Cryptography-Digest Digest #926, Volume #13      Sat, 17 Mar 01 12:13:01 EST

Contents:
  Re: Computing power in the world (those who know me have no need of my name)
  Re: Key Recovery System/Product ("Arnold Shore")
  Re: OT: TV Licensing - final answer - sorry for xpost (Dave Howe)
  Re: primes for Blum Blum Shub generator (those who know me have no need of my name)
  Re: NTRU, continued... ("Daniel Lieman")
  Re: NTRU, continued... ("Daniel Lieman")
  Re: Key Recovery System/Product (those who know me have no need of my name)
  Re: NTRU, continued... (Robert Harley)
  Re: Anonymous web browsing (Anonymous)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (John Savard)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (John Savard)
  Re: What do we mean when we say a cipher is broken?  (Was Art of Cryptography) (John Savard)
  Re: Computing power in the world (Frank Gerlach)
  Re: SSL secured servers and TEMPEST (Frank Gerlach)
  Re: How to eliminate redondancy? (SCOTT19U.ZIP_GUY)
  Re: What do we mean when we say a cipher is broken?  (Was Art of (William Hugh Murray)
  Re: Computing power in the world ("Trevor L. Jackson, III")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Computing power in the world
Date: Sat, 17 Mar 2001 14:13:27 -0000

<98vile$2e1$[EMAIL PROTECTED]> divulged:

>But if a program runs in 3
>months on a 1 MIPS computer, then one would expect it to run in 5
>minutes on a 26 GIPS computer.

data volume and bandwidth will probably become factors, as i doubt that 
the 26,000 times faster computer will have a corresponding increase in 
memory size or bandwidth (between memory and processor, at least).

-- 
okay, have a sig then

------------------------------

From: "Arnold Shore" <[EMAIL PROTECTED]>
Subject: Re: Key Recovery System/Product
Date: Sat, 17 Mar 2001 09:21:33 -0500

Ummm, that'll do it for me.  Tnx, and sorry for the nntp bandwidth, but ur
addr ... .

as

they told me to Resist Authority!
but I'm a contrarian, so I agreed



------------------------------

From: Dave Howe <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: OT: TV Licensing - final answer - sorry for xpost
Date: Sat, 17 Mar 2001 14:18:47 +0000

In our last episode (<alt.security.pgp>[Sat, 17 Mar 2001 11:06:31
+0000]), David Hayward <[EMAIL PROTECTED]> said :
>The actual offence is "TV licence payment evasion" and is covered
>under the Wireless Telegraphy Act 1940 sect 1. I am fairly sure you
>would have to be "operating" a TV set without a licence for a
>prosecution to be worth while as I am led to understand that the
>guideline sentence is a discharge or fine for the offence. HTH
The current situation is odd though - a TV used only for a video
recorder to play pre-recorded movies does not require a licence, but
one used as a monitor for early computers that had a PAL output does -
Not entirely sure why.
--== DaveHowe ( is at) Bigfoot dot com ==--

------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: primes for Blum Blum Shub generator
Date: Sat, 17 Mar 2001 14:37:50 -0000

<98vl5k$r7a$[EMAIL PROTECTED]> divulged:

>I'm sorry I'm so boring ::)))))))))) but I must be blind ..or something.
>I am looking for BN_generate_prime for 2-3 hours and I can not find it
>::((((( If it is not in bn_prime.c, 

it is.  line 132 in version 0.9.6.

-- 
okay, have a sig then

------------------------------

From: "Daniel Lieman" <[EMAIL PROTECTED]>
Subject: Re: NTRU, continued...
Date: Sat, 17 Mar 2001 14:43:05 GMT

Hi -

Dan Bailey recently posted performance numbers - I'll copy his post here.

Daniel Lieman
===============cut here for Dan Bailey's post=========================

NTRU works nicely in constrained environments because it's fast, taking
less time and battery life. For ease in comparison, consider Pentium
III/800 MHz performance.  Consider Wei Dai's excellent Crypto++ library
since it runs thereon and most people can agree it's a good, independent
implementation of RSA and ECC.  NTRU timings from NTRU's NERI toolkit:

Function        Units         NTRU 251   RSA 1024   ECC 155
Enc Keygen      Keys/sec          1512                  259
S/V Keygen      Keys/sec          1996
Encrypt         Blocks/sec       16556       2744       132
Decrypt         Blocks/sec        8620         90        70
Sign            Sigs/sec          3215         94       255
Verify          Sigs/sec          3225       2949       151

NTRU code is portable C, no assembly.  ECC numbers over GF(2^155) with
precomputation, signing is ECNR, encryption is ECIES.  RSA 1024 has e=3.
There's a similar speed advantage on constrained devices, it's just that
reliable, independent RSA and ECC numbers are harder to come by.

Beyond that, anecdotal information suggests even with better
performance, NTRU's footprint and gate count are much smaller than
either RSA or ECC.

Cheers
Dan

PS Yes, I work for NTRU.



------------------------------

From: "Daniel Lieman" <[EMAIL PROTECTED]>
Subject: Re: NTRU, continued...
Date: Sat, 17 Mar 2001 15:00:15 GMT

> Hi -
>
> Dan Bailey recently posted performance numbers - I'll copy his post here.

OK, let me reformat that....his post is below (again!) but I've (tried to)
reformat the numbers so they are legible :).

Daniel Lieman

> ---------------cut here for Dan Bailey's post-------------------------
>
> NTRU works nicely in constrained environments because it's fast, taking
> less time and battery life. For ease in comparison, consider Pentium
> III/800 MHz performance.  Consider Wei Dai's excellent Crypto++ library
> since it runs thereon and most people can agree it's a good, independent
> implementation of RSA and ECC.  NTRU timings from NTRU's NERI toolkit:
>
> Function        Units         NTRU 251   RSA 1024   ECC 155
> Enc Keygen      Keys/sec          1512                  259
> S/V Keygen      Keys/sec          1996
> Encrypt         Blocks/sec       16556       2744       132
> Decrypt         Blocks/sec        8620         90        70
> Sign            Sigs/sec          3215         94       255
> Verify          Sigs/sec          3225       2949       151
>
> NTRU code is portable C, no assembly.  ECC numbers over GF(2^155) with
> precomputation, signing is ECNR, encryption is ECIES.  RSA 1024 has e=3.
> There's a similar speed advantage on constrained devices, it's just that
> reliable, independent RSA and ECC numbers are harder to come by.
>
> Beyond that, anecdotal information suggests even with better
> performance, NTRU's footprint and gate count are much smaller than
> either RSA or ECC.
>
> Cheers
> Dan
>
> PS Yes, I work for NTRU.
>
>



------------------------------

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: Key Recovery System/Product
Date: Sat, 17 Mar 2001 15:05:28 -0000

<991un8$7v0$[EMAIL PROTECTED]> divulged:

>Ummm, that'll do it for me.  Tnx, and sorry for the nntp bandwidth, but ur
>addr ... .

use all the bandwidth you like.  there's over 200 gig per day of netnews 
these days, another few hundred or thousands of bytes won't kill anyone.

-- 
okay, have a sig then

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: NTRU, continued...
Date: 17 Mar 2001 16:16:07 +0100


"Daniel Lieman" <[EMAIL PROTECTED]> writes:
> 4) NTRU has a speed advantage on EVERY platform I've seen, including
> constrained devices (ST Microelectronics platforms, Palms, SIM chips, etc.)
> as well as larger machines.  *Perhaps* NTRU has a speed advantage?  I'd call
> several orders of magnitude a speed advantage.

Rot-13 is also faster than ECC and RSA.  Given the history of
knapsack-based systems and their (lack of) security, this remark is
very relevant.

While NTRU is interesting, for real applications I wouldn't go near it
with a barge pole until a decade or so of peer review has passed.

Regards,
  Rob.
     .-.               [EMAIL PROTECTED]                 .-.
    /   \           .-.                                 .-.           /   \
   /     \         /   \       .-.     _     .-.       /   \         /     \
  /       \       /     \     /   \   / \   /   \     /     \       /       \
 /         \     /       \   /     `-'   `-'     \   /       \     /         \
            \   /         `-'                     `-'         \   /
             `-'     http://www.xent.com/~harley/Top.html      `-'

------------------------------

Date: Sat, 17 Mar 2001 16:54:03 +0100
From: Anonymous <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: Anonymous web browsing

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1


In article <[EMAIL PROTECTED]>
John M <[EMAIL PROTECTED]> wrote:
# "SCOTT19U.ZIP_GUY" wrote:
# >
# > [EMAIL PROTECTED] (Phil Zimmerman) wrote in
# > <[EMAIL PROTECTED]>:
# >
# > >-----BEGIN PGP SIGNED MESSAGE-----
# > >Hash: SHA1
# > >
# > >Does anyone use any of the anonymous web browsing services such as
# > >Anonymizer or SafeWeb?
# > >
# >
# >   I have used both. However I would bet they are run by the
# > NSA or something similar. SafeWeb does not work with
# > Mozilla or even the latest Netscape. Makes me wonder if
# > they have stock in Microsoft.
# >
# Actually it's the CIA not NSA.
#
# From http://cryptome.org/cia-safeboy.htm
#
# "By NEIL KING JR.
# Staff Reporter of THE WALL STREET JOURNAL
#
# How's this for a curious pairing? Stephen Hsu and his partners at
# SafeWeb Inc. launch a Web site (www.safeweb.com) offering the utmost in
# Internet privacy -- and then hook up with the notoriously intrusive
# Central Intelligence Agency."

have a look at http://anon.inf.tu-dresden.de/index_en.html
their product is under development but seems to be
interesting for normal anonymous web browsing

=====BEGIN PGP SIGNATURE=====
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjqzWEgACgkQf1//eZgmuNPwxQCfRx65YjKPCGwb0f64tysi2SWc
ufAAoKxqI22IHsvkxlckrK3Wb2RZ1cD5
=ySB5
=====END PGP SIGNATURE=====



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of   
Cryptography)
Date: Sat, 17 Mar 2001 15:39:12 GMT

On Sat, 17 Mar 2001 07:10:51 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:

>That is simply an argument from ignorance.  When I looked into
>cryptanalyzing DES-like block ciphers a couple of years ago,
>there were several promising directions for successful C/A of
>such systems.  I didn't get very far with the project due to
>lack of funding, but the more I learned, the less confidence I
>came to have in the strength of such systems.

Shh!!!

>That's a misconception.  From what is now known about rotor
>systems, Enigma-like systems can be cracked with far greater
>ease than was actually done with the bombes.  However, you're
>not going to find the techniques described in the open
>literature.  This actually supports my point -- if you don't
>know how to crack the system, you are apt to place mistaken
>trust in its security.

Shh.

Actually, I suppose this illustrates one of the misconceptions of
secrecy; the assumption that if secrets considered worthy of high
levels of classification are disclosed, anyone will actually pay
attention.

Differential and linear cryptanalysis weren't "obvious" before someone
came up with them; I kicked myself when I first heard of the boomerang
attack, for not thinking of it (I wonder if my subconscious was
playing with it, to explain why I designed the original QUADIBLOC to
be particularly susceptible to it, in hopes to lead to its
invention...) but the fact still is, I didn't.

How many more clever ideas are there out there that might improve the
cryptanalysis of block ciphers? The people at the NSA doubtless know a
few of them that aren't in the open literature - but even *they* don't
know what they're going to come up with next year or next decade.

However, I also know why it is felt that we *don't* need to improve on
128-bit block ciphers. If you have to use public-key methods to get
your key across - if you *insist* on that level of convenience - the
conventional cipher is NOT the weak link. It's very nearly _trivial_
to come up with a super-strong cipher mode or method - I've amused
myself by putting a few on my web page - and so I'm hardly surprised
if academic professionals don't exactly consider this a legitimate
direction of research. It isn't; it's closer to being a game, like
solving crossword puzzles.

What hasn't been found is any way, aside from using bigger prime
numbers, etc., of arbitrarily increasing the strength of public-key
systems. They can't just be made stronger by piling one complication
on another. (Conventional cryptosystems can't _quite_ be made stronger
that easily either; one does have to follow a few simple rules.)

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of  
Cryptography)
Date: Sat, 17 Mar 2001 15:50:01 GMT

On Sat, 17 Mar 2001 03:46:33 GMT, "Trevor L. Jackson, III"
<[EMAIL PROTECTED]> wrote, in part:

>Eh?  Your statement implies that the entropy of the plaintext plays no
>role in the calculation of unicity distance.  I understood that to be
>false.

You are correct. I was hasty, because I wanted to emphasize that it
did _not_ depend, as the question seemed to imply, on the quality or
complexity (i.e. the work factor) of the cipher used.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
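
The point conceded in the exchange above, that unicity distance depends on the plaintext's entropy and the key's entropy but not on the cipher's work factor, can be made concrete. The following is an added example and not code from the digest or from any poster; it uses Shannon's estimate U = H(K) / D with D = log2(N) - H_p (N the alphabet size, H_p the entropy per plaintext symbol), assumes uniformly random keys so that H(K) is the key length in bits, and estimates H_p from unigram letter frequencies of a constructed sample text, which underestimates redundancy and so makes U optimistic (too large).

```python
"""Unicity distance depends on key entropy and plaintext redundancy, not on
the cipher's work factor.

Added example for the exchange above; not code from the digest.  Uses
Shannon's estimate U = H(K) / D with D = log2(N) - H_p.  Assumptions:
keys are uniformly random (H(K) = key length in bits) and H_p is a
zeroth-order (unigram) estimate from a constructed sample, which
underestimates redundancy and therefore overestimates U.
"""
from collections import Counter
from math import log2
from typing import Dict

# Constructed sample plaintext; only the 26 letters are kept for the estimate.
SAMPLE = ("the quick brown fox jumps over the lazy dog while the cryptographers "
          "argue about whether the cipher or the people using it are the weak link")


def letters_only(text: str) -> str:
    """Keep a-z only, lower-cased, so the alphabet size is exactly 26."""
    return "".join(c for c in text.lower() if "a" <= c <= "z")


def unigram_entropy_bits(symbols: str) -> float:
    """Zeroth-order entropy estimate in bits per symbol."""
    if not symbols:
        return 0.0
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * log2(c / n) for c in counts.values())


def redundancy_bits(symbols: str, alphabet_size: int) -> float:
    """D = log2(N) - H_p: bits of redundancy per plaintext symbol."""
    return log2(alphabet_size) - unigram_entropy_bits(symbols)


def unicity_distance(key_bits: float, redundancy: float) -> float:
    """Ciphertext length (in symbols) beyond which only one key is expected
    to fit.  Infinite when the plaintext carries no redundancy: then every
    key decrypts to something equally plausible."""
    if redundancy <= 0:
        return float("inf")
    return key_bits / redundancy


def compare_key_sizes(sample: str) -> Dict[str, float]:
    """The cipher names are labels only: nothing about rounds, S-boxes or
    brute-force cost enters the computation, only key entropy and D."""
    d = redundancy_bits(letters_only(sample), 26)
    return {name: unicity_distance(bits, d)
            for name, bits in (("56-bit key (DES)", 56),
                               ("112-bit key (3DES)", 112),
                               ("128-bit key (AES)", 128))}


if __name__ == "__main__":
    for name, u in compare_key_sizes(SAMPLE).items():
        print(f"{name:20s} U ~ {u:6.1f} letters")
```

Doubling the key length doubles U for the same plaintext statistics, while swapping one block cipher for a far costlier one with the same key length leaves U unchanged; a better entropy model of the plaintext (digram or higher order) lowers H_p and shortens U further.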

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of   
Cryptography)
Date: Sat, 17 Mar 2001 15:26:28 GMT

On Sat, 17 Mar 2001 07:10:51 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:
>William Hugh Murray wrote:

>> Both history and experience tell me that cryptography is not the
>> weak point in my "system"  nor is cryptanalysis the most efficient
>> attack.

>I don't know what "your system" is, but historically that has not
>been true for other systems.

True, but at present the received wisdom is that since the advent of
the microprocessor, it has become possible to achieve this standard,
and this standard is achieved with modern block ciphers comparable to
the AES.

I think that this received wisdom is at least plausible, and therefore
I think it is a mistake to confront it head-on, in, say, the manner of
David A. Scott. I content myself with modestly and shyly noting that
the power of the microprocessor is such that we can fairly easily
employ cryptosystems quite a bit more elaborate than those in common
use at present.

It is, of course, also important to establish that one can do so
without making security worse instead of better, and that there are at
least grounds for hope that security will be improved.

Unlike most forms of intrusion into security, cryptanalysis (after
interception is accomplished) by an adversary off on his own computer
somewhere doesn't set off any 'alarm bells' for detection and
response. Hence, while it is only a very narrow part of computer
security, there is a class of attacker whose path into your data goes
through that "stake in the ground" in Bruce Schneier's words, and
therefore _some_ attention to cryptography is legitimate.

Incidentally, one trouble with super-high security encryption modes
is, though, that there is no way to pull that kind of trick with
public-key systems; therefore you need secure physical exchange of a
secret key if you want a hope of ascending into these Empyrean realms.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Computing power in the world
Date: Sat, 17 Mar 2001 18:03:42 +0100

Paul Schlyter wrote:

> In article <[EMAIL PROTECTED]>,
> Frank Gerlach  <[EMAIL PROTECTED]> wrote:
>
> > AirBete wrote:
> >
> >> Hi all,
> >>
> >> What is the up-to-date estimate of the total computing power in the world in
> >> mips-years?
> >
> > MIPS-years are a silly metric.
> > Its like asking "how many Megawatt-hours of processing capacity are there ?"
>
> Actually, on my electric bills I et billed after the number of
> kiloWatt-hours I've consumed.
>

Ok, I was imprecise. Maybe I was offended by people who cannot differentiate
between power (something/second) and energy (something).
Lots of reporters didn't understand the difference in the recent Californian
energy crisis.
As this group is prefixed with sci.*, people should understand the difference...


------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: SSL secured servers and TEMPEST
Date: Sat, 17 Mar 2001 18:07:31 +0100

those who know me have no need of my name wrote:

> <[EMAIL PROTECTED]> divulged:
> >
> >My calculation was as follows:  a Video Signal has about 5 MHz of
> >Bandwidth.  Just split that 2 GHz signal into 2000/5=400 5 MHz bands,
> >transform them into the 0..5 MHz base band and then you "just" need
> >400 VCRs to store the signal.
>
> it may be that consumer vcr's aren't the optimum recording devices.

Most probably cheaper to use commercial technology and use it in a
massively parallel setup, instead of designing something
special-purpose.
Guess why Cray Research is on the demise. Lots of plain-vanilla
pentiums are much cheaper for the government...


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: How to eliminate redondancy?
Date: 17 Mar 2001 16:14:49 GMT

[EMAIL PROTECTED] (Joseph Ashwood) wrote in <eJPE0EnrAHA.298@cpmsnbbsa09>:

>No I prefer compression that meets the transform requirements to be
>called a 1-1 onto transform. This has a very well defined meaning in
>computer science, it means simply that every item in the input set maps
>to one and only one member of the output set, and every member of the
>output set maps to one and only one member of the input set.
>Cryptographically I prefer all transforms to be 1-1 onto. What you call
>"1-1" is neither a sub nor superset of the set of 1-1 onto transforms,
>it is a separate set. 
>                                Joe
>

   Joe I think my compression is what you're calling 1-1 onto.
But I also asked what compression you used before you encrypt something.
Take h2com.exe: it maps every member of 8-bit binary files to
one and only one member of the same set.  The reverse maps
every member back.   
For any file X then  Uncompress( Compress ( X)) = X
and also for any file Y then Compress( Uncompress (Y)) = Y
Does this not meet your definition? Does the compression you use
meet this criterion?

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
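
The two identities in the post above, Uncompress(Compress(X)) = X for every X and Compress(Uncompress(Y)) = Y for every Y, are exactly the test for a "1-1 onto" transform, and the second one is the direction ordinary compressors fail. The following is an added example for this thread and is not code from the digest, from h2com.exe or from any poster: it checks both directions over constructed sample strings (every string of length 0..4 over a three-symbol alphabet) for a toy run-length coder, which fails the reverse direction, and for a fixed byte permutation, which is a bijection although it compresses nothing.

```python
"""Round-trip checks for a "1-1 onto" (bijective) transform on byte strings.

Added example; not code from the digest, from h2com.exe or from Crypto++.
Tests the two identities from the post:
    Uncompress(Compress(X)) == X  for every X, and
    Compress(Uncompress(Y)) == Y  for every Y,
on a toy run-length coder (fails the second) and on a fixed byte
permutation (a bijection, although it does not compress).  The sample
strings are constructed for the demonstration.
"""
from itertools import product
from typing import Callable, Iterable, Iterator, Tuple

Transform = Callable[[bytes], bytes]


def rle_compress(data: bytes) -> bytes:
    """Toy run-length coder: one (count, byte) pair per run, 1 <= count <= 255."""
    out = bytearray()
    i = 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes([run, data[i]])
        i += run
    return bytes(out)


def rle_decompress(data: bytes) -> bytes:
    """Inverse of rle_compress.  Streams the coder never emits are either
    rejected (odd length, zero count) or, when they still parse (a run
    split over two pairs), decode to the same output as a canonical stream."""
    if len(data) % 2:
        raise ValueError("truncated pair")
    out = bytearray()
    for count, value in zip(data[0::2], data[1::2]):
        if count == 0:
            raise ValueError("zero-length run")
        out += bytes([value]) * count
    return bytes(out)


# Affine map i -> 167*i + 91 mod 256.  167 is odd, so this permutes the 256
# byte values and is therefore a bijection on byte strings of every length.
_FWD = bytes((167 * i + 91) % 256 for i in range(256))
_INV = bytes(_FWD.index(v) for v in range(256))


def perm_forward(data: bytes) -> bytes:
    return data.translate(_FWD)


def perm_inverse(data: bytes) -> bytes:
    return data.translate(_INV)


def short_strings(alphabet: bytes, max_len: int) -> Iterator[bytes]:
    """Every byte string over `alphabet` with length 0..max_len."""
    for n in range(max_len + 1):
        for symbols in product(alphabet, repeat=n):
            yield bytes(symbols)


def check_bijection(compress: Transform, decompress: Transform,
                    samples: Iterable[bytes]) -> Tuple[int, int]:
    """Return (forward_failures, reverse_failures) over the samples.

    forward: decompress(compress(x)) != x, i.e. the coder loses information.
    reverse: compress(decompress(y)) != y, or decompress rejects y; then y
    is a byte string the compressor can never produce, so the map is not
    onto and its output carries structure a bijective coder would not.
    """
    forward = reverse = 0
    for s in samples:
        if decompress(compress(s)) != s:
            forward += 1
        try:
            if compress(decompress(s)) != s:
                reverse += 1
        except ValueError:
            reverse += 1
    return forward, reverse


if __name__ == "__main__":
    samples = list(short_strings(b"\x00\x01\x02", 4))
    print("toy RLE         :", check_bijection(rle_compress, rle_decompress, samples))
    print("byte permutation:", check_bijection(perm_forward, perm_inverse, samples))
```

Over the 121 sample strings the run-length coder passes every forward check but fails 90 of the reverse ones (odd lengths, zero counts, and adjacent pairs with the same byte that recompress into a single run), while the permutation passes both directions for all of them; a coder meant to be used before encryption has to reach zero failures in the reverse column as well.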

------------------------------

From: William Hugh Murray <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: What do we mean when we say a cipher is broken?  (Was Art of  
Date: Sat, 17 Mar 2001 16:42:32 GMT

"Douglas A. Gwyn" wrote:

> William Hugh Murray wrote:
> > Both history and experience tell me that cryptography is not the
> > weak point in my "system"  nor is cryptanalysis the most efficient
> > attack.
>
> I don't know what "your system" is, but historically that has not
> been true for other systems.
>
> > Indeed, cryptography is astronomically stronger than the weakest
> > link in my system.
>
> The only way such a claim could be justified is if you *know* that
> the protocol of your system is horribly flawed.  In which case,
> why would you want to use it?
>

Perhaps.  All I think that I need to know is that it has people in it.


------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Computing power in the world
Date: Sat, 17 Mar 2001 17:09:35 GMT

Paul Schlyter wrote:

> In article <[EMAIL PROTECTED]>,
> Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>
> > A MIPS-year is a useful metric for measuring the quantity of computation
> > rather than the rate of computation.  Factoring this composite, minimizing
> > that sales route, or extracting a 3DES key from a plaintext/ciphertext
> > pair are all tasks whose size might be measured in MIPS-years.
>
> Trying to crack 3DES, or even 1DES, is preferably done on special
> hardware implementing the DES algorithm: since DES was designed for
> hardware implementations, this will be much faster (= several orders
> of magnitude) than software implementations.
>
> Now, if DES is executed on custom hardware rather than on some CPU,
> it gets somewhat problematic to determine how many "instructions" a
> DES execution requires.  We can measure the time it takes, but not
> how many "instructions" it takes - or one could argue it takes one
> single instruction!

I think the default standard MIPS was a VAX architecture.  In comparison an x86
would not fare well, but an alpha or G4 might be a bit more productive per
instruction.

As for dedicated hardware, I dislike to consider such a device as executing
instructions in the classic JvN sense.  But surely 1DES would take 16 "DES
instructions" and 3DES 48 of the same.

As far as exotica goes, when I find a CPU with a single cycle AES round
instruction and single cycle interval arithmetic instructions, I'll know I'm not
in Kansas any more.  ;-)



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
