Cryptography-Digest Digest #789, Volume #12 Thu, 28 Sep 00 09:13:00 EDT
Contents:
Re: DES and Differential Power Analysis ([EMAIL PROTECTED])
Re: Chaos theory (Mok-Kong Shen)
Re: Notice: Problems with DiehardC. ("Sam Simpson")
Re: Chaos theory (Niclas Carlsson)
Re: "Secrets and Lies" at 50% off (Mok-Kong Shen)
Re: "Secrets and Lies" at 50% off (Mok-Kong Shen)
Re: Chaos theory (Mok-Kong Shen)
Re: I am only an egg... (David Rush)
Re: Tying Up Loose Ends - Correction (Tim Tyler)
Re: Chaos theory (Tim Tyler)
Re: DES and Differential Power Analysis (Jonathan Edwards)
Re: Triple DES CBC test vectors (Jonathan Edwards)
Re: RSA and Chinese Reminder Theorem (Soeren Gammelmark)
Re: test values for HMAC-Tiger (Mark Wooding)
Re: Josh MacDonald's library for adaptive Huffman encoding (Chris F Clark)
Re: Adobe Acrobat -- How Secure? (John Savard)
Re: Adobe Acrobat -- How Secure? (John Savard)
Re: Adobe Acrobat -- How Secure? (Volker Hetzer)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DES and Differential Power Analysis
Date: Thu, 28 Sep 2000 08:12:18 GMT
I am implementing on an HC05 processor. However, i am just looking for
general ideas e.g. adding random timings.
In article <8qt6c4$3us$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <8qt37h$139$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I am looking for papers dealing with Differential Power Analysis
> > applied to DES. I am looking in particular for possible
> countermeasures
> > on DPA when implementing DES.
> >
>
> When implementing DES on what?
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Thu, 28 Sep 2000 10:33:30 +0200
zapzing wrote:
>
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> > Soeren Gammelmark wrote:
> > > I was woundering if anyone ever thought about using chaos theory in
> > > order to make cryptographic algorithms.
> >
> > Yes, this comes up every so often, and it ought to be part
> > of the sci.crypt FAQ. The simple response is that chaotic
> > behavior is far from random, so it is not a natural fit.
>
> To the contrary, the behavior of a chaotic system
> should look quite random as long as you hash it
> down enough. And there would be *No* repetition
> (at least not given our present understanding
> of most physical chaotic sytems) Any application
> using a digital PRNG will repeat eventually, but
> a sufficiently hashed chaotic RNG would not have
> any cycles.
I think that your observation is useful for those
who want to get randomness. One could also use
a number of systems and mix them together in some
way, I suppose.
M. K. Shen
===========================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Notice: Problems with DiehardC.
Date: Thu, 28 Sep 2000 09:52:16 +0100
Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Paul Pires wrote:
> >
> > I believe I have detected a problem with DiehardC v1.03
> > and menu item #8 (31x31 and 32x32 binary matrix tests).
>
> I recommend that you ask the author of DiehardC (not Diehard).
> He will certainly be friendly engough to help you.
That's precisely what he's done - it's documented in his previous
message!
--
Sam Simpson
http://www.scramdisk.clara.net/ for ScramDisk hard-drive encryption &
Delphi Crypto Components. PGP Keys available at the same site.
------------------------------
From: [EMAIL PROTECTED] (Niclas Carlsson)
Subject: Re: Chaos theory
Date: 28 Sep 2000 11:53:27 +0300
Mok-Kong Shen <[EMAIL PROTECTED]> writes:
>zapzing wrote:
>>
>> To the contrary, the behavior of a chaotic system
>> should look quite random as long as you hash it
>> down enough. And there would be *No* repetition
>> (at least not given our present understanding
>> of most physical chaotic sytems) Any application
>> using a digital PRNG will repeat eventually, but
>> a sufficiently hashed chaotic RNG would not have
>> any cycles.
>I think that your observation is useful for those
>who want to get randomness. One could also use
>a number of systems and mix them together in some
>way, I suppose.
