Cryptography-Digest Digest #177, Volume #11 Mon, 21 Feb 00 17:13:00 EST
Contents:
Re: NIST publishes AES source code on web (Mok-Kong Shen)
Re: OAP-L3 Encryption Software - Complete Help Files at web site (Tim Tyler)
Re: $200 reward ("Trevor Jackson, III")
Re: OAP-L3 Encryption Software - Complete Help Files at web site (Tim Tyler)
Re: US secret agents work at Microsoft claims French intelligence report ("Trevor
Jackson, III")
Re: I will bring PGP to the masses h15 ("Trevor Jackson, III")
Re: $200 reward (Mok-Kong Shen)
Re: OAP-L3 Encryption Software - Complete Help Files at web site (Chuck)
Stuck on code-breaking problem - help appreciated ("jdc")
Re: NTRU Speed Claims (100x faster, etc.), explained (David Wong)
How Useful is Encryption as Long as NSA Exists? ([EMAIL PROTECTED])
Re: Is Phi perfect? (Anton Stiglic)
Re: Using virtually any cipher as public key system? (Anton Stiglic)
Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP keys?) (David
A Molnar)
Re: Mixmasters encrypt how? (Anton Stiglic)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES source code on web
Date: Mon, 21 Feb 2000 20:16:02 +0100
Paul Koning wrote:
>
> Not the same thing at all. Kahn really did (apparently) do
> that as a voluntary act. On the other hand, the prior review
> system proposed in the 70s was NOT intended to be honestly
> voluntary. At least it was not designed to appear that way
> to me at the time, and I did spend some time looking at it.
I simply want to remark that the word 'voluntary' is indeed
subject to a wide range of interpretations. In a rather special
situation (nothing to do with crypto!) I was once 'forced' to
sign a piece of document about something with the additional
statement that I signed it voluntarily. If one thinks a bit
carefully, isn't the very presence of that statement in the
document absurd? But the logic of the bureaucrats can be that
different from the common people!
One probably would never be able to know to what extent the above
mentioned prior review system has succeeded in practice. Evidently
no journal editor would like to provide informations on that.
M. K. Shen
------------------------------
Crossposted-To: talk.politics.crypto,alt.privacy
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site
Reply-To: [EMAIL PROTECTED]
Date: Mon, 21 Feb 2000 19:01:23 GMT
In sci.crypt Chuck <[EMAIL PROTECTED]> wrote:
: Many a clever algorithm that was "mathematically proven" by its designer
: to be unbreakable has quickly fallen when analyzed by the world's leading
: codebreakers.
Any algorithm that comes with a mathematical proof that it's unbreakable
is unlikely to be analysed by the world's leading codebreakers.
Instead it is likely to be dismissed out-of-hand - as the output of
someone with little idea about the nature of the field.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Sorry, I don't date outside my species.
------------------------------
Date: Mon, 21 Feb 2000 14:22:19 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: $200 reward
[EMAIL PROTECTED] wrote:
> I am offering a reward of $200 to the first person who can break the
> cipher, the
> description of which can be found below. It is a stream cipher. I have
> generated two files.
> The first file (cr_zeroes.bin) contains 1 Mbytes of binary zeroes XORed
> with the
> pseudo-random stream.
I found this quite confusing. Can you please explain the difference between
1MB of stream data and 1MB of stream data XORed with 1MB of binary zeros?
------------------------------
Crossposted-To: talk.politics.crypto,alt.privacy
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site
Reply-To: [EMAIL PROTECTED]
Date: Mon, 21 Feb 2000 19:11:58 GMT
In sci.crypt Peter Rabbit <[EMAIL PROTECTED]> wrote:
: I am not taking anybody's side here. All I am stating is: Investigate
: before judging and then prove what you are asserting.
How is /anyone/ supposed to evaluate the security of the project, when
there's no source code available?
I don't rate the "description" of the algorithm as being very coherent,
either. For example, there's lots of stuff abouit "rotating sets",
without specifying the direction of rotation. I doubt the information
provided is sufficient for a third-party to write either a decryptor or an
encryptor.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Love is chemistry, sex is physics.
------------------------------
Date: Mon, 21 Feb 2000 14:28:34 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: US secret agents work at Microsoft claims French intelligence report
Dave Hazelwood wrote:
> An intelligence report out of France has accused US secret agents of
> collaborating with computer giant Microsoft in developing a software
> that would allow Washington to spy on communications around the world.
