Cryptography-Digest Digest #99, Volume #12 Sat, 24 Jun 00 11:13:01 EDT
Contents:
Re: Algo's with no easy attacks? (Simon Johnson)
Re: Questions about RSA............. (David Blackman)
Re: security problem with Win 2000 Encryption File System (Simon Johnson)
Re: Questions about RSA............. (Simon Johnson)
Re: exponentiation (tomstd)
Re: Encryption 4 the Masses? (tomstd)
Re: Encryption 4 the Masses? (Simon Johnson)
Re: Encryption 4 the Masses? (tomstd)
Re: Compression & Encryption in FISHYLAND (tomstd)
Re: Algo's with no easy attacks? (tomstd)
Re: Algo's with no easy attacks? (tomstd)
Re: Variability of chaining modes of block ciphers (Guy Macon)
Re: XOR versus MOD (Richard Outerbridge)
Re: Comments please: A protocol for Digital voting (Roadkill)
Re: how to compare the security between ECC and RSA (DJohn37050)
Re: DH - Man In The Middle (DJohn37050)
How Close? (Future Beacon)
Simple Key Escrow (tomstd)
Re: How Close? (tomstd)
Re: Encryption 4 the Masses? (Troed)
----------------------------------------------------------------------------
Subject: Re: Algo's with no easy attacks?
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 02:12:24 -0700
Yup,
Most ciphers have no *easy* attacks, but they can usually be
attacked in some way, shape or form.
The real question is your definition of easy: is a requirement
of 2^62 known plain-texts an easy attack?
Really, I can only envisage that the One Time Pad is the only
attack-less cipher out there.
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: David Blackman <[EMAIL PROTECTED]>
Subject: Re: Questions about RSA.............
Date: Sat, 24 Jun 2000 19:24:53 +1000
Simon Johnson wrote:
>
> Just a quick point,
>
> VB is pants for RSA, I can never generate a public-private key
> pair with a modulo greater than 32-bit.
>
> Out of interest, does anyone know a way of computing large
> numbers in VB?
Did you learn the algorithms "long multiplication" and "long division"
at primary school? It is actually possible to implement them in VB,
though probably not much fun. Good luck.
------------------------------
Subject: Re: security problem with Win 2000 Encryption File System
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 02:22:54 -0700
>I don't know how that system works, but if one
>wants to create an encrypted file system, any
>data which is ever stored to that disk should
>NEVER be unencrypted, or else you always can
>get that data back, no matter if it was wiped
>or not.
I agree with this statement; however, if you have no choice,
wiping the deleted file with several passes of a pseudo-random
number generator is a good substitute.
------------------------------
Subject: Re: Questions about RSA.............
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 02:26:53 -0700
Ouch.
That's all I have to say... I don't fancy doing that :)
------------------------------
Subject: Re: exponentiation
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:27:02 -0700
Yen-Choon Ching <[EMAIL PROTECTED]> wrote:
>
>
>tomstd wrote:
>>
>> Yen-Choon Ching <[EMAIL PROTECTED]> wrote:
>> >Hi,
>> >
>> >Can someone tell me how fast we can do an exponentiation on an 8-bit
>> >smart card for the following parameter:
>> >
>> >p = 1024 bits, q = 160 bits
>> >
>> >Does it need a crypto processor?
>>
>> I assume this is in the field of integers modulo a prime? Then
>> I would suggest a math-copro if speed is a requirement, otherwise
>> a compact multiply-square can get it done in a *reasonable*
>> amount of time without serious code-bloat.
>
>What's reasonable without a crypto processor? Under 1 second?
>
>
I would think with an 11 MHz AVR MCU you could do an exponentiation
like that in under a second. This would be ideal for logins and
authentications. You wouldn't use a software-only MCU device
to do real-time PK crypto...
Tom
------------------------------
Subject: Re: Encryption 4 the Masses?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:27:41 -0700
"Pig Ear" <[EMAIL PROTECTED]> wrote:
>Is this program any good? Has it stood up to the scrutiny of the crypto
>community?
What program? PGP?
Tom
------------------------------
Subject: Re: Encryption 4 the Masses?
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:31:40 -0700
tomstd <[EMAIL PROTECTED]> wrote:
>"Pig Ear" <[EMAIL PROTECTED]> wrote:
>>Is this program any good? Has it stood up to the scrutiny of the crypto
>>community?
>
>What program? PGP?
>
>Tom
'encryption 4 the masses' is an encryption program, I believe.
It's the one the author is referring to. :)
------------------------------
Subject: Re: Encryption 4 the Masses?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:37:45 -0700
Simon Johnson <[EMAIL PROTECTED]> wrote:
>tomstd <[EMAIL PROTECTED]> wrote:
>>"Pig Ear" <[EMAIL PROTECTED]> wrote:
>>>Is this program any good? Has it stood up to the scrutiny of the crypto
>>>community?
>>
>>What program? PGP?
>>
>>Tom
>
>'encryption 4 the masses' is an encryption program, I believe.
>It's the one the author is referring to. :)
>
I dunno, PGP is referred to as "Cryptography for the masses" as
well...
Tom
------------------------------
Subject: Re: Compression & Encryption in FISHYLAND
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:39:26 -0700
Simon Johnson <[EMAIL PROTECTED]> wrote:
>Then again, you could always put your differences behind you.
>Rather than trying to slur each other.
>
>I don't know, maybe i'm wrong.
>
>S. Johnson
Here's something funnier. Some attacks actually work better
against compressed data. The full 16r Differential Attack on
DES for example doesn't work so well with only ASCII plaintext
blocks...
Anyways...
Tom
------------------------------
Subject: Re: Algo's with no easy attacks?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:41:41 -0700
Simon Johnson <[EMAIL PROTECTED]> wrote:
>Yup,
>
>Most ciphers have no *easy* attacks, but they can usually be
>attacked in some way, shape or form.
>
>The real question is your definition of easy: is a requirement
>of 2^62 known plain-texts an easy attack?
>
>Really, I can only envisage that the One Time Pad is the only
>attack-less cipher out there.
Yeah but there are some block ciphers that have higher
resistance. For example we could consider eight rounds of DES
secure if you said "2^14 plaintexts is not available" but I
would generally not use so few rounds.
Tom
------------------------------
Subject: Re: Algo's with no easy attacks?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 04:46:04 -0700
"matt" <[EMAIL PROTECTED]> wrote:
>Hi all.
>
>I've been lurking on this NG for a while, and often mention is made of
>various attacks on algorithms such as known plaintext, repeated
>messages etc.
Known plaintext is not an attack. The current popular types of
attacks are differentials and linear I/O sums (single sums).
Things like Generalized Linear Cryptanalysis (SAFER for
example), Interpolation Attacks, ... are variants of the two
basic attacks.
In the two primary attacks you need either *chosen* or *known*
plaintexts to perform the attack. The more plaintexts you need
the harder it is to perform the attack. Many ciphers are
declared secure when it's found that the number of plaintexts
exceeds the total number possible of plaintexts.
>I don't have much experience in matters such as this, so are there
>any/many algorithms which are freely available, which don't suffer
>from any known attacks such as this. Basically, I want something which
>I don't have to worry about that the plaintext may be known, or a
>repeated pattern of messages is sent, or other problems such as that.
>Are IDEA, Twofish, 3DES etc OK in this regard, or are there problems
>with these?
I can always find problems, if you just look!
IDEA is slow, has weak keys, free-use only patent.
3DES is terribly slow, has weak keys, not particularly useful.
Twofish is complicated, has weak shortened keys, good cipher though.
...
Depends on what your requirements are.
Tom
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Variability of chaining modes of block ciphers
Date: 24 Jun 2000 08:14:33 EDT
John Myre wrote:
>
>I think that, if I were writing crypto programs for my own use (where
>my worst enemy is probably an 8-year old), I would indeed try stuff
>like double encrypting, or varying algorithms, etc. This for fun, or
>speed, or general educational value. But for money, I would be a
>fuddy-duddy, and make recommendations like "just use triple-DES for
>now", or something. So, yes, I'd agree that our assumptions were
>quite different.
>
I came to the same conclusion. One social problem is that sci.crypt
has a mix of both kinds of people, with new ones coming in. Again
and again I see the two cultures clash as individuals who don't
realize that the other class of crypto user exists answer each others'
posts.
------------------------------
From: Richard Outerbridge <[EMAIL PROTECTED]>
Subject: Re: XOR versus MOD
Date: Sat, 24 Jun 2000 08:35:11 -0400
2000-06-24 08:18:06 EDT
Maybe the question should be "What is the Hamming distance between
the truth tables?" Looking at Tony's examples, and taking into account
the fact that 11 XOR 11 is 00, as far as I can see the Hamming distance
between 2-bit XOR and 2-bit ADD is only 4. Can we do better? Would
it matter? I can't speak to the latter, but here's an example of
the former.
Consider the little-known and seldom-used two's complement addition
method, which like XOR (but unlike ADD) is involutable, and combines
addition and subtraction.
It can be done any number of ways:
NEG.L D3 /* (-leftt - fval) */
SUB.L D4,D3
or
ADD.L D4,D3 /* -(leftt + fval) */
NEG.L D3
or
ADD.L D4,D3 /* ~(leftt + fval) + 1 */
NOT.L D3
ADDQ.L #1,D3
and results in this two-bit Latin-square truth table:
2CMP for 2 bits
00 11 10 01
11 10 01 00
10 01 00 11
01 00 11 10
which has a Hamming distance of 12 from Tony's (corrected) XOR table.
Would this perhaps be a better disjoint combiner with XOR than ADD?
outer
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>Mok-Kong Shen wrote:
>
>> "Tony T. Warnock" schrieb:
>>
>> > The operands are in order, these are the result tables
>> >
>> > XOR for 2 bits ADD for 2 bits
>> > 00 01 10 11 00 01 10 11
>> > 01 00 11 10 01 10 11 00
>> > 10 11 00 01 10 11 00 01
>> > 11 10 01 11 11 00 01 10
>> >
>> > Each row and each column each table is a permutation of the
>> > corresponding row or column of the other table. Both tables are latin
>> > squares. For larger bit strings, the tables look even more different
>> > from each other.
>>
>> I see that I misunderstood you. You mean in effect that a+x and a^x
>> generate the same set of values. However, I don't yet clearly see what
>> (practically essential) implications can be drawn from that. An analogy
>> would be comparing x and E(x), where E is a block encryption and
>> both x and E(X) generate the same set of values.
>
>The main point is that either XOR, ADD, SUB (or any latin square)
>combination of two input streams generates the same set of values in the
>output stream. The probability distribution of the output will be flatter
>than the distribution of either input stream unless either stream is
>uniformly distributed (in which case the output will be uniform) or either
>stream is concentrated at one value (in which the output will be a
>permutation of the input.) Statistically, all combination methods will be
>similar.
>
--
<[EMAIL PROTECTED]> :
Just an "eccentric soul with a curiosity for the bizarre".
Payloads to: A902/MCE307/3/17TPU-28413618 (or thereabouts)
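To make the table comparison above concrete, here is an added example (not from the thread) that builds the 2-bit XOR, ADD and two's-complement (2CMP = -(a+b) mod 4) result tables, checks which combiners are involutable, and computes the Hamming distances between tables that Outerbridge quotes (4 for XOR/ADD, 12 for XOR/2CMP).

```go
package main

import "fmt"

const mod = 4 // 2-bit operands: each table is 4x4, a as the row and b as the column

type combiner func(a, b int) int

func xorC(a, b int) int   { return a ^ b }
func addC(a, b int) int   { return (a + b) % mod }
func twoCmp(a, b int) int { return (mod - (a+b)%mod) % mod } // ADD.L then NEG.L

// table fills the result table for one combiner.
func table(f combiner) [mod][mod]int {
	var t [mod][mod]int
	for a := 0; a < mod; a++ {
		for b := 0; b < mod; b++ {
			t[a][b] = f(a, b)
		}
	}
	return t
}

// hamming counts the bits that differ between corresponding cells of two tables.
func hamming(f, g combiner) int {
	tf, tg := table(f), table(g)
	d := 0
	for a := 0; a < mod; a++ {
		for b := 0; b < mod; b++ {
			for x := tf[a][b] ^ tg[a][b]; x != 0; x >>= 1 {
				d += x & 1
			}
		}
	}
	return d
}

// involutable reports whether combining twice with the same b restores a,
// the property that lets a combiner undo itself (XOR has it, ADD does not).
func involutable(f combiner) bool {
	for a := 0; a < mod; a++ {
		for b := 0; b < mod; b++ {
			if f(f(a, b), b) != a {
				return false
			}
		}
	}
	return true
}

func main() {
	for _, c := range []struct {
		name string
		f    combiner
	}{{"XOR", xorC}, {"ADD", addC}, {"2CMP", twoCmp}} {
		fmt.Printf("%-4s %v involutable=%v distance from XOR=%d\n",
			c.name, table(c.f), involutable(c.f), hamming(xorC, c.f))
	}
}
```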
------------------------------
Date: 24 Jun 2000 13:09:37 -0000
From: Roadkill <[EMAIL PROTECTED]>
Subject: Re: Comments please: A protocol for Digital voting
=====BEGIN PGP SIGNED MESSAGE=====
zapzing wrote:
> I think you're right. the first anonymous broadcast
> is not needed. So only the vote needs to be broadcast
> anonymously,
Why is that? Cypherpunk and Mixmaster remailers are functioning fine
without broadcast mechanisms <http://anon.efga.org/Remailers>. It would
be near impossible to track remailed messages to their origin. Only the
stats pages posted daily to <news:alt.privacy.anon-server>, which show
uptime and reliability of known remailers, are broadcast.
Thanks for replying, I feel this subject could become important in the
near future. (At least in the EU, where they are pushing for
legislation against anonymising techniques)
Roadkill
- --
"If you're so special, why aren't you dead" - Kim Deal
~~~
This PGP signature only certifies the sender and date of the message.
It implies no approval from the administrators of redneck.gacracker.org.
Date: Sat Jun 24 13:09:30 2000 GMT
From: [EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: how to compare the security between ECC and RSA
Date: 24 Jun 2000 13:25:20 GMT
I totally AGREE with Roger (surprise) that it is USEFUL to know both the TIME
and SPACE needs for an attack. More info is always useful. I do not see TIME
and SPACE in this context being 2 dimensions in some kinds of spacetime
geometry (although that may be one way to look at it), rather I see SPACE as a
more powerful ability to compute than TIME.
(At least most people THINK it is a more powerful ability to compute.)
And in using just a TIME analysis, I point out that: (1) it is a common
assumption to ignore space needs, (2) this allows for a more direct mapping and
hence high confidence in that mapping, and (3) doing so seems (to me) to
require fewer assumptions.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: DH - Man In The Middle
Date: 24 Jun 2000 13:27:57 GMT
The HAC and P1363 discuss all (most?) of this, so one could always start
there.
Don Johnson
------------------------------
From: Future Beacon <[EMAIL PROTECTED]>
Subject: How Close?
Date: Sat, 24 Jun 2000 10:18:33 -0400
How random do you think these numbers are:
Large files of equal size A, B, and C are composed of the
least significant two bits of bytes found in news group messages
(excluding headers, carriage returns, line feeds, and spaces).
In each case, these bits are strung together, four pairs per byte
in these files. At least three quarters of the original data is
not used. Let's assume that the files are over a megabyte in size.
Then, file B is divided into two files (BP and BQ) this way: If the
first bit in A is a 0, then the first bit in B becomes the first bit
in BP. If the first bit in A is a 1, the first bit in B becomes the
first bit in BQ. Each next bit in A determines whether the next bit
in B becomes the next bit in BP or BQ. When the bits of A and B are
exhausted, BQ is appended to BP and the resultant file is called RAND.
How random is RAND?
Thank you for your help.
Jim Trek
Future Beacon Technology
http://eznet.net/~progress
[EMAIL PROTECTED]
------------------------------
Subject: Simple Key Escrow
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 07:17:50 -0700
This has probably been thought of, just want some insight!
What about a system where the law agency (LA) has a master 128-bit
key K (and we are using 128-bit block ciphers). Now all
chips that have crypto have 128-bit serial numbers R on them.
Each chip has an embedded 128-bit key K2 that is derived from Ek(R)
so that only the chip and the LA know K2.
Now when I want to send a message I make up a key like I
normally would, then encrypt it with my K2 and send my
ciphertext, the K2-encrypted key and my serial number.
In total 256 bits is added to the message. Nobody can tell the
K2 from the serial number (easily) and nobody can tell K from a
K2 and serial number easily...
Just some ideas...
Tom
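Tom's sketch as an added example (not from the thread), with AES-128 standing in for the 128-bit block cipher: the LA's recovery path recomputes K2 = E_K(R) from the serial number and unwraps the per-message key, and the overhead comes out at the 256 bits he counts. Encrypting the message body itself is left out, and the chip/LA role split and the fixed sample keys are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// Escrowed is the 256 bits that travel alongside the ciphertext.
type Escrowed struct {
	WrappedKey []byte // E_K2(session key), one AES block
	Serial     []byte // R, the chip's 128-bit serial number
}

// blockOp runs one raw AES-128 block operation; encrypt=false decrypts.
func blockOp(key, in []byte, encrypt bool) ([]byte, error) {
	if len(in) != aes.BlockSize {
		return nil, fmt.Errorf("input must be one %d-byte block", aes.BlockSize)
	}
	c, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out, nil
}

// chipKey derives K2 = E_K(R) at manufacture; only the chip and the LA hold it.
func chipKey(master, serial []byte) ([]byte, error) {
	return blockOp(master, serial, true)
}

// wrapForEscrow is the sender's chip wrapping the session key under its K2.
func wrapForEscrow(k2, session, serial []byte) (Escrowed, error) {
	w, err := blockOp(k2, session, true)
	return Escrowed{WrappedKey: w, Serial: serial}, err
}

// recoverSession is the LA side: rebuild K2 from K and R, then unwrap.
func recoverSession(master []byte, e Escrowed) ([]byte, error) {
	k2, err := chipKey(master, e.Serial)
	if err != nil {
		return nil, err
	}
	return blockOp(k2, e.WrappedKey, false)
}

func main() {
	master := bytes.Repeat([]byte{0xA5}, 16) // constructed master key K
	serial := bytes.Repeat([]byte{0x01}, 16) // constructed serial number R
	k2, _ := chipKey(master, serial)
	e, _ := wrapForEscrow(k2, []byte("0123456789abcdef"), serial) // constructed session key
	got, _ := recoverSession(master, e)
	fmt.Printf("overhead %d bits, recovered %x\n", 8*(len(e.WrappedKey)+len(e.Serial)), got)
}
```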
------------------------------
Subject: Re: How Close?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 07:19:59 -0700
Future Beacon <[EMAIL PROTECTED]> wrote:
>
>
>How random do you think these numbers are:
>
>Large files of equal size A, B, and C are composed of the
>least significant two bits of bytes found in news group messages
>(excluding headers, carriage returns, line feeds, and spaces).
>In each case, these bits are strung together, four pairs per byte
>in these files. At least three quarters of the original data is
>not used. Let's assume that the files are over a megabyte in size.
>
>Then, file B is divided into two files (BP and BQ) this way: If the
>first bit in A is a 0, then the first bit in B becomes the first bit
>in BP. If the first bit in A is a 1, the first bit in B becomes the
>first bit in BQ. Each next bit in A determines whether the next bit
>in B becomes the next bit in BP or BQ. When the bits of A and B are
>exhausted, BQ is appended to BP and the resultant file is called RAND.
>
>How random is RAND?
I wouldn't think it would be random for two reasons. First off,
anyone can calculate this. Second, the lower 2 bits are hardly
random to begin with from ASCII text. There is serious bias
(note the letter e appears quite a bit!).
Tom
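The RAND construction from Jim Trek's question and Tom's objection, as an added example (not from the thread): it implements the low-bit extraction and the A-controlled split of B, and the ones() count makes the point that the split only reorders B's bits, so RAND carries exactly whatever bias the ASCII low bits of B already had. The two sample texts are constructed stand-ins for message bodies.

```go
package main

import "fmt"

// lowBits returns the two least significant bits of every byte of text,
// skipping carriage returns, line feeds and spaces (headers assumed stripped).
func lowBits(text string) []byte {
	var out []byte
	for i := 0; i < len(text); i++ {
		c := text[i]
		if c == '\r' || c == '\n' || c == ' ' {
			continue
		}
		out = append(out, (c>>1)&1, c&1) // high bit of the pair first
	}
	return out
}

// split routes bit i of b into bp when a[i] is 0 and into bq when it is 1,
// stopping when the shorter stream is exhausted (the post assumes equal sizes).
func split(a, b []byte) (bp, bq []byte) {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		if a[i] == 0 {
			bp = append(bp, b[i])
		} else {
			bq = append(bq, b[i])
		}
	}
	return bp, bq
}

// buildRand forms RAND = BP || BQ.
func buildRand(a, b []byte) []byte {
	bp, bq := split(a, b)
	return append(bp, bq...)
}

// ones counts set bits: buildRand only reorders B, so ones(RAND) always
// equals ones of the consumed part of B, bias included.
func ones(bits []byte) int {
	n := 0
	for _, x := range bits {
		n += int(x)
	}
	return n
}

const sampleA = "the quick brown fox jumps over the lazy dog\n" // constructed message body A
const sampleB = "pack my box with five dozen liquor jugs now\n" // constructed message body B

func main() {
	a, b := lowBits(sampleA), lowBits(sampleB)
	r := buildRand(a, b)
	fmt.Printf("B: %d ones in %d bits, RAND: %d ones in %d bits\n",
		ones(b[:len(r)]), len(r), ones(r), len(r))
}
```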
------------------------------
From: [EMAIL PROTECTED] (Troed)
Subject: Re: Encryption 4 the Masses?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 24 Jun 2000 15:03:44 GMT
tomstd <[EMAIL PROTECTED]> wrote:
>>'encryption 4 the masses' is an encryption program i believe.
>>Its the one the author is refering to. :)
>>>
>
>I dunno, PGP is referred to as "Cryptography for the masses" as
>well...
Tom, see my new thread ("E4M, Was ...!")
www.e4m.net
___/
_/
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************