Cryptography-Digest Digest #504, Volume #12      Tue, 22 Aug 00 08:13:00 EDT

Contents:
  ECC->Pegwit->SecuraCrypt (Re: where from come the difficulties....?) 
([EMAIL PROTECTED])
  Re: The DeCSS ruling ("CiPHER")
  Re: Very Fast Decorrelated Cipher ([EMAIL PROTECTED])
  Re: New algorithm for the cipher contest ([EMAIL PROTECTED])
  Re: The DeCSS ruling and the big shots (rot26)
  Re: CRC? ("Tomas Rosa")
  Re: On pseudo-random permutation (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Shellac)
  Re: The DeCSS ruling and the big shots (Mark Wooding)
  Re: The DeCSS ruling ("A. Melon")
  Re: Bytes, octets, chars, and characters (John Savard)
  Re: My unprovability madness. (Future Beacon)
  Re: Bytes, octets, chars, and characters (John Savard)
  Re: My unprovability madness. (John Savard)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: ECC->Pegwit->SecuraCrypt (Re: where from come the difficulties....?)
Date: Tue, 22 Aug 2000 10:06:09 GMT

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Sergio Arrojo wrote:
> I am an inexperienced student, so my question might be a bit stupid. I was
> told to make some Software to implement elliptic curves over GF(2^m).

just make sure that m is prime..

      Nigel Smart has recently discovered a new and powerful attack against elliptic
      curves over GF(2^m) for composite m
      Details available http://www.hpl.hp.com/news/ecc.html
      and http://www.hpl.hp.com./techreports/2000/HPL-2000-10.html.


BTW, I just found commercial app SecuraCrypt using ECC over GF(2^m) at
http://www.securasite.com/securacrypt.htm
there is no source code available, but it seems that the ECC code is taken from
Pegwit without modifications (the same private passphrase generates the same public
key)
and it also seems they have changed the symmetric cypher from Square to something else
(probably to DES, Blowfish or Twofish - these cyphers are mentioned on their main page)

== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp.htm <-- PGP half-Plugin for Netscape
http://disastry.dhs.org/pegwit  <-- Pegwit (probably insecure now)
remove .NOSPAM.NET for email reply
=====BEGIN PGP SIGNATURE=====
Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1

iQA/AwUBOaI0KjBaTVEuJQxkEQKuNACbBYDnazeJazSDOwnI/z3TubO6F9UAnj16
PsgR5rljAZkvDngEsd7Zc+ZA
=aSqS
=====END PGP SIGNATURE=====

------------------------------

From: "CiPHER" <cgoth[hatespam]@hotmail.com>
Subject: Re: The DeCSS ruling
Date: Tue, 22 Aug 2000 11:39:39 +0100
Reply-To: "CiPHER" <cgoth[hatespam]@hotmail.com>

"Jim Steuert" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>  Is anyone in this newsgroup concerned about
> this ruling?

Less on the ruling, more on something that the guy who made DeCSS pointed
out... it's rather scary when your own government/police force act like the
personal attack puppies of the US government in such cases.

Someone should get it hosted on Sealand. ;)

> The judge apparently ruled that publishing keys to a bank vault,
> even if the publisher never intended to rob the bank,
> would force the bank to re-program its vault. And that
> constitutes illegal intent.

But wasn't it one of the co.s that 'published' their key in the first place
which allowed all this? They shot themselves in the foot with stupidity as
far as I'm concerned. An algorithm can be as strong as you want it to be,
'unbreakable' even, but it's only as strong as its weakest link. Which is
usually a human. Publishing the key on a DVD is a pretty weak link.

---
Marcus
---
http://www.cybergoth.cjb.net/



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Very Fast Decorrelated Cipher
Date: Tue, 22 Aug 2000 10:32:11 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Mack) wrote:
> >Can someone help I think this is how the attack on five rounds goes..
> >
> >For any input diff (0,a) you use pairs of inputs such as (L,Ri) where
> >Ri varies and L remains the same.  Then the output is something like
> >(b,a).
>
> yes ...
>
> given that you can construct a characteristic
>
> input r1   b,a
> f   0,a
> swap a,0
> input r2   a,0
> f   a,0
> swap 0,a
> input r3   0,a
> f   b,a
> swap  a,b
>
> note that the probability of the three round characteristic is
> p^2 where p is the probability of the one round characteristic.

Well differential cryptanalysis is impossible against this cipher.  I
thought the impossible differential holds with a prob of 1?

> >
> >With 2^32 possible inputs of the form (L,Ri) you can get about 2^31
> >right pairs which would remove 2^31 keys right?
>
> That depends on the characteristic and the cipher.
>
> >
> >Then you need to do this 2^32 more times before the key becomes
> >apparent?
>
> no then you do a brute force search on the remaining keys. Or if the
> number of keys is still too high you repeat using the same texts with a
> different characteristic.

Still you need about 2^32 plaintexts to reduce the keyspace by not even
one bit, I think the six-round version is still ok.

> >
> >That means you need 2^63 chosen texts?
> >
>
> for a 64 bit block cipher it is hoped that you need more than 2^64
> chosen texts.  ie. it can't be done.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New algorithm for the cipher contest
Date: Tue, 22 Aug 2000 10:35:01 GMT

In article <8nte9s$pm0$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <8nsq4g$34q$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
>
> > Weak K values will come from having low hamming weights.
>
> Remember I said the key K generated by "MakeKey" is a random bit
> sequence. So the number of 1's is near 256 (half the total bits of K).

Yes, but weak keys still exist.

> > Consider flipping the lsb of the input, then if the K[0] has a zero
> > lsb then the msb of the output of the first round may be flipped with
> > some probability not 1/2 :).  Then as you reverse the string you get the
> > biased msb in the lsb position.
>
> Remember I said K[0]..K[3] are *always* *odd* integers, so K[0] lsb
> will never be zero. I need this to avoid the effect you pointed out and to
> invert the rounds.

I meant in the plaintext.

>
> > Still multiplication in Z is not a good idea since it's not a group
> > operation.
>
> You are forcing me to review my algebra books :)
> Consider the function
>    f(b) = k * b (mod 2^64)
> where b is a plain-block and k one of the multiplicative elements (K
> [0]..K[3]) of K. Since k is odd it has a multiplicative inverse k'
> (mod 2^64) and f(b) is a permutation (bijective) (any f(b) has a
> unique pre-image b = k' * f(b) (mod 2^64)).
> For a prime modulus, the multiplication is a group operation, but this
> is not necessary to generate good confusion/diffusion in the CipherBlock
> function. The statistical tests reported in the cipher documentation
> show this.
>
> Let me know if I misunderstood your observations.

Multiplication is not a group, this means the function doesn't depend
on all of the bits.  In a field it would be better.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
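
Both points in the exchange above can be checked in a few lines. The following is an added example (not code from the post, the cipher or the contest entry): it computes k' for an odd k modulo 2^64 and undoes f(b) = k * b (mod 2^64) with it, and it shows the sense in which a product modulo 2^64 "doesn't depend on all of the bits": flipping input bit i changes output bit i and possibly bits above it, never bits below it, so the low end of the block is mixed only by the low end of the input (in particular the output lsb equals the input lsb for every odd k). The 64-bit width and the odd multipliers follow the post; the multiplier value K and the inputs are constructed for the demonstration.

```python
import secrets

WIDTH = 64
MASK = (1 << WIDTH) - 1


def inverse_odd(k: int, width: int = WIDTH) -> int:
    """Multiplicative inverse of an odd k modulo 2^width.

    Newton iteration x <- x * (2 - k*x) doubles the number of correct low
    bits each step. x = k is already correct modulo 8 for every odd k
    (k*k == 1 mod 8), so five steps cover 64 bits."""
    if k & 1 == 0:
        raise ValueError("only odd k is invertible modulo a power of two")
    mask = (1 << width) - 1
    x = k
    correct_bits = 3
    while correct_bits < width:
        x = (x * (2 - k * x)) & mask
        correct_bits *= 2
    return x


def mul_round(b: int, k: int) -> int:
    """The post's f(b) = k * b (mod 2^64)."""
    return (k * b) & MASK


def inv_round(c: int, k: int) -> int:
    """Undo mul_round with k' = inverse_odd(k): b = k' * f(b) (mod 2^64)."""
    return (inverse_odd(k) * c) & MASK


def changed_bits(b: int, k: int, i: int) -> int:
    """XOR difference in the output when input bit i is flipped."""
    return mul_round(b, k) ^ mul_round(b ^ (1 << i), k)


def low_bits_isolated(k: int, trials: int = 256) -> bool:
    """Check over random inputs that flipping input bit i never changes an
    output bit below i and always flips output bit i. The output difference
    is +/- k * 2^i (mod 2^64), whose lowest set bit is bit i because k is odd,
    which is why the low bits of the product see nothing of the high bits."""
    for _ in range(trials):
        b = secrets.randbits(WIDTH)          # random input block
        i = secrets.randbelow(WIDTH)         # random bit position to flip
        d = changed_bits(b, k, i)
        if d & ((1 << i) - 1) or not d & (1 << i):
            return False
    return True


if __name__ == "__main__":
    K = 0x9E3779B97F4A7C15      # constructed odd multiplier, plays the role of K[0]
    k_inv = inverse_odd(K)
    print(hex(k_inv), (K * k_inv) & MASK)                  # second value is 1
    b = 0x0123456789ABCDEF
    print(inv_round(mul_round(b, K), K) == b)              # bijection undone
    print(low_bits_isolated(K))                            # triangular structure
    print(hex(changed_bits(0, K, 63)))                     # only the msb moves
```

The last line is the extreme case of the triangular structure: flipping the msb of the input can only ever flip the msb of the output, whatever odd k is used, so a single multiplication round provides no diffusion downwards at all and a cipher built on it has to get that from somewhere else.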

------------------------------

From: rot26 <[EMAIL PROTECTED]>
Subject: Re: The DeCSS ruling and the big shots
Date: Tue, 22 Aug 2000 10:40:40 GMT



Some links concerning the DeCSS ruling...

THE THREE PAGE ORDER AGAINST 2600 (PDF)
http://www.2600.com/dvd/docs/2000/0817-order.pdf

THE DECISION AGAINST 2600 (PDF)
http://www.2600.com/dvd/docs/2000/0817-decision.pdf

Emmanuel Goldstein's reaction to the ruling
http://www.2600.com/news/2000/0821.html

I'd just like to know what the general attitude of sci.crypt readers is
towards the DeCSS case... Isn't it about time the "big shots" use their
influence to stop the bullying by the MPAA, educate the public and
perhaps give 2600 their support? (It could be my ignorance and that they
are doing it already... I stand to be corrected.)

DeCSS case in a nutshell:
Someone designed and used an insecure encryption scheme. Before long
someone else broke it. And the someone else was sued.

What the hell?
Exactly.

Stop the bullying, mirror DeCSS.

rot26


>  Is anyone in this newsgroup concerned about
> this ruling?


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Tomas Rosa" <[EMAIL PROTECTED]>
Subject: Re: CRC?
Date: Tue, 22 Aug 2000 10:10:32 +0200


"Mario Tonni" <[EMAIL PROTECTED]> wrote in message
news:8npvk4$m4l$[EMAIL PROTECTED]...
>
>
> Hi there.
> Often I hear the term "CRC", which I know that means
> "cyclic redundancy check".
>
> What I wonder instead is if CRC's are error-recovering
> methods, or simply a more reliable way to calculate a
> checksum?


If you think about CRC in general as linear cyclic codes, then you can
have any type of code ("the code as you like it"). If you for example
want the error detection property only, then you design the code with this
property in mind. When you also want the ability to correct certain
types of errors, then you add this property to the design of the code.

There are quite a lot of subjects to talk about, too many to fit into this group.
Try the literature below as a starting point for your investigations.

A note about the comparison of cryptographic hash functions (SHA-1, etc.) and
cyclic codes. Each of these types of function is designed to have different
properties and thus is suitable for different purposes. Of course there may
be situations when you can use cyclic codes instead of a cryptographic hash
function and vice versa. But in general this is not the desired way.

When you use a hash function instead of a cyclic code, you will know
almost nothing about error patterns (for some codewords it may be 200-error
detecting while for some others only 2-error detecting - of course due to the
properties of the function you don't know which ones these codewords are).
Apart from some exceptions (I know them already) this will cause you some kind
of trouble.

literature: Vanstone, S. A., van Oorschot, P. C.: An Introduction to Error
Correcting Codes with Applications, ISBN 0-7923-9017-2

Tom
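
As an added example (not from the post or the book it cites), the two properties Tomas contrasts, shown on CRC-32 in Python. The detection half checks that every single-bit error in a message changes the CRC, which is what the code is designed for. The other half shows why a cyclic code is no substitute for a cryptographic hash: CRC is linear over GF(2) up to a constant that depends only on the length, so anyone can alter a message and then choose four bytes that restore the original CRC. The message text is constructed for the demonstration; the CRC-32 parameters (reflected polynomial 0xEDB88320, initial and final XOR 0xFFFFFFFF) are those of zlib, against which the implementation checks itself.

```python
import zlib

# CRC-32 as used by zlib, PNG and Ethernet: reflected polynomial, register
# initialised to 0xFFFFFFFF and the final value XORed with 0xFFFFFFFF.
POLY = 0xEDB88320
MASK = 0xFFFFFFFF

TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# The 256 table entries have 256 distinct top bytes, so the byte step below
# can be run backwards: the top byte of the new register reveals the index.
TOP_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(TOP_INDEX) == 256


def crc32_register(data: bytes, reg: int = MASK) -> int:
    """Advance the CRC shift register over data (table-driven, no final XOR)."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data: bytes) -> int:
    """Full CRC-32; agrees with zlib.crc32."""
    return crc32_register(data) ^ MASK


def detects_all_single_bit_errors(msg: bytes) -> bool:
    """Coding-theory view: a single flipped bit always changes the CRC,
    because the generator polynomial never divides a lone x^k term."""
    ref = crc32(msg)
    for i in range(len(msg) * 8):
        damaged = bytearray(msg)
        damaged[i // 8] ^= 1 << (i % 8)
        if crc32(bytes(damaged)) == ref:
            return False
    return True


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC is linear over GF(2) up to a length-dependent constant:
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0). A cryptographic hash
    is designed so that no relation of this kind holds."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    x = bytes(p ^ q for p, q in zip(a, b))
    return crc32(x) == crc32(a) ^ crc32(b) ^ crc32(bytes(len(a)))


def patch_for_target(prefix: bytes, target_crc: int) -> bytes:
    """Return 4 bytes p such that crc32(prefix + p) == target_crc.

    The byte step is new = TABLE[(old ^ b) & 0xFF] ^ (old >> 8). Running it
    backwards from the target recovers the four table indices the last four
    steps must use (each index is fixed by a top byte that the discarded low
    byte never reaches); walking forwards from the real register then gives
    the byte that produces each index. The prefix state cancels out entirely
    after four steps, which is why exactly four free bytes are enough."""
    target_reg = target_crc ^ MASK
    idx = []
    r = target_reg
    for _ in range(4):
        i = TOP_INDEX[r >> 24]
        idx.append(i)
        r = ((r ^ TABLE[i]) << 8) & MASK
    idx.reverse()
    reg = crc32_register(prefix)
    patch = bytearray()
    for i in idx:
        patch.append(i ^ (reg & 0xFF))
        reg = TABLE[i] ^ (reg >> 8)
    assert reg == target_reg
    return bytes(patch)


def forge(original: bytes, tampered_prefix: bytes) -> bytes:
    """Tampered message whose CRC-32 equals that of the original. The last
    four bytes are sacrificed to absorb the difference; any bytes the
    receiver ignores (padding, a comment field) will do."""
    return tampered_prefix + patch_for_target(tampered_prefix, crc32(original))


if __name__ == "__main__":
    # Constructed sample: the four trailing spaces are the 'free' bytes.
    original = b"transfer 100 EUR to account 12345678    "
    assert crc32(original) == zlib.crc32(original)
    print("all single-bit errors detected:", detects_all_single_bit_errors(original))
    forged = forge(original, b"transfer 999 EUR to account 87654321")
    print(hex(crc32(original)), hex(crc32(forged)), forged)
```

The forged message is the same length as the original and carries the same CRC, so a receiver relying on the CRC for integrity accepts it; the same bit-flip that the detection half always catches when it happens by accident is invisible once an adversary gets to choose four bytes. That asymmetry is the difference in "designed properties" the post is talking about.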




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Tue, 22 Aug 2000 13:20:00 +0200



Mok-Kong Shen wrote:
> 
> Tim Tyler wrote:
> >
> > In sci.crypt Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
[snip]

> > A PRNG outputting real numbers is not a requirement for the
> > orthodox method - you need random integers between 0 and n for
> > various values of n - not random reals.
> 
> My assumption limits me to the availability of a bit
> sequence. I can get from the beginning only random
> integers in [0, 2^s-1] for any s, but not random
> integers in arbitrary ranges.
[snip]

Sorry. What I said above is nonsense. One can get a
random number in a smaller range from a generator of
a larger range by simply discarding the numbers that 
are outside of range.

BTW, one thought that motivated my proposal is that
sort routines applicable to arrays of almost arbitrary
sizes are often available in one's programming
environment and can hence be conveniently utilized.

M. K. Shen
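
An added example (not code from the thread) of the two pieces the correction above relies on: getting a uniform integer in [0, n) out of a source that only hands out s-bit values, by discarding draws that fall outside the range, and feeding that into the orthodox Fisher-Yates shuffle. It also enumerates every possible s-bit draw for a small n to show that the discard method produces each output exactly equally often, whereas reducing with "v mod n" does not. The bit source (secrets.randbits) and the scripted test source are assumptions of the example, not part of the post.

```python
import secrets


def random_below(n: int, get_bits) -> int:
    """Uniform integer in [0, n) from a source that only returns s-bit random
    integers: take the smallest s with 2^s >= n and discard draws >= n.
    Every accepted draw has probability exactly 1/n; since 2^s < 2n the
    expected number of draws is below 2."""
    if n <= 0:
        raise ValueError("n must be positive")
    s = max(1, (n - 1).bit_length())
    while True:
        v = get_bits(s)
        if v < n:
            return v


def fisher_yates(items, get_bits):
    """The orthodox shuffle: walk from the end, swap position i with a
    uniformly chosen position j in [0, i]."""
    a = list(items)
    for i in range(len(a) - 1, 0, -1):
        j = random_below(i + 1, get_bits)
        a[i], a[j] = a[j], a[i]
    return a


def output_counts(n: int, s: int, reduce):
    """Enumerate all 2^s raw values and count how often each output in
    [0, n) is produced by the reduction function (None means discarded)."""
    counts = [0] * n
    for v in range(1 << s):
        out = reduce(v)
        if out is not None:
            counts[out] += 1
    return counts


def modulo_counts(n: int, s: int):
    """Counts for the tempting 'v mod n': the low residues get hit once more
    than the rest whenever n does not divide 2^s."""
    return output_counts(n, s, lambda v: v % n)


def rejection_counts(n: int, s: int):
    """Counts for the discard method: exactly one raw value per output."""
    return output_counts(n, s, lambda v: v if v < n else None)


def scripted_source(values, expected_bits=None):
    """Deterministic stand-in for the bit source, for tests: returns the next
    scripted value and checks that the caller asked for the expected width."""
    it = iter(values)

    def get_bits(s):
        if expected_bits is not None and s != expected_bits:
            raise AssertionError(f"asked for {s} bits, expected {expected_bits}")
        return next(it)

    return get_bits


if __name__ == "__main__":
    print(modulo_counts(6, 3))       # [2, 2, 1, 1, 1, 1]: biased
    print(rejection_counts(6, 3))    # [1, 1, 1, 1, 1, 1]: uniform
    print(fisher_yates(range(10), secrets.randbits))
```

With n = 6 and 3-bit draws, "v mod 6" maps 8 raw values onto 6 outputs and 0 and 1 each come out twice as often as the others; the discard method throws away the two out-of-range values and leaves one raw value per output, at the cost of the occasional extra draw. The same enumeration works for any n and s small enough to brute-force.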

------------------------------

From: Shellac <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: 22 Aug 2000 12:14:13 +0100

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Tim Tyler <[EMAIL PROTECTED]> writes:

> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> 
> :> It amuses me to think that some people feel they can completely dismiss
> :> the idea that the universe is deterministic on the basis of our current
> :> knowledge of physics.
> 
> : Excuse me, but (1) you have confused (non)determinism with fundamental
> : randomness [...]
> 
> *Perhaps*. AFAIK, in common usage, these terms are very closely equivalent.
> 
> My dictionary also has: "determinism (n): theory that human action is
> settled by forces independent of will".
> 
> I'm *not* using the word "determinism" in a manner that relates
> specifically to human action.  I'm using it in the sense that
> effects are "determined" uniquely by causes in a predictable fashion.
> 
> In other words, I am using "deterministic", as a synonym for "non-random"
> or "predictable" - and "indeterministic" as a synonym for "containing at
> least some random elements", or "being predictable only in a statistical
> manner".
> 
> I hope this makes my intended meaning clear.  If you are trying to draw
> distinctions between these terms, it might help to explain what you think
> the differences are, so that we are not at cross purposes over terminology.
> -- 
> __________                  http://alife.co.uk/  http://mandala.co.uk/
>  |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

I'll jump into the thread here, having missed much of what went
before. Bad behaviour, but you asked an interesting question - can you 
have randomness in deterministic systems?

First of all, your dictionary is a little inadequate :-) You are half
right: Determinism is best thought of as (roughly) the thesis that the
laws of physics are such that the 'present' complete state of the
world uniquely determines the future states (you can sharpen this up
quite a bit, but hopefully that's pretty clear).

Don't confuse this with predictability. Chaotic systems are (usually)
deterministic, but arbitrarily close systems initially become very far
apart subsequently. So attempting to predict precisely what happens to
such a system is impossible. Predictability is (I would argue) about
how errors grow.

Given how we normally define a random process it seems that a
deterministic process can't be a random process - true. However you
can have deterministic worlds with real randomness. The initial
conditions of the world could be random. This is the case in some
deterministic versions of quantum mechanics.

Finally you can have very strong pseudo-randomness in chaotic
systems. Some types of (deterministic) mechanical systems are such
that they are indistinguishable from a stochastic (i.e. random,
indeterministic) system (Bernoulli systems). With perfect knowledge of
the initial state of the system you can predict what will happen, of
course, but anything less than this will mean that it looks
random. One example is a ball on a pool table with a convex obstacle.

Hope that was clear,

Shellac

- -- 
Key fingerprint = FC31 23CA 3EBA E30D 2F20 D7EA 8C8F BB0A 49CA 5201
I use and endorse MkLinux, MacOS, GnuPG, Xemacs, Alpha (text
processor), wwwoffle, w3m, Gnus, Leafnode, Cherry Coke, PG Tips. They
do not sponsor me. Despite endless requests.
=====BEGIN PGP SIGNATURE=====
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE5omCDjI+7CknKUgERAs2KAKCykwjobuKsfj7eSDQBXUG1TI43tgCfSwcB
6xambco85TjiEjo+HV7RI5U=
=bR4g
=====END PGP SIGNATURE=====

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: The DeCSS ruling and the big shots
Date: 22 Aug 2000 11:26:52 GMT

rot26 <[EMAIL PROTECTED]> wrote:

> I'd just like to know what the general attitude of sci.crypt readers are
> towards the DeCSS case... Isn't it about time the "big shots" use their
> influence to stop the bullying by the MPAA, educate the public and
> perhaps give 2600 their support? (It could be my ignorance and that they
> are doing it already... I stand to be corrected.)

The list of people who gave statements to Martin Garbus (who is
representing 2600 in this case) reads like a cryptographic who's-who.
There are lots of familiar names there saying sensible things.

-- [mdw]

------------------------------

Date: Tue, 22 Aug 2000 04:47:48 -0700
From: "A. Melon" <[EMAIL PROTECTED]>
Subject: Re: The DeCSS ruling

Would it be a good idea if periodically someone should email the 
source decks in question to the judge?  Just to let him know how 
useless his ruling was?  Anyone know his email address?

If the New York Times published the source (a la Pentagon Papers) 
would the judge have ruled against them?  Another example would be 
the magazine that published detailed directions to making atomic 
bombs.

It appears that private copyright 'rights' are more powerful than the 
government rights to keep something secret.

The source is still available around on the web.  Has anyone done a 
survey to see if most of the sites that have it posted are outside 
the US?  Has the MPAA sent letters to sites overseas?  What is the 
reaction to the ruling or the letters by sites overseas?

Is the source on Deja-News?

What are the names of the files in question?

In article <[EMAIL PROTECTED]>
Jim Steuert <[EMAIL PROTECTED]> wrote:
>
>  I am horrified to learn about the DeCSS case. The judge has
> ruled in favor of the MPAA (Motion Picture Arts Association) and
> enjoined 2600 magazine from publishing the DeCSS code on its web
> site.
>
>   The judge apparently ruled that publishing keys to a bank
> vault, even if the publisher never intended to rob the bank,
> would force the bank to re-program its vault. And that
> constitutes illegal intent.
>
>    Where I think the judge is mistaken is his lack of distinction
> between publishing the specific keys to a specific bank vault, versus
> reverse-engineering a publicly visible vault mechanism (software).
>
>    Isn't what is discussed on this newsgroup equivalent to
> "vault mechanisms?". And if so, isn't publishing an attack on
> a commercially used encryption algorithm (DES certainly)
> illegal?
>
>  Is anyone in this newsgroup concerned about this ruling?
>
>               -Jim Steuert
>

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: comp.lang.c,alt.folklore.computers
Subject: Re: Bytes, octets, chars, and characters
Date: Tue, 22 Aug 2000 11:49:32 GMT

On 21 Aug 2000 18:16:59 -0700, Eric Smith
<[EMAIL PROTECTED]> wrote, in part:

>On a
>Stretch, a byte was of variable size from 1 to 8 bits.

I know that on a PDP-10, the byte was variable in size, and bytes of 9
or 7 bits were frequently used, but this is the first I've heard of
this characteristic applying to the Stretch.

Of course, though, only a limited number of Stretch computers were
shipped, and the term 'byte' did only come into general use with the
System/360. Prior to the Stretch, at least, computer memory was often
measured in characters, whether those characters were 6 bits in length
(as on a 7090 or an 1103) or 7 bits in length (6 data bits plus one
flag bit, for example, as on the 1401: the flag bit was often not
transferred to external media).

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Future Beacon <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: Tue, 22 Aug 2000 07:53:58 -0400




This isn't worth answering except to say that it is a purely
mathematical issue that should be confined to sci.math.


Jim Trek
Future Beacon Technology
http://eznet.net/~progress
[EMAIL PROTECTED]



On 22 Aug 2000, Torkel Franzen wrote:

> Future Beacon <[EMAIL PROTECTED]> writes:
> 
>  > I have to say it again.  I did not say that his theorem is
>  > incorrect and I have said that it is.  It is a correct deduction
>  > from the PM starting point.
> 
>   You seem to be assuming that PM was used in the proof, which it
> wasn't.
> 
> 


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: comp.lang.c,alt.folklore.computers
Subject: Re: Bytes, octets, chars, and characters
Date: Tue, 22 Aug 2000 11:56:13 GMT

On 22 Aug 2000 07:49:18 +0200, [EMAIL PROTECTED] (Paul Schlyter)
wrote, in part:
>In article <[EMAIL PROTECTED]>,
>Douglas A. Gwyn <[EMAIL PROTECTED]> wrote: 
>> Paul Schlyter wrote:

>>> Yep -- a word is X bits on an X-bit machine, that's the rule.
 
>> That is a tautology.  The real question is, what is meant
>> by "X" in calling a computer an "X-bit machine"?  I have
>> encountered real cases where no matter what you use for X,
>> it could be disputed.

>X = the width, in bits, of the data bus.

>Yes, I know there are cases where the external and the internal
>data buses differ in width... :-(

More importantly, there are cases where the same architecture is
preserved across designs with data buses of differing width. One
certainly can say that an 80386 SX is "16-bit" while a 386 DX, and a
486 (either SX or DX) are "32-bit", and a Pentium is "64-bit", but
that may not be appropriate for some circumstances.

Thus, the System/360 was referred to as a 32-bit architecture, because
the general registers were 32 bits wide, even though it was
implemented with bus widths from 16 to 128 bits. (The version with an
8-bit bus, however, was slightly incompatible, and had a 16-bit
architecture.)

>From that point of view, everything from the 80386 SX to the Pentium
is 32-bit. And, indeed, all those processors run some "32-bit"
software.

Another way to consider the word length of a machine would be to see
what alignment restrictions apply to instructions. This makes a
System/360 a 16-bit machine, and even a Pentium an 8-bit machine;
while this is an unambiguous convention, it doesn't say anything about
the power of the machine or the underlying architecture, so it hasn't
been used.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: Tue, 22 Aug 2000 12:02:19 GMT

On Mon, 21 Aug 2000 17:03:16 -0400, Future Beacon <[EMAIL PROTECTED]>
wrote, in part:

>If you're interested, the message below was selectively answered to
>make it appear that I disagree with Goedel's theorem.

When you say something like

> > It seems to me that we are not talking about the same thing.  The
> > foundations of any system must include definitions and may include
> > axioms.  If we get weird results that cause us problems or poorly
> > serve our purposes, the only place to go is back to the foundations
> > of the system (at least in my opinion).  If we assume that the
> > foundation is great, we're done.  But to me and a few others
> > undecidable questions are not acceptable within a mathematical
> > system (at least one that I would want to use).

then the conclusion must be that _either_ you disagree with Godel's
proof, _or_ that you believe that you can do without the ability to do
arithmetic.

Perhaps, though, there was something additional which indicated that
"I would want to use" applied to some specific purpose, such as
cryptography, where a more restricted mathematical substrate would
serve. Otherwise, I am hard put to think of what you could mean by
'selectively' quoted in this case.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
