Cryptography-Digest Digest #158, Volume #12 Tue, 4 Jul 00 12:13:01 EDT
Contents:
Re: A simple all-or-nothing transform (Mok-Kong Shen)
Re: RC4 question (dexMilano)
Re: RC4 question (dexMilano)
Re: Diffie Hellman Primes : Speed Tradeoff Q (Mark Wooding)
Re: cray and time needed to attack (Mark Wooding)
Re: Public-domain Blowfish (Mark Wooding)
Re: cray and time needed to attack (Runu Knips)
Re: cray and time needed to attack (Bob Silverman)
RE: ANSI X9.62 and X9.63 (Bob Silverman)
Re: Use of EPR "paradox" in cryptography (John Savard)
Re: cray and time needed to attack ("Sam Simpson")
Re: Encryption and IBM's 12 teraflop MPC...... (Jeffrey Williams)
Re: A simple all-or-nothing transform (Mok-Kong Shen)
Re: Java implementation of DES and 3DES (Bob Deblier)
Re: Diffie Hellman Primes : Speed Tradeoff Q (Anton Stiglic)
Re: A thought on OTPs (David A Molnar)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A simple all-or-nothing transform
Date: Tue, 04 Jul 2000 12:43:31 +0200
David Hopwood wrote:
> If the requirement for the function to be unkeyed is dropped, then
> "all-or-nothing transform" is the wrong term to use; instead use either
> "pseudo-random permutation" (for deterministic functions) or
> "semantically secure encryption scheme" (for non-deterministic functions).
I don't share your view. All-or-nothing transform means that one
applies a procedure to make the encryption (component) processes
of a message so, that the opponent is forced to deal with the whole
of the ciphertext material and can't simply concentrate his efforts to a
part of it and thus achieve economy in his attack (which may even
be critical for his success). Thus, whether the first scientific paper
treating the theme happens to use a secret key or not is irrelevant to
the term 'all-or-nothing transform' as such. As to the second half of
your sentence, I wonder how I am going to classify my use of two
non-linear block chaining steps (see a follow-up of mine of 3rd. Jul),
which also forces the opponent to treat the entire message, according
to your terminology.
M. K. Shen
------------------------------
From: dexMilano <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Date: Tue, 04 Jul 2000 10:26:37 GMT
I know that the strenght level of RC4 is considered very good because
of the key preparation.
I've thought to enforce it using a variant of CFB (Cipher feedback).
I mean that the Nth character is shifted of M position depending on the
n-1 ciphered character.
With this shifting the code-resulting of the character depends on the
previous sequnces. SO its more difficult an attack based on frequency.
What do you think of this idea?
dex
In article <uY1sV0Y5$GA.279@cpmsnbbsa07>,
"Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
> That's correct. This is because all RC4 does is create a
> pseudo-random pad, which is then XORed with plaintext at a
> later time (with no plaintext/ciphertext dependancy).
> Joe
>
> "dexMilano" <[EMAIL PROTECTED]> wrote in message
> news:8js32m$t7j$[EMAIL PROTECTED]...
> > A silly question.
> >
> > I've tried the implementation of RC4 you can find on the
> web.
> > Is it correct the felling that the same sequence of bits
> in the same
> > position, with the same key, is coded in the same way,
> indipendently
> > form the previos bit sequences.
> >
> > I mean that, if yuo have to code gufy and pufy, the cript
> version shold
> > be something like 1234 and 9234.
> >
> > (I hope the example is clear)
> >
> > thx
> >
> > dex
> >
> >
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
>
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: dexMilano <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Date: Tue, 04 Jul 2000 10:41:02 GMT
Sorry, I use the CBC approach for the variant.
In article <8jse4j$5m6$[EMAIL PROTECTED]>,
dexMilano <[EMAIL PROTECTED]> wrote:
> I know that the strenght level of RC4 is considered very good because
> of the key preparation.
>
> I've thought to enforce it using a variant of CFB (Cipher feedback).
> I mean that the Nth character is shifted of M position depending on
the
> n-1 ciphered character.
>
> With this shifting the code-resulting of the character depends on the
> previous sequnces. SO its more difficult an attack based on frequency.
>
> What do you think of this idea?
>
> dex
>
> In article <uY1sV0Y5$GA.279@cpmsnbbsa07>,
> "Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
> > That's correct. This is because all RC4 does is create a
> > pseudo-random pad, which is then XORed with plaintext at a
> > later time (with no plaintext/ciphertext dependancy).