Of course all the talk about chaotic systems never
repeating assume that we have infinite precision.
It's all a matter of how large the internal state is.
So then, what's the difference in practice between
a "digital PRNG" and a "digital implementation of
a chaotic system"? None whatsoever, IMHO. The chaotic
system is just another PRNG, it might even have worse
statistical properties if you're unlucky and the
stationary measure is badly biased.
Hashing can make things better, but I see no obvious
advantages of a "chaotic system". PRNGs tend to be
"chaotic" by their very nature. Try plugging x and
x+1 as a seed into an ordinary LCG, iterate a few
steps and see what happens.
Nicke
--
"A witty saying proves nothing."
- Voltaire (1694-1778)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Thu, 28 Sep 2000 11:36:30 +0200
Tom St Denis wrote:
>
> When someone constantly mocks others there words have less tenative
> value.
I agree. However, I suppose that anyone who is very used
to calling others newbie and clueless when sighting
some apparently beginners' posts achieves the same effect,
quite independent of the content of these posts.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.security,comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Thu, 28 Sep 2000 11:36:35 +0200
Terry Ritter wrote:
>
> Albert Yang <[EMAIL PROTECTED]> wrote:
>
> >2) There are people who are slightly more privileged than others.
>
> I think you see things very, very wrong.
I think he was joking a little bit. On the other hand,
it is a fact of the real world that some people are
previleged or more previleged not because of political
instruments or possession of more money etc. but simply
because they are able to obtain 'beliefs' of many other
people. See the example of religious gurus (i.e. the
original 'real' gurus).
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Thu, 28 Sep 2000 12:01:15 +0200
Niclas Carlsson wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> writes:
>
> >zapzing wrote:
> >>
> >> To the contrary, the behavior of a chaotic system
> >> should look quite random as long as you hash it
> >> down enough. And there would be *No* repetition
> >> (at least not given our present understanding
> >> of most physical chaotic sytems) Any application
> >> using a digital PRNG will repeat eventually, but
> >> a sufficiently hashed chaotic RNG would not have
> >> any cycles.
>
> >I think that your observation is useful for those
> >who want to get randomness. One could also use
> >a number of systems and mix them together in some
> >way, I suppose.
>
> Of course all the talk about chaotic systems never
> repeating assume that we have infinite precision.
> It's all a matter of how large the internal state is.
The finite precision is indeed a problem in chaos
theory, if I don't err. But it seems to be that in
general the issue is not too much worse than certain
other numerical computational fields where one has
also to cope with finite precision. There is a
so-called shadowing theorem, though it doesn't
entirely clear the ground, as far as I understand.
>
> So then, what's the difference in practice between
> a "digital PRNG" and a "digital implementation of
> a chaotic system"? None whatsoever, IMHO. The chaotic
> system is just another PRNG, it might even have worse
> statistical properties if you're unlucky and the
> stationary measure is badly biased.
>
> Hashing can make things better, but I see no obvious
> advantages of a "chaotic system". PRNGs tend to be
> "chaotic" by their very nature. Try plugging x and
> x+1 as a seed into an ordinary LCG, iterate a few
> steps and see what happens.
It is a matter of degree with reference to the state
of the art of analysis, I conjecture. The common
PRNG's have been intensively studied concerning their
statistical properties and, for crypto, the methods of
inference. This is apparently not yet the same for
chaos, as far as my humble knowledge goes. So that
fact could give some advantage to using sources from
chaos, I believe. Anyway, it serves as a viable
alternative. On the other hand, one can certainly do
appropriate post-processing to output sequences of
predictable PRNGs to obtain results that are less
susceptible to inference. (In fact, I made such an
attempt. See my web page.)
M. K. Shen
=============================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: David Rush <[EMAIL PROTECTED]>
Subject: Re: I am only an egg...
Date: 28 Sep 2000 09:40:09 +0100
Dido Sevilla <[EMAIL PROTECTED]> writes:
> David Rush wrote:
> > I'm wondering what has been
> > done in the area of using the convolution operation (from signals
> > analysis) as an encryption transformation. It certainly would combine
> > every bit of the key with every bit of the plaintext.
