Cryptography-Digest Digest #29, Volume #12 Wed, 14 Jun 00 19:13:01 EDT
Contents:
Re: Microsoft's Email Signing ([EMAIL PROTECTED])
Re: Digits of pi in Twofish (Dan Day)
small subgroups in Blum Blum Shub ([EMAIL PROTECTED])
Re: And the search is on! (Anton Stiglic)
Re: Onefish (Twofishes sibbling) (tomstd)
Re: On using compression as proper means of encryption (SCOTT19U.ZIP_GUY)
Re: Threshold Schemes. (Simon Johnson)
Re: Why the golden ratio? (Tim Tyler)
Def of "nonlinear order" (tomstd)
Re: Q: Using two DES modules (David A. Wagner)
Re: Threshold Schemes. (Simon Johnson)
Re: Why the golden ratio?
Re: Is Gretchen down? ("Joseph Ashwood")
Re: Random sboxes... real info (David A. Wagner)
Re: Maurer & Massey's result on cascade ciphers (was: Multiple encryptions) (David
A. Wagner)
Re: Q: Using two DES modules (Bryan Olson)
Re: Threshold Schemes. (James Pate Williams, Jr.)
Re: Why the golden ratio? (AllanW)
Re: Maurer & Massey's result on cascade ciphers (was: Multiple encryptions) (Bryan
Olson)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Microsoft's Email Signing
Date: Wed, 14 Jun 2000 21:00:33 GMT
Ryan, S/MIME specifies many different combinations of signing/encrypting
so that some can be exported, others not, and the data security required
can be tailored for use.
I believe Netscape, MS, and Eudora would test their products against
each other, and I have seen the Van Dyke implementation (A Wang govt
services company) docs claim to be interop tested with MS and Netscape.
As for bugs inherent in their products, it is possible, but more likely
to take the form of inadequate protection against the signing key.. I
would hope, this late in the game.
As a last cautionary note, sign before encrypt. The data could be
changed enroute if you don't sign it. (See the S/MIME RFCs for more
information why..)
Maybe the biggest difference is in the certificate handling -- pgp
allows a web of trust where you trust only who you want to trust. s/mime
asks you to trust whoever issued the certificate for the person.
Using both will likely be slow cumbersome, but layers are good. :)
In article <[EMAIL PROTECTED]>,
Ryan Phillips <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> After trying out Microsoft's Digital Signatures found in Microsoft
> Outlook, I came up with a few questions regarding the security of
> their algorithm.
>
> 1. What algorithm does the signing/encryption portion use? S/MIME?
> (I'm still going to use PGP, though, because of all the inherient
> security flaws found in MSFT products)
>
> 2. Has the implementation been tested against known test values?
>
> and
>
> 3. What is the time period, that is generally excepted, that a
> message will stay secure?
>
> Thanks for your time.
>
> - -Ryan Phillips
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.2
>
> iQA/AwUBOUeuYuB/yjQQFbPXEQKADgCgi3PKbef720OmzaV1x3Wovpkn/cgAoOcW
> E7lLvQjDfC8j+N5+SIAXcfGx
> =eias
> -----END PGP SIGNATURE-----
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Dan Day)
Subject: Re: Digits of pi in Twofish
Date: Wed, 14 Jun 2000 21:12:03 GMT
On 12 Jun 2000 01:47:38 GMT, [EMAIL PROTECTED] (S. T. L.) wrote:
><<Hippocracy is claiming that since you are MS Certified you can
>speak about good security.>>
>
>Ah, government by hippopotami.
ROTFL!
--
"How strangely will the Tools of a Tyrant pervert the
plain Meaning of Words!"
--Samuel Adams (1722-1803), letter to John Pitts, January 21, 1776
------------------------------
From: [EMAIL PROTECTED]
Subject: small subgroups in Blum Blum Shub
Date: Wed, 14 Jun 2000 21:10:44 GMT
Greetings.
Another question --- When playing around with Blum Blum Shub, using
small primes, I noticed very short cycles before repetition.
As an example, using 7 and 11 as the prime factors, feed it 6: 6 --> 36
--> 64 --> 15 --> 71 --> 36 ... That is three cycles. Using 11 and 31
(341) feed it 6: 6 --> 36 --> 237 --> 191 --> 335 --> 36 ... That is
four cycles.
