Cryptography-Digest Digest #541, Volume #11      Thu, 13 Apr 00 13:13:01 EDT

Contents:
  Where to post treatise? ([EMAIL PROTECTED])
  Re: Regulation of Investigatory Powers Bill (Jill)
  Re: SHA2 ([EMAIL PROTECTED])
  Re: Regulation of Investigatory Powers Bill (Jill)
  Re: O(...) - Newbie question (Bob Silverman)
  Re: Where to post treatise? (David A Molnar)
  Re: Is AES necessary? (Jerry Coffin)
  Re: SHA2 (Francois Grieu)
  Re: SHA2 (Diet NSA)
  Re: Is AES necessary? (Mok-Kong Shen)
  Q: NTRU's encryption algorithm (Mok-Kong Shen)
  TDMA CAVE encryption (Matt Linder)
  Re: OAP-L3: Semester 1 / Class #1 All are invited. (Lincoln Yeoh)
  Re: Cipher Contest Update (Boris Kazak)
  Re: new Echelon article (Diet NSA)
  Re: Q: Entropy (James Felling)
  Re: GSM A5/1 Encryption (Lincoln Yeoh)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Bob Silverman)
  Re: Encode Book? (James Felling)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Bob Silverman)
  Re: Miami Herald article about ATM ripoffs (Lincoln Yeoh)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Where to post treatise?
Date: Thu, 13 Apr 2000 14:30:53 GMT

Hi all,
I've invented a pretty good data encryption algorithm and I have
written a treatise about it. But I don't know where to post the
treatise. What magazines are standard in this respect? Can you suggest?
Best,
Yan.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Jill <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill
Date: Thu, 13 Apr 2000 16:12:25 +0100

I would suggest that the 'protest' files of random data that I suggested
in an earlier posting are not generated by any current encryption
algorithm for the following reason.
Let's suppose that a number theorist discovers a detectable signature in
data encrypted by algorithm 'X',
where X is Blowfish, PGP, etc.  This may not allow decryption but
nevertheless will detect the hand of the algorithm in the data.  You
will then have a data file that the authorities can determine to be the
product of algorithm 'X' but for which you can provide no meaningful key
(oops!).
I would favour the use of genuine random data created by diode noise,
radioactive decay or some other genuinely random source.  Failing that I
would use a strong random number generator rather than an encryption
algorithm.  Cryptography is powerfully counter-intuitive and what seem
like good ideas can be fundamentally broken.  If you use random data for
this purpose and new analysis methods come along then these will only
serve to show that the file *is* random data.  This is by far the safest
course in a very complex and poorly understood field.

Andrew Le Couteur Bisson



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: SHA2
Date: Thu, 13 Apr 2000 15:10:31 GMT

Mark Wooding <[EMAIL PROTECTED]> wrote:
> I'd like to propose AHS, for Advanced Hash Standard.  But then again,
> I'm feeling a bit childish today.

No, no, no. All acronyms should be one of the following:

1. Recursive, such as GNU, LAME, etc. SHS - SHS is a Hashing Standard.

2. Begin with YA, such as innumerable programs. YASHA.

3. Be totally incomprehensible, such as UTC. HAS - letters jumbled to
   appease part of the standards body.

4. As a last resort, you can add a prefix letter denoting your name,
   or mix and match the above three.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: Jill <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,alt.computer.security
Subject: Re: Regulation of Investigatory Powers Bill
Date: Thu, 13 Apr 2000 16:17:13 +0100

Further to my previous posting I believe that suitable, genuinely random
data can be obtained, free of charge, from the SETI screensaver
project!!!

Andrew Le Couteur Bisson



------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: O(...) - Newbie question
Date: Thu, 13 Apr 2000 15:07:01 GMT

In article <8d3dqn$4i0$[EMAIL PROTECTED]>,
  Bryan Olson <[EMAIL PROTECTED]> wrote:
> Bob Silverman wrote:
>
> > A function f(x) is said to be O(g(x))  [read as 'order of g(x)']
> > if  lim n--> oo  of  |f(x)/g(x)| < c   for some constant c.
>
> There's a problem with that definition in that |f(x)/g(x)|
> may always be less than c for sufficiently large x, but the
> limit as x->oo may not exist. (I'm assuming the use of "n"
> was a typo.   Yes. Bob)
I left off the limes superior...  It should have been lim (with an
overbar), or lim sup.

>
> > In other words  f(x) grows at a rate which is bounded by a constant
> > times the rate at which g(x) grows  as x becomes sufficiently large.
>
> The definition I know of is:
>
>    f(x) is O(g(x)) if and only if there exist some c
>    and n such that,
>        0 <= f(x) <= c*g(x)  whenever  x >= n.
>
This does not work either.  g(x) might be strictly positive
and f(x) strictly negative, yet f goes to -oo much faster than g goes
to oo.  You are missing  | | signs.


> For example 2 + sin(x) is O(1) but
>     lim x->oo  |(2 + sin(x))/1|
> does not exist.

Yep.

Does anyone know Auntie-Derivative's recipe for lim soup?

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


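The definition the exchange above converges on, written out here as an added note (not part of either poster's message), with both the absolute values and the lim sup in place:

$$ f(x) = O(g(x)) \iff \exists\, c > 0,\ n:\ |f(x)| \le c\,|g(x)| \ \text{for all } x \ge n $$

and, provided $g(x) \ne 0$ for all sufficiently large $x$, equivalently

$$ \limsup_{x \to \infty} \frac{|f(x)|}{|g(x)|} < \infty . $$

Checked against the two cases raised in the thread: for $f(x) = 2 + \sin x$, $g(x) = 1$ the ratio $|2 + \sin x|$ oscillates between $1$ and $3$, so $\lim_{x \to \infty}$ does not exist while $\limsup = 3$, and $c = 3$, $n = 0$ satisfy the first form. For $f(x) = -x^2$, $g(x) = x$ the one-sided bound $f(x) \le c\,g(x)$ holds for every $c > 0$, yet $|f(x)|/|g(x)| = x \to \infty$, so $f$ is not $O(g)$; this is why the absolute values cannot be dropped.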

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Where to post treatise?
Date: 13 Apr 2000 15:12:24 GMT

[EMAIL PROTECTED] wrote:
> Hi all,
> I 've invented a pretty good data encryption algorithm and I have
> written a treatise about it. But I don't know where to post the
> treatise. What magazines are standard in this respect ? Can you suggest?

You can post it here. Maybe someone will read it. In addition, if
something turns out to be wrong and the flaw is caught here, it's no big
deal. (you have read the FAQ about how "most pretty good data encryption
algorithms aren't", right?)

You can also submit it to a conference on cryptography. Unfortunately
Fast Software Encryption 2000 is just over, but others are coming up. 

The submission deadline for the "Selected Areas in Cryptography" 
and the "Annual Computer Security Applications Conference" are both 
coming up soon (May 1 and May 12, I think). Check their web pages for
instructions on how to submit:

SAC :
http://www.cacr.math.uwaterloo.ca/conferences/2000/SAC2000/announcement.html

ACSAC :
http://www.acsac.org/

and this list of Calls For Papers and Conferences should give you more
ideas:
http://www.dice.ucl.ac.be/crypto/call_for_papers.html

There are also the journals Cryptologia and Journal of Cryptology. I'm
not familiar with the first, but the latter is generally reserved for 
"finished" copies of papers which have been worked on a great deal, and
may have appeared as extended abstracts in conferences. They aren't
quite "magazines" the way I normally think of the term.

Dr. Dobb's Journal has been known to publish crypto-related articles. 

So best of luck, 
-David

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
Date: Thu, 13 Apr 2000 09:46:25 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> Technically 3des is not des...

Technically, what is usually called "3DES" really IS DES now -- i.e. 
late last year, FIPS 46-2 was replaced with FIPS 46-3, so the current 
Data Encryption Standard (i.e. DES) is FIPS 46-3.  This standard 
requires three applications of the Data Encryption Algorithm, which 
is what is normally referred to as 3DES, though 3DEA would probably 
now be a more accurate term.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: SHA2
Date: Thu, 13 Apr 2000 18:21:29 +0200

Gregor Leander  <[EMAIL PROTECTED]> wrote:

> I read something about a new hash function from the NSA called SHA-2.

This may have been the following old message:
<http://www.deja.com//getdoc.xp?AN=603213967>

where Rich Ankney <[EMAIL PROTECTED]> said:
> You might want to wait for SHA-2, which will supposedly have
> 256- and 512-bit outputs (along with 384-bits truncated
> from 512).  Supposedly available late summer from NIST.



   Francois Grieu

------------------------------

Subject: Re: SHA2
From: Diet NSA <[EMAIL PROTECTED]>
Date: Thu, 13 Apr 2000 09:16:16 -0700


In article <[EMAIL PROTECTED]>,
Runu Knips <[EMAIL PROTECTED]> wrote:

>One of my professors was the inventor of lsd-trees, which
>are used to sort two-dimensional data. Unfortunately, I never
>found out how they work ;-)
>
>
Here is an explanation of how they work:

http://www.vldb.org/conf/1989/P045.PDF


"I feel like there's a constant Cuban Missile Crisis in my pants."   
    - President Clinton commenting on the Elian Gonzalez situation
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Is AES necessary?
Date: Thu, 13 Apr 2000 18:34:11 +0200

Tom St Denis wrote:
> 

> No really think about it though.  RC5 is smaller, faster and allows a
> greater key than DES.  RC5 is more resilient [after 16 rounds] to the
> same attacks than DES.  While the last point is kinda moot the three
> others are a good push.
> 
> So the question is then, why use DES over RC5?  It's slower, larger and
> has a smaller key.

Wait and see if any expert on strength of encryption algorithms 
would tell us which one of the two is stronger.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Q: NTRU's encryption algorithm
Date: Thu, 13 Apr 2000 18:34:18 +0200

Does any expert in public key cryptography have an objective 
and clear-cut evaluation of NTRU's encryption algorithm and 
would like to let us learn that? The recent web page of NTRU 
speaks of an 11 million dollar funding and contains a number 
of challenge problems with rewards.

M. K. Shen
=======================
P.S. For those who want to earn money there are much better 
challenge problems. One million dollars has recently been offered 
for attacking the Goldbach conjecture. See Science, 31st March, 
p. 2405.

------------------------------

From: Matt Linder <[EMAIL PROTECTED]>
Subject: TDMA CAVE encryption
Date: Thu, 13 Apr 2000 16:25:04 GMT

With all this talk about GSM and A5/1 and its weaknesses, it makes
me wonder about GSM's cousin TDMA used here in the US.  I think it uses
an algorithm called CAVE (I don't even remember what it stands for).

Does anyone know anything about how good the CAVE algorithm is?



------------------------------

From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: OAP-L3: Semester 1 / Class #1 All are invited.
Date: Thu, 13 Apr 2000 16:36:36 GMT
Reply-To: [EMAIL PROTECTED]

On Wed, 12 Apr 2000 23:27:23 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:


>I missed the fact that he was adding in diff mag of digits.  So it's
>actually D1 + 10*D2 + 100*D3, in which case he isn't adding the digits
>at all [to each other] they are just different components of the number.
>
>If for example he *were* doing R = D1+D2+D3 / 3, that would be entirely
>non random.

Should still be random but distributed differently.

Link.
****************************
Reply to:     @Spam to
lyeoh at      @[EMAIL PROTECTED]
pop.jaring.my @ 
*******************************

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Cipher Contest Update
Date: Thu, 13 Apr 2000 16:38:38 GMT



Adam Durana wrote:
> 
> Hello,
> 
> The contest started about two weeks ago, and so far I have only received ONE
> submission.  Boris Kazak submitted a cipher named LETSIEF (Feistel
> backwards).  Matthew Fisher was able to perform differential analysis on it,
> and Mr. Kazak resubmitted his cipher.  LETSIEF2 is still in the running and
> I have not heard of any attacks on it yet.
> **************
> If you don't have the URL it is
> http://www.wizard.net/~echo/crypto-contest.html
> 
> - Adam
==================
   Hi, Adam, thanks for posting my toy submission (Letsief is in 64-bit
range).
   I am thankful to Matt Fisher, he did a nice job, so I hope the revised
Letsief will pass his attacks with flying colors.

   I have another submission almost ready - one of what I call "drunken"
ciphers - large key-dependent array of S-boxes and plaintext-dependent path
through this array. It is also based on modular multiplication, but is
scalable - it can work with any block length from 8 bytes and more, in
increments of 4 bytes, so there is nothing impossible in encrypting a 1Mb
file as a single block, provided you have enough memory to handle it.
It will take me about a week to complete the description and to supply it
with a suitable "main" to test-drive the machinery.

   For those who prefer time-tested algorithms, I have a 128-bit block
size IDEA, a working model which imitates the original design, but uses
multiplication (mod 2^32+1) and the same key scheduler as Letsief.
*************************************************************
                      "A naive variation might double the block size.
                       The algorithm (IDEA) would work just as well with
                       32-bit sub-blocks instead of 16-bit sub-blocks and
                       a 256-bit key. Encryption would be quicker and
                       security would increase 2^32 times. Or would it?
                       The theory behind the algorithm hinges on the fact
                       that 2^16 + 1 is a prime, 2^32 + 1 is not. Perhaps
                       the algorithm could be modified to work, but it
                       would have very different security properties.
                       Lai says it would be difficult to make it work..."
                       (B. Schneier "Applied Cryptography" 2-nd ed. p.325)

     You can say that I was naive... but it works.
**************************************************************

   However, you said that direct spin-offs of conventional algorithms will
not be accepted, so I don't insist.

Best wishes               BNK
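The primality property the Schneier passage quoted above hinges on can be made concrete. The Python below is an added example, not code from the contest thread, from Letsief, or from any IDEA implementation: it runs IDEA's multiplication step with the modulus 2^w + 1 for w = 16 and w = 32, counts how many sub-block values lose their multiplicative inverse when the modulus is composite, and exhibits a multiplier under which two distinct inputs collide. The function names (idea_mul, idea_inv, zero_divisor_collision) are my own.

```python
# Added example, not code from the contest thread or from IDEA's designers:
# IDEA multiplies 16-bit sub-blocks modulo 2^16 + 1 because that modulus is
# prime.  Here the same step is tried with 32-bit sub-blocks (modulus
# 2^32 + 1, the "naive variation"), to show what primality buys.
from math import gcd


def prime_factors(m: int) -> list:
    """Prime factorization by trial division (fast enough for these moduli)."""
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def idea_mul(a: int, b: int, w: int) -> int:
    """IDEA-style multiplication modulo 2^w + 1 on w-bit values.

    The all-zero sub-block stands for 2^w (i.e. -1 mod 2^w + 1), so the
    operand set is {1, ..., 2^w}; a product equal to 2^w maps back to 0.
    """
    m, top = 2**w + 1, 2**w
    p = ((a or top) * (b or top)) % m
    return 0 if p == top else p


def idea_inv(k: int, w: int):
    """Multiplicative inverse of k under idea_mul, or None if k has none."""
    m, top = 2**w + 1, 2**w
    kk = k or top
    if gcd(kk, m) != 1:
        return None          # k is a zero divisor: this step cannot be undone
    inv = pow(kk, -1, m)
    return 0 if inv == top else inv


def non_invertible_count(w: int) -> int:
    """Number of the 2^w sub-block values with no inverse modulo 2^w + 1.

    {1, ..., 2^w} is exactly the set of nonzero residues, so the invertible
    ones number phi(2^w + 1); the rest share a factor with the modulus.
    """
    m = 2**w + 1
    phi = m
    for p in set(prime_factors(m)):
        phi = phi // p * (p - 1)
    return (m - 1) - phi


def zero_divisor_collision(w: int):
    """For a composite modulus, return a multiplier k and two distinct inputs
    x, y with idea_mul(x, k, w) == idea_mul(y, k, w): a multiplication step
    that no decryption can invert.  Returns None when 2^w + 1 is prime."""
    m = 2**w + 1
    factors = prime_factors(m)
    if len(factors) == 1:
        return None
    p = factors[0]
    q = m // p               # p * q == m, so multiples of q vanish under key p
    x, y = q, 2 * q
    assert idea_mul(x, p, w) == idea_mul(y, p, w) == 0
    return p, x, y


if __name__ == "__main__":
    print("16-bit: non-invertible values:", non_invertible_count(16))
    print("32-bit: non-invertible values:", non_invertible_count(32))
    print("32-bit collision (key, x, y):", zero_divisor_collision(32))
```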

------------------------------

Subject: Re: new Echelon article
From: Diet NSA <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,alt.politics.org.nsa,alt.journalism.print,alt.journalism.newspapers
Date: Thu, 13 Apr 2000 09:39:55 -0700


In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

>Tell me boys, ever hear of the Glomar Explorer???
>
>
This was developed by the CIA & Howard Hughes. Earlier, the NSA, etc. used
to spy on American citizens but in the 1970s laws were created to prevent
this. Supposedly, also in the 1970s, Echelon arose. Maybe in the past there
were more questionable collaborations between business & government intel
agencies.


"I feel like there's a constant Cuban Missile Crisis in my pants."   
    - President Clinton commenting on the Elian Gonzalez situation


------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Thu, 13 Apr 2000 11:42:20 -0500



Mok-Kong Shen wrote:

> James Felling wrote:
> >
> > > > > Bryan Olson wrote:
> > > > > > Given a string of, say, a million zeros and a "random"
> > > > > > million-bit string, Kolmogorov complexity does not say which
> > > > > > is more complex.
> > > > >
> > > > > If the shortest program to describe the former is shorter than
> > > > > the one for the latter (a case which seems fairly likely), then
> > > > > by definition the former has less Kolmogorov complexity than
> > > > > than the latter.
> > > >
> > > > Wrong.  Kolmogorov complexity allows the program to be
> > > > written in a large class of languages.  For any pair of
> > > > distinct finite strings there's a pair of legal language that
> > > > disagree on which string has the shorter program.
> > >
> > > That issue of difference of languages is understandably treated
> > > in Kolmogorov complexity. Otherwise that theory wouldn't be
> > > able to exist at all. The fact that no real-world algorithm to
> > > measure that theoretical quantity exists can also be interpreted
> > > to mean that no very exact comparison could be made, in my view.
> > > But surely some more or less useful comparison can be made.
> > > Allow me to use an analogy: one can surely claim that the code
> > > for an operating system is more complex than one for the
> > > quick sort, and that totally independent of what programming
> > > languages one uses, including those of year 3000, can't one?
>
> > The problem that is run into here is that given a family of languages L
> > we can evaluate Kolmogorov complexity (called K-complexity in remainder
> > of the article.  We can then evaluate the K-complexity of that string
> > relative to that language family L.  However given 2 strings S1, and S2,
> > and two language families L1, and L2 then it is simply possible to show
> > that in L1 S1 has greater K-complexity than S2, and relative to L2 S1
> > has less K-complexity than S2.  Since the K-complexity cannot be
> > established in an absolute manner, the best one can say is that the
> > k-complexity of S relative to language family L is ...,   this does NOT
> > establish any useful characteristic for evaluating S, as we cannot
> > evaluate S vs. the class of all languages without of course concluding
> > that it has order 1 as there will exist a language in which S is the
> > trivial output of a single command.  Only an infinite string may be
> > evaluated for K-complexity in a reasonable manner, as there are infinite
> > strings generatable only in multiple operations.
>
> Are you hence establishing that the entire theory of Kolmogorov
> complexity is useless? (What uses can there be, if otherwise?)
> Concerning infinite strings, please see my response to Bryan Olson.
>
> M. K. Shen

No. What I am saying is:

1) Over the space of all possible languages, the K-complexity of any finite
string is 1 (one atomic op will produce that string in some language).

2) Over a given set of languages L, it is possible to make "K-complexity
relative to L" comparisons between two strings S1 and S2, but such
comparisons are not extensible beyond that specific language family L (and
thus fail to generalize in any meaningful manner -- one can say S1 is shorter
to code than S2 in language X, but not that S1 is shorter to encode than S2
in general).

3) K-complexity for an infinite string is more easily defined, as there are
infinite strings that are more easily encoded than others. This is true even
over the space of all languages.  (000000......) is much more compact
codewise to generate than the decimal expansion of a transcendental, or
Chaitin's (sp?) Omega.
This is where generalized K-complexity has a useful meaning.


------------------------------

From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: GSM A5/1 Encryption
Date: Thu, 13 Apr 2000 16:49:01 GMT
Reply-To: [EMAIL PROTECTED]

On 8 Apr 2000 10:30:24 -0700, [EMAIL PROTECTED] (David A.
Wagner) wrote:

>It is hard to imagine design constraints so fierce that the designers
>could not have afforded the extra cost of a 128-bit A5/1.  (Perhaps it
>is so, but it seems quite a stretch, given the time at which it was
>developed.)

Huh? 

I thought the reason they went 40 bit was because the spook agencies
grumbled and lobbied and made lots of noise? I can't cite references but I
seem to recall mention of it in the UK newspapers back in the early 90s. It
was no surprise it was cracked, what really surprised me was the big fuss
the Americans made of the crack.

The encryption was to be reasonably strong, but it was intentionally
weakened.

I don't understand why they did that.

Sure the calls may be encrypted from your phone to the towers/stations, but
they are then decrypted to plaintext, and then reencrypted to the other
phone. The spooks can always listen in on the plaintext. It's even easier
as there are a lot fewer backbone points than cells.

Cheerio,

Link.
****************************
Reply to:     @Spam to
lyeoh at      @[EMAIL PROTECTED]
pop.jaring.my @ 
*******************************

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Q: Inverse of large, sparse boolean matrix, anyone?
Date: Thu, 13 Apr 2000 16:43:25 GMT

In article <[EMAIL PROTECTED]>,
  Gadi Guy <[EMAIL PROTECTED]> wrote:
> > I'm designing a cipher algorithm based on matrix algebra modulo 2.
> > Make sure that I had no problem with the usual numerical recipes for
> > handling matrices; simply, I apply them 'modulo 2'.
>
> Just an off topic thought, why can't large boolean matrices be used for
> DH key exchange?

(1) What makes you assert that they can't be used?
(2) In fact, they can.
(3) Why do you suggest them? What makes them advantageous over
    ordinary DH? Why do you think they might be?
(4) Why "large"?  [hint: think about efficiency of computation]
(5) What makes you believe that they would be any different from
    ordinary DH?  (Hint:  discrete logs in SL(2,Z) or SL(k,Z) are
    reducible to ordinary DL)


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"



------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Encode Book?
Date: Thu, 13 Apr 2000 11:50:39 -0500



Tom St Denis wrote:

> James Felling wrote:
> >
> > I learned pascal at about the same age.  It was a big achievement, but
> > not on the same order as Ms. Flannery's achievement.  You are gifted and
> > talented, but she has done something that was truly extraordinary.  Live
> > with it.
>
> Not to be a jealous type, but how much of it was her idea, and not her
> father's coaxing?  hehehe, just kiddin I actually don't know much at all
> about her so that's not a fair comment, sorry... but makes you wonder :)
>
> Anyways, does she have a website of her own? If so where is it?
>
> And I don't view learning a programming language by yourself as an
> everyday activity for twelve year olds.  Or writing your own Bulletin
> Board System (BBS) when you are 13, or etc... Anyways, nuff ranting I
> bet we are all just gifted in our own domains.  She is probably wicked
> at math, but couldn't play the piano etc... So no reason to be bitter,
> right?
>

Exactly.  She may have been in the right place at the right time
publicity-wise, but what she did was impressive nonetheless -- whether that
will be the zenith of her career or whether she will go on to other things,
that is the true test of greatness.

>
> Tom


------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Q: Inverse of large, sparse boolean matrix, anyone?
Date: Thu, 13 Apr 2000 16:46:16 GMT

In article <8d2i39$84k$[EMAIL PROTECTED]>,
  Bob Silverman <[EMAIL PROTECTED]> wrote:

> If the matrix is sparse it is virtually certain that its inverse
> will be 50% done.


This should be 50% dense, of course.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"



------------------------------

From: [EMAIL PROTECTED] (Lincoln Yeoh)
Subject: Re: Miami Herald article about ATM ripoffs
Date: Thu, 13 Apr 2000 17:04:29 GMT
Reply-To: [EMAIL PROTECTED]

On 11 Apr 2000 01:10:12 GMT, [EMAIL PROTECTED] (Bill Unruh) wrote:

>I suspect he meant algorithm. (just a rearrangement of the first four
>letters). But even that is wrong. It contains an offset to get from the
>natural PIN created by encrypting various things like the account number
>by DES with a secret key to the true pin. (See Ross Anderson's
>explanation many years ago here.)

But isn't that an insecure way to do things?

The card should hold a card number and the PIN should be random.

The ATM should use the card number to check the PIN with the nearest
database (replicated).

To increase detection of duplicated cards, the ATM could write to the card
a sequence number after each transaction. But this makes things more
failure prone.

Cheerio,

Link.
****************************
Reply to:     @Spam to
lyeoh at      @[EMAIL PROTECTED]
pop.jaring.my @ 
*******************************

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