>
> convolution is essentially polynomial multiplication. For the
> convolution to be invertible by an inverse convolution (polynomial
> division), your signal (message) would have to become longer by the
> length of the kernel (key).
True. I get the impression from reading the NG and various crypto
websites recommended by sc authors that message expansion is a
'grey-area' kind of an issue. It's not entirely bad, but not entirely
good. In this case, I would guess that it's fairly bad for convolution
because it exposes the key.
> Another problem is the frequency domain representation. In the frequency
> domain, a convolution is just a multiplication, so cryptanalysis may be
> much easier after performing a discrete Fourier transform, or its
> analogue (whatever that may be).
This cuts to the heart of the bits I don't understand. (I know, I'm
supposed to learn cryptanalysis *before* I try to design a cipher. I'm
learning in parallel.) I suppose that if I'm using large prime keys,
attacking the transformed message becomes a factoring problem. I
suppose that the tricky bit would be keeping the keys relatively
prime to the message. Actually, the issue would be with the
*frequency-domain* representation of the key, wouldn't it?
> I have no idea how the DFT-equivalent
> would be formulated if your signals are elements of a finite field, but
> my guess is it would involve choosing a set of orthogonal functions over
> the finite field in which your signal is expressed, as with any other
> integral transform. I can't imagine what these functions would look
> like in a finite field like, say, GF(2^8), but I'm not going to say that
> they don't exist (I wouldn't know).
Well I'll certainly be looking into that. You've given me a few good
bits of jargon to plugin into the search engines. Thanks.
david rush
--
There is only one computer program, and we're all just writing
pieces of it.
-- Thant Tessman (on comp.lang.scheme)
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Thu, 28 Sep 2000 10:26:39 GMT
Bryan Olson <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Bryan Olson wrote:
:> : Knowledge of the ciphertext is not enough. With no better
:> : attack than exhaustive search, you have to do a trial
:> : decryption, for each key, and those alone make the attack
:> : intractable.
:>
:> There are plenty of attacks where the ability to reject
:> keys is useful - even with no crypyanalytic attack on the
:> cypher.
: None of which are at issue. You claimed that knowing some
: number of bits of plaintext *normally* reduces the keyspace
: or "effective keyspace" by that many bits.
Look at what I've said I mean by the latter term, and you will find it's
true - being given known plaintext often makes it easier to reject
particular keys, thus making those keys less effective. Perhaps if you
read it is the (effective key)(space) - rather than the (effective)
(keyspace) - you'll find the term more palatable.
I'm sure we can rattle on for ages about how much "less effective" is
sufficient to qualify a key for the acolade of no longer being
"effective". I'm not terribly interested in doing that.
Perhaps I'll go further out of my way to make sure I put in the
"effective" every single time - since I know what pedants sci.crypt
readers can be.
Perhaps I'll even try to rework my terminology to avoid even mentioning
any effect on anything remotely related to the keyspace, when the work
required to reject keys is not reduced to absolutely zero. Probably not
though - the work taken to reject keys is rarely exactly zero, even with a
genuine cryptanalytic "reduction of the keyspace".
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Reply-To: [EMAIL PROTECTED]
Date: Thu, 28 Sep 2000 10:30:10 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Soeren Gammelmark wrote:
:> I was woundering if anyone ever thought about using chaos theory in
:> order to make cryptographic algorithms.
: Yes, this comes up every so often, and it ought to be part
: of the sci.crypt FAQ. The simple response is that chaotic
: behavior is far from random, so it is not a natural fit.
What makes you think chaotic behaviour cannot appear random?
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: Jonathan Edwards <[EMAIL PROTECTED]>
Subject: Re: DES and Differential Power Analysis
Date: Thu, 28 Sep 2000 11:24:24 GMT
Adding random timings isn't effective.