>
> Drawn up by the intelligence arm of the French Defense Ministry, the
> Strategic Affairs Delegation (DAS), the report was quoted the
> newsletter Le Monde du Renseignement (Intelligence World) on Friday.
>
> The report claims that agents from the National Security Agency, NSA
> helped install secret programmes in Microsoft software which is
> currently in use in no less than 90 percent of all computers.
>
> The NSA protects communications for the US government, and also
> intercepts electronic messages for the Defence Department and other US
> intelligence agencies, the newsletter said.
>
> According to the report, "it would seem that the creation of Microsoft
> was largely supported, not least financially, by the NSA, and that IBM
> was made to accept the (Microsoft) MS-DOS operating system by the same
> administration".
>
> It also said that the Pentagon was Microsoft's biggest client in the
> world.
Sounds like an echo of the _NSAKEY issue. Any details on why they reached
their conclusion?
------------------------------
Date: Mon, 21 Feb 2000 14:34:19 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: I will bring PGP to the masses h15
PGP_for_ALL wrote:
> I will bring PGP to the masses
Look into InvisiMail from a company in NZ. They have a neat key manager that
automagically decrypts incoming mail and encrypts outgoing mail if the proper key
is present. If the respondent's key is not present it attaches the user's public
key to outgoing messages, so that the first exchange of messages between users
allows all future traffic between them to be encrypted invisibly.
When you make it brain-dead (like a light switch), they will use it.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: $200 reward
Date: Mon, 21 Feb 2000 21:37:34 +0100
Trevor Jackson, III wrote:
>
> [EMAIL PROTECTED] wrote:
>
> > I am offering a reward of $200 to the first person who can break the
> > cipher, the
> > description of which can be found below. It is a stream cipher. I have
> > generated two files.
> > The first file (cr_zeroes.bin) contains 1 Mbytes of binary zeroes XORed
> > with the
> > pseudo-random stream.
>
> I found this quite confusing. Can you please explain the difference between
> 1MB of stream data and 1MB of stream data XORed with 1MB of binary zeros?
That 'invention' is worth more than $200!
M. K. Shen
------------------------------
From: Chuck <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site
Date: Mon, 21 Feb 2000 12:35:17 -0600
On Mon, 21 Feb 2000 14:08:33 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>There are two thresholds involved. Security is naturally the first, but
>efficienccy/performance is also important in cipher selection. Concluding
>that only ~10 ciphers are secure because only ~10 ciphers have been widely
>deployed (which is also too low) is an error. Conceptually making secure
>ciphers is not hard*. Making secure ciphers that are also efficient is
>hard.
>
>*Illustration of the ease of making more secure ciphers. One can describe
>a whole family of ciphers all based on DES. 3DES is the most efficient,
>but NDES (N=2K+1), are all secure, and decreasingly efficient.
>
I got my mistaken info from a library book I checked out a while back,
entitled "Cryptography Simplified" or somesuch. Guess it was a little
TOO simplified. :-(
Can anyone recommend any good books that cover the history, use, and
algorithms from a layman's standpoint but won't be another waste of my
time?
------------------------------
From: "jdc" <[EMAIL PROTECTED]>
Subject: Stuck on code-breaking problem - help appreciated
Date: Mon, 21 Feb 2000 20:39:48 -0000
If anyone can have a look at this one and see if they can make it out I'd be
grateful - it is a fairly common pattern, but the straight decryption
doesn't work. I have non-definite reason to believe the repeated word begins
"apollo", and the letter at the end could be n or i, on that logic - the
greek.
Scanned it in on
http://www.multimania.com/jeancrypt/Code.jpg
Thanks.
John
--
I'm awake but this is not my home
------------------------------
From: David Wong <[EMAIL PROTECTED]>
Subject: Re: NTRU Speed Claims (100x faster, etc.), explained
Date: Mon, 21 Feb 2000 15:24:23 -0500
Reply-To: [EMAIL PROTECTED]
Mike Rosing wrote:
> Dr. Yongge Wang wrote:
> >
> > I think the 3:4=plain:cipher is obtained by re-using some randomness
> > (I donot have the paper at hand and do not want to bother to check it,
> > but if you are really interested in it, you may find it in their
> > ANTS paper--can be downloaded from www.ntru.com)
> >
> > Roughly I remember that after the first encryption,
> > the second message is encrypted with some info from the
> > first ciphertext...or...i forget the details and canot
> > get this 3:4 now
>
> That sounds familiar. I think John is right for an individual
> key/message.
