Cryptography-Digest Digest #283, Volume #14 Wed, 2 May 01 14:13:00 EDT
Contents:
Re: impossible differentials (help please) (Ulrich Kuehn)
Re: Censorship Threat at Information Hiding Workshop ("David Thompson")
Re: Rijndael Galois Field construction problem. (Mark Wooding)
Ciphertext only (Kris Reyes)
Thank you all, guys. ("Yaniv Sapir")
Re: Question on Montgomery Multipliers... (Vincent Quesnoit)
Re: Ciphertext only (Jeffrey Williams)
Final Program CHES 2001 (Christof Paar)
Re: Avoiding bogus encryption products: Snake Oil FAQ ("Henrick Hellstr�m")
Re: RSA BRUTE FORCE ([EMAIL PROTECTED])
Re: Question on Montgomery Multipliers... ("Mahesh S. Maddury")
Re: Censorship Threat at Information Hiding Workshop (Darren New)
Re: Feige-Fiat-Shamir and Guillou-Quisquater Identification Schemes (Anton Stiglic)
Re: Feige-Fiat-Shamir and Guillou-Quisquater Identification Schemes (Anton Stiglic)
DES sample vector (=?iso-8859-1?Q?Fr=E9d=E9ric?= Donnat)
Re: Censorship Threat at Information Hiding Workshop ("Paul Pires")
Re: DES sample vector ("Roger Schlafly")
----------------------------------------------------------------------------
From: Ulrich Kuehn <[EMAIL PROTECTED]>
Subject: Re: impossible differentials (help please)
Date: Wed, 02 May 2001 08:45:46 +0200
Reply-To: [EMAIL PROTECTED]
Tom St Denis wrote:
>
[description of cryptanalysis with impossible differentials]
>
> This does help :-)
>
> Is it not possible that the incorrect keys will not be thrown away too?
>
Let me answer with a question: what would you do if finally a set of,
say, 2^{16} keys remains from the total set of 2^{128} keys?
Ulrich
------------------------------
From: "David Thompson" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 02 May 2001 07:45:25 GMT
AY <[EMAIL PROTECTED]> wrote :
...
> Oh, and what about (gasp) e-music? Suppose I have a MP3 backup of the music
> CD and my dog ate my CD. How should I share the music with my friends?
>
Lend them your dog.
Attributed IIRC to Groucho Marx and strangely apropos:
"Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read."
(For non-native English readers, this is sort of a pun.
"Outside of" is commonly used idiomatically to mean
"except for", but here it is (mis)used literally.)
--
- David.Thompson 1 now at worldnet.att.net
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Rijndael Galois Field construction problem.
Date: 2 May 2001 10:02:45 GMT
David Wagner <[EMAIL PROTECTED]> wrote:
> Maybe I don't understand finite field arithmetic well enough, but this
> remark doesn't look right to me.
You're correct: it's not right.
(I'm sure you really understand this stuff more than I do. I'm still
struggling through the optimal normal basis stuff in Dr Mike's book...)
-- [mdw]
------------------------------
From: Kris Reyes <[EMAIL PROTECTED]>
Subject: Ciphertext only
Date: Wed, 02 May 2001 05:51:25 -0600
Can someone please explain how or direct me to sources which can tell me
how, given the ciphertext, one can obtain the key.
Is this even possible, feasible?? Does this even make sense??
Thanks for any help in advanced.
------------------------------
From: "Yaniv Sapir" <[EMAIL PROTECTED]>
Subject: Thank you all, guys.
Date: Wed, 2 May 2001 14:43:57 +0200
Yaniv Sapir <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi all.
>
> In the Rijndael algorithm, there is an extensive use of Finite Field (GF)
> arithmetic. The primitive polynomial chosen is 0x11B = 283, and the field
is
> GF(256). Trying to construct this field I faced a problem when, instead of
> 255 distinct elements (1-255) I get 51 elements repeating five times (the
> 51'st element is 1 - while it should be element 255 - so the series
repeats
> itself).
>
> The method for constructing the field I use is:
>
> Alpha^i = (2^i) mod (11B)
>
> where Alpha is the primitive element and i is the element power and so the
> element position in the field. The calculation, of course, is done using
the
> binary representation of the numbers, which is analogous to the polynomial
> representation with coeffs from GF(2).
>
> This same method makes no problems when constructing GF(256) with the
'11D'
> polynomial (used for ADSL modems) and also for other polynomials, even of
> smaller degree.
