Cryptography-Digest Digest #841, Volume #12       Wed, 4 Oct 00 17:13:01 EDT

Contents:
  NSA quote on AES (David Crick)
  pronunciation of "DES" (David Crick)
  Re: the truth about rijndael cracked by biham (Allen Ethridge)
  Re: On block encryption processing with intermediate permutations (Mok-Kong Shen)
  Re: pronunciation of "DES" (Mok-Kong Shen)
  Re: Is there any keyed MD5 or Blowfish encryption software out there? ([EMAIL PROTECTED])
  Re: Democrats, Republicans, AES... ("Joseph Ashwood")
  Re: Statistics about SSLvX use ?? ciphers use ? ("Joseph Ashwood")
  Re: Choice of public exponent in RSA signatures ("Joseph Ashwood")
  The best way to pronounce AES (Scott Craver)
  Re: RC6 royalty free or not? (David Hopwood)
  Re: It's Rijndael (David Hopwood)
  Re: Choice of public exponent in RSA signatures (David Hopwood)
  Re: It's Rijndael (David Hopwood)
  Re: Choice of public exponent in RSA signatures (David Hopwood)
  Re: Democrats, Republicans, AES... (Mok-Kong Shen)
  Re: My Theory... (Mok-Kong Shen)
  Re: No Comment from Bruce Schneier? (Mok-Kong Shen)
  Re: PRNG improvment?? (David Schwartz)

----------------------------------------------------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: NSA quote on AES
Date: Wed, 04 Oct 2000 20:36:13 +0100

"The National Security Agency (NSA) wishes to congratulate the National
Institute of Standards and Technology on the successful selection of an
Advanced Encryption Standard (AES). It should serve the nation well. In
particular, NSA intends to use the AES where appropriate in meeting the
national security information protection needs of the United States
government."

 Michael J. Jacobs
 Deputy Director for Information Systems Security
 National Security Agency

- http://www.nist.gov/public_affairs/releases/aescomments.htm

-- 
+-------------------------------------------------------------------+
| David A. Crick <[EMAIL PROTECTED]> PGP: (OCT-2000 KEY) 0xE0F73D98 |
| Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
+-------------------------------------------------------------------+

------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: pronunciation of "DES"
Date: Wed, 04 Oct 2000 20:39:06 +0100

Thinking back to a long-running thread on here a while back, it was
interesting to note that Dr Cheryl Shavers pronounced DES as "dee
ee ess" (rather than "dez") during her part in the AES announcement.

I don't know about any of the others who followed her, since I keep
getting server time-outs in Real Player so can't hear/see the rest
of the webcast. :(

-- 
+-------------------------------------------------------------------+
| David A. Crick <[EMAIL PROTECTED]> PGP: (OCT-2000 KEY) 0xE0F73D98 |
| Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
| M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
+-------------------------------------------------------------------+

------------------------------

From: [EMAIL PROTECTED] (Allen Ethridge)
Subject: Re: the truth about rijndael cracked by biham
Date: 4 Oct 2000 19:44:08 GMT

[EMAIL PROTECTED] wrote in <8rfopa$85o$[EMAIL PROTECTED]>:

>I thought there was more people reading sci.crypt
>but nope, only 100 people
>
>It's a little newsgroup here

I imagine quite a lot of us, like myself, didn't find it necessary to 
actually go to the web site to determine that your post was bogus.

-- 
"Sadness falling like burned skin."

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Wed, 04 Oct 2000 22:15:51 +0200



Bryan Olson wrote:
> 
> Mok-Kong Shen wrote:
> >
> >
> > Bryan Olson wrote:
> > >
> > > Mok-Kong Shen wrote:
> > > > Bryan Olson wrote:
> > > > > Mok-Kong Shen wrote:
> > > > > > Bryan Olson wrote:
> > > > > So the scheme is only appropriate when a new key will be
> transported
> > > > > for each session?  Note that a conventional block cipher and
> > > > > chaining mode can support arbitrarily many sessions and messages
> > > > > with a single key.
> > > >
> > > > Then you send the secret seed with that 'single' key.
> > > > I don't understand what is the problem that you see here?
> > >
> > > O.K. that's clear.  Now the attacker just repeats the same
> > > encrypted seed so the chosen plaintext attack can use the
> > > same permutation in multiple messages, just as before.
> 
> Hmmm, I mis-explained that.  The attacker uses the same
> differentials as in the chosen plaintext attack, but what he
> actually uses is chosen ciphertext.

O.k. Now you want to use, if I don't err, the most unlikely
kind of attack. Of course, one should also take that into
account. Now please tell me what if there is no permutation 
at all and you have before you the original block cipher 
and you use a chosen ciphertext on it. Would that involve 
less work or more work than in the case with permutation as
I described? I like to have a definite answer and a tiny
bit explanation for that. Please do answer my question this 
time. If you really want to 'laugh', as you indicated in 
the following part that I snipped, you can do that much 
much better later on, if indeed you succeed to win your 
arguments. I am not used to discussions where people don't 
express their direct opinions. We are discussing science, 
not politics or theology, etc. I never consider it a
'loss of my image' or the like, if I get defeated in a
scientific discussion. (It would be different, if I were
morally wrong.) I am confident that you share the same 
opinion. So let's discuss and be fair to each other.

> 
> > The seed of PRNG is of course not to be reset, as I
> > mentioned previously several times.
> 
> Then you'll inevitably lose synchronization between sessions.

There is fortunately a tradeoff of disadvantage/advantage. 
The loss of synchronization allows namely the detection of 
the attack, which cannot be detected for the original block 
cipher under the same chosen ciphertext attack. Depending 
on the application, the gain may even outweigh the loss.
In case one can't afford loss of synchronization (and
resumption) at all, which is likely to occur only in 
comparatively important applications, then one almost 
surely can afford the higher expense of employing a different 
key plus seed for each session.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: pronunciation of "DES"
Date: Wed, 04 Oct 2000 22:19:20 +0200



David Crick wrote:
> 
> Thinking back to a long-running thread on here a while back, it was
> interesting to note that Dr Cheryl Shavers pronounced DES as "dee
> ee ess" (rather than "dez") during her part in the AES announcement.
> 
> I don't know about any of the others who followed her, since I keep
> getting server time-outs in Real Player so can't hear/see the rest
> of the webcast. :(

So you are very interested to know how AES (or whatever the
successor) is pronounced?

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is there any keyed MD5 or Blowfish encryption software out there?
Date: Wed, 04 Oct 2000 20:11:07 GMT
Reply-To: [EMAIL PROTECTED]

Thanks for the quick reply...

Basically, what I need is an encryption scheme which takes a seed key
and passes that and a string (to be encrypted) to a VB bas file, OCX, or
DLL to generate an encrypted string.

That encrypted string will be passed to a C/UNIX application which will
also know the seed key which it will use to decode the encrypted string.

The process needs to work in the opposite direction also. A string in
C/UNIX needs to be encrypted using a seed key and then decoded on the vb
client using the vb bas file, OCX, or DLL to get the unencrypted string.

I am asking for an MD5 or Blowfish algorithm because these, I am told,
are widely accepted encryption schemes that can be used outside of the
US (unlike DES)

Does such software already exist, or am I searching for a holy grail?

Thanks in advance!

Scott

[EMAIL PROTECTED]

In article <8rd3eg$1k4$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <8rd32r$1d8$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > Your help is MUCH appreciated... I'm looking for a DLL, Active-X
> control
> > or .Bas module that implements a Keyed MD5 scheme which can be used
> > outside of the US too. I am using vb on the front end and Unix/C
> > on the back end so it must be implemented in both Unix/C and VB so
> that
> > I can encrypt and decrypt strings to and from eachother.
>
> MD5 is not technically a cipher.  Are you using MD5 as a stream
> cipher, a block cipher or a hash?
>
> > So far I have searched the web and have come up with nothing that :
> >
> > 1) Has both a VB and C/Unix implementation
> > 2) Can take in a Key for encrypting/decrypting
> > 3) Can be used outside of the US also (I hear that if the control
> > implements DES also, you are considered an arms dealer if you export
> it)
> >
>
> What do you want with MD5?
>
> Tom
>
>



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Democrats, Republicans, AES...
Date: Wed, 4 Oct 2000 11:11:24 -0700

> As a historical query, does anyone know if "warm, fuzzy feelings" were
> linked to cryptography before the publication of "Applied Cryptography"?
Lacking proof, I'd say that Enigma gave the Germans warm-fuzzies (probably
not that word), and they obviously trusted that above the information
leakage.
                Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Statistics about SSLvX use ?? ciphers use ?
Date: Wed, 4 Oct 2000 11:19:03 -0700

A quick check of a site tells me that most likely the most common one is RSA
with RC4. To be safe use a 1024-bit RSA key (or bigger depending on your
requirements/abilities) and use 128-bit RC4; the 1024-bit RSA will slow the
initial stuff down a little, but 128 vs 40-bit RC4 doesn't matter for speed.
                Joe

"Laure Barrere" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>     I'm doing a model where I need to do a benchmark to estimate SSL
> impact in our product. To do that, I have to estimate what is the most
> common used. I am a newbie in crypto. Do you have any information/URL on
> "what version of SSL is the most used, what are the ciphers the most
> used ?". I really have no idea on that.
> Please, help me :) !
> Thanks in advance,
> Laure.
>
>



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Wed, 4 Oct 2000 11:29:08 -0700


"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Joseph Ashwood" <[EMAIL PROTECTED]> writes:
> > Well my personal view on it is that n-prime RSA can be no
> > stronger than 2-prime RSA, and against certain factoring
> > methods will be substantially weaker.
>
> Why should anyone care what your personal views are if you don't have
> any mathematical evidence for them?

We have plenty of empirical evidence. Factoring algorithms come in three
general types: those that factor in the same time regardless of factor
sizes, those that factor numbers with smaller factors faster, and
those that exploit some artifact of the prime choosing methods. Only the
first two matter for this decision (the third is in the generation, which is
separate). The 2-prime version clearly has an advantage against n-prime RSA
simply from the fact that the primes cannot be larger than the primes for
2-prime when the factoring algorithm works faster with smaller factors. When
the algorithm takes the same time regardless of factor size, the 2 proposals
are equal. I have no proof that it must remain this way, but I have seen
evidence only that numbers with 2 factors must be at least as hard to factor
as n-prime, therefore lacking evidence to the contrary I will retain my
stand that 2-prime RSA is at least as strong as n-prime RSA.


> Example: for a 4b-bit modulus with two 2b-bit factors, decryption
> takes roughly [some constant c] * 2 * (2b)**3 = 16*b**3 operations,
> while with four b-bit factors it would take c * 4 * b**3 operations
> which is 4x faster.

Thank you, that was fairly well exactly what I was asking. So becoming
more generic, the equation is approximately c*n*(B/n)**3, where B is the
size of the modulus, and n is the number of separate parts. So the speed up is
n1**2/n**2, where n1 is the known factorization of B1, and n is the known
factorization of B, for some B1 and B that are very close.
                                Joe
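The cost model in the exchange above (one exponentiation per prime factor, each on a
modulus of about B/n bits, so roughly c*n*(B/n)**3 work) is easiest to see in code.
The block below is an added example, not code from the digest or from any of its
posters: it builds toy multi-prime RSA keys, decrypts with the Chinese Remainder
Theorem, and evaluates the cost model. Key generation uses fixed starting points and
a deterministic Miller-Rabin test so the run is reproducible; the prime sizes (20-bit
and 40-bit) and the modulus size B=1024 in the cost comparison are assumptions for
illustration, not real key parameters.

```python
# Added example (not from the digest): multi-prime RSA decryption via the CRT,
# plus the c*n*(B/n)^3 cost model from the thread.  Key generation is a
# deterministic toy (fixed starting points, Miller-Rabin) so the output is
# reproducible; do not use it to make real keys.
from fractions import Fraction
from math import gcd, prod

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def is_probable_prime(n):
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def multiprime_keygen(bits_per_prime, n_primes, e=65537):
    """RSA key whose modulus is the product of n_primes primes of bits_per_prime
    bits each, so the modulus has about B = n_primes * bits_per_prime bits."""
    primes = []
    for i in range(n_primes):
        # fixed, spread-out starting points in [2^(b-1), 2^(b-1) + 2^(b-2))
        start = (1 << (bits_per_prime - 1)) + ((1000003 + i * 99991) % (1 << (bits_per_prime - 2)))
        p = next_prime(start)
        while p in primes or gcd(e, p - 1) != 1:
            p = next_prime(p)
        primes.append(p)
    N = prod(primes)
    phi = prod(p - 1 for p in primes)
    return {"N": N, "e": e, "d": pow(e, -1, phi), "primes": primes}


def decrypt_crt(c, key):
    """c^d mod N as one exponentiation per prime (each on a ~B/n-bit modulus),
    recombined with the CRT.  This is where the n * (B/n)^3 estimate comes from."""
    N, d = key["N"], key["d"]
    m = 0
    for p in key["primes"]:
        m_p = pow(c % p, d % (p - 1), p)  # Fermat: d may be reduced mod p-1
        M_p = N // p
        m += m_p * M_p * pow(M_p, -1, p)  # CRT reconstruction term
    return m % N


def crt_cost(n_splits, B):
    """Cost model from the thread: n exponentiations on (B/n)-bit numbers, each
    costing about (B/n)^3 multiplications (the constant c is dropped)."""
    return Fraction(n_splits) * Fraction(B, n_splits) ** 3


def speedup(n_from, n_to, B=1024):
    """Decryption speedup from splitting the modulus into n_to primes instead
    of n_from; B^3 cancels, leaving n_to^2 / n_from^2 (2 -> 4 primes gives 4x)."""
    return crt_cost(n_from, B) / crt_cost(n_to, B)
```

The speedup is exactly the 4x Paul Rubin computed for four b-bit factors against two 2b-bit ones, and `decrypt_crt` agrees with the plain `pow(c, d, N)` for both key shapes; whether the extra, smaller primes weaken the modulus against ECM-style factoring is the separate question argued in the post above.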





------------------------------

From: [EMAIL PROTECTED] (Scott Craver)
Subject: The best way to pronounce AES
Date: 4 Oct 2000 20:31:23 GMT

        I know I have no authority to decide these things, but I
        strongly feel that "AES" should be pronounced, "uh-YES."

        Like Mr. Dingle or whoever it was from the train station in
        the old Jack Benny radio show.  "auhYEEEEEEEEEEEEEEEEEEEEEESSSS????"  
        
                                                        -S

        "Oh, not you again!"  
        "Train now leaving on track 5 for Anaheim, Azusa, and KOOK-kamunga."

------------------------------

Date: Wed, 04 Oct 2000 03:08:16 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: RC6 royalty free or not?

=====BEGIN PGP SIGNED MESSAGE=====

"Sami J. Mäkinen" wrote:
> I couldn't tell by reading the papers from RSA webpage that
> is RC6 royalty free or not (to use in shareware program)?

RC6 is patented, and there has been no statement from RSA Security Inc.
that it will be royalty-free, so I'd assume that it won't be unless you
hear otherwise.

- -- 

David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOdqQ+zkCAxeYt5gVAQEKcgf/UMHyzLoO3PSI0O2wPnajSEc5lo0C38hG
aTtlpLctFZYLO69UP6sXQd7c94Nm6V3J4+BG6WvsNWSCIiAxpbzxnyuIVIwJpsK0
YHCcfdBWNH+Q4DDnw2ROjpr3HhK4nNbNAhzhgH3I7eZDG7ff1Oy9y8J4B4LLgeFw
h6QBIEoQp4mjEuyceIZl5IrrBez5DfYaBN4YOHEJ60ySh8jEij3LCKjw/6uHhpVt
63rz0um5PQuhhvuckjrxGo8Cl674whhwZkoolv6D0m+i710kB5y90H467ux14Zm8
XsX0bWuf4nzWLtE7vq35c6sGxJsDCfK7uaiLkZxgn8Q8Ge2OeoCREA==
=/N2A
=====END PGP SIGNATURE=====



------------------------------

Date: Wed, 04 Oct 2000 04:18:03 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: It's Rijndael

=====BEGIN PGP SIGNED MESSAGE=====

John Savard wrote:
> On Tue, 3 Oct 2000 12:43:26 +0200, Serge Paccalin
> <[EMAIL PROTECTED]> wrote, in part:
> 
> >So, the US authorities still think that people that can design a
> >fairly good encryption algorithm cannot implement it in a working
> >product? :-)
> 
> It *helps* if the computers of the world all use the U.S. designed
> Microsoft Windows operating system, which means that anyone making a
> compiler that produces programs that run on it has to license
> "windows.h" from Microsoft (if not the Microsoft Foundation Classes as
> well, which nearly every compiler maker would also do) and therefore
> is compelled - regardless of which country they are located in,
> although I'm not aware of too many non-U.S. compilers for Windows -
> to include in their license agreements a clause requiring foreign
> users of the compiler not to do anything with it that might constitute
> a violation of U.S. export laws.

Writing and compiling an encryption program outside the U.S. is not
a violation of U.S. export laws, and never has been.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOdqhWDkCAxeYt5gVAQETIggAxDBLvKjFrlTF4b5rTi3totc8E9W7xBQd
F6RnxM9q7DjDANe97K+zDFlnTiMlgz75XjqAkspmvjW+FWehEqDW26Tt7/6ChXN/
/x9h1lLQMXJTpznbSMcI3F9JIZH+MkgwdNObe5bQDHnuDYIN4e7md7+BYRCWyK3G
K6TDcqjQuSRCCGaMmjHJHj/ujfMCJErYgT2YTF6o0m+25NGfVlwDfaNa9WEREa6D
0O5Te8130vhfuVmUgGLyi95PkDmx0zSXE67iK13r8S6/VlryzcHaxrHdDXjiOd7O
7+abPRJcSmQ2Gpg3WzfJikgiYPsz/+eAAesCoRj64btFP+xkw7AV+Q==
=8vpx
=====END PGP SIGNATURE=====



------------------------------

Date: Wed, 04 Oct 2000 19:01:24 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Choice of public exponent in RSA signatures

=====BEGIN PGP SIGNED MESSAGE=====

"John A.Malley" wrote:
> David Wagner wrote:
> > Yes, I am familiar with those attacks.  As I said, with proper use of
> > random padding (e.g., OAEP), the attacks do not apply.  Thus, I do not
> > see why they should provide a justification to prefer e>3.
> 
> I know nothing about OAEP and thus cannot respond. I will go and read up
> on it - there should be papers at the Counterpane crypto on-line
> library.
> 
> Is there a "must-read" paper or a set of "must-read" papers on OAEP you
> recommend?

- From <http://www.users.zetnet.co.uk/hopwood/crypto/scan/>
(in the asymmetric ciphers section under OAEP-MGF1):

  [Def] RSA Security, Inc.,
  PKCS #1: RSA Cryptography Standard, version 2.0.
  http://www.rsalabs.com/pkcs/pkcs-1/ 

  [Inf] IEEE,
  IEEE P1363a draft version 4 (D4).
  http://grouper.ieee.org/groups/1363/P1363a/index.html 

  [Inf] M. Bellare, P. Rogaway,
  Optimal asymmetric encryption -- How to encrypt with RSA,
  Extended abstract in Advances in Cryptology - EuroCrypt '94 Proceedings,
  Volume 950 of Lecture Notes in Computer Science (A. De Santis, ed.),
  Springer-Verlag, 1995.
  Full paper of revised version:
  http://www-cse.ucsd.edu/users/mihir/papers/pke.html#oae-paper 

  [Test] RSA Security, Inc.,
  Test vectors for OAEP-based encryption scheme: #1 and #2,
  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/p1ovect1.txt
  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1v2/p1ovect2.txt
  [for RSA/OAEP-MGF1(SHA-1)] 

> > And, in real life, everyone uses random padding, and the random padding
> > is large enough to avoid Coppersmith's attack.
> 
> With e = 65537 the padding can be smaller than the padding required for
> e = 3  while maintaining resistance against Coppersmith's Short Pad
> Attack.

That's beside the point, because for both OAEP and PKCS #1 v1.5, the
padding is large enough to avoid attacks on e = 3.

> Since fewer bits in the string to encrypt must be random pad,
> more bits in the string can be message bits - and thus there is more
> bandwidth for the message.

For OAEP, the overhead (i.e. the part of the block that cannot be used
for message bits) is just over 2t where t is the length of a
hash function output (say 128 or 160 bits). This is independent of the
encryption exponent.

In any case, PK encryption algorithms are normally used to encrypt
per-message keys for a symmetric algorithm, so the message bandwidth of
the asymmetric cipher itself is often not very important.

Unfortunately, for OAEP the non-malleability property doesn't extend to
the whole plaintext if you just encrypt a per-message key in the obvious
way, but that can be fixed by using a MAC as well as a symmetric cipher,
similar to DHAES. I have a method called XOAEP for doing this while
minimising the message expansion (which is useful for things like remailer
protocols, where the message expansion affects the maximum number of
remailers in a chain). It would also be useful for other applications that
would benefit from non-malleability, and I'm confident it is secure under
the same assumptions as OAEP in the random oracle model. I'll write it up
when I have time, and post it here.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOdpfzjkCAxeYt5gVAQFzOggAwa0kAnFIWAY5vRCTai9FtScJll6uVUoa
2/j2x8gn7ylO+lLx7dyicdG9vsvXXfA30NVn03FbEn8pANm2qmDAwQEO67SMPjo7
J4aL6fkea//vfamtSNroqv8XDlNHKoStTWrNVg3CVpvBjih1wX6wG8X8LEhIcB1e
Sy8pCdCWJ9xVh54d0jAKJo1Y87Fcp2Stku4vXQXWJLJQIpn9gCgWLYaQQND/ozz2
Na1v+O//3jSgn+25xvvtJ0wvEdupoVIz4Ori+FjSD0c8iQDBoCWo2tSjE1FeGYm8
5HxyyGa/VXgHXxaFp2lalXp3o+pndssUKvba51yEs94cRxnlHoqfxw==
=tI6L
=====END PGP SIGNATURE=====
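The overhead figure in the post above (just over 2t for a t-bit hash, independent of
the public exponent) comes straight out of the EME-OAEP encoding of PKCS #1 v2.0,
which the following added example implements with MGF1 and hashlib. This is
illustrative code written for this digest, not Hopwood's XOAEP and not RSA Security's
reference code; it assumes a k-byte RSA block and uses SHA-1 by default because that
is what the PKCS #1 v2.0 test vectors cited above use (pass hash_name="sha256" for a
64-byte overhead instead of 42). It performs only the padding step; the RSA operation
on the resulting block is left out.

```python
# Added example (not from the digest): EME-OAEP encoding and decoding as in
# PKCS #1 v2.0, showing the 2*hLen + 2 byte overhead.  Only the padding is
# done here; the RSA exponentiation on the encoded block is not.
import hashlib
import os


def mgf1(seed, length, hash_name="sha1"):
    """MGF1: H(seed || C) for a 4-byte big-endian counter C, until `length` bytes."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((length + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_max_message_len(k, hash_name="sha1"):
    """Usable message bytes in a k-byte block: k - 2*hLen - 2 (the 'just over 2t')."""
    return k - 2 * hashlib.new(hash_name).digest_size - 2


def oaep_encode(message, k, label=b"", hash_name="sha1", seed=None):
    """EM = 0x00 || maskedSeed || maskedDB, with DB = lHash || PS || 0x01 || M."""
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > oaep_max_message_len(k, hash_name):
        raise ValueError("message too long")
    seed = os.urandom(h_len) if seed is None else seed  # fresh per encryption
    if len(seed) != h_len:
        raise ValueError("seed must be hLen bytes")
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + message
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b"", hash_name="sha1"):
    """Inverse of oaep_encode; raises a single ValueError for every failure.
    A real implementation must also keep the checks constant-time and must not
    let the caller distinguish failure causes (the RSA step's leading-byte
    check included), otherwise the padding becomes a decryption oracle."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    l_hash = hashlib.new(hash_name, label).digest()
    sep = db.find(b"\x01", h_len)
    ok = (y == 0 and db[:h_len] == l_hash and sep != -1
          and all(b == 0 for b in db[h_len:sep]))
    if not ok:
        raise ValueError("decoding error")
    return db[sep + 1:]


def try_oaep_decode(em, k, label=b"", hash_name="sha1"):
    """Convenience wrapper: the recovered message, or None on any failure."""
    try:
        return oaep_decode(em, k, label, hash_name)
    except ValueError:
        return None
```

For a 1024-bit modulus (k = 128) and SHA-1 the block carries at most 86 message bytes, comfortably more than the per-message symmetric key the post says is normally all that gets encrypted this way.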



------------------------------

Date: Wed, 04 Oct 2000 19:03:21 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: It's Rijndael

=====BEGIN PGP SIGNED MESSAGE=====

Martin Wolters wrote:
> >Recently I attempted to look at MAGENTA but couldn't
> >locate any more its documentation. Could you help?
> 
> Here it is:
> 
> http://www.gel.ulaval.ca/~klein/maitrise/aes/magenta.pdf

Anyone have an URL for the SAFER+ paper? (It was pulled from both the
NIST and Cylink sites. I still have a copy, so I'll put it up if it is
not available anywhere else.)

To answer John Savard's question, the CRYPTON 1.0 paper is at

  http://crypt.future.co.kr/~chlim/pub/cryptonv10.ps

and CRYPTON 0.5 (the AES candidate) at

  http://crypt.future.co.kr/~chlim/pub/cryptonv05.ps

The papers for the other 12 first-round candidates are referenced at
http://www.users.zetnet.co.uk/hopwood/crypto/scan/

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOdp7ODkCAxeYt5gVAQERuwf/fMuiif7XKp9T87R+CwzLcPmTKzACnCwP
smil/eEV3NYy1q3emJ0NVe3fU1dp2Hs5AIwDiv1wsKNM618pVVk9kWRGALcjwaLz
+I5dgeccKBE/9nXolKbwPlaOqFNpFCVBGYP4urSxSSrmzq4w+ySbGDmPkRu3fKFv
t425KKsBCPQFyewtr5A/gNDwPLMJHDXpXFJkks36D6l5oB01aFxY8ufcNLvU5YHk
TqLWCldXGJhA7+aUvkTUgXZCtFrpM0l2Ut1vBiFeHyn8ML19fji31d0/cll92ICh
g9YLkURdV/pa4moQosICA99Eww2yxD+tZnT8Aphav6y5o11ItlKjMA==
=FPrR
=====END PGP SIGNATURE=====


------------------------------

Date: Wed, 04 Oct 2000 19:02:12 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Choice of public exponent in RSA signatures

=====BEGIN PGP SIGNED MESSAGE=====

Francois Grieu wrote:
[snip]
> Unfortunately, I know no accepted padding standard with provable
> security.
> If I could propose a standard, it may be a FDH[4] or PSS[5] scheme
> with exponent 2 (or 3 if marketing considerations rule), and SHA1
> or RIPEMD (or maybe some arithmetic hash scheme if there is a
> security proof) as the required hash.
> But AFAIK the FDH concept, or much less PSS, is not part of any
> ISO standard; is there one in P1363 or PKCS ?

PSS will be in IEEE P1363a, PKCS #1 v2.1, and a new version of
ISO/IEC 9796-2. Unfortunately there are some differences between the
proposed versions that will need to be ironed out, so if you implement
it now and need standards-compliance, be prepared to make some changes
(fairly minor, but enough that the final version will probably not
accept signatures made by the older versions).

The version of PSS currently in P1363a supports e = 2 (Rabin-Williams).

> NB: One problem with PSS is the need for a random number generator
> in the signer, and room for a subliminal channel.

All practical communication systems have subliminal channels, whether
or not the signature algorithm used does; I don't see that this is a
significant concern. That the signer needs an RNG is no different to
DSA (and the consequences of an RNG failure are less severe than for
DSA).

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOdpllDkCAxeYt5gVAQFWpAgAlSn4K2WszihqIJ1mF+r/oqF1wPmS0T3j
9NyTFX5LdsS852HXib+HOFCfX3NMAkwWzqma2niL1mbEe7pxj7On3gSo3lfPeuCG
YW/yRWTxVgrM3o0VFUlXRCmNqFjVURUaQWYBDZUSXzSNp7pCE7qsVqLlhrvgN00F
WzN8MV/KiKbNs1fjOPzYBfyqcyxjQ2iRn7zfIfDK0n4cMk+qANOMYNx9inxUDon7
G6N+OgRJvYJHOtfXNNdPk6o0TKLStsQqLR9jgS9vyslhSdcX8q/f/EPIhSnaGW8j
OJjD4qkhzpsQbuftlVZk7JmsEIvOoUyMFkD9QUwN2He1GWg+jbWo1Q==
=bg+5
=====END PGP SIGNATURE=====



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Democrats, Republicans, AES...
Date: Wed, 04 Oct 2000 22:59:10 +0200



Tim Tyler wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> 
> : I have many times suggested allowing variable number of rounds.
> 
> One problem that springs to my mind on this front is hardware
> implementation.  Since I believe more rounds equates to more area,
> hardware implementations that could read all Rijndael traffic would
> commonly occupy an area corresponding to the maximum possible number of
> rounds - probably not a desirable scenario.

You can have a standard specifying a minimum number of
rounds, say the present number, and allow the use of more
rounds as an option. Thus those who can afford more area,
longer processing time, trouble of getting the same number
of rounds at both ends, high cost of hardware, or what not 
can get the benefit (even if it is simply a psychological 
matter) of more rounds. Again using an example used 
elsewhere by me, the programming language Cobol has a 
number of 'levels' to suit different user needs.

> 
> : Another way is to go like 3DES.
> 
> Also probably not a desirable scenario.

This use, in my view, is quite independent of the standard, 
though it would be fine if there is one. In hardware,
there shouldn't be much loss in efficiency, I guess.
In software on a machine with more than one processor,
I suppose one could also do something to gain speed.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: My Theory...
Date: Wed, 04 Oct 2000 22:59:16 +0200



"SCOTT19U.ZIP_GUY" wrote:
> 
> [EMAIL PROTECTED] (Mok-Kong Shen) wrote:
> >
> >Thomas Pornin wrote:
> >>
> >> It is the NSA interest that the US companies use a strong cipher. Or, at
> >> least, a cipher that ONLY the NSA can break. Since the NSA is no more
> >> the richest organization in the world, they cannot play (anymore ?) the
> >> backdoor game. They are doomed to propose really strong ciphers.
> >
> >Is it quite sure that there are no organizations (public or
> >commercial) in the world that have more or less comparable
> >resources?

> 
>   I must not be understanding what you meant. Since I think I
> agree with you. So could you please clarify. Just what did you
> exactly mean. Please be specific.

There are in foreign countries also large public (I mean 
government) organizations (e.g. military, intelligence, etc.)
and large commercial organizations (e.g. manufacturers,
banks etc.) who can afford to do crypto work, maybe just as
well as the one that most crypto folks normally have in mind.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: Wed, 04 Oct 2000 23:04:27 +0200



Albert Yang wrote:
> 
> I expected to hear from a few people, Brian Gladman, the author's of
> Rijndael themselves etc...  But most of all, I expected Bruce to say
> something on sci.crypt.  Something sportsman-like, like, "Rijndael is a
> good algorithm, designed by two people who know what they are doing.  I
> want to congratulate them on being selected as the AES winner."

Why do you think it is useful/necessary for them to comment 
at this time? A proper and better time is when they manage
to find new attacks on Rijndael.

M. K. Shen

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: PRNG improvment??
Date: Wed, 04 Oct 2000 13:55:35 -0700


Tim Tyler wrote:
> 
> David Schwartz <[EMAIL PROTECTED]> wrote:
> : [EMAIL PROTECTED] wrote:
> 
> :> Now if I seed the PRNG with true random numbers, license plates,
> :> system clock, keyboard latency measurements, etc. and seed often, and
> :> shuffle often, will I, after say 10,000 shuffles & 30,000 seeds, begin
> :> to approach the level of patternless 'randomness' necessary for a
> :> cryptographical secure One Time Pad? It's uniform. It's long. The
> :> question is, will this method introduce enough randomness?
> 
> :       All you've done is make things worse! If the first output is 200, I
> : know the second output has a less than usual chance of also being 200.
> 
> I don't think that's true.  The original post may not have described
> the algorithm very precisely; but I can see no way to interpret it
> that would result in the effect described.

        Read back. He began with a small number of copies of each possible
output and then used his randomness to shuffle them.

        DS
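The defect Schwartz describes (a fixed number of copies of each possible output,
shuffled and then dealt without replacement) can be quantified. The block below is an
added example, not code from the digest or from either poster: it computes the exact
probability that two consecutive outputs repeat, the distribution of the next output
conditioned on what has already been dealt, and an empirical shuffle-and-deal check.
The alphabet size and copy count are constructed for the demonstration.

```python
# Added example (not from the digest): why dealing from a shuffled deck of
# `copies` copies of each value is not a one-time pad.  Parameters below are
# illustrative; the original post gives no specific alphabet or copy count.
import random
from fractions import Fraction


def deck(n_values, copies):
    """The generator's state: `copies` copies of each of n_values symbols."""
    return [v for v in range(n_values) for _ in range(copies)]


def exact_repeat_probability(n_values, copies):
    """P(second output == first output) when the deck is shuffled and dealt
    without replacement.  A uniform, independent source gives 1/n_values; this
    is strictly smaller, which is the leak Schwartz points out."""
    return Fraction(copies - 1, n_values * copies - 1)


def conditional_distribution(n_values, copies, seen):
    """Distribution of the next output given the outputs dealt so far.  Every
    value already seen becomes less likely, and a value seen `copies` times
    becomes impossible, so an attacker who learns part of the pad learns
    something about the rest of it."""
    remaining = {v: copies for v in range(n_values)}
    for v in seen:
        remaining[v] -= 1
    total = n_values * copies - len(seen)
    return {v: Fraction(r, total) for v, r in remaining.items()}


def sampled_repeat_rate(n_values, copies, trials, seed=1):
    """Empirical check: reshuffle the whole deck each trial and compare the
    first two outputs dealt.  Deterministic seed so the run is reproducible."""
    rng = random.Random(seed)
    d = deck(n_values, copies)
    hits = 0
    for _ in range(trials):
        rng.shuffle(d)
        hits += d[0] == d[1]
    return hits / trials
```

With 256 byte values and four copies each, the chance that the second pad byte equals the first is 3/1023, not 1/256, and after four occurrences of a byte that value can never appear again; no amount of reseeding or reshuffling before the deal changes this, because the bias is in the without-replacement dealing, not in the shuffle.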

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
