Cryptography-Digest Digest #347, Volume #12 Thu, 3 Aug 00 08:13:00 EDT
Contents:
Re: The key schedule in Twofish (=?iso-8859-1?Q?H=E5vard?= Raddum)
Re: A new crypto algorithm Wolf_Cub_2 (Runu Knips)
Re: The key schedule in Twofish ("kihdip")
Re: Proving continued possession of a file (Mark Wooding)
Re: Sending Messages in Morse Code (John Savard)
Re: A non-linear extension of the Hill cipher (John Savard)
Re: The key schedule in Twofish (=?iso-8859-1?Q?H=E5vard?= Raddum)
New block cipher for the contest ("Manuel Pancorbo")
Re: The key schedule in Twofish ("kihdip")
Re: What is the word on TC5? (tomstd)
Re: Q: Quantum dots (Tim Tyler)
Re: New William Friedman Crypto Patent (filed in 1933) (John Savard)
ANNOUNCE - BUGS v3.2.2 (Sylvain Martinez)
Re: ANNOUNCE - BUGS v3.2.2 (Sylvain Martinez)
Re: New William Friedman Crypto Patent (filed in 1933) (jungle)
----------------------------------------------------------------------------
From: =?iso-8859-1?Q?H=E5vard?= Raddum <[EMAIL PROTECTED]>
Subject: Re: The key schedule in Twofish
Date: Thu, 03 Aug 2000 10:30:10 +0200
kihdip wrote:
> I have downloaded the Twofish paper (15 June 1998) and the source code from
> Counterpane.
> But I'm not sure if I have misunderstood a vital point in the algorithm:
>
> In the key schedule (4.3, page 8) the RS matrix is multiplied with 64 bits
> of the key to form 32 bits called S (the third word vector).
> But is this just a multiplication between the RS matrix and M (m8i,
> m8i+1...m8i+7) ???
> I have used the RS_MDS_Encode function from the source code to produce a
> result, and with ordinary calculus (and my calculator) I have multiplicated
> the two matrix'es the normal way.
>
> The problem is: I do not get the same result!!!
> (Ofcourse the 64 bit key-"material" was the same.)
>
> Why is the result not the same wheter I use the source code or my calculator
> ?? Have I forgotten anything ??
>
> Kim Hyldgaard
Since you say you've used a calculator, have you done the multiplications mod
2^8 or something similar? The multiplication is done in a GF(2^8), generated
by x^8+x^6+x^3+x^2+1. I haven't seen calculators doing finite filed arithemtic
before, but then again I'm not aware of all different types of calculators
floating around, so I could be missing the target here.
------------------------------
Date: Thu, 03 Aug 2000 10:46:14 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: A new crypto algorithm Wolf_Cub_2
Mark Wooding wrote:
>
> Leonid Nowikow <[EMAIL PROTECTED]> wrote:
>
> > This algorithm is very steady to the chosen-plaintext attack .
>
> [snip binary mush]
>
> Please repost with something readable.
>
> -- [mdw]
First sign impression: Ouch.
It works on single bit variables and is incomplete (Psi is
some function...).
Translated the .doc to text:
===================================
The description of the algorithm Wolf_Cub_2.
Leonid Nowikow, Jeroen van de Erve.
June 2000 .
___________________________________________________________________
This algorithm Wolf_Cub_2 is designed for an encryption of any
input file Fi to an output file Fo and also for a restoration
of the starting file.
A function Cub_2 is a first part of the algorithm Wolf_Cub_2
and is designed for the encryption:
Fo = Cub_2 (Fi, P)
We may suppose that any file and any password are sequences of
bits and here Fi, Fo and P are these three sequences of bits:
the input file Fi =
{ Fi[0], Fi[1], ...., Fi[i], ...., Fi[NF-1] },
Fi[i] = 0 or 1, i = 0, 1, 2, ...., NF-1;
the output file Fo =
{ Fo[0], Fo[1], ...., Fo[j], ...., Fo[NF-1] },
Fo[j] = 0 or 1, j = 0, 1, 2, ...., NF-1;
the password P =
{ P[0], P[1], ...., P[k], ...., P[NP-1] },
P[k] = 0 or 1, k = 0, 1, 2, ...., NP-1.
An other function Wolf_2 is a second part of the algorithm
Wolf_Cub_2 and is designed for a restoration:
FILE_restored = Wolf_2 (FILE_encrypted, P)
___________________________________________________________________
The function Cub_2: Fo = Cub_2 (Fi, P).
