Cryptography-Digest Digest #895, Volume #11      Tue, 30 May 00 13:13:01 EDT

Contents:
  Re: PGP wipe how good is it versus hardware recovery of HD? ("matt")
  Re: Q: appropriate number of key-uses before replacement? (Terry Ritter)
  Re: Onefish  -- TC2 (Runu Knips)
  Re: Onefish  -- TC2 (tomstd)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Taneli Huuskonen)
  Re: looking for an 8-byte long output  hashing function (Eric Lee Green)
  Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net" ("Michael Watson")
  Re: Retail distributors of DES chips? (ritter)
  Re: Math problem (P=NP) prize and breaking encryption (Anton Stiglic)
  Re: Retail distributors of DES chips? (tomstd)
  any public-key algorithm ("Dark Nebular")
  Re: any public-key algorithm (tomstd)
  Re: Crypto patentability (Bill Unruh)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Fergus O'Rourke")
  Re: No-Key Encryption (Mok-Kong Shen)
  Re: email list for the contest (Mok-Kong Shen)
  Note on the Hill cipher (II) (Mok-Kong Shen)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Fergus O'Rourke")

----------------------------------------------------------------------------

From: "matt" <[EMAIL PROTECTED]>
Subject: Re: PGP wipe how good is it versus hardware recovery of HD?
Date: Tue, 30 May 2000 22:13:48 +0800

I'd say a major reason is speed, as well as to ensure the integrity of
the encryption...

Matt.

"Guy Macon" <[EMAIL PROTECTED]> wrote in message
news:8grvv0$[EMAIL PROTECTED]...
> In article <8grrml$30e$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>
> >In fact, I have come to the conclusion that you
> >should never put anything on a hard disk unless
> >you would also be willing to post it to the net.
> >That means hardware encryption of your
> >entire hard disk. Use key management, and the
> >mere act of cancelling a certain key will "wipe
> >out" all the information encoded by that key.
> >No multi pass overwriting required.
> >
> >--
> >If you know about a retail source of
> >inexpensive DES chips, please let
> >me know,  thanks.
>
> Why do you believe that the encryption must be in
> hardware? Why couldn't you use device driver software?
>



------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Q: appropriate number of key-uses before replacement?
Date: Tue, 30 May 2000 14:22:28 GMT


On Fri, 26 May 2000 00:05:30 GMT, in <8gkf4b$65f$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] wrote:

>Hello all. The literature suggests rotating keys
>regularly, but I have yet to see suggestions on
>how often is often enough?

Blame the current cryptography texts which do not address the issue.  

With respect to the symmetric cipher which actually enciphers data, I
claim there should be *at* *most* one message per message key.
Indeed, there may be *multiple* keys per message, and this should be
required and enforced for really long messages.  

The message key itself should be an unknowable value which cannot be
selected by the sender.  

There are various ways of transporting the message key value.  A
public-key cipher can be used to deliver a message key, although in
that case we may need to do something special to re-key long messages.


I recommend enciphering the "random" message key value under a higher
secret key.  We can re-use that higher key, because it is only used to
transport random data.  

Another way of transporting the message key is to send the random
value as plaintext, then use a keyed hash (or cipher) with a higher
key to produce the message key on both ends.  But that exposes the
original "random" value in the ciphertext, which may help opponents to
predict other "random" values.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
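As an added illustration (not Terry Ritter's code, nor from any project he describes) of the second transport method in the post above: a random value is sent in the clear and both ends turn it into the actual message key with a keyed hash under the higher key, with a segment counter mixed in so that a long message gets several message keys. The HMAC-SHA256 keyed hash, the HMAC counter-mode keystream standing in for the symmetric cipher, the 32-byte segment size and the key bytes are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed demo value standing in for the post's "higher" secret key,
# already shared by both ends (real systems get it from key management).
HIGHER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")
NONCE_LEN = 16
SEGMENT = 32  # toy segment size: a fresh message key every 32 bytes


def message_key(higher_key, nonce, segment_no):
    """Both ends derive the real message key by keyed-hashing the transmitted
    random value under the higher key (the post's second transport method).
    Mixing in a segment counter gives 'multiple keys per message' for long
    messages without sending any further random values."""
    return hmac.new(higher_key, nonce + segment_no.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def keystream(key, length):
    """Stand-in symmetric cipher (HMAC-SHA256 in counter mode); an assumption
    of this example, not something the post specifies."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _apply(higher_key, nonce, data):
    """XOR each segment with a keystream under that segment's own message key."""
    out = bytearray()
    for seg_no, start in enumerate(range(0, len(data), SEGMENT)):
        chunk = data[start:start + SEGMENT]
        ks = keystream(message_key(higher_key, nonce, seg_no), len(chunk))
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def encrypt(higher_key, plaintext, nonce=None):
    """Sender: draw an unknowable nonce from the OS CSPRNG (never picked by
    hand) and send it in the clear ahead of the body. Confidentiality only:
    a real protocol also authenticates nonce and body."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _apply(higher_key, nonce, plaintext)


def decrypt(higher_key, ciphertext):
    """Receiver: split off the clear nonce and re-derive the same segment keys."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return _apply(higher_key, nonce, body)
```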


------------------------------

Date: Tue, 30 May 2000 16:26:42 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Onefish  -- TC2

tomstd wrote:
> 
> I changed my TC1 cipher to use the same sboxes but to use a MDS
> (properly stolen from Twofish) instead of a bit permutation.
> According to Mdw's program there are no differential chars
> involving one sbox only per round.
> 
> It's at
> http://www.tomstdenis.com/tc2.c
> 
> I will try to break this one, but if anyone notices a break,
> please don't disclose it, just give a hint hint nudge nudge.

It's not there. 404 not found.

------------------------------

Subject: Re: Onefish  -- TC2
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 30 May 2000 07:53:17 -0700

In article <[EMAIL PROTECTED]>, Runu Knips
<[EMAIL PROTECTED]> wrote:
>tomstd wrote:
>>
>> I changed my TC1 cipher to use the same sboxes but to use a
MDS
>> (properly stolen from Twofish) instead of a bit permutation.
>> According to Mdw's program there are no differential chars
>> involving one sbox only per round.
>>
>> It's at
>> http://www.tomstdenis.com/tc2.c
>>
>> I will try to break this one, but if anyone notices a break,
>> please don't disclose it, just give a hint hint nudge nudge.
>
>It's not there. 404 not found.

Yeah I took it down since I am still working on it.

Tom


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: [EMAIL PROTECTED] (Taneli Huuskonen)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: 30 May 2000 18:13:26 +0300


In <[EMAIL PROTECTED]>
[EMAIL PROTECTED] (David Boothroyd) writes:

[...]

>I thought you said you were too young. The Poll Tax was replaced because
>Conservative MPs realised it was too unpopular. The idea that the police
>being able to demand that encrypted data (about which they have a reasonable
>suspicion) be decrypted is in some way unreasonable is absurd.

Hi, David, what do you say of this?  A good way to come up with extra
money, even though it's a wee bit short of being entirely legal?  But no
need to worry, the police won't be able to decrypt it unless you give
them the passphrase. :-)


But seriously, according to what I've read about the proposed
legislation, I find some parts of it totally unreasonable.

Taneli Huuskonen

-- 
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: looking for an 8-byte long output  hashing function
Date: Tue, 30 May 2000 15:35:32 GMT

Jean-Luc wrote:
> For a development task, I would need to use a hashing function with an
> output of 8 bytes (and not 16 or 20 like the popular algorithms). The

You can either a) use the first 8 bytes of a 16-byte algorithm, or b) use an 8
byte block algorithm such as DES using one of the techniques discussed in
Applied Cryptography or other crypto handbooks. 

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax

------------------------------

From: "Michael Watson" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk
Subject: Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net"
Date: Tue, 30 May 2000 16:34:58 +0100

Hehe - MI5 is almost down the road from me, in Catterick Garrison I believe!!!
    BASMIC
====
"Axel" <[EMAIL PROTECTED]> wrote in message news:8gusi7$63s$[EMAIL PROTECTED]...
> In uk.legal JimD <[EMAIL PROTECTED]> wrote:
> > The odds are stacked against the right-wing pillocks of the
> > Security Service breaking even a Boy-Scout cipher.
>
> > The balance of likelihood is that the only way it can be
> > compromised is by getting the key by some means other than
> > cryptanalysis.
>
> Which is exactly what they would do, perhaps by seizing the originating
> computer and examining it for temporary documents or simply remote
> monitoring of the screen either by tempest, or even something as simple
> as a bug... don't forget the videoing of the accused in the Lawrence
> affair.
>
>



------------------------------

Subject: Re: Retail distributors of DES chips?
From: ritter <[EMAIL PROTECTED]>
Date: Tue, 30 May 2000 08:45:43 -0700


In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Mark Wooding) wrote:
>Terry Ritter <[EMAIL PROTECTED]> wrote:
>
>> But how shall we measure this "trustworthy" property so we can "make
>> sure" that it exists?
>>
>> There is an alternative, and I have been promoting it for several
>> years:  Use *scalable* cipher designs, so we can perform an extensive
>> or even exhaustive analysis of the tiny scaled-down version.
>
>Sorry to interrupt while you're on your hobby horse, Terry, but I was
>referring to *implementations* of existing cipher designs.

Oh, well, if "implementation" is the distinction,
then perhaps you will tell us just how you *test* for
the "trustworthy" property in *implementations*.

Or maybe your idea of "trustworthy" is the real
hobby-horse ride being so rudely interrupted.


>The discussion in hand is about the possibility of hardware implementations
>of strong (as a matter of hypothesis) having been deliberately
>compromised by the vendor.  Cipher design doesn't help here.

"Software" is just another name for the
customization of hardware digital systems.  In
general, when we want a complete understanding of
what is present in a digital system, we must have
exhaustive tests.  Such tests are impossible in real
size cipher systems, either hardware or software.
Only tiny systems allow exhaustive tests, only
scalable ciphers allow us to build tiny systems
directly related to real ones, and only exhaustive
testing allows us to know that nothing else is there.

Perhaps that is clearer now.

That said, I think we can test a cipher chip to a
software implementation, using the property that
we have a particular 1:1 transformation, and that
no more information comes out than goes in.  But
that means the chip cannot pick any "random"
system-level values (no message keys, no IV's).
It also means that if *the* *cipher* is exposing
key in the structure of the ciphering itself, we
will not find that.  Ooops!

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM




------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Math problem (P=NP) prize and breaking encryption
Date: Tue, 30 May 2000 11:56:30 -0400


There is a proof that factoring is not NP-hard (I'm talking
about NP-hard, and not NP-complete). The proof is from Gilles
Brassard.  See [Brassard79].
He proved that under certain hypotheses (which exclude, for
example, probabilistic encryption schemes, see [Brassard79]
and [GoldreichGoldwasser98]), one could not base a public-key
encryption scheme on an NP-hard problem unless NP = coNP.
RSA encryption resides inside the hypothesis constraints, and
uses the fact that Factoring is hard; conclude for yourself.

There has also been interesting work in [Ajtai97] and 
[AjtaiDwork97].


[Brassard79] Relativized Cryptography.  In 20th FOCS, pages 383-391, 1979.
[GoldreichGoldwasser98] On the Possibility of Basing Cryptography
  on the Assumption that P != NP.  (I have a hard copy of this paper;
  I know I got it somewhere on the web but I don't remember where.)
[Ajtai96] Generating Hard Instances of Lattice Problems.  In 28th STOC,
  pages 99-108.
[AjtaiDwork97] A Public-Key Cryptosystem with Worst-Case/Average-Case
  Equivalence.  In 29th STOC, pages 284-293, 1997.

Anton

David Blackman wrote:
> 
> Scott Contini wrote:
> >
> 
> > Here's my 2 cents:
> >
> > Factoring is certainly not NP-complete (though a proof of this
> > does not exist).  We can factor in sub-exponential time, but the
> > fastest algorithms for solving general NP-complete problems take
> > exponential time.
> >
> > Scott
> 
> I think there is a proof that if factoring is NP-complete, then either
> P=NP, or the extended Riemann hypothesis fails. I vaguely remember this
> is referenced in Garey and Johnson (but i've lost my copy). A lot of
> people would consider this to prove that factoring is not NP-complete,
> although technically it is not quite such a proof.
> 
> It hinges on factoring being (almost certainly) in co-NP.

------------------------------

Subject: Re: Retail distributors of DES chips?
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 30 May 2000 08:55:34 -0700

In article <[EMAIL PROTECTED]>, ritter
<[EMAIL PROTECTED]> wrote:
>
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>(Mark Wooding) wrote:
>>Terry Ritter <[EMAIL PROTECTED]> wrote:
>>
>>> But how shall we measure this "trustworthy" property so we can "make
>>> sure" that it exists?
>>>
>>> There is an alternative, and I have been promoting it for several
>>> years:  Use *scalable* cipher designs, so we can perform an extensive
>>> or even exhaustive analysis of the tiny scaled-down version.
>>
>>Sorry to interrupt while you're on your hobby horse, Terry, but I was
>>referring to *implementations* of existing cipher designs.
>
>Oh, well, if "implementation" is the distinction,
>then perhaps you will tell us just how you *test* for
>the "trustworthy" property in *implementations*.
>
>Or maybe your idea of "trustworthy" is the real
>hobby-horse ride being so rudely interrupted.
>
>
>>The discussion in hand is about the possibility of hardware implementations
>>of strong (as a matter of hypothesis) having been deliberately
>>compromised by the vendor.  Cipher design doesn't help here.
>
>"Software" is just another name for the
>customization of hardware digital systems.  In
>general, when we want a complete understanding of
>what is present in a digital system, we must have
>exhaustive tests.  Such tests are impossible in real
>size cipher systems, either hardware or software.
>Only tiny systems allow exhaustive tests, only
>scalable ciphers allow us to build tiny systems
>directly related to real ones, and only exhaustive
>testing allows us to know that nothing else is there.
>
>Perhaps that is clearer now.

Yup it's clear you are not answering the question.

His question was about the possibility of DES being fudged up by some
naughty person.  Not whether DES was strong or not, but whether the
CHIP was.

Not like you do bad work, but you are plugging it in the wrong
spot my friend.

Tom




------------------------------

From: "Dark Nebular" <[EMAIL PROTECTED]>
Subject: any public-key algorithm
Date: Tue, 30 May 2000 16:34:36 GMT

Hi !!

Could anybody give me the description of a public-key algorithm, other than
RSA?

Thank you

DN ([EMAIL PROTECTED])



------------------------------

Subject: Re: any public-key algorithm
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 30 May 2000 09:48:14 -0700

In article <w4SY4.3338$[EMAIL PROTECTED]>, "Dark
Nebular" <[EMAIL PROTECTED]> wrote:
>Hi !!
>
>Could anybody give me the description of a public-key
algorithm, other than
>RSA?

Look up NTRU, ECC or ElGamal

Tom




------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Crypto patentability
Date: 30 May 2000 16:52:23 GMT

In <[EMAIL PROTECTED]> Mok-Kong Shen <[EMAIL PROTECTED]> writes:



>Bill Unruh wrote:

>> However, in the case of software, I find it hard to find a justification
>> for patents. Since software must be readable by computer, and thus also
>> ( with more work) by humans, it is very very hard to maintain trade
>> secrecy. The publication of the patented process is the primary reason
>> for patents. Why should society grant a monopoly when it gets little in
>> return it would not get anyway? (Of course some people are of the

>Your arguments are not yet clear to me. Software patents are quite akin
>to book copyrights, aren't they? They let their authors to obtain some
>rewards for their intellectual activities. In both cases illegal copies can be
>done and hard to find.


Again, patents and copyrights are not "reward" systems--the state
feeling sorry for the poor writer and taxing the rest of society to make
him rich. Patents are an agreement that in return for making the
invention public, the state will grant a monopoly. Software is already,
by its nature, public. You do not need the monopoly bribe to have it
made public. Society gets a very very bad deal out of software patents.

Software copyrights are also a very bad deal. There is no evidence
whatsoever that society has to give software writers a life+75 year
monopoly in order to get stuff written. I would like to see a 3 year
software copyright, extended to 7 if the source code is published. The
current system is totally irrational, unless you believe, like the
soviets did, that the purpose of government is to make people rich by
granting monopolies to friends.

------------------------------

From: "Fergus O'Rourke" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Tue, 30 May 2000 17:55:22 +0100

Andru Luvisi <[EMAIL PROTECTED]> wrote in message
> This is not a usenet post.  This is a binding contract which you have
> already signed, stating that you must pay me US$1,000,000 on or before
> July 1st 2000.

Eh?




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Date: Tue, 30 May 2000 19:11:22 +0200



DD wrote:

> tomstd <[EMAIL PROTECTED]> wrote
>
> > If I get the 3-pass protocol it is:
> >
> > A wants to send B 'm'.
> >
> > 1.  A sends m^e mod p
> > 2.  B sends m^e^d mod p
> > 3.  A sends m^e^d^-e mod p
> >
> > B recovers 'm' via m^e^d^-d^-e mod p
> >
> > Then 'e' and 'd' are your keys. This is hardly 'no-key'
> > encryption.
> >
>
> It is no-key in the sense that neither user has a key.
> It's generated on the fly (e.g. a session key) and exchanged
> like in Diffie-Hellman.

Still, this stuff generated on the fly is 'fundamentally' inaccessible
to the analyst and hence are equivalent to (secret) keys. The same
doesn't seem to apply to using foreign languages.

M. K. Shen
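The three-pass exchange quoted above, written out as an added example (not code from any poster in the thread): each side picks its exponent on the fly together with its inverse mod p-1, which is the standard construction for commutative exponentiation (Shamir's three-pass protocol) and what the quoted "^-e" and "^-d" stand for. The modulus, the parameter check and the function names are this example's assumptions; the transcript makes visible what the thread argues about, namely that e and d are secrets held by A and B even though neither is agreed in advance.

```python
import secrets
from math import gcd

# Constructed demo modulus: a prime p known to everyone, including an
# eavesdropper. 2^127 - 1 keeps the demo quick; real use wants a far larger prime.
P = 2**127 - 1


def fresh_exponent(p):
    """One party's on-the-fly 'key': e coprime to p-1 together with its
    inverse e^-1 mod (p-1), so that (x^e)^(e^-1) == x mod p for all x."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def three_pass(m, p=P, e=None, d=None):
    """Runs the exchange from the post and returns (transcript, recovered).
    A holds (e, e^-1), B holds (d, d^-1); only the three transcript values
    cross the wire. Fixed e and d may be passed in for a reproducible run."""
    if not 1 < m < p:
        raise ValueError("message must be reduced into 1 < m < p")
    e, e_inv = (e, pow(e, -1, p - 1)) if e is not None else fresh_exponent(p)
    d, d_inv = (d, pow(d, -1, p - 1)) if d is not None else fresh_exponent(p)
    c1 = pow(m, e, p)              # 1. A -> B : m^e
    c2 = pow(c1, d, p)             # 2. B -> A : m^(e*d), exponents commute
    c3 = pow(c2, e_inv, p)         # 3. A -> B : m^d, A has stripped its own e
    recovered = pow(c3, d_inv, p)  # B strips d and holds m
    return [c1, c2, c3], recovered
```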


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: email list for the contest
Date: Tue, 30 May 2000 19:11:31 +0200



tomstd wrote:

> Here are the relevant email addys you need to know.

> [snip]

Since many of us are also interested in mathematics, it may be of
interest to know that there has recently been established a contest
for solving seven well-known mathematical problems, each with
a prize of one million dollars.

It would be fine, if some benevolent rich person (Gates?) could
donate a similar prize to solve the problem of crackability of a
certain cipher that is destined for universal use in the new millennium.

M. K. Shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Note on the Hill cipher (II)
Date: Tue, 30 May 2000 19:11:37 +0200


The Hill cipher

     C = H * P    mod u

where H is an invertible matrix in Z_u, has the known
disadvantage that, if a pair of plaintext and ciphertext is
available, then H, the 'key', can be recovered.

A direct remedy of this, which becomes practical with the
availability of computers nowadays as compared to the time
of Hill's invention, is to employ a PRNG to generate
one H for each P. The 'key' of the scheme is then the seed
of the PRNG. An alternative that allows some longer use of
the same matrix H is the following: One fills the plaintext
into the matrix P excepting the main diagonal, which is
filled with output from the PRNG. (If one wishes, one could
also arrange to have these pseudo-random diagonal elements
such that P and (hence) C are not invertible.)

What is said above obviously applies also to the following
variation of the Hill cipher suggested in my previous note
with the same title:

     C = H1 * P * H2    mod u

M. K. Shen
==============================
http://home.t-online.de/home/mok-kong.shen
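An added worked example (not Mok-Kong Shen's own code) of the note above over Z_26 with 2x2 matrices: the plain cipher, the known-plaintext recovery of H from one invertible (P, C) pair, and both remedies, a fresh PRNG-drawn H per block and the fixed H with a PRNG-filled main diagonal. The HMAC-SHA256 counter-mode PRNG, the 2x2 size and the function names are assumptions of this example.

```python
import hashlib
import hmac

U = 26  # the modulus u of the post (letters A..Z as 0..25)

def modinv(a, u):
    """Inverse of a in Z_u by trial (u is small); None when gcd(a, u) != 1."""
    a %= u
    for x in range(1, u):
        if (a * x) % u == 1:
            return x
    return None

def mat_mul(A, B, u):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % u for j in range(n)]
            for i in range(n)]

def mat_inv2(M, u):
    """Inverse of a 2x2 matrix over Z_u via the adjugate; None if singular."""
    (a, b), (c, d) = M
    det_inv = modinv(a * d - b * c, u)
    if det_inv is None:
        return None
    return [[d * det_inv % u, -b * det_inv % u],
            [-c * det_inv % u, a * det_inv % u]]

def prng(seed, label, counter, count, u):
    """Demo PRNG (HMAC-SHA256 in counter mode, one label per use); the post
    only says 'a PRNG', so this construction is an assumption. The seed is
    the scheme's key."""
    block = hmac.new(seed, label + counter.to_bytes(4, "big"),
                     hashlib.sha256).digest()
    return [b % u for b in block[:count]]  # slight bias, fine for a demo

def encrypt(H, P, u=U):
    """Plain Hill cipher: C = H * P mod u."""
    return mat_mul(H, P, u)

def decrypt(H, C, u=U):
    return mat_mul(mat_inv2(H, u), C, u)

def recover_key(P, C, u=U):
    """The weakness the post names: given one (P, C) pair with P invertible,
    H = C * P^-1 mod u falls out directly."""
    P_inv = mat_inv2(P, u)
    return None if P_inv is None else mat_mul(C, P_inv, u)

def key_for_block(seed, block_no, u=U):
    """Remedy 1: a fresh invertible H per block from the PRNG; a sub-counter
    retries the draw when it comes out singular."""
    for attempt in range(256):
        v = prng(seed, b"H", block_no * 256 + attempt, 4, u)
        H = [[v[0], v[1]], [v[2], v[3]]]
        if mat_inv2(H, u) is not None:
            return H
    raise RuntimeError("no invertible matrix after 256 draws")

def encrypt_diagonal(H, pair, seed, block_no, u=U):
    """Remedy 2: keep H, put the two plaintext symbols off the diagonal and
    fill the diagonal from the PRNG, so the analyst never knows all of P."""
    r = prng(seed, b"D", block_no, 2, u)
    P = [[r[0], pair[0]], [pair[1], r[1]]]
    return mat_mul(H, P, u)

def decrypt_diagonal(H, C, u=U):
    """Receiver inverts H and keeps only the off-diagonal entries."""
    P = decrypt(H, C, u)
    return (P[0][1], P[1][0])
```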


------------------------------

From: "Fergus O'Rourke" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Tue, 30 May 2000 17:58:53 +0100

Axel <[EMAIL PROTECTED]> wrote in message
news:8gus3n$63s$[EMAIL PROTECTED]...
> In uk.legal Fergus O'Rourke <[EMAIL PROTECTED]> wrote:
> > The best way to get a tyrannical government is not to vote
>
> Not when there are limitations on standing for election and how
> candidates are allowed to describe themselves.
>

Don't be silly



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
