Cryptography-Digest Digest #337, Volume #13 Fri, 15 Dec 00 15:13:01 EST
Contents:
Blum Blum and Shub (Peter Fairbrother)
Re: Encryptian of data over radio transmission (Simon Best)
Re: Help with code generator/Formula (Mike Rosing)
Re: On using larger substitutions (Mok-Kong Shen)
Re: Sr. Cryptographer/mathematician (Simon Johnson)
Re: Homebrew Block Cipher: Moonshine (Simon Johnson)
Q: Result of an old thread? (Mok-Kong Shen)
Re: Homebrew Block Cipher: Moonshine (Simon Best)
Re: Help with code generator/Formula (Simon Johnson)
Reminder (Eric Lee Green)
Re: Homebrew Block Cipher: Moonshine (Simon Best)
Re: Blum Blum and Shub (Simon Johnson)
Re: Q: Result of an old thread? (Simon Best)
----------------------------------------------------------------------------
Subject: Blum Blum and Shub
From: Peter Fairbrother <[EMAIL PROTECTED]>
Date: Fri, 15 Dec 2000 18:21:13 +0000
Does anyone know the legal status of Blum Blum and Shub PRNG's? Any patents
etc?
Thanks
Peter
--
[EMAIL PROTECTED]
http://www.m-o-o-t.org
ps what wonderful names cryptologists have!
------------------------------
From: Simon Best <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Encryptian of data over radio transmission
Date: Fri, 15 Dec 2000 18:22:17 +0000
Tom St Denis wrote:
>
> In article <Bfo_5.159595$[EMAIL PROTECTED]>,
> "Jordan McCallum" <[EMAIL PROTECTED]> wrote:
> > How can I encrypt voice data over FM? Schematics would be appreciated.
> > Basically looking for an add-on for an FM transceiver I have. Also
> > schematics for the decryptor.
>
> There is more to it than that. You need to input a key somehow or
> negotiate one. You probably want to be a digital mode not analogue
> either.
>
> Tom
Also, with the digital signal being broadcast for all to intercept, care
may be needed in the design of the digital to analogue part (probably
not a DAC, but there's some kind of conversion going on nevertheless).
It's possible to work out how bits were combined, and what those bits
were, with some schemes, if badly implemented. Logic gates tend to be
pretty noisy things, and generally aren't designed to hide the
identities of specific input bits at the analogue level.
For example, suppose I'm using OTP (one-time pad), with a single, two
input XOR gate on some old logic chip (74somethingorother, for
example). It wouldn't be at all surprising for the XOR gate to give
slightly different analogue responses to digitally equivalent input
pairs. If that bonus information ends up getting unwittingly
transmitted, I could recover much of the message without needing any key
material in advance!
Simon
--
_______________________________________________________________________________
Personal: [EMAIL PROTECTED]
Yellow Skies: [EMAIL PROTECTED] http://www.yellowskies.com
Everyone does their own signature to be different. How does that work?
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Help with code generator/Formula
Date: Fri, 15 Dec 2000 12:44:36 -0600
[EMAIL PROTECTED] wrote:
>
> Here is my situation. I am trying to figure out a formula/code for a
> number generator. I have 5000 pairs of the input number and the result.
> Let me explain. A certain number X is entered into a program. Then it
> returns Y. I have 5000 XY pairs. Can someone lead me to what I need to
> do to find the formula that creates Y? Is 5000 pairs enough?
If x and y are 12 bits or less, it is enough. If they are larger, then
it's not enough - but you might be able to find something out. If the
x and y values are 100 bits long, forget it, unless you have some idea
what the algorithm might be.
Patience, persistence, truth,
Dr. mike
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On using larger substitutions
Date: Fri, 15 Dec 2000 19:48:36 +0100
Tom St Denis wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> > Tom St Denis wrote:
> > >
> >
> > > Creating MDS matrices is a matter of choosing a non-cyclic field such
> > > as GF(2^w), an irreducible polynomial modulus and elements inside a
> > > matrix such that no sub-matrix is singular. For a 4x4 such as in
> > > Square/Rijndael/Twofish it is a matter of randomly making a matrix and
> > > stepping through all possible sub-matrices (i.e. cutting 0,1,2,3
> > > rows/cols from the matrix). I haven't written a program to do this
> > > before but I imagine I could over the x-mas holiday.
> >
> > What is the difference in knowledge/experience/time needed
> > to do that in comparison to accessing a substitution table
> > and doing a cyclic shift?
>
> Your method is potentially weak. I told you this 8 times already. Sha-Whatever.
>
> > > I never said posting inferior stuff is a waste of time. I said posting
> > > stuff you know is inferior is a waste of time. Of which I tried to
> > > inform you your design was weak. Listen to me or not. In the end you
> > > will get some hotshot cryptographer shoot you down. It's better to
> > > learn now than after you work on it.
> >
> > You continue to ignore my point that different things
> > can be advantageously used in different circumstances
> > and one doesn't need the best of all in ALL cases. I
> > said in my original post that it is only (believed by me)
> > an improvement of Playfair. Hence no cryptographer,
> > who knows how strong/weak Playfair is, will shoot me
> > down, unless he wants to argue just for the argumentation's
> > sake, like a few people who are often observed to do with
> > the intention to simply show-off their (self-supposed) very
> > deep knowledge in all matters on all possible occasions.
>
> Well (if I perceive the hint correctly) I never said "I am the king of
> the crop". I just point out things that make me stop and say "Nope,
> doesn't seem right".
>
> Believe it or not but what I originally pointed out IS VALID. Why
> would you use a primitive that is weak? It's like replacing the sboxes
> in DES with addition because you know it's faster and ignore the fact
> it's weaker. Sure you could do it but why?
>
> Sure playfair (never seen it before btw) may be interesting. But
> your proposed construction IS NOT secure. Why be inefficient?
>
> Heck if I make a feistel cipher with
>
> F(x, k) = ((x + k) <<< x) as the round function (assuming 64-bit block
> cipher) all I need is about 250 rounds before it's secure against
> linear/diff attacks (secure against linear after about six rounds).
> Would I propose such a cipher?
I said several times it is only a variation of Playfair
(hence is probably as weak as Playfair, though could be
better in my view) and also is to be used like it,
and I mentioned using it in the fashion of polyalphabetic
substitution (using a number of such substitutions). There
is no intention to use it as S-boxes of a block cipher.
The underlying 8-bit substitutions are to be randomly
generated. The substitution run can be combined with
transposition (all in the classical sense) and such a
couple can be repeated (with different substitutions
and transpositions) several times, as I mentioned in
another follow-up. Is that now clear to you?
M. K. Shen
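Tom's quoted recipe for building an MDS matrix (pick GF(2^w) with an irreducible modulus, fill a matrix, then step through every square sub-matrix and reject the matrix if any of them is singular), written out as an added Python example. This is not code from the thread or from any of the ciphers named in it. The field GF(2^8), the Rijndael modulus 0x11B and the use of Rijndael's MixColumns matrix as the positive test case are all choices of the example.

```python
from itertools import combinations

# Arithmetic in GF(2^8) reduced by the Rijndael polynomial x^8+x^4+x^3+x+1
# (0x11B).  The field and modulus are choices of this example; the quoted post
# only says "GF(2^w) with an irreducible polynomial modulus".
POLY = 0x11B


def gf_mul(a, b):
    """Multiply two field elements (0..255) by shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_det(m):
    """Determinant over GF(2^8) by Laplace expansion along the first row.
    In characteristic 2 addition and subtraction are both XOR, so the usual
    alternating signs disappear.  Fine for the 1x1..4x4 minors checked here."""
    if len(m) == 1:
        return m[0][0]
    det = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        det ^= gf_mul(m[0][j], gf_det(minor))
    return det


def singular_submatrix(m):
    """Step through every square sub-matrix (delete 0..n-1 rows and the same
    number of columns) and return (rows, cols) of the first singular one,
    or None when all of them are non-singular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[m[r][c] for c in cols] for r in rows]
                if gf_det(sub) == 0:
                    return rows, cols
    return None


def is_mds(m):
    """A square matrix is MDS exactly when every square sub-matrix is non-singular."""
    return singular_submatrix(m) is None


# Rijndael's MixColumns matrix, a known MDS matrix, used as the positive case.
RIJNDAEL_MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# A constructed negative case: every 2x2 minor of the all-ones matrix is 1*1 ^ 1*1 = 0.
ALL_ONES = [[1] * 4 for _ in range(4)]

if __name__ == "__main__":
    print("Rijndael MixColumns is MDS:", is_mds(RIJNDAEL_MIXCOLUMNS))
    print("all-ones singular sub-matrix:", singular_submatrix(ALL_ONES))
```

For a 4x4 matrix this is 69 determinants, so the exhaustive check is instant; the same loop over a random 4x4 candidate is the "randomly making a matrix and stepping through all possible sub-matrices" search the quoted post describes.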
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Sr. Cryptographer/mathematician
Date: Fri, 15 Dec 2000 18:50:54 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Simon Johnson wrote:
> > This is non-sensical. Simply because he doesn't know what name
> > something is called doesn't mean he cannot do math; it just means,
> > quite obviously, he doesn't know the name.
>
> What Tom did was ridicule somebody else's use of *standard*
> names for well-known branches of mathematics, which Tom
> strongly implied demonstrated that they didn't know what
> they were talking about. It's much like criticizing a
> physician for not knowing that the liver and the spleen
> are the same organ. Whose ignorance is actually shown?
>
I fully agree. You must use the correct terms when trying
to communicate your ideas to others. This is not in dispute; what I
believe is incorrect is saying this is direct evidence of
his inability at maths.
If I were some brilliant mathematician (which is extremely far from the
truth) I might have derived all the mathematical proofs and
relationships from scratch, without contacting the outside world. If I
did not know the terminology, it wouldn't make me bad at maths, it
would just make me bad at communicating my ideas. Of course, I would
say that being able to communicate in cryptography is a required skill.
But at the end of the day, I don't think maths cares what we call it. :)
Simon.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Homebrew Block Cipher: Moonshine
Date: Fri, 15 Dec 2000 19:09:17 GMT
> Laziness. Or, rather, more interested in other bits of the cipher, so I
> was just lazy with this bit. I will come up with one of my own, though,
> and (hopefully) learn from it (as you suggest).
Actually, s-boxes (generally) give a cipher most of its security. It's a
good idea to spend your time designing a good set of s-boxes for your
cipher. After all, you want it to last as long as possible without a
break. :)
I'm glad to see more home-brewers out there :)
Yours,
Simon.
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Q: Result of an old thread?
Date: Fri, 15 Dec 2000 20:26:23 +0100
Quite a time ago someone posted a scheme of transmission of
message without using a shared secret key as follows (all
matrices are of the same size):
The message is in a singular matrix S (e.g. one with a zero
column). Alice chooses an arbitrary non-singular matrix A
and sends AS to Bob. Bob chooses an arbitrary non-singular
matrix B and sends ASB to Alice. Alice multiplies it with
A^(-1) and sends SB to Bob, who can multiply it with B^(-1)
to obtain S.
If my memory is correct, nobody has commented at that time
whether the scheme is secure or not (or how secure it is).
Does anyone know more about the issue or can say something
concrete about the security of the scheme? Thanks.
M. K. Shen
------------------------------
From: Simon Best <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Homebrew Block Cipher: Moonshine
Date: Fri, 15 Dec 2000 19:26:05 +0000
Tom St Denis wrote:
>
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
[...]
> > > Are the "offset/stride" pairs key dependent? If so I smell WEAKKEYS...
> >
> > No, it's not key dependent, I don't think I described it very well.
> >
> > It does several slice array cyclings for each shuffle, but each shuffle
> > is identical. There's just one shuffle per round.
>
> Good this means at best you can optimize the shuffle for maximal
> potential diffusion.
>
> > I should probably replace this so called shuffling with something less
> > regular, and have a different shuffling in each round (but, of course,
> > with no key dependency).
>
> Try replacing the shuffle with a single convolution (i.e a permutation)
> that has additional properties that each byte affects each other after
> X rounds (X -> 0).
Cutting out some stuff, the cipher does this:
Repeat:
{
    Shuffle block
    Do diffusion by repeating:
    {
        Reorder bytes
        Mix byte pairs
    } until each byte has affected each other byte
}
The thinking is that byte reordering is optimal for getting each byte to
affect each other after log[2]Nb rounds of reordering and mixing (if
log[2]Nb is an integer, where "log[2]" means 'logarithm base 2' and "Nb"
is the block size in bytes). (For example, for a 256b block, five
rounds of reordering and mixing are needed for each byte to affect each
other.)
This has the property you mention of each byte interacting with each
other, but is, as you have previously pointed out, very regular. That's
why I wanted to add the extra shuffling step, so as to have the bytes in
different starting positions each time diffusion starts. I could have
had something different for byte reordering, but I wanted to keep that
bit simple.
[...]
> Well I learnt quite a bit about sbox generation from several papers
> (Don't read anything by the CAST team they suck!) and writing my own
> program to make them (on my website). My new ciphers either use
> Rijndael like sboxes (not the same) or randomly derived ones.
I'll have to have a look at your website.
[...]
> > > Of course this becomes a MDS matrix so at least diffusion is optimal
> > > here :-)
> >
> > Hooray! (I really will have to properly learn what an MDS matrix is...)
>
> Read Serge Vaudenay's paper "On the need for Multipermutations:
> Cryptanalysis of MD4 and SAFER". An MDS matrix is a special form of a
> (n,r)-multipermutation where n=r. Generally it means you take two 2n-
> dimension vectors of the form <x, F(x)> and <x', F(x')> and the number
> of elements of each vector that differ is always at least n+1 provided
> that x != x'.
>
> In your case n=r=2 and if you change any input vector both must
> change. If you change both, only one has to change on the output but
> both will with higher probability.
Ah. I'll have to read up on these things.
> > Thank you for your helpful, critical perusal!
>
> Well, you're welcome. You are taking on quite a bit in your first
> cipher :) Personally I like simple designs (such as TC5 :)).
>
> Tom
Seems I'm succeeding in my first goal of jumping in at the deep end!
Simon
--
_______________________________________________________________________________
Personal: [EMAIL PROTECTED]
Yellow Skies: [EMAIL PROTECTED] http://www.yellowskies.com
Everyone does their own signature to be different. How does that work?
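The inner "reorder bytes, mix byte pairs" loop described above, as an added Python example; it is not code from the thread or from the Moonshine cipher itself. The post does not say what the reordering is, so the example assumes a perfect shuffle (interleaving the two halves of the block), and it uses a pseudo-Hadamard transform as a stand-in for the unspecified pair mixing. It tracks which input bytes each position depends on, confirms the log[2]Nb round count (five rounds for a 32-byte block), and then checks on a constructed sample block that a one-byte change actually reaches every output byte after that many rounds.

```python
def perfect_shuffle(seq):
    """Reorder step: interleave the two halves of the block (an 'out-shuffle').
    This is the reordering the example assumes; the post does not spell one out."""
    assert len(seq) % 2 == 0, "pair mixing needs an even number of bytes"
    half = len(seq) // 2
    out = []
    for i in range(half):
        out.append(seq[i])
        out.append(seq[half + i])
    return out


def mix_pairs(seq, mix):
    """Mix step: apply a 2-input/2-output mixing function to bytes (2i, 2i+1)."""
    out = list(seq)
    for i in range(0, len(seq), 2):
        out[i], out[i + 1] = mix(seq[i], seq[i + 1])
    return out


def diffusion_round(seq, mix):
    return mix_pairs(perfect_shuffle(seq), mix)


def rounds_to_full_diffusion(nb):
    """Track dependency sets as bitmasks (bit i set = 'depends on input byte i')
    and count rounds until every position depends on every input byte."""
    state = [1 << i for i in range(nb)]
    full = (1 << nb) - 1
    rounds = 0
    while any(m != full for m in state):
        if rounds > nb:
            raise RuntimeError("this reordering never fully diffuses %d bytes" % nb)
        # For dependency tracking the "mix" is just set union of both inputs.
        state = diffusion_round(state, lambda x, y: (x | y, x | y))
        rounds += 1
    return rounds


def pht(a, b):
    """Pseudo-Hadamard transform: an invertible 2-byte mix in which each output
    depends on both inputs (a stand-in for the post's unspecified pair mixing)."""
    return (a + b) & 0xFF, (a + 2 * b) & 0xFF


def diffuse(block, rounds):
    for _ in range(rounds):
        block = diffusion_round(block, pht)
    return block


def avalanche_count(block, idx, rounds):
    """Number of output bytes that change when input byte idx is incremented."""
    tweaked = list(block)
    tweaked[idx] = (tweaked[idx] + 1) & 0xFF
    return sum(x != y for x, y in zip(diffuse(list(block), rounds),
                                       diffuse(tweaked, rounds)))


if __name__ == "__main__":
    for nb in (8, 16, 32, 64):
        print(nb, "bytes:", rounds_to_full_diffusion(nb), "rounds")
    block = list(range(32))  # constructed 256-bit sample block
    for r in range(6):
        print("rounds", r, "-> bytes changed:", avalanche_count(block, 0, r))
```

Dependency tracking is necessary but not sufficient: whether a difference survives also depends on the mixing function. With the PHT and a +1 change, every output difference is a positive integer that grows by at most a factor of three per round, so it cannot wrap to zero mod 256 within five rounds, which is why the avalanche count matches the dependency count here; a mixer that lets differences cancel would need a separate check.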
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Help with code generator/Formula
Date: Fri, 15 Dec 2000 19:17:44 GMT
In article <91d9qi$tak$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Here is my situation. I am trying to figure out a formula/code for a
> number generator. I have 5000 pairs of the input number and the result.
> Let me explain. A certain number X is entered into a program. Then it
> returns Y. I have 5000 XY pairs. Can someone lead me to what I need to
> do to find the formula that creates Y? Is 5000 pairs enough?
> Thanks,
> Topkat0
>
> Sent via Deja.com
> http://www.deja.com/
>
Hrm, this is tricky...... I'm not sure
if there is a standard algorithm to do this.... instinct tells me there
isn't. What you will have to do is use trial and error to construct
the algorithm.
I'm sorry, 'cause this isn't much help.
Yours,
Simon
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (Eric Lee Green)
Subject: Reminder
Reply-To: [EMAIL PROTECTED]
Date: Fri, 15 Dec 2000 19:41:27 GMT
I just got a call from a Ms. Curry with the Bureau of Export
Administration. She said she'd read my aescrypt page
(http://aescrypt.sourceforge.net), followed the link to my employer's
home page, and wished to remind us that even if the encryption
components themselves are released as Open Source, we still have to
file the proper paperwork if we wish to export a commercial product
that uses those encryption components. I had already made my
management aware of that, but I'm sure that others are not aware. Thus
I'm forwarding this reminder to this newsgroup as a public service for
others who may wish to use Open Source encryption components as part
of a larger system: You do need to file a separate request for the entire
system too.
Followups to talk.politics.crypto, since I can't conceive of any
useful discussion relevant to sci.crypt.
--
Eric Lee Green There is No Conspiracy
[EMAIL PROTECTED] http://www.badtux.org
------------------------------
From: Simon Best <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Homebrew Block Cipher: Moonshine
Date: Fri, 15 Dec 2000 19:42:57 +0000
Simon Johnson wrote:
>
> > Laziness. Or, rather, more interested in other bits of the cipher, so I
> > was just lazy with this bit. I will come up with one of my own, though,
> > and (hopefully) learn from it (as you suggest).
>
> Actually, s-boxes (generally) give a cipher most of its security. Its a
> good idea to spend your time designing a good set of s-boxes for your
> cipher. After all, you want it to last as long as possible without a
> break. :)
Indeed. I'll have to spend time getting myself up to speed with good
S-box design and analysis. And, of course, spend time practicing these
things.
> I'm glad to see more home-brewers out there :)
>
> Yours,
>
> Simon.
Are you also a homebrewer, then?
Simon
--
_______________________________________________________________________________
Personal: [EMAIL PROTECTED]
Yellow Skies: [EMAIL PROTECTED] http://www.yellowskies.com
Everyone does their own signature to be different. How does that work?
------------------------------
From: Simon Johnson <[EMAIL PROTECTED]>
Subject: Re: Blum Blum and Shub
Date: Fri, 15 Dec 2000 19:37:46 GMT
In article <[EMAIL PROTECTED]>,
Peter Fairbrother <[EMAIL PROTECTED]> wrote:
> Does anyone know the legal status of Blum Blum and Shub PRNG's? Any patents
> etc?
>
> Thanks
> Peter
> --
> [EMAIL PROTECTED]
> http://www.m-o-o-t.org
>
> ps what wonderful names cryptologists have!
>
>
Doubt there are. It isn't mentioned in Applied Crypto (which mentions
these things).
--
Hi, i'm the signuture virus,
help me spread by copying me into Signiture File
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Simon Best <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Q: Result of an old thread?
Date: Fri, 15 Dec 2000 19:59:51 +0000
Mok-Kong Shen wrote:
>
> Quite a time ago someone posted a scheme of transmission of
> message without using a shared secret key as follows (all
> matrices are of the same size):
>
> The message is in a singular matrix S (e.g. one with a zero
> column). Alice chooses an arbitrary non-singular matrix A
> and sends AS to Bob.
And, unbeknownst to Alice and Bob, AS is intercepted by me...
> Bob chooses an arbitrary non-singular matrix B and sends ASB
> to Alice.
And, again, I intercept ASB...
> Alice multiplies it with A^(-1) and sends SB to Bob, who can
> multiply it with B^(-1) to obtain S.
While I intercept SB, too...
> If my memory is correct, nobody has commented at that time
> whether the scheme is secure or not (or how secure it is).
> Does anyone know more about the issue or can say something
> concrete about the security of the scheme? Thanks.
>
> M. K. Shen
Correct me if I am making a basic blunder with basic matrix arithmetic
here, but now that I have AS, ASB, and SB, can't I just get the
multiplicative inverse of AS, multiply that by ASB, and end up with B?
That gets me Bob's secret matrix. (I'm assuming that matrices are
transposed as necessary for all of this stuff.)
Then, I get the multiplicative inverse of B, multiply that by SB, and
I've got S, the secret message!
Then, I get the multiplicative inverse of S, multiply that by AS, and
I've got A, too. So I end up with the secret message, and Alice's and
Bob's secret matrices, too?
Seems hopelessly insecure to me.
Simon
--
_______________________________________________________________________________
Personal: [EMAIL PROTECTED]
Yellow Skies: [EMAIL PROTECTED] http://www.yellowskies.com
Everyone does their own signature to be different. How does that work?
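Simon's three interceptions, worked through as an added Python example that is not code from the thread. It runs over GF(101) with a constructed 3x3 message matrix; both are choices of the example, since the original post fixes neither. One detail the step-by-step above glosses over: AS inherits the zero column of S, so it is singular and has no inverse. The example therefore solves the linear system AS*B' = ASB for any invertible B' instead of inverting AS; SB*B'^(-1) then equals S, because multiplying it by A gives ASB*B'^(-1) = AS*B'*B'^(-1) = AS. So the transcript does determine the message, which is the conclusion reached above.

```python
import random

P = 101  # constructed: the example works over GF(101); the post does not fix a field


def mat_mul(X, Y):
    """Matrix product over GF(P)."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]


def mat_inv(M):
    """Gauss-Jordan inverse over GF(P); returns None when M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, P)
        aug[c] = [v * inv % P for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def solve_right(M, Y):
    """All solutions X of M X = Y over GF(P), returned as (X0, null): X = X0 + N
    for any N whose columns lie in span(null).  Row-reduces [M | Y]; M may be
    singular, which is exactly the case for M = AS."""
    n, m = len(M), len(Y[0])
    aug = [M[i][:] + Y[i][:] for i in range(n)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, n) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [v * inv % P for v in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % P for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(any(aug[i][n:]) for i in range(r, n)):
        raise ValueError("system is inconsistent")
    X0 = [[0] * m for _ in range(n)]          # particular solution: free rows = 0
    for i, c in enumerate(pivots):
        X0[c] = aug[i][n:]
    null = []                                 # one null-space vector per free column
    for f in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[f] = 1
        for i, c in enumerate(pivots):
            v[c] = (-aug[i][f]) % P
        null.append(v)
    return X0, null


def eavesdrop(AS, ASB, SB, rng):
    """Recover S from the three intercepted transmissions: pick any invertible B'
    with AS B' = ASB, then S = SB B'^-1 (see the lead-in for why this is exact)."""
    n = len(AS)
    B0, null = solve_right(AS, ASB)
    for _ in range(50):
        Bp = [row[:] for row in B0]
        for v in null:                        # add v * r^T for a random row r
            rvec = [rng.randrange(P) for _ in range(n)]
            for i in range(n):
                for j in range(n):
                    Bp[i][j] = (Bp[i][j] + v[i] * rvec[j]) % P
        Binv = mat_inv(Bp)
        if Binv is not None:
            return mat_mul(SB, Binv)
    raise RuntimeError("no invertible candidate found")


def random_invertible(n, rng):
    while True:
        M = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if mat_inv(M) is not None:
            return M


def run_protocol(seed=1):
    """Constructed run: S carries the message in its first two columns; the
    third column is zero, which is what makes S singular.  Returns (S, recovered)."""
    rng = random.Random(seed)
    S = [[1, 2, 0], [3, 4, 0], [5, 6, 0]]
    A, B = random_invertible(3, rng), random_invertible(3, rng)
    AS = mat_mul(A, S)                        # Alice -> Bob
    ASB = mat_mul(AS, B)                      # Bob -> Alice
    SB = mat_mul(mat_inv(A), ASB)             # Alice -> Bob, after applying A^-1
    return S, eavesdrop(AS, ASB, SB, rng)


if __name__ == "__main__":
    S, recovered = run_protocol()
    print("recovered == S:", recovered == S)
```

The search for an invertible B' succeeds almost immediately: the solution set is an affine space that contains Bob's real B, and only a fraction of about 1/P of it is singular.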
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************