Cryptography-Digest Digest #668, Volume #13      Sat, 10 Feb 01 05:13:01 EST

Contents:
  Re: Phillo's alg is faster than index calculus ("Scott Fluhrer")
  Re: Encrypting Predictable Files ("Matt Timmermans")
  Re: Factoring (and not the Philippino :) ("Douglas A. Gwyn")
  Re: Factoring (and not the Philippino :) ("Douglas A. Gwyn")
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony Stephen Szopa)
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony Stephen Szopa)
  Re: CipherText patent still pending (Mok-Kong Shen)
  Re: Shortening ElGamal encryption (lcs Mixmaster Remailer)
  Re: OverWrite freeware completely removes unwanted files from hard drive (Anthony Stephen Szopa)

----------------------------------------------------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Phillo's alg is faster than index calculus
Date: Fri, 9 Feb 2001 22:06:29 -0800


<[EMAIL PROTECTED]> wrote in message news:9623qg$18k$[EMAIL PROTECTED]...
>
> > Ok, I'll bite:
> >
> >   b. No, it isn't because Phillo's algorithm is exponential in the
> > size of the number being factored, while index calculus is subexponential.
> >
> > --
> > poncho
> >
>
>
> YooHoo! Finally some response! Except that I ain't talking about
> factoring here!

Ok, simple correction:

b. No, it isn't because Phillo's algorithm is exponential in the size of
the number used as a modulus, while index calculus is subexponential.


Happy?

--
poncho




------------------------------

From: "Matt Timmermans" <[EMAIL PROTECTED]>
Subject: Re: Encrypting Predictable Files
Date: Sat, 10 Feb 2001 06:31:48 GMT


"David Hopwood" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> That's clearly incorrect. The identity function is bijective, for
instance.

The identity function works just fine -- it exposes no information about the
key, because the key isn't used.

> I note that you say in another follow-up that you meant "ciphertext-only
> attacks against the key". But this is such a restricted attack model, that
> IMHO it does not say anything useful about the practical security of a
> cipher.

Sorry, I _thought_ I made it clear at the outset that that was the model
under examination.  Checking back, however, I find that I didn't mention
that until the last paragraph of my original post.

Whether or not it says anything useful about the cipher is the question I
posed, and I doubt it in the original post for the same reason you do.




------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Factoring (and not the Philippino :)
Date: Sat, 10 Feb 2001 03:21:25 -0500

Bob Silverman wrote:
>   "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> > (2) Cracking RSA is not the same as merely being given N and
> > being asked to factor it.  What we are actually given is (N,e)
> > *and* an algorithm for using them for arbitrary (controlled-PT)
> > encryptions.  That means that we can "tickle" the system by
> > encrypting some suitable basis set, maybe the individual bits
> > 1, 2, 4, 8, 16, etc., or a batch of small primes 2, 3, 5, 7, etc.,
> > or a randomly chosen set as in an index-calculus attack, or
> > whatever else might fit a particular attack.
> This is just a chosen ciphertext attack, if I read your intent
> correctly. It isn't terribly helpful.

It would be nice to see an explanation of why it isn't helpful
in any possible attack on RSA.  For other systems, tickling is
sometimes an exceedingly useful technique at the basis of a
practical attack.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Factoring (and not the Philippino :)
Date: Sat, 10 Feb 2001 03:18:04 -0500

Splaat23 wrote:
> In regards to (3), if gcd(n, e) <> 1, then it is a break of the
> modulus, because e will be either p or q (the only factors of n).

Oops, of course you're right -- I was tired when I added that one.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Sat, 10 Feb 2001 01:03:42 -0800

Midnight's Own Fire wrote:
> 
> First sorry for the X-Post.
> Second. A.S.S. are both your initials and a good description of you.
> Third. Tom, don't waste your time and everyone's bandwidth trying to talk to
> the A.S.S.
> There really is no point. He's never going to be able to think using logic.
> Yes, someone could probably recover almost any data that was ever written.
> But... if he thought about it, there is no way that anyone is going to do
> it, because it either takes too long or is too expensive. And even if it
> was cheap and quick, who REALLY CARES enough about something that I would
> delete to bother?
> 
> Ok, so maybe someone has some data that's been overwritten that they think
> might be sensitive enough that someone would try to recover it.
> If the people who would try to recover it can actually get their hands on the
> drive, then they have a way worse security problem on their hands.
> 
> So when it comes right down to it... if anyone wanted to use this
> software... they have to first assume that someone can break their security
> and steal the actual drive. And if that's a concern... they are not going to
> waste time using any software. They are going to be plugging the holes in
> their physical security.
> 
> So why would anyone want it?
> Wait, I'll tell you... no one would.
> It's yet another trolling effort by the A.S.S.
> So dun feed the troll.
> 
> ~~MoF
> 
> "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Not enough money.
> >
> > But I believe that there are those who have the capability.
> >
> > This is why I also believe that overwriting a file using the
> > technique employed in the OverWrite software will be that much more
> > effective than just overwriting it once your way.
> >
> > As I stated, your way isn't good enough for the reasons referred
> > to by a link in someone else's post in this thread.
> >
> > The hard drive is not read using software (DOS).  The magnetic
> > fields and residual magnetic fields are detected using a state of
> > the art instrument as it is scanned over the hard drive surface.
> >
> > Perhaps even laser light is used now these days.


Notice in my post that I referred to "state of the art instrument"?

I know what it is and what it is called and how it works.

But I didn't say what it is or what it is called or explain how 
it works because you all are so smart and knowledgeable that you 
would just have said I was talking down to you anyway.

It is not an electron microscope though.

So I didn't bother.

But I sure like some of your theories.  Like the one where it is 
claimed that there exists the technology such that by knowing the 27
overwrite patterns in the OverWrite program that each one of these
overwrite pattern "layers" could be "peeled away" revealing the 
28th layer underneath and thus find the original data.

Like we are talking about an onion?  Give me a break.

Not to mention that the hard drive space where the data was written 
to had not already been written to tens or hundreds of times 
before.  But some of you also think that if the hard drive space 
were written to 100 times, the technology exists such that each
overwrite could be detected and read individually and that any
overwriting is therefore ineffective and hopeless.

Great hypothesis.  Much better BS.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Sat, 10 Feb 2001 01:13:24 -0800

Richard Herring wrote:
> 
> In article <[EMAIL PROTECTED]>, Anthony Stephen Szopa 
> ([EMAIL PROTECTED]) wrote:
> > Richard Heathfield wrote:
> > >
> > > Anthony Stephen Szopa wrote:
> > > >
> > > > OverWrite freeware completely removes unwanted files from hard drive
> > >
> > > I tried it and it didn't work. I got this error:
> > >
> > > ./OvrWrite.exe: Permission denied
> > >
> > > > and deleted data on magnetic media recoverable. Simply overwriting
> > > > a file a few times is just not good enough.
> > >
> > Sounds like you need permission to use your own computer as you
> > see fit.  Someone you might know is not allowing you to run the
> > program.
> 
> <fx>whhhhhhhhhhhhhhhhooooooooooooooooooooooosssssssssssssshhhhhhhhhhh!</fx>
> 
> > There is no such error message generated as a result of
> > the OverWrite program.
> 
> Yes there is.
> 
> But here's a hint: it's not generated by MS Windows or MS DOS.
> 
> --
> Richard Herring       |  <[EMAIL PROTECTED]>


Her Herring:  I meant that the OverWrite Program does not contain 
source code that would generate such an error message.

Thank you.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Sat, 10 Feb 2001 10:40:18 +0100



Bryan Olson wrote:
> 
> Mok-Kong Shen wrote:
> 
> > The quote in question was the following:
> >
> >    Experts teaching writing say to write every day.  I've never
> >    heard an expert cryptologist recommend cipher design as an
> >    exercise.
> >
> > There is very good reason to stress the importance of
> > analysis. A student should well do exercises in analysis
> > before going to design. But that doesn't mean that the
> > teacher does not give the student design exercises at a
> > later stage to do, if he is to do his teaching job properly.
> > That's why I considered the above quoted to be misleading
> > and argued against it correspondingly.
> 
> The quote is easy to refute if wrong; just look through the
> crypto textbooks, or course syllabi.  I don't see the point
> of arguing against an observation with only conjecture and
> opinion.

As is often the case in the real world, there is the
interpretation problem. I suppose you mean that modern textbooks
like AC contain many designs but much less about analysis.
Am I right? Analysis is indeed difficult to present
compared to design, which can be rather easily described 
mathematically or mechanically. But that does not mean
the topics are not both essential and that design could
be neglected, as your original quote seemed to imply. On 
the other hand, should your said observation mean that 
the courses don't treat design (whether the name of the 
courses contains that word is unessential), then that's 
clearly a pedagogical fault. See also below.

> 
> > I am not sure it is clear that cipher design is easy.
> 
> I'm convinced it's very hard to do well.  I recall spending
> many hours trying to convince you of the same.

That's why I am not an expert but only a very humble
learner and I am yet far from acquiring the needed level 
of the art of good design. 

Let me in this connection come back to your previous point 
of there being too many bad designs around. This fact is 
like there being too many paintings around. The vast majority 
of these are worth nothing or almost nothing, exactly because 
the art of painting is subtle. My point has been that 
learners need exercises in design, otherwise they wouldn't 
get any 'feeling' for that work, much like in engineering or
other practical branches of science. The problem that 
lots of throw-away products pile up fortunately isn't 
in this case a real 'environment' problem like industrial 
waste, for you can simply ignore the bits that represent 
them. (Use the delete key, if there is a problem of storage
on your computer.)

As said in my response to John Myre, I agree on the high
importance of analysis. However, I haven't so far seen any
posts in the group with suggestions of new methods of
analysis or improvements of old ones, at least in the
proper sense. The same is true about asymmetric encryption 
or other topics of importance like e-commerce. That's 
very undesirable, but that's a problem of the ensemble of 
subscribers of sci.crypt that, like elsewhere in life, is 
inherently difficult to solve. Everyone is free to post 
but is not pushed in any way (through salary, teacher etc.) 
to do so. That means people effectively do what they 
personally think is fun. Benevolent experts could 
'in principle' contribute much to change that situation, 
but apparently and very understandably they don't have the 
time to do that. Thus one can only (optimistically or 
utopically) hope that there will someday be more or 
less a balance among the different topics of importance in 
the posts. In the meantime the best that can be achieved 
is to promote technical discussions and largely suppress
non-technical ones with the means that each subscriber
has at his disposal, namely posting one's own articles
(doing the best that is possible within the framework of
one's own knowledge) and sending follow-ups (keeping to
technical matters as far as possible, without intentions
of personal attacks of any form). To insist that there 
should be no posts on one topic on the ground that there are 
yet no posts on other equally or much more valuable 
topics would be putting the machinery of this group to 
a full stop and is evidently unreasonable and undesirable. 
For something is anyway better than nothing. (I happen to
know one internet mailing list where the volume has now
reduced to under one dozen per year. I doubt that could
be the ideal of people here in our group.) Those who are 
annoyed by having to read much chaff can well follow my 
humble but very useful advice given in the previous posts.

M. K. Shen
============================
http://home.t-online.de/home/mok-kong.shen

------------------------------

Date: 10 Feb 2001 10:00:07 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: Re: Shortening ElGamal encryption

David Wagner writes:
> Your suggestion was:
>   To encrypt M, send (t, M * g^{x_s x_r t}), where x_s is the
>   sender's private key and x_r is the receiver's private key.
>
> This is insecure against known-plaintext attacks.
>
> In particular, suppose I have a single known plaintext M along with
> its encryption (t, M * g^{x_s x_r t}).  This reveals g^{x_r x_s}.
> Then, if I see any further ciphertexts from s to r, I can decrypt
> them myself without the help of the receiver.

Very good point!  But that reminds me of an even better way to
shorten ElGamal encryption.

Instead of doing, for conventional ElGamal,

    g^k, M*y_r^k

do:

    g^k, E(y_r^k, M)

where E(K,M) is a symmetric encryption algorithm with key K and message M.
In practice we would hash y_r^k down to an appropriate size for whatever
encryption we are using.  The output of E may typically be as small as
128 bits.

If we modify this with the proposed optimization,

    k = t * x_s

where x_s is the private key of the sender, we send:

    t, E(y_r^k, M)

and the recipient recovers y_r^k from y_s^(t*x_r), where x_r is the
recipient's private key.

So instead of just multiplying M with g^{x_s x_r t}, we encrypt it with
a hash of that as the key.  This should destroy any useful information
that comes from the algebraic structure of this key.

Plus the whole encryption header is now 160 + 128 or 288 bits, much
shorter than conventional ElGamal.

Unfortunately this suggests another way to view this which calls the whole
shortening idea into question.  It is essentially a variant on "static"
Diffie-Hellman encryption (where ElGamal is "ephemeral" DH encryption),
where the pair has a constant shared secret S = g^(x_s*x_r).  In that case
we are sending (t, E(S^t, M)), and maybe t isn't really buying us much.
With static DH we just send E(S, M) and it's only 128 bits.
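A toy run of the two constructions compared in the post, as an added example that is not part of the original message: hashed ElGamal (g^k, E(hash(y_r^k), M)), the shortened variant with k = t * x_s, and the check that the shortened key y_r^(t*x_s) is exactly S^t for the static pair secret S = g^(x_s*x_r). The group parameters, the SHA-256 key derivation and the XOR-keystream stand-in for E are constructed for illustration and are not from the post.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: P = 2*Q + 1 with Q prime,
# and G = 4 is a quadratic residue mod P, so it generates the order-Q subgroup.
P, Q, G = 1019, 509, 4
KEY_LEN = 16  # 128-bit symmetric key, matching the post's "as small as 128 bits"


def kdf(shared: int) -> bytes:
    """Hash the group element down to a symmetric key (the post's "hash y_r^k")."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()[:KEY_LEN]


def E(key: bytes, msg: bytes) -> bytes:
    """Stand-in for a real symmetric cipher: XOR with a SHA-256 keystream.
    The same call decrypts, since XOR is its own inverse. Toy only, not AES."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(msg) // 32 + 1))
    return bytes(m ^ s for m, s in zip(msg, b"".join(blocks)))


def keygen(x=None):
    """Private exponent x in [1, Q-1] (fixed when given) and public key y = g^x."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def elgamal_encrypt(y_r: int, msg: bytes, k: int):
    """Conventional hashed ElGamal from the post: send g^k and E(hash(y_r^k), M)."""
    return pow(G, k, P), E(kdf(pow(y_r, k, P)), msg)


def elgamal_decrypt(x_r: int, ct) -> bytes:
    c1, c2 = ct
    return E(kdf(pow(c1, x_r, P)), c2)


def short_encrypt(x_s: int, y_r: int, msg: bytes, t: int):
    """Shortened form: k = t * x_s, and the header carries only t."""
    k = t * x_s
    return t, E(kdf(pow(y_r, k, P)), msg)


def short_decrypt(x_r: int, y_s: int, ct) -> bytes:
    """Recipient recovers y_r^k as y_s^(t*x_r) = g^(x_s*x_r*t) from the sender's public key."""
    t, c2 = ct
    return E(kdf(pow(y_s, t * x_r, P)), c2)


def static_shared(x_own: int, y_other: int) -> int:
    """The constant pair secret S = g^(x_s*x_r) behind the static-DH view."""
    return pow(y_other, x_own, P)


def same_key_as_static_dh(x_s: int, y_r: int, t: int) -> bool:
    """The shortened scheme's key y_r^(t*x_s) is just S^t: the post's point that
    t may not be buying much over plain static DH with E(S, M)."""
    return pow(static_shared(x_s, y_r), t, P) == pow(y_r, t * x_s, P)


if __name__ == "__main__":
    x_s, y_s = keygen()
    x_r, y_r = keygen()
    ct = short_encrypt(x_s, y_r, b"constructed sample plaintext", secrets.randbelow(Q - 1) + 1)
    print(short_decrypt(x_r, y_s, ct), same_key_as_static_dh(x_s, y_r, ct[0]))
```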

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Sat, 10 Feb 2001 01:56:45 -0800

Tom St Denis wrote:
> 
> In article <[EMAIL PROTECTED]>,
>   Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> > Tor Rustad wrote:
> > >
> > > "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> > > > Joseph Ashwood wrote:
> > > >
> > > > You are nuts.
> > >
> > > ???
> > >
> > > > "...those patterns can be stripped away..."
> > > >
> > > > How?  With cleanser and lots of elbow grease.  What are you talking
> > > > about here?  What utter BS.
> > >
> > > Next time you *try* to write such erase SW, as a *minimum* read DOD
> > > 5220.22-M first.
> > >
> > > Of course you should *not* overwrite with *only* known patterns!
> > >
> > > I am not up to date with the state-of-the-art in recovering data, nor are
> > > *you*, that information is classified.
> > >
> > > A well respected company in Norway, IBAS (www.ibas.com), does a pretty good
> > > recovery job in many cases, but AFAIK they will have trouble with recovering
> > > overwritten data. However, IBAS is *not* at military level on this, and
> > > there might be better commercial companies around at this.
> > >
> > > Your SW was snake oil anyway.
> > >
> > > --
> > > Tor <torust AT online DOT no>
> >
> > Using these 27 known and recommended patterns is certainly
> > preferable to a single overwrite of hex FF or 00.
> >
> > Ciphile Software's OverWrite program Version 1.0 is certainly well
> > worth using for the purposes intended.
> 
> Hello,
> 
> I am a student in security and computer science.  Could I see your source
> code?  I want to learn how this stuff all works!
> 
> Tom
> 
> Sent via Deja.com
> http://www.deja.com/


Read the description in the Help Files at http://www.ciphile.com or 
the instructions with the OverWrite software and read the link that 
JA Malley posted.

Malley says that Ashwood is correct and that I am wrong(?) and that 
as much is stated in the link.  I beg to differ.  The link states 
that it would certainly be best to randomly use the patterns 
suggested.  But that to use the 27 overwrite patterns is still very 
very good.

I would like to add that I do have another overwrite program that 
is only going to be made available to those who purchased OAP-L3.  
This OverWrite version 1.1 will also have a facility to overwrite 
the file with random sequences entered by the user in addition 
to the fixed 27 sequences.

As stated in the link by Malley, it is shown that there should be 
four (or more) random sequences written before and after the 27 
fixed patterns.  With this version 1.1 software the user may 
overwrite the file as many times as they want with user entered 
random bytes before and after the fixed 27 patterns.

And note that with the OverWrite program available for download at 
the web site now, the user can overwrite with as many overwrites 
as they want, both with sequences of all 27 patterns or with just 
some of the 27 patterns, by using the switches as described in the
software.

Thus, the OverWrite program as it exists right now to all of you 
allows for random overwrites.

Here is an example:  overwrite the file using the entire 27 pattern
sequence but place an R switch in the directory.  This will prevent 
the file from being deleted after the overwrite.  Then go back and
overwrite the file again but change the switch to a C switch, for
example.  Then overwrite the file again changing the switch to a 7
switch.  Etc.

Anyone trying to detect the original file may think they know the
patterns and they are right, they will.  But they will not know how 
many of the 27 patterns were used to overwrite the original
data and how many full or partial sequence overwrites were used or 
in what order.

Satisfied?

So where are these technological sophisticates:  these brain drained
mental armchair hackers, now?

NO_WHERE'S_VILLE, Man.  
NoWhere'sville.

Your data can be wiped and beyond recovery.  You decide when enough 
is enough.  You decide when you can sleep soundly at night with this 
one less worry on your mind.

Why use the OverWrite software?  Use it as I just suggested and you 
can rest assured with no worries.

OverWrite your file with OverWrite from Ciphile Software then forget
about it.

Thanks for the grilling.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************