Cryptography-Digest Digest #149, Volume #11      Fri, 18 Feb 00 09:13:02 EST

Contents:
  Re: UK publishes 'impossible' decryption law ("ink")
  Re: RSA Speed (Hagen Ploog)
  Re: Method to break triple-DES (Jonathan Thornburg)
  Re: Method to break triple-DES (Jonathan Thornburg)
  Re: UK publishes 'impossible' decryption law (Gordon Walker)
  Re: NSA Linux and the GPL (Paul Crowley)
  Re: NSA Linux and the GPL (Paul Crowley)
  Re: Does the NSA have ALL Possible PGP keys? (Paul Crowley)
  Re: multi-precision integer C library (Tom St Denis)
  Re: VB & Crypto ("Paul Bais")
  Re: code still unbroken (Geoff Lane)
  Re: NIST, AES at RSA conference (Bo Dömstedt)
  Re: Period of cycles in OFB mode (Tim Tyler)
  Re: UK publishes 'impossible' decryption law ("Garry Smith")
  Re: Question about OTPs (Tim Tyler)
  Re: Q: SAC2000? (Mike Just)
  Re: Q: SAC2000? (Mike Just)
  Re: Q: SAC2000? (Mike Just)
  Re: VB & Crypto (Mike Just)
  Re: UK publishes 'impossible' decryption law (Richard Herring)

----------------------------------------------------------------------------

From: "ink" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: Fri, 18 Feb 2000 11:16:17 +0100


[EMAIL PROTECTED] wrote in message
<[EMAIL PROTECTED]>...

>Any firearm can be used as a weapon. The US govt considers crypto to be
>dangerous enough that it is classified as a "munition". What does that tell you?

Hardly any other government has done that. What does that tell you?

ink

-- IMHO: In my hog-fucking opinion
(alt.tasteless FAQ)



------------------------------

Date: Fri, 18 Feb 2000 11:48:30 +0100
From: Hagen Ploog <[EMAIL PROTECTED]>
Subject: Re: RSA Speed



Erik wrote:
> 
> I wrote a program to do RSA with a 1100 bit modulus.  I use 65537 for
> the public key exponent, and the private key exponent is, of course,
> near 1100 bits.  It works, and encrypting with the public key takes
> about a quarter of a second, but decrypting with the private key takes
> 43 seconds on a 400 MHz Pentium.  Does this seem right?
> 
> Erik


look at
http://security.ece.orst.edu/theses/97acar.pdf
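
As an added illustration of Erik's numbers (example code, not from the thread or the cited thesis): with e = 65537 the public exponentiation needs only 17 squarings and 2 multiplications, while the private exponent is as long as the modulus, and splitting the private operation over the two primes (the CRT trick) roughly quarters the work. The key below is a constructed toy built from two Mersenne primes, and the cost model (one modular multiplication costs bit-length squared) is an assumption.

```python
# Constructed toy key from two known Mersenne primes (far too small for real use;
# a 1100-bit modulus would use ~550-bit primes, but the arithmetic is identical).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # modular inverse, Python 3.8+

def modexp_counted(base: int, exp: int, mod: int):
    """Left-to-right square-and-multiply.  Returns (result, squarings, multiplies):
    one squaring per bit of exp and one multiply per set bit, so a 17-bit e costs
    about 19 modular operations while an ~1100-bit d costs well over a thousand."""
    result, squarings, multiplies = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        squarings += 1
        if bit == "1":
            result = result * base % mod
            multiplies += 1
    return result, squarings, multiplies

def weighted_cost(ops: int, mod: int) -> int:
    """Assumed cost model: schoolbook modular multiplication is quadratic in the
    operand size, so charge ops * bits^2."""
    return ops * mod.bit_length() ** 2

def decrypt_plain(c: int):
    m, s, u = modexp_counted(c, D, N)
    return m, weighted_cost(s + u, N)

def decrypt_crt(c: int):
    """Exponentiate modulo P and Q separately with half-size exponents, then
    recombine with Garner's formula; each half-size operation costs ~1/4."""
    dp, dq, qinv = D % (P - 1), D % (Q - 1), pow(Q, -1, P)
    m1, s1, u1 = modexp_counted(c % P, dp, P)
    m2, s2, u2 = modexp_counted(c % Q, dq, Q)
    h = (qinv * (m1 - m2)) % P
    m = m2 + h * Q
    return m, weighted_cost(s1 + u1, P) + weighted_cost(s2 + u2, Q)

def compare(m: int) -> dict:
    """Encrypt m, decrypt both ways, and report the cost estimates."""
    c, s, u = modexp_counted(m, E, N)
    m_plain, cost_plain = decrypt_plain(c)
    m_crt, cost_crt = decrypt_crt(c)
    assert m_plain == m_crt == m
    public_cost = weighted_cost(s + u, N)
    return {"public_ops": s + u, "public_cost": public_cost,
            "private_cost": cost_plain, "crt_cost": cost_crt,
            "private_over_public": cost_plain / public_cost,
            "private_over_crt": cost_plain / cost_crt}

# Constructed sample plaintext (208 bits, so it is below the 216-bit modulus).
SAMPLE = int.from_bytes(b"constructed sample message", "big")
```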

------------------------------

From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: Method to break triple-DES
Date: 18 Feb 2000 12:41:43 +0100

In article <88hlt8$m76$[EMAIL PROTECTED]>,
Mickey McInnis <[EMAIL PROTECTED]> wrote:
>Actually, I've heard that there was a paper published recently showing
>a potentially practical attack on Triple DES that's considerably less
>effort than standard key exhaustion against a 112 bit (2xDES) key.
>It's some sort of meet-in-the middle attack, and was not too many times
>more trials than regular DES by key exhaustion.

Well, sort of, but there are some interesting tricks played to make
time-vs-memory tradeoffs.  The attack is not "practical", in the sense
of "performable in reasonable time with less than US$trillions of hardware",
but it's theoretically interesting.  See

        Stefan Lucks,
        "Attacking Triple Encryption,"
        Fast Software Encryption '98, Volume 1372 of Lecture Notes in
        Computer Science (S. Vaudenay, ed.), Springer-Verlag, 1998.
        http://th.informatik.uni-mannheim.de/m/lucks/papers.html 

for all the details.

-- 
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   http://www.thp.univie.ac.at/~jthorn/home.html
   Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
   Q: Which countries have the death penalty for children?
   A: Iran, Nigeria, Pakistan, Saudi Arabia, and United States

------------------------------

From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: Method to break triple-DES
Date: 18 Feb 2000 12:47:10 +0100

In article <88jb5n$82u$[EMAIL PROTECTED]>,
I (Jonathan Thornburg <[EMAIL PROTECTED]>) wrote:
[[Lucks' 3DES attack]] is not "practical", in the sense
>of "performable in reasonable time with less than US$trillions of hardware",
>but it's theoretically interesting.  See
>
>       Stefan Lucks,
>       "Attacking Triple Encryption,"
>       Fast Software Encryption '98, Volume 1372 of Lecture Notes in
>       Computer Science (S. Vaudenay, ed.), Springer-Verlag, 1998.
>       http://th.informatik.uni-mannheim.de/m/lucks/papers.html 
>
>for all the details.

Just to provide a little more information, Lucks' web page summarizes
some of the key results as
   about $2^{108}$ steps of computation are sufficient to break
   three-key triple DES. If one concentrates on the number of single DES
   operations and assumes the other operations to be much faster, $2^{90}$
   of these are enough.

For comparison, exhaustive search of (single) DES takes an average
of 2^55 DES operations, so we're looking at attacks which are on the
order of 3e10 times more expensive than (single) DES exhaustive search.
The memory requirements of the 3DES attacks are also slightly gargantuan...

-- 
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   http://www.thp.univie.ac.at/~jthorn/home.html
   Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
   "There are no significant bugs in our released software that any
    significant number of users want fixed." - Bill Gates, 23 Oct 1995

------------------------------

From: [EMAIL PROTECTED] (Gordon Walker)
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: Fri, 18 Feb 2000 12:34:52 GMT

On Thu, 17 Feb 2000 21:57:55 GMT, zapzing <[EMAIL PROTECTED]> wrote:

>Obviously there is a lot I don't know about English law.
>I thought you did not *have* the right to remain silent
>in England.

You have the right to remain silent. However, the courts now have a
right to rely on inferences drawn from your silence.
-- 
Gordon Walker

------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: NSA Linux and the GPL
Date: 18 Feb 2000 08:10:13 -0000

"Adam Durana" <[EMAIL PROTECTED]> writes:

> > "Personally, I don't know if the Linux license allows the NSA to
> > make a secure version of the operating system if they are not going to
> > freely distribute the results."
> 
> The bigger question is why is the NSA wasting their time with Linux?  If I
> were them I would work on something like OpenBSD, or maybe FreeBSD since
> OpenBSD is based in Canada.  I guess the NSA is just being trendy.

I see little to be gained in a Linux-vs-xBSD flamewar.  Both are
marvellous operating systems and it's good we have them.  It's
certainly not on topic for this newsgroup.
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\

------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: NSA Linux and the GPL
Date: 18 Feb 2000 08:11:41 -0000

[EMAIL PROTECTED] (John Savard) writes:

> In the latest CRYPTO-GRAM, Bruce Schneier asked:
> 
> "Personally, I don't know if the Linux license allows the NSA to 
> make a secure version of the operating system if they are not going to
> freely distribute the results."

I understand that the modified kernel will be made freely available
under the GPL.  So there's no need for concern here.
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\

------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: 18 Feb 2000 08:23:43 -0000

David Hopwood <[EMAIL PROTECTED]> writes:
> 
> OTOH, AFAIK no existing secure cryptosystem is based on an NP-hard problem.

David says "secure" here because lots of insecure cryptosystems are
based around NP-complete problems!  They were broken not because the
NP-complete problem was solved but because it turned out you could
break the system without making a general solution to the problem.

So even allowing the assumption that P!=NP, creating a cryptosystem
with provably superpolynomial time-to-break is an unsolved problem a
lot of people would like to solve!

A curious thing I've noticed: there aren't very many problems left in
NP that haven't been classified either as P or as NP-complete,
according to my complexity lecturer.  But the ones there are keep
being useful in crypto!  Examples include graph isomorphism (thought
to be in P unfortunately) and, of course, factorisation.  What's the
good property these problems have that no NP-complete problem has?
Why is this property incompatible with NP-completeness?
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: multi-precision integer C library
Date: Fri, 18 Feb 2000 12:44:45 GMT

In article <[EMAIL PROTECTED]>,
  "BBC-Igor" <[EMAIL PROTECTED]> wrote:
> Can anyone point me in the right direction of a well-documented
> multi-precision integer arithmetic C library?
>

Take a look at

ftp://linguist.dartmouth.edu/pub/src/mpi.tar.gz

It's very good.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Paul Bais" <[EMAIL PROTECTED]>
Subject: Re: VB & Crypto
Date: Fri, 18 Feb 2000 13:39:36 +0100

Hi
I'm looking for a crypt() function in VB as well. In fact, I want to encrypt
user passwords for use on unix machines. Does anyone have the source in C or
VB?

I'm not going to store and check the passwords in some VB program; I'm just
going to let my database frontend do the encryption before the passwords are
stored, speed is not an issue since encryption will only occur when a new
account is created or a password is changed.

Thanks,
Paul




------------------------------

From: [EMAIL PROTECTED] (Geoff Lane)
Subject: Re: code still unbroken
Date: 18 Feb 2000 12:55:10 GMT

> Chuck Davis wrote:
> 
>> Most of the correspondence I get from cryptanalysis folk about the code I
>> devised at discovervancouver.com sneers at its triviality. 

Perhaps nobody cares?  
Perhaps nobody has the patience to wait for the discovervancouver.com 
        page to download.
Perhaps nobody can stop laughing at the Y2K bug the page still displays
        (Saturday, February 19, 100 indeed!)

-- 
Geoff. Lane.   |

In case of fire, yell FIRE!

------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Subject: Re: NIST, AES at RSA conference
Reply-To: [EMAIL PROTECTED]
Date: Fri, 18 Feb 2000 13:00:40 GMT

[EMAIL PROTECTED] (John Savard) wrote:
>You will note that, unless it reverses the good encryption in the
>first step, it will _have_ to expand the input in order to have room
>to add redundancy.
>
>John Savard (jsavard<at>ecn<dot>ab<dot>ca)
>http://www.ecn.ab.ca/~jsavard/crypto.htm

Yes, I understand that. 

Well, NIST has published a long list of statistical tests. 
According to your opinion, is it clear, obvious, and scientifically
well established, for each of these individual statistical tests, 
how to apply a cryptanalytic method when a (AES-) cipher 
fails the test in question?

Suppose two ciphers A and B are compared, and A fails statistical
test Xn. When subject to a massive cryptanalysis effort, is it 
obvious that A is weaker than B? Or is B weaker than A?

Could everyone reading this please give their opinions !

Bo Dömstedt
Chief Cryptographer
Protego Information AB
http://www.protego.se


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Period of cycles in OFB mode
Reply-To: [EMAIL PROTECTED]
Date: Fri, 18 Feb 2000 13:02:15 GMT

Recently, I, Tim Tyler <[EMAIL PROTECTED]> wrote:

: The method appears to guarantee high period, offer whatever security is
: associated with the block cypher, and avoids the birthday-like issue
: associated with setting initial state using some type of counter. [...]

Having written this, I've noticed that there is still *some* remaining
irregularity that appears at about the square root of the guaranteed cycle
size.

For the sake of concreteness, I'll assume a 64 bit block size and counter
size.

Somewhere around 2^32 blocks, a block is likely to recur.  The attacker can
then make a positive statement about the next block: namely that it is not
the same as the block that followed the current block on any of the
previous times it occurred.

Of course this is much, *much* better than the attacker being able to
make such a statement after *every* block, and being able to guarantee
that not a single one of the blocks so far is going to come up again -
but still seems slightly short of perfection.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Fatal error.  You're dead.
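
An added simulation (not from the thread) of the square-root effect described above, scaled down to 16-bit blocks so it runs in a moment. The state is assumed to be a counter plus the previous block, with the next block computed by a keyed toy function of both; that is only a stand-in for the method under discussion, not the method itself. With this construction the first repeated output block is expected near sqrt(pi/2 * 2^16), about 321, the analogue of the 2^32 figure for 64-bit blocks.

```python
import hashlib
import math

BLOCK_BITS = 16                  # toy stand-in for the 64-bit block in the post
BLOCK_BYTES = BLOCK_BITS // 8

def toy_cipher(key: bytes, data: bytes) -> int:
    """Keyed pseudo-random function standing in for the block cipher (assumption)."""
    digest = hashlib.blake2b(data, key=key, digest_size=BLOCK_BYTES).digest()
    return int.from_bytes(digest, "big")

def keystream(key: bytes, iv: int, limit: int):
    """Assumed construction: state = (counter, block), block_{i+1} = F_k(counter_i || block_i).
    The state is wider than one output block, so the sequence cannot close into a
    short cycle before the counter wraps, yet a single output block can still repeat."""
    block = iv
    for ctr in range(limit):
        yield block
        block = toy_cipher(key, ctr.to_bytes(8, "big") + block.to_bytes(BLOCK_BYTES, "big"))

def first_repeat(key: bytes, iv: int, limit: int):
    """(index of the first output block seen before, index of its earlier
    occurrence), or None if no block repeats within `limit` outputs."""
    seen = {}
    for i, block in enumerate(keystream(key, iv, limit)):
        if block in seen:
            return i, seen[block]
        seen[block] = i
    return None

def mean_first_repeat(trials: int) -> float:
    """Average first-repeat index over `trials` constructed keys.  The limit of
    2^BLOCK_BITS + 1 outputs guarantees a repeat by the pigeonhole principle."""
    total = 0
    for t in range(trials):
        key = hashlib.sha256(b"constructed-key-%d" % t).digest()
        hit = first_repeat(key, t & 0xFFFF, (1 << BLOCK_BITS) + 1)
        total += hit[0]
    return total / trials

def birthday_estimate() -> float:
    """Expected first-repeat index for N = 2^BLOCK_BITS equally likely outputs: sqrt(pi*N/2)."""
    return math.sqrt(math.pi * (1 << BLOCK_BITS) / 2)
```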

------------------------------

From: "Garry Smith" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: Fri, 18 Feb 2000 13:13:33 -0000

zapzing wrote in message <88hqt1$p7e$[EMAIL PROTECTED]>...
>>
>> Plus, the recent Scottish case where it was ruled that
>> non-self-incrimination is still a valid reason to keep your mouth shut
>> means that you can keep the keys to yourself and the courts cannot hold it
>> against you.
>
>Obviously there is a lot I don't know about English law.
>I thought you did not *have* the right to remain silent
>in England. And you can appeal to EU courts now?

Note that the earlier post referred to a Scottish legal case.

England and Scotland have different legal systems - a relic of their
independent existence until 1707. This can make a fundamental
difference to something as mundane as buying a house.

In general, new laws which are introduced into the UK nowadays
are made to apply to both England and Scotland, but still
require explicit action (2 Acts of Parliament?) to make this happen.

To generalise very broadly - I'm not a legal expert, but I'm
Scottish - it seems to me that Scots law is usually a fairer
system from the point of view of the individual who may
fall foul of it.
--
Garry Smith        [EMAIL PROTECTED]



------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Question about OTPs
Reply-To: [EMAIL PROTECTED]
Date: Fri, 18 Feb 2000 13:17:22 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> A deterministic compressor is not likely to be capable of producing a
:> uniform distribution of cyphertexts - because some messages are sent more
:> frequently than others.

: That could be taken into account.  Any really efficient compression
: scheme needs to take into account the statistical properties of the
: population from which messages are drawn.

I'm not sure you grasped what I was attempting to talk about.
I probably didn't explain it very well.

Imagine there are two messages, A, and B.  A occurs 15 times out of 16,
and B occurs 1 time out of 16.

A compressor that attempted to maximally squeeze the data might code A
as "1" and B as "0".  However, this would result in a skewed distribution
of messages being sent to the cypher.  Such a distribution might allow
cryptanalysis based on the cyphertext, if lots of messages were sent, and
the messages were longer.

What I called a "non-deterministic compressor" should perhaps have
been described as a device that attempted to get an even distribution of
texts fed to the cypher.  It would have 15 different "homophones" for
A (chosen at random), and one for B.  The randomness involved should be as
genuine as possible to best resist attack.  The cypher would then be
digesting texts with equal frequency - giving the attacker less to go on
in the way of statistical anomalies in the plaintexts.

: However, truly *perfect* compression would mean not having to
: transmit *any* information, since the model would be perfect and
: the receiver could obtain the next message by stepping the model
: one click. [...]

As you say, there's no communication at all here.  You can quantify how
much a compression algorithm compresses - and talk about maximising that -
without going to this extreme.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

The internet is full, go away.
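
A small implementation of the homophone idea in the post above, added here as an example (not Tim Tyler's code): the 16 four-bit codewords, the 15:1 message odds and the one-bit "maximal" coder are constructed from the figures in the post, and Python's random module stands in for the genuine randomness the post calls for.

```python
from fractions import Fraction
import random

# Constructed homophone table: 16 four-bit codewords, 15 standing for A, one for B.
HOMOPHONES = {"A": list(range(15)), "B": [15]}
INVERSE = {code: msg for msg, codes in HOMOPHONES.items() for code in codes}
# Message frequencies from the post: A 15 times out of 16, B once out of 16.
MESSAGE_PROBS = {"A": Fraction(15, 16), "B": Fraction(1, 16)}

def encode(messages: str, rng: random.Random) -> list:
    """Replace each message by one of its homophones chosen at random.
    random.Random is only for the demo; the post asks for genuine randomness."""
    return [rng.choice(HOMOPHONES[m]) for m in messages]

def decode(codes) -> str:
    """Every homophone maps back to exactly one message, so decoding is unambiguous."""
    return "".join(INVERSE[c] for c in codes)

def homophone_distribution(message_probs=MESSAGE_PROBS) -> dict:
    """Exact probability of each codeword reaching the cipher."""
    return {code: p / len(HOMOPHONES[msg])
            for msg, p in message_probs.items()
            for code in HOMOPHONES[msg]}

def maximal_compressor_distribution(message_probs=MESSAGE_PROBS) -> dict:
    """The 'squeeze it maximally' alternative from the post: A -> '1', B -> '0'.
    Shorter, but the symbol fed to the cipher is skewed 15:1."""
    return {"1": message_probs["A"], "0": message_probs["B"]}

def is_uniform(dist: dict) -> bool:
    return len(set(dist.values())) == 1

def roundtrip(n: int, seed: int) -> bool:
    """Draw n messages with the post's 15:1 odds, encode, decode and compare."""
    rng = random.Random(seed)
    msgs = "".join(rng.choices("AB", weights=[15, 1], k=n))
    return decode(encode(msgs, rng)) == msgs
```

The price of the flat distribution is bandwidth: four bits per message instead of one, against roughly a third of a bit of actual information per message.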

------------------------------

From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: Q: SAC2000?
Date: Fri, 18 Feb 2000 13:55:38 GMT

See
http://www.cacr.math.uwaterloo.ca/conferences/2000/SAC2000/announcement.html

Hideo Shimizu wrote:

> Where can I find information about SAC 2000?
> I can't find it on the old homepage
> http://adonis.ee.queensu.ca:8000/sac/
>
> Hideo Shimizu
> TAO, Japan


------------------------------

From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: Q: SAC2000?
Date: Fri, 18 Feb 2000 13:56:12 GMT

See
http://www.cacr.math.uwaterloo.ca/conferences/2000/SAC2000/announcement.html

Hideo Shimizu wrote:

> Where can I find information about SAC 2000?
> I can't find it on the old homepage
> http://adonis.ee.queensu.ca:8000/sac/
>
> Hideo Shimizu
> TAO, Japan


------------------------------

From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: Q: SAC2000?
Date: Fri, 18 Feb 2000 13:56:46 GMT

See
http://www.cacr.math.uwaterloo.ca/conferences/2000/SAC2000/announcement.html

Hideo Shimizu wrote:

> Where can I find information about SAC 2000?
> I can't find it on the old homepage
> http://adonis.ee.queensu.ca:8000/sac/
>
> Hideo Shimizu
> TAO, Japan


------------------------------

From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: VB & Crypto
Date: Fri, 18 Feb 2000 14:00:18 GMT

Entrust has a VB toolkit that you can download.  See
http://developer.entrust.com/vb/index.htm for more information.

Mike J.

Khalil Haddad wrote:

> Hello all,
>
> I am developing software in VB6 and would like to use strong
> encryption algorithms.
> Anyone could tell me where to find sources in VB so that I can study
> them.
>
> thanks
>
> Khalil Haddad
> KFSoft
> http://kfsoft.cjb.net


------------------------------

From: [EMAIL PROTECTED] (Richard Herring)
Crossposted-To: talk.politics.crypto
Subject: Re: UK publishes 'impossible' decryption law
Date: 18 Feb 2000 13:51:30 GMT
Reply-To: [EMAIL PROTECTED]

In article <88hqt1$p7e$[EMAIL PROTECTED]>, zapzing ([EMAIL PROTECTED]) wrote:
> In article <888ujl$mro$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (Geoff Lane) wrote:
> > In article <884m8a$m2i$[EMAIL PROTECTED]>,
> >     zapzing <[EMAIL PROTECTED]> writes:
> > > *How*, after all, would the
> > > police be able to tell an encrypted file
> > > from random numbers, anyway, and if the
> > > accused must *prove* his innocence, then
> > > how would he prove that they were random
> > > numbers and not an encrypted file?
> >
> > This is of course the killer.
> >
> > Plus, the recent Scottish  case where it was ruled that
> > non-self-incrimination is still a valid reason to keep your mouth shut means
> > that you can keep the keys to yourself and the courts cannot hold it against
> > you.
> >
> > Major parts of the proposed legislation would be knocked down the first time
> > a case was taken to a superior eu court.
> >

> Obviously there is a lot I don't know about English law.

It's different from Scots law, for a start, so that ruling
probably doesn't create a precedent in England.

> I thought you did not *have* the right to remain silent
> in England. 

The weasel words are something like "you do not have to say anything
but if you do not mention now something which you later use in 
your defence, ..." 

> And you can appeal to EU courts now?

I'm not sure it's technically an appeal. More like a separate
prosecution brought against the government for breach of the ECHR.

-- 
Richard Herring      | <[EMAIL PROTECTED]> 

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