See "Towards Sound Approches to Counteract Power Analysis Attacks"; Chari,
Jutla, Rao, and Rohatgi; Proceedings of CRYPTO '99, Springer Verlag, LNCS
1666.
On Thu, 28 Sep 2000 [EMAIL PROTECTED] wrote:
> I am implementing on an HC05 processor. However, i am just looking for
> general ideas e.g. adding random timings.
>
> In article <8qt6c4$3us$[EMAIL PROTECTED]>,
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > In article <8qt37h$139$[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I am looking for papers dealing with Differential Power Analysis
> > > applied to DES. I am looking in particular for possible
> > countermeasures
> > > on DPA when implementing DES.
> > >
> >
> > When implementing DES on what?
> >
> > Tom
> >
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
> >
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
>
------------------------------
From: Jonathan Edwards <[EMAIL PROTECTED]>
Subject: Re: Triple DES CBC test vectors
Date: Thu, 28 Sep 2000 11:30:08 GMT
The Monte Carlo tests in 800-20 do what you want.
There's a PDF file in
http://csrc.nist.gov/cryptval/des/tripledes-vectors.zip that lists the
expected outputs for the first couple of rounds of the Monte Carlo tests,
which tests the chaining...
On Mon, 25 Sep 2000, MVJuhl wrote:
> I'm looking for test vectors for Triple DES in CBC mode.
>
> I have looked at NIST Special Publication 800-20, but it doesn't contain the
> tests I'm looking for.
>
> What I would like is encryption/decryption on 2 or 3 blocks of known
> plaintext, so I can verify that the chaining I've implemented is working.
>
>
> Thanks
> M V Juhl
>
>
>
>
------------------------------
From: Soeren Gammelmark <[EMAIL PROTECTED]>
Subject: Re: RSA and Chinese Reminder Theorem
Date: Thu, 28 Sep 2000 13:13:03 +0200
> Does this answer your question?
I belive so - thank you.
S=F8ren Gammelmark
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: test values for HMAC-Tiger
Date: 28 Sep 2000 11:54:35 GMT
Dido Sevilla <[EMAIL PROTECTED]> wrote:
> I've written an implementation of Tiger that seems to be sane (it
> produces the same hash values for all the test inputs anyhow!) and now
> have a program that does HMAC-TIGER in the same way everyone else does
> HMAC-MD5 and HMAC-SHA1, as described in RFC 2104. Does anyone have any
> test values for HMAC-Tiger which I can compare with my implementation?
The following is an excerpt from tests/tiger in the Catacomb
distribution. Each test consists of, in turn, a preimage to be hashed,
a key, and the HMAC output. The preimage is textual; the key and output
are binary and expressed in hexadecimal. I use a little-endian
convention for converting between bytes and 64-bit words. I used Eli
Biham's implementation as a reference for checking the underlying hash
function.
My news client complains about long lines, so I've wrapped some of the
key representations. It should be obvious what's going on
# --- HMAC mode ---
#
# No test vectors available. The HMAC implementation has not been
# tested against an external reference. The HMAC code is autogenerated
# anyway, and ought to be reliable and correct.
#
# These test vectors are here to spot changes in behaviour rather than
# ensure interoperability.
tiger-hmac {
"Hi There"
0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
0a402190741a498d6d4a09016b0895cb6419ff849b196137;
"what do ya want for nothing?"
4a656665
3a351b1dec6075d6290e68b604e553821edc39041b82da83;
"Test With Truncation"
0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
95981aaf2303d232824c504cc51459ea8275734336e92b1a;
"Test Using Larger Than Block-Size Key - Hash Key First"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ebbb20db7af380b5dffff39f671e1224e994d840408a7941;
"Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
308ebb428666c75b50d0442fe008777f4c208c7fa6d5ce7c;
}
-- [mdw]
------------------------------
Crossposted-To: comp.compression,comp.theory
From: Chris F Clark <[EMAIL PROTECTED]>
Subject: Re: Josh MacDonald's library for adaptive Huffman encoding
Date: Thu, 28 Sep 2000 12:08:14 GMT
M. K. Shen asked:
> I like to repeat a question I asked before. How does
> adaptive Huffman compare with static Huffman that
> employs an exact frequency distribution of the texts?