While I realize larger primes will lead to larger cycles, it seems to me
that an attacker patient enough to wait for a cycle could easily guess
forthcoming and some previous bits.
Are there any papers floating around that describe the behavior of these
subgroups [is that correct terminology? :] to allow for risk analysis?
How long will an attacker have to wait to see repetition from the bits
given 'n' bits in the modulus?
Thanks. ;)
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: And the search is on!
Date: Wed, 14 Jun 2000 17:27:45 -0400
tomstd wrote:
>
> Let's do a bit of math. There are about 2^1684 possible 8-bit
> permutations. Let's assume there are a trillion perfect 8x8
> sboxes, our chances of finding an sbox is about 2^-1644, let's
> assume there are only a million then we have 2^-1664. Finally I
> am guessing there are only a handful of perfect sboxes (say a
> thousand) we have a one in 2^1674 chance of finding one. These
> odds are stacked against us, but I bet given enough time and
> computers one of the sboxes will happen to fall out of the
> clouds.
Hmmm, with those odds, I'd rather have my spare CPU try to crack
the RC5 challenge, I'd have *much* better chances. By trying
just *one* key, I have a 2^-64 chance of being the one to find it,
that is 2^-64/2^-1674 = 2^1674/2^64 = 2^1610 times more chances
than finding your S-box!
Do you realize the probabilities encountered in your quest?
Look at http://stats.distributed.net/rc5-64/
They have been working for 965 days, a total of 254577 people
have participated. Just yesterday for example, 45016 people
actively participated, they still didn't find the right 64-bit
key!
Further note: If everybody that tries out your program just picks
random s-boxes to try out, it's even worse, because you will be
repeating work...
Take a look at www.mersenne.org for some more realistic distributed
computations.
Anton
------------------------------
Subject: Re: Onefish (Twofishes sibbling)
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2000 14:26:47 -0700
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Dan Day) wrote:
>On Sun, 11 Jun 2000 09:13:00 -0700, tomstd
<[EMAIL PROTECTED]>
>wrote:
>
>>Just for fun I designed Onefish, it's a 64-bit block cipher
>>using some design components from RC5 and Twofish.
>
>Okay, how long until Redfish and Bluefish come along?
I would say about a week :) You can call TC5 (on my website)
NoFish if you like...
Tom
--
http://tomstdenis.com
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: On using compression as proper means of encryption
Date: 14 Jun 2000 21:29:43 GMT
[EMAIL PROTECTED] wrote in <8i8rd5$g5c$[EMAIL PROTECTED]>:
>In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>> Use a PRNG (crypto strength unessential) with a key as
>> seed to generate a sequence of symbols (length of sequence
>> determined by PRNG) to initialize an adaptive Huffman
>> compression algorithm, taking care that all symbols of the
>> plaintext alphabet are input at least once. The output in
>
>M.K., I like the initial idea. However, there is a question I have...
>
>How does the receiver know the Huffman table? I *think* the table is
>sent with the data in most applications, and unless a fixed table is
>used (ie, fixed for that application, not adaptive on input data) then
>the table needs to be sent along as well. Would you simply send the
>table over encrypted with some other form (PK, symmetric)? At that
>point, why not just send the regular table over encrypted with PK or
>symmetric?
>
>I gotta say, I like the initial idea. :)
>
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
>
Acatually it is an idea I propsed a long time ago and can be
easily implmented using the 1-1 compression programs at my site,
the "key" or "conditioning table" would be the contentents of
the condition file. However even though it could be used for
encryption if would be far better as a first pass before encryption.
Since it is not "true" encryption you would need a much longer
"key" or "condtion" file that would have to be kept secret than
the short leys people commonly use for regular encryption.
see http://members.xoom.com/ecil/compress.htm
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Threshold Schemes.
Date: Wed, 14 Jun 2000 21:30:19 GMT
In article <[EMAIL PROTECTED]>,
Anton Stiglic <[EMAIL PROTECTED]> wrote:
>
> Could you firstly describe that scheme briefly here, so that we don't
> all
> have to go find the book and read it?
>
> Anton
Okay, i am reluctant to describe this because i'm not sure how to do
it, but i will try :p
We have a Secret integer, M that we wish to devise a mxn treshold
scheme. For this example, say we want 5 people to be able to
reconstruct M and there to be a maxiumum of 257 shadows.