>
> So, is there any problem with 11B? I checked and confirmed that this is an
> irreducible one. Or maybe there is a limitation on this (systematic)
> construction method, which makes it good for some polynomials but not for
> others?
>
> TIA,
> Yaniv.
>
>
>
------------------------------
From: Vincent Quesnoit
Subject: Re: Question on Montgomery Multipliers...
Date: Wed, 02 May 2001 14:08:20 +0200
Reply-To: [EMAIL PROTECTED]
One way of doing that computation is :
R=2^n
start loop
shift R left by one bit
if R>M
subtract M from R
loop until the number of shifts is n
That is because multiplying a binary number by two is equivalent to shifting
left by one bit. So you basically need shift operations on numbers with n+1
bits, and subtractions on the same.
HTH,
Vincent
Mahesh Maddury a �crit :
> Hi,
>
> I'm new to the whole crypotgraphic field and have a question on
> Montogomery multipliers. My understanding is that to calculate A*B(mod
> M), you require these extra constants to convert into "Montogomery
> residues". Basically, you need a value R which is 2^(2*n) mod M where n
> is such that
> 2^(n-1)<M<2^n. I guess the advantage is that M does not change often for
> cryptographic applications and so you can calculate R once in the
> beginning.
>
> I'm a hardware engineer and the question I have is whether it somehow
> trivial to calculate this R value in hardware? It seems like a chicken
> and egg problem since to calculate R you have to perform a Montgomery
> multiplication and for this you need R again!
>
> Thanks,
> Mahesh
------------------------------
From: Jeffrey Williams <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Ciphertext only
Date: Wed, 02 May 2001 07:43:58 -0500
Kris,
I'd suggest starting with the FAQ from this group, then move on to Applied
Cryptography (Schneier) and the Handbook of Applied Cryptography (author's
name escapes me).
You really need to specify more information about your quest. The most
extreme case, ciphertext only (in which you know nothing at all about the
contents), you don't know the algorithm (but it's probably a modern,
computer-based algorithm), in short, you have no information at all but some
ciphertext, getting the key (or the plaintext) is pretty much an
impossibility (IFF there's some flaw in the originator's system, it may be
possible, but otherwise likely a waste of resources).
OTOH, if you know the algorithm, there may be a know method of breaking it
(still may not be practical, of course). If you happen to know some
information about the cipher text (there's a known header or footer, etc),
that may help, depending on the algorithm.
Bottom line, in the most general case derived from your question, the
answers are "No" and "No".
Jeff
Kris Reyes wrote:
> Can someone please explain how or direct me to sources which can tell me
> how, given the ciphertext, one can obtain the key.
>
> Is this even possible, feasible?? Does this even make sense??
>
> Thanks for any help in advanced.
------------------------------
From: Christof Paar <[EMAIL PROTECTED]>
Crossposted-To: comp.arch.arithmetic,comp.arch.fpga
Subject: Final Program CHES 2001
Date: Wed, 2 May 2001 09:41:58 -0400
The Final Program for CHES 2001 in Paris can be found at
http://www.chesworkshop.org
For registration and hotel information, please also check the web site
above.
Regards,
Christof
! WORKSHOP ON CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS (CHES 2001) !
! Paris, France, May 13-16, 2001 !
! www.chesworkshop.org !
***********************************************************************
Christof Paar, Associate Professor
Cryptography and Information Security (CRIS) Group
ECE Dept., WPI, 100 Institute Rd., Worcester, MA 01609, USA
fon:(508) 831 5061 email: [EMAIL PROTECTED]
fax:(508) 831 5491 www: http://www.ece.wpi.edu/People/faculty/cxp.html
***********************************************************************
------------------------------
From: "Henrick Hellstr�m" <[EMAIL PROTECTED]>
Subject: Re: Avoiding bogus encryption products: Snake Oil FAQ
Date: Wed, 2 May 2001 15:55:34 +0200
> ``Military Grade''
>
> Many crypto vendors claim their system is ``military grade.'' This is a
> meaningless term, since there isn't a standard that defines ``military
> grade,'' other than actually being used by various armed forces. Since
these
> organizations don't reveal what crypto they use, it isn't possible to
prove
> or disprove that something is ``military grade.''
>
> Unfortunately, some good crypto products also use this term. Watch for
this
> in combination with other snake oil indicators, e.g., ``our military-grade
> encryption system is exportable from the US!''