Input:
Fi = { Fi[0], Fi[1], ...., Fi[i], ...., Fi[NF-1] },
P = { P [0], P [1], ...., P [k], ...., P [NP-1] }.
Output:
Fo = { Fo[0], Fo[1], ...., Fo[j], ...., Fo[NF-1] }.
Ri[0] and Ri[1] are two current points in the file Fi,
Ro[0] and Ro[1] are two current points in the file Fo,
i. e. Ri[m] and Ro [m] are integer numbers,
0 <= Ri[m] < NF,
0 <= Ro[m] < NF, m = 0 or 1.
Ei[0] and Ei[1] are corresponding boundaries for these
Ri[0] and Ri[1], Eo[0] and Eo[1] are corresponding
boundaries for these Ro[0] and Ro[1].
i. e. Ei[m] and Eo[m] are integer numbers,
0 <= Ei[m] < NF,
0 <= Eo[m] < NF, m = 0 or 1.
The initial values for these current points
Ri[0], Ri[1], Ro[0], Ro[1]
are these following:
Ri0[0] = Psi (P[0] , P[1] , ...., P[NP/4-1] ,
0 ),
Ri0[1] = Psi (P[NP/4] , P[NP/4+1] , ...., P[NP/4+NP/4-1] ,
Ri0[0]),
Ro0[0] = Psi (P[NP/2] , P[NP/2+1] , ...., P[NP/2+NP/4-1]) ,
0 ),
Ro0[1] = Psi (P[NP*3/4], P[NP*3/4+1] , ...., P[NP*3/4+NP/4-1],
Ro0[0]).
Here Psi(bit[0], bit[1], ...., bit[NP/4-1], N ) is a some
function from NP/4 bits and from an one integer number N
that Ri0[0] != Ri0[1]
and Ro0[0] != Ro0[1].
The initial values for these current boundaries
Ei[0], Ei[1], Eo[0], Eo[1]
are these following:
Ei0[0] = Ri0[1]
Ei0[1] = Ri0[0]
Eo0[0] = Ro0[1]
Eo0[1] = Ro0[0]
___________________________________________________________________
Step 1.
Ri[0] = Ri0[0], Ri[1] = Ri0[1],
Ro[0] = Ro0[0], Ro[1] = Ro0[1],
Ei[0] = Ei0[0], Ei[1] = Ei0[1],
Eo[0] = Eo0[0], Eo[1] = Eo0[1].
Step 2.
Previous = 0,
| Previous is an integer number = 0 or 1 .
| It is a value of the last bit
| transfered from the file Fi to the file Fo.
Even = 0 ,
| Even is an integer number = 0 or 1 .
| It is a remainder of i / 2, (Even = i % 2) .
k = 0,
i = 0.
Step 3.
if i == NF then go to the Step 8.
Step 4.
if i < NF-1 then
Bit = Previous ^ P[k],
| the operation ^ is:
| 0 ^ 0 = 0
| 0 ^ 1 = 1
| 1 ^ 0 = 1
| 1 ^ 1 = 0
k = k + 1,
if k == NP then
k = 0,
Even = 1 - Even;
else /* if i == NF - 1 */
Bit = Bit ^ 1 .
Step 5 .
if Even != 0 then
Fo[Ro[1-Bit]] = Fi[Ri[1-Bit]],
Previous = Fi [ Ri [1-Bit] ] ,
Ri [1-Bit] = Ri [1-Bit] + 1 ,
if Ri [1-Bit] == NF then Ri [1-Bit] = 0 ,
Ro [1-Bit] = Ro [1-Bit] + 1 ,
if Ro [1-Bit] == NF then Ro [1-Bit] = 0 ;
else /* if Even == 0 */
Fo [ Ro [Bit] ] = Fi [ Ri [1-Bit] ] ,
Previous = Fi [ Ri [1-Bit] ] ,
Ri [1-Bit] = Ri [1-Bit] + 1 ,
if Ri [1-Bit] == NF then Ri [1-Bit] = 0 ,
Ro [Bit] = Ro [Bit] + 1 ,
if Ro [Bit] == NF then Ro [Bit] = 0 ;
Step 6.
if Ri [1-Bit] == Ei [1-Bit] and i < NF-2 then
A1 = Ri[Bit],
Ei [1-Bit] = Ei [Bit] ,
A3 = Ei [Bit] ,
if A3 < A1 then A3 = A3 + NF ,
A2 = (A1 + A3) / 2 ,
if A2 >= NF then A2 = A2 - NF ,
Ri [1-Bit] = A2 ,
Ei [Bit] = A2 .
