Cryptography-Digest Digest #9, Volume #12 Mon, 12 Jun 00 12:13:00 EDT
Contents:
quantum cryptography at nytimes.com (Quisquater)
Re: Improving DES based MAC ("Tor Rustad")
Re: slfsr.c (tomstd)
Re: Multiple encryptions (jkauffman)
Re: Multiple encryptions (tomstd)
Re: Question about recommended keysizes (768 bit RSA) (Mike Just)
Re: Multiple encryptions (Guy Macon)
Re: encoding of passwords (Mark Wooding)
Prime numbers search ("�������� ������")
Re: Prime numbers search (Mark Wooding)
Re: Multiple encryptions (jkauffman)
Re: Prime numbers search (tomstd)
Does Sarah Flannery have an email address? (David Youd)
Re: CAST sboxes --- scarry (Mike Just)
Re: CAST sboxes --- scarry (Mike Just)
FIPS-186 vs. FIPS-186-2 ("Martin Hamann")
Re: new public key? ("G. Orme")
Re: slfsr.c (Simon Johnson)
Re: slfsr.c (Simon Johnson)
Re: FIPS-186 vs. FIPS-186-2 (Mark Wooding)
Re: Random sboxes... real info ([EMAIL PROTECTED])
Re: slfsr.c (Mark Wooding)
Re: CAST sboxes --- scarry (tomstd)
Re: Encoding 56 bit data ---HELP--- (dexMilano)
Re: Cryptanalytic gap [was: Re: Some dumb questions] (Paul Koning)
Re: Double Encryption Illegal? (Paul Koning)
Re: How does DES work? (Paul Koning)
----------------------------------------------------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: quantum cryptography at nytimes.com
Date: Mon, 12 Jun 2000 13:02:49 +0200
See http://www.nytimes.com/library/magazine/home/20000611mag-code.html
from http://www.nytimes.com/library/magazine/home/index.html
------------------------------
From: "Tor Rustad" <[EMAIL PROTECTED]>
Subject: Re: Improving DES based MAC
Date: Mon, 12 Jun 2000 13:14:20 +0200
"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
> I suspect the attacker might be able to do something to reduce the work
> effort if he had lots on plaintext/ciphertext pairs. Or, someone might be
> more clever than me. You must admit, that is an extremely likely
> possibility :-)
Well, the rest of this news group has been very silent, and it is not even
shure that such an attack do exist... But I feel there is a danger that a
chosen plaintext attack and cryptoanalyze, migth reduce the security below
2^56...
> P1 XOR P2 = DES-1k( C1 ) XOR DES-1k( C2 )
>
> Exactly the same, except you do trial decryptions rather than trial
> encryptions.
Wow, that was totally impossible for me to see...thanks! (I have always
woundered why DESX and HMAC had that outer XOR.)
--
Tor
------------------------------
Subject: Re: slfsr.c
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 12 Jun 2000 05:10:33 -0700
In article <8i28p7$pik$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
wrote:
>hello tomstd
>
>i see your reponse for
>
>"Yeah my polynomial is invalid, please don't use SLFSR..."
>
>it's difficult to give another polynom ???
>
>why 32 terms (+ or - is bad)
>
>1011010010111111000110010010001111110100000101110010000010110010
>
>-what do you say per "dense"
The polynomial should be dense to ensure that new bits depend on
as many bits of the state as possible. I haven't read the
papers on shrinking lfsrs, I am just going on what I have read
in AC.
>-the fisrt bit of the polynom 0 for your
> is important for no reverting the sequence
>
>64 bits poly is difficult to reverting or
>retrieve the generate seed
>
>please give me some help
>
>what do you think if for example
>i recup 5 bits (who give me the pos for
>the bit i want to extract) and re-use
>this method for the over bit. this method
>slowdown the slfsr but disable the reverse
>schema no ???
>
>bye bye !!
Well all you need is a valid 64-bit LFSR polynomial and my code
will be ok. Generally a slfsr can't be worked backwards given
only the output, so no need to modify it (other then the poly)
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: jkauffman <[EMAIL PROTECTED]>
Subject: Re: Multiple encryptions
Date: Mon, 12 Jun 2000 05:12:43 -0700
In article <8ht8it$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Guy Macon) wrote:
> jkauffman wrote:
> >
> >But surely if the combination of D & E is weaker than
> alone
> >then D represents the first stage of a cryptoanalytic
> attack
> >on E. And if D was developed independently of E then
> this
> >attack would be by pure chance.
