Cryptography-Digest Digest #849, Volume #12       Thu, 5 Oct 00 11:13:01 EDT

Contents:
  Re: TC8 -- Yet Another Block Cipher (Runu Knips)
  Simplified knapsack public key system (John Bailey)
  Re: Need help: considerations for IV and Keysetup ([EMAIL PROTECTED])
  Re: what is wrapped PCBC? (SCOTT19U.ZIP_GUY)
  Decryption speeds? ("Robert Hulme")
  Re: TEA ("Nik")
  Re: Encryption problem (Richard Heathfield)
  RE: The best way to pronounce AES ("Manuel Pancorbo")
  Re: No Comment from Bruce Schneier? (Chris Jones)
  Re: Mathematical Problem (David A Molnar)
  Re: Decryption speeds? (John Myre)
  Re: Decryption speeds? (John Myre)
  Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (pgp651)
  Re: Maximal security for a resources-limited microcontroller (Bo Dömstedt)
  Re: No Comment from Bruce Schneier? (Runu Knips)
  Re: No Comment from Bruce Schneier? (Runu Knips)
  Re: Mr. Zimmermann, Mr. Price when can we expect this feature ? (pgp651)

----------------------------------------------------------------------------

Date: Thu, 05 Oct 2000 14:47:01 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: TC8 -- Yet Another Block Cipher

David Blackman wrote:
> Tom St Denis wrote:
> > This cipher is designed after CS-Cipher but is much simpler and uses
> > little ram/rom.  It's a cute cipher and I would appreciate any comments.
> >
> > This cipher has awesome diffusion amongst the bytes (64-bit block
> > cipher) and is very simple to look at.
> >
> > I noticed very little comments on MyFish... oh well...
> >
> > Tom
> >
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
> 
> 64 bit block cyphers are toys.

This _IS_ a toy. Tom never said you should use it seriously.

> It seems that even with chaining modes,
> there are birthday attacks after a few GB, and lots of us would like to
> be able to work with more data than that.

Yep. 32 GB to be precise.

> Please switch to 128 bits for future designs. Or maybe even 256.

Not necessary. Tom's homepage states clearly they are not intended for
serious usage. So you shouldn't.

> I'm half expecting someone to come up with a generic attack on all 128 bit
> block cyphers, now that everyone is committed to using them for the next
> 30 years :-)

Generic attack ? Hardly. The birthday problem in CBC appears after
(2**(n/2)) Blocks. And you can still use some of the other modes
or combine your cipher with a nice little stream cipher such as
RC4.
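The 2**(n/2) figure above is easier to believe when you watch it happen. The following is an added example, not code from the thread and not TC8 or CS-Cipher: it uses a hypothetical 16-bit toy Feistel cipher (so a collision turns up within a few hundred blocks instead of a few gigabytes), runs it in CBC mode, and shows what a ciphertext-block collision leaks. Because a block cipher is a permutation, C_i == C_j implies P_i XOR P_j == C_{i-1} XOR C_{j-1}, so the XOR of two plaintext blocks falls out of the ciphertext alone. The same function also reproduces the 32 GB bound for 64-bit blocks and the corresponding figure for 128-bit blocks.

```python
import random

BLOCK_BITS = 16           # toy block size; a real 64-bit cipher needs ~2**32 blocks
HALF_MASK = 0xFF


def birthday_bytes(block_bits: int) -> int:
    """Ciphertext volume (bytes) after which CBC block collisions are expected:
    about 2**(n/2) blocks of n/8 bytes each.  64-bit blocks -> 32 GiB."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def _f(x: int, k: int) -> int:
    # Hypothetical Feistel round function: keyed and non-linear, 8 bits in, 8 bits out.
    y = ((x ^ k) * 0x9D + 0x3B) & HALF_MASK
    return ((y << 3) | (y >> 5)) & HALF_MASK


def encrypt_block(block: int, key: bytes) -> int:
    """4-round Feistel network on a 16-bit block.  Like any block cipher it is a
    bijection, which is exactly what makes a ciphertext collision informative."""
    left, right = block >> 8, block & HALF_MASK
    for k in key[:4]:
        left, right = right, left ^ _f(right, k)
    return (left << 8) | right


def decrypt_block(block: int, key: bytes) -> int:
    left, right = block >> 8, block & HALF_MASK
    for k in reversed(key[:4]):
        left, right = right ^ _f(left, k), left
    return (left << 8) | right


def cbc_encrypt(blocks, key: bytes, iv: int):
    out, prev = [], iv
    for p in blocks:
        c = encrypt_block(p ^ prev, key)
        out.append(c)
        prev = c
    return out


def find_collision(cipher_blocks):
    """Return the first (i, j), i < j, with C_i == C_j, or None."""
    seen = {}
    for j, c in enumerate(cipher_blocks):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def collision_leak(plain_blocks, cipher_blocks, iv: int):
    """What an eavesdropper learns from a CBC collision: the XOR of the previous
    ciphertext blocks equals the XOR of the two plaintext blocks."""
    pair = find_collision(cipher_blocks)
    if pair is None:
        return None
    i, j = pair
    prev = lambda k: iv if k == 0 else cipher_blocks[k - 1]
    return {
        "i": i,
        "j": j,
        "leaked_xor": prev(i) ^ prev(j),               # computed from ciphertext only
        "actual_xor": plain_blocks[i] ^ plain_blocks[j],  # ground truth, for checking
    }


def demo(n_blocks: int = 2000, seed: int = 1):
    """Constructed random plaintext; 2000 blocks is far past 2**8, so a collision
    is practically certain for a 16-bit block."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(4))
    iv = rng.randrange(1 << BLOCK_BITS)
    plain = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    cipher = cbc_encrypt(plain, key, iv)
    return collision_leak(plain, cipher, iv)


if __name__ == "__main__":
    print("64-bit blocks: collisions expected after", birthday_bytes(64) // 2**30, "GiB")
    print("128-bit blocks: collisions expected after 2**%d bytes" % (birthday_bytes(128).bit_length() - 1))
    print(demo())
```

Scaling the toy to a real 64-bit cipher only changes the volume: the leak is the same, and it does not depend on the cipher being weak. That is the practical reason to prefer 128-bit blocks for bulk CBC traffic, and why switching to another chaining mode or layering a stream cipher, as suggested above, is a workaround rather than a fix.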

------------------------------

From: [EMAIL PROTECTED] (John Bailey)
Subject: Simplified knapsack public key system
Date: Thu, 05 Oct 2000 12:47:15 GMT

US4306111: Simple and effective public-key cryptosystem

Lu; Shyue-Ching , Chung-Li, Taiwan 
Lee; Lin-nan , Germantown, MD, assigned to:
Communications Satellite Corporation, Washington, DC
http://www.patents.ibm.com/details?pn=US04306111__
Described as:
 A public encryption key (c1, c2, r) in which r is the product of two
relatively prime numbers, and in which c1 and r, as well as c2 and r,
are relatively prime numbers, is used in an encryption algorithm
x=c1m1 +c2 m2 (mod r). The decryption algorithm will be equivalent to
solving simultaneous linear equations derived from the encryption
algorithm. Thus, both encrypting and decrypting are quite simplified
while still maintaining a high degree of security.
(end quote)

At first glance, this patent appears to be based on a flawed premise
as to the safety of simplified knapsacks. Ref.
The rise and fall of knapsack cryptosystems, A. M. Odlyzko
http://www.research.att.com/~amo/doc/crypto.html
However, within the description text of this patent, they assert:

(quote)
If the decryption key is kept secret, the above-disclosed cryptosystem
can provide a very high level of security. Note that while the
encryption key (c1, c2, r) is put on the public file, no effective
algorithm is now known which will find the secret decryption key
without first finding the prime factors p1 and p2 of r. 
(end quote)

Nice claim.
Am I missing something?  Does solving their modular equation require
factoring r?  

John

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Need help: considerations for IV and Keysetup
Date: Thu, 05 Oct 2000 13:25:13 GMT

Ok,
after reconsidering I decided to take the same approach that scramdisk
takes, i.e. usage of extra storage (first block of the tape in my case)
to store random bits used for calculating IVs and Whitening values.
Also, I use it to store a masterkey, randomly generated & 256bit, used
for the actual encryption of the following blocks in CBC mode. The
first block itself is encrypted in ECB mode with the key given by the
user.






------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: what is wrapped PCBC?
Date: 5 Oct 2000 13:34:21 GMT

[EMAIL PROTECTED] (Marc) wrote in <[EMAIL PROTECTED]>:

>
>No email supplied other than [EMAIL PROTECTED], sorry
>for asking public.

   You can email from the main webpage

>
>> The "wrapped PCBC" will handle any byte length for a file longer than
>> 3 block lengths.
>
>How does "wrapped PCBC" work, and why do you prefer it over "ciphertext
>stealing" which works with files >= 1 block length?

 The best page to look at is the one by Horst:
 http://xoom.members.com/ecil/page2.htm
It is for scott19u, but it is explained there quite well. However,
I have to admit that even with Horst's help, Mok and DW seem to be totally
lost. I suspect it's only because they both were too lazy to look.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: "Robert Hulme" <[EMAIL PROTECTED]>
Subject: Decryption speeds?
Date: Thu, 5 Oct 2000 14:39:34 +0100

I have to write up a report specifying the amount of time it would take a
hacker to brute-force certain algorithms.

What I'm looking for is some resource that has information about how many
keys per second some reasonable PC (like a PIII700 or something) can try
for a variety of different algorithms (Twofish, Triple-DES, DES,
etc.), and from this I can write my report saying how long it would take to
crack our keys based on people having x number of these machines, if we used y
bit keys, etc.

It would also be helpful in determining how many users our server will be
able to handle when we implement this system.

Does anyone know of a page that lists this kind of information?



------------------------------

From: "Nik" <[EMAIL PROTECTED]>
Subject: Re: TEA
Date: Thu, 5 Oct 2000 17:41:38 +0400

I want to use TEA in a microcontroller (PIC 16C8x), because it is very
simple to implement.

Alex Nik

Nik wrote in message <39dc570f$[EMAIL PROTECTED]> ...
>Are there legal restrictions on the use of this algorithm,
>in particular for commercial use?
>
>Excuse my bad English.
>
>Alex Nik
>
>



------------------------------

Date: Thu, 05 Oct 2000 14:56:47 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: Encryption problem

ed dominguez wrote:
> 
> We were toying with the idea of creating a small "price is
> right" game at work. We have a hefty prize and we were deciding
> how to give it away and we thought about giving the price to
> that one that found out what the price is.
> 
> Problem is, some always knows the price. So we decided
> to make this price random, although realistic. We decided
> to encrypt this and store it on a file. But then, brute
> forcing your way to the real price is trivial.
> 
> How can I implement a program that will encrypt a random number but
> that its so secure that even the programmers cant brute-force it
> in small amount of time (days,weeks) ?
> 
> I am not a student of crypto, so maybe this is a faq. I RTFF (faq)
> but couldnt find an answer for this.
> 
> Thanks in advance


I'm not a cryptographer either, but I did think of a quick and dirty way
to do this, which has the makings of a fun "ritual"... (for people who
don't get out much).

The program decides the random number. It doesn't display it, of course.

The contestants are sorted into alphabetical order of surname (using
forename as a tie-break, and seniority or works number as a further
tie-break if need be). Each of them in turn walks solemnly past the
keyboard, and presses a single alphanumeric key (if there are very few
contestants, you might want them to press /two/ keys, or even three).
Each must remember the key(s) they pressed - and, if more than one, in
which /order/ they pressed it. The program then encrypts the number,
using their keypresses as a one-time pad, or via whatever symmetric
encryption mechanism you like (Serpent, TwoFish, AES, DES, or even CDX-2
;-) - I nearly said RSA, which isn't symmetric, is it? Which shows how
much I know about crypto...). The ciphertext is stored on disk.

A few days/weeks later, you collect your guesses. This is easy - each
contestant can write down their guess, and then they're all handed in at
once, in the time-honoured way of school examinations.

Then - guess what? They all walk past the keyboard again, in the same
order, to rebuild the key. The program fetches the ciphertext off disk,
decrypts, and displays the answer.

In other words, you divide the secret up amongst the contestants.

Given that your secret need only last a few days or weeks, I'd guess
this is pretty secure, especially as the payoff for cracking it is,
presumably, relatively low (i.e. I presume we're not talking about, say,
ten thousand pounds/dollars). Nonetheless, I'd be interested to hear of
any high-speed, low-cost cracks against this proposed solution. (Let's
say, cracks that would take less than a week, with a modern PC, for ten
people with two letters each, giving us a keyspace of 20^(26 + 10).)

[ Rubberhosing would work, of course... ;-) ]


-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html
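The ritual above, written out as an added example that is not part of the post: each contestant's keypresses are concatenated in the agreed order, stretched into a key, and used to XOR-mask the price, with a MAC appended so that a wrong order or a wrong letter fails cleanly instead of decrypting to garbage. PBKDF2-HMAC-SHA256 is my choice of key derivation and is not something the post specifies; the price is stored in cents as a constructed sample value. The keyspace helper counts the post's scenario as 36 alphanumeric keys raised to (contestants times keys each), i.e. 36**20 for ten people with two letters.

```python
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # the 36 single-keypress choices
SALT_LEN, PRICE_LEN, MAC_KEY_LEN = 16, 8, 32
PBKDF2_ROUNDS = 100_000                              # hypothetical; slows guessing a little


def keyspace(contestants: int, keys_each: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct key assemblies an attacker would have to try."""
    return alphabet_size ** (contestants * keys_each)


def assemble_key(keypresses) -> str:
    """keypresses: one string per contestant, in the fixed walk-past order."""
    if not keypresses or len({len(k) for k in keypresses}) != 1:
        raise ValueError("every contestant must press the same number of keys")
    joined = "".join(keypresses).lower()
    if any(ch not in ALPHABET for ch in joined):
        raise ValueError("only alphanumeric keys are allowed")
    return joined


def _derive(key_material: str, salt: bytes) -> bytes:
    # One stretched secret, split into a one-time mask for the price and a MAC key.
    return hashlib.pbkdf2_hmac("sha256", key_material.encode(), salt,
                               PBKDF2_ROUNDS, dklen=PRICE_LEN + MAC_KEY_LEN)


def seal_price(price_cents: int, keypresses, salt: bytes = None) -> bytes:
    """Encrypt the secret price under the contestants' combined keypresses.
    Returns salt || masked_price || tag, suitable for writing to disk."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    material = _derive(assemble_key(keypresses), salt)
    mask, mac_key = material[:PRICE_LEN], material[PRICE_LEN:]
    plain = price_cents.to_bytes(PRICE_LEN, "big")
    masked = bytes(a ^ b for a, b in zip(plain, mask))
    tag = hmac.new(mac_key, salt + masked, "sha256").digest()
    return salt + masked + tag


def open_price(blob: bytes, keypresses) -> int:
    """Reverse the ritual.  Raises ValueError if the keys or order are wrong."""
    salt = blob[:SALT_LEN]
    masked = blob[SALT_LEN:SALT_LEN + PRICE_LEN]
    tag = blob[SALT_LEN + PRICE_LEN:]
    material = _derive(assemble_key(keypresses), salt)
    mask, mac_key = material[:PRICE_LEN], material[PRICE_LEN:]
    expected = hmac.new(mac_key, salt + masked, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong keypresses, wrong order, or tampered record")
    return int.from_bytes(bytes(a ^ b for a, b in zip(masked, mask)), "big")


def brute_force_years(contestants: int, keys_each: int, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole keyspace at a given guess rate."""
    return keyspace(contestants, keys_each) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    presses = ["q7", "a1", "zz", "m9", "k3", "p0", "b2", "w8", "e5", "h6"]  # constructed
    blob = seal_price(4999, presses)            # 49.99, constructed sample price
    print(open_price(blob, presses))            # 4999
    print("keyspace for 10 x 2 keys: 36**20 =", keyspace(10, 2))
    print("years at 1e9 guesses/s: %.3g" % brute_force_years(10, 2, 1e9))
```

The MAC cuts both ways: it makes the reveal step fail loudly on a mistyped key, but it also gives an offline guesser a way to test candidates. With 36**20 combinations that is not a practical concern, and it is far more than the post's "20^(26 + 10)" expression suggests; the number that actually matters is who can be coerced or bribed, which the post already concedes.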

------------------------------

From: "Manuel Pancorbo" <[EMAIL PROTECTED]>
Subject: RE: The best way to pronounce AES
Date: Thu, 5 Oct 2000 15:05:27 +0200


Scott Craver <[EMAIL PROTECTED]>

> I know I have no authority to decide these things, but I
> strongly feel that "AES" should be pronounced, "uh-YES."
>

I don't understand why Anglos have so many childish problems pronouncing such
stupidly easy things. Pronounce it simply phonetically [a-es]; that's all. ;-)

Manuel



------------------------------

From: Chris Jones <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?
Date: Thu, 5 Oct 2000 14:15:14 GMT

Albert Yang <[EMAIL PROTECTED]> writes:

> I expected to hear from a few people, Brian Gladman, the author's of
> Rijndael themselves etc...  But most of all, I expected Bruce to say
> something on sci.crypt.  Something sportsman-like, like, "Rijndael is a
> good algorithm, designed by two people who know what they are doing.  I
> want to congratulate them on being selected as the AES winner."

An article on The Standard, available at
http://www.thestandard.com/article/display/0,1151,19101,00.html says

  Other finalists praised the selection process and Rijndael. "I think any of
  the finalists would have been a good choice, and Rijndael was a particularly
  good choice given how consistently it performs on a variety of processors,"
  said RSA's Kaliski. 

  "Of course, I am disappointed that Twofish didn't win," said Schneier. "But I
  have nothing but good things to say about NIST and the AES
  process. Participating in AES is about the most fun a block-cipher
  cryptographer could possibly have, and the Twofish team certainly did have a
  lot of fun."

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Mathematical Problem
Date: 5 Oct 2000 14:09:36 GMT

David A Molnar <[EMAIL PROTECTED]> wrote:
> Lattice based cryptosystems have been broken in recent years. Maybe
> McEliece is vulnerable (if it hasn't already been broken). Maybe there

Ah, looks like it has, or at least the "original."
Check Helger Lipmaa's excellent page of links:
http://www.tml.hut.fi/~helger/crypto/link/public/mceliece.html

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Decryption speeds?
Date: Thu, 05 Oct 2000 08:46:29 -0600

Robert Hulme wrote:
> 
> I have to write up a report specifying the amount of time it would take a
> hacker brute force attack certain algorithms.
<snip>
> Does anyone know of a page that lists this kind of information?

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Decryption speeds?
Date: Thu, 05 Oct 2000 08:51:31 -0600

Robert Hulme wrote:
> 
> I have to write up a report specifying the amount of time it would take a
> hacker brute force attack certain algorithms.
<snip>
> Does anyone know of a page that lists this kind of information?

(2nd try)

http://www.distributed.net/
http://www.tml.hut.fi/~helger/aes/
http://www.btinternet.com/~brian.gladman/cryptography_technology/aes/index.html

JM

------------------------------

Date: 5 Oct 2000 14:53:18 -0000
From: pgp651 <Use-Author-Supplied-Address-Header@[127.1]>
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Crossposted-To: alt.security.pgp,alt.security.scramdisk

=====BEGIN PGP SIGNED MESSAGE=====

I will look into this solution too, thanks.


On Thu, 05 Oct 2000, Imad R. Faiad
<[EMAIL PROTECTED]> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Greetings,
>
>PGP 2.6.x is the ultimate build for the do-it-yourselfer.
>
>The required tools to roll out your own build may be obtained
>freely on the net.  In this case all you need is DJGPP's
>GNU C compiler and other tools (not sure what the URL is;
>any search engine will direct you to the right place by searching
>for the keyword "DJGPP").  It is freeware.
>
>Get a copy of the PGP 2.6.3ia from ftp://zedz.net/
>Just apply the patch which Rich suggested and roll your own
>build.
>
>Best Regards
>
>Imad R. Faiad
>

~~~
This PGP signature only certifies the sender and date of the message.
It implies no approval from the administrators of nym.alias.net.
Date: Thu Oct  5 14:53:08 2000 GMT
From: [EMAIL PROTECTED]

=====BEGIN PGP SIGNATURE=====
Version: 2.6.2

iQEVAwUBOdyV3E5NDhYLYPHNAQGlGQf/VxC0YWKam5MDHRgCuIMaf0iyYuqe3bJL
aD/DmtJmtJsjN6HlJFVorr1ZeycZ8LQ8g3pTDp14HRKPFcGQqN3rFqZRDlqwJB1r
VH+KeLId0RphXS6r3Vjxfmvqoyxp1ceixob9G8INXthTOi5YtarJPTiKTwCFbZG7
yzdoPZh+Yj8tFwNNN6zaRGys/Gv1nolYLQWE+zP3ZiGWCmj2P/gD4RV3nEHJBHf+
ocZb2ERAUrzCnEeSSotLUrzfkFXf11nAJuWcBkvzGXXQJGjJUg1Fu43nzTgjQP95
sXRrGTAxIb+pxtWIWrB6YsmJFK4JO+qMw+xjxikMdtKR/V7BQGnvFQ==
=Sn5S
=====END PGP SIGNATURE=====


------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Subject: Re: Maximal security for a resources-limited microcontroller
Reply-To: [EMAIL PROTECTED]
Date: Thu, 05 Oct 2000 14:54:36 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:
>What do you have that is better than publicly known methods of crypto
>and implementing crypto?

Dear Tom St Denis,

If you have a hole in your tooth, would you mend it yourself, 
or call a professional ?

Bo Dömstedt
Chief Cryptographer
Protego Information AB
IDEON,Lund,Sweden

Our hardware noise generator:
http://www.protego.se/sg100_en.htm

Our E-Mail:
[EMAIL PROTECTED]
Fax:    +46 46 286 36 40
   

------------------------------

Date: Thu, 05 Oct 2000 17:00:14 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?

Scott Contini wrote:
> I am NOT part of the RC6 design team, though I did work with them
> on some analysis.  My personal opinion is that there were 5 good
> algorithms which were all good candidates for the AES.  Of course
> my favorite is RC6, but if I had to make a second choice it would
> have been Rijndael or Serpent.

How could your favorite be RC6 when it doesn't support the
key agility required for AES ?

> My only concern about Rijndael is the recent claims suggesting
> Rijndael has some unusual structure for a block cipher

Do you have any pointers about that? Haven't there been
similar claims about Twofish? (key separation)

> [applause to NIST]

Okay :-)

------------------------------

Date: Thu, 05 Oct 2000 17:05:40 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: No Comment from Bruce Schneier?

Mok-Kong Shen wrote:
> John Savard wrote:
> > But he only visits sci.crypt to post occasionally, and he may be busy
> > right now.
> He might be scared away by the massive chosen plaintext
> attack launched by someone to crack his recent post.

Hehe.

According to his "Applied Crypto", he uses killfiles.

And he states the reader will learn to use them fast,
if he or she starts reading sci.crypt, too.

Hopefully I'm not in it...

------------------------------

Date: 5 Oct 2000 15:09:00 -0000
From: pgp651 <Use-Author-Supplied-Address-Header@[127.1]>
Subject: Re: Mr. Zimmermann, Mr. Price when can we expect this feature ?
Crossposted-To: alt.security.pgp,alt.security.scramdisk

=====BEGIN PGP SIGNED MESSAGE=====

I don't have a 1 GHz PC yet for it to be practical. 

But a 3k RSA key should be fast to use on an average 300 MHz PC. Waiting a second or
two to process data is not a problem for the average user when encrypting. It could
be a problem at an e-business site. The long key generation time is
practically no problem; you generate the key only one time, then use the key many
times.

We should now OFFICIALLY have this option from NAI in PGP, in PGP v262


On Wed, 04 Oct 2000, jungle <[EMAIL PROTECTED]> wrote:
>if you really need it, 
>it is much slower than the 2k version, especially key generation, 
>
>get it from http://members.aol.com/EJNBell/pgp263ig.zip
>it will handle 4k RSA ... 
>
>if I had a 1,000 MHz intel processor, it could be a different story ...
>
>the key generation is extremely slow, about 15 min ...
>the decryption of a 20 kB text file about 5 seconds ...
>the encryption of a 20 kB text file very fast ...
>
>I will stay with 2k max ...
>
>
>pgp651 wrote:
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> 
>> Mr. Zimmermann, Mr. Price when can we expect this feature ?
>> 
>> After the RSA patent hoopla is over, isn't now the time to implement 4k RSA keys
>> into PGP v262 ? The maximum size of 2k is a little bit lower than the corresponding
>> 128-bit key strength of a symmetric cipher.
>> 
>> The introduction of 4k RSA will be in line with Twofish introduction.
>> 
>> We need 3k RSA keys to create balance between symmetric & asymmetric ciphers.
>> When can we expect this feature ?
>>

~~~
This PGP signature only certifies the sender and date of the message.
It implies no approval from the administrators of nym.alias.net.
Date: Thu Oct  5 15:08:58 2000 GMT
From: [EMAIL PROTECTED]

=====BEGIN PGP SIGNATURE=====
Version: 2.6.2

iQEVAwUBOdyZi05NDhYLYPHNAQEtGgf+OYO4n26xPVtHAhvII3i5Qmjgs+76pHOI
gRapl5YwFP6+k1PrspT/q7uVlpp3omxMPDgMTSD54Gfwmvu1Hm0urr91DxlYuMdr
mA74BsfxPL/3w48lGxYKfP3aowejtGrRkLv52UA0G9wKWj+18xVCdOk8pz0/pi2b
4ByZFKL4MsoFHm0pGP+Ov7QT4yUYZ3ila5wIpV+bvIKke5qr8jDHFVNLyYO7yIei
aO7njEC6TrO2c6qW3DHUMeeByK7vWwiuZPPR6lVrWCJzfRRlrzQzmWsdGNyeAWBJ
w5uu1N0Mxcv7Q1SmuWk4s/CYo2E32eOubkmUu1O2Mll1qO/rnIf+SQ==
=KxU6
=====END PGP SIGNATURE=====


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