( A1 , A2 , A3 are work variables )
if Ro[1-Bit] == Eo [1-Bit] and i < NF - 2 then
A1 = Ro [Bit] ,
Eo [1-Bit] = Eo [Bit] ,
A3 = Eo [Bit] ,
if A3 < A1 then A3 = A3 + NF ,
A2 = (A1 + A3) / 2 ,
if A2 >= NF then A2 = A2 - NF ,
Ro [1-Bit] = A2 ,
Eo [Bit] = A2 .
if Ro[Bit] == Eo[Bit] and i < NF - 2 then
A1 = Ro [1-Bit] ,
Eo [Bit] = Eo [1-Bit] ,
A3 = Eo [1-Bit] ,
if A3 < A1 then A3 = A3 + NF ,
A2 = (A1 + A3) / 2 ,
if A2 >= NF then A2 = A2 - NF ,
Ro [Bit] = A2 ,
Eo [1-Bit] = A2 .
Step 7.
i = i + 1,
go to the Step 3.
Step 8.
The end of the work.
___________________________________________________________________
The function Wolf_2: FILE_restored = Wolf_2(FILE_encrypted, P)
is an inverse function for the function Cub_2.
___________________________________________________________________
The end of the description of the algorithm Wolf_Cub_2
Phone and Fax : +972-6-640-7465
[EMAIL PROTECTED]
[EMAIL PROTECTED]
------------------------------
From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: The key schedule in Twofish
Date: Thu, 3 Aug 2000 10:57:20 +0200
>before, but then again I'm not aware of all different types of calculators
>floating around, so I could be missing the target here.
>
Thank you for your answer. I bump into this Galois field all the time, but
nobody seems to have any understandable explanation of how it works. Since I
have just used ordinary mod 2^8 this is probably the reason why I don't get
the same result.
But since I'm a student with no knowledge of Galois fields, I wondered if
anyone has anything explaining it in a 'down to earth' manner ?
(I know it is 'just' math, but I hope somebody can explain it to me)
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Proving continued possession of a file
Date: 3 Aug 2000 09:09:10 GMT
David A. Wagner <[EMAIL PROTECTED]> wrote:
> In article <8ltusp$rmb$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> > I've found an algorithm that lets Bob post non-interactive
> > proofs that he has a certain message M.
>
> What's wrong with applying the standard heuristic to turn any
> interactive proof into a non-interactive one? Let D be the date, and
> H be a hash function (with sufficiently large output length) that can
> be modeled as a random oracle. Take any interactive protocol for
> proving continued possession of a file. Then we run the interactive
> protocol, except that the challenger should use H(D) as his random
> bits instead of generating truly random bits. If we publish D and the
> trace of this simulated protocol run, doesn't this give us a nice
> concise non-interactive proof as desired?
No. For a start, Bob can compute H(D) for various D in advance (say,
every week for a year) and then throw away the original file. The
important bit behind continued possession protocols is that it's not the
prover who has the secrets.
My protocol gave the verifier a long-term secret which she could use as
a short cut to computing the same thing the prover would have to
calculate the hard way. The important bit behind mm4141[1]'s work was
removing the need for the verifier's long-term secret by having a TTP
provide values which are useful for verification but not computing.
That's an important step. But then there's an additional tweak for
constructing the noninteractive proof: you must use some unpredictable
source for the timing information. The date can be predicted easily, so
dates aren't a good source of hash preimage material. Using, say,
lottery numbers, racing results and/or newspaper headlines works much
better here.
[1] While I don't have any problem with people wanting to retain
anonymity, I do wish they'd give some more usable pseudonyms. ;-)
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Sending Messages in Morse Code
Date: Thu, 03 Aug 2000 09:17:46 GMT
On Thu, 03 Aug 2000 02:47:10 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:
>To keep everyone happy, I have added to my starting page on data
>compression
>http://home.ecn.ab.ca/~jsavard/mi0601.htm
>a few extra lines of text about arithmetic compression, and I have
>discussed Tunstall codes as well, since my Morse armor idea reminded
>someone on comp.compression of them.
