Cryptography-Digest Digest #380, Volume #11      Tue, 21 Mar 00 18:13:01 EST

Contents:
  Re: ecc equation ("Tom St Denis")
  Re: generate a random number (pink aka Chr. Boesgaard)
  Re: IV vs. SALT? (Terry Ritter)
  Re: root mod a prime? ("Tom St Denis")
  Re: root mod a prime? (David Hopwood)
  Re: IV vs. SALT? ("Joseph Ashwood")
  Re: multiple encryption ("Joseph Ashwood")
  Re: Using virtually any cipher as public key system? (pink aka Chr. Boesgaard)
  What is "Counter mode" and "Interleaved chaining mode" (Tong Zhang)
  Re: root mod a prime? ("Tom St Denis")
  Re: IV vs. SALT? (John Myre)
  Re: What is "Counter mode" and "Interleaved chaining mode" ("Joseph Ashwood")
  Re: Non-doublespending offline digital money? (David Hopwood)
  Re: Card shuffling (John Myre)
  Re: Concerning  UK publishes "impossible" decryption law (Otto Sykora)
  Re: Non-doublespending offline digital money? (Eric Norman)
  Re: On jamming interception networks (Derek Bell)
  Re: ScramDisk problem : storing PLAIN TEXT PASSPHRASE in the driver cache ... (Steve K)

----------------------------------------------------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: ecc equation
Date: Tue, 21 Mar 2000 20:26:36 GMT


Mike Rosing <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> For GF(p), 4(a^3) + 27(b^2) can't be zero.  But for GF(2^n), 4*x -> 0,
> so you're left with only b can't be zero.  If Trace(a) = 0 you get a
> curve and if Trace(a) = 1 you get the "twist" of a curve (for the
> same b).

What is the diff between Trace(a) = 1, or 0?

For GF(p) what considerations should I make?  What other types of
polynomials exist?  I think I saw

y^2 + xy = x^3 + ax + b

or something like that...

err..


>
> Why does a have to be negative for GF(p)?

'a' must be negative for the real number set.  Not for GF(p).

Thanks for the help.




------------------------------

From: [EMAIL PROTECTED] (pink aka Chr. Boesgaard)
Subject: Re: generate a random number
Date: 21 Mar 2000 21:32:03 +0100

Jesper Stocholm <[EMAIL PROTECTED]> writes:

> I use the Blum-Blum-Shub / RSA CPRBG to construct random bitstrings.
> However - these require usage of primes. But how do I generate these
> primes - or the random bitstrings to make them from ? As far as I know,
> using the system-clock degrades the security from 2^500 (or more) to
> only 2^32 ... so I am reluctant to use that.
> 
> What are the algorithms for this ? Should I use a combination of user-
> input and clock ... or ?

Check out yarrow from counterpane:
http://www.counterpane.com/yarrow.html

If you're on a *BSD or Linux, check out /dev/random



------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: IV vs. SALT?
Date: Tue, 21 Mar 2000 20:33:30 GMT


On Tue, 21 Mar 2000 09:12:38 -0700, in <[EMAIL PROTECTED]>,
in sci.crypt John Myre <[EMAIL PROTECTED]> wrote:

>Doug Stell wrote:
>> The IV is often considered secret.
>
>Rarely.

If the IV *is* exposed, a man-in-the-middle can change the plaintext
of the first block at will (by changing the IV).  This does not change
the ciphertext or the chaining values, and so might not be detected if
only the chained result is used for validation.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: root mod a prime?
Date: Tue, 21 Mar 2000 20:37:36 GMT


Mike Rosing <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> We know that already :-)  Welcome to the club.

I hope to stay in the club a while.

> Do a web search with "square roots mod p".  I got 17 hits from google.
> Knuth has a method, and there's one in H. Reisle's book (spelling?)
> about
> primes.  If you want, I'll get the page numbers in those books. (send
> me e-mail and remind me!!)

I found 1000 or so hits on google with the same string.  Could you just
please email [or send via usenet] the url of the websites you found?

Thanks for the help.  I hope to write some primitive ECC code [i.e. find
points, add them, double, multiply by scalars]... :)

Tom



------------------------------

Date: Tue, 21 Mar 2000 20:22:06 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: root mod a prime?


Tom St Denis wrote:
> 
> How do you take the sqrt of an integer modulo a prime?

Use a maths library :-). If you're writing or extending a maths
library, see Handbook of Applied Cryptography section 3.5.

-- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: IV vs. SALT?
Date: Tue, 21 Mar 2000 12:46:30 -0000

The only differences are in how the process is viewed.
Both should be chosen randomly.
Both are used to make it virtually impossible to tell when 2
outputs are identical.
An IV is generally used for encryption, whether public,
block, or stream it's useful for all of them
A salt is generally used for password verification.
You could easily switch the word usage, and most people
(even in the industry) wouldn't even notice, the rest would
recognise what you meant and might comment on it.
There are some other considerations, but they really aren't
worth considering for most circumstances. Things like an IV
can actually be a simple counter for many circumstances,
while a salt generally shouldn't be, so if you simply choose
based on a good random number generator it won't matter.
                Joe

"Marc Howe" <[EMAIL PROTECTED]> wrote in message
news:ebyB4.3882$[EMAIL PROTECTED]...
> I'm a newbie to crypto, so I was wondering what the differences (if any -
> and similarities as well) are between IV (Initialization Vector) and SALT?
>
> Thank you,
>
> Marc
>
>



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: multiple encryption
Date: Tue, 21 Mar 2000 12:54:36 -0000

All your questions have the same answer "It depends on the
algorithm." As was noted if they form a group then you only
have the equivalent of one encryption. What you also need to
know is if group tendencies are shown at larger values. Do n
encryptions form a group? Is n encryptions equivalent to n-i
encryptions for some i? Once these questions have been
answered for all i and n in your space, then it is possible
to judge. Actually you should analyze it down to the round
level, perhaps lower on occasion. A method that has shown
to have at least some progress is using a second key for
whitening, YMMV.
                    Joe

"Vlad" <[EMAIL PROTECTED]> wrote in message
news:8b8f8q$lmk$[EMAIL PROTECTED]...
> Hello.
>  If I encrypt my data using short keys (40, 56) more than one time,
> ( 1 file is encrypting 40 times with 56 bit key ) how it can increase
> the privacy level ?
>  What if I change the key every time I do my encryption (i.e. 40
> cycles with 40 different keys). And what will be the equivalent length
> of the one round encrypting key in this case ?
>  Thanks.
>  Vladislav
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------

From: [EMAIL PROTECTED] (pink aka Chr. Boesgaard)
Subject: Re: Using virtually any cipher as public key system?
Date: 21 Mar 2000 22:08:03 +0100

[EMAIL PROTECTED] (fvw) writes:

> I don't recall where I read about this, or what it's called, but there
> was a way that you take a large amount of random keys. Then you add
> a unique ID to each of the keys. Then you encrypt all the key/ID pairs with
> a cypher that'll take a few secs on the recipients computer to crack.
> The recipient then picks one random encrypted Key/ID pair, cracks it, and
> sends you the ID. You then both know what key to use. An attacker however,
> would have to brute-force on average half of all the Key/ID pairs, and if
> you have a sufficiently large number of them, this becomes unviable.

In B.S. Applied Crypto. there is a description of one of the first
attempts to make a scheme like this.

-- 
  Christian Boesgaard

------------------------------

From: Tong Zhang <[EMAIL PROTECTED]>
Subject: What is "Counter mode" and "Interleaved chaining mode"
Date: Tue, 21 Mar 2000 15:21:26 -0600


Hi,

I just read a book about block ciphers. It mentioned two operation
modes: Counter mode and Interleaved chaining mode. It said that if the
block cipher works in these two modes, the cipher can be pipelined.
But I can't find the definition or explanation of them. Where can I
find related information? Thanks,

Tong

===============
As always, the life is beautiful!!!


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: root mod a prime?
Date: Tue, 21 Mar 2000 21:28:35 GMT


David Hopwood <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > How do you take the sqrt of an integer modulo a prime?
>
> Use a maths library :-). If you're writing or extending a maths
> library, see Handbook of Applied Cryptography section 3.5.

Well actually I use MPI, which doesn't [yet] have a sqrtmod routine.  hehe

Thanks for the info.

Tom

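A worked example, added here and not from any poster, serving both this thread's question (a square root modulo a prime, the HAC section 3.5 material) and the ECC thread earlier in the digest: Tonelli-Shanks for sqrt mod an odd prime, then used to find a point on y^2 = x^3 + ax + b over GF(p) after checking the 4a^3 + 27b^2 != 0 condition Mike Rosing gave. The primes and curve coefficients are constructed sample values.

```python
def legendre(a: int, p: int) -> int:
    # Euler's criterion: 1 for a quadratic residue, p-1 for a non-residue, 0 for a == 0.
    return pow(a, (p - 1) // 2, p)

def sqrt_mod_prime(a: int, p: int):
    """Return x with x*x == a (mod p) for an odd prime p, or None if no root exists."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    if p % 4 == 3:                       # shortcut case: x = a^((p+1)/4)
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                      # Tonelli-Shanks: write p-1 = q * 2^s, q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while legendre(z, p) != p - 1:       # any quadratic non-residue z will do
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                   # least i with t^(2^i) == 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def is_nonsingular(a: int, b: int, p: int) -> bool:
    # y^2 = x^3 + ax + b over GF(p) is a valid curve only if 4a^3 + 27b^2 != 0 (mod p).
    return (4 * a ** 3 + 27 * b ** 2) % p != 0

def on_curve(pt, a: int, b: int, p: int) -> bool:
    x, y = pt
    return (y * y - x ** 3 - a * x - b) % p == 0

def find_point(a: int, b: int, p: int, x_start: int = 0):
    """First x >= x_start whose right-hand side is a square mod p, with one matching y."""
    if not is_nonsingular(a, b, p):
        return None
    for x in range(x_start, p):
        y = sqrt_mod_prime((x ** 3 + a * x + b) % p, p)
        if y is not None:
            return (x, y)
    return None

if __name__ == "__main__":
    p, a, b = 97, 2, 3                   # constructed sample curve
    print(sqrt_mod_prime(13, 17), find_point(a, b, p))
```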


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: IV vs. SALT?
Date: Tue, 21 Mar 2000 14:35:00 -0700

Terry Ritter wrote:
> 
> On Tue, 21 Mar 2000 09:12:38 -0700, in <[EMAIL PROTECTED]>,
> in sci.crypt John Myre <[EMAIL PROTECTED]> wrote:
> 
> >Doug Stell wrote:
> >> The IV is often considered secret.
> >
> >Rarely.
> 
> If the IV *is* exposed, a man-in-the-middle can change the plaintext
> of the first block at will (by changing the IV).  This does not change
> the ciphertext or the chaining values, and so might not be detected if
> only the chained result is used for validation.

Assuming you mean CBC mode, this is quite true.  Meanwhile,
the same thing applies to *every other* ciphertext block
anyway - the "IV" for every block except the first is the
prior ciphertext block, which of course you have to send.

In other words, it is not healthy to validate only based on the
last block, even if you conceal the IV.

Now, it is true that changing some block other than the IV has
an additional effect: the changed block is decrypted to garbage. 
But if you rely on that, then you are in fact validating the
entire message.  If you are going to do that, it is wise to use
a strong validation method (like HMAC, say).  If you do so, then
a change to the IV is detected, too.

Similar (not identical) considerations apply to the other
standard block cipher modes that use an IV (CFB and OFB).

Most people consider it not worth the trouble to conceal the IV,
most of the time - it doesn't buy you enough.

John M.

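An added example (not from any poster in this thread) of the CBC tampering Terry and John describe: flipping bits in the transmitted IV rewrites the first plaintext block, leaves the ciphertext and every chaining value untouched, so a check on the chained result passes, while an HMAC over IV and ciphertext catches it. The block cipher is a constructed 16-byte toy stand-in, and all keys and data are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16

def _round_keys(key: bytes) -> list:
    # Round keys hashed from the key; part of the toy cipher, not a real design.
    return [hashlib.sha256(key + bytes([r])).digest()[:BLOCK] for r in range(4)]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in 16-byte block cipher (XOR a round key, rotate bytes, 4 rounds).
    # Invertible and key-dependent, which is all the CBC demonstration needs.
    b = bytes(block)
    for rk in _round_keys(key):
        b = bytes(x ^ k for x, k in zip(b, rk))
        b = b[3:] + b[:3]
    return b

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    b = bytes(block)
    for rk in reversed(_round_keys(key)):
        b = b[-3:] + b[:-3]
        b = bytes(x ^ k for x, k in zip(b, rk))
    return b

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def iv_tamper_demo() -> dict:
    key, mac_key = b"constructed enc key", b"constructed mac key"   # sample values
    iv = bytes(range(BLOCK))                                       # constructed IV
    pt = b"pay $100 to bob " + b"memo: lunch owed"                 # two full blocks
    ct = cbc_encrypt(key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()     # MAC covers the IV
    # Man-in-the-middle view: the IV is XORed with the difference between the
    # first block as sent and the first block the attacker wants the receiver to see.
    bad_iv = xor(iv, xor(b"pay $100 to bob ", b"pay $900 to bob "))
    got = cbc_decrypt(key, bad_iv, ct)
    # Re-encrypting the recovered text under the received IV reproduces the
    # received ciphertext exactly, so a check on the chained result passes.
    chain_check_passes = cbc_encrypt(key, bad_iv, got)[-BLOCK:] == ct[-BLOCK:]
    bad_tag = hmac.new(mac_key, bad_iv + ct, hashlib.sha256).digest()
    return {
        "first_block": got[:BLOCK],
        "rest_intact": got[BLOCK:] == pt[BLOCK:],
        "chain_check_passes": chain_check_passes,
        "hmac_detects": not hmac.compare_digest(tag, bad_tag),
    }
```
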
------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: What is "Counter mode" and "Interleaved chaining mode"
Date: Tue, 21 Mar 2000 13:45:40 -0000

Well to express them in short I will use pseudo-code (very
similar to C), that I hope you can read/understand.

Encrypt is of the form
            Encrypt(key, InitializationVector, Data)
    in many cases the key and InitializationVector are
simply XOR'd to produce the key value that is actually
used for the encryption
Counter mode
{
        for(blockNumber = IV; blockNumber within blocks;
blockNumber = blockNumber +1)
        {
            Encrypt(key, blockNumber, block)
        }
}
The result is that block n uses an initialization vector of
the IV+n, this can of course be deserialized completely

Interleaved Chaining is harder to describe generically in
pseudo-code, the short of it is that you have n different
IV, n different initialized methods, potentially n different
encryption methods, basically n of everything. The blocks
are then algorithmically distributed between them, typically
by a simple loop counter, and encryption behaves as usual.
This can also be deserialized to a point.


"Tong Zhang" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> I just read a book about block ciphers. It mentioned two operation
> modes: Counter mode and Interleaved chaining mode. It said that if the
> block cipher works in these two modes, the cipher can be pipelined.
> But I can't find the definition or explanation of them. Where can I
> find related information? Thanks,
>
> Tong
>
> ---------------
> As always, the life is beautiful!!!
>
>
>

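An added example (not from the poster) showing the two properties Joe describes: in counter mode block n depends only on IV+n and its own input, so blocks can be processed in any order, and with n interleaved chains each chain only ever sees every n-th block. E_k is a constructed HMAC-based stand-in for the forward direction of a block cipher; keys, IVs and data are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16

def prf_block(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for the forward direction E_k of a block cipher
    # (HMAC-SHA256 truncated to one block). Encryption in both modes below
    # only ever applies E_k forwards, so invertibility is not needed here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ctr_block(key: bytes, iv: int, n: int, block: bytes) -> bytes:
    # Counter mode: block n is combined with E_k(IV + n) and nothing else,
    # so each block is an independent unit of work for a pipeline stage.
    counter = ((iv + n) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
    return xor(block, prf_block(key, counter))

def ctr_encrypt(key: bytes, iv: int, data: bytes, order=None) -> bytes:
    blocks = split_blocks(data)
    order = range(len(blocks)) if order is None else order
    out = [b""] * len(blocks)
    for n in order:                       # any processing order gives the same result
        out[n] = ctr_block(key, iv, n, blocks[n])
    return b"".join(out)

def interleaved_cbc_encrypt(key: bytes, ivs: list, data: bytes) -> bytes:
    # n independent CBC chains, one IV each; block i goes to chain i mod n
    # (the simple loop counter from the post). A chain never sees another's blocks.
    prev = list(ivs)
    out = []
    for i, blk in enumerate(split_blocks(data)):
        j = i % len(ivs)
        prev[j] = prf_block(key, xor(blk, prev[j]))
        out.append(prev[j])
    return b"".join(out)

def chaining_demo() -> dict:
    key = b"constructed demo key"
    data = bytes(range(64))               # four constructed 16-byte blocks
    ivs = [bytes([1]) * BLOCK, bytes([2]) * BLOCK]
    ctr_seq = ctr_encrypt(key, 7, data)
    ctr_any = ctr_encrypt(key, 7, data, order=[3, 1, 2, 0])
    # Change block 1 (chain 1). Blocks 0 and 2 (chain 0) must come out identical;
    # block 3, which follows block 1 in chain 1, must change.
    data2 = data[:BLOCK] + bytes(BLOCK) + data[2 * BLOCK:]
    c1 = interleaved_cbc_encrypt(key, ivs, data)
    c2 = interleaved_cbc_encrypt(key, ivs, data2)
    return {
        "ctr_order_independent": ctr_seq == ctr_any,
        "chain0_untouched": c1[:BLOCK] == c2[:BLOCK]
        and c1[2 * BLOCK:3 * BLOCK] == c2[2 * BLOCK:3 * BLOCK],
        "chain1_changed": c1[3 * BLOCK:] != c2[3 * BLOCK:],
    }
```

Decryption in counter mode is the same XOR with E_k(IV+n), so `ctr_encrypt` applied twice returns the original data.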


------------------------------

Date: Tue, 21 Mar 2000 21:26:55 +0000
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Non-doublespending offline digital money?


matt wrote:
> Could anyone tell me if it is theoretically/physically possible to
> have a digital cash system which is offline, and prevents double
> spending?

It's possible to detect double spending in an off-line system (when
the cash is deposited with the bank), but not to prevent it at the
time of the transaction. You can make it more difficult (and reduce the
amount of resources needed to deal with it in practice) by using a
tamper-resistant user token, so that double spending can only occur
at deposit time if the user to which the cash was issued has broken
the tamper resistance of their token.

OTOH, with the cost of always-on access coming down significantly
in most countries, and with the introduction of wireless networks, I
doubt if the advantages of off-line cash would outweigh the added
complexity (which is considerable).

-- 
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01



------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Card shuffling
Date: Tue, 21 Mar 2000 14:54:39 -0700

Mok-Kong Shen wrote:

> ... Can
> one give a function f(P) with range [0.0, 1.0] that characterizes
> in some reasonable way (i.e. not contrary to some common sense
> or intuition and hence be acceptable to the common people) the
> 'disordering' of P relative to S?

Well of course.  But what use would it be?  Any number of facts
concerning random numbers and probability are counterintuitive
"to the common people".  What would you use f(P) for?

John M.

------------------------------

From: [EMAIL PROTECTED] (Otto Sykora)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.security.scramdisk,alt.privacy
Subject: Re: Concerning  UK publishes "impossible" decryption law
Date: Tue, 21 Mar 2000 22:09:58 -0001

>> an electric magnet is not so hard to make or get hold of, it's harmless
>> unless power is given to it, and when powered, can easily be strong
>> enough to destroy data on the disks.
>
> I find that difficult to believe. Can you provide figures to
> justify your assertion?

Why should it be difficult to destroy data on a disk with a magnet?
Small example, this time with a small permanent magnet:
in some trains in Germany, they have seats similar to those in an airplane;
the small table integrated in the seat in front of you is held in the
stowed position by two small permanent magnets. When people used this
table as a support for some types of laptop computer, their hard drives
were suddenly partially erased, just because of the small magnet placed
about half an inch from the drive.

-- 
Otto Sykora
Basel, Switzerland
[EMAIL PROTECTED] (ROT 13)

------------------------------

From: Eric Norman <[EMAIL PROTECTED]>
Subject: Re: Non-doublespending offline digital money?
Date: Tue, 21 Mar 2000 16:27:32 -0600

matt wrote:
> 
> Could anyone tell me if it is theoretically/physically possible to
> have a digital cash system which is offline, and prevents double
> spending?

If every offline transaction eventually leads to a subtraction
from their account, what double spending is there to worry about?


Eric Norman

        "Congress shall make no law restricting the size of integers
        that may be multiplied together, or the number of times that
        an integer may be multiplied by itself, or the modulus by
        which an integer may be reduced".

------------------------------

From: Derek Bell <[EMAIL PROTECTED]>
Subject: Re: On jamming interception networks
Date: 21 Mar 2000 22:58:42 -0000

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: jungle wrote:
:> > ... Hayden's speech to the Kennedy Political Union.
:> how to get grip of this speech ? on internet, please ...
: It should be on the NSA Web site.

        More specifically, it's at http://www.nsa.gov/releases/speeches.html
in both HTML and Adobe Acrobat formats. Thanks for the pointer, Doug.

        Derek
-- 
Derek Bell  [EMAIL PROTECTED]                |   Socrates would have loved
WWW: http://www.maths.tcd.ie/~dbell/index.html|            usenet.
PGP: http://www.maths.tcd.ie/~dbell/key.asc   |    - [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Steve K)
Crossposted-To: alt.security.scramdisk
Subject: Re: ScramDisk problem : storing PLAIN TEXT PASSPHRASE in the driver cache ...
Date: Tue, 21 Mar 2000 22:47:40 GMT

On Tue, 21 Mar 2000 18:26:36 GMT, [EMAIL PROTECTED] wrote:

<snippity doo dah>

>>Things like this are why I use Scorch on my swapfile...
>
>(It's in locked memory & can't be swapped out anyway!)

Right you are.  OTOH, whatever apps process the files in your
container while it is mounted, can swap out plenty o' plaintext.  

Though Scramdisk itself has an option to wipe the disk cache, and I
use it, I like the belt & suspenders approach.  Who knows, someday I
might actually have something in there that the Bad Guys (TM) want to
get at... and meanwhile, if they come sniffing, I'll make 'em pay
money to find out that there's nothing of interest.

:o)


Steve

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

PGP key 0x5D016218
All others have been revoked.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
