Cryptography-Digest Digest #936, Volume #10 Thu, 20 Jan 00 11:13:01 EST
Contents:
Re: ECC vs RSA - A.J.Menezes responds to Schneier (Tom St Denis)
Re: Combination of stream and block encryption techniques (Mok-Kong Shen)
Re: Beginners questions re-OTPs (Bill)
Re: NIST, AES at RSA conference (Timothy M. Metzinger)
("Autoposting!")
Re: Java's RSA implementation (Tim Tyler)
Re: NIST, AES at RSA conference (Serge Vaudenay)
Re: Predicting Graphs. (Paul Koning)
Re: Intel 810 chipset Random Number Generator (Paul Koning)
Re: What about the Satanic Seven??? (Paul Koning)
Re: Intel 810 chipset Random Number Generator ("Marty")
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: ECC vs RSA - A.J.Menezes responds to Schneier
Date: Thu, 20 Jan 2000 13:03:14 GMT
In article <865vmm$8es$[EMAIL PROTECTED]>,
Greg <[EMAIL PROTECTED]> wrote:
> Perhaps I leave myself open to a known attack of a well studied
> curve, but it seems to me that this is preferred to leaving oneself
> open to a weakness in a random curve. Does this make sense?
Sorry no comment.
> > > I could not see using a random prime.
> >
> > Again, why? Please tell us what you think is wrong with
> > randomly chosen primes.
>
> Well, I mentioned in another thread that I am not sold on primes
> that are so large that they are tested and then at some point
> simply assumed to be prime. Some have told me that this does not
> weaken the cryptosystem, but I have always wondered why that would
> be if the strength depended on primes to begin with.
Well, there are ways to make primes and test them. See Knuth Vol. 2 for
info on that. The problem is that spending an hour making a key is a bad
idea. If it takes 2 mins to verify a key is ok, that's not so shoddy.
> Again, I believe a well studied cryptosystem and all of its
> components are superior to anything randomly selected on the
> fly- the latter seems like a crap shoot. If anything is
> randomly selected, it should be just as equally capable
> of being a strong candidate as any other. With primes,
> you do not have this. With integers used for ECC private keys,
> you get exactly that- except in a few cases, like 0, 1, and n-1,
> which are too easy not to avoid.
Funny you say that, but even in symmetric ciphers round keys are made on
the fly. In RC5, for example, the key schedule has never been proven to be
strong, yet people trust it....
> IMHO, every cryptosystem today has its own small element
> of unknown. I simply have more confidence in one set of unknowns
> than I do in others. I really can't sleep at night knowing that
> my data is hanging from a crap shoot. It just does not work
> for me.
Umm... maybe smoothness will be defined for ecc? hehehe
> > > RSA relies on
> > > this approach since primes are not "studied" ahead of use.
> >
> > I can't understand what you are saying here. What does it mean to
> > "study" a prime? Also, what is the antecedent of the word "this"
> > in the phrase "this approach"?
>
> As I understand it, RSA randomly generates prime candidates
> to use for private keys. You cannot take a lot of time and
> a lot of people to study a pair of primes to ensure they are
> really primes like you can an elliptic curve, because to do
> so exposes the keys. But again, others would say that this
> is not important- that a number does not have to be a pure
> prime. If you could explain that to me, I would be all ears.
If you choose p and q, and say p actually is p = a * b, then your RSA
key will not work since
n = pq
phi(n) = phi(pq) = (p - 1) * (q - 1)
But the order of the group is not that.. it's actually
phi(n) = (a - 1) * (b - 1) * (q - 1)
But since p and q are random you can't be sure of either. Finally you
will find that the original definition of phi will not let you find a
decryption exponent.
So the chance that a) the candidate survives testing, b) works
flawlessly in RSA and c) is not prime, is very very very very slim...
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
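An added worked example, not part of Tom's or Greg's posts, of the point Tom makes above: a candidate that survived primality testing but is secretly composite does not give a quietly weak RSA key, it gives a key whose decryption exponent is wrong for almost every message, and a round-trip self-test at key-generation time catches that. The numbers are constructed toy values (1007 = 19 * 53 passed off as a prime, 1009 and 1013 as genuine primes, e = 65537); the Miller-Rabin routine is the standard textbook test, written here for the example rather than taken from any library.

```python
# Added example (not from the digest): RSA with a composite "prime", and the
# two checks that catch it. Toy-sized numbers so the effect is visible.
import random
from math import gcd

_rng = random.SystemRandom()


def miller_rabin(n, rounds=40):
    """Probabilistic primality test. A prime always passes; a composite
    survives all `rounds` independent random bases with probability at
    most 4**-rounds, which is the "assumed to be prime" step in the thread."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is definitely composite
    return True


def rsa_keypair(p, q, e=65537):
    """Textbook RSA key from the *claimed* primes p and q. phi is computed
    as (p-1)(q-1), which is only the right group order if p and q are
    genuinely prime; that is exactly where a composite candidate breaks things."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi")
    d = pow(e, -1, phi)
    return n, e, d


def roundtrip_failures(n, e, d, messages):
    """Count messages m with (m^e)^d != m mod n. For distinct genuine primes
    this is always 0; with a composite factor it is almost every message,
    because e*d is 1 modulo the wrong number."""
    return sum(1 for m in messages if pow(pow(m, e, n), d, n) != m)


def keygen_selftest(n, e, d, trials=16):
    """The check a key generator should run before emitting a key: encrypt
    and decrypt a handful of random values and refuse the key if any fails."""
    msgs = [_rng.randrange(2, n - 1) for _ in range(trials)]
    return roundtrip_failures(n, e, d, msgs) == 0


if __name__ == "__main__":
    good = rsa_keypair(1009, 1013)   # both genuinely prime
    bad = rsa_keypair(1007, 1013)    # 1007 = 19 * 53, passed off as prime
    msgs = range(2, 402)
    print("miller_rabin(1007):", miller_rabin(1007), " miller_rabin(1009):", miller_rabin(1009))
    print("genuine key, failures out of 400:", roundtrip_failures(*good, msgs))
    print("composite-factor key, failures out of 400:", roundtrip_failures(*bad, msgs))
    print("self-test: genuine", keygen_selftest(*good), " composite", keygen_selftest(*bad))
```

The composite candidate here is caught by trial division before Miller-Rabin even runs; for a larger composite that somehow passed 40 rounds, the round-trip self-test still fails it, since the decryption exponent was derived from the wrong group order. That is the practical answer to the worry about "assumed" primes: a false prime does not produce a usable-but-weak key, it produces a key that visibly does not work.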
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Combination of stream and block encryption techniques
Date: Thu, 20 Jan 2000 14:39:49 +0100
John Savard wrote:
>
> I don't see what else there might be to say. I'm glad to see
> "establishment" support for this idea, which is one that will allow
> more secure ciphers to be constructed which still execute in a
> reasonable amount of time.
>
> Block ciphers do have certain convenience advantages, even if they are
> somewhat illusory: it's still inconvenient to do something different
> from what you understand, even if it wouldn't _really_ be any harder
> if you took the time to investigate more closely.
The point worth repeating is that one need not keep a strict
distinction between stream and block ciphers, i.e. there is no sharp
boundary between these, and one can therefore do one's design from
a more 'unified' (hence rational) standpoint, making use of the
repertoire of techniques/experiences accumulated in the two
hitherto more or less separated subfields of cryptology. I am
glad too to see that this viewpoint has now received clear support
from the 'establishment'.
M. K. Shen
=============================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: [EMAIL PROTECTED] (Bill)
Subject: Re: Beginners questions re-OTPs
Date: Thu, 20 Jan 2000 15:41:12 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(John Savard) wrote:
>On Wed, 19 Jan 2000 12:11:25 GMT, [EMAIL PROTECTED] (Bill) wrote, in
>part:
>
>>I'm a total beginner and am interested in learning how to attack OTPs.
>>From what I have found on the net and Mr. Schneier's book there are three(?)
>>ways of attacking OTPs:
>>1. The method used to generate OTPs.
>>2. Statistical analysis of the cyphertext.
>>3. Brute force.
>
>If methods 1 or 2 work, it isn't an OTP. Method 3 cannot work, since
>"brute force" applied to an OTP key yields all possible messages of
>the length of the one intercepted.
>
>John Savard (teneerf <-)
>http://www.ecn.ab.ca/~jsavard/index.html
I agree if methods 1 & 2 work then it isn't a "true" OTP but my question was
what are methods 1 & 2.
I'll rephrase the question, If you have message(s) that were encrypted with a
"supposed" OTP what methodology/statistical analysis would be carried out to
try and break it?
All I can find on the net are debates about what a "true" OTP is and what
it isn't and what "randomness" really means. I can find no explanations of how
to go about breaking a "supposed" OTP.
For just about every other form of encryption, both "classical" and modern,
there are detailed descriptions on how to start attacking them.
(e.g. for the Vigenere cipher programs to break it and for modern
mathematically based encryption the method, among others, of "differential
cryptanalysis". )
Sorry if this is a silly question but as I said I am a newbie.
TIA
Bill
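An added example, not part of Bill's or John Savard's posts, of what "method 2" looks like in practice once "method 1" has gone wrong: a byte-frequency chi-square test on ciphertext whose pad came from a badly biased generator, and crib-dragging across two ciphertexts that were encrypted with the same pad. The plaintexts, the four-valued "bad pad" and the fixed reused pad are all constructed here for the example. A pad that is truly random, as long as the message and used once passes both checks, which is the sense in which a real OTP has nothing to attack.

```python
# Added example (not from the digest): two concrete analyses of ciphertext
# from a "supposed" one-time pad. All inputs are constructed below.
from collections import Counter

PRINTABLE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ,.'")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def chi_square_bytes(data):
    """Chi-square of the byte histogram against uniform (255 degrees of
    freedom). Ciphertext under a good pad scores around 255; about 310 is
    the 99th percentile, so a score far above that means the "pad" is
    structured enough to let the plaintext distribution show through."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def crib_drag(c1, c2, crib):
    """Pad reuse: c1 ^ c2 == p1 ^ p2, the pad cancels. XOR a guessed word
    (the crib) at every offset; wherever the guess matches one plaintext,
    the result is the other plaintext's bytes. Keep offsets that look like
    text; the analyst then extends the recovered fragment by hand."""
    diff = xor_bytes(c1, c2)
    found = {}
    for i in range(len(diff) - len(crib) + 1):
        frag = xor_bytes(diff[i:i + len(crib)], crib)
        if all(b in PRINTABLE for b in frag):
            found[i] = frag
    return found


def demo_bias():
    """Constructed bad pad: a broken generator that only ever emits 0..3."""
    text = b"the quick brown fox jumps over the lazy dog. " * 100
    bad_pad = bytes((i * 37) % 4 for i in range(len(text)))
    return chi_square_bytes(xor_bytes(text, bad_pad))


def demo_reuse():
    """Constructed pad reuse: the pad's quality is irrelevant, only its
    reuse matters, so a fixed stand-in pad is used here."""
    p1 = b"attack the fortress at dawn"
    p2 = b"retreat to the harbour now"
    pad = bytes((i * 73 + 17) & 0xFF for i in range(32))
    return crib_drag(xor_bytes(p1, pad), xor_bytes(p2, pad), b"the ")


if __name__ == "__main__":
    import secrets
    text = b"the quick brown fox jumps over the lazy dog. " * 100
    print("chi-square, good pad:  %.1f" % chi_square_bytes(xor_bytes(text, secrets.token_bytes(len(text)))))
    print("chi-square, biased pad: %.1f" % demo_bias())
    for offset, frag in sorted(demo_reuse().items()):
        print("offset %2d -> %r" % (offset, frag))
```

Offsets 7 and 11 are the interesting ones in the reuse demo: "the " sits at offset 7 of the first message and offset 11 of the second, so the drag recovers " to " from the second message and "fort" from the first. Other offsets may also produce printable junk; that is normal, and telling the real hits from false ones is the part that needs a human and a language model rather than a statistic.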
------------------------------
From: [EMAIL PROTECTED] (Timothy M. Metzinger)
Subject: Re: NIST, AES at RSA conference
Date: 20 Jan 2000 15:39:21 GMT
In article <866e6o$i0e$[EMAIL PROTECTED]>, Hammer <[EMAIL PROTECTED]> writes:
>Is the shortage of this talent really as acute as it seems?
>
>Thanks for any thoughts on this.
>
>hammer
I too saw the presentation. I don't think that they are begging for
cryptanalysis because they doubt the NSA's talents.
What really drives it (in my opinion) is NIST's desire to have AES be as widely
accepted a standard as possible.
By getting LOTS of folks with different backgrounds to analyze AES and give a
favorable opinion, they greatly enhance the chances of AES being widely
accepted.
Best Wishes
Timothy Metzinger
Commercial Pilot - ASEL - IA AOPA Project Pilot Mentor
DOD # 1854 '82 Virago 750 - "Siobhan"
Cessnas, Tampicos, Tobagos, and Trinidads at FDK
------------------------------
From: "Autoposting!" <[EMAIL PROTECTED]>
Subject:
Date: Thu, 20 Jan 2000 10:44:49 -0500
Free file encryption!
Ability to upgrade into your programs!
No royalties!
--
http://www.aasp.net/~speechfb
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Java's RSA implementation
Reply-To: [EMAIL PROTECTED]
Date: Thu, 20 Jan 2000 15:22:04 GMT
larry <[EMAIL PROTECTED]> wrote:
[Java big numbers]
: One big concern I have is that Java bignums (BigInteger objects) are
: "immutable". They can't be altered once created. If you do something
: like "A=A+1", a new object is created (with the new value of A), and
: the old object (with the old value of A) becomes garbage, but remains
: lying around in memory until the garbage collector decides to recycle
: it (i.e. until who knows when).
: So the problem is, private key material kept in BigIntegers can't be
: wiped out when no longer needed. [...]
I think I'd agree that this is a potential source of problems.
System.gc(); might help somewhat - but doesn't appear to be a real
solution.
AFAIK - even with ordinary Java integers - there's no concrete reason
to assume that "x = rnd.nextInt(); ... x = 0;" will destroy all references
to the initial random number in memory.
I doubt that such a guarantee is written into the specification of the VM,
anyway.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Married women make the best wives.
------------------------------
Date: Thu, 20 Jan 2000 16:49:24 +0100
From: Serge Vaudenay <[EMAIL PROTECTED]>
Subject: Re: NIST, AES at RSA conference
Hammer wrote:
> [...]
>
> In the end though, I got to thinking about the general shortage of
> cryptanalysis experts (implied or real). Then, if you figure some of
> the best cryptanalytic minds (arguably) are the submitters of the
> finalists... then the shortage of unbiased third party cryptanalysts
> is made more acute... no?
>
> One other thing I got to thinking about... if we are so short of
> cryptanalysts (which seems to be a major underlying theme of the elite
> here at the conference)... and, considering the bar for entry is so
> very high (Ph.d. required, plus)... what's gonna happen when Shamir,
> Rabin, Schneier (insert your favorite crypto experts name here) retire.
> Who's gonna run with the torch?? If everyone but those people are
> locked out (figuratively or actually) now... is the shortage of
> cryptanalytic talent just going to dry up?
>
> [...]
The AES process is the only standardization process where cryptanalysts
work for free. They get no honorarium and no publication. If you think
about previous "analysis" of the 10 rejected candidates, there are seldom
real significant attacks and most of them are indeed quite secure. The
security arguments are basically speculation on the security.
Actually, if an expert does not have any personal interest in AES, he
had better wait for the final standard before doing some substantial
work. In the meanwhile he can work for other standards.
--
=======================================================================
Professor Serge Vaudenay Add: EPFL/DSC/LASEC
CH-1015 Lausanne
Swiss Federal Institute of Technology (EPFL) Tel: +41-21-693-7696/7603
Communication Systems Department Fax: +41-21-693-4710
Security and Cryptography Laboratory
=======================================================================
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Predicting Graphs.
Date: Thu, 20 Jan 2000 10:49:59 -0500
[EMAIL PROTECTED] wrote:
>
> Is it possible to predict the course of a curved line graph with a
> computer? Could a computer simulate this graph up to numbers the size
> of 10^300?
Of course. If you give me N points, I can find an order N polynomial
that goes through all of them. That answer may have no meaning
at all, of course -- you may have used an entirely different function
to generate the N sample points you gave me.
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator
Date: Thu, 20 Jan 2000 10:59:07 -0500
Michael Kagalenko wrote:
>
> Paul Koning ([EMAIL PROTECTED]) wrote
> ]seifried wrote:
> ]> ...it really boils down to "do you trust an
> ]> american company to generate your random data?".
> ]
> ]It's not just american companies that have done sneaky
> ]things in this area... Crypto AG was Swiss, if memory serves.
> ]
> ]> ...
> ]> If you want a real hardware RNG you can verify there are simple ones
> ]> based of radio crystals/etc that plug into a serial or parallel port
> ]
> ]Crystals? Not likely. Resistors, noise diodes, Zener diodes, all
> ]those sound plausible, but crystals won't serve at all for this
> ]application.
>
> Yes, they will. Crystals have thermal noise.
Of course they do. But their signal to noise ratio is high.
If you're after noise, then you want a source that has a low
(preferably negative) signal to noise ratio. Crystals fail
that criterion by a very large margin, which is why no competent
designer uses them for this purpose.
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: What about the Satanic Seven???
Date: Thu, 20 Jan 2000 10:56:57 -0500
"John E. Kuslich" wrote:
>
> Will someone please explain to me how the new crypto regs apply to the
> situation when you have a strong crypto thingy you want to export from
> your web site and you have notified the Feds that you intend to export
> via a web site BUT
>
> you cannot export to Cuba, Iran etc.
>
> How do you stop those people in the seven bad nations from downloading
> your stuff??? Do you have to have your server attempt to filter this
> stuff?
The best way to answer that question is to read the new rules.
The answer is quite clear, surprisingly so. Hint: look at section
740.13(e)(2) and (e)(3).
> Is it not obvious to anyone with a brain (or even perhaps the people who
> write these regs) that people in the seven dirty nations can get
> whatever they want by well known means if it is otherwise available on
> the Internet?
Yes.
> What am I missing here? The emperor really has no clothes, right???
None to speak of. On the other hand, if someone in another country
(with no restrictions of its own) uses your open source code to create
a new product, then that new product is still not allowed to go to the
bad seven. So, in theory at least, it puts a barrier in the way of
their getting finished products.
> Is this not a terrible ambiguity in the regs???
I don't see an ambiguity. But read the regs yourself, carefully.
Don't just read the trade press discussions. Don't just read the
introductory material from the BXA that precedes the actual text --
read the actual text...
paul
------------------------------
Reply-To: "Marty" <[EMAIL PROTECTED]>
From: "Marty" <[EMAIL PROTECTED]>
Subject: Re: Intel 810 chipset Random Number Generator
Date: Thu, 20 Jan 2000 08:03:49 -0800
He probably meant crystals as used in "crystal radio", terminology dating to
Ge diode days.
While this does produce noise, amplified resistor thermal noise is good
enough.
One also has to minimize correlation and then use appropriate procedures
to increase entropy.
-Marty
Terry Ritter <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> On 20 Jan 2000 05:16:43 GMT, in <8665nr$6ro$[EMAIL PROTECTED]>, in
> sci.crypt [EMAIL PROTECTED] (Michael Kagalenko) wrote:
>
> >Paul Koning ([EMAIL PROTECTED]) wrote
> >]seifried wrote:
> >]> ...it really boils down to "do you trust an
> >]> american company to generate your random data?".
> >]
> >]It's not just american companies that have done sneaky
> >]things in this area... Crypto AG was Swiss, if memory serves.
> >]
> >]> ...
> >]> If you want a real hardware RNG you can verify there are simple ones
> >]> based of radio crystals/etc that plug into a serial or parallel port
> >]
> >]Crystals? Not likely. Resistors, noise diodes, Zener diodes, all
> >]those sound plausible, but crystals won't serve at all for this
> >]application.
> >
> > Yes, they will. Crystals have thermal noise.
>
> OK, so just how much thermal noise would one measure from a crystal,
> how would we measure it, and where can we find a published reference
> to back that up?
>
> At one time, crystal filters were used in fine communications
> receivers; such receivers are intimately involved with noise, and are
> compared in part by actual noise measurement. We can thus reasonably
> conclude that in communications receivers any noise which was added by
> a crystal filter was far below the modest signal levels involved.
>
> ---
> Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
> Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
>
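An added example, not part of Marty's or Paul Koning's posts, of the measurement and post-processing steps behind "minimize correlation and then use appropriate procedures to increase entropy": bias and lag-1 autocorrelation measured on a sampled noise source, von Neumann debiasing, and hash conditioning sized from a min-entropy estimate. Both sources are simulations seeded for repeatability (a biased but independent sampler, and an unbiased but sticky one), not readings from any real hardware; the 0.15 bit-per-sample figure used for the sticky source is the min-entropy rate of that simulated chain, -log2(0.9), and is an assumption of the example.

```python
# Added example (not from the digest): measuring and conditioning the output
# of a hardware noise sampler. Sources below are simulated and seeded.
import hashlib
import math
import random


def bias(bits):
    """Fraction of ones; 0.5 is unbiased."""
    return sum(bits) / len(bits)


def lag_autocorr(bits, lag=1):
    """Pearson correlation between the sequence and itself shifted by `lag`.
    Near 0 for independent samples. A large value means successive samples
    share information, so each carries well under one bit of entropy."""
    x, y = bits[:-lag], bits[lag:]
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = math.sqrt(sum((a - mx) ** 2 for a in x))
    vy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (vx * vy) if vx and vy else 0.0


def von_neumann(bits):
    """Debiasing: read bits in pairs, emit 0 for 01 and 1 for 10, drop 00 and
    11. Exactly unbiased when the input bits are independent, whatever the
    bias; does nothing about dependence between samples, and discards most
    of the input."""
    return [0 if a < b else 1 for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def condition(bits, min_entropy_per_bit, out_bits=256):
    """Conditioning: hash enough raw samples that their min-entropy covers the
    output size. Hashing never creates entropy; the estimate fed in here is
    the security-critical number and has to come from measuring the source."""
    per_block = math.ceil(out_bits / min_entropy_per_bit)
    blocks = []
    for i in range(0, len(bits) - per_block + 1, per_block):
        raw = bytes(bits[i:i + per_block])  # one byte per raw sample
        blocks.append(hashlib.sha256(raw).digest())
    return blocks


def biased_source(n, p_one=0.8, seed=1):
    """Simulated independent but biased sampler (a comparator threshold set
    off-centre on the amplified noise)."""
    r = random.Random(seed)
    return [1 if r.random() < p_one else 0 for _ in range(n)]


def correlated_source(n, p_stay=0.9, seed=2):
    """Simulated unbiased but sticky sampler: each sample repeats the previous
    one with probability p_stay (noise sampled faster than its bandwidth).
    Min-entropy rate of this chain is -log2(p_stay), about 0.15 bit/sample."""
    r = random.Random(seed)
    bits, cur = [], 0
    for _ in range(n):
        if r.random() >= p_stay:
            cur ^= 1
        bits.append(cur)
    return bits


if __name__ == "__main__":
    raw = biased_source(20000)
    vn = von_neumann(raw)
    print(f"biased source:      bias={bias(raw):.3f}  lag1={lag_autocorr(raw):+.3f}")
    print(f"after von Neumann:  bias={bias(vn):.3f}  kept {len(vn)} of {len(raw)} samples")
    sticky = correlated_source(20000)
    vn2 = von_neumann(sticky)
    print(f"sticky source:      bias={bias(sticky):.3f}  lag1={lag_autocorr(sticky):+.3f}")
    print(f"von Neumann on it:  bias={bias(vn2):.3f}  lag1={lag_autocorr(vn2):+.3f}  (dependence survives)")
    blocks = condition(sticky, -math.log2(0.9))
    print(f"conditioned output: {len(blocks)} x 256-bit blocks from {len(sticky)} samples")
```

The order of operations matters: measure first, then debias, then condition with a block size derived from the measured min-entropy. Von Neumann alone is enough for the first source and not for the second, which is why the correlation measurement comes before choosing a fix; and the conditioner's ratio of raw samples to output bits is where a too-optimistic entropy estimate turns into a predictable key.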
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************