Cryptography-Digest Digest #259, Volume #14      Sat, 28 Apr 01 06:13:00 EDT

Contents:
  Re: "I do not feel secure using your program any more." ("Tom St Denis")
  Re: Secure Digital Music Initiative cracked? ("Douglas A. Gwyn")
  Re: Question on p and q ("Scott Fluhrer")
  new encryption idea ("G. Orme")
  Re: There Is No Unbreakable Crypto ("Henrick Hellström")
  speeding up exponentiation ("Tom St Denis")
  Re: speeding up exponentiation (Paul Rubin)
  Re: Censorship Threat at Information Hiding Workshop (wtshaw)
  Re: Combining two plaintexts into ciphertext (Ken Savage)
  Re: Thames Bridge Cipher ("Brian Gladman")
  Re: Thames Bridge Cipher ("Sam Simpson")
  Re: Censorship Threat at Information Hiding Workshop (Jonathan Edwards)
  Re: Shortcut ElGamal (Bryan Olson)
  Re: Censorship Threat at Information Hiding Workshop (Bryan Olson)

----------------------------------------------------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: "I do not feel secure using your program any more."
Date: Sat, 28 Apr 2001 04:16:36 GMT

"Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> anon wrote:
> >
> > Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > "I do not feel secure using your program any more."
> > >
> > > You sure jumped to a hasty conclusion.
> > >
> > > Again, using the methods of OAP-L3 to generate your random
> > > digit sequences is just the first step of creating your OTPs.
> > > And since I believe you would agree that even if you started
> > > with a known file containing the sequences of 0123456789 of
> > > length 18,144,000 bytes and this becoming very quickly
> > > practicably impossible to guess using the methods from OAP-L3,
> > > then by actually generating the random digit files using OAP-L3
> > > makes this impossibility that much more impossible.
> >
> > What will you use to reorder those data?
> > Surely the process can easily be recreated, thus your data is not
> > safe?
> >
> > - Dan
> >
> > "clearly you are an inDUHvidual, just like everyone else" -
> > unattributed.
>
> Please, admit you do not know what you are talking about, do you.
>
> What do you know about OAP-L3?

Well saying it's not safe may be a bit much, but it "can" be
recreated.






------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Secure Digital Music Initiative cracked?
Date: Sat, 28 Apr 2001 04:17:51 GMT

David A Molnar wrote:
> ... It still shocks me that the RIAA can do what the NSA did not -
> prevent a paper from being presented at a public conference.

Actually the paper you're thinking of was the subject of personal
attention by an NSA employee working outside the proper scope of
his duties, and the Agency didn't back him up.  But anyway, the
big difference is that Congress passed that stupid unconstitutional
law, which the SDMI lawyers can wave as a big threatening stick.

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Question on p and q
Date: Fri, 27 Apr 2001 21:11:36 -0700


Dopefish <[EMAIL PROTECTED]> wrote in
message news:3aea37b8$[EMAIL PROTECTED]...
> Phi (N) = 1 if prime
Obnit: Phi(N) = N-1 if N is prime

> Brett <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Hi,
> >
> > Pardon if this is ridiculously easy, but I consulted the FAQ
> > before posting and do not find it in there.
> >
> > Public key cryptography relies on two very large primes p and
> > q to be multiplied together to form a larger number N that makes
> > up the public key.  My question is:  How does one find such
> > large primes in the first place and verify that they are primes
> > in a reasonable time.  If you have a 4096-bit key, N is approx.
> > 10 ^ 1233 in size.  p and q must be somewhere in the 10 ^ 600
> > range ... How does one go about creating a prime that big, and
> > making sure it is in fact prime?
> >
> >
> > Brett
>
>



------------------------------

From: "G. Orme" <[EMAIL PROTECTED]>
Subject: new encryption idea
Date: Sat, 28 Apr 2001 04:27:45 GMT

    This is just an idea that will probably be flawed at this stage, but it
seems like a different approach. The idea is that one must guess an
encrypting algorithm instead of a password.
    Here is a basic example. Say you are encrypting some text. Letters are
denoted as numbers a=1 to z=26, or some other combination. One has an
equation which on inputting the letter's number (e.g. c=3)  outputs a number
which is the encryption of the letter, called here the output (this number
would be very large). As an illustration say the minimum difference between
any output is a billion or more. That is, no encrypted number representing a
letter is closer than a billion to any other. As an additional enhancement
one could have it so the algorithm changes sequentially after encrypting
each letter in a preagreed way so that for example all the "e"'s wouldn't be
the same number. For example one algorithm encrypts the first letter,
another encrypts the second letter, and so on. The algorithm could change in
a way that is itself algorithm based. Instead of sending a new password one
would send a new algorithm.
    There would also be an additional input of for example random numbers
which can alter the encrypted output number by say plus or minus a million.
The person decoding this would look for say the 6th letter position and find
the number. They would know that with the algorithm and random input this
number should fall in certain ranges to be various letters (in this example
there would be 2 million numbers in the range that denotes a particular
letter).
     If the number did not fall in a range of a letter it would not be
encrypted correctly. For someone to crack this they should have to work out
the algorithm but this is masked by the random numbers. Many algorithms
should fit the message, perhaps ones giving different messages. To further
mask the message instead of using a random number one could input numbers
that make other algorithms likely, point to false messages, mask certain
patterns, etc. The cipher could be used many times, then the algorithm and
random number range changed.
    Any merit to this idea?



------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: There Is No Unbreakable Crypto
Date: Sat, 28 Apr 2001 06:45:17 +0200

I couldn't find the original paper, only quotations of it, and I am
obviously trying to make David Wagner so upset so that he will send it to me
himself. ;-)

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com

"David Wagner" <[EMAIL PROTECTED]> skrev i meddelandet
news:9cd9gb$qst$[EMAIL PROTECTED]...
> Henrick Hellström wrote:
> >As far as I understand the idea of length-doubling PRG, you have to
> >compute the entire tree in advance (or at least all N branches up to
> >the first leaf for a message with N blocks) before you use any part of
> >the keystream.
>
> No, this is incorrect.
> Have you read the proof of security yet?
> If not, why are you commenting on something you don't know about?



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: speeding up exponentiation
Date: Sat, 28 Apr 2001 05:36:48 GMT

I was thinking of a nice way to speed up exponentiation in Z*p some.

Basically my idea is that at some level g^x can be expressed as
g^(z+y) = (g^z)(g^y) where x = z + y.  Let's say you have a 256-bit
exponent (as in the case of DSA right or is it bigger?) anyways...
you do a series of tables say 8-bits wide on the input.  So if you
did a 256 bit exponent there would be 32 8xp tables.  Then you simply
look up each exponent and do 32 muls (instead of the 1.5 * 256 that
would have been required otherwise).  If you were doing DSA with
q=256 bit prime and p=1024 bit integer that would be a series of 32
8x1024 tables which would require 1MB of data not a lot given the
available memory today on desktops.
- --
Tom St Denis
- ---
http://tomstdenis.home.dhs.org


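The fixed-base table scheme sketched in the post above, written out as an added example (not Tom St Denis's code): the exponent is split into 8-bit windows, one table per window holds g raised to every multiple of 2^(8i), and g^x costs one multiplication per window. The prime and generator below are small constructed values; the table count and storage figure reproduce the post's DSA-sized estimate. Note that this only pays off when g is fixed in advance, as it is for a DSA or ElGamal group.

```python
import secrets

def build_tables(g, p, exp_bits=256, window=8):
    """Precompute T[i][d] = g^(d * 2^(window*i)) mod p for every window value d.

    Writing x in base 2^window as x = sum_i d_i * 2^(window*i), the identity
    g^(z+y) = g^z * g^y from the post gives g^x = prod_i T[i][d_i]."""
    n_tables = (exp_bits + window - 1) // window
    tables = []
    base = g % p                       # table i uses base g^(2^(window*i))
    for _ in range(n_tables):
        row = [1] * (1 << window)
        for d in range(1, 1 << window):
            row[d] = row[d - 1] * base % p
        tables.append(row)
        base = row[-1] * base % p      # base^(2^window) for the next table
    return tables

def fixed_base_pow(tables, x, p, window=8):
    """g^x mod p with one multiplication per window of x.

    Caveat: the lookup index is a chunk of the (secret) exponent, so on real
    hardware this leaks through cache timing unless every table entry is
    touched on each step; constant-time lookups are out of scope here."""
    if x < 0 or x >> (window * len(tables)):
        raise ValueError("exponent outside the precomputed width")
    mask = (1 << window) - 1
    result = 1
    for i, row in enumerate(tables):
        d = (x >> (window * i)) & mask
        result = result * row[d] % p   # row[0] == 1, so no branch on d
    return result

def table_bytes(p_bits, exp_bits=256, window=8):
    """Storage: n_tables * 2^window entries of ceil(p_bits/8) bytes each."""
    n_tables = (exp_bits + window - 1) // window
    return n_tables * (1 << window) * ((p_bits + 7) // 8)

if __name__ == "__main__":
    # Constructed toy parameters; a real deployment would use the group's fixed g.
    p, g = 1000003, 2
    tables = build_tables(g, p)
    x = secrets.randbits(256)
    assert fixed_base_pow(tables, x, p) == pow(g, x, p)
    print(len(tables), "tables,", table_bytes(1024), "bytes for a 1024-bit p")
```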



------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: speeding up exponentiation
Date: 27 Apr 2001 23:13:13 -0700

"Tom St Denis" <[EMAIL PROTECTED]> writes:
> I was thinking of a nice way to speed up exponentiation in Z*p some.
> 
> Basically my idea is that at some level g^x can be expressed as
> g^(z+y) = (g^z)(g^y) where x = z + y.  Let's say you have a 256-bit
> exponent (as in the case of DSA right or is it bigger?) anyways...
> you do a series of tables say 8-bits wide on the input....

Yes, there are a whole lot of precomputation hacks like this.  See
for example Brickell et al's paper in Eurocrypt 92(?).

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: talk.politics.crypto
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sat, 28 Apr 2001 00:33:10 -0600

In article <[EMAIL PROTECTED]>, Arturo
<aquiranNO$[EMAIL PROTECTED]> wrote:

>         Years ago, some guy from the NSA told crypto researchers not to talk
> about their research at a crypto conference or else.  He was finally rebuffed.
> Are we seeing a similar move from the RIAA?  Perhaps they are just probing the
> ground, to see if they can cope with the academic community.

Some people must follow strange orders to survive or lack the insight to
know when they are being led by the nose.  Academics tend to think without
such constraints, and to expect them to shake in their boots is to risk
being laughed off the stage.  

How dast anyone push prior restraint to suppress insight except for being
seen as antiscientific and needing a good dose of castor oil to loosen
their nature.  Consider that just conspiracies are born of such repressive
actions and that trying to be pious about a presumed right to limit logic is
a rather diabolic exercise.
-- 
How many good wells were shut in by the VP's company so that oil 
prices would raise?  It's obvious who did what and why.  

------------------------------

From: Ken Savage <[EMAIL PROTECTED]>
Subject: Re: Combining two plaintexts into ciphertext
Date: Sat, 28 Apr 2001 07:22:45 GMT

John Savard wrote:

> I think the idea is to make plain2 deniable - or at least to keep it
> well hidden - even when the message is decoded to yield plain1. And
> vice versa.

Exactly.  The original statement of the problem is what I intend,
for the very reason of deniability.

> Using 16-bit quantities to represent bytes, however, is not a good way
> of achieving this. One should encrypt the message in larger chunks.

Could you elaborate a little more on this?

I figure that two 8-bit quantities can be concatenated together to
yield a 16-bit quantity --- a crude form of combining.  However, a
more sophisticated form could combine them into a 16-bit value with
the added benefit of some cryptographic security.  And for those
times that the mathematics of combining won't work, by peppering
in some error-correction codes, we can recover the plaintexts.

Ken

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Thames Bridge Cipher
Date: Sat, 28 Apr 2001 08:51:35 +0100


"ben" <[EMAIL PROTECTED]> wrote in message
news:waoG6.355$[EMAIL PROTECTED]...
> Hi!
>
> I should be grateful if anyone can tell me where I can find more
> information on the Thames Bridge Cipher.

Thames Bridge is a UK government cipher the details of which have never been
published as far as I know.  It is made available to manufacturers of
commercial security products under confidentiality agreements so that it can
be incorporated into special variants of their products for UK government
use.

    Brian Gladman




------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Thames Bridge Cipher
Date: Sat, 28 Apr 2001 01:48:48 +0100

Most information on that algorithm is classified - you will find no useful
information without proper clearance.

A search on Google
(http://www.google.com/search?q=%22Thames+Bridge%22+%22red+pike%22&hl=en&lr=&safe=off)
gives some information, but that's about it.

Considering that the algorithms have been implemented in "nearly off the
shelf packages" I'm surprised that information hasn't yet been leaked.

--
Regards,

Sam
http://www.scramdisk.clara.net/

ben <[EMAIL PROTECTED]> wrote in message
news:waoG6.355$[EMAIL PROTECTED]...
> Hi!
>
> I should be grateful if anyone can tell me where I can find more
> information on the Thames Bridge Cipher.
>
> Many thanks,
>
> [EMAIL PROTECTED]   - Remove NOSPAM. to reply!
>
>



------------------------------

From: Jonathan Edwards <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sat, 28 Apr 2001 04:43:05 -0400



On Sat, 28 Apr 2001, Darren New wrote:

> Jonathan Edwards wrote:
> > No, SDMI is an attempt to make it effectively impossible to
> > make a digital copy of the music (because the only commercially
> > available devices and software that create digital copies will only do so
> > if the watermark is not present).
> 
> Which means the only way to use the music is locked to a particular device.
> 
> It's the equivalent of selling you a CD that will only play in your CD
> player. To loan the CD to someone else, you have to loan them your CD player
> too.
> 

I don't think so.

There's no encryption involved in digital watermarks - the plain music
(plus noise) is there and could in principle be played on anything that
understands the media format.

So I could lend you my CD and you could play it on your player.

The music industry's design, as I understand it, is to apply 
watermarking in the distribution of digital music in new formats (for
which there are no existing legacy players), and to ensure (through
licensing of the new format, various business deals, and the DMCA's
anti-reverse-engineering provisions) that nobody makes a player
(hardware or software) for those formats that ignores the watermark. The
consumer will therefore be able to play the music but won't be able to
make copies.  (This of course means it's easy to implement pay-per-use for
music delivered as data streamed off the web - you don't get to copy the
file, you get to run it through your MP3 player.  And if you want to hear
it again, deposit another quarter...)

Watermarking in itself is harmless.  The Grand Design of which it is a
part is repugnant, but hardly surprising.


------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Shortcut ElGamal
Date: Sat, 28 Apr 2001 02:10:12 -0700


Tom St Denis wrote:

> Just trying to figure this out.  In DSA you pick a large prime p
> (1024 bits etc..) such that p-1/2 has a large prime factor q (of at
> least 512 bits) and such that g is a generator for the subgroup Z*q
> of Z*p.  (Is that remotely right?)

Somewhat.  In DSA, q must be 160 bits.  The notation Z*n 
generally means the multiplicative group modulo n.  In DSA 
we work in one of the order q subgroups of Z*p, but it's not 
Z*q.

> This is such that one can use log2(q) bit exponents and speed up the
> computations (i.e signatures).
>
> Can't this trick also be used for ElGamal encryption?

Yes, and DSA key pairs work fine.

In the case of signatures, the trick is largely motivated
by making the signature short.  There's no obvious way
to use a shorter block with ElGamal encryption.

The attacker can choose which subgroup to go after.  Z*p is 
larger but subject to sub-exponential attacks, of the same 
complexity order as factoring.  Working directly in Z*q, the 
best known attack is exponential time, requiring roughly 
square-root q operations.


--Bryan

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sat, 28 Apr 2001 02:40:40 -0700


Terry Ritter wrote:
> Bryan Olson wrote:
> >Terry Ritter wrote:
> >>  Bryan Olson
> >> >Can anyone cite where what is called "intellectual property
> >> >law" actually defines covered works as property, or
> >> >violations as theft?
> >>
> >> The dictionary first definitions:
> >
> >So I guess that's a "no".  I couldn't find such a definition
> >in law either.
> 
> Since when has sci.crypt become a courtroom?

Is this the same Terry Ritter who complained about the AES 
process and asked about NIST, "what do they say when they 
get to court?"


> Is sci.crypt more like a courtroom, or more like a classroom?  And
> when was the last time any of us saw an instructor retreat into
> legalities to win a classroom point?

In the Usenet tradition of answering rhetorical questions, in 
my case it was the day Al Gore conceded.

I don't think it makes sense to disregard the "legalities" 
when naming a crime.


> >> Theft -- the act or an instance of stealing
> >> Steal -- to take without right or permission
> >
> >My dictionary's first definition:
> >
> >    Take -- to get by conquering; capture; seize
> >
> >It's not the getting that's the crime; it's the subsequent
> >copying, or violation of some other exclusive right.  That's
> >completely different from theft where the use is irrelevant.
> >
> >So with both the dictionary and the law indicating that such
> >acts are "infringement" and not "theft", can we switch to the
> >proper word?
> 
> The correct word is "theft."
> 
> "Theft" is a wholly appropriate common language term for the taking
> without permission which constitutes copyright infringement under law.

But we're not talking about stealing a copy.  The "taking" 
isn't the crime at all.

The one defense of "theft" is that it's been mis-applied 
to infringement so much that it's arguably entered the 
language.  One doesn't have to be overly cynical to notice 
that the mis-use is primarily by those looking out for their 
own interests.


--Bryan

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
