Cryptography-Digest Digest #119, Volume #12      Tue, 27 Jun 00 21:13:00 EDT

Contents:
  Re: Idea or 3DES ("Trevor L. Jackson, III")
  Re: Variability of chaining modes of block ciphers (Shawn Willden)
  Re: Variability of chaining modes of block ciphers (Shawn Willden)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: Idea or 3DES (Mark Wooding)
  Re: What's matter with http://tomstdenis.com/crypto/ ? ("Jeff Moser")
  Re: What's matter with http://tomstdenis.com/crypto/ ? ("Adam Durana")
  Re: Idea or 3DES (JPeschel)
  Sellotape and scotch tape (John Myre)
  Re: Thoughts on "Cracking" of Genetic Code ([EMAIL PROTECTED])
  Re: Sellotape and scotch tape ([EMAIL PROTECTED])
  Re: Idea or 3DES (Jim Gillogly)
  Re: Thoughts on "Cracking" of Genetic Code (John Savard)
  Re: Dynamical Cryptography algorithm (John Savard)
  Re: searching for a special GUI crypto tool (JPeschel)
  Re: simple crypting (Benjamin Goldberg)
  Re: Dixon's random square algorithm (Bob Silverman)
  Re: Compression & Encryption in FISHYLAND (John Savard)
  Re: Dynamical Cryptography algorithm ("Ryan Nicoletti")
  Re: What's matter with http://tomstdenis.com/crypto/ ? (JPeschel)

----------------------------------------------------------------------------

Date: Tue, 27 Jun 2000 18:31:21 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,comp.security.pgp.discuss
Subject: Re: Idea or 3DES

Jim Gillogly wrote:

> Joseph Ashwood wrote:
> > ... It is my
> > opinion that the likelihood of there being a significant known break in
> > either is exemplified by the US Government's willingness to prosecute the
> > author of PGP, indicating that neither is broken.
>
> Shouldn't you be arguing on the other side?  The USG was in fact unwilling
> to prosecute the author of PGP, so according to your analysis shouldn't that
> indicate that IDEA was broken?

From what did you infer unwillingness?  Certainly the USG was both willing and
able to persecute PRZ, and made serious attempts to collect sufficient evidence
to prosecute him.  It appears to me that the USG lacked ability to prosecute not
willingness to prosecute.

>  I suggest that it's irrelevant to the
> security analysis: that it was dropped because (a) they didn't have
> strong evidence against PRZ himself; and (b) that they didn't want a
> court to tell them that the ITAR were unconstitutional.  I suspect further
> that they didn't prosecute KG because of (b) and because he wasn't a
> well-known enough target to serve as a horrible example to other potential
> crypto hackers if they <did> manage to score a conviction without having
> the ITAR thrown out in their entirety.  Again, nothing to do with the
> security of IDEA (nor, of course, [3]DES).

It may have something to do with revelations regarding the security of IDEA.
The Brady doctrine requires a prosecutor to reveal to the defense any
exculpatory information the prosecutor possesses.  The USG may have demurred on
the basis that they had (have) knowledge of weaknesses in IDEA, or, OTOH, on the
basis that they had no knowledge of weaknesses.  It would not be in the interest
of the USG to reveal what they did/did not know about weaknesses in IDEA.

If the USG knew that IDEA was weak, the defense might have been able to claim
that IDEA's strength put it below the threshold for ITAR restrictions.  Of
course such a revelation would have discouraged the use of IDEA and the USG
would have lost some intelligence capability.

If the USG claimed no known weakness in IDEA, this might have acted as an
endorsement, encouraging the widespread use of the cipher, and again the USG
would have lost some intelligence capability.

In this realm there is no incentive for the USG to be either forward or honest
about cipher strength.


------------------------------

Date: Tue, 27 Jun 2000 16:24:38 -0600
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers

Mok-Kong Shen wrote:

> I personally prefer chaining using both accumulated plaintext and
> accumulated ciphertext (xor or addition mod 2^n). One can use
> two IVs that are secret. If these are independent of the key of the
> cipher, the scheme certainly adds more than a few bits of keyspace
> in my view.

If I understand what you're saying, the IVs add no security, at least with xor
accumulation.

Let Pj be the jth plaintext
Let Cj be the jth ciphertext
Let IV1 and IV2 be secret IVs
Let sum(P,j) be the xor of the first j plaintexts and IV1
Let sum(C,j) be the xor of the first j ciphertexts and IV2
Let ^ denote xor, E denote encryption and D denote decryption (with some key).

Let Cj = E(sum(P,j) ^ sum(C,j-1))

To attack using brute force, first pick two adjacent ciphertext blocks, Cj-1 and
Cj.  Pick a key and decrypt both blocks, yielding D(Cj-1) and D(Cj).  Then
calculate:

D(Cj) ^ D(Cj-1) ^ Cj-1
    = sum(P,j)^sum(C,j-1)^sum(P,j-1)^sum(C,j-2)^Cj-1
    = sum(P,j)^sum(P,j-1)^sum(C,j-1)^sum(C,j-2)^Cj-1
    = Pj ^ Cj-1 ^ Cj-1
    = Pj

(if the chosen key is correct).

I haven't thought about the variant using addition mod 2^32.  Frankly I don't
remember the properties of addition in Zn well enough (shame on me).

Shawn.


------------------------------

Date: Tue, 27 Jun 2000 16:34:51 -0600
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers

Shawn Willden wrote:

> I haven't thought about the variant using addition mod 2^32.  Frankly I don't
> remember the properties of addition in Zn well enough (shame on me).

OTOH, yes I do.  Unless memory, intuition and a few hastily worked examples fail me,
this would just be:

Let Cj = E(sum(P,j) + sum(C,j-1))

To attack using brute force, first pick two adjacent ciphertext blocks, Cj-1 and
Cj.  Pick a key and decrypt both blocks, yielding D(Cj-1) and D(Cj).  Then
calculate the additive inverses of D(Cj-1) and Cj-1 and calculate:

D(Cj) + -D(Cj-1) + -Cj-1
    = (sum(P,j) + sum(C,j-1)) + -(sum(P,j-1) + sum(C,j-2)) + -Cj-1
    = sum(P,j) + -sum(P,j-1) + sum(C,j-1) + -sum(C,j-2) + -Cj-1
    = Pj + Cj-1 + -Cj-1
    = Pj

Shawn.
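
The two cancellations derived in the posts above, as an added worked example in C
that is not part of the thread. A small Feistel cipher (constructed here) stands in
for E and D, the key space is deliberately cut to 16 bits so the search finishes
at once, and the plaintext blocks, both IVs and the key are made-up sample data.
Both the xor variant and the addition-mod-2^32 variant are run; in each, the key
is recovered from three ciphertext blocks and two known plaintext blocks without
the attacker ever touching IV1 or IV2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread.  A toy 32-bit Feistel cipher stands
 * in for E/D, and the key is deliberately limited to 16 bits so the brute-force
 * search below finishes instantly.  Cipher, key schedule and sample data are
 * all constructed here for illustration. */

#define ROUNDS  8
#define NBLOCKS 4

/* Round function; it need not be invertible inside a Feistel network. */
static uint16_t toy_f(uint16_t r, uint32_t rk) {
    uint32_t x = (uint32_t)r ^ rk;
    x *= 0x9E3779B1u;  x ^= x >> 13;
    x *= 0x85EBCA6Bu;  x ^= x >> 16;
    return (uint16_t)x;
}

/* Same network for both directions; decryption reverses the round keys. */
static uint32_t feistel(uint32_t key, uint32_t block, int decrypt) {
    uint32_t rk[ROUNDS];
    for (int i = 0; i < ROUNDS; i++)
        rk[i] = (key + 0x9E3779B9u * (uint32_t)(i + 1)) * 0x2545F491u;
    uint16_t l = (uint16_t)(block >> 16), r = (uint16_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t t = (uint16_t)(l ^ toy_f(r, rk[decrypt ? ROUNDS - 1 - i : i]));
        l = r;
        r = t;
    }
    return ((uint32_t)r << 16) | l;          /* undo the final swap */
}
static uint32_t E(uint32_t key, uint32_t x) { return feistel(key, x, 0); }
static uint32_t D(uint32_t key, uint32_t x) { return feistel(key, x, 1); }

/* The proposed mode: C_j = E(sum(P,j) OP sum(C,j-1)), with
 *   sum(P,j) = IV1 OP P_1 OP ... OP P_j,   sum(C,j) = IV2 OP C_1 OP ... OP C_j,
 * and OP either xor (use_add == 0) or addition mod 2^32 (use_add == 1). */
static void chain_encrypt(uint32_t key, uint32_t iv1, uint32_t iv2, int use_add,
                          const uint32_t *p, uint32_t *c, size_t n) {
    uint32_t sp = iv1, sc = iv2;
    for (size_t j = 0; j < n; j++) {
        sp   = use_add ? sp + p[j] : sp ^ p[j];
        c[j] = E(key, use_add ? sp + sc : sp ^ sc);
        sc   = use_add ? sc + c[j] : sc ^ c[j];
    }
}

/* The cancellation from the posts.  Given a key guess and two adjacent
 * ciphertext blocks, the accumulated sums (and so both IVs) drop out:
 *   xor:  D(C_j) ^ D(C_{j-1}) ^ C_{j-1}  = P_j
 *   add:  D(C_j) - D(C_{j-1}) - C_{j-1}  = P_j   (mod 2^32)
 * so the guess can be confirmed against a single known plaintext block. */
static uint32_t recover_block(uint32_t key, uint32_t c_prev, uint32_t c_cur, int use_add) {
    uint32_t a = D(key, c_cur), b = D(key, c_prev);
    return use_add ? a - b - c_prev : a ^ b ^ c_prev;
}

/* Brute force using only C_1..C_3 and the known plaintexts P_2, P_3; the IVs
 * are never needed.  Two blocks are checked so a chance 32-bit collision on a
 * wrong key is ruled out.  Returns UINT32_MAX if no key fits. */
static uint32_t brute_force(const uint32_t *c, uint32_t p2, uint32_t p3, int use_add) {
    for (uint32_t k = 0; k < 0x10000u; k++)
        if (recover_block(k, c[0], c[1], use_add) == p2 &&
            recover_block(k, c[1], c[2], use_add) == p3)
            return k;
    return UINT32_MAX;
}

/* Constructed sample: a 16-bit key and secret IVs the attacker never sees. */
static const uint32_t TRUE_KEY = 0xBEEFu;
static const uint32_t SAMPLE_P[NBLOCKS] = {0x48656C6Cu, 0x6F2C2077u, 0x6F726C64u, 0x21212121u};

static uint32_t demo(int use_add) {
    uint32_t c[NBLOCKS];
    chain_encrypt(TRUE_KEY, 0x13579BDFu, 0x2468ACE0u, use_add, SAMPLE_P, c, NBLOCKS);
    return brute_force(c, SAMPLE_P[1], SAMPLE_P[2], use_add);
}

int main(void) {
    printf("xor chaining: recovered key %#x (true key %#x)\n", (unsigned)demo(0), (unsigned)TRUE_KEY);
    printf("add chaining: recovered key %#x (true key %#x)\n", (unsigned)demo(1), (unsigned)TRUE_KEY);
    return 0;
}
```

Any C99 compiler will do (`cc -std=c99 chain.c && ./a.out`). The point is structural
rather than about this toy cipher: whatever the secret IVs are, they cancel in the
difference of two consecutive decryptions, so they cost a brute-force attacker
nothing beyond one extra decryption per key guess.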


------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Variability of chaining modes of block ciphers
Date: 27 Jun 2000 22:25:30 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

> You snipped out what Scott Fluhrer wrote and then provided the wrong
> argument. Here is what he wrote before my sentences quoted above:

No, not really.  Whether you use a good cipher *followed* by a bad
cipher or just the good cipher on its own doesn't really matter (by
definition of `good'), as long as you use it.

> I answered that there can be (though rare) cases where one has
> information of the power of his computer and that he is using brute
> force.

Oh, yes.  So you did.  I'd not noticed that you'd restricted your
impractically limited scenario to that extent.  I don't think anything
else needs to be said on the subject, to be honest: your folly stands by
itself.

> Sorry, I don't yet understand. Let me quote what you wrote in full:

Maybe I'm confusing people by considering the real world for once.  I
know it's surprising, because I don't often do this, but I think that in
this instance it's the right thing to do.

If we're in a real-world situation where we know enough about our
adversary (or adversaries -- let's assume they're all working together,
so there's just one big adversary to consider) that we can predict both
his approach to cryptanalysis and his computational capabilities, I
firmly believe that whatever intelligence provided us with this
information would also provide us with enough information to determine
some other way of communicating which was immune from attacks by this
adversary anyway.

To summarize my position as it now is:

  * Block cipher modes are not, nor should be, designed to increase the
    security of the cipher.  If the cipher, by itself, is not strong
    enough, use a different one.  If real-world constraints prevent
    this, then fight the constraints, because they're wrong.

  * Using the choice of mode as a secret provides a uselessly small
    increment of security.  It's almost transparent to known- and
    chosen-plaintext attacks.

  * An ability to compute the opponent's resources with regard to
    cryptanalysis is unlikely to be isolated: you should be able to
    determine others of his capabilities too, and thus work out a way of
    communicating securely without the need for cryptography of any
    kind.

  * I'm not interested in pursuing this argument further.  I don't think
    I can express myself much more clearly, and I can't be bothered
    wading through the same old twaddle from you.  If you have something
    genuinely new to add to the discussion, I might pick up on it.

Good day.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Variability of chaining modes of block ciphers
Date: 27 Jun 2000 22:38:52 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

> You were again ignoring my repeatedly made point that it IS a basic
> assumption of my article that the cipher at hand is NOT strong enough
> and you claimed that the cipher resists key-recovery attacks.

  * A good cipher resists key-recovery attacks.  This is part of what it
    means for a cipher to be good.

  * Using a bad cipher is stupid.

There's nothing more to be said.  If other constraints are imposed, then
complain about them and get them fixed.  Otherwise, you're left with
boneheaded constraints and boneheaded security.

> One is to say that the assumption is wrong/unrealistic and provide
> arguments why that's so

And indeed I've repeatedly done this.  I've commented frequently on the
lack of realism in your scenario.

> You REPEATEDLY ignored my point that my original post is NOT intended
> for cases where one already has a strong enough cipher (your good
> cipher).

Then you should *get* a good cipher, rather than pratting about with a
bad cipher and sellotaping[1] extra bits of security to it.  It's just
not going to work.


[1] Sellotape is a manufacturer of sticky transparent tape.  US readers
    may be able to draw comparisons with Scotch tape.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Idea or 3DES
Date: 27 Jun 2000 22:44:52 GMT

David A Molnar <[EMAIL PROTECTED]> wrote:

> on the ARM, you avoid the branch by using conditional instructions,
> can't you?

Not all of them.  The best I could come up with (after soliciting advice
from appropriate newsgroups...) was

  ; r7 contains &ffff
  ; multiply s <- s * d mod 65537 (idea representation: 0 stands for 65536)
  ands s, s, r7            ; s &= &ffff; Z set if s is 0, i.e. represents 65536
  moveq s, d               ; s == 65536: answer is 1 - d, so fetch d into s
  andnes d, d, r7          ; otherwise d &= &ffff; Z set if d represents 65536
  rsbeq s, s, #1           ; either operand was 65536 (== -1): s = 1 - s
  beq mul_end              ; ... and skip the general case

  mul d, s, d              ; 32-bit product hi:lo; 65536 == -1 mod 65537, so
  and s, d, r7             ;   the product is congruent to lo - hi
  subs s, s, d, lsr #16    ;   s = lo - hi; carry clear if that borrowed
  addcc s, s, #1           ;   borrow: +65537, i.e. +1 in the 16-bit result
.mul_end

That's an awful lot of work grinding through the special cases at the
beginning.  Admittedly the usual case doesn't need a branch, but it
doesn't need to wade through far too much `irrelevant' code to decide
that it doesn't need to do anything unusual.

-- [mdw]
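
The multiplication that ARM fragment implements, as an added C example that is not
code from the thread or from any IDEA implementation. `idea_mul` uses the same
lo - hi plus borrow arithmetic (65536 == -1 mod 65537), folds the two 65536
special cases in with a mask so there is no data-dependent branch at all, and is
checked against a slow reference that works in ordinary integers. `idea_inv`
(Fermat: a^65535) is included because IDEA's decryption key schedule needs the
inverse and it exercises the zero case. Function names and the test sweep are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread: IDEA's multiplication modulo 65537
 * in C, with 0 standing for 65536 as in the cipher.  The "lo - hi + borrow"
 * step is the same arithmetic as the ARM sequence above; here the zero
 * operands are folded in as well so the routine has no data-dependent branch. */

/* Reference: leave the IDEA representation, reduce, and convert back. */
static uint16_t idea_mul_ref(uint16_t a, uint16_t b) {
    uint32_t x = a ? a : 65536u, y = b ? b : 65536u;
    uint32_t r = (uint32_t)(((uint64_t)x * y) % 65537u);
    return (uint16_t)(r == 65536u ? 0 : r);
}

/* Branch-free version.  Since 65536 == -1 (mod 65537), a*b = hi*65536 + lo
 * is congruent to lo - hi; when that goes negative, adding 65537 is the same
 * as adding 1 in the 16-bit representation.  If the product is 0 then one
 * operand represents 65536 == -1 and the answer is -(a+b) == 1 - a - b. */
static uint16_t idea_mul(uint16_t a, uint16_t b) {
    uint32_t p    = (uint32_t)a * b;
    uint32_t lo   = p & 0xFFFFu, hi = p >> 16;
    uint32_t d    = lo - hi;                              /* wraps if lo < hi    */
    uint32_t gen  = d + (d >> 31);                        /* add the borrow back */
    uint32_t zero = (uint32_t)(((uint64_t)p - 1) >> 32);  /* all ones iff p == 0 */
    uint32_t spc  = 1u - a - b;                           /* the 65536 cases     */
    return (uint16_t)((zero & spc) | (~zero & gen));
}

/* Multiplicative inverse via Fermat: the group has order 65536, so
 * a^-1 = a^65535, and 65535 = 2^0 + 2^1 + ... + 2^15.  Branch-free as well. */
static uint16_t idea_inv(uint16_t a) {
    uint16_t r = 1, sq = a;
    for (int i = 0; i < 16; i++) {
        r  = idea_mul(r, sq);
        sq = idea_mul(sq, sq);
    }
    return r;
}

/* Compare the fast routine with the reference: every pair where either operand
 * is an edge value, plus a strided sweep of the rest.  Returns mismatch count. */
static unsigned long idea_mul_mismatches(void) {
    static const uint16_t edge[] = {0, 1, 2, 0x7FFF, 0x8000, 0x8001, 0xFFFE, 0xFFFF};
    unsigned long bad = 0;
    for (size_t i = 0; i < sizeof edge / sizeof edge[0]; i++)
        for (uint32_t b = 0; b < 65536u; b++) {
            bad += idea_mul(edge[i], (uint16_t)b) != idea_mul_ref(edge[i], (uint16_t)b);
            bad += idea_mul((uint16_t)b, edge[i]) != idea_mul_ref((uint16_t)b, edge[i]);
        }
    for (uint32_t a = 3; a < 65536u; a += 37)
        for (uint32_t b = 5; b < 65536u; b += 41)
            bad += idea_mul((uint16_t)a, (uint16_t)b) != idea_mul_ref((uint16_t)a, (uint16_t)b);
    return bad;
}

/* Every element of Z_65537* must satisfy a * a^-1 == 1, including 0 (= 65536). */
static unsigned long idea_inv_mismatches(void) {
    unsigned long bad = 0;
    for (uint32_t a = 0; a < 65536u; a++)
        bad += idea_mul((uint16_t)a, idea_inv((uint16_t)a)) != 1;
    return bad;
}

int main(void) {
    printf("0 * 0      = %u  (65536 * 65536 mod 65537 = 1)\n", idea_mul(0, 0));
    printf("2 * 0x8000 = %u  (65536, i.e. 0 in the IDEA representation)\n", idea_mul(2, 0x8000));
    printf("inv(3)     = %#x\n", idea_inv(3));
    printf("mul mismatches: %lu, inverse failures: %lu\n",
           idea_mul_mismatches(), idea_inv_mismatches());
    return 0;
}
```

The mask trick costs a 64-bit subtract and shift in place of the two conditional
instructions in the ARM version; whether that is worth it depends on whether the
implementation cares about key-dependent timing, which the thread's concern with
avoiding the branch is really about.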

------------------------------

From: "Jeff Moser" <[EMAIL PROTECTED]>
Subject: Re: What's matter with http://tomstdenis.com/crypto/ ?
Date: Tue, 27 Jun 2000 17:56:20 -0500

> About ten days ago I was on site http://tomstdenis.com/crypto/ where there were
> a lot of SUPER GOOD articles.
> But now I can't connect to this link. What's the matter? Was this link
> changed or where are these articles now?

Tom has been having problems with his ISP. The DNS resolved directly to his
static IP, and it's been down for awhile. It should be up soon, hopefully..
Perhaps I should mirror it :)



Jeff


------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: What's matter with http://tomstdenis.com/crypto/ ?
Date: Tue, 27 Jun 2000 18:43:29 -0400


It relocated to http://www.geocities.com/tomstdenis/

"Медведев Михаил" <[EMAIL PROTECTED]> wrote in message
news:8jb2vm$dvl$[EMAIL PROTECTED]...
> Hi!
> About ten days ago I was on site http://tomstdenis.com/crypto/ where there were
> a lot of SUPER GOOD articles.
> But now I can't connect to this link. What's the matter? Was this link
> changed or where are these articles now?
>
> Thanks, Michael.



------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Idea or 3DES
Date: 27 Jun 2000 23:20:28 GMT

"Trevor L. Jackson, III" [EMAIL PROTECTED] writes, in part:

>Jim Gillogly wrote:
>
>> Joseph Ashwood wrote:
>> > ... It is my
>> > opinion that the likelihood of there being a significant known break in
>> > either is exemplified by the US Government's willingness to prosecute the
>> > author of PGP, indicating that neither is broken.
>>
>> Shouldn't you be arguing on the other side?  The USG was in fact unwilling
>> to prosecute the author of PGP, so according to your analysis shouldn't
>that
>> indicate that IDEA was broken?
>
>From what did you infer unwillingness?  

Jim probably infers, correctly, that the US government was unwilling to
prosecute the author of PGP because it dropped its case.

Joe 
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Sellotape and scotch tape
Date: Tue, 27 Jun 2000 17:13:44 -0600


This is way off-topic, except that Sellotape was actually
mentioned in another post.

I forget, there is a word for when a brand name becomes the
(de facto) general term.  Good examples in the US include
zipper, kleenex, and the aforementioned scotch tape.  In each
case, using the "proper" generic term is rare.  Anybody
remember what this is called?

Meanwhile, this is the first I've heard of Sellotape.  Is it
sold in the US?  Is Scotch tape sold in the UK?

Is there a term for the reverse process?  That is, a general
term that is appropriated as a brand name.  Examples could
include PC (the IBM one) and Windows (Microsoft).

One more thing.  What is it called when a brand name becomes
so generic that the brand owner can no longer control its use?
(I think zipper is that way).

John M.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Thoughts on "Cracking" of Genetic Code
Date: Tue, 27 Jun 2000 23:47:22 GMT

Information System <[EMAIL PROTECTED]> wrote:
>       I know that this is off the explicit subject of the 
> group, but I am interested in the reaction of others to the 
> wording of news stories that state that the genetic code has 
> been "cracked," drawing comparisons to a cryptographic 

Even more near and dear to the sci.crypt reader's heart should be the
patent office allowing people to patent genes. ;)

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Sellotape and scotch tape
Date: Tue, 27 Jun 2000 23:51:14 GMT

John Myre <[EMAIL PROTECTED]> wrote:
> One more thing.  What is it called when a brand name becomes
> so generic that the brand owner can no longer control its use?
> (I think zipper is that way).

Successful marketing! :)

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Idea or 3DES
Date: Wed, 28 Jun 2000 00:11:01 +0000

JPeschel wrote:
> Jim probably infers, correctly, that the US government was unwilling to
> prosecute
> the author of PGP because it dropped its case.

To be even more explicit, the government investigated PRZ but never
brought charges, so in some sense there was no case to drop.
-- 
        Jim Gillogly
        Mersday, 5 Afterlithe S.R. 2000, 00:09
        12.19.7.5.19, 6 Cauac 2 Tzec, Second Lord of Night

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Thoughts on "Cracking" of Genetic Code
Date: Wed, 28 Jun 2000 00:25:54 GMT

On 27 Jun 2000 13:31:34 EDT, [EMAIL PROTECTED] (Information System)
wrote, in part:

>As I understand it, what has been accomplished is 
>the compilation, in crypto terms, of a complete and possibly 
>accurate transcription of the ciphertext.

Well, many years ago, the genetic code was "cracked" in the sense that
a code by which three bases (from a set of four) along an RNA or DNA
molecule represented an amino acid was determined.

The Human Genome Project is indeed not really analogous to
codebreaking, and indeed the relationship between the various variant
forms of proteins formed by different alleles (the different forms of
the same gene) and observed traits in humans has not been completely
established - and will not be for quite some time.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamical Cryptography algorithm
Date: Wed, 28 Jun 2000 00:28:50 GMT

On Tue, 27 Jun 2000 14:13:51 GMT, [EMAIL PROTECTED] wrote, in part:

>As I said everything is explained on the web site
>so I won't waste your time any longer, here is
>just a summary of the main feature of this
>algorithm:

Instead of a spec sheet, it would have been useful to tell us what
specifically makes your algorithm unique, to stimulate interest in
going to

http://www.bccrypt.com/

which URL does not seem to have a DNS entry...so it didn't work for
me.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: searching for a special GUI crypto tool
Date: 28 Jun 2000 00:35:43 GMT

"TL" [EMAIL PROTECTED] writes, in part:

>I'm searching for a special GUI crypto tool.
>The aim is just to hide my private infos, when sending 
>email attachments thru the net, or even progs I made.

>Some downloaded binairies I like the most :
>- PUFFER    http://www.briggsoft.com/puffer.htm
>- CRYPTO    http://www.gregorybraun.com/crypto.html
>- HARDCRYPT    http://www.alternetive.asso.fr/securite/jcutils.htm

I'd recommend Puffer, and Puffer would have 
been one of my recommendations even if you 
hadn't mentioned any programs.

I've never heard of the stuff on the French
web page you mention, but Gregory Braun's
Crypto 3.5 is snake-oil.

Joe




__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: simple crypting
Date: Wed, 28 Jun 2000 00:39:12 GMT

[EMAIL PROTECTED] wrote:
> 
> if I post an encrypted message here...
> is there anyone here who could decrypt it?

"Could decrypt it," probably, but *would* decrypt it... unlikely unless
you offered a prize for doing so, or unless you give us a good reason,
eg, "I encrypted <some important files>, and forgot the password."  It
would also help (immensely) if you tell us what encryption algorithm was
used.  Having a large sample of the ciphertext also helps.


------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Dixon's random square algorithm
Date: Wed, 28 Jun 2000 00:34:16 GMT

In article <8ja6r0$2he$[EMAIL PROTECTED]>,
  "Медведев Михаил" <[EMAIL PROTECTED]> wrote:
> Hi!
> Dixon's randomized factoring algorithm has running time L(n)^sqrt(2),
> where L(n) = e^(sqrt(logn*loglogn))
> Can anybody tell me, how this time is calculated (or, where can I find an

Knuth, Vol 2.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Compression & Encryption in FISHYLAND
Date: Wed, 28 Jun 2000 00:37:45 GMT

On Mon, 26 Jun 2000 18:04:18 GMT, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote, in part:

>The underlying redundancy in uncompressed plaintext is much more
>helpful to the working cryptanalyst in practical attacks on systems;
>therefore, precompression hinders cryptanalysis.

This is indeed very true. Although I too have problems with Mr. Scott
referring to a problem generally believed to be minor as totally
fatal, without any real evidence, I do think he is correct that one
might as well make the extra effort, when compressing for encryption,
to eliminate any avoidable problem, minor or not.

So I'm happy to endorse as helpful not only the basic idea (used by
PGP et al already) of compressing without headers, but also Mr.
Scott's suggestion that even a minor bit of redundancy at the end of
the file be suppressed. From his description of what he was doing - I
think I can be forgiven for believing it not worth the trouble to plow
through his source code - I had come to the conclusion that,
unfortunately, that which he was attempting to do, he got wrong. But
for those interested, I explain on my web site very carefully how to
abolish that last tiny fragment of redundancy typically ignored by
Huffman compression. (The section is titled "Tying Up Loose Ends".)

Of course, a Huffman code on single letters would still leave a much
larger amount of redundancy untouched in the bigram structure - which
is another issue.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Ryan Nicoletti" <[EMAIL PROTECTED]>
Subject: Re: Dynamical Cryptography algorithm
Date: Tue, 27 Jun 2000 17:54:39 -0700

Hello everyone!

I was interested in checking out the site, Sylvain, so I found that you made
just a slight typo in the URL, and I figured I'd let anyone else who cares
to have the link that the site can be found at:
http://www.bcrypt.com

-rnn



------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: What's matter with http://tomstdenis.com/crypto/ ?
Date: 28 Jun 2000 01:09:05 GMT

"Jeff Moser" [EMAIL PROTECTED] writes:

>Tom has been having problems with his ISP. The DNS resolved directly to his
>static IP, and it's been down for awhile. 

I thought he had set up his own machine as a server,
but has recently changed his mind about doing that.

Joe.


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
