Cryptography-Digest Digest #843, Volume #12 Wed, 4 Oct 00 22:13:01 EDT
Contents:
Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would (Jim Gillogly)
Re: is NIST just nuts? (Tim Tyler)
Re: Requirements of AES (Tim Tyler)
Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Imad R. Faiad)
Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Dave Howe)
Re: No Comment from Bruce Schneier? (Scott Contini)
Re: It's Rijndael (John Savard)
Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would respond!!! (About
cryptograms) (Paul Rubin)
Re: RC6 royalty free or not? (Sami J. Mäkinen)
Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would (Jim Gillogly)
Re: OPEN LETTER ABOUT Rijndael to sci.crypt (SCOTT19U.ZIP_GUY)
Re: It's Rijndael ("Paulo S. L. M. Barreto")
Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would respond!!!
(About cryptograms) (Paul Rubin)
Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (Imad R. Faiad)
Re: OPEN LETTER ABOUT Rijndael to sci.crypt (John Savard)
----------------------------------------------------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would
Date: Wed, 04 Oct 2000 23:15:18 +0000
daniel mcgrath wrote:
> ADDENDUM FOR SECOND POSTING OF MESSAGE
>
> Why is Jim Gillogly so often not responding to my posts regarding the
> cryptograms? I have even been sending these messages to him as e-mail
> AS WELL AS posting them and he STILL won't saying anything. Where is
> he? I wish he would respond!!!
Everybody has lots of projects they're working on, some free and some
for money. I was interested in your problem and worked on it for a
while, made some observations and some progress, and set it aside.
My comments on your cryptograms do not entitle you to further comments --
if I get around to it I may look at it again with the further hints,
unless somebody else cracks it first. But unless I'm getting paid
I work on my own schedule on the things that interest me at the time.
In particular, your posting of cryptogram challenges is not a contest
between you and me.
Right now I'm paying a lot of attention to GNFS (for Simon Singh's
Cipher Book challenge at the moment, but I've always wanted to
understand it more thoroughly), to AES (trying to understand better
the implications of the structure of Rijndael), and various projects
for the American Cryptogram Association. I don't guarantee that
I won't get back to your problem in due course.
--
Jim Gillogly
Mersday, 13 Winterfilth S.R. 2000, 23:08
12.19.7.10.17, 13 Caban 20 Chen, First Lord of Night
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Oct 2000 22:50:47 GMT
[EMAIL PROTECTED] wrote:
: [EMAIL PROTECTED] wrote:
:>I believe there's some argument that the effective strength was only at
:>about the 56-bit level anyway. According to the story, reducing the
:>size of the keyspace reflected the properties of the underlying
:>algorithm, and didn't really make the system weaker than it already
:>was.
: I don't think this is a meaningful statement. The key size does put an
: upper bound on a cipher's strength, but apart from that, strength is
: not a one-dimensional entity [...]
: Ultimately instead of talking of bits of strength, we should put a
: dollar value to any attack we devise [...]
: Using such a formula, it becomes now possible to define an objective
: methodology to compare the strength of ciphers [...]
I agree $s to break is one of the best measures of strength - despite it
being "a one-dimensional entity".
: Finally compare the ciphers taking into account not so much the
: percentage of rounds that can be broken at a specific cost, but rather
: the rate at which the cost is growing at each successive round. That
: rate will best reflect the structural strength of the cipher.
Cost isn't everything. The best attack that may be publicly known about
may be brute force, a fact that would lead to a high "cost-to-break" value
- while our opponents may be able to reduce our algorithm to mincemeat
at a very low cost.
The "objective methodology" appears to have a subjective element.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Oct 2000 22:58:50 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] wrote:
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : What attack on Twofish has a 16/11 advantage? [...]
:>
:> According to 3.2.1.5 of the NIST report they know of no such attack.
[snip reference to:]
:> "A Twofish Retreat: Related-Key Attacks Against Reduced-Round Twofish"
:> Niels Ferguson, John Kelsey, Bruce Schneier and Doug Whiting - for the
:> best known related key attack on Twofish.
:>
:> There /was/ a 10-round attack suggested in the original Twofish paper.
:> Apparently it fails to work.
: Maybe I am just a troll, but doesn't that mean people *tried* to break
: Twofish?
Look at the authors of the paper - the "attackers" are also the designers
of Twofish. You have to explore attacks to be taken seriously when
presenting new cyphers.
I believe the Twofish team did a good job, and few (no?) others were able
to get any attacks against their cypher which were any better than the
ones the team had found themselves.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: Imad R. Faiad <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: Wed, 04 Oct 2000 23:42:46 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Greetings,
PGP 6.x.x uses RSADSI's encumbered BSAFE library for RSA operations.
The maximum RSA key length supported by the BSAFE library is 2048 bits.
The RSA-enabled PGP 5.x.x builds used the good stuff for RSA operations,
that is NAI's, or should I say Colin Plumb's and Phil Zimmermann's, library.
This is why you were able to use 4k-bit RSA keys with PGP 5.x.x. In fact,
the official builds of PGP 5.x.x were able to use RSA keys up to 8k bits
in length. However, the user interface did not allow you to generate
such keys.
With the demise of the RSA patent, NAI will no doubt resume using their
own and much superior libraries for the implementation of PGP RSA keys.
So, if NAI so desires, they may increase the RSA key length in their
official builds of PGP. However, it is worth noting that
legacy RSA keys beyond 3k bits or thereabouts do not offer more
security due to the limitations of the hash and symmetric encryption
schemes utilized.
Hope that the above has shed some light on this arcane PGP matter.
Best regards
Imad R. Faiad
On Wed, 04 Oct 2000 23:18:16 +0100, in alt.security.pgp Dave Howe
<[EMAIL PROTECTED]> wrote:
>In our last episode (<alt.security.pgp>[Wed, 04 Oct 2000 03:02:53
>GMT]), Jacques Therrien <[EMAIL PROTECTED]> said :
>>There are however incompatibilities with 4096-bit RSA keys. For instance
>> in PGP 6.x., those RSA keys cannot be used for encryption.
>>I am not sure what would happen if one tried to verify a message signed
>>with such an RSA key -- I would assume that would not work either.
>It doesn't - I signed an HTML file with my 4096RSA a few weeks back,
>and the 6.x users onlist couldn't verify it. I must admit I find this
>more than mildly suspicious - 5.x *does* verify and use those keys ok.
>
>--== DaveHowe ( is at) Bigfoot dot com ==--
=====BEGIN PGP SIGNATURE=====
Version: 6.5.8ckt http://irfaiad.virtualave.net/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
iQEVAwUBOdu/+7zDFxiDPxutAQFcDAf9F6W0d19PIzkLdPBESpff0UFzmghqb5+c
7FwgFt2lyRqvsur1KiscNe8UpjK9yQdizmFYU1qDI5A52N0iHGTC7L9rOjyzUnXt
bRyIuxroJutJ62KtUaoNdBREUhKvL0HEsJxk1SU13z69/MavMV1OLMK7UJI7Mbys
nopktpSsKQldIU66X7h+Hu0yxvKU/mGlDsE2Mi6OOeSY5SXiiF6u8Q64/ucHJ85R
aRFOj3IcjTdmdtY3kYdCQ/aJe24+tNbSde/4Lq58Eni9DJstfhB4z+ZYhWQSoesk
Sgd11Q7DJjAfMM2h5pb+5NHFCWrfQ9fRmpcXVhPJPAP6OpLguSiAAw==
=uxYs
=====END PGP SIGNATURE=====
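An added illustration of the "beyond 3k bits buys nothing" point in the post above (it is not code from Mr. Faiad, NAI or PGP): it evaluates the heuristic GNFS factoring cost for several RSA modulus sizes and takes the minimum with the symmetric cipher and hash strengths, since an attacker goes after the cheapest component. Assumed: the standard L[1/3, (64/9)^(1/3)] running-time estimate with its o(1) term dropped, and 128-bit symmetric and hash strengths as default parameters.

```python
import math

# Added illustration (not from any poster in this digest).  The heuristic
# running time of the General Number Field Sieve for factoring n is
#     L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
# Taking log2 of that cost gives a rough "symmetric-equivalent" strength for
# an RSA key of a given size.  The o(1) term is dropped, so these are
# approximations for comparison, not precise security claims.

GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)   # ~1.923


def gnfs_bits(modulus_bits):
    """Approximate log2 of the GNFS cost for a modulus of modulus_bits bits."""
    ln_n = modulus_bits * math.log(2)                      # ln(n) for n ~ 2^modulus_bits
    work = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work / math.log(2)                              # natural-log work -> bits


def effective_strength(modulus_bits, symmetric_bits, hash_bits):
    """Strength of a hybrid PGP-style setup (RSA key + symmetric cipher + hash):
    the attacker targets the cheapest of the three, so take the minimum."""
    return min(gnfs_bits(modulus_bits), symmetric_bits, hash_bits)


def strength_table(sizes=(1024, 2048, 3072, 4096, 8192),
                   symmetric_bits=128, hash_bits=128):
    """Rows of (rsa_bits, gnfs_bits, effective_bits) for a quick comparison."""
    return [(s, round(gnfs_bits(s), 1),
             round(effective_strength(s, symmetric_bits, hash_bits), 1))
            for s in sizes]


if __name__ == "__main__":
    for rsa, factor_cost, eff in strength_table():
        print(f"RSA-{rsa:5d}: GNFS ~ 2^{factor_cost:.0f}, "
              f"effective with 128-bit symmetric/hash: {eff:.0f} bits")
```

With the defaults, RSA-2048 comes out at about 117 bits (below the 128-bit symmetric side) while RSA-3072 comes out at about 139, so from roughly 3k bits upward the minimum is fixed by the cipher and hash, which is the point of the post. Published tables such as NIST SP 800-57 put RSA-2048 at 112 bits and RSA-3072 at 128 because they fold in the constants this estimate drops.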
------------------------------
From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,alt.security.scramdisk
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: Thu, 05 Oct 2000 00:44:49 +0100
In our last episode (<alt.security.pgp>[4 Oct 2000 17:27:18 -0000]),
[EMAIL PROTECTED] (Rich Wales) said :
>Do you know where the source code can be found? Several reasons:
>(1) so that non-DOS/Windows users (such as myself) can try it
>(2) so people can compare the 2.6.3ig sources with "vanilla" 2.6.3i
> and see exactly what was changed
>(3) just on principle, never trust "binary-only" crypto software;
> always insist on getting source code and compile it yourself
Replay used to have a copy of 2.6.3i with 8K key support
<rummage rummage>
aha - they were written by
F. A. Friedrichs <[EMAIL PROTECTED]> [0xCB62BDA1] http://faf.home.pages.de/
but unfortunately the site is dead - however you can still download
code and source from here:
http://www.ftp.uni-erlangen.de/pub/other/pgp.Xtra/
--== DaveHowe ( is at) Bigfoot dot com ==--
------------------------------
From: [EMAIL PROTECTED] (Scott Contini)
Subject: Re: No Comment from Bruce Schneier?
Date: 4 Oct 2000 23:53:43 GMT
In article <[EMAIL PROTECTED]>,
Roger Schlafly <[EMAIL PROTECTED]> wrote:
>Albert Yang wrote:
>> Something sportsman-like, like, "Rijndael is a
>> good algorithm, designed by two people who know what they are doing. I
>> want to congratulate them on being selected as the AES winner."
>
>You sound like the announcer who interviewed Marion Jones
>after she lost a race, asked her if she was happy, and was
>disappointed when she said that she wanted to win.
>
>I believe the Twofish designers are on record as saying that
>all the finalists are excellent, and they advocated a single
>winner because any one is fine.
>
>Where are IBM, Rivest, Biham, and the other losers?
I am NOT part of the RC6 design team, though I did work with them
on some analysis. My personal opinion is that there were 5 good
algorithms which were all good candidates for the AES. Of course
my favorite is RC6, but if I had to make a second choice it would
have been Rijndael or Serpent. My only concern about Rijndael is
the recent claims suggesting Rijndael has some unusual structure
for a block cipher, but so far these results have not led to real
attacks. Therefore I am accepting and supportive of Rijndael winning.
Congrats to them.
I also think NIST deserves a lot of applause for the way they conducted
this algorithm selection and all the effort they put into it. The
final document that they wrote up "Report on the development of the
Advanced Encryption Standard (AES)" shows they did their research,
and did an excellent and thorough job.
Scott
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: It's Rijndael
Date: Wed, 04 Oct 2000 23:50:22 GMT
On Wed, 04 Oct 2000 04:18:03 +0100, David Hopwood
<[EMAIL PROTECTED]> wrote, in part:
>Writing and compiling an encryption program outside the U.S. is not
>a violation of U.S. export laws, and never has been.
Of course not.
But exporting a compiler from the U.S. for use in creating things the
U.S. would not like to export directly *might* be. At least, the
compiler companies' lawyers seemed to think so.
Hence, these clauses in the license agreements of some compilers.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would respond!!!
(About cryptograms)
Date: 04 Oct 2000 17:06:26 -0700
Jim Gillogly <[EMAIL PROTECTED]> writes:
> Right now I'm paying a lot of attention to GNFS (for Simon Singh's
> Cipher Book challenge at the moment, but I've always wanted to
> understand it more thoroughly),
lions and tigers and bears, oh my!
------------------------------
Subject: Re: RC6 royalty free or not?
From: [EMAIL PROTECTED] (Sami J. Mäkinen)
Date: Thu, 05 Oct 2000 00:30:53 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
[EMAIL PROTECTED] (Roger Schlafly) wrote in
<[EMAIL PROTECTED]>:
>Yes. But it is hard to see why anyone would want to use RC6
>now. The main arguments for it were simplicity, and more
>analysis. But simplicity is not a big plus if it is an
>alternative cipher. It might be a plus in a smartcard, but
>RC6 is slow there anyway. And soon Rijndael will be more
>analyzed than any of them.
I was simply considering to implement RC6 if it would have
been free. It's simple and fast in software, that's what I
like about it but as said, the security margin isn't the best.
Since it isn't free it's not a problem because I already
got more than enough ciphers implemented (Serpent, Twofish,
Rijndael, Blowfish and CAST128).
Regards,
Sami J. Mäkinen / [EMAIL PROTECTED]
- --
SBC Archiver homepage: www.geocities.com/sbcarchiver
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Get my key from certcerver.pgp.com: "Sami J. Mäkinen"
iQA/AwUBOduoC0Xlu0hQpi+BEQJY1ACg/zcCgcAJIfbPihHSF5oUp6AXx/AAn0dw
nVi42dIs1nNB5vwOGyPJeUdw
=fTsf
=====END PGP SIGNATURE=====
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would
Date: Thu, 05 Oct 2000 01:00:06 +0000
Paul Rubin wrote:
>
> Jim Gillogly <[EMAIL PROTECTED]> writes:
> > Right now I'm paying a lot of attention to GNFS (for Simon Singh's
> > Cipher Book challenge at the moment, but I've always wanted to
> > understand it more thoroughly),
>
> lions and tigers and bears, oh my!
Yeah, well, for <me> the math of GNFS is a big deal. I can understand
how it would be elementary recreational reading for you! :)
--
Jim Gillogly
Highday, 14 Winterfilth S.R. 2000, 00:58
12.19.7.10.18, 1 Edznab 1 Yax, Second Lord of Night
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: OPEN LETTER ABOUT Rijndael to sci.crypt
Date: 5 Oct 2000 00:56:24 GMT
[EMAIL PROTECTED] (Michael Elkins) wrote in
<[EMAIL PROTECTED]>:
>On 4 Oct 2000 17:55:19 GMT, SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
>wrote:
>>However, I would like to propose a chaining mode so people
>>who encrypt files can do a few things that the NIST chaining
>>methods will not allow them to do. The problem with any
>>encryption chaining mode is that they do not hide the underlying
>>cipher from attack, so that it is easy for someone to gain a list
>>of ciphertext-plaintext block pairs. I have been corresponding with
>>NIST but I feel it is leading to nowhere. Just like the false promises
>>of the guy who encouraged me to write a paper for ACM. My proposal
>>is this. We design chaining modes that hide the ciphertext-plaintext
>>pairs along with test vectors to check the implementation.
>> We design modes that do the following. A single bit change in the
>>input file changes the whole output file. The length of the output
>>file matches the length of the input file.
>
>How do you propose that the implementations of a crypto algorithm be tested
>if there are no test vectors to work with? In general, algorithms which
>rely on the nondisclosure of the logic are a bad idea.
The idea of the test vector was to test that we have the right
implementation of the AES method. We would have to create others
as we build the program so others could test it on other platforms.
>
>It is not very feasible to build a table of plaintext-ciphertext pairs.
>If you consider a 128-bit key with an 8-byte block size, that would be a
>table 2^128 * 2^64 = 2^8192 entries.
I agree that is a waste. But the point is to hide all such pairs so the
attacker has no idea what the plaintext-ciphertext pairs are for the secret
key you are using.
>
>The use of CBC mode prevents patterns in the plaintext
>from showing up in the ciphertext. Each block is XOR'd with the previous
>block. Given different IV's, the same file will have completely different
>ciphertext.
This has been argued over and over. It does not diffuse the data
of a file all the way through it. It does nothing to prevent an attacker
from getting ciphertext-plaintext block pairs with a chosen-plaintext attack.
>
>If you want the ciphertext to be the same length as the plaintext, use CFB
>mode. It allows you to encrypt 1-bit at a time if you like, or any other
>unit <= block size of the cipher algorithm you are using.
I think you didn't read the whole post; this does not answer the
questions.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
Date: Wed, 04 Oct 2000 22:08:40 -0200
From: "Paulo S. L. M. Barreto" <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Will Janoschka wrote:
>Not a flame
>Does someone know if the Rijndael key to encrypt
> ****RIJNDAEL**** to *AES*WINNER*AES*
>does exist? Thought it would be a nice test vector.
>
>-will-
Yes, it does exist, because 128-bit keys define a permutation over the
AES codebook. The big problem is finding the key.
I hope nobody is foolish enough to start a contest for it. Unlike the
contests under way to break 64-bit keys, the case for 128-bit keys is futile,
and will remain so until quantum computers are widespread.
Cheers,
Paulo.
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Crossposted-To: rec.puzzles
Subject: Re: HELLO?!?!?! Where are you, Jim Gillogly? I wish you would
respond!!! (About cryptograms)
Date: 04 Oct 2000 18:26:11 -0700
Jim Gillogly <[EMAIL PROTECTED]> writes:
> > lions and tigers and bears, oh my!
>
> Yeah, well, for <me> the math of GNFS is a big deal. I can understand
> how it would be elementary recreational reading for you! :)
You've got to be kidding :). I don't begin to understand GNFS. I'm
just boggled to hear that Singh's challenge calls for it. I guess I'm
not supposed to ask for details just yet. But given how stage 9
already needed Deep Crack, if you're going to need GNFS next, you're
probably looking at a big parallel implementation and a lot of iron to
run it on. Wow!
------------------------------
From: Imad R. Faiad <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,alt.security.scramdisk
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Date: Thu, 05 Oct 2000 01:32:43 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Greetings,
PGP 2.6.x is the ultimate build for the do-it-yourselfer.
The required tools to roll out your own build may be obtained
freely on the net. In this case all you need is DJGPP's
GNU C compiler and other tools (not sure what the URL is;
any search engine will direct you to the right place by searching
for the keyword "DJGPP"). It is freeware.
Get a copy of PGP 2.6.3ia from ftp://zedz.net/
Just apply the patch which Rich suggested and roll your own
build.
Best Regards
Imad R. Faiad
On Thu, 05 Oct 2000 00:44:49 +0100, in alt.security.pgp Dave Howe
<[EMAIL PROTECTED]> wrote:
>In our last episode (<alt.security.pgp>[4 Oct 2000 17:27:18 -0000]),
>[EMAIL PROTECTED] (Rich Wales) said :
>>Do you know where the source code can be found? Several reasons:
>>(1) so that non-DOS/Windows users (such as myself) can try it
>>(2) so people can compare the 2.6.3ig sources with "vanilla" 2.6.3i
>> and see exactly what was changed
>>(3) just on principle, never trust "binary-only" crypto software;
>> always insist on getting source code and compile it yourself
>Replay used to have a copy of 2.6.3i with 8K key support
><rummage rummage>
>aha - they were written by
>F. A. Friedrichs <[EMAIL PROTECTED]> [0xCB62BDA1] http://faf.home.pages.de/
>but unfortunately the site is dead - however you can still download
>code and source from here:
>http://www.ftp.uni-erlangen.de/pub/other/pgp.Xtra/
>--== DaveHowe ( is at) Bigfoot dot com ==--
=====BEGIN PGP SIGNATURE=====
Version: 6.5.8ckt http://irfaiad.virtualave.net/
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E 9390 5FD7 2A88 4F45
iQEVAwUBOdvZp7zDFxiDPxutAQHB1wf7BKWyPUaydi7+gKIztA5rRzFiuE8SdDTP
bwCQ+1Bf5+xqUF4jYeq/4ydAwrXLcbJAwTbl69N+Qz0KUQ+IQbBY4wSV/+VX2prE
PSiuGbRvqGY0MphEddTeXRO885JhH9nHE6Ox7NjHyzexJrPmF2VmNcEgABZtHRXJ
TzKxNp0nVmZqIViiR2ylrOj9Ax/A6Os0BE4XpypwV9s+wR3BMnSR60LqDej8HDAY
qgws4140g8PjPkYCpzXFq2d4B7CbbhdT3beqv1emzjFvxh0GU2sF1u3rL7HA5i7u
9rOCWHfwwT34a5LaDCXP9g7vAfRa9UP/c7Ghj3PzsDq8QEZYh13Bjw==
=D09t
=====END PGP SIGNATURE=====
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OPEN LETTER ABOUT Rijndael to sci.crypt
Date: Thu, 05 Oct 2000 01:37:14 GMT
On Wed, 04 Oct 2000 22:15:21 GMT, [EMAIL PROTECTED] (Michael
Elkins) wrote, in part:
>How do you propose that the implementations of a crypto algorithm be tested
>if there are no test vectors to work with? In general, algorithms which
>rely on the nondisclosure of the logic are a bad idea.
True, but that is *one* charge that cannot be levelled against David
Scott. His source code is available.
He is not talking about a secret algorithm. Simply a chaining mode
that turns the whole document, effectively, into a single block.
Doing CBC mode twice, once forwards and once backwards, would do that,
as an example, although Mr. Scott's mode is different from that.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
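An added example for the chaining-mode thread above (the Scott/Elkins exchange and Savard's reply), written here and not code from Mr. Scott, Mr. Elkins, Mr. Savard or NIST: it measures how far a single flipped plaintext bit spreads under plain CBC and under Savard's "CBC twice, once forwards and once backwards", and checks that the second mode keeps the ciphertext the same length as the plaintext. The block cipher is a constructed 4-round Feistel network keyed through SHA-256, a stand-in so the modes run offline; the key, IV and plaintext are constructed sample values. It is not Mr. Scott's own mode, which Savard notes is different.

```python
import hashlib

# Added example, not code from any poster in this digest.  A toy 128-bit
# block cipher plus two chaining modes, used to count how many ciphertext
# blocks change when one plaintext bit is flipped.  The cipher is a
# constructed Feistel network with a SHA-256 round function; it exists only
# so the modes can be exercised, not to be deployed.

BLOCK = 16                                      # bytes per block
DEMO_KEY = b"constructed-demo-key-not-secret"   # constructed sample key
DEMO_IV = bytes(BLOCK)                          # constructed all-zero IV
DEMO_PLAINTEXT = bytes(range(8 * BLOCK))        # 8 blocks of sample data


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function; any PRF works here, since the Feistel structure
    # makes the block transform a bijection whatever F is.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def encrypt_block(key, block):
    L, R = block[:8], block[8:]
    for i in range(4):
        L, R = R, _xor(L, _round(key, i, R))
    return L + R


def decrypt_block(key, block):
    L, R = block[:8], block[8:]
    for i in reversed(range(4)):
        L, R = _xor(R, _round(key, i, L)), L
    return L + R


def cbc_encrypt(key, iv, data):
    """Plain CBC: C_i = E(P_i xor C_{i-1}).  A change in P_i reaches only
    C_i .. C_n, so a change in the last block touches one ciphertext block."""
    assert len(data) % BLOCK == 0, "demo assumes block-aligned input"
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def _reverse_blocks(data):
    return b"".join(reversed([data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]))


def double_cbc_encrypt(key, iv, data):
    """CBC forwards, then CBC again over the blocks in reverse order.  Every
    ciphertext block then depends on every plaintext block, and the output
    is exactly as long as the input."""
    forward = cbc_encrypt(key, iv, data)
    return _reverse_blocks(cbc_encrypt(key, iv, _reverse_blocks(forward)))


def double_cbc_decrypt(key, iv, data):
    forward = _reverse_blocks(cbc_decrypt(key, iv, _reverse_blocks(data)))
    return cbc_decrypt(key, iv, forward)


def flip_bit(data, bit_index):
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def changed_blocks(a, b):
    return sum(1 for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK])


def diffusion_demo(key, iv, plaintext, bit_index):
    """Return (blocks changed under single CBC, blocks changed under double CBC)
    after flipping one plaintext bit.  Because each block transform is a
    bijection, the counts are exact rather than probabilistic."""
    flipped = flip_bit(plaintext, bit_index)
    single = changed_blocks(cbc_encrypt(key, iv, plaintext), cbc_encrypt(key, iv, flipped))
    double = changed_blocks(double_cbc_encrypt(key, iv, plaintext),
                            double_cbc_encrypt(key, iv, flipped))
    return single, double


if __name__ == "__main__":
    for bit in (0, 3 * 8 * BLOCK, 7 * 8 * BLOCK):     # first, fourth and last block
        single, double = diffusion_demo(DEMO_KEY, DEMO_IV, DEMO_PLAINTEXT, bit)
        print(f"flip bit {bit:4d}: single CBC changes {single} of 8 blocks, "
              f"double CBC changes {double} of 8")
```

Flipping a bit in the last plaintext block changes one block under single CBC and all eight under the double pass, which is the whole-file sensitivity Mr. Scott asks for, at the cost of a second pass over the data and no random access. What the double pass does not give is an integrity check: a modified ciphertext still decrypts to something, so a receiver cannot tell tampering from noise without a separate authentication tag, which is how that property is obtained in practice.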
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************