Cryptography-Digest Digest #985, Volume #10 Thu, 27 Jan 00 07:13:01 EST
Contents:
Re: NIST, AES at RSA conference (Terry Ritter)
Re: How much does it cost to share knowledge? (Tom St Denis)
Re: RSA v. Pohlig-Hellman ("Roger Schlafly")
Re: New to cryptology question, rolling XOR ("Douglas A. Gwyn")
Re: Why did SkipJack fail? ("Douglas A. Gwyn")
Re: Why did SkipJack fail? ("Douglas A. Gwyn")
Re: NIST, AES at RSA conference ("Douglas A. Gwyn")
Re: Why did SkipJack fail? (Greg)
Re: Why did SkipJack fail? (Jerry Coffin)
Re: How much does it cost to share knowledge? (Greg)
Re: RSA survey ("Joseph Ashwood")
Re: generating "safe primes" ("Joseph Ashwood")
Re: Intel 810 chipset Random Number Generator (Scott Nelson)
Re: Intel 810 chipset Random Number Generator (Vernon Schryver)
DVD: CSS comments?? ("Craig Inglis")
Re: Mac encryption algorithm? (Paul Schlyter)
Re: DVD: CSS comments?? (Glenn Larsson)
Any Reference on Cryptanalysis on RSA ? ("Ip Ting Pong, Vincent")
Re: Why did SkipJack fail? (Paul Rubin)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: NIST, AES at RSA conference
Date: Thu, 27 Jan 2000 05:21:56 GMT
On Thu, 27 Jan 2000 04:04:34 GMT, in <86og4f$fu5$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] wrote:
>Terry Ritter wrote:
>
>[...]
>>
>> Another way to deal with real life ciphering is to use methods which
>> tend to isolate and protect the ciphers we cannot trust. For example,
>> multi-ciphering with a sequence of different ciphers has advantages.
>
>Giving us a multi-cipher we cannot trust. The probability
>of weakness argument still applies and with the same
>parameters.
That argument is false: Any cipher you are willing to trust alone can
be made one layer of a multi-cipher. So if your favorite cipher
really is strong, the multi-cipher stack of ciphers will be strong.
But if your cipher is *not* strong, the other ciphers may provide the
strength your selection lacked. That added possibility clearly *is*
an increased probability of strength.
Furthermore, the other ciphers in the stack obviously prevent
simultaneous access to plaintext and ciphertext for your favorite
cipher. This protects your cipher against known-plaintext and
defined-plaintext attacks of all sorts. This added protection clearly
*is* a form of added strength.
>
>[...]
>> Your "warm and fuzzy" detector perhaps has failed to take into account
>> the little detail of *risk*: In particular, the risk of an entire
>> society locked-in to using a single cipher, or any small set of
>> ciphers.
>
>Alas we cannot show that the risk of using a large, or even
>open-ended set of ciphers is any smaller.
False yet again: By partitioning plaintext for protection under many
different ciphers (instead of protecting all plaintext under the same
cipher), we find that the whole of the plaintext can be exposed only
by breaking *all* of the ciphers, instead of just one. Since this
would involve breaking your favorite cipher plus many other ciphers,
it is obviously harder than just breaking your cipher alone, which is
once again a proof of added strength.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Date: Thu, 27 Jan 2000 05:15:10 GMT
In article <[EMAIL PROTECTED]>,
"Steve Sampson" <[EMAIL PROTECTED]> wrote:
> Forget about the seminars. Get the librarian to order you a copy of the
> papers. Most seminars are a defect in University professors being
> required to publish or die. Most of it is unreadable by undergraduates,
> and even most graduate students. After you line through all the mumbo-
> jumbo, you're left with six equations that prove the Earth is in an orbit
> around the Sun, or at least that's their story, and they're sticking with
> it.
Well I have ordered some books, but some of them are expensive. Plus
there are a zillion good books I don't know about. Last time I looked
up 'Discrete Mathematics' at the bookshop their computer crashed..hehehe
> If I was you, and I wish I was (smile), I would take the minimum classes
> at the High School, and spend at least two courses at the Community
> College. It's worth more to get your post algebra math at the college
> level. Make sure it's not one of those calculator based courses, as they
> will bury you at the University level. I used a plain old TI-35 Scientific
> up to Calc-II, and then it petered out in all the spherical stuff.
Well I try to keep myself busy (I write software (ask me if you want to
find out what I write)) but I am at a loss as to what I should look at
with my interests...
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: RSA v. Pohlig-Hellman
Date: Wed, 26 Jan 2000 21:12:53 -0800
Anton Stiglic <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> It is recommended that both (p-1) and (q-1) have at least
> one large prime factor, so as to guard against Pollard's
> p-1 factoring algorithm. See section 3.2.3 of the Handbook
> of applied cryptography.
Read a little farther. In section 3.2.7, it tells about the general
number field sieve. Pollard's p-1 method is nearly always a
lot slower, and there is no need to worry about it.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: New to cryptology question, rolling XOR
Date: Thu, 27 Jan 2000 07:42:46 GMT
Jonas wrote:
> To me it seems like you never can predict the outcome without
> knowing the text or password?
The thing is, usually the cryptanalyst "knows" (i.e., can guess
with non-negligible probability) some of the plaintext; he only
needs 8 bits in your example, which amounts to one ASCII character.
That allows him to easily recover some of the effective key, which
can be applied to the position 8 bits farther back to recover
an earlier key bit, and so forth.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Why did SkipJack fail?
Date: Thu, 27 Jan 2000 07:45:07 GMT
Vernon Schryver wrote:
> ... What was (and perhaps is) the cost
> of the various efforts to tap the Russian undersea cables?
A proper economic evaluation requires that one also take into
account the expected benefits. (See Hazlitt.)
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Why did SkipJack fail?
Date: Thu, 27 Jan 2000 07:46:35 GMT
Jerry Coffin wrote:
> ... if they had a reasonable expectation of recovering something they
> considered worth substantially MORE than the $200M, and would remain
> that valuable for at least the year involved, then I could easily see
> a financial officer approving the expenditure.
True, but what would it be that couldn't be bought more cheaply?
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Date: Thu, 27 Jan 2000 07:51:38 GMT
Terry Ritter wrote:
> False yet again: By partitioning plaintext for protection under many
> different ciphers (instead of protecting all plaintext under the same
> cipher), we find that the whole of the plaintext can be exposed only
> by breaking *all* of the ciphers, instead of just one. Since this
> would involve breaking your favorite cipher plus many other ciphers,
> it is obviously harder than just breaking your cipher alone, which is
> once again a proof of added strength.
However, the adjacent PT can provide clues that would help in
cracking a "partition".
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Why did SkipJack fail?
Date: Thu, 27 Jan 2000 08:14:17 GMT
In article <[EMAIL PROTECTED]>,
"Steve Sampson" <[EMAIL PROTECTED]> wrote:
> Why?
>
> Because it was uneconomical. The reason any product fails.
That is sort of a relative term. Anything that is not in demand
can be said to be not economical. Anything in enough demand can
likewise be said to be economical. A B2 bomber or a thermo nuke
is economical for the US government and for most any government
for that matter.
So I guess my question really should have been, why is there no
overwhelming demand for SkipJack (and let me take this opportunity
to clarify) within the Clipper product like there is for PGP or
other successful encryption product?
Perhaps, as someone said, SkipJack is not a failure, but I would
not call it a success either. A success is something like RSA
or PGP. These are success stories simply by their name recognition.
Thanks to all of you who have responded thus far. I have gained
some insight into SkipJack and Clipper.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Why did SkipJack fail?
Date: Thu, 27 Jan 2000 01:20:27 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Jerry Coffin wrote:
> > ... if they had a reasonable expectation of recovering something they
> > considered worth substantially MORE than the $200M, and would remain
> > that valuable for at least the year involved, then I could easily see
> > a financial officer approving the expenditure.
>
> True, but what would it be that couldn't be bought more cheaply?
Oh, let's see: assume some large bank decides that DES isn't
particularly secure anymore, and starts to use SkipJack to carry out
transactions between its offices. I could easily see a large bank
doing FAR more than $200M/year in transactions, and I think most banks
know the value of money well enough that they wouldn't sell you $200M
for a lot less than that...
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Date: Thu, 27 Jan 2000 08:16:01 GMT
How much does it cost to share knowledge?
Well, in America, the question is, "How much are you willing to pay
for knowledge?"
Tough lesson, but that is the free market in action...
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: RSA survey
Date: Thu, 27 Jan 2000 00:28:34 -0800
> Your computer will spontaneously sing showtunes when you are blue
> before keys above 1024 bits are required...
OTOH, why bother having a lower security margin than I can easily afford?
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: generating "safe primes"
Date: Thu, 27 Jan 2000 00:35:59 -0800
> Actually, what I should have asked was:
> Are there other ways to generate safe primes, _besides_ the trivial way of
> testing q, then testing p = 2q + 1 for primality.
They exist but you don't even want to try them, factoring is probably
easier.
>
> This is not for practical purposes, but for theoretical purposes; so
> efficiency (as long as polynomial... =) ) doesn't matter as much.
I can't think of any in poly time off hand.
Joe
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 Jan 2000 08:53:01 GMT
On Wed, 26 Jan 2000 17:44:53 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
[snip]
>
>On Wed, 26 Jan 2000 17:05:49 GMT, in
><[EMAIL PROTECTED]>, in sci.crypt [EMAIL PROTECTED]
>(Scott Nelson) wrote:
>>If you're taking samples every microsecond,
>>then the probability of a pico-second
>>variance falling on the boundary of a measurement is
>>approximately 1pSec / 1 uSec or 1 in a million.
>>In other words, if crystals have a 1 pico-second variance,
>>and you can sample every micro-second, then every million
>>samples has approximately 1 bit of useful entropy,
>>or about 1 bit per second.
>>
>>Non trivial in the "amount of time needed" sense,
>>but it is trivial in the "amount of hardware needed" sense.
>
>I would like to see that design; it doesn't sound at all trivial to
>me. This sounds like we are opening a 1 psec window every 1 usec,
>which requires its own precision clocks both for the sampling period
>and the window, to say nothing of the non-trivial GHz logic for the
>window detection.
>
This is sort of what I had in mind:
                 ______
20 MHz          |      |
==========D     |      |Q======
                |74F401|
1 MHz           |      |
=========CP     |      |
                |______|
The select lines S0, S2, MR, and ground are tied low
CWE, /P, and VCC are tied high
I'm ignoring the conversion from crystal to logic levels,
since it's conceivable that you already have the two circuits
around. And I'm also assuming the two signals are independent
(i.e. the 1 MHz signal isn't a divided version of the 20,)
and that the crystals are physically isolated enough that they
do not "tune" each other (yet another reason not to use them.)
Since D is gated on the rising edge of CP,
the "window" is approximately equal to one gate delay.
5 nano-seconds is pushing it, but within tolerance
for modern ICs.
After only 1 million pulses of the CP line, Q will produce
one reasonably unbiased and unpredictable bit.
(Assuming that the figure of 1 pico-second of jitter is accurate,
and I didn't make any mistakes.)
[more snip]
>And all this is vastly more than we need if we just want to detect
>noise.
>
Absolutely.
But there are things like Niko's random number generator,
so it would be nice to have a quantifiable measure of
how much (or more precisely, how little) entropy there
really is in such a thing.
Scott Nelson <[EMAIL PROTECTED]>
------------------------------
From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: Intel 810 chipset Random Number Generator
Date: 26 Jan 2000 12:54:15 -0700
In article <86lqa2$m6p$[EMAIL PROTECTED]>,
Michael Kagalenko <[EMAIL PROTECTED]> wrote:
> ...
> That's totally unrelated to the method that I proposed.
As far as I know, the only method Mr. Kagalenko has come even slightly
close to proposing seemed to involve measuring the drift of a personal
computer's clock compared to high precision clocks via the Internet. In
response to Mr. Kagalenko's almost reference to that method, I wrote at
length why that idea has for more than ten years been known to be a very
poor way of obtaining random numbers suitable for any purpose, other than
measuring the temperature of computer rooms and sometimes the degree of
(in)activity of computers. I also pointed out that an enemy can manipulate
measurements of clock drift over the Internet without hope of detection,
which makes the notion useless for obtaining random numbers for encryption.
I expect to never see another of Mr. Kagalenko's articles, so I may
never know if he had in mind some other, less implausible method.
That might be unfortunate for me, because like many people, I would
be very interested in another good, cheap, and fast method to get
secret, truly random numbers.
--
Vernon Schryver [EMAIL PROTECTED]
------------------------------
From: "Craig Inglis" <[EMAIL PROTECTED]>
Subject: DVD: CSS comments??
Date: Thu, 27 Jan 2000 10:51:37 -0000
Now the source to the DVD encryption routine
has been released (as reported by WIRED
http://www.wired.com/news/politics/0,1283,33922,00.html )
I wonder if any of the crypto gurus out there have
any comments about the suitability of the algorithm they
have used??
The document is at http://cryptome.org/dvd-hoy-reply.htm
and the encryption/decryption source is at Exhibit A.
ttfn
Craig.
------------------------------
From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Mac encryption algorithm?
Date: 27 Jan 2000 10:57:49 +0100
In article <86nq4a$ngg$[EMAIL PROTECTED]>,
Keith A Monahan <[EMAIL PROTECTED]> wrote:
> Can you be more specific? Are you looking for public key stuff or
> private key? I'm not real familiar with mac programming, but outside of
> maybe byte order or something, are there particular issues you need to
> worry about?
Yes: MACs use symmetric encryption algorithms, as opposed to
certificates which use asymmetric encryption algorithms. Therefore,
to verify a MAC, you need access to the secret symmetric
encryption/decryption key.
One common way to compute a MAC is to use DES in CBC mode, and then
discard all encrypted DES blocks except the last one, which will
become the MAC.
--
================================================================
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
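Added example of the CBC-based MAC described above; it is not code from the poster. Since Python's standard library has no DES, a small Feistel permutation on 64-bit blocks stands in for the block cipher (constructed for this example and labelled as such); any 8-byte-block cipher such as DES plugs into the same `cbc_encrypt_blocks` function. The MAC is literally the last CBC ciphertext block, and verification recomputes it and compares in constant time. One caveat worth knowing: this raw CBC-MAC is only sound for messages of a single fixed length; variable-length use needs a variant such as CMAC.

```python
import hashlib
import hmac

BLOCK_SIZE = 8   # 64-bit blocks, the DES block size


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES (hypothetical, constructed for this example): a 4-round
    Feistel permutation on 64-bit blocks whose round function hashes
    (key, round number, right half).  Feistel structure makes it a bijection
    whatever the round function, which is all CBC-MAC needs from it."""
    assert len(block) == BLOCK_SIZE
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def cbc_encrypt_blocks(key: bytes, message: bytes, block_encrypt=toy_block_encrypt):
    """CBC mode with a zero IV; returns every ciphertext block."""
    padded = message + b"\x00" * (-len(message) % BLOCK_SIZE)   # zero-pad to whole blocks
    if not padded:
        padded = bytes(BLOCK_SIZE)                                # empty message -> one zero block
    prev = bytes(BLOCK_SIZE)
    out = []
    for i in range(0, len(padded), BLOCK_SIZE):
        blk = padded[i:i + BLOCK_SIZE]
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(blk, prev)))
        out.append(prev)
    return out


def cbc_mac(key: bytes, message: bytes, block_encrypt=toy_block_encrypt) -> bytes:
    """Discard every CBC block except the last one; that block is the MAC."""
    return cbc_encrypt_blocks(key, message, block_encrypt)[-1]


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute with the shared secret key and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, message), tag)


# Constructed sample key and message (not from the thread).
KEY = bytes.fromhex("0123456789abcdef")
MESSAGE = b"TRANSFER 100 FROM A TO B"

if __name__ == "__main__":
    tag = cbc_mac(KEY, MESSAGE)
    print("tag:", tag.hex())
    print("genuine verifies:", verify_mac(KEY, MESSAGE, tag))
    print("tampered verifies:", verify_mac(KEY, b"TRANSFER 900 FROM A TO B", tag))
```

Because the same key both produces and checks the tag, anyone who can verify can also forge, which is exactly the contrast with signatures that the post draws.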
------------------------------
From: Glenn Larsson <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: DVD: CSS comments??
Date: Thu, 27 Jan 2000 11:50:09 +0100
Well, I'm no crypto guru - far from it; but I know this:
Trying to copy protect something via crypto is pointless.
Claiming that keys are stored at parts on the cd that is "not
normally readable" is bull: HOW would you read that key then?
OBVIOUSLY you can read it in some way, and then extract the
data from it.
Even simpler: Get 2 PCs, 1 with DVD + TV Out, the other with
a Realtime MPEG2 Capture capability. Done.
Just my 0.02 Strips of Latinum,
Glenn
_________________________________________________
Spammers will be reported to their government and
Internet Service Provider along with possible legal
repercussions of violating the Swedish "Personal
Information Act" of 1998. (PUL 1998:204)
------------------------------
From: "Ip Ting Pong, Vincent" <[EMAIL PROTECTED]>
Subject: Any Reference on Cryptanalysis on RSA ?
Date: Thu, 27 Jan 2000 18:42:34 +0800
Hi all,
I want to study the relationship of the strength between the key length of
RSA and the key length of DES.
For example,
Currently, 1024 bit RSA and 64 bit DES are the de facto strong key length.
I want to know if the "legitimate" key space of 1024 bit RSA key is more or
less equal to 64 bit key?
Thanks in advance.
With regards,
Ah Pong
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Why did SkipJack fail?
Date: 27 Jan 2000 11:21:06 GMT
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>> The way to slow down brute force search is with more bits of keyspace,
>> not more complexity to the cipher.
>
>In any case, you can deny it all you want, but the reality is that
>every time you make encryption take (for example) twice as long, it's
>equivalent to adding one bit to the key from a viewpoint of the
>difficulty of exhausting the key space.
It's not equivalent. Making the cipher slower slows down the
legitimate user as well as the attacker. Adding a bit to the keyspace
only slows down the attacker.
>> You couldn't build a .18 micron Deep Crack today without spending a
>> heck of a lot more money than Deep Crack cost. Deep Crack was
>> relatively cheap ($250K) because it used a semicustom (rather than
>> fully custom) chip design and a fairly low tech fab process. With the
>> same $250K today (18 months after Deep Crack was built), Moore's Law
>> predicts you could get about double the speed.
>
>You're making a number of fundamental mistakes in your assessment.
>First of all, you're quoting the cost as $250,000, when the book says
>the cost was about $210,000. Second, of that $80,000 is said to have
>been the design cost, and the other $130,000 the cost of materials.
>Building a machine twice as fast (for example) doesn't double the
>design cost, only the materials cost. IOW, a machine twice as fast as
>Deep Crack would have cost roughly $340,000, rather than the $500,000
>you're trying to peg it at.
$250K is what the EFF web site said but anyway, $340K isn't much different
than $500K. If you want a really big speedup you have to spend megabucks.
>As I mentioned in a previous message, the chip foundry situation has
>changed considerably in the last year or two as well. A few years
>ago, it was relatively difficult to get relatively high-tech designs
>built at a chip foundry. You had little choice but to settle for
>relatively out-of-date processes unless you were looking at buying a
>LOT of chips. The situation now is different. Chip foundries now
>have as good of process technology available as other fabs.
They pretty much always have. And you've always had to pay plenty for
the highest tech processes. Also, getting away from the Deep Crack
gate arrays and using a full custom design would speed the system up a
lot, but increase NRE drastically. However, once you're talking about
spending $200M as you are, you can get basically anything you want,
I'll grant you that.
>Getting an order of magnitude (or more) chips built also gives you a
>MUCH better bargaining position. Of course, if a representative of
>the NSA shows up, he probably automatically has a better bargaining
>position than a representative of the EFF in any case.
The NSA has their own fabs. They wouldn't think of bringing a classified
design to a commercial foundry.
>In short, I'm quite certain that if the $200M value is off, it's FAR
>more likely to be high than low.
>> The interest on $200 million for a year (at 7%) is $14 million. If
>> it's going to cost the attacker $14 million to break one key, and it's
>> going to take them a year to do it, I'd say that cipher is safe for
>> most purposes.
>
>Probably -- as long as you're not protecting anything worth more than
>$14M/year (or so) there's at least a fair chance of it. Then again,
>for MOST purposes, DES or even double-transposition with a good key is
>probably reasonably safe -- I'd bet more messages encrypted with PGP
>have to do with what the new secretary looks like in a mini-skirt than
>with anything worth tens or hundreds of millions of dollars a year...
That is correct about DES and PGP. But systems that can easily be broken
by automatic processes on ordinary computers are worthless.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************