Cryptography-Digest Digest #951, Volume #11       Mon, 5 Jun 00 20:13:01 EDT

Contents:
  Cryptographic voting (Jim Ferry)
  Re: DES -- Annoyed (tomstd)
  Re: Cryptographic voting (tomstd)
  Re: Observer 4/6/2000: "Your privacy ends here" (leo)
  Re: RSA Algorithm ("Douglas A. Gwyn")
  Re: Evidence Eliminator, is it patented, copyrighted, trademarked ? ([EMAIL PROTECTED])
  Re: Is OTP unbreakable? (Mok-Kong Shen)
  Re: Question about recommended keysizes (768 bit RSA) (Roger Schlafly)
  Re: Donald Davies has died ([EMAIL PROTECTED])
  Re: Question about recommended keysizes (768 bit RSA) (Jerry Coffin)
  Re: Evidence Eliminator, is it patented, copyrighted, trademarked ? (Ron B.)
  Re: DVD encryption secure? -- any FAQ on it (Bryan Olson)
  Re: Could RC4 used to generate S-Boxes? (Terry Ritter)
  Re: DVD encryption secure? -- any FAQ on it (David A. Wagner)
  Re: Question about recommended keysizes (768 bit RSA) (David A. Wagner)
  Re: Cryptographic voting (Mok-Kong Shen)
  Re: XTR (was: any public-key algorithm) (Bodo Moeller)
  Re: Observer 4/6/2000: "Your privacy ends here" (Brian {Hamilton Kelly})

----------------------------------------------------------------------------

From: Jim Ferry <jferry@[delete_this]uiuc.edu>
Crossposted-To: sci.math
Subject: Cryptographic voting
Date: Mon, 05 Jun 2000 17:11:17 -0500

I was wondering if there's a way for a small group of people
(less than 100) to vote cryptographically.  I imagine it would
work as follows:

Say everyone who is to vote comes up with a private key, and posts
a corresponding public key.  From these, a joint public key is
composed.  Each voter uses her private key together with the
joint public key and her (private) vote to produce a public vote.
From the set of public votes, a (public) vote tally is produced.
However, it should be pragmatically impossible to determine the
tally of any subset of (public) votes, or indeed, any information
about them that is not implicitly given by the total tally.

Is there a way to do this in the literature?  (Or, better yet, is
it so trivial that it's not even in the literature?)

|             Jim Ferry              | Center for Simulation  |
+------------------------------------+  of Advanced Rockets   |
| http://www.uiuc.edu/ph/www/jferry/ +------------------------+
|    jferry@[delete_this]uiuc.edu    | University of Illinois |
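The scheme sketched above (individual key pairs, a joint public key, encrypted ballots, a public tally with nothing else revealed) can be built from exponential ElGamal, which is additively homomorphic: multiplying ballots gives an encryption of the sum of the votes. The following is an added example written for this digest, not code from the original post or from any of the papers it asks about. It assumes a toy group (a 2039-bit... no: a safe prime p = 2039, far too small for real use, chosen only so the numbers stay readable), a joint key that is the product of all voters' public keys, and that every voter contributes a partial decryption of the combined ballot. Two things it deliberately leaves out, which the literature supplies with zero-knowledge proofs: a voter could encrypt 2 instead of 0 or 1 and nothing here would notice, and a voter could publish a bogus decryption share; real schemes also use threshold decryption so that a single absent voter cannot block the tally.

```python
import secrets

# Toy group parameters, constructed for this example only: p is a safe prime,
# q = (p - 1) / 2 is prime, and g = 4 generates the order-q subgroup of Z_p^*.
# A real system needs a group of at least 2048 bits; these values are far too
# small to be secure and exist only to keep the arithmetic readable.
P = 2039
Q = (P - 1) // 2
G = 4


def keygen():
    """Each voter's private key x and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def joint_public_key(public_keys):
    """Product of all public keys: g^(x_1 + x_2 + ...), the 'joint' key."""
    y = 1
    for yi in public_keys:
        y = y * yi % P
    return y


def encrypt_vote(joint_pk, vote):
    """Exponential ElGamal ballot (g^r, Y^r * g^vote).  vote must be 0 or 1.
    Note: nothing here proves to the talliers that vote really was 0 or 1."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(joint_pk, r, P) * pow(G, vote, P) % P


def combine(ballots):
    """Multiply ballots component-wise: the result encrypts the SUM of votes."""
    a, b = 1, 1
    for ai, bi in ballots:
        a, b = a * ai % P, b * bi % P
    return a, b


def partial_decrypt(private_key, a):
    """Each key holder contributes a^x_i for the COMBINED ballot only; the
    product of all shares is Y^R.  Without every share, no subset can be
    tallied, which is the property the original post asks for."""
    return pow(a, private_key, P)


def recover_tally(b, shares, max_votes):
    """Strip the joint mask and solve g^V = b / Y^R by trying V = 0..max_votes."""
    d = 1
    for s in shares:
        d = d * s % P
    g_to_v = b * pow(d, P - 2, P) % P          # Fermat inverse, p prime
    for v in range(max_votes + 1):
        if pow(G, v, P) == g_to_v:
            return v
    raise ValueError("tally outside the expected range")


def run_election(votes):
    """End-to-end: keys, joint key, encrypted ballots, combined decryption."""
    keys = [keygen() for _ in votes]
    y = joint_public_key([pk for _, pk in keys])
    ballots = [encrypt_vote(y, v) for v in votes]
    a, b = combine(ballots)
    shares = [partial_decrypt(x, a) for x, _ in keys]
    return recover_tally(b, shares, len(votes))


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0, 1]))   # 4
```

The tally is found by trying every V up to the number of voters, which is cheap for the "fewer than 100" case in the question; the joint key is g to the sum of all private keys, so decrypting anything other than the full product of ballots would need every voter to run partial_decrypt on a different value, which honest voters refuse to do.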

------------------------------

Subject: Re: DES -- Annoyed
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 05 Jun 2000 15:10:09 -0700

In article <[EMAIL PROTECTED]>, Paul Koning
<[EMAIL PROTECTED]> wrote:
>Mark Wooding wrote:
>>
>> tomstd <[EMAIL PROTECTED]> wrote:
>> > As part of my 'Tiny Crypt Lib' I am implementing DES (and then
>> > of course 3key 3des) and have possibly the smallest (and
>> > slowest) implementation ever... problem is I can't find test
>> > vectors for DES anywhere!!!
>> >
>> > I looked at the FIPS-42 pages ...etc, nothing.  I can't believe
>> > they specify DES without test vectors...
>
>They are in a separate document.  NIST special publication 800-17.
>
>       paul

Remember back in say early this year I said "Don't use 3des
since it's slow, ugly and generally a pain in the arse"?  Well
I believe my own words now.  I hate implementing such a shitty
cipher.

I will gladly just copy/paste/credit someone else's code for
3des...

Tom


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

Subject: Re: Cryptographic voting
From: tomstd <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Date: Mon, 05 Jun 2000 15:22:51 -0700

In article <KzV_4.351$[EMAIL PROTECTED]>, Jim Ferry
<jferry@[delete_this]uiuc.edu> wrote:
>I was wondering if there's a way for a small group of people
>(less than 100) to vote cryptographically.  I imagine it would
>work as follows:
>
>Say everyone who is to vote comes up with a private key, and posts
>a corresponding public key.  From these, a joint public key is
>composed.  Each voter uses her private key together with the
>joint public key and her (private) vote to produce a public vote.
>From the set of public votes, a (public) vote tally is produced.
>However, it should be pragmatically impossible to determine the
>tally of any subset of (public) votes, or indeed, any information
>about them that is not implicitly given by the total tally.
>
>Is there a way to do this in the literature?  (Or, better yet, is
>it so trivial that it's not even in the literature?)

For a voting scheme to be useful the talliers should not be
able to tell who voted for what, only that all votes are
valid....

Tom




------------------------------

From: leo <[EMAIL PROTECTED]>
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Mon, 5 Jun 2000 22:26:13 +0100

In article <[EMAIL PROTECTED]>, Ian Wiles
<[EMAIL PROTECTED]> writes
>In the Observer article (which I just read in the paper..that's how I
>got here :) ) it said something about the bill contravening the EU right
>to privacy as well as other laws. So if someone was banged up for not
>disclosing or misplacing their encryption key then surely there'd be one
>helluva storm about it?


Isn't there a nice business opportunity here for someone to make ISP
services available in another country to UK residents?




-- 
leo

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: RSA Algorithm
Date: Mon, 5 Jun 2000 21:25:09 GMT

wtshaw wrote:
> ... "Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
> > I think you need a restatement of one of crypto's basic
> > lemmas, the output of a strong cipher MUST be
> > indistinguishable from a random number. ...

> ... The appearance of ciphertext can be non-random, yet even be
> indecipherable.

Perhaps it would help to give a simple counterexample:
Suppose the ciphertext from some system X meets JA's criterion.
Consider a new ciphertext consisting alternately of 0 bits and
the system-X ciphertext bits.  Clearly the result is easy to
distinguish from a random bit stream, yet the underlying
plaintext is just as secure as using system X alone.

> ... Do you work for the government, or do you just believe their
> propaganda?

I don't think either would be a fair inference from what the fellow
said.
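The counterexample above is easy to make concrete: a transform that pads every ciphertext bit with a zero bit is trivially distinguishable from random, yet it is invertible, so anyone who can attack the padded stream can strip the padding and attack system X directly. The code below is an added illustration for this digest, not from the post; the "system-X ciphertext" is a constructed stand-in byte string, and the distinguisher simply checks the padded bit positions.

```python
# Added example: interleave a 0 bit before every ciphertext bit, then show
# (a) the result is trivially distinguishable from a random bit stream and
# (b) the transform is invertible, so the plaintext is no less protected.

# Constructed stand-in for the output of "system X"; any bytes would do.
SAMPLE_CIPHERTEXT = bytes(range(256))


def interleave_zero_bits(ciphertext: bytes) -> bytes:
    """For every ciphertext bit (MSB first) emit a 0 bit followed by that bit.
    Each input byte therefore becomes two output bytes of the form 0b0x0x0x0x."""
    out = bytearray()
    for byte in ciphertext:
        word = 0
        for i in range(8):
            bit = (byte >> (7 - i)) & 1
            word = (word << 2) | bit          # pad bit 0, then the real bit
        out += word.to_bytes(2, "big")
    return bytes(out)


def deinterleave(stream: bytes) -> bytes:
    """Inverse of interleave_zero_bits: drop the padding bits."""
    if len(stream) % 2:
        raise ValueError("stream must consist of whole 16-bit words")
    out = bytearray()
    for i in range(0, len(stream), 2):
        word = int.from_bytes(stream[i:i + 2], "big")
        byte = 0
        for j in range(8):
            byte = (byte << 1) | ((word >> (14 - 2 * j)) & 1)
        out.append(byte)
    return bytes(out)


def looks_interleaved(stream: bytes) -> bool:
    """Distinguisher: every padded bit position (mask 0xAA in each byte) is 0.
    A uniformly random stream of n bytes passes this with probability 2^(-4n),
    so even a few bytes separate the padded stream from random with certainty."""
    return all(b & 0xAA == 0 for b in stream)


def reduction_holds(ciphertext: bytes) -> bool:
    """The security argument in one line: the padded stream is a bijective
    image of the system-X ciphertext, so it carries exactly the same
    information about the plaintext, no more and no less."""
    return deinterleave(interleave_zero_bits(ciphertext)) == ciphertext
```

The point is the separation between two properties that are often conflated: "indistinguishable from random" is a convenient sufficient condition for a good cipher output, but failing it does not by itself give the attacker anything, because the padding here leaks only the structure the attacker already knew.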

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
Subject: Re: Evidence Eliminator, is it patented, copyrighted, trademarked ?
Date: Mon, 05 Jun 2000 22:35:41 +0100

On Mon, 05 Jun 2000 12:58:13 GMT, [EMAIL PROTECTED] wrote:

>I'm not a lawyer, but I do know a little about trademarks.  In the U.S.
>you can pretty much make anything your trademark.  However, you need to
>establish your mark.  The first step is to put a "TM" next to your mark.
>That tells anyone who sees the mark that you have/want to establish
>that mark as your trademark.  The serious businesses will then
>"register" the trademark, which then allows one to put the infamous (R)
>next to the mark.
>
>Even before the trademark question came up, the first thing that hit me
>with evidence eliminator is their "e" looks a lot like Microsoft's
>internet explorer "e".  The thought crossed my mind as to whether
>Microsoft would take issue with that mark?
>
>
>
>In article <#76ChGqz$GA.451@cpmsnbbsa08>,
>  "Hiram Yaeger" <no@email> wrote:
>> "jungle" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>> > where trademarked ? what country ?
>> > it is not trademark in USA ...
>> >
>> > Hiram Yaeger wrote:
>> > >
>> > > "jungle" <[EMAIL PROTECTED]> wrote in message
>> > > news:[EMAIL PROTECTED]...
>> > > > the other 2 ?
>> > > >
>> > > > Lucifer wrote:
>> > > > >
>> > > > > On Sat, 03 Jun 2000 06:13:12 -0400 jungle
><[EMAIL PROTECTED]>
>> wrote:
>> > > > >
>> > > > > >Evidence Eliminator, is it patented, copyrighted, trademarked
>?
>> > > > >
>> > > > > It's copyrighted when it's written.
>> > > > >
>> > > > > No filing is required.
>> > >
>> > > I would assume that "Evidence Eliminator" is legally their
>trademark.
>> As
>> > > for patented, they use methods for overwriting data that are well
>known
>> and
>> > > have been in use for years.  They didn't invent it.  No patent.
>>
>> I'm not a lawyer.  I was taking a guess, which is why I said I assume.
> I
>> don't know how trademarks work.
>>
>>
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.

What a bunch of nazis.  You couldn't destroy the company with your
lies, so now you try to find some way to take away their trademark,
etc.,.  What a bunch of pathetic assholes.  You belong in Russia or
Hong Kong with the rest of the gangster rats.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?
Date: Tue, 06 Jun 2000 00:45:59 +0200



"Douglas A. Gwyn" wrote:

> Joseph Ashwood wrote:
> > This authenticator is not subject to known-plaintext attacks, ...
>
> That was just cipher-feedback mode.  You're assuming that single-
> block DES encryption is immune to known-plaintext key recovery.

In CFB the key is kept constant. In his code, the key gets changed
in each step. This is not equivalent to any of the common modes
used for encryption with DES. Presumably he first uses the original
key (kept constant) to encrypt the different blocks (in any of the
common modes) to get the ciphertext. After that he uses that
original key in his algorithm as given in his post, where the key gets
updated in each step, and appends the final key value to the ciphertext
as the authenticator.

M. K. Shen



------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Mon, 05 Jun 2000 15:47:19 -0700

"David A. Wagner" wrote:
> If you believe that our estimate of time complexity is more reliable
> than our estimate of space complexity -- and that seems like a pretty
> reasonable belief -- then the appropriate model to use, for cryptographic
> decisions, might well be the TIME model, and *not* the SPACE model.

That is a big IF. I'll let Bob S. defend his own model, but any such
model depends on the threat model, hardware predictions, etc.
It is not obvious to me why a time estimate should be more
accurate than a space estimate. And even if it is, so what? It
may still be possible to give a useful worst-case estimate.

If you are comparing 2 different algorithms, or choosing a key
size for 1, you need some sort of security estimate. If 1 is much
harder to break because of huge space requirements, then that is
an appropriate thing to consider. Thinking that it is conservative
to ignore a relevant factor is just sloppy thinking.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Donald Davies has died
Date: 5 Jun 2000 22:50:54 GMT

The Times obituary can be found at:

http://www.the-times.co.uk/news/pages/tim/2000/05/31/timobiobi02004.html

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Mon, 5 Jun 2000 16:53:22 -0600

In article <8hh40c$ktj$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> > Comparing a Vax 11/780 to a Pentium II is ridiculous.  When the Vax
> > 11/780 was new, it was a large, expensive machine that was often the
> > ONLY computer for even quite a large company.  A reasonable current
> > machine to which it could be compared would be an AlphaServer GS320.
> 
> If one reads my paper *carefully*,  one will read that one of the
> assumptions is that server-class machines are NOT readily available
> for parallel sieving.  The model assumes that desktop class machines
> have plenty of spare cpu-cycles at zero marginal cost.

This is irrelevant -- if you wanted to make that assumption, to get 
valid comparisons, you had to make it throughout the model.

> When the VAX was first introduced, there WEREN'T any desktop class
> machines. (Although one might consider a PDP-11/23 or similar as
> such)

The Vax 11/780 and the Apple II were both introduced in 1977.  By 
then, MITS had been selling Altairs for a couple of years.

You've got two possibilities: you can compare high-end machines then 
to high-end machines now, or you can compare low-end machines then to 
low-end machines now.  You can NOT, however, get anything approaching 
meaningful results by comparing a high-end machine then to a low-end 
machine now (or vice versa).

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Ron B. <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
Subject: Re: Evidence Eliminator, is it patented, copyrighted, trademarked ?
Date: Mon, 05 Jun 2000 22:58:04 GMT

On Mon, 05 Jun 2000 22:35:41 +0100, [EMAIL PROTECTED] wrote:

Plonk!
Into the global killfile with you, sir!
>
>What a bunch of nazis.  You couldn't destroy the company with your
>lies, so now you try to find some way to take away their trademark,
>etc.,.  What a bunch of pathetic assholes.  You belong in Russia or
>Hong Kong with the rest of the gangster rats.


------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: Mon, 05 Jun 2000 22:51:22 GMT

David A. Wagner wrote:
> Bryan Olson  wrote:
> > What I mean is that having the bunch of bits - the easy part
> > of the copying process - is not sufficient.  You have to
> > create media that looks like a legit DVD.  It is not the
> > case that if one can read a DVD one can make a (working)
> > bit-for-bit copy.
>
> Sure it is.  It may require hardware -- special hardware
> to press a master, etc. -- and it may require money, but
> it's the same process as used to mass-manufacture DVD's
> (and almost the same process as used to mass-manufacture
> or mass-pirate CD's, I'm told).  There are no secrets
> involved, no codebreaking required.  Bits is bits.

But the media is _not_ just the bits.  You need the physical
format and you have to sign non-disclosures to get it.

If you want to  change the claim to "if one can read the
bits and has a DVD foundry handy, then he can make
working copies", I will not disagree.


> Sure, you can't go to a website and download the software
> to do bit-for-bit copies.  It's not a software attack.
> Consequently, we don't expect Joe Sixpack to be doing bit-for-bit
> copies in his basement.

And Mr. Sixpack can read the bits.  Thus the assertion that
if one can read the bits then he can make a (playable) copy
is shown false.


[...]
> I don't think that makes it
> reasonable to conclude that bit-for-bit copying doesn't go on.

I agree.  I expect it does go on.

[...]
> > If the (now broken) DVD protection system was not a copy
> > protection mechanism at all, how come it prevented so many
> > people from making copies?
>
> I wouldn't go that far.  I would say that it is a pretty sloppy
> design, for a copy protection mechanism.

Absolutely.  But what started this strand was a claim that
the system is not a copy protection mechanism at all.
False.

> On the other hand, as a player control and monopoly-enforcing
> mechanism, it is an almost barely plausible design, if we ignore
> for a moment that they're using an utterly broken stream cipher.

Certainly there is the "player control" that forces the
player vendors to implement certain limitations on access to
content.  There is no monopoly on players.  Had the DVD
developers wanted to enforce a monopoly on players, there
were already plenty of patents on the DVD system without
the copy protection.

As we know the system is weak, and now utterly broken.
DeCSS recovers the decrypted, compressed data, which is the
worst possible break (from the MPAA point of view).  Pirates
in Asia had reportedly broken the encryption previously.
It's also true that a sophisticated operation could copy the
encrypted media, and in fact the developers of CSS
acknowledged that the encryption was not primarily aimed at
such operations.

None of that indicates that the system was not a copy
protection mechanism at all.  Of course it was.


--Bryan
--
email: bolson at certicom dot com


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Could RC4 used to generate S-Boxes?
Date: Mon, 05 Jun 2000 23:19:18 GMT


On Mon, 05 Jun 2000 21:40:35 GMT, in <8hh6of$mvr$[EMAIL PROTECTED]>, in
sci.crypt Simon Johnson <[EMAIL PROTECTED]> wrote:

>In Applied Cryptography V2 (AC2), it says an 8x8 s-box may be enough?
>What would you suggest?

A single 8x8 may not be enough.  A single box probably will have to be
used repeatedly for each block, and that provides opportunity for
attack.  It is best to use multiple boxes.  


>i'm thinking of using both 8x8 & 8x32 random s-boxes.

I have serious reservations about coupling 8x8's together in this way.


---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM



------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 5 Jun 2000 16:15:38 -0700

In article <8hhat5$q20$[EMAIL PROTECTED]>,
Bryan Olson  <[EMAIL PROTECTED]> wrote:
> You need the physical
> format and you have to sign non-disclosures to get it.

Ahh, yes, my favorite: Security through obscurity!
(or, in this case, through NDA's.  it amounts to the same thing)

> If you want to  change the claim to "if one can read the
> bits and has a DVD foundry handy, then he can make
> working copies", I will not disagree.

Ok, accepted.

> Absolutely.  But what started this strand was a claim that
> the system is not a copy protection mechanism at all.
> False.

Oh, sure, it's a copy protection mechanism -- it's just not
a very good one. :-)
(Proof: Software players exist.  I rest my case.)

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: 5 Jun 2000 16:23:00 -0700

In article <[EMAIL PROTECTED]>,
Roger Schlafly  <[EMAIL PROTECTED]> wrote:
> It is not obvious to me why it a time estimate should be more
> accurate than a space estimate.

One reason why it might be so is that many theoretical works consider
only the total complexity, and even then, in asymptotic form only.
Since the space complexity is not the bottleneck if you consider just the
asymptotics (it only becomes the bottleneck when you go to implement on
today's systems, as has been discovered fairly recently), we can imagine
that it may not have received as much attention until recently.

If you want an example of precedent, consider the original
meet-in-the-middle attack on 2DES, with time complexity 2^56 and space
complexity 2^56.  Even though its space complexity was huge, many people
still considered 2DES breakable with something like 2^56 work (i.e., they
ignored the space complexity).  And, more recently, this view has been
shown to be fairly accurate -- van Oorschot and Wiener have shown how
to greatly reduce the space requirements, at some comparably small cost
in time complexity, so it was indeed correct to consider 2DES insecure
in practice, despite the space complexity of the original attack.
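The 2DES precedent is worth seeing in miniature, because the time/space split it describes is easy to lose in the asymptotics. The block below is an added example for this digest, not code from the post: it uses a constructed 16-bit toy cipher with a 12-bit key (not DES, and with no security claims) so that the textbook meet-in-the-middle attack on double encryption actually runs. With key size k it builds a table of 2^k entries and does about 2 * 2^k cipher operations instead of the 2^(2k) of exhaustive search, which for k = 56 is exactly the 2^56 time / 2^56 space trade the post refers to; the cost_estimate helper just restates those counts.

```python
# Added example: meet-in-the-middle against double encryption, on a constructed
# toy cipher.  Nothing here is DES; the cipher exists only so the attack runs.

KEY_BITS = 12          # toy key size; 2DES has k = 56 per stage
ROUNDS = 4
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]          # PRESENT 4-bit S-box
INV_SBOX = [SBOX.index(v) for v in range(16)]


def _sub(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & 0xFFFF


def _round_key(key, r):
    return (key ^ (r * 0x1111)) & 0xFFFF


def toy_encrypt(key, block):
    x = block & 0xFFFF
    for r in range(ROUNDS):
        x = _rotl(_sub(x ^ _round_key(key, r), SBOX), 3)
    return x ^ _round_key(key, ROUNDS)


def toy_decrypt(key, block):
    x = block ^ _round_key(key, ROUNDS)
    for r in reversed(range(ROUNDS)):
        x = _sub(_rotr(x, 3), INV_SBOX) ^ _round_key(key, r)
    return x


def double_encrypt(k1, k2, block):
    """C = E_k2(E_k1(P)): the double-encryption construction under attack."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.
    Time: about 2 * 2^KEY_BITS cipher calls.  Space: a 2^KEY_BITS-entry table.
    Exhaustive search over both keys would cost 2^(2 * KEY_BITS) calls."""
    p0, c0 = pairs[0]
    table = {}                                    # E_k1(p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(k2, c0)              # meet at the middle value
        for k1 in table.get(middle, ()):
            # The first pair yields chance collisions (block is only 16 bits);
            # the remaining pairs weed them out.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def cost_estimate(key_bits):
    """(exhaustive-search time, MITM time, MITM space) for a k-bit stage key,
    counted in cipher operations and table entries respectively."""
    return 2 ** (2 * key_bits), 2 ** (key_bits + 1), 2 ** key_bits


def demo():
    k1, k2 = 0x3A5, 0x9C1                        # constructed secret keys
    plaintexts = [0x0000, 0x1234, 0xBEEF]        # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print(demo())                                # [(933, 2497)]
    print(cost_estimate(56))
```

Two details carry over to the real case. The table is indexed by the middle value, so its size is fixed by the key space and not by how many pairs are known; and a short block means the first pair alone leaves many false candidates, which is why the filtering step over additional pairs is part of the attack rather than an optimisation. The van Oorschot and Wiener result the post mentions attacks the table itself, trading a modest amount of extra time for far less memory; that refinement is not shown here.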

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Tue, 06 Jun 2000 01:45:06 +0200



Jim Ferry wrote:

> Is there a way to do this in the literature?  (Or, better yet, is
> it so trivial that it's not even in the literature?)

See Bruce Schneier's book. There is quite an amount of more
recent papers on voting in journals. Unfortunately I haven't
taken notes of these. I hope that others would provide you with
good pointers.

M. K. Shen


------------------------------

From: [EMAIL PROTECTED] (Bodo Moeller)
Subject: Re: XTR (was: any public-key algorithm)
Date: 3 Jun 2000 21:50:25 GMT

Mark Wooding <[EMAIL PROTECTED]>:
> David A. Wagner <[EMAIL PROTECTED]> wrote:

>> I'd argue that the `standard' exponent is e = 3.

> Well, SSLeay uses F_4 by default; [...]

'genrsa' has a '-3' option (the implementation for this is 'f4=3', though :-).
The library function for generating RSA keys does not have a default.

------------------------------

From: [EMAIL PROTECTED] (Brian {Hamilton Kelly})
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Mon, 05 Jun 2000 21:45:53 GMT

In article <cC74fBAJG$[EMAIL PROTECTED]>
           [EMAIL PROTECTED] "Ian Wiles" writes:

> Oh and BTW, what's a 
> >steganography package
> ?
> Scuse my ignorance.

Did you not find out at the URL given in the poster's footnote?
           http://members.tripod.com/steganography/stego.html

I've not visited it myself, nor know much about the implementation, but
SFAICS, it's a method for hiding information bits in what would otherwise
be the "noise" part of such "files" as GIFs and real-audio streams.  The
presence of these *data* bits would not be discernible to the human
eye/ear on using the file for its apparent purpose, yet could readily be
extracted to reconstitute the original data.

The word comes from "hidden writing"; one of the earliest examples of
such would probably have been the ancient Greek skytale.

-- 
Brian {Hamilton Kelly}                                          [EMAIL PROTECTED]
    "We have gone from a world of concentrated knowledge and wisdom to one of
    distributed ignorance.  And we know and understand less while being
    increasingly capable."                      Prof. Peter Cochrane, BT Labs
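The description above is essentially least-significant-bit embedding: each sample of a noisy carrier (a pixel channel, an audio sample) has its lowest bit replaced by one bit of the hidden message, so every sample changes by at most one unit. The block below is an added example for this digest, not from the post or from the package at the linked URL; it works on a constructed byte array standing in for the carrier's samples and prefixes the payload with its length so the extractor knows where to stop.

```python
# Added example: least-significant-bit embedding and extraction over a
# constructed carrier, with a check that no sample moves by more than 1.

# Constructed stand-in for 8-bit "noise" samples (e.g. one image channel).
CARRIER = bytes((i * 37 + 11) % 256 for i in range(512))


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Store a 16-bit big-endian length prefix and then the payload, one bit
    per carrier sample (MSB of each message byte first), in each sample's LSB."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length prefix")
    message = len(payload).to_bytes(2, "big") + payload
    if 8 * len(message) > len(carrier):
        raise ValueError("carrier has too few samples for this payload")
    out = bytearray(carrier)
    for i, byte in enumerate(message):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            k = 8 * i + j
            out[k] = (out[k] & 0xFE) | bit       # keep the upper 7 bits intact
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix from the first 16 samples, then that many bytes."""
    def read(n_bytes, start):
        vals = bytearray()
        for i in range(n_bytes):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (stego[start + 8 * i + j] & 1)
            vals.append(byte)
        return bytes(vals)

    length = int.from_bytes(read(2, 0), "big")
    if 8 * (2 + length) > len(stego):
        raise ValueError("length prefix points past the end of the carrier")
    return read(length, 16)


def max_sample_change(carrier: bytes, stego: bytes) -> int:
    """Largest per-sample difference introduced by embedding (1 for LSB)."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    stego = embed_lsb(CARRIER, b"hidden")
    print(extract_lsb(stego), max_sample_change(CARRIER, stego))
```

Because the upper seven bits of every sample are untouched, the carrier looks the same to a viewer or listener, which is the "not discernible to the human eye/ear" property in the post; the flip side, worth knowing on the detection side, is that the LSB plane of a real image has its own statistics, and naive embedding of this kind alters them in ways steganalysis tools are built to spot.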


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
