Cryptography-Digest Digest #877, Volume #11 Sun, 28 May 00 05:13:00 EDT
Contents:
Re: Matrix key distribution? (Benjamin Goldberg)
Hill's algorithm (Benjamin Goldberg)
Re: ATTN REGS (K. Hassellblatt)
Re: Hitachi Patent ("Paul Pires")
Re: Is OTP unbreakable? (Greg)
Re: Is OTP unbreakable? (Greg)
Re: Is OTP unbreakable? (Greg)
No-Key Encryption (Michael Pellaton)
Re: Is OTP unbreakable? ("Douglas A. Gwyn")
Re: Retail distributors of DES chips? (Jonathan Thornburg)
Re: PGP wipe how good is it versus hardware recovery of HD? (Jonathan Thornburg)
ignore ("Dulando")
Re: RSA/PK Question (Jerry Coffin)
Re: RSA/PK Question (Jerry Coffin)
Re: RSA/PK Question (Jerry Coffin)
Re: AES times on the Alpha 21164 with Parallel encryption (Jonathan Thornburg)
----------------------------------------------------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Matrix key distribution?
Date: Sun, 28 May 2000 05:14:20 GMT
Michael Brown wrote:
>
> Benjamin Goldberg <[EMAIL PROTECTED]> wrote in article
> <[EMAIL PROTECTED]>...
> > Perhaps this seems like a silly question, but what if matrix C isn't in
> > any special format, but whose only property is that it's non-invertible?
> For C to be singular either one (or more) row(s) has to be a combination of
> the other rows or one (or more) column(s) have to be a multiple of the
> other columns. The matrix C is based on the first idea with the second row
> being a multiple, in this case m, of the first row. I suspect that it still
> would be insecure if the matrix C used the other method though.
Don't forget that we're working modulo 2^32 ... There is therefore another,
simpler way to make C non-invertible: make all 4 numbers even.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Hill's algorithm
Date: Sun, 28 May 2000 05:38:25 GMT
I'm thinking of using Hill's algorithm [or rather a variant thereof] as a
block cipher. But I'm not sure how secure it is.
Here's some pseudo-code I made up for 128-bit blocks:
import random
M = 1 << 16   # 16-bit words: all arithmetic is modulo 2^16
def invert_matrix_modulo_2_16(k):
    # Gauss-Jordan mod 2^16; an odd pivot exists in every column exactly when det(k) is odd
    n = len(k)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(k)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c] % 2), None)
        if p is None:
            return None                      # determinant even: not invertible mod 2^16
        a[c], a[p] = a[p], a[c]
        inv = pow(a[c][c], -1, M)            # odd numbers are units mod 2^16
        a[c] = [x * inv % M for x in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [(x - f * y) % M for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def generate_keys():
    while True:   # loop until the determinant is odd, i.e. the matrix is invertible
        encryption_key = [[random.randrange(M) for _ in range(4)] for _ in range(4)]
        decryption_key = invert_matrix_modulo_2_16(encryption_key)
        if decryption_key is not None:
            return encryption_key, decryption_key

X = (0x1234, 0x5678, 0x9ABC, 0xDEF0)   # arbitrary constants, possibly different each round
def encipher(plaintext, encryption_key):
    A, B, C, D = plaintext
    for _ in range(8):
        A, B, C, D = (A + X[0]) % M, (B + X[1]) % M, (C + X[2]) % M, (D + X[3]) % M
        A ^= B >> 8; B ^= C >> 8
        C ^= D >> 8; D ^= A >> 8
        A, B, C, D = [sum(v * encryption_key[i][j] for i, v in enumerate((A, B, C, D))) % M for j in range(4)]
    return (A, B, C, D)
The decipher function is easily derivable from the encipher function.
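Worked here as an added example (not the poster's code): the decipher function, obtained by undoing each round back to front. The round constants X and the key pair are constructed for the demonstration; the key is I + N with N strictly upper triangular, so its inverse mod 2^16 is I - N + N^2 - N^3 and can be checked by hand, and encipher is repeated from the post so the round trip runs stand-alone.

```python
M = 1 << 16                              # 16-bit words, all arithmetic mod 2^16
X = (0x1234, 0x5678, 0x9ABC, 0xDEF0)     # constructed round constants (the post's X1..X4)

# Constructed key pair: K = I + N with N strictly upper triangular, so N^4 = 0
# and K^-1 = I - N + N^2 - N^3 can be checked by hand. det(K) = 1, which is odd.
ENC_KEY = [[1, 2, 0, 0],
           [0, 1, 3, 0],
           [0, 0, 1, 4],
           [0, 0, 0, 1]]
DEC_KEY = [[1, M - 2, 6, M - 24],
           [0, 1, M - 3, 12],
           [0, 0, 1, M - 4],
           [0, 0, 0, 1]]

def vec_mul(v, m):
    # (A, B, C, D) as a row vector times a 4x4 matrix, reduced mod 2^16.
    return tuple(sum(v[i] * m[i][j] for i in range(4)) % M for j in range(4))

def encipher(block, enc_key):
    # Same rounds as the post's pseudo-code, repeated here so the round trip runs.
    A, B, C, D = block
    for _ in range(8):
        A, B, C, D = (A + X[0]) % M, (B + X[1]) % M, (C + X[2]) % M, (D + X[3]) % M
        A ^= B >> 8; B ^= C >> 8
        C ^= D >> 8; D ^= A >> 8
        A, B, C, D = vec_mul((A, B, C, D), enc_key)
    return (A, B, C, D)

def decipher(block, dec_key):
    # Each round is undone back to front: matrix step, XOR chain, constants.
    A, B, C, D = block
    for _ in range(8):
        A, B, C, D = vec_mul((A, B, C, D), dec_key)
        # Forward order was A, B, C, D, and D was mixed with the *updated* A.
        # Reversing the order restores D first, then C, B and finally A.
        D ^= A >> 8; C ^= D >> 8
        B ^= C >> 8; A ^= B >> 8
        A, B, C, D = (A - X[0]) % M, (B - X[1]) % M, (C - X[2]) % M, (D - X[3]) % M
    return (A, B, C, D)

def round_trip(block):
    # Returns (ciphertext, recovered plaintext) for one 128-bit block of four 16-bit words.
    ct = encipher(block, ENC_KEY)
    return ct, decipher(ct, DEC_KEY)
```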
------------------------------
Subject: Re: ATTN REGS
Crossposted-To:
alt.hackers.malicious,alt.usenet.kooks,alt.troll,alt.romath,alt.fan.karl-malden.nose
From: [EMAIL PROTECTED] (K. Hassellblatt)
Date: Sat, 27 May 2000 22:47:01 -0600
Geist <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP MESSAGE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> qANQR1DBwM4DKAiYJyFO5BgQBf9y0PAB7h58Oz5dr8k6faKhqLWQ2EeUNgtITwG1
[snip]
> vupEm02N39T7S1nFuz2evZfvnZdtH+1hlClillGmstk6AOm7HYhjo0ugyyfPqILS
> bJ76sM2z82Nl4Q==
> =FyCb
> -----END PGP MESSAGE-----
Encrypted messages, eh? You must be a terrorist.
I have netcopped you to [EMAIL PROTECTED]
Your days are numbered, you evil fiend.
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Hitachi Patent
Date: Sat, 27 May 2000 23:10:57 -0700
I'll take a stab at it.
I did look at the earlier posts that showed claims 1 and 10.
Rule one. Don't let people snip patents and point you to pieces.
Interesting that the term "rotations" was not found in the claim. I'll have
to check their description and see what they have said. I think that
"rotation" is a metaphor. This happens in silicon and nothing really
rotates. The registers and whatnot are laid out like lists and the overflow
off one end doesn't pop back to the lsb. Rotation is a conceptual way of
looking at something, so how they describe it will have the most weight.
I'll snatch 'em off the IBM patent server and give 'em a sniff.
Paul
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:8fkp44$r5s$[EMAIL PROTECTED]...
> I am not a lawyer so could someone please explain what exactly the
> Hitachi patent covers?
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?
Date: Sun, 28 May 2000 06:36:11 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> > > The OTP does not offer any authentication.
> Greg wrote:
> > How ridiculous. OTP offers the same level of authentication as
> > most other private keys in a public key cryptosystem. If you have
> > the key, then you can sign the document. That is all authentication
> > means.
>
> Authentication is more than that. For example, in the OTP
> scenario, the encrypted message can be intercepted, a guess
> made as to some portion of the probable plaintext (for example
> a stereotyped beginning such as "For information only."),
> that portion of the key recovered, and a different plaintext
> substituted (e.g. "For immediate action."). The legitimate
> receiver has no way to know that the message is not what the
> legitimate originator sent. With a proper authentication
> scheme, such spoofing would almost certainly be detected.
Sorry, I never imagined that any assumption, especially one
so specific as your example, would ever be valid. Be that as
it may, OTP continues to provide the mechanisms for authentication.
If you form a check sum (for example) and encrypt it at the end
of the message, you use the OTP to produce the authentication
that you claim OTP does not provide.
Furthermore, authentication merely means, as I stated before, that
you are the one who has the key because you were able to establish
the encoded check sum. This is not different enough from a hashing
algorithm or other current day authentication technique. And they
have no way of proving who really used the key, other than a trust
that only the correct person could possibly have done so.
--
There is only one gun law on the books- the second amendment.
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?
Date: Sun, 28 May 2000 06:39:41 GMT
> The OTP authentication weakness comes from the fact that if you
> can get a matching cleartext and ciphertext, you can easily determine
> the pad for that message.
>
> One way to exploit this is:
>
> 1) Somehow determine the cleartext for one message or part of a
> message. (dumpster diving, find a note that was sent to many
> correspondents, one of whom you've corrupted, etc.)
Well, if that is the case, then I cannot accept your premise
because it begins with an unacceptable assumption.
But I would think that this weakness is true for any authentication
scheme.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?
Date: Sun, 28 May 2000 06:45:13 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Greg <[EMAIL PROTECTED]> wrote:
>
> :> The OTP does not offer any authentication.
>
> : How ridiculous. OTP offers the same level of authentication as
> : most other private keys in a public key cryptosystem. If you have
> : the key, then you can sign the document. That is all authentication
> : means. [...]
>
> With conventional symmetric systems, attackers can't use known plaintext
> to forge messages - even if no digital signature technique has been
> employed.
>
> They offer better authentication than an OTP in this sense - if you
> receive an encrypted, unsigned document, you can be more certain that
> it did not come from an attacker than you would be able to if it had
> been encrypted using an OTP - since the attack on the OTP is more simple
> and obvious than an attack on the symmetric cypher is likely to be.
Yip. You said it better than the others. You make sense and I can
see it now. Thanks.
------------------------------
Date: Sun, 28 May 2000 09:03:09 +0200
From: Michael Pellaton <[EMAIL PROTECTED]>
Subject: No-Key Encryption
In the literature about cryptography I often read about the three
different types of encryption - symmetric, asymmetric and no-key
encryption. I found plenty of implementations of the symmetric and the
asymmetric method. Is there any implementation of no-key encryption
available?
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?
Date: Sun, 28 May 2000 07:01:50 GMT
Greg wrote:
> Sorry, I never imagined that any assumption, especially one
> so specific as your example, would ever be valid.
I can't quite parse that, but if you mean that the scenario
I described is unrealistic, you're quite wrong -- it is a
very real problem that workers in this field have to consider.
> Be that as
> it may, OTP continues to provide the mechanisms for authentication.
> If you form a check sum (for example) and encrypt it as the end
> of the message, you use the OTP to produce the authentication
> that you claim OTP does not provide.
If you have to add an authentication mechanism, such as checksum,
then it cannot be the OTP encryption that provides authentication.
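Gwyn's substitution scenario and the kind of fix he alludes to, worked as an added example (not from anyone in the thread): the pad bytes under a guessed stereotyped prefix are recovered and a same-length replacement is re-encrypted under them, which the bare OTP gives the receiver no way to notice; a keyed MAC over the ciphertext (HMAC-SHA256 under a separate authentication key, my choice of "proper authentication scheme") rejects the altered message. The message text and the random pad are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    # One-time pad: XOR each message byte with a fresh pad byte.
    assert len(pad) >= len(msg), "pad must cover the whole message"
    return bytes(p ^ m for p, m in zip(pad, msg))

otp_decrypt = otp_encrypt   # XOR is its own inverse

def substitute_known_prefix(ciphertext: bytes, guessed_plaintext: bytes, replacement: bytes) -> bytes:
    # The manipulation Gwyn describes: a guessed (stereotyped) prefix reveals the
    # pad bytes under it, and a same-length replacement is re-encrypted under them.
    # The rest of the ciphertext is untouched, so it still decrypts cleanly.
    assert len(guessed_plaintext) == len(replacement)
    n = len(replacement)
    recovered_pad = bytes(c ^ g for c, g in zip(ciphertext[:n], guessed_plaintext))
    forged_prefix = bytes(k ^ r for k, r in zip(recovered_pad, replacement))
    return forged_prefix + ciphertext[n:]

def authenticate(auth_key: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC with a key separate from the pad: the tag depends on
    # every ciphertext byte, so any substitution changes it.
    return hmac.new(auth_key, ciphertext, hashlib.sha256).digest()

def receiver_accepts(auth_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(auth_key, ciphertext), tag)

def demo() -> dict:
    # Constructed message, pad and authentication key for the demonstration.
    msg = b"For information only. Convoy departs at dawn."
    pad = secrets.token_bytes(len(msg))
    auth_key = secrets.token_bytes(32)
    ct = otp_encrypt(pad, msg)
    tag = authenticate(auth_key, ct)
    forged = substitute_known_prefix(ct, b"For information only.", b"For immediate action.")
    return {
        # What the legitimate receiver reads if nothing but the OTP is in use.
        "forged_plaintext": otp_decrypt(pad, forged),
        "mac_accepts_original": receiver_accepts(auth_key, ct, tag),
        "mac_accepts_forged": receiver_accepts(auth_key, forged, tag),
    }
```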
------------------------------
From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: Retail distributors of DES chips?
Date: 28 May 2000 10:04:46 +0200
In article <8gn7gu$3at$[EMAIL PROTECTED]>, zapzing <[EMAIL PROTECTED]> asked
>But if I go with
>software encryption then how can I be certain that
>DES was actually used, and not some less
>powerful algorithm?
Ultimately you, or people you trust, have to carefully study each and
every line of the source code. And the source code for the compiler,
linker, and every other piece of software in the toolchain. And that
of the OS (and all the toolchain used to build it). Ditto for the CAD
software used to design the microprocessor. Etc etc.
This is what people who are really serious about their crypto, i.e. the
spooks, do: they manufacture a fair bit of hardware in-house, and contract
the rest to "trusted" companies. Similarly for software.
If you can't afford that level of paranoia, then using widely-studied free
software can be a fairly good approximation: You may have not personally
examined all of the approximately 1 million source code lines in GCC,
but enough other people -- and people from many different organizations
who are not plausibly all in a monster conspiracy -- have worked and
are working on the GCC code base, that we can be fairly confident that
any trojan horses planted there would soon be discovered.
As for hardware bugs, well, one could certainly imagine trojan horses
planted in (say) Pentium chips... but it's much harder to keep this sort
of thing secret in the commercial world than in spook-land. Besides,
while Ken Thompson showed a long time ago how to trojan-horse a compiler
( http://www.acm.org/classics/sep95/ , also available at
http://www.cs.umsl.edu/~sanjiv/sys_sec/security/thompson/hack.html ),
this relied on being able to pattern-recognize a particular pattern of
code. It's certainly possible for (say) Intel to trojan-horse the PIII
to pattern-recognize a particular byte sequence in the instruction stream,
but [outside the Microsoft world] this fails when we have many different
pieces of crypto software, compiled by many different compilers.
--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
http://www.thp.univie.ac.at/~jthorn/home.html
Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
Q: Which countries [only 5 of them] have the death penalty for children?
A: Iran, Nigeria, Pakistan, Saudi Arabia, United States
------------------------------
From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: PGP wipe how good is it versus hardware recovery of HD?
Date: 28 May 2000 10:13:52 +0200
In article <[EMAIL PROTECTED]>,
JohnNY <[EMAIL PROTECTED]> wrote:
>Does anyone know of any overwritten data that has been recovered? For
>instance, any forensic labs that claim they are able to do it or
>possibly evidence presented in a court case? I have read theoretical
>arguments on how it could be done but have not heard of a documented
>case. Just curious and no I am not being paid to post this message :)
|| ## http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
||
|| Secure Deletion of Data from Magnetic and Solid-State Memory
||
|| Peter Gutmann
|| Department of Computer Science
|| University of Auckland
|| [EMAIL PROTECTED]
||
|| This paper was first published in the Sixth USENIX Security Symposium
|| Proceedings, San Jose, California, July 22-25, 1996
||
|| Abstract
||
|| With the use of increasingly sophisticated encryption systems, an
|| attacker wishing to gain access to sensitive data is forced to look
|| elsewhere for information. One avenue of attack is the recovery of
|| supposedly erased data from magnetic media or random-access memory.
|| This paper covers some of the methods available to recover erased data
|| and presents schemes to make this recovery significantly more
|| difficult.
His conference presentation included pictures showing the recoverable
data left after overwriting.
Quoting from his conclusions,
|| Data overwritten once or twice may be recovered by subtracting what is
|| expected to be read from a storage location from what is actually read.
|| Data which is overwritten an arbitrarily large number of times can still
|| be recovered provided that the new data isn't written to the same location
|| as the original data (for magnetic media), or that the recovery attempt
|| is carried out fairly soon after the new data was written (for RAM).
|| For this reason it is effectively impossible to sanitise storage locations
|| by simple [sic] overwriting them, no matter how many overwrite passes are
|| made or what data patterns are written. However by using the relatively
|| simple methods presented in this paper the task of an attacker can be
|| made significantly more difficult, if not prohibitively expensive.
------------------------------
From: "Dulando" <[EMAIL PROTECTED]>
Subject: ignore
Date: Sun, 28 May 2000 08:20:13 GMT
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: RSA/PK Question
Date: Sun, 28 May 2000 02:26:54 -0600
In article <8go14s$ka5$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> > For example, if you want some information to remain secure for at
> > least the next 50 years, you'd _better_ not depend on an RSA key of
> > 768 bits, even though that's (AFAIK) unbreakable at the present time.
> > In 50 years, an average hand-held calculator is likely to have more
> > than enough resources to break a 768-bit key.
>
> Typical inane sci.crypt technobabble.
Bob, there's no question that you know a lot more about factoring
than I do. A wise man, however, knows his limits, and in making
these statements, I believe you've exceeded yours.
> I will give you a hint: Think about the *power* requirements to drive
> a processor that fast. Think about the power needed to refresh
> a terabyte of memory.....
50 years from now, DRAM that requires refresh will be as thoroughly
obsolete as mercury delay lines are now. Consider that several
companies are currently working on magneto-resistive memory (MRAM).
MRAM, by its nature not only requires no refresh, but is non-volatile
so it requires absolutely NO power at all to maintain its state.
MRAM is being moved out of research and toward production right now.
There's only one thing that's likely to keep MRAM from coming into
wide deployment, and that's the development of something with even
better characteristics (including lower power consumption).
Processor speeds: compare the speed and power requirements of a Palm
Pilot to the speed and power requirements of, say, a UNIVAC I. The
Palm Pilot runs a lot faster on a TINY fraction of the power.
The current research in fabrication is successfully working at
geometries small enough for about 10 years from now following Moore's
law. That's about enough of a fairly loaded workstation to factor a
768-bit RSA key. To believe a hand-held computer 50 years from now
won't be able to do so, we basically have to believe that all
research and development is going to come to a screeching halt within
the next few years, and we'll go for the following 40 or so straight
with essentially NO improvements at all. To me, that seems a
completely ridiculous and indefensible position to take.
To summarize: your "hints" seem to me to give a big hint about your
limited perspective, and essentially none at all as to the likely
state of computing 50 years from now. Specialization is a fine
thing, and you're clearly an expert in your field, but don't let your
expertise in one field lead you to believe that you must be an expert
in other fields, so if you don't know about something, it can't exist
or happen.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: RSA/PK Question
Date: Sun, 28 May 2000 02:26:56 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
[ ... ]
> So if the NFS will take 2^256 steps to factor a n-bit composite,
> then it's provably secure, unless a new NFS or Sieve comes
> along, which is possible but not very likely.
Yes, but if you figure things up, you'll find that factoring a 768-
bit number isn't even _close_ to this range. In fact, if the world
as a whole decided to do so, I believe the technology exists to start
factoring a 768-bit number within the next year and be done within
one year after that.
Just for example, the number of machines in existence right now with
enough memory is probably zero. The technology to build such a
machine exists though, and the memory production capability to
populate such a machine exists as well. The only thing that prevents
it from being done is that not enough people care to do it.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: RSA/PK Question
Date: Sun, 28 May 2000 02:26:58 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
[ ... ]
> Jerry seems very sure that either Moore's law is going to hold for
> another 50 years, or a major improvement in algorithms will happen.
Not at all. If you figure things up, you'll find that Moore's law
can slow down substantially, and this would still be true.
> Bob seems very sure that Moore's law will give up before that, and no
> major improvement in algorithms will happen.
>
> Either way is a brave prediction if you're looking that far.
Given that there's only a _little_ over 50 years of history in
electronic computing in general, any prediction that far into the
future has to be a little brave. Despite this, as my father was wont
to say, discretion is the better part of valor, and I think I've used
sufficient discretion in my prediction.
> There's no obvious physical reason why you can't fit a terabyte and a
> few million MIPS into a handheld and run it off less than a watt.
> Currently no-one knows how to do this. Guessing whether it will or will
> not be done in 50 years is just guessing.
Obviously _any_ prediction about what will happen 50 years from now
has to be a guess. Despite this, I would find it _much_ more
difficult to defend Bob's position than my own. Experimental work at
close to the right design geometries is already being done. To
defend Bob's position, you basically have to assume we hit (and can't
find a way around) an _absolute_ lower limit on design geometries
within the next year or two, so there can never be anything much
better than what we're experimenting with right now. Assuming that
we're going to go from nearly constant progress to essentially none
at all almost overnight seems ridiculous to me.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: [EMAIL PROTECTED] (Jonathan Thornburg)
Subject: Re: AES times on the Alpha 21164 with Parallel encryption
Date: 28 May 2000 10:38:10 +0200
In article <[EMAIL PROTECTED]>,
Kenneth Almquist <[EMAIL PROTECTED]> wrote:
>In the discussion on hardware timings of the AES candidates, some
>posters have suggested that encryption/decryption speed is not a
>particularly useful measure of performance because you can get
>more throughput from a slow algorithm by performing multiple
>encryptions in parallel. While I'm not totally convinced by this
>argument, I did do some back of the envelope calculations of the
>time required to encrypt and decrypt two blocks in parallel on
>the Alpha 21164.
Why compare times on obsolete chips? I don't have the exact 21164
intro date at hand, but I have archived comp.arch postings from the
fall of 1996 where people were debating details of the cache in
shipping 21164 systems, and the half-a-generation-improved 21164PC
was announced at Microprocessor Forum at the same time (fall 96).
A comparison using reasonably contemporary chips would be much more
interesting, i.e. any of Pentium III, AMD K7, Alpha 21264 EV67, and
their kin. Unlike the 21164, these chips are all heavily out-of-order,
so their relative performance might be quite different.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************