Cryptography-Digest Digest #736, Volume #13      Fri, 23 Feb 01 04:13:01 EST

Contents:
  Re: Super strong crypto (David Wagner)
  Re: The Key Vanishes: Scientist Outlines Unbreakable Code, Read it and ("Douglas A. Gwyn")
  Re: Super strong crypto ("Douglas A. Gwyn")
  Re: New unbreakable code from Rabin? ("Douglas A. Gwyn")
  Re: Super strong crypto (David Wagner)
  looking for 16-bit RNG... (Rik Blok)
  Re: The Key Vanishes: Scientist Outlines Unbreakable Code, Read it and ([EMAIL PROTECTED])
  Re: New unbreakable code from Rabin? ([EMAIL PROTECTED])
  Re: PGP Public Keys (Paul Crowley)
  Re: Random Numbers (wint)
  Re: CAR TIRES, CHEAP, FROM JAPAN (wint)
  Re: New unbreakable code from Rabin? (wint)
  Re: Super strong crypto (wtshaw)
  Any alternatives to PGP? (Alberto)
  Re: "RSA vs. One-time-pad" or "the perfect encryption" ("Joseph Ashwood")
  Re: PGP Public Keys ("Joseph Ashwood")
  Re: question1,2,2a,3,4,5,5a,5b,5c,6 ("Joseph Ashwood")
  Re: Key expansion. ("Joseph Ashwood")
  Re: Key expansion. ("Joseph Ashwood")
  Re: Anonymous web surfing? ("dcole100")
  Re: Any alternatives to PGP? (Bryan Mongeau)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Super strong crypto
Date: 23 Feb 2001 04:18:34 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Nicol So  wrote:
>My understanding of Douglas Gwyn's proposal is that it does not purport
>to achieve anything that information theory says is impossible.  As a
>heuristic, it does seem to make it necessary to use extraordinarily
>clever techniques if cryptanalysis were to succeed.

I do not understand why cryptanalysis should necessarily require
extraordinary cleverness.

After all, when Biham and Shamir wrote about differential cryptanalysis
of DES, they also noted that even changing the key very frequently does
not add much security against their attack.  See ``Differential cryptanalysis
of the full 16-round DES'', where they say that even if you change keys
once every 2^14 blocks, the attacker can still recover his first key after
2^47 chosen plaintexts (the same as if the key had never changed).  This
means that, if we instantiated Gwyn's proposal with DES and with key changes
every 2^14 blocks, Gwyn's proposal wouldn't provide any improvement in
security against differential cryptanalysis.

At this point, you might argue that such a failure mode ought to be less
likely if you change keys more frequently than once every 2^14 blocks, but
the above example suggests to me that the proposal might well be buying
you much less than you think.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The Key Vanishes: Scientist Outlines Unbreakable Code, Read it and
Date: Fri, 23 Feb 2001 04:29:02 GMT

[EMAIL PROTECTED] wrote:
> (1) the "key vanishes" if and only if the sender/recipient destroy
> the key rather than retain it;

Of course they destroy it; it's a one-time key.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Super strong crypto
Date: Fri, 23 Feb 2001 04:39:34 GMT

David Wagner wrote:
> I do not understand why cryptanalysis should necessarily require
> extraordinary cleverness.

What requires cleverness is a *practical* attack against an
encrypted data channel, so that considerations like the
following are ludicrous:

> ..., where they say that even if you change keys
> once every 2^14 blocks, the attacker can still recover his first
> key after 2^47 chosen plaintexts ...
> the above example suggests to me that the proposal might well be
> buying you much less than you think.

Only if such a method of analysis is close to the best that
is possible against the basic algorithm.  I took this thread
to be not about such woeful state of the public art, but
rather about working toward technology to withstand the best
possible cryptanalytic attacks.  The particular straw-man
method I proposed is geared toward the common situation where
there is only a limited amount of shared secret available, so
one wants to stretch its viable span as far as possible.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: New unbreakable code from Rabin?
Date: Fri, 23 Feb 2001 04:43:32 GMT

[EMAIL PROTECTED] wrote:
> If the "random" bit stream is in fact algorithmically
> generated, then your adversary does not need to store it so the
> "unbreakable if attacker has limited storage" claim falls apart.
> In this case, if your secret "location generator" is later
> compromised, then your adversary can now decrypt your ciphertext
> since he can re-generate the bit stream.

Obviously the random key-bit pool stream would be created
by a random physical source (with a reasonable degree of
bias removal).

Later compromise of the location generator would not help
the enemy, since to apply that knowledge he would have had
to capture at least the relevant bits of the pool stream,
which was postulated to be infeasible.

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Super strong crypto
Date: 23 Feb 2001 05:04:59 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Douglas A. Gwyn wrote:
>David Wagner wrote:
>> once every 2^14 blocks, the attacker can still recover his first
>> key after 2^47 chosen plaintexts ...
>> the above example suggests to me that the proposal might well be
>> buying you much less than you think.
>
>Only if such a method of analysis is close to the best that
>is possible against the basic algorithm.

Yes, but my experience is that differential cryptanalysis is close to the
best method of analysis known against many block ciphers.  It is maybe
the most powerful general cryptanalytic technique I know of.  Therefore,
my concern is that this bad case (where frequent key changes don't help)
might occur very frequently, meaning that for many ciphers the proposal
doesn't help much.

Let me sharpen my point.  Consider any differential cryptanalytic attack
where a single right pair suffices to recover the key.  Many (but not
all) differential cryptanalytic attacks have this property.  In this
case, changing the key frequently doesn't help, unless you change key
every block.  This seems to me to be an important common case where the
proposal doesn't provide any benefits.

I am certainly very interested in your goal of working toward techniques
to withstand the best possible cryptanalytic attacks, so please don't
take this as a discouraging note.  You seem to be driving at some general
point that I would really like to understand.

However, here's where I get confused: If robustness is the goal, wouldn't
it be more reliable to just double the number of rounds, or triple the
cipher, or something?  This makes most known attacks exponentially less
effective, so why isn't it a better way to get more bang for the buck?

Don't get me wrong -- I do think the proposal might add considerable
strength in many cases -- but I think the most interesting question is
how to get the most strength out of a given performance budget.  And it
seems to me that there are standard techniques that would appear to add
robustness against cryptanalytic attack more reliably and at even lower
cost, e.g., doubling the number of rounds, or combining multiple ciphers
(take the XOR of an RC4 keystream and an AES-OFB keystream).

Am I missing the point somehow?

------------------------------

From: Rik Blok <[EMAIL PROTECTED]>
Subject: looking for 16-bit RNG...
Date: Fri, 23 Feb 2001 05:18:44 GMT

Does anybody know of a simple and fast 16-bit pseudo-random number
generator I could use?  There are more constraints:  I want to use it on
a Lego Mindstorms robot which can only handle 16-bit integers (and only
has enough storage for 32 of them...and no support for arrays).  I was
thinking something like a linear congruential generator but is there
anything better?  If I do use a LCG what are some good constants to use?

Thanks much.
- Rik.
-- 
Rik Blok  <[EMAIL PROTECTED]>
Centre for Applied Ethics,
University of British Columbia, Canada
http://RikBlok.cjb.net

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: The Key Vanishes: Scientist Outlines Unbreakable Code, Read it and
Date: 23 Feb 2001 05:34:15 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:

>[EMAIL PROTECTED] wrote:

>> (1) the "key vanishes" if and only if the sender/recipient destroy
>> the key rather than retain it;

> Of course they destroy it; it's a one-time key.

Well, yes, unless they are adherent to a key escrow or key recovery 
requirement.

You may be forgetting part the original context of the "key vanishes"
claim, which included a claim that the proposed system could
not be made subject to key escrow or key recovery requirements,
because the "key vanishes".  The claim seems to be that it is
somehow technically impossible for the key to be retained and recovered.

I'm saying instead that it is no different from any other private-key 
system in this respect.

Steve

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New unbreakable code from Rabin?
Date: 23 Feb 2001 05:38:59 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:

>[EMAIL PROTECTED] wrote:

>> If the "random" bit stream is in fact algorithmically
>> generated, then your adversary does not need to store it so the
>> "unbreakable if attacker has limited storage" claim falls apart.
>> In this case, if your secret "location generator" is later
>> compromised, then your adversary can now decrypt your ciphertext
>> since he can re-generate the bit stream.

>Obviously the random key-bit pool stream would be 

allegedly

>created by a random physical source (with a reasonable degree
>of bias removal).

but in fact it might be created algorithmically, if the source
of the bitstream (i.e. the broadcast satellite operator)
is untrustworthy.

I think we can agree that the "random" bit stream must come
from a completely trusted source for this approach to have any value.

Steve

------------------------------

Subject: Re: PGP Public Keys
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Fri, 23 Feb 2001 06:33:18 GMT

John Atkins <[EMAIL PROTECTED]> writes:

> What kind of MIME encoding is used to encode PGP keys?  If I wanted to
> decode all the information about a PGP key, how would I do it?  Ex:
> Decoding this:
> 
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: PGP Desktop Security 7.0.3 Evaluation
> 
> mQGiBDqR984RBADxMxoPw7hkRdoGU3Wuzm6FshV50SFIUdcXgpWSLmkPiAvtXhcL
> /xEqLcicZkw4fIRa0JPvklgwLQyHKpj66mpJgdCai63qJ5Ob4BLVN8g3jn1yj7Ws

It's quite complex, but the full specifications of PGP's message
formats may be found here:

http://www.ietf.org/html.charters/openpgp-charter.html

hope this helps,
-- 
  __
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
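
As an added worked example (not part of Paul's or John's posts, and not PGP's or GnuPG's code), the following Python reads the fragment John quoted. The armor is radix-64 (base64 plus a CRC-24 line), so the code strips the armor, decodes the bytes, and parses the first packet header and the fixed fields of a version 4 public-key packet as RFC 2440 lays them out. Only the two base64 lines on the page are available, so the packet is truncated and the parser has to stop cleanly inside the first MPI; the armored text below is reconstructed from the post, and the tag and algorithm names are RFC 2440's.

```python
import base64
import datetime

# Reconstructed from the two base64 lines quoted in John's post; the rest
# of the key block is not on the page, so the first packet is truncated.
ARMORED_FRAGMENT = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Desktop Security 7.0.3 Evaluation

mQGiBDqR984RBADxMxoPw7hkRdoGU3Wuzm6FshV50SFIUdcXgpWSLmkPiAvtXhcL
/xEqLcicZkw4fIRa0JPvklgwLQyHKpj66mpJgdCai63qJ5Ob4BLVN8g3jn1yj7Ws
"""

# RFC 2440 section 4.3 (packet tags) and section 9.1 (public-key algorithms)
PACKET_TAGS = {2: "Signature", 6: "Public-Key", 13: "User ID", 14: "Public-Subkey"}
PUBKEY_ALGORITHMS = {1: "RSA", 16: "Elgamal (encrypt-only)", 17: "DSA"}


def dearmor(text):
    """Drop the armor headers and radix-64 decode the body (RFC 2440 section 6).
    A '=XXXX' line is the CRC-24 and ends the data; the END line is never
    reached in the truncated fragment, so missing base64 padding is restored."""
    body, in_body = [], False
    for line in text.splitlines():
        if not in_body:
            in_body = line.strip() == ""   # blank line separates headers from data
            continue
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    data = "".join(body)
    return base64.b64decode(data + "=" * (-len(data) % 4))


def parse_packet_header(buf):
    """Old-format packet header (RFC 2440 section 4.2.1): bit 7 set, bit 6
    clear, tag in bits 5..2, length-type in bits 1..0.
    Returns (tag, body_length, header_length)."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the first octet must be set")
    if ctb & 0x40:
        raise ValueError("new-format header; not handled in this example")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length; not handled in this example")
    length_octets = 1 << length_type               # 1, 2 or 4 octets
    length = int.from_bytes(buf[1:1 + length_octets], "big")
    return tag, length, 1 + length_octets


def parse_public_key_packet(body):
    """Fixed fields of a version 4 public-key packet (section 5.5.2): version,
    creation time, algorithm, then the algorithm's MPIs.  Each MPI is a
    two-octet bit count followed by ceil(bits/8) octets.  Stops cleanly when
    the body runs out, which it does here inside the first MPI."""
    if len(body) < 6:
        raise ValueError("body truncated before the algorithm octet")
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled in this example")
    info = {
        "version": 4,
        "created": int.from_bytes(body[1:5], "big"),
        "algorithm": body[5],
        "mpi_bits": [],
        "truncated_in_mpi": False,
    }
    pos = 6
    while pos + 2 <= len(body):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        info["mpi_bits"].append(bits)
        pos += 2 + (bits + 7) // 8
        if pos > len(body):
            info["truncated_in_mpi"] = True
            break
    return info


def inspect(text):
    """Decode the armor and describe its first packet."""
    raw = dearmor(text)
    tag, length, hlen = parse_packet_header(raw)
    info = {"tag": tag, "declared_length": length, "available": len(raw) - hlen}
    if tag == 6:
        info.update(parse_public_key_packet(raw[hlen:hlen + length]))
    return info


if __name__ == "__main__":
    info = inspect(ARMORED_FRAGMENT)
    when = datetime.datetime.fromtimestamp(info["created"], datetime.timezone.utc)
    print(PACKET_TAGS.get(info["tag"], info["tag"]), "packet,",
          info["declared_length"], "octets declared,", info["available"], "available")
    print("version", info["version"], "created", when.isoformat(),
          "algorithm", PUBKEY_ALGORITHMS.get(info["algorithm"], info["algorithm"]))
    print("first MPI", info["mpi_bits"][0], "bits",
          "(truncated)" if info["truncated_in_mpi"] else "")
```

Run as-is it reports a Public-Key packet with 418 declared octets of which 93 are present, a version 4 DSA key created on 20 February 2001, and a first MPI of 1024 bits (for DSA the first MPI is the prime p). The loop in parse_public_key_packet is the part to get right in anything that ingests keys from strangers: every length comes from the data, so bound each read by what is actually present rather than by what the header promises.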

------------------------------

From: wint <[EMAIL PROTECTED]>
Subject: Re: Random Numbers
Date: Fri, 23 Feb 2001 07:41:15 GMT

In article <968kvd$s48$[EMAIL PROTECTED]>, Viktor "CK" Pilpenok 
<[EMAIL PROTECTED]> says...
> Hi Everybody!
> 
> Is there any algorithm that allows to estimate the randomness of a
> stream of numbers?
> 
> Thanks in advance.                               Viktor P
> 
> 
> Sent via Deja.com
> http://www.deja.com/
> 

May find something of interest here 
        http://www.protego.se/statistictest_en.htm
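
An added example, not from Rik's or wint's posts: a 16-bit LCG in Python with the wrap-around masked explicitly, plus two of the NIST SP 800-22 tests (frequency and runs) run over its output bits, which also gives Viktor's question about estimating randomness a concrete answer. The constants are my own, chosen only to satisfy the Hull-Dobell full-period conditions; the assumption that the robot's multiply wraps modulo 2^16 is what the mask stands in for.

```python
import math

MASK16 = 0xFFFF

# Constructed constants (my assumption, not from the thread): chosen only to
# satisfy the Hull-Dobell full-period conditions for modulus 2^16, namely
# c odd and a = 1 (mod 4).  They say nothing about lattice quality.
LCG_A = 0x6C8D
LCG_C = 0x2A43


def lcg16_next(state):
    """One step of x <- (a*x + c) mod 2^16.  The mask models the wrap-around
    that 16-bit integer arithmetic on the robot is assumed to perform."""
    return (LCG_A * state + LCG_C) & MASK16


def outputs(n, seed=1):
    """The first n states after `seed`; the state is also the output."""
    out, x = [], seed
    for _ in range(n):
        x = lcg16_next(x)
        out.append(x)
    return out


def bit_stream(bit, n, seed=1):
    """Bit `bit` (0 = least significant) of each of n outputs."""
    return [(v >> bit) & 1 for v in outputs(n, seed)]


def period(step, start=0):
    """Cycle length through `start`.  A full-period LCG is a permutation of
    its state space, so every state lies on one cycle."""
    x, n = step(start), 1
    while x != start:
        x, n = step(x), n + 1
    return n


def low_bits_period(k):
    """The low k bits of a mod-2^16 LCG are themselves an LCG mod 2^k, so
    their period is only 2^k: bit 0 alternates, bit 1 repeats every 4, ..."""
    m = (1 << k) - 1
    return period(lambda x: (LCG_A * x + LCG_C) & m)


def predict_next(observed):
    """Security caveat: state == output, so one observed value yields every
    later one.  Fine for steering a robot, unusable where secrecy matters."""
    return lcg16_next(observed)


# Two of the NIST SP 800-22 tests; a p-value below 0.01 counts as a failure.
def monobit_p(bits):
    """Frequency (monobit) test: are ones and zeros balanced?"""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))


def runs_p(bits):
    """Runs test: is the number of runs what a balanced random stream gives?
    Only meaningful if the frequency test passed (the spec's precondition)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


if __name__ == "__main__":
    print("full period:", period(lcg16_next))
    print("period of low 1/4/8 bits:", [low_bits_period(k) for k in (1, 4, 8)])
    for bit in (0, 7, 15):
        b = bit_stream(bit, 4096)
        print(f"bit {bit:2}: monobit p={monobit_p(b):.3f}  runs p={runs_p(b):.3g}")
```

The whole generator is one 16-bit variable and one multiply-add, which fits the no-arrays constraint as long as the platform's multiply wraps the way the mask does. The alternating low bit is not a fault in the constants: for any LCG with a power-of-two modulus, bit k has period 2^(k+1), so take random bits from the top of the word, and notice that bit 0 passes the frequency test (it is perfectly balanced) while the runs test catches it at once; one test is never enough. Because the state is the output, the stream is predictable from a single observed value, which is acceptable for a robot's wandering and not for anything a secret depends on.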

------------------------------

From: wint <[EMAIL PROTECTED]>
Subject: Re: CAR TIRES, CHEAP, FROM JAPAN
Date: Fri, 23 Feb 2001 08:01:45 GMT

In article <96m6uo$1s0e$[EMAIL PROTECTED]>, "ЧП "Кононец"" <vlad-
[EMAIL PROTECTED]> says...
> 
> PE "Kononets" offers contract deliveries of car tires from Japan, in
> large and small wholesale lots.
> You can also buy car tires from the warehouse; tires of almost all sizes
> are in stock, as well as alloy wheels (of various kinds). Contact us at:
> Vladivostok, ul. Dnepropetrovskaya 19, Severotorg warehouse, in the
> Bam district. Tel. 8(4232)46-72-89
> e-m@il:[EMAIL PROTECTED]
> 

Please use a spell checker.
-- 
. . . . . . . . . . . . . . . . . . . . . . . .
Spammbait
 root@localhost  postmaster@localhost  admin@localhost
 abuse@localhost  webmaster@localhost  [EMAIL PROTECTED]
 [EMAIL PROTECTED]  [EMAIL PROTECTED]

------------------------------

From: wint <[EMAIL PROTECTED]>
Subject: Re: New unbreakable code from Rabin?
Date: Fri, 23 Feb 2001 08:08:36 GMT

In article <3a93968d$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> John Savard <[EMAIL PROTECTED]> wrote:
> 
> > Obviously, any random bit stream two participants are capable of
> > exchanging is capable of being stored by an adversary.
> 
> The point is that this isn't such a bit stream.
> No one generates, transmits or exchanges this bit stream.
> They only exchange information on how to extract a bit
> stream from a transient, public pool of random data.
> 
> The pool consists of ALL publicly accessible random,
> but transient, data (that can be munged into a fully
> entropic, n bits of entropy for n bits of length).

Except for size, how does this differ from the familiar spy-
novelist method of "page 173 of Gone With the Wind"?

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Super strong crypto
Date: Fri, 23 Feb 2001 01:44:36 -0600

In article <974oaq$6rf$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (David
Wagner) wrote:

> I do not understand why cryptanalysis should necessarily require
> extraordinary cleverness.

> 
> At this point, you might argue that such a failure mode ought to be less
> likely if you change keys more frequently than once every 2^14 blocks, but
> the above example suggests to me that the proposal might well be buying
> you much less than you think.

As for blocks necessary for brute forcing DES, it's only two or three. 
Perhaps you misunderstand Shannon, but the spirit of his unicity distance
is a whole different emphasis from that which you presume.

Either his or your concept of strength is insufficient alone, even as
each is claimed to be sufficient.  If you do not understand what is at
stake, you represent many others in the same boat, but it can sink.
-- 
Better to pardon hundreds of guilty people than execute one
that is innocent.

------------------------------

From: Alberto <[EMAIL PROTECTED]>
Subject: Any alternatives to PGP?
Date: Fri, 23 Feb 2001 08:25:46 GMT

I've decided to leave PGP.

What is a good alternative?


Thanks

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: "RSA vs. One-time-pad" or "the perfect encryption"
Date: Wed, 21 Feb 2001 11:10:48 -0800


"John Myre" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Joseph Ashwood wrote:
> > What you are searching for is purely unbreakable cryptography, even OTP
does
> > not qualify (you can given very large quantities of time generate each
> > possible decryption) under your rules.
> Huh?  Do you mean this?  If so, could you please explain?
Actually yes, I did mean that; I just wasn't clear enough. I assumed there
was a need for unalterability without easy detection. OTP as typically
expressed (XOR and random stream) does not have this; I've referred to it
before as the bit-flip attack. At times you may not even need to know what's
being sent to get the desired effect (a single bit needs to be twiddled,
regardless of what the bit was).
                            Joe
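
The bit-flip Joe describes, as an added Python example (not John's or Joe's code): an XOR pad, one flipped ciphertext bit, and the usual remedy of a MAC over the ciphertext so the flip is detected rather than silently accepted. The message is constructed, the pad and MAC key are drawn from the OS CSPRNG, and encrypt-then-MAC with HMAC-SHA256 is my choice of check, not something the thread specifies.

```python
import hashlib
import hmac
import secrets


def otp_encrypt(pad, message):
    """XOR one-time pad.  The pad must be truly random, as long as the
    message, and never reused; XOR is its own inverse, so decryption is
    the same operation."""
    if len(pad) != len(message):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(p ^ m for p, m in zip(pad, message))


otp_decrypt = otp_encrypt


def flip_ciphertext_bit(ciphertext, index, bit):
    """The malleability Joe describes: flipping one ciphertext bit flips the
    same plaintext bit, with no knowledge of the pad or the plaintext."""
    out = bytearray(ciphertext)
    out[index] ^= 1 << bit
    return bytes(out)


def mac_tag(mac_key, ciphertext):
    """HMAC-SHA256 over the ciphertext (encrypt-then-MAC) under a key that is
    independent of the pad."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def authenticated_decrypt(pad, mac_key, ciphertext, tag):
    """Return the plaintext, or None if the tag does not verify.
    compare_digest is constant-time, unlike == on byte strings."""
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return otp_decrypt(pad, ciphertext)


def demo(message=b"TRANSFER 100 TO ACCOUNT 7", flip_at=(9, 0)):
    """Constructed message; pad and MAC key are drawn fresh from the OS CSPRNG.
    Flipping bit 0 of byte 9 turns the '1' of '100' into '0'."""
    pad = secrets.token_bytes(len(message))
    mac_key = secrets.token_bytes(32)
    ct = otp_encrypt(pad, message)
    tag = mac_tag(mac_key, ct)
    tampered = flip_ciphertext_bit(ct, *flip_at)
    return {
        "honest": authenticated_decrypt(pad, mac_key, ct, tag),
        "unauthenticated_tampered": otp_decrypt(pad, tampered),
        "authenticated_tampered": authenticated_decrypt(pad, mac_key, tampered, tag),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:26} {value!r}")
```

Run on its own it prints the honest decryption, the silently altered plaintext an unauthenticated receiver would accept, and None for the tampered message once the tag is checked. The MAC key has to be independent of the pad: a pad gives perfect secrecy but no integrity, and the two properties need separate key material.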



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: PGP Public Keys
Date: Wed, 21 Feb 2001 11:40:31 -0800

The shortest distance between here and there is to grab a copy of the gpg
code and dig out what you need. See http://www.gnupg.org/ for details.
                Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: question1,2,2a,3,4,5,5a,5b,5c,6
Date: Wed, 21 Feb 2001 11:55:31 -0800

> 1.Do you have to be a good cryptanalyst before you can call yourself a good
> cryptographer?

It certainly helps. You'll find that most publicly identified good
cryptanalysts don't bother with ciphers designed by someone that they do not
also consider a good cryptanalyst, or that is being used for something
substantial. Also if you are a good cryptanalyst you are less likely to make
mistakes in your cryptographic algorithms that would make attacks possible.

> 2.Do you learn by practicing with breaking codes? Can you break codes
> "theoretically"?

Yes, and yes. For a good example of this I suggest you look to the AES
competition; if I remember correctly, not a single one of the "broken"
algorithms was broken to the point where a short ciphertext could be decrypted
without extra accompanying information.

> 2a.Where can you find material to work on? (if you need to do so, but I
> strongly believe you do)

Well, if you want to go for the big stuff: www.nist.gov/aes,
www.cryptonessie.org and www.counterpane.com/biblio.  For practice you should
look to publicly analyzed ciphers. Try finding the differential attack
against DES; uncover the attack against MacGuffin. If you make more progress
against them than anyone has so far published, many conventions accept
cryptanalysis from unknowns.

> 3.What classic textbooks are a good source of practice problems?

Actually Paul Rubin's list was fairly complete

> 4.If you really want to crack difficult ciphers mustn't you possess
> excellent programming tools/skills?

You really should, but it's not a necessity. Most of the work is actually
done in the brain; then you figure out how good it is, and never really
implement them, unless it's a major problem.

> 5.My user name is the encryption of my dog's name. Isn't this a rather
> stupid problem? Anyway, does it make sense to ask you what my dog's name is?
> Will your answer tell me if you are a good cryptanalyst (I'm sure you'll say
> "no"!)? DO you need to know the algorithm that I used to encrypt it?

It's not a stupid question. However you need to understand that we generally
do not respond to challenges to break encryption very well. You will get a
lot of responses saying things like "Well it's encrypted using a OTP, the
data was compressed but here it is "I'm a clueless newbie who wasn't smart
enough to read the faq before I tried to waste the time of everyone on this
newsgroup . . . "  I think you get the idea. What many of us require before
we will even glance twice at your problems is a clear explanation of the
algorithm (I recommend something like the specification of the whirlpool
algorithm at cryptonessie for the explanation). The idea is to make the
algorithm as clear as possible, clear enough that anyone with a decent
knowledge of a programming language can write an implementation of the
algorithm, and most important do not put optimizations in the specification,
just the straightforward step by step instructions, later you can tell us
optimizations. From there we don't need ciphertext we can make our own for
analysis.

> 6. Am I the only one that doesn't particularly love "applied cryptography,
> 2nd ed."?

Probably, it's a very good start for the details of cryptanalysis. If you
don't like it maybe the Handbook of Applied Cryptography (Menezes et al)
would be more to your liking (http://cacr.math.uwaterloo.ca/hac/). Or
perhaps you're one of those people that finds the original papers more
useful, in which case I would recommend downloading the entire collection at
www.counterpane.com/biblio as a start.

Anyway, welcome.
                                        Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Key expansion.
Date: Wed, 21 Feb 2001 12:23:07 -0800

"Cristiano" <[EMAIL PROTECTED]> wrote in message
news:9716it$9gl$[EMAIL PROTECTED]...
> Can you point me to some c or c++ code for SHA-256 and SHA-512 (I have found
> only assembler code)?

www.cryptopp.com; there's an implementation of pretty much everything you
could want.
                            Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Key expansion.
Date: Wed, 21 Feb 2001 14:12:49 -0800


"Thomas White" <[EMAIL PROTECTED]> wrote in message
news:971c09
> "Joseph Ashwood" <[EMAIL PROTECTED]> wrote in message
> > No problem. If you want fewer bits from a cryptographic hash function just
> > chop off the last bits
> Is it secure to use a sort of EOR system to reduce a longer hash to a more
> manageable one?
> I mean, if I take a 128-bit MD5 (of a key, for example, for validation) and
> need a 32-bit hash, is it OK to split the 128 bits into four blocks of 32
> and then EOR them all together?  It seems to make more sense to me to use as
> much of the longer hash as possible rather than just chopping bits off.

If the hash algorithm is secure you can do (almost) whatever you want to the
bits and you won't endanger the security (or improve it without external
information), so yes you can EOR the bits together if you want. I just
suggested chopping bits off because it's faster (and equally secure).
                        Joe
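
Added example (not Thomas's or Joe's code): the two reductions side by side in Python, with a search that shows what a 32-bit output means whichever way it is produced. The inputs are constructed as key-0, key-1, ...; the birthday bound of roughly 2^16 inputs is the number to keep in mind.

```python
import hashlib
import math
import struct


def md5_words(data):
    """MD5(data) as four 32-bit words, in digest order."""
    return struct.unpack(">4I", hashlib.md5(data).digest())


def truncate32(data):
    """Joe's suggestion: keep the first 32 bits and drop the rest."""
    return md5_words(data)[0]


def fold32(data):
    """Thomas's suggestion: XOR the four 32-bit quarters together."""
    w = md5_words(data)
    return w[0] ^ w[1] ^ w[2] ^ w[3]


def expected_inputs_for_collision(bits):
    """Birthday bound: about sqrt(pi/2 * 2^bits) random inputs before two
    share a value, whatever the reduction did to get down to `bits`."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def first_collision(reduce_fn, limit=1 << 20):
    """Feed constructed inputs b'key-0', b'key-1', ... to reduce_fn and return
    (i, j, value) for the first two that agree, or None within `limit`."""
    seen = {}
    for i in range(limit):
        v = reduce_fn(b"key-%d" % i)
        if v in seen:
            return seen[v], i, v
        seen[v] = i
    return None


if __name__ == "__main__":
    print("expected inputs to first 32-bit collision: about %.0f"
          % expected_inputs_for_collision(32))
    for name, fn in (("truncate", truncate32), ("fold", fold32)):
        i, j, v = first_collision(fn)
        print(f"{name}: key-{i} and key-{j} both reduce to {v:08x}")
```

Both reductions turn up a colliding pair after tens of thousands of inputs, as the bound predicts, so the choice between truncating and folding is about speed, as Joe says. What a 32-bit width buys is a check against accidental corruption; it is not a defence against someone who wants a second input with the same value, and no way of squeezing the 128 bits changes that.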



------------------------------

From: "dcole100" <[EMAIL PROTECTED]>
Subject: Re: Anonymous web surfing?
Date: Wed, 21 Feb 2001 18:39:30 -0500

Speaking of the CIA, they just publicly announced that they are going to
use Triangle Boy themselves to hide their own tracks while surfing.

Look it up on msnbc or cnet.

Dan Cole



------------------------------

From: Bryan Mongeau <[EMAIL PROTECTED]>
Subject: Re: Any alternatives to PGP?
Date: Fri, 23 Feb 2001 09:05:18 GMT

Alberto wrote:

> I've decided to leave PGP.
> 
> What is a good alternative?
> 
> 
> Thanks

You can try Pegwit. It achieves the same functions as PGP but uses 
different algorithms. Elliptic curves over GF2^255 are the public key 
component and twofish (I believe, they keep changing it.) is the symmetric 
cipher. It's also fast. Grab version 8 here:

http://disastry.dhs.org/pegwit/v8/pegwit.htm

They are working on version 9, it should be out soon. Version 8 is 
susceptible to Nigel Smart's attack on GF2^m curves where m is not prime. 
Although not fatal, it does reduce v8's overall security. Keep in mind it's 
a work in progress.

Hope this helps.
-- 
<=====================================>
Bryan Mongeau
Lead Developer, Director
eEvolved Real-Time Technologies Inc.
Website:    http://www.eevolved.com
Public key: http://eevolved.com/bcm.pk
<=====================================>

"Let us understand what our own selfish genes are up to, because we may 
then at least have a chance to upset their designs, something that no other 
species has ever aspired to do." -- Richard Dawkins


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