> You do get a lot of expansion if you reset all the data each time, but
> that
> isn't necessary for lots of keys.
>
> For bandwidth limited applications I don't think NTRU is a good fit. It
> has
> lots of other uses tho, and the math is pretty interesting.
OK, at last I am at office and have a chance to check it:
Their paper writes as follows:
It may be worth mentioning that there is a simple way that the NTRU
technique can be used to convey a very long message with an expansion
of only 1-1 after the first message block.
With this approach, the first encrypted message e1 that Cathy sends
is decrypted as a sequence of 1s , 0s, and -1s (p=3) and interpreted as a
\phi_1 for the next message block. The next encrypted message block
is (\phi_1 * e1 + m1), where m1 is the first block of the actual message.
As Dan knows \phi_1, he can recover (m1 mod q ) exactly. The next
encrypted message block Cathy sends is (e2= \phi_2 * e1 + m2),
where Cathy derived \phi_2 from m1 by squaring m1 and reducing
it mod 3. Dan can now recover \phi_2 as he knows m1, and hence
can derive (m2 mod q) from e2. This can continue for a message of arbitary
length.
Good luck!
------------------------------
From: [EMAIL PROTECTED]
Subject: How Useful is Encryption as Long as NSA Exists?
Date: Mon, 21 Feb 2000 21:05:03 GMT
As you all know there are rumors that Microsoft Windows products have
an NSA backdoor. Why not, if throught history the NSA has always
convinced foreign crypto companies to have one too. Check out an
interesting article on:
http://mediafilter.org/caq/cryptogate/
Currently, U.S. companies can export strong crypto but the product must
continuously go through government "review," whatever that means. Many
argue that these domestic requirements are useless because someone
could buy strong crypto from Israel, Ireland, etc., that has not
been "touched" by the U.S. government. But can we say for sure that the
NSA's fingers have not been all over these products as well, especially
when there is plenty of evidence to the contrary?
Maybe a drug dealer living in Costa Rica, who has fled the U.S. years
before, is using encryption software from a non-U.S. country in some of
his daily operations, thinking that nobody is listening, when the U.S.
actually has the key. What protection is a safe with an infinite number
of combinations if your enemy has the secret code? Code breaking ceases
to become an issue.
Furthermore, even if the drug dealer in question is lucky enough to be
using crypto from a country that has not been pursuaded by the U.S. to
cough up the key, he is probably still using Windows, and might still
have some of his data vulnerable.
Even though all this is a big "what if" scenario, can someone (say,
living outside of the U.S.) using a Windows operating system be
positively sure that the U.S. cannot decrypt his encrypted
communication or the encrypted information inside his computer, except
by guessing the password (which is the most difficult way)? how about
access his/her files through Microsoft?
Thanks.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Is Phi perfect?
Date: Mon, 21 Feb 2000 11:21:31 -0500
==============E211BC77A45B8D727E47EE4A
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
The Euler function is simply defined as this:
Phi(n) = | { a: 0 < a <= n such that gcd(a,n) = 1} | ,
where |A| is the cardinality of set A, gcd stands for greatest
commun divisor. gcd(x,y) = 1 if x is relatively prime to y.
*That* is the correct definition.
Anton
Frank the_root wrote:
> Hi,
>
> I always thought that the Euler's Phi fonction ( Phi(n) ) was the
> fonction that gives the number of numbers relatively prime to n and
> smaller than n by the multiplication of each primes factors of n reduced
> by one. Last day, I found that it wasn't always true.
>
> For exemple: Let's determine the number of numbers relatively prime to
> 125: 125 = 5³, so we can see that at each 5 numbers, 4 of them are
> relatively prime to 125. 125 × (5/4) = 42 != (5-1)(5-1)(5-1)
>
> I noticed that Phi doesn't work with numbers that are perfect squares,
> perfect cubes ... etc. Ex:
>
> Phi(9) (3-1)(3-1) != 6
> Phi(16): (2-1)(2-1)(2-1)(2-1) != 8
> Phi(49): (7-1)(7-1) != 42
>
> This contradiction seems me to obvious. Was this problem known when
> Euler presented his fonction and is there a official restriction that
> was attributed to this fonction?
