Cryptography-Digest Digest #850, Volume #12 Thu, 5 Oct 00 13:13:00 EDT
Contents:
Re: Choice of public exponent in RSA signatures (John Myre)
Re: Compute Public Key from Private Key - Algorithms? (John Bailey)
Re: It's Rijndael (John Myre)
Re: Maximal security for a resources-limited microcontroller (Volker Hetzer)
Re: Maximal security for a resources-limited microcontroller (Volker Hetzer)
Re: is NIST just nuts? (Tim Tyler)
Re: Compute Public Key from Private Key - Algorithms? ([EMAIL PROTECTED])
Re: Advanced Encryption Standard - winner is Rijndael (Andrew Carol)
Re: Requirements of AES (John Myre)
Re: The best way to pronounce AES (Simon Johnson)
Re: Encryption problem ("ed dominguez")
Re: Advanced Encryption Standard - winner is Rijndael ("Cynic")
Re: TC8 -- Yet Another Block Cipher (Tom St Denis)
RE: The best way to pronounce AES (Tom St Denis)
----------------------------------------------------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Thu, 05 Oct 2000 09:02:27 -0600
Joseph Ashwood wrote:
<snip>
> if you follow the
> advances in factoring we will within 3 years likely see another advance, and
> there's a ~50% chance that it will be faster with smaller factors.
<snip>
Ah.
I've seen no evidence for this, and I don't believe it
to be true. What makes you think that ECM will make
advances faster than GNFS? Or are you thinking of an
entirely different algorithm? What makes you think
that 3 years is a reasonable deadline? I don't work
in factoring, so perhaps you know something I don't;
show me.
JM
------------------------------
From: [EMAIL PROTECTED] (John Bailey)
Subject: Re: Compute Public Key from Private Key - Algorithms?
Date: Thu, 05 Oct 2000 15:11:43 GMT
On Thu, 5 Oct 2000 08:20:07 -0400, "Arnold Shore" <[EMAIL PROTECTED]>
wrote:
>I'll appreciate any information on algorithms and implementations that
>support subject process.
>
>I'm using a commercial product set that performs this rather nicely
>(AFAIK), but I've been bitten by the algorithm bug, and want access to the
>underlying theory.
/* When used as an argument for the Unix utility bc, this script implements
   the function e(m,p,q), which returns m raised to the p power, modulo q.
   This function was used to create modular inverse pairs which can be used
   to set up encryption/decryption pairs for RSA encryption.
   Run it with bc's default scale=0 so that j / 2 is integer division. */
define e(m,p,q) {
    auto j, z
    z = 1
    /* right-to-left binary exponentiation: j walks the bits of p,
       least significant first; m holds m^(2^k) at step k */
    for (j = p; j > 0; j = j / 2) {
        if (j % 2 == 1) {
            z = z * m % q
        }
        m = m * m % q
    }
    return(z)
}
/* e(m,p,q) returns m raised to the p power modulo q. */
If this helps, there is a bit more at:
http://www.frontiernet.net/~jmb184/interests/cryptography/bc_based_math/
If you can gain access to bc, even using it on your ISP's Unix-based
server, it's a great way to play around with the number theory
underlying RSA.
John
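The bc function above does the exponentiation half of RSA; the "modular inverse pairs" its comment mentions, and the thread's actual question (getting the public exponent back from the private one), need the extended Euclidean algorithm as well. The following is an added example, not part of John Bailey's post or his bc script: the same square-and-multiply loop in Python, the inverse step, and a textbook RSA key setup with tiny, constructed primes (p = 61, q = 53, e = 17) so every value can be checked by hand. Nothing this small is usable as a real key.

```python
# Added example, not part of John Bailey's post or his bc script: the same
# square-and-multiply loop as e(m,p,q) in Python, plus the modular-inverse step
# his comment refers to, applied to deriving one RSA exponent from the other.
# The primes and exponents used below are tiny, constructed values so the
# arithmetic can be checked by hand; never use numbers this size for real keys.

def modpow(base, exp, mod):
    """base**exp mod mod by right-to-left binary exponentiation (the bc e() loop)."""
    z = 1
    base %= mod
    while exp > 0:
        if exp & 1:               # this bit of the exponent is set: multiply in
            z = z * base % mod
        base = base * base % mod  # square for the next bit
        exp >>= 1                 # same as j = j / 2 in bc with scale=0
    return z

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        quot, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - quot * x1
        y0, y1 = y1, y0 - quot * y1
    return a, x0, y0

def modinv(a, n):
    """Inverse of a modulo n, or ValueError if gcd(a, n) != 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n

def rsa_keypair(p, q, e=65537):
    """Textbook RSA setup: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)            # raises if e shares a factor with phi
    return n, e, d

def public_exponent_from_private(d, p, q):
    """The thread's question: given the private exponent and the primes, the
    public exponent is d^-1 mod phi(n), because e*d == 1 (mod phi) is symmetric
    in e and d. From (n, d) alone, without p and q, this step is not available."""
    phi = (p - 1) * (q - 1)
    return modinv(d, phi)

def roundtrip(m, n, e, d):
    """Encrypt with the public exponent, decrypt with the private one."""
    c = modpow(m, e, n)
    return c, modpow(c, d, n)

if __name__ == "__main__":
    n, e, d = rsa_keypair(61, 53, e=17)           # constructed toy parameters
    print("n, e, d =", n, e, d)                   # 3233 17 2753
    print("e from d:", public_exponent_from_private(d, 61, 53))
    print("65 ->", roundtrip(65, n, e, d))        # (2790, 65)
```

Two caveats worth keeping in mind with this: PKCS#1 private keys carry p and q (and d mod (p-1), d mod (q-1)), so the inverse step is exactly how a library recovers e, but a private key that is really just (n, d) gives you nothing to invert against; and modinv() is the only place a bad parameter choice shows up, since e must be coprime to phi.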
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: It's Rijndael
Date: Thu, 05 Oct 2000 09:16:38 -0600
David Hopwood wrote:
<snip>
> Apparently Rijndael only produces even permutations for all keys [1], so the
> random cipher model is not quite accurate, but I don't think that affects
> this probability.
<snip>
Why not? That is, I certainly don't have a real
reason to disagree; just that my intuition is
that the computation of the limit is fairly
delicate, and might get a different answer even
if the probabilities were only slightly different.
JM
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Maximal security for a resources-limited microcontroller
Date: Thu, 05 Oct 2000 17:31:24 +0200
"Bo Dömstedt" wrote:
>
> Sagie wrote:
> >Hello all,
> >
> > I'm in need of a symmetric (secret key) encryption process for one of my
> >projects. I would love to use one of the popular schemes, such as blowfish
> >and DES, but the cipher has to be implemented in a teeny-weeny
> >microcontroller with very limited resources.
What about having a look at one of the AES finalists?
They are supposed to be good on small 8-bit controllers.
Rijndael, the chosen one, uses
16 RAM bytes for subkey storage,
34 RAM bytes for encryption (37 for decryption),
1 RAM byte for key setup for decryption,
879 ROM bytes for encryption and key setup,
1049 ROM bytes for decryption and key setup
on a 6805.
I don't know whether the ROM contents add up
or the decryption just needs some additional stuff.
Depending on your threat scenario you might consider SkipJack as well. I don't
have its numbers, but ISTR that it was also good with small controllers.
After all, it was designed for embedded systems.
Greetings!
Volker
--
The early bird gets the worm. If you want something else for
breakfast, get up later.
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Maximal security for a resources-limited microcontroller
Date: Thu, 05 Oct 2000 17:31:40 +0200
"Bo Dömstedt" wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> >What do you have that is better than publicly known methods of crypto
> >and implementing crypto?
>
> Dear Tom St Denis,
>
> If you have a hole in your tooth, would you mend it yourself,
> or call a professional?
Do you really propose to invent a proprietary encryption algorithm?
If yes, then, to go back to professionalism, as a customer one
should form an opinion about the ability of the "professional".
Like how good your algorithms are. Did you take part in or win
any competitions? Did your algorithms survive any public analysis?
Did you write any well-commented-on books about cryptography?
Just calling yourself Chief Cryptographer would certainly not
be enough to convince me.
To me, you are an unknown and I can understand Tom's skepticism.
Greetings!
Volker
--
The early bird gets the worm. If you want something else for
breakfast, get up later.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Reply-To: [EMAIL PROTECTED]
Date: Thu, 5 Oct 2000 15:04:27 GMT
John Savard <[EMAIL PROTECTED]> wrote:
: Tim Tyler <[EMAIL PROTECTED]> wrote, in part:
:>Where do you get the 65-bit figure from?
: AC, in reference to DES with independent subkeys.
"DES with independent subkeys" in 12.6, p. 295 (2nd ed.)?
That describes an algorithm with a 768-bit key, and presents a 2^61
chosen-plaintext differential attack on it.
It concludes "It would seem that any modification of the key schedule
cannot make DES much stronger."
I guess it's true that even if there are various attacks on DES with a
64-bit key, it's bound to be somewhat stronger than a 56-bit version.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Compute Public Key from Private Key - Algorithms?
Date: Thu, 05 Oct 2000 15:37:15 GMT
You could also try to look at http://cacr.math.uwaterloo.ca/hac/ for the
underlying theory.
Brice.
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Bailey) wrote:
> On Thu, 5 Oct 2000 08:20:07 -0400, "Arnold Shore" <[EMAIL PROTECTED]>
> wrote:
>
> >I'll appreciate any information on algorithms and implementations that
> >support subject process.
> >
> >I'm using a commercial product set that performs this rather nicely
> >(AFAIK), but I've been bitten by the algorithm bug, and want access to the
> >underlying theory.
> /* When used as an argument for the Unix utility, bc, this script implements
> the function e(m,p,q) which returns m raised to the p power, modulo q.
> This function was used to create modular inverse pairs which, can be used
> to set up encryption decryption pairs for rsa encryption. */
>
> define e(m,p,q) {
> auto j , z
> z = 1
> for(j = p ; j > 0 ; j = j / 2 ) {
> if( j % 2 == 1 ) {
> z = z * m % q
> }
> m = m * m % q
> }
> return(z)
> }
> /* e(m,p,q) returns m raised to the p power modulo q. */
>
> If this helps, there is a bit more at:
>
> http://www.frontiernet.net/~jmb184/interests/cryptography/bc_based_math/
>
> If you can gain access to BC, even using it on your ISP's Unix based
> server, it's a great way to play around with the number theory
> underlying RSA.
>
> John
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Andrew Carol <[EMAIL PROTECTED]>
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Thu, 05 Oct 2000 08:44:23 -0700
In article <8rh4m8$[EMAIL PROTECTED]>, Gregory G Rose <[EMAIL PROTECTED]>
wrote:
> This requirement comes from the principle of
> red/black separation, BTW. It is not stupid, even
> though it does appear to violate Kerckhoffs' Maxim
> that all secrecy should reside in the keys.
I suspect they have enough confidence in their own work to know that
what they use is secure and are MORE interested in not letting OTHERS
know some of their tricks.
They don't keep it secret to help protect what is encrypted, they keep
it secret so as to not "teach" our enemies a few tricks they might not
have thought of.
---- Andy
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Requirements of AES
Date: Thu, 05 Oct 2000 09:43:35 -0600
Tim Tyler wrote:
<snip>
> It doesn't sound /that/ funny - some civilian devices do similar things:
<snip>
Another example can be seen in IBM's crypto cards
(http://www-3.ibm.com/security/cryptocards/).
I heard once that their model 1, which has the best
FIPS-140 rating you can get, would sometimes zero
itself, thinking there was an intrusion, when in fact
it was just environmental noise (poor power supply,
for example). One result was to create the model 13,
which isn't quite so secure (in theory), but more
robust (in normal operation). I don't know if this
is true, but it makes sense, because the costs of
the cards were about the same, and they do have
different security ratings.
JM
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: The best way to pronounce AES
Date: Thu, 05 Oct 2000 15:50:07 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> On Wed, 04 Oct 2000 23:54:33 +0200, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote, in part:
> >Scott Craver wrote:
>
> >> I know I have no authority to decide these things, but I
> >> strongly feel that "AES" should be pronounced, "uh-YES."
>
> >Side question: As far as I know, the 'standard' British
> >English is the Oxford English. Which is the corresponding
> >one for American English? Thanks.
>
> Facetiously, I might respond with "The Walter Cronkite idiolect", but
> in fact it is Midwestern English which is considered the most
> "standard".
>
> However, accent is largely considered merely an indicator of regional
> origin which is not significant in itself: it is not strongly
> associated with social class in the way that it is in Britain.
>
> There are extreme accents which are rejected, like Cockney is in
> Britain, but there is no single accent that all individuals aspiring
> to rise must adopt.
>
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm
>
Whoa, are you actually from England? Because your preconceptions of
us are _extremely_ wrong. Dialect is purely a regional indicator. It
doesn't dictate 'class' at all. In fact, like religion, class is
becoming a redundant concept.
Cockney isn't rejected, that's just false; it's simply a dialect. I
personally have a northern accent; this clearly cannot dictate my
position in society because this is determined through your
qualifications. It's therefore obvious that there is no single accent that is
aspired to.
This traditional English voice is probably spoken by the Queen and
only the Queen. And not too many people are fond of her anyway :P
England has the fourth largest economy in the world. This couldn't have
been achieved through preservation of aristocracies and
institutionalism. To keep pace with the world, we are a dynamic
nation with dynamic views.
Don't let the Press fool you :P
Simon.
--
Hi, I'm the signature virus,
help me spread by copying me into Signature File
------------------------------
From: "ed dominguez" <[EMAIL PROTECTED]>
Subject: Re: Encryption problem
Date: Thu, 5 Oct 2000 10:27:12 -0500
What if this little game is web based, and if you
found the correct price, you get instant feedback
of your success? You need to store the key
someplace to check every time someone makes
a guess. So the programmer, having access to
the key, can copy-paste it or write it down,
take it home and do a brute force attack,
and since the space is very small (it's a number,
a price), he will find the answer in no time.
Everyone can try a guess one time every day
until one of them finds the correct price.
BTW, thanks to everyone for their answers.
"Richard Heathfield" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> ed dominguez wrote:
> >
> > We were toying with the idea of creating a small "price is
> > right" game at work. We have a hefty prize and we were deciding
> > how to give it away and we thought about giving the price to
> > that one that found out what the price is.
> >
> > Problem is, some always knows the price. So we decided
> > to make this price random, although realistic. We decided
> > to encrypt this and store it on a file. But then, brute
> > forcing your way to the real price is trivial.
> >
> > How can I implement a program that will encrypt a random number but
> > that its so secure that even the programmers cant brute-force it
> > in small amount of time (days,weeks) ?
> >
> > I am not a student of crypto, so maybe this is a faq. I RTFF (faq)
> > but couldnt find an answer for this.
> >
> > Thanks in advance
>
>
> I'm not a cryptographer either, but I did think of a quick and dirty way
> to do this, which has the makings of a fun "ritual"... (for people who
> don't get out much).
>
> The program decides the random number. It doesn't display it, of course.
>
> The contestants are sorted into alphabetical order of surname (using
> forename as a tie-break, and seniority or works number as a further
> tie-break if need be). Each of them in turn walks solemnly past the
> keyboard, and presses a single alphanumeric key (if there are very few
> contestants, you might want them to press /two/ keys, or even three).
> Each must remember the key(s) they pressed - and, if more than one, in
> which /order/ they pressed it. The program then encrypts the number,
> using their keypresses as a one-time pad, or via whatever symmetric
> encryption mechanism you like (Serpent, Twofish, AES, DES, or even CDX-2
> ;-) - I nearly said RSA, which isn't symmetric, is it? Which shows how
> much I know about crypto...). The ciphertext is stored on disk.
>
> A few days/weeks later, you collect your guesses. This is easy - each
> contestant can write down their guess, and then they're all handed in at
> once, in the time-honoured way of school examinations.
>
> Then - guess what? They all walk past the keyboard again, in the same
> order, to rebuild the key. The program fetches the ciphertext off disk,
> decrypts, and displays the answer.
>
> In other words, you divide the secret up amongst the contestants.
>
> Given that your secret need only last a few days or weeks, I'd guess
> this is pretty secure, especially as the payoff for cracking it is,
> presumably, relatively low (i.e. I presume we're not talking about, say,
> ten thousand pounds/dollars). Nonetheless, I'd be interested to hear of
> any high-speed, low-cost cracks against this proposed solution. (Let's
> say, cracks that would take less than a week, with a modern PC, for ten
> people with two letters each, giving us a keyspace of 20^(26 + 10).)
>
> [ Rubberhosing would work, of course... ;-) ]
>
>
> --
> Richard Heathfield
> "Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
> C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
> K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html
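The two posts above describe the same scheme from opposite sides: Richard's "walk past the keyboard" ritual, where the key is rebuilt from the contestants' ordered keypresses and is never written down, and ed's objection that once the program has to hold the key (to check guesses on a web page) the small price space makes the ciphertext worthless. The following is an added example, not from either post, that puts the scheme in code. Richard leaves the cipher open; a SHA-256-derived keystream plus an HMAC tag are used here as a stand-in (an assumption of this example, not something the thread specifies). The 36-key alphanumeric keyboard, the price range and the sample keypresses are constructed.

```python
# Added example, not from ed dominguez's or Richard Heathfield's posts: the
# "everyone walks past the keyboard" scheme in code. Richard leaves the cipher
# open; here a SHA-256-derived keystream plus an HMAC tag stand in for it
# (an assumption of this example, not something the thread specifies). The
# key never touches disk: it exists only while the contestants rebuild it.

import hashlib
import hmac
import itertools
import os
import string

ALPHANUM = string.digits + string.ascii_lowercase   # 36 possible keypresses (assumed)

def key_from_keypresses(keypresses):
    """Rebuild the key from each contestant's keypress(es), concatenated in
    walk-past order. A different order yields a different key."""
    return hashlib.sha256("".join(keypresses).encode()).digest()

def seal_price(price, key):
    """Encrypt a 4-byte price and attach a tag so the wrong key is detected
    rather than silently decrypting to garbage."""
    nonce = os.urandom(16)
    keystream = hashlib.sha256(key + nonce).digest()
    pt = price.to_bytes(4, "big")
    ct = bytes(a ^ b for a, b in zip(pt, keystream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag        # this blob is all that gets stored on disk

def open_price(blob, key):
    """Return the price, or None if the key (or the blob) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:20], blob[20:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = hashlib.sha256(key + nonce).digest()
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, keystream)), "big")

def keyspace(contestants, keys_each):
    """Number of ordered keypress sequences an attacker without the key must try."""
    return len(ALPHANUM) ** (contestants * keys_each)

def brute_force(blob, n_keypresses):
    """ed's attack when the key is small enough to enumerate: try every ordered
    keypress sequence. Feasible for a couple of keypresses (36**2 = 1296 tries),
    hopeless at ten contestants with two keys each (36**20)."""
    for combo in itertools.product(ALPHANUM, repeat=n_keypresses):
        price = open_price(blob, key_from_keypresses(combo))
        if price is not None:
            return "".join(combo), price
    return None

if __name__ == "__main__":
    # Constructed sample: three contestants, two keys each, in walk-past order.
    key = key_from_keypresses(["k9", "zq", "m3"])
    blob = seal_price(4242, key)
    del key                                    # nothing but the blob survives
    print("wrong order:", open_price(blob, key_from_keypresses(["zq", "k9", "m3"])))
    print("right order:", open_price(blob, key_from_keypresses(["k9", "zq", "m3"])))
    print("keyspace for 10 x 2 keys:", keyspace(10, 2))
    print("one contestant, two keys:", brute_force(seal_price(777, key_from_keypresses(["a7"])), 2))
```

The tag is what makes the threat model honest in both directions: without it, every wrong key "decrypts" to some 4-byte value and the attacker has to fall back on "does it look like a price", which is also why the range of plausible prices matters so much in ed's web variant, where the server holds the key and open_price() runs in one call. Richard's keyspace figure aside, the strength of the split-key version is entirely the number of keypresses and the secrecy of their order; the cipher choice is secondary.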
------------------------------
From: "Cynic" <none@none>
Crossposted-To: alt.security.scramdisk
Subject: Re: Advanced Encryption Standard - winner is Rijndael
Date: Thu, 5 Oct 2000 17:47:31 +0100
Andrew Carol wrote
>They don't keep it secret to help protect what is encrypted, they keep
>it secret so as to not "teach" our enemies a few tricks they might not
>have thought of.
In addition it is much, much harder to even start to crack an
encrypted message if you have absolutely no idea what principle has
been used to encrypt.
--
Cynic
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: TC8 -- Yet Another Block Cipher
Date: Thu, 05 Oct 2000 16:41:51 GMT
In article <[EMAIL PROTECTED]>,
Runu Knips <[EMAIL PROTECTED]> wrote:
> David Blackman wrote:
> > Tom St Denis wrote:
> > > This cipher is designed after CS-Cipher but is much simpler and uses
> > > little ram/rom. It's a cute cipher and I would appreciate any comments.
> > >
> > > This cipher has awesome diffusion amongst the bytes (64-bit block
> > > cipher) and is very simple to look at.
> > >
> > > I noticed very little comments on MyFish... oh well...
> > >
> > > Tom
> > >
> >
> > 64 bit block cyphers are toys.
>
> This _IS_ a toy. Tom never said you should use it seriously.
>
> > It seems that even with chaining modes,
> > there are birthday attacks after a few GB, and lots of us would like to
> > be able to work with more data than that.
>
> Yep. 32 GB to be precise.
>
> > Please switch to 128 bits for future designs. Or maybe even 256.
>
> Not necessary. Tom's Homepage states clearly they are not intended for
> serious usage. So you shouldn't.
>
> > I'm half expecting someone to come up with a generic attack on all 128-bit
> > block cyphers, now that everyone is committed to using them for the next
> > 30 years :-)
>
> Generic attack ? Hardly. The birthday problem in CBC appears after
> (2**(n/2)) Blocks. And you can still use some of the other modes
> or combine your cipher with a nice little stream cipher such as
> RC4.
Just to clear up, I think my ciphers have *some* security merit. Like
in TC5 or TC6a. I am suggesting *not* to use them because of their
very limited experience. In TC8, for example, I have found a flaw in the
key schedule and I have found how to apply differential attacks to it (have to
find out the details, but it doesn't appear to break 6 rounds).
Tom
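The quoted exchange above puts numbers on the "64-bit blocks are toys" point: the birthday problem in CBC appears after about 2^(n/2) blocks, which for n = 64 is 2^32 blocks of 8 bytes, the 32 GB Runu Knips quotes. What a ciphertext collision actually gives an attacker is less often spelled out, so the following added example (not from any post in this thread) computes the bound and demonstrates the leak. A random permutation on 16-bit blocks stands in for a real cipher so the collision is reachable in a few thousand blocks; the IV, the plaintext and the seed are constructed.

```python
# Added example, not from Tom St Denis's or Runu Knips's posts: the CBC
# birthday bound the thread quotes, and the plaintext leak a ciphertext
# collision causes. A random permutation on 16-bit blocks stands in for a
# real cipher so the collision is reachable in a few thousand blocks; the
# plaintext is constructed random data.

import math
import random

def birthday_bytes(block_bits):
    """Bytes of CBC ciphertext after which two blocks have collided with
    probability around 1/2: 2**(n/2) blocks of n/8 bytes each.
    n=64 gives 2**32 * 8 bytes = 32 GiB, the figure quoted in the thread."""
    return (1 << (block_bits // 2)) * (block_bits // 8)

def collision_probability(blocks, block_bits):
    """P(at least one repeated value) among `blocks` uniform n-bit values,
    via the usual approximation 1 - exp(-m(m-1) / 2**(n+1))."""
    return 1.0 - math.exp(-blocks * (blocks - 1) / 2.0 ** (block_bits + 1))

class ToyBlockCipher:
    """Keyed random permutation on `bits`-bit blocks, a stand-in for an
    n-bit block cipher in this demo (not a real cipher)."""
    def __init__(self, bits, seed):
        self.bits = bits
        self.table = list(range(1 << bits))
        random.Random(seed).shuffle(self.table)
    def encrypt_block(self, x):
        return self.table[x]

def cbc_encrypt(cipher, iv, blocks):
    """C_i = E(P_i xor C_{i-1}), with C_{-1} = iv."""
    out, prev = [], iv
    for p in blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out

def cbc_collision_leak(iv, ciphertext):
    """Attacker's side, ciphertext only. If C_i == C_j then, since E is a
    permutation, P_i xor C_{i-1} == P_j xor C_{j-1}, so
    P_i xor P_j == C_{i-1} xor C_{j-1}. Returns (i, j, that xor) or None."""
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            prev_i = iv if i == 0 else ciphertext[i - 1]
            prev_j = iv if j == 0 else ciphertext[j - 1]
            return i, j, prev_i ^ prev_j
        seen[c] = j
    return None

def demo(bits=16, seed=1):
    """Encrypt 8 * 2**(bits/2) random blocks (well past the birthday bound),
    find a collision and check the leaked xor against the real plaintexts.
    Returns True if the attacker's value matches, None if no collision."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(bits, seed)
    iv = rng.getrandbits(bits)
    plaintext = [rng.getrandbits(bits) for _ in range(8 << (bits // 2))]
    hit = cbc_collision_leak(iv, cbc_encrypt(cipher, iv, plaintext))
    if hit is None:
        return None
    i, j, leaked = hit
    return leaked == plaintext[i] ^ plaintext[j]

if __name__ == "__main__":
    for n in (64, 128):
        print(f"{n}-bit blocks: ~{birthday_bytes(n) / 2**30:.3g} GiB to the birthday bound")
    print("P(collision) at 2**32 blocks of 64 bits:", round(collision_probability(2**32, 64), 3))
    print("leak verified on toy cipher:", demo())
```

Two details the bare 2^(n/2) figure hides: at exactly 2^(n/2) blocks the collision probability is about 39%, not 50% (the 50% point is near 1.18 * 2^(n/2)), and the leak is P_i xor P_j, not P_i itself, so what it costs you depends on how much of the plaintext is already known or structured. Nothing in the example is specific to CBC's chaining value coming from the previous block; any mode that feeds a block-sized value through E once per block has the same bound, which is the argument for 128-bit blocks in the thread.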
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: RE: The best way to pronounce AES
Date: Thu, 05 Oct 2000 16:44:07 GMT
In article <8rhqqt$r0s$[EMAIL PROTECTED]>,
"Manuel Pancorbo" <[EMAIL PROTECTED]> wrote:
>
> Scott Craver <[EMAIL PROTECTED]>
>
> > I know I have no authority to decide these things, but I
> > strongly feel that "AES" should be pronounced, "uh-YES."
> >
>
> I don't understand why anglos have so many childish problems to pronounce so
> stupidly easy things. Pronounce it simply phonetically [a-es]; that's all. ;-)
Ok... pronounce the word "aesthetic".... hehehe
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************