Cryptography-Digest Digest #149, Volume #12       Sun, 2 Jul 00 20:13:01 EDT

Contents:
  SCOTT19U.ZIP_GUY **** PLONK! **** (Guy Macon)
  Re: Newbie question about factoring (Paul Schlyter)
  Re: Remark on practical predictability of sequences (Mok-Kong Shen)
  Re: very large primes (Mok-Kong Shen)
  A simple all-or-nothing transform (Mok-Kong Shen)
  Re: DES Analytic Crack (Mok-Kong Shen)
  Re: Observer 4/6/2000: "Your privacy ends here" (Simon Elliott)
  Use of EPR "paradox" in cryptography (DSM)
  Hashing Function (not cryptographically secure) (Simon Johnson)
  Has RSADSI Lost their mind? ([EMAIL PROTECTED])
  Re: Use of EPR "paradox" in cryptography (Nathan Urban)
  Re: Call for volunteers for anonymous, censorship-resistant publishing system (Larry)
  Re: Observer 4/6/2000: "Your privacy ends here" (U S-D)
  W2K fakes 128-bit crypto? (denis bider)
  Re: very large primes (Jerry Coffin)
  Re: A simple all-or-nothing transform (Mark Wooding)
  Re: Hashing Function (not cryptographically secure) (Mark Wooding)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: SCOTT19U.ZIP_GUY **** PLONK! ****
Date: 02 Jul 2000 15:14:01 EDT

SCOTT19U.ZIP_GUY wrote:

>in a way maybe John can even grasp or his BS crypto friends if they
>give it any thought. But if they are the stuffed shirt kind of guys
>with ties they may not have sufficient blood flow to the brain.

**** PLONK! ****


------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Crossposted-To: comp.theory
Subject: Re: Newbie question about factoring
Date: 2 Jul 2000 19:12:30 +0200

In article <[EMAIL PROTECTED]>,
Dido Sevilla  <[EMAIL PROTECTED]> wrote:
 
> Bob Silverman wrote:
> 
>> The size of a number IS its number of digits.
>> 
>> You contradict yourself.
> 
> And you're playing semantics.  How big is a number?  It's its
> magnitude.  The number of digits is its number of digits.
 
Which number is biggest?
 
   3E+28
 
or
 
   0.00002374563487298734596792376598726349873645398726395482769328746
 
????
 
:-)))))))))))))))))))))))))))
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Remark on practical predictability of sequences
Date: Sun, 02 Jul 2000 23:15:29 +0200



"John A. Malley" wrote:

> I hesitate with a resounding endorsement out of caution. I take little
> comfort in relying on secret parameters for LCG, LFSR or Non-LFSR
> PRNGs.  Personally I would like to learn more about potential attacks
> relating the predictability of the next state of the PRNG from its past
> states to characteristics in the ciphertext output of the block cipher
> -  with knowledge of the PRNG parameters and algorithm but the initial
> seed secret.
>

As far as I am aware, all the works on inferring an LCPRNG
require that its output sequence (or fractions of the bits
of it) be either directly available or easily computable
from other data. However, this is not the case if the
sequence is passed to a good cipher and only the output of
the cipher is available. Thus the case with secret seed
but known parameters does not have any known research results
applicable to it. It seems plausible to consider that that
is infeasible with the state of the art. On the other hand,
letting the parameters of the generator be secret certainly
gives a better warrant of practical security at almost no
additional cost.

M. K. Shen



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: very large primes
Date: Sun, 02 Jul 2000 23:15:37 +0200



Benjamin Goldberg wrote:

> Douglas A. Gwyn wrote:
> >
> > Dann Corbit wrote:
> > > http://mathworld.wolfram.com/Prime-GeneratingPolynomial.html
> [snip]
> > "However, there exists a polynomial in 10 variables with integer
> > coefficients such that the set of primes equals the set of
> > positive values of this polynomial obtained as the variables run
> > through all nonnegative integers, although it is really a set of
> > Diophantine equations in disguise (Ribenboim 1991)."
>
> Sounds cool.  But... what is that polynomial-in-10-variables?

According to Ribenboim's book (1988 edition) the formula
with 10 variables is not known in explicit form, but the one
with 26 variables is to be found there. The one with 10
variables has, besides, an extremely high degree, so that it
seems not practical at all to do any computation with it. The
one with 26 variables has a degree of 25. However, it is said
that such formulae can generate non-relevant negative values
and repeated positive values which are primes. So it appears
that these, while of high significance theoretically, are
barely useful in practice for the purpose of generating
primes for applications.

M. K. Shen



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: A simple all-or-nothing transform
Date: Sun, 02 Jul 2000 23:17:56 +0200


Rivest has in a well-known paper introduced the all-or-nothing
transform, which forces the analyst to decrypt all blocks of a
message, thus effectively increasing the key space by a
few bits.

However, his scheme is rather complicated in my humble view.
In the following I would therefore like to present an alternative
scheme for discussion. I shall assume, however, that the
number of blocks of the given message is even, i.e. one has
to append a random block if the number of proper message
blocks is odd. (Note that in Rivest's scheme, which doesn't
have this restriction, the message length is always increased
by one block in the encryption process.)

Let n (n even) message blocks P_1, P_2, ..., P_n be given.
We build their xor-sum S = Sum(P_j) j= 1, 2, ..., n.
Let B_i = P_i + S. Then the ciphertext blocks are given by
C_i = E(K, B_i).

The receiver first decrypts to obtain B_i and computes
Sum(B_j) = (n+1)*S = n*S + S = S (since n is even) and can
subsequently recover the plaintext blocks P_i from B_i.

Thanks for critiques and comments in advance.

M. K. Shen
===========================
http://home.t-online.de/home/mok-kong.shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: DES Analytic Crack
Date: Sun, 02 Jul 2000 23:31:01 +0200



lordcow77 wrote:

> What ever happened to Eric Michael Cordian's DES Analytic Crack
> project that was floating around the cypherpunks mailing list in
> 1998 or so? They haven't updated their FAQ for since then and I
> haven't heard anything else about their results (or even their
> lack thereof).

There were very early (at least back in 1981) considerations on cracking
DES through solving a set of mathematical equations. However, it
was found that that would require, among others, an impossibly
large amount of memory space. It seems that the constraints are far from
being removed today by the technological advancements attained in the
meantime. Otherwise there would have been people attempting to attack
AES that way.

M. K. Shen


------------------------------

From: Simon Elliott <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: Sun, 2 Jul 2000 23:04:05 +0100
Reply-To: Simon Elliott <[EMAIL PROTECTED]>

JimD <[EMAIL PROTECTED]> writes
>This Hilda Murrell, had a nephew(?) who knew what happened to
>the log of the submarine that sunk the Belgrano. You'll recall
>the log mysteriously went missing when enquiries were being made
>about this incident.
>
>She was also active in some peace movement or other - that and
>the matter of the log was just a bit too much of a risk for
>the odious Thatcher woman to take, so she had her eliminated.
>Or so the story goes. The local police, unsurprisingly, got
>nowhere with the murder enquiry.

I recall that the log of HMS Conqueror went missing, and that the people
who knew about the log suddenly were not available to talk to the press. 

At the time, I assumed that they had been made an offer they could not
refuse; I didn't know about the murder enquiry. 

A suitable subject for some investigative journalism, I would have
thought?

Perhaps this issue will come to the public notice again now that the
Belgrano incident is coming before ECHR?

-- 
Simon Elliott                       phone : +44 (0)1444 413799
Software Consultant                 fax   : +44 (0)870 0557822 
Courtlands Technical Services       email : <[EMAIL PROTECTED]>






------------------------------

From: DSM <[EMAIL PROTECTED]>
Crossposted-To: sci.physics
Subject: Use of EPR "paradox" in cryptography
Date: Sun, 02 Jul 2000 18:18:14 -0400
Reply-To: [EMAIL PROTECTED]

Why haven't I heard of any use of the EPR "paradox"
in cryptography? Is it only my poor research, or something
else?

From what I know, EPR allows uninterceptable, untraceable,
instantaneous exchange of RANDOM data. Many have concluded
that its inability to carry true (non-chaotic) data makes
the phenomenon useless for communication. Not so. This is
the perfect one-time pad mechanism. Simply XOR your data
on both sides of the (conventional) link with the stream
from your EPR boxes...

Is it the expense of EPR machinery which prevents widespread
use? How much does a setup cost? Could it be built out of
open-market materials?

------------------------------

Subject: Hashing Function (not cryptographically secure)
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sun, 02 Jul 2000 15:30:19 -0700

Here is a hashing function which I almost certainly know isn't
cryptographically secure. So my main question is whether it is
biased in some manner.

Okay, this hash is used to produce check-digits for data being
sent across a network (the data is in plain text so the hash
need not be secure). It has a hash size of 64 bits (2^32 birthday
attack, which is an acceptable chance of collision).

It works on blocks of 64 bits; if the document is not evenly
divisible into 64-bit blocks, pad with the length of the
document in binary and then append trailing 0's to this value to
make the length into a multiple of 64.

Then divide the document into 64-bit chunks and XOR them all
together. This is your hash value.

To summarise:

Padding: if (length of message) mod 64 != 0 then message =
message & length of document & trailing 0's (to make: len
(message) mod 64 = 0)

Hashing: for the 0 to i blocks: Hash = block[0] XOR block[1]
XOR ... block[i]

Any suggestions for this check digit system?





------------------------------

From: [EMAIL PROTECTED]
Subject: Has RSADSI Lost their mind?
Date: Sun, 02 Jul 2000 18:08:18 -0500

Below are a couple of messages posted to the OpenSSL users mailing list.
Seems someone down at RSADSI has lost it. I found the part about them
*owning* EAY quite amusing. I wonder if anyone bothered telling him that
he is considered owned property of RSADSI.


=========================================================================
The following message is forwarded to you by "William H. Geiger III"
<[EMAIL PROTECTED]> (listed as the From user of this message).  The
original sender (see the header, below) was [EMAIL PROTECTED] and
has been set as the "Reply-To" field of this message.
=========================================================================
>From: Bill Rebey <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Legality - just heated up
>Date: Wed, 28 Jun 2000 14:30:38 -0600

I just got off the phone with, among others, John Riley at RSA.  He's
claiming things like (paraphrased):

"It's flat out illegal to use OpenSSL for Commercial purposes"  "Even if
you use OpenSSL, it still uses RSA technologies that you have to pay
royalties for (regardless whether it uses RSA encryption or not)"  "We own
EAY, thus we own SSLeay/OpenSSL"

He's leaning on us to pay $70K up front, plus $636 in royalty fees for
every copy of our product that we sell!!

Can anyone clarify any of this for me?  

Is there another group that I should mail to that would be a more
appropriate or authoritative audience for such legal questions?

Thanks again,

Bill Rebey



=====Original Message=====
From:   Bill Rebey 
Sent:   Wednesday, June 28, 2000 4:06 PM
To:     [EMAIL PROTECTED]
Subject:        Legality

Hi all,

Assuming I ever get OpenSSL figured out and working, I need to know about
the legality of using OpenSSL.

I am using it in a Commercial product.

What can and can't I use?  I control both the client and server, so the
brand of encryption that I use is not important.   What's far more
important is that I avoid using anything that requires licensing,
royalties, fees, etc.

Is there a definitive source for this information somewhere?

Thanks for any help you can offer,

Bill Rebey
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

=====================================================
 -- End of forwarded message
=====================================================


-- 
===============================================================
William H. Geiger III      http://www.openpgp.net  
Geiger Consulting    

Data Security & Cryptology Consulting
Programming, Networking, Analysis
 
PGP for OS/2:               http://www.openpgp.net/pgp.html
E-Secure:                   http://www.openpgp.net/esecure.html
===============================================================


------------------------------

From: [EMAIL PROTECTED] (Nathan Urban)
Crossposted-To: sci.physics
Subject: Re: Use of EPR "paradox" in cryptography
Date: 2 Jul 2000 19:07:55 -0400
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> Why haven't I heard of any use of the EPR "paradox"
> in cryptography? Is it only my poor research, or something
> else?

Poor research.  A simple web search for "quantum cryptography" and "EPR"
immediately reveals, for instance:

     http://www.aip.org/enews/physnews/2000/physnews.480.htm
     http://www.ai.sri.com/~goldwate/quantum.html#QKD

> From what I know, EPR allows uninterceptable, untraceable,
> instantaneous exchange of RANDOM data. Many have concluded
> that its inability to carry true (non-chaotic) data makes
> the phenomenon useless for communication. Not so. This is
> the perfect one-time pad mechanism.

Bingo.  Look for things like "quantum key distribution".  I bet there
are loads of papers on quant-ph.

> Is it the expense of EPR machinery which prevents widespread use?

AFAIK, the main practical barrier is that it's rather hard to do over
long distances.

------------------------------

From: Larry <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security
Subject: Re: Call for volunteers for anonymous, censorship-resistant publishing system
Reply-To: [EMAIL PROTECTED]
Date: Sun, 02 Jul 2000 18:27:43 -0500

Damn, sounds tight

Larry

On Fri, 30 Jun 2000 13:04:36 GMT, [EMAIL PROTECTED] (Avi Rubin)
wrote:

>
>We have designed and implemented a system for anonymous, censorship-resistant
>publishing on the web. It is called Publius. Details can be found at 
>
>   http://cs.nyu.edu/waldman/publius/
>
>We are soliciting volunteers to host publius servers. All that is required
>is that you run our CGI script on your server, and that you are willing to
>dedicate a certain amount of disk space to the project. More information is
>available on the publius site. 
>
>Key dates:
>
>     6/30-7/21 Request For Volunteers 
>     7/21-7/27 Publius Software Distribution and Installation 
>     7/28-9/28 Live Trial of Publius 
>
>Today's Washington Post featured an article about Publius. The text is
>available at
>
>  http://www.washingtonpost.com/wp-dyn/articles/A21689-2000Jun29.html
>
>If you are interested in volunteering, you can sign up on the Publius
>web site.


------------------------------

From: [EMAIL PROTECTED] (U S-D)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.security.scramdisk,uk.telecom
Subject: Re: Observer 4/6/2000: "Your privacy ends here"
Date: 2 Jul 2000 23:38:02 GMT

In article <[EMAIL PROTECTED]>, Simon Elliott wrote:
>JimD <[EMAIL PROTECTED]> writes

>>This Hilda Murrell, had a nephew(?) who knew what happened to
>>the log of the submarine that sunk the Belgrano. You'll recall
>>the log mysteriously went missing when enquiries were being made
>>about this incident.
>>
>>She was also active in some peace movement or other - that and
>>the matter of the log was just a bit too much of a risk for
>>the odious Thatcher woman to take, so she had her eliminated.
>>Or so the story goes. The local police, unsurprisingly, got
>>nowhere with the murder enquiry.
>
>I recall that the log of HMS Conqueror went missing, and that the people
>who knew about the log suddenly were not available to talk to the press. 
>
>At the time, I assumed that they had been made an offer they could not
>refuse; I didn't know about the murder enquiry. 
>
>A suitable subject for some investigative journalism, I would have
>thought?
>
>Perhaps this issue will come to the public notice again now that the
>Belgrano incident is coming before ECHR?

Murrell's uncle was the guy who ordered the sinking of the Belgrano.

Murrell was quite prominent in the anti-Sizewell B lobby.

West Mercia Constab reopened the murder investigation in late April
when advancements in DNA technologies allowed them to analyse
the tiny sample of semen apparently found near her body.

--
"Over a full English breakfast, weapons inspectors, Ramaphosa and 
Ahtisaari, discussed their report with British Premier, Tony Blair."
                                        BBC World Service 26/6/00

------------------------------

From: [EMAIL PROTECTED] (denis bider)
Subject: W2K fakes 128-bit crypto?
Date: Sun, 02 Jul 2000 23:42:56 GMT

Can anyone confirm this rumour?

>Actually,
>
>I have heard a rumour that the '128-bit encryption' that Microsoft is
>shipping with Windows 2000 has actually been tweaked in such a way that it
>is only 128-bit when observed by a non-clued-in person, but is rather 40-bit
>for the people who know how it has been designed.
>
>In effect, rumour therefore has it that 88 bits out of the 128 are set in
>such a way that it is extremely easy to find them for someone who knows how.
>The French are supposed to have found this out, and they are supposed to
>have been a little bit upset because of this fact.
>


------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: very large primes
Date: Sun, 2 Jul 2000 18:06:31 -0600

In article <8jlm2i$iav$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> This above idea is actually very close to a proof done by Euclid involving
> the infinitely greater prime number.  What that proof stated was that (n!
> +1) will be prime.  n! creates a number that is divisible by every number up
> to n.  when you add one to n!, the result:
>     can't be a multiple of 2, because it leaves 1 over when you divide by 2
>     can't be a multiple of 3, because it leaves 1 over when you divide by 3
>     can't be a multiple of 4, because it leaves 1 over when you divide by 4
> 
> Obviously, this is not correct:  n = 5, (5!+1) = 121 = 11 * 11, thereby not
> being prime.  But why does the reasoning for it seem almost logical?

This is NOT the reasoning Euclid used -- he specifically said that 
when we obtain N!+1, it will either be a prime OR it will be 
divisible by a prime larger than N.  Either proves that N is not the 
largest prime number.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: A simple all-or-nothing transform
Date: 2 Jul 2000 23:46:14 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

> Let n (n even) message blocks P_1, P_2, ..., P_n be given.  We build
> their xor-sum S = Sum(P_j) j= 1, 2, ..., n.  Let B_i = P_i + S. Then
> the ciphertext blocks are given by C_i = E(K, B_i).
> 
> The receiver first decrypts to obtain B_i and computes Sum(B_j) =
> (n+1)*S = n*S + S = S (since n is even) and can subsequently recover
> the plaintext blocks P_i from B_i.

Interesting observation.  It's not actually strong enough to make an
all-or-nothing system from, though.

For example, note that if any *pair* of the plaintext blocks P_i, P_j are
known, then we're likely to be able to recover the key and the remaining
plaintext given the ciphertext in little more time than would be
required without the transform.

Compute X = P_i (+) P_j.  Now, for each possible key K, compute X'_K =
E^{-1}(K, C_i) (+) E^{-1}(K, C_j).  Then if X'_K = X then K is a
possible key.  Decrypt the rest of the message using K and then XOR with
E^{-1}(K, C_i) (+) P_i.  If the message is `plausible' then we're done.

Instead of using the plausibility test, we can use ceil(k/n) - 1 further
ciphertext/plaintext pairs.

I'll stick with Rivest's package transform, thanks.

-- [mdw]
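Shen's transform from the original post and Wooding's pair observation above, as an added example (not code from either poster): the XOR-sum construction wrapped around a deliberately toy 64-bit cipher with a 16-bit key, so that the point that B_i XOR B_j equals P_i XOR P_j regardless of S, and hence that the transform adds no key-space margin once two plaintext blocks are known, can be checked end to end. The toy cipher, key size and sample blocks are constructed for illustration.

```python
import secrets
from typing import Dict, List, Tuple

MASK = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15           # odd constant, so invertible mod 2**64
MUL_INV = pow(MUL, -1, 1 << 64)
KEY_BITS = 16                       # toy key size so exhaustive search stays cheap


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK


def _spread(key: int) -> int:
    # Stretch the 16-bit toy key across all four 16-bit lanes of the block.
    return (key * 0x0001000100010001) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Toy 64-bit block cipher standing in for E(K, .) in the post. NOT secure."""
    k = _spread(key)
    return _rotl(((block ^ k) * MUL) & MASK, 17) ^ k


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt, i.e. E^{-1}(K, .)."""
    k = _spread(key)
    return ((_rotl(block ^ k, 64 - 17) * MUL_INV) & MASK) ^ k


def xor_all(blocks: List[int]) -> int:
    s = 0
    for b in blocks:
        s ^= b
    return s


def aont_encrypt(key: int, blocks: List[int]) -> List[int]:
    """Shen's transform: S = XOR of all P_j, B_i = P_i ^ S, C_i = E(K, B_i).
    n must be even; as the post says, an odd message gets a random block appended."""
    if len(blocks) % 2:
        blocks = blocks + [secrets.randbits(64)]
    s = xor_all(blocks)
    return [toy_encrypt(key, p ^ s) for p in blocks]


def aont_decrypt(key: int, cblocks: List[int]) -> List[int]:
    """Receiver: B_i = E^{-1}(K, C_i); XOR of all B_j is (n+1)*S = S since n is even."""
    bs = [toy_decrypt(key, c) for c in cblocks]
    s = xor_all(bs)
    return [b ^ s for b in bs]


def pair_leak_candidates(cblocks: List[int], i: int, p_i: int,
                         j: int, p_j: int) -> List[int]:
    """Wooding's observation: B_i ^ B_j = P_i ^ P_j, the S terms cancel.
    Two known plaintext blocks therefore filter candidate keys with two
    trial decryptions each, roughly the cost of searching the bare cipher,
    so the transform adds no key-space margin in this setting."""
    x = p_i ^ p_j
    return [k for k in range(1 << KEY_BITS)
            if toy_decrypt(k, cblocks[i]) ^ toy_decrypt(k, cblocks[j]) == x]


def recover_with_known_blocks(cblocks: List[int],
                              known: Dict[int, int]) -> List[Tuple[int, List[int]]]:
    """Filter keys with the first two known blocks, then confirm survivors
    against every known block (Wooding's 'further pairs' in place of a
    plausibility test). Returns the (key, plaintext) pairs that survive."""
    (i, p_i), (j, p_j) = list(known.items())[:2]
    out = []
    for k in pair_leak_candidates(cblocks, i, p_i, j, p_j):
        pt = aont_decrypt(k, cblocks)
        if all(pt[m] == p for m, p in known.items()):
            out.append((k, pt))
    return out
```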

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Hashing Function (not cryptographically secure)
Date: 2 Jul 2000 23:52:41 GMT

Simon Johnson <[EMAIL PROTECTED]> wrote:

> Hashing: for the 0 to i blocks: Hash = block[0] XOR block[1]
> XOR........ block[i]
> 
> Any suggestion for this check digit system?

Yeah.  Don't use it.

Any reordering of blocks is transparent to it.  (Equivalently) any XOR
difference applied to an even number of blocks is transparent to it.
Applying an XOR difference to an unknown `check' to fix it up after
having applied an XOR difference to a corresponding unknown preimage is
trivial.

And if it's not meant to resist these sorts of things, it shouldn't be
in sci.crypt.

-- [mdw]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
