Cryptography-Digest Digest #442, Volume #12      Mon, 14 Aug 00 18:13:00 EDT

Contents:
  Re: What is up with Intel? (lcs Mixmaster Remailer)
  Get Free Software (George Peters)
  Re: IDEA algorithm - how to license? ("Eric Braeden")
  Re: New Serpent Sboxes ("Brian Gladman")
  Re: What is up with Intel? (Roger Schlafly)
  Re: Is this Diffie-Hellman modification safe? (Thomas Wu)
  Who's used a Protocol Analyzer? ("Eric Braeden")
  Re: New William Friedman Crypto Patent (filed in 1933) (Mike Andrews)
  Re: OTP using BBS generator? (lordcow77)
  Re: Key in ASCII ?? (Benjamin Goldberg)
  Re: WinACE encryption algorithm (lordcow77)
  Re: New Serpent Sboxes (tomstd)
  Re: Steganography (Andru Luvisi)

----------------------------------------------------------------------------

Date: 14 Aug 2000 21:20:27 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?

Trevor L. Jackson, III wrote:
> Wider filters have been around "forever".  They were even discussed here in
> sci.crypt last year.

Last year is not forever.  If you could show that the specific circuit
used by Intel was already in the literature, you could probably invalidate
the patent.

> There may be something special about the patented device, but width cannot be
> the only aspect that was improved.

We'll have to wait and see, but based on discussion with Intel engineers
there is nothing that special about the bias remover, other than that
it looks at three bits at a time rather than two.

> Is there a reference available?

No, they haven't published it yet.  However someone posted what they
claimed or surmised was the state table, a few months ago on sci.crypt.

------------------------------

From: George Peters <[EMAIL PROTECTED]>
Subject: Get Free Software
Date: Mon, 14 Aug 2000 21:25:03 GMT

There is a full suite of encryption products available at
www.endecs.com/uenigma.exe.
It contains two file encryption applications, system key management application,
email, ftp and messaging applications. It is a self-extracting zip
file due to special installation requirements.

Well worth the download.


------------------------------

From: "Eric Braeden" <[EMAIL PROTECTED]>
Subject: Re: IDEA algorithm - how to license?
Date: Mon, 14 Aug 2000 17:24:10 -0400


David Thom <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> We've been trying to contact Ascom, the people who claim to license the
> IDEA algorithm (http://www.ascom.ch/infosec/), for the past 2+ weeks.
>
> We've sent emails repeatedly to the addresses on their web site
> ([EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]) and
> have even filled in their web form asking for information...no response
> (the emails are returned after 5 days as undeliverable).
>
> Is Ascom the correct company? Is this a for-real business?
>
> David Thom
> NPSi Houston
>
    Don't give up. They did the same thing to me. I finally decided that
these guys don't answer email. When they do get around to contacting
you, they just refer you to the North American contact. Sorry, I don't
remember who this is. Try to get an IDEA chip for production
prototyping....forget it. I went elsewhere. There are a lot better
algorithms anyway......Some in hardware.
Eric




------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: New Serpent Sboxes
Date: Mon, 14 Aug 2000 22:21:57 +0100

"Sam Simpson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I believe any Serpent SBoxes can be made into a boolean expression,
> it would be interesting to see how "optimal" (or otherwise!) they
> really are....
>
> --
> Sam Simpson
> Comms Analyst
> http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
> Delphi Crypto Components.  PGP Keys available at the same site.
>
> tomstd <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "Sam Simpson" <[EMAIL PROTECTED]> wrote:
> > >Have you worked out optimal (in respect of "terms") boolean
> > >representations of the S-Boxes?  Dr Gladman and myself have spent a
> > >considerable amount of computing power (using a custom program
> > >written by Dr Gladman, available on his site) to find what we
> > >consider to be near optimal terms for the existing boxes.
> > >
> > >If not then the boxes will, no doubt, be of theoretical interest but
> > >probably won't be particularly quick>
> >
> > Well I don't doubt that these sboxes could be turned into
> > something like the compiled ones since the original sboxes were
> > not designed with that strictly in mind, were they?

As Sam says, we did quite a bit of early work on Serpent S-box boolean
function optimisation.

Quite a bit of work has been done on these S-boxes for particular machines.
My code tries to reduce the total number of operations in boolean
expressions.  Dag Osvik has worked out better boxes on the Pentium family
and John Worley of HP has optimised these for the IA64 architectures.

You are welcome to use my code for S box boolean function search but it is a
bit of a hack and is not well documented. It's in the 'cryptography
technology' part of my site at http://www.gladman.uk.net under Serpent.

I know that quite a bit of optimisation code has been written here but I
don't think much of this has been published yet.

            Brian Gladman




------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Mon, 14 Aug 2000 14:25:43 -0700

lcs Mixmaster Remailer wrote:
> As for how it is better, specifically it produces more efficient output,
> with a smaller percentage of rejected bits, preserving more of the
> entropy in the input.

Better than the most simple-minded von Neumann rejection?
Ok, fine, but not as efficient as running it thru SHA-1
which is what a lot of crypto applications would be doing
anyway.

> With the bias remover, the chip produces very good quality random
> numbers that pass standard statistical tests, as described in
> http://www.cryptography.com/intelRNG.pdf. 

But why not just say that it passes those tests when the bias
is removed? People who understand those tests won't have any
problem understanding it.

> Without the bias remover the chip would pass almost no tests.
> A superficial reading would suggest that the RNG was crap since it
> fails everything.  Sophisticated reviewers would know to look deeper,
> but it could still hurt the chip's acceptance if it got a reputation
> for producing bits that fail elementary randomness tests.  So to some
> extent this can be seen as a marketing requirement.

Yes, the marketplace test is the real test, I guess. From what I
can see, the market did decide that the Intel RNG is crap and hardly
anyone uses it. That was my conclusion, anyway.

------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: Is this Diffie-Hellman modification safe?
Date: 14 Aug 2000 14:23:45 -0700

"George Harth" <[EMAIL PROTECTED]> writes:

> Greetings,
> 
> The basic scenario is that we log into the server app and use Diffie-Hellman
> to generate a shared secret key.  We plug those keys into Blowfish and use
> Blowfish for all further data communications, including the official
> password login.  The problem is that this method doesn't ensure that the
> server we connected to is actual, trusted server.
> 
> With that in mind, I modified the Diffie-Hellman algorithm slightly.  I am
> wondering if this modification is relatively safe, or if I am opening up
> some trouble.  This system uses the fact that the real server should already
> know the password for the user requesting a connection.
> 
> Where,
>     n = shared prime
>     g = shared base
>     h = hash of password (same bit length as n)
>     x = random secret number
>     y = random secret number
> 
> 1. Alice sends Bob her username and requests a connection. No password is
> sent at this stage.
> 
> 2. Bob computes and sends Alice X, where:
>     X = (power(g, x) mod n) xor h
> 
> 3. Alice computes and sends Bob Y, where:
>     Y = (power(g, y) mod n) xor h

Congratulations, you've just re-invented DH-EKE.  You need to be careful
exactly how you perform the xor, and how you choose n and g to avoid
leaking information.

At the risk of being repetitive, I'd suggest that you look into the
strong password families previously suggested:

http://srp.stanford.edu/srp/
http://www.integritysciences.com/

Some of these protocols have the additional advantage that the
information stored on the server side can't be used by an attacker
to break into your system (i.e. neither of them stores h).  Make sure
you read the published papers on this subject - there have been many.
-- 
Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
 E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
  Phone: (650) 723-1565              exchange for security deserve neither."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/
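The exchange George posted, with Tom Wu's two cautions (how the xor is done, how n is chosen) made concrete, as an added example that is not code from the thread. N, G, the SHA-256 truncation for h and the toy exponents are my assumptions; 8191 is a prime but far too small for real use.

```python
import hashlib
import secrets

# Toy public parameters, constructed for illustration only: 8191 = 2**13 - 1 is
# prime but tiny; a real deployment needs a large safe prime and a generator
# of a large prime-order subgroup.
N = 8191
G = 3
K_BITS = N.bit_length()          # the post says h has the same bit length as n


def password_mask(password: str) -> int:
    """h = hash of password, truncated to the bit length of n (SHA-256 is an
    arbitrary choice here; the post does not name a hash)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") & ((1 << K_BITS) - 1)


def mask(exponent: int, h: int) -> int:
    """Steps 2/3 of the posted protocol: X = (g^x mod n) xor h."""
    return pow(G, exponent, N) ^ h


def unmask(msg: int, h: int) -> int:
    """Strip the mask and insist the result is a group element in [1, n).
    A value outside that range can never have come from an honest peer, so
    the receiver rejects it rather than exponentiating garbage."""
    r = msg ^ h
    if not 1 <= r < N:
        raise ValueError("unmasked value is not in [1, n)")
    return r


def shared_key(own_exponent: int, peer_msg: int, h: int) -> int:
    """K = (g^y)^x mod n, computed from the peer's masked message."""
    return pow(unmask(peer_msg, h), own_exponent, N)


def run_exchange(h_bob: int, h_alice: int, x: int = None, y: int = None):
    """Bob (server) masks with the h he stores; Alice masks with the h she
    derives from what she typed. Returns (bob_key, alice_key), which agree
    only when both sides hold the same h."""
    x = secrets.randbelow(N - 2) + 1 if x is None else x
    y = secrets.randbelow(N - 2) + 1 if y is None else y
    X = mask(x, h_bob)          # Bob -> Alice
    Y = mask(y, h_alice)        # Alice -> Bob
    return shared_key(x, Y, h_bob), shared_key(y, X, h_alice)


def out_of_range_probability(n: int) -> float:
    """Chance that (g^x mod n) xor h leaves [0, n) for a uniform k-bit h:
    (2^k - n) / 2^k. For a wrong guess of h this is how often the unmasked
    value is visibly impossible, which is the leak Wu refers to; choosing n
    just below a power of two drives it toward zero."""
    k = n.bit_length()
    return ((1 << k) - n) / (1 << k)
```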

------------------------------

From: "Eric Braeden" <[EMAIL PROTECTED]>
Subject: Who's used a Protocol Analyzer?
Date: Mon, 14 Aug 2000 17:31:10 -0400

As long as I have read this NG I have never seen more
than an occasional reference to cryptographic protocol
analyzers. Given that the protocol is just as important
as the encryption algorithm, this seems strange.

My search on the net showed that analyzers are hard to
find. In fact, I was only able to find one that could be
downloaded.

So...Where are they and why don't we discuss them here?

Eric




------------------------------

From: [EMAIL PROTECTED] (Mike Andrews)
Subject: Re: New William Friedman Crypto Patent (filed in 1933)
Date: Mon, 14 Aug 2000 21:36:26 GMT

Scripsit John Savard <[EMAIL PROTECTED]>:
: On Fri, 11 Aug 2000 14:28:42 +0200, "Bjarne Carlsen"
: <[EMAIL PROTECTED]> wrote, in part:

:>seven is not a magic number ;-)

: Of course not. The magic numbers are 2, 8, 20, 28, 50, 82, and 126. :)

Unless you're a chemist, in which case the magic numbers are 2, 8,
18, 32, 50, and 72.

-- 
Nature and nature's laws lay hid in night,
God said, "Let Newton be," and all was light.
It did not last; the devil howling "Ho!
Let Einstein be!" restored the status quo.

------------------------------

Subject: Re: OTP using BBS generator?
From: lordcow77 <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 14:46:48 -0700

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
>Mark Wooding wrote:
>>
>> In general, though, I suppose we should consider the strength of
>> cryptosystems based on the integer factorization problem by the
>> difficulty of factoring the most difficult sorts of composite numbers
>> available, and then try to choose those sorts of composites. Currently,
>> those really are just the products of pairs of random primes.
>
>Could you conceive of any possibility of ever formally
>characterizing the 'most difficult sort of composite numbers'?
>Intuitively, I rather doubt that that could be done. Thanks.
>

Just what Mark Wooding stated; the products of two random primes
of the same length.


===========================================================

Got questions?  Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com


------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Key in ASCII ??
Date: Mon, 14 Aug 2000 21:57:13 GMT

Trevor L. Jackson, III wrote:
> 
> Guy Macon wrote:
> 
> > Trevor L. Jackson, III wrote:
> 
> [snip to focus on fundamental issue]
> 
> >
> > >The actual estimate means you can successfully predict the next
> > >character of a text stream about half the time.
> >
> > That cuts the bits entropy per character in half.  It doesn't reduce
> > the bits entropy per character to one.
> 
> Let's try again.  No matter how large the symbol set is, if I can
> predict the next symbol with 50% probability, then that symbol
> contains one bit of information.  

Suppose I have an unfair 6-sided die.  The "1" side comes up 50% of the
time.  The other sides come up 10% of the time each.  Although we can
predict the result with PRECISELY 50% probability, we can't represent 8
die rolls as 8 bits.

> In this context information, entropy, disorder, uncertainty, and
> surprise are synonyms.  The fact that a symbol has more than one bit
> used in its representation is an indication that the information
> density is lower than unity.
> 
> The trivial example is a fair coin flip.  Since there are two states
> and the flips are independent, the result contains one bit of
> information.

Yes, but in this case, when we make a mistake about our prediction,
there is only one other possibility.

> Given an fair 8-sided die each roll generates three bits of
> information.  An unfair die produces less by Shannon's fundamental
> definition of information which is the sum of the logarithms of the
> probabilities.  Trivial examples: given odds of 50:50:0:0:0:0:0:0 the
> die obviously produces only one bit.  Given odds of
> 25:25:25:25:0:0:0:0 the die produces two bits.  

> Exercise for reader:  how big does the "1" face have to be to produce
> only one bit if the other seven sides all have the same odds?

Much greater than 50%.  And only if you are allowed to use multiple
rolls [A string of "1"s] represented as a much shorter string of bits.


> When applying these definitions to text we treat each character in
> sequence and subtract from its numeric representation the degree by
> which we can predict the value.  Trivial example: In a numeric string
> consisting of repeated binary digits we have the equivalent of the
> fair coin toss if the bits are independent and uniformly distributed.
> 
> Example of structural context: In a numeric string composed of pairs
> of digits where the leading digit is always zero or one and the
> trailing digit is always two or three we need two bits to minimally
> represent each digit, but the information carried by each digit is
> still only one bit.  If all of the information is crammed into the
> leading digit (by using four pair of digits such as 00,11,22,33, or
> 00, 10, 20, 30) you still need two bits to hold each digit, but each
> digit (on average) has only one bit of information -- this is because
> the _pairs_ only have two bits of information.
> 
> These examples have obvious forms of redundancy.  English text also
> has a great deal of redundancy.  One can estimate it statistically,
> using the preceding text to condition the prediction of the next
> character.
> 
> With respect to your dictionary search, single words are not English
> text.  There is insufficient context to limit the information to a
> single bit per character. After all, there are far more than 256
> eight-letter words in English.  However, a random sequence of
> eight-letter words is hardly English text.

--
"There's a mathematical reason not to trust Christians... The Buddhists
believe that human lives repeat. The atheists believe that human lives
terminate. That means that the Christians must believe that humans are
irrational."
 - Matt Katinas
"Not necessarily... they could think that humans are imaginary."
 - Rob Pease, in response to the above
"Of course Christians think humans are irrational: They believe humans
are transcendental, and all transcendentals are irrational. I suppose
that all we can be certain of is that humans are complex."
 - Me, in response to the above
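Benjamin's unfair-die example and Trevor's exercise, worked numerically as an added example (not code from the thread): Shannon entropy of the die, the Shannon bound on encoding eight rolls, and a bisection for the weight the "1" face needs before an 8-sided die yields exactly one bit.

```python
import math


def entropy_bits(probs):
    """Shannon entropy in bits, -sum p*log2(p), skipping zero-probability faces."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def unfair_die_probs(p_one, sides):
    """'1' comes up with probability p_one; the other faces share the rest equally."""
    rest = (1.0 - p_one) / (sides - 1)
    return [p_one] + [rest] * (sides - 1)


def bits_for_rolls(probs, rolls):
    """Minimum average number of bits to encode `rolls` independent rolls.
    For the 6-sided die with a 50% '1' this is about 17.3 for 8 rolls, not 8."""
    return rolls * entropy_bits(probs)


def p_one_for_entropy(target_bits, sides, tol=1e-12):
    """Solve for the p_one at which the unfair die has exactly target_bits of
    entropy. For p_one above 1/sides the entropy falls monotonically from
    log2(sides) toward 0, so plain bisection suffices."""
    lo = 1.0 / sides        # fair die: maximum entropy
    hi = 1.0 - 1e-15        # almost-certain '1': entropy near zero
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if entropy_bits(unfair_die_probs(mid, sides)) > target_bits:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2
```

The exercise answer comes out near 0.856, i.e. well above the 50% that Benjamin says is not enough.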

------------------------------

Subject: Re: WinACE encryption algorithm
From: lordcow77 <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 14:49:19 -0700

tomstd <[EMAIL PROTECTED]> wrote:
>"Marc Beckersjuergen" <[EMAIL PROTECTED]> wrote:
>>Hey, I'm just the webmaster, not the developer
>>and I don't know squat about programming in general and
>>encryption in particular :-)
>
>So do something smart and go get a developer?  Geez...
>

<flame>
There's something called tact. You might consider learning about
it before tackling impossible differentials.
</flame>

Couldn't help myself.



------------------------------

Subject: Re: New Serpent Sboxes
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 14:55:51 -0700

"Brian Gladman" <[EMAIL PROTECTED]> wrote:
>"Sam Simpson" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> I believe any Serpent SBoxes can be made into a boolean expression,
>> it would be interesting to see how "optimal" (or otherwise!) they
>> really are....
>>
>> --
>> Sam Simpson
>> Comms Analyst
>> http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
>> Delphi Crypto Components.  PGP Keys available at the same site.
>>
>> tomstd <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>> > "Sam Simpson" <[EMAIL PROTECTED]> wrote:
>> > >Have you worked out optimal (in respect of "terms") boolean
>> > >representations of the S-Boxes?  Dr Gladman and myself have spent a
>> > >considerable amount of computing power (using a custom program
>> > >written by Dr Gladman, available on his site) to find what we
>> > >consider to be near optimal terms for the existing boxes.
>> > >
>> > >If not then the boxes will, no doubt, be of theoretical interest but
>> > >probably won't be particularly quick>
>> >
>> > Well I don't doubt that these sboxes could be turned into
>> > something like the compiled ones since the original sboxes were
>> > not designed with that strictly in mind, were they?
>
>As Sam says, we did quite a bit of early work on Serpent S-box boolean
>function optimisation.
>
>Quite a bit of work has been done on these S-boxes for particular machines.
>My code tries to reduce the total number of operations in boolean
>expressions.  Dag Osvik has worked out better boxes on the Pentium family
>and John Worley of HP has optimised these for the IA64 architectures.
>
>You are welcome to use my code for S box boolean function search but it is a
>bit of a hack and is not well documented. It's in the 'cryptography
>technology' part of my site at http://www.gladman.uk.net under Serpent.
>
>I know that quite a bit of optimisation code has been written here but I
>don't think much of this has been published yet.

Thanks, unfortunately your code won't compile with DJGPP 2.952
(using 'gxx') on my machine.  I get a whole bunch of errors (I
could email em if you like).

Do you have any different packages?

Another thing: I would like to learn more about boolean function
decomposition.  If you have any tips, pointers, or ideas to share
please do so.

Thanks,
Tom
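A starting point for the boolean-function question raised in this thread (Sam and Brian's "terms", Tom's decomposition request), as an added example that is not Brian's search code or anything else from the thread: the Möbius transform turns each output bit of a 4x4 S-box into its algebraic normal form (an XOR of AND-monomials), and the monomial count per bit is one crude cost measure. The S-box table below is constructed for illustration and is not one of Serpent's published boxes; Brian's search minimises total gate count, which is a different measure.

```python
def anf_coefficients(truth_table):
    """Möbius transform (in place, butterfly style): truth table of a Boolean
    function on n inputs -> ANF coefficients. coeff[m] == 1 means the monomial
    over the variables x_i with bit i set in m is present."""
    n = len(truth_table).bit_length() - 1
    coeff = list(truth_table)
    for i in range(n):
        step = 1 << i
        for j in range(len(coeff)):
            if j & step:
                coeff[j] ^= coeff[j ^ step]
    return coeff


def sbox_anf(sbox, out_bits):
    """One ANF (coefficient list) per output bit of a 2^n-entry S-box."""
    return [anf_coefficients([(v >> b) & 1 for v in sbox]) for b in range(out_bits)]


def monomial_str(m, n):
    return "1" if m == 0 else "".join(f"x{i}" for i in range(n) if (m >> i) & 1)


def anf_str(coeff, n):
    """Human-readable ANF, e.g. 'x0 ^ x1x2 ^ 1'."""
    terms = [monomial_str(m, n) for m, c in enumerate(coeff) if c]
    return " ^ ".join(terms) if terms else "0"


def eval_anf(coeff, x):
    """Evaluate an ANF at input x: XOR of monomials whose variables are all set."""
    return sum(c for m, c in enumerate(coeff) if (m & x) == m) & 1


def term_counts(sbox, out_bits):
    """Monomials per output bit: the 'terms' the thread talks about."""
    return [sum(coeff) for coeff in sbox_anf(sbox, out_bits)]


def algebraic_degrees(sbox, out_bits):
    """Highest monomial weight per output bit (a bijective 4-bit S-box never
    reaches degree 4, because each balanced output bit has even parity)."""
    return [max(bin(m).count("1") for m, c in enumerate(coeff) if c)
            for coeff in sbox_anf(sbox, out_bits)]


# Constructed 4x4 S-box for illustration only (not a Serpent box).
DEMO_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
             0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    for b, coeff in enumerate(sbox_anf(DEMO_SBOX, 4)):
        print(f"y{b} = {anf_str(coeff, 4)}")
    print("terms per bit:", term_counts(DEMO_SBOX, 4))
```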



------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Subject: Re: Steganography
Date: 14 Aug 2000 14:50:15 -0700

Bruce Barnett <[EMAIL PROTECTED]> writes:
> Does anyone know of any references to a technique for watermarking of
> text so that if more than one version of the text was examined,
> differences might be seen, but it would still be difficult for two
> individuals to create a version without revealing their identity.
> 
> I developed and implemented such a technique, and was wondering if
> it was unusual, or if others have done something similar.

I haven't heard of it before, but I would be very interested in
hearing your method.  Are you willing to share?

Andru
-- 
Andru Luvisi, Programmer/Analyst

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
