Cryptography-Digest Digest #588, Volume #11      Thu, 20 Apr 00 16:13:01 EDT

Contents:
  NIST: AES3 results up / comment period closes soon! (David Crick)
  Re: password generator (Anton Stiglic)
  Re: Should there be an AES for stream ciphers? (Anton Stiglic)
  The Illusion of Security ([EMAIL PROTECTED])
  Re: 40-Bit DES Question (Paul Koning)
  Re: The Illusion of Security (Paul Rubin)
  Re: Very Large S-Boxes VLSB's (Diet NSA)
  Re: OAP-L3: Semester 1 / Class #1 All are invited. (James Felling)
  Re: Q: NTRU's encryption algorithm (Diet NSA)
  Re: The Illusion of Security (Jerry Coffin)
  Re: The Illusion of Security ("Tony T. Warnock")
  Re: The Illusion of Security (Andru Luvisi)

----------------------------------------------------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: NIST: AES3 results up / comment period closes soon!
Date: Thu, 20 Apr 2000 19:27:49 +0100

http://csrc.nist.gov/encryption/aes/

> April 20, 2000 - Submitter statements that were distributed at AES3 are
> now available. Additionally, the comments from the AES3 feedback
> forms have been summarized (an HTML version should be available next
> week). Thirdly, the final agenda has been updated to include links to
> presentations - more will be added as they are received by NIST.


http://csrc.nist.gov/encryption/aes/round2/pubcmnts.htm

> The Round 2 comment period will close on May 15, 2000.


Submit comments here:

http://csrc.nist.gov/encryption/aes/round2/round2.htm#comments

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: password generator
Date: Thu, 20 Apr 2000 14:51:18 -0400


"Trevor L. Jackson, III" wrote:

> Anton Stiglic wrote:
>
> > O.k., I'm sorry for the error, I just posted a quick reflexion.  No need for all
> > that arragance, we already have Bob Silverman here for that.
>
> Hmmm.  A couple of points.
>
> First, arrogance (sic) is partly in the eye of the beholder.
>
> Second, everyone who submits is guilty in some degree of insufficient humility in
> that they consider their writing to be worth reading (c.f., 90% of everything is ...
> -- Sturgeon?).
>
> Third, Silverman doesn't appear arrogant to me, just forceful (I'm willing to be
> corrected on this point if he chooses to opine on this topic).
>
> Fourth, had you been submitting code of your own you would probably have gotten far
> more gentle treatment than you got for falsely (arrogantly ;-) criticizing someone
> else's code.

When I submit ideas, or if I submit some type of code, I *want*
to get criticized.  I don't believe in flattery.  I would be
happy to see that someone took the time to look at my code.

When I see someone post an idea or some code, I see it as saying
"hey, let's discuss this, let's do some kind of a brain
storm", rather than "use this idea/code".  Published papers serve
the second much better.

So if people post code or ideas, I'll continue posting my ideas.
I'll say something stupid from time to time; I don't actually take
time to try to understand everything and make sure my statements
are correct, so I'll make some stupid remarks now and then. I usually
end up correcting my statements myself.  If you find an error, go ahead
and point it out, that's what newsgroups are for; you don't have to
start asking me why I work where I do or what my education or
background is in a smirky fashion, though.  Cryptology is supposed to
be fun, but people like you take all the fun away.

Anton



------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Should there be an AES for stream ciphers?
Date: Thu, 20 Apr 2000 14:53:26 -0400

Paul Koning wrote:

> Anton Stiglic wrote:
> > ...
> > I think stream cipher's are important, and often more practical.
>
> True for some cases, not for others.  For example, IPSec,
> where you have to do packet at a time processing and the
> packets aren't necessarily in order or free of omissions,
> stream ciphers are a major hassle.  Which would explain
> why they aren't used with IPSec.
>
>         paul

Yeah, that is a good point.


------------------------------

From: [EMAIL PROTECTED]
Subject: The Illusion of Security
Date: Thu, 20 Apr 2000 18:51:16 GMT

All Product ciphers based on DES and the Feistel Network can be broken
without an Exhaustive Key Search.....

The secret lies in the Non Linear F Function...This can be decomposed
into Algebraic Linear Primitives...and the Key can be recovered
relatively easily...The Backdoor Function...

The illusion that the Strength of an Algorithm is in the Key length is
just that...an illusion....with detailed knowledge of the algorithm,
Algebraic decomposition is possible with no significant computing
power requirements...

This is the biggest disinformation in history...all Public
Product Ciphers are weak and vulnerable...


Public Key systems based on Large Primes are also breakable without an
exhaustive key search....

It has been calculated that a 500 bit RSA key will take 20 seconds to
break on a supercomputer......




------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: 40-Bit DES Question
Date: Thu, 20 Apr 2000 14:53:51 -0400

Doug Stell wrote:
> 
> On Wed, 19 Apr 2000 18:17:40 GMT, [EMAIL PROTECTED] wrote:
> 
> >I assume that for 40-Bit DES, known bits are set in the 56 bit DES key.
> >Can someone tell me which bits are set and to what value? Also, where
> >is this defined, FIPS?
> 
> It's old and probably out of date, but here is the only spec I've seen
> on 40-bit DES.
> 
> Internet Draft                              Paul Hoffman
> draft-hoffman-des40-02.txt  ...

That spec is long expired, of course.  More importantly, it
should be considered obsolete/historic/deprecated since
the motivation for its existence no longer applies.  DES-40
was always bad, even more so now, it never existed for any
reasons other than political ones.  And those reasons no 
longer apply. 

So dump the notion into the bit bucket...

By the way, CDMF is an entirely different mechanism (and
patented as well, if I remember right).

        paul

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: The Illusion of Security
Date: 20 Apr 2000 19:09:09 GMT


Go away, troll.

------------------------------

Subject: Re: Very Large S-Boxes VLSB's
From: Diet NSA <[EMAIL PROTECTED]>
Date: Thu, 20 Apr 2000 09:12:33 -0700


In article <8djpr5$rno$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

>PS. While I'm here... where could I find information about the finite
>automaton cipher mentioned in Schneier? Web searches turned out nothing
>useful. It's the "FAPKC1" and "FAPKC2" on page 482.
>

I haven't seen this page in Schneier but FAPKC was invented by Tao Renji in
1985. Tim Tyler (who is a regular poster to this thread) has a bibliography of
Renji's work. Go to http://alife.co.uk and click the "cellular automata" link
and then click "bibliography". In this newsgroup, we have discussed cellular &
finite automata related to crypto. (Try searching for "cellular automata" in
sci.crypt at deja.com).


"I feel like there's a constant Cuban Missile Crisis in my pants."   
    - President Clinton commenting on the Elian Gonzalez situation
=======================================================================
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: James Felling <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3: Semester 1 / Class #1 All are invited.
Date: Thu, 20 Apr 2000 14:11:16 -0500



> <giant snip>
>
> I will prove you do not know what you are talking about by you
> simply answering this question:
>
> The OAP-L3 encryption software uses a random number generator.
> Now which of the following is the most correct and most
> comprehensive description of this random number generator that
> it uses:  which is the description that results in the random
> numbers used in the encryption process?

>
> 1)  The process that outputs the random digits from the MixFiles, or
>
> 2) the process that results in the OTP files?

Well the best way to answer that is "neither" (or "both" -- depends upon how I look at
it).  I agree that the stream data is generated primarily by process #2.  However it still
uses data from process #1 to produce the mix files which are then used by process #2.  If
one examines the crypto literature you will find many algorithms that have commentaries by
skilled people along the line of "this section of the algorithm is weak -- it does not do X
properly -- I have found no attack to exploit this property" and this is enough to withdraw
the algorithm from serious consideration.  Why should your program be judged upon a
different standard?

>
>
> Now define precisely what your supposed flaws are and what is the
> exact nature of these "artifacts" you allege?

Ok since you have obviously not done even a textbook analysis of your mix file
generation process I will.
I am using your own names for the subprocesses. (P.S. this is not an exhaustive list of
what I have found, but it is simply the result of a half hour of simple kindergarten
cryptanalysis)

We start with a file F of all possible 1 to 10 sequences. I shall number them F(1), F(2),
...., F(10!)



1) Scramble -- since all other mixing ops are external (they affect the order in which
the F(i)'s are presented) Scramble is effectively orthogonal to all other MixFile creation
steps. This means we can effectively treat all other steps as modifying the set S =
Scramble(F(1)), Scramble(F(2)), ....., Scramble(F(10!))

2) Mix -- The "Mix" operation doesn't do a very good job of it. M(i) = the ith sequence
of Mix(S) has the following properties: M(j+105*n) = S(j+105*n) with probability . (n>=0,
and j = first mix value). Since there are further steps this is less bad than it seems.

3) Redistribute -- This creates 14 files. I will denote them as T(1) to T(14), and
then T(k,m) = the mth member of Tfile k.
This is apparently accomplished as follows: T(k,m) = M( (k-1)*259200 + m ).

4) Shuffle. This permutes the Tfiles, then data are taken from them in the permuted
order to generate the mixfile. Call this permutation p(x).

Attack vs mix file generation.

Since j>=1, T(1,1) = Scramble(F(1)), and T(8,1) = Scramble(F(1814401)); this means that
within the first 14 sequences in the Mix files we have two sequences that are known. This
will occur regularly within the mix file, where within 14 digits at easily computable
points in the file 2 sequences (Scrambled) with known character exist. Because of this we
have very good odds of recovering both scramble, and some very good information on P(x)
in addition.  Further, if j>1 we will easily recover scramble as T(1,2) will occur 14
spots later in the file and will be a single rearrangement swap different from T(1,1).


As you can see the Mixfile.otp has a significant amount of exploitable structure --
enough to allow recovery of its generating keys in comparatively short order.  Since this
is the case, it seems likely to me that at least some of this structure could be exploited
by an analyst working the whole key backward.




>
>
> Let me end with this:
>
> The accepted test of the security of an encryption process is not
> what Mr. Huuskonen has asked for.  The accepted test is that it is
> assumed that the cracker knows every thing there is to know about
> the algorithm, and that the cracker has a substantial amount of
> plain text and the corresponding encrypted text.  From this
> it is demanded that the cracker use this information and knowledge
> to crack the software.  This is hardly what Mr. Huuskonen is asking
> for: he is essentially asking for the key once removed.

Yes, to a degree he is.  But the same structures that allow him to attack your mix
file will exist, to a lesser degree, in the final output.  My guess is that the Mix files
provide about 20-30 bits of randomness per each (assuming my attack cannot be refined).
This puts the randomness of your code somewhere in the neighborhood of 90 to 100 bits
(tops) when you factor it all in. I will be generous and say you are as secure as 3DES
(112 bits).  Why should we use your code in preference to 3DES?
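To check the index arithmetic behind the "two known sequences in the first 14" claim, here is a constructed Python model added for this digest (not OAP-L3 code and not from the poster). It only tracks which Mix-output index lands at each output position, so it never materialises the 10! sequences; it assumes, as stated in step 2, that Mix leaves positions j+105*n untouched (the post gives this only with an unstated probability), and that Shuffle emits one sequence per Tfile per round in the permuted order p. It generalises the observation to any first mix value j and any number of rounds.

```python
"""Index-level model of the Scramble/Mix/Redistribute/Shuffle pipeline
described in the post (constructed example, not the product's own code)."""
from math import factorial

NUM_SEQUENCES = factorial(10)              # all 1..10 sequences: 3628800
NUM_TFILES = 14                            # Redistribute writes 14 Tfiles
TFILE_SIZE = NUM_SEQUENCES // NUM_TFILES   # 259200, matching T(k,m)=M((k-1)*259200+m)
MIX_PERIOD = 105                           # assumption: M(j+105n) = S(j+105n)


def redistribute_index(k, m):
    """Mix-output index that lands at T(k, m), 1-based, exactly as in step 3."""
    return (k - 1) * TFILE_SIZE + m


def is_mix_fixed_point(i, j):
    """Position i survives Mix unchanged when i = j + 105*n for some n >= 0
    (assumed deterministic here; the post states it with a probability)."""
    return i >= j and (i - j) % MIX_PERIOD == 0


def known_tfile_heads(j):
    """Tfiles whose first entry T(k,1) is a Mix fixed point, i.e. is simply
    Scramble(F((k-1)*259200+1)) of a known F index."""
    return [k for k in range(1, NUM_TFILES + 1)
            if is_mix_fixed_point(redistribute_index(k, 1), j)]


def mixfile_position(k, m, p):
    """1-based output position of T(k,m) if Shuffle emits one sequence per
    Tfile per round, file k taking slot p[k] (1..14) within the round."""
    return (m - 1) * NUM_TFILES + p[k]


def known_positions(j, p, rounds):
    """(output position, revealed F index) for every Mix fixed point among the
    first rounds*14 sequences of the mixfile. Each such position holds
    Scramble(F(i)) for a known i, which is what leaks Scramble and p."""
    found = []
    for m in range(1, rounds + 1):
        for k in range(1, NUM_TFILES + 1):
            i = redistribute_index(k, m)
            if is_mix_fixed_point(i, j):
                found.append((mixfile_position(k, m, p), i))
    return sorted(found)


if __name__ == "__main__":
    identity = {k: k for k in range(1, NUM_TFILES + 1)}   # p(x) = x for the demo
    print("TFILE_SIZE =", TFILE_SIZE)                     # 259200
    print("heads fixed for j=1:", known_tfile_heads(1))   # [1, 8]: T(1,1), T(8,1)
    print("first round, j=1:", known_positions(1, identity, 1))
    print("two rounds, j=2:", known_positions(2, identity, 2))
```

Why only files 1 and 8: 259200 is 60 mod 105, so the file heads cycle through residues with period 7, and the j=2 case reproduces the post's remark that T(1,2) shows up 14 slots later.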


------------------------------

Subject: Re: Q: NTRU's encryption algorithm
From: Diet NSA <[EMAIL PROTECTED]>
Date: Thu, 20 Apr 2000 12:13:17 -0700


In article <8dm6e7$o4i$[EMAIL PROTECTED]>, David A Molnar <[EMAIL PROTECTED]> wrote:

>Does this last sentence have to mean "no better than using Grover's
>algorithm"?

Hopefully, at a minimum. BTW, Simon suggested that certain one-way functions could cause
a separation between BPP & BQP (There is no proof that BPP is in BQP except in a specific
relative case, described in the paper below). You might want to look at this paper which
mentions the potential of (cryptographic) one-way functions & suggests the possibility of
using quantum computation to solve problems such as finding the shortest vector in a
lattice (it doesn't say anything explicit about this):

http://arxiv.org/abs/cs.cc/9811023


>I hadn't thought about your question here at all.
>

I don't know who first posed this question but it wasn't me. This question also occurs
in the last paragraph on page 10 of this new paper by Lance Fortnow which is definitely
worth viewing:

http://arxiv.org/abs/quant-ph/0003035


>I seem to recall that a quantum computer can simulate a classical
>one step by step, so BPP is in BQP (am I wrong?).

See above.


>What else?
>Are there any BQP-complete problems? Can there be?
>

There is at least one BQP-complete problem. See this paper:

http://arxiv.org/abs/quant-ph/9909094

>
>Anyway, factoring and discrete log are in SZK, I think.

I don't know if they are. I know almost nothing about the "class" SZK. You might
consider emailing Lance Fortnow & Salil Vadhan because they might have insights or
references that we wouldn't think of.


> party - so the only possible
>separation would be between a quantum poly and a probabilistic poly time
>TM. I haven't thought about it very much yet, though...way too much else
>to do... :-\
>
>Thanks,
>-David
>
>




------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Thu, 20 Apr 2000 13:33:45 -0600

In article <8dnjit$3eh$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> All Product ciphers based on DES and the Feistel Network can be broken
> without an Exhaustive Key Search.....

If you want such claims to be believed, you need to provide one 
thing: an actual break based on the weakness you claim exists.

> It has been calculated that a 500 bit RSA key will take 20 seconds to
> break on a supercomputer......

All sorts of things have been calculated.  Many of them are wrong.  
Again, if you think you can factor a 500 bit number in 20 seconds on 
a supercomputer, publish the method.  If you can do so, you'll become 
somewhat rich, and extremely famous, at least among mathematicians.

While either of your claims _might_ just barely be possible, you need 
to do a LOT more than make bald claims to get an intelligent person 
to believe what you're claiming.

As I pointed out recently in a different context, claims about 
breakthroughs and such often stretch the truth.  You're not merely 
stretching the truth, but putting it to a tensile strength test, and 
I'm quite certain you have succeeded in breaking it.  In short, you leave 
the intelligent and informed people of the world with no choice but 
to disbelieve your claims.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Thu, 20 Apr 2000 13:56:19 -0600
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

> All Product ciphers based on DES and the Feistel Network can be broken
> without an Exhaustive Key Search.....
>
> The secret lies in the Non Linear F Function...This can be decomposed
> into Algebraic Linear Primitives...and the Key can be recovered
> relatively easily...The Backdoor Function...
>
> The illusion that the Strength of an Algorithm is in the Key length is
> just that...an illusion....with detailed knowledge of the algorithm,
> Algebraic decomposition is possible with no significant computing
> power requirements...
>
> This is the biggest disinformation in history...all Public
> Product Ciphers are weak and vulnerable...
>
> Public Key systems based on Large Primes are also breakable without an
> exhaustive key search....
>
> It has been calculated that a 500 bit RSA key will take 20 seconds to
> break on a supercomputer......

I give up. Show me.


------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: 20 Apr 2000 12:53:07 -0700

Care to elaborate?  The details of how you would go about applying
this to, say, DES and RSA, would be of great interest.

Andru
-- 
========================================================================== 
| Andru Luvisi                 | http://libweb.sonoma.edu/               |
| Programmer/Analyst           |   Library Resources Online              | 
| Ruben Salazar Library        |-----------------------------------------| 
| Sonoma State University      | http://www.belleprovence.com/           |
| [EMAIL PROTECTED]      |   Textile imports from Provence, France |
==========================================================================

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