A bit OT, but might be of some interest for some:
This is in particular true regarding export of encryption software from
Sweden (and most other EU countries I guess). Such export is primarily
regulated by "Lagen om export av produkter med dubbla anv�ndningsomr�den",
roughly "The act on export of products with double applications", i.e. both
military and civilian, e.g. nuclear technology. If your product is put on
the list of products not exportable under that law, then either the Swedish
government or the EU commision considers your product to be "military
grade".
Just out of curiousity, does anyone know of any security software actually
on this list?
--
Henrick Hellstr�m [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: RSA BRUTE FORCE
Date: Wed, 02 May 2001 14:23:16 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] wrote:
:> Even though you're factoring a number that has only two factors (presumably),
:> that doesn't mean that you'll only see one pair of digits that will work.
: How about in base 2 instead of base 10?
I think it's still the same problem, even though you have only two choices
for a digit.. If you look at the technique with binary numbers, what do
you choose for the digits to the right of your current decision point?
all 1's? It can't be all 0's. If you are weighing 01111111 against 11111111,
I don't see how you could get down to factor where one factor is a good bit
smaller than the other (i.e. you're looking at 01111111 and 11111111 when the
final factors may be 00000111 and 11101010). The first two may give you a
close number, too.
At some point, you must choose between 0 and 1, 1 and 1 or 0 and 0. There is
no clear-cut choice at any point in the decision making process. If the factors
end up being close together, then 0-0 might be the right choice, while if one
factor is significantly larger than another, 1-0 might be the right choice.
You end up with multiple possible decisions just as you do with base 10.
Assuming just two possibilities, you are looking at 2^1024 decisions for
a 1024-bit number.
Mark
--
Mark Wutka
------------------------------
From: "Mahesh S. Maddury" <[EMAIL PROTECTED]>
Subject: Re: Question on Montgomery Multipliers...
Date: Wed, 02 May 2001 09:37:48 -0700
Reply-To: [EMAIL PROTECTED]
Hi,
Thanks for your reponse. I did stumble on this method while working through it
yesterday. I guess this works since we have a pow_of_2 mod a number.
Thanks again,
Mahesh
Vincent Quesnoit wrote:
> One way of doing that computation is :
> R=2^n
> start loop
> shift R left by one bit
> if R>M
> subtract M from R
> loop until the number of shifts is n
>
> That is because multiplying a binary number by two is equivalent to shifting
> left by one bit. So you basically need shift operations on numbers with n+1
> bits, and subtractions on the same.
>
> HTH,
> Vincent
>
> Mahesh Maddury a �crit :
>
> > Hi,
> >
> > I'm new to the whole crypotgraphic field and have a question on
> > Montogomery multipliers. My understanding is that to calculate A*B(mod
> > M), you require these extra constants to convert into "Montogomery
> > residues". Basically, you need a value R which is 2^(2*n) mod M where n
> > is such that
> > 2^(n-1)<M<2^n. I guess the advantage is that M does not change often for
> > cryptographic applications and so you can calculate R once in the
> > beginning.
> >
> > I'm a hardware engineer and the question I have is whether it somehow
> > trivial to calculate this R value in hardware? It seems like a chicken
> > and egg problem since to calculate R you have to perform a Montgomery
> > multiplication and for this you need R again!
> >
> > Thanks,
> > Mahesh
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 02 May 2001 16:46:51 GMT
Paul Pires wrote:
> That's a stretch. You could interpret what Douglas Gwyn said in that
> way but why not just call it your own spin?
Well, I was simply pointing out that copyright isn't an agreement between
the author and the people he gives access to his work. It's not contractual
at all. I read Mr Gwyn's paragraph as implying that copyright could be
interpreted as contractual, but it isn't. I didn't mean to bash Mr Gwyn in
any way.
> > Imagine if this happened with patents. "Well, it expires in 6 months, so
> > we'll just wait." Five months later: "Whoops! Now we have to wait anouther
> > 10 years."
>
> Actually, I'd cry all the way to the bank.
Not if you were the company waiting for the patent to expire.
> Agreed, it is a bad way do do business but don't lay it at Doug's door.
Uh, I wasn't laying anything at Doug's door. I was just pointing out that
copyright can't be interpreted as enforcement of a private contract. I.e.,
that "copyright" isn't protecting the author's ability to make a living if
the terms of the contract change after the author is dead. :-)
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
Invasion in chinese restaurant:
ALL YOUR RICE ARE BELONG TO US!
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Feige-Fiat-Shamir and Guillou-Quisquater Identification Schemes
Date: Wed, 02 May 2001 12:52:09 -0400
Also check out Schnorr signature (same time, more efficient, but
also patented).
