Cryptography-Digest Digest #97, Volume #12       Sat, 24 Jun 00 01:13:00 EDT

Contents:
  Re: how to compare the security between ECC and RSA (David A. Wagner)
  Re: DH - Man In The Middle (David A. Wagner)
  Re: Variability of chaining modes of block ciphers (wtshaw)
  Re: DH - Man In The Middle (David A. Wagner)
  Re: Try it. ("Trevor L. Jackson, III")
  Re: Compression & Encryption in FISHYLAND (zapzing)
  Re: Compression & Encryption in FISHYLAND ("David S. Hansen")
  Re: CHES 2000 accepted papers (Paul Rubin)
  Re: Compression & Encryption in FISHYLAND (John Savard)
  Re: Variability of chaining modes of block ciphers ("Scott Fluhrer")
  Re: Compression & Encryption in FISHYLAND (tomstd)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: DH - Man In The Middle (Mark Wooding)
  exponentiation (Yen-Choon Ching)
  Re: exponentiation (tomstd)
  Re: Weight of Digital Signatures ("Lyalc")
  Re: Try it. (Boris Kazak)
  Encryption 4 the Masses? ("Pig Ear")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: how to compare the security between ECC and RSA
Date: 23 Jun 2000 15:02:10 -0700

In article <8j081c$bcm$[EMAIL PROTECTED]>,
Bob Silverman  <[EMAIL PROTECTED]> wrote:
> Your understanding is incomplete. It is not known whether
> P-TIME is a subset of P-SPACE.

It's not known for sure, but most believe that P-SPACE is likely
to be strictly larger than P-TIME, and for the purposes of this
argument, I think that's enough.

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: DH - Man In The Middle
Date: 23 Jun 2000 15:32:47 -0700

In article <[EMAIL PROTECTED]>,
lcs Mixmaster Remailer  <[EMAIL PROTECTED]> wrote:
> For the case where only one side has a long term public key, say y1=g^x1,
> you could use something like g^(k2*(k1+x1)) for the shared secret.
> This would give the client assurance that it is talking to the right
> server, after confirming that it shared the same secret value.

I think this variant is insecure.

A bad guy can pretend to be the server by picking n at random and
sending l = g^n * y1^{-1} = g^{n-x1} where he was supposed to send g^k1.
Then the client will send g^k2 and compute the shared secret as (y1*l)^k2
= g^{k2*(n-x1+x1)} = (g^k2)^n.  Thus, the bad guy will be able to compute
the shared secret and thereby fool the poor unsuspecting client.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Variability of chaining modes of block ciphers
Date: Fri, 23 Jun 2000 17:16:52 -0600

In article <8j031q$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Guy Macon) wrote:

>...  The chances of our tweaks
> actually increasing security are really, really, small and are easily
> wiped out by even a slight chance that what we do is counterproductive.
> Thus the argument of picking a strong cipher and doing nothing else
> has considerable merit.

There are many algorithms that might add strength much better than the
trivial promise of a chaining mode. It makes better sense to run encrypted
blocks or plaintext through a stream cipher, for instance.  To solve the
cipher text, you must deal with sufficient blocks to break the stream.

Those that feel the urge to use chaining modes or IV's are desperately
seeking anything that might make a particular cipher look better.  If they
are deemed necessary, pick a better cipher to begin with, or do real
chaining with a complementary algorithm.
-- 
Some Turkeys can fly, for short distances.  If you are to depend on 
birds for communication, if it's with turkeys, consider the 
discussions that might occur while feasting on one. 

------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: DH - Man In The Middle
Date: 23 Jun 2000 15:36:35 -0700

In article <[EMAIL PROTECTED]>,
Mark Wooding <[EMAIL PROTECTED]> wrote:
> > Then they do a short exchange where each side tests that the other
> > can encrypt/decrypt some standard value using this shared secret key.
> > The fact that each side ended up with the same shared key shows that
> > they knew the appropriate secret values, hence authenticating them.
> 
> This isn't good enough for plain Diffie-Hellman; is it good enough for
> this construction?
> 
> The attack against DH is like this: Let p be prime, and let g have order
> q z, mod p, where z is small.  Let A and B be Alice and Bob, our usual
> friends, and M be Mallory, our Man In The Middle:
> 
>   A -> M: g^\alpha mod p
>   M -> B: (g^\alpha)^q mod p
>   B -> M: g^\beta mod p
>   M -> A: (g^\beta)^q mod p
> 
> Now, Alice and Bob both compute their shared secret g^{q \alpha \beta}
> mod p, and they compare notes and discover that they really have agreed
> upon the key.  That's fine.  What's not so fine is that g^q has order z,
> so Mallory can easily compute discrete logarithms in this group and
> discover the secret.

These attacks don't work if both sides check to be sure that all values
which are supposed to be in the q-order subgroup, are indeed in the subgroup.
(Exclude the identity, too, for good measure.)  This is, in general, a good
idea, so I don't see any reason to skimp on the subgroup-membership tests.

------------------------------

Date: Fri, 23 Jun 2000 20:29:50 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Try it.

"Trevor L. Jackson, III" wrote:

>
> Le plus ce change, le plus c'est le meme chose.
>

It has been pointed out to me that I no longer speak French in any meaningful
way.  Apologies to any offended francophiles.


------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Compression & Encryption in FISHYLAND
Date: Sat, 24 Jun 2000 00:15:08 GMT

I have a wonderful idea! Let's just compress
all messages of the form "you are a
presumptuous bastard" and/or "you are an
ignorant foolish jerk" etc. to the small
case letter z!

--
If you know about a retail source of
inexpensive DES chips, please let
me know,  thanks.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "David S. Hansen" <[EMAIL PROTECTED]>
Subject: Re: Compression & Encryption in FISHYLAND
Date: Sat, 24 Jun 2000 00:46:48 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

lol =)

*** David S. Hansen
*** [EMAIL PROTECTED]
*** http://www.haploid.com

"zapzing" <[EMAIL PROTECTED]> wrote in message
news:8j0ui2$sf1$[EMAIL PROTECTED]...
> I have a wonderful idea! Let's just compress
> all messages of the form "you are a
> presumptuous bastard" and/or "you are an
> ignorant foolish jerk" etc. to the small
> case letter z!
>

=====BEGIN PGP SIGNATURE=====
Version: PGP 6.5.3

iQA/AwUBOVQFMLUtlIUTAKGREQJJiwCfU3l1MTaQwBroewE6lIsgB5KHXAgAoMYO
69cusq7rCd6hVZWN2HwQKH34
=nMiq
=====END PGP SIGNATURE=====




------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Crossposted-To: comp.arch.arithmetic,comp.arch.fpga
Subject: Re: CHES 2000 accepted papers
Date: 24 Jun 2000 01:13:02 GMT

In article <[EMAIL PROTECTED]>,
Christof Paar  <[EMAIL PROTECTED]> wrote:
>H. Wu. 
>Montgomery multiplier and squarer in GF(2^m).

What does it mean to do Montgomery multiplication in GF(2^m)!?

Also, is the author H.-H. Wu of the University of California, Berkeley?
Or a different H. Wu?

Thanks.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Compression & Encryption in FISHYLAND
Date: Sat, 24 Jun 2000 01:32:14 GMT

On Fri, 23 Jun 2000 22:28:10 GMT, "David S. Hansen"
<[EMAIL PROTECTED]> wrote, in part:

>Where on earth did you get the impression that this Scott guy
>is an "arrogant foolish mean person"?  Is June 23rd National
>Presumptuous Bastards Day or something?

While I don't wish to justify people in being impolite, it should be
noted that if someone wished to form an opinion of David A. Scott,
they would have more information than this one post.

Mr. Scott's claim to fame is scott19u, which essentially is a block
cipher which uses an S-box having 2^19 key-dependent entries. This
certainly is a valid way to increase security, but in his early
postings about an earlier version of this cipher, he made what many
view as exaggerated claims that well-respected block ciphers,
particularly IDEA as used in PGP, were worthless and insecure.

It is also distinguished by using a method of converting Huffman-coded
compressed text into a whole number of bytes which, since it offers a
bijective mapping of input random-bit-length symbol-terminating
messages to integral-number-of-bytes arbitrary messages, is claimed to
produce unbiased output bytes. I have disputed that claim; my take on
the basic ideas involved can be found at

http://home.ecn.ab.ca/~jsavard/crypto/mi060303.htm

The idea of using what I call a "pseudo-Morse" code for the last
symbol - which I think is sort of like the first half of what he does
for his compression (I'm not sure it's what he does, and in any case I
suspect it's an old idea that's been around a long time: if not, I may
have to change this page to give him credit by name) - is valid, but
while padding with 10000..., the standard technique used in SHA, is
bijective, it is not unbiased. I believe his technique, which is *not*
that technique, has the same sort of bias.

(If one assumed that since there are twice as many messages 1023 bits
long as there are 1022 bits long, a message is twice as likely to be
1023 bits long as 1022 bits long, one can indeed easily get an
unbiased technique of this type, as someone argued, but I think the
fallacy of assuming that to be the length distribution of messages is
obvious.)

Besides that, he has been quite happy to call Bruce Schneier and other
respected figures who have not condescended to call him names by a
number of names.

So it's really not surprising that he will meet with some negativity
on a preconceived basis now, each time he posts here.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Date: Fri, 23 Jun 2000 18:32:32 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> The most popular block chaining mode seems to be CBC.
> There is also PBC which chains with plaintext blocks.
> One can also accumulate the previous blocks for doing the
> chaining and use plaintext as well as ciphertext for
> chaining. (I used this in one of my own designs.) By
> combinatorics this gives 8 variants. Obviously one can
> also use modular addition instead of xor and do some
> random rotations if one likes. I think that the variability
> of chaining modes could be advantageously exploited such
> that the actual chaining mode used in a message has to be
> guessed by the opponent, thus rendering his task much more
> difficult.

Why would it?  All these operations can be summarized as:

  C_i = Encrypt( F( P_i, C_{i-1}, P_{i-1} ) )

for a relatively small set of F's, where:

  P_i is the ith plaintext block
  C_i is the ith ciphertext block
  Encrypt is the underlying block cipher (on a single block in encrypt mode)

Given that the number of possible F's is relatively small, and assuming that
P_i, P_{i-1} are known (that is, this is the known-plaintext attack), the
attacker can easily compute all 8 possible values of F( P_i, C_{i-1},
P_{i-1} ), and then do a brute force calculation of:

   Decrypt( C_i )

looking for any of the 8 possible values.  When he finds one, it is easy to
verify if he got the key, or a false hit.

This allows the attacker to look through all 8 possibilities with a
relatively small additional effort beyond a brute force search of the
underlying block cipher.  Thus, you have gained no additional security for
your additional complexity.

--
poncho
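The search described in the post above, worked through on a toy cipher as an added example (this is not code from the thread, and the 16-bit cipher, the particular family of eight chaining functions F, the IV convention and the sample key, mode and plaintext are all constructed here for illustration). It builds the eight key-independent values of F(P_i, C_{i-1}, P_{i-1}) once from the known plaintext and then makes a single trial decryption of C_i per key guess, checking the result against that whole set, so the unknown mode costs one set lookup per key rather than an eightfold repeat of the search.

```python
"""Toy demonstration: a secret choice among a handful of chaining modes adds
almost nothing to a known-plaintext brute-force search.  Every variant is
C_i = E_K(F(P_i, C_{i-1}, P_{i-1})) for a small family of F, so the attacker
enumerates the F outputs once and tests each key guess against the whole set."""

MASK = 0xFFFF
MUL = 0x2B8B                          # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key, block):
    """Constructed 16-bit block / 16-bit key cipher: xor, rotate, multiply rounds.
    Deliberately tiny so the whole key space can be searched in a second."""
    x = block & MASK
    for r in range(ROUNDS):
        x ^= (key + 0x9E37 * r) & MASK
        x = _rotl(x, 5)
        x = (x * MUL) & MASK
    return x


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt (rounds undone in reverse order)."""
    x = block & MASK
    for r in reversed(range(ROUNDS)):
        x = (x * MUL_INV) & MASK
        x = _rotr(x, 5)
        x ^= (key + 0x9E37 * r) & MASK
    return x


def F(mode, p_i, c_prev, p_prev):
    """Constructed family of 8 chaining functions: chain against C_{i-1}, P_{i-1},
    their xor, or their modular sum, combined with P_i by xor or by addition."""
    kind, use_add = divmod(mode, 2)
    v = (c_prev, p_prev, c_prev ^ p_prev, (c_prev + p_prev) & MASK)[kind]
    return (p_i + v) & MASK if use_add else p_i ^ v


def encrypt_blocks(key, mode, iv, blocks):
    """Block 0 chains against the IV in both the C and P positions (constructed convention)."""
    out, c_prev, p_prev = [], iv, iv
    for p in blocks:
        c = toy_encrypt(key, F(mode, p, c_prev, p_prev))
        out.append(c)
        c_prev, p_prev = c, p
    return out


def recover_key_and_mode(iv, blocks, cipher):
    """Known-plaintext search over the 16-bit key space with the mode unknown.
    Returns (survivors, decrypt_calls); survivors is a list of (key, mode) pairs
    that reproduce every ciphertext block."""
    # Stage 1 target is block 1: it chains against c0 and p0, which are known,
    # so all 8 candidate inputs to the block cipher can be computed with no key.
    targets = {}
    for mode in range(8):
        targets.setdefault(F(mode, blocks[1], cipher[0], blocks[0]), []).append(mode)
    survivors, calls = [], 0
    for key in range(1 << 16):
        calls += 1
        d = toy_decrypt(key, cipher[1])          # one trial decryption per key
        if d not in targets:
            continue
        for mode in targets[d]:                  # usually a single hit; confirm on all blocks
            if encrypt_blocks(key, mode, iv, blocks) == cipher:
                survivors.append((key, mode))
    return survivors, calls


# Constructed sample: the key and the mode are the secrets the attacker lacks.
SECRET_KEY, SECRET_MODE, IV = 0xBEEF, 5, 0x1234
PLAIN = [0x4845, 0x4C4C, 0x4F21]
CIPHER = encrypt_blocks(SECRET_KEY, SECRET_MODE, IV, PLAIN)

if __name__ == "__main__":
    found, work = recover_key_and_mode(IV, PLAIN, CIPHER)
    print("survivors:", [(hex(k), m) for k, m in found], "trial decryptions:", work)
```

The true (key, mode) pair is among the survivors after exactly 2^16 trial decryptions, the same count a search of the bare cipher would need; the set lookup is the only extra work, which is why keeping the mode secret is worth at most three key bits even against an attacker who is lazy enough to run the search once per mode.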




------------------------------

Subject: Re: Compression & Encryption in FISHYLAND
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 23 Jun 2000 19:09:34 -0700

"David S. Hansen" <[EMAIL PROTECTED]> wrote:
>WTF??
>
>Where on earth did you get the impression that this Scott guy
>is an "arrogant foolish mean person"?  Is June 23rd National
>Presumptuous Bastards Day or something?

You must be new here.  I know I should be polite and I know I
should just ignore him but he gets the best of me.  He is rude,
ignorant and just plain mean.

It's not that he has differing views on something it's that
nobody else is right unless they side with him.

Anyways I don't take anything he says seriously anymore (well
for the past long while).

BTW Don't PGP sign all your messages.  a) WASTE OF SPACE b)
Don't check anyways.

Tom


Got questions?  Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com


------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Variability of chaining modes of block ciphers
Date: 24 Jun 2000 02:56:13 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

> So from which sentence of mine did you conclude that I was suggesting
> to other people to 'fiddle about loads of different modes'? That there
> ARE a number of modes is indeed what I called attention to, but where
> is the suggestion of 'fiddling'?

There are indeed many chaining modes.  I don't believe that I ever
denied this.  By `fiddling', I was referring to the idea of choosing
from among a suite of these in order to add a few more effective key
bits.

> Your favorite mode is CBC. There can be no objection from others against
> your having that opinion at all. But you are clearly opposing my
> making publicity for the 'existence' of the other candidate modes,
> aren't you?

Nope.  Definitely not.  I'm opposing the idea of using the choice of
mode as a secret.

> There could be many reasons why a particular algorithm has to be used
> and there is no other choice. For instance, it could be that my boss
> is strongly of the opinion that 3DES should be used, because it is a
> current standard,

Do you have a problem with the security offered by triple-DES which
adding 4 more bits of key would help?  I certainly don't.

> or it could be that my firm has already invested much money in certain
> hardware and is unwilling to throw these away and buy new ones. That
> leaves me not much room to manoeuvre other than trying to see whether I
> could improve the matter a bit through using some chaining modes which
> in my personal judgement are better than ECB.

Almost any chaining mode is better than ECB.

> But something better IS anyway better than without that something,
> isn't it?

No.  Bad cryptography is worse than no cryptography at all, to someone
who can't tell the difference, because it is given trust.

> Why should one close one's eyes and forego a chance simply because
> that chance is not very attractively big?

I'm not suggesting doing anything blindly.  I'm suggesting choosing a
cipher to do the job of a cipher, which is to encrypt data strongly, and
a chaining mode to do the job of a chaining mode, which is to hide the
block structure of a block cipher.

> That's EXACTLY why one should keep one's eyes open to ALL opportunities
> of improving one's security that one can afford to exploit.

No!  I think that we should do enough that we believe that compromising
our secrets is well beyond our conservative estimate of the adversary's
capabilities.  If we can't do that, we're probably better off by not
deluding ourselves by doing a half-good job.  Half-good security isn't
better than none -- it's worse.


By the way, I suspect that I can identify most simple chaining modes
using some extremely simple chosen plaintext queries.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: DH - Man In The Middle
Date: 24 Jun 2000 02:58:49 GMT

David A. Wagner <[EMAIL PROTECTED]> wrote:

> These attacks don't work if both sides check to be sure that all values
> which are supposed to be in the q-order subgroup, are indeed in the subgroup.
> (Exclude the identity, too, for good measure.)  This is, in general, a good
> idea, so I don't see any reason to skimp on the subgroup-membership tests.

In the hypothetical (bad) example above, g has order q z, not q, and the
bogus results would satisfy a simple `if I exponentiate by q z, do I get
1?' test.  I agree (and have recommended elsewhere, for this very
reason) that generators be chosen to have prime orders, and that this be
verified.

-- [mdw]
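An added Python example, not code from either post, that runs Mark Wooding's order-q·z scenario against the two tests discussed here: the `exponentiate by q z, do I get 1?` test he says the bogus values would pass, and the subgroup-membership test David Wagner recommends (q prime, identity excluded, y^q = 1 mod p). The toy group is constructed for this example: p = 67, so p-1 = 66 = 2·3·11, with q = 11 as the intended prime order and z = 3 as the small cofactor; the function and variable names are mine.

```python
import math

# Constructed toy group (far too small for real use): p = 67 is prime and
# p - 1 = 66 = 2 * 3 * 11.  q = 11 is the intended prime order; z = 3 is the
# small cofactor from Wooding's example, so a "bad" generator of order q*z = 33
# exists alongside a proper generator of prime order q.
P, Q, Z = 67, 11, 3


def is_prime(n):
    """Trial division; adequate for toy-sized q."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def mult_order(h, p):
    """Multiplicative order of h modulo p (brute force, fine for a toy p)."""
    k, y = 1, h % p
    while y != 1:
        y = y * h % p
        k += 1
    return k


def element_of_order(p, n):
    """Some element of exact order n modulo prime p (n must divide p - 1)."""
    for x in range(2, p):
        h = pow(x, (p - 1) // n, p)
        if h != 1 and mult_order(h, p) == n:
            return h
    raise ValueError("no element of that order")


def weak_check(y, p, n):
    """The 'exponentiate by q*z and see if I get 1' test Wooding warns about:
    it accepts every element of the order-q*z group, including the order-z ones."""
    return pow(y, n, p) == 1


def subgroup_check(y, p, q):
    """Wagner's recommendation: q prime, 1 < y < p, and y^q == 1 (mod p).
    Any element whose order divides z, the identity included, is rejected."""
    return is_prime(q) and 1 < y < p and pow(y, q, p) == 1


def mallory_relay(value, p, q):
    """Mallory forwards value^q instead of value, pushing it into the order-z subgroup."""
    return pow(value, q, p)


def audit():
    """Run the exchange for every exponent and count what each check does."""
    g_bad = element_of_order(P, Q * Z)     # order q*z: the flawed parameter choice
    g_good = element_of_order(P, Q)        # prime order q: the recommended choice
    tally = {"weak_accepts_tampered": 0, "strong_rejects_tampered": 0,
             "tampered_small_order": 0, "strong_accepts_honest": 0}
    for alpha in range(1, Q * Z):
        tampered = mallory_relay(pow(g_bad, alpha, P), P, Q)
        tally["weak_accepts_tampered"] += weak_check(tampered, P, Q * Z)
        tally["strong_rejects_tampered"] += not subgroup_check(tampered, P, Q)
        tally["tampered_small_order"] += mult_order(tampered, P) <= Z
    for alpha in range(1, Q):
        tally["strong_accepts_honest"] += subgroup_check(pow(g_good, alpha, P), P, Q)
    return tally


if __name__ == "__main__":
    for name, count in audit().items():
        print(f"{name}: {count}")
```

Every relayed value has order 1 or 3, so the weak test accepts all of them while the prime-order subgroup test rejects all of them, and honest values from the order-q generator pass; the identity clause matters because exponents divisible by z make Mallory's relayed value exactly 1.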

------------------------------

Date: Sat, 24 Jun 2000 11:22:25 +0800
From: Yen-Choon Ching <[EMAIL PROTECTED]>
Subject: exponentiation

Hi,

Can someone tell me how fast we can do an exponentiation on an 8-bit
smart card for the following parameters:

p = 1024 bits, q = 160 bits

Does it need a crypto processor?

Thanks.


-- 
Yen-Choon Ching

------------------------------

Subject: Re: exponentiation
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 23 Jun 2000 20:42:59 -0700

Yen-Choon Ching <[EMAIL PROTECTED]> wrote:
>Hi,
>
>Can someone tell me how fast we can do an exponentiation on an 8-bit
>smart card for the following parameters:
>
>p = 1024 bits, q = 160 bits
>
>Does it need a crypto processor?

I assume this is in the field of integers modulo a prime?  Then
I would suggest a math-copro if speed is a requirement otherwise
a compact multiply-square can get it done in a *reasonable*
amount of time without serious code-bloat.

Tom


Got questions?  Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
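As an added example (not code from either post), a square-and-multiply exponentiation of the kind the reply refers to, instrumented to count the modular squarings and multiplications a q-bit exponent costs, plus a rough cost model for what one modular multiplication of p-bit operands means on an 8-bit CPU. The model (about 2·(p/8)^2 single-byte multiplies per modular multiplication, schoolbook product plus a reduction of comparable cost) is an assumption of mine, not a measurement; the function names are mine too.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation.  Returns (result, squarings, multiplications)
    so the cost of a q-bit exponent can be read off directly: one squaring per bit
    after the leading one, and one multiplication per further set bit."""
    if exponent == 0:
        return 1 % modulus, 0, 0
    bits = bin(exponent)[2:]
    result, squarings, multiplies = base % modulus, 0, 0
    for bit in bits[1:]:
        result = result * result % modulus
        squarings += 1
        if bit == "1":
            result = result * base % modulus
            multiplies += 1
    return result, squarings, multiplies


def byte_multiply_estimate(p_bits, q_bits, q_popcount=None):
    """Rough cost model (an assumption, not a measurement): each modular
    multiplication of p-bit operands on an 8-bit CPU costs about 2*(p/8)^2
    single-byte multiplies.  With q_popcount unset, an average exponent weight
    of q_bits/2 is assumed."""
    limbs = p_bits // 8
    per_modmul = 2 * limbs * limbs
    multiplies = q_bits // 2 if q_popcount is None else q_popcount - 1
    return ((q_bits - 1) + multiplies) * per_modmul


if __name__ == "__main__":
    # Constructed sample: a 160-bit exponent (the q size asked about) over a
    # 127-bit Mersenne prime, small enough to cross-check against pow().
    exponent = (1 << 159) | 0x12345
    modulus = (1 << 127) - 1
    result, sq, mu = square_and_multiply(5, exponent, modulus)
    print("matches pow():", result == pow(5, exponent, modulus))
    print(f"{sq} squarings, {mu} multiplications for a 160-bit exponent")
    print("estimated byte multiplies for p=1024, q=160:",
          byte_multiply_estimate(1024, 160))
```

For the parameters in the question the exponent, not the modulus, sets the loop length: a 160-bit q gives 159 squarings and on average about 80 multiplications, each a 1024-bit modular multiplication; the model puts that near eight million 8-bit multiply instructions, which is the figure to compare against the card's clock and the budget for a coprocessor.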


------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Weight of Digital Signatures
Date: Sat, 24 Jun 2000 14:00:50 +1000

There is no "perfect forgery" with paper and ink, merely pretty good ones.
With digital signature technology,  the signature is perfect under the
scenario described below.
Is the scenario's digital signature valid in a court of law? - well, that
depends on the available evidence, and lots of expensive fees.
From my limited legal understanding, I suspect the short answer is that the
relying party wears the entire liability, as occurs with paper signatures -
the equivalence factor in the legislation (unless certain forms of crime are
proved to be involved - forgery, intent to deceive, fraud etc).


Robert Stonehouse wrote in message
<[EMAIL PROTECTED]>...
>[EMAIL PROTECTED] (John Savard) wrote:
>...
>>A law that makes a digital signature "just as binding as one in ink",
>>when it is so much easier to break into someone's house and read their
>>hard drive than forge their signature perfectly makes ordinary people
>>much more vulnerable to forgery than before.
>...
>The thing that makes an ink signature binding is the fact that it
>was written by the right person. If your bank pays out on a forged
>cheque, saying 'Well, it was a perfect forgery'  won't help the bank
>at all. The bank has to make it good to you.
>
>It is hard to imagine how any law authorising digital signatures can
>preserve that protection for bank customers and others who sign
>documents.
>[EMAIL PROTECTED]



------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Try it.
Date: Sat, 24 Jun 2000 04:11:58 GMT



"Trevor L. Jackson, III" wrote:
> 
> "Trevor L. Jackson, III" wrote:
> 
> >
> > Le plus ce change, le plus c'est le meme chose.
> >
> 
> It has been pointed out to me that I no longer speak French in any meaningful
> way.  Apologies to any offended francophiles.
======================================
I have a suspicion that the redneck who pointed this out to you 
declares himself as a devout Christian. (This idea could not have 
occurred to an atheist, I know this, I am one myself).
   And, BTW, John-Paul II in Rome speaks 15 languages, French and
English included. This "Christian" who reprimanded you for using 
French, is in fact refusing to follow the example set forth by his 
own pontiff... Sic!

"Paris, ca vaut la messe!!"
Paris is worth a sermon!!

Best wishes                   BNK

------------------------------

From: "Pig Ear" <[EMAIL PROTECTED]>
Subject: Encryption 4 the Masses?
Date: Sat, 24 Jun 2000 05:09:45 GMT

Is this program any good? Has it stood up to the scrutiny of the crypto
community?

Thanks!



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