> > Joe
> >
> > "dexMilano" <[EMAIL PROTECTED]> wrote in message
> > news:8js32m$t7j$[EMAIL PROTECTED]...
> > > A silly question.
> > >
> > > I've tried the implementation of RC4 you can find on the
> > web.
> > > Is it correct the felling that the same sequence of bits
> > in the same
> > > position, with the same key, is coded in the same way,
> > indipendently
> > > form the previos bit sequences.
> > >
> > > I mean that, if yuo have to code gufy and pufy, the cript
> > version shold
> > > be something like 1234 and 9234.
> > >
> > > (I hope the example is clear)
> > >
> > > thx
> > >
> > > dex
> > >
> > >
> > > Sent via Deja.com http://www.deja.com/
> > > Before you buy.
> >
> >
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Diffie Hellman Primes : Speed Tradeoff Q
Date: 4 Jul 2000 11:14:09 GMT
Anton Stiglic <[EMAIL PROTECTED]> wrote:
> Bob Silverman wrote:
>
> > False. Generating a 1024 bit prime should take a few tenths of a
> > second AT MOST if done correctly.
[snip]
> you want a strong prime p = 2q + 1 in DH for different reasons,
I'm aware that it's a good idea to work in a subgroup with prime order,
since this defeats attacks whereby the adversary takes advantage of
possible subgroups with smooth composite orders. Is there a further
benefit to
> you also want to work in the subgroup of size q
Most definitely.
> and preferably have g = 2 as a generator for that group
Is there any particular reason for this? I can see that there'd be a
minor efficiency gain to using g = 2 over (say) g = 4, which will
*always* generate the prime-order subgroup, but it doesn't really seem
worth throwing away half the candidate moduli. (I note that g = 2 will
generate the order-q subgroup precisely when 2 is a quadratic residue
mod p = 2 q + 1, which I believe happens with probability 1/2.)
> 1024 bit primes took less time, but not a fraction of a second.
Indeed. Maybe Bob ought to tell us how to generate primes
correctly. ;-) I'd love to know.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: cray and time needed to attack
Date: 4 Jul 2000 11:19:06 GMT
JPeschel <[EMAIL PROTECTED]> wrote:
> I suppose he means recovering the symmetric keys by exhaustive
> search of the keyspace, and the RSA and DH keys by factoring.
What are you planning on factoring to break a Diffie-Hellman key?
[Oh, the rest of your article was fine. I'm just nit-picking.]
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Public-domain Blowfish
Date: 4 Jul 2000 11:28:04 GMT
Future Beacon <[EMAIL PROTECTED]> wrote:
> To this day, can anybody use this algorithm any way they want?
Yes.
> Can anybody use it as a layer in their own algorithm?
Yes.
> Has there been restrictions (such as credit to the author) added?
No.
> Has anybody else patented it? Has anybody heard of any disputes?
No. No.
-- [mdw]
------------------------------
Date: Tue, 04 Jul 2000 13:39:03 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Mist wrote:
> a friend told me it need less than a week to crack a 128 bit IDEA key
> with a cray, does its right?
In 40-50 years that might be possible, if Cray still exists and
computer still become faster at the speed they did in the last
decades.
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Date: Tue, 04 Jul 2000 11:40:26 GMT
In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] says...
> > i want to know how many time is need to a cray to crack a:
> > 1� 128 bit key with idea
> > 2� 1024 bit key with blowfish
>
> A Cray would NOT be the weapon of choice in either of these attacks.
> Instead, you'd want to use specialized custom hardware.
Yep. We are still talking about times in the BILLIONS of years for
(1) and (2) will never be done. [Do the arithmetic]
> > 3� 128 bit key with RSA
>
> By contrast, this is so trivial that there's no real reason to use a
> Cray at all -- with an average desktop or laptop, factoring a 128-bit
> number will take less time than it takes you to type in the number.
Yep.
>
> If you intended to say 128 decimal digits instead of 128 bits, then
> at least you've got something secure enough that you might consider
> sing it. Somebody with plenty of talent and money could still break
> it, but the best people and computers available would still take a
> few months to do the job.
No. Try 1-2 weeks at worst.
>
> > 4� 1024 bit key with DH
>
> This borders on being theoretically possible with present technology,
No, it is not. it is not even CLOSE. This is NOT doable within
current technology.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: RE: ANSI X9.62 and X9.63
Date: Tue, 04 Jul 2000 11:49:42 GMT
In article <[EMAIL PROTECTED]>,
TAY YUE WENG <[EMAIL PROTECTED]> wrote:
> Does anybody know where can I download these copies if it is free?