First we construct a m-1'th order polynomial mod 257, in this case the
highest power is 4.
f(x) = ax^4 + bx^3 + cx^2 + dx + m mod 257
Randomly select values for a,b,c,d. Then the x'th shadow is created by
evaluating the polynomial.
Once all the shadows are generated, loose but don't reveal a,b,c,d.
Now i'm after a quick method to compute a,b,c,d from the shadows.
Can you help?
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Why the golden ratio?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jun 2000 21:13:35 GMT
Volker Hetzer <[EMAIL PROTECTED]> wrote:
: Dennis Scott wrote:
: [golden ratio]
:> e^(i*pi) + 1 = 0
: So, how would one get from your equation to the value 0.618?
You probably would not. Runu specified an equation with pi, e, the
golden number, and 1. This is a very well-known equation with
PI, e, i, 1 and 0. It seems possible that they were mixed up.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ This tagline no verb.
------------------------------
Subject: Def of "nonlinear order"
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 14 Jun 2000 14:40:18 -0700
I am confused now (uh-oh) I thought the nonlinear order of a
function can be computed using a modification of the Bit
Independence Criterion (BIC). For example a function is
nonlinear to the order r if for all masks with a hamming weight
of 2..r you can perform a BIC test and pass.
For example the mask '3' would be 11 in binary and mean to test
the first and second nx1 sboxes. 7 would be 111 and mean to
test the first three.
In otherwords no r-tuple of nx1 sboxes are linearly dependent.
If this is the case then the findings of Knudsen and Jakobsen
are wrong when they discuss the nonlinear order of cubics and
quadratics (etc) in GF(2^n). For my 20 sboxes I posted earlier
they were found to be perfectly nonlinear upto 7-tuples of 8x1
sboxes...
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Q: Using two DES modules
Date: 14 Jun 2000 14:40:06 -0700
You are talking about OFB | CBC, I take it?
The hard part in these modes is always how to select the IV, if I
understand correctly. If the IV is secret, maybe they are good modes,
but then you can only use it once. So you'd like to be able to pick a
random IV and transmit it over the wire, like in any other streaming
mode. But, if you do that with multiple modes, there are often subtle
attacks -- chosen-IV attacks, and so on. It seems tricky to come up
with a multiple mode like this that one can actually use in practice
without destroying its security advantages.
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Threshold Schemes.
Date: Wed, 14 Jun 2000 21:36:16 GMT
Thanxs, But i'm after the math to do it, not the algothims..... I aint
go time to *decipher* the code :p
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Why the golden ratio?
Date: 14 Jun 2000 15:40:17 -0700
Runu Knips ([EMAIL PROTECTED]) wrote:
: Dido Sevilla wrote:
: > Does the golden ratio have some properties that these
: > other numbers don't?
: AFAIK there is a simple equotation of pi, e, the golden
: number, and 1, I don't remember it exactly but it was
: really very simple. Maybe I can find it at home.
: However, I believe the fact that the golden number is
: related to pi and e puts a little of the glory of those
: most important numbers into it. :-)
: And hey, its golden ! ;-)
Like another poster, at first I thought you had misremembered Euler's
famous formula,
e^(i*pi)=-1
which is really only a fancy way of saying that cos(180 deg)=-1.
However, there is a formula like what you have mentioned: it isn't all
that simple, and it is due to Srinavasa Ramanujan...
and you can find it at
http://mathworld.wolfram.com/GoldenRatio.html
John Savard
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is Gretchen down?
Date: Wed, 14 Jun 2000 14:45:20 -0700
Crossposted-To:
alt.security.pgp,comp.security.firewalls,alt.privacy.anon-server,alt.privacy
> A) you need a pipe equivilant to the sum of the major backbones.
Not if you have a significant computer present at each of those backbones
that performs a significant portion of the filtering for you, then you would
only need a much smaller pipe. Also remember that the vast majority of hose
pipes remain unfilled almost all the time.
>
> B) you need a computer or cluster that can read and filter on the fly this
> ammount of information
Which can be done, for proof I simply point to the fact that these pipelines
are running, so it can obviously be read. The traffic is being generated by
a small portion of the cpu in a small portion of the computers in the world,
a trojan would be an ideal way to get the processor time needed, after all
the attack is obviously not bounded by lawfulness.
