Cryptography-Digest Digest #910, Volume #12 Fri, 13 Oct 00 09:13:01 EDT
Contents:
Re: Rijndael implementations (jungle)
algo to generate permutations ("stephane longchamp")
Re: Challenge... (Andre van Straaten)
Re: SHA-256 implementation in pure C (free) (Tom St Denis)
Re: SHA-256 implementation in pure C (free) (Tom St Denis)
Re: Idea for Twofish and Serpent Teams (Tom St Denis)
Re: SHA-256 implementation in pure C (free) (Tom St Denis)
Re: Dense feedback polynomials for LFSR (Tim Tyler)
Re: algo to generate permutations (Richard Heathfield)
Re: What is meant by non-Linear... (Tom St Denis)
Re: Rijndael implementations (Tom St Denis)
Re: SDMI - Answers to Major Questions (Tom St Denis)
My SHA code and Endianess (Tom St Denis)
Re: Why trust root CAs ? (Larry Kilgallen)
Re: What is meant by non-Linear... (Tim Tyler)
Re: Rijndael implementations (Tim Tyler)
Re: My SHA code and Endianess (Ed Kubaitis)
Re: My SHA code and Endianess (Jim Gillogly)
----------------------------------------------------------------------------
From: jungle <[EMAIL PROTECTED]>
Subject: Re: Rijndael implementations
Date: Fri, 13 Oct 2000 07:20:52 -0400
now we have [ byte n ]:
a sequence of 8 bits (enough to represent one character of alphanumeric data)
processed as a single unit of information
a byte may be 9 bits on 36-bit computers. Some older architectures used "byte"
for quantities of 6 or 7 bits, and the PDP-10 and IBM 7030 supported "bytes"
that were actually {bit-fields} of 1 to 36 (or 64) bits!
these usages are now obsolete.
even 9-bit bytes have become rare in the general trend toward power-of-2 word
sizes.
Rob Warnock wrote:
>
> David Eppstein <[EMAIL PROTECTED]> wrote:
> +---------------
> | [EMAIL PROTECTED] wrote:
> | > Having "byte" defined as "set of bits that represent a single character"
> | > seems like a really dumb idea to me.
> |
> | You've obviously never programmed a 36-bit architecture.
> +---------------
>
> Such as the venerable DEC PDP-10 -- in which the hardware supported bytes
> of *any* length from 1 to 36 bits; in which plain ASCII text files
> consisted of *7*-bit bytes (packed five to a word with one bit wasted)
> and filenames passed to system calls were "SIXBIT" ASCII (six chars to
> a word); in which at least one C compiler decided to use *9*-bit bytes
> just so they packed evenly into words.
>
------------------------------
From: "stephane longchamp" <[EMAIL PROTECTED]>
Subject: algo to generate permutations
Date: Fri, 13 Oct 2000 13:41:50 +0200
Does someone know an algo to generate all permutations of a string of letters?
example:
ABCD
ABDC
ACBD
ACDB
.....
------------------------------
From: Andre van Straaten <[EMAIL PROTECTED]>
Subject: Re: Challenge...
Date: Fri, 13 Oct 2000 11:46:12 GMT
[EMAIL PROTECTED] wrote:
> I've got a challenge for anyone that is interested...
> I have developed my own encryption system, and it is extremely powerful
> and simple in it's intended environment. To see just how good the
> system is, I have decided to use it in another way. I have used it as
> simply as possible, and encrypted a short sentence. I do not know if
> it is uncrackable like this - (probably not), but in it's intended
> environment, it can be - it just depends how much effort you put in to
> it. I'm saying nothing else at this time...
> LKLUTHN_BROCDTRD_L_GHUYURNV__
I like this kind of joke. I don't watch much TV and get my entertainment
mostly from Usenet.
For a private person it's easy to set up an unbreakable system from the
cryptanalytic standpoint.
But how is your key management? Which people can use it under which
circumstances?
You supplied no information about these questions.
What is "it's intended environment"?
-- avs
Andre van Straaten
http://www.vanstraatensoft.com
______________________________________________
flames please to [EMAIL PROTECTED]
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SHA-256 implementation in pure C (free)
Date: Fri, 13 Oct 2000 11:36:13 GMT
In article <[EMAIL PROTECTED]>,
Dido Sevilla <[EMAIL PROTECTED]> wrote:
> Runu Knips wrote:
> >
> > Hmm your code looks good, but you have a macro S() and a variable
> > S, that's confusing, and your macro S() implements a _R_otate
> > (right) and your macro R() implements a _S_hift (also right)...
> > but well it's easy to fix that.
>
> If you read the SHA-256 spec it uses the symbol 'S' for a rotate, and
> 'R' for a shift. I wonder why that is? And anyhow the code already
> conforms to the test vectors (according to Tom), so I guess NIST knew
> what they were doing when they used an apparently reversed notation.
Well on my little endian comp the test 'abc' produces the right hash.
I would appreciate any test on big endian comps or with the other test
vectors...
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SHA-256 implementation in pure C (free)
Date: Fri, 13 Oct 2000 11:37:39 GMT
In article <[EMAIL PROTECTED]>,
Runu Knips <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > At http://www.geocities.com/tomstdenis/files/sha256.c you can find a
> > free copy of the SHA-256 hash function in C. It's rather easy to drop
> > in and use. I hope SHA-256 is in fact secure though... heheheh
>
> Wow, the same time I get the SHA-256 spec there's already an
> implementation... cool.
I wanted to be the first to have some illustrative source out the
door. I hope I got it right though.
> Hmm your code looks good, but you have a macro S() and a variable
> S, that's confusing, and your macro S() implements a _R_otate
> (right) and your macro R() implements a _S_hift (also right)...
> but well it's easy to fix that.
Well in the paper they use S for rotate and R for shift. You will note
that all my #defines are the original names such as "Sigma0" ... I am
trying to make the code easy to follow from the paper.
> Thank you very much for your code ! :-)
You're very welcome. I tested it against the 'abc' test vector but if
you find any problems please let me know.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Idea for Twofish and Serpent Teams
Date: Fri, 13 Oct 2000 11:40:14 GMT
In article <[EMAIL PROTECTED]>,
Runu Knips <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > I am also writing a book (which will be free) about block ciphers
> > where I will include descriptions + analysis of my ciphers (amongst
> > other public ones such as Blowfish, RC5, IDEA and TEA). The book is
> > slow going, I am on my chapter of "Cryptanalysis" right now and a lot
> > of work has to be done on the earlier chapters...
>
> Oh, you're still working on it? I'd already thought you'd given
> it up. Cool thing! :-)
It's on "hold" since I am at school. But next January I am off school
till May. So I will be working on it more then.
The book is geared towards novice cryptographers. So if you're already
proficient you may find it "boring". The book is free though so it
won't cost a penny to read it.
I expect a draft of the entire book by March 2001 and the first edition
by May. When I release it in March I will be looking for technical and
grammatical errors (etc)...
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SHA-256 implementation in pure C (free)
Date: Fri, 13 Oct 2000 11:44:54 GMT
In article <[EMAIL PROTECTED]>,
Runu Knips <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > At http://www.geocities.com/tomstdenis/files/sha256.c you can find a
> > free copy of the SHA-256 hash function in C. It's rather easy to drop
> > in and use. I hope SHA-256 is in fact secure though... heheheh
>
> Wow, the same time I get the SHA-256 spec there's already an
> implementation... cool.
I forgot to mention in my other post that I uploaded several copies of
SHA256 last night.
The current version (same http url) has two "helper" functions if
you're lazy (like me), sha_memory() and sha_file(), kinda like from
James G.'s original SHA code...
Tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Dense feedback polynomials for LFSR
Reply-To: [EMAIL PROTECTED]
Date: Fri, 13 Oct 2000 11:30:34 GMT
Joaquim Southby <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]> Tim Tyler, [EMAIL PROTECTED] writes:
:>zapzing <[EMAIL PROTECTED]> wrote:
:>: On another note, it seems to me that making the
:>: polynomial itself a part of the key would
:>: greatly increase security, but that possibility
:>: is barely mentioned in his book.
:>
:>Using an LFSR alone is not at all secure. Using a key-dependent
:>polynomial with an unknown tap sequence isn't at all secure either - you
:>can figure it out from the output using the Berlekamp-Massey algorithm.
:>
:>In both cases there's little or no security. Consequently, whether one is
:>an improvement over the other seems of marginal interest.
:
: I disagree. There is almost always a tradeoff between the strength of
: the encipherment and how long it has to last. If I was passing a hot tip
: on a horse race that was due to start in 10 minutes, what good would an
: 11-minute crack be?
: Many of the attacks mentioned in this newsgroup are actually quite labor
: intensive [...]
: The B-M algorithm requires at least 2n bits of output from an n-bit
: register for the attack. IIRC, that's 2n bits of the *register* output
: [...]
Which is pretty close to being the fastest attack imaginable.
An ordinary LFSR beats it by a mere factor of two - and both attacks
typically require tiny quantities of known plaintext and take the
blink of an eye ;-)
It may be true that making the polynomial part of the key may have
positive security implications - but you need to be doing something with
the LFSR that makes its output inaccessible to an attacker, as well,
for the security to get off rock bottom.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
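The Berlekamp-Massey recovery Tim refers to, as an added example in C (not code from any poster; the function names are mine): a constructed 4-stage LFSR with feedback 1 + x + x^4 is clocked from a constructed seed, only 2n = 8 output bits are handed to Berlekamp-Massey, and the recovered connection polynomial then regenerates the whole stream. This is why a key-dependent polynomial on its own adds nothing unless the raw register output is kept away from the attacker.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Berlekamp-Massey over GF(2). s[0..n-1] are bits. On return c[0..L] holds the
 * connection polynomial C(x) = 1 + c[1]x + ... + c[L]x^L, meaning
 * s[j] = c[1]s[j-1] ^ ... ^ c[L]s[j-L] for every j >= L. Returns L, the linear
 * complexity of the prefix. c must have room for n + 1 entries.
 */
int berlekamp_massey(const uint8_t *s, int n, uint8_t *c)
{
    uint8_t *b = calloc((size_t)n + 1, 1), *t = calloc((size_t)n + 1, 1);
    int L = 0, m = 1, i, j;

    memset(c, 0, (size_t)n + 1);
    c[0] = b[0] = 1;
    for (i = 0; i < n; i++) {
        int d = s[i];                                   /* discrepancy */
        for (j = 1; j <= L; j++) d ^= c[j] & s[i - j];
        if (d == 0) { m++; continue; }
        memcpy(t, c, (size_t)n + 1);
        for (j = 0; j + m <= n; j++) c[j + m] ^= b[j];  /* C(x) ^= x^m B(x) */
        if (2 * L <= i) { L = i + 1 - L; memcpy(b, t, (size_t)n + 1); m = 1; }
        else m++;
    }
    free(b);
    free(t);
    return L;
}

/*
 * Clock a Fibonacci LFSR of degree deg whose feedback uses the same convention
 * as c above: out[i] = taps[1]out[i-1] ^ ... ^ taps[deg]out[i-deg].
 * The first deg output bits are the seed itself.
 */
void lfsr_run(const uint8_t *taps, int deg, const uint8_t *seed, uint8_t *out, int n)
{
    int i, j;
    for (i = 0; i < n; i++) {
        uint8_t bit = 0;
        if (i < deg) { out[i] = seed[i]; continue; }
        for (j = 1; j <= deg; j++) bit ^= taps[j] & out[i - j];
        out[i] = bit;
    }
}

/*
 * Demo: a 4-stage LFSR with constructed "secret" feedback 1 + x + x^4 and a
 * constructed seed. Only the first 2*4 = 8 keystream bits go to B-M; the
 * recovered polynomial is then clocked forward and compared with all 32 bits.
 * Returns the recovered L (4) on success, -1 if any predicted bit disagrees.
 */
int demo_recover(void)
{
    static const uint8_t taps[5] = {1, 1, 0, 0, 1};
    static const uint8_t seed[4] = {1, 0, 0, 1};
    uint8_t out[32], pred[32], c[9];
    int L, i;

    lfsr_run(taps, 4, seed, out, 32);
    L = berlekamp_massey(out, 8, c);
    lfsr_run(c, L, out, pred, 32);           /* seed = the first L observed bits */
    for (i = 0; i < 32; i++) if (pred[i] != out[i]) return -1;
    return L;
}
```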
------------------------------
Date: Fri, 13 Oct 2000 13:03:23 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: algo to generate permutations
stephane longchamp wrote:
>
> Does someone know an algo to generate all permutations of a string of letters?
>
> example :
>
> ABCD
> ABDC
> ACBD
> ACDB
> .....
Usenet.
Unfortunately, it doesn't sort the permutations. ;-)
My Web search (keywords used at www.google.com were: combinatorial
algorithms source) turned up this site, among others:
http://www.math.mtu.edu/~kreher/cages.html
I hope it's of some use. Please bear in mind (in case you're thinking
what I'm thinking you're thinking) that brute force attacks are the last
resort, and with good reason - they take AGES.
--
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html
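An added example (not from the thread): the classic lexicographic successor algorithm in C, which yields the permutations in exactly the sorted order of the question (ABCD, ABDC, ACBD, ACDB, ...) and also copes with repeated letters. The function names are mine. It makes Richard's warning concrete as well: a 26-letter alphabet has 26! (about 4 x 10^26) arrangements, far too many to walk one by one.

```c
#include <stdio.h>
#include <string.h>

static void swap_chars(char *a, char *b) { char t = *a; *a = *b; *b = t; }

/* Reverse s[lo..hi] in place. */
static void reverse_range(char *s, int lo, int hi)
{
    while (lo < hi) swap_chars(&s[lo++], &s[hi--]);
}

/*
 * Advance s to its successor in lexicographic (dictionary) order.
 * Returns 1 if a successor existed, 0 if s was already the last
 * permutation (s is then left unchanged). Repeated letters are fine:
 * each distinct arrangement is produced exactly once.
 */
int next_permutation(char *s)
{
    int n = (int)strlen(s), i = n - 2, j = n - 1;

    /* Rightmost position whose suffix is not already in descending order. */
    while (i >= 0 && s[i] >= s[i + 1]) i--;
    if (i < 0) return 0;
    /* Smallest letter to the right of i that is still larger than s[i]. */
    while (s[j] <= s[i]) j--;
    swap_chars(&s[i], &s[j]);
    /* The suffix is descending; flip it to ascending to get the minimum. */
    reverse_range(s, i + 1, n - 1);
    return 1;
}

/*
 * Walk every permutation starting from `start` (sort it first to get them
 * all), copying the k-th one (0-based) into out when out != NULL.
 * Returns the total number of permutations visited.
 */
unsigned long walk_permutations(const char *start, unsigned long k, char *out, size_t outsz)
{
    char buf[64];
    unsigned long count = 0;

    strncpy(buf, start, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    do {
        if (out != NULL && count == k) {
            strncpy(out, buf, outsz - 1);
            out[outsz - 1] = '\0';
        }
        count++;
    } while (next_permutation(buf));
    return count;
}

int main(void)
{
    char s[] = "ABCD";
    do { puts(s); } while (next_permutation(s));   /* ABCD, ABDC, ACBD, ACDB, ... */
    return 0;
}
```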
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: What is meant by non-Linear...
Date: Fri, 13 Oct 2000 11:54:05 GMT
In article <8s66b8$4hr$[EMAIL PROTECTED]>,
"Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:8s4ukl$rc1$[EMAIL PROTECTED]...
> > In article <8s4dud$2q6$[EMAIL PROTECTED]>,
> > "Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
> > >
> > > Rob Marston <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > So to put it in a nutshell, if I had two S-Box's {the first is an
> > > > Xor and the Second is an And} then...
> > > >
> > > > SBox   Out   Out
> > > > In     Xor   And
> > > > 00     0     0
> > > > 01     1     0
> > > > 10     1     0
> > > > 11     0     1
> > > >
> > > > I could reverse the Xor S-Box by knowing the output bit and
> > > > either input bit, but I could not reverse the And operation?
> > > >
> > > > Is that it?
> > > No. A function y = f(x) is linear if, as Mr Savard stated, it can be
> > > expressed y = a*x + b [1], for some reasonable definition of * and +
> > > [2].
> >
> > That is wrong, normally it's a boolean dot product of several vectors
> > (i.e. a vector of input bits, a vector of output bits and a vector of
> > key bits). Look at the linear cryptanalysis of DES, they hardly made
> > use of the function of a line to break it. They used the fact that
> > linear expressions such as "y0 = x0 xor x3 xor k1 xor 1" held for some
> > part of the key space/input space where x and y are known, thus
> > yielding the key bit (obviously the expression must hold for less/more
> > than 1/2 of all possible inputs).
>
> Actually it's quite correct. A boolean dot product (a form of matrix
> multiplication mod 2) and xor of constants (also known as addition mod 2)
> do, in fact, form a ring, and thus meet my definition for reasonableness.
> In addition, later on, I stated that:
>
> > > This definition of * and +
> > > is, in fact, the most often used in cryptography.
>
> This agreed with what you wrote. You really should read what people write
> before jumping in and correcting them...
>
> And, while we are being pedantic, that's not how Matsui's linear
> cryptanalysis of DES works -- it works by forming a linear approximation
> over 14 rounds between the input and output bits, and using that to test
> partial subkeys within the first and last rounds.
If I understood Biham's paper "On Matsui's Linear Cryptanalysis" (which I
might not have), they form a chain of linear approximations through the
rounds like one would for a differential attack.
Is the analogy not correct?
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Rijndael implementations
Date: Fri, 13 Oct 2000 11:46:41 GMT
In article <[EMAIL PROTECTED]>,
jungle <[EMAIL PROTECTED]> wrote:
> now we have [ byte n ]:
> a sequence of 8 bits (enough to represent one character of
> alphanumeric data)
> processed as a single unit of information
>
> a byte may be 9 bits on 36-bit computers. Some older architectures
> used "byte" for quantities of 6 or 7 bits, and the PDP-10 and IBM 7030
> supported "bytes" that were actually {bit-fields} of 1 to 36 (or 64) bits!
>
> these usages are now obsolete.
> even 9-bit bytes have become rare in the general trend toward power-of-2
> word sizes.
These arguments (and the OP's) are a silly waste of time. On 99% of
all comps a byte is eight bits. I mean try finding a workstation where
you download 10 bytes but really have 60 bits...
*Plus* 99.9999% of computer users (literate and illiterate alike)
think a byte is an extended ASCII char of eight bits. So it's best to
follow the mob.
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SDMI - Answers to Major Questions
Date: Fri, 13 Oct 2000 11:57:13 GMT
In article <O5oNAHMNAHA.328@cpmsnbbsa09>,
"Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
>
> > Why won't the stupid business majors realize that crypto is designed to
> > solve the problem of getting info from point A to point B, not point
> > C,D,E,F,G...
>
> It's not so much the getting from a to b, or c,d,e,f,g..... that crypto can
> do. It's just that once you take something and put it in a completely
> hostile environment it is by nature impossible to protect. By this I mean
> something along the lines of Alice wants to talk to Bob, so she uses any of
> the billion or so protocols that we've designed that are secure, however if
> Bob, Alice, Eve, and the rest of the gang (actually all it takes is Alice
> and Bob) decide to break the protocol, the protocol is broken. The problem
> that SDMI is attempting to deal with is one where Alice buys a CD, she wants
> to share that CD with Bob, and doesn't care how many other people Bob gets
> it from; the entire system is hostile, so Alice detects the SDMI watermark
> (after all, if her CD player can detect it, she can detect it too by
> observing the CD player), removes the watermark, and sends the music to Bob.
> Bob checks for a watermark, sees that none exists (if one exists he removes
> it), and passes it on. You simply can't protect something in a completely
> hostile environment.
There are solutions though.
Consider your cable system: TV used to be broadcast on the air (so
to speak) such that anyone could grab it and watch it. Now it is on
thin cables that are fed to each home.
Sure you can video tape anything you want, but 99% of the time you
watch the program instead of copying it. It costs too much for me to
copy all tv shows and send them to my friends so they don't have to buy
cable.
Similarly on the Net I could broadcast 300kbps video/audio which is
encrypted with a key we agreed upon (each user has a unique key) and I
get a similar effect. Sure you can burn all my broadcasts onto a DVD
or CD but that costs too much.
In these cases the broadcaster is making money assuming you will not
copy and redistribute everything....
Tom
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: My SHA code and Endianess
Date: Fri, 13 Oct 2000 12:01:06 GMT
I have a strange feeling my code is not as "endian neutral" as I
wanted. Can someone on a big endian please test it out? This is
driving me mad...
http://www.geocities.com/tomstdenis/files/sha256.c
Tom
------------------------------
From: [EMAIL PROTECTED] (Larry Kilgallen)
Subject: Re: Why trust root CAs ?
Date: 13 Oct 2000 09:15:12 -0500
In article <eMoD5.416654$[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
> So, I can discover snakeoil CA's procedures for verifying bogus.com,
> and assure myself that they have checked out bogus.com.
> But how can I trust snakeoil CA itself ?
> I had a conversation with a CA on this subject and the answer was
> "because it's in the browser". But my browser was downloaded off
> the Internet in clear, and besides, do I really trust the browser
> vendor ? Do you trust Microsoft not to lie ? Do you trust Microsoft
> or Netscape to produce secure independently verified code?
If you obtained your browser via download, that does mark you as a
trusting individual.
But I do believe that Netscape allows you total control over what
root certificates it honors, so you can turn off their defaults and
load your own.
It was not until I heard a talk in Cambridge a few years ago by
Steve Kent that I understood "self-signed" certificates. The signing
does not convey any trust -- it is just an artifact to get certificates
into a form with which relying software is accustomed to dealing.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: What is meant by non-Linear...
Reply-To: [EMAIL PROTECTED]
Date: Fri, 13 Oct 2000 11:51:07 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
:> Rob Marston <[EMAIL PROTECTED]> wrote:
:> > Is that it?
:> No. A function y = f(x) is linear if, as Mr Savard stated, it can be
:> expressed y = a*x + b [1], for some reasonable definition of * and +
:> [2].
: That is wrong, normally it's a boolean dot product of several vectors
: [...]
Actually, it was correct. A function y = f(x) *is* linear if it can be
expressed y = a*x + b, for some reasonable definition of * and +.
...give or take some fluff about affine functions that Scott relegated to
helpful footnotes.
FWIW, I've never liked the idea of categorising y = a*x + 1 as *not* a
linear function. IMO, linear should mean something like "pertaining to a
straight line", not "affine functions which happens to go through the
origin".
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
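An added example, not from any poster, that makes both readings of "linear" in this thread measurable: for a Boolean function given as a truth table it counts, over every mask a and constant b, how often a.x + b (dot product mod 2, plus mod 2) agrees with f(x). For Rob Marston's XOR and AND tables quoted earlier, XOR agrees with x0 + x1 on all four inputs (so it is affine in Scott's sense), while the best affine approximation of AND holds for only 3 of 4 inputs, which is the kind of bias away from 1/2 that Tom was describing. The 3-bit majority table is constructed here; the type and function names are mine.

```c
#include <stdint.h>

/* A Boolean function of n input bits given as a truth table indexed by x. */
typedef struct { int n; const uint8_t *table; } boolfn;

/* Parity of v; the GF(2) dot product a.x is parity(a & x). */
static int parity(unsigned v) { int p = 0; while (v) { p ^= 1; v &= v - 1; } return p; }

/* How many inputs x (out of 2^n) satisfy a.x ^ b == f(x). */
int agreement(const boolfn *f, unsigned a, int b)
{
    unsigned x, total = 1u << f->n;
    int count = 0;
    for (x = 0; x < total; x++)
        if ((parity(a & x) ^ b) == f->table[x]) count++;
    return count;
}

/*
 * Best affine approximation of f. Returns the maximum agreement over every
 * mask a and constant b, and stores the first pair reaching it. f is affine
 * (y = a.x + b) iff the result equals 2^n; the Matsui-style bias of the best
 * approximation is result/2^n - 1/2, and 0 bias would mean no linear leak.
 */
int best_affine_approx(const boolfn *f, unsigned *best_a, int *best_b)
{
    unsigned a;
    int b, best = 0;
    for (a = 0; a < (1u << f->n); a++)
        for (b = 0; b < 2; b++) {
            int c = agreement(f, a, b);
            if (c > best) { best = c; *best_a = a; *best_b = b; }
        }
    return best;
}

/* The two 2-bit "S-boxes" from Rob Marston's table, indexed by x = (x1 x0). */
static const uint8_t xor_tt[4] = {0, 1, 1, 0};
static const uint8_t and_tt[4] = {0, 0, 0, 1};
const boolfn xor_fn = {2, xor_tt};
const boolfn and_fn = {2, and_tt};
/* A constructed 3-bit majority function: a non-affine case with n > 2. */
static const uint8_t maj_tt[8] = {0, 0, 0, 1, 0, 1, 1, 1};
const boolfn maj_fn = {3, maj_tt};
```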
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Rijndael implementations
Reply-To: [EMAIL PROTECTED]
Date: Fri, 13 Oct 2000 12:10:24 GMT
Paul Schlyter <[EMAIL PROTECTED]> wrote:
:In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> wrote:
:> I still think there should be a single term for units of 8 bits. [...]
:> I think that term should be "byte". To my mind that's more or less
:> the way things are at the moment.
: So that's why you want it to be "byte". [...]
Established use is the main reason. I would also cite smaller number of
syllables ;-)
:> Hopefully, the size of a "byte" will become fixed. This has already
:> happened in computer languages - if you look at C the size of int,
:> chars is implementation dependent. By contrast in Java, everything -
:> including bytes - are of predefined sizes. Hopefully normal usage will
:> follow suit.
:Java is also designed to execute on only one single architecture, the
:Java virtual machine, while C was designed to execute on many different
:architectures.
There's no difference between C and Java in this respect. Java was
designed (from the first white paper) to be compiled to whatever
processing hardware is available. The difference from C in this respect
is that C is often shipped in compiled form, while Java is almost
always compiled on the target machine at some stage before being executed.
Any idea that Java was designed solely to be interpreted in a virtual
machine is not historically correct.
:> At the moment a 6-bit byte makes sense (according to the dictionary).
:>
:> I expect in the far future, it will appear to be contradictory nonsense.
:
:It will never be "contradictory nonsense" if the historical context is
:remembered. It will be no more contradictory nonsense than e.g. the
:meaning of the word "computer" 100+ years ago: a human, employed to do
:computations with pencil and paper. There were many such human computers
:back then.
An appropriate example. If calling a bunch of six bits a byte came to be
looked on in the same way that calling me a computer is considered today,
that would be enough for me.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ ILOVEYOU.
------------------------------
From: Ed Kubaitis <[EMAIL PROTECTED]>
Subject: Re: My SHA code and Endianess
Date: Fri, 13 Oct 2000 07:47:59 -0500
Tom St Denis wrote:
>
> I have a strange feeling my code is not as "endian neutral" as I
> wanted. Can someone on a big endian please test it out? This is
> driving me mad...
>
> http://www.geocities.com/tomstdenis/files/sha256.c
>
> Tom
> ...
Same output for a few files I tried on a Sun Ultra 2300 as
on a Pentium III. One of them was a ~280e6 byte compressed
tar file. If there were an endian problem, it would have
to be pretty subtle.
By the way, compiled with a simple -O on both platforms
it got a little under 8e6 bytes/cpu-second on a 500 MHz
PIII, and a little over 3e6 bytes/cpu-second on the
300 MHz UltraSPARC.
==========================
Ed Kubaitis ([EMAIL PROTECTED])
CCSO - University of Illinois - Urbana-Champaign
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: My SHA code and Endianess
Date: Fri, 13 Oct 2000 12:59:31 +0000
Tom St Denis wrote:
>
> I have a strange feeling my code is not as "endian neutral" as I
> wanted. Can someone on a big endian please test it out? This is
> driving me mad...
>
> http://www.geocities.com/tomstdenis/files/sha256.c
The "abc" test works fine with your code on at least one
big-endian machine, an HP 9000/785. Your clrscr() function
isn't portable, by the way.
--
Jim Gillogly
Sterday, 22 Winterfilth S.R. 2000, 12:56
12.19.7.11.6, 9 Cimi 9 Yax, First Lord of Night
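An added example, independent of Tom's sha256.c (not his code, and the helper names are mine): a compact SHA-256 that keeps the paper's S (rotate) and R (shift) names from the thread and reads and writes every 32-bit word through byte arithmetic, which is what makes it endian neutral by construction rather than by luck on whichever machine happens to test it. SHA-256("abc") is ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad.

```c
#include <stdint.h>
#include <string.h>
/* The paper's notation, as discussed in the thread: S = rotate right, R = shift right. */
#define S(x, n)  (((x) >> (n)) | ((x) << (32 - (n))))
#define R(x, n)  ((x) >> (n))
#define Ch(x, y, z)  (((x) & (y)) ^ (~(x) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
#define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
#define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
#define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};
/* Big-endian word load/store via byte arithmetic only: host byte order never matters. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Process one 64-byte block into the chaining state h. */
static void compress(uint32_t h[8], const uint8_t block[64])
{
    uint32_t W[64], a, b, c, d, e, f, g, hh, t1, t2;
    int i;
    for (i = 0; i < 16; i++) W[i] = load_be32(block + 4 * i);
    for (; i < 64; i++)
        W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
    a = h[0]; b = h[1]; c = h[2]; d = h[3];
    e = h[4]; f = h[5]; g = h[6]; hh = h[7];
    for (i = 0; i < 64; i++) {
        t1 = hh + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];
        t2 = Sigma0(a) + Maj(a, b, c);
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
}

/* One-shot SHA-256 of len bytes of msg; writes the 32-byte digest to out. */
void sha256(const uint8_t *msg, size_t len, uint8_t out[32])
{
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint8_t block[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64) compress(h, msg + i);
    rem = len - i;                          /* 0..63 bytes left over */
    memcpy(block, msg + i, rem);
    block[rem++] = 0x80;                    /* mandatory 1 bit, then zeros */
    if (rem > 56) {                         /* no room for the length: extra block */
        memset(block + rem, 0, 64 - rem);
        compress(h, block);
        rem = 0;
    }
    memset(block + rem, 0, 56 - rem);
    for (i = 0; i < 8; i++) block[56 + i] = (uint8_t)(bits >> (56 - 8 * i));
    compress(h, block);
    for (i = 0; i < 8; i++) store_be32(out + 4 * i, h[i]);
}
```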
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************