Cryptography-Digest Digest #399, Volume #11      Thu, 23 Mar 00 11:13:01 EST

Contents:
  Applied Zero Knowledge Proof ([EMAIL PROTECTED])
  Re: NIST publishes AES3 papers (John Savard)
  Re: Concerning  UK publishes "impossible" decryption law (Richard Herring)
  Re: Hashes! (newbie question) (Mark Wooding)
  Re: Gray Code like ("Tony T. Warnock")
  Re: DES Decryption Problem (James Muir)
  Prime numbers? (newbie alert) (proton)
  Re: 2048 Bit Encryption? ("Trevor L. Jackson, III")
  Re: NIST publishes AES3 papers (DJohn37050)
  Re: Applied Zero Knowledge Proof (Bob Silverman)
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (Eric Lee Green)
  Re: NIST publishes AES3 papers ("Trevor L. Jackson, III")
  Re: Download Random Number Generator from Ciphile Software (Eric Lee Green)
  Re: NIST publishes AES3 papers ("Trevor L. Jackson, III")
  Re: Applied Zero Knowledge Proof (Tony L. Svanstrom)
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (Tony L. Svanstrom)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Applied Zero Knowledge Proof
Date: Thu, 23 Mar 2000 14:15:58 GMT

Hi everybody,

I'd like to solve a problem that the concept if the zero knowledge proof. Is
there a well-known public algorithm for it ?

My problem:

Authentication via network using a biometric system leads to a symmetric key
problem. But I have a handicap: if someone hacks the server and gets the bio
stream, I cannot change it later, because it's related to a body part, and
cannot be modified.

So, I need a way to prove to the server that I have that bio piece, without
showing him what piece of information I have.

Any ideas ?

I'm working on this solution right now, and as soon as I have anything
applicable, I will announce it. Any ideas or comments are ***very*** welcome.

Regards,
Nelson Junior


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST publishes AES3 papers
Date: Thu, 23 Mar 2000 14:06:45 GMT

On Wed, 22 Mar 2000 21:29:12 -0500, "Trevor L. Jackson, III"
<[EMAIL PROTECTED]> wrote, in part:

>Are there any significant objections to these resolutions?

The participants, some of whom are maintaining proprietary rights to
their algorithms at present, only agreed to let the world use their
algorithms free of charge if they were the _sole_ winner of this.

Hence, selecting multiple winners would either be unfair or pointless
on the basis of that issue.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (Richard Herring)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.security.scramdisk,alt.privacy
Subject: Re: Concerning  UK publishes "impossible" decryption law
Date: 23 Mar 2000 14:28:19 GMT
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> I know a little of engineering, but not enough to say it will work; history
> was my major, at least I know not to repeat history. As for magnets, I
> should maybe take my foot out of my mouth to find a new topic. I have to
> think of different ways to hide data, as 128 bit encryption is not available
> to me as far as I know in Australia,

Not available, or not allowed?
You can easily find it, e.g. http://www.pgpi.org

> and I have heard that 56 k has been decoded by authorities.

56-*bit*? PGP may be crackable with available computer power, but 
triple-DES is probably still way beyond that kind of attack.

-- 
Richard Herring      | <[EMAIL PROTECTED]> 



------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Hashes! (newbie question)
Date: 23 Mar 2000 14:56:34 GMT

Runu Knips <[EMAIL PROTECTED]> wrote:

> AFAIK SHA-1 and RIPE MD160 are the algorithms which are
> considered secure at the moment. RIPE MD160 has been called
> "secure for the next 10 years" by its inventors in the
> original paper from April 1996, therefore we have time
> until the end of 2005 :-) then we need something better.

Indeed.  Both can provide at most 80-bits-worth of security against an
adversary attempting to find collisions.  For SHA, this is fine, since
80 bits fits in nicely with the 80-bit strength of other similar
algorithms designed by the NSA for government use, such as Skipjack and
DSA[1].

I suspect that we need good fast hash functions with at least 256-bit
outputs right now, to go with the good 128-bit block ciphers we already
have and the public-key algorithms we use.  I don't think there can be
much argument that the hash is the weak bit in most digital signature
algorithms at the moment.  Even Eli Biham and Ross Anderson's Tiger, at
192 bits, doesn't seem to offer commensurate security.

Is it that attention hasn't been focussed on designing sufficiently
large hashes, or are they actually really difficult?  Or am I way off
here and worrying about nothing?


[1] Yes, I know FIPS-186 says you can make p up to 1024 bits long, but
    that doesn't matter much because q is still limited to 160 bits and
    you can do Pollard's rho in the order-q subgroup in O(2^80).  I'm
    not sure I can be bothered with p larger than 768 for DSA, unless I
    also increase q.

-- [mdw]
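An added worked example (not part of Mark Wooding's post, and not code from any project named in it): the generic birthday bound behind the "80 bits against collisions" figure, computed for the output sizes discussed above, and then demonstrated by a birthday search against SHA-1 truncated to a few bits so that the collision actually turns up in a fraction of a second. The OUTPUT_BITS table, the truncation and the counter-derived messages are constructed for illustration.

```python
import hashlib
import math

# Output sizes discussed in the thread (bits).  Against an n-bit hash a
# generic birthday search expects a collision after about 2^(n/2) evaluations,
# so a 160-bit hash offers at most ~80 bits of collision resistance.
OUTPUT_BITS = {"SHA-1": 160, "RIPEMD-160": 160, "Tiger": 192, "256-bit hash": 256}


def collision_security_bits(output_bits: int) -> int:
    """log2 of the work a generic collision search needs: half the output size."""
    return output_bits // 2


def expected_birthday_trials(output_bits: int) -> float:
    """Expected number of random evaluations before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** output_bits)


def truncated_sha1(msg: bytes, bits: int) -> int:
    """SHA-1 keeping only its leading `bits` bits: a stand-in for a tiny hash."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - bits)


def find_truncated_collision(bits: int):
    """Generic birthday search against the truncated hash.

    Hashes counter-derived messages (constructed inputs) until two of them
    agree, and returns (msg_a, msg_b, evaluations).  Memory grows with the
    number of trials; a cycle-finding variant would avoid that but needs the
    same order of hash evaluations, which is the point of the bound above."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


if __name__ == "__main__":
    for name, n in OUTPUT_BITS.items():
        print(f"{name:12s} {n:3d}-bit output -> ~2^{collision_security_bits(n)} "
              f"evaluations to find a collision")
    bits = 32
    a, b, trials = find_truncated_collision(bits)
    print(f"{bits}-bit truncation: collision after {trials} evaluations "
          f"(expected ~{expected_birthday_trials(bits):.0f}): {a!r} and {b!r}")
```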

------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: Gray Code like
Date: Thu, 23 Mar 2000 08:06:44 -0700
Reply-To: [EMAIL PROTECTED]



"Vincent J. Perricelli" wrote:

> In article <8ba1v8$942$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> > I have encountered a form of encoding that's very similar to Gray
> > Code, but isn't quite the same. In Gray Code only a single symbol at
> > a single position may change when you move to an adjacent code word.
> > What I'm looking at here is a list of code words where a new symbol
> > is shifted in from the right when you move to the next code word and
> > all codewords are unique.
> >
> > An example: 000 001 010 101 011 111 110 100
> > [...]
> > My question is if anyone knows what this kind of encoding is called
> > and if there is any literature about it and its uses.
>
> You appear to be describing de Bruijn sequences, named after the
> Dutch mathematician N. G. de Bruijn, who first published papers about
> them in (I think) the mid-1940s. I believe work on such sequences
> actually goes back about a century to a French mathematician, whose
> name escapes me.
>
> The literature on de Bruijn sequences is extensive. To get some of
> its flavor, go to the Computer Science Bibliography at:
> http://liinwww.ira.uka.de/bibliography/waisbib.html#search
> Set the maximum number of hits to 170 and use the search string:
> (Bruijn OR deBruijn) AND sequence*. You may also want to look at:
> (Bruijn OR deBruijn) AND graph*.

Flye St. Marie. de Bruijn discusses M. St. Marie's contribution in one of
his papers.


------------------------------

From: James Muir <[EMAIL PROTECTED]>
Subject: Re: DES Decryption Problem
Date: Thu, 23 Mar 2000 15:02:04 GMT

In article <[EMAIL PROTECTED]>,
Chuah Seong Ping <[EMAIL PROTECTED]> wrote:
> Can you help me to debug the bug in my program?
> I can't find it; I have tried very hard.
> I have attached my program here for reference.
> Thank you very much

I don't know Java so I won't be much help in debugging your program.
Perhaps another sci.crypt reader could look at your code.

BTW, I'm sure you can find a DES implementation in Java on the web if
you look hard enough.

Good luck.

-James



------------------------------

From: proton <[EMAIL PROTECTED]>
Subject: Prime numbers? (newbie alert)
Date: Thu, 23 Mar 2000 15:53:49 +0100


Would a prime number instead of an ordinary number
be better for creating randomness?

Would they be better to use for keys/seeds when XOR'ing
streams?

I've also understood how the RSA algorithm works
as it's explained in the crypto FAQ. But I still don't
understand *why* it works, and if prime numbers are
required for it to work...

And to those who immediately think I should go buy
a book: I can't afford books at the moment..

Heh, one final warning too. My math skills aren't all
that good. I barely understood the short RSA description
in the crypto FAQ and managed to verify it on my own
(with a little bit of help from `bc' =))

/proton

------------------------------

Date: Thu, 23 Mar 2000 10:28:57 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: 2048 Bit Encryption?

Anthony Stephen Szopa wrote:

> "the algorithm used in key generation will select randomly from
>  that space"  The algorithm does not select the random numbers.
> Every process requires random user input.  This input is the key.
> The user picks the order of the processes.  The user enters usually
> 10 or 14 different numbers for each process.  The user inputs how
> many times each process is run with different input.  Etc.

This is a perfect example of why people dismiss your software.  The first sentence 
betrays either a complete ignorance of the issues, or a purposeful attempt to confuse 
the truth.  Pure algorithms do not operate randomly, they operate deterministically.  
So the algorithm _cannot_ select "randomly from the space".

Then the second sentence contradicts the first.

The third sentence, "Every process requires random user input" probably represents the 
quality of the software.  Note that it does not describe the amount of entropy 
required.  The paragraph goes on to describe the kinds of parameters of the algorithm, 
but it lacks all rigor.

A useful description of the software would include a quantitative description of the 
randomness managed by the software.  Such a specification would define the precise 
limits on the input as a range of possible numbers measured in bits (the unit of 
entropy -- log of the size of the input space).  Such a spec would also describe 
exactly how much output one could generate based on the input.  Note that in an OTP, 
which your software claims to implement, the output size (ciphertext) is always less 
than or equal to the input size (key material).

You have promised that users can generate extremely large amounts of random output 
based on very small amounts of random input.  This cannot be true.  Either you know it 
is false and are attempting to defraud your customers, or you do not know enough to be 
in the randomness business.
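An added example (not from the post above, and not code from the software it criticises) of the accounting Trevor Jackson asks for: the entropy of a user-input space as log2 of its size, a demonstration that a deterministic expander cannot produce more than 2^k distinct pads from a k-bit seed however long those pads are, and a one-time pad that refuses to emit more ciphertext than it has key material. The SHA-256 counter-mode expander, the "14 numbers from 1..100" input space and the key bytes are constructed assumptions.

```python
import hashlib
import math


def input_entropy_bits(choices_per_field: int, fields: int) -> float:
    """Entropy (bits) of the input space: log2 of how many inputs the user can choose.

    Constructed example: 14 numbers, each drawn from 1..100, gives
    14 * log2(100), about 93 bits, and that is an upper bound on what any
    process fed with those numbers can contain."""
    return fields * math.log2(choices_per_field)


def expand_seed(seed: bytes, out_len: int) -> bytes:
    """Hypothetical deterministic expander (SHA-256 in counter mode).

    It stands in for any 'process' that turns a short input into a long pad;
    the only property used below is that seed -> pad is a function."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def count_distinct_pads(seed_bits: int, pad_len: int) -> int:
    """Enumerate every seed of `seed_bits` bits and count the distinct pads.

    The answer is at most 2**seed_bits no matter how large `pad_len` is:
    the pad carries no more entropy than the seed, only more bytes."""
    if seed_bits > 16:
        raise ValueError("keep the enumeration small: at most 16 seed bits")
    pads = {expand_seed(s.to_bytes(2, "big"), pad_len) for s in range(2 ** seed_bits)}
    return len(pads)


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time pad: ciphertext length can never exceed the key material."""
    if len(key) < len(plaintext):
        raise ValueError("OTP needs at least as much key material as plaintext")
    return bytes(k ^ p for k, p in zip(key, plaintext))


if __name__ == "__main__":
    print(f"14 numbers from 1..100 -> at most {input_entropy_bits(100, 14):.1f} bits of entropy")
    print(f"8-bit seed, 64-byte pads -> {count_distinct_pads(8, 64)} distinct pads of 512 bits")
    key = b"\x01" * 16  # constructed key material, 16 bytes
    print("ciphertext:", otp_encrypt(key, b"sixteen bytes!!!").hex())
    try:
        otp_encrypt(key, b"seventeen bytes!!")
    except ValueError as err:
        print("rejected:", err)
```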


------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: NIST publishes AES3 papers
Date: 23 Mar 2000 15:36:06 GMT

Only free if sole winner is not true.  NIST has always said there might be many
winners.
Don Johnson

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Applied Zero Knowledge Proof
Date: Thu, 23 Mar 2000 15:27:16 GMT

In article <8bd8uh$por$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Hi everybody,
>
> I'd like to solve a problem that the concept if the zero knowledge
> proof.

This isn't a full or grammatically correct sentence. Please explain
what you mean.

> Is there a well-known public algorithm for it ?

What is 'it'?

> My problem:
>
> Authentication via network using a biometric system leads to a
> symmetric key problem. But I have a handicap: if someone hacks the
> server and gets the bio stream, I cannot change it later, because
> it's related to a body part, and cannot be modified.
>
> So, I need a way to prove to the server that I have that bio piece,
> without showing him what piece of information I have.

You can do a bit-commitment scheme if the data you need to prove
is static.

Otherwise you will need to explain more fully the structure of the
information.  What is it *exactly* that you are hiding?

Do you know how to construct a ZKP?  Schneier's book has some
helpful guides. However, AFAIK, there is no textbook written on the
subject.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"



------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: Thu, 23 Mar 2000 15:41:50 GMT

"Tony L. Svanstrom" wrote:
> 
> Mike Caro <[EMAIL PROTECTED]> wrote:
> 
> > I would have no objection to Planet Poker making their random number
> > algorithms public. There are two arguments about that, though. One is that
> > publishing the inner workings of the pseudo-random shuffles invites people
> > to try to decipher the logic. While I know the methods used and don't
> > think people would have much success, you've got to admit that publishing
> > gives scoundrels some minor advantage over not publishing.

I admit nothing of the sort. 

See David Wagner's reverse engineering of the (closed source) Netscape PRNG at
http://www.cs.berkeley.edu/~daw/papers/ for a classic example of how a "bad
guy" would go about reverse-engineering something. We're lucky that in this
case a "good guy" got to the ball first, otherwise we would have had a MAJOR
melt-down in e-commerce as people made "secure" connections that weren't...

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

Date: Thu, 23 Mar 2000 10:51:05 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES3 papers



"David A. Wagner" wrote:

> In article <[EMAIL PROTECTED]>,
> Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
> >         "Resolved, that if NIST selects multiple cipher "winners" then the
> > candidate with the largest margin of strength should be one of them even if it is not
> > close to _optimal_".
>
> You mean, Triple-DES?
> (It's hard to imagine how any of the AES candidates
> can be considered to have a larger margin of strength than
> Triple-DES, at least if one considers assurance of security
> today and amount of analysis done to date.)

Actually I was thinking of Serpent.  But that's because I was considering only the new 
submissions.  It is very hard to discuss "margin of strength" because it is derivative 
of "strength" which is a subjective metric.  The context of the Harvey paper uses 
margin of strength to mean (approximately) the ratio of the round count of the 
proposed cipher to the largest round count for which an attack better than search is 
known.  He apparently believes RC6 to have just enough strength and Serpent, due to 
its internal diversity and specific design goal, to have more than enough security.

As for 3DES, it certainly is stronger if the unit of strength is the amount of effort 
expended on analyzing it without significant results in the open literature.  However, 
it does lack diversity, so some future attack such as a resonant boomerang could be 
very effective against it.

Pragmatically, 3DES is probably going to show up on the cipher menu of any general 
purpose system for historical if not engineering reasons.

But the principle illustrated by the question is not weakened by including 3DES.  
Should 3DES be on the official list of winners?  If there is a primary winner, should 
it be 3DES due to its history of resistance?  Should it _not_ be a winner due to its 
homogeneity?



------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Download Random Number Generator from Ciphile Software
Date: Thu, 23 Mar 2000 15:47:54 GMT

Anthony Stephen Szopa wrote:
> [Lots of off-topic stuff]

But you still haven't answered the question: Is it a cryptographically strong
random number generator (i.e., not only produces a random distribution, but
produces an UNPREDICTABLE random distribution, with various nice qualities
such as, e.g., if you know a dozen output values, you cannot predict the next
output value or backtrack to prior output values). 

Is it cryptographically strong? Yes? Or no?

C'mon, this isn't rocket science, this is elementary boolean logic! 

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax
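An added illustration (not from the post above, and unrelated to the software being discussed) of the test Eric Lee Green describes: a toy linear congruential generator with constructed parameters has a perfectly respectable output distribution, yet three consecutive outputs are enough to recover its parameters, predict the next output and backtrack to the previous one, assuming the modulus is public. A generator that is cryptographically strong in Green's sense must make both of those impossible.

```python
# Toy linear congruential generator: x_{n+1} = (a * x_n + c) mod m.
# Its outputs are well distributed, but each one is an affine function of
# the previous one, which is exactly what "unpredictable" forbids.
MODULUS = 2 ** 31 - 1  # prime, so every non-zero difference is invertible mod m


class ToyLCG:
    """Statistically fine, cryptographically not (constructed parameters)."""

    def __init__(self, a: int, c: int, seed: int, m: int = MODULUS):
        self.a, self.c, self.m, self.state = a, c, m, seed % m

    def next(self) -> int:
        self.state = (self.a * self.state + self.c) % self.m
        return self.state


def recover_lcg(outputs, m: int = MODULUS):
    """Recover (a, c) from three consecutive outputs x1, x2, x3.

    x2 = a*x1 + c and x3 = a*x2 + c (mod m), so subtracting gives
    x3 - x2 = a*(x2 - x1), hence a = (x3 - x2) * (x2 - x1)^-1 mod m,
    and then c = x2 - a*x1 mod m."""
    x1, x2, x3 = outputs[:3]
    if (x2 - x1) % m == 0:
        raise ValueError("need distinct consecutive outputs")
    a = (x3 - x2) * pow(x2 - x1, -1, m) % m
    c = (x2 - a * x1) % m
    return a, c


def predict_next(outputs, m: int = MODULUS) -> int:
    """Predict the output that follows the observed ones (at least three)."""
    a, c = recover_lcg(outputs, m)
    return (a * outputs[-1] + c) % m


def backtrack_previous(outputs, m: int = MODULUS) -> int:
    """Recover the state that preceded outputs[0], i.e. run the LCG backwards."""
    a, c = recover_lcg(outputs, m)
    return (outputs[0] - c) * pow(a, -1, m) % m


if __name__ == "__main__":
    gen = ToyLCG(a=48271, c=12345, seed=42)  # constructed parameters and seed
    observed = [gen.next() for _ in range(3)]
    print("observed:", observed)
    print("recovered (a, c):", recover_lcg(observed))
    print("predicted next:", predict_next(observed), "actual:", gen.next())
    print("previous state:", backtrack_previous(observed), "(seed was 42)")
```

For real key material a practitioner uses the operating system's cryptographic generator (in Python, the secrets module or os.urandom), which is built to pass exactly this test.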

------------------------------

Date: Thu, 23 Mar 2000 10:57:49 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: NIST publishes AES3 papers

John Savard wrote:

> On Wed, 22 Mar 2000 21:29:12 -0500, "Trevor L. Jackson, III"
> <[EMAIL PROTECTED]> wrote, in part:
>
> >Are there any significant objections to these resolutions?
>
> The participants, some of whom are maintaining proprietary rights to
> their algorithms at present, only agreed to let the world use their
> algorithms free of charge if they were the _sole_ winner of this.

I suspect they might settle for being the "primary" winner, which would limit the 
selection of "secondary" winners to those without encumbrance.

>
> Hence, selecting multiple winners would either be unfair or pointless
> on the basis of that issue.

I don't see the unfairness.  Who would lose?

As for pointless, I disagree.  Would the participants _object_ to being selected?  I 
doubt it.  They might maintain their legal encumbrance but still be qualified as an 
approved AES candidate.  Then it would be up to them to market their property against 
the equally approved, but free, alternatives.  Tough sell.  That means either a very 
small niche, or very low (i.e., negligible) fees.  As long as NIST selects one 
unencumbered cipher the others will experience this constraint.


------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Subject: Re: Applied Zero Knowledge Proof
Date: Thu, 23 Mar 2000 17:00:41 +0100

<[EMAIL PROTECTED]> wrote:

> So, I need a way to prove to the server that I have that bio piece,
> without showing him what piece of information I have.
> 
> Any ideas ?

How about a checksum and an identifier pointing to the information which
it belongs to...


     /Tony
-- 
     /\___/\ Who would you like to read your messages today? /\___/\
     \_@ @_/  Protect your privacy:  <http://www.pgpi.com/>  \_@ @_/
 --oOO-(_)-OOo---------------------------------------------oOO-(_)-OOo--
 DSS: 0x9363F1DB, Fp: 6EA2 618F 6D21 91D3 2D82  78A6 647F F247 9363 F1DB
 -----------------------------------------------------------------------
    \O/   \O/  (c)1999  <http://www.svanstrom.com/?ref=news>  \O/   \O/

------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: Thu, 23 Mar 2000 17:09:48 +0100

Mike Caro <[EMAIL PROTECTED]> wrote:

> It is my policy not to respond to messages that were posted to more
> than one newsgroup. But since you're a contributor in good standing at
> rec.gambling.poker,

Thank you, there are two reasons for me to include crypto-related NGs
every now and then. First of all, I feel that it will be good for poker
if people working with such things become more active when it comes to
on-line poker-related matters; the second reason is something I think I
shouldn't openly admit...  I'm just very pro-open source when it comes
to security and I knew the people in sci.crypt would be "on my side". ;)

> I will tell you that I had nothing whatsoever to do with developing any of
> the algorithms that Planet Poker uses to generate pseudo-random numbers.

I didn't think that you'd designed it, I asked how much crypto-related
programming you've done simply because you said this:

> > > While I know the methods used and don't think people would have much
> > > success,

Just wanted to know if you had a background within a related field.

> > > you've got to admit that publishing gives scoundrels some minor
> > > advantage over not publishing.

Nope, I don't, and not many would agree with you.


     /Tony

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
