Cryptography-Digest Digest #883, Volume #12       Mon, 9 Oct 00 22:13:00 EDT

Contents:
  Re: A new paper claiming P=NP (glenn)
  Re: Quantized ElGamal (Tom St Denis)
  Re: What is "freeware"?  (was: Re: Any products using Rijndael?) (John Savard)
  Re: Microsoft CAPI's PRNG seeding mechanism (dbt)
  Re: RC5 Test Vectors (David Hopwood)
  Re: SDMI challenge (dbt)
  Re: xor algorithm (Tom St Denis)
  Re: SDMI - Answers to Major Questions (Tom St Denis)
  Re: Any products using Rijndael? (Tom St Denis)
  Re: Why wasn't MARS chosen as AES? (Greggy)
  Re: NSA quote on AES (Greggy)
  Re: NSA quote on AES (Greggy)
  Re: NSA quote on AES (Greggy)

----------------------------------------------------------------------------

From: glenn <[EMAIL PROTECTED]>
Crossposted-To: comp.theory,sci.math,sci.op-research
Subject: Re: A new paper claiming P=NP
Date: Tue, 10 Oct 2000 04:03:23 +0300

On Tue, 10 Oct 2000 13:23:26 +1300, Ross Smith <[EMAIL PROTECTED]>
wrote:

>Ah, but that "...or worse" gives them an out. If reviewing a proof is
>P-time, but *finding* the proof is *worse* than NP-time, then reviewing
>can still be easier than finding without contradicting P=NP.

I'm not aware of the technicalities of the N=NP problem, but I know
that it is a major problem. Can someone say for sure if the presented
proof is right?

--
glenn

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Quantized ElGamal
Date: Tue, 10 Oct 2000 01:13:28 GMT

In article <[EMAIL PROTECTED]>,
  "William A. McKee" <[EMAIL PROTECTED]> wrote:
> What is Quantized ElGamal?  What is a timing-attack?  Is ElGamal secure or
> has it been broken?

Quantification means to reduce with loss of information.  PCM audio is
quantised for example, so are DCT coefficients of MP3 and JPEG images.

Quantized ElGamal does not make sense.

A timing attack is based on the *implementation* of an algorithm.  For
example in ElGamal I must raise something with my private exponent.  I
could time how long it takes to guess at the bits of my exponent (see
the multiply-square method).  ElGamal is vaguely as difficult as the
discrete logarithm problem.  So when implemented and used properly
it's secure.  For example a proper implementation of ElGamal with a 200
bit prime is not secure no matter how good the hardware, but ElGamal
with a 2000 bit prime is not guaranteed to provide security.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

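To make the timing-attack remark above concrete, here is an added example (not Tom's code): a left-to-right square-and-multiply modular exponentiation whose multiply count depends on the bits of the exponent, next to a Montgomery ladder that performs the same number of operations for every exponent. The modulus, base and exponents are constructed toy values.

```python
# Added example, not from the post: why square-and-multiply leaks exponent
# bits through its operation count (and hence its running time), and a
# ladder that removes the data-dependent branch.

def square_and_multiply(base: int, exp: int, mod: int):
    """Left-to-right binary exponentiation.
    Returns (base**exp mod mod, number of modular multiplications).
    The extra multiply happens only on 1-bits, so the count reveals the
    Hamming weight of a private exponent, and finer timing measurements
    can reveal the position of each set bit."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:                 # MSB first
        result = result * result % mod       # square on every step
        ops += 1
        if bit == "1":
            result = result * base % mod     # multiply only on 1-bits
            ops += 1
    return result, ops

def montgomery_ladder(base: int, exp: int, mod: int):
    """Same result, but exactly two multiplications per exponent bit
    whatever the bit's value, so the count no longer depends on the key.
    (Python big-int arithmetic is still not constant-time; this removes
    the key-dependent branch, not every side channel.)"""
    r0, r1, ops = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        ops += 2
    return r0, ops

def op_count_profile(base: int, mod: int, exponents):
    """Operation counts of both methods for each candidate exponent.
    A method whose count varies across exponents of equal bit length is
    leaking key material through timing."""
    return {e: (square_and_multiply(base, e, mod)[1],
                montgomery_ladder(base, e, mod)[1]) for e in exponents}

if __name__ == "__main__":
    # Constructed toy parameters: a small prime and three 8-bit exponents
    # of differing Hamming weight.
    p = 1009
    print(op_count_profile(5, p, [0b10000000, 0b10101010, 0b11111111]))
```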
------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What is "freeware"?  (was: Re: Any products using Rijndael?)
Date: Tue, 10 Oct 2000 01:10:49 GMT

On 10 Oct 2000 01:12:49 +0200, [EMAIL PROTECTED] (Paul Schlyter)
wrote, in part:

>I don't understand that "in between freeware and public domain" stuff.
>Either the program is copyrighted, or it is not copyrighted.  It cannot
>be "in between", can it?  Therefore open source is copyrighted freeware.

But it is a special category.

Ordinary freeware is free, but otherwise subject to the usual
conditions associated with commercial packages: you can't distribute a
modified version, you don't get the source, and so on.

Open source software, on the other hand, lets you do most of the
things you can do with public-domain software - except hide it in
something that you can pass off as all your own work, which others
cannot use as you used the original.

So it is a distinct class of program. It is copyrighted, but the
copyright is put to a different use.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (dbt)
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Microsoft CAPI's PRNG seeding mechanism
Date: Tue, 10 Oct 2000 01:19:43 GMT

Jack Love <[EMAIL PROTECTED]> says:
>>    MS is well-known for not taking security seriously.
>>
>Windows 2k was recently given a C2 rating.

C2 is extremely meaningless.  It's a marketing label required to get your
foot in the door for most government contracts.

-- 
David Terrell            | "Instead of plodding through the equivalent of
Prime Minister, NebCorp  | literary Xanax, the pregeeks go for sci-fi and
[EMAIL PROTECTED]             | fantasy:  LSD in book form." - Benjy Feen,
http://wwn.nebcorp.com   | http://www.monkeybagel.com/ "Origins of Sysadmins"

------------------------------

Date: Mon, 09 Oct 2000 23:51:46 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: RC5 Test Vectors

Chris Kerslake wrote:
> 
> I am looking for test vectors for RC5 (and eventually other ciphers).

http://www.users.zetnet.co.uk/hopwood/crypto/scan/

For RC5, see RFC 2040 (this only includes test vectors for CBC mode,
but it's easy to derive single-block test vectors from them).
If you're thinking of using RC5, bear in mind that it is patented.

> I have downloaded three different crypto-libraries off the Net and
> have been trying to compare them, but before getting too serious I
> want to ensure that they all return the same "correct" values, and
> thus the need for the test vectors.
> 
> So far I have Wei Dai's Crypto++, Eric Young's libeay, BeeCrypt, and
> Bruce Schneider RC5 (from Applied Crypto v2)...

In general, Crypto++ and Eric Young's code pay attention to byte order,
whereas much of the code from Applied Crypto does not. I'm not sure
about BeeCrypt. In this case Crypto++ and libeay are correct.

Note that libeay has effectively changed its name to OpenSSL, and
is being maintained at www.openssl.org. It does have test vectors
for RC5, BTW, in crypto/rc5/rc5test.c; the first one is the same
as used by Crypto++.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


------------------------------

From: [EMAIL PROTECTED] (dbt)
Subject: Re: SDMI challenge
Date: Tue, 10 Oct 2000 01:22:26 GMT

David Blackman <[EMAIL PROTECTED]> says:
>Much of DMCA is very unconstitutional, including the parts needed to
>enforce the below. It would be nice if someone was brave enough to break
>those parts so that this could be confirmed by the courts. Of course,
>that would entail risks and probably significant court costs, so don't
>do it unless you're prepared.

Read up on 2600 vs. DVDA.

-- 
David Terrell            | "Instead of plodding through the equivalent of
Prime Minister, NebCorp  | literary Xanax, the pregeeks go for sci-fi and
[EMAIL PROTECTED]             | fantasy:  LSD in book form." - Benjy Feen,
http://wwn.nebcorp.com   | http://www.monkeybagel.com/ "Origins of Sysadmins"

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: xor algorithm
Date: Tue, 10 Oct 2000 01:16:14 GMT

In article <oqrE5.173$[EMAIL PROTECTED]>,
  "Paul Pires" <[EMAIL PROTECTED]> wrote:
>
> William A. McKee <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Antonio Merlo <[EMAIL PROTECTED]> wrote in message
> > news:8rs4sr$mm7$[EMAIL PROTECTED]...
> > > How strong will an encryption method based on a xor operation with
> > > a pass phrase (or password) and a buffer to encrypt be? (supposing a
> > > very strong password of, let's say, 16 letters, combining uppercase,
> > > lowercase and digits)
> > > How will you cryptanalyse that algorithm?
> > >
> > >
> >
> > If you use your password to seed a pseudo random number generator
> > (PRNG) like ISAAC, WAKE, etc. and xor the buffer with the PRNG output,
> > I think it can be quite secure.  I may be wrong.  I'm such a newbie :)
>
> I'm a newbie too but I think you should point out that not all PRNG's
> are equal. There are PRNG's and then there are Cryptographically
> secure PRNG's. I am not sure about ISAAC. Regardless, this is a
> stream cipher and has use limitations. A blanket statement that it
> can be "Quite secure" could be misleading. You cannot re-use a keyed
> stream. If the same key is used for two different messages and a
> plaintext is known for one, it is trivial to solve for the other
> plaintext. There are ways of dealing with this but it's not like
> falling off a log. Stream ciphers and Block ciphers are not two
> different, but equivalent, methods

Technically any effective PRNG is cryptographically secure by
definition.  But I will agree that some PRNG's are weak and "allowed"
to be weak for logistical purposes.

ISAAC looks neat but has had little cryptanalysis.  WAKE is also not
secure and very incomplete (the paper doesn't say how the tables are
made just that "they are key supplied....").  RC4 is perhaps your best
bet.

> How the password is used to seed the PRNG is not trivial either.
> This can be hosed easily.

Simple, take Password + SALT and hash it to make the key.  Of course
many people get this step wrong...

Tom



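An added example (not Tom's or Paul's code) that ties the two points of this thread together: the key is hash(password + salt) as Tom describes, RC4 (the PRNG he suggests) generates the keystream, and a check shows why Paul's keystream-reuse warning holds: two messages under the same key XOR to the XOR of their plaintexts, while a fresh salt per message makes them independent. The password, salts and plaintexts are constructed sample values.

```python
# Added example, not from the post. RC4 is used because the thread names it;
# it is considered broken today (RFC 7465 bans it from TLS) and a typed
# password should go through a slow salted KDF, not a single hash.
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(password: bytes, salt: bytes) -> bytes:
    """hash(password + salt), the step Tom describes."""
    return hashlib.sha256(password + salt).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(password: bytes, salt: bytes, plaintext: bytes) -> bytes:
    """salt || (plaintext XOR keystream). The salt is the only thing that
    makes the keystream differ between messages under one password."""
    ks = rc4_keystream(derive_key(password, salt), len(plaintext))
    return salt + xor_bytes(plaintext, ks)

def keystream_cancels(ct1: bytes, ct2: bytes, pt1: bytes, pt2: bytes,
                      salt_len: int) -> bool:
    """True when the two ciphertext bodies XOR to the XOR of the plaintexts,
    i.e. the keystream was reused, so knowing one plaintext exposes the
    other. This is the check to run when reviewing such a scheme."""
    return xor_bytes(ct1[salt_len:], ct2[salt_len:]) == xor_bytes(pt1, pt2)

if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    pw, salt = b"16-char-p4ssw0rd", b"\x00" * 8
    p1, p2 = b"attack at dawn  ", b"retreat at dusk "
    reused = keystream_cancels(encrypt(pw, salt, p1), encrypt(pw, salt, p2),
                               p1, p2, 8)
    fresh = keystream_cancels(encrypt(pw, salt, p1),
                              encrypt(pw, b"\x01" * 8, p2), p1, p2, 8)
    print("same salt leaks:", reused, "| fresh salt leaks:", fresh)
```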
------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SDMI - Answers to Major Questions
Date: Tue, 10 Oct 2000 01:22:12 GMT

In article <8rstp2$7vn$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Hi folks - having read a number of Internet articles and posts from
> concerned and/or irate MP3 fans about the possible future of MP3s
> in an SDMI-oriented world, I was lucky enough to get SDMI
> executive director Leonardo Chiariglioni on the phone to ask him
> some of these questions directly -- some of his answers are pretty
> interesting. Check out the interview at
> http://www.neato.com/default.asp?goto=Articles/neatonicks.asp
>

This sums up the competence of the SDMI folk...

--- quote ---
NEATO-nicks: Presumably many people who are downloading MP3s are not as
concerned as they perhaps should be about the quality of the audio. Are
you concerned that people might take an SDMI-encoded file, play it back
on an SDMI-compliant device, and then take that analog signal and re-
encode it as a new file?

Chiariglione: This is a question that you should possibly ask the
rights holder for the music, not SDMI. SDMI is a body developing a
specification for secure digital music. What you describe is feasible
because the specification we have written allows this to happen. On the
other hand, this is one of the great advantages of SDMI. Music will be
released by the professionals, so you will expect to have very high
quality music. While if you get music from unknown sources, you can get
real garbage.
---quote---

Translation:  Our software is most likely weak but what the heck do we
care, we're laughing all the way to the bank.  Some companies (not to
name names.... um Sony...) are stupid enough to believe our crap.  If it
gets pirated you would expect our copyright protection scheme to save
the day, but if not, tough luck for the starving artist.

Also on the same page...

---quote---
NEATO-nicks: People seem to be concerned about audio quality -- that if
there's watermarking that goes on with a compressed audio file, this
will degrade the quality of the audio. Is that likely to be a concern?

Chiariglione: I wouldn't say so, because we have selected the phase 1
technology after very rigorous subjective tests done by professionals.
I would be more concerned about the effect of compression. If you take
MP3, you get transparency at 192 kbps, but that's not the rate that
people usually employ. They use maybe 64 kbps, and then quality is
really affected. You're really at the point where you have to make some
tradeoffs concerning compression. But I assume that the effect of the
watermarking is, if anything, the least effect that you should consider
in the overall quality of the system.
---quote---

Stupid SDMI people.  I routinely listen to MP3 shoutcast streams at 128
kbps, and it sounds very good.  If your watermark makes it worse then
phhtt!

Why won't the stupid business majors realize that crypto is designed to
solve the problem of getting info from point A to point B, not point
C,D,E,F,G...

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Any products using Rijndael?
Date: Tue, 10 Oct 2000 01:25:39 GMT

In article <[EMAIL PROTECTED]>,
  Runu Knips <[EMAIL PROTECTED]> wrote:
> Marc wrote:
> > Why do you trust Twofish/Blowfish more than IDEA?
>
> Well, I trust the principles behind Blowfish because
> no matter which breaks one will find in future, it
> is very, very likely that the random sboxes of
> Blowfish will resist them.

Well that's just not true.  The way you use the sboxes is vital to how
effective they are.

> Therefore Blowfish lacks the most important weakness
> of most ciphers: they have only been optimized
> against known attacks.

Reduced round Blowfish fell to the same attacks. In fact 16-round
Blowfish is about as strong as DES (except the longer keyspace).

> And Twofish, well it is more a mathematical concept
> just like IDEA, but at least it has 128 bit blocks
> and no known weak keys.

Twofish round function output is really making me sick lately.  It
doesn't look like a "wide data path" to me and could be a big source of
troubles.

> > Hasn't IDEA received more analysis already?
>
> AFAIK yes - at least more than Blowfish.

IDEA is a few years older and much more widely known.

> > Do you have logical reasons towards your prefered
> > ciphers or is it just a feeling?
>
> Besides the fact that I believe Blowfish is very
> hard to break (as described above), the two
> *fish ciphers are also free, while using IDEA
> legally is only possible in (a) freeware or
> (b) for a IMHO really expensive license.

Well technically DES is hard to break as well (consider round
independent keys...).  Blowfish is "sufficiently" secure for virtually
all purposes.

Tom



------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: Re: Why wasn't MARS chosen as AES?
Date: Tue, 10 Oct 2000 01:43:51 GMT

In article <[EMAIL PROTECTED]>,
  JCA <[EMAIL PROTECTED]> wrote:
> UBCHI2 wrote:
>
> > Why wasn't MARS chosen as AES?
>
> Because it was the worst candidate by a mile?

The expression is, "by a country mile" if you want to add emphasis... :)


--
If I were a cop, I would refuse to go on any no knock raid.
But then, I am not a cop for basically the same reasons.



------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Tue, 10 Oct 2000 01:46:03 GMT

In a word, "scary".  That is what I feel when they make that type of
endorsement.

> "The National Security Agency (NSA) wishes to congratulate the National
> Institute of Standards and Technology on the successful selection of an
> Advanced Encryption Standard (AES). It should serve the nation well. In
> particular, NSA intends to use the AES where appropriate in meeting the
> national security information protection needs of the United States
> government."
>
>  Michael J. Jacobs
>  Deputy Director for Information Systems Security
>  National Security Agency
>
> - http://www.nist.gov/public_affairs/releases/aescomments.htm
>
> --
> +-------------------------------------------------------------------+
> | David A. Crick <[EMAIL PROTECTED]> PGP: (OCT-2000 KEY) 0xE0F73D98 |
> | Damon Hill Tribute Site: http://www.geocities.com/MotorCity/4236/ |
> | M. Brundle Quotes: http://members.tripod.com/~vidcad/martin_b.htm |
> +-------------------------------------------------------------------+
>

--
If I were a cop, I would refuse to go on any no knock raid.
But then, I am not a cop for basically the same reasons.



------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Tue, 10 Oct 2000 01:49:13 GMT


> > >"The National Security Agency (NSA) wishes to congratulate the National
> > >Institute of Standards and Technology on the successful selection of an
> > >Advanced Encryption Standard (AES). It should serve the nation well. In
> > >particular, NSA intends to use the AES where appropriate in meeting the
> > >national security information protection needs of the United States
> > >government."
> >
> >    These are weasel words if nothing else. To say they will use it
> > where it's appropriate does not mean anything at all. They may
> > only use it in the sense of decoding messages. And they don't say
> > where it's appropriate for them to use. But I guess it is too much
> > to expect an honest answer from them.
>
> Once again we can see that accuracy and objective analysis are not among
> your stronger abilities.


But even you have to admit, these words from the NSA sounded like
something you expect from a press secretary when you want to hide the
truth.  The words are very well organized yet say absolutely nothing,
and they provide plenty of patting the back of another agency (how
often does that take place?).  Sounds like propaganda to me...

--
If I were a cop, I would refuse to go on any no knock raid.
But then, I am not a cop for basically the same reasons.



------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: Re: NSA quote on AES
Date: Tue, 10 Oct 2000 01:51:04 GMT


> > >..., NSA intends to use the AES where appropriate in meeting the
> > >national security information protection needs of the United States
> > >government."
> >    These are weasel words if nothing else. To say they will use it
> > where it's appropriate does not mean anything at all. They may
> > only use it in the sense of decoding messages.
>
> No, did you miss the words "information protection needs"?
>
> > And they don't say where it's appropriate for them to use.
>
> That has already been stated up front by NIST.  AES is intended
> for use to secure sensitive-but-unclassified (SBU) information.

Well, that settles it for me.  I won't be using it for any of
my "classified" information...

> An example would be competitive-procurement records.

But my classified information is like my SS# or credit card number.
The latter is used for my personal procurement over the internet.  So I
won't be procuring with AES it seems...

>
> > But I guess it is too much to expect an honest answer from them.
>
> It is too much to expect any answer when no question was asked.
>

--
If I were a cop, I would refuse to go on any no knock raid.
But then, I am not a cop for basically the same reasons.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************