>
> C) you need a network interface for a data pipe that doesn't exist.
Except that by segmenting the necessities you require much smaller network
interface, on a much smaller pipe.
>
> D) how does a system with IP range A, on subnet B, see data between
systems C
> and D with completely seperate subnets when the data is never even routed
across
> A's network. Unless you are implying that they have a vampire tap on
every
> major circuit and subcircuit that duplicates all traffic and then reroutes
it to
> their hosts.
They would be forced to have a vampire on each of the major backbones, or at
least the ones with anything of interest. It would be a massive undertaking,
cost a hundred million dollars or so (just a very rough guess), but it is
possible. The next questions should be: what are the necessary backbones?
where is the best location to tap them?
Joe
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Random sboxes... real info
Date: 14 Jun 2000 15:01:43 -0700
In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> wrote:
> David Hopwood <[EMAIL PROTECTED]> wrote:
> : In fact, a method for selecting a permutation uniformly at random
> : from that space would be as secure as a keyed permutation (a.k.a.
> : block cipher) of that size can possibly be.
>
> That last seems questionable. The space of all possible permutations
> contains the identity transformation - which is not strong.
Nonsense. That's on par with the following popular fallacy:
Myth: "the all-zeros key is a weak key for the one-time pad
(because it acts as the identity transformation), and
so the one-time pad can be strengthened if you exclude
the all-zeros key."
Such reasoning is pure balderdash. The myth is, of course, false.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Maurer & Massey's result on cascade ciphers (was: Multiple encryptions)
Date: 14 Jun 2000 15:12:24 -0700
In article <[EMAIL PROTECTED]>, Nicol So <see.signature> wrote:
> Bryan Olson wrote:
> > Ueli M. Maurer and James L. Massey. Cascade ciphers:
> > The importance of being first. Journal of Cryptology,
> > 6(1):55-61, 1993.
>
> > Against chosen plaintext, (again assuming independent keys)
> > the composition must be at least as strong as the stronger
> > of the two.
>
> I've had a problem with the result of Maurer and Massey for a long time.
> Basically, I think the result is "wrong". The (counter-)example they
> gave in the paper does not demonstrate the informal statement of the
> result. The definition of a secure cipher implicitly used in the paper
> is, in my opinion, unnatural. For a cipher to be secure, it should be
> secure w.r.t. all distributions of inputs. That's not the case with the
> "secure" ciphers in their example.
It sounds like you don't care too much for their definitions; you prefer
different ones. That's ok. Their point remains. If all we care about
is ciphertext-only security when the plaintext is distributed like ASCII
English, and if the _only_ way we ever measure security is via this threat
model, then a cascade of two ciphers may be weaker (_under this metric_)
than the second cipher.
I agree that, as you say, in practice our metrics are much more demanding.
We insist that our ciphers be secure not just against plaintext distributed
like English is, but against plaintext that is _chosen by the attacker_.
Note that the chosen-plaintext security requirement is an even stronger
requirement than just insisting that the cipher be secure for all plaintext
distributions, since in the chosen-plaintext model the attacker usually is
free to _adaptively_ choose the plaintexts.
And, yes, as Bryan Olson says, under this more demanding chosen-plaintext
metric, the cascade is indeed at least as strong as the stronger of the two
ciphers, as we'd intuitively hope and expect.
The contribution of the Maurer and Massey paper, as I see it, is to show
that this intuition need not hold true for all metrics, and indeed, there
are some semi-reasonable metrics where our intuitive expectation is wrong.
It doesn't mean that cascades don't work; it just means we need to be
careful about our expectations. That's interesting, IMHO.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Q: Using two DES modules
Date: Wed, 14 Jun 2000 22:25:06 GMT
Mok-Kong Shen wrote:
>
> Bryan Olson schrieb:
>
> > Mok-Kong Shen wrote:
> > >
> > > Given two two DES modules and two keys, which of the following
> > > schemes is to be preferred, (a) in ECB and (b) in CFB?
> > >
> > > 1. Superencipherment (2DES).
> > >
> > > 2. Use one DES in full OFB for preprocessing the plaintext
> > > with xor before input to the other DES.
