Cryptography-Digest Digest #503, Volume #12 Tue, 22 Aug 00 06:13:00 EDT
Contents:
Re: Very Fast Decorrelated Cipher (Mack)
Re: Kryptos and Gillogly ("collomb")
INTERESTED ON BUYING SOFTWARE ("Sergio Arrojo")
Re: INTERESTED ON BUYING SOFTWARE ("Michael Scott")
IPSec algorithms modes of operation? ("kihdip")
Re: IPSec algorithms modes of operation? ("kihdip")
Re: New algorithm for the cipher contest ([EMAIL PROTECTED])
Re: OTP using BBS generator? (Mok-Kong Shen)
Re: On pseudo-random permutation (Mok-Kong Shen)
Re: On pseudo-random permutation (Mok-Kong Shen)
Re: OTP using BBS generator? (Tim Tyler)
where from come the difficulties....? ("Sergio Arrojo")
Re: My unprovability madness. (Nathan the Great)
Re: My unprovability madness. (Torkel Franzen)
Re: How many bits of strength does the ZIP encryption have? (Tim Tyler)
Re: OTP using BBS generator? (Mark Wooding)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Mack)
Date: 22 Aug 2000 07:20:11 GMT
Subject: Re: Very Fast Decorrelated Cipher
>Can someone help I think this is how the attack on five rounds goes..
>
>For any input diff (0,a) you use pairs of inputs such as (L,Ri) where
>Ri varies and L remains the same. Then the output is something like
>(b,a).
yes ...
given that you can construct a characteristic
input r1 b,a
f 0,a
swap a,0
input r2 a,0
f a,0
swap 0,a
input r3 0,a
f b,a
swap a,b
note that the probability of the three round characteristic is
p^2 where p is the probability of the one round characteristic.
>
>With 2^32 possible inputs of the form (L,Ri) you can get about 2^31
>right pairs which would remove 2^31 keys right?
That depends on the characteristic and the cipher.
>
>Then you need todo this 2^32 more times before the key becomes apparent?
no then you do a brute force search on the remaining keys. Or if the number of
keys is still too high you repeat using the same texts with a different
characteristic.
>
>That means you need 2^63 chosen texts?
>
for a 64 bit block cipher it is hoped that you need more than 2^64 chosen
texts. ie. it can't be done.
>I'm lost...
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
>
Mack
Remove njunk123 from name to reply by e-mail
------------------------------
From: "collomb" <[EMAIL PROTECTED]>
Subject: Re: Kryptos and Gillogly
Date: 22 Aug 2000 07:53:09 GMT
Achilles
Did you read my website concerning KRYPTOS ? I give an original
and complete solution :
http://calvaweb.calvacom.fr/collomb/
Do not judge it too quickly.
I am waiting for your comments
[EMAIL PROTECTED]
Achilles Outlaw <[EMAIL PROTECTED]> a écrit dans l'article
<8nsa0p$gs3$[EMAIL PROTECTED]>...
>
>
> A small diversion concerning posts made about a month or so ago (just
> read them now); I've been following this with immense interest:
>
> Jim-- you made mention that part three of the code is a reference to
> Howard Carter's discovery of King Tutankhamun's tomb; and it (the
------------------------------
From: "Sergio Arrojo" <[EMAIL PROTECTED]>
Subject: INTERESTED ON BUYING SOFTWARE
Date: Tue, 22 Aug 2000 09:48:26 +0200
Reply-To: "Sergio Arrojo" <[EMAIL PROTECTED]>
I send this email on behalf of Adtranz Signal from Germany. We are
interested on
buying Software to implementation of strong elliptic curves over fields char
2.
The Software should also contain algorithms for Key generation and exchange
(Diffie Hellman), digital signatures (ECDSA), Encryption and Decryption of
messages. That is, a complete Software that enables us to simulate (real
time)
secured (by ECC) communications through unsecure channels .
We are studying what the market offers. Please, send us as soon as possible
whatever offer you think could interest us, with both the economic
conditions
and the technical characteristics of the product.
Best Wishes
Sergio Arrojo (Adtranz Signal, Germany)
[EMAIL PROTECTED]
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: INTERESTED ON BUYING SOFTWARE
Date: Tue, 22 Aug 2000 09:17:07 +0100
Most of your required functionality is implemented in the MIRACL library,
available form http://indigo.ie/~mscott
Mike Scott
"Sergio Arrojo" <[EMAIL PROTECTED]> wrote in message
news:8ntb2e$elg$[EMAIL PROTECTED]...