> "D was developed independently of E" is not the same as
> "D is independent of E". Maybe the two developers had
> the same bright idea. Maybe there is a suptle
> interaction
> that you haven't forseen.
Presumably an attacker knows the full details of E, and so
having the same bright idea has nothing to do with it. If it
is possible to design D maliciously such that applying it to
E weakens E then this is an attack and E is not secure. As
long as I dont know the key used with E there should be
nothing I can do to weaken it.
* Sent from AltaVista http://www.altavista.com Where you can also find related Web
Pages, Images, Audios, Videos, News, and Shopping. Smart is Beautiful
------------------------------
Subject: Re: Multiple encryptions
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 12 Jun 2000 05:54:25 -0700
In article <[EMAIL PROTECTED]>,
jkauffman <[EMAIL PROTECTED]> wrote:
>In article <8ht8it$[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] (Guy Macon) wrote:
>> jkauffman wrote:
>> >
>> >But surely if the combination of D & E is weaker than
>> alone
>> >then D represents the first stage of a cryptoanalytic
>> attack
>> >on E. And if D was developed independently of E then
>> this
>> >attack would be by pure chance.
>> "D was developed independently of E" is not the same as
>> "D is independent of E". Maybe the two developers had
>> the same bright idea. Maybe there is a suptle
>> interaction
>> that you haven't forseen.
>
>Presumably an attacker knows the full details of E, and so
>having the same bright idea has nothing to do with it. If it
>is possible to design D maliciously such that applying it to
>E weakens E then this is an attack and E is not secure. As
>long as I dont know the key used with E there should be
>nothing I can do to weaken it.
If D and E are truly independent keywise then there is nothing E
can do to D (assuming a "E o D" construction) to weaken it.
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Mon, 12 Jun 2000 12:56:27 GMT
I'll post the entire paragraph from cryptosavy.com since the comments below may be
a little misleading... If you go to http://www.cryptosavvy.com/RSAbulletin.htm it
says
+++++
"We were pleasantly surprised to see that RSA Laboratories in their article in the
Bulletin of RSA Laboratories Number 13 adopted the approach introduced in our
paper. It is a pity, however, that many of the findings of our paper, and actually
many other facts, are misrepresented in the RSA article, thereby seriously
undermining its academic stature."
"As an example, according to the RSA article�s conclusion, our paper �reaches the
conclusion that 1024-bit RSA keys will be safe only until 2002�, a conclusion we
�reached by assuming that 56-bit DES was vulnerable in 1982�. A correct
interpretation of our findings, as can easily be verified by reading our paper,
would be �if one was comfortable using the DES until 1982, and one adopts the
model of computational equivalence (as opposed to cost equivalence), then one
should also be willing to trust 1024-bit RSA keys until the year 2002�. The year
1982 in our paper is just a default setting, and should not be interpreted, as
done in the RSA article, as a fixed choice. One of the ideas of our model is that
the settings can be chosen by users of our model, e.g. by employing
the JavaScript program on www.cryptosavvy.com. Using this JavaScript program one
finds that if one was willing to trust the DES until 1996, as would be an adequate
choice according to the RSA article, then one should also be willing to trust
760-bit RSA keys until the year 2002 and 1024-bit RSA keys until 2010. In this
case the latter keys may even be trusted until 2018 if one adopts the more liberal
�cost equivalence� model, a year that is very close to the one mentioned in the
RSA article. It does not surprise us that a model that is very similar to ours
reaches the same conclusions as ours; it surprises us that this agreement is
presented in the RSA article as �baffling� disagreement."
+++++++++++++
Also, do you have anything more substantial regarding what the German sig law
says?
Thanks,
Mike J.
DJohn37050 wrote:
> See www.cryptosavvy.com for an estimate based on TIME (ops) that says that one
> should not use 1024 bit RSA past 2002. Also, I hear German sig. law says
> something similar.
> Don Johnson
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Multiple encryptions
Date: 12 Jun 2000 09:32:39 EDT
jkauffman wrote:
>
>
>In article <8ht8it$[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] (Guy Macon) wrote:
>> jkauffman wrote:
>> >
>> >But surely if the combination of D & E is weaker than
>> alone
>> >then D represents the first stage of a cryptoanalytic
>> attack
>> >on E. And if D was developed independently of E then
>> this
>> >attack would be by pure chance.