The copyright is owned by the American Banker's Assoc.
They charge a small (less than $100) fee.
> Can someone send a copy to me if membership is required?
Doing so would be a violation of copyright law.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.physics
Subject: Re: Use of EPR "paradox" in cryptography
Date: Tue, 04 Jul 2000 12:43:07 GMT
On Mon, 03 Jul 2000 22:34:06 -0400, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote, in part:
>Lewis E. Little has an alternate point of view that you can read
>about in his papers on the "Theory of Elementary Waves". It is
>not necessary to accept everything about his theory in order to
>see that quantum "paradoxes" really are the historical result of
>early entrenchment of some wrong ideas. http://www.yankee.us.com/TEW/
That does seem to be a valid method of removing nonlocality from
quantum mechanics. Have waves obeying the Schrodinger equation come
from the detectors, and have the interference take place at the time
of particle emission. (Rather than the waves having independent phases
which are then coordinated by the particle, however, these detector
waves would probably have to be a more complicated kind of object
which includes all phases at once, each one labelled in a way that
indicates the distance to the detector.)
However, I can see why that idea didn't recieve serious consideration
at the beginning; there are two reasons.
- the waves emitted by the detectors must be very complex, containing
a huge amount of information;
- detectors passively await a particle, and need not consume energy.
The production of a particle, however, does consume energy. If we
think of the waves as real physical objects (which is precisely what
is claimed by the author), presumably their production has a cost.
Also, I would have thought that the 'delayed-choice' experiment would
address this theory.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: cray and time needed to attack
Date: Tue, 4 Jul 2000 14:05:25 +0100
> Mist wrote:
> >
> > i want to know how many time is need to a cray to crack a:
> > 1� 128 bit key with idea
> > 2� 1024 bit key with blowfish
There is no such thing as blowfish with a 1024-bit key - the max key
size as per the cipher definition is 448-bits.
> > 3� 128 bit key with RSA
I think your mixing your symmetrical and asymmetric ciphers up!
Regards,
Sam
------------------------------
From: Jeffrey Williams <[EMAIL PROTECTED]>
Subject: Re: Encryption and IBM's 12 teraflop MPC......
Date: Tue, 04 Jul 2000 08:14:05 -0500
Good comment, Trevor. This group needs a few more commentators with a sense of
humour.
- Jeff
"Trevor L. Jackson, III" wrote:
> Jerry Coffin wrote:
>
> > In article <3961098a$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > says...
> > >
> > > "Casper H.S. Dik - Network Security Engineer" <[EMAIL PROTECTED]>
> > > wrote in message news:8jlgi8$n6p$[EMAIL PROTECTED]...
> > > > "Harvey Rook" <[EMAIL PROTECTED]> writes:
> > > >
> > > > >If someone put this thing to work brute forcing passwords, it could break
> > > > >40 bit RC4 in a second.
> > > >
> > > > Only if it had an "rc4 & compare result" instruction (or could do so
> > > > in 8 instructions)
> > > >
> > > > (But a "very short time to crack RC4-40" would be correct)
> > > >
> > >
> > > True, but the calculations are certainly off by no more than 100 orders of
> > > magnitude. 100 seconds is still enough to pronounce 40 bit keys as very
> > > insecure.
> >
> > The difference between 1 and 100 is TWO orders of magnitude, not 100
> > orders of magnitude. If the estimate was off by 100 orders of
> > magnitude, it would mean the machine took considerably longer than
> > the estimated age of the universe to test a single key. If the
> > estimate was off by 100 orders of magnitude in the other direction, a
> > exhausting a 40-bit keyspace wouldn't even be a challenge -- in fact
> > even a 128-bit keyspace would be trivial for it to exhaust.
>
> A googol here, a googol there, soon you're talking real crypto sizes. ;-)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A simple all-or-nothing transform
Date: Tue, 04 Jul 2000 16:57:08 +0200
"SCOTT19U.ZIP_GUY" wrote:
> Actually if you use SCOTT19U or SCOTT16U you can get
> a "form of all or nothing" encryption that treats the
> whole file as a single block without changing the file
> length at all if one wishes.
The all-or-nothing transform has the purpose of augmenting
the power of the (already existing, given) block ciphers,
which deal with small groups of bits, in such a manner that
these are in a sense adhered together into a monolithic
whole to be attacked by the opponent (instead of individually).
If a design concept is such that it has the entire message in
view and does not concentrate its effort on a small group of
bits (like all block cipher by definition do), then there
is of course no need of such a transformation.
