013276200091698248537162581920209762369847930022367595957783191893
217
p=90942894222941581070058735694432465663348344332098107489693037779484723616
779
q=90942894222941581070058735694432465663288414616171509431879910319924502217
783
n=384
B=26776439362122453792588319552731959650141032425239760139617629033244994517
401871440317035340712170298670944533378961
p=30946263300823101954888425259784296108860594177929936231961025381527827855
583154673559277957637088071546809309873019
q=30946263300823101954888425259784296108860594177929936231959195086011429040
851460901626189237585847628753659044398489
n=512
B=91115501638580122814409017327465388387722625901436541339386747435421078854
9201539085124861804205667998338520770562569910104904193094317145085251678092
7629
p=10530467723362659054861705371139847026313999328372313651398671272025951445
5690247299484713430619315866109428242290833713318232291563997903855884435509
59087
q=10530467723362659054861705371139847026313999328372313651398671272025951445
5691445245073773638879414334498237137429162873425047950063161144680402831117
10577
These curves may be used freely without restriction.
Mike Scott
=====================
Fastest is best.
MIRACL multiprecision C/C++ library for big number cryptography
http://indigo.ie/~mscott
ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Reprint of Yardley' Black Chamber
Date: Sun, 09 Jan 2000 18:22:00 GMT
On 8 Jan 2000 02:48:48 GMT, [EMAIL PROTECTED] (Paul Rubin) wrote:
>This book is out of print? A shame, it's a good read.
>It was written in the 1920's and may be out of copyright too.
>Someone ought to put it on a web site, if that's the case.
Yardley was still living after World War II, and thus it will be some
time before the new U.S. 70-year rule will be satisfied.
However, it was reprinted as a pocket book from Ballantine, in their
espionage series, and thus copies occasionally turn up at used book
stores.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator
Date: Sun, 9 Jan 2000 10:32:31 -0800
Vernon Schryver <[EMAIL PROTECTED]> wrote in message
news:85acr0$nv$[EMAIL PROTECTED]...
> As far as the hardware can tell, there is no consistent difference between
> a "multi-threaded app" and an operating system running "2 apps."
So why does the Intel manual suggest a way to use the RNG in
a multi-threaded app, but not give a clue about how to get it to work
for 2 apps?
>The right
> way to use this random chip is as one source of randomness for something
> like /dev/random, which would not only fetch and distill randomness from
> the chip and elsewhere, but mediate between uses of randomness, and not
> only for user-mode applications but within the operating system, such as
> for initial TCP sequence numbers. (See RFC 1948).
That is your opinion, but it does not appear to be what Intel had in mind.
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: AES3 Conference: deadline for papers *18*/01/2000
Date: Sun, 9 Jan 2000 10:38:07 -0800
> "Due to a Federal Government holiday on Monday, January 17, paper
> submissions for AES3 may be submitted to NIST up until 9:00 am
> Eastern Standard Time on Tuesday, January 18."
NIST also welcomes ordinary comments. I just submitted one in
support of the idea of having a single standard. (Believe it or not,
there are business interests that oppose standards for various reasons.)
------------------------------
From: "al-Kindi" <[EMAIL PROTECTED]>
Subject: Singh Enigma - Stage 1
Date: Sun, 9 Jan 2000 20:15:09 -0000
Please find below electronic version of Stage 1 from Singh's Cipher
Challenge.
What follows is the _unchecked_ output from my OCR program. It will
doubtless contain errors and you must proceed with caution.
