Cryptography-Digest Digest #7, Volume #12        Mon, 12 Jun 00 00:13:01 EDT

Contents:
  Re: Random IV Generation (Terry Ritter)
  Re: Large S-Boxes (tomstd)
  Re: matrix question (Benjamin Goldberg)
  RSA Euro, Please read if you have used it already (Anonymous)
  Re: Using two DES modules ("Joseph Ashwood")
  Re: RSA Algorithm ("Joseph Ashwood")
  Re: Digits of pi in Twofish (S. T. L.)
  Re: randomness tests ("Douglas A. Gwyn")
  Retract my views on AES (tomstd)
  Re: Cryptanalytic gap [was: Re: Some dumb questions] ("Douglas A. Gwyn")
  Re: Homophones ("Douglas A. Gwyn")
  Re: randomness tests (tomstd)
  Re: Cryptanalytic gap [was: Re: Some dumb questions] ("Douglas A. Gwyn")
  Re: Retract my views on AES (tomstd)
  Re: Cryptographic voting (Greg)
  tiger (Cypheridea)
  Re: tiger (tomstd)
  Re: randomness tests (Guy Macon)
  Re: randomness tests (Guy Macon)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Random IV Generation
Date: Sun, 11 Jun 2000 22:25:49 GMT


On Sun, 11 Jun 2000 22:36:03 +0200, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>
>> Instead of counting in binary sequence, use a finite field.
>> Typically, this would be a simple linear feedback shift register
>> (lfsr).  There is no strength required for the counting sequence; the
>> strength improvement comes from not presenting a sequence in which
>> only one bit changes fully half the time.
>
>Would a Gray code, which is simple to implement, also be good
>at that? Thanks.

No.  The goal is to have many bits changing on each step, not just
one.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
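
As an added illustration of the point above (this is not code from the post), the following measures how many IV bits change per step under a plain binary counter, a Gray code and a 16-bit LFSR counter; the 16-bit width, the start state of 1 and the LFSR feedback mask 0xB400 are assumptions chosen for the demonstration.

```python
# Added example, not from the original post.  Counts how many bits of a
# 16-bit IV change between consecutive states for three counting rules.
# Assumptions: 16-bit width, start state 1, and the feedback mask 0xB400
# for the Galois LFSR (polynomial x^16 + x^14 + x^13 + x^11 + 1).

WIDTH = 16
MASK = (1 << WIDTH) - 1


def binary_sequence(steps, start=1):
    """Plain binary counter: every other step flips only the low bit."""
    seq, x = [], start & MASK
    for _ in range(steps):
        seq.append(x)
        x = (x + 1) & MASK
    return seq


def gray_sequence(steps, start=1):
    """Reflected Gray code of the binary count: exactly one bit per step,
    which is the opposite of what the IV counter needs."""
    return [x ^ (x >> 1) for x in binary_sequence(steps, start)]


def lfsr_sequence(steps, start=1, taps=0xB400):
    """Galois LFSR over GF(2): shift right, xor the taps when a 1 falls out.
    With a primitive polynomial the state runs through all 2^16 - 1
    non-zero values, so it is as complete a counter as binary counting."""
    seq, x = [], start & MASK
    for _ in range(steps):
        seq.append(x)
        lsb = x & 1
        x >>= 1
        if lsb:
            x ^= taps
    return seq


def bits_changed(seq):
    """Hamming distance between each state and the next."""
    return [bin(a ^ b).count("1") for a, b in zip(seq, seq[1:])]


def summarize(seq):
    d = bits_changed(seq)
    return {
        "mean_bits_changed": sum(d) / len(d),
        "one_bit_steps": sum(1 for n in d if n == 1) / len(d),
        "distinct_states": len(set(seq)),
    }


if __name__ == "__main__":
    full = (1 << WIDTH) + 1            # one full cycle plus the wrap-around
    for name, seq in (("binary", binary_sequence(full)),
                      ("gray", gray_sequence(full)),
                      ("lfsr", lfsr_sequence(full - 2))):
        print(name, summarize(seq))
```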


------------------------------

Subject: Re: Large S-Boxes
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 15:29:16 -0700

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <mok-
[EMAIL PROTECTED]> wrote:
>
>
>tomstd wrote:
>
>> Sure
>
>[snip]
>
>For saving time of getting books from the library, question: which of
>the literatures you gave contain stuff on BP and DP? Thanks.
>
>M. K. Shen

If you honestly want to make sboxes, you should read them all,
but the papers I listed hardly constitute comprehensive
reading... I just don't have access to all the euro/asia/crypt
books from 1980 to now (if I did I would be one very happy kid).

Tom


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: matrix question
Date: Mon, 12 Jun 2000 00:42:59 GMT

Dark Nebular wrote:
> 
> how did you compute Mb, the inverse matrix of Ma?
> 
[snip]


#include <stdlib.h>
#include <string.h>

/* all arithmetic is mod 2**32, so unsigned int is assumed to be 32 bits */

unsigned int inv32(unsigned int x) {
        /* x * inv32(x) = 1 mod (2**32); x must be odd.  Newton iteration
           y = y * (2 - x*y) doubles the number of correct low bits per
           step, and y = x is already correct to 3 bits (x*x = 1 mod 8). */
        unsigned int y = x, i;
        for( i = 0; i < 4; ++i )
                y *= 2 - x * y;
        return y;
}

void mulmatrix(
        unsigned int *out, const unsigned int *in1, const unsigned int *in2,
        unsigned int a, unsigned int b, unsigned int c
) {
        /* out = in1 x in2, with dimensions [a x c] = [a x b] x [b x c].
           Everything is row-major, so rows of in1 are b wide and rows of
           in2 and out are c wide. */
        unsigned int out_a, out_c;
        for( out_a = 0; out_a < a; ++out_a )
                for( out_c = 0; out_c < c; ++out_c ) {
                        unsigned int out_ac = 0, in_b;
                        for( in_b = 0; in_b < b; ++in_b )
                                out_ac += in1[ out_a*b + in_b ] * in2[ in_b*c + out_c ];
                        out[ out_a*c + out_c ] = out_ac;
                }
}

int invmatrix(
        unsigned int *inv, const unsigned int *mat, unsigned int size
) {
        /* Gauss-Jordan elimination mod 2**32 without pivoting.  Returns 1
           and leaves mat^-1 in inv, or 0 if a pivot comes out even (no
           inverse mod 2**32) or memory runs out.  Matrices built by
           randmatrix (odd diagonal, even elsewhere) always succeed, since
           they stay equal to the identity mod 2 throughout. */
        unsigned int i, j, k;
        unsigned int *tmp;
        unsigned int *p, *q, *r, *s;

        tmp = (unsigned int*)malloc( sizeof(unsigned int) * size * size );
        if( tmp == NULL )
                return 0;
        memcpy( tmp, mat, sizeof(unsigned int) * size * size );

        for( i = 0; i < size; ++i )
                for( j = 0; j < size; ++j )
                        inv[i*size+j] = i == j;

        for( i = 0; i < size; ++i ) {
                unsigned int c;
                if( !(tmp[i * size + i] & 1) ) {
                        /* even pivot: checked here rather than up front,
                           because elimination can change the diagonal */
                        free(tmp);
                        return 0;
                }
                c = inv32(tmp[i * size + i]);
                r = &tmp[i*size];
                s = &inv[i*size];
                for( j = 0; j < size; ++j ) {   /* scale row i so the pivot is 1 */
                        r[j] *= c;
                        s[j] *= c;
                }
                for( j = 0; j < size; ++j ) {   /* clear column i in the other rows */
                        if (j == i)
                                continue;
                        p = &tmp[j*size];
                        q = &inv[j*size];
                        c = p[i];
                        for( k = 0; k < size; ++k ) {
                                p[k] -= c * r[k];
                                q[k] -= c * s[k];
                        }
                }
        }

        free(tmp);
        return 1;
}

void randmatrix(
        unsigned int * matrix, unsigned int size,
        unsigned int (*p_ranno)(void *state), void *closure
) {
        /* random matrix with odd diagonal and even off-diagonal entries,
           which is always invertible mod 2**32 */
        unsigned int i, j;
        for( i = 0; i < size; ++i )
                for( j = 0; j < size; ++j )
                        matrix[i*size+j] = (*p_ranno)(closure)<<1 | (i==j);
}

------------------------------

From: Anonymous <[EMAIL PROTECTED]>
Date: 12 Jun 2000 01:16:56 -0000
Subject: RSA Euro, Please read if you have used it already


I'm trying to write a simple program using the RSA Euro crypto library.
The random data and hash functions work fine, but I get errors when I
try to use the RSAPublicEncrypt function.

When I just have rsaeuro.h included in my code I get the error
"'RSAPublicEncrypt' : undeclared identifier". This function isn't declared
anywhere in rsaeuro.h so this is a logical error. It is declared in rsa.h,
so I also tried including rsa.h. However this gives me another error
"unresolved external symbol "int __cdecl RSAPublicEncrypt[and so on]".

Please, if any of you have already used the RSA Euro crypto library in
a program, let me know what I have to do to be able to use these RSAxxx
functions. It's probably some stupid little error I just don't see because
I'm too tired already :)

I'm using Visual C++ 6 and RSA Euro v1.04

thanks



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Using two DES modules
Date: Sun, 11 Jun 2000 18:17:31 -0700

> 1. Superencipherment (2DES).

Broken, subject to meet-in-the-middle attack.

>
> 2. Use one DES in full OFB for preprocessing the plaintext
>     with xor before input to the other DES.

Each block will have some characteristics that could allow
something akin to a meet-in-the-middle attack, but I doubt
it could be done as efficiently.

>
> 3. Use one DES in full OFB to generate keys for the other
>    DES.

At first blush this seems to be the best option. It would
take significantly more examination to be assured of it, but
each block could be broken to determine the key, which might
be a problem depending on your threat model.

Thinking about it briefly, I think #3 would be the most
preferable of the options, but I doubt any of them would be
highly secure.
                Joe

>
> Note that (3) needs only one key. Does the comparison gets
> changed, if the two keys of (1) or (2) are identical?
>
> Intuitively, I think that (3) could be superior.
>
> Many thanks in advance.
>
> M. K. Shen
> ----------------------------
> http://home.t-online.de/home/mok-kong.shen
>
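
To make the meet-in-the-middle remark on option 1 concrete, here is an added example that is not from the thread: a constructed 16-bit toy cipher with 8-bit keys stands in for DES, so that the reason superencipherment buys only about one extra bit of security can be run in milliseconds. The cipher, the key values and the known pairs are all constructed for the demonstration.

```python
# Added example, not from the thread.  A constructed 16-bit toy cipher with
# 8-bit keys stands in for DES: 2^8 forward encryptions plus 2^8 backward
# decryptions single out the (k1, k2) pair that naive search would need
# up to 2^16 double encryptions to find.
from collections import defaultdict

MASK16 = 0xFFFF


def toy_encrypt(block, key):
    """Four rounds of key addition, rotation and a constant xor.  A made-up
    permutation for illustration only: not DES and not secure."""
    x = block & MASK16
    kk = ((key & 0xFF) << 8) | (key & 0xFF)
    for r in range(4):
        x = (x + kk + r * 0x1357) & MASK16
        x = ((x << 5) | (x >> 11)) & MASK16
        x ^= 0xA5C3
    return x


def toy_decrypt(block, key):
    """Exact inverse of toy_encrypt, needed for the backward half."""
    x = block & MASK16
    kk = ((key & 0xFF) << 8) | (key & 0xFF)
    for r in reversed(range(4)):
        x ^= 0xA5C3
        x = ((x >> 5) | (x << 11)) & MASK16
        x = (x - kk - r * 0x1357) & MASK16
    return x


def double_encrypt(block, k1, k2):
    """Superencipherment, option 1 in the thread: E_k2(E_k1(p))."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) tuples under one (k1, k2).
    Returns every key pair consistent with all of them and the number of
    single-cipher operations spent: 2^8 + 2^8 rather than 2 * 2^16."""
    p0, c0 = pairs[0]
    middle = defaultdict(list)           # E_k1(p0) -> [k1, ...]
    for k1 in range(256):
        middle[toy_encrypt(p0, k1)].append(k1)
    ops = 256
    found = []
    for k2 in range(256):
        ops += 1
        for k1 in middle.get(toy_decrypt(c0, k2), ()):
            # a match on the first pair is confirmed against the others
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found, ops
```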



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: RSA Algorithm
Date: Sun, 11 Jun 2000 18:18:07 -0700

Actually, I think I will personally have to take exception
to my proposal, and completely reverse direction on my
statement. First let me say that my last statement on this
was rather loaded with loopholes. Continuing, my logic is as
follows.

Encrypted output is completely incompressible if and only if
under all chaining methods and under all keys a finitely
keyed encryption cannot be compressed under any inputs. The
counterexample is quite simple, reverse the order of the
prior proposals such as:

(assuming a 64-bit block cipher that is perfect in every
way)
pad the PLAINTEXT to 64 times its original size by
inserting 0's into the stream, creating plaintext2
encrypt plaintext2 with our perfect block cipher with a
64-bit block in ECB mode
the resultant ciphertext will have 2 64-bit values contained
within, call them 0 and 1.
From here the ciphertext can be easily compressed to 2
64-bit blocks and a stream of 0,1, padding the stream by
only 128-bits (and having a .5 chance of flipping all the
bits), call this compressedciphertext1
Separate compressedciphertext1 into a 128-bit random number
(called ran1), and a stream of 0,1 called str1
compress str1 using whatever methods are available for the
original data (and its inverse), call it str2
recombine ran1 and str2 to form a final string that is
shorter than PLAINTEXT, hence in exact contradiction of my
prior statements.
                    Joe


> I think I can end this though by
> changing my statements to be that if you take the input to
> an isolated strong encryption method, the output cannot be
> compressed to smaller than the input. Can we agree to that,
> and agree to differing ideas of what happens in certain
> special cases?
>                 Joe
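
The counterexample above carried out step by step, as an added example that is not code from the thread: a random permutation built lazily from os.urandom stands in for the "perfect" 64-bit block cipher, zlib stands in for "whatever methods are available for the original data", and the sample plaintext is constructed. The round trip in the block also shows the compression is lossless, so the shortened string really does carry the whole ciphertext.

```python
# Added example, not from the thread.  Walks through the post's construction
# with a stand-in for the perfect 64-bit block cipher (a random permutation
# built lazily from os.urandom; constructed for the demonstration, not a
# real cipher) and a generic compressor (zlib) for str1 -> str2.
import os
import zlib

BLOCK = 8  # 64-bit blocks

def expand_plaintext(plaintext):
    """plaintext2: each bit of PLAINTEXT followed by 63 zero bits, so every
    64-bit block has the numeric value 0 or 1."""
    out = bytearray()
    for byte in plaintext:
        for i in range(7, -1, -1):
            out += bytes(7) + bytes([(byte >> i) & 1])
    return bytes(out)

def ideal_ecb_encrypt(plaintext2, table):
    """ECB with an ideal cipher: equal input blocks give equal output blocks,
    and that alone is what the compressor below relies on."""
    out = bytearray()
    for i in range(0, len(plaintext2), BLOCK):
        blk = plaintext2[i:i + BLOCK]
        if blk not in table:
            table[blk] = os.urandom(BLOCK)
        out += table[blk]
    return bytes(out)

def compress_ciphertext(ciphertext):
    """ran1 (the two distinct blocks, 128 bits) followed by str2 (the 0/1
    stream str1 squeezed with a generic compressor)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    distinct = sorted(set(blocks))
    if len(distinct) != 2:
        raise ValueError("expected exactly two distinct ciphertext blocks")
    # str1: one bit per block.  Which block is called "1" is arbitrary, so
    # str1 is PLAINTEXT or its complement: the post's .5 chance of flipping.
    str1 = bytearray()
    for i in range(0, len(blocks), 8):
        byte = 0
        for blk in blocks[i:i + 8]:
            byte = (byte << 1) | distinct.index(blk)
        str1.append(byte)
    return distinct[0] + distinct[1] + zlib.compress(bytes(str1), 9)

def decompress_ciphertext(packed):
    """Inverse of compress_ciphertext; the ciphertext comes back exactly."""
    c0, c1 = packed[:BLOCK], packed[BLOCK:2 * BLOCK]
    out = bytearray()
    for byte in zlib.decompress(packed[2 * BLOCK:]):
        for i in range(7, -1, -1):
            out += c1 if (byte >> i) & 1 else c0
    return bytes(out)

def sizes(plaintext):
    """Byte lengths at each stage of the argument, plus a round-trip check."""
    plaintext2 = expand_plaintext(plaintext)
    ciphertext = ideal_ecb_encrypt(plaintext2, {})
    packed = compress_ciphertext(ciphertext)
    return {"plaintext": len(plaintext), "plaintext2": len(plaintext2),
            "ciphertext": len(ciphertext), "packed": len(packed),
            "round_trip": decompress_ciphertext(packed) == ciphertext}
```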






------------------------------

From: [EMAIL PROTECTED] (S. T. L.)
Subject: Re: Digits of pi in Twofish
Date: 12 Jun 2000 01:47:38 GMT

<<Hippocracy is claiming that since you are MS Certified you can
speak about good security.>>

Ah, government by hippopotami.

-*---*-------
S.T.L.  My Quotations Page at ***  http://quote.cjb.net  *** is being
REORGANIZED.  Comments are welcome.  *392* quotations and growing!
Now playing: Half-Life  Now learning: C programming  (Hello, World!)

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: randomness tests
Date: Mon, 12 Jun 2000 03:00:04 GMT

Mok-Kong Shen wrote:
> tomstd wrote:
> > Mok-Kong Shen wrote:
> > >What do you mean by 'test' above? A test that has some reasonable
> > >statistical foundation, or one that simply outputs 'Fail!'? ...
> > I mean just that.  For any PRNG I can devise a test that it
> > would fail.
> Is that kind of argument appropriate in scientific discourse?

I think we could also ask if your question was appropriate.
A "test" in this context is a procedure that reliably detects
a certain deviation from the spec (true randomness).  The
deviation Tom obviously had in mind was that the output is
perfectly predictable (using the actual PRNG as the model),
which of course is a failure to be truly random.

------------------------------

Subject: Retract my views on AES
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 19:59:31 -0700

I retract my statements about AES having multiple ciphers.

Reason:  KISS.

By using one cipher as 'AES' you can keep the cryptosystems as
simple as possible.  I learnt this from Cryptobag which I am
thinking of scrapping (because it sucks).

I hope never have to retract my beliefs ever again, although
it's my sincere hope I make plenty more mistakes in the
following years to come.

Tom



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cryptanalytic gap [was: Re: Some dumb questions]
Date: Mon, 12 Jun 2000 03:05:29 GMT

"David A. Wagner" wrote:
> If we interpret OTP loosely, as meaning "any cipher that is not used
> past the unicity distance", then ...

But that's not the accepted definition of "one-time-pad cryptosystem".
Since, properly interpreted, "not past the unicity distance" is
equivalent to "not unambiguously cryptanalyzable", to change the
definition in that way would be cheating.  John was claiming that the
ciphertext from any system other than a true OTP was crackable, and
that is simply not so.  One needs any of a number of things to happen
before cryptanalysis can succeed.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Homophones
Date: Mon, 12 Jun 2000 03:07:23 GMT

Mok-Kong Shen wrote:
> ... If each character is stored in a
> byte, we can have a homophone mapping of 70 to 256. I suppose
> that's enough expansion to effect essential flattening of
> frequency distribution of single characters.

But it doesn't disguise their contacts, which can be recovered
in several ways, e.g. fitting a HMM, or SVD of the transition matrix.

------------------------------

Subject: Re: randomness tests
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 20:05:47 -0700

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
>Mok-Kong Shen wrote:
>> tomstd wrote:
>> > Mok-Kong Shen wrote:
>> > >What do you mean by 'test' above? A test that has some reasonable
>> > >statistical foundation, or one that simply outputs 'Fail!'? ...
>> > I mean just that.  For any PRNG I can devise a test that it
>> > would fail.
>> Is that kind of argument appropriate in scientific discourse?
>
>I think we could also ask if your question was appropriate.
>A "test" in this context is a procedure that reliably detects
>a certain deviation from the spec (true randomness).  The
>deviation Tom obviously had in mind was that the output is
>perfectly predictable (using the actual PRNG as the model),
>which of course is a failure to be truly random.

Bingo, right on the button.  As well as other non-trivial
contrived tests.  For example LFGs will fail the birthday
spacings test but a BBS won't.  Both are PRNGs, both can be
useful (depending on context).  But since the LFG fails the BST
does that mean it's useless?

That's like saying your new car is useless because it can't do
0-60 in 0.4 seconds... You don't need that "feature" so it doesn't
hamper the appeal.  Similarly you may not need
statistically "random" numbers that pass the BST.

Tom




------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cryptanalytic gap [was: Re: Some dumb questions]
Date: Mon, 12 Jun 2000 03:08:32 GMT

JPeschel wrote:
> If it's a Caesar variant, and the sender's language
> is English: WINO.

Yes, sorry, I canceled that posting and substituted one in which
I said what I meant to say: just simple substitution, not Caesar.

------------------------------

Subject: Re: Retract my views on AES
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 20:07:54 -0700

In article <[EMAIL PROTECTED]>, tomstd
<[EMAIL PROTECTED]> wrote:
>I retract my statements about AES having multiple ciphers.
>
>Reason:  KISS.
>
>By using one cipher as 'AES' you can keep the cryptosystems as
>simple as possible.  I learnt this from Cryptobag which I am
>thinking of scrapping (because it sucks).
>
>I hope never have to retract my beliefs ever again, although
>it's my sincere hope I make plenty more mistakes in the
>following years to come.

"I hope ^to^ ..." hehehe oops... speaking of mistakes.

Blush....

Tom



------------------------------

From: Greg <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting
Date: Mon, 12 Jun 2000 02:57:48 GMT


> For goodness sakes, people could use laundry
> tickets for money if they wanted to. Actually
> that gives me an interesting idea about
> cryptographic money .... I'll have to work on
> it after I get the *cryptographic* *voting*
> thing figured out (hint).

After careful consideration of what would be required for a voting
system to resist fraud and tampering, I have come to the conclusion
that given the requirements below, one cannot be made:

1. It must be secret ballot
2. Voters cannot be identified (by law)
3. Voters cannot be deduced from the votes
4. Votes must be verifiable (not altered) by anyone
5. Voters cannot vote more than once
6. The system requires no trust of anyone

If you think this through, you will realize that if we don't know WHO
voted, then we don't know with any certainty how many votes we should
see.  Therefore, the system allows a person (in charge of a precinct)
to add any number of fraudulent votes to further their agenda.

Requirements 1 and 2 are by law and they stand in the way (I wonder
why?) of a fraud proof system.  All other requirements can be met with
trivial use of web sites, public keys, and other standard technology of
today.  I can go through the steps if anyone is interested, but under
current law, a fraud proof system cannot be used in US elections.

--
Tyranny is kept at bay by guns and will.  Our government
knows we have the guns, but they don't know if we have
the will.  Nor do we.
The only lawful gun law on the books- the second amendment.



------------------------------

From: [EMAIL PROTECTED] (Cypheridea)
Subject: tiger
Date: 12 Jun 2000 03:10:59 GMT

I had a few questions about the tiger hash algorithm.

Is it more secure than MD5 or SHA1?
Can it generate a 256 bit digest?
Does anyone know where I can get the C++ source code?

thanks

------------------------------

Subject: Re: tiger
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 20:11:57 -0700

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Cypheridea) wrote:
>I had a few questions about the tiger hash algorithm.
>
>Is it more secure than MD5 or SHA1?
>Can it generate a 256 bit digest?
>Does anyone know where I can get the C++ source code?

here's a tip, read the bloody paper... go to

http://www.cs.technion.ac.il/~biham/

And grab his source and papers.

For your info, it produces a 192 bit hash, but he discusses
drop-in replacement with 128/160 bit outputs (truncated).  And
it's conjectured to be more secure than both MD5 and SHA because
of the larger digest.  It's newer than the others but has a very
sound design.  It's also very fast.

Tom




------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: randomness tests
Date: 11 Jun 2000 23:28:19 EDT

tomstd wrote:
>
>
>In article <8hvhpl$[EMAIL PROTECTED]>,
>Guy Macon wrote:

>>what is your advice to the seller of a PRNG concerning testing?
>>What is your advice to the seller of a hardware based RNG
>>concerning testing?  Please be specific.
>
>That's just it, "Please be specific".  If I told you my block
>cipher passed the DNA randomness test you would say "oh so what
>there are a million other things to look at".  This is true, a
>block cipher has to be secure against other statistical attacks.
>
>So why wouldn't this be true for a prng?  Just because your prng
>passes DIEHARD doesn't mean it's at all random.  It's been shown
>time and time again that you can devise means to fool the
>statistical might and still not be random.
>
>I would suggest to the developers of prng devices to state
>exactly what their tests were and to say what the implications
>are.

Fair enough.  But what is your advice concerning what tests they
should run before they publish the full details of the results?
You said "IF you don't know what it's for, how can you tell if
it's good or not?".  Are you saying that they should run no tests?



------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: randomness tests
Date: 11 Jun 2000 23:31:54 EDT

tomstd wrote:

>If you don't know what you are using the prng for, you can't
>tell if it's working now can you?  Simple as that.

You have it backwards.  I know what I am using a PRNG for - I am
using it to hide my plaintext from an attacker.  Can I tell if
it's working?  No. I cannot.  If you do know what you are using
the PRNG for, you still can't tell if it's working, now can you?
Simple as that.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
