Cryptography-Digest Digest #45, Volume #11        Thu, 3 Feb 00 16:13:02 EST

Contents:
  Re: Ciphers for Parallel Computers (Tim Tyler)
  Re: How to Annoy the NSA (Jerry Coffin)
  Re: Any information about CAST ? (Mike Rosing)
  Re: Sbox construction idea ([EMAIL PROTECTED])
  eCharge and eCash anonymous payment? (Jeff Thompson)
  Re: Court cases on DVD hacking is a problem for all of us (Jerry Coffin)
  Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP  (Eric Lee Green)
  Re: Weierstrass Normal Form (Arman Mimar)
  Re: Reversibly combining two bytes? (Michael Wojcik)
  Re: english word list (Mike McCarty)
  Re: Why did SkipJack fail? (Mike McCarty)
  Re: english word list (Keith A Monahan)
  Re: 26-Dimensional cipher - is it secure (or even possible)? (wtshaw)
  Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP  (Paul Koning)
  Re: "Trusted" CA - Oxymoron? (Sander Vesik)

----------------------------------------------------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Ciphers for Parallel Computers
Reply-To: [EMAIL PROTECTED]
Date: Thu, 3 Feb 2000 16:50:23 GMT

Anon <[EMAIL PROTECTED]> wrote:
: John Savard schrieb:

:> [you can do cryptology on a parallel computer with xoring many
:> functions which work in a feistel network].

: Far too complicated. Just use interlaced CBC mode so you can use
: any block cipher in parallel:

[snip]

: It is easy to see that the basic encryption step can be done
: in parallel for any number of processors. [...]

...or at least as many processors as the message can be divided into
blocks.

Allowing the encryption of each individual block to be performed
in parallel is /also/ desirable, in terms of speed, though.

Serial computations and iterated confusion operations are probably
important in providing strength - but there are still likely to be
parallelisable steps present when encrypting individual blocks.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Laugh and the whole world thinks you're an idiot.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: How to Annoy the NSA
Date: Thu, 3 Feb 2000 10:26:40 -0700

In article <87bat1$b52$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> ]Also note that nobody's figured out ANY way to use a quantum computer 
> ]to attack MANY (if not most) of the ciphers in use today.  Just for 
> ]example, if you could postulate that a quantum computer was available 
> ]and ready for use right now, it would make essentially NO difference 
> ]to the security of any of the AES finalist candidates.
> 
> Well, no. It would make a difference. The grover algorithm would reduce 
> exhaustive search to the equivalent of a key half the length. Ie, a 128
> bit key would be about as strong under Q comp as a 64 bit key under
> classical computation.

This is why I said "essentially no difference" -- all of them support 
a 256-bit key.  In theory a quantum computer reduces that to the 
equivalent of searching a 128-bit keyspace with a conventional 
computer.  As I said, this makes essentially no difference to the 
security of the algorithm because it's still FAR beyond anything we 
can contemplate doing. 

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Any information about CAST ?
Date: Thu, 03 Feb 2000 12:02:19 -0600

James wrote:
> 
> CAST is a royalty-free encryption algorithm for non-commercial uses. I'm interested
> in it and want more detailed information on it (design/implementation..).  Could
> anyone tell me where I can find information about CAST ? Thanks a lot.

http://www.entrust.com/resourcecenter/whitepapers.htm  Under "Technical
papers."

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Sbox construction idea
Date: Thu, 03 Feb 2000 18:36:47 GMT

In article <876kb3$bnc$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> In safer they use 45^x mod 257 for the sbox in the cipher, what if you
> created a 4x8 parallel set of sboxes [four side by side] with different
> bases?  So you end up with a 8x32 sbox?

Interesting idea.  What may make that effective is if you for the
equation g^x mod 257, both g and the initial x are key dependent.  A
simple example could be this:

Key = 23 34 98 19 05 234 117 63 (8 8-bit values)

Assuming C array element notation, you could use values 0, 2, 4, 6 for
the g's and values 1, 3, 5, 7 for the initial x's.  The resulting
equations would initially look like this:

23^34 mod 257
98^19 mod 257
5^234 mod 257
117^63 mod 257

For an 8x32 s-box, you could combine the values of each iteration for
each successive element in the s-box.  You may wish to do something to
the key before you do this.  The nice thing is that a single change to
any of the values changes every value in each s-box.

Now that I think about it, you would have to do something to the key
initially before s-box generation.  A single digit change (assuming
decimal) would not make a drastic change to the s-box during its
creation.  i.e. if in the last equation the exponent became 62, it would
only affect 8 bits of each s-box, probably the same 8 bits, and the
change is predictable.  One idea for this could be hashing the key to
ensure that a 1-bit change in the key radically changes the s-box
generation values.

Anyway, that's my thought.  I know it diverges from the other threads,
but it sounds like an interesting idea.  It's a nice, simple way to make
"random" s-boxes.

csybrandy

<snip>


Sent via Deja.com http://www.deja.com/
Before you buy.
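Trying the construction out in code, as an added example written for this digest and not code from the post: the g^x mod 257 table with key-dependent g and starting exponent, the four tables side by side as one 8x32 s-box, the rotation effect csybrandy describes when one exponent changes by 1, and one check the post does not raise, namely that g has to be a primitive root mod 257 or the table is not a bijection. SHA-256 as the key hash and the byte layout of the hashed key are assumptions; the post only says "hashing the key".

```python
"""Key-dependent exponentiation S-boxes modulo 257 (added example, not from the post)."""
import hashlib

P = 257  # prime; the multiplicative group mod 257 has order 256 = 2**8


def is_primitive_root(g: int) -> bool:
    """g generates the whole group iff g**128 != 1, and then g**128 == -1 == 256.

    Every element order divides 256 = 2**8, so 2 is the only prime to check.
    """
    return pow(g, 128, P) == P - 1


def exp_sbox(g: int, x0: int = 0) -> list[int]:
    """table[i] = g**(x0 + i) mod 257, with 256 folded to 0 (the SAFER convention).

    '% 256' leaves 1..255 unchanged and maps the single value 256 to 0.
    """
    return [pow(g, x0 + i, P) % 256 for i in range(256)]


def is_permutation(table: list[int]) -> bool:
    return sorted(table) == list(range(256))


def sboxes_from_raw_key(key: bytes) -> list[list[int]]:
    """The scheme exactly as sketched in the post: key bytes 0,2,4,6 are the
    bases g, bytes 1,3,5,7 the starting exponents x0, no preprocessing."""
    return [exp_sbox(key[2 * j], key[2 * j + 1]) for j in range(4)]


def sboxes_from_hashed_key(key: bytes) -> list[list[int]]:
    """The post's fix (hash the key first) plus a check it does not mention:
    a base that is not a primitive root mod 257 has order dividing 128 and only
    ever produces the 128 quadratic residues, so its table cannot be a bijection.
    Bases are drawn from the digest and stepped forward until a primitive root
    is hit (half of 1..256 are, so this terminates quickly)."""
    digest = hashlib.sha256(key).digest()  # SHA-256 is an assumption; the post just says "hash"
    boxes = []
    for j in range(4):
        g = digest[2 * j] + 1                # 1..256, never 0
        while not is_primitive_root(g):
            g = g % 256 + 1                  # cycle through 1..256
        boxes.append(exp_sbox(g, digest[2 * j + 1]))
    return boxes


def sbox_8x32(boxes: list[list[int]], x: int) -> int:
    """The four 8x8 tables placed side by side give one 8x32 S-box."""
    return (boxes[0][x] << 24) | (boxes[1][x] << 16) | (boxes[2][x] << 8) | boxes[3][x]


def rotated_by_one(g: int, x0: int) -> bool:
    """The post's own caveat: changing x0 by 1 does not scramble the table, it
    merely rotates it by one position, since g**(x0+1+i) == g**(x0+(i+1))."""
    t = exp_sbox(g, x0)
    return exp_sbox(g, x0 + 1) == t[1:] + t[:1]
```

With the key bytes given in the post, only the third base (5) is a primitive root mod 257, so only one of the four raw tables is a permutation; the hashed variant forces all four to be.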

------------------------------

From: Jeff Thompson <[EMAIL PROTECTED]>
Subject: eCharge and eCash anonymous payment?
Date: Thu, 03 Feb 2000 11:03:03 -0800

I saw a news article on CNN:
http://cnn.com/2000/TECH/computing/02/03/pay.online.options.idg/index.html
which says eCharge.com will offer "untraceable" electronic payments.

Does anyone know about this and how it relates to the anonymous eCash
payment of David Chaum?

- Jeff

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: Thu, 3 Feb 2000 12:21:17 -0700

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...

[ ... ] 

> When encryption is used to protect copyrighted material, that
> encryption itself, if not already protected under the law, *should* be
> protected under the law.

Why?  The copyright already protects the material.  What's the point 
of protecting the encryption?

> I am not a lawyer, and so, I will not argue
> the finer points of copyright law. However, I will say the following:
> this is a case in which a proprietary copyright system designed to
> protect intellectual property was stolen from its rightful owners via
> reverse engineering, and published publicly.

Nothing was stolen.  THEY published the algorithm to start with.  
Others have since published the algorithm in a more understandable 
form.  If they wanted to prevent others from implementing the 
algorithm, they were welcome to apply for a patent on it.  The 
problem, of course, is that a patent has specific limitations to 
maintain some semblance of fairness to the consumer.

> When you buy a DVD, you
> are buying the right to play it in your home privately, and there are
> very specific limitations to what you can do (which are spelled out in
> the warning screen each time you play it).

Partly true: there are limitations, but they're spelled out in the 
law, not the warning screen.  The warning screen you see may or may 
not accurately reflect the law.

> You may not play it
> publicly for profit, you may not license it to others for public or
> private viewing ( there are some exceptions for the video rental
> industry which I won't get into here), and you certainly do not have
> the right to openly publish the code that was designed to prevent the
> theft of the contents of that DVD.

Of course making copies of a DVD is illegal, just like making copies 
of a book is illegal.  This has NOTHING to do with that: if you want 
to copy a DVD, you can do that perfectly well without breaking the 
encryption.

You don't have a right to publish the code they used to encrypt the 
DVD either: that's equally protected under copyright law.

Copyright law does NOT, however, protect the plot-line of a book or 
the algorithm implemented in code.  If the people involved have 
actually copied the code from a DVD and published it, then they're 
breaking the copyright, and nothing new or special needs to be done.

At least as I understand things, that's not the case though: only the 
algorithm embodied in the code has been published.  I can legally tell 
you what the code does, just like I can legally write a book review 
that tells you the plot of a story.
 
> Come on folks, surely I am not the only encryption buff in this
> newsgroup that can see that publishing a private encryption algorithm
> designed to protect intellectual property from theft is, at the very
> least, *wrong* if not legally prohibited?

I think you are the only one that "sees" this.  In this case, I think the 
rest of us are simply seeing a bit more clearly than you are.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP 
Date: Thu, 03 Feb 2000 12:22:24 -0700

Guy Macon wrote:
> In article <87bisi$b7e$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (H. Peter Anvin) wrote:
> >Most public key cryptosystems don't have a dense keyspace.  You have
> >to "densify" the keyspace before making comparisons.  In the case of
> >cryptosystems using primes, there is a formula for the prime density
> >that you can apply.
> 
> How would I figure out density of the keyspace for ciphersaber (RC4)?

I assume you'd use the same formula that you use for any density calculation:

    items/volume

That is, given a volume of a space, and the number of items within that space,
you divide the # of items by the volume to find the items-per-unit-volume
ratio. 

In the case of most block and stream ciphers (such as RC4), the volume of
integer field 0...2^keysize, is 2^keysize, and the items (keys) within that
volume would be, well, every integer is a valid key, so there would be
2^keysize items within that volume. Thus the density is 2^keysize/2^keysize =
1. 

On the other hand, the volume of integer field 0...2^keysize for RSA would be
2^keysize, but the number of items (possible keys) within that volume would be
some smaller number. I haven't the foggiest notion how many keys would be
within that volume (somebody else already posted it though), but you divide
#keys/2^keysize to find the density of the keyspace. 

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

From: [EMAIL PROTECTED] (Arman Mimar)
Crossposted-To: sci.math,sci.crypt.research
Subject: Re: Weierstrass Normal Form
Date: 3 Feb 2000 11:28:35 -0800

In article <86i7db$84a$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
<
< Given the cubic u^3 + v^3 = a, where a is a rational number, how does
< one find rational functions, x(u,v) and y(u,v) that will lead to a
< Weierstrass equation?
<
< I know the values of the functions:
< x(u,v)=12*a/(u + v)
< y(u,v)=36*a*(u - v)/(u + v).
<
< I'm looking for an algebraic method for finding these functions.
<
< Laura
<
Laura you already have the answer in your hands
since: y^2 = x^3 - 432 a^2
with the functions x and y you defined
I hope it helps
Arman
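Checking Arman's claim by direct substitution, as an added derivation that is not part of the original post; write $s = u + v$ and $d = u - v$:

```latex
u = \tfrac{s+d}{2},\quad v = \tfrac{s-d}{2}
\quad\Longrightarrow\quad
u^2 - uv + v^2 = \frac{s^2 + 3d^2}{4},
\qquad
a = u^3 + v^3 = (u+v)(u^2 - uv + v^2) = \frac{s\,(s^2 + 3d^2)}{4},
```

so $d^2 = \dfrac{4a - s^3}{3s}$. With $x = \dfrac{12a}{s}$ and $y = \dfrac{36a\,d}{s}$ this gives

```latex
y^2 = \frac{1296\,a^2 d^2}{s^2}
    = \frac{1296\,a^2}{s^2}\cdot\frac{4a - s^3}{3s}
    = \frac{1728\,a^3}{s^3} - 432\,a^2
    = \left(\frac{12a}{s}\right)^3 - 432\,a^2
    = x^3 - 432\,a^2 .
```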
------------------------------

From: [EMAIL PROTECTED] (Michael Wojcik)
Crossposted-To: sci.crypt.research
Subject: Re: Reversibly combining two bytes?
Date: 3 Feb 2000 11:35:11 -0800

[Followups set to sci.crypt.]

In article <86quud$24d$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Nick Maclaren) writes:
> In article <[EMAIL PROTECTED]>,
> Alan Lawrence  <[EMAIL PROTECTED]> wrote:
> >[re generating latin squares]

> >Secondly, Terry Ritter's glossary <http://www.io.com/~ritter/GLOSSARY.HTM>
> >states that a balanced Latin Square has "massive internal state".

> The converse of having "massive internal state" is that Latin squares
> have very few degrees of freedom.  Once you have settled only a few
> of their numbers, the rest can be arranged only one way (if at all.)
> Some care is needed to avoid getting into an impossible situation!

True - but the proposed method (generating a square as a random
permutation of the rotations of a random permutation, then randomly
swapping rows and/or columns) will always generate a valid square.
Whether that square is "strong" (are all squares equally strong, or
are some, say, easier to reconstruct from cyphertext?) is another
question.  And of course the quality of the shuffling algorithm and
the PRNG used to produce the permutations is a potential problem.

Actually, there's a keying issue there, I suppose.  I was assuming
key material (probably following some kind of expansion schedule)
would be used with plaintext to index entries in the square.  Would
the key also be used in producing the square itself (say by seeding
the PRNG)?  Might this leak information about the key, particularly
in chosen-plaintext attacks?
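The construction discussed above, as an added example that is not code from the thread: a Latin square built as a random permutation of the rotations of a random permutation with rows and columns then reordered, a validity check, and a combiner that uses a key byte as the row index so that the plaintext byte can be recovered from the output. Python's `random.Random` stands in for the PRNG only so the run is reproducible; it is not a cryptographic generator, which is exactly the quality concern the post raises.

```python
"""Latin-square combiner for two bytes (added example, not from the thread)."""
import random


def latin_square(n: int, rng: random.Random) -> list[list[int]]:
    """Build an n x n Latin square by the method discussed in the thread:
    take a random permutation, form its n cyclic rotations (already a Latin
    square), then reorder the rows and the columns at random.  Each step
    preserves the Latin property, so the result is always a valid square."""
    base = list(range(n))
    rng.shuffle(base)                                   # random permutation of the symbols
    rows = [base[i:] + base[:i] for i in range(n)]      # its n rotations
    rng.shuffle(rows)                                   # random reordering of the rows
    cols = list(range(n))
    rng.shuffle(cols)                                   # random reordering of the columns
    return [[row[c] for c in cols] for row in rows]


def build_square(n: int, seed: int) -> list[list[int]]:
    """random.Random is a non-cryptographic PRNG, used here only for reproducibility."""
    return latin_square(n, random.Random(seed))


def is_latin(square: list[list[int]]) -> bool:
    """Every row and every column must contain each symbol exactly once."""
    n = len(square)
    symbols = set(range(n))
    rows_ok = all(set(row) == symbols for row in square)
    cols_ok = all({square[r][c] for r in range(n)} == symbols for c in range(n))
    return rows_ok and cols_ok


class LatinCombiner:
    """Reversibly combines a key byte k with a plaintext byte p as c = L[k][p].

    Row k is a permutation, so once k is known c determines p uniquely; inv[k]
    holds that inverse so decryption is a table lookup too."""

    def __init__(self, square: list[list[int]]):
        if not is_latin(square):
            raise ValueError("not a Latin square")
        self.square = square
        n = len(square)
        self.inv = [[0] * n for _ in range(n)]
        for k, row in enumerate(square):
            for p, c in enumerate(row):
                self.inv[k][c] = p

    def combine(self, k: int, p: int) -> int:
        return self.square[k][p]

    def uncombine(self, k: int, c: int) -> int:
        return self.inv[k][c]


def roundtrip_ok(combiner: LatinCombiner, n: int = 256) -> bool:
    """uncombine(k, combine(k, p)) == p must hold for every key/plaintext pair."""
    return all(combiner.uncombine(k, combiner.combine(k, p)) == p
               for k in range(n) for p in range(n))
```

Whether the key should also seed the square's construction, as the post asks, is a separate design decision; this example keeps the two apart and only uses the key as the row index.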

------------------------------

From: [EMAIL PROTECTED] (Mike McCarty)
Subject: Re: english word list
Date: 3 Feb 2000 19:35:35 GMT

In article <[EMAIL PROTECTED]>,
JPeschel <[EMAIL PROTECTED]> wrote:
)[EMAIL PROTECTED]  (Keith A Monahan) writes:
)
)>If someone would be so kind as to post a link or two of where I can find
)>LARGE english language word lists, it would be appreciated.
)
)Try AccessData's site:
)http://www.accessdata.com

My DNS cannot translate that site. Are you sure it is correct?
-- 
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I don't speak for Alcatel      <- They make me say that.

------------------------------

From: [EMAIL PROTECTED] (Mike McCarty)
Subject: Re: Why did SkipJack fail?
Date: 3 Feb 2000 19:24:19 GMT

In article <[EMAIL PROTECTED]>,
Uri Blumenthal  <[EMAIL PROTECTED]> wrote:
)"Douglas A. Gwyn" wrote:
)> You missed the "bought more cheaply" part.  I'm pretty sure
)> that for less than $200,000,000.00 one could bribe enough bank
)> officers to accomplish the same effect.
)
)Sure, but would that be a one-time deal, or would those
)officers require fresh "cash infusions" every time a
)new message must be decoded?

The point is that one could obtain the key through bribery
more cheaply than through cracking.

)Walker's net $1M for 1M of messages deal wasn't that common, was it?
)-- 
)Regards,
)Uri           [EMAIL PROTECTED]
)-=-=-==-=-=-
)<Disclaimer>


-- 
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I don't speak for Alcatel      <- They make me say that.

------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: english word list
Date: 3 Feb 2000 20:45:29 GMT

Mike,

: )http://www.accessdata.com

: My DNS cannot translate that site. Are you sure it is correct?

I went to the site originally when it was posted and it was fine -- perhaps
the DNS is down.  I tried 3 different DNSs, all failed to translate
at 3:30pm Thursday 2/3/00.

looks like www.accessdata.com is serviced by NS1.secure.net as the
primary DNS.  NS1.secure.net == 192.41.1.10

I used NS1 as my primary server, and their server DID translate correctly,
www.accessdata.com translated to 192.41.5.22

Looks like it is a DNS propagation problem.

Try http://192.41.5.22

Keith

: -- 
: ----
: char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
: This message made from 100% recycled bits.
: I don't speak for Alcatel      <- They make me say that.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: 26-Dimensional cipher - is it secure (or even possible)?
Date: Thu, 03 Feb 2000 14:05:31 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (James Barlow) wrote:

> In article <86nuja$39r$[EMAIL PROTECTED]>, 
> [EMAIL PROTECTED] says...
> 
>  
> > I have an idea for a code whereby each set of 26 letters is enciphered
> > differently (i.e. you encipher each 26-graph). To do this you would
> > need a (virtual) 26-dimensional grid of numbers. Of course, there are a
> > huge number of keys, because you can change not only the numbers inside
> > the grid, but also all of the letters along the edges.
> 
>....I don't grok how you get from 
> a plaintext block to a 26-dimensional index to a grid cell.
> 
> Or am I getting the wrong end of the stick? Anything beyond four 
> dimensions gives me a headache.

Multidimensional space is useful, but seems to confound those that work
only with one or two dimensions.  Read 1,2,3, Infinity for help.

There is a danger in knowing some things so well that you seem to see your
pet ideas in anything that has similarities, like clinging to anyone you
see after being lost in the desert for days. But, one of my versions of
the GVA does its thing in nine dimensions, can be more, can be less.  The
allusions to the edge as important do grok to the pathcode as a means to
harness the beast.

Let me remind those skeptics that anyone can have a shot at
multidimensional algorithms if you are willing to leave the comforts that
wandering about in three, and doing algorithms in one or two gives you.
-- 
A big-endian and a little-endian have been spotted sitting at a
campfire nibbling on bytes and pointing at each other as they
argued about who got hit with the most errors.

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP 
Date: Thu, 03 Feb 2000 15:41:54 -0500

"H. Peter Anvin" wrote:
> 
> Most public key cryptosystems don't have a dense keyspace.  You have
> to "densify" the keyspace before making comparisons.  In the case of
> cryptosystems using primes, there is a formula for the prime density
> that you can apply.

True, the density of primes around n is 1/ln(n), per Gauss.  That's
pretty dense.

That isn't the main explanation for why public key systems need
long keys.  The main reason is that the best attacks on those systems
are vastly more efficient than brute force search.

        paul

------------------------------

From: Sander Vesik <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Date: 3 Feb 2000 21:00:10 GMT

In sci.crypt Brian Hetrick <[EMAIL PROTECTED]> wrote:

[snip]

> [Disclaimer: I am a Thawte "notary," and so arguably am not entirely
> impartial in this issue.]

[snip]

> What the Thawte web of trust does do, however, is establish a chain of
> liability.  Thawte issues a certificate based on the word of notaries
> whose identities are known.  The notaries agree to keep copies of the
> identity documents they used in establishing identities for five
> years.  Suppose Thawte issues a certificate that is eventually shown
> to be for a false identity.  Thawte calls in the notaries who attested
> to the identity: either they can pull out copies of documents, or they
> cannot.  If the notaries can produce copies of documents, then (i)

Note that this is not what the example claimed. In the claimed case, the
identities of the *notaries* were assumed to be falsified.

Assuming Thawte requires k certifications for you to become a Thawte
notary. Get k+2 false ids (or have k+1 co-conspirators with false ids).
Have them all get a cert from one independent, unknowing Thawte notary.

Now have them all certify each other, by which we get a circle of fake
thawte notaries, who can create a fake, free-floating thawte notary who
can not be directly linked via any real person or id. Have the
co-conspirators throw away their fake id-s and take off their false
beards/wigs. 

The trust has been broken, arbitrary certified ids (indeed, if you repeat
it one more time over, arbitrary ids signed by k+1 fake, unlinkable 
notaries can be created). 

[snip]

> Could a group of co-conspirators cause Thawte to certify a false
> identity?  Yes.  Could they do so without exposing themselves to
> liability?  No.  I suspect it would be substantially easier to falsify

Yes. See above how to get a valid but fully fake and "unlinkable" Thawte
notary.

> more traditional identity proofs -- which, under any CA scheme, could
> then be used to generate credentials.

Right. Still, see above, which was the whole point.

It is harder to get a valid but fully fake and unlinkable certificate as
a notary, that is Thawte is weaker than 'The real thing'.

-- 
        Sander

        There is no love, no good, no happiness and no future -
        these are all just illusions.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************