al-Kindi
BT JPX RMLX PCUV AMLX ICVJP IBTWXVR CI M LMT'R PMTN, MTNYVCJX CDXV MWMBTRJ
JPX AMTNGXRJBAH UQCT JPX QGMRJXV CI JPXYMGG CI JPX HBTW'R QMGMAX; MTN JPX
HBTW RMY JPX QMVJ CI JPXPMTN JPMJ YVCJX. JPXT JPX HBTW'R ACUTJXTMTAX YMR
APMTWXN,MTN PBR JPCUWPJR JVCUFGXN
PBL, RC JPMJ JPX SCBTJR CI PERGCBTR YXVX GCCRXN, MTN PER HTXXR RLCJX CTX
MWMBTRJMTCJPXV. JPX HBTW AVBXN MOCUN JO FVBTW ET JPX MRJVCCCWXVR,JPX
APMGNXMTR, MTN JPX RCCJPRMEXVR. MTN JPX HETW RQMHX,MTN RMEN JO JPX YERX LXT
CI FMFEGCT, YPCRCXDXV RPMGC VXMNJPBR
YVBJBTW, MTN RPCY LX JPX BTJXVQVXJMJBCT JPXVXCI,RPMGC FX AGCJPXN YBJP
RAMVGXJ, MTN PMDX M APMBT CI WCGNMFCUJ PER TXAH, MTN RPMGG FX JPX JPEVN
VUGXV ET JPXHETWNCL JPXT AMLX BT MGG JPX HETW'R YERX LXT; FUJ JPXEACUGN TCJ
VXMN JPX YVBJETW, TCV LMHX HTCYT JO
JPX HBTW JPXBTJXVQVXJMJBCT JPXVXCI. JPXT YMR HBTW FXCRPMOOMV
WVXMJGEJVCUFGXN, MTN PBR ACUTJXTMTAX YMR APMTWXN BT PBL, MTN PBRGCVNR YXVX
MRJCTBRPXN. TCY JPX KUXXT, FE VXMRCT CI JPXYCVNR CI JPX HBTW MTN PBR GCVNR,
AMLX BTJC JPX FMTKUXJPCURX; MTN JPX KUXXT R
QMHX MTN RMBN, C HBTW, GBDX ICVXDXV;GXJ TCJ JPE JPCUWPJR JVCUFGX JPXX, TCV
GXJ JPE ACUTJXTMTAXFX APMTWXN; JPXVX BR M LMT BT JPE HBTWNCL, BT YPCL BR
JPXRQBVBJ CI JPX PCCE WCNR; MTN ET JPX NMER CI JPE IMJPXVGBWPJ MTN
UTNXVRJMTNBTW MTN YBRNCL, CEHX JPX YBRNC
L CI JPXWCNR, YMR ICUTN BT PEL; YPCL JPX HBTW TXFUAPMNTXOOMV JPEIMJPXV, JPX
HETW, B RME JPE IMJPXV, LMNX LMRJXV CI
JPXLMWBABMTR,MRJVCGCWXVR,APMGNXMTR,MTNRCCJPRMEXVR;ICVMRLUAP MR MT XZAXGGXTJ
RQBVBJ, MTN HTCYGXNWX, MTNUTNXVRJMTNBTW, ETJXVQVXJETW CI NVXMLR,
MTN RPCYBTW CI PMVNRXTJXTAXR, MTN NERRCGDETW CI NCUFJR, YXVX ICUTN ET
JPXRMLX NMTEXG, YPCL JPX HBTW TMLXN FXGJXRPMOOMV; TCY GXJNMTBXC FX AMGCXN,
MTN PX YBGG RPCY JPX BTJXVQVXJMJECT. JPXIBVRJ ACNXYCVN BR CJPXGGC.
------------------------------
From: "al-Kindi" <[EMAIL PROTECTED]>
Subject: Singh Enigma - Stage 2
Date: Sun, 9 Jan 2000 20:16:48 -0000
Please find below electronic version of Stage 2 from Singh's Cipher
Challenge.
What follows is the _unchecked_ output from my OCR program. It will
doubtless contain errors and you must proceed with caution.
al-Kindi
MHILY LZA ZBHL XBPZXBL MVYABUHL HWWPBZ JSHBKPBZ JHLJBZ KPJABT HYJHUBT LZA
ULBAYVU
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Dimensions of block encryptions
Date: Sun, 09 Jan 2000 22:24:09 +0100
In order to induce some more discussions, I like to (re-)state
what I personally would term the three dimensions of block
encryptions, based on stuffs discussed in this group in the past.
