Cryptography-Digest Digest #97, Volume #14        Sat, 7 Apr 01 00:13:01 EDT

Contents:
  [LOST AND FOUND] Brain cell belonging to Thomas J. Boschloo (Boschloo Tales)
  Re: Dynamic Substitution Question (John Savard)
  [LOST AND FOUND] Brain cell belonging to Thomas J. Boschloo (Boschloo Tales)
  Re: approximating addition vs. xor? ("Peter L. Montgomery")
  Re: Dynamic Substitution Question (Benjamin Goldberg)
  Re: approximating addition vs. xor? ("Tom St Denis")
  Re: approximating addition vs. xor? ("Matt Timmermans")
  Re: Concerning United States Patent 4979832 (Dynamic Substitution) (Benjamin Goldberg)
  Re: Security of Triple-DES (David Hopwood)
  Re: Security of Triple-DES (David Hopwood)
  Re: RC4 test vectors after gigabyte output?. (David Hopwood)
  Re: New PGP2.6.3(i)n (David Hopwood)
  Re: approximating addition vs. xor? ("Tom St Denis")
  Re: Self Enforcing Protocol (Slightly OT and Long!) (David Hopwood)
  European patents (was Re: Data dependent arcfour ...) (David Hopwood)

----------------------------------------------------------------------------

Date: 7 Apr 2001 01:17:03 -0000
From: [EMAIL PROTECTED] (Boschloo Tales)
Subject: [LOST AND FOUND] Brain cell belonging to Thomas J. Boschloo
Crossposted-To: alt.privacy.anon-server,alt.security-pgp

Did somebody find Thomas J. Boschloo's brain cell?
It has been reported missing since
 ... well ...
 a few years ?
 birth ?

=============================================== 
HISTORY:
That Boschloo bozo is a clown and a troll who has been looming around for nearly a 
year.
Don't mistake a "regular" (troll) for a knowledgeable person: that self-proclaimed 
"security expert" is not even a remailer user. In the past, he proved himself unable 
to check a PGP signature, and got ridiculed on every single technical topic he wanted 
to talk about.
Besides false or inaccurate or misleading technical misinformation, his posts are 
about his avowed mental illness, or for bashing remops or real freedom fighters: he 
likes to quarrel with every one, and stir shit. Sometimes, it is even pure delirium 
(when he misses his pills?)
One of his last actions was to stage a hoax about his own suicide, just to try to grab 
some sympathy, after he had been exposed as a troll and technically incompetent.
The worst being his teasing of Script-Kiddie until it triggered a new flood on apas.
Of course, he refuses to apologize.
Actually, the level of contempt he shows for remailer users:
  they don't give their names, while he does
  that can't do anything against him, without giving their names
is in no way different from what is displayed by Pangborn, Burnore and the like

Ignore him completely, killfile him, respect others' killfiles 

KILLFILE:
To put him in your killfile, put "Author: Boschloo"
That will make both him and the people who warn about him disappear
If you want to tell him to buzz off, or warn about him,
 use a nickname containing "Boschloo" (Boschloo Hater, Boschloo Sucks,...)
 to accommodate such a killfile for "regulars", and still warn newbies

COURAGE:
Boschloo is getting _no_ answer from apas any more.
He has to crosspost to various newsgroups to try to grab some attention.
In a few months, it will be gone.




------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamic Substitution Question
Date: Sat, 07 Apr 2001 01:14:57 GMT

On 6 Apr 2001 18:45:37 -0600, [EMAIL PROTECTED] (Vernon
Schryver) wrote, in part:

>For decades, the
>free symmetric alternatives have been too good to allow the risks of
>dealing with patents.

I certainly agree with this point. I regard symmetric encryption as
essentially a solved problem.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

Date: Fri, 6 Apr 2001 21:23:37 -0400
Subject: [LOST AND FOUND] Brain cell belonging to Thomas J. Boschloo
Crossposted-To: alt.privacy.anon-server,alt.security-pgp
From: Boschloo Tales <[EMAIL PROTECTED]>

NOTICE: This message may not have been sent by the Sender Name 
above.  Always use cryptographic digital signatures to verify 
the identity of the sender of any usenet post or e-mail.



Did somebody find Thomas J. Boschloo's brain cell?
It has been reported missing since
 ... well ...
 a few years ?
 birth ?

=============================================== 
HISTORY:
That Boschloo bozo is a clown and a troll who has been looming around for nearly a 
year.
Don't mistake a "regular" (troll) for a knowledgeable person: that self-proclaimed 
"security expert" is not even a remailer user. In the past, he proved himself unable 
to check a PGP signature, and got ridiculed on every single technical topic he wanted 
to talk about.
Besides false or inaccurate or misleading technical misinformation, his posts are 
about his avowed mental illness, or for bashing remops or real freedom fighters: he 
likes to quarrel with every one, and stir shit. Sometimes, it is even pure delirium 
(when he misses his pills?)
One of his last actions was to stage a hoax about his own suicide, just to try to grab 
some sympathy, after he had been exposed as a troll and technically incompetent.
The worst being his teasing of Script-Kiddie until it triggered a new flood on apas.
Of course, he refuses to apologize.
Actually, the level of contempt he shows for remailer users:
  they don't give their names, while he does
  that can't do anything against him, without giving their names
is in no way different from what is displayed by Pangborn, Burnore and the like

Ignore him completely, killfile him, respect others' killfiles 

KILLFILE:
To put him in your killfile, put "Author: Boschloo"
That will make both him and the people who warn about him disappear
If you want to tell him to buzz off, or warn about him,
 use a nickname containing "Boschloo" (Boschloo Hater, Boschloo Sucks,...)
 to accommodate such a killfile for "regulars", and still warn newbies

COURAGE:
Boschloo is getting _no_ answer from apas any more.
He has to crosspost to various newsgroups to try to grab some attention.
In a few months, it will be gone.



------------------------------

From: "Peter L. Montgomery" <[EMAIL PROTECTED]>
Subject: Re: approximating addition vs. xor?
Date: Sat, 7 Apr 2001 02:01:03 GMT

In article <jrsz6.38769$[EMAIL PROTECTED]> 
"Tom St Denis" <[EMAIL PROTECTED]> writes:
>
>"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
>news:Igsz6.38684$[EMAIL PROTECTED]...
>> So it's sum of R=0 to W of (Z(R) * 2^R) where Z(x) is the number of W-bit
>> integers that only have R bits.
>>
>> That should be the exact solution.  Unfortunately I forgot the binomial
>> formula... time for a websearch... if I am remotely right please respond.
>
>Yup I checked and it appears this is the solution.  I.e
>
>{ sum from R=0 to W { (W choose R)(1/2)^R } } over 2^W.
>
>Tom

     Using the identities

       x + y     = OR(x, y) + AND(x, y)
       EOR(x, y) = OR(x, y) - AND(x, y)

the equation x + y = EOR(x, y) reduces to 2*AND(x, y) == 0.

    If by x + y you mean the two's complement sum
(i.e., modulo 2^W) then you need AND(x, y) == 0 (mod 2^(W-1)).
The bottom W-1 bits of the AND must vanish.  
These events (for different bits) are independent, each with probability 3/4.
The overall probability is (3/4)^(W-1).

    If you also want the carry bit to be clear, then 
you want AND(x, y) = 0, for which the probability is (3/4)^W.

     Tom's formula

          { sum from R=0 to W { (W choose R)(1/2)^R } } over 2^W.

simplifies to (1 + 1/2)^W / 2^W = (3/4)^W, by the binomial theorem.
-- 
The 21st century is starting after 20 centuries complete,
but we say someone is age 21 after 21 years (plus fetus-hood) complete.
        [EMAIL PROTECTED]    Home: San Rafael, California
        Microsoft Research and CWI
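
The two probabilities above, checked by exhaustive enumeration, as an added
example that is not part of the original post. For each width W from 1 to 8
it runs over all 4^W pairs of W-bit x and y and counts how often
(x + y) mod 2^W equals x XOR y (the (3/4)^(W-1) case: no carry into the low
W-1 positions) and how often x + y equals x XOR y as integers, i.e. x AND y
is 0 (the (3/4)^W case), comparing both counts with the closed forms as exact
fractions; it also tests the two OR/AND identities the post starts from on
every pair. The W range and the use of Fraction are the example's own choices.

```python
from fractions import Fraction
from itertools import product


def add_xor_identities_hold(w: int) -> bool:
    """Check x + y == (x | y) + (x & y) and x ^ y == (x | y) - (x & y)
    for every pair of w-bit integers (the identities the post starts from)."""
    for x, y in product(range(1 << w), repeat=2):
        if x + y != (x | y) + (x & y) or x ^ y != (x | y) - (x & y):
            return False
    return True


def count_add_equals_xor(w: int) -> tuple:
    """Return (modular_hits, exact_hits) over all 4^w pairs of w-bit integers.

    modular_hits: pairs with (x + y) mod 2^w == x ^ y, i.e. no carry is
                  generated in any of the low w-1 bit positions.
    exact_hits:   pairs with x + y == x ^ y as integers, i.e. no carry at
                  all, which is the same as x & y == 0."""
    mask = (1 << w) - 1
    modular = exact = 0
    for x, y in product(range(1 << w), repeat=2):
        if ((x + y) & mask) == (x ^ y):
            modular += 1
        if x + y == x ^ y:
            exact += 1
    return modular, exact


def predicted(w: int) -> tuple:
    """Closed forms from the post: (3/4)^(w-1) for the modular sum and
    (3/4)^w when the carry-out must be clear as well."""
    return Fraction(3, 4) ** (w - 1), Fraction(3, 4) ** w


def matches_closed_form(w: int) -> bool:
    """True when the exhaustive counts agree exactly with the formulas."""
    modular, exact = count_add_equals_xor(w)
    total = 4 ** w
    p_mod, p_exact = predicted(w)
    return Fraction(modular, total) == p_mod and Fraction(exact, total) == p_exact


if __name__ == "__main__":
    for w in range(1, 9):
        modular, exact = count_add_equals_xor(w)
        print(f"W={w}: P[add == xor mod 2^W] = {modular}/{4 ** w} "
              f"= {modular / 4 ** w:.5f}, P[x & y == 0] = {exact}/{4 ** w} "
              f"= {exact / 4 ** w:.5f}")
```

The modular count is 4 * 3^(W-1) and the exact count is 3^W, so for W = 7
the two probabilities are 2916/16384 and 2187/16384; the second is the
(3/4)^7 = 0.13348 value quoted later in the thread.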

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Dynamic Substitution Question
Date: Sat, 07 Apr 2001 02:25:14 GMT

Benjamin Goldberg wrote:
> 
> Leaving the internals of any functions and structures unspecified
> (except for their names), is the following an accurate model of Dyn
> Sub?
> 
> opaque table;
> 
> datum dynsub( datum d1, datum d2 ) {
>         datum output = substitute( d1, table );
>         table = permute( table, d1, d2 );
>         return output;
> }
> 
> We'll ignore *how* substitute works internally, and *how* permute
> works internally, so long as permute does indeed use both values to
> change table.
> 
> Is this a valid representation of dynamic substitution, or isn't it?

Terry Ritter responded that this is a valid example of d.s., but d.s.
covers much more than this example.

Let's suppose that type "datum" is not an 8 bit value, but a 64 bit
value, and that "table" isn't a simple table, but the key for a block
cipher.  Does anyone disagree that block ciphers are substitutions?

Does anyone disagree with the idea that a block cipher key represents
one [very large] substitution (if the block cipher is known/fixed)?

We can further state that ANY change in "table" (the cipher key) will
result in a different substitution, and that the new substitution will be a
permutation of the one which "table" represented.  Well, unless the
cipher has some equivalent keys, but we'll ignore that.

Lastly, let's suppose that "permute" is a secure hash function.  After
all, it will with high probability produce a new value for "table", and
that new "table" value will be a permutation of the old one, so it isn't
invalid to call our hash function "permute."

Let's rewrite this, shall we?

int64 dynsub( int64 d1, int64 d2 ) {
        int64 output = E_table( d1 );
        table = H( table, d1, d2 );
        return output;
}

Gee, looks like a variant on a cipher in key feedback mode, doesn't it?

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: approximating addition vs. xor?
Date: Sat, 07 Apr 2001 02:27:11 GMT


"Peter L. Montgomery" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <jrsz6.38769$[EMAIL PROTECTED]>
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
> >
> >"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> >news:Igsz6.38684$[EMAIL PROTECTED]...
> >> So it's sum of R=0 to W of (Z(R) * 2^R) where Z(x) is the number of W-bit
> >> integers that only have R bits.
> >>
> >> That should be the exact solution.  Unfortunately I forgot the binomial
> >> formula... time for a websearch... if I am remotely right please respond.
> >
> >Yup I checked and it appears this is the solution.  I.e
> >
> >{ sum from R=0 to W { (W choose R)(1/2)^R } } over 2^W.
> >
> >Tom
>
>      Using the identities
>
>        x + y     = OR(x, y) + AND(x, y)
>        EOR(x, y) = OR(x, y) - AND(x, y)
>
> the equation x + y = EOR(x, y) reduces to 2*AND(x, y) == 0.
>
>     If by x + y you mean the twos' complement sum
> (i.e., modulo 2^W) then you need AND(x, y) == 0 (mod 2^(W-1)).
> The bottom W-1 bits of the AND must vanish.
> These events (for different bits) are independent, each with probability 3/4.
> The overall probability is (3/4)^(W-1).
>
>     If you also want the carry bit to be clear, then
> you want AND(x, y) = 0, for which the probability is (3/4)^W.
>
>      Tom's formula
>
>           { sum from R=0 to W { (W choose R)(1/2)^R } } over 2^W.
>
> simplifies to (1 + 1/2)^W / 2^W = (3/4)^W, by the binomial theorem.

I am missing something... I originally did have (3/4)^W and I didn't think
it works... which is why I did the binomial way..

Arrg...

Tom



------------------------------

From: "Matt Timmermans" <[EMAIL PROTECTED]>
Subject: Re: approximating addition vs. xor?
Date: Sat, 07 Apr 2001 03:18:24 GMT


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:3Wuz6.39171$[EMAIL PROTECTED]...
> I am missing something... I originally did have (3/4)^W and I didn't think
> it works... which is why I did the binomial way..

(3/4)^7 is about 0.13348, which is pretty close to the value you arrived at
by experimentation.




------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Concerning United States Patent 4979832 (Dynamic Substitution)
Date: Sat, 07 Apr 2001 03:28:57 GMT

John Savard wrote:
> 
> I was startled to see Terry Ritter claiming a broader interpretation
> of his Dynamic Substitution patent than I had imagined had applied.
> 
> However, I see even from the abstract of the patent that it does refer
> to more than I had associated with the term "Dynamic Substitution":
> 
> As I quote from that patent: "Each data value from the first data
> source is transformed by substitution using one of potentially
> multiple translation tables. The translations within each table can be
> changed after each substitution operation using a changes controller.

If a cipher can be considered a substitution table [or rather a set of
substitution tables, of which one is selected by a key], we can define
an example of Dynamic Substitution cipher as the following:

int64 FWD; // FWD represents the table.
int64 ds(int64 DI, int64 RI) {
        int64 DO = E_FWD(DI); // DI is substituted
        FWD = E_RI(FWD); // The table is changed after each substitute.
        return DO;
}

> Commonly, the just-used table is re-arranged or permuted; permutation
> retains invertibility, so that the ciphertext may be deciphered.

My example is invertible, if E has an inverse.
int64 dsinv(int64 DI, int64 RI) {
        FWD = D_RI(FWD);
        return D_FWD(DI);
}

> Thus, the specific design I associated with the term "Dynamic
> Substitution" is indicated as simply a *particular design*.

Right, so other things are Dyn Sub other than that one design.

> Changing elements in the table in other ways than by permuting them is
> also noted.

And surely a permutation which is done using some method other than a
simple swap would also be covered.  Eg, if you added 3 to every element,
that's a permutation.  If you multiply each by 5, mod 2 mod p, that too
would be a permutation.  If you compose the permutation with another
permutation, the result is a permutation.  If the table is a simulated
by a function, and isn't a "real" table, changing the key to the
function is also a permutation.

> Dynamic Substitution operates by taking a table, and modifying that
> table directly by an operation on its entries.

Whoops!  No, it works by making a table, and modifying that table. 
Where did you see mention of operations directly on its entries?

From "http://www.io.com/~ritter/DYNSUB.HTM" :

"The Dynamic Substitution mechanism consists of one or more invertible
substitution tables, and some way to change the arrangement of the
values in the tables."

No mention is made of working with the entries *directly*.  If the table
is E_K, then K+=X changes the arrangement of [most or all of] the values
in the table.

> Replacing an individual
> entry, adding or XORing a quantity with an entry, or exchanging that
> entry with another entry are possibilities.

Among others.

> This allows any possible
> arrangement of the table to be reached, and therefore has an effect
> different from merely producing an effective table from a fixed table
> and an operation with a varying quantity such as XOR or addition.

Ahh, now this is something new, introduced by you.

Nothing in DS requires that any possible arrangement of the table be
reachable.  It's a nice property, and is certainly a property of the
"preferred embodiment" but not one of DS in general.

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.
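
Two concrete instances of the dynsub(d1, d2) model from the two posts above,
as an added example (not code from the posts or from the patent). Instance 1
is a literal 256-entry byte table whose just-used entry is exchanged with
another entry after every substitution, one of the table changes the quoted
abstract lists; instance 2 is Goldberg's rewrite, in which "the table" is the
key of a 64-bit block cipher and the change is a hash of the key and both
inputs, which is what makes it key feedback. The SHA-256-driven shuffle, the
four-round toy Feistel cipher standing in for E, and SHA-256 standing in for H
are this example's assumptions, not anyone's published design. Both instances
are invertible for the reason John Savard gives: the decryptor inverts the
current table first and then applies the same change.

```python
"""Two instances of dynsub(d1, d2): a literal byte table permuted by exchanging
entries, and a key-feedback variant where the "table" is a block-cipher key."""
import hashlib
import struct
from typing import List


class ByteDynSub:
    """Invertible 8-bit substitution; table[d1] is swapped with table[d2] after
    each use, so the same d1 yields a different output the next time."""

    def __init__(self, seed: bytes):
        # Assumed initial table: a Fisher-Yates shuffle driven by SHA-256(seed, i).
        self.table: List[int] = list(range(256))
        for i in range(255, 0, -1):
            r = hashlib.sha256(seed + struct.pack(">I", i)).digest()
            j = int.from_bytes(r[:4], "big") % (i + 1)
            self.table[i], self.table[j] = self.table[j], self.table[i]
        self.inv = [0] * 256                      # inverse table for decryption
        for i, v in enumerate(self.table):
            self.inv[v] = i

    def _swap(self, a: int, b: int) -> None:
        t = self.table
        t[a], t[b] = t[b], t[a]
        self.inv[t[a]], self.inv[t[b]] = a, b

    def encrypt_byte(self, d1: int, d2: int) -> int:
        out = self.table[d1]      # substitute ...
        self._swap(d1, d2)        # ... then change the table using both inputs
        return out

    def decrypt_byte(self, c: int, d2: int) -> int:
        d1 = self.inv[c]          # undo the substitution with the current table
        self._swap(d1, d2)        # then apply the identical change
        return d1


class KeyFeedbackDynSub:
    """output = E_table(d1); table = H(table, d1, d2), with a 64-bit toy Feistel
    cipher as E (assumed here, not a vetted design) and SHA-256 as H."""
    ROUNDS = 4

    def __init__(self, key: bytes):
        self.key = key

    def _f(self, rnd: int, half: int) -> int:
        h = hashlib.sha256(self.key + bytes([rnd]) + struct.pack(">I", half)).digest()
        return int.from_bytes(h[:4], "big")

    def _feistel(self, x: int, decrypt: bool) -> int:
        l, r = x >> 32, x & 0xFFFFFFFF
        if decrypt:                       # inverse: swap halves, rounds backwards
            l, r = r, l
        rounds = range(self.ROUNDS - 1, -1, -1) if decrypt else range(self.ROUNDS)
        for rnd in rounds:
            l, r = r, l ^ self._f(rnd, r)
        if decrypt:
            l, r = r, l
        return (l << 32) | r

    def _rekey(self, d1: int, d2: int) -> None:
        # The "permute" step: every use replaces the key, hence key feedback.
        self.key = hashlib.sha256(self.key + struct.pack(">QQ", d1, d2)).digest()

    def encrypt_block(self, d1: int, d2: int) -> int:
        out = self._feistel(d1, False)
        self._rekey(d1, d2)
        return out

    def decrypt_block(self, c: int, d2: int) -> int:
        d1 = self._feistel(c, True)
        self._rekey(d1, d2)       # same (d1, d2) the encryptor used
        return d1


def byte_roundtrip(plaintext: bytes, confusion: bytes, seed: bytes) -> bytes:
    """Encrypt then decrypt; both sides consume the same confusion stream d2."""
    enc, dec = ByteDynSub(seed), ByteDynSub(seed)
    ct = bytes(enc.encrypt_byte(p, c) for p, c in zip(plaintext, confusion))
    return bytes(dec.decrypt_byte(x, c) for x, c in zip(ct, confusion))


def block_roundtrip(blocks: List[int], confusion: List[int], key: bytes) -> List[int]:
    enc, dec = KeyFeedbackDynSub(key), KeyFeedbackDynSub(key)
    ct = [enc.encrypt_block(p, c) for p, c in zip(blocks, confusion)]
    return [dec.decrypt_block(x, c) for x, c in zip(ct, confusion)]


if __name__ == "__main__":
    # Constructed input: a repeated plaintext byte and a SHA-256-derived d2 stream.
    pt, conf = b"AAAAAAAA", hashlib.sha256(b"confusion").digest()[:8]
    s = ByteDynSub(b"seed")
    print([s.encrypt_byte(p, c) for p, c in zip(pt, conf)])   # varies with d2
    print(byte_roundtrip(pt, conf, b"seed") == pt)
```

With the byte table, two consecutive substitutions of the same d1 with
d2 != d1 can never give the same output, because the just-used entry has
been moved away before the second lookup; the key-feedback instance has no
such guarantee, only the different key on every use.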

------------------------------

Date: Sat, 07 Apr 2001 03:48:16 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: Security of Triple-DES

=====BEGIN PGP SIGNED MESSAGE=====

Jonathan Thornburg wrote:
> For further details, here are 2 references on 3DES attacks (which
> contain the results Joseph Ashwood referred to):
> 
>      Stefan Lucks,
>      "Attacking Triple Encryption,"
>      Fast Software Encryption '98, Volume 1372 of Lecture Notes in
>      Computer Science (S. Vaudenay, ed.), Springer-Verlag, 1998.
>      http://th.informatik.uni-mannheim.de/m/lucks/papers.html
> 
>      H. Handschuh, B. Preneel, On the security of double and 2-key
>      triple modes of operation. L. Knudsen (Ed) 6th FSE, LNCS 1636.
>      Springer-Verlag, 1999.

The latter is also at <http://perso.enst.fr/~handschu/fse6.ps>.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOs5/5TkCAxeYt5gVAQET2Af/e8ByBONh/Vv6P1lH+7ND9KKNok61XBeE
PD1YE8n3PBGBE9FfbkJ4y8ntLaOwsOC47bAodxalFxtq0ta0Dh5WK1XIyqOD9YLe
Y0TDnej12FBukdn+rBndjyaqkPZDCRkfUMZOHyndabUQab2R414aMR2afN0AneYy
/kmXAUc02bVdvb/QlRdA7nwk2AfTaiG6N7sbE3UwyPGMJQ+0fRqo9KWeB642pdiw
P9hP847CpolAFklq9UUsl1vBZCdWPSZYA5ja+SSfXy/VK9T4f/gb5obhUCEBHWJp
UD9b52Nzwr502WCd80BMiovKMw1VGexMRze03sRACUQPYBPfEcqGZA==
=ebco
=====END PGP SIGNATURE=====

------------------------------

Date: Sat, 07 Apr 2001 04:03:23 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: Security of Triple-DES

=====BEGIN PGP SIGNED MESSAGE=====

David Hopwood wrote:
> Jonathan Thornburg wrote:
> > For further details, here are 2 references on 3DES attacks (which
> > contain the results Joseph Ashwood referred to):
> >
> >      Stefan Lucks,
> >      "Attacking Triple Encryption,"
> >      Fast Software Encryption '98, Volume 1372 of Lecture Notes in
> >      Computer Science (S. Vaudenay, ed.), Springer-Verlag, 1998.
> >      http://th.informatik.uni-mannheim.de/m/lucks/papers.html
> >
> >      H. Handschuh, B. Preneel, On the security of double and 2-key
> >      triple modes of operation. L. Knudsen (Ed) 6th FSE, LNCS 1636.
> >      Springer-Verlag, 1999.
> 
> The latter is also at <http://perso.enst.fr/~handschu/fse6.ps>.

Correction: although it is linked to from
<http://perso.enst.fr/~handschu/handschuh.html>, the paper
doesn't actually appear to be there.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOs6DXDkCAxeYt5gVAQGDWwgAxe+dD3w6ShUVTvOof0G3zQMinhvYz0Sc
1jgm3wKr/ZJPaZQpdcREVyhs/Xi6+p1D/UYQ8SilG4ps2waLCvo4xB3gd0MykhzD
njmHBic9kIqHCxXbutVJz/EubAs5FCxMdJt0tH7Y+iF1ZlH6uv4agBAO06jajahE
UbQRb4hFphjdn+oDyNuAsyXwSW7gqOYs5zE5Xv0gwaJh/ttBn6H9ItT354UkQE25
K0BUHKi2MD5Af3Q5S1vmOjpq0wN3BW6XDodExvlC7xWotE5delFWii87sG/Osi8w
iadcYIlKyZBxZYbHJiWoYl4Bgpetjyaw0ZZsVeHdCrInhjXv0ngLeg==
=jdTt
=====END PGP SIGNATURE=====

------------------------------

Date: Sat, 07 Apr 2001 04:04:54 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: RC4 test vectors after gigabyte output?.

=====BEGIN PGP SIGNED MESSAGE=====

Scott Fluhrer wrote:
> Gregory G Rose <[EMAIL PROTECTED]> wrote in message
> news:99lpc0$[EMAIL PROTECTED]...
> > As Luis has pointed out, my test vectors don't
> > agree as stated with the normal RC4. This is
> > beacuse I forgot to tell you all one important
> > point.
> >
> > In my code, I throw away 256 outputs from RC4
> > automatically as part of the keying process. This
> > is to avoid the correlation of the first output
> > byte(s) with key bytes, as observed first by
> > Kocher I think.

> I thought it was Andrew Roos.  If Kocher does have something published on
> it, could I have a reference?  I'm trying to keep track of everything
> published on RC4.

From the RC4 entry in SCAN
(http://www.users.zetnet.co.uk/hopwood/crypto/scan/):

  [Def] Bruce Schneier,
  "Section 17.1 RC4,"
  Applied Cryptography, Second Edition, John Wiley & Sons, 1996. 

  [Def] Anonymous,
  Subject: RC4 Algorithm revealed,
  Posting to Usenet newsgroups sci.crypt, alt.security, comp.security.misc,
  and alt.privacy, September 14 1994 (reposting of a message to the
  cipherpunks mailing list).
  (Message-ID: <[EMAIL PROTECTED]>) Archived at
  ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/rc4.revealed.gz 

  [An] Andrew Roos <[EMAIL PROTECTED]>,
  A Class of Weak Keys in the RC4 Stream Cipher,
  Preliminary draft, November 1997.
  http://www.tik.ee.ethz.ch/~mwa/RC4/WeakKeys.txt 

  [An] David Wagner,
  Subject: Re: Weak Keys in RC4,
  Posting to sci.crypt, September 26 1995.
  (Message-ID: <447o1l$[EMAIL PROTECTED]>) Archived at
  http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys 

  [An] John Kelsey, Bruce Schneier, David Wagner,
  "Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and
   Triple-DES",
  Advances in Cryptology - CRYPTO '96 Proceedings, pp. 237-251.
  Springer-Verlag, August 1996.
  http://www.counterpane.com/key_schedule.html 

  [An] Jovan Golic [c-acute],
  "Linear Statistical Weakness of Alleged RC4 Keystream Generator,"
  Advances in Cryptology - EUROCRYPT '97 Proceedings, Volume 1233 of
  Lecture Notes in Computer Science (W. Fumy, ed.) Springer-Verlag, 1997.

  [An] S. Fluhrer, D. McGrew,
  "Statistical Analysis of the Alleged RC4 Keystream Generator,"
  Presented at Fast Software Encryption 2000, New York.
  http://www.mindspring.com/~dmcgrew/rc4-03.pdf


I don't know of anything published by Kocher on RC4.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOs6DuDkCAxeYt5gVAQHGpggAwzd8n6+gh55HXmNlSYdQrA+QIOlyvj1y
V2CtV9YLZVAapt5kPid87onrfqWKPyMxbmob2Q9NQ7qV4/w9tcsKcL6RADy1SbWo
ousP/iM3EunQMu2zXoHPikSbt0Pu4w/swvcxpH5VQnGmGyvehkWt8ToJNS6gLUGc
m4YDL/UWnzPbWYg/SjDmAEupQ3dcVzsJFM263wQKnD2eQOKQm7GvOerZn5H62mwZ
c69H26CzFn2Xhk//E3efSHa3bV7jcac1/OEKxYwhole+nDk/zRC8IChCCmFq9hFi
alwh2i55pWWs6rR2b2hLqCLxuD1SoNLH6CzzvS4fEWudQ8wbB8CzpA==
=42jc
=====END PGP SIGNATURE=====
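
RC4 with the "throw away the first n outputs" step from the post above, plus a
measurement of the key-byte correlation it is meant to remove, as an added
example (not Greg Rose's or anyone else's posted code). The weak-key class is
the one from the Roos draft listed above: keys with K[0] + K[1] = 0 (mod 256).
The reason for the bias is the editor's own reading of the key schedule, not
something stated on the page: for such keys the i = 1 step leaves S[1] = 1 and
the i = 2 step puts K[2] + 3 into S[2]; both entries survive the remaining 253
swaps with probability about (1 - 2/256)^253, roughly 0.14, and the first
output byte is then S[S[1] + S[S[1]]] = S[2] = K[2] + 3. The constructed keys
come from a seeded PRNG so the measurement is repeatable.

```python
"""RC4 with drop-n and an empirical check of the first-byte weak-key bias."""
import random
from typing import Iterator, List


def rc4_ksa(key: bytes) -> List[int]:
    """Key scheduling: a key-driven permutation of 0..255."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, drop: int = 0) -> Iterator[int]:
    """Yield keystream bytes, discarding the first `drop` of them."""
    s = rc4_ksa(key)
    i = j = produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        z = s[(s[i] + s[j]) & 0xFF]
        produced += 1
        if produced > drop:
            yield z


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse)."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def weak_key_first_byte_bias(trials: int, drop: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys with K[0] + K[1] == 0 (mod 256) whose
    first *emitted* keystream byte equals (K[2] + 3) mod 256.  An unbiased
    generator would score about 1/256."""
    rng = random.Random(seed)                 # constructed, repeatable keys
    hits = 0
    for _ in range(trials):
        k = bytearray(rng.randrange(256) for _ in range(16))
        k[1] = (-k[0]) & 0xFF                 # force the weak-key condition
        if next(rc4_keystream(bytes(k), drop)) == (k[2] + 3) & 0xFF:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("no drop :", weak_key_first_byte_bias(2000, 0))      # around 0.14
    print("drop 256:", weak_key_first_byte_bias(2000, 256))    # around 1/256
```

The drop parameter is applied to both directions, so the two sides simply
agree on n; the stream for (key, n) is the stream for (key, 0) with its first
n bytes removed, which the test below checks directly.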

------------------------------

Date: Sat, 07 Apr 2001 04:05:23 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Crossposted-To: de.comp.security.misc
Subject: Re: New PGP2.6.3(i)n

=====BEGIN PGP SIGNED MESSAGE=====

Lutz Donnerhacke wrote:
> ftp://ftp.iks-jena.de/mitarb/lutz/crypt/software/pgp/pgp263in/
> 
> 20010322:
>   - Protect against the Czech attack of modified secret key files. (Cool!)

How exactly did you do this? The most obviously secure approach would be
to add authentication of the ciphertext (e.g. using a MAC), but that would
be an incompatible format change for keyring files. Other validity checks
are possible, but which ones did you use?

(I've thought for a long time that passphrase-based symmetric encryption
algorithms should be designed to be secure against chosen ciphertext
attacks, but I can't really say "I told you so" for this bug, since I
don't think I ever published that opinion.)

>  - Protect against MPI computing errors. (more program errors than
>    Bellcore)

Has anyone gone through the MPI library with a fine tooth comb trying to
find bugs?

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOs4sGTkCAxeYt5gVAQE9GAf+N3a+0nQ/1DqlAtM9epmsnzDPKukJXD9v
4JcZXy+FNHVxDsQ6GbgW0WL40MuSDPvL4rqTX8aiZa04wq4UbtxLRrVq2dH4Vmlc
5/0A0bJQv2wpE6j2x82cKBG8za8NKSJ/NaTdYYzm2TbRrJRMzZsw2Sbq9G4FAnzx
JymGiOFUanbkAYnOv1bCLV6Z4a5M0p9/eS9RJU+fomQUat34SOF2Efd0qDXtQOvS
rGu5QwwCP8JGn0bmK21nQIE/v8tVizYcSiUUoXeHDGM83tjSMdCSJXKr5sbCTbXP
c1Wp74Gx48pexfQC4AclVTBueHJ545SPFQCiT5cKPGKzilujQ0moAA==
=qbIJ
=====END PGP SIGNATURE=====
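
The "add authentication of the ciphertext" approach suggested in the reply
above, written out as an added example beside the unauthenticated form it
replaces (this is not PGP 2.6.3in's code and not its key-file format). The
record layout, PBKDF2 as the passphrase KDF, and a SHA-256 counter-mode
keystream standing in for a real cipher are this example's assumptions; what
carries over is the structure: derive separate encryption and MAC keys from
the passphrase, compute the MAC over everything stored, and refuse to decrypt
a secret-key record whose tag does not verify. As the reply notes, this is an
incompatible format change, which the trailing tag makes visible.

```python
"""Encrypt-then-MAC for a passphrase-protected secret-key record, next to the
unauthenticated form.  Layout, KDF and the keystream are assumptions."""
import hashlib
import hmac
import os
import struct

KDF_ITERATIONS = 100_000          # assumed PBKDF2 cost; tune for the platform


def derive_keys(passphrase: bytes, salt: bytes) -> tuple:
    """Two independent 32-byte keys from one passphrase: encryption and MAC."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256(key || nonce || counter) XORed into data.
    It is malleable: flipping a ciphertext bit flips the same plaintext bit,
    and nothing in the ciphertext itself reveals that this happened."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", blk)).digest()
        out.extend(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


def seal_unauthenticated(passphrase: bytes, secret: bytes) -> bytes:
    """Old-style record: salt || nonce || ciphertext, nothing binds the bytes."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, _ = derive_keys(passphrase, salt)
    return salt + nonce + keystream_xor(enc_key, nonce, secret)


def open_unauthenticated(passphrase: bytes, blob: bytes) -> bytes:
    """Decrypts anything of the right shape; a modified file is not detected."""
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    enc_key, _ = derive_keys(passphrase, salt)
    return keystream_xor(enc_key, nonce, ct)


def seal_authenticated(passphrase: bytes, secret: bytes) -> bytes:
    """New-style record: salt || nonce || ciphertext || HMAC over all of it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = salt + nonce + keystream_xor(enc_key, nonce, secret)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_authenticated(passphrase: bytes, blob: bytes) -> bytes:
    """Check the tag (constant-time) before touching the ciphertext, so a
    tampered key file is refused instead of yielding a corrupted secret key."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("secret key file failed authentication")
    return keystream_xor(enc_key, nonce, ct)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Constructed tampering: invert one stored byte."""
    b = bytearray(blob)
    b[index] ^= 0xFF
    return bytes(b)


def tamper_outcome(passphrase: bytes, secret: bytes) -> tuple:
    """Flip ciphertext byte 8 in both formats (file offset 40) and report
    (old format handed back a wrong key silently, new format refused)."""
    old = open_unauthenticated(passphrase, flip_byte(seal_unauthenticated(passphrase, secret), 40))
    silently_wrong = old != secret
    try:
        open_authenticated(passphrase, flip_byte(seal_authenticated(passphrase, secret), 40))
        refused = False
    except ValueError:
        refused = True
    return silently_wrong, refused
```

The MAC key must come from the same passphrase as the encryption key (there
is nothing else the user supplies), which is why one KDF call yields both
halves; a wrong passphrase therefore fails the tag check too, giving one
uniform "refused" path for tampering and for mistyped passphrases alike.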

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: approximating addition vs. xor?
Date: Sat, 07 Apr 2001 03:55:41 GMT


"Matt Timmermans" <[EMAIL PROTECTED]> wrote in message
news:4Gvz6.609165$[EMAIL PROTECTED]...
>
> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:3Wuz6.39171$[EMAIL PROTECTED]...
> > I am missing something... I originally did have (3/4)^W and I didn't think
> > it works... which is why I did the binomial way..
>
> (3/4)^7 is about 0.13348, which is pretty close to the value you arrived at
> by experimentation.

Oh I did (3/4)^8 not 7...

Tom



------------------------------

Date: Sat, 07 Apr 2001 04:05:59 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: Self Enforcing Protocol (Slightly OT and Long!)

=====BEGIN PGP SIGNED MESSAGE=====

Jim Farrand wrote:
> John Joseph Trammell wrote:
> 
> > [protocol snipped for brevity]
> > I like it.  Have you done any research on other SEPs in this genre?
> > Maybe you (and I) are reinventing the wheel.
> 
> I'm not that sure where to look.  I did a search of the web but I didn't
> get anything more interesting than definitions of SEPs.

A lot of work was done on this (mainly) in the 1980s under the heading of
"poker protocols" or "mental poker" - the same techniques should apply to
any game that involves dealing random cards. If you have the Springer-Verlag
CD of CRYPTO/EUROCRYPT proceedings [*], use the search applet to look for
"poker".


[*] or if you don't, but can find the copy that is (illegally?) on the web.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOs4y2DkCAxeYt5gVAQF4EwgAxFtI7uexn3oRu8ElztKXiCchxrM5pX0k
wTQJuL1onjBDmmQ4lPva0XsrXxjY4tjrR97DyOka/O83+NGX7fuCwGIeSE/DMpEh
kCI3tHoeI1/MqWhxRYrAuBpAzuKM79FaT+nT7VuymTr6vvrFHMHOZsjBIqwsWFmA
O4yJ7E/fuU2jh/xnfepeUtG4m/VOXrTamWGQ3zhn77pTNcCvBqV3Akip4e00VvGU
xlvjLTdb9BIKX312CreCT/0S9Zn45pUXu0BVIhll/mejSovResUabEwHqQni/ZZZ
DqNeJxGr4QC1u+g8T2QypYE0UxGp7HQ/UC6chh4hlMGNV5+BCfb77Q==
=aVXL
=====END PGP SIGNATURE=====

------------------------------

Date: Sat, 07 Apr 2001 04:06:39 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: European patents (was Re: Data dependent arcfour ...)

=====BEGIN PGP SIGNED MESSAGE=====

Terry Ritter wrote:
> On Mon, 26 Mar 2001 02:43:01 +0200, in
> <99m37h$4p1$[EMAIL PROTECTED]>, in sci.crypt "Henrick
> Hellström" <[EMAIL PROTECTED]> wrote:
> 
> >"Terry Ritter" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> If "certain countries" is intended to slight the US, I just note that
> >> entirely similar patent laws are in force in Europe.  Dynamic
> >> Substitution is not a "software patent."
> >
> >Sorry, no. You cannot get a European patent for software, algorithms etc.

More precisely, you *should not* be able to get such patents, under
European law. Whether you can actually get such a patent depends on whether
the examiner(s) are correctly applying the law.

> >You can only get European patents for inventions patentable in all EU
> >member states. Software etc does not belong to this category.
> 
> Sorry, no.
> 
> The IDEA cipher is patented in Europe.  That granted patent protects
> against software implementations in Europe.

The European patent on IDEA is an example of a patent that should not have
been granted. (Clearly, patent examiners do not always take proper account
of the restrictions on patentability; there are numerous instances of that.)
It has never been challenged, so there is no way to tell whether it would
stand up in court.

-- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOs5h7TkCAxeYt5gVAQGw4ggAmYyyj8NTjLcfgML03KTI+wWYHIk/0LEs
MTyRL94lEuuGQjCb4GCcwLGt4v2ePpotapVr4/olPoGiWP3AJuhHcyv5UKVetOJ3
exagPC0M/jJDTSwn87DC1L8s7APOKmq0pkG2fE1QNO3HXHOFulJ1s++lWnSvgOCd
sfdsQWYSyKb5Nep2FNIZ/axcnKwWg1m0ibxdLDDsol5NP0WvsZDlo0Z48F8T9E0B
jxWxyLw7S3lbN3y4f18ZKJwb3HOQQb5p9ZGl95zsakV4mPTMU/gu85vIyEShMY7i
S1eyRvsjPI4fmD85MO1n/8nZ7vTtNUaO/Lf/mf9/yD9hwUiqQDzu4A==
=uC7I
=====END PGP SIGNATURE=====

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