>
> Tanks
>
> Frank
>
> --
> Ceux qui rêvent le jour, savent des choses qu'ignorent ceux qui rêvent
> la nuit.
--
___________________________________________
Anton Stiglic
Jr. developer & specialist in cryptology.
Zero-Knowledge Systems Inc.
___________________________________________
==============E211BC77A45B8D727E47EE4A
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
The Euler function is simply defined as this:
<p> Phi(n) = | { a: 0 < a <= n such that
gcd(a,n) = 1} | ,
<br>where |A| is the cardinality of set A, gcd stands for greatest
<br>commun divisor. gcd(x,y) = 1 if x is relatively prime to y.
<p>*That* is the correct definition.
<p>Anton
<br>
<p>Frank the_root wrote:
<blockquote TYPE=CITE>Hi,
<p>I always thought that the Euler's Phi fonction ( Phi(n) ) was the
<br>fonction that gives the number of numbers relatively prime to n and
<br>smaller than n by the multiplication of each primes factors of n reduced
<br>by one. Last day, I found that it wasn't always true.
<p>For exemple: Let's determine the number of numbers relatively prime
to
<br>125: 125 = 5³, so we can see that at each 5 numbers, 4 of them
are
<br>relatively prime to 125. 125 × (5/4) = 42 != (5-1)(5-1)(5-1)
<p>I noticed that Phi doesn't work with numbers that are perfect squares,
<br>perfect cubes ... etc. Ex:
<p>Phi(9) (3-1)(3-1) != 6
<br>Phi(16): (2-1)(2-1)(2-1)(2-1) != 8
<br>Phi(49): (7-1)(7-1) != 42
<p>This contradiction seems me to obvious. Was this problem known when
<br>Euler presented his fonction and is there a official restriction that
<br>was attributed to this fonction?
<p>Tanks
<p>Frank
<p>--
<br>Ceux qui rêvent le jour, savent des choses qu'ignorent ceux qui
rêvent
<br>la nuit.</blockquote>
<pre>--
___________________________________________
Anton Stiglic <[EMAIL PROTECTED]>
Jr. developer & specialist in cryptology.
Zero-Knowledge Systems Inc.
___________________________________________</pre>
</html>
==============E211BC77A45B8D727E47EE4A==
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Using virtually any cipher as public key system?
Date: Mon, 21 Feb 2000 11:26:15 -0500
==============467D45B9F7DB6598914E1883
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
I think you were just confusing the terms you were using. In any case,
I don't see why anyone would need public key encryption whitout any
public key scheme, it does not make much sens.... something has to
be public if the two participants don't have any way to personaly
communicate in a secure way.
Anton
John Savard wrote:
> Anton Stiglic <[EMAIL PROTECTED]> wrote, in part:
>
> >The scheme that I described was actually first described by ElGamal
> >in his crypto 84 paper. I'd suggest you go read the paper, it clearly
> >uses the term "public key cryptosystem" to describe the scheme.
>
> Of course it's public key encryption. Because Diffie-Hellman is used.
> But it isn't a way to perform public-key encryption using only DES and
> similar methods.
>
> John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> http://www.ecn.ab.ca/~jsavard/crypto.htm
--
___________________________________________
Anton Stiglic
Jr. developer & specialist in cryptology.
Zero-Knowledge Systems Inc.
___________________________________________
==============467D45B9F7DB6598914E1883
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<br>I think you were just confusing the terms you were using. In
any case,
<br>I don't see why anyone would need public key encryption whitout any
<br>public key scheme, it does not make much sens.... something has
to
<br>be public if the two participants don't have any way to personaly
<br>communicate in a secure way.
<br>
<p>Anton
<br>
<p>John Savard wrote:
<blockquote TYPE=CITE>Anton Stiglic <[EMAIL PROTECTED]> wrote, in part:
<p>>The scheme that I described was actually first described by ElGamal
<br>>in his crypto 84 paper. I'd suggest you go read
the paper, it clearly
<br>>uses the term "public key cryptosystem" to describe the scheme.
<p>Of course it's public key encryption. Because Diffie-Hellman is used.
<br>But it isn't a way to perform public-key encryption using only DES
and
<br>similar methods.
<p>John Savard (jsavard<at>ecn<dot>ab<dot>ca)
<br><a
href="http://www.ecn.ab.ca/~jsavard/crypto.htm">http://www.ecn.ab.ca/~jsavard/crypto.htm</a></blockquote>
<pre>--
___________________________________________
Anton Stiglic <[EMAIL PROTECTED]>
Jr. developer & specialist in cryptology.
