Cryptography-Digest Digest #958, Volume #11       Tue, 6 Jun 00 16:13:01 EDT

Contents:
  Re: Question about recommended keysizes (768 bit RSA) (David A. Wagner)
  Re: A Family of Algorithms, Base78Ct (wtshaw)
  Re: Some citations (wtshaw)
  Re: Could RC4 used to generate S-Boxes? ("T.Williams")
  Re: Question about recommended keysizes (768 bit RSA) (Jerry Coffin)
  Re: Question about recommended keysizes (768 bit RSA) (Paul Koning)
  Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])
  Cryptography FAQ (02/10: Net Etiquette) ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: 6 Jun 2000 11:32:47 -0700

In article <8hiv9l$vcp$[EMAIL PROTECTED]>,
Bob Silverman  <[EMAIL PROTECTED]> wrote:
> In article <8hhcok$v4s$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (David A. Wagner) wrote:
> > In article <[EMAIL PROTECTED]>,
> > Roger Schlafly  <[EMAIL PROTECTED]> wrote:
> > > It is not obvious to me why a time estimate should be more
> > > accurate than a space estimate.
> >
> > One reason why it might be so is that many theoretical works consider
> > only the total complexity, and even then, in asymptotic form only.
> 
> We have real-world benchmarks!!!  These are not "theoretical estimates".

Yes, now.  But wouldn't you say that people have been studying
"theoretical estimates" for advanced algorithms longer (or more
intensely, if one looks back in time a bit) than they have been
studying "real-world benchmarks"?

The point is, whichever has been studied more thoroughly might
well be considered better-understood and thus might lead to a
more reliable (from a very conservative point of view) estimate
of the complexity of factoring.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: A Family of Algorithms, Base78Ct
Date: Tue, 06 Jun 2000 11:08:28 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> 
> > Mok-Kong Shen<[EMAIL PROTECTED]> wrote:
> > >
> > > Through the time I saw you several times mentioning GVA but I have
> > > never understood what that scheme really performs. Could you give
> > > a pointer or post a sketch to the group? Thanks.
> >
> > http://www.radiofreetexas.com/wts/
> 
> I see that the multistage (i.e. iterated) use of the Jefferson cylinder
> with the aid of a key is indeed a nice idea.
> 
> M. K. Shen

Thanks, it works, and neither Jefferson, Brassier, nor any Mr. M94 is
complaining about the role of prior art.

BTW, none has been able to successfully attack even a moderate level of
security, as defined by the keys, not a single soul, and many have tried.
Keep in mind that the cylinder itself is the principal key.

At the time of its public description, none in the public sector seemed to
admit that strong crypto was known or might be possible, as having such
violated crypto propaganda maxims.  Since then it has become vogue to
claim such strength, but none can easily come close to the working strength
of this baby, certainly not its simplicity.
-- 
If you wonder worry about the future enough to adversely limit
yourself in the present, you are a slave to those who sell security.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Some citations
Date: Tue, 06 Jun 2000 10:55:17 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> I think that the following citations may be of some interest,
> because they may presumably not be unanimously accepted by
> us all and hence could trigger some discussions:
> 
>     Bandwidth expansion is not necessarily either a drawback
>     or a strength of a system, merely a feature.
> 
I said the same thing, in essence, and said it first, circa 1995.
-- 
If you wonder worry about the future enough to adversely limit
yourself in the present, you are a slave to those who sell security.

------------------------------

From: "T.Williams" <[EMAIL PROTECTED]>
Subject: Re: Could RC4 used to generate S-Boxes?
Date: Tue, 06 Jun 2000 20:51:12 +0200

Mark Wooding wrote:

> T.Williams <[EMAIL PROTECTED]> wrote:
> > Runu Knips wrote:
> >
> > > Hmm. For me, a s-box is an operation of the form:
> > >
> > >            f(x) -> y
> > >
> > > where f is bijective and should have some other good properties
> > > already discussed in this thread.
>
> No.  Bijectivity isn't actually a necessary feature; it helps security,
> though.  For example, Blowfish's S-boxes aren't necessarily bijective --
> these are the `weak keys' that Vaudenay found.  DES's S-boxes aren't
> bijective either: in particular, they're source-heavy.  Non-bijectivity
> is a bad idea in general: it means that you can get nonzero input
> differences sent to zero output differences, giving you an easy 2-round
> iterative characteristic.
>
> > > The main point about it is, that it is an operation or function,
> > > not a dynamically changing mapping, i.e. for the same x you
> > > always get the same y.
>
> This is true.
>
> An `S-box' is a function, possibly parameterized by the key, and usually
> implemented as a look-up table for speed (or because algebraic
> expressions of the function are too horrible to contemplate).
>
> > Ah, but this is not always the case.  Remember Merkle's Khufu and
> > its ever changing s-boxes?
>
> Khufu doesn't have `ever changing s-boxes'.  It has a key-dependent
> S-box for each 8 rounds.  You use the same S-boxes in the same sequence
> for each block.
>
> -- [mdw]

I stand corrected.  That's what usually happens when I paraphrase.  So
this time I'll just quote from the Schneier/Kelsey paper:

"Although in most Feistel ciphers, the F-function is altered only by the
round keys from round to round, there is no reason why this must be the
case. In Merkle's Khufu[Mer91], for example, the F-function changes (the
S-boxes change) once per 'octet'...".

I interpreted that first sentence to mean that F(x) doesn't necessarily
always have to return the same "y" for the same "x".  Bad interpretation?
Maybe a better way to say it is F(x) will return the same "y" for the same
"x" using the same s-box contents (or whatever F is using).  Does a
deviation from this behavior classify the construction as something other
than a block cipher?  For example, if the s-box started its life as the
output of a PRNG (ala "CAST-like block cipher with random s-boxes"), as
opposed to being an optimized representation of an algebraic expression,
and the cipher implementation was such that the s-box "evolved" over time,
thus opening the door for F(x) to return y' instead of y, is the cipher
automatically a stream cipher?  [ Or, more probably just a bad cipher ;-) ]
Is the s-box no longer an "S-box"?

Whoops. I think I've gotten far enough off topic... too many questions...
sorry 'bout that.
-tom
---
"...just an old programmer trying to understand the rules..."
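
The bijectivity point in the quoted reply above, as an added example that is not part of this thread: a small Python check that builds an S-box's difference distribution table and reports whether any nonzero input difference can be sent to a zero output difference, the collision that feeds the 2-round iterative characteristic mentioned above. The PRESENT cipher's published 4-bit S-box is used as a known-good permutation (it is not on this page), and the second S-box is a deliberately damaged copy constructed here.

```python
from collections import Counter

# Constructed sample S-boxes (4-bit in, 4-bit out). The first is the
# published PRESENT S-box, used here only as a known-good bijective
# reference; the second is a damaged copy in which entry 1 duplicates
# entry 0, so output value 5 is never produced and the map is no longer
# a permutation.
BIJECTIVE_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                  0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NONBIJECTIVE_SBOX = [0xC, 0xC, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                     0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_bijective(sbox):
    """True if the S-box is a permutation: every output occurs exactly once."""
    return len(set(sbox)) == len(sbox)


def ddt(sbox):
    """Difference distribution table as a Counter keyed by (dx, dy).

    ddt[(dx, dy)] counts the inputs x for which S(x) ^ S(x ^ dx) == dy.
    Only the input width is taken from the table length, so non-square
    S-boxes (e.g. DES's 6-bit-in, 4-bit-out tables) are handled as well.
    """
    n = len(sbox)
    return Counter((dx, sbox[x] ^ sbox[x ^ dx])
                   for dx in range(n) for x in range(n))


def zero_output_differences(sbox):
    """Nonzero input differences that can be mapped to output difference 0.

    For a permutation this list is empty: S(x) == S(x ^ dx) forces dx == 0.
    Any entry here is a collision a Feistel designer must account for.
    """
    table = ddt(sbox)
    return [dx for dx in range(1, len(sbox)) if table[(dx, 0)] > 0]


def iterative_characteristic_probability(sbox, dx):
    """Probability that F absorbs input difference dx (output difference 0).

    In a Feistel round whose F is this S-box, the half-block difference
    (dx, 0) becomes (0, dx) after one round with probability 1 and returns
    to (dx, 0) after the next round with exactly this probability: the
    2-round iterative characteristic described in the thread.
    """
    return ddt(sbox)[(dx, 0)] / len(sbox)


def max_differential_probability(sbox):
    """Largest DDT entry over nonzero input differences, as a probability."""
    table = ddt(sbox)
    best = max(count for (dx, _), count in table.items() if dx != 0)
    return best / len(sbox)


if __name__ == "__main__":
    for name, box in (("PRESENT", BIJECTIVE_SBOX), ("damaged", NONBIJECTIVE_SBOX)):
        print(name, "bijective:", is_bijective(box),
              "dx->0 collisions:", zero_output_differences(box),
              "max diff prob:", max_differential_probability(box))
```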


------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Tue, 6 Jun 2000 13:01:00 -0600

In article <8hjdrg$bc5$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> In article <[EMAIL PROTECTED]>,
>   Jerry Coffin <[EMAIL PROTECTED]> wrote:
> > In article <8hiv0a$v21$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> 
> > > You want a "high-end" machine in 1977?  Try the CDC-6600.
> >
> > Bob, I hate to point it out, but your knowledge of the history of
> > computing seems badly defective.
> 
> ROTFL.....
> 
> I was *there*. 

So why do you persistently make statements you have the background to 
know are false?

> I was working at DEC when the VAX was first introduced
> and was coding on high end CDC machines in 1978.  (doing linear
> programming). I was even coding on the CRAY-1S in 1980.

So?  I wrote code on a Cyber too.  What of it?  My experience on 
vector machines was with the commercially less-successful Cyber 205, 
but that doesn't really have a lot to do with the question at hand, 
now does it?

> The VAX was considered a 32-bit  MINI-Computer, even by DEC when it
> was introduced. It was anything but a high end machine.

Quibble over wording all you like, but you can't change reality:  
comparing the memory bandwidth of a VAX 11/780 to a low-end, single-
user machine gives results that are grossly misleading at best.  By 
the same token that the 11/780 wasn't a high-end machine, neither is 
the AlphaServer GS320 to which I said it should be compared.  

If you think the GS320 is the wrong choice, feel free to decide that 
DEC had the highest market share in that area at the time, and 
compare it to the current Sun Enterprise 10000 since I believe Sun 
now has the leading market share in that range.  If, for whatever 
reason, you think it would be better to compare to an HP PA-RISC, 
SGI, etc., go for it -- they're all pretty similar anyway.

The simple fact is though, that all you've tried to do is change the 
subject and argue over words instead.

I won't bother with another follow-up like this: far be it from me to 
spend more time and effort simply to force you to admit that you were 
and are wrong -- I think intelligent people reading the thread have  
enough information to realize that your comparison and conclusions 
were inaccurate.  Unless you're willing to change your ways and add 
something substantive to the thread, there's no real point in 
continuing it.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Tue, 06 Jun 2000 14:16:14 -0400

Tom McCune wrote:
> ...
> 4096 bit RSA keys are not slow on modern computers - even 8k keys are
> tolerable:

Possibly for interactive use with applications such as PGP.
But that doesn't carry over to SSL, or IPsec, where a server
has to be able to support hundreds or thousands of clients.

        paul
-- 
!-----------------------------------------------------------------------
! Paul Koning, NI1D, D-20853
! Lucent Corporation, 50 Nagog Park, Acton, MA 01720, USA
! phone: +1 978 263 0060 ext 115, fax: +1 978 263 8386
! email: [EMAIL PROTECTED]
! Pgp:   27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75
!-----------------------------------------------------------------------
! "A system of licensing and registration is the perfect device to deny
! gun ownership to the bourgeoisie."
!       -- Vladimir Ilyich Lenin

------------------------------

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 06 Jun 2000 19:15:39 GMT

Archive-name: cryptography-faq/part01
Last-modified: 1999/06/27


This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.

Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.

Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/ 
from Jan 1992.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.

The fields `Last-modified' and `Version' at the top of each part track
revisions.


1999: There is a project underway to reorganize, expand, and update the
sci.crypt FAQ, pending the resolution of some minor legal issues. The
new FAQ will have two pieces. The first piece will be a series of web
pages. The second piece will be a short posting, focusing on the
questions that really are frequently asked.

In the meantime, if you need to know something that isn't covered in the
current FAQ, you can probably find it starting from Ron Rivest's links
at <http://theory.lcs.mit.edu/~rivest/crypto-security.html>.

If you have comments on the current FAQ, please post them to sci.crypt
under the subject line Crypt FAQ Comments. (The crypt-comments email
address is out of date.)



Table of Contents
=================

1. Overview

2. Net Etiquette
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?

3. Basic Cryptology
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
  relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?

4. Mathematical Cryptology
4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?

5. Product Ciphers
5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, and OFB encryption?

6. Public-Key Cryptography
6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'

7. Digital Signatures
7.1. What is a one-way hash function?
7.2. What is the difference between public, private, secret, shared, etc.?
7.3. What are MD4 and MD5?
7.4. What is Snefru?

8. Technical Miscellany
8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?

9. Other Miscellany
9.1. What is the National Security Agency (NSA)?
9.2. What are the US export regulations?
9.3. What is TEMPEST?
9.4. What are the Beale Ciphers, and are they a hoax?
9.5. What is the American Cryptogram Association, and how do I get in touch?
9.6. Is RSA patented?
9.7. What about the Voynich manuscript?

10. References
10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups

------------------------------

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (02/10: Net Etiquette)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 06 Jun 2000 19:15:39 GMT

Archive-name: cryptography-faq/part02
Last-modified: 94/06/13


This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents:

2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?


2.1. What groups are around? What's a FAQ? Who am I? Why am I here?

  Read news.announce.newusers and news.answers for a few weeks. Always
  make sure to read a newsgroup for some time before you post to it.
  You'll be amazed how often the same question can be asked in the same
  newsgroup. After a month you'll have a much better sense of what the
  readers want to see.

2.2. Do political discussions belong in sci.crypt?

  No. In fact some newsgroups (notably misc.legal.computing) were
  created exactly so that political questions like ``Should RSA be
  patented?'' don't get in the way of technical discussions. Many
  sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
  comp.patents, sci.math, comp.compression, talk.politics.crypto,
  et al.; for the benefit of people who don't care about those other
  topics, try to put your postings in the right group.

  Questions about microfilm and smuggling and other non-cryptographic
  ``spy stuff'' don't belong in sci.crypt either.

2.3. How do I present a new encryption scheme in sci.crypt?

  ``I just came up with this neat method of encryption. Here's some
  ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
  doubt questions like this are the most annoying traffic on sci.crypt.

  If you have come up with an encryption scheme, providing some
  ciphertext from it is not adequate. Nobody has ever been impressed by
  random gibberish. Any new algorithm should be secure even if the
  opponent knows the full algorithm (including how any message key is
  distributed) and only the private key is kept secret. There are some
  systematic and unsystematic ways to take reasonably long ciphertexts
  and decrypt them even without prior knowledge of the algorithm, but
  this is a time-consuming and possibly fruitless exercise which most
  sci.crypt readers won't bother with.

  So what do you do if you have a new encryption scheme? First of all,
  find out if it's really new. Look through this FAQ for references and
  related methods. Familiarize yourself with the literature and the
  introductory textbooks.

  When you can appreciate how your cryptosystem fits into the world at
  large, try to break it yourself! You shouldn't waste the time of tens
  of thousands of readers asking a question which you could have easily
  answered on your own.

  If you really think your system is secure, and you want to get some
  reassurance from experts, you might try posting full details of your
  system, including working code and a solid theoretical explanation, to
  sci.crypt. (Keep in mind that the export of cryptography is regulated
  in some areas.)

  If you're lucky an expert might take some interest in what you posted.
  You can encourage this by offering cash rewards---for instance, noted
  cryptographer Ralph Merkle is offering $1000 to anyone who can break
  Snefru-4---but there are no guarantees. If you don't have enough
  experience, then most likely any experts who look at your system will
  be able to find a flaw. If this happens, it's your responsibility to
  consider the flaw and learn from it, rather than just add one more
  layer of complication and come back for another round.

  A different way to get your cryptosystem reviewed is to have the NSA
  look at it. A full discussion of this procedure is outside the scope
  of this FAQ.

  Among professionals, a common rule of thumb is that if you want to
  design a cryptosystem, you have to have experience as a cryptanalyst.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************