Cryptography-Digest Digest #705, Volume #12      Mon, 18 Sep 00 02:13:01 EDT

Contents:
  Re: Serpent S-boxes (again) (Mack)
  Re: Double Encryption Illegal? (wtshaw)
  Re: Double Encryption Illegal? (wtshaw)
  Re: Music Industry Offers US$10K for cracking their encryption system (Mack)
  Re: Carnivore article in October CACM _Inside_Risks (wtshaw)
  Re: Intel's 1.13 MHZ chip (Jerry Coffin)
  Re: CDMA tracking (was Re: GSM tracking) (Jerry Coffin)
  Re: QUESTION ABOUT ALGORITHMS (Sundial Services)
  Cryptographic keys based on pangrams (wtshaw)
  Re: One-way encryption ("John A. Malley")
  Re: CDMA tracking (was Re: GSM tracking) (Mack)
  Re: QUESTION ABOUT ALGORITHMS (Mack)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Mack)
Date: 18 Sep 2000 03:47:05 GMT
Subject: Re: Serpent S-boxes (again)

>
>On 18 Sep 2000 01:48:56 GMT, in
><[EMAIL PROTECTED]>, in sci.crypt
>[EMAIL PROTECTED] (Mack) wrote:
>
>>>On 17 Sep 2000 16:21:43 GMT, in
>>><[EMAIL PROTECTED]>, in sci.crypt
>>>[EMAIL PROTECTED] (Mack) wrote:
>>>
>>>>>[EMAIL PROTECTED] wrote:
>>>>>:   [EMAIL PROTECTED] (Gregory G Rose) wrote:
>>>>>
>>>>>:> I guess this could be considered an example of "proof by assertion",
>>>>>:> but, has anyone actually checked the stated algorithm to see if it
>>>>>:> does produce the chosen s-boxes?
>>>>>
>>>>>: The algorithm presented in the serpent paper is not complete they have
>>>>>: a step labeled "test for given criteria" which doesn't say "how" the
>>>>>: tests are done.
>>>>>
>>>>>*If* the criteria are well defined, it shouldn't matter how the tests are
>>>>>done.  For example, "non-linearity of 4" should be unambiguous, no matter
>>>>>how you do your tests.
>>>>
>>>>In that specific case there are a number of measures of non-linearity.
>>>>So it isn't really a well-defined criterion.
>>>
>>>I basically dispute this.  Yes, it is true that Boolean function
>>>nonlinearity is applied to "bit-columns" in substitutions.  This gives
>>>a nonlinearity result for each column, which are then often combined
>>>in some way.  Typically we use either the minimum or the mean, and I
>>>have used both.  
>>>
>>>Developing two related results from exactly the same set of Boolean
>>>function nonlinearity data hardly constitutes "a number of measures."
>>>
>>
>>The idea of non-linearity is pretty straightforward, but the specific
>>phrase "a non-linearity of four" is ambiguous.
>>
>>Does it mean minimum, maximum or mean?  In this case I believe it is
>>minimum distance to the set of affine functions.  
>
>I was probably extra inclusive to even mention the mean, perhaps
>because I have actually used it.  *Almost* universally the measure is
>the minimum, not the mean.  There is very little confusion in the
>literature.  
>

I agree.  But *Almost* is not completely unambiguous.

>
>>It could also
>>mean the sum of distances to affine functions, as has been used
>>in the past.
>
>I don't doubt the sum has been used somewhere.  Clearly it is an
>intermediate to computing the mean.  As such, both carry essentially
>the same meaning, and there is very little likelihood of confusing
>such widely different values.  
>

Specifically.

Pieprzyk and Finkelstein, "Permutations that Maximise Non-linearity
and Their Cryptographic Significance", in Computer Security
in the Age of Information, Caelli (ed.), 1989.

Uses a summation form of non-linearity for
permutations.  Lists averages of random
bijective permutations and maximums.

The use of this form is 'obvious' from the values.

>
>>>It is also true that "nonlinearity" originally implied a Fourier
>>>transform of data.  I speculate that this form in fact may be more
>>>useful in the context of RNG's and stream ciphers.  
>>>
>>>But for the past decade, s-box analysis has almost exclusively used
>>>the Walsh-Hadamard transform (and correlation to the related "affine
>>>Boolean functions" as opposed to sine waves of different frequency)
>>>for Boolean function analysis.  
>>>
>>>I would be most glad to receive any citations or evidence to the
>>>contrary.  
>>>
>>
>>That is indeed the most common measure.  But there are other
>>measures.  
>
>I was looking for details on those "other measures."  I mentioned both
>the minimum and the mean of the set of Boolean function nonlinearity
>results using the "affine Boolean function" basis.  You mentioned the
>sum; what else is there?
>   

There is also the mode, which I have found useful, as well as the deviation
from the mean, which I have found useful.  It is interesting to note
that 'bent' functions have zero deviation from the mean.

>
>>Most of the differences are restricted to the case
>>of the nonlinearity of s-boxes as opposed to individual functions.
>>
>>I personally use the minimum Hamming distance to the
>>set of affine functions (Rueppel's criteria).  
>
>But that *is* what the FWT computes.  The FWT can be seen as just a
>fast way to compute the differences to all the "affine Boolean
>functions" simultaneously.
>

Yes, but the computation methods are different.  FWT is 'easy' to
conceptualize mathematically, whereas the minimum Hamming
distance to a set of affine functions is a brute-force calculation.
Needless to say (but said anyway), computers excel at brute-force
calculation.

>
>>This is easy to
>>compute and relatively fast.  Unless there is a reason to
>>use a more complicated implementation I generally stick
>>to that for computer programming.
>>
>>The WHT is much better for algebraic analysis.
>
>I have no idea what distinction you are making.  
>

This is an algorithmic issue and not really relevant.  But
I thought it would be good to point out the two calculation
methods.

>
>>Did you receive the list of Citations that I sent you via e-mail?
>
>Yes.  You had two references not in my listings.
>
>You are of course aware that I have multiple pages on this topic, with
>long reference lists in each.  These include:
>
>   http://www.io.com/~ritter/JAVASCRP/NONLMEAS.HTM
>
>which is the JavaScript functioning article that not only describes
>the background to the measure, but also does the nonlinearity
>computation itself.  It includes 23 references.  
>
>Another is:
>
>   http://www.io.com/~ritter/RES/SBOXDESN.HTM
>
>which surveys 27 references in s-box design, including several on
>nonlinearity.  
>
>These were done several years ago.  Obviously I did not get
>everything, and there should be more now.  But I did get a lot.  
>

I have browsed your pages; they are a great service.  You have done
an excellent job with them.  They are very thorough.  I recommend
them to anyone who has not viewed them.  Most of my references
are in paper format, which is a bit unwieldy to search.  Someday
maybe I will get it all scanned and OCRed.

>---
>Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
>Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
>

Mack
Remove njunk123 from name to reply by e-mail
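As an added illustration of the two computation routes argued over above (the brute-force minimum Hamming distance to the affine functions versus the fast Walsh-Hadamard transform), together with the summary statistics the thread mentions (minimum, maximum, mean, mode and deviation from the mean over the bit-columns and their combinations), here is Python that is not part of the original posts. The 4-bit S-box in it is a constructed sample, not any published cipher's table; the bent function x0*x1 ^ x2*x3 is included because its nonlinearity (6 for n=4) is known exactly and exercises both routes.

```python
"""Boolean-function nonlinearity of S-box columns computed two ways.

Added example (not from the original thread).  The 4-bit S-box below is a
constructed sample, not any published S-box.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed 4x4 bijective S-box (input 0..15 -> output 0..15); not a real cipher's table.
SAMPLE_SBOX = [7, 13, 2, 9, 0, 14, 5, 11, 4, 10, 15, 1, 12, 6, 3, 8]

# Truth table of the bent function x0*x1 ^ x2*x3 on 4 variables; its
# nonlinearity is the maximum possible for n=4, namely 2^(n-1) - 2^(n/2-1) = 6.
BENT = [((x & 1) & ((x >> 1) & 1)) ^ (((x >> 2) & 1) & ((x >> 3) & 1)) for x in range(16)]


def parity(v):
    """Parity of the set bits of v, i.e. the dot product used by a.x and b.S(x)."""
    return bin(v).count("1") & 1


def affine_functions(n):
    """Yield the truth tables of all 2^(n+1) affine functions a.x ^ c."""
    for a in range(1 << n):
        for c in (0, 1):
            yield [parity(a & x) ^ c for x in range(1 << n)]


def nl_bruteforce(tt):
    """Minimum Hamming distance from f to every affine function (Rueppel's measure)."""
    n = len(tt).bit_length() - 1
    return min(sum(f != g for f, g in zip(tt, aff)) for aff in affine_functions(n))


def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform of (-1)^f: W(a) = sum_x (-1)^(f(x) ^ a.x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nl_walsh(tt):
    """Nonlinearity from the spectrum: 2^(n-1) - max|W(a)|/2.  Same value as
    nl_bruteforce, because |W(a)| encodes the distance to a.x and to a.x ^ 1."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2


def component_functions(sbox, m):
    """Truth tables of every nonzero linear combination b.S(x) of the m output bits.
    b = 1, 2, 4, 8 are the single bit-columns; the rest are their XOR combinations."""
    for b in range(1, 1 << m):
        yield b, [parity(b & y) for y in sbox]


def sbox_nonlinearity(sbox, m):
    """Per-combination nonlinearity plus the summary statistics the thread mentions:
    minimum (the usual S-box figure), maximum, mean, mode and deviation from the mean."""
    per = {b: nl_walsh(tt) for b, tt in component_functions(sbox, m)}
    vals = list(per.values())
    return {
        "per_combination": per,
        "min": min(vals),
        "max": max(vals),
        "mean": mean(vals),
        "mode": Counter(vals).most_common(1)[0][0],
        "deviation": pstdev(vals),
    }


def methods_agree(sbox, m):
    """Check that the brute-force and transform routes give the same number for
    every component function: the FWT is just a fast way to get the same distances."""
    return all(nl_bruteforce(tt) == nl_walsh(tt) for _, tt in component_functions(sbox, m))


if __name__ == "__main__":
    print("bent function:", nl_bruteforce(BENT), nl_walsh(BENT))
    print("identity S-box (all columns linear):", sbox_nonlinearity(list(range(16)), 4)["min"])
    print("sample S-box:", sbox_nonlinearity(SAMPLE_SBOX, 4))
    print("methods agree:", methods_agree(SAMPLE_SBOX, 4))
```

The brute-force route costs 2^(n+1) comparisons of 2^n entries per function; the transform costs n*2^n additions and yields all the distances at once, which is the sense in which the two are the same measure computed differently. Quoting "a nonlinearity of 4" for an S-box is the minimum over the 15 combinations here, and the mean, mode and deviation are reported alongside only so the alternatives discussed in the thread can be compared on the same data.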

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.databases.oracle
Subject: Re: Double Encryption Illegal?
Date: Sun, 17 Sep 2000 21:26:00 -0600

In article <8q1tfb$bj1$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Schlyter) wrote:

> In article <[EMAIL PROTECTED]>,
> wtshaw <[EMAIL PROTECTED]> wrote:
> > 
> > When a person uses 3-DES, they are single encrypting with 3-DES.
>  
> FYI: 3-DES consists of three rounds of DES, using two or three
> different keys.

That is the definition of a newer algorithm than just plain DES.  It is not DES.
>  
> > An algorithm can be made of any combination of steps.  When two or more
> > pieces are combined, the result is one piece. Consider that such a
> > request, regulation, standard, whim, or pipe dream to limit so called
> > double encryption is a fog to confuse wherever possible; ambiguity shows
> > dualism of purpose.
>  
> Nonsense!  Calling the use of two encryptions in succession "double
> encryption", or three encryptions in succession "triple encryption"
> is a correct description of the procedure.

The procedure is surely part of the algorithm.  The question originally
dealt with a legality.  Lawyers tend to try to remake the world in their
own image, as they like to define arbitrarily what they want. I am saying
that that is not reasonable in this case.  There are other aspects in
crypto where uneducated druthers don't make sense.
>  
> However, "double encryption" or "triple encryption" is not always more
> secure than "single encryption".  Consider for instance the good ol'
> Caesar cipher: double-Caesar or triple-Caesar will be no more secure
> than single-Caesar.  But triple-DES will be more secure than single-DES.
>  
Some algorithms tend to turn quickly in upon themselves when so utilized.
-- 
Rats! (What Gov. Bush is apt to say the morning after the election)

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.databases.oracle
Subject: Re: Double Encryption Illegal?
Date: Sun, 17 Sep 2000 21:29:15 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:


> Ah, I understand. In your definition there is never 
> any multiple encryption and a superencipherment is 
> simply a single (big) encipherment, there being 
> (presumably in your view) no need to mention that the 
> whole is made of certain (in general) different 
> components. I don't partake your viewpoint. For the 
> components can, and are in fact commonly, used and 
> evaluated singly. It is the art of combination that 
> is of interest in a multiple encryption. We need to 
> know (to emphasize) what the components are and how 
> they get combined.
> 
> M. K. Shen

Yes, that is a scientific question, and I have no quibble with such.  The
legal parry is something else.
-- 
Rats! (What Gov. Bush is apt to say the morning after the election)

------------------------------

From: [EMAIL PROTECTED] (Mack)
Date: 18 Sep 2000 04:00:36 GMT
Subject: Re: Music Industry Offers US$10K for cracking their encryption system

>In article <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED]
>wrote:
>> http://www.msnbc.com/news/460310.asp?cp1=1
>>
>
>Congrats, you have pointed out yet another stupid useless story in the
>world.  Considering what they want to solve is impossible, I think the
>story is very newsworthy
>
>Tom
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.
>

The goal is dubious and the contest even more so.
However it is interesting if nothing else.

the actual reference is

http://www.hackSDMI.org

The contest is basically removing a black box
watermarking scheme.  An unmarked and
corresponding marked file are available. The
contest is to successfully remove a watermark
from a third file for which no clear file is available.

Given the watermarking algorithm this is a relatively
easy task.  However there is an online oracle which
is supposed to determine the results.  This will
be available soon or so the site says.  This seems
to be a legitimate test of the system.

Theoretically the watermarking algorithm will remain
secret.

Suggested improvements of the contest are:

1) Longer time span
2) More pairs of marked and unmarked files
3) actually implementing the oracle


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Carnivore article in October CACM _Inside_Risks
Date: Sun, 17 Sep 2000 21:49:10 -0600

In article <8q2kqk$59j$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Jonathan Thornburg) wrote:

> During the cold war, it was widely known that people from the west
> who visited the USSR routinely had their telephones tapped, their
> mail monitored, etc, and in the west this was widely held to be
> a classic example of the USSR's "police state" government.
....
> Now fast-forward to today:  What do the US digital telephony
> legislation, Carnivore, and similar programs in other countries,
> say about our nominally democratic and "free" societies?
> 
Given a different group of people, there are those that act the same, who will
stretch or ignore the rights of the people for power's sake.  It is also
true that others will fight such intrusions regardless of where they are. 


Do not forget that even our government praises those who resist oppression
elsewhere; they should also feel kindly about those that would demand
freedom from abuses here as well.  Those that abuse rights, even in the
name of government, are our constitutional enemies, or wayward and
misdirected children in a way that needs to be corrected as we can, shall,
and will.
-- 
Rats! (What Gov. Bush is apt to say the morning after the election)

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Intel's 1.13 MHZ chip
Date: Sun, 17 Sep 2000 22:23:28 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Jerry Coffin wrote:
> > Let's see if I've got this straight.  You're trying to imply ...
> 
> No, I'm saying that you have invented a picture of how major
> computer procurements have occurred in the NSA that if true
> would constitute malfeasance on the part of high-ranking
> public officials, without providing any evidence to back it up.
> Such accusations are serious matters, not to be made frivolously.
> Indeed, you could be running afoul of the libel laws.

Gosh Doug, if I didn't know better, I'd think that having lost the 
argument, you'd turned to using a bit of FUD to try to put a chilling 
effect on free speech.

Then again, what would make me think I knew better?

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: Sun, 17 Sep 2000 22:23:33 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Jerry Coffin wrote:
> > This simply is NOT true.  I've personally done testing on this exact
> > point for work, and can state with _absolute_ assurance that at least
> > some CDMA phones (the Qualcomm QCP 1960 was what we were testing, but
> > the MSM 3000 is used in other phones as well) most assuredly DOES
> > "wake up" every 1.28 seconds, even when the power is turned off. 
> 
> I've seen the source code. We'll have to agree to disagree. Your provider
> maybe rewrote that part for some reason.

I've seen the object code.  We did testing with phones from a number 
of different providers, and they all acted identically in this 
respect.  Though I personally rather doubt your claim of having seen 
the source code, if you have I'd take a close look at your compiler 
to see what bugs you haven't found yet.  I'd also advise taking a 
close look at your QA process to find out why you're turning out 
products that don't match specifications without realizing it. 

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------

Date: Sun, 17 Sep 2000 21:27:36 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: QUESTION ABOUT ALGORITHMS

>Big Boy Barry wrote:
> 
> If someone publishes an algorithm, can someone else patent it?


Methinks that a lawyer would charge you $100,000 to find out -- and in
the end, only he would benefit.

RSA might have been the last company to *really* benefit from a US
patent on crypto, because they acquired it in 1980 when the entire world
wasn't talking to itself.

Today, a "patented" crypto algorithm will be known around-the-world in
less than one full rotation of that world.  It will be protected in only
a very small percentage of the surface-area of that world.  

To put it another way .. a way that assumes that this world is NOT
entirely filled with conniving thieves {other than lawyers, ahem ;-)}
all the money spent by the patent-holder to ostensibly "protect" the
idea will only be useful in that small area -- and, then and there, only
marginally useful at best.

I personally feel that, in the special case of crypto, patents are a
waste of time because {1} disclosure and peer-review of the technique is
vital; and {2} ahem .. if you've got a really good idea and (ahem) "bust
your ass" to develop it into a great product .. then the true economic
value of the algorithm to you is -not- going to be determined by how
great the idea is, but by how good your product is and "how well you
busted your ass to promote it and build a great product from it."

It's the power of the brand.  The power of the perception of trust and
the power of "having done something very well so that I can 'just buy a
copy.'"

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Cryptographic keys based on pangrams
Date: Sun, 17 Sep 2000 22:47:55 -0600

Take a pangram and pull off the first use of each letter to build a
permutation of n=26, a hash of the pangram if reasonably longer than 26
characters. 

We know that some algorithms such as monoalphabetic substitution are
trivial to solve given enough ciphertext.  For solvers, unless a well
known pangram is used, reconstruction of the original pangram from
solution of the substitutions may be difficult or impossible.

We could use the permutation to build a 5x5 matrix keyblock, dropping off
the particular character.  You could pick a usage that would be stronger than
just substitution.

If another character were added after the first word, a space
representing character, a permutation of n=27 is produced.  There are a
number of algorithms that this would suit.  One of these is BLT; the
earliest reference to it I find is Jan., 1999, in my notes.

Picking a new homegrown pangram, a 27 character permutation suitable for
BLT could be as follows:

Pangram: From quadriplegics: Know jobs vex the lazy.
Alpha(BLT): from/quad iplegcskn wjbvxthzy
For ease of use, the key rewritten:  fro m/q uad     ipl egc skn     wjb vxt hzy 

Here is an example pt to ct:

pt: Quiz x-ray views to help doctors' frank judgement.

preformatted: quiz/  xray/  views  /to/h  elp/d  octor  s/fra  nk/ju  dgeme  ntx

ct: ean eqi pvf ctz mgj dgz ewp itk nqt waj qxm rhs akv ceu jbm ipg bac
vfl wzx bnm xkm gfb pwk mak vqn fmq kgt lrc uiq fix pyw vka mhi mhp mbj
gyn jnz vxr cha fns vqb rpz zjf fzm kas ktd lpb ork 

equivalent ct: wxn ftm auv tyk hzp nzr smk vng ndo wzr oxi amv gki tfv knw
srj dkq uec hka bqh kjm rwl khp igr iqy vfc xko tky uft suz jch ipz msw
esx ebg zcy png mkz yvg fle hql gjk pzu wxv rjm zyc tro nkz 

If you wade through this you see that even as BLT triples length, it is
nevertheless a simple way to encrypt rather strongly with nothing
remembered to go on but a pangram.

Same key, a rather risque pangram: uhf ebr pte lgq sgx gpj gvm vua ksq zof
mrz rbe cnf eht tiw igx qvk hni jaz pci vzx lrc wed sgr tzv rkv lgr vgk
vxt uyv kvh cbj nca xvs kat vnx zeq ejp tfy vhb odt pbe csx spg pez ghl
iye zls sgz ejs wqg kyd acx pum gbn uld ypj
-- 
Rats! (What Gov. Bush is apt to say the morning after the election)
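The key derivation described in this post, as an added Python example that is not wtshaw's own code: letters are taken in order of first appearance (n=26), and with the first space recorded as well the permutation has n=27, which reproduces the "Alpha(BLT)" line above from the posted pangram. The "/" for the space symbol follows the page; the 9-symbol grouping and the rule of padding the preformatted text with "x" to a multiple of three are inferred from the posted example and are assumptions. BLT itself is not defined on the page and is not reproduced; the substitution at the end is plain monoalphabetic substitution over the 27-symbol alphabet, the weak use the post contrasts with BLT, included only so the key can be seen in action and to show that such a key is a full permutation even though the passphrase is a single sentence.

```python
"""Deriving a key permutation from a pangram, as the post describes.

Added example, not wtshaw's own code.  "/" stands in for the space character as
on the page; the grouping and padding conventions are inferred from the posted
example and are assumptions.  BLT is not reproduced; substitute() is ordinary
monoalphabetic substitution, the weak use the post mentions.
"""
import string

SPACE = "/"
ALPHABET = string.ascii_lowercase + SPACE  # 27 symbols: a..z then the space symbol


def pangram_key(pangram, with_space=True):
    """Order symbols by first appearance in the pangram.

    Letters alone give a permutation of n=26; with_space also records the
    first space (after the first word), giving n=27.  Raises if a letter is
    missing, i.e. if the sentence is not actually a pangram.
    """
    key = []
    for ch in pangram.lower():
        if ch in string.ascii_lowercase:
            sym = ch
        elif ch == " " and with_space:
            sym = SPACE
        else:
            continue  # punctuation and anything else is ignored
        if sym not in key:
            key.append(sym)
    missing = sorted(set(string.ascii_lowercase) - set(key))
    if missing:
        raise ValueError("not a pangram; missing letters: " + "".join(missing))
    return "".join(key)


def grouped(key, size=9):
    """Write the key in groups, as the post does for readability."""
    return " ".join(key[i:i + size] for i in range(0, len(key), size))


def preformat(plaintext, block=3):
    """Lower-case, keep letters, turn spaces into the space symbol, drop everything
    else, and pad with 'x' to a multiple of the block size (assumption: the posted
    example ends in 'ntx', i.e. one 'x' brings 47 characters up to 48)."""
    body = "".join(SPACE if ch == " " else ch
                   for ch in plaintext.lower()
                   if ch in string.ascii_lowercase or ch == " ")
    return body + "x" * ((-len(body)) % block)


def substitute(text, key, decrypt=False):
    """Monoalphabetic substitution ALPHABET -> key (or back).  This is the use
    that is trivial to solve given enough ciphertext, shown only for contrast."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.translate(str.maketrans(src, dst))


# The pangram and plaintext from the post, used as sample input.
PANGRAM = "From quadriplegics: Know jobs vex the lazy."
PLAINTEXT = "Quiz x-ray views to help doctors' frank judgement."

if __name__ == "__main__":
    key = pangram_key(PANGRAM)
    print("Alpha:", grouped(key))          # from/quad iplegcskn wjbvxthzy
    pt = preformat(PLAINTEXT)
    ct = substitute(pt, key)
    print("pt:", pt)
    print("ct:", ct)
    print("back:", substitute(ct, key, decrypt=True))
```

The check for missing letters matters in practice: a sentence that is not quite a pangram silently yields a shorter permutation, and any scheme that assumes all 27 symbols are present will then map some inputs to nothing.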

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: One-way encryption
Date: Sun, 17 Sep 2000 22:26:25 -0700

Thanh Diep wrote:
> 
> Hi,
> 
> I am looking for a one-way encryption algorithm to encrypt passwords of
> about
> 20-character in length.
> 
> I have been scanning various news group without much success. A few
> algorithms
> mentioned were: 3DES, MD5, SHA-1 and RIPE MD160, but I have no ideas where
> to
> get them or how to implement.
> 
> Ideally, I would like to have an algorithm to incorporate in my system but
> will
> settle for a dll. My development platform is J++ on NT 4.0 and the
> application
> is running on the server side only.  Please bear in mind that this is a
> commercial application.


Cryptix offers a free, clean-room version of the Java Cryptography
Extension package with more algorithms readily available than Sun's JCE.
It's Java source and classes. Read the FAQ at 

http://www.cryptix.org/old/cryptix/FAQ.html

The package is at

http://www.cryptix.org/products/cryptix31/index.html#download

Now keep in mind the people at Cryptix declare loud and strong they are
NOT professional cryptographers. 
Be prudent and exercise due diligence (since this is a commercial
product) before incorporating any open source / freeware crypto software
into your product. Check out the licensing terms for the package and do
read over its bug history.

Cryptix lists locations of a few other free Java crypto packages at 

http://www.cryptix.org/resources.html


Hope this helps, 


John A. Malley
[EMAIL PROTECTED]


 
> Thank you in advance for your help.
> 
> Regards,
> 
> Thanh Diep
> 
> (Please send a copy of your suggestion/solutions to [EMAIL PROTECTED])

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: 18 Sep 2000 05:57:49 GMT

>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>> Jerry Coffin wrote:
>> > This simply is NOT true.  I've personally done testing on this exact
>> > point for work, and can state with _absolute_ assurance that at least
>> > some CDMA phones (the Qualcomm QCP 1960 was what we were testing, but
>> > the MSM 3000 is used in other phones as well) most assuredly DOES
>> > "wake up" every 1.28 seconds, even when the power is turned off. 
>> 
>> I've seen the source code. We'll have to agree to disagree. Your provider
>> maybe rewrote that part for some reason.
>
>I've seen the object code.  We did testing with phones from a number 
>of different providers, and they all acted identically in this 
>respect.  Though I personally rather doubt your claim of having seen 
>the source code, if you have I'd take a close look at your compiler 
>to see what bugs you haven't found yet.  I'd also advise taking a 
>close look at your QA process to find out why you're turning out 
>products that don't match specifications without realizing it. 
>
>-- 
>    Later,
>    Jerry.
>
>The Universe is a figment of its own imagination.
>
>

What is the exact behaviour during this periodic wakeup?
Does it transmit or receive? Or does it just check a battery
level and then go back to sleep?

This has me rather curious.  Is this function used to detect
missed calls? What exactly is it doing?




Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: QUESTION ABOUT ALGORITHMS
Date: 18 Sep 2000 06:08:55 GMT

>>Big Boy Barry wrote:
>> 
>> If someone publishes an algorithm, can someone else patent it?
>
>
>Methinks that a lawyer would charge you $100,000 to find out -- and in
>the end, only he would benefit.
>
>RSA might have been the last company to *really* benefit from a US
>patent on crypto, because they acquired it in 1980 when the entire world
>wasn't talking to itself.
>
>Today, a "patented" crypto algorithm will be known around-the-world in
>less than one full rotation of that world.  It will be protected in only
>a very small percentage of the surface-area of that world.  
>
>To put it another way .. a way that assumes that this world is NOT
>entirely filled with conniving thieves {other than lawyers, ahem ;-)}
>all the money spent by the patent-holder to ostensibly "protect" the
>idea will only be useful in that small area -- and, then and there, only
>marginally useful at best.
>
>I personally feel that, in the special case of crypto, patents are a
>waste of time because {1} disclosure and peer-review of the technique is
>vital; and {2} ahem .. if you've got a really good idea and (ahem) "bust
>your ass" to develop it into a great product .. then the true economic
>value of the algorithm to you is -not- going to be determined by how
>great the idea is, but by how good your product is and "how well you
>busted your ass to promote it and build a great product from it."
>
>It's the power of the brand.  The power of the perception of trust and
>the power of "having done something very well so that I can 'just buy a
>copy.'"
>
>

It is interesting that RSA did benefit from the patent even though
PGP really made the algorithm famous (MY OPINION not argued
as fact)


Mack
Remove njunk123 from name to reply by e-mail

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
