Cryptography-Digest Digest #137, Volume #12      Thu, 29 Jun 00 16:13:01 EDT

Contents:
  Re: Dynamical Cryptography algorithm (Mark Wooding)
  Re: what does it mean: "to find collision in bytes" ("CrakMan")
  Re: very large primes ("Tony T. Warnock")
  Re: very large primes ([EMAIL PROTECTED])
  Re: Does anyone have code for generating primitive polynomials? (Mike Rosing)
  Re: Hey Tom, you wanted to break it ! ;-) (Mike Rosing)
  Re: It's been pretty quiet for some time... ("Joseph Ashwood")
  Re: Idea or 3DES ("Joseph Ashwood")
  Re: very large primes ([EMAIL PROTECTED])
  Re: AES: It's been pretty quiet for some time... (wtshaw)
  Re: Idea or 3DES (jungle)
  Re: On a notation issue of Feistel ciphers (Mok-Kong Shen)
  Re: Variability of chaining modes of block ciphers (Mok-Kong Shen)
  Re: Variability of chaining modes of block ciphers (Mok-Kong Shen)
  Re: Remark on practical predictability of sequences (Mok-Kong Shen)
  Re: Idea or 3DES (jungle)
  Re: AES: It's been pretty quiet for some time... (Mok-Kong Shen)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Dynamical Cryptography algorithm
Date: 29 Jun 2000 17:12:01 GMT

Sylvain Martinez <[EMAIL PROTECTED]> wrote:
> 
> > so.  Hence my assertion that you didn't want to answer it.  Is my
> > logic faulty?
> 
> No, but I didn't see it that way. I was first thinking of "DES" because
> I realised it was wrong I said nothing.
> [...]
> > doesn't use factorials); you use a logical AND to do some passphrase
> > expansion, although this will cause a huge bias towards zero bits in
> > the result.
> 
> I am actually not only doing that :O)

Indeed not.  But 

> > Counterintuitively enough, designing ciphers isn't the right way to
> > learn cipher design.  What you need to do is study other people's
> > designs, and their analysis.  Read the AES entries -- particularly
> > Twofish and Rijndael -- for hints on presentation and analysis.  See
> > also Schneier's self-study cryptanalysis course.
> 
> I do not totally agree with you. It is like learning guitar.

There are similarities and differences.  As a self-taught guitarist and
cryptographer (although far from perfect at either), I'll try to
describe them:

For instance, when you pick up a guitar and play it badly, it sounds
awful.  You can tell this by listening, and do something to fix it, such
as changing your fingering or picking, or giving more practice time to a
tricky technique.

The important point is that you must have the ability to listen
critically to the notes and chords you're playing, so that you know when
you're doing something wrong.

Cipher design is a bit similar.  Critical listening is the analogue of
cryptanalysis, where you attack your design, and find its flaws.

There are (at least) two differences.

  * We all get exposed to lots of music throughout our lives.  While
    music varies between cultures, almost everyone develops an ability
    to listen and appreciate music of some kind or other.  We don't tend
    to be exposed to ciphers to the same degree, and we don't acquire
    the ability to analyse ciphers in that almost automatic way in which
    we can criticise music.  To take this analogy too far, someone who's
    designing ciphers without understanding cryptanalysis is like
    someone deaf trying to play a guitar.

  * It only takes one person finding one problem with your cipher to
    break it.  It's as if, when you're playing music, you have to make
    *everyone* happy at the same time.

> you can take lessons and become good at it, or you can learn by
> yourself. This will allow you to understand better some concepts. You would
> still need to take proper lessons but if you've done that, let's say, for
> 7 years you will then learn quicker.
> In other words it is not a complete waste of time :O)

I don't suggest that it's impossible to learn cipher design without
being taught by someone.  But there are right ways to learn and wrong
ways.  Schneier's self-study course is a good pointer in the right
direction.  See http://www.counterpane.com/self-study.html.

-- [mdw]

------------------------------

From: "CrakMan" <[EMAIL PROTECTED]>
Subject: Re: what does it mean: "to find collision in bytes"
Date: Thu, 29 Jun 2000 10:33:30 -0700

Another way for bytes to collide is when two people in the same office
decide to pick up and move their computers at the same time.  They walk down
the hallway not looking where they are going and crash into one another...

That's another way...

JK  :-)
--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More
tomstd <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "MP" <[EMAIL PROTECTED]> wrote:
> >What does that term mean in cryptoanalysis ??
>
> There could be collisions in block ciphers if it's not a
> multipermutation which means that changing only a certain part
> of the input makes a certain part of the output remain
> unchanged.  That is a collision as well.
>
> Tom
>
>
> Got questions?  Get answers over the phone at Keen.com.
> Up to 100 minutes free!
> http://www.keen.com
>


------------------------------

From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: very large primes
Date: Thu, 29 Jun 2000 11:46:03 -0600
Reply-To: [EMAIL PROTECTED]

Try the link:

 http://mathworld.wolfram.com/P/Prime-GeneratingPolynomial.html

and others on the same page.


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: very large primes
Date: Thu, 29 Jun 2000 17:48:18 GMT

Runu Knips <[EMAIL PROTECTED]> wrote:
> I would be very surprised if there would be some purely arithmetic
> forumla which generates nothing but primes (Of course one can find
> silly examples such as f(x) := 2).

There are some, but none of them have any practical use. Interested
readers should see
http://www.utm.edu/reasearch/primes/notes/faq/p_n.html. (Note,
shortening the url just after primes will take you to the start page,
from whence it's fairly easy navigating.) The entire site probably
contains more information than the average person wants to know about
primes.

The basic problem with them is that they're slower than generating
primes via process of elimination.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Does anyone have code for generating primitive polynomials?
Date: Thu, 29 Jun 2000 12:41:43 -0500

Mack wrote:
 
> I am working in GF(2^n)
> with n from 33 to 1050 or so
> 
> I will check out the pointer
> 
> The method you describe does not seem practical for
> large n. Do you know of another method?
> 
> Checking for primality should be easy.
> Checking for primitiveness seems a little harder.

I don't know of any other method.  Brute force is the only way to
check.  Look in Lidl and Niederreiter, there might be some
way to generate a highly probable primitive.

Patience, persistence, truth,
Dr. mike

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Hey Tom, you wanted to break it ! ;-)
Date: Thu, 29 Jun 2000 12:43:40 -0500

Runu Knips wrote:
> 
> tomstd wrote:
> > In the mean time I am working on my book and hopefully the first
> > two chapters will be ready soon.
> 
> Whow, a book ? Cool. Damned, from where do you get all this
> time...

Having parents supply roof and food helps a lot :-)

Good luck Tom, and have fun!

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: It's been pretty quiet for some time...
Date: Thu, 29 Jun 2000 11:02:24 -0700

Right now, it's out of the public eye. I'd expect the next announcement to
be either an additional phase of request for comments (which means that they
need further help determining which algorithm should be blessed), or an
announcement of blessing. I'd also expect the announcement sometime in
August.
                    Joe

"Volker Hetzer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi!
> Does anyone know what's going on?
> The last announcement was on may, 15.
>
> Greetings!
> Volker
> --
> The early bird gets the worm. If you want something else for
> breakfast, get up later.



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Idea or 3DES
Date: Thu, 29 Jun 2000 11:07:09 -0700
Crossposted-To: alt.security.scramdisk,comp.security.pgp.discuss

CAST is kind of the loose choice for this. In terms of security differences,
all 3 algorithms are really only separated by epsilons (numbers small enough
that they are only maintained for accuracy, not for relevance). I could
easily have added CAST to the two algorithms, and it would've made little
difference to the conclusion. It's all a personal preference, at least
within those 3. Personally I generally choose CAST, because there's an
additional criterion that can be considered that sometimes people don't
like, that of lack of others using the algorithm (making the amortized costs
of attacking me higher). The downside is that I am at higher risk of an
effective attack because CAST has not received the attention of 3DES, but I
knowingly accept that risk, and take precautions accordingly.
                    Joe

"Ice_Makr" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I find all this very interesting but to cut through all the knowledge that
> is obviously commenting on this "and not to show my ignorance on this
> subject"
> but can I assume that I shouldn't have my preferred algorithm "cast" and change
> it to IDEA?? or 3DES???
>
> I want my things to be as safe as possible.  If I change my cast do I need to
> make a new key????
>
> just my 2cents among the 50's  :)
>
>
> --
> Later,
>
>        Ice_M
>
>



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: very large primes
Date: 29 Jun 2000 11:10:34 -0700

In article <tHq65.949$[EMAIL PROTECTED]>,
Mike Andrews <[EMAIL PROTECTED]> wrote:
>If you have to try a large number of cases, it may be worthwhile to write
>a computer program to generate and test the cases. 

If you have to write a computer program to try enough cases, then you should
attempt to answer the question some other way first.  One semester of
elementary number theory would be quite sufficient to allow one to write the
proof below that 6x+1 for integer x generates things other than primes. 
It's much more educational to prove the general method for finding
counterexamples rather than just exhibiting one - because if we say
"x=4, 6x+1 = 25 = 5*5" then I fully expect that the guy will just respond
with something like "OK, well, what about 16x+1?" and keep it up until we get
tired of doing his homework for him, at which point he'll claim that he has
found an infallible prime generation formula and try to sell it to someone.

By the Chinese Remainder Theorem, when we have two numbers p and q that are
relatively prime, we can find an n that is congruent to a mod p and congruent
to b mod q.  Suppose you show me a formula like "px+k" with constant p and k,
and you claim that for integer x it always produces primes.  (For instance,
"6x+1", or "23x+37".)  Well, I just choose a q that is relatively prime to p,
for instance any prime q greater than p, and find my n that is congruent to
k mod p and 0 mod q.  That n will be a counterexample to your claim that
the formula produces only primes.  I can produce an infinite number of
additional counterexamples with the formula pqx+n, integer x, because the
numbers generated by that formula will all be congruent to k mod p and
0 mod q.

6x+1 won't work
23x+37 won't work
nothing that looks like px+k can ever work
-- 
Matthew Skala
[EMAIL PROTECTED]              I paid for it, I own it; fight SDMI!
http://www.islandnet.com/~mskala/
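
Skala's Chinese Remainder Theorem argument carried through in code, as an added example that is not part of the original post: for a claimed prime-generating formula p*x+k it picks a prime q > p (so gcd(p, q) = 1), solves n ≡ k (mod p) and n ≡ 0 (mod q), and returns a value of the formula divisible by q, plus the infinite family p*q*x + n. The helper names (`counterexample`, `family`, `crt_pair`) are this example's own.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the small values this example produces."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime_above(m):
    """Smallest prime strictly greater than m (Skala: 'any prime q greater than p')."""
    c = m + 1
    while not is_prime(c):
        c += 1
    return c


def crt_pair(a, p, b, q):
    """Smallest n >= 0 with n ≡ a (mod p) and n ≡ b (mod q); requires gcd(p, q) == 1.

    Write n = b + q*t; then b + q*t ≡ a (mod p) gives t ≡ (a - b) * q^-1 (mod p).
    """
    assert gcd(p, q) == 1, "moduli must be coprime"
    t = ((a - b) * pow(q, -1, p)) % p
    return (b + q * t) % (p * q)


def counterexample(p, k):
    """Return (x, n, q) with n = p*x + k, q | n and n > q, so n is composite."""
    q = next_prime_above(p)
    n = crt_pair(k % p, p, 0, q)
    # n stays ≡ k (mod p) and ≡ 0 (mod q) when we add multiples of p*q.
    # Step up until n is a genuine value of the formula (x >= 0) and is a
    # proper multiple of q (n > q), which rules out n = q itself being prime.
    while n <= q or n < k:
        n += p * q
    x = (n - k) // p
    return x, n, q


def family(p, k, count):
    """The 'infinite number of additional counterexamples' p*q*x + n, first `count` of them."""
    _, n, q = counterexample(p, k)
    return [n + p * q * i for i in range(count)]


if __name__ == "__main__":
    for p, k in ((6, 1), (23, 37)):
        x, n, q = counterexample(p, k)
        print(f"{p}x+{k}: x={x} gives {n} = {q} * {n // q}")
        print("  more:", family(p, k, 4))
```

Every member of `family(p, k, ...)` is ≡ k (mod p) and ≡ 0 (mod q), exactly as the post states, so each is a composite output of the formula.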
------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: AES: It's been pretty quiet for some time...
Date: Thu, 29 Jun 2000 12:20:00 -0600

In article <[EMAIL PROTECTED]>, Volker Hetzer
<[EMAIL PROTECTED]> wrote:

> Hi!
> Does anyone know what's going on?
> The last announcement was on may, 15.
> 
> Greetings!
> Volker
> --
> The early bird gets the worm. If you want something else for       
> breakfast, get up later.

Some are perhaps readying their spray cans so as to paint a large bullseye
on any announced winner.  After all, why attack many when you can wait to
attack only one?
-- 
Ralph Nader must not be a politician, he makes sense.  Those that
hype confusion about understandable issues are the anarchists.


------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,comp.security.pgp.discuss
Subject: Re: Idea or 3DES
Date: Thu, 29 Jun 2000 15:25:40 -0400

IDEA should be considered extremely more secure than triple DES ...
- exactly, from 2^38 to 2^20 steps more secure ... 

Joseph Ashwood wrote:
> 
> CAST is kind of the loose choice for this. In terms of security differences,
> all 3 algorithms are really only seperated by epsilons (numbers small enough
> that they are only maintained for accuracy, not for relevance).

I will call # of steps of 2^38 as EPSILON only when I'm ignorant ...



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On a notation issue of Feistel ciphers
Date: Thu, 29 Jun 2000 21:48:28 +0200



Runu Knips wrote:

> In my new cipher 'PARANOIA' I use a formula
> like this:
>
> A = A @ X(B, C, D, E, F, G, H)
> B = B @ X(C, D, E, F, G, H, A)
> [...]
> H = H @ X(A, B, C, D, E, F, G)
>
> I think thats a possible extension of the
> 'ordinary' Feistel.

If the function X is good, it is indeed a good extension. (As I
noted, Feistel's scheme is nothing but a particular iterative
processing of a set of equations.) However, run-time efficiency could
under some circumstances be poorer than the normal Feistel.

M. K. Shen




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Date: Thu, 29 Jun 2000 21:47:57 +0200



Mark Wooding wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > But we were disputing on whether Scott Fluhrer's argument (to which
> > I answered) involved TWO ciphers or ONE cipher!
>
> We were?  Oh.  Perhaps you should have told me!
>
> I thought we were agreed that his comment (preprocessing your bogus
> cipher's input with something like Rijndael) involved two ciphers.
> Unless you're now claiming that the original bogus cipher doesn't
> actually count, of course.

Yes! We WERE arguing between TWO and ONE cipher.
Here quote from Scott Fluhrer:
     For example, pass it through Rijndael first.
Here quote from me:
    You are distorting the discussion context. We are discussing the
     possibilities to obtain some improvements upon a given cipher
     with some chaining modes, not discussing using two or more ciphers.
Here quote from you:
     But your answer doesn't address his point.
     The point is that you're using the wrong fix.  The right fix is a good
     cipher.  Use one.

> > (I said many times) if you have to communicate through public
> > providers and there is no other possibility, how are you going to
> > obtain 'some other way of communicating which was immune from attacks
> > by this adversary anyway'??
>
> Let's get a profile of this adversary, then.
>
>   * He's incapable, for some reason, of mounting any attacks against
>     ciphers which aren't brute-force.  He also conveniently told you
>     this.
>
>   * His computers can break t-bit keys, but no longer.  He can't buy any
>     more computers for some reason.  You know what t is to within a
>     factor of eight, again because he told you.  Oddly, the cipher which
>     you have no choice but to use is about 2^t to break.
>
>   * He can eavesdrop on every communications channel available to you.
>     That includes landline telephones, mobile telephones, the postal
>     service, motorcycle couriers, carrier pigeon, leased data lines to
>     the internet...
>
> I think I might be forgiven for claiming that this was a rather strange
> sort of adversary.  The word `preposterous' springs to mind, actually.

I do think that there could be realistic cases of what I was thinking of.
Consider a very large industrial competitor. His computing power
may be publicly known. He may use money to bribe some people
at your providers to tap your communications or else engage some
other external guys to do that. I was told anyway that it is quite trivial
to have my telephone line tapped.

> > Let's first consider the familiar CBC. Suppose one uses a secret IV
> > (of the size of the block). If the analyst brute force the first
> > block, how much additional work does he have when compared to the case
> > where there is no xoring with the IV? A few bits? Please give a
> > plausible argument, if you think so.
>
> Duh.  Why would the analyst waste his time doing this?  Why doesn't he
> attack the second block instead?  He recovers the key and reads all but
> the first block, which (most likely) wasn't very interesting anyway.

But that wasn't my point. I was showing that, if an unknown chaining
value is xored to the plaintext of a block (for example the first block
of CBC with a secret IV), then the task of brute-forcing using that
block is materially more difficult than a few bits. I wonder why you
raised the question 'Why would the analyst waste his time doing this?'.
Wouldn't that question be 'superfluous' due to the following that is
quoted from my previous post? (The second sentence of the quote
implies that the analyst would work on other than the first block.
The third sentence means that with an appropriate chaining mode
all chaining values are unknown and that consequently the strength
of the cipher is enhanced by more than a few bits as argued above.)

     Now for the second and following block, the analyst does know
     the chaining value. That's why I don't prefer CBC. As I said
     previously, there are other chaining modes than CBC where all
     the chaining values are unknown to the analyst.

M. K. Shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Date: Thu, 29 Jun 2000 21:48:07 +0200



Mark Wooding wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > Fine. Do you think that one can always get such a 'good' cipher in ALL
> > cases? Note that there is no absolutely objective evaluation of the
> > strength of a cipher, nor that of risk. Hence a user might always
> > desire further improvements of his security. 3DES is mostly considered
> > to be secure at the current moment. But there is no strong argument
> > to convince someone who fears that it is not secure enough for his
> > application.
>
> Ahh.  But adding three more bits by keeping the chaining mode secret
> will make all the difference.  Of course.  How silly of me to have
> thought differently.

In another follow-up it is argued by me that the strength enhancement
is MORE than the three or a few bits. I suppose we could 'concentrate'
in future on that other branch of the discussion tree of the present thread
and not have several branches open at the same time.

M. K. Shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Remark on practical predictability of sequences
Date: Thu, 29 Jun 2000 21:48:16 +0200



Tim Tyler wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> : Pseudo-random sequences, being deterministically generated,
> : always involve the issue of predictability. On the other
> : hand, a good cipher prevents the opponent to obtain the
> : plaintext from the ciphertext. It seems logical to conclude
> : that, if one feeds a pseudo-random sequence to a good cipher,
> : the resulting output sequence is practically unpredictable,
> : since he can't recover the original sequence which he needs
> : to do the inference in the first place.
>
> This is essentially how (for example) Yarrow works.
>
> It feeds a less than perfectly random sequence (in fact it uses a
> counter) through a block cypher (3DES).
>
> Typically hash functions - rather than block cyphers - are used in this
> context - but the principle is similar.

An essential question is what kinds of 'less than perfectly random
sequence' are allowed to pass through a block cipher of the quality
of 3DES, if 'practical' unpredictability of the output is to be
achieved. My guess is that any statistically superior sequence from
a common PRNG is good enough as input and that no
non-predictability of the input sequence itself is required. In particular,
the input sequence need not come from any hardware devices, so that
everything can be in software (excepting perhaps a relatively short
seed of the PRNG which may be obtained e.g. from throwing dice,
if not through very simple hashing of a passphrase).

M. K. Shen




------------------------------

From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk,comp.security.pgp.discuss
Subject: Re: Idea or 3DES
Date: Thu, 29 Jun 2000 15:45:19 -0400

Arturo wrote:
> And what if we accept the fact that not even the USG is all-powerful?

accepting above fact has nothing to do with the reality ...

> They can't stop the flow of drugs into the US or prevent a starving-to-death
> country like North Korea from becoming a nuclear power, 

why the above jobs are left unfinished is a matter of preference 
AND NOT of inability ...



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: AES: It's been pretty quiet for some time...
Date: Thu, 29 Jun 2000 21:54:46 +0200



wtshaw wrote:

> Some are perhaps readying their spray cans so as to paint a large bullseye
> on any announced winner.  After all, why attack many when you can wait to
> attack only one?

I read a popular article where the Hitachi claims were termed an attack.
I don't think it proper to call that an attack on a cipher, which
is a breaking in our sense.

M. K. Shen


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