>> "D was developed independently of E" is not the same as
>> "D is independent of E". Maybe the two developers had
>> the same bright idea. Maybe there is a suptle
>> interaction
>> that you haven't forseen.
>
>Presumably an attacker knows the full details of E, and so
>having the same bright idea has nothing to do with it. If it
>is possible to design D maliciously such that applying it to
>E weakens E then this is an attack and E is not secure. As
>long as I dont know the key used with E there should be
>nothing I can do to weaken it.
Point well taken. I retract my statement. I was clearly wrong.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: encoding of passwords
Date: 12 Jun 2000 13:38:06 GMT
Wouter <[EMAIL PROTECTED]> wrote:
> Thank you very much. This is exactly what I wanted to know. There's
> one thing I don't know yet: the DES algorithm I know don't use a
> 'salt' (there are not 4096 different variations). What part of the DES
> algorithm is different and what is the new one (the part of the
> algorithm which uses this salt)? I hope somebody can answer this
> question too.
You're right: the Unix DES crypt(3) function doesn't use `standard' DES.
The salt is a 12-bit number, which is used to define a bit permutation
applied immediately after the standard expansion permutation E in the
DES round function. Each salt bit is associated with two bits from the
48-bit output of E: if the salt bit is set then the bits are swapped.
-- [mdw]
------------------------------
From: "�������� ������" <[EMAIL PROTECTED]>
Subject: Prime numbers search
Date: Mon, 12 Jun 2000 16:41:44 +0400
Hi everybody!
Can you help me where can I find good algorithms for searching prime
numbers?
Or tell me, please, some Internet links where I can solve this problem.
Michael.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Prime numbers search
Date: 12 Jun 2000 13:47:30 GMT
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Can you help me where can I find good algorithms for searching prime
> numbers? Or tell me, please, some Internet links where I can solve
> this problem.
Try http://www.cacr.math.uwaterloo.ca/hac/: read chapter 4 in particular.
-- [mdw]
------------------------------
From: jkauffman <[EMAIL PROTECTED]>
Subject: Re: Multiple encryptions
Date: Mon, 12 Jun 2000 06:36:33 -0700
In article <[EMAIL PROTECTED]>,
tomstd <[EMAIL PROTECTED]> wrote:
> If D and E are truly independent keywise then there is
> nothing E
> can do to D (assuming a "E o D" construction) to
> weaken it.
> Tom
quite
* Sent from AltaVista http://www.altavista.com Where you can also find related Web
Pages, Images, Audios, Videos, News, and Shopping. Smart is Beautiful
------------------------------
Subject: Re: Prime numbers search
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 12 Jun 2000 07:16:34 -0700
In article <8i2pbb$4q1$[EMAIL PROTECTED]>, "�������� ������"
<[EMAIL PROTECTED]> wrote:
>Hi everybody!
>Can you help me where can I find good algorithms for searching
prime
>numbers?
>Or tell me, please, some Internet links where I can solve this
problem.
>
>Michael.
>
What type of primes?
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: David Youd <[EMAIL PROTECTED]>
Subject: Does Sarah Flannery have an email address?
Date: Mon, 12 Jun 2000 14:22:52 GMT
Does anyone have the email address for Sarah Flannery, creator of the
cayley-purser algorithm? I have a question I'd like to ask her.
Her recent book "In Code" (available from www.amazon.co.uk) doesn't
mention an email address, and the only URL it mentions is
www.cayley-purser.ie .
------------------------------
From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: CAST sboxes --- scarry
Date: Mon, 12 Jun 2000 14:42:44 GMT
Tom,
Have you looked at the paper "Practical S-box Design" from SAC '96. It is
available (in postscript) at
<http://adonis.ee.queensu.ca:8000/sac/sac96/papers.html>.
Mike J.
tomstd wrote:
> This is bothering me that nobody knows how to make cast style
> sboxes. The CAST designers don't even have websites, and
> ENTRUST is fairly useless for technical information.
>
> <rant>Couldn't it be possible they 'lied' about their
> construction and nobody ever bothered to check?</rant> i don't
> want to spread rumors or belittle them, but I find it very
> disconcerning that I can't find a single document saying how
> they made those sboxes. In the early 80's they talked about
> making single nxn sboxes but never sboxes that way.