Zero-Knowledge Systems Inc.
___________________________________________</pre>
</html>
==============467D45B9F7DB6598914E1883==
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP keys?)
Date: 21 Feb 2000 21:10:07 GMT
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
> "David A. Wagner" wrote:
>> In article <[EMAIL PROTECTED]>,
>> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
>> > Best I've heard for factoring is square root improvement [...]
>>
>> Well, probably the single most famous result in the field is Shor's
>> algorithm that does factoring and discrete log in quantum-poly time.
>> That's much more than square-root improvement.
> Yes, that is dramatically better. Does this represent a general
> breakthrough or is it a narrowly specialized technique?
Narrowly specialised. As far as I know, the technique only works for
factoring and discrete log. Works by finding the order of an element for
some arbitrary elements modulo n = pq. Eventually you end up finding an
element whose order is p or q and this gives you a factor. Do not remember
the details for discrete log, but it's a similar idea.
People have doubtless been trying to generalise his results in order
to get similar speedups on other problems. As far as I know, though,
this has met with very limited success (but I don't know much).
The best general-purpose speedup is still sqrt(n).
Thanks,
-David
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Mixmasters encrypt how?
Date: Mon, 21 Feb 2000 11:34:01 -0500
==============39F896CFFFAE3D63A44E014B
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
You can start by reading Ian Goldberg et al paper:
"Privacy-enhancing technologies for the Internet",
and check out the refs...
You can get the paper at this URL:
http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html
Anton
William Rowden wrote:
> I'm interested in the encryption methods used by anonymous remailers.
> Can someone point me to some documentation on the algorithms,
> particularly the one used by type 2 (Mixmaster)? My basic
> understanding is that type 1 remailers use PGP's method (i.e., CAST,
> IDEA, or 3DES for the message, with the session key encrypted by a
> public key--an Elgamal, or DH/DSS, public key in this case). I see
> that Mixmaster remailers use RSA keys, but they appear to have a
> special key format. I'll browse the sources, but I'd like a more
> detailed algorithm description first. I imagine one of the sci.crypt
> regulars knows.
>
> TIA
> --
> -William
> SPAM filtered; damages claimed for UCE according to RCW19.86
> PGP key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2000-08-01
> Fingerprint: FB4B E2CD 25AF 95E5 ADBB DA28 379D 47DB 599E 0B1A
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
--
___________________________________________
Anton Stiglic
Jr. developer & specialist in cryptology.
Zero-Knowledge Systems Inc.
___________________________________________
==============39F896CFFFAE3D63A44E014B
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
You can start by reading Ian Goldberg et al paper:
<br>"Privacy-enhancing technologies for the Internet",
<br>and check out the refs...
<br>You can get the paper at this URL:
<br><a
href="http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html">http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html</a>
<p>Anton
<p>William Rowden wrote:
<blockquote TYPE=CITE>I'm interested in the encryption methods used by
anonymous remailers.
<br>Can someone point me to some documentation on the algorithms,
<br>particularly the one used by type 2 (Mixmaster)? My basic
<br>understanding is that type 1 remailers use PGP's method (i.e., CAST,
<br>IDEA, or 3DES for the message, with the session key encrypted by a
<br>public key--an Elgamal, or DH/DSS, public key in this case).
I see
<br>that Mixmaster remailers use RSA keys, but they appear to have a
<br>special key format. I'll browse the sources, but I'd like a more
<br>detailed algorithm description first. I imagine one of the sci.crypt
<br>regulars knows.
<p>TIA
<br>--
<br> -William
<br>SPAM filtered; damages claimed for UCE according to RCW19.86
<br>PGP key: <a
href="http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc">http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc</a>
until 2000-08-01
<br>Fingerprint: FB4B E2CD 25AF 95E5 ADBB DA28 379D 47DB 599E 0B1A
<p>Sent via Deja.com <a href="http://www.deja.com/">http://www.deja.com/</a>
<br>Before you buy.</blockquote>
<pre>--
___________________________________________
Anton Stiglic <[EMAIL PROTECTED]>
Jr. developer & specialist in cryptology.
Zero-Knowledge Systems Inc.
___________________________________________</pre>
</html>
==============39F896CFFFAE3D63A44E014B==
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
