Cryptography-Digest Digest #914, Volume #11       Thu, 1 Jun 00 20:13:01 EDT

Contents:
  Re: Powers of s-boxes and other functions (Jim Steuert)
  Re: Tableaus Revisited, Again ("Douglas A. Gwyn")
  Re: DVD encryption secure? -- any FAQ on it (Bryan Olson)
  Re: encryption without zeros (zapzing)
  Re: Finding primitive polynomials via the Berlekamp method? (Terry Ritter)
  Re: Question about Re: RSA/PK Question ("DD")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Andy Dingley)
  Re: Free Crypto-Lib for VB? ("jeff tallent")
  Re: UDP Cotse (Chuck Kohlenberg)
  Re: Finding primitive polynomials via the Berlekamp method? (lordcow77)
  Re: Q: Session key generation ([EMAIL PROTECTED])
  old ssl challenge ("Nathan J. Yoder")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Scotty")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Scotty")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Scotty")

----------------------------------------------------------------------------

From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: Powers of s-boxes and other functions
Date: Thu, 01 Jun 2000 17:09:26 -0400

Hi David,

  Thanks for your papers. I looked at them briefly. I will study them,
but I accept your results.

   I have been able to compose permutation polynomials, and thus form
powers of a permutation (which must be permutations). Note that we are
iterating the whole function description. Only after we iterate do we plug
in a value. For powers of a permutation, the plugged-in values can't
collide. It all depends on what you consider the inputs of the function.
There are in fact two inputs: f(iteration count, root-value). I'm not sure
that collisions of the "count" would be a problem in some applications.
Plus, I think we can make the probability of such collisions vanishingly
small with some functions (I haven't shown this).

My hope is that we can find a large variety of functions via symbolic
algebraic methods. Several modern crypto functions have algebraic
descriptions which may be useful for designing classes of these functions.

                              -Jim Steuert


"David A. Wagner" wrote:

> In article <[EMAIL PROTECTED]>,
> Jim Steuert  <[EMAIL PROTECTED]> wrote:
> > It would be interesting to come up with
> > a hash function which could be
> > practically "iterated" in logarithmic
> > time.
>
> Yes, it would.
>
> Unfortunately, I have a proof that strong collision-resistance is
> incompatible with efficient iteration.  This gives some partial evidence
> that such hash functions may be hard to find, or at least, that if such
> functions exist, you might be able to find collisions in them.
>
> For details, see
>    http://www.cs.berkeley.edu/~daw/my-posts/iterable-hash
> for early results; or, for stronger results, see Theorem 1 of
>    http://www.cs.berkeley.edu/~daw/papers/keystretch.ps

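As an added illustration (constructed for this digest, not code from Jim Steuert's or David Wagner's posts), here is the "iterate the function description, then plug in a value" idea in Python: composition powers of a permutation table by square-and-multiply, the same trick done symbolically on the exponent of a monomial permutation polynomial x^e mod p, and the free collision in the two-input function F(count, root) that Wagner's incompatibility result predicts. The permutation, the prime and the exponent are assumptions of the example.

```python
import math
import random

# Constructed example.  A permutation on {0, ..., n-1} is a list p with
# p[i] = image of i.


def compose(p, q):
    """(p o q)[i] = p[q[i]]: apply q first, then p."""
    return [p[i] for i in q]


def perm_power(p, k):
    """k-fold composition p^k by square-and-multiply on the table.

    Costs O(log k) compositions of O(n) each instead of k applications;
    powers of one permutation commute, so the multiplication order is free."""
    result = list(range(len(p)))          # identity permutation
    base = list(p)
    while k:
        if k & 1:
            result = compose(base, result)
        base = compose(base, base)
        k >>= 1
    return result


def iterate_naive(p, k, x):
    """Reference: apply p to x, k times, one step at a time."""
    for _ in range(k):
        x = p[x]
    return x


def monomial_power_exponent(e, k, p):
    """Permutation polynomial f(x) = x^e mod p (prime p > 2, gcd(e, p-1) == 1).

    Composing f with itself k times gives x^(e^k); reducing the exponent
    mod p-1 (Fermat) keeps it small, so f^k is written down in O(log k)."""
    if p < 3 or math.gcd(e, p - 1) != 1:
        raise ValueError("x^e is not a permutation of Z_p for these parameters")
    return pow(e, k, p - 1)


def monomial_iterate(e, k, x, p):
    """f^k(x) for f(x) = x^e mod p, evaluated via the symbolic exponent."""
    return pow(x, monomial_power_exponent(e, k, p), p)


def two_input_function(p, count, root):
    """The iterated map seen as F(count, root) = p^count(root)."""
    return perm_power(p, count)[root]


def count_collision(p, count, root):
    """Two distinct (count, root) inputs with equal F output.

    F(count+1, root) = p^(count+1)(root) = p^count(p(root)) = F(count, p(root)),
    so once the iteration count is an input, collisions cost nothing: the
    structural reason a fast-iterable map cannot be collision-resistant."""
    return (count + 1, root), (count, p[root])


def random_permutation(n, seed):
    rng = random.Random(seed)            # seeded only so the example repeats
    p = list(range(n))
    rng.shuffle(p)
    return p


if __name__ == "__main__":
    p = random_permutation(50, 7)
    print(perm_power(p, 12345)[3], iterate_naive(p, 12345, 3))
    a, b = count_collision(p, 9, 3)
    print(a, b, two_input_function(p, *a) == two_input_function(p, *b))
```

The table version works for any permutation; the monomial version is the algebraic case Jim describes, where the composition is carried out on the function's description (the exponent) and a value is plugged in only at the end.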

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Tableaus Revisited, Again
Date: Thu, 1 Jun 2000 20:30:53 GMT

Mok-Kong Shen wrote:
> I always wonder why Vigenere was that popular and people didn't
> widely employ substitution tables with independent alphabets, i.e.
> with each column being an arbitrary permutation of the alphabet.

Such tables have been used, but they are harder to construct and
require a much larger key (since one is unlikely to remember more
than just the standard alphabet).  The main theoretical importance
of a Vigenere tableau is that it corresponds to the way that some
machine systems work.

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: Thu, 01 Jun 2000 18:55:23 GMT

Casper H.S. Dik wrote:
> Bryan Olson writes:
>
> >Though now broken, the DVD system was a copy protection
> >mechanism, of which the disk encryption was one part. The
> >concept was that decoders able to decrypt the disk would
> >refuse to do so unless the data was read from the original
> >media.
>
> Or from media exactly like; it's a fallacy: the disks are just a bunch
> of bits; you can read them you can copy them

Giving you a copy of a bunch of bits that will not play as a
movie.  And to even get those bits requires defeating part
of the system.  There were reports on a DVD discussion group
that someone built a module that could feed the raw data to
a player as if it came from the drive, but a workable demo
never appeared.

> >> You can do bit-by-bit copying of DVD disks and they'll play in
> >> any player; no need to decrypt.
>
> >Consumer equipment will not make exact copies of DVD disks.
> >Equipment that can write to the special reserved areas is
> >available only under restrictive licensing terms.
>
> Yeah, And the consumers are the main pirates?  It's the people
> with serious $$ who'll make millions of copies and sell them.

So a well-funded operation can defeat the system.  You had
claimed "it's not a copy protection mechanism at all" and
that is false.

Incidentally, the pirate DVD market is mainly in titles,
translations, or region-codings not previously released on
DVD. There are also reports that pirates in Asia broke the
encryption a couple years ago and copied just as DeCSS does.
Do you know of any piracy operation based on bit-for-bit
media copy?


> The consumer technology needs to read the entire
> disk, even though some data will stay inside the
> controller; how hard do you think it is to replace
> the drive firmware and just read the bits?

The larger problem is the one I noted: consumer equipment
will not _write_ the reserved areas.  Modifying consumer
drives to write exact copies of CSS encoded DVDs is hard
enough that no such modifications are known to be available.


Spreading false assertions about the DVD protection system
only hurts the case for open cryptanalysis and related
software. No, you can't do a bit-for-bit copy and have it
play in any player; at least not unless the "you" we are
addressing is a sophisticated and well-funded engineering
team (or a DVD Consortium licensee).


--Bryan
--
email: bolson at certicom dot com


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: encryption without zeros
Date: Thu, 01 Jun 2000 20:29:40 GMT

In article <8gv24e$ol7$[EMAIL PROTECTED]>,
  "Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
>
> Mathew Hendry <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > On 29 May 2000 19:02:49 GMT, Postmaster@[127.0.0.1] (real address at
> > end of post) wrote:
> >
> > >> > :> lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:
> > >> > :> > block through the encryption function again, and repeat
> > >> > :> > until you don't get any zeros.
> > >
> > >[much snippage]
> > >
> > >Also, this method leaks timing info which can not be compensated
> > >because of the non-determinism.
> >
> > How would such timing info help an attacker?
>
> If you send an 8 block message, and the attacker can determine that it
> took long enough to actually encrypt 10 blocks, then he has a good guess
> that two of the blocks had a zero in them when they were encrypted, and
> had to be re-encrypted (or, possibly, one of the blocks had to be
> encrypted three times).
>
> Now, this is leaking information.  Not much, though, and it's by no
> means obvious how the attacker could use this.

This information, if you really are worried about it,
can be eliminated by simply introducing a time delay
so that all encryptions (except the enormously
improbable ones) take the same time. If it only took
one encryption, wait for the time it takes to do 9
more, etc.

>
> --
> poncho
>
>

--
If you know about a retail source of
inexpensive DES chips, please let
me know,  thanks.



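An added example (constructed for this digest, not code from the thread) that makes Scott Fluhrer's and zapzing's points concrete. A toy Feistel cipher stands in for the unnamed block cipher; `encrypt_until_no_zero` re-encrypts until no zero byte remains and reports how many passes it took, which is the quantity a timing measurement exposes; `encrypt_fixed_work` always performs the same number of encryptions, which is zapzing's "make every encryption take the same time" done by fixed work rather than by sleeping. The key, the cipher and the sample plaintexts are assumptions of the example.

```python
import hashlib

BLOCK_BYTES = 8        # toy 64-bit block; the thread names no particular cipher
ROUNDS = 8
MAX_PASSES = 16        # fixed work budget for the padded variant


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # SHA-256 as a keyed round function is a stand-in so the example needs
    # only the standard library; the argument does not depend on the cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Balanced Feistel network: L' = R, R' = L xor F(R)."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def encrypt_until_no_zero(key: bytes, block: bytes):
    """The scheme under discussion: re-encrypt until no byte is zero.

    Returns (ciphertext, passes).  The loop length depends on intermediate
    values, so the pass count is what an attacker timing the sender learns."""
    c = block
    for passes in range(1, MAX_PASSES + 1):
        c = toy_encrypt(key, c)
        if 0 not in c:
            return c, passes
    raise RuntimeError("no zero-free ciphertext within the budget")


def encrypt_fixed_work(key: bytes, block: bytes) -> bytes:
    """Equalised variant: always run MAX_PASSES encryptions, then keep the
    first zero-free intermediate.  The number of cipher calls no longer
    depends on the data (Python itself is not constant-time; this only
    fixes the cipher-call count, which is what the timing argument is about)."""
    c = block
    candidates = []
    for _ in range(MAX_PASSES):
        c = toy_encrypt(key, c)
        candidates.append(c)
    for c in candidates:
        if 0 not in c:
            return c
    raise RuntimeError("no zero-free ciphertext within the budget")


def decrypt_until_plaintext(key: bytes, c: bytes, passes: int) -> bytes:
    """Undo `passes` encryptions.  How the receiver learns the count is left
    open in the thread, so it is simply a parameter here."""
    for _ in range(passes):
        c = toy_decrypt(key, c)
    return c


def pass_histogram(key: bytes, blocks) -> dict:
    """How many blocks needed 1, 2, 3, ... passes: the distribution that a
    message's total encryption time samples from."""
    hist = {}
    for b in blocks:
        _, passes = encrypt_until_no_zero(key, b)
        hist[passes] = hist.get(passes, 0) + 1
    return hist


if __name__ == "__main__":
    key = b"constructed-key!"                                  # constructed
    blocks = [n.to_bytes(BLOCK_BYTES, "big") for n in range(2000)]  # constructed
    print(pass_histogram(key, blocks))   # most blocks take 1 pass, a few take more
```

With an 8-byte block, about 3% of intermediate ciphertexts contain a zero byte, so a message of eight blocks usually costs eight cipher calls and occasionally nine or ten; the fixed-work version always costs the same, and both produce identical ciphertexts.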
------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Finding primitive polynomials via the Berlekamp method?
Date: Thu, 01 Jun 2000 21:58:18 GMT


On Thu, 01 Jun 2000 13:51:51 -0700, in
<[EMAIL PROTECTED]>, in sci.crypt lordcow77
<[EMAIL PROTECTED]> wrote:

>The most commonly used algorithm for finding primitive
>polynomials of arbitrary degree n over GF(2) is to test whether
>x^p_i==1 mod p(x) for all prime factors p_i of 2^n-1. The
>process of locating primitive polynomials is evidently related
>to the problem of factoring univariate polynomials using the
>classical Zassenhaus-Berlekamp method, according to the sources
>that I have consulted. However, there is not enough detail
>present to understand how it would be possible to use this for
>determining whether a particular polynomial is prime, although I
>gather that it would have something to do with constructing a
>matrix with the coefficients of the evaluated polynomial at
>various values and determining the rank of this matrix. Could
>somebody please provide some more information?

From my Crypto Glossary:

   http://www.io.com/~ritter/GLOSSARY.HTM#PrimitivePolynomial

[...]
All primitive polynomials are irreducible, but irreducibles are not
necessarily primitive, unless the degree of the polynomial is a
Mersenne prime. One way to find a primitive polynomial is to select an
appropriate Mersenne prime degree and find an irreducible using
Algorithm A of Ben Or: 

           1.  Generate a monic random polynomial gx of degree n over GF(q);
           2.  ux := x;
           3.  for k := 1 to (n DIV 2) do
           4.     ux := ux^q mod gx;
           5.     if GCD(gx, ux-x) <> 1 then go to 1 fi;
           6.     od

            Ben-Or, M. 1981. Probabilistic algorithms in finite
fields. Proceedings of the 22nd IEEE Foundations of Computer Science
Symposium. 394-398. 
[...]


I also give a wide range of references in my RNG article:

   http://www.io.com/~ritter/ARTS/CRNG2ART.HTM#Sect6.5

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

Reply-To: "DD" <[EMAIL PROTECTED]>
From: "DD" <[EMAIL PROTECTED]>
Subject: Re: Question about Re: RSA/PK Question
Date: Thu, 1 Jun 2000 23:00:21 +0100

Thanks for the clarification guys.

Best of luck in your finals Tom.

Regards,
Dermot.

tomstd <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <8h66g2$72g$[EMAIL PROTECTED]>, sarnold_intertrust@my-
> deja.com wrote:
> >In article <KkvZ4.15$[EMAIL PROTECTED]>,
> >  "DD" <[EMAIL PROTECTED]> wrote:
> >> tomstd <[EMAIL PROTECTED]> wrote in message
> >> > I also don't agree with using 128+ bit symmetric keys because it
> >> > provides a false sense of security.  "Oh it's secure because I
> >> > use a 256-bit symmetric key", big deal.
> >>
> >> I don't understand what you mean, can you or anyone else please
> >> explain?  Are you saying that it is not secure or that whether the
> >> key is 128 bits or say 256 bits makes little difference in practice
> >> because both are thought to be secure today?
> >
> >In an attempt to help Tom study bio, I will try putting words into his
> >mouth. :)
> >
> >What I think Tom is getting at, is that a 256-bit key is as easy to
> >bribe/steal/torture/blackmail out of users as a 128-bit key.  However,
> >since a 256 bit key is so much more secure in terms of brute-force
> >check-all-keys attacks, people are more likely to commit secrets to
> >256-bit keys when the O(1) attacks on the keys are just as effective on
> >256-bit as 128-bit.  The extra bits lead people to trust the system more
> >than they should, leading to a false sense of security.  (Or, perhaps, by
> >seeing "256-bit" users might think the system is great, whereas the
> >protocol itself might leak too much information, or the implementation
> >was done poorly, etc.)
> >
> >(For those secrets where one needs 256 bits of brute-force protection, a
> >good FIPS 140-1 level 4 hardware device with a threshold scheme on
> >operators isn't too much to ask. :)
> >
> >But, of course, I don't speak for Tom -- I just think I understood what
> >he was saying. :)
>
> You nailed it right on the head.
>
> Personally my grief is not with 256 bit keys, my point is just that
> they are from a practical standpoint no more secure.
>
> If you are using an AES cipher then please do use a 256 bit key,
> but please do verify the security of all the other parts.
>
> The big "grief" is with people and their huge key ciphers (say
> +512 bits).  Here is my view on key requirements of today.
>
> 80-bit      Security for about 5~10 years.
>
> 128-bit     Security for about 15~20 years (at the least).
>
> 256-bit     Security for about 100 years (at the least).
>
> As it stands now, with distributed.net it's been about 2.5 years
> searching for a 64 bit key.  An 80-bit key is 65536 times
> harder.  So I would bet 5~10 years is a good margin.
>
> Of course like I said if you are using an AES cipher, use either
> 128/192/256 bit keys.  The algorithms have been analyzed with
> all three in mind.
>
> Anyways, I have loads of bio to study.  Maybe I will post after
> finals.
>
> Tom
>
>
> * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
> The fastest and easiest way to search and participate in Usenet - Free!
>



------------------------------

From: Andy Dingley <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Thu, 01 Jun 2000 23:05:12 +0100

George Edwards <[EMAIL PROTECTED]> wrote:

>all they can do is take away your PC 

No, they can lock me up for two years.

You think imprisonment by legal stupidity doesn't happen ?  What about
the two homeless shelter workers in Cambridge ?


------------------------------

From: "jeff tallent" <[EMAIL PROTECTED]>
Subject: Re: Free Crypto-Lib for VB?
Date: Thu, 01 Jun 2000 22:13:55 GMT

Check out this site: http://www.sevillaonline.com/ActiveX/index.htm.
Although his DLLs do not come with the source code, as far as I know they
are free and work very well. The only reason I stopped using them was
because I wanted to have the source code. So I wrote my own ActiveX library
instead. Alvaro's DLL comes with SHA-1, RC2, RC4 and DES56 along with Base64
enc/dec, Hex conversion functions and some others... hope this helps!

jeff


"Charles" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I'm looking for a free cryptography library full of vector-tested
> algorithms, either in BAS, OCX or DLL format, which are usable in a
> Visual Basic environment.  I realise that VB is the poorest choice for
> a language involving crypto, but I would appreciate some help in
> finding something.
>
> I have had limited success, once finding a vector-verified Blowfish
> DLL, and another in a group of BAS files with the hashes MD5 and
> SHA-1, and the cipher RC4, but MD5 didn't verify against the
> vectors...so scrap that one.
>
> Anyone know where I can find a free crypto-lib for VB? (particularly
> including an implementation of SHA-1).



------------------------------

From: Chuck Kohlenberg <[EMAIL PROTECTED]>
Crossposted-To: 
news.admin.net-abuse.usenet,alt.privacy.anon-server,alt.vacation.las-vegas,ne.general,alt.anonymous
Subject: Re: UDP Cotse
Date: 1 Jun 2000 17:59:06 -0500

In <[EMAIL PROTECTED]>, Charles Demas posted:

>In article <20000601191751$[EMAIL PROTECTED]>,

>Damn!  Spam from Bellglobal is way down this week.  
>
>Looks like chances that they'll be UDPed are getting pretty small.  :~(

Get that Spamhause COSTE instead.


------------------------------

Subject: Re: Finding primitive polynomials via the Berlekamp method?
From: lordcow77 <[EMAIL PROTECTED]>
Date: Thu, 01 Jun 2000 16:18:53 -0700

Errr, yes, that's exactly the method I described as the
traditional way of finding primitive polynomials (ensuring that
the residue of x^(p_i) mod p(x) for all factors p_i is not equal
to one). Perhaps I was unclear: Berlekamp's Q-matrix algorithm
can be used to factor univariate monic polynomials; it seems
reasonable that some adaptation of this could be used to quickly
screen for whether a particular polynomial was primitive or not
(by computing the dimension of the null space of Q-I, since this
is equal to the number of irreducible factors of p(x)).


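Both tests discussed in this thread, as an added worked example (not code from Terry Ritter's glossary or from lordcow77's posts): Ben-Or's Algorithm A as listed above, specialised to q = 2; the order test for primitivity (x^((2^n-1)/p_i) != 1 mod p(x) for every prime p_i dividing 2^n-1, after an irreducibility check); and the Berlekamp Q-matrix nullity from the reply, whose value is the number of distinct irreducible factors of p(x). Polynomials over GF(2) are held as Python ints with bit j the coefficient of x^j; the test polynomials are constructed inputs. The `count_degree` helper also checks Ritter's remark numerically: at degree 4 only two of the three irreducibles are primitive, while at degree 5, where 2^5-1 is prime, every irreducible is primitive.

```python
# Polynomials over GF(2) as ints: bit j is the coefficient of x^j.
X = 0b10


def pmod(a, m):
    """a mod m over GF(2)."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def pmulmod(a, b, m):
    """a * b mod m over GF(2); a must already be reduced mod m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = pmod(a << 1, m)
    return r


def ppowmod(base, e, m):
    """base^e mod m by square-and-multiply."""
    r, base = 1, pmod(base, m)
    while e:
        if e & 1:
            r = pmulmod(r, base, m)
        base = pmulmod(base, base, m)
        e >>= 1
    return r


def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a


def ben_or_irreducible(g):
    """Ben-Or's Algorithm A for q = 2, following the listing in Ritter's post:
    u := x; for k = 1 .. n DIV 2: u := u^2 mod g; reducible if gcd(g, u - x) != 1."""
    n = g.bit_length() - 1
    u = X
    for _ in range(n // 2):
        u = pmulmod(u, u, g)
        if pgcd(g, u ^ X) != 1:          # u - x is u xor x over GF(2)
            return False
    return True


def prime_factors(m):
    """Distinct prime factors by trial division (fine for small 2^n - 1)."""
    ps, p = [], 2
    while p * p <= m:
        if m % p == 0:
            ps.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        ps.append(m)
    return ps


def is_primitive(g):
    """g is primitive iff it is irreducible and x has full order 2^n - 1 mod g:
    x^(2^n-1) == 1 and x^((2^n-1)/p) != 1 for every prime p dividing 2^n - 1."""
    n = g.bit_length() - 1
    if not ben_or_irreducible(g):
        return False
    order = (1 << n) - 1
    if ppowmod(X, order, g) != 1:
        return False
    return all(ppowmod(X, order // p, g) != 1 for p in prime_factors(order))


def berlekamp_factor_count(g):
    """Number of distinct irreducible factors of g = nullity of Q - I, where
    row i of the Berlekamp Q-matrix holds the coefficients of x^(2i) mod g."""
    n = g.bit_length() - 1
    rows = [ppowmod(X, 2 * i, g) ^ (1 << i) for i in range(n)]   # rows of Q - I
    rank = 0
    for bit in range(n):                 # Gaussian elimination over GF(2)
        pivot = next((i for i, r in enumerate(rows) if (r >> bit) & 1), None)
        if pivot is None:
            continue
        prow = rows.pop(pivot)
        rows = [r ^ prow if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return n - rank


def count_degree(n):
    """(irreducible, primitive) counts over all monic degree-n polynomials."""
    irreducible = primitive = 0
    for g in range(1 << n, 1 << (n + 1)):
        if ben_or_irreducible(g):
            irreducible += 1
            if is_primitive(g):
                primitive += 1
    return irreducible, primitive


if __name__ == "__main__":
    for g in (0b10011, 0b11111, 0b10001, 0b11011):      # constructed test polynomials
        print(f"{g:b}: irreducible={ben_or_irreducible(g)} primitive={is_primitive(g)} "
              f"distinct factors={berlekamp_factor_count(g)}")
    print("degree 4:", count_degree(4), " degree 5 (2^5-1 prime):", count_degree(5))
```

x^4+x+1 is irreducible and primitive; x^4+x^3+x^2+x+1 is irreducible but x has order 5, so it is not primitive; x^4+1 = (x+1)^4 and x^4+x^3+x+1 = (x+1)^2(x^2+x+1) are reducible, and the Q-matrix nullity reports one and two distinct factors respectively. The order test needs the factorisation of 2^n-1, which is why the Mersenne-prime degrees Ritter mentions are convenient: there irreducibility alone settles primitivity.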

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Q: Session key generation
Date: Thu, 01 Jun 2000 23:42:54 GMT

In article <[EMAIL PROTECTED]>,
  Baruch Even <[EMAIL PROTECTED]> wrote:

> Obviously if you can get your hand on a hardware RNG, and assuming
> it is hard enough for the attacker to guess its output, you would
> be better off.

There is a chipset available from Intel (supplied with new motherboards
using Intel chipsets?) to generate random values from temperature
sensors. IBM has a 4758 cryptographic coprocessor, and iirc it also has
a hardware RNG.

The first is likely to be ubiquitous. The second can be added to any
computer with PCI slots, though I have yet to find out how much it
costs. (Likely a lot -- FIPS 140-1 level 4. :)



------------------------------

From: "Nathan J. Yoder" <[EMAIL PROTECTED]>
Subject: old ssl challenge
Date: Thu, 1 Jun 2000 19:58:20 -0700

Concerning this old challenge: http://pauillac.inria.fr/~doligez/ssl/ I have
a few questions.

It states that the RC4-128-EXPORT-40 algorithm was used for the SSL transaction.
I am wondering what algorithm EXPORT-40 is referring to.  According to an
SSLv3 draft (http://home.netscape.com/eng/ssl3/draft302.txt):

SSL_RC4_128_EXPORT40_WITH_MD5

is the closest thing to the above.  The standard isn't very clear on exactly
what algorithm "export" is referring to (or maybe I just missed something)?

Also, just about SSL in general, I've seen implementations of SSL (like
SSLeay) that include Blowfish encryption and other types of encryption which
are stated nowhere in the drafts for SSL or TLS.  Are they there for future
versions or what?



------------------------------

From: "Scotty" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Thu, 1 Jun 2000 19:52:30 +0100


George Edwards wrote in message ...
>In article <[EMAIL PROTECTED]>, Scotty
><[EMAIL PROTECTED]> writes
>>
>>You don't even have to go that far. I think if enough people kept a few
>>files, randomly encrypted, (so they deliberately don't remember the
>>password) on their disks, the whole bill will collapse. Anyone presented
>>with a decryption notice could just claim it was such a file and the
>>burden of proof could be correctly restored. I'm doing my bit, I suggest
>>those opposed to the bill do likewise.
>
>
>look this is a stupid  bill.
>
>I have (just counted) some 20 passwords on my board. Don't know what
>most of them refer to. Can go on giving out possible keys till the cows
>come home. How the hell do they prove I "know"  key if I don't use it
>after they ask?
>More stupid law from A. Blair and Co.

I agree, but they don't have to prove you know the key 'beyond reasonable
doubt', only on a 'balance of probabilities'. This is a fundamental shift in
the burden of proof.

Think about it: unknown to you, a friend whom you communicate with
regularly is arrested in a drugs bust. The police turn up and want your
keys to decrypt all your communications. How will that look to a jury if you
forget your keys? The police can say you have been in regular communication
with a known drug dealer and they suspect your trips abroad have been used
to import drugs etc. On the 'balance of probability' it looks already as if
you're guilty of refusing a reasonable request to hand over your keys.

This is not just a stupid law, it's a dangerous law.



------------------------------

From: "Scotty" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Fri, 2 Jun 2000 00:16:38 +0100


George Edwards wrote in message
<[EMAIL PROTECTED]>...
>In article <[EMAIL PROTECTED]>, Scotty
><[EMAIL PROTECTED]> writes
>> [end of
>>rant]
>
>
>No do go on.........

Don't tempt me :-)



------------------------------

From: "Scotty" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Fri, 2 Jun 2000 00:54:07 +0100


David Boothroyd wrote in message ...
>In article <[EMAIL PROTECTED]>, "Scotty"
><[EMAIL PROTECTED]> wrote:
>
>> David Boothroyd wrote in message ...
>> >In article <[EMAIL PROTECTED]>, Andru Luvisi
>> ><[EMAIL PROTECTED]> wrote:
>> >> [EMAIL PROTECTED] (David Boothroyd) writes:
>> >> [snip]
>> >> > > Yet there is still a vast weight of legal opinion (more highly
>> >> > > respected than the government's own law officers),
>> >> >
>> >> > Is this possible?
>> >> >
>> >> > Are these mysterious givers of legal opinion in some way connected
>> >> > with organisations who have always been against the Bill?
>> >> [snip]
>> >>
>> >> Even if they are, that does not imply that their legal opinion was
>> >> influenced by their opposition to the bill.
>> >
>> >And likewise the opinions of Government law officers were not influenced
>> >by their support for the Bill, QED.
>>
>> So you agree that the government's law officers are not impartial towards
>> the bill. :-)
>
>They are members of the government bound by collective responsibility and
>by the government whips.
>
>> When two views are mutually contradictory at least one must be wrong.
>
>Which do you think is more likely:
>
>a) The government law officers, with the benefit of the civil service
>   and direct access to the European Court records to check, and who
>   are directly responsible for checking whether a Bill complies, and
>   who would be very strongly criticised for wasting Parliament's time
>   if they gave a certificate of compliance which turned out to be
>   incorrect, decided purely on the basis of their political loyalty
>   to issue a certificate of compliance.

They do not issue the certificate, the minister does. The minister does not
even have to seek their advice. Their main purpose is to decide if the bill
requires a certificate, not to determine if it should get one; that is the
prerogative of the minister.

>
>b) A pressure group which wished to have some argument persuaded a
>   lawyer that one part of the Bill could be questioned as to its
>   human rights compliance.
>
>It is very easy to question whether something complies with a treaty.
>There were two challenges to the House of Lords Bill last year which
>were struck out very quickly, one over the legal status of a writ of
>summons and the other over the Act of Union with Scotland. Both took
>hours of legal argument but neither had any real foundation.
>
>> The important point here is that the section 19 certificate is merely a
>> statement about the *Minister's* opinion.
>
>This is the best opinion that is available: the Minister is introducing
>the Bill, and so knows what its provisions will be and (more importantly)
>how they will be used.

He is undoubtedly the world's leading expert on his own opinion, however
wrong that opinion might be. The provisions, and how they will be used, are
set down in the act, and since he cannot bind the actions of a future
government, compliance is ultimately determined by what is set down in the
act, not any ad hoc guidelines of use.

How can an act that defines a crime punishable with 2 years imprisonment, on
the basis of 'balance of probabilities' rather than 'beyond reasonable
doubt', ever justify a section 19 certificate of compliance? It is so
breathtakingly blatant it's an embarrassment to a democratic society.





------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
