Cryptography-Digest Digest #150, Volume #13 Mon, 13 Nov 00 16:13:01 EST
Contents:
Re: Randomness from key presses and other user interaction (Dan Oetting)
Re: voting through pgp (Dan Oetting)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (Tom St Denis)
Re: voting through pgp (Jeffrey Williams)
Re: voting through pgp (John Myre)
Re: On an idea of John Savard (Tom St Denis)
Re: so many fuss about impossibility to backtrace from MD to original (David Schwartz)
Re: Randomness from key presses and other user interaction (David Schwartz)
Re: voting through pgp (zapzing)
My rights were violated by the U.S. government and intelligence agencies since 1993 at least .... basically violated of my basic rights ... what Thomas Jefferson said about tyrannies and freedom is no reality in the U.S.A. .... I was tyrannized by the U.S. (Markku J. Saarelainen)
Re: Why remote electronic voting is a bad idea (was voting through pgp) ([EMAIL PROTECTED])
Re: so many fuss about impossibility to backtrace from MD to original text. (Bill Unruh)
Re: Security of Norton YEO (Your Eyes Only) (Simon Johnson)
And you FBI people reading my messages ... this is just starting ...... :) ... I know you are there ..... (Markku J. Saarelainen)
Re: On an idea of John Savard (Mok-Kong Shen)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (Mok-Kong Shen)
Anyone done/doing Schneier's self-study cryptanalysis course? (Fritz Schneider)
Re: Chimera ciphers (WAS Re: On an idea of John Savard) (John Savard)
sci.crypt archive ([EMAIL PROTECTED])
Re: Algorithm with minimum RAM usage? (Guy Macon)
----------------------------------------------------------------------------
From: Dan Oetting <[EMAIL PROTECTED]>
Subject: Re: Randomness from key presses and other user interaction
Date: Mon, 13 Nov 2000 10:15:31 -0700
In article <[EMAIL PROTECTED]>, David Schwartz
<[EMAIL PROTECTED]> wrote:
> Tim Tyler wrote:
> >
> > David Schwartz <[EMAIL PROTECTED]> wrote:
> > : Mack wrote:
> >
> > :> There seems to be some argument as to whether timing
> > :> keystrokes is a good source of randomness.
> > :>
> > :> So lets start a thread on that.
> > :>
> > :> 1) Key stroke timing is generally quantized to about 20 ms
> > :> give or take.
> >
> > : It's the give or take in the 20 ms that contains the entropy.
> >
> > Well, *if* this is true, this is not "randomness from key presses and
> > other user interaction" - it's more randomness from clock signal drift.
>
> The question is whether timing keystrokes is a good source of
> randomness. I'm arguing that it is. Some of the entropy comes from the
> human, some of it from the quantization of real values built into the
> hardware. I happen to have a pretty good idea of how much entropy comes
> from the fact that the two oscillators involved have uncorrelated
> frequencies. I'm not as knowledgeable about the entropy in the
> keystrokes themselves.
>
> DS
I have heard that the human senses can detect differences of the order
of 1%. It should be a reasonable assumption that human timing would be
in the same ballpark. Using 1% human timing and 20ms quantization
gives a lower bound of 1 bit of entropy every 2 seconds.
The timing of keys pressed faster than the keyboard read cycle should be
thrown out. And care should be taken to ensure that the user is not
synchronizing keystrokes to an external beat.
------------------------------
From: Dan Oetting <[EMAIL PROTECTED]>
Subject: Re: voting through pgp
Date: Mon, 13 Nov 2000 10:31:05 -0700
"Scott Fluhrer" wrote:
> Actually, the idea of digital coins would seem to fill the bill nicely.
One Dollar - One Vote! The concept sounds familiar :)
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 17:38:51 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Paul Crowley wrote:
> >
> > Tom St Denis wrote:
> > > > But this is a way of constructing a better cipher. Alternating rounds
> > > > - actually, for a Feistel cipher, pairs of rounds, but I think my
> > > > suggestion with respect to SAFER+ and Rijndael is perhaps what is
> > > > being referred to - by producing a cipher with a more varied structure
> > > > makes it harder, I would think, to find the sort of things that
> > > > differential and linear cryptanalysis can exploit.
> > >
> > > This construction becomes harder to analyze, not essentially harder to
> > > attack.
> >
> > Tom is right. Look at the beautiful proof of resistance to differential
> > and linear cryptanalysis in the Rijndael paper - no such proof would be
> > possible with a mixed-up cipher like you propose. Look at the way the
> > different layers do different work, but interact to create a strong
> > cipher. Look at the way the structure can be re-jigged to give
> > decryption the same structure as encryption. I'd have far more
> > confidence in pure Rijndael than in any such chimera cipher.
> >
> > (http://www.unifi.it/unifi/surfchem/solid/bardi/chimera/origins.html)
>
> In the permuted one the opponent doesn't even know the
> 'structure' to begin with.
Often key-dependent "designed ciphers" such as FROG are not
particularly strong. The problem is that a lot of keys can and will define
weak ciphers. You are better off just letting the key be a "blinding"
value such as an xor before a substitution than to do otherwise.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Jeffrey Williams <[EMAIL PROTECTED]>
Subject: Re: voting through pgp
Date: Mon, 13 Nov 2000 10:01:39 -0600
I'm not certain that it's inevitable.
Furthermore, as long as you are not forced to vote at home, I don't see this
as particularly relevant. IMHO, making it easier for more people to vote is
a fundamentally good thing.
David Wagner wrote:
> ...
> For social reasons, it occurs to me that many people might vote
> differently if their vote was at risk of becoming known to family members
> (as is inevitably the case when voting with your home PC).
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: voting through pgp
Date: Mon, 13 Nov 2000 11:00:35 -0700
David Wagner wrote:
<snip>
> For cryptographic and security reasons, see the recent California report
> on online voting.
Do you have an online reference? I'd be very interested in
reading that report.
> It really does an excellent job of making the case
> that we should go slow on voting in the home; they argue that the risks
> are fundamentally different when the voting equipment is not under the
> control of the election authorities.
Oh, I agree with going slowly, and I agree that the
risks are different. What I don't support is the notion
that it's fundamentally impossible to get right.
> For social reasons, it occurs to me that many people might vote
> differently if their vote was at risk of becoming known to family members
> (as is inevitably the case when voting with your home PC).
I don't see why we should insist that voting from home be
synonymous with using "home PC's" as we know them now. If
the problem with family members is that even your kid sister
can break the security of your home PC, that doesn't seem
like a hard problem to solve.
If, on the other hand, you are referring to coercion (spouse
watches while you vote), then I don't know how serious a problem
that could be. I don't actually know anyone that I can imagine
doing such a thing, but of course that could either be a restricted
set of friends or a limited imagination. I can't decide how big
an effect it would have.
I still think the idea of votes won at gunpoint is silly, without
widespread corruption including the police. At which point no
system is safe.
JM
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 18:07:08 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> You missed my point that a (assumedly well designed) block
> cipher has rounds (cycles) that are equally good. So
> consider these as individual ciphers and are concatenated
> in the original design as a multiple encryption and you
> see there can be no objection in taking these apart and
> mixing with those from another cipher.
You missed my point. Most ciphers are presumably secure because you
are iterating the same function over and over. Take Serpent for
example. One round is not particularly strong, but if you add 15 more
rounds the cipher is secure against known attacks. Similarly if you
mix Serpent and Safer arbitrarily the diffusion (linear mixing) is not
compatible and you are not guaranteed to have the same high level of
confusion.
Mixing up ciphers is a terribly bad idea. Now taking parts from
ciphers to build a new one can be done (I mixed IDEA+Twofish before)
but you have to be careful of how you mix up the primitives. Just
mixing rounds is not a good idea.
Tom
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: so many fuss about impossibility to backtrace from MD to original
Date: Mon, 13 Nov 2000 10:14:39 -0800
Paul Crowley wrote:
> A message digest function is considered broken if you can find *any*
> preimage of the hash; the challenge is not finding the exact preimage
> that generated a particular hash, which is as you say impossible if you
> don't have enough information to choose between the infinitely many
> possible preimages.
From a theoretical standpoint, it is very interesting if you can detect
any properties of the hashed data at all from the output of the hash.
From a practical standpoint, if you are using an X-bit hash, and you
don't mind leaking up to X-bits of the hashed data, any hashing function
at all will work.
DS
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Randomness from key presses and other user interaction
Date: Mon, 13 Nov 2000 10:18:26 -0800
Dan Oetting wrote:
> The timing of keys pressed faster than the keyboard read cycle should be
> thrown out. And care should be taken to insure that the user is not
> synchronizing keystrokes to an external beat.
Why? Would not the number of keys per read cycle have some entropy? It
doesn't make sense to throw anything out. It can't hurt and might help.
DS
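The two rules Dan Oetting proposes, and the arithmetic behind his "1 bit every 2 seconds", written out as an added example (this is not code from either poster). It quantizes inter-keystroke gaps to an assumed 20 ms read cycle, drops gaps shorter than one cycle, refuses to credit a stream that looks synchronized to an external beat, and otherwise credits a conservative min-entropy estimate. The 20 ms quantum and the 1% human-timing figure come from the thread; the 0.5-bit synchronization threshold and the two gap sequences are constructed for the example.

```python
"""Entropy accounting for keystroke inter-arrival times (added example)."""
import math
from collections import Counter

QUANTUM_MS = 20.0   # assumed host keyboard read period ("about 20 ms" in the thread)


def human_timing_bits(gap_ms, precision=0.01, quantum=QUANTUM_MS):
    """Oetting's lower bound. A human reproduces a gap of g ms only to about
    g*precision ms, so an observer cannot tell which of roughly
    1 + g*precision/quantum read-cycle bins the key lands in; log2 of that
    is what the gap is worth. For g = 2000 ms this is exactly 1 bit."""
    return math.log2(1.0 + gap_ms * precision / quantum)


def quantize(gaps_ms, quantum=QUANTUM_MS):
    """What the host actually observes: the read-cycle bin of each gap."""
    return [int(g // quantum) for g in gaps_ms]


def drop_sub_cycle(gaps_ms, quantum=QUANTUM_MS):
    """Oetting's first rule: a gap shorter than one read cycle means two keys
    were seen in the same scan, so its timing is not credited."""
    return [g for g in gaps_ms if g >= quantum]


def min_entropy_per_sample(symbols):
    """Conservative estimate -log2(p_max) from the observed histogram; 0.0 when
    every sample is the same symbol (an attacker guesses it every time)."""
    if not symbols:
        return 0.0
    p_max = max(Counter(symbols).values()) / len(symbols)
    return 0.0 if p_max == 1.0 else -math.log2(p_max)


def looks_beat_synchronized(bins, max_bits=0.5):
    """Oetting's second rule as a heuristic (the threshold is an assumption):
    typing to a metronome yields near-identical bins, hence almost no
    min-entropy per sample, and the whole batch is refused."""
    return len(bins) >= 4 and min_entropy_per_sample(bins) < max_bits


def credit_bits(gaps_ms, quantum=QUANTUM_MS):
    """Bits an entropy pool may credit for a batch of raw gaps under both rules."""
    bins = quantize(drop_sub_cycle(gaps_ms, quantum), quantum)
    if looks_beat_synchronized(bins):
        return 0.0
    return min_entropy_per_sample(bins) * len(bins)


# Constructed sample inputs: milliseconds between successive key-down events.
HUMAN_GAPS = [183, 412, 95, 1300, 240, 17, 620, 355, 12, 780, 150, 2100]
METRONOME_GAPS = [500, 502, 501, 500, 503, 501, 500, 502]   # typing to a beat

if __name__ == "__main__":
    print("bits in a 2000 ms gap:", human_timing_bits(2000))
    print("credit, human typing   :", round(credit_bits(HUMAN_GAPS), 2))
    print("credit, metronome typing:", credit_bits(METRONOME_GAPS))
```

The histogram estimate is deliberately pessimistic: ten distinct bins out of ten samples are credited log2(10) bits each, while the metronome batch is credited nothing. David Schwartz's counter-position, that nothing should be discarded, corresponds to skipping `drop_sub_cycle` and the synchronization check; the point of estimating min-entropy rather than Shannon entropy is that the pool then never over-credits a predictable user.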
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: voting through pgp
Date: Mon, 13 Nov 2000 18:16:48 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>
>
> Zero-Knowledge MIME Encapsulated Message
>
> --MRFX72WTHHE29B23CS0V6S17
> Content-Type: text/plain
>
> Absentee ballots are already an overwhelming reality in elections all
> over the U.S. They are increasing rapidly in use, rather than
> decreasing. The state of Oregon did their entire ballot absentee this
> year. Calls to eliminate absentee ballots aren't going to go
> anywhere. Might as well rail against those new fangled horseless
> carriages.
>
> The real question, then, is whether electronic voting is more or less
> secure than absentee voting by mail. Can it eliminate some of the
> risks, or are new ones introduced?
I believe I have posted some crypto voting
protocols here before, and they were fairly
well unworkable for more than, say, ten or
more people. But maybe someone can come up
with something better.
As for the possibility of coercion, that does
make the problem more difficult, doesn't it.
None of the protocols I am aware of can even
approach this problem, because the coercer
could be looking over your shoulder 24/7
and could know everything you know. So it does
seem impossible that any protocol based on
"what you know" alone could be secure from
coercion.
Perhaps something could be done where you
vote early, and then get a "fake" absentee
ballot to show the coercer. Of course I
can just imagine the headaches that would
cause. People can't even put it in the right
hole now! Sheesh!
--
Void where prohibited by law.
------------------------------
From: Markku J. Saarelainen <[EMAIL PROTECTED]>
Crossposted-To: alt.security,comp.security
Subject: My rights were violated by the U.S. government and intelligence agencies since 1993 at least .... basically violated of my basic rights ... what Thomas Jefferson said about tyrannies and freedom is no reality in the U.S.A. .... I was tyrannized by the U.S.
Date: Mon, 13 Nov 2000 18:33:12 GMT
My rights were violated by the U.S. government and intelligence
agencies since 1993 at least .... basically violated of my basic
rights ... what Thomas Jefferson said about tyrannies and freedom is no
reality in the U.S.A. .... I was tyrannized by the U.S. government ....
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why remote electronic voting is a bad idea (was voting through pgp)
Date: 13 Nov 2000 10:41:10 -0800
Zero-Knowledge MIME Encapsulated Message
--6LAI5MJVGP0T5LDPEDG04
Content-Type: text/plain
Jon Haugsand <[EMAIL PROTECTED]> writes:
> * [EMAIL PROTECTED]
> > > 5. verifiability of software and hardware,
> >
> > Not an issue, modulo existing electronic voting systems.
>
> Well, I do not believe this is not an issue. Too much of comments like
> "this cannot happen" from people in charge of electronic voting or
> other important integrity and availability systems are seen. In fact,
> I do not think most people who specify and get delivered such
> systems know anything about such issues.
This may be true, but the point is that electronic machines are used
to measure votes in probably 99% of elections in the U.S. It's not
clear that Internet voting would use less verifiable hardware and
software than existing methods.
Without meaning to offend anyone, this is sci.crypt after all.
Critics here are likely to be much more knowledgeable about the
limitations of Internet security protocols than about the vagaries and
problems with existing vote counting systems. Hopefully the current
events in Florida are providing an education.
The problems in Florida are NOT unique or unusual! These issues arise
in every election in the world. A certain number of ballots are not
counted, lost, misplaced, or damaged. Speaking of the "absolute
sanctity of the voting process" is echoing patriotic propaganda.
Ob
--6LAI5MJVGP0T5LDPEDG04--
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: so many fuss about impossibility to backtrace from MD to original text.
Date: 13 Nov 2000 19:36:18 GMT
In <[EMAIL PROTECTED]> Ariel Burbaickij
<[EMAIL PROTECTED]> writes:
>Why is it so many discussion about this point ? Surely everyone should
>expect that let us say 4gb digested to 256 bytes or whatsoever are
>not backtraceable.Why should one expect that is backtraceable?
>Otherwise you have the very best compression algorithm ever suggested.
>With compression ratios of (choose some very big number/256 or your
>another favorite exponent of 2)
No hash is backtraceable, nor is it ever used in a situation in which
one would want to (well, ever is a strong term). Anyway, it is usually
used as a check that the contents of an article have not been changed.
In this sense the multi to one nature is a detriment, since there are
many many many articles with the same hash. Some of those could be
articles which completely change the sense of the original, and if those
alternative articles were easy to find, the hash would be useless as a
check that the article was not changed. This is the point. Can you find
other articles which have the same hash as the given article? Not, can
you find the original article which had this hash.
>Regards
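To make the distinction drawn in the two posts above concrete, here is an added example (not code from any poster) that uses SHA-256 truncated to a handful of bits as a deliberately weak stand-in so the searches finish instantly. It shows Bill Unruh's threat, a different message with the same digest, found without ever recovering the original; and the one situation in which Ariel Burbaickij's "backtracing" does work, namely an input space small enough to enumerate, which is why hashing a PIN or a yes/no vote hides nothing no matter how wide the digest. The truncation width, the messages and the PIN are constructed for the example.

```python
"""Preimage vs. second preimage on a deliberately truncated hash (added example)."""
import hashlib


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 keeping only the top `bits` bits. bits=256 is the real digest;
    small values make the brute-force searches below feasible for a demo."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - bits)


def find_second_preimage(original: bytes, bits: int, max_tries: int = 1 << 24):
    """Unruh's point: the attacker wants *any* other message with the same
    digest, not the original one. Walking a counter costs about 2**bits
    trials for a bits-wide digest (2**16 here, 2**256 for the full hash).
    Returns (message, trials) or (None, max_tries) if the budget runs out."""
    target = truncated_digest(original, bits)
    for i in range(max_tries):
        candidate = b"Pay Mallory 100 #" + str(i).encode()
        if candidate != original and truncated_digest(candidate, bits) == target:
            return candidate, i + 1
    return None, max_tries


def recover_from_small_space(digest: int, bits: int, candidates):
    """Burbaickij's 'backtrace' *does* work when the preimage space is tiny:
    enumerate every possible input and keep the ones that match. The digest
    width is irrelevant here; the input's own entropy is the only protection."""
    return [c for c in candidates if truncated_digest(c, bits) == digest]


# Constructed inputs for the demonstration.
ORIGINAL = b"Pay Alice 100"
PIN_SPACE = [f"{n:04d}".encode() for n in range(10_000)]   # every 4-digit PIN

if __name__ == "__main__":
    alt, trials = find_second_preimage(ORIGINAL, 16)
    print("second preimage after", trials, "trials:", alt)
    print("16-bit digests match:",
          truncated_digest(alt, 16) == truncated_digest(ORIGINAL, 16))
    hidden = truncated_digest(b"4921", 256)        # full SHA-256 of a PIN
    print("PIN recovered by enumeration:",
          recover_from_small_space(hidden, 256, PIN_SPACE))
```

Note what the two searches have in common: neither inverts the hash. The second-preimage search only needs a counter and a comparison, and the PIN recovery is a dictionary attack. "Not backtraceable" is a statement about the size of the plausible input space, not a property the hash confers on its own.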
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Security of Norton YEO (Your Eyes Only)
Date: Mon, 13 Nov 2000 19:29:41 GMT
In article <[EMAIL PROTECTED]>,
"A [Temporary] Dog" <[EMAIL PROTECTED]> wrote:
> On Sat, 11 Nov 2000 19:13:50 -0500, [EMAIL PROTECTED] painted a
> red bull's eye on his forehead, ascended the altar of Fluffy and
> shouted:
>
> >Does anyone know of any security issues with Norton YEO? I know
that the
> >encryption methods that they use are good, but I'm wondering if
there are any
> >known bugs or if they left in a backdoor.
> >
> >Thanks,
> >
> >Brad
>
> I uninstalled YEO several years ago, and currently use Scramdisk to
> perform the main function of YEO. While the choice of algorithms in
> YEO was adequate (RC-4, RC-5, DES, 3DES or 128 bit Blowfish) Scramdisk
> also supports a variety of algorithms and, for me at least, worked far
> better than YEO.
>
> see http://www.scramdisk.clara.net/
>
> Other programs worth having are Pgp, and Puffer
> http://cryptography.org/getpgp.htm
> http://www.briggsoft.com/
>
> --
> - A (Temporary) Dog |"Intelligent, reasonable
> The Domain is *erols dot com* |people understand that -
> The Name is tempdog |unfortunately, we're dealing
> http://users.erols.com/tempdog/ |with elected officials"
> Put together as name@domain | - name withheld
>
Hrm, it contains RC4? That's a bit dodgy, since if the same key is used
twice, the security of the system is effectively destroyed.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
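What Simon Johnson's objection means in practice, as an added example (this is not Norton's code and was not posted by anyone in the thread). RC4 is a stream cipher: it expands the key into a keystream and XORs it with the plaintext, so two files encrypted under the same key are masked with the same keystream, and XORing the two ciphertexts cancels the key and leaves the XOR of the plaintexts. With one plaintext known, the other falls out byte for byte. The variant at the end derives a fresh RC4 key per message from the long-term key and a unique nonce, which is this example's remedy (the SHA-256 derivation is an assumption of the example, not anything YEO is known to do). Keys and messages are constructed.

```python
"""RC4 keystream reuse (added example): same key twice -> plaintext leaks."""
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 share a keystream K then c1 ^ c2 == p1 ^ p2, so
    p2 == c1 ^ c2 ^ p1. No key material is needed at all."""
    return xor_bytes(xor_bytes(c1, c2), p1)


def rc4_crypt_with_nonce(long_term_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hardened use: never hand RC4 the same key twice. A per-message key is
    derived from the long-term key and a unique nonce (this example's choice
    of derivation); the nonce travels in the clear next to the ciphertext."""
    per_message_key = hashlib.sha256(long_term_key + b"|" + nonce).digest()
    return rc4_crypt(per_message_key, data)


# Constructed messages: two notes encrypted under one unchanging key.
KEY = b"same key every time"
P1 = b"Transfer $100 to Bob"
P2 = b"Transfer $999 to Eve"

if __name__ == "__main__":
    c1, c2 = rc4_crypt(KEY, P1), rc4_crypt(KEY, P2)
    print("c1 ^ c2 == p1 ^ p2:", xor_bytes(c1, c2) == xor_bytes(P1, P2))
    print("recovered P2:", recover_with_known_plaintext(c1, c2, P1))
    d1 = rc4_crypt_with_nonce(KEY, b"nonce-0001", P1)
    d2 = rc4_crypt_with_nonce(KEY, b"nonce-0002", P2)
    print("with per-message keys:", recover_with_known_plaintext(d1, d2, P1))
```

The attack needs no knowledge of the key and no weakness in RC4's generator; any keystream cipher used twice with the same key fails the same way, which is why the check in the first assertion below (the published RC4 test vector for key "Key" and plaintext "Plaintext") matters less than the guarantee that a key, or key plus nonce, is never repeated. RC4 has since been deprecated for other reasons as well, but those are not what the post raises.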
------------------------------
From: Markku J. Saarelainen <[EMAIL PROTECTED]>
Crossposted-To: alt.security,comp.security,soc.culture.usa
Subject: And you FBI people reading my messages ... this is just starting ...... :) ... I know you are there .....
Date: Mon, 13 Nov 2000 19:32:52 GMT
And you FBI people reading my messages ... this is just
starting ...... :) ... I know you are there .....
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Mon, 13 Nov 2000 21:12:36 +0100
Tom St Denis wrote:
>
> In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > You missed my point that a (assumedly well designed) block
> > cipher has rounds (cycles) that are equally good. So
> > consider these as individual ciphers and are concatenated
> > in the original design as a multiple encryption and you
> > see there can be no objection in taking these apart and
> > mixing with those from another cipher.
>
> You missed my point. Most ciphers are presumably secure because you
> are iterating the same function over and over. Take Serpent for
> example. One round is not particularly strong, but if you add 15 more
> rounds the cipher is secure against known attacks. Similarly if you
> mix Serpent and Safer arbitrarily the diffusion (linear mixing) is not
> compatible and you are not guaranteed to have the same high level of
> confusion.
>
> Mixing up ciphers is a terribly bad idea. Now taking parts from
> ciphers to build a new one can be done (I mixed IDEA+Twofish before)
> but you have to be careful of how you mix up the primitives. Just
> mixing rounds is not a good idea.
You can consider the rounds to be concatenation, can't
you? What distinguishes round 1 of Rijndael from round 2?
You add rounds to increase the strength. The increase
is not linear but super-linear. That's all. If a cipher
is designed that it somehow depends on the interplay
of the rounds for its strength, then that's a poor design
in my view.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 21:14:48 +0100
Tom St Denis schrieb:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> >
> > Paul Crowley wrote:
> > >
> > > Tom St Denis wrote:
> > > > > But this is a way of constructing a better cipher. Alternating rounds
> > > > > - actually, for a Feistel cipher, pairs of rounds, but I think my
> > > > > suggestion with respect to SAFER+ and Rijndael is perhaps what is
> > > > > being referred to - by producing a cipher with a more varied structure
> > > > > makes it harder, I would think, to find the sort of things that
> > > > > differential and linear cryptanalysis can exploit.
> > > >
> > > > This construction becomes harder to analyze, not essentially harder to
> > > > attack.
> > >
> > > Tom is right. Look at the beautiful proof of resistance to differential
> > > and linear cryptanalysis in the Rijndael paper - no such proof would be
> > > possible with a mixed-up cipher like you propose. Look at the way the
> > > different layers do different work, but interact to create a strong
> > > cipher. Look at the way the structure can be re-jigged to give
> > > decryption the same structure as encryption. I'd have far more
> > > confidence in pure Rijndael than in any such chimera cipher.
> > >
> > > (http://www.unifi.it/unifi/surfchem/solid/bardi/chimera/origins.html)
> >
> > In the permuted one the opponent doesn't even know the
> > 'structure' to begin with.
>
> Often key-dependent "designed ciphers" such as FROG are not
> particularly strong. The problem is that a lot of keys can and will define
> weak ciphers. You are better off just letting the key be a "blinding"
> value such as an xor before a substitution than to do otherwise.
There are good and poor designs. And there are even also
designs that are considered good partly due to the name
of the designer.
M. K. Shen
------------------------------
From: Fritz Schneider <[EMAIL PROTECTED]>
Subject: Anyone done/doing Schneier's self-study cryptanalysis course?
Date: Mon, 13 Nov 2000 12:30:30 -0800
Reply-To: Fritz Schneider <[EMAIL PROTECTED]>
Hello all. I'm curious to see if there's anyone out there that
wouldn't mind corresponding with me about Bruce Schneier's self-study
block cipher cryptanalysis course. I've just started and would like to
compare notes with someone who has either been through it, is working
through it, or is well acquainted with the field. I think it would be
beneficial to be able to check different approaches, observations, and
results with others. It's pretty hard to judge your own progress when you
have no metrics to go by.
Note that I'm pretty busy so I'll be taking things kind of slowly:
perhaps one cipher every two or three weeks. Drop me an email if you'd
like to talk or wouldn't mind letting me pester you with questions once in
a while.
Perhaps if there's enough interest we could start a site where
people can post their progress at each stage in order to help each other
along?
-- fritz
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Chimera ciphers (WAS Re: On an idea of John Savard)
Date: Mon, 13 Nov 2000 20:41:22 GMT
On Mon, 13 Nov 2000 14:32:37 GMT, Paul Crowley
<[EMAIL PROTECTED]> wrote, in part:
>Tom is right. Look at the beautiful proof of resistance to differential
>and linear cryptanalysis in the Rijndael paper - no such proof would be
>possible with a mixed-up cipher like you propose. Look at the way the
>different layers do different work, but interact to create a strong
>cipher. Look at the way the structure can be re-jigged to give
>decryption the same structure as encryption. I'd have far more
>confidence in pure Rijndael than in any such chimera cipher.
I don't feel compelled to argue this too seriously. And I will
definitely agree that one could easily make a mistake, if one chooses
ciphers poorly.
Thus, with regards to my suggestion to alternate SAFER+ rounds with
Rijndael: for one thing, I would allow a complete sequence of the
Rijndael layers before applying a SAFER+ round in between.
For another, to prevent vitiating much of the analysis of Rijndael, I
should have pointed out that I would, after the SAFER+ round, re-order
the bytes so that no displacement of the bytes in the block occurs
during that round (it's either that, or omit the Shift Row step from
Rijndael).
Actually, it is better that a cipher with alternating round types be
designed from the ground up, rather than fitting together two existing
ciphers. I won't deny that either.
What I do still think, however, is that we need more than resistance
to the attacks we know about; thus, a cipher ought to be designed so
that no attack can even be imagined - in addition to having parts
strengthened against the attacks we know.
>(http://www.unifi.it/unifi/surfchem/solid/bardi/chimera/origins.html)
Cute URL.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: sci.crypt archive
Date: Mon, 13 Nov 2000 20:41:35 GMT
Does anyone know where I can find an archive of sci.crypt postings from
1998-1999? The ftp sites listed in the FAQ only go up to 1997 as far as
I can see, and deja.com only gives access to posts from sometime in 1999
onwards.
TIA
Chris
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Algorithm with minimum RAM usage?
Date: 13 Nov 2000 20:55:43 GMT
Runu Knips wrote:
>
>
>Guy Macon wrote:
>> The list of AES candidates I saw didn't include Skipjack.
>
>AES candidates have to have 128 bit blocks and 128, 196 and 256 bit key
>sizes.
>
>Skipjack has 64 bit blocks and a (very low) 80 bit key size.
>
>Too, Skipjack is from the NSA. In fact, it is the first algorithm ever
>published by the NSA. In fact, it was never intended to get published.
Ah. I see. Looks like Rijndael is the best choice if I want strong
encryption in minimum RAM.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************