> I send this email on behalf of Adtranz Signal from Germany. We are
> interested on
> buying Software to implementation of strong elliptic curves over fields
char
> 2.
> The Software should also contain algorithms for Key generation and
exchange
> (Diffie Hellman), digital signatures (ECDSA), Encryption and Decryption of
> messages. That is, a complete Software that enables us to simulate (real
> time)
> secured (by ECC) communications through unsecure channels .
> We are studying what the market offers. Please, send us as soon as
possible
> whatever offer you think could interest us, with both the economic
> conditions
> and the technical characteristics of the product.
>
> Best Wishes
> Sergio Arrojo (Adtranz Signal, Germany)
> [EMAIL PROTECTED]
>
>
>
------------------------------
From: "kihdip" <[EMAIL PROTECTED]>
Subject: IPSec algorithms modes of operation?
Date: Tue, 22 Aug 2000 10:37:36 +0200
Just a quick question:
As far as I know, all the ESP algorithms in IPSec are used in CBC mode. Am I
correct ??
Do you know of other protocols where CFB or OFB modes are used ??
Kim
------------------------------
From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: IPSec algorithms modes of operation?
Date: Tue, 22 Aug 2000 10:44:55 +0200
I take it, that the AES also will be in CBC mode when included in IPSec.
(correct ??)
Kim
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: New algorithm for the cipher contest
Date: Tue, 22 Aug 2000 08:40:30 GMT
In article <8nsq4g$34q$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Weak K values will come from having low hamming weights.
Remember I said the key K generated by "MakeKey" is a random bit
sequence. So the number of 1's is near 256 (half the total bits of K).
> Consider flipping the lsb of the input, then if the K[0] has a zero
lsb
> then the msb of the output of the first round may be flipped with some
> probability not 1/2 :). Then as you reverse the string you get the
> biased msb in the lsb position.
Remember I said K[0]..K[3] are *allways* *odd* integers, so K[0] lsb
will never be zero. I need this to avoid the effect you pointed and to
invert the rounds.
> Still multiplication in Z is not a good idea since it's not a group
> operation.
You are forcing me to review my algebra books :)
Consider the function
f(b) = k * b (mod 2^64)
where b is a plain-block and k one of the multiplicative elements (K
[0]..K[3]) of K. Since k is odd it have a multiplicative inverse k'
(mod 2^64) and f(b) is a permutation (bijective) (any f(b) have a
unique pre-image b = k' * f(b) (mod 2^64)).
For a prime modulo, the multiplication is a group operation, but this
is not necessary to generate good confusion/difusion in the CipherBlock
function. The statistical tests reported in the cipher documentation
show this.
Let me know if I misunderstood your observations.
Alexis
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Tue, 22 Aug 2000 11:14:26 +0200
Bryan Olson wrote:
>
> Mok-Kong Shen wrote:
> > Bryan Olson wrote:
> > > Mok-Kong Shen wrote:
> > > > First of all the 'zero' is understood in the sense of
> > > > probability theory not in the sense of number theory.
> > > > At the time the spy makes up a list for casting a die,
> > > > he has free choice out of a practically unlimited topics
> > > > to be mapped to the die. The die may also be cast a
> > > > multiple times (thus having a larger event space) to
> > > > render the probability you mentioned arbitrarily small.
> > > > Once the topic is selected, he has yet a free choice
> > > > of messages (content). So before the timepoint where
> > > > his huge neuronal network starts to compose the message,
> > > > even the spy himself doesn't know what that message is.
> > > > So I think that justifies to ascribe a probability 0.
> > >
> > > That justifies "small" or even "negligible".
> > > Zero is wrong.
> >
> > Then kindly give me an example of yours that can
> > serve to illustrate a probability of measure zero
> > so that we could have a compararison.
>
> Uh, O.K: Let m be any message space, and s the sum
> of the probabilities of all messages in m. Consider
> the probability that s does not equal one.
First of all I don't yet see how you were answering to
my question, i.e. that that provides an example of the
kind I requested. Anyway, s, the sum of all probabilities
is by definition equal to one, isn't it?
