Cryptography-Digest Digest #161, Volume #13      Wed, 15 Nov 00 06:13:01 EST

Contents:
  Re: RC4 on FPGAs? (Ian Goldberg)
  Re: hardware RNG's (David Schwartz)
  Re: Learning Differential and Linear Cryptanalysis? (David Wagner)
  Re: vote buying... (David Wagner)
  Re: vote buying... (Paul Rubin)
  Re: Integer encoding on a stream ("D. He")
  Re: Why remote electronic voting is a bad idea (was voting through pgp) (Tommy the Terrorist)
  Re: vote buying... ("Trevor L. Jackson, III")
  Re: Black Market Internet Information - my visits and tradeshows (nemo outis)
  Re: The SHAs ("kihdip")
  Re: vote buying... (Volker Hetzer)
  Re: sci.crypt archive ([EMAIL PROTECTED])
  Re: MY BANANA REPUBLIC (Andre van Straaten)
  Re: Thoughts on the sci.crypt cipher contest (David Formosa (aka ? the Platypus))
  Re: vote buying... (David Wagner)
  Re: The ultimate cipher (Mok-Kong Shen)
  Re: On an idea of John Savard (Mok-Kong Shen)
  Re: On an idea of John Savard (Mok-Kong Shen)
  Re: On an idea of John Savard (Mok-Kong Shen)
  Question about ANSI X9.19/X9.9 Message Authentication ("Paul Sheer")
  Re: Thoughts on the sci.crypt cipher contest (Paul Crowley)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Ian Goldberg)
Subject: Re: RC4 on FPGAs?
Date: 15 Nov 2000 02:58:28 GMT

In article <[EMAIL PROTECTED]>,
ajd <[EMAIL PROTECTED]> wrote:
>Hi,
>
>Has anyone implemented the RC4 algorithm on an FPGA (or can anyone point me
>to someone who has)? What sort of throughput did you get?

You might also check out Dave's and my paper:

http://www.cs.berkeley.edu/~iang/isaac/hardware/main.html

This is the paper that became Chapter 10 of the EFF DES Cracker book, but
it's from 1996, and so the numbers are certainly out-of-date...

   - Ian

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: hardware RNG's
Date: Tue, 14 Nov 2000 19:17:02 -0800


Paul Pires wrote:
> 
> David Schwartz <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > Paul Pires wrote:
> >
> > > It seems to me that you have refined a usable output stream from a poor
> > > input stream by rejecting enough input to correct for its flaws. You have
> > > not made a good output, just thrown out some bad. Can you deterministically
> > > fix it and leave the input/output ratio at 1:1?
> >
> > Yes, assuming by "input/output ratio" you mean the ratio of input
> > entropy to output entropy.
> 
> No. I meant 1:1 input to output bit size. It is clear that output entropy only
> comes from input entropy.

        Right. And output randomness only comes from input randomness. And
output unpredictability only comes from input unpredictability (assuming
an attacker who knows the algorithm).

> I wanted to know if you were saying something else. It seems to me that
> there are two axes to the problem. Make better input/Make better post
> processors. The latter seems less ideal since by definition, it requires
> trashing some of your hard earned entropy or a complex process to refine
> what you have in a way minimizing the loss. The quality of the "Miracle" you
> performed, see:
> 
> >>Now, if you insist on your original definition of "unpredictable", I've
> >>just performed a major miracle. I've taken a predictable input stream
> >>and deterministically produced an unpredictable output stream from it!
> 
> is less astounding when it is seen to be simple surgery.

        It is entirely astounding if you accept the suggested (and, IMO,
ridiculous) definition of "unpredictable".
 
> > The point is, if the input stream is deterministically fixable, then it
> > contained sufficient randomness. Otherwise no deterministic process
> > could fix it.
> 
> How can Something contain "Sufficient Randomness"? Kinda paradoxical. 

        How is that paradoxical?

> If you know it is, it isn't cause it wouldn't be random. "Sufficient
> unpredictability" is better but not much. How do you determine its sufficiency
> and therefore know if you have fixed it?

        I showed in my example exactly how you do that, so I'm not sure I
understand what you're asking me.

> I'm not raggin on you, I actually feel the same way but it does me no
> practical good. The problem is still there. If it starts out bad and you say
> you fixed it, how do I know?

        Are you saying you don't believe that if I take an input bit stream
that is unpredictable but biased then the algorithm I suggested will
produce an unpredictable and unbiased output? A proof is not difficult
to compose. If I show a proof and you still don't believe me, then
you're beyond reason.

        DS
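
The algorithm Schwartz refers to is not reproduced in this digest, so the
following is an added example rather than his code: it uses von Neumann's
debiasing, assumed here to be the standard instance of "deterministically
fixing" a biased but unpredictable stream. Pair up the input bits, emit 0
for the pair 01 and 1 for 10, and discard 00 and 11. For independent bits
with any constant bias p, both kept pairs have probability p(1-p), so the
output is exactly unbiased, which is the easy proof Schwartz mentions. The
same arithmetic answers Pires's 1:1 question: the yield is p(1-p) output
bits per input bit, at most one quarter even for perfect input. The biased
source below is a constructed stand-in for hardware, and the final check
shows the other half of Schwartz's point: a perfectly predictable 0101...
input passes every pair and comes out as a stream of zeros, because no
post-processor can add unpredictability the input never had.

```python
import random


def von_neumann_debias(bits):
    """Deterministic post-processor: read the input two bits at a time, emit
    the first bit of each unequal pair (01 -> 0, 10 -> 1), discard 00 and 11.

    Assumes the input bits are independent with a constant, unknown bias
    p = P(bit == 1).  Then P(01) = P(10) = p * (1 - p), so each emitted bit
    is exactly unbiased.  It does NOT assume the bits are unpredictable:
    a periodic input such as 0101... is passed through as all zeros.
    """
    out = []
    pairs = iter(bits)
    for a, b in zip(pairs, pairs):  # consumes two input bits per iteration
        if a != b:
            out.append(a)
    return out


def bias(bits):
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits) if bits else float("nan")


def expected_yield(p):
    """Output bits per input bit for independent input with P(1) = p.
    Two input bits per pair, a pair is kept with probability 2p(1-p)."""
    return p * (1 - p)


def biased_source(p, n, seed):
    """Constructed stand-in for a hardware source: independent bits, P(1) = p."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]


def debias_report(p, n=200_000, seed=1):
    """Run the extractor over a constructed biased stream and measure the result."""
    raw = biased_source(p, n, seed)
    fixed = von_neumann_debias(raw)
    return {
        "input_bias": bias(raw),
        "output_bias": bias(fixed),
        "ratio_out_to_in": len(fixed) / len(raw),
        "expected_ratio": expected_yield(p),
    }


if __name__ == "__main__":
    for p in (0.5, 0.7, 0.9, 0.99):
        print(p, debias_report(p))
    # The caveat: nothing is gained on a predictable input.
    print(von_neumann_debias([0, 1] * 8))
```

The report's ratio_out_to_in is the practical cost: at p = 0.9 roughly nine
output bits per hundred input bits. The last line is the test a practitioner
should keep in mind before trusting any whitener: feed it a stuck or
oscillating source and see what comes out.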

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Learning Differential and Linear Cryptanalysis?
Date: 15 Nov 2000 03:49:26 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Simon Johnson  wrote:
>Where can i find reference material, books etc. with a clear and concise
>explanation of these two attacks?

You could start with Bruce Schneier's description in Dr. Dobb's Journal
(check www.counterpane.com).  Then, read _Differential Cryptanalysis of
the Data Encryption Standard_ (Biham and Shamir), if you can find it.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: vote buying...
Date: 15 Nov 2000 03:56:46 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

David Schwartz  wrote:
>       The problem is, this also means that there's no way for you to ensure
>that your vote actually got cast the way you meant it to.

That's not quite true.  The great thing about our voting system is that
it's easy to check up on how they're operating.  You can stand at the
polling place all day and make sure they always put all ballots in the
locked box.  You can go watch the hand count.  You can volunteer to help.

In other words, it's an open system, where one can readily verify that the
security procedures are not being violated, and where it is intuitive
why those procedures ensure that your vote will be counted fairly.
That's an important property.

IMHO, we should be reluctant to accept any electronic voting system that
does not preserve this transparency property.

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: vote buying...
Date: 14 Nov 2000 19:57:53 -0800

[EMAIL PROTECTED] (David Wagner) writes:
> That's not quite true.  The great thing about our voting system is that
> it's easy to check up on how they're operating.  You can stand at the
> polling place all day and make sure they always put all ballots in the
> locked box.  You can go watch the hand count.  You can volunteer to help.

As we're seeing in Florida, this is nowhere near enough, especially
with absentee ballots.  But even with the ballots cast in person,
there are all sorts of reports of boxes of them disappearing and/or
turning up later in strange places; locked boxes apparently containing
ballots being opened and turning out to contain only voting supplies
like crayons; bags of ballots being mysteriously unsealed while locked
up; etc.  Plus there's also the issue of enforcement on voting day.
Apparently large numbers of voters were turned away from the polls
without being allowed to cast provisional (disputed) ballots and
without being given any documents saying they had been turned away.
It's a real mess.

> In other words, it's an open system, where one can readily verify that the
> security procedures are not being violated, and where it is intuitive
> why those procedures ensure that your vote will be counted fairly.
> That's an important property.
> 
> IMHO, we should be reluctant to accept any electronic voting system that
> does not preserve this transparency property.

This, I agree with.

------------------------------

From: "D. He" <[EMAIL PROTECTED]>
Crossposted-To: comp.compression
Subject: Re: Integer encoding on a stream
Date: Tue, 14 Nov 2000 23:03:33 -0500

Elias has a paper about universal representations of integers published in
1976 in IEEE Trans. on IT. Knuth's coding looks like one of the methods
proposed in that paper. I personally found it interesting that there is a
perfect match between the Elias universal codes of integers and Kolmogorov
Complexity of integers.

"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

> "D. He" wrote:
> > In theory, to represent an unbounded integer n by prefix-free code, it
> > requires at least 1 + log^*n bits, where log^*n = log n + log log n +
> > log log log n + ...
>
> ... which implies that Knuth's coding is essentially optimal.
> Knuth wrote a remarkable paper (buried somewhere in my files)
> about this, also discussing efficient coding of exceedingly
> large numbers when the requirement that the coding be dense
> was dropped (i.e. some values would not have encodings).  It
> is thus possible to define finite numbers that are literally
> inconceivable (except indirectly through the encoding scheme).



------------------------------

From: Tommy the Terrorist <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Why remote electronic voting is a bad idea (was voting through pgp)
Date: 15 Nov 2000 03:27:43 GMT

In article <[EMAIL PROTECTED]> Tim May,
[EMAIL PROTECTED] writes:
>> You've already heard of the so-called "electronic signatures", right?

>Voting protocols are about MUCH more than "digital signatures."

>If this is not obvious to you, no point in further discussion.

We'll see...

What I referred to as an "electronic signature" is the legally
enforceable "electronic signature" issued by a [Supposedly] Trusted Third
Party under the terms of the law signed by Clinton on October 1 and Zemin
a few days afterward.  This is of course absolutely distinct from a
"digital signature" as issued by PGP, which presumably doesn't fit into
their plans at all.  The technology may be the same, but who holds it,
and what they've forced the sender to do, makes the difference.  (Sort of
like guns, which are "good" in the hands of the narks bursting into
people's houses, but "bad" in the hands of the ordinary person.....)

Now, if you see some way that the voting protocol needs to go materially
beyond a standard commercial "electronic signature", other than in the
process of "voter registration", which to me appears distinct from the
actual vote count itself and an independent issue, do tell.

--
"Williams said the officer went to the car and found a mouse, which had
been injured and was bleeding.
The officer took the mouse to an animal hospital for treatment."
"6 Arrested in Rodent-Tossing Case", _The San Diego Union-Tribune_,
October 5, 2000
"Animal-rights groups have been watching the case and have told police
they want stiff punishment meted out, police said."

------------------------------

Date: Wed, 15 Nov 2000 01:06:14 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: vote buying...

David Wagner wrote:

> David Schwartz  wrote:
> >       The problem is, this also means that there's no way for you to ensure
> >that your vote actually got cast the way you meant it to.
>
> That's not quite true.  The great thing about our voting system is that
> it's easy to check up on how they're operating.  You can stand at the
> polling place all day and make sure they always put all ballots in the
> locked box.  You can go watch the hand count.  You can volunteer to help.
>
> In other words, it's an open system, where one can readily verify that the
> security procedures are not being violated, and where it is intuitive
> why those procedures ensure that your vote will be counted fairly.
> That's an important property.
>
> IMHO, we should be reluctant to accept any electronic voting system that
> does not preserve this transparency property.

Yes.

The only major weakness in this system is that it does not exclude forgeries
(ballot stuffing).  It may be that a kind of ballot registration (blind
signatures?) would effectively exclude the possibility of injecting fraudulent
ballots.



------------------------------

Crossposted-To: alt.security,alt.2600,comp.security
From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: Black Market Internet Information - my visits and tradeshows
Date: Wed, 15 Nov 2000 06:27:29 GMT

Why in the world wouldn't  you expect your enemies to select a technique that 
works rather than ones that don't?

Terrorists (or freedom fighters, depending on your point of view) have found 
out a major weakness of the great empire and are exploiting it.  The US is 
extremely vulnerable to asymmetric warfare as it is sometimes called.

As for the Cole attack, it was against a military target, which is "pretty 
ethical" by terrorist standards.

Regards,


In article <8usoct$3c6$[EMAIL PROTECTED]>, Futurist <[EMAIL PROTECTED]> 
wrote:
..snip...
>>
>Did you know that third world scum blew up the U.S.S. Cole in another
>cowardly act because they know if they actually came out in the open
>and attacked the U.S. every last one their little brown bodies would be
>FRIED? Nuke the Middle East!!
>

------------------------------

From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: The SHAs
Date: Wed, 15 Nov 2000 08:30:55 +0100

Sorry for asking a (bit) different question in this thread, but reading it
made me wonder:

We're often discussing performance of cryptographic algorithms - but what
about hash algorithms ??

A hash algorithm is supposed to be fast (per definition), but how fast is
for instance a SHA-1 ??  (f.ex. compared to a DES or 3xDES implementation on
the same platform)

Kim



------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: vote buying...
Date: Wed, 15 Nov 2000 08:59:26 +0100

Kristopher Johnson wrote:
> 
> "Your vote" is not something you own; it is a privilege granted to you by
> the government, and the government can enforce whatever restrictions they
> want upon it.
Huh? How can the government own a vote when I can use it to oust it?
And, btw, most governments were forced to accept the vote system.
I don't think any monarchy granted the voting system without pressure
of the population.

> The government wants people to vote based upon their
> consciences, and not based upon the highest bid they've received.
Great. The government wants to tell me how to vote. Forget it.

Greetings!
Volker
--
The early bird gets the worm. If you want something else for       
breakfast, get up later.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: sci.crypt archive
Date: Wed, 15 Nov 2000 07:58:56 GMT

In article <[EMAIL PROTECTED]>,
  "Thomas J. Boschloo" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> >
> > Does anyone know where I can find an archive of sci.crypt postings from
> > 1998-1999? The ftp sites listed in the FAQ only go up to 1997 as far as
> > I can see, and deja.com only gives access to posts from sometime in 1999
> > onwards.
>
> I thought this at first too, but deja has older articles online. You
> just have to include a date at the bottom of your form. If your search
> turns up nothing, you are given the option to search in an older
> database
As far as I can see, the archive of messages before May 1999 is not
available from Deja, and hasn't been for some time. So there is a gap
between sometime in 1997 and May 1999 which doesn't seem to be filled
by any online archive :-(. Unless someone out there knows different ...

Chris


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Andre van Straaten <[EMAIL PROTECTED]>
Subject: Re: MY BANANA REPUBLIC
Date: 15 Nov 2000 03:17:09 -0600

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Mok-Kong Shen wrote:
>> ... (In a previous thread
>> quite a time ago I learned that there is nothing to
>> prevent anyone in US to give more than one vote through
>> going to different voting locations, there being no
>> identity cards or registrations to rigourously control the
>> voters.

> It is dependent on individual states and precincts,
> but in general the polling places at least check the voter
> against a roster of registered voters by name, address,
> and date of birth.  I think for this election, Virginia
> instituted a strict ID check, which was vociferously
> objected to by Democrats -- maybe they were counting
> on voting the graveyard?

There are also other, real, and living people. Not necessarily citizens.

"When they look for me, I am not there. When they find me, I am not me."
(Manu Chao, from his CD "Clandestino", translated from the Spanish)


 -- avs
  
 Andre van Straaten
 http://www.vanstraatensoft.com
 ______________________________________________
 flames please to [EMAIL PROTECTED]



====== Posted via Newsfeeds.Com, Uncensored Usenet News ======
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
=======  Over 80,000 Newsgroups = 16 Different Servers! ======

------------------------------

From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: Thoughts on the sci.crypt cipher contest
Reply-To: [EMAIL PROTECTED]
Date: Wed, 15 Nov 2000 10:36:30 GMT

On Tue, 14 Nov 2000 20:56:29 GMT, Paul Crowley
<[EMAIL PROTECTED]> wrote:


>  Extra credit for a PANAMA-like
>"push-pull" design that can do double duty as a hash function or MAC -
>that's much harder though I think!

I reckon we should have a contest for a MAC.


-- 
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: vote buying...
Date: 15 Nov 2000 10:38:56 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Paul Rubin  wrote:
>[EMAIL PROTECTED] (David Wagner) writes:
>> That's not quite true.  The great thing about our voting system is that
>> it's easy to check up on how they're operating.  You can stand at the
>> polling place all day and make sure they always put all ballots in the
>> locked box.  You can go watch the hand count.  You can volunteer to help.
>
>As we're seeing in Florida, this is nowhere near enough, especially
>with absentee ballots.  But even with the ballots cast in person,
>there are all sorts of reports of boxes of them disappearing and/or
>turning up later in strange places; locked boxes apparently containing
>ballots being opened and turning out to contain only voting supplies
>like crayons; bags of ballots being mysteriously unsealed while locked
>up; etc.  Plus there's also the issue of enforcement on voting day.
>Apparently large numbers of voters were turned away from the polls
>without being allowed to cast provisional (disputed) ballots and
>without being given any documents saying they had been turned away.
>It's a real mess.

Yes, absentee ballots don't really have this transparency property.

But I think the other failure modes _are_ observable, if you take the
time to look.  You can probably go visit the polling places and write
down the id numbers on the boxes, then check at the vote counting station
that all boxes have shown up.  And so forth.

Now of course, the mere _ability_ to monitor the system if we want to
doesn't mean that anyone will bother to do so, and you're right that
Florida is a fine example of that.  But, the nice property is that if
anyone of the voting public becomes suspicious of the system, it is easy
to show them how they can verify pieces of it themselves.  And, if the
American public were to become extremely distrustful of our system as
a result of the Florida screwups, there would be no barriers to having
widespread community observation -- by the public!, and anyone who cares,
not just by specially designated authorities -- of the process the next
time we vote.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: The ultimate cipher
Date: Wed, 15 Nov 2000 11:42:35 +0100



James Felling wrote:
> 
> The problem here is that without defined sub modules all that can be said is
> may be, and should ,and similar vague murmurings.  Spec something out, and
> see what you get.  My guess is that first off you will run into some issues
> of speed( as keysetup is gonna be UGLY) and memory.  Ignoring those you may
> come up with something of interest.

Actually the idea is nothing very spectacular and can be 
considered as a résumé of stuff on variability already
discussed in the past. It relies mainly on the large (and 
unknown) number of cases according to the combinatorics 
that the opponent has to try. He may be able to crack 
each single case. But, since he doesn't know which one he 
has at hand, he has NO idea of how to start. Let's consider 
multiple encryption with m ciphers (these may be of 
different strengths). If m is fixed, the opponent may be 
able to crack any special sequence of the ciphers in 
concatenation. If some (additional) key material is used 
to specify the permutation of the m ciphers, then he would 
have to brute-force, trying guessed constellations. Now 
we can vary this yet in some aspects. First, m could be a 
variable that is e.g. determined by key material from a 
range [m1, m2]. Second, each cipher may be parametrized 
(e.g. number of rounds of block cipher or permutation of 
the round keys). Third, the parameters may be dynamically 
varied during the processing either through data obtained 
in the computation or some external random data (to be 
transmitted to the partner). There could be other ways 
of introducing variability that I haven't yet considered 
but I suppose the above suffices to explain that the goal 
is to create a situation where the opponent is like a 
stranger in a city without a map and wondering which way 
he is going to take. Certainly, there is no free lunch. 
We need more key material but there isn't any computing 
overhead apart from computations to do some small number 
of decision making during the processing.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Wed, 15 Nov 2000 11:42:54 +0100



Tom St Denis wrote:
> 
[snip]
> Note that in DES two rounds are not "complete".

Sorry, I don't understand what you meant. DES repeats
its cycles (two rounds) eight times. Do you mean
'complete' by 'having sufficient strength' or 'as
specified in the standard' or something else?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Wed, 15 Nov 2000 11:42:45 +0100



David Schwartz wrote:
> 
> Mok-Kong Shen wrote:
> >
> > David Schwartz wrote:
> > >
> > > Mok-Kong Shen wrote:
> > >
> > > > If you increase a common block cipher from its standard
> > > > number of rounds to a higher number of rounds, do you
> > > > think that you would thereby weaken it?
> > >
> > >         Perhaps. If, for example, one side was doing X rounds and the other
> > > side was doing X+1 rounds, there might be imaginable compromises.
> >
> > I am afraid there is some misunderstanding between us.
> > What do you mean by 'side'? Do you mean the communication
> > partners? Of course they have to use the same algorithm.
> 
>         Right, the two sides have to use the same algorithm. That means the
> number of rounds must be chosen in advance.

See below.

> 
> > If you mean that a DES-like cipher one round treats only
> > one half block), then one has to substitute 'cycle',
> > i.e. two rounds, for what I meant above, for e.g. a
> > 17 round DES is not very good, though I suppose it
> > should still be stronger than the 16 round one.
> 
>         No, I'm saying that if you create a cipher where the number of rounds
> is negotiable, you need a secure negotiation protocol. If you're
> creating a cipher where the number of rounds must be chosen in advance,
> then you might as well just choose a number.

Well, you could say that it needs a protocol. I view it
in a more simple perspective. One could use a longer key
(which one needs anyway) with the additional part to 
determine the rounds (or eventual other parameters for 
variability of the encryption scheme).

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On an idea of John Savard
Date: Wed, 15 Nov 2000 11:43:02 +0100



James Felling wrote:
> 

> I can accept that barring rare cases this compostion would be stronger than
> the weaker of  (m+n) round X and (m+n) round Y. But I still don't understand
> why the stronger of those two is not prefered to a mix.

The preference is indeed difficult to establish objectively.
But if one wants to extend a standard block cipher to more 
rounds, one has to extend its keyscheduling to generate the 
additional round keys. In the other case one doesn't have 
that work and one may feel more at ease.

M. K. Shen

------------------------------

From: "Paul Sheer" <[EMAIL PROTECTED]>
Subject: Question about ANSI X9.19/X9.9 Message Authentication
Date: Wed, 15 Nov 2000 12:59:35 +0200


(please reply to:    psheer  (AT)  icon.co.za )

Hi there

I don't have this ANSI standard, but need to implement it for
a project.

Does anyone know what the ANSI X9.19/X9.9 algorithm actually is?

I assume it's identical or very similar to des_cbc_cksum() from
the openssl package, i.e. CBC encryption of the blocks and
taking part of the last encrypted block.

My own implementation gives the same result as des_cbc_cksum()
but differs from the example data of the spec I am given. The spec
claims ANSI compliance.

I also have the FIPS113 standard http://www.itl.nist.gov/fipspubs/fip113.htm
which looks very similar. Is this identical to the ANSI MAC?

thanks for any help

best

-paul
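
Added example, not Paul's code and not OpenSSL's des_cbc_cksum(): the MAC
structure these two standards are usually documented with, so the places
where two implementations can agree on plain DES CBC-MAC and still disagree
on a spec's example data are visible in code. The DES CBC-MAC that FIPS 113
and X9.9 share is a zero-IV CBC over zero-padded data (ISO 9797-1 padding
method 1) truncated to the leftmost 32 bits. The X9.19 retail MAC, as
commonly documented (ISO 9797-1 MAC algorithm 3), is the same CBC-MAC under
the first key followed by one extra step on the final block: decrypt under
the second key, re-encrypt under the first. If the spec's example uses a
16-byte key, that step is the likely source of a mismatch. To keep this
runnable with only the standard library, DES is replaced by a labelled toy
4-round Feistel cipher, so nothing here reproduces a real test vector; the
keys and messages are constructed. The last check in main is the known
weakness of zero padding: a message and the same message with trailing zero
bytes appended up to the block boundary get the same MAC unless the length
is authenticated separately.

```python
import hashlib
import struct

BLOCK = 8  # DES block size; the MAC constructions below are what X9.9/X9.19 wrap around DES


def _round_function(key, rnd, half):
    """Round function of the stand-in cipher: 32 bits of SHA-256(key, round, half)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(key, block, rounds):
    left, right = struct.unpack(">II", block)
    for rnd in rounds:
        left, right = right, left ^ _round_function(key, rnd, right)
    return struct.pack(">II", right, left)  # undo the final swap


def toy_encrypt(key, block):
    """64-bit block, 8-byte key.  A 4-round Feistel stand-in for DES (NOT DES,
    not secure): it exists only so the MAC code runs without a DES library."""
    return _feistel(key, block, range(4))


def toy_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _pad_zero(msg):
    """Padding method 1: zero bytes up to a block boundary, at least one block."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    return padded or bytes(BLOCK)


def cbc_mac_full(key, msg, encrypt=toy_encrypt):
    """CBC-MAC with a zero IV over zero-padded data; returns the full last block."""
    state = bytes(BLOCK)
    padded = _pad_zero(msg)
    for i in range(0, len(padded), BLOCK):
        state = encrypt(key, _xor(state, padded[i:i + BLOCK]))
    return state


def mac_x99(key, msg, mac_len=4):
    """X9.9 / FIPS 113 style: single-key CBC-MAC, leftmost mac_len bytes."""
    return cbc_mac_full(key, msg)[:mac_len]


def mac_x919(key1, key2, msg, mac_len=4):
    """X9.19 retail MAC (ISO 9797-1 algorithm 3): CBC-MAC under key1, then
    decrypt the final block under key2 and re-encrypt under key1.
    With key1 == key2 the extra step cancels and the result equals mac_x99."""
    last = cbc_mac_full(key1, msg)
    return toy_encrypt(key1, toy_decrypt(key2, last))[:mac_len]


if __name__ == "__main__":
    key1 = bytes.fromhex("0123456789abcdef")  # constructed keys, not spec vectors
    key2 = bytes.fromhex("fedcba9876543210")
    msg = b"Constructed retail message 0042"
    print("X9.9  :", mac_x99(key1, msg).hex())
    print("X9.19 :", mac_x919(key1, key2, msg).hex())
    print("same with one key:", mac_x919(key1, key1, msg) == mac_x99(key1, msg))
    # Zero padding: 'PAY 100' padded equals 'PAY 100\x00' unpadded.
    print("trailing-zero collision:", mac_x99(key1, b"PAY 100") == mac_x99(key1, b"PAY 100\x00"))
```

To compare against a real spec vector, replace toy_encrypt/toy_decrypt with
single-DES ECB encrypt/decrypt from a crypto library; the surrounding
padding, chaining, final transform and truncation are the parts that
typically differ between a home-grown CBC checksum and the standard.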



------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: Thoughts on the sci.crypt cipher contest
Date: Wed, 15 Nov 2000 11:09:14 GMT

"David Formosa (aka ? the Platypus)" wrote:
> I reckon we should have a contest for a MAC.

UMAC just wins, though.  I want a contest in which our efforts are not
obviously overshadowed by existing work.
-- 
  __
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