And I have also added, at
http://home.ecn.ab.ca/~jsavard/mi060102.htm
a description of a scheme whereby arithmetic coding is approximated,
using only bits and base-3 digits (also called trits) to keep all the
base conversions well-bounded.
John Savard (teneerf <-)
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A non-linear extension of the Hill cipher
Date: Thu, 03 Aug 2000 09:21:43 GMT
If one makes one's matrix of the form
1 0 0 0 0
* 1 0 0 0
* * 1 0 0
* * * 1 0
* * * * 1
where the 1's can be replaced by any number with a reciprocal, and the
asterisks indicate any nonlinear function, not just squaring, and any
rearrangement of rows and columns is allowed, one indeed has something
invertible...but it is really a generalization of the Feistel round
rather than the Hill cipher.
John Savard (teneerf <-)
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: =?iso-8859-1?Q?H=E5vard?= Raddum <[EMAIL PROTECTED]>
Subject: Re: The key schedule in Twofish
Date: Thu, 03 Aug 2000 12:22:44 +0200
kihdip wrote:
> >before, but then again I'm not aware of all different types of calculators
> >floating around, so I could be missing the target here.
> >
>
> Thank you for your answer. I bump into this Galois field all the time, but
> nobody seems to have any understandable explanation of how it works. Since I
> have just used ordinary mod 2^8 this is probably the reason why I don't get
> the same result.
> But since I'm a student with no knowledge of Galois fields, I wondered if
> anyone has anything explaining it in a 'down to earth' manner ?
> (I know it is 'just' math, but I hope somebody can explain it to me)
To give an introduction to the subject so that you fully appreciate how a
finite (or Galois) field works is too much to do in a newsgroup. Not that it's
very difficult, there is just rather much to explain. I would recommend you
study a textbook on the subject. The book I have on the topic is called "A
Concrete Introduction to Higher Algebra" by Lindsay Childs, and is fairly good
------------------------------
From: "Manuel Pancorbo" <[EMAIL PROTECTED]>
Subject: New block cipher for the contest
Date: Thu, 3 Aug 2000 12:28:48 +0200
I don't see my post (7-30) about a new cipher. Hence, here it is again
=========
JALEO BLOCK CIPHER
Main Features
* 128-bit block size cipher (could be implemented in 64-bit fashion or in
any
64-bit size).
* It's not a Feistel cipher; its concept is totally different. Only 3 single
steps. No "round" is needed.
* It's based on two matrix transforms (Hill method) modulo 2, with mixed
operation on 2^N to avoid linearity.
* Internal key size of 8256 bits (2080 in case of 64-bit block size).
* User key is variable, its size must be an exact 32 multiple. The internal
key is generated by a suited non-linear propagator applied to the user key.
* Memory occupied by the key-dependent variables sizes up to 4112 bytes
(1032
in case of 64-bit block size). Key scheduling needs about 80Kb of temporal
memory in an unoptimized way.
* Actual performance is 1.5 Mb/s in a K6-II 350Mhz. Due to the structure of
the core algorithm it can be naturally programmed in assembler or even in
hardware, this way gaining speed. Moreover this algorithm will take much
advantage of 64-bits micros.
Full description and source code in www.scandicus.es.org/jaleo.zip (~135 Kb)
------------------------------
From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: The key schedule in Twofish
Date: Thu, 3 Aug 2000 12:49:06 +0200
bject. The book I have on the topic is called "A
>Concrete Introduction to Higher Algebra" by Lindsay Childs, and is fairly
good
>
Thanks, I'll try that.
Kim
------------------------------
Subject: Re: What is the word on TC5?
From: tomstd <[EMAIL PROTECTED]>
Date: Thu, 03 Aug 2000 04:05:43 -0700
Runu Knips <[EMAIL PROTECTED]> wrote:
>tomstd wrote:
>> I have done more differential cryptanalysis on TC5 but no
>> breaks. There is a mistake in the TC5 paper as well.
>>
>> But no real breaks on the cipher.
>
>Hi Tom ! Welcome back :-)
Thanks, my new isp seems to work very well :)
>> Maybe if David could explain his attack better we could finish
>> tc5 off?
>
>Hmm I'm next to sure that attack only distinguishes the
>cipher from a random permutation. He said 'generic attack
>from the literature', and that doesn't sound like deeper
>cryptanalysis - more like something which comes to mind
>immediately as you look at some concept.