We are doing 'hair-splitting' here. But never mind to
continue, as far I am concerned. I claim that there
is an infinite number of topics possible. Could you
accept that? If yes, then the probability of apriori
determining a message (by our imaginary and imaginative
sender himself and by his opponent) is clearly less
than any epsilon that you care to give. One counter-
argument that you could validly raise is that the brain
consists of a finite number of neurons and that that
system cannot possibly generate an infinite number of
entities in any finite time. But now we are apparently
beginning to touch on the so-called mind and body issue,
which is not yet resolved, as far as I am aware. Anyway,
for our purpose, is there a 'limit' to one's
(creative) thought? Is thought realized by a process
carried out by these finite number of neurons? A tiny
step further would then, I am afraid, be the question
of what is consciousness after all. How (through what
mechanism) could one ever be conscious? Am I really
conscious of the existence of myself and the world?
In fact in an analogous vein you could also argue that
the number infinity does not exist and hence should be
excluded from consideration, for any number one could
'think' of must have a finite number of digits, however
large. Or that the Eulidean geometry is nonsense,
because any point must have a finite dimension, etc.
I am afraid that we would be heavily flamed for wasting
bandwidth. But I am ready and interested to continue
discussing with you on a path which in my humble view is
no longer crypto but philosophical (maybe pseudo-
philosophical) via e-mail, even though I know that my
knowledge is fairly poor and am hence likely to be
beaten by anyone who knows more.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Tue, 22 Aug 2000 11:14:42 +0200
Tim Tyler schrieb:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> : Let A[1..n] be the array to be permuted, B[1..n] be an array
> : of records of two unsigned integers, with the first component
> : of each record filled with the pseudo-random bits (m bits
> : are used for each unsigned integer of size m, which is thus
> : a random number in [0, 2^m-1]) and the second component of
> : the records set consecutively to 1..n. We sort the array B
> : according to the first component of the records in ascending
> : order so that the second component now gives the original
> : (i.e. before sorting) array-index of the individual records.
> : With these indices, which form edivently a random permutation
> : of 1..n, the array A can be re-ordered.
>
> I observe that you omit any form of detection of collisions between the
> first components of B. Without such a check the result does not form a
> truly unbiased random permutation (on the assumption that the RNG is
> good).
That collision is to be resolved by the sorting process.
One has to decide on a resolution rule, though.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Tue, 22 Aug 2000 11:14:48 +0200
Tim Tyler wrote:
>
> In sci.crypt Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> : Pseudo-random permutation is commonly done with a PRNG giving
> : real values in [0,1) according to an algorithm due to
> : Durstenfeld (see Knuth vol. 2). Sometimes one has, however,
> : a pseudo-random bit sequence given, instead of a PRNG of
> : the said kind. In that case, I suggest that it is more
> : convenient to [use a sort-based method].
>
> A PRNG outputting real numbers is not a requirement for the
> orthodox method - you need random integers between 0 and n for
> various values of n - not random reals.
My assumption limits me to the availability of a bit
sequence. I can get from the beginning only random
integers in [0, 2^s-1] for any s, but not random
integers in arbitrary ranges.
> If one method is better than the other, I think performance
> should probably be the main distinguishing criterion.
You point is valid. On the other hand, the proposed
method at least offers an alternative which can as such
be of interest, particularly in crypto designs where
the presence of diversity of approaches can be favourable,
I suppose.
M. K. Shen
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 22 Aug 2000 09:14:59 GMT
Mark Wooding <[EMAIL PROTECTED]> wrote:
:> Tim Tyler wrote:
:> > I for one don't see how the nature of the BBS modulus might help prevent
:> > cycles in the low bits.
: You missed the bit where I explained exactly how the nature of the BBS
: modulus can prevent short cycles in the parity bit.
Yes, I definitely did.
: Remember that the cycle length of the parity bits must be a factor of
: the cycle length for the residue sequence, which in turn we know to be
: a factor of \pimax = \lambda(\lambda(n)). By choosing n appropriately,
: we can ensure that \pimax is twice the product of some large primes
: (larger than some chosen bound t). Then, by rejecting a seed which
: leads to a cycle of length 2, we know that the parity cycle length must
: be at least t.
Apart from the fact that cycles of length 1 also apppear to be a
possibility to my mind, this sounds very much as though you know
what you're talking about ;-)
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: "Sergio Arrojo" <[EMAIL PROTECTED]>
Subject: where from come the difficulties....?