(Something off-topic:)
The practical fact is however this: While there are block
ciphers that are commonly acknowledged to be good and on
which an all-or-nothing transform can be applied to obtain
further benefits, there are no commonly acknowledged good
ciphers that deal with whole messages as fundamental/basic
entities. I know that you, and maybe some others, have
claimed to have algorithms of that nature. But to gain
acceptance at all, you have to present these in appropriate
and attractive ways to the public. I mean you have to post
to the group sufficiently formal, succint yet entirely
comprehensible descriptions of these without reference to
C codes or second level details etc., so that people can
discuss on principle grounds (i.e. argue at higher levels)
which eventually could lead to improvements of existing
algorithms. I hope that these words of personal recommendation
will meet your consent.
M. K. Shen
------------------------------
From: Bob Deblier <[EMAIL PROTECTED]>
Subject: Re: Java implementation of DES and 3DES
Date: Tue, 04 Jul 2000 16:46:29 +0200
dexMilano wrote:
> The algortith seems to work perfectly.
> I've verified some cases that put the error.
>
> For example, if the resulting bit sequence is 143 the character
> corresponding (ASCII (143)) is "\uFFFD" as a single char!
> If try do decript the sequende where I have this char I have a wrong
> decription.
> I don't receive any error but the algorith doesn't work.
>
> That's why I think the problem could be in the way Java manages
> characters.
>
> dex
It's up to you to properly convert Java's two byte characters to bytes
to feed to the cipher first. The method in which you do this depends on
your mileage, but you could run your string through a DataOutputStream
piggybacked onto a ByteArrayOutputStream. Feed the byte array you get
out of the latter one to DES cipher (rounded up to a whole number of
blocks, unless you use something like PKCS5 padding). On decrypting your
data, piggyback a DataInputStream on a ByteArrayInputStream, created
with your decrypted bytes, and read your string from the former.
Hope this helps
Bob Deblier
Virtual Unlimited
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Diffie Hellman Primes : Speed Tradeoff Q
Date: Tue, 04 Jul 2000 11:13:01 -0400
Mark Wooding wrote:
> Is there any particular reason for this? I can see that there'd be a
> minor efficiency gain to using g = 2 over (say) g = 4, which will
> *always* generate the prime-order subgroup, but it doesn't really seem
> worth throwing away half the candidate moduli. (I note that g = 2 will
> generate the order-q subgroup precisely when 2 is a quadratic residue
> mod p = 2 q + 1, which I believe happens with probability 1/2.)
yes. Here is another test, g=2 is a generator of the subgroup of order
q (p = 2q + 1) iff p = 7 mod 8.
The reasoning is that 2 is a quadratic residue (a group of order q)
iff p = 7 mod 8 or p = 1 mod 8 (but you can eliminate the case 1 mod 8
since p is a strong prime).
Also,
2 is a quadratic residue mod p
=> 2^(1/2) exists
=> 2^q = 2^((p-1)/2) = (2^(1/2))^{p-1} = 1 mod p
<=> g = 2 generates an order q subgroup (Since 2^q = 1 mod p then 2's
order
can only be 2 or q, but the only elements of order 2 are 1 and p-1).
There are other tests. For example, SSLeay uses this:
/* Check that p is a strong prime and
* if g is 2, 3 or 5, check that is is a suitable generator
* where
* for 2, p mod 24 == 11
* for 3, p mod 12 == 5
* for 5, p mod 10 == 3 or 7
* should hold.
*/
And yes, you could use another generator, that has a word size for
example,
and has few bits and then use some kind of word modular exponentiation
(like they have in Open-SSL for example) that is fast, but choosing p
such
that 2 generates the subgroup of order q will not take more than twice
as
long in average.
>
> > 1024 bit primes took less time, but not a fraction of a second.
>
> Indeed. Maybe Bob ought to tell us how to generate primes
> correctly. ;-) I'd love to know.
me to!
Anton
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: A thought on OTPs
Date: 4 Jul 2000 15:47:56 GMT
Guy Macon <[EMAIL PROTECTED]> wrote:
> I don't like the phrase "provably secure" Both "provable" and "secure"
> mean something different to the layperson. I like "the code is impossible
> to break". It speaks to the nontechnical reader. in my opinion.
what is the difference between "provably secure" and "the code is
impossible to break" to a layperson? They both sound really impressive,
and they both overlook the kind of caveat emptors which take up so much
argumentation in this newsgroup, like the assumption that the key is truly
random.
-David
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