But that is just it. If I understand his attack well he is
trying to send a predefined difference through at least one
round of TC5, which is not generally feasible...
Does anyone else have any comments on TC5?
Thanks,
tom
Glad to be back!!!
===========================================================
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Q: Quantum dots
Reply-To: [EMAIL PROTECTED]
Date: Thu, 3 Aug 2000 10:57:16 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: [...] It may be of interest to note that there is currently an
: international conference on quantum dots. I happened to see a number of
: posters but the materials in them are of course entirely cryptic for a
: layman like me.
There's a (fairly) PopSci book on the subject. "The Quantum Dot", by
Richard Turnton. It's quite readable.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Breast is best.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: New William Friedman Crypto Patent (filed in 1933)
Date: Thu, 03 Aug 2000 11:17:53 GMT
On 03 Aug 2000 06:30:47 GMT, [EMAIL PROTECTED] (Mack) wrote, in
part:
>Hmmm ... does someone at IBM have a sense of humor or
>did the patent office hold a patent due to National Security Issues?
The patent seems real enough; it corresponds to the M-134, which,
although it is a rotor machine, is not all that similar to the Enigma.
And many patents by Friedman and others at the NSA have indeed been
held for years and decades for reasons of national security.
John Savard (teneerf <-)
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Sylvain Martinez <[EMAIL PROTECTED]>
Subject: ANNOUNCE - BUGS v3.2.2
Date: Thu, 03 Aug 2000 11:16:17 GMT
BUGS v3.2.2 has been released:
http://www.bcrypt.com/crypto/bugs-3.2.2.tgz
Update:
. Corrected minor error in block and bunlock in the argcheck()
. Corrected a problem in bcrypt, block and bunlock when a parameter
was sent as a parameter.
. Changed the default TYPE_INT from 'long' to 'int' for the library
. Minor change in the testscript
Cheers,
Sylvain.
PS: Thanks to Jeremie petit for testing BUGS on TRUE64.
--
---
Unix security administrator
BUGS crypto project: http://www.bcrypt.com
http://www.encryptsolutions.com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Sylvain Martinez <[EMAIL PROTECTED]>
Subject: Re: ANNOUNCE - BUGS v3.2.2
Date: Thu, 03 Aug 2000 11:24:19 GMT
sorry, the link should have been:
http://www.bcrypt.com/crypto/bugs-3.3.2.tgz
as the new version is 3.3.2 and not 3.2.2
hum... I need more sleep ! (and new fingers ;o)
Sylvain.
In article <8mbk9t$hhv$[EMAIL PROTECTED]>,
Sylvain Martinez <[EMAIL PROTECTED]> wrote:
> BUGS v3.2.2 has been released:
> http://www.bcrypt.com/crypto/bugs-3.2.2.tgz
>
> Update:
> . Corrected minor error in block and bunlock in the argcheck()
> . Corrected a problem in bcrypt, block and bunlock when a parameter
> was sent as a parameter.
> . Changed the default TYPE_INT from 'long' to 'int' for the library
> . Minor change in the testscript
>
> Cheers,
> Sylvain.
> PS: Thanks to Jeremie petit for testing BUGS on TRUE64.
> --
> ---
> Unix security administrator
> BUGS crypto project: http://www.bcrypt.com
> http://www.encryptsolutions.com
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
--
---
Unix security administrator
BUGS crypto project: http://www.bcrypt.com
http://www.encryptsolutions.com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: jungle <[EMAIL PROTECTED]>
Subject: Re: New William Friedman Crypto Patent (filed in 1933)
Date: Thu, 03 Aug 2000 07:57:10 -0400
awarded after 67 years of conspiracy !!!
=========================================
in support of awarded issue ...
are we going to expect now that patent on HYPERLINK awarded to BT in 1976, that
is making SPIN now everywhere in the world, will be invalidated because NSA
will / could be awarded patent FILED in, say 1933 & LOCKED IN CONSPIRACY until
now ?
it must be illegal to award patent, after conspiracy for say 1 or 2 years &
definitely illegal after 67 years of conspiracy ...
Bruce Schneier wrote:
>
> William Friedman filed a patent application for an Enigma-like
> encryption device in 1933. The Patent Office awarded the patent this
> month:
>
> http://www.patents.ibm.com/details?&pn=US06097812__&s_all=1
>
> Bruce
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
