Cryptography-Digest Digest #493, Volume #13 Thu, 18 Jan 01 20:13:01 EST
Contents:
Re: Kooks (was: NSA and Linux Security) ("Douglas A. Gwyn")
Re: using AES finalists in series? ("Douglas A. Gwyn")
Re: [H] one-way hash functions (aWARe)
Re: [H] one-way hash functions (David Schwartz)
Re: Kooks (was: NSA and Linux Security) (Greggy)
Re: RSA sign in 40ms on a DSP ? ("Michael Scott")
Re: Comparison of ECDLP vs. DLP (Gregory G Rose)
Re: using AES finalists in series? ("Paul Pires")
Re: Any good source of cryptanalysis source code (C/C++)? (John Myre)
Re: Any good source of cryptanalysis source code (C/C++)? ("Paul Pires")
Re: Comparison of ECDLP vs. DLP (Roger Schlafly)
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Kooks (was: NSA and Linux Security)
Date: Thu, 18 Jan 2001 22:24:02 GMT
Greggy wrote:
> > > > legally declared the citizens of the US enemies of the US
> "During time of war or during any other period of national emergency
> declared by the President, the President may ... regulate ...
> any transactions in foreign exchange, ... hoarding, melting, or
> earmarkings of gold or silver..., by any person within the United
> States or anyplace subject to the jurisdiction thereof".
That is not a declaration of US citizens as "enemies". You're
reading too much into the title of the Act -- does the Gun Owners'
Protection Act of 1968 really protect gun owners? The titles are
for mnemonic and reference purposes only.
It is obvious that the purpose behind the amendment was to close
a loophole whereby US citizens could abet the enemy by acting as
their agent in such transactions.
> When you get done reading through that stuff, if you are interested, do
> a search on the "missing thirteenth amendment"
The claim that it was ratified by a 13th state relies entirely on
the Virginia legislature's Act No. 280: "... there shall be published
an edition of the Laws of this Commonwealth in which shall be
contained ..." and the subsequent publication of the Virginia
Civil Code containing the proposed 13th Amendment among other
US and Virginia laws. At that time (1819) there were 21 states,
so even if Virginia had thereby ratified the amendment (which
is debatable, to say the least), it would have still failed to
gain the required 3/4 approval (16 states, not 13).
> Finally, after reading through all that, you may want to go to
> www.devvy.com in which Devvy Kidd asserts and backs up that several
> of our constitutional amendments were never properly ratified, ...
Strangely, those arguments rely on the idea that states must
follow certain strict procedures for their ratification to be
valid -- the exact opposite of the position taken for the
missing thirteenth amendment!
In fact, the Constitution does not spell out the procedure,
so it becomes a matter of judgment (judicial and political),
and historically we the people (and our representatives) have
accepted a certain well-known set of Amendments as properly
ratified.
> ... [Devvy] said:
> "It is mathematically impossible for the national debt to decrease.
The argument was ridiculous. By time reversal one could use
the same "deductive" chain to conclude that the national debt
can never *increase*. The fact is, it can do either, depending
on financial policy.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: using AES finalists in series?
Date: Thu, 18 Jan 2001 22:29:38 GMT
Terry Ritter wrote:
> AES is of course an attempt to limit cipher development, ...
No, it's an attempt to control the cost of implementation and
operation of commercial encryption by promoting interoperability.
It's similar to the function of standards for screw threads,
programming languages, etc.
------------------------------
From: aWARe <[EMAIL PROTECTED]>
Subject: Re: [H] one-way hash functions
Reply-To: swap "y" and "i"
Date: Thu, 18 Jan 2001 23:28:26 GMT
On Thu, 18 Jan 2001 14:15:49 -0800, "Joseph Ashwood" <[EMAIL PROTECTED]>
wrote:
>The best advice we can give you on this is to do it the simplest way, pick 8
>bytes you want to keep, and keep them. You can use the last 8 bytes, the
>first, the middle, the first half of each byte. Just don't start playing
>with extra hash functions afterward, you run a very real risk of weakening
>the system (with hash functions in particular it is not difficult).
> Joe
hi Joe,
thanks for the reply.
but if MD5 (for example) gives this output
x -> MD5 -> 1abcd
y -> MD5 -> 2abcd
from MD5's point of view the results are correct, but if I take
the first four chars (abcd) as you said, I have a collision...
I forgot to say that I have no security needs, only an
"absolute" collision-free necessity: so if I use two hash functions as
I said to reduce the MD5 output to 8 bytes, could I risk having a lot
of collisions (or is the problem "only" the system weakening)?
thanks a lot for your help
aWARe
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: [H] one-way hash functions
Date: Thu, 18 Jan 2001 15:45:23 -0800
aWARe wrote:
> I forgot to say that I have no security needs, only an
> "absolute" collision-free necessity: so if I use two hash functions as
> I said to reduce the MD5 output to 8 bytes, could I risk having a lot
> of collisions (or is the problem "only" the system weakening)?
> thanks a lot for your help
The collision resistance will scale directly with the number of bits.
The expected number of elements hashed before a collision is found is
approximately 2^(n/2) where 'n' is the number of bits. So if you use an
8 byte (64-bit) hash, the expected number of elements hashed before a
collision is 4 billion. That's not going to be enough.
So here's what you need to do: decide how many elements you want a
person to have to check before he has a 50% chance of finding a
collision. Then truncate the MD5 checksum to that number of bytes. 11
bytes would be about 17 trillion. 10 bytes would be about 1.1 trillion.
9 bytes would be about 69 billion.
DS
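Measured, as an added example that is not part of either post above: the script truncates MD5 to a few bytes, hashes constructed inputs ("item-0", "item-1", ...) until two of them collide on the truncated value, and compares the trial count with the 2^(n/2) rule of thumb. It also computes the collision probability for a given number of items, which is the number aWARe actually needs for an "absolute collision-free" requirement. Only the standard library is used.

```python
"""Truncating MD5 to n bytes: the birthday bound, measured.

Added example, not code from the thread. Inputs are constructed for the demo.
"""
import hashlib
import math
from itertools import count


def truncated_md5(data: bytes, nbytes: int) -> bytes:
    """Keep only the first nbytes of MD5(data), the 'simplest way' from the thread."""
    return hashlib.md5(data).digest()[:nbytes]


def trials_for_50_percent(nbits: int) -> float:
    """Inputs needed for a 50% collision chance on an nbits-bit value:
    sqrt(2 ln 2) * 2^(n/2), about 1.18 * 2^(n/2). The post rounds this to 2^(n/2)."""
    return math.sqrt(2 * math.log(2)) * 2 ** (nbits / 2)


def collision_probability(nbits: int, items: int) -> float:
    """Probability that at least two of `items` random nbits-bit values coincide:
    1 - exp(-k(k-1) / 2^(n+1)). expm1 keeps precision when the result is tiny."""
    return -math.expm1(-items * (items - 1) / 2 ** (nbits + 1))


def find_collision(nbytes: int, prefix: bytes = b"item-"):
    """Hash prefix+counter until two inputs share the same truncated MD5.
    Returns (inputs_hashed, first_input, second_input)."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_md5(msg, nbytes)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg


def mean_trials(nbytes: int, runs: int) -> float:
    """Average number of inputs hashed before the first collision, over several
    runs that each use a different input prefix."""
    total = sum(find_collision(nbytes, b"run%d-" % k)[0] for k in range(runs))
    return total / runs


if __name__ == "__main__":
    for nbytes in (2, 3):
        trials, a, b = find_collision(nbytes)
        print(f"{nbytes} bytes: {a!r} and {b!r} collide on "
              f"{truncated_md5(a, nbytes).hex()} after {trials} inputs "
              f"(50% point ~ {trials_for_50_percent(8 * nbytes):.0f})")
    print("16-bit truncation, mean inputs to first collision over 32 runs:",
          mean_trials(2, 32))
    print("64-bit truncation, 2^32 items:  P(collision) =",
          round(collision_probability(64, 2 ** 32), 3))
    print("64-bit truncation, 10^6 items:  P(collision) =",
          collision_probability(64, 10 ** 6))
```

The first two loops run in milliseconds (a 16-bit prefix collides after a few hundred inputs, a 24-bit one after a few thousand), which is the point: the work to find a collision grows as 2^(n/2), not 2^n, so the choice of how many bytes to keep has to start from the number of items that will ever be hashed, not from the hash's full width.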
------------------------------
From: Greggy <[EMAIL PROTECTED]>
Subject: Re: Kooks (was: NSA and Linux Security)
Date: Thu, 18 Jan 2001 23:50:29 GMT
In article <[EMAIL PROTECTED]>,
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Greggy wrote:
> > > > > legally declared the citizens of the US enemies of the US
> > "During time of war or during any other period of national emergency
> > declared by the President, the President may ... regulate ...
> > any transactions in foreign exchange, ... hoarding, melting, or
> > earmarkings of gold or silver..., by any person within the United
> > States or anyplace subject to the jurisdiction thereof".
>
> That is not a declaration of US citizens as "enemies". You're
> reading too much into the title of the Act -- does the Gun Owners'
> Protection Act of 1968 really protect gun owners? The titles are
> for mnemonic and reference purposes only.
>
> It is obvious that the purpose behind the amendment was to close
> a loophole whereby US citizens could abet the enemy by acting as
> their agent in such transactions.
Read the material before you comment. It is lengthy, but I don't go
into details here.
> > When you get done reading through that stuff, if you are interested, do
> > a search on the "missing thirteenth amendment"
>
> The claim that it was ratified by a 13th state relies entirely on
> the Virginia legislature's Act No. 280: "... there shall be published
> an edition of the Laws of this Commonwealth in which shall be
> contained ..." and the subsequent publication of the Virginia
> Civil Code containing the proposed 13th Amendment among other
> US and Virginia laws. At that time (1819) there were 21 states,
> so even if Virginia had thereby ratified the amendment (which
> is debatable, to say the least), it would have still failed to
> gain the required 3/4 approval (16 states, not 13).
I know what you are saying. Jol Silversmith made similar claims and
actually convinced me I was wrong. Recently I came across an argument
not even you can refute that says I am right. Your statement shows you
are thinking and looking in the wrong place altogether - as I was.
> > Finally, after reading through all that, you may want to go to
> > www.devvy.com in which Devvy Kidd asserts and backs up that several
> > of our constitutional amendments were never properly ratified, ...
>
> Strangely, those arguments rely on the idea that states must
> follow certain strict procedures for their ratification to be
> valid -- the exact opposite of the position taken for the
> missing thirteenth amendment!
Obviously you did not read the material to understand their claims.
> In fact, the Constitution does not spell out the procedure,
> so it becomes a matter of judgment (judicial and political),
> and historically we the people (and our representatives) have
> accepted a certain well-known set of Amendments as properly
> ratified.
But when the wording is changed, the ratification is invalid because
what is being ratified is NOT what is put forth.
But then, you need to read what she has to offer and do the research
yourself.
>
> > ... [Devvy] said:
> > "It is mathematically impossible for the national debt to decrease.
>
> The argument was ridiculous. By time reversal one could use
> the same "deductive" chain to conclude that the national debt
> can never *increase*. The fact is, it can do either, depending
> on financial policy.
Then prove me wrong in the example I gave (that you snipped out).
YOU CAN'T!
--
13th amendment to the US Constitution:
If any citizen of the United States shall accept, claim, receive,
or retain any title of nobility or honour, or shall, without the
consent of Congress, accept and retain any present, pension, office,
or emolument of any kind whatever, from any emperor, king, prince,
or foreign power, such person shall cease to be a citizen of the
United States, and shall be incapable of holding any office of
trust or profit under them, or either of them.
Sent via Deja.com
http://www.deja.com/
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: RSA sign in 40ms on a DSP ?
Date: Thu, 18 Jan 2001 18:00:21 -0600
The full Dusse & Kaliski paper is available from
http://imailab-www.iis.u-tokyo.ac.jp/limit/Papers/Crypto_Eurocrypt/HTML/PDF/E90/230.PDF
although this would appear to be a blatant breach of copyright.
Mike Scott
"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Charles Oram" <[EMAIL PROTECTED]> writes:
> > I'm looking at an application where I need to do a 512bit RSA encryption
> > using the private key (i.e. sign) on an 80MHz Motorola DSP56301 in around
> > 40ms......
> See the paper "A cryptographic library for the Motorola 56000" by
> M. Dusse and B. Kaliski, which I think was in Crypto 90. They used around a
> 25 mhz part and did a signature in around 50 ms, and it may have been
> a 1024 bit signature (two 512 bit modexps plus CRT recombination). I
> don't remember off the top of my head. You can probably license that
> code from RSA Security if you want to go that route and are willing to
> pay them enough.
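The "two 512 bit modexps plus CRT recombination" in the quoted reply is the standard way to make RSA private-key operations affordable on a small processor. As an added example (not code from the thread, nor from the Dusse & Kaliski library), the following computes an RSA signature both ways and checks that they agree: s_p = m^(d mod (p-1)) mod p and s_q = m^(d mod (q-1)) mod q are each done with half-size operands, then combined with Garner's formula. Key sizes are toy (256-bit primes, a fixed seed so the run is reproducible); the arithmetic is identical at real sizes.

```python
"""RSA signing with the Chinese Remainder Theorem (CRT).

Added example, not from the thread. Toy key sizes and a fixed RNG seed are
used so the demo runs instantly and reproducibly; real keys need a CSPRNG.
"""
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def rsa_keygen(bits, e=65537, seed=2001):
    """Toy RSA key with the CRT parameters a signer keeps alongside d."""
    rng = random.Random(seed)
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:   # gcd(e, phi) == 1 since e is prime
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),        # CRT exponents: half the size of d
        "dq": d % (q - 1),
        "qinv": pow(q, -1, p),    # q^-1 mod p for Garner's recombination
    }


def sign_plain(m, key):
    """Reference: one full-size modular exponentiation."""
    return pow(m, key["d"], key["n"])


def sign_crt(m, key):
    """Two half-size exponentiations plus Garner's recombination."""
    p, q = key["p"], key["q"]
    s_p = pow(m % p, key["dp"], p)
    s_q = pow(m % q, key["dq"], q)
    h = (key["qinv"] * (s_p - s_q)) % p
    return s_q + h * q            # s_q < q and h < p, so the result is already in [0, n)


def verify(m, s, key):
    """RSA verification: one exponentiation with the small public exponent."""
    return pow(s, key["e"], key["n"]) == m


if __name__ == "__main__":
    key = rsa_keygen(512)
    m = 0x1234567890ABCDEF          # stands in for a padded message hash
    s = sign_crt(m, key)
    print("CRT == plain:", s == sign_plain(m, key))
    print("verifies:    ", verify(m, s, key))
```

With schoolbook multiplication a modular exponentiation costs roughly cubic in the operand length, so two half-size exponentiations take about a quarter of the time of one full-size one, which is the margin that makes a 1024-bit signature fit a 50 ms budget on a 1990 DSP. One caveat a practitioner should keep in mind: the CRT path is what fault attacks on RSA signing target (a single wrong s_p or s_q leaks a factor of n through gcd(s - s', n)), so production code verifies the signature with the public exponent before releasing it, as `verify` does here.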
------------------------------
From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: Comparison of ECDLP vs. DLP
Date: 18 Jan 2001 16:07:34 -0800
In article <93sqj3$a0b$[EMAIL PROTECTED]>,
Alfred John Menezes <[EMAIL PROTECTED]> wrote:
>Suppose, as with the DSA, that q is a prime divisor of p-1, and
>that a Diffie-Hellman key agreement scheme stipulates that we work
>using powers of g, where g is an element of order q in the integers
>modulo p. Thus, a valid public key is one that is a power of g,
>while an invalid public key is one that is not a power of g.
>
>Now suppose that Alice selects a public key that is *not*
>a power of g. When Bob subsequently engages in a Diffie-Hellman key
>agreement with Alice, he would like to be assured that Alice's public
>key is indeed valid -- that is, the public key is a power of g, so a
>logical private key does indeed exist. Note that this is important
>from Bob's perspective since he is about to combine his own private
>key with Alice's public key. If the latter is invalid, then subsequent
>use of the agreed key may leak information about Bob's private key
>to Alice -- this should not happen for properly-implemented
>Diffie-Hellman key agreement.
In this particular example, Alice's public key (call
it K) can easily be validated -- if q is prime
(and being a parameter of the system one can
probably assume it to be pre-validated, but you
can always check too), then if K^(q-1) mod P == 1
K was an element of order q, and hence is a power
of g since g is also an element of order q.
Technically, one must also check that K wasn't +/-1.
The DSA FIPS specifies parameter checks along
these lines before a signature is considered
valid, IIRC.
So I guess I'm not sure what point you were trying
to make with this example. Why do you need
certificates from a third party?
Greg.
--
Greg Rose INTERNET: [EMAIL PROTECTED]
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
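The validation step discussed in the two posts above, as an added example that is not code from either poster: the membership test for the order-q subgroup of Z_p^* is 1 < K < p together with K^q = 1 (mod p), which is what a "valid public key is a power of g" check amounts to when q is prime. The second half of the script shows the leak Menezes describes when the check is skipped: an Alice who sends elements of small order instead of powers of g confines the shared secret to a handful of values and reads off Bob's private key modulo each small factor of p-1. The parameters are constructed toy values (p = 2311, q = 11, so p-1 = 2*3*5*7*11); real groups use a 2048-bit p and a q of at least 256 bits. The key-confirmation tag Bob returns is an assumption of the demo, standing in for any use of the agreed key that Alice can observe.

```python
"""Diffie-Hellman public-key validation in an order-q subgroup, and what an
invalid key leaks when the check is skipped (small-subgroup confinement).

Added example, not from the thread. Toy parameters, constructed for the demo.
"""
import hashlib
import secrets
from math import prod

P = 2311                       # prime; p - 1 = 2 * 3 * 5 * 7 * 11
Q = 11                         # prime order of the intended subgroup <g>
SMALL_FACTORS = (2, 3, 5, 7)   # the other prime factors of p - 1


def element_of_order(r, p):
    """Return an element of order exactly r in Z_p^* (r a prime dividing p - 1)."""
    cofactor = (p - 1) // r
    for h in range(2, p):
        x = pow(h, cofactor, p)
        if x != 1:             # x^r = h^(p-1) = 1 and x != 1, r prime => order r
            return x
    raise ValueError("no element of that order")


def validate_dh_public(k, p, q):
    """Full public-key validation: K must be a non-trivial power of g,
    i.e. 1 < K < p and K^q = 1 (mod p)."""
    return 1 < k < p and pow(k, q, p) == 1


def confirmation_tag(shared, p):
    """Bob's key-confirmation value (constructed for the demo): a hash of the
    shared secret, which Alice can compare against her own guesses."""
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(size, "big")).digest()


def bob_responds(k_alice, b, p, q, validate):
    """Bob combines his private key b with Alice's public value and returns
    a confirmation tag; with validate=True an invalid K is refused."""
    if validate and not validate_dh_public(k_alice, p, q):
        raise ValueError("invalid DH public key")
    return confirmation_tag(pow(k_alice, b, p), p)


def crt(residues):
    """Combine (value mod n) pairs with pairwise coprime moduli n."""
    x, m = 0, 1
    for r, n in residues:
        t = ((r - x) * pow(m, -1, n)) % n
        x, m = x + m * t, m * n
    return x % m


def small_subgroup_attack(b, p, q, validate=False):
    """Alice sends an element of each small order r instead of a power of g.
    The shared secret K_r^b then lies in a set of only r values, so one
    confirmation tag reveals b mod r. Returns (b mod M, M) with M = prod(r)."""
    residues = []
    for r in SMALL_FACTORS:
        k_r = element_of_order(r, p)
        tag = bob_responds(k_r, b, p, q, validate)
        for i in range(r):                     # try all r candidate secrets
            if confirmation_tag(pow(k_r, i, p), p) == tag:
                residues.append((i, r))
                break
    return crt(residues), prod(SMALL_FACTORS)


if __name__ == "__main__":
    g = element_of_order(Q, P)                 # a generator of the order-q subgroup
    b = secrets.randbelow(Q - 1) + 1           # Bob's private key, 1 <= b < q
    print("valid key accepted:  ", validate_dh_public(pow(g, b, P), P, Q))
    print("order-2 key rejected:", not validate_dh_public(P - 1, P, Q))
    recovered, modulus = small_subgroup_attack(b, P, Q)
    print(f"without validation Alice learns b mod {modulus} = {recovered} (b = {b})")
    try:
        small_subgroup_attack(b, P, Q, validate=True)
    except ValueError as err:
        print("with validation:", err)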
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: using AES finalists in series?
Date: Thu, 18 Jan 2001 16:11:22 -0800
Terry Ritter <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> On Thu, 18 Jan 2001 11:50:50 -0800, in
> <3a674992$[EMAIL PROTECTED]>, in sci.crypt "Paul Pires"
> <[EMAIL PROTECTED]> wrote:
>
> >Gary Watson <[EMAIL PROTECTED]> wrote in message
> >news:nuF96.1804$wL5.36733@NewsReader...
> >>
> >> If one had sufficient CPU power or minimal throughput requirements, is there
> >> any reason why one couldn't use all five AES round two finalists in series?
> >> This would guard against a weakness being found in one of them, or if one or
> >> two of the candidates were deliberately weak systems promulgated by sinister
> >> government forces. (Is it necessarily true that security must improve at
> >> least a little each time you run the ciphertext through a new crypto
> >> algorithm? Don't know, this isn't my line of work...)
> >
> >Not binary answers here but something to think about...
> >
> >Is the security of a process only reduced when important elements
> >are omitted? Can a flaw be introduced by adding operations?
> >I believe this has been demonstrated in some cases.
>
> Sure, if we use the same cipher, in decipher mode, with the same key,
> we can say that has "weakened" the cipher.
>
> So don't do that.
>
> In particular, when using multiple ciphers, the key for each cipher
> must be independently selected.
>
> If one could make a cipher weaker simply by adding another ciphering
> layer, that would be a way to attack the cipher. Yet we don't see
> such attacks. Why?
>
>
> >So,
> >how are you going to get any confidence in your process to justify
> >the added complexity? How are you going to maintain the confidence
> >in the components you use that are being used under different
> >conditions than they were analyzed?
>
> Ciphers are analyzed for arbitrary data. Ciphertext is data.
>
>
> >Can you randomly mix chemicals and achieve a non-toxic
> >result?
> >
> >Sure.
> >
> >Should you test them by ingestion?
>
> False analogy, false implication.
Come on Terry, I responded in the context of the original post.
Nothing in that original post suggested that the ciphers were
selected according to logic or science or even a plan. Looked
like a coin flip to me. He wanted to know what we "Think"
about his proposition and my basic response was to show him
something to think about.
He was clearly proposing the conglomeration of methods by
label. You have thought long and hard about this and present
rational arguments. Do I think YOU would be a target of
opportunity if you did this? Not hardly.
This isn't another "benefits of multiple encryption" argument. I just
think that having a notion of why vs. why not might be relevant.
I definitely think his time would be better spent learning about
the art or in coming up with a better understanding of the
threat before slogging off into multiple encryption scenarios.
I personally think that there isn't a chance that the mentioned
method would be weaker but I think that design should be
driven by objectives and understanding not the simple heaping
of complexity that is so easy to do and yet so hard to figure
out why the heck you did it and what it really got you.
Do I think you could make a good argument for doing it?
Well, you've almost convinced me. Do I think he should
be fretting about it? Nope.
Paul
>
> ---
> Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
> Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
>
====== Posted via Newsfeeds.Com, Uncensored Usenet News ======
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
======= Over 80,000 Newsgroups = 16 Different Servers! ======
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Any good source of cryptanalysis source code (C/C++)?
Date: Thu, 18 Jan 2001 17:12:15 -0700
Bob Silverman wrote:
<snip>
> I don't think Tom was rude at all.
<snip>
Tom wrote, in part:
> This question is asked like 50 times a day here... For #### sake
> cryptanalysis is not some magic wand. Get a grip and read papers!
Perhaps the OP deserved it - I won't try to debate
that issue - but the above response is indeed rude.
It's still rude even if we say it is justified.
JM
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Any good source of cryptanalysis source code (C/C++)?
Date: Thu, 18 Jan 2001 16:47:47 -0800
John Myre <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Bob Silverman wrote:
> <snip>
> > I don't think Tom was rude at all.
> <snip>
>
> Tom wrote, in part:
> > This question is asked like 50 times a day here... For #### sake
> > cryptanalysis is not some magic wand. Get a grip and read papers!
>
> Perhaps the OP deserved it - I won't try to debate
> that issue - but the above response is indeed rude.
>
> It's still rude even if we say it is justified.
Every lofty bastion needs a Gargoyle over the portal.
Maybe Tom has a function if not a justification.
Naw, Gargoyles are kinda cute.
Paul
>
> JM
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Comparison of ECDLP vs. DLP
Date: Thu, 18 Jan 2001 17:00:36 -0800
Wei Dai wrote:
> > DJ: Again you think there is no RSA PKV, but there is, how much to use of it is
> > a cost/benefit decision.
> Ok, I should have expected that a ZKP would exist for RSA public key
> validity. But certainly it's not in common use, ...
And with good reason. All it does is:
We give an interactive protocol for proving that a number such
as an RSA key, which is the product of two primes, is the product
of nearly equal primes.
Furthermore, it is not ZKP but "Statistical Limited-Knowledge".
The validity of an RSA key does not equate to the factors being nearly
equal. There is not even any good reason for them to be nearly
equal, as long as each is sufficiently large. There are many
other ways for an RSA key to be weak, if you buy into that concept.
Don promotes validating a bet-the-company key. But even in that
case, are you going to risk leaking bits in order to convince
someone that it is a product of nearly equal primes? Why would
anyone care? And why would anyone call this RSA PKV anyway?
It has almost nothing to do with DH PKV tests which check to see
if the public key belongs to the relevant group in order to
prevent a bogus key exchange.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************