Cryptography-Digest Digest #804, Volume #12      Sat, 30 Sep 00 22:13:01 EDT

Contents:
  Re: Chaos theory (zapzing)
  Re: Chaos theory (zapzing)
  Re: Chaos theory (zapzing)
  Re: Choice of public exponent in RSA signatures ("Cristiano")
  Re: Choice of public exponent in RSA signatures (Tom St Denis)
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Twofish Idea (Tom St Denis)
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Re: HELP ME SOLVE THIS SECRET CODE... (Andreas Gunnarsson)
  Re: Again a topic of disappearing e-mail? (Dan Kegel)
  Re: Adobe Acrobat -- How Secure? (Ian Goldberg)
  Re: Deadline for AES... (Mok-Kong Shen)
  Re: On block encryption processing with intermediate permutations (Mok-Kong Shen)
  Re: NIST Statistical Test Suite (Mok-Kong Shen)
  Re: NIST Statistical Test Suite ("bubba")
  Re: NIST Statistical Test Suite ("Paul Pires")
  Re: AES announcement due Monday 2nd October ("Douglas A. Gwyn")
  My Own Revision of Twofish (Tom St Denis)
  Very Interesting Article To Help All Of Us! ([EMAIL PROTECTED])
  Re: PRNG improvement?? (David Schwartz)

----------------------------------------------------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sat, 30 Sep 2000 18:12:55 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> zapzing wrote:
> >
>
> > Yes well I was sort of making the
> > unstated assumption that the chaotic
> > system would be implemented in analog
> > not in digital. Implementing a chaotic
> > system in digital *would* be a bad way
> > of making a PRNG, I admit.
>
> I don't agree with your point. Maybe the state of
> affairs has changed, but previously analog computing
> devices couldn't match with the accuracies of digital
> computers. One could utilize, I suppose, much of the
> knowledge already gained by applied mathematicians in
> solving problems in other fields where rounding errors
> are critical. Physicists are doing computations with
> chaos. At least two chaos journals give clear indication
> of that.

By *bad*, I meant not nearly as good as the
ones we have now, by using RC4 or hashing a
counter or some such thing. Digitizing a
chaotic system would make a PRNG that could be
made cryptologically secure, I admit, but
there are more efficient ways of doing that.

--
Void where prohibited by law.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sat, 30 Sep 2000 18:15:16 GMT

In article <[EMAIL PROTECTED]>,
  "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> zapzing wrote:
> > Yes well I was sort of making the
> > unstated assumption that the chaotic
> > system would be implemented in analog
> > not in digital. Implementing a chaotic
> > system in digital *would* be a bad way
> > of making a PRNG, I admit.
> > You would then digitize the analog
> > signal and hash that down. Sorry for
> > the confusion.
>
> You'd be even sorrier if you tried to implement
> that idea and carefully measured the result.
> Analog systems are easily perturbed by the
> environment, so for example it could synchronize
> with an ambient signal from some other source,
> e.g. 60-Hz hum.

The amount of hashing down would have to
be adjusted to the particular system.
Certainly the "raw" output would have
a lot of internal and external correlations,
but after hashing down those would have
minimal impact on the system.

--
Void where prohibited by law.



------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Chaos theory
Date: Sat, 30 Sep 2000 18:16:59 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> zapzing <[EMAIL PROTECTED]> wrote:
>
> : Yes well I was sort of making the
> : unstated assumption that the chaotic
> : system would be implemented in analog
> : not in digital. Implementing a chaotic
> : system in digital *would* be a bad way
> : of making a PRNG, I admit.
>
> Well, that's essentially how most PRNGs are made.  If you use analogue
> systems, you're unlikely to wind up with a deterministic system.
>
> Determinism is the main reason for making a *P*RNG in the first place.
>
> If your system is not deterministic, you might as well go for a "real"
> RNG.
> --

That's exactly the use I was suggesting. The
random numbers so generated would be used in
applications where real random numbers are
needed.

--
Void where prohibited by law.



------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Sat, 30 Sep 2000 21:01:59 +0200

> Anyone know a rational reason for such a choice ?

123^3 (mod 123456789) = 123^3 = 1860867

If I have 1860867 I can calculate 123 by simply doing 1860867^(1/3) (e and N
are public).
I think that this is a good reason!

If you use a little e (log2 e < 90 or 100) there is some possible attack.

Cristiano



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Sat, 30 Sep 2000 19:41:41 GMT

In article <[EMAIL PROTECTED]>,
  Francois Grieu <[EMAIL PROTECTED]> wrote:
> It is well known that it might be dangerous to use a
> small public exponent e (like 3) in RSA encryption,
> because if the same message is available naively
> encrypted (i.e. without embedded user id and proper
> formatting) using  e  different known public keys,
> the message can be easily recovered.

The problem is when 'd' is too small as well.  Having more than
one person use the same encryption exponent is not a problem, but
sharing moduli can be a problem.

> However I see a tendency to use  e = 2^16+1  even in
> signature applications, like signature of downloadable
> code using ISO 9796-2 or the like. This, of course,
> makes signature verification over 8 times slower than
> with e = 3.
>
> Anyone know a rational reason for such a choice ?

First off it's not as dramatic as you think it is.  On my comp with MPI
I don't really notice a huge diff between e=3 or e=65537.

Second using e=65537 has the security advantage over e=3 I believe...
read up on the papers... I am not sure off the top of my head.

Tom



------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Sat, 30 Sep 2000 22:38:57 +0200

"Cristiano" <[EMAIL PROTECTED]> wrote:

> > Anyone know a rational reason for such a choice ?
> 
> 123^3 (mod 123456789) = 123^3 = 1860867
> 
> if I have 1860867 I can calculate 123 by simply doing 1860867^(1/3)
> (e and N are public).
> I think that this is a good reason!
> 
> If you use a little e  (log2 e<90 or 100) there is some possible attack.

Cristiano's example nicely illustrates the danger of using RSA to directly
sign unformatted messages, especially with small public exponents.

But some formatting (such as ISO 9796-2 or PKCS#1v2) is necessary
regardless of the public exponent, to guard against the multiplicative
property of RSA. Without formatting, we could combine known signatures
to obtain new ones simply by the multiplicative property:
   S((A*B)%N) = (S(A)*S(B))%N
[For example: get 10 signed, square the signature mod N, and you
have the signature of 100].

Since all formatting schemes around do produce a number about the size
of the modulus, small public exponents are not an issue with respect
to the attack Cristiano points out, when formatting is used.

   Francois Grieu
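The cube-root forgery in Cristiano's post and the multiplicative-property forgery in this reply, placed side by side with a full-width formatted variant that defeats both, as an added Python example (not code from either poster). The key is a constructed toy one (64-bit primes chosen so that e = 3 is valid), and the formatting is a PKCS#1 v1.5-shaped encoding with a truncated SHA-256 that only illustrates the principle; it is not a standard scheme.

```python
import hashlib

# Toy key generation (constructed): Miller-Rabin with bases that are
# deterministic for every n < 3.3e24, so these 64-bit primes are exact.
SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for a in SMALL:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime_2mod3(n: int) -> int:
    """First prime p >= n with p % 3 == 2, so gcd(3, p - 1) == 1 and e = 3 is usable."""
    while not (n % 3 == 2 and is_prime(n)):
        n += 1
    return n

E = 3
P = next_prime_2mod3(2**63 + 12345)   # constructed start points, not real key material
Q = next_prime_2mod3(2**63 + 67890)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+ modular inverse)

# Textbook RSA: sign the bare integer, no formatting at all.
def sign_raw(m: int) -> int: return pow(m, D, N)
def verify_raw(m: int, s: int) -> bool: return pow(s, E, N) == m

# Forgery 1 (Cristiano's cube): any s is a valid raw signature of s^3 as long as
# s^3 < N never wraps around; no private key needed.  Returns (message, signature).
def forge_cube(s: int) -> tuple: return (pow(s, E), s)

# Forgery 2 (multiplicative property): S((A*B)%N) = (S(A)*S(B))%N, so two known
# signatures give a third one for free.  Returns (message, signature).
def forge_product(ma: int, sa: int, mb: int, sb: int) -> tuple:
    return (ma * mb % N, sa * sb % N)

# Full-width formatting (toy, PKCS#1 v1.5 shaped, truncated SHA-256): the encoded
# value is about the size of N, so neither forgery yields a well-formed encoding.
KLEN = (N.bit_length() + 7) // 8

def encode(msg: bytes) -> int:
    h = hashlib.sha256(msg).digest()[:8]
    em = b"\x00\x01" + b"\xff" * (KLEN - 3 - len(h)) + b"\x00" + h
    return int.from_bytes(em, "big")

def sign(msg: bytes) -> int: return pow(encode(msg), D, N)
def verify(msg: bytes, s: int) -> bool: return pow(s, E, N) == encode(msg)
```

With raw signing both forgeries verify; with the formatted variant the verifier recomputes the encoding of the claimed message, and the forged values no longer match it.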

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Twofish Idea
Date: Sat, 30 Sep 2000 20:52:33 GMT

I probably mentioned this before... but I am bored so here we go...

In Twofish there are four key dependent 8x8 sboxes.  If I am not
mistaken they take at most 32-bits each (five q' mappings).  However
why not use something like F(x) = (a/(bx+c) + d) where n/0 = 0, etc...
It's nonlinear and has a low dpmax (well at least when a=1).  Since
it's key dependent each diff/linear char will hold for 1/255 for all
keys.

It's much simpler than the q' idea and probably has better
cryptographic properties... Of course for the four sboxes different
primitive polynomials in GF(2^8) can be used to ensure that identical
values will not lead to identical sboxes...

Tom


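The S-box the post proposes, built and measured as an added Python example (not the poster's code): F(x) = a/(b*x + c) + d is taken as GF(2^8) arithmetic (addition is XOR, division by zero yields zero as the post specifies), the field polynomial is 0x169 (the one Twofish's MDS matrix uses), and the key bytes a, b, c, d are constructed. It checks that the map is a permutation and computes the largest difference-distribution-table entry, i.e. the "dpmax" the post refers to.

```python
POLY = 0x169  # x^8 + x^6 + x^5 + x^3 + 1, the field polynomial of Twofish's MDS matrix

def gf_mul(x: int, y: int, poly: int = POLY) -> int:
    """Multiply two GF(2^8) elements, reducing modulo poly (shift-and-add)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= poly
        y >>= 1
    return r & 0xFF

def gf_inv(x: int) -> int:
    """x^254, which is x^-1 for x != 0 and 0 for x == 0 (the post's n/0 = 0 rule)."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def make_sbox(a: int, b: int, c: int, d: int) -> list:
    """S(x) = a * inv(b*x + c) + d over GF(2^8); a, b, c, d are the key bytes."""
    return [gf_mul(a, gf_inv(gf_mul(b, x) ^ c)) ^ d for x in range(256)]

def is_bijective(sbox: list) -> bool:
    return sorted(sbox) == list(range(256))

def max_ddt(sbox: list) -> int:
    """Largest DDT entry: max over dx != 0, dy of #{x : S(x) ^ S(x ^ dx) == dy}."""
    best = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

def dpmax(sbox: list) -> float:
    """Maximum differential probability, the quantity the post calls dpmax."""
    return max_ddt(sbox) / 256

if __name__ == "__main__":
    box = make_sbox(0x53, 0xC7, 0x2A, 0x9D)  # constructed key bytes
    print("bijective:", is_bijective(box), "dpmax:", dpmax(box))
```

Because the input map x -> b*x + c and the output map y -> a*y + d are affine bijections whenever a and b are non-zero, the DDT profile is that of field inversion itself, so every such key yields the same dpmax; b = 0 collapses the box to a constant.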

------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Sat, 30 Sep 2000 23:02:36 +0200

Thanks to Pierre Vandevenne for pointing out the paper:
Arjen Lenstra, Eric Verheul: Selecting Cryptographic Key Sizes
<ftp://ftp.sunet.se/pub/security/docs/crypt/cryptosizes.pdf>
which contains:

"There is evidence that the equivalence (..of factoring and
 RSA..) does not hold if the (..public exponent is small..).
 Based on recent results in this area the public exponent for
 RSA must be sufficiently large. Once popular values such as
 3 and 17 can no longer be recommended, but commonly used
 values such as 2^16+1 = 65537 still seem to be fine."

What is this evidence ? Does it apply to properly formatted
RSA signatures ?

   Francois Grieu

------------------------------

From: Andreas Gunnarsson <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: HELP ME SOLVE THIS SECRET CODE...
Date: Sat, 30 Sep 2000 23:19:31 +0200

I haven't seen any answers yet so "spoiler" is after the message...

(btw, are you sure that 611713 shouldn't be 6112713?)

"Supreme Commander"<[EMAIL PROTECTED]> wrote:
> 1774-611713-407713-5324-5*11133713-8883
> 
> ~19~
> 143-50-1771164-17-
> 1771551176-11-70175-
> 17-15-(09/15/00)-(11:57pm)-
> 1177-43123-50-1-6817-
> 7011-17-7411715-940-
> 115-17-743-9857-7-
> 177017745-17-485-
> 83317-50-81113501773-
> 111487-1113-48113-15-
> 50-12381-1-48113-17311312-
> 94317-7415-11184-
> 83940123-11-12-743-
> 612387357-741176-1-
> 111177-10113-11-4-311312
>                                       ~486~
> 
> -------
> 
> * = This may be a 5 or 3.  It's hard to read.  I think it's a 5.  My friend
> thinks it is a 3.
> 
> This was written beside the message...
> 
> 19-17-486-
> 4-311312



59017312

   Andreas

--
Andreas Gunnarsson  -  [EMAIL PROTECTED]
Using a metaphor as proof is like selling water and charging for single malt
QED


------------------------------

From: Dan Kegel <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Again a topic of disappearing e-mail?
Date: Sat, 30 Sep 2000 15:00:10 -0700

"David C. Barber" wrote:
> > The following is in the ACM Technews:
> >
> > Email users will soon be able to erase the messages they send
> > from the recipient's hard drive using software called SafeMessage
> 
> I gather the only way this program can work is that the program itself is
> required for display of the message.  Each time the message is recalled for
> display the program decides to either Display or Delete.
> 
> Otherwise I'd like to see how it deletes the backup copy on a
> write-protected floppy disc.

I can't speak for SafeMessage, but the way Disappearing Inc. does
it is by keeping the messages encrypted, using clients that
fetch the key from a server and agree not to cache it,
and deleting the key from the server when it's time for
the message to vanish.
It is for use between parties who already have an incentive
to not keep old email around, and who agree to not subvert the
system by printing out email etc.

This has been discussed at length in earlier posts here.
A common objection is "But what if the recipient prints the message out?",
but since the system is for use between parties who agree not to do that,
it's not really an issue, I think.

- Dan

------------------------------

From: [EMAIL PROTECTED] (Ian Goldberg)
Subject: Re: Adobe Acrobat -- How Secure?
Date: 30 Sep 2000 21:58:12 GMT

In article <8r0pc5$2nu9$[EMAIL PROTECTED]>,
David C. Barber <[EMAIL PROTECTED]> wrote:
>This does lead to an interesting question about Acrobat security though.  If
>one is to mount an attack against an Acrobat encrypted document, does it
>make more sense to: 1) Attack the reader code (as you suggested below that
>some attacks have been done, though I haven't tried any of them); 2) Attack
>the document itself with some sort of filter to remove/alter the protection
>specification value(s); or 3) Write a viewer from the specification that
>ignores the protection?

3.  ghostscript can read encrypted pdf's, is free, and open-source.
I'm fairly sure it has no idea what to do with the PDF "view but can't
print" bit.  Does anyone have a sample "unprintable" PDF lying around
we can try this on?

Note that this assumes that the password used to encrypt the document is
either the default one, or known.  If the password is unknown (so you
can't even *read* the document), it's only 40-bit RC4, so have your PIII
hit it for a while, *then* read and print it.

   - Ian

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Deadline for AES...
Date: Sun, 01 Oct 2000 00:16:49 +0200



John Savard wrote:
> 
> What is true is that no one candidate seems to have generated
> excitement, but then it isn't that kind of a contest. (It ran longer
> than _Survivor_...)

I expect that there would be more interest on the winner(s)
from our group once that's decided. 

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Sun, 01 Oct 2000 00:16:15 +0200


I would like to add some remarks that are mainly a résumé of what I
wrote in the other follow-ups:

1. The permutation should be done with a PRNG using a secret
   seed pertaining to the session without resetting. The
   alternative of using halves of the message bits during 
   the course of processing to do permutation (via sorting) 
   could favour the opponent in a chosen-plaintext attack. 
   (Of course, this kind of permutation could be done in 
   addition to the one performed by the PRNG.)

2. Block chaining could be done for the different cycles 
   and in different directions.

3. Random rotation of words could also be done.

4. One could also use a number of different keys for the 
   different blocks.

5. What I termed the scaled-down version is likely to be
   unfavorable for actual usage.

6. It is not the purpose of my article to suggest that 
   all the stuff mentioned should be included in an 
   implementation but rather to point out that, if one 
   does a kind of horizontal slicing of a block cipher and 
   extends the individual cycles to the whole message, 
   then there are ample new opportunities to introduce 
   'complexities' for the opponent, namely when one does 
   in each cycle certain operations that are chosen with 
   a view to encompassing the entire message rather than 
   concentrating one's attention always on each single 
   block at a time and working vertically down it in the 
   manner that is commonly done for block ciphers.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: NIST Statistical Test Suite
Date: Sun, 01 Oct 2000 00:16:27 +0200



Mathew Hendry wrote:
> 

> Anyone had any luck with it? It crashes on me during the tests. 

I suggest that you inform the implementors.

M. K. Shen

------------------------------

From: "bubba" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: NIST Statistical Test Suite
Date: Sun, 01 Oct 2000 00:33:03 GMT

I built it last night using Microsoft VC6.0 for x86.
I had to dummy out erfc() and erf(), as those are
not standard in the PC world. I wish they would
have released PC-compatible source; more than
a few of us use those nowadays.

I got plenty of warnings. Some suggest SUN's
compiler misses questionable code.

The executable runs, but I fell asleep downloading
the sample data. Maybe I will fool with it again later.



"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> While all the current attention of our groups in direction
> of NIST is apparently on AES, I believe that it is barely
> known that NIST has just contributed something also of
> essential interest to us. In
>
>      http://csrc.nist.gov/rng/
>
> there is now available for download an apparently
> fairly good statistical test suite. A technical problem
> may be however that the stuff is in UNIX tar files.
>
> I hope that this news is of value to those interested
> in random numbers. If someone gains practical experience
> with the test suite, it would be nice if he will give
> a report on that to us.
>
> M. K. Shen
> -------------------------
> http://home.t-online.de/home/mok-kong.shen



------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: NIST Statistical Test Suite
Date: Sat, 30 Sep 2000 17:43:27 -0700


Mathew Hendry <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, 29 Sep 2000 23:08:45 +0200, Mok-Kong Shen <[EMAIL PROTECTED]>
> wrote:
>
> >While all the current attention of our groups in direction
> >of NIST is apparently on AES, I believe that it is barely
> >known that NIST has just contributed something also of
> >essential interest to us. In
> >
> >     http://csrc.nist.gov/rng/
>
> Anyone had any luck with it? It crashes on me during the tests. The only
> changes I made to persuade it to compile were to remove the declaration of log2 in
> cephes-protos.h (it's defined as a macro on my system), and to adjust the path
> to gcc in the makefile. I compiled using cygwin 1.1.4 (Win2k, gcc 2.95.2). It
> seems from the documentation that the package was mainly developed and tested
> under SPARC/Solaris/gcc.

They state that they did port the code onto a "200MHz PC using MS visual
C++ 6.0". I have a 233 P2 running Win98 and MSV C++ 6.0. I'll try it out
over the weekend and let you know what happens.

Would it have been a bad thing for them to post a few compiled packages
and specific install instructions that are known
to operate properly on common OS's? Perhaps if we come up with a few
that don't puke, and that actually pass the sample tests, maybe we can share?

Paul

>
> -- Mat.
>

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: AES announcement due Monday 2nd October
Date: Sat, 30 Sep 2000 21:09:02 -0400

Brian Gladman wrote:
> Nevertheless, I will be rather surprised if multiple winners are adopted.

If they select multiple algorithms, then they have lost sight of the
original goal, which was to standardize a single sufficiently good
encryption algorithm to replace DES.  The only commercial
consideration should be how well the algorithm supports commercial
requirements for a standard block cipher algorithm.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: My Own Revision of Twofish
Date: Sun, 01 Oct 2000 01:00:21 GMT

I got bored so I packed some of my ideas into a Twofish like (NOTE:
THIS IS NOT THE SAME AS TWOFISH) cipher.  I used the sboxes I was
talking about; instead I use eight of them.  Currently the source on my
website doesn't take into account when the multiplicand is zero, I plan
to treat zeros as -1.  I moved the rotations into the output of the MDS
multiply, the rotations are key dependent (but forced odd, and they are
the same for all rounds).  Also I use 8 8x8 sboxes (thus there are 8
8x32 sboxes).

I plan to revise the code tomorrow.  I mainly designed it on paper
first so I hope I got the details right...

Please comment on it if you can (I would appreciate the comments).

Note:  I am aware my cipher is much less versatile than the original.
I wouldn't consider this an "upgrade", mainly my ideas thrown at
Twofish.  I intended this cipher for "bulk data" encryption on
desktops.  It could be done with little ram but would be insanely slow.

http://www.geocities.com/tomstdenis/

(near the bottom).

Tom



------------------------------

From: [EMAIL PROTECTED]
Subject: Very Interesting Article To Help All Of Us!
Date: Sun, 01 Oct 2000 01:41:27 GMT

I just read this article titled "Have You Heard The News?-New
Scientific Weight Loss Technology".  It's pretty fascinating, and has
tons of stories on how all kinds of people are using this new
technology to lose weight FAST, and apparently, very safely.  It's
several paragraphs long so I didn't want to post it all here where you
might have to pay for the time you are "online".  I went ahead and put
a copy of it on my autoresponder, so you can get it emailed to you and
read it at your own convenience.  To get a copy of this article, just
send any email to [EMAIL PROTECTED] and you'll get it emailed
right back to you in a few minutes.

Happy Reading!
April



------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: PRNG improvement??
Date: Sat, 30 Sep 2000 18:42:06 -0700


[EMAIL PROTECTED] wrote:

> Now if I seed the PRNG with true random numbers, license plates,
> system clock, keyboard latency measurements, etc. and seed often, and
> shuffle often, will I, after say 10,000 shuffles & 30,000 seeds, begin
> to approach the level of patternless 'randomness' necessary for a
> cryptographical secure One Time Pad? It's uniform. It's long. The
> question is, will this method introduce enough randomness?

        All you've done is make things worse! If the first output is 200, I
know the second output has a less than usual chance of also being 200.

        DS

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************