Cryptography-Digest Digest #853, Volume #12       Fri, 6 Oct 00 00:13:00 EDT

Contents:
  Re: newbie pathetic question (Albert Yang)
  Re: is NIST just nuts? (Scott Contini)
  Re: is NIST just nuts? (Roger Schlafly)
  ISAAC PRNG ([EMAIL PROTECTED])
  Re: NIST Statistical Test Suite ("Cristiano")
  Check NIST test ("Romero")
  Re: Looking Closely at Rijndael, the new AES ("Paulo S. L. M. Barreto")
  Re: Looking Closely at Rijndael, the new AES (John Savard)
  Re: CDMA tracking (was Re: GSM tracking) (Mack)
  Re: Faraday Cage (Was CDMA tracking) (Mack)
  Elliptic Curve / Blowfish combination as an alternative to PGP ? 
([EMAIL PROTECTED])
  Re: Rijndael Coverage Improved on Web Site (John Savard)
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Re: CRC vs. HASH functions ("Scott Fluhrer")
  Re: Elliptic Curve / Blowfish combination as an alternative to PGP ? (Paul Rubin)
  Re: what is wrapped PCBC? (Mack)

----------------------------------------------------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: newbie pathetic question
Date: Thu, 05 Oct 2000 21:30:08 GMT

Compression is based on frequency, and frequency = bias, and bias = bad because
bias = more likely to be cracked.

Your tree structure for English would be very predictable.  Take a look at
Playfair as an example.  So your secret tree would not be too much of a
secret, or at least a predictable one.

A great example of this is watching "Wheel of Fortune": you can tell right away
that basically it's common knowledge what the frequency of the English language
is...

Albert

Danilo wrote:

> I wonder why is arithmetic coding not used to scramble messages ?
>
> If I arithmetic compress a message, but using a frequency table which
> is actually my key (both in the frequencies and in the order of the bytes),
> wouldn't it be very hard to decrypt ?
>
> Excuse in advance for my pathetic ignorance of the matter.
>
> Danilo


------------------------------

From: [EMAIL PROTECTED] (Scott Contini)
Subject: Re: is NIST just nuts?
Date: 5 Oct 2000 23:06:26 GMT

In article <[EMAIL PROTECTED]>,
Runu Knips  <[EMAIL PROTECTED]> wrote:
>Albert Yang wrote:
>> I don't think Twofish should have won.  Twofish is WAY too complex, and
>> complexity in crypto is like a cat in a rocking chair store..
>
>I don't think Twofish was too complex. Its basic design
>principles were IMHO very simple.
>
>> It wasn't the most secure or had the most security margin (Serpent wins
>> that)
>
>But it was the second securest, and Serpent's safety factor
>is simply extreme.
>
>> It wasn't the most elegant (RC6, hands down)
>
>Yes RC6 is elegant but it doesn't meet the requirements (key
>agility). The only reason why they included Mars and RC6 in
>the list of finalists was IMHO the names of IBM and RSADSI.

I think this is an absurd claim.  In fact, after the 2nd AES
conference, the attendants voted on their favorite cipher, and
RC6 got more votes than any other cipher.  It seems that the
opinion of the community changed when hardware became a serious
issue.

>
>You can be elegant and you can be too elegant. RC6 was too
>elegant. Btw, RC6 was just a modification of RC5, and a too
>small one to yield a cipher which can meet the requirements
>of the AES contest. Rivest should IMHO have known that from
>the start.
>

I do not feel the need to reply to comments I (and everybody else)
cannot take seriously.

>I think RC6 would be a good cipher for high end PC's if it
>would be free and you use 16 rounds, instead of 8. It would
>not be the securest or fastest or something but it would be
>a really short and compact piece of code, which doesn't
>need much memory space.
>

RC6 has 20 rounds.  To my knowledge, RSA Security has not said anything
yet about whether RC6 will be royalty free now that it has not won the
AES.  I do not know why people assume otherwise.

Your other comments show that you are not up to date on the issues.
Please read NIST's document on the selection of the AES before
making more absurd claims.

Scott


------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Thu, 05 Oct 2000 17:36:47 -0700

Scott Contini wrote:
> RC6 has 20 rounds.  To my knowledge, RSA Security has not said anything
> yet about whether RC6 will be royalty free now that it has not won the
> AES.  I do not know why people assume otherwise.

RSAS said that RC6 is patented, and would be royalty-free if
it wins. IBM said that Mars is patented, and would be royalty
free, win or lose. Other contestants disclaimed patent rights.
RC6 did not win, and a patent issued to RSAS. The obvious
inference is that it will cost money to use RC6.

------------------------------

From: [EMAIL PROTECTED]
Subject: ISAAC PRNG
Date: Fri, 06 Oct 2000 00:26:10 GMT

Hi all,

Is anyone aware of any effort to cryptanalyse Robert Jenkins' PRNG
ISAAC?

The web site for this algorithm is at:

http://burtleburtle.net/bob/rand/isaacafa.html

Regards,

Unseenrising


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: NIST Statistical Test Suite
Date: Fri, 6 Oct 2000 02:30:00 +0200

We have implemented the new NIST test suite, but do our implementations work
correctly?
In the draft "rng.pdf" there are some errors in the results for the sample
sequence (e.g. in the DFT test).
I think the best way is to compare the results of several implementations by
using the same bit stream.

I have generated the stream by collecting the most significant bit of a
sequence of 1,000,000 32-bit numbers calculated in this way: x(i)=69069*x(i-1)
with the seed (x0) 0x12345678; so epsilon[i].b=x>>31 and the sequence
starts with 1110000110001011...

m=10 unless otherwise stated; the p-value error is less than 1e-6,
and #define LONG_RUNS_CASE_10000  1 is set.

These are my p-values:

Frequency  0,234046364521335

Block Frequency 0,672532414273779

Runs 0,584664057164664

Longest Run Of 1's 0,536676047502367

Rank 0,000607048641442409

DFT 0,00229023344371974

Non Ov. TM 0,295971733531129

Ov. TM 0,519165487785374

Universal 0,296229920126166

LZ Compression 0,490588901657062

Linear Complexity (m=1000) 0,790656256977868

Serial (m=17) 0,356984386847784 and 0,346361632586787

Approximate Entropy (m=14) 0,725940597565766

Cumulative Sums 0,257514803597646 and 0,182821797731254

Random Excursions 0,301770841481425

Random Excursions Variant 0,46216038216253

I hope to receive some reply.

Thanks
Cristiano




------------------------------

From: "Romero" <[EMAIL PROTECTED]>
Subject: Check NIST test
Date: Fri, 6 Oct 2000 02:24:50 +0200

We have implemented the new NIST test suite, but do our implementations work
correctly?
In the draft "rng.pdf" there are some errors in the results for the sample
sequence (e.g. in the DFT test).
I think the best way is to compare the results of several implementations by
using the same bit stream.

I have generated the stream by collecting the most significant bit of a
sequence of 1,000,000 32-bit numbers calculated in this way: x(i)=69069*x(i-1)
with the seed (x0) 0x12345678; so epsilon[i].b=x>>31 and the sequence
starts with 1110000110001011...

m=10 unless otherwise stated; the p-value error is less than 1e-6,
and #define LONG_RUNS_CASE_10000  1 is set.

These are my p-values:

Frequency  0,234046364521335

Block Frequency 0,672532414273779

Runs 0,584664057164664

Longest Run Of 1's 0,536676047502367

Rank 0,000607048641442409

DFT 0,00229023344371974

Non Ov. TM 0,295971733531129

Ov. TM 0,519165487785374

Universal 0,296229920126166

LZ Compression 0,490588901657062

Linear Complexity (m=1000) 0,790656256977868

Serial (m=17) 0,356984386847784 and 0,346361632586787

Approximate Entropy (m=14) 0,725940597565766

Cumulative Sums 0,257514803597646 and 0,182821797731254

Random Excursions 0,301770841481425

Random Excursions Variant 0,46216038216253

I hope to receive some reply.

Thanks
Cristiano
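The two posts above ask other implementers to run the same 1,000,000-bit stream through their NIST suites and compare p-values. Here is an added example (not code from either post or from NIST) that regenerates that stream and runs two of the simpler SP 800-22 tests on it. It assumes the recurrence is taken modulo 2^32 (the posts say "32-bit numbers" but do not state the modulus explicitly) and that the first collected bit comes from x(1), not from the seed; under those assumptions the stream begins 1110000110001011, matching the posts. The Frequency and Runs tests are implemented from the SP 800-22 formulas; the p-values the posts quote for the other tests are not reproduced here.

```python
import math

# Parameters as stated in the posts (constructed: the mod 2^32 reduction is assumed).
MULTIPLIER = 69069
SEED = 0x12345678
MASK32 = 0xFFFFFFFF


def lcg_msb_stream(n_bits: int, seed: int = SEED) -> list:
    """x(i) = 69069 * x(i-1) mod 2^32; keep bit 31 of each x(i), starting at x(1)."""
    x = seed
    bits = []
    for _ in range(n_bits):
        x = (MULTIPLIER * x) & MASK32   # 32-bit wraparound, assumed from "32-bit numbers"
        bits.append(x >> 31)            # epsilon[i] = most significant bit
    return bits


def bits_to_str(bits) -> str:
    return "".join(str(b) for b in bits)


def frequency_test(bits) -> float:
    """SP 800-22 Frequency (monobit) test: S_n = sum(2*b - 1), p = erfc(|S_n| / sqrt(2n))."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits) -> float:
    """SP 800-22 Runs test. The test is only applicable when the proportion of
    ones pi satisfies |pi - 1/2| < 2/sqrt(n); otherwise the p-value is 0."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    # V_obs = number of runs = 1 + number of positions where adjacent bits differ
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def analyse(n_bits: int = 1_000_000) -> dict:
    """Generate the posted stream and return the prefix plus both p-values."""
    bits = lcg_msb_stream(n_bits)
    return {
        "prefix16": bits_to_str(bits[:16]),
        "frequency_p": frequency_test(bits),
        "runs_p": runs_test(bits),
    }


if __name__ == "__main__":
    result = analyse()
    print("first 16 bits:", result["prefix16"])   # posts say 1110000110001011
    print("Frequency p-value:", result["frequency_p"])
    print("Runs p-value:     ", result["runs_p"])
```

A p-value below the usual 0.01 threshold marks a test as failed; the posts' Rank and DFT values (0.0006 and 0.0023) are the ones to look at first when comparing implementations, since a multiplicative LCG's high bit is exactly the kind of structure those tests are designed to catch.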



------------------------------

Date: Thu, 05 Oct 2000 22:45:21 -0200
From: "Paulo S. L. M. Barreto" <[EMAIL PROTECTED]>
Subject: Re: Looking Closely at Rijndael, the new AES

Tim Tyler wrote:
> Scott said "small fast cypher" in the first place.  A small secure cypher
> would be a sort of cryptographic magic bullet.  I don't think it exists -
> you need a certain degree of complexity to produce enough confusion to
> properly resist analysis.

You don't think it exists?  Then let me introduce "One-Time Pad".  Can you
think of anything smaller or faster?  Yet if you don't accept that as
secure, then just forget *anything* else.

Paulo Barreto.


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Looking Closely at Rijndael, the new AES
Date: Fri, 06 Oct 2000 02:30:51 GMT

On Thu, 05 Oct 2000 22:45:21 -0200, "Paulo S. L. M. Barreto"
<[EMAIL PROTECTED]> wrote, in part:

>Then let me introduce "One-Time Pad".
>Can you think of anything smaller or faster? Yet if you don't accept
>that as secure, then just forget *anything* else.

That is true, but not germane.

The one-time-pad is secure because the key matches the message in
size.

When the key is fixed in size, however, simple XOR (of the key over
and over) is not secure. For a fixed size key - a key just large
enough to prevent brute force search - can a fast, small, simple
cipher be secure?

That is the question to which "no" may _well_ be the answer, and that
is the question really being discussed, even if that hasn't been
indicated explicitly: can _work factor security_, as opposed to
_information-theoretic security_, be obtained from a small, fast
cipher.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: 06 Oct 2000 03:37:05 GMT

>> >>> >> > >If you are concerned about your phone being
>> >>> >> > >trackable when it is off, why not just put
>> >>> >> > >it in an aluminum briefcase ?
>
>It's dangerous to add to a thread when you don't know what
>went before - but if you are after a legitimate test method
>to stop signal getting to/from a mobile phone, why not put 
>it into a guaranteed (consumer quality) RF-proof enclosure nearly 
>everyone owns --- a microwave oven.  Just don't turn the oven on!!
>
>-- 
>Steven Murray, AirBorn Electronics      -- [EMAIL PROTECTED]
>PO Box 1491, North Sydney, NSW 2060, Australia.
>Ph(61)(2)9925 0325  Fax 9925 0297  -- http://www.airborn.com.au
>"Opportunities multiply as they are seized. " -- Sun Tzu
>

We are back to frequency specifics again ...
Microwave ovens block one set of frequencies really well,
but how well do they actually work on other frequencies?

The simple test I used before was your phone or pager in
your enclosure and then call your cell phone.  If it rings
the enclosure isn't good enough.


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Faraday Cage (Was CDMA tracking)
Date: 06 Oct 2000 03:39:56 GMT

>
>Arturo wrote:
>>
>>>>Guy's comments:
>>>>
>>>>The idea of grounding a Faraday shield was Faraday's, and it is very
>>>>important in Faraday's application, which was to protect humans from
>>>>large electrostatic charges.  Without the ground, the cage can hold
>>>>a charge and zap you as you step out of it.
>>>>
>>I don't follow it.  We want to ground a cellphone via a Faraday cage.
>>But if you do it right, the FC will block all EM signals incoming and 
>>outgoing.
>>In that case: how on Earth will you be able to talk through your phone, or
>>receive incoming calls?  You might as well just pull the battery out.
>>
>
>It's for doing an experiment where you want to see what your cellphone
>does when it cannot contact anything else by radio.
>
>
>
>

Actually the original thread was on the cell phone tracking
your location and storing it in memory.  Some people may not
like the idea that someone may get their cell phone and tell
where they have been.  Particularly if it is their wife's detectives
seeing if they have been visiting brothels in Las Vegas.


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED]
Subject: Elliptic Curve / Blowfish combination as an alternative to PGP ?
Date: Fri, 06 Oct 2000 03:32:28 GMT

Hi there,

Just wondering if anyone could give me an opinion on using a
combination of an Elliptic Curve / Blowfish set to produce a type of
Public key encryption solution for securing files, in contrast to using
the PGP DLL solution? (The client wants a PGP-type public/private security
setup but wants to steer clear of actual PGP because of import
regulations in one of their branch offices.)

Specifically I am looking at the Delphi components offered by TSM Inc
(http://www.crypto-central.com). Their solution involves using their
Elliptic Curve object to create a public/private key pair, then using an
exchanged value from the Elliptic Curve object to act as an
initialization key for the Blowfish object. Their documentation states:

"TEllipticCurve is an implementation of an elliptic curve (ECC) based
asymmetrical cryptosystem, based loosely on the work of Paulo Barreto
and George Barwood, but extensively reworked to offer greater
performance and stability."

I would greatly appreciate any comments,

many thanks,

Jay.





------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Rijndael Coverage Improved on Web Site
Date: Fri, 06 Oct 2000 03:28:57 GMT

On Thu, 05 Oct 2000 11:27:59 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:

>As befits Rijndael's status as the new AES, I've extended the
>description of it on my web page.

Now, I've even added a diagram - a three-dimensional view (isometric)
in color - of a round of Rijndael to that page.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: Choice of public exponent in RSA signatures
Date: Fri, 06 Oct 2000 05:41:50 +0200

[EMAIL PROTECTED] asked:

> Is there evidence that finding cube roots mod n (n=pq, p,q distinct,
> unknown, large primes) is *much easier* than finding square roots (that
> is, than factoring)?

Ref [2] gives sort of a partial ad absurdum argument in this direction,
in the special case of low-exponent roots.


  Francois Grieu


[2] Dan Boneh, Ramarathnam Venkatesan: Breaking RSA May Be
Easier Than Factoring
<http://crypto.stanford.edu/~dabo/papers/no_rsa_red.pdf>

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: CRC vs. HASH functions
Date: Thu, 5 Oct 2000 20:19:15 -0700


Mack <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Having been working hard and not here for a while
> the topic of CRC vs. HASH functions
> came up in a thread.
>
> 1) CRC are faster than HASH functions of
> comparable size.  That is a fact.  Many
> hash functions use a CRC like layer at the
> top to mix in data linearly. SHA-1 is no exception.
> A table driven 256 bit hash function requires 4 32-bit word
> lookups/byte, four 32-bit word XORs, a shift and an XOR
> to add data.
>
> A 16-bit lookup uses fewer lookups but much bigger
> tables.

However, if you are willing to use a MAC rather than a HASH (which may be
appropriate depending on why you are summarizing the file in the first
place), there are MACs which can be even faster than CRC.  Examples of this
would include UMAC (http://www.cs.ucdavis.edu/~rogaway/umac/) and hash127
(http://cr.yp.to/hash127.html)

--
poncho




------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curve / Blowfish combination as an alternative to PGP ?
Date: 05 Oct 2000 20:53:08 -0700

[EMAIL PROTECTED] writes:
> Just wondering if anyone could give me an opinion on using a
> combination of an Elliptic Curve / Blowfish set to produce a type of
> Public key encryption solution for securing files, in contrast to using
> the PGP DLL solution? (client wants PGP type public/private security
> setup but wants to steer clear of actual PGP because of import
> regulations in one of their branch offices)

That doesn't make any sense at all.  Any program with cryptography
will have the exact same import/export issues as PGP.

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: what is wrapped PCBC?
Date: 06 Oct 2000 04:08:32 GMT

>[EMAIL PROTECTED] (Marc) wrote in <[EMAIL PROTECTED]>:
>
>>
>>No email supplied other than [EMAIL PROTECTED], sorry
>>for asking public.
>
>   You can email from the main webpage
>
>>
>>> The "wrapped PCBC" will handle any byte length for a file longer than
>>> 3 block lengths.
>>
>>How does "wrapped PCBC" work, and why do you prefer it over "ciphertext
>>stealing" which works with files >= 1 block length?
>
> The best page to look at is the one by Horst:
> http://xoom.members.com/ecil/page2.htm
>It is for scott19u but it is explained there quite well; however
>I have to admit even with Horst's help Mok and DW seem to be totally
>lost. I suspect it's only because they both were too lazy to look.
>
>David A. Scott
>-- 
>SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
>       http://www.jim.com/jamesd/Kong/scott19u.zip
>Scott famous encryption website **now all allowed**
>       http://members.xoom.com/ecil/index.htm
>Scott LATEST UPDATED source for scott*u.zip
>       http://radiusnet.net/crypto/  then look for
>  sub directory scott after pressing CRYPTO
>Scott famous Compression Page
>       http://members.xoom.com/ecil/compress.htm
>**NOTE EMAIL address is for SPAMERS***
>I leave you with this final thought from President Bill Clinton:
>

Wrapped PCBC is basically a form of chaining similar to CBC and PCBC.
It uses multiple passes over the text, wrapping the last block to the front.

It is a form of AONT.  If the encryption function is unbreakable, wrapped
PCBC is unbreakable.

Example:

P1 P2 P3 P4
E1=f(P4^P1^P2)
E2=f(E1^P2^P3)
E3=f(E2^P3^P4)
E4=f(E3^P4^E1)

Now here is where it gets interesting.

The second round produces what we will call G:
G1=f(E4^E1^E2)
G2=f(G1^E2^E3)
G3=f(G2^E3^E4)
G4=f(G3^E4^G1)

Notice that this is invertible.

In scott19u and relatives the second XOR is changed to a +.

It must be decrypted last block first to unwind it.
In particular scott19u uses large tables for f and round keys.

This prevents 'the Onions attack' by Paul Onions, which is
a form of slide attack.  It is interesting that it isn't mentioned
in David Wagner's paper on slide attacks.  I believe David may have
been around a bit when that attack was introduced.

I posted a paper about it a long time back in sci.crypt.research.
I introduced IS8, RS8 and M8; of those only M8 had round keys
and is still unbroken.  It is in the North American crypto archive
as X8.ZIP.



Mack
Remove njunk123 from name to reply by e-mail
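To make the "invertible" and "decrypt last block first" remarks concrete, here is an added example (not Mack's code, nor anything from scott19u) that implements the chaining exactly as the four-block equations above describe it, generalised to any n >= 3 blocks: E1 = f(Pn ^ P1 ^ P2), Ei = f(E(i-1) ^ Pi ^ P(i+1)) for the middle blocks, and En = f(E(n-1) ^ Pn ^ E1). The block function f is a stand-in: a secret 256-entry byte permutation built from a fixed seed, chosen only so that f and its inverse are easy to tabulate. It is a toy, not a cipher, and the n >= 3 minimum is this example's own choice (with two blocks the wrap-around degenerates). The XOR-only variant is shown, not the + variant used in scott19u.

```python
import random

# --- toy block function f: a secret 256-entry table over one-byte blocks -------------
# Constructed stand-in for the "large tables" Mack mentions. Not a secure cipher.

def make_toy_f(seed: int = 12345):
    """Return (f, f_inv) as lookup lists: f is a random permutation of 0..255."""
    table = list(range(256))
    random.Random(seed).shuffle(table)   # seed plays the role of the secret key
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return table, inverse


# --- one forward pass of wrapped PCBC --------------------------------------------

def wrapped_pcbc_round(blocks, f):
    """E1 = f(Pn ^ P1 ^ P2); Ei = f(E(i-1) ^ Pi ^ P(i+1)); En = f(E(n-1) ^ Pn ^ E1)."""
    n = len(blocks)
    if n < 3:
        raise ValueError("wrapped PCBC needs at least 3 blocks")
    out = [0] * n
    out[0] = f[blocks[n - 1] ^ blocks[0] ^ blocks[1]]          # wrap: last block feeds the first
    for i in range(1, n - 1):
        out[i] = f[out[i - 1] ^ blocks[i] ^ blocks[i + 1]]
    out[n - 1] = f[out[n - 2] ^ blocks[n - 1] ^ out[0]]        # wrap: first ciphertext feeds the last
    return out


def wrapped_pcbc_round_inverse(cipher, f_inv):
    """Undo one pass. Only Pn can be recovered without knowing other plaintext
    blocks (Pn = f^-1(En) ^ E(n-1) ^ E1), so decryption must run last block first."""
    n = len(cipher)
    plain = [0] * n
    plain[n - 1] = f_inv[cipher[n - 1]] ^ cipher[n - 2] ^ cipher[0]
    for i in range(n - 2, 0, -1):
        plain[i] = f_inv[cipher[i]] ^ cipher[i - 1] ^ plain[i + 1]
    plain[0] = f_inv[cipher[0]] ^ plain[n - 1] ^ plain[1]
    return plain


# --- multiple passes: round 1 gives E, round 2 gives G, and so on ---------------------

def encrypt(data: bytes, rounds: int = 2, seed: int = 12345) -> bytes:
    f, _ = make_toy_f(seed)
    blocks = list(data)
    for _ in range(rounds):
        blocks = wrapped_pcbc_round(blocks, f)
    return bytes(blocks)


def decrypt(data: bytes, rounds: int = 2, seed: int = 12345) -> bytes:
    _, f_inv = make_toy_f(seed)
    blocks = list(data)
    for _ in range(rounds):
        blocks = wrapped_pcbc_round_inverse(blocks, f_inv)
    return bytes(blocks)


def count_changed_blocks(data: bytes, position: int, rounds: int = 2) -> int:
    """Flip one bit of one ciphertext byte and count how many plaintext bytes change.
    With two or more passes the damage spreads across the whole message."""
    ct = bytearray(encrypt(data, rounds))
    ct[position] ^= 0x01
    garbled = decrypt(bytes(ct), rounds)
    return sum(1 for a, b in zip(data, garbled) if a != b)


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"   # constructed sample input
    ct = encrypt(msg)
    assert decrypt(ct) == msg
    print("ciphertext:", ct.hex())
    print("changed plaintext bytes after flipping one ciphertext bit:",
          count_changed_blocks(msg, 5))
```

The round trip works for any message of at least three bytes, and because each pass is a bijection, tampering with any ciphertext byte necessarily yields a different plaintext; with a single pass a change to a middle block leaves the last block intact, which is why the scheme relies on multiple passes for its all-or-nothing behaviour.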

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