The first dimension is vertical. That is, one can use super-
encipherment. From n available algorithms one can choose m of
them and order these in one of m! possible ways. (It is assumed
that that doesn't result in strength below that of the weakest
algorithm.)
The second dimension is horizontal. That is, one can use
different algorithms or multiple algorithms for different blocks.
The third dimension concerns the use of the keys. As recently
discussed, one can use variable keys for the block algorithms,
thus counteracting such techniques as the differential analysis.
As additional dimensions one could consider the combination of
the block encryption with a stream encryption or the operations
on whole messages instead of on blocks of limited fixed lengths.
All these 'variabilities' could be controled/implemented with the
aid of a pseudo-random number sequence. The intended goal is to
force the analyst to brute-force, e.g. trying the seeds of a
PRNG. Brute-force, on the other hand, can be effectively prevented
through purposedly introducing certain amounts of computational
'inefficiencies'.
Wouldn't appropriate exploitations of such (in my humble view
enormous) possibilities of 'variations' very well satisfy the
desired goals as stated/implied in a recent post of John Savard?
Thanks.
M. K. Shen
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: MD2 Hash security
Date: Sun, 9 Jan 2000 14:00:49 -0800
> MD2 hash was developed for "anti-forge" security, ie, so a person would
> not find it easy to come up with two texts with the same hash.
> How difficult would it be though, to actually discover the original text
> from a MD2 hash?
You forgot a piece of information that would be quite useful in this, how
long is the data being hashed. If the data has more entropy than hash, then
no matter which hash method you use the entire original text cannot be
discovered, even through experimentation, and a brute force search would
reveal several possible original texts. However if your text is extremely
short, no matter how good your hash your original text may be discovered,
what you have probably falls somewhere in between. I'm not familiar enough
with MD2 to place any further limits on it.
> Also, if given a hash of a secret password, would it at all be possible
> to find the hash of the secret password with a space appened to the end,
> and vice-versa.
That would depend on not only the hash, but the code around the hash, if
your pre-hash code includes removing all leading and trailing spaces (I've
seen it done) then the question answers itself.
------------------------------
From: lordcow77 <[EMAIL PROTECTED]>
Subject: Re: Large Numbers Beginner Question
Date: Sun, 09 Jan 2000 14:05:56 -0800
In article <855c6k$j31$[EMAIL PROTECTED]>, David A Molnar
<[EMAIL PROTECTED]> wrote:
> Find a "bignum" package. The GnuMP library is one such package
> (check any
> GNU site). Another is NTL (http://www.shoup.net/). Two others are
> MIRACL
> and PARI. If you search for "bignum" or "multiprecision
> integer package", you'll find many software libraries which
> implement
> large integers. These typically provide a new data type which can
> be
> manipulated much like a regular int or long...except it holds an
> arbitrarily large number of bits.
> I've worked a bit with GnuMP and NTL. NTL will do more "for you";
> it has
> native routines for fast modexp and modmult, for instance. The
> downside is
> that the programming interface has occasional quirks. GnuMP, on
> the other
> hand, provides only "the basics", but it's usually clear how to
> use them.
> Thanks,
> -David Molnar
What are the quirks of NTL's programming interface? I find it to be
intiutive and useful, especially its native support of polynomials.
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: Sisson <[EMAIL PROTECTED]>
Subject: Re: Singh Enigma - Stage 2
Date: Sun, 09 Jan 2000 22:20:58 GMT
hmm, get stages1-10 @
http://users.bigpond.net.au/spendabuck/cipher/ciphers.txt
>From Spendabuck
al-Kindi wrote:
> Please find below electronic version of Stage 2 from Singh's Cipher
> Challenge.
>
> What follows is the _unchecked_ output from my OCR program. It will
> doubtless contain errors and you must proceed with caution.
>
> al-Kindi
>
> MHILY LZA ZBHL XBPZXBL MVYABUHL HWWPBZ JSHBKPBZ JHLJBZ KPJABT HYJHUBT LZA
> ULBAYVU
------------------------------
From: "al-Kindi" <[EMAIL PROTECTED]>
Subject: Re: Singh Enigma - Stage 2
Date: Sun, 9 Jan 2000 22:53:45 -0000
Oh well, another altruistic impulse wasted... :)
Sisson wrote in message <[EMAIL PROTECTED]>...