> > >
> > > 3. Use one DES in full OFB to generate keys for the other
> > > DES.
> >
> > One and two are currently intractable (no one can afford the
> > space for the time-space tradeoff).
> >
> > Three is breakable.
> >
> > What's the point?
>
> To find out whether using two DES modules would be sufficient in
> place of three DES modules as in 3DES and hope that the same
> result could be transferred to other block ciphers.
None of them nearly as secure as 3DES (barring huge
advances against 3DES). The speed-up isn't that
great either; in software number 3 may be slower.
> I am not sure of having understood the meaining of your term
> 'breakable' in the present context.. Does your 'currently intractable'
> mean 'unbreakable' or does it mean 'breakable', or is it something
> inbetween? Could you substantiate your claim of difference between
> (1) and (2) on the one side and (3) on the other side? Many thanks
> in advance.
Mark Wooding and Scott Fluhrer did a good job of that.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: Threshold Schemes.
Date: Wed, 14 Jun 2000 22:54:45 GMT
On Wed, 14 Jun 2000 21:36:16 GMT, Simon Johnson
<[EMAIL PROTECTED]> wrote:
>Thanxs, But i'm after the math to do it, not the algothims..... I aint
>go time to *decipher* the code :p
>--
>Hi, i'm the signuture virus,
>help me spread by copying me into Signiture File
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
If you tried looking at the program that has a reference to Schneier's
book in the opening comments you would see that a form of the
algorithm requires the extended Euclidean algorithm for calculating
the inverse of a number modulo another number. Also, you can
use Gaussian elimination. Another program shows the method using
Lagrange's interpolation formula. See the _Handbook of Applied
Cryptography_ by Alfred J. Menzes et al. 12.71 Mechanism page 526.
==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate
------------------------------
From: AllanW <[EMAIL PROTECTED]>
Subject: Re: Why the golden ratio?
Date: Wed, 14 Jun 2000 22:38:56 GMT
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Runu Knips wrote:
> > AFAIK there is a simple equotation of pi, e, the golden
> > number, and 1 ...
>
> Not a nontrivial one.
> As others have pointed out, pi, e, i, 1, and 0 along with the
> operators =, +, * (multiply), and ^ (exponentiate) enter into
> a single nontrivial relationship: e^(i*pi)+1=0 which is surely
> memorable. However, the golden ratio "phi" is not involved.
> One can, of course, combine any number of unrelated quantities
> into a single equation, but that means nothing. Feynman once
> showed how all known laws of physics could be trivially
> "unified": Take the i-th basic real-valued equation, e.g.
> E=m*c^2, and rewrite it with 0 on one side: E-m*c^2=0. Call
> the left side the "unworldiness" of that equation: Ui. Then
> the "unified" theory is: the sum over i of all Ui^2 = 0. That
> single equation contains all the known laws of physics..
So you're saying
(sqrt(5)-1)/2 * 0 = (E-M*C^2) * 0
is that right?
That's very deep. It could explain so many things. Like, why
did Clinton screw around on his wife?
G = Gross Domestic Product of USA
N = Amount of nookie Clinton gets (0=none, 1.0=constant)
W = Amount of nookie Clinton gets from his wife alone
G*0 = (N-W)*0
So Clinton getting extra-marital nookie is actually good for
the country!
--
[EMAIL PROTECTED] is a "Spam Magnet," never read.
Please reply in newsgroups only, sorry.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Maurer & Massey's result on cascade ciphers (was: Multiple encryptions)
Date: Wed, 14 Jun 2000 22:38:56 GMT
Nicol So wrote:
> I've had a problem with the result of Maurer and Massey for a
> long time.
> Basically, I think the result is "wrong". The (counter-)example they
> gave in the paper does not demonstrate the informal statement of the
> result. The definition of a secure cipher implicitly used in the paper
> is, in my opinion, unnatural. For a cipher to be secure, it should be
> secure w.r.t. all distributions of inputs. That's not the case with
> the "secure" ciphers in their example.
You have a point. I tried to avoid those difficulties by
clearly separating the chosen-plaintext case, and referring
the weakening as a "theoretical possibility". But I agree
that the papers results are somewhat silly. The "folk
theorem" they deride is basically correct, and the point
that the attacker cannot insert a step between the plaintext
and the first encryption seems trivial for a journal article.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
