Cryptography-Digest Digest #950, Volume #11 Mon, 5 Jun 00 18:13:01 EDT
Contents:
Re: Cipher design a fading field? (wtshaw)
Re: Cipher design a fading field? (wtshaw)
Multiplication in Storin (tomstd)
Re: Question about recommended keysizes (768 bit RSA) (David A. Wagner)
Re: Question about recommended keysizes (768 bit RSA) (Bob Silverman)
Re: Observer 4/6/2000: "Your privacy ends here" ("John Nuttall")
Cipher puzzle chain ("Purdy Family")
Re: Statistics of occurrences of prime number sequences in PRBG output as (Mok-Kong Shen)
Re: Cipher design a fading field? (Mok-Kong Shen)
Re: Faster than light Cryptanalysis (Mok-Kong Shen)
Some citations (Mok-Kong Shen)
Re: Could RC4 used to generate S-Boxes? (Simon Johnson)
Re: Could RC4 used to generate S-Boxes? (Simon Johnson)
Towards an attack on Storin (tomstd)
Re: Could RC4 used to generate S-Boxes? (tomstd)
Re: DES -- Annoyed (Paul Koning)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Cipher design a fading field?
Date: Mon, 05 Jun 2000 13:32:24 -0600
In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
> On the other hand, 'a new cipher each day' for such traffics as personal
> e-mails will create in short time a diversity far exceeding the biodiversity
> in nature. (I don't know whether it is true, but I was told that the
> biologists don't yet fully oversee the kingdom of objects of their study.)
> Since any one single e-mail has the potential of carrying some highly
> delicate stuffs, like calls for revolutions as well as scandalous expressions
> of affections of unlawful couples, which the dutiful and morally implacable
> top politicians must attempt to eradicate, this provides a good foundation
> for a bill to build a dozen more Echelons.
>
> M. K. Shen
Biologists are seeking to manipulate genetics to produce things that
nature has not. Some results are sure to be very useful, or have unintended
and/or unforeseen repercussions. Should we tell them to stop learning? Some
want to because this puts lots of power in the hands of biologists. Since
I am one of them, I see no difference in that and designing new algorithms
as a cryptographer, which I try to be as well.
The most subtle and elusive forms of crypto can be used for the most
devious purposes; this is something that countless Echelons cannot touch.
L. Paul Bremer spoke today about the truth that there is asymmetry in
dealing with people like terrorists, that they have the choice of location
to act, which might be inexpensive, whereas active means of suppressing
terrorism means guarding all likely points of attack, which can be most
costly. Bremer fails to learn all that he should from this knowledge as he
opts to put the military in charge of protecting civil liberties.
He must not know much about how, in the service, telling lies is not
even a low level art, but an all encompassing dictum, to fulfill missions
through giving and taking orders, and destroying all that get in the way,
including their peace and freedom. The problem with police is when they
see themselves as military, able to get away with unconstitutional acts.
The military code of conduct is for expediency where everyone is supposed
to be ready to die as their superiors call it.
Countries like the US have had a traditional pattern of creating most of
their enemies. He called for Greece and Pakistan to be classed as terrorist
countries. The promise of putting more people at odds with us should
help the spirits of control freaks since it justifies more and more of
their brutal methods.
A better plan in some conflicts is not to take sides, Greece-Turkey,
India-Pakistan, but to try to inspire peace as in Northern Ireland, or
Israel-Jordan-Arrifatistan. At worst, you tell both parties that they
must solve their differences through negotiations if they want to have
anything else to do with us as a country, and you better darned protect
human rights of US citizens, and might as well extend it to their whole
populations as well.
So it is with crypto and so many other things: work to inspire peace
rather than polarizing the population into long-eared and short-eared
factions. As a country that has so many more of its percentage in jail
than almost all other countries, being experts in suppression does not seem
to work. To the despot, everyone is a threat and an enemy; anything that
does not support their power must be destroyed.
--
If you wonder worry about the future enough to adversely limit
yourself in the present, you are a slave to those who sell security.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Cipher design a fading field?
Date: Mon, 05 Jun 2000 13:39:56 -0600
In article <[EMAIL PROTECTED]>, Benjamin Goldberg
<[EMAIL PROTECTED]> wrote:
> Mok-Kong Shen wrote:
> ...While breaking every pre-existing cipher isn't necessary
> to be a professional, it *is* important to understand how 'classical'
> ciphers work, and why they are no longer used, so as not to incorporate
> the same problems into your own ciphers.
Every cipher has some classical blood in it. The heritage of crypto is
rich, and disregarding lessons from the past and bypassing derived
techniques that might better answer a specific problem means that you are
trying to breed out wisdom as a result of hubris.
--
If you wonder worry about the future enough to adversely limit
yourself in the present, you are a slave to those who sell security.
------------------------------
Subject: Multiplication in Storin
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 05 Jun 2000 13:52:58 -0700
For starters this is not an attack on the cipher, just a
question, since well I am not so mathematically inclined...
How exactly is your matrix multiplication a non-linear component
in Storin? I don't get that. You use multiplication in the set
of integers modulo 2^24 (page 2, point 2) as the primary non-linear
step...
But addition/multiplication in the set of integers is not non-linear
if I am not mistaken. (Of course I am most likely mistaken,
which is why I am posting this.)
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
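An added illustration of the sense in which a multiplication modulo 2^24 counts as non-linear (this is not tomstd's code, and the 4x4 matrix below is a constructed stand-in, not Storin's real matrix): the map distributes over addition mod 2^24, so it is linear over the ring Z/2^24, but it does not distribute over XOR, so it is not linear over GF(2)^24, which is the setting of XOR-difference analysis. The one exception is bit 0, which no carry ever reaches.

```python
import random

MOD = 1 << 24  # Storin works in the integers modulo 2^24, as the post says

# A constructed 4x4 matrix of 24-bit constants for illustration; NOT Storin's matrix.
M = [
    [0x123457, 0x0F0F0F, 0x2A2A2B, 0x0000FF],
    [0x00ABCD, 0x3C3C3C, 0x111113, 0x7F7F7F],
    [0x0A0B0C, 0x5A5A5A, 0x00FF01, 0x030303],
    [0xC0FFEE, 0xBEEF01, 0x000001, 0x2B4D6E],
]

def mat_mul(m, v):
    """Matrix-vector product over Z/2^24: each output word is a sum of products mod 2^24."""
    return [sum(m[r][c] * v[c] for c in range(4)) % MOD for r in range(4)]

def add_vec(a, b):
    return [(x + y) % MOD for x, y in zip(a, b)]

def xor_vec(a, b):
    return [x ^ y for x, y in zip(a, b)]

def rand_pairs(trials, seed):
    rng = random.Random(seed)
    for _ in range(trials):
        yield [rng.getrandbits(24) for _ in range(4)], [rng.getrandbits(24) for _ in range(4)]

def is_additive_linear(trials=200, seed=1):
    """True when M(x + y) == M(x) + M(y) for every sampled pair: M is linear over
    the ring Z/2^24, which is what 'linear' means with respect to modular addition."""
    return all(mat_mul(M, add_vec(x, y)) == add_vec(mat_mul(M, x), mat_mul(M, y))
               for x, y in rand_pairs(trials, seed))

def xor_linearity_failures(trials=200, seed=2):
    """Number of sampled pairs with M(x ^ y) != M(x) ^ M(y). A nonzero count shows M is
    NOT linear over GF(2)^24, the setting in which XOR-difference analysis is done."""
    return sum(mat_mul(M, xor_vec(x, y)) != xor_vec(mat_mul(M, x), mat_mul(M, y))
               for x, y in rand_pairs(trials, seed))

def distinct_output_xor_diffs(in_diff, trials=500, seed=3):
    """For one fixed input XOR difference, count the different output XOR differences seen.
    A GF(2)-linear map would always give exactly 1; carries make a multiplier give many
    (except for a difference in the top bit only, where no carry can propagate)."""
    seen = set()
    for x, _ in rand_pairs(trials, seed):
        seen.add(tuple(xor_vec(mat_mul(M, x), mat_mul(M, xor_vec(x, in_diff)))))
    return len(seen)

def lsb_is_gf2_linear(trials=200, seed=4):
    """The caveat: no carry ever reaches bit 0, so bit 0 of each output word is just the
    XOR over c of (M[r][c] & 1) & (x[c] & 1). The lowest bit of a modular multiplier
    IS GF(2)-linear, even though the word as a whole is not."""
    for x, _ in rand_pairs(trials, seed):
        out = mat_mul(M, x)
        for r in range(4):
            expect = 0
            for c in range(4):
                expect ^= M[r][c] & x[c] & 1
            if (out[r] & 1) != expect:
                return False
    return True
```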
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: 5 Jun 2000 13:53:38 -0700
In article <[EMAIL PROTECTED]>,
Roger Schlafly <[EMAIL PROTECTED]> wrote:
> There is nothing cynical about saying that an analysis that
> properly takes into account space and time will be more
> accurate than one that just looks at time.
I think you are missing a nuance here.
If we knew the true time and space complexity of factoring, you would
be right. However, we don't; we can only make guesstimates.
We can have different levels of confidence about our estimation at the
true time complexity and the true space complexity. As cryptographers,
we should be as cautious as possible, and that means that we might only
want to rely on the estimate that we consider more reliable.
If you believe that our estimate of time complexity is more reliable
than our estimate of space complexity -- and that seems like a pretty
reasonable belief -- then the appropriate model to use, for cryptographic
decisions, might well be the TIME model, and *not* the SPACE model.
In other words, counting the space requirements of today's algorithms
might well be strictly *more* misleading than omitting them. And, yes,
there is plenty of precedent for such a scenario.
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Mon, 05 Jun 2000 20:53:41 GMT
In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> says...
>
> [ ... ]
>
> > I can't figure out which model is best; The computational equivalence
> > model by RSA Labs, or the cost equivalence based model by
> > Lenstra/Verheul. I tend to trust the word of Bob Silverman, but I'm also
> > chauvinistic enough to trust my fellow dutchmen.
>
> I think a cost-based model is more accurate. Ultimately, it's cost
> that's going to determine what an attacker does or does not attack.
>
> > I can go along with the assumptions and deductions claimed in
> > <http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html> about
> > Moore's law not holding, bus speeds and no big breakthroughs to be
> > archived in factoring/discrete logarithms.
>
> I canNOT go along with this comparison at all. I'll give a couple of
> examples of exactly WHY this is true.
>
> Comparing a Vax 11/780 to a Pentium II is ridiculous. When the Vax
> 11/780 was new, it was a large, expensive machine that was often the
> ONLY computer for even quite a large company. A reasonable current
> machine to which it could be compared would be an AlphaServer GS320.
<snip>
If one reads my paper *carefully*, one will read that one of the
assumptions is that server-class machines are NOT readily available
for parallel sieving. The model assumes that desktop class machines
have plenty of spare cpu-cycles at zero marginal cost.
When the VAX was first introduced, there WEREN'T any desktop class
machines. (Although one might consider a PDP-11/23 or similar as
such)
An AlphaServer GS320 is *not* a machine appropriate for "idle time"
sieving. They are too busy acting as servers. What matters is the bus
speed of machines that are available.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "John Nuttall" <[EMAIL PROTECTED]>
Crossposted-To:
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Mon, 5 Jun 2000 22:07:12 +0100
Steganography takes encryption a stage further - nothing looks more suspect
than an encrypted file (although it may not be crackable). Steg actually
hides the file, so if you get visited by MI5 they won't even know what they
are looking for, cos it ain't visible.
On another note (as a UK citizen) - what is the position re the Channel
Islands? They have their own legislative body - so if all the UK ISPs pulled
out and migrated, I presume the lunatic Bill would be dead in the water.
"Ian Wiles" <[EMAIL PROTECTED]> wrote in message
news:cC74fBAJG$[EMAIL PROTECTED]...
> Meanwhile lurking by a stone in the mud , two eyes looked to see what I
> was and then U Sewell-Detritus spoke and this is what it said to
> me.......Observer 4/6/2000: "Your privacy ends here"
> >James Winsoar <[EMAIL PROTECTED]> wrote:
> >
> >>"B Labour" <[EMAIL PROTECTED]> wrote:
> >
> >>> http://www.observer.co.uk/focus/story/0,6903,328071,00.html
> >>>
> >>> Your privacy ends here
> >>>
> >>> A Bill which is slipping through the House of Lords will allow MI5
> >>> access to all our online communications, says John Naughton. It
> >>> could mean we're all guilty until proven innocent. So why don't we
> >>> care more?
> >>
> >>We are suggesting people download PGP from
> >>ftp://tucows.belgium.eu.net/Tucows/files/PGPfreeware_6.5.3.zip
> >
> >PGP et al suit being coupled with a steganography package. [1]
> >
> >Today, the Beeb reports yet another industry plea for RIP to
> >be scrapped. [2]
>
>
> Well once all the e-business buggers off to Ireland then they'll realise
> what a cock up they've made. It'll all end in tears.
>
> Oh and BTW, what's a
> >steganography package
> ?
> Scuse my ignorance.
>
>
> Cheers,
> --
> Ian Wiles
> --
> Please Remove NOUCE before replying via E-mail
------------------------------
Reply-To: "Purdy Family" <[EMAIL PROTECTED]>
From: "Purdy Family" <[EMAIL PROTECTED]>
Subject: Cipher puzzle chain
Date: Mon, 5 Jun 2000 08:58:21 +0100
Announcing the CipherChain: a bid to generate a number of
entertaining Cipher challenges, have some fun and (for a lucky few)
win the odd prize.
A challenge is set to solve a cipher problem within a time period,
after which a winner will be drawn from the correct solutions. The
prize is: (a) any monetary or other reward put up by the challenger
and (b) the right to set the next challenge in the chain -
choosing your own code/cipher text & method. Your NEW challenge will
be moderated for fairness by the challenger whose code you broke.
Once it's agreed and posted, you take over as Cipher Chain
Challenger - until the next prize is won when your cipher is
broken.
And another link appears in the chain.
Have a look at the first *easy* link in the chain at:
http://www.egroups.com/group/cipherchain
and get ready to win the prize and set your own challenge!
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Statistics of occurrences of prime number sequences in PRBG output as
Date: Mon, 05 Jun 2000 23:43:53 +0200
"John A. Malley" wrote:
> Something struck me yesterday while looking at the behavior of LFSR
> stream ciphers and then at stream ciphers in general. Say the keystream
> generator uses a register m bits long. Look at each m bit block in the
> output keystream as an m bit number. The keystream generator makes a
> non repeating sequence of 2^m - 1 numbers. And phi(2^m) of those numbers
> are prime. Now there is no iterated or recursive mathematical function that
> generates all primes starting from a given input value. So stream
> ciphers as iterated or recursive math functions should not generate
> "long" sequences of primes starting from a seed value, where "long" is
> TBD. The probability of finding any two m-bit prime numbers, or any
> three m-bit prime numbers, or any k m-bit prime numbers in successive
> sequence in PRBG output should be much smaller than expected for a
> genuine random bit sequence of the same bit length as the keysteam. And
> above some value of k the probability of encountering a k prime sequence
> in the PRBG keystream probably goes to zero.
I don't understand your sentence 'there is no iterated or recursive
mathematical function that generates all primes starting from a given
input value'. One can write a program to generate successive primes.
Wouldn't that contradict your statement?
Further, in the other sentence, does the expression 'long sequence of
primes' mean a sequence of primes without gaps, i.e. a number
of successive primes, e.g. 7,11,13,17,19,23, in increasing or
decreasing order? I don't yet understand the logic underlying your claim
that the probability you mentioned in a non-perfect sequence should
be much lower than that in a perfect random sequence. Could you
please explain a bit more, perhaps with a hypothetical example to
illustrate? Thanks.
M. K. Shen
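The hypothetical example asked for above, as an added experiment that is neither poster's code: it takes a toy keystream generator, a 16-bit Fibonacci LFSR with the assumed feedback polynomial x^16 + x^14 + x^13 + x^11 + 1 (my choice, not anything from the thread), treats each register state (one m-bit window of the output bit stream) as an m-bit number, and counts runs of consecutive primes against what independent random m-bit values would give.

```python
def lfsr16_states(seed=0xACE1):
    """Successive states of a 16-bit Fibonacci LFSR with the assumed feedback polynomial
    x^16 + x^14 + x^13 + x^11 + 1 (taps 16,14,13,11). Each state is one m-bit block;
    a primitive polynomial visits all 2^16 - 1 nonzero values once before repeating."""
    states = []
    s = seed
    while True:
        states.append(s)
        bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        s = (s >> 1) | (bit << 15)
        if s == seed:
            return states

def prime_sieve(limit):
    """Flags with is_p[v] == 1 iff v is prime, for 0 <= v <= limit (sieve of Eratosthenes)."""
    is_p = bytearray([1]) * (limit + 1)
    is_p[0] = is_p[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if is_p[i]:
            is_p[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return is_p

def prime_run_histogram(blocks, is_p):
    """hist[k] = number of maximal runs of exactly k consecutive prime blocks."""
    hist = {}
    run = 0
    for v in list(blocks) + [0]:  # a trailing non-prime flushes the final run
        if is_p[v]:
            run += 1
        elif run:
            hist[run] = hist.get(run, 0) + 1
            run = 0
    return hist

def expected_runs(n_blocks, p, k):
    """Approximate expectation for n_blocks independent blocks, each prime with
    probability p: a maximal run of exactly k is k primes bounded by two non-primes."""
    return n_blocks * p ** k * (1 - p) ** 2

def compare(m=16):
    """Observed vs. expected number of prime runs of length 1..5 in the state sequence.
    p is the exact prime density among nonzero m-bit values, since each appears once."""
    states = lfsr16_states()
    is_p = prime_sieve((1 << m) - 1)
    hist = prime_run_histogram(states, is_p)
    n = len(states)
    p = sum(is_p) / n
    return {k: (hist.get(k, 0), round(expected_runs(n, p, k), 1)) for k in range(1, 6)}

if __name__ == "__main__":
    for k, (seen, exp) in compare().items():
        print(f"runs of {k} consecutive primes: observed {seen}, random-model expectation {exp}")
```

A generator that suppressed prime runs in the way the quoted claim suggests would show observed counts well below the random-model column for larger k; the LFSR's state sequence is a permutation of all nonzero 16-bit values, so its total prime count is fixed and only the run structure can differ.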
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Mon, 05 Jun 2000 23:44:16 +0200
"Douglas A. Gwyn" wrote:
> Mok-Kong Shen wrote:
> > wtshaw wrote:
> > > Ah..the old problem: What is strength?
> > This question is virtually in the same category as 'What is truth?'.
>
> Not at all. A scientific investigation of cryptosecurity is possible;
> you can't just wave away the issue. It's a matter of knowledge vs.
> uninformed guessing.
The problem is, I guess, that the knowledge can't be perfect and
often leaves much to be desired, e.g. what concerns the resources
of the opponents or certain yet unproved propositions related to
number theory, etc.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Faster than light Cryptanalysis
Date: Mon, 05 Jun 2000 23:44:04 +0200
"Douglas A. Gwyn" wrote:
> Mok-Kong Shen wrote:
> > I heard the other day a lecture on 'quantized sound'. The lecturer attempted
> > to establish that sound transmission is also a quantum phenomenon. I guess
> > there must be some flaws somewhere.
>
> There are modes called "phonons", but generally speaking sound transmission
> is understandable in terms of classical (non-quantum) physics.
The lecturer attempted to use some data to 'show' that his quantum
interpretation is right while the classical theory leads to wrong values.
I strongly suspect that that's bogus.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Some citations
Date: Mon, 05 Jun 2000 23:45:17 +0200
I think that the following citations may be of some interest,
because they may presumably not be unanimously accepted by
us all and hence could trigger some discussions:
Bandwidth expansion is not necessarily either a drawback
or a strength of a system, merely a feature.
The Kerckhoffs principle is neither a correct description
of, nor a self-evident prescription for, all secrecy
design projects.
Source:
G. R. Blakley, Twenty years of cryptography in the open
literature. 1999 IEEE Symposium on Security and Privacy.
M. K. Shen
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Could RC4 used to generate S-Boxes?
Date: Mon, 05 Jun 2000 21:38:10 GMT
In article <8hh3go$rr9$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
> In article <8hgr8b$di5$[EMAIL PROTECTED]>,
> Simon Johnson <[EMAIL PROTECTED]> wrote:
> > Strictly by definition, RC4 does have an s-box; one value gets
> > substituted for another. Whether it slowly evolves makes no difference
> > to its name; it is still an s-box.
>
> I think most cryptographers would agree that, in the traditional meaning
> of the word, an S-box is a fixed mapping, not a time-varying mapping. If
> you want to use the word differently, that's your choice, but don't be
> surprised if the result is occasional confusion and miscommunication.
>
> In any case, it's not clear that thinking of the RC4 table as an S-box is
> very useful; the usual literature on S-box design doesn't seem applicable
> here.
>
Fair enough, I will not deviate from the unwritten standard again. I
personally believe that Confusion (in the human sense of the word) is a
spawn of satan.
--
=======
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Could RC4 used to generate S-Boxes?
Date: Mon, 05 Jun 2000 21:40:35 GMT
In Applied Cryptography V2 (AC2), it says an 8x8 s-box may be enough?
What would you suggest?
I'm thinking of using both 8x8 & 8x32 random s-boxes.
=======
Hi, I'm the signature virus,
help me spread by copying me into your Signature File
------------------------------
Subject: Towards an attack on Storin
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 05 Jun 2000 14:56:28 -0700
I might possibly have a valid idea for starting a differential
attack (this attack may not be valid, but I think it is):
Look for a set (a, b, c, d) such that the lsbs into the matrix
are zero (after the key xor), that is a 2^-4 chance. Then look
for a pair such that the output 12th bit of each word (after the
matrix step) becomes either fixed at 1 or 0 (again 2^-4
chance). Then given this difference 'works' you know the four
lsb key bits (before the matrix). You can turn this into a key
recovery attack for the four lsb bits by pretending you got the
input/output right with regard to the lsb (2^-16 chance) then
you guess the four bits that would make a single input (a, b, c,
d) have zero lsbs, then try the key on other pairs.
There will be considerable noise from the 12th bits but I think
it can't be filtered out...
I am assuming we are looking at the round as R : M(x ^ k) where
M is the invertible 4x4 matrix and 'k' is the four 24 bit round
keys.
I may have this wrong, but this is probably a good method of
starting an attack.
Tom
------------------------------
Subject: Re: Could RC4 used to generate S-Boxes?
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 05 Jun 2000 15:00:45 -0700
In article <8hh6of$mvr$[EMAIL PROTECTED]>, Simon Johnson
<[EMAIL PROTECTED]> wrote:
>In Applied Cryptography V2 (AC2), it says an 8x8 s-box may be enough?
>What would you suggest?
>I'm thinking of using both 8x8 & 8x32 random s-boxes.
Well, 8x8 sboxes are hardly ever 'ideal'; the chances are about 2^-15
of getting an ideal sbox randomly (LPmax=32, DPmax=8, SAC).
Just make sure your 8x32 sboxes are 'unique' (i.e. see the attack
on Blowfish) and bijective. If not, collisions in your F
function (assuming you use the 8x32 sboxes as CAST/Blowfish) can
be exploited in a diff attack.
Tom
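An added example (not tomstd's code) that measures the three figures the reply names for a candidate 8x8 S-box and applies the collision check it recommends for 8x32 tables: DPmax as the largest difference-distribution-table entry, LPmax as the largest absolute Walsh coefficient on the 0..256 scale (256 means a purely linear component), and the worst deviation from the strict avalanche criterion. The random_sbox construction and the use of a plain permutation as the candidate are my assumptions.

```python
import random

def ddt_max(sbox):
    """DPmax: largest difference-distribution-table entry over nonzero input
    differences, i.e. max over (a != 0, b) of #{x : S[x] ^ S[x ^ a] == b}."""
    n = len(sbox)
    best = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def walsh_max(sbox, out_bits=8):
    """LPmax on the 0..256 scale: largest |Walsh coefficient| over every nonzero
    output mask b and every input mask a (a linear component would reach 256)."""
    n = len(sbox)
    best = 0
    for b in range(1, 1 << out_bits):
        # Component function parity(b & S[x]) as +1/-1, then an in-place fast
        # Walsh-Hadamard transform turns it into the row of the linear approximation table
        w = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(n)]
        h = 1
        while h < n:
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(c) for c in w))
    return best

def sac_deviation(sbox, in_bits=8, out_bits=8):
    """Strict avalanche criterion: flipping input bit i should flip output bit j for
    exactly half of all inputs. Returns the worst |count - n/2|; 0 means SAC holds."""
    n = len(sbox)
    worst = 0
    for i in range(in_bits):
        for j in range(out_bits):
            flips = sum((sbox[x] ^ sbox[x ^ (1 << i)]) >> j & 1 for x in range(n))
            worst = max(worst, abs(flips - n // 2))
    return worst

def has_collision(table):
    """The 'unique' check for an 8x32 table: two inputs mapping to the same 32-bit word."""
    return len(set(table)) != len(table)

def random_sbox(seed):
    """A random bijective 8x8 S-box, i.e. a random permutation of 0..255 (assumed construction)."""
    rng = random.Random(seed)
    box = list(range(256))
    rng.shuffle(box)
    return box

def evaluate(sbox):
    return {"DPmax": ddt_max(sbox), "LPmax": walsh_max(sbox), "SAC": sac_deviation(sbox)}

if __name__ == "__main__":
    for seed in range(3):
        print(seed, evaluate(random_sbox(seed)))
```

The identity mapping scores the worst possible 256/256/128, which is a useful sanity check before trusting the numbers on a real candidate.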
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: DES -- Annoyed
Date: Mon, 05 Jun 2000 17:21:40 -0400
Mark Wooding wrote:
>
> tomstd <[EMAIL PROTECTED]> wrote:
> > As part of my 'Tiny Crypt Lib' I am implementing DES (and then
> > of course 3key 3des) and have possibly the smallest (and
> > slowest) implementation ever... problem is I can't find test
> > vectors for DES anywhere!!!
> >
> > I looked at the FIPS-42 pages ...etc, nothing. I can't believe
> > they specify DES without test vectors...
They are in a separate document. NIST special publication 800-17.
paul
--
!-----------------------------------------------------------------------
! Paul Koning, NI1D, D-20853
! Lucent Corporation, 50 Nagog Park, Acton, MA 01720, USA
! phone: +1 978 263 0060 ext 115, fax: +1 978 263 8386
! email: [EMAIL PROTECTED]
! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75
!-----------------------------------------------------------------------
! "A system of licensing and registration is the perfect device to deny
! gun ownership to the bourgeoisie."
! -- Vladimir Ilyich Lenin
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************