Cryptography-Digest Digest #411, Volume #11      Fri, 24 Mar 00 11:13:01 EST

Contents:
  Re: OAP-L3:  Answer me these? ("Trevor L. Jackson, III")
  Re: OAP-L3:  Answer me these? ("Trevor L. Jackson, III")
  Re: OAP-L3:  Answer me these? (Volker Hetzer)
  Re: Open source or not. (Was: Re: Planet Poker Claims...) ("Gary Carson")
  Re: bigfloat works (kinda) ("Michael Scott")
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (Tony L. Svanstrom)
  Re: "THE DES, An Extensive Documentation and Evaluation" - from Aegean Press. (Mike Andrews)
  Start of Cipher Contest ("Adam Durana")
  Re: Code Book : 5th stage (smuggdot)
  Re: multiple encryption ([EMAIL PROTECTED])
  Re: Fastest DES implementation on Intel PIII ? (Runu Knips)
  Re: NIST publishes AES3 papers (David A. Wagner)
  Re: Re-seeding PRNG's in central key distribution systems (Doug Stell)
  Re: "THE DES, An Extensive Documentation and Evaluation" - from Aegean Press. (Doug Stell)

----------------------------------------------------------------------------

Date: Fri, 24 Mar 2000 08:29:32 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Answer me these?

Anthony Stephen Szopa wrote:

> OAP-L3:  Answer me these?
>
> Where is the bias in any of the procedures and processes in OAP-L3?
>
> Where is any bias introduced into any of the procedures and processes
> found in OAP-L3 when used according to recommendations?
>
> What conclusions can we draw if there are no biases in any of the
> procedures and processes, and no biases introduced in
> any of the procedures and processes used in OAP-L3?

The more important conclusion is drawn from the fact that you refuse to
provide sufficient information for an objective observer to determine whether
biases exist or not.  But I'll offer an inducement that you may find useful as
an endorsement.  I'll put up $1,000.00.  You put up $10,000.00, and publish
all of your source code.  If no one finds any flaws in your product within 60
days you keep my money, and you get to advertise the fact that your software is
flawless.  Otherwise I'll split your money with the people who find the flaws
in your software.

Now if you are right about the quality of OAP-L3 you stand to make a quick
grand.  You _do_ believe in your software don't you?


------------------------------

Date: Fri, 24 Mar 2000 08:34:48 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Answer me these?

Tom St Denis wrote:

> Right after quantum computers come out you can use a million bit key :)

Should we re-encrypt all of our old messages with the new keys?  How do we get
our opponents to let us re-encrypt the messages they have saved that were
encrypted with the old keys?

>
>
> Until then it's a waste of resources.  Of course if you are using an AES
> cipher why not just go with a 256-bit key.  My main point was relating to
> these million-bit ciphers people are making.
>
> [foot in mouth situation on] In my library CB I actually use the largest
> possible key for all the symmetric ciphers it includes.  For RC5 for example
> I use 256 bit keys, 20 rounds, etc...[foot in mouth off]
>
> Cheers,
> Tom
>
> Joseph Ashwood <[EMAIL PROTECTED]> wrote in message
> news:e#aujAVl$GA.215@cpmsnbbsa02...
> > I think we have to part company a bit on this. I am not
> > comfortable saying that quantum computers won't become a
> > reality in my lifetime. With a quantum computer 160-bit
> > encryption becomes equivalent to an 80-bit cipher on a
> > standard computer. I'm not comfortable trusting long term
> > security to only 80 effective bits.
> >                 Joe
> >
> > "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> > news:_LBC4.65775$[EMAIL PROTECTED]...
> > >
> > > <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > How is it a waste of resources when it can be broken by
> > someone?  Are
> > > > you saying that 160 is unbreakable?
> > >
> > > Searching 2^160 keys in any cipher is not feasible.  You
> > would have to find
> > > a faster way to break the cipher.
> > >
> > > See my post on 'what is a 2048 bit cipher'.
> > >
> > > Tom
> > >
> > >
> >
> >


------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Answer me these?
Date: Fri, 24 Mar 2000 14:14:27 +0000

"Trevor L. Jackson, III" wrote:
> If no one finds any flaws in your product within 60
> days you keep my money, and you get to advertise the fact that your software is
> flawless.  Otherwise I'll split your money with the people who find the flaws
> in your software.
Of course, this only works if he posts the source code that he actually uses.

Volker
-- 
Hi! I'm a signature virus! Copy me into your signature file to help me spread!

------------------------------

From: "Gary Carson" <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: Fri, 24 Mar 2000 07:53:47 -0600




Mike Caro wrote in message ...
>On Thu, 23 Mar 2000 15:41:50 GMT, Eric Lee Green <[EMAIL PROTECTED]>
>wrote:



>Think about it not from a standpoint of unraveling the secrets, but in
>the context of what you'd do under those circumstances if you wanted
>to make sure nobody robbed your store next month.

There has been a lot of social science research on store robbery.  One of
the simplest, and most effective, things you can do to prevent a robbery is
keep your windows unobstructed.  Making sure that anybody can look inside
tends to keep the bad guys away.

For whatever that's worth.

Gary Carson




------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: bigfloat works (kinda)
Date: Fri, 24 Mar 2000 14:20:48 -0000

Those interested in point-counting might have a look at an early beta of a
Windows Command Prompt utility schoof2.exe available from

ftp://ftp.compapp.dcu.ie/pub/crypto/schoof2.exe

This counts the points on an elliptic curve defined over GF(2^m). In one
test the points on a curve defined over GF(2^191) were counted. This took 40
minutes on a Pentium III 450MHz. No source code as yet, but it will be
available in a week or two. A much faster Schoof-Elkies-Atkin implementation
is next on my to-do list. For complete solutions (CM, Schoof,
Schoof-Elkies-Atkin) to point counting for elliptic curves defined over
GF(p), see http://indigo.ie/~mscott


Mike Scott

"lordcow77" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Calculating the group order of the set of points on an elliptic
> curve modulo a prime requires different algorithms than those
> used for curves defined over a polynomial or normal basis. If
> you are currently trying to understand how the basic elliptic curve
> encryption algorithm works, I do not suggest trying to learn
> about point counting algorithms, especially over arbitrary
> primes! If you truly want to get started, try reading the
> Complex Multiplication method in the appendix of P1363. Any
> point counting algorithm for general curves of cryptographic
> interest will be rather involved though...



------------------------------

From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: Fri, 24 Mar 2000 15:26:00 +0100

Gary Carson <[EMAIL PROTECTED]> wrote:

> There has been a lot of social science research on store robbery.  One of
> the simplest, and most effective, things you can do to prevent a robbery
> is keep your windows unobstructed.  Making sure that anybody can look
> inside tends to keep the bad guys away.

Hey, that works great... Just look at the pope and his car, and AFAIK he
hasn't been robbed in his car. ;-)


     /Tony
-- 
     /\___/\ Who would you like to read your messages today? /\___/\
     \_@ @_/  Protect your privacy:  <http://www.pgpi.com/>  \_@ @_/
 --oOO-(_)-OOo---------------------------------------------oOO-(_)-OOo--
 DSS: 0x9363F1DB, Fp: 6EA2 618F 6D21 91D3 2D82  78A6 647F F247 9363 F1DB
 ---���---���-----------------------------------------------���---���---
    \O/   \O/  ©1999  <http://www.svanstrom.com/?ref=news>  \O/   \O/

------------------------------

From: [EMAIL PROTECTED] (Mike Andrews)
Subject: Re: "THE DES, An Extensive Documentation and Evaluation" - from Aegean  Press.
Date: Fri, 24 Mar 2000 14:41:21 GMT

Jack Diamond <[EMAIL PROTECTED]> wrote:
: DES is filled with trap doors, so you might learn as much by doing
: simple distribution analysis and finding them.

Care to point any out in this group? 

-- 
"Usenet is like a herd of performing elephants with diarrhea -- massive,
 difficult to redirect, awe-inspiring, entertaining, and a source of mind-
 boggling amounts of excrement when you least expect it."
                       -- Gene "spaf" Spafford (1992)

------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Start of Cipher Contest
Date: Fri, 24 Mar 2000 09:56:26 -0500

Hi,

I haven't had a chance to update the web site yet, but I would like to go
ahead and start the contest.  As it stands now there is no deadline for
ciphers.  All ciphers will be put into a list ordered by the date they were
submitted.  When a weakness is found in a cipher in the listing it will be
removed from the list.  The author has the option to fix the problem and
resubmit it, but this is not required.  Besides the requirement that an
entry have no known weaknesses, the entry must also be a block cipher.  The
resource requirements for the cipher must be justified if they are extreme.
This is to avoid people submitting ciphers that use a huge amount of
resources for no good reason, i.e. 1024 rounds, 50 MB of tables, etc.

All submissions should be accompanied by a paper describing the cipher; this
paper will cover design decisions and such things, and any analysis done.
ALL CIPHERS SHOULD BE ANALYZED BEFORE BEING SUBMITTED.  I am well aware that
a lot of us lack the skills or understanding to do some of the advanced
attacks such as linear and differential analysis.  So do the best you can;
basically, show the proof that convinced you the cipher was secure.  The
paper is the meat of the submission, so participants should spend more time
on that than any other part.  Poorly written papers will make analysis much
harder, so entries with poor papers may be removed from the listing until the
author revises the paper.

Submissions should also include reference code in ANSI C.  The source code
should include basic routines such as: cipher_init, cipher_block_encrypt,
cipher_block_decrypt, cipher_encrypt, cipher_decrypt, and cipher_cleanup.
cipher_block_en/decrypt should en/decrypt a single block of data.
cipher_en/decrypt should be able to encrypt an entire array of blocks.  If
cipher_cleanup is not needed by your entry it does not need to be included.
If you do not fully understand the requirements for the source code part of
the submission, I will be posting some sample source code on the web site to
further explain this.

And finally the submission should include test vectors.  So a submission will
consist of 3 parts: paper, source code (one file), and test vectors (text
file).  One thing about the paper: please use a standard document format;
not all of us have Microsoft Word.  So please use either a text file, an
Adobe PDF or a PostScript file.  If you can submit your paper in more than
one format that would be great.  All submissions should be sent in an archive
format, zip file or tarball please.

If you have any questions please don't hesitate to email me or post them.
Entries should be emailed to [EMAIL PROTECTED].  Entries should not be sent
to me!  I will send you a message once your entry has been received.  I will
set up a listing of the ciphers on the web site soon.  Failure to comply with
any of the requirements will delay your cipher from being entered into the
listing.  So do it right the first time.

Good luck!

- Adam
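The following is an added example of the reference-code layout the post asks for; it is not the contest's sample code nor any entrant's submission. It implements the six named routines around a constructed toy 64-bit Feistel cipher with a 128-bit key (the block size, key size, round count, key schedule and round function are all assumptions chosen for illustration and carry no security claim) and prints one test vector in the form a submission's text file would carry. Because the post specifies no chaining mode, cipher_encrypt and cipher_decrypt process each block of the array independently.

```c
/* Example reference-code skeleton for a contest entry: the six routines named
   in the post, wired to a constructed toy 64-bit Feistel cipher with a 128-bit
   key.  The toy round function exists only so the skeleton compiles and
   round-trips; it is not a submission and has no security claims. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_BYTES 8
#define KEY_BYTES   16
#define ROUNDS      8

typedef struct {
    uint32_t rk[ROUNDS];            /* round subkeys produced by cipher_init */
} cipher_ctx;

static uint32_t rotl32(uint32_t x, unsigned r) { return (x << r) | (x >> (32 - r)); }
static uint32_t load32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Toy round function: add the subkey, then mix with rotations (illustration only). */
static uint32_t round_f(uint32_t x, uint32_t rk) {
    x += rk;
    return rotl32(x, 5) ^ rotl32(x, 13) ^ (x >> 7);
}

/* cipher_init: derive the round subkeys from the user key (toy schedule). */
void cipher_init(cipher_ctx *ctx, const uint8_t key[KEY_BYTES]) {
    for (int r = 0; r < ROUNDS; r++)
        ctx->rk[r] = rotl32(load32(key + 4 * (r % 4)) ^ (0x9E3779B9u * (uint32_t)(r + 1)),
                            (unsigned)(r + 1));
}

/* cipher_block_encrypt / cipher_block_decrypt: exactly one 8-byte block each. */
void cipher_block_encrypt(const cipher_ctx *ctx, const uint8_t in[BLOCK_BYTES], uint8_t out[BLOCK_BYTES]) {
    uint32_t l = load32(in), r = load32(in + 4);
    for (int i = 0; i < ROUNDS; i++) {
        uint32_t t = r;
        r = l ^ round_f(r, ctx->rk[i]);
        l = t;
    }
    store32(out, r); store32(out + 4, l);          /* undo the final swap */
}
void cipher_block_decrypt(const cipher_ctx *ctx, const uint8_t in[BLOCK_BYTES], uint8_t out[BLOCK_BYTES]) {
    uint32_t l = load32(in), r = load32(in + 4);
    for (int i = ROUNDS - 1; i >= 0; i--) {        /* same network, subkeys reversed */
        uint32_t t = r;
        r = l ^ round_f(r, ctx->rk[i]);
        l = t;
    }
    store32(out, r); store32(out + 4, l);
}

/* cipher_encrypt / cipher_decrypt: an array of nblocks whole blocks, handled
   block by block (the post names no chaining mode, so none is added). */
void cipher_encrypt(const cipher_ctx *ctx, const uint8_t *in, uint8_t *out, size_t nblocks) {
    for (size_t i = 0; i < nblocks; i++)
        cipher_block_encrypt(ctx, in + i * BLOCK_BYTES, out + i * BLOCK_BYTES);
}
void cipher_decrypt(const cipher_ctx *ctx, const uint8_t *in, uint8_t *out, size_t nblocks) {
    for (size_t i = 0; i < nblocks; i++)
        cipher_block_decrypt(ctx, in + i * BLOCK_BYTES, out + i * BLOCK_BYTES);
}

/* cipher_cleanup: wipe expanded key material; volatile stops the store being optimised away. */
void cipher_cleanup(cipher_ctx *ctx) {
    volatile uint8_t *p = (volatile uint8_t *)ctx;
    for (size_t i = 0; i < sizeof *ctx; i++) p[i] = 0;
}

/* Round-trip self-test over a constructed key and three blocks; returns 1 on success. */
int cipher_selftest(void) {
    static const uint8_t key[KEY_BYTES] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
                                            0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
    uint8_t pt[3 * BLOCK_BYTES], ct[3 * BLOCK_BYTES], back[3 * BLOCK_BYTES];
    cipher_ctx ctx;
    for (size_t i = 0; i < sizeof pt; i++) pt[i] = (uint8_t)(i * 37 + 11);   /* constructed data */
    cipher_init(&ctx, key);
    cipher_encrypt(&ctx, pt, ct, 3);
    cipher_decrypt(&ctx, ct, back, 3);
    cipher_cleanup(&ctx);
    return memcmp(pt, back, sizeof pt) == 0 && memcmp(pt, ct, sizeof pt) != 0;
}

/* Prints one test vector in the form the submission's text file would carry. */
int main(void) {
    static const uint8_t key[KEY_BYTES] = {0};
    uint8_t pt[BLOCK_BYTES] = {0}, ct[BLOCK_BYTES];
    cipher_ctx ctx;
    cipher_init(&ctx, key);
    cipher_block_encrypt(&ctx, pt, ct);
    printf("key = 00*16, pt = 00*8, ct =");
    for (int i = 0; i < BLOCK_BYTES; i++) printf(" %02x", ct[i]);
    printf("\nself-test: %s\n", cipher_selftest() ? "ok" : "FAILED");
    cipher_cleanup(&ctx);
    return 0;
}
```

A real entry would replace round_f and cipher_init with the cipher described in its paper and keep the same six entry points, so that the test vectors printed by main can be checked against the text file shipped with the submission.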



------------------------------

From: smuggdot <[EMAIL PROTECTED]>
Subject: Re: Code Book : 5th stage
Date: Fri, 24 Mar 2000 14:59:18 GMT

Isabelle wrote:

> I can't decode the 5th stage of the Simon Singh's Code Book : could
> somebody help me ?
>
> I just want to know if it is a binary operation or a coding from an
> original text (as the "declaration of independance"))
> Thanks

Haven't tried to decode it either but it's most probably a book cipher;
it's placed between the Vigenère cipher and the Playfair cipher, which is
about the time of the Beale cipher.

If you have the French version of the book, try the parts written in
English first (like the translation of La Disparition if that's included)
because the ciphers 2-10 are in the same language everywhere.

--
Just because you're paranoid,
don't mean they're not after you.



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: multiple encryption
Date: 24 Mar 2000 15:04:44 GMT

In a previous article,  Vlad  <[EMAIL PROTECTED]> writes:
> Hello.
>Thanks for your replies on this subject. I am sorry that I've made
>repeating postings - it was my mistake while I was working with Deja.
>As I understood from recent discussions I should make analysis to
>determine whether the generated keys form a group or not. Is there
>any particular method (software library ) for that ? 

Forget software library. You should derive the algebraic formulae and use
mathematical proofs to determine whether or not the keys form a group.


>Is it possible
>to determine the encryption strength of group of keys( does this
>task has decision at all)?

Yes it has. Each element E_k in a group has an order o(E_k), such that 
E_k^(o(E_k)-1), i.e. iteration of E_k a number of o(E_k)-1 times, is the
identity mapping. Applied to practical cryptography, this means that if the
key size is 64-bits and o(E_k) = 2^16 for all (non weak) key specific encrypt
functions E_k, then any E_k can be broken by the following procedure:

0. Assume that you have one plain text block T and its corresponding cipher
block C.
1. Find a way to divide the group of keys into its 2^48 subgroups by choosing
one generator from each. More specifically, you should find a fast method to
choose a non weak key that does not belong to any subgroup in a given set.
2. Choose a generator E_ki of some subgroup using the method described in 1.
3. Iterate C0 = C, Cn = E_ki(C(n-1)) a number of 2^16 times, or until Cn = T.
4. If Cn = T goto 6.
5. Store E_ki in your set of used subgroup generators and goto 2.
6. The function E_k you are looking for is equivalent to E_ki^n.

The beauty of this procedure is that it in this case requires about 256 times
as many encryptions as a regular brute force attack (about (2^16)*(2^25) and
2^33 respectively given the birthday paradox), but at the same time 256 times
less data storage capacity (about 2^25 keys instead of 2^33 keys given the
birthday paradox). This is likely to make the entire procedure faster if the
key initialization phase is substantially more time consuming (more than 256
times) than the encryption itself. One might also note 2^25 keys are easily
stored on the hard drive of any PC, while 2^33 are probably too many.

If the numbers were reversed, i.e. o(E_k) = 2^48 for each non weak key k,
then you might use the following procedure instead:

1. Find 2^16 keys each belonging to distinct subgroups, initialize them all
and store the initialized key data (I guess it should be altogether about
200-300MB for most 64-bit ciphers) in a matrix in the heap.
2. For i := 1 to 2^16 do
3. C0i := C
4. n := 1
5. For i := 1 to 2^16 do
6. Cni := E_ki(C(n-1)i)
7. If Cni = T then goto 9
8. n := n + 1; Goto 5
9. The function E_k you are looking for is equivalent to E_ki^n.

This procedure will be done after 2^16 key initializations and about 2^16*2^25
encryptions (given the birthday paradox).

Conclusion: If you are constructing a cipher, then you should either make sure
that there are no proper subgroups of keys, or that each valid key belongs to
a distinct subgroup of some theoretic supergroup of keys.


>Can anyone suggest references to materials for further reading on
>this topic (especially in Internet).

Contact a university near you...
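The following is an added toy model of the subgroup-cycling idea behind both procedures in the post above; it is neither the poster's code nor a real cipher. The cipher is constructed for illustration: 8-bit blocks and E_k(x) = a*x + b mod 256 with a odd, key k = (a, b). These maps are closed under composition, so the key-specific encryption functions form a group and every E_k has an order o(E_k) just as the post assumes. The attack function carries out steps 3 to 6 of the first procedure for one subgroup generator (the second procedure runs the same iteration over many generators in parallel); the only addition to the post's loop is that it checks all known plaintext/ciphertext pairs rather than a single block before accepting the exponent n. The exponent it finds satisfies E_g^n(C) = T, so E_g^n is an equivalent decryption map for the unknown key, and the demo verifies that equivalence on every block.

```python
"""Toy model of the 'keys form a group' weakness discussed in the post.

Constructed for illustration only: the cipher is E_k(x) = a*x + b mod 256
with a odd and key k = (a, b).  These maps form a group under composition
(the affine group on Z/256), so each E_k has an order o(E_k) as in the post.
"""

BLOCK_MOD = 256          # 8-bit blocks: every map can be tabulated exhaustively
IDENTITY = (1, 0)        # key of the identity map x -> x


def encrypt(key, x):
    a, b = key
    return (a * x + b) % BLOCK_MOD


def compose(k1, k2):
    """Key of E_k1 o E_k2: E_k1(E_k2(x)) = a1*a2*x + a1*b2 + b1."""
    a1, b1 = k1
    a2, b2 = k2
    return ((a1 * a2) % BLOCK_MOD, (a1 * b2 + b1) % BLOCK_MOD)


def power_key(key, m):
    """Key of E_k^m, i.e. E_k iterated m times (m = 0 gives the identity)."""
    result = IDENTITY
    for _ in range(m):
        result = compose(key, result)
    return result


def order(key):
    """o(E_k): smallest n >= 1 such that E_k^n is the identity map."""
    cur, n = key, 1
    while cur != IDENTITY:
        cur = compose(key, cur)
        n += 1
    return n


def cycling_attack(gen, pairs):
    """Steps 3-6 of the post's first procedure, for one subgroup generator.

    gen   : key of a generator E_g of the cyclic subgroup that contains the
            unknown E_k (the post's E_ki)
    pairs : known (plaintext, ciphertext) pairs under the unknown key

    Iterate C_n = E_g(C_{n-1}) from each ciphertext until every ciphertext
    has turned back into its plaintext.  The n found gives E_g^n(C) = T for
    all pairs, so E_g^n is an equivalent decryption map for the unknown key.
    Checking several pairs guards against stopping at an accidental
    single-block coincidence; the post's loop compares one block only.
    Returns None if E_k is not in the subgroup generated by E_g.
    """
    states = [c for _, c in pairs]
    for n in range(1, order(gen) + 1):
        states = [encrypt(gen, s) for s in states]
        if all(s == t for (t, _), s in zip(pairs, states)):
            return n
    return None


def demo():
    """Recover an equivalent decryption map for a constructed secret key."""
    gen = (3, 1)                     # generator of one cyclic subgroup
    secret = power_key(gen, 37)      # unknown key; secretly E_gen^37
    pairs = [(t, encrypt(secret, t)) for t in (0x41, 0xC3)]   # constructed pairs
    n = cycling_attack(gen, pairs)
    dec = power_key(gen, n)
    # the recovered map must invert the secret key on every block, not just
    # on the known pairs
    ok = all(encrypt(dec, encrypt(secret, v)) == v for v in range(BLOCK_MOD))
    return n, ok


if __name__ == "__main__":
    n, ok = demo()
    print(f"o(E_gen) = {order((3, 1))}, exponent n = {n}, inverts all blocks: {ok}")
```

The cost model in the post follows directly: the work per subgroup is bounded by o(E_g) encryptions of a cheap map, while key initialisation happens once per generator rather than once per candidate key. A cipher designer avoids the whole issue by making sure the key-specific maps are not closed under composition, which is the post's conclusion.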



------------------------------

Date: Fri, 24 Mar 2000 16:09:54 +0100
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Fastest DES implementation on Intel PIII ?

Pascal JUNOD schrieb:
> Hi, I'm seeking the fastest DES implementation on the Intel platform.
> Any suggestion ?

www.openssl.org

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: NIST publishes AES3 papers
Date: 24 Mar 2000 06:49:27 -0800

In article <#$CMhOVl$GA.154@cpmsnbbsa02>,
Joseph Ashwood <[EMAIL PROTECTED]> wrote:
> Actually most implementations [of 3DES] only use 2 keys, because of
> the meet in the middle attack.

That's just plain not true.

Most implementations of 3DES that I've seen use 3 keys.

And anyway, if you are worried about MITM attacks, using
2 keys is a silly response -- it doesn't add any protection
against MITM attacks, and is definitely weaker against
some attacks.

------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: Re-seeding PRNG's in central key distribution systems
Date: Fri, 24 Mar 2000 15:22:43 GMT

On 24 Mar 2000 10:52:08 GMT, [EMAIL PROTECTED] (Mark Currie) wrote:

>Hi,
>
>Consider a system where public and private keys are generated by a central 
>source and distributed to users (often the case in smart card systems). For 
>this example we will assume that RSA(CRT) public and private keys are issued to 
>users (possibly on smart cards). If the private RSA prime factors p & q are 
>found using the output of a prng, it may be possible for a user (knowing his 
>private keys p & q) to predict what other user's private keys are. Since his p 
>or q (depending on which one was generated last) can reflect the last state of 
>the prng, he can predict what the next state will be. He can use the same 
>algorithm as the central authority to find the next primes for p & q. He can 
>continue with this for all subsequent user keys until the prng is re-seeded.

Nonsense! An essential requirement of a cryptographically secure PRNG
is that you CAN NOT predict the next output of the PRNG, even if you know all
the previous outputs. The output of the PRNG should not just be the
state of the thing. The internal state is well hidden by a one-way
function.

>In general when using a central key distribution system, it should be a rule 
>that if a prng is used then it MUST be re-seeded from a quality random source 
>before each new key set is generated. 

In that case, why would they be using a PRNG (P=pseudo)? Why not just
use a real source of randomness, an RNG, without the P?

doug
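Two constructed generators, added here as an example and not taken from either poster, make the disagreement above concrete: one hands out its internal state as the output (the situation the quoted post describes), the other separates output and state update behind one-way functions and supports reseeding. Both are built on SHA-256 so the code runs offline; neither is offered as a replacement for a vetted CSPRNG, and the class and function names are this example's own.

```python
"""Constructed generators showing whether an observed output reveals state.
Neither is a recommendation; both are illustration only."""
import hashlib
import os


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (prefix strings give domain separation)."""
    return hashlib.sha256(b"".join(parts)).digest()


class StateLeakingPRNG:
    """Constructed weak design: the output *is* the next internal state.

    This is the scenario in the quoted post: whoever learns one output (for
    example a key derived from it) knows the state and hence every later
    output until the generator is reseeded."""

    def __init__(self, seed: bytes) -> None:
        self.state = _h(b"seed", seed)

    def next_bytes(self) -> bytes:
        self.state = _h(self.state)
        return self.state


def leaky_successor(observed_output: bytes) -> bytes:
    """What anyone holding one output of StateLeakingPRNG can compute: the
    very next output, with no secret involved."""
    return _h(observed_output)


class OneWayPRNG:
    """Output and state update are separate, domain-separated one-way functions
    of the state.  An output is not the state, and under SHA-256 preimage
    resistance it does not let an observer recover the state or the next
    output.  reseed() folds fresh entropy into the state."""

    def __init__(self, seed: bytes) -> None:
        self.state = _h(b"seed", seed)

    def next_bytes(self) -> bytes:
        out = _h(b"out", self.state)
        self.state = _h(b"next", self.state)    # ratchet: old state is discarded
        return out

    def reseed(self, entropy: bytes) -> None:
        self.state = _h(b"reseed", self.state, entropy)


def demo_leak(seed: bytes = b"constructed seed") -> bool:
    """True if one observed output of the leaky design predicts the next one."""
    g = StateLeakingPRNG(seed)
    first, second = g.next_bytes(), g.next_bytes()
    return leaky_successor(first) == second


def demo_hidden_state(seed: bytes = b"constructed seed") -> bool:
    """True if, for the one-way design, the output neither equals the state
    nor lets the same trick (hash the output) reproduce the next output."""
    g = OneWayPRNG(seed)
    first = g.next_bytes()
    state_after_first = g.state
    second = g.next_bytes()
    return first != state_after_first and leaky_successor(first) != second


def demo_reseed(seed: bytes = b"constructed seed") -> bool:
    """True if two generators sharing a seed diverge once one is reseeded
    with fresh entropy, as the quoted post recommends before each key set."""
    a, b = OneWayPRNG(seed), OneWayPRNG(seed)
    a.reseed(os.urandom(32))
    return a.next_bytes() != b.next_bytes()


if __name__ == "__main__":
    print("leaky design predictable from one output:", demo_leak())
    print("one-way design hides its state:", demo_hidden_state())
    print("reseeding diverges the stream:", demo_reseed())
```

The one-way design is the property the reply insists on; the leaky design is what the quoted post's scenario requires. Reseeding from a real entropy source before each key set, as the quoted post suggests, is sound practice for either design, but only the one-way design survives a single exposed output in between.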

------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: "THE DES, An Extensive Documentation and Evaluation" - from Aegean Press.
Date: Fri, 24 Mar 2000 15:27:01 GMT

On Fri, 24 Mar 2000 10:34:45 GMT, Jack Diamond <[EMAIL PROTECTED]>
wrote:

>DES is filled with trap doors, so you might learn as much by doing
>simple distribution analysis and finding them.

The experts have been evaluating DES for 22+ years and have not found
this to be the case. In fact, they have found just the opposite.
Although there was much suspicion about DES for much of its life, it
has pretty well evaporated in light of recent discoveries.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