Date: Tue, 22 Aug 2000 11:26:42 +0200
Reply-To: "Sergio Arrojo" <[EMAIL PROTECTED]>
Hi
I am an unexperienced student, so my question might be a bit stupid. I was
told to make some Software to implement elliptic curves over GF(2^m). I made
a very simple example with MATLab which was able to operate only with very
small numbers. Then I was told to translate to C and to simulate with
realistic values. The idea was to use a Linux compilator that enabled using
unlimited variables. Soon I saw that I would not be able to end this task. I
was told that this Software is actually quite difficult to design. Since I
(as dumb as I am) was able to make a simplified example that worked with
tiny numbers I assume that the tricky thing is to generate the curves (and
to simulate ECC) in a reasonable amount of time (less than 10^99 centuries)
when operating with really big numbers. Am I right, or am I missing
something here?
Thanks
Sergio
------------------------------
From: [EMAIL PROTECTED] (Nathan the Great)
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: Tue, 22 Aug 2000 09:31:26 GMT
On Mon, 21 Aug 2000 17:03:16 -0400, Future Beacon <[EMAIL PROTECTED]>
wrote:
>On 20 Aug 2000, Keith Ramsay wrote:
>> Goedel was careful not to assume anything speculative in his proof.
>
>He was careful to specify the formal system Principia Mathematica
>(PM). To characterize that system as not speculative is to simply
>dismiss out of hand my suggestion that it may not be acceptable to
>everybody.
Principia Mathematica builds on Cantorian Set theory which posits
the existence of complete, not just potential, infinite Sets.
The concept of a 'complete infinite' Set is obnoxious to an
Intuitionists.
>I have noticed that I am alone in this view among the people
>writing to this thread.
Alone in the wilderness...
"...a man who is more right than
his neighbors is a majority of one"
- Thoreau
>I think that the axioms are fine with them,
>undecidability and all.
...often in error, never in doubt
Nathan the Great
Age 12
====== Posted via Newsfeeds.Com, Uncensored Usenet News ======
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
======= Over 80,000 Newsgroups = 16 Different Servers! ======
------------------------------
From: Torkel Franzen <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: 22 Aug 2000 11:37:50 +0200
Future Beacon <[EMAIL PROTECTED]> writes:
> I have to say it again. I did not say that his theorem in
> incorrect and I have said that it is. It is a correct deduction
> from the PM starting point.
You seem to be assuming that PM was used in the proof, which it
wasn't.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: How many bits of strength does the ZIP encryption have?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 22 Aug 2000 09:37:01 GMT
Christian Ghisler <chris@ghisler=remove.com> wrote:
: I'm aware of the plain text attack - but this can be avoided by
: special means like dual compression without a header on the inner
: file.
You'll probably need a non-deterministic compressor to deal with the case
of complete known plaintexts. Either that or prepend some garbage to the
file before compressing.
It's almost certainly better to use a proper algorithm. I thought the US
had greatly relaxed its crypto export regulations recently.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP using BBS generator?
Date: 22 Aug 2000 09:58:27 GMT
Tim Tyler <[EMAIL PROTECTED]> wrote:
> Mark Wooding <[EMAIL PROTECTED]> wrote:
> :> Tim Tyler wrote:
>
> :> > I for one don't see how the nature of the BBS modulus might help
> :> > prevent cycles in the low bits.
>
> : You missed the bit where I explained exactly how the nature of the
> : BBS modulus can prevent short cycles in the parity bit.
>
> Yes, I definitely did.
Fair enough. I can't expect that everyone here reads every message I
post. I can't even be bothered to read most of them, so I can't see why
anyone else should, really. ;-)
Anyway, the article in question is:
: From: [EMAIL PROTECTED] (Mark Wooding)
: Newsgroups: sci.crypt
: Subject: Re: OTP using BBS generator?
: Date: 16 Aug 2000 09:42:26 GMT
: Organization: National Society for the Inversion of Cuddly Tigers
: Message-ID: <[EMAIL PROTECTED]>
[snip maths]
> Apart from the fact that cycles of length 1 also apppear to be a
> possibility to my mind, this sounds very much as though you know
> what you're talking about ;-)
Hmmm. If x = x^2 (mod n) then (taking logs) k = 2 k (mod \lambda(n)).
Let's divide through by g = \gcd(k, \lambda(n)). Let k' = k/g, and l =
\lambda(n)/g. Then
k' = 2 k' (mod l)
and \gcd(k', l) = 1. If k' =/= 0 (mod l) then we can multiply by
k'^{-1} and we get 1 = 2 (mod l) which won't work. So k is a multiple
of \lambda(n). But the antilog of a multiple of \lambda(n) is 1. Hence
the only seed with a cycle length of 1 is the multiplicative identity
itself.
Besides, testing for a period of length 2 will catch a period of length
1 as well.
-- [mdw]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
