Cryptography-Digest Digest #694, Volume #12 Sat, 16 Sep 00 16:13:00 EDT
Contents:
Re: "Secrets and Lies" at 50% off (Ike R. Malony)
Re: For the Gurus ("root@localhost " <[EMAIL PROTECTED]>)
Re: "Secrets and Lies" at 50% off (K. Y. Lemonair)
Re: ExCSS Source Code (David A Molnar)
Re: SHA-2 name rumors (Albert Yang)
Re: "Secrets and Lies" at 50% off (Menial Roky)
Re: Tying Up Loose Ends - Correction (SCOTT19U.ZIP_GUY)
question about delastelle cipher in Bauer's book (Fritz Schneider)
Re: CDMA tracking (was Re: GSM tracking) (Darren New)
Re: Attack on Free-MAC (Adam Back)
Re: More Bleh from a Blahish person. ;) (Simon Johnson)
Re: More Bleh from a Blahish person. ;) (Tom St Denis)
Re: Tying Up Loose Ends - Correction (Tom St Denis)
Re: "Secrets and Lies" at 50% off (Oral I. Menky)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Ike R. Malony)
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 17:22:58 GMT
Tim Tyler <[EMAIL PROTECTED]> wrote:
>For future reference - and if anyone cares - you can generally truncate
>Deja URLs after the "AN=" digits without any great loss - i.e. the
>following URL leads to the same spot:
>
> http://x52.deja.com/threadmsg_ct.xp?AN=655426930.1
>
>You can miss off the ".1" as well if you like:
>
> http://x52.deja.com/threadmsg_ct.xp?AN=655426930
Great advice. Thanks!
--
"Ike R. Malony" is actually 4012 859673 <[EMAIL PROTECTED]>.
012 3 456789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: "root@localhost <spamthis>" <[EMAIL PROTECTED]>
Subject: Re: For the Gurus
Date: Sat, 16 Sep 2000 13:11:14 -0400
Jim,
Thank you for your points. I really do appreciate you having taken the
time to discuss this with me.
I will carefully consider what you have said. Perhaps the OTP is the
only way to go, though at this point I am looking hard at a Playfair or
similar system combined with transposition. Iff it can be made simple
enough to use.
I also like the code book and OTP approach.
Thank you for reminding me of the finer points.
-m-
--
If children don't know why their grandparents did what they
did, shall those children know what is worth preserving and what
should change?
http://www.cryptography.org/getpgp.htm
------------------------------
From: [EMAIL PROTECTED] (K. Y. Lemonair)
Crossposted-To: comp.security,comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 17:25:37 GMT
"Donald L. Nash" <[EMAIL PROTECTED]> wrote:
>Bruce probably didn't want to repeat what had already been said.
And of course if he did, Tom St Denis would almost certainly jump all over
him for doing it.
--
"K. Y. Lemonair" is actually 4803 671259 <[EMAIL PROTECTED]>.
0 1 23456789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: ExCSS Source Code
Date: 16 Sep 2000 17:24:25 GMT
Ichinin <[EMAIL PROTECTED]> wrote:
> as well when you copy the DVD data from one medium to another,
> which allows for proper playback in any cd = CSS is bullocks!
> It's only EFFECTIVE MEASURABLE property is the region codes.
Also the licensing of players, since you can't build a player without
implementing CSS.
-David
------------------------------
From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: SHA-2 name rumors
Date: Sat, 16 Sep 2000 17:31:28 GMT
Daniel Leonard wrote:
>
> On Wed, 23 Aug 2000, Kent Briggs wrote:
>
> > "S. T. L." wrote:
> >
> > > SHA-1 provides 160 bits; isn't that enough?
> >
> > Hash functions make convenient password crunchers and with the new AES standard
> > allowing key sizes up to 256 bits, it would nice to have a corresponding hash
> > function of that size.
> >
> > --
> > Kent Briggs, [EMAIL PROTECTED]
> > Briggs Softworks, http://www.briggsoft.com
>
> Well, three hash functions come to mind
>
> HAVAL, SNEFRU, RIPEMD256.
Personally, I find we should nip the "MD" family tree at the bud while
we can. Not a big fan of RIPEMD myself.
SHA-256 will be a welcome relief after AES is picked.
Albert
------------------------------
From: [EMAIL PROTECTED] (Menial Roky)
Crossposted-To: comp.security,comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 17:32:53 GMT
Andrew Carol <[EMAIL PROTECTED]> wrote:
>He does not have a history of simply popping in to shill books but
>contributes enormous amounts of useful information to this group.
A good example is the frequent questions that we see here about the proper
implementation of Blowfish and Twofish. Bruce Schneier is able to offer
such helpful advice on these issues that you'd almost think he invented
those algorithms himself!
--
"Menial Roky" is actually 0381 249576 <[EMAIL PROTECTED]>.
012345 6789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Tying Up Loose Ends - Correction
Date: 16 Sep 2000 17:58:41 GMT
[EMAIL PROTECTED] (Mok-Kong Shen) wrote in <39C3A56D.69CF508@t-online.de>:
>
>
>John Savard wrote:
>>
>> Since this is an element of David A. Scott's encryption proposals, and
>> since he claimed he didn't have the kind of difficulties with the last
>> symbol that I encountered, possibly this is the method he is using. If
>> so, I will have to credit him specifically in this case: while I think
>> the basic notion of coding the last symbol in a general fashion, where
>> a message is represented by a prefix-property binary code, and the
>> resulting message is transmitted with an explicit length indication,
>> is almost certain to have occurred to people at an early stage in the
>> development of this field (maybe even before Huffman came forward with
>> his replacement for Shannon-Fano coding), the specific scheme of using
>> a code that is shifted down one symbol after either the least frequent
>> symbol or the least frequent symbol followed by any number of
>> repetitions of the second least frequent symbol so as to achieve an
>> optimal scheme not requiring backtracking is at a level of detail that
>> no one might necessarily have ever bothered with before.
>
>If one doesn't care about the so-called 1-1 property of Scott,
>then one can simply create an end-of-file symbol in
>the Huffman scheme and then fill to whatever boundary
>one wants.
>
>M. K. Shen
>
Yes, and that minor change greatly reduces the security
of the thing you're encrypting. But it is obvious you don't
see how.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: Fritz Schneider <[EMAIL PROTECTED]>
Subject: question about delastelle cipher in Bauer's book
Date: Sat, 16 Sep 2000 12:01:01 -0700
I'm working through F. L. Bauer's book "Decrypted Secrets" and ran
across something unfamiliar in section 4.2.3 (Delastelle cipher). He
gives a warning that "a mere gliding by one place, a Kulissenverfahren,
does not give the wanted effect...".
What does "gliding" mean in this context and what is its desired
effect? My assumption is that "gliding" is something to do with the
transposition step and that its intent is to make the cipher more
secure... but maybe someone here can clear things up for me? Thanks!
-- fritz
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: Sat, 16 Sep 2000 19:32:51 GMT
Jerry Coffin wrote:
> This simply is NOT true. I've personally done testing on this exact
> point for work, and can state with _absolute_ assurance that at least
> some CDMA phones (the Qualcomm QCP 1960 was what we were testing, but
> the MSM 3000 is used in other phones as well) most assuredly DOES
> "wake up" every 1.28 seconds, even when the power is turned off.
I've seen the source code. We'll have to agree to disagree. Your provider
maybe rewrote that part for some reason.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
"No wonder it tastes funny.
I forgot to put the mint sauce on the tentacles."
------------------------------
From: Adam Back <[EMAIL PROTECTED]>
Subject: Re: Attack on Free-MAC
Date: Sat, 16 Sep 2000 15:37:34 -0400
The lower bound is an interesting result. Wei commented on this: are
you convinced that the formulation you use in your lower bound proof
still holds when there are additional shared secret values for:
- the checksum
- the IV
- other keys to encrypt a small constant number of extra blocks under
independent keys (e.g. the checksum).
The specific attack you attribute to Pankaj Rohatgi was also
discovered by Virgil Gligor, Pompiliu Donescu and Michaela Iorga.
Gligor and Donescu found a version of it while working on their IACBC
(integrity aware) mode. I am not sure when they first discovered it,
Gligor sent me a mail sometime in March 2000.
David Wagner found a related attack against Gligor and Donescu's
ioPCBC variant using modular addition for the feedback.
Adam
[EMAIL PROTECTED] wrote:
>
> There was a scheme proposed some time back for MAC along with encryption,
> called Free-MAC (attached below)
>
> encryption in FREE_MAC is:
> y_i = E_k( x_i + y_{i-1} ) + x_{i-1}
>
> I have a lower bound on such schemes. This paper is available
> at http://eprint.iacr.org/2000/039/
> The lower bound says that any linear scheme which does
> MAC and encryption together would require at least log m extra
> encryptions (m is the number of blocks).
> That would imply that the above scheme is broken. Various
> attacks on this scheme were posted earlier as well. However,
> doubts remained about various simple fixes. Using the lower
> bound, I demonstrate below that this scheme needs major overhaul.
>
> Let M_i denote the intermediate quantity x_i+y_{i-1},
> and N_i denote E_k(x_i+y_{i-1}).
>
> Here is a known plaintext attack (first shown to me by Pankaj Rohatgi).
> Let y' be the new ciphertext, and
> let primed variables denote the new quantities.
> Now,
> N_{i+2}= y_{i+2}+x_{i+1}
> N_i = y_i +x_{i-1}
>
> Let y'_i = y_i +N_i+N_{i+2} (all earlier y' remain same as y)
> Then N'_i = N_{i+2}
> Hence M'_i = M_{i+2}
> x'_i= x_i+M_i+M_{i+2}
>
> Let y'_{i+1}= y_{i+1}+M_i+M_{i+2}
> Then, N'_{i+1}= N_{i+1}
> hence, M'_{i+1} = M_{i+1}
> So, x'_{i+1}= x_{i+1} + N_i +N_{i+2}
>
> Let, y'_{i+2}= y_{i+2}
> Then, N'_{i+2}= N_{i+2}+N_i+N_{i+2}= N_{i}
> So, M'_{i+2}= M_i
> Hence, x'_{i+2}= x_{i+2}
>
> So, x'_{i+2}=x_{i+2}, and y'_{i+2}=y_{i+2}, and the computation continues
> unperturbed !!
>
> If the last block was a checksum of the plaintexts, then this would require a
> chosen plaintext attack. All in all, any such scheme is hopeless. However,
> see the aforementioned paper for new and interesting schemes which are
> provably secure. They are also quite simple.
>
> -Charanjit Jutla
>
> From: Adam Back <[EMAIL PROTECTED]>
>
> Subject: Free-MAC mode
> Date: 07 Mar 2000 00:00:00 GMT
> Message-ID: <[EMAIL PROTECTED]>
> Organization: Sprint Canada Inc.
> Newsgroups: sci.crypt
>
> Following on from the discussion of block modes which try to exhibit error
> propagation to give a MAC or MDC combined with a block mode in the thread
> with subject "avoid man-in-the-middle known plaintext attack using a stream
> cipher", here's a block mode Anton and I have been working on.
>
> encryption is:
>
> y_i = E_k( x_i + y_{i-1} ) + x_{i-1}
>
> and decryption is:
>
> x_i = D( y_i + x_{i-1} ) + y_{i-1}
>
> In practice to make a MAC out of this you would append a fixed block to the
> message and verify that this fixed block was preserved on decryption. This
> block could be public, or perhaps could be the IV, or a separate key.
>
> We are working on a paper describing the Free-MAC mode, and output feedback
> as a way to get error propagation on the decryption operation of a block
> mode.
>
> The result is likely to be essentially as efficient as CBC encryption, and
> doesn't suffer the block swapping attacks that Propagating-CBC,
> Plaintext-CBC, iaPCBC and CBCC do.
>
> Adam
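To make the algebra in the quoted posts concrete, here is an added example (not code from either post, nor the Free-MAC authors' own): a toy Free-MAC implementation over a constructed 16-bit keyed permutation, with the receiver's integrity check being a public fixed block appended to the message, as the original Free-MAC post suggests. It carries the quoted y'_i, y'_{i+1} modification through and shows why an error-propagation mode of this shape cannot be trusted as a MAC: the modified ciphertext decrypts to a different message whose check block is still intact, and the modification never evaluates E_k at all. Assumed conventions: '+' is XOR, y_0 = IV and x_0 = 0.

```python
import random

CHECK_BLOCK = 0xA5A5  # constructed public fixed block appended as the integrity check

def make_cipher(key_seed):
    """Constructed stand-in for E_k/D_k: a keyed random permutation of 16-bit blocks.
    modify_ciphertext() never calls either, so E_k's internals play no role."""
    table = list(range(1 << 16))
    random.Random(key_seed).shuffle(table)
    inv = [0] * len(table)
    for a, b in enumerate(table):
        inv[b] = a
    return table.__getitem__, inv.__getitem__

def free_mac_encrypt(E, iv, x):
    """y_i = E_k(x_i + y_{i-1}) + x_{i-1}, with '+' = XOR, y_0 = iv, x_0 = 0 (assumed)."""
    y, y_prev, x_prev = [], iv, 0
    for xi in x:
        yi = E(xi ^ y_prev) ^ x_prev
        y.append(yi)
        y_prev, x_prev = yi, xi
    return y

def free_mac_decrypt(D, iv, y):
    """x_i = D_k(y_i + x_{i-1}) + y_{i-1}, the inverse of free_mac_encrypt()."""
    x, y_prev, x_prev = [], iv, 0
    for yi in y:
        xi = D(yi ^ x_prev) ^ y_prev
        x.append(xi)
        y_prev, x_prev = yi, xi
    return x

def modify_ciphertext(x, y, iv, i):
    """The quoted known-plaintext modification, 0-based block index i:
    y'_i = y_i + N_i + N_{i+2}, y'_{i+1} = y_{i+1} + M_i + M_{i+2}, rest unchanged.
    Returns None in the degenerate case M_i == M_{i+2}, where y' would equal y."""
    prev_x = lambda j: x[j - 1] if j else 0
    prev_y = lambda j: y[j - 1] if j else iv
    N = lambda j: y[j] ^ prev_x(j)   # N_j = E_k(M_j) = y_j + x_{j-1}, from known (x, y)
    M = lambda j: x[j] ^ prev_y(j)   # M_j = x_j + y_{j-1}
    if M(i) == M(i + 2):
        return None
    y2 = list(y)
    y2[i] ^= N(i) ^ N(i + 2)
    y2[i + 1] ^= M(i) ^ M(i + 2)
    return y2

def demo(key_seed=7, iv=0x1234):
    """Encrypt a constructed message ending in CHECK_BLOCK, modify the ciphertext at
    the first non-degenerate index, and report what the receiver sees."""
    E, D = make_cipher(key_seed)
    msg = [0x0001, 0x0002, 0x0003, 0x0004, 0x0005, CHECK_BLOCK]
    ct = free_mac_encrypt(E, iv, msg)
    assert free_mac_decrypt(D, iv, ct) == msg     # the mode round-trips
    forged = next(f for f in (modify_ciphertext(msg, ct, iv, i)
                              for i in range(len(msg) - 2)) if f is not None)
    pt = free_mac_decrypt(D, iv, forged)
    changed = [j for j in range(len(msg)) if pt[j] != msg[j]]
    return {"changed_blocks": changed, "check_passes": pt[-1] == CHECK_BLOCK}
```

Blocks i and i+1 of the received plaintext differ from the sender's, every later block including the check block is reproduced exactly, so the receiver accepts a message the sender never sent.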
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: More Bleh from a Blahish person. ;)
Date: Sat, 16 Sep 2000 19:25:31 GMT
Okay, try again... it's obvious you've missed the question I'm trying to
ask (through my bad phrasing.)
What I'm saying is this (not sure if this has been proven/disproven):
Every mapping of n bits to n bits has a function that will describe it.
Does this make any sense?
So like: Say we wanted an 8x8 s-box. Instead of using a fixed table, we
could use a maths function. Let F(X) = X + 1 mod 256. We take x and
compute F(X); F(X) then substitutes x. If this doesn't make sense, I
give up ;)
Okay, now what I was trying to ask was this:
Does a function exist that can describe every s-box? If so, then some
of these functions must duplicate the *best* s-boxes one can produce.
Say I found such a function in GF(2^32). I could then use this one
function as my entire f-function, in a Feistel based cipher. Let's say I
added the round key to the plain-text chunk being encrypted, mod
(2^32). How many rounds would this require before the best linear and
differential attack requires more known plain-text blocks than exist?
I believe this is somewhat clearer. If my language is incorrect don't
hesitate to point it out
Thanks,
Simon Johnson.
=========================
'Man is everywhere in chains'
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: More Bleh from a Blahish person. ;)
Date: Sat, 16 Sep 2000 19:48:05 GMT
In article <8q0het$caj$[EMAIL PROTECTED]>,
Simon Johnson <[EMAIL PROTECTED]> wrote:
> Okay, try again... it's obvious you've missed the question I'm trying to
> ask (through my bad phrasing.)
>
> What I'm saying is this (not sure if this has been proven/disproven):
> Every mapping of n bits to n bits has a function that will describe it.
> Does this make any sense?
>
> So like: Say we wanted an 8x8 s-box. Instead of using a fixed table, we
> could use a maths function. Let F(X) = X + 1 mod 256. We take x and
> compute F(X); F(X) then substitutes x. If this doesn't make sense, I
> give up ;)
>
> Okay, now what I was trying to ask was this:
>
> Does a function exist that can describe every s-box? If so, then some
> of these functions must duplicate the *best* s-boxes one can produce.
No one function can describe every possible function, or at least its
description would be terribly long. And you can get ideal properties
out of your sbox by carefully choosing your function.
> Say I found such a function in GF(2^32). I could then use this one
> function as my entire f-function, in a Feistel based cipher. Let's say I
> added the round key to the plain-text chunk being encrypted, mod
> (2^32). How many rounds would this require before the best linear and
> differential attack requires more known plain-text blocks than exist?
Depends on the function. F(x) = x is a function in GF(2^32) but it's
hardly worth using.
> I believe this is somewhat clearer. If my langauge is incorrect don't
> hesitate to point it out
>
> Thanxs,
> Simon Johnson.
>
> -------------------------
> 'Man is everywhere in chains'
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
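As an added illustration of the question and the reply (not code from either poster): over a finite field every map from the field to itself is a polynomial, found by Lagrange interpolation, so one formula family does describe every s-box, and it generalises from the GF(2^4) used here to GF(2^8) or GF(2^32); but the interpolating polynomial of a 16-entry 4x4 s-box has up to 16 coefficients, no shorter than the table itself, which is the "terribly long" description Tom mentions. The only assumption is the field representation (modulus x^4 + x + 1); the table is the first row of DES S-box S1.

```python
MOD, ORDER = 0x13, 16   # GF(2^4) with modulus x^4 + x + 1; a 4-bit value is a field element

def gf_mul(a, b):
    """Carry-less multiply of two GF(2^4) elements, reduced by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:
            a ^= MOD
    return r

def gf_inv(a):
    """a^(2^4 - 2) = a^-1 for non-zero a (Fermat)."""
    r = 1
    for _ in range(ORDER - 2):
        r = gf_mul(r, a)
    return r

def poly_mul(p, q):
    """Multiply polynomials over GF(2^4), coefficients lowest degree first."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out

def interpolate(sbox):
    """Lagrange: the unique P of degree < 16 over GF(2^4) with P(x) = sbox[x]; '-' is XOR."""
    coeffs = [0] * ORDER
    for j in range(ORDER):
        basis, denom = [1], 1
        for m in range(ORDER):
            if m != j:
                basis = poly_mul(basis, [m, 1])   # factor (x - m)
                denom = gf_mul(denom, j ^ m)      # factor (x_j - x_m)
        scale = gf_mul(sbox[j], gf_inv(denom))
        for k, c in enumerate(basis):
            coeffs[k] ^= gf_mul(scale, c)
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation over GF(2^4)."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r

def check(sbox):
    """(degree of the interpolating polynomial, whether it reproduces the table)."""
    coeffs = interpolate(sbox)
    degree = max((k for k, c in enumerate(coeffs) if c), default=0)
    return degree, all(evaluate(coeffs, x) == sbox[x] for x in range(ORDER))

# First row of DES S-box S1, used here as a real 4x4 s-box table.
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
```

Since a permutation polynomial over GF(16) never has an x^15 term, a bijective s-box comes out with degree at most 14, while an affine one (F(X) = X XOR 1) collapses to the two coefficients [1, 1].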
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Tying Up Loose Ends - Correction
Date: Sat, 16 Sep 2000 19:48:58 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> [EMAIL PROTECTED] (Mok-Kong Shen) wrote in <39C3A56D.69CF508@t-online.de>:
>
> >
> >
> >John Savard wrote:
> >>
> >> Since this is an element of David A. Scott's encryption proposals, and
> >> since he claimed he didn't have the kind of difficulties with the last
> >> symbol that I encountered, possibly this is the method he is using. If
> >> so, I will have to credit him specifically in this case: while I think
> >> the basic notion of coding the last symbol in a general fashion, where
> >> a message is represented by a prefix-property binary code, and the
> >> resulting message is transmitted with an explicit length indication,
> >> is almost certain to have occurred to people at an early stage in the
> >> development of this field (maybe even before Huffman came forward with
> >> his replacement for Shannon-Fano coding), the specific scheme of using
> >> a code that is shifted down one symbol after either the least frequent
> >> symbol or the least frequent symbol followed by any number of
> >> repetitions of the second least frequent symbol so as to achieve an
> >> optimal scheme not requiring backtracking is at a level of detail that
> >> no one might necessarily have ever bothered with before.
> >
> >If one doesn't care about the so-called 1-1 property of Scott,
> >then one can simply create an end-of-file symbol in
> >the Huffman scheme and then fill to whatever boundary
> >one wants.
> >
> >M. K. Shen
> >
>
> Yes, and that minor change greatly reduces the security
> of the thing you're encrypting. But it is obvious you don't
> see how.
Perhaps like the rest of the freeworld, he doesn't think compression
should be the catalyst of information security.
Tom
------------------------------
From: [EMAIL PROTECTED] (Oral I. Menky)
Crossposted-To: comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Sat, 16 Sep 2000 20:07:00 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>What are you guys talking about? I own a copy of applied crypto, I
>like his research!!!
And how did you learn that it was a valuable book worth buying? I'd say the
chances are pretty fair that you first learned about it on one of these
newsgroups, probably sci.crypt.
--
"Oral I. Menky" is actually 5486 729301 <[EMAIL PROTECTED]>.
0123 4 56789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************