Brice Canvel wrote:
>
> Hi,
>
> I came across those two identification schemes while reading Applied
> Cryptography:
> a.. Feige-Fiat-Shamir
> a.. Guillou-Quisquater.
>
> I have never heard of those before. Are they use in practice ? If so, what
> kind of systems use these two schemes ? And are there any known
> weakneses/attacks for these shemes ?
>
> Any links to further information on the subject would be appreciated.
>
> Thank you.
>
> Brice.
--
___________________________________
Anton Stiglic <[EMAIL PROTECTED]>
Software developer & Cryptologist.
Zero-Knowledge Systems Inc.
___________________________________
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Feige-Fiat-Shamir and Guillou-Quisquater Identification Schemes
Date: Wed, 02 May 2001 13:16:50 -0400
Anton Stiglic wrote:
>
> Also check out Schnorr signature (same time, more efficient, but
> also patented).
I ment to say same type, not same time.
-- Anton
>
> Brice Canvel wrote:
> >
> > Hi,
> >
> > I came across those two identification schemes while reading Applied
> > Cryptography:
> > a.. Feige-Fiat-Shamir
> > a.. Guillou-Quisquater.
> >
> > I have never heard of those before. Are they use in practice ? If so, what
> > kind of systems use these two schemes ? And are there any known
> > weakneses/attacks for these shemes ?
> >
> > Any links to further information on the subject would be appreciated.
> >
> > Thank you.
> >
> > Brice.
>
------------------------------
From: =?iso-8859-1?Q?Fr=E9d=E9ric?= Donnat <[EMAIL PROTECTED]>
Subject: DES sample vector
Date: Wed, 02 May 2001 17:28:34 GMT
Hi,
I'd like to implemente DES algorithm in java but i don't manage to find
test vector ! :-(
I mean test vector to test each round and the final computation.
Can someone point me to a place where i can find that please. ;-)
Thanks in advance.
Best Regards.
Fred
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 2 May 2001 10:32:29 -0700
Darren New <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Paul Pires wrote:
> > That's a stretch. You could interpret what Douglas Gwyn said in that
> > way but why not just call it your own spin?
>
> Well, I was simply pointing out that copyright isn't an agreement between
> the author and the people he gives access to his work. It's not contractual
> at all. I read Mr Gwyn's paragraph as implying that copyright could be
> interpreted as contractual, but it isn't. I didn't mean to bash Mr Gwyn in
> any way.
>
> > > Imagine if this happened with patents. "Well, it expires in 6 months, so
> > > we'll just wait." Five months later: "Whoops! Now we have to wait anouther
> > > 10 years."
> >
> > Actually, I'd cry all the way to the bank.
>
> Not if you were the company waiting for the patent to expire.
Were do you get this? You make it sound as if companies are wasting
away just waiting for these barriers to be lifted. This is a nieve take
on what really happens. The patent is an asset. It has value. I can give
you many more examples of business's not proceeding because the
remaining term is not long enough. Cases where a new product is being
ignored by the entrenched market leaders but where a second tier player
knows that once the idea gets their attention, the big boys will wax him.
This is cause and effect reversal aided by 20/20 hindsight.
Can we agree to disagree?
>
> > Agreed, it is a bad way do do business but don't lay it at Doug's door.
>
> Uh, I wasn't laying anything at Doug's door. I was just pointing out that
> copyright can't be interpreted as enforcement of a private contract. I.e.,
> that "copyright" isn't protecting the author's ability to make a living if
> the terms of the contract change after the author is dead. :-)
Doug Gwyn said nothing like that. He did not say that it was
an agreement between two people he said it is an agreement of the
author to abide by the provisions of his government.
"He agrees to let use[us] use it for certain purposes under
certain conditions,...." Who is he agreeing with? The
government.
Author seeks grant, shows compliance, agrees to terms.
Government grants boon and enforces it.
Paul
>
> --
> Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
> San Diego, CA, USA (PST). Cryptokeys on demand.
> Invasion in chinese restaurant:
> ALL YOUR RICE ARE BELONG TO US!
>
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: DES sample vector
Date: Wed, 02 May 2001 16:42:57 GMT
"Fr�d�ric Donnat" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I'd like to implemente DES algorithm in java but i don't manage to find
> test vector ! :-(
> I mean test vector to test each round and the final computation.
> Can someone point me to a place where i can find that please. ;-)
Try this. The key "\x0E\x32\x92\x32\xEA\x6D\x0D\x73" will encrypt
all zeros to all 0x87.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