>hmm, get stages1-10 @
>http://users.bigpond.net.au/spendabuck/cipher/ciphers.txt
>
>From Spendabuck
>
>al-Kindi wrote:
>
>> Please find below electronic version of Stage 2 from Singh's Cipher
>> Challenge.
>>
>> What follows is the _unchecked_ output from my OCR program. It will
>> doubtless contain errors and you must proceed with caution.
>>
>> al-Kindi
>>
>> MHILY LZA ZBHL XBPZXBL MVYABUHL HWWPBZ JSHBKPBZ JHLJBZ KPJABT HYJHUBT LZA
>> ULBAYVU
>
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: modifiec game of life encryption, to be analyzed
Reply-To: [EMAIL PROTECTED]
Date: Sun, 9 Jan 2000 22:36:54 GMT
[EMAIL PROTECTED] wrote:
: No need to be sorry for the quantity of comments [...]
I was trying to apologise for my lack of snipping. Not everone wants
to download lots of quoted material which they've already read.
: Fredkins Parity Rule and Moore 'neighbourhood'? are new to me [...]
Fredkin is a Cellular Automata fruitcase. You can read about his views
on life, the universe and everything at:
http://www.mrc.uidaho.edu/mrc/people/nystrom/fredkin-finite-nature.html
: Fredkin's parity rule? Have not found reference to this.
Fredkin's name has long been attached to the parity rule. Superficially
it appears to have some significance as one of the simplest
self-reproducing cellular auttomata rules.
You can see Fredkin's rule in action at Mirek's Java Cellebration:
http://www.mirwoj.opus.chelm.pl/mjcell/mjcell.html
Start the applet, and select "Voting rule" and then "Fredkin".
: Moore, still to find his contributions too.
The Moore neighbourhood is the neighbourhood used by the Game of Life:
NW N NE
W C E
SW S SE
C' = f(NW,N,NE,W,C,E,SW,S,SE), on a rectangular grid.
It can be contrasted with the von Neumann neighbourhood, which is
also very common.
: There may be a method to reverse the results of one iteration but I
: cannot think of any method except brute force.
Brute force surely imples inspecting every possible configuration to see
if it is the predecessor of the state whose inverse you are looking for.
You have already established that interating for 511 steps your finite
automata effectively finds the predecessor of the current state. This
seems like /much/ less work than "brute force" to me.
The inverse is not hard to calculate by hand in simple cases. I expect
the proceedure may be automated with "significantly less work" than
going through 511 iterations of the automata.
: When I try to analyze how to create a reveral function taking into
: consideration all bits surrounding the target bit, there still is
: not enough information to get a clear picture. Using the surrounding
: 8 bits and those which surround them, 16 bits, it looks more promising
: but after a few practice sessions using a checker board and it's pieces
: to analyze one result from the computer, I was able to find two solutions
: for one bit; both of which did not match the source pattern from the
: computer.
There's an interesting proof (Kari J.: "Reversibility of 2D Cellular
Automata is Undecidable", 1990) that in general no bound can be placed on
the size of the neighbourhood of the inverse of a uniform automata using
the von Neumann neighbourhood.
Extending this result to the Moore neighbourhood appears trivial since
this is a superset of the VN neighbourhood.
This means the inverse function /might/, in principle be a function of the
state of every cell in the automata...!
This might make it "a bit tricky" to compute - though the "511 iterations
technique" provides a clear upper limit on the work involved when the
boundary conditions you are using are employed.
: Using a series of connected s-boxes whose contents are the XOR
: function is fine for you to write but I have yet to see a 'dummy's'
: explanation of an s-box. [...]
I think:
http://www.io.com/~ritter/GLOSSARY.HTM#S-Box
...is material of good quality and clarity.
Best wishes with any further exploration of the area.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Be good, do good.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