>
> <rant ver2.0>Ever notice in CAST-128 they mix the output of the
> boxes using various dyadic operators but in CAST-64 (the
> original) they only use xor? Which operator makes
> them "ideal"</rant ver2.0>
>
> Tom
>
> * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
> The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: Mike Just <[EMAIL PROTECTED]>
Subject: Re: CAST sboxes --- scarry
Date: Mon, 12 Jun 2000 14:43:12 GMT
Tom,
Have you looked at the paper "Practical S-box Design" from SAC '96. It is
available (in postscript) at
<http://adonis.ee.queensu.ca:8000/sac/sac96/papers.html>.
Mike J.
tomstd wrote:
> This is bothering me that nobody knows how to make cast style
> sboxes. The CAST designers don't even have websites, and
> ENTRUST is fairly useless for technical information.
>
> <rant>Couldn't it be possible they 'lied' about their
> construction and nobody ever bothered to check?</rant> i don't
> want to spread rumors or belittle them, but I find it very
> disconcerning that I can't find a single document saying how
> they made those sboxes. In the early 80's they talked about
> making single nxn sboxes but never sboxes that way.
>
> <rant ver2.0>Ever notice in CAST-128 they mix the output of the
> boxes using various dyadic operators but in CAST-64 (the
> original) they only use xor? Which operator makes
> them "ideal"</rant ver2.0>
>
> Tom
>
> * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
> The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: "Martin Hamann" <[EMAIL PROTECTED]>
Subject: FIPS-186 vs. FIPS-186-2
Date: Mon, 12 Jun 2000 17:25:33 +0200
Reply-To: "Martin Hamann" <[EMAIL PROTECTED]>
What are the differences in the FIPS-186 (1994) and the FIPS-186-2 (2000)
standards. Both are issued by NIST and defines the Digital Signature
Algorithm. I guess the standard has just been updated, but does anyone know
what the differences are ?
Thanks!
--
Regards,
Martin Hamann, Student,
Technical University of Denmark.
------------------------------
From: "G. Orme" <[EMAIL PROTECTED]>
Subject: Re: new public key?
Date: Mon, 12 Jun 2000 15:40:15 GMT
Macckone <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> If you have a private lookup table isn't
> it then a code book cipher rather
> than a public key cipher?
>
> Mack
G. In that format yes. My main point was whether expressions like these had
ever been used in cryptography, where functions that are easy to do one way
and hard to do in reverse are useful. The best example of this of course is
RSA which depends on factorizing a large number N, though it is much easier
to find two suitable factors to make N hard to factorize. In the same way
one can select 2 number, the Ath root of B (B exp 1/A) , and give say the
first 100 digits as N. it is hard to take those 100 digits and find the
values of A and B.
If this hasn't been used before, then the possibility exists to design a
cipher around this principle. Do you know if this has been done?
------------------------------
Subject: Re: slfsr.c
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Mon, 12 Jun 2000 08:37:14 -0700
I would have thought if you made all the coeffients prime then
it should be primitive & irreducible. Why would having the
polynomial mod 2 change this fact?
Simon Johnson
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
Subject: Re: slfsr.c
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Mon, 12 Jun 2000 08:41:02 -0700
I would have though having prime coeffients would make it
irreducible & primitive, why does this not work Mod 2?
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: FIPS-186 vs. FIPS-186-2
Date: 12 Jun 2000 15:53:02 GMT
Martin Hamann <[EMAIL PROTECTED]> wrote:
> What are the differences in the FIPS-186 (1994) and the FIPS-186-2 (2000)
> standards. Both are issued by NIST and defines the Digital Signature
> Algorithm. I guess the standard has just been updated, but does anyone know
> what the differences are ?
I'm not sure 186-2 is actually published yet. I'd have thought it'd be
on NIST's web pages by now if it were.
http://www.itl.nist.gov/fipspubs/by-num.htm
suggests that 186-1 is the latest, published on 1998-12-15.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Random sboxes... real info
Date: Mon, 12 Jun 2000 15:36:12 GMT
In article <[EMAIL PROTECTED]>,
tomstd <[EMAIL PROTECTED]> wrote:
> I.e is my point comming through? Random sboxes are hardly ideal.