Jeffery Vitter (formerly of Brown now with Duke Univ I believe) wrote
some papers on this topic. As I recall, he proved that asymtopicly
dynamic Huffman is within a constant factor of static Huffman and
that some other hueristic which I can't recall, may have been splay
trees or move-to-front, is within a constant factor of dynamic
Huffman. The reult of this is you can use dynamic Huffman in place of
static Huffman and expect the different to be measurable in "constant"
percentages (i.e. if you double the amount of text the algorithm won't
get twice as far from optimal). (In fact, in general since dynamic
Huffman adapts to the frequencies of the text it is processing, the
more text the closer to optimal it gets.)
For some texts (ones whose frequencies shift as the test is processed,
i.e. the characters at the front of the text have different
frequencies than the characters in the middle or back) dynamic Huffman
can produce more optimal compressing than static Huffman. I'm not
aware of any proofs (or even measurements) in this regards--however,
compression is not my specialty.
Hope this helps,
-Chris
*****************************************************************************
Chris Clark Internet : [EMAIL PROTECTED]
Compiler Resources, Inc. Web Site : http://world.std.com/~compres
3 Proctor Street voice : (508) 435-5016
Hopkinton, MA 01748 USA fax : (508) 435-4847 (24 hours)
==============================================================================
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Adobe Acrobat -- How Secure?
Date: Thu, 28 Sep 2000 12:08:31 GMT
On Thu, 28 Sep 2000 13:25:45 +0800, Dido Sevilla <[EMAIL PROTECTED]>
wrote, in part:
>If someone's determined enough, all they
>need to do is fire up a screen capture program, or to open a copy of MS
>Word or whatever, open your file reading program, share the screen with
>your file reader and Word, and just type whatever he or she sees on the
>file reader's window to the Word window. Nothing to it.
Well, Acrobat certainly can't prevent typing, although it does have an
option to disable cut and paste. However, IIRC, the .PDF file format
is fully documented - including the keys - so it is possible to write
a rogue version of Reader that ignores security.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Adobe Acrobat -- How Secure?
Date: Thu, 28 Sep 2000 12:14:14 GMT
On 27 Sep 2000 20:18:41 -0700, Paul Rubin <[EMAIL PROTECTED]>
wrote, in part:
>"David C. Barber" <[EMAIL PROTECTED]> writes:
>> I am looking to distribute some documents I don't want the user to be able
>> to alter or print. Acrobat was suggested, but IIRC, wasn't the Steven King
>> story distributed through Acrobat, and it was broken quickly just by loading
>> it into the full fledged Acrobat program?
If so, then the security options weren't turned on, because
full-fledged Acrobat does respect them.
>They can always
>photograph the screen or copy down the content by hand into a paper
>notebook.
True, but I think that the definition of "secure" for this sort of
thing has to exclude *those* particular risks. Instead, "no worse than
a paper document" is a reasonable standard for security.
I suppose that once cochlear implants are perfected, the music
industry might *try* to have us listen to music in the form of
encrypted radio waves that never become sound...
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Adobe Acrobat -- How Secure?
Date: Thu, 28 Sep 2000 14:46:18 +0200
John Savard wrote:
>
> On 27 Sep 2000 20:18:41 -0700, Paul Rubin <[EMAIL PROTECTED]>
> wrote, in part:
> >"David C. Barber" <[EMAIL PROTECTED]> writes:
> >> I am looking to distribute some documents I don't want the user to be able
> >> to alter or print. Acrobat was suggested, but IIRC, wasn't the Steven King
> >> story distributed through Acrobat, and it was broken quickly just by loading
> >> it into the full fledged Acrobat program?
A successful example would be the C++ standard document. You can buy (cheaply)
a pdf file but can't extract parts of it.
Greetings!
Volker
--
The early bird gets the worm. If you want something else for
breakfast, get up later.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
