Cryptography-Digest Digest #601, Volume #11 Fri, 21 Apr 00 18:13:02 EDT
Contents:
Re: papers on stream ciphers (Tom St Denis)
Re: Sophie-Germain and ElGamal ("Joseph Ashwood")
Re: New version of MIRACL ("Trevor L. Jackson, III")
Re: new Echelon article ("Edward Combs Jr.")
Re: OAP-L3: Secure, but WAY more dificult to use than other equally ("Trevor L. Jackson, III")
Re: Sophie-Germain and ElGamal (Tom St Denis)
suggested change to cb (Tom St Denis)
Re: Requested: update on aes contest (Terry Ritter)
Re: New version of MIRACL (lordcow77)
Re: The Illusion of Security (Terry Ritter)
Re: nss (Tom McCune)
Re: Can a password be to long? ([EMAIL PROTECTED])
Re: Requested: update on aes contest (Tom St Denis)
Re: The Illusion of Security (Terry Ritter)
Re: The Illusion of Security (Tom St Denis)
Re: Problems with NTRU (Paul Koning)
Re: The Illusion of Security (Paul Koning)
Re: suggested change to cb ("Joseph Ashwood")
Re: Sophie-Germain and ElGamal ("Joseph Ashwood")
Re: The Illusion of Security (Tom St Denis)
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: papers on stream ciphers
Date: Fri, 21 Apr 2000 20:56:39 GMT
Joseph Ashwood wrote:
>
> Hey I've said the same thing over and over about stream
> ciphers, there aren't that many of them, roll your own and
> add to our knowledge. Of course I've also said that one
> should not limit yourself just using a good random number
> generator and XOR, that's weak against known attacks (like
> if I know your plaintext I can send valid streams as you).
> Try to add knowledge, not just security. I've tried many
> times, but I haven't found one that even begins to be
> secure.
Take a look at my Secure Lagged Fibonacci generator. The problem is I
haven't the time or skill to make any meaningful attack against it.
Basically for a useful stream cipher you need something that is long-
perioded, then some intermediate mixing stage, then mixing with the input.
Ciphers like RC4 aren't particularly sound of design since the period is
not known for any seed.
That's why I start all designs with an LFSR or LFG prng, then filter the
output.
Tom
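The post's argument rests on the period of the generator being known in advance. The following is an added example, not Tom's SLFG or any code from the thread: it steps a Fibonacci-style LFSR and measures its state period directly, so the difference between a feedback polynomial that gives the maximal period and one that does not can be seen on small registers. The tap sets and seeds are constructed for the demonstration; the 16-bit taps (16, 14, 13, 11) are a standard maximal-length polynomial.

```python
# Added example (not code from the original post). A Fibonacci LFSR with
# recurrence s[n] = XOR of s[n-k] over the lags k in `taps`; the register
# state is the last `nbits` bits of the sequence, newest bit last.

def lfsr_step(state, taps):
    """Advance the register one step and return the new state (a list)."""
    nbits = len(state)
    new_bit = 0
    for k in taps:
        new_bit ^= state[nbits - k]
    return state[1:] + [new_bit]

def lfsr_period(taps, nbits, seed):
    """Number of steps until the register state returns to `seed`.

    `seed` is the packed start state (bit i of seed = state[i]); it must be
    non-zero, since the all-zero state is a fixed point of every LFSR.
    """
    if not 0 < seed < (1 << nbits):
        raise ValueError("seed must be a non-zero %d-bit state" % nbits)
    start = [(seed >> i) & 1 for i in range(nbits)]
    state = lfsr_step(start, taps)
    count = 1
    while state != start:
        state = lfsr_step(state, taps)
        count += 1
    return count

def is_maximal_length(taps, nbits, seed=1):
    """True if the register visits all 2**nbits - 1 non-zero states."""
    return lfsr_period(taps, nbits, seed) == (1 << nbits) - 1

if __name__ == "__main__":
    # x^4 + x + 1 style feedback (lags 4 and 1): primitive, period 15.
    print("4-bit, taps (4,1):", lfsr_period((4, 1), 4, 1))
    # lags 4 and 2 correspond to (x^2 + x + 1)^2: not primitive, period 6.
    print("4-bit, taps (4,2):", lfsr_period((4, 2), 4, 1))
    # the standard 16-bit maximal-length example: period 65535 from any seed.
    print("16-bit, taps (16,14,13,11):", lfsr_period((16, 14, 13, 11), 16, 0xACE1))
```

The raw LFSR output is linear, which is exactly why the post goes on to filter it; the period check is only the first property to verify, not a security argument on its own.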
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Sophie-Germain and ElGamal
Date: Fri, 21 Apr 2000 13:58:33 -0700
Once you get into severely composite numbers, all bets are
off. For security a prime factor of significant size is
needed, I should have stated that, basically I'd say that a
500+ bit prime is enough for moderate security right now,
and good security begins around 768 bits, and paranoia (my
preferred level since I generally have processor to spare)
starts at 2048 bits, and never ends.
Joe
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Joseph Ashwood wrote:
> >
> > The primary reason for using {some personally preferred
> > subset of} Primes is that there are various methods of
> > attack on either factoring (for RSA) or Discrete Log (for
> > DH, ElGamal, etc) that make use of specific properties of
> > the primes for speed increases (in your case you were asking
> > specifically about (p-1)/2 being composite), or even in some
> > case to be able to work. As I recall most of those methods
> > are no longer fastest when you get out of the 300-400 bit
> > range, so YMMV.
>
> That's not true at all. A 1024 bit composite can be factored easily by
> the pollard-rho method iff the factor base is smooth, err... there are a
> bunch of small prime factors. Same for the DL problem.
>
> Tom
------------------------------
Date: Fri, 21 Apr 2000 17:13:23 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: New version of MIRACL
Dann Corbit wrote:
> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> [snip]
> > Why don't you email the author directly. It may be a trivial problem.
> > I don't think you should call it a hack, cuz well it works well in all
> > environments I have seen it in. Either case you like miracl better
> > whoopy a number is a number is a number.
>
> Actually, I am quite unconcerned about it. I already have:
>
> * Maple V (Commercial tool)
> * MIRACL (Shamus Software)
> * ECPP (Morain)
> * FreeLip (Lenstra)
> * HFLOAT (Arndt)
> * APFLOAT (Tommilla)
> And a host of others.
>
> And all work very easily and quite well enough for my purposes. I have got
> to the point where I can complete a compile with MPI and I know enough that
> it is not competitive with the other tools at my disposal. However (as I
> said before) I am sure it is a very nice thing to have for those who are
> addressed by the requirements it was designed to serve.
Have you any experience with NTL (Shoup)? Can you comment on its utility?
------------------------------
From: "Edward Combs Jr." <[EMAIL PROTECTED]>
Crossposted-To:
alt.politics.org.cia,alt.politics.org.nsa,alt.journalism.print,alt.journalism.newspapers
Subject: Re: new Echelon article
Date: Fri, 21 Apr 2000 21:15:02 GMT
Second British Spy Laptop Lost
A second spy lost a security services laptop after drinking too much and
losing track of it. The £2,000 computer was reported last night to contain
details of British secret agents working abroad.
It is an embarrassing sequel to the March 4 theft at Paddington that cost an
MI5 officer his laptop and the secrets of the Ulster peace process that it
contained.
In this case, the agent had spent the March 3 evening drinking at Rebato's
tapas bar, about a mile from the MI6 headquarters beside the Thames at
Vauxhall, London. He then lost track of it, but thought it might have been
left in a taxi.
MI6's efforts to recover the laptop, using an anonymous newspaper advert,
will further embarrass the Government. The advert placed by MI6 begged
return of the laptop with 'vital research notes' to the 'academic' that lost
it, in return for a reward. The computer was recovered on March 16.
MI6 chief Richard Dearlove has already given a full report to Foreign
Secretary Robin Cook and Prime Minister Tony Blair.
------------------------------
Date: Fri, 21 Apr 2000 17:28:25 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3: Secure, but WAY more dificult to use than other equally
James Felling wrote:
> This program is a classic example of the assertion that any algorithm that
> does not form a group over its keys can if reiterated enough be made
> arbitrarily secure.
>
> I have withdrawn any criticisms that I have in re: the security of this
> program provided that the Mix files are generated by a sufficient number of
> passes of his processes.
I think this begs the question of the definition of "sufficient". In another
post the suggestion was made to have the user enter ~3000 characters of input,
all of it "truly random". Since this is well over the average page of text (at
~2500 characters), we're not talking about a pass phrase, we're describing a
"pass page".
1.) Given ~3000 "truly random" characters, or ~24K bits, one can find far more
efficient application of that amount of entropy for security purposes. Even a
50% efficient application of the entropy should give a space of 2^12,000
(10^~3600) rather than the quoted figure of 10^~459.
2.) Given that typing in a page of characters is an onerous, error prone
process, one immediately considers automating it with a machine-readable
representation of the input. But if the communicants using this system are
going to pass around machine readable media why would they not pass around
large keys and use a true OTP instead of a fake one?
> I now wish for him to address the severe usability and documentational
> issues that his program possesses.
I believe we have yet to see an adequate excuse for the existence of this
software. I'm interested in learning it, if it becomes available.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Sophie-Germain and ElGamal
Date: Fri, 21 Apr 2000 21:38:31 GMT
Joseph Ashwood wrote:
>
> Once you get into severely composite numbers, all bets are
> off. For security a prime factor of significant size is
> needed, I should have stated that, basically I'd say that a
> 500+ bit prime is enough for moderate security right now,
> and good security begins around 768 bits, and paranoia (my
> preferred level since I generally have processor to spare)
> starts at 2048 bits, and never ends.
> Joe
Again you are wrong. Specifically constructed primes are not random
(well primes aren't truly random either, however...).
Generally you just make random primes of the required size. My earlier
point was that older methods such as pollard-rho can work on big
numbers, just with very low probability (not zero prob).
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: suggested change to cb
Date: Fri, 21 Apr 2000 21:42:15 GMT
One suggested change (originally by David Wagner) is that I allow the
programmer to directly access the ciphers. I favor this idea and plan
to add it to the next cb.
I am also working on portable load/store routines for all the routines
(and more efficient means of doing it).
While I am at it, is there anything else 'lacking' from CryptoBag that I
should add?
Tom
--
http://24.42.86.123/cb.html
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Requested: update on aes contest
Date: Fri, 21 Apr 2000 21:43:32 GMT
On Fri, 21 Apr 2000 18:50:25 +0100, in <[EMAIL PROTECTED]>,
in sci.crypt David Crick <[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>>
>> >>I know that you have stated that you are opposed to multiple selections.
>> >>Would your position on this issue be influenced by a pair of selections
>> >>distinguished by performance? Say Twofish or RC6 as primary, and R++ as
>> >>secondary?
>> >
>> >No. One standard. Only one. Not two. One.
>>
>> Right. One standard. Consisting, for example, of every cipher not
>> yet explicitly broken.
>
>75% of the attendees at AES3 who filled in the anonymous
>questionnaire voted for a single algorithm over multiple
>ones.
That's sort of a self-selecting population, don't you think? Or do
you suggest that the result is representative of knowledgeable crypto
people everywhere?
It sure doesn't represent my views.
And voting is irrelevant in Science.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
Subject: Re: New version of MIRACL
From: lordcow77 <[EMAIL PROTECTED]>
Date: Fri, 21 Apr 2000 14:39:17 -0700
In article <[EMAIL PROTECTED]>, "Trevor L. Jackson,
III" <[EMAIL PROTECTED]> wrote:
>Have you any experience with NTL (Shoup)? Can you comment on
>its utility?
>
The algorithms and implementation of NTL are second to none,
particularly in the areas of fast polynomial arithmetic and
lattice basis reduction, but many people find the C++ structure
to be too confining and orthogonal to their thought processes. I
personally like the organization and clear layout of the library
and recommend it to anyone doing numerical work with these
structures.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: The Illusion of Security
Date: Fri, 21 Apr 2000 21:50:34 GMT
On Fri, 21 Apr 2000 20:06:24 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt Tom St Denis <[EMAIL PROTECTED]> wrote:
>[...]
>I meant used. The latest used ciphers are 3des, cast128 and idea, all
>of which have had considerable analysis put against. Of course anybody
>can make a cipher that is trivially breakable. But those that have
>survived all our known tests, are secure.
This flaunts the edge of what we know. Surviving *our* tests does not
make a cipher secure. A cipher is secure -- and protects our data --
only when it survives the secret unknown attacks by our unknown
attackers. Those attackers do not announce their successes, so if
they are successful, we will never know. Even if the cipher has
survived all of our tests.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: nss
Date: Fri, 21 Apr 2000 21:50:42 GMT
In article <[EMAIL PROTECTED]>, elise <[EMAIL PROTECTED]>
wrote:
>I look forward to norton secret stuff decryption
>
>please help me!
I'm not sure why you look forward to this weak 40 bit encryption, but it is
at: ftp://ftp.symantec.com/misc/nss.exe
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Can a password be to long?
Date: Fri, 21 Apr 2000 21:54:02 GMT
John <[EMAIL PROTECTED]> wrote:
>I know passwords can be to shrot, but I recall reading
>somewhere, a long time ago, about being to long. Is this true.
Yes, it's true. For a person who can't successfully spell "too short",
a long password could be a real disaster.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Requested: update on aes contest
Date: Fri, 21 Apr 2000 21:54:53 GMT
Terry Ritter wrote:
>
> On Fri, 21 Apr 2000 18:50:25 +0100, in <[EMAIL PROTECTED]>,
> in sci.crypt David Crick <[EMAIL PROTECTED]> wrote:
>
> >Terry Ritter wrote:
> >>
> >> >>I know that you have stated that you are opposed to multiple selections.
> >> >>Would your position on this issue be influenced by a pair of selections
> >> >>distinguished by performance? Say Twofish or RC6 as primary, and R++ as
> >> >>secondary?
> >> >
> >> >No. One standard. Only one. Not two. One.
> >>
> >> Right. One standard. Consisting, for example, of every cipher not
> >> yet explicitly broken.
> >
> >75% of the attendees at AES3 who filled in the anonymous
> >questionnaire voted for a single algorithm over multiple
> >ones.
>
> That's sort of a self-selecting population, don't you think? Or do
> you suggest that the result is representative of knowledgeable crypto
> people everywhere?
>
> It sure doesn't represent my views.
>
> And voting is irrelevant in Science.
I tend to agree. I think we should filter out some more ciphers... Like
have AES down to three ciphers. Definitely Twofish should be there;
since RC6 is still quite secure and easy to implement, add that too, and
Serpent since it's conservative.
Twofish should be used for all general purpose AES traffic (basically
any type of traffic). RC6/Serpent should be there as well (like cipher
ID tags) but not enforced; they should be backups.
Now I don't want to have people think I am being brain-washed by Bruce
S. propaganda, I think he is very well motivated to have people pick his
cipher for one reason. He (along with his team) worked really hard on
it. The cipher truly is complex, but efficient on many platforms, it is
compact and nobody can seem to attack it (yet). They did an amazing
job.
In my software I just add as many as possible and let the users pick.
Of the ten ciphers in CB for example none are trivially weak (i.e.
practical attacks). So it doesn't matter what they pick, but at least
they can choose.
Tom
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: The Illusion of Security
Date: Fri, 21 Apr 2000 21:56:07 GMT
On Fri, 21 Apr 2000 12:48:11 -0700, in <#btnDt8q$GA.303@cpmsnbbsa04>,
in sci.crypt "Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
>[...]
>While I agree that the
>breaking of an AES finalist in the next few years is
>unlikely,
We can believe whatever we want, but we simply have no evidence about
the probability that a cipher may be broken, or when this might
happen. There is no science to suggest that breaking an AES finalist
in the next few years is "unlikely." Only wishing suggests that.
>unbreakability against an infinite future is at
>best laughable.
Of course.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Fri, 21 Apr 2000 21:58:30 GMT
Terry Ritter wrote:
>
> On Fri, 21 Apr 2000 20:06:24 GMT, in <[EMAIL PROTECTED]>,
> in sci.crypt Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> >[...]
> >I meant used. The latest used ciphers are 3des, cast128 and idea, all
> >of which have had considerable analysis put against. Of course anybody
> >can make a cipher that is trivially breakable. But those that have
> >survived all our known tests, are secure.
>
> This flaunts the edge of what we know. Surviving *our* tests does not
> make a cipher secure. A cipher is secure -- and protects our data --
> only when it survives the secret unknown attacks by our unknown
> attackers. Those attackers do not announce their successes, so if
> they are successful, we will never know. Even if the cipher has
> survived all of our tests.
If money starts disappearing we will know for sure. It may be too late
but we will know.
Seriously though, it's good to be cautious, but when years of constant
pressure and work cannot break an algorithm, it's most likely that it
can't be done.
Take factoring for example. Been worked on for 1000s of years, and we
still can't factor as fast as one would want to. Like nobody will
really find the factors for
n =
7845464894948624085817674125006260680782223977132130103813467169531516537849\
05071193915597920110439954227055221771064236731175096156784015401689495213130748\
60509508765626164401372205205788363152458477780132197255553417102647530965046777\
799344029763540728789585552629530174624630219899102518383088153375672107
before I am long since dead. So there are problems that are just plain
hard.
Tom
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Problems with NTRU
Date: Fri, 21 Apr 2000 17:05:49 -0400
lordcow77 wrote:
>
> Their web site has very well written introductions on the basic
> structure and implementation of their algorithm as well as
> detailed, technical, analyses of the performance and security
> parameters. Their documentation on their truncated polynomial
> ring cryptosystem is as good as Certicom's on elliptic curve
> cryptography. I'm not seeing much to complain about. It's
> definitely not snake oil.
Perhaps I wasn't clear. I don't think so either, and I did
not intend to imply it is.
What I meant is that the manner of marketing used, such as the
performance claims, is not of the same caliber. That point
has been made before, and the site is somewhat better now.
Still, there are issues. For example, to refer to standard
techniques for fast arithmetic on large numbers (like FFT
or Karatsuba) as "fancy techniques" makes the conclusions
suspect...
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Fri, 21 Apr 2000 17:12:43 -0400
Tom St Denis wrote:
> Of course of all the ciphers used since the 70's none of them have yet
> been broken.
Sure they have. DES...
Or did you mean "have succumbed to an attack better than
exhaustive search"? Then perhaps it doesn't apply to
DES, but that's not the right question to ask.
Joseph Ashwood wrote:
> ...
> And 3des, cast128 and idea are all from the last five years,
> although the building block for 3des has been around longer.
Not so. Multiple DES was mentioned in IEEE Spectrum 7/1979,
and for all I know may have been described earlier than that.
IDEA was published in 1991, and CAST in 1993. Sounds like
more than 5 years to me...
paul
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: suggested change to cb
Date: Fri, 21 Apr 2000 14:56:25 -0700
How about dynamically allowing various chaining methods.
Something like:
CBC(void *in, void *out, cipher_state *state, *cipher(...))
Or port it over to C++ and encapsulate the extras.
How about a TCP/IP connection/negotiation, send, receive,
and close. Separate configuration for the TCP/IP stack
(preferred and allowed ciphers).
Just some thoughts.
Joe
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> One suggest change (originally by David Wagner) is that I allow the
> programmer to directly access the ciphers. I favor this idea and plan
> to add it to the next cb.
>
> I am also working on portable load/store routines for all the routines
> (and more efficient means of doing it).
>
> While I am at it, is there anything else 'lacking' from CryptoBag that I
> should add?
>
> Tom
> --
> http://24.42.86.123/cb.html
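The suggestion above is to write each chaining mode once and hand it the block function, rather than baking a mode into every cipher. The following is an added example in Python, not CryptoBag code and not Joe's C sketch: CBC and CTR take the block-encrypt (or block-decrypt) callable as a parameter, so any block cipher with the right block size can be plugged in. The `toy_cipher` used to exercise the modes is a constructed placeholder permutation, not a cipher; the key, IV and message bytes are likewise constructed for the demonstration.

```python
# Added example (not CryptoBag code). Chaining modes written once, generic
# over whichever block function the caller passes in.

BLOCK = 8  # bytes; the toy permutation below and both modes assume this size

def toy_cipher(key):
    """Return (encrypt_block, decrypt_block) closures over an 8-byte key.

    PLACEHOLDER ONLY: XOR with the key and a 3-byte rotation is a keyed
    permutation, not a cipher. It stands in for a real block cipher so the
    mode code can be run and tested without any external library.
    """
    if len(key) != BLOCK:
        raise ValueError("toy key must be %d bytes" % BLOCK)

    def encrypt_block(block):
        mixed = bytes(b ^ k for b, k in zip(block, key))
        return mixed[3:] + mixed[:3]

    def decrypt_block(block):
        mixed = block[-3:] + block[:-3]
        return bytes(b ^ k for b, k in zip(mixed, key))

    return encrypt_block, decrypt_block

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data):
    """PKCS#7 padding: always adds 1..BLOCK bytes so unpadding is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(encrypt_block, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block")
    data, out, prev = pad(plaintext), [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(xor_bytes(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(decrypt_block, iv, ciphertext):
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(decrypt_block(c), prev))
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(encrypt_block, nonce, data):
    """CTR: keystream = E(nonce || counter); the same call encrypts and decrypts.

    Only the block-ENCRYPT function is needed, and no padding: the last block
    may be short. A nonce must never be reused under one key.
    """
    if len(nonce) != 4:
        raise ValueError("this layout uses a 4-byte nonce + 4-byte counter")
    out = []
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(4, "big")
        out.append(xor_bytes(data[i:i + BLOCK], encrypt_block(counter_block)))
    return b"".join(out)

if __name__ == "__main__":
    enc, dec = toy_cipher(bytes(range(8)))            # constructed key
    ct = cbc_encrypt(enc, b"\x10" * 8, b"hello cryptobag")
    print(cbc_decrypt(dec, b"\x10" * 8, ct))
    print(ctr_crypt(enc, b"\x00\x00\x00\x01", ctr_crypt(enc, b"\x00\x00\x00\x01", b"hello cryptobag")))
```

Swapping the placeholder for a real cipher means replacing `toy_cipher` with a pair of closures over that cipher's key schedule; the mode functions do not change, which is the point of the suggestion.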
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Sophie-Germain and ElGamal
Date: Fri, 21 Apr 2000 15:02:29 -0700
> Again you are wrong. Specifically constructed primes are not random
> (well primes aren't truly random either, however...).
I was not stating that one should construct a prime in some
manner, more that one should verify that the randomly chosen
prime is not likely subject to errors. And the last time I
checked there was no dependable way to construct a prime
without randomly generating nearly as large primes.
>
> Generally you just make random primes of the required size.
> My earlier
> point was that older methods such as pollard-rho can work on big
> numbers, just with very low probability (not zero prob).
And with proper precautions, the probability goes to 0. What
I encourage seems to me to be simply common sense, if there
is a potential flaw in the number you chose, check for it,
that way you can eliminate the possibility of that problem.
Perhaps you don't do this, if so that is your decision, but
some of us prefer safer methods.
Joe
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Fri, 21 Apr 2000 22:09:09 GMT
Paul Koning wrote:
>
> Tom St Denis wrote:
> > Of course of all the ciphers used since the 70's none of them have yet
> > been broken.
>
> Sure they have. DES...
>
> Or did you mean "have succumbed to an attack better than
> exhaustive search"? Then perhaps it doesn't apply to
> DES, but that's not the right question to ask.
>
> Joseph Ashwood wrote:
> > ...
> > And 3des, cast128 and idea are all from the last five years,
> > although the building block for 3des has been around longer.
>
> Not so. Multiple DES was mentioned in IEEE Spectrum 7/1979,
> and for all I know may have been described earlier than that.
>
> IDEA was published in 1991, and CAST in 1993. Sounds like
> more than 5 years to me...
The design principles behind CAST came out well before 1993, as did those
behind IDEA.
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************