Ok Tom -- new assignment. Random S-boxes are bad. So, write some
software to output "ok" S-boxes. (Save the program to output "good" and
"great" sboxes either for yourself, or to sell. :)
:)
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: slfsr.c
Date: 12 Jun 2000 15:56:18 GMT
Simon Johnson <[EMAIL PROTECTED]> wrote:
> I would have though having prime coeffients would make it
> irreducible & primitive, why does this not work Mod 2?
How many prime numbers can you think of among the integers mod 2?
-- [mdw]
------------------------------
Subject: Re: CAST sboxes --- scarry
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 12 Jun 2000 08:54:39 -0700
In article <[EMAIL PROTECTED]>, Mike Just
<[EMAIL PROTECTED]> wrote:
>Tom,
>
>Have you looked at the paper "Practical S-box Design" from
SAC '96. It is
>available (in postscript) at
><http://adonis.ee.queensu.ca:8000/sac/sac96/papers.html>.
>
>Mike J.
The paper explains it well. Thanks. Maybe this summer I will
implement it and try it out.
Thanks a bunch,
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: dexMilano <[EMAIL PROTECTED]>
Subject: Re: Encoding 56 bit data ---HELP---
Date: Mon, 12 Jun 2000 15:46:28 GMT
What an incredible media Internet.
All of you have helped me in many different way.
Just to be more clear.
I have a the word to cript that is a 10 digit number.
I have to generate, after this 1st cript, a set of 3 word should be
used as keys for a 3des new encription.
As you know the keys for DEs should have parity so I needed to have a
result of 7 byte to create the parity byte.
Do you know if 3des puts some other constrains to the key to work.
thx
dex
In article <8hqpm1$r94$[EMAIL PROTECTED]>,
dexMilano <[EMAIL PROTECTED]> wrote:
> Is there some good algorithm coding 7 byte in 7 byte using a
masterkey.
>
> I thought about variable length and cipher but I can't fined any good
> source to study.
>
> thx
>
> dex
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Cryptanalytic gap [was: Re: Some dumb questions]
Date: Mon, 12 Jun 2000 11:37:50 -0400
John Savard wrote:
>
> On Sun, 11 Jun 2000 06:34:24 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote, in part:
> >John Savard wrote:
>
> >> ... Anything that isn't an OTP can, in theory, be solved: ...
>
> >No.
>
> If you count brute-force methods, which I was doing in that context, I
> can't immediately see where I've oversimplified.
You need enough material to get you past the unicity
distance... which answers Trevor's question.
Yes, you could use a weak cipher if you sent sufficiently
small quantities of ciphertext. That might be useful, if you
have a need to do a pencil & paper cipher. Then again, that's
a risky spot to be in...
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Crossposted-To: comp.databases.oracle
Subject: Re: Double Encryption Illegal?
Date: Mon, 12 Jun 2000 11:47:36 -0400
Crypto-Boy wrote:
>
> On page 10-10 and 10-14 of the Oracle Advanced Security Administrator's
> Guide (from release 8.1.6 December 1999), it says the following (in bold
> no less):
>
> "Warning: You can use SSL encryption in combination with another Oracle
> Advanced Security authentication method. When you do this, you must
> disable any non-SSL encryption to comply with government regulations
> prohibiting double encryption."
>
> Since when is it illegal to double encrypt in the US? I don't believe
> this is true.
It isn't and it never has been.
Clearly the author of that statement is very confused.
If they were talking about non-US applications (more so in
the past than currently) that might be different, but in
that case a warning wouldn't have been sufficient.
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: How does DES work?
Date: Mon, 12 Jun 2000 11:55:50 -0400
Quisquater wrote:
> ... The only weak point (today!) is the key length of DES.
> Triple DES is a solution (DES-X ?). Do you how many applications
> are using DES today (correctly) and are not broken? DES was in the
> field from 1975: How many "new" ciphers (IDEA, twofish, ...) will
> be in the field for the next 25 years (I know I'm provocative here)?
Given how easy the exhaustive attack is, I'd say that any
application that uses DES to protect something more valuable
than a few thousand dollars is broken. If you exclude
those from "using DES today (correctly)" then that's fine.
Also, the exhaustive attack was described accurately
in 1977, so I wouldn't agree that DES has had a long secure
life. What I would say is that the PR machine that
overcame the original Diffie & Hellman paper was quite
successful, but PR success does not make for real
security.
paul
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
