Cryptography-Digest Digest #285, Volume #14 Thu, 3 May 01 04:13:01 EDT
Contents:
Re: cryptographicaly secure prng ("Tom St Denis")
Re: ok newbie here ya go ("Tom St Denis")
Re: Blum-Micali generator ("Tom St Denis")
Re: Ciphertext only ("Douglas A. Gwyn")
Re: Best, Strongest Algorithm ("Douglas A. Gwyn")
Re: information theoretic stream cipher ("Henrick Hellström")
Re: cryptographicaly secure prng ("Romek")
Re: information theoretic stream cipher ("Tom St Denis")
Re: cryptographicaly secure prng (Charles Blair)
Re: "UNCOBER" = Universal Code Breaker (Mark VandeWettering)
Re: A Question Regarding Backdoors (Tim Smith)
Re: Random and not random (Matthew Skala)
__(Q) The state of Hyperelliptic cryptography, submitted to sci.crypt. (kctang)
Re: Random and not random (John Savard)
Re: information theoretic stream cipher ("Henrick Hellström")
Re: DES sample vector (Frédéric Donnat)
Re: MS OSs "swap" file: total breach of computer security. (Benjamin Goldberg)
----------------------------------------------------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: cryptographicaly secure prng
Date: Wed, 02 May 2001 23:00:50 GMT
"Dobs" <[EMAIL PROTECTED]> wrote in message news:9cpvt5$fe9$[EMAIL PROTECTED]...
> I have implemented generators such as BBS, RSA,Micali-Schnor and
> Blum-Micali generators.However I need one more cryptographicaly secure
> generator. Can U advise me one more such a generator which is very easy to
> implement(-short algorithm) and is secure. Can U also write me an algorithm
> to it.
> Thanks
> Best regards
> Mike D
First off state your platform and requirements. Second spell "U" [sic]
correctly. Lastly what does "Can U also write me an algorithm to it" mean?
Do you want source code or a description?
Why do you need "one more"?
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: ok newbie here ya go
Date: Wed, 02 May 2001 23:02:03 GMT
"Anton Stiglic" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> for which 'xxd -r' gives us
>
> Tom St-Denis likes to start flames, especialy with Newbies.
> No one here really knows why, it's a big mistery.
> Tidley bee, twidle and dee.
I assume this is a joke post, but if it's not how do I start flames? Just
because I ask people to explain their "proofs"?
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Blum-Micali generator
Date: Wed, 02 May 2001 23:04:16 GMT
"Dobs" <[EMAIL PROTECTED]> wrote in message news:9cpv74$dh0$[EMAIL PROTECTED]...
> The main formula for this generator is Xi+1=(a^Xi) mod p.
> The generator to be cryptographicaly secure have to have p very big (512
> bit) and it have to be prime. What about a, can it be any
> number???????????????
> Should p have to have any more futures????
> I am using openSSL library but I can not find function to count a^x mod p.
> Where can I find such a function or how to do it?
Dude post properly. 34 ?'s do not make the question any more important.
For Micali's generator you need 'a' to be a primitive element in Z*p and p
should be prime, that's all.
I dunno about using openSSL to do it; personally I just use MPI which is a
free big num lib.
Tom
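As an added example (not code from either poster), the generator from the thread with the two checks Tom names: p prime and 'a' a primitive element of Z*p. The primitive-root test factors p-1 by trial division, which is fine for the small demo prime used here (an assumed choice, 2^31-1) but not for a 512-bit p; Python's three-argument pow does the a^x mod p step, which is BN_mod_exp in OpenSSL.

```python
def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division (demo sizes only)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Deterministic-base Miller-Rabin; enough for the demo prime sizes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_primitive_root(a: int, p: int) -> bool:
    """a generates Z*p iff a^((p-1)/q) != 1 mod p for every prime q | p-1."""
    if not 1 < a < p:
        return False
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def blum_micali_bits(a: int, p: int, seed: int, nbits: int) -> str:
    """Blum-Micali: x_{i+1} = a^{x_i} mod p; output 1 iff x_{i+1} < (p-1)/2."""
    if not is_probable_prime(p):
        raise ValueError("p must be prime")
    if not is_primitive_root(a, p):
        raise ValueError("a must be a primitive element of Z*p")
    x, out = seed % p, []
    for _ in range(nbits):
        x = pow(a, x, p)  # the a^x mod p step the poster was looking for
        out.append("1" if x < (p - 1) // 2 else "0")
    return "".join(out)


if __name__ == "__main__":
    P31 = 2**31 - 1  # demo prime (assumed choice); 7 is a primitive root of it
    print(blum_micali_bits(7, P31, seed=12345, nbits=64))
```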
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Ciphertext only
Date: Wed, 2 May 2001 23:28:09 GMT
Jeffrey Williams wrote:
> You really need to specify more information about your quest. The most
> extreme case, ciphertext only (in which you know nothing at all about the
> contents), you don't know the algorithm (but it's probably a modern,
> computer-based algorithm), in short, you have no information at all but some
> ciphertext, getting the key (or the plaintext) is pretty much an
> impossibility (IFF there's some flaw in the originator's system, it may be
> possible, but otherwise likely a waste of resources).
Cryptodiagnosis is hard, but not impossible. Ultimately it boils down
to how much ciphertext is available for study and how much one wants to
spend in resources. If the pay-off would justify the expenditure, then
the system must be considered at risk.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm
Date: Wed, 2 May 2001 23:21:07 GMT
jlcooke wrote:
> So it's in the their best interests to choose the best block cipher to
> assure everyone they can be trusted, why didn't they do this with DES?
At the time, DES *was* the best block cipher.
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: information theoretic stream cipher
Date: Thu, 3 May 2001 02:34:41 +0200
"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:iS_H6.3085$[EMAIL PROTECTED]...
> Ok no secret primes here :-)
>
> Pick a public prime (say >2^128) you then divide the message into blocks
> M_1, M_2, such that 0 < M_i < p, eg they are all units wrt to Z*p.
>
> The cipher has two variables in it's state A and B both of which are the
> same magnitude as the prime. (say 128-bits). Both belong to Z*p as well.
> To encode a block you perform
>
> 1. C_i = M_i * A + B mod p
> 2. Update A
> 3. Update B
> 4. If A is zero goto 2
>
> Let's suppose the update in #2 and #3 is perfect,
What do you mean by the term "perfect"? How is such perfection achieved?
These questions seem a lot more relevant than the actual design of step #1.
If A is truly random, you could dispose of B and exchange step #1 for C_i =
M_i xor A, and you would have an OTP.
Note that you would only have to make two queries to the cipher at position
i to determine the value of A at that position, namely M_i = x, M'_i = x+1.
Clearly, A = C'_i - C_i = (x+1)*A + B - x*A - B modulo p. Three queries
would be sufficient for a high probability distinguisher for non-randomness,
because you could query M_i = x, M'_i = x+1, M''_i = x+2, and if C'_i - C_i
= C''_i - C'_i modulo p the distinguisher would output that your combiner
was used.
If you don't allow such adaptive attacks, then you might as well use xor.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
From: "Romek" <[EMAIL PROTECTED]>
Subject: Re: cryptographicaly secure prng
Date: Thu, 3 May 2001 01:41:52 +0100
Your best bet is probably the FIPS PRNGs as recommended in
http://csrc.nist.gov/encryption/tkrng.html.
Romek
"Dobs" <[EMAIL PROTECTED]> wrote in message news:9cpvt5$fe9$[EMAIL PROTECTED]...
> I have implemented generators such as BBS, RSA,Micali-Schnor and
> Blum-Micali generators.However I need one more cryptographicaly secure
> generator. Can U advise me one more such a generator which is very easy to
> implement(-short algorithm) and is secure. Can U also write me an algorithm
> to it.
> Thanks
> Best regards
> Mike D
>
>
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: information theoretic stream cipher
Date: Thu, 03 May 2001 01:49:20 GMT
"Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
news:9cq94h$cl1$[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
> news:iS_H6.3085$[EMAIL PROTECTED]...
> > Ok no secret primes here :-)
> >
> > Pick a public prime (say >2^128) you then divide the message into blocks
> > M_1, M_2, such that 0 < M_i < p, eg they are all units wrt to Z*p.
> >
> > The cipher has two variables in it's state A and B both of which are the
> > same magnitude as the prime. (say 128-bits). Both belong to Z*p as well.
> > To encode a block you perform
> >
> > 1. C_i = M_i * A + B mod p
> > 2. Update A
> > 3. Update B
> > 4. If A is zero goto 2
> >
> > Let's suppose the update in #2 and #3 is perfect,
>
> What do you mean by the term "perfect"? How is such perfection achieved?
> These questions seem a lot more relevant than the actual design of step #1.
> If A is truly random, you could dispose of B and exchange step #1 for C_i =
> M_i xor A, and you would have an OTP.
I mean that it's not truly random but uniformly distributed (or nicely).
The idea is to analyze the proposal disjunct of the update function. While
that won't give the complete picture it does allow us to analyze the first
step wrt any form of analysis irrespective of the update functions.
> Note that you would only have to make two queries to the cipher at
> position i to determine the value of A at that position, namely M_i = x,
> M'_i = x+1.
> Clearly, A = C'_i - C_i = (x+1)*A + B - x*A - B modulo p. Three queries
> would be sufficient for a high probability distinguisher for
> non-randomness, because you could query M_i = x, M'_i = x+1, M''_i = x+2,
> and if C'_i - C_i = C''_i - C'_i modulo p the distinguisher would output
> that your combiner was used.
>
> If you don't allow such adaptive attacks, then you might as well use xor.
It's a stream cipher not a block cipher so the condition M_i and M'_i is
impossible. Also you only need two queries if it were possible.
Tom
------------------------------
Subject: Re: cryptographicaly secure prng
From: [EMAIL PROTECTED] (Charles Blair)
Date: Thu, 03 May 2001 02:29:46 GMT
Is something wrong with the Impagliazzo-Naor prng? It seems
very attractive in not needing any multiplications.
------------------------------
From: [EMAIL PROTECTED] (Mark VandeWettering)
Subject: Re: "UNCOBER" = Universal Code Breaker
Date: Thu, 03 May 2001 02:41:31 GMT
On Fri, 20 Apr 2001 21:55:31 -0300, newbie <[EMAIL PROTECTED]> wrote:
>10100010010 is random string
>the inverse 01011101101 is random too.
>but if you Xor the two random string you will find
>111111111111111111111111111111
>random + random does not give you random result.
>random + non random does not give you 100 % random result.
>You have to meet some conditions before claiming that those equality are
>true.
You obviously don't understand what is meant by random.
Mark
--
/* __ __ __ ____ __*/float m,a,r,k,v;main(i){for(;r<4;r+=.1){for(a=0;
/*| \/ |\ \ / /\ \ / /*/a<4;a+=.06){k=v=0;for(i=99;--i&&k*k+v*v<4;)m=k*k
/*| |\/| | \ V / \ \/\/ / */-v*v+a-2,v=2*k*v+r-2,k=m;putchar("X =."[i&3]);}
/*|_| |_ark\_/ande\_/\_/ettering <[EMAIL PROTECTED]> */puts("");}}
------------------------------
From: [EMAIL PROTECTED] (Tim Smith)
Subject: Re: A Question Regarding Backdoors
Date: 2 May 2001 20:40:20 -0700
Reply-To: Tim Smith <[EMAIL PROTECTED]>
On Mon, 30 Apr 2001 11:11:33 GMT, Tom St Denis <[EMAIL PROTECTED]> wrote:
>Then he should ask the right question which is "Is it legal to use 256-bit
>symmetric keys in the US". This has nothing todo with AES or possible
That's not the right question. The right question is whether he has to
put a backdoor into his system, which is what he asked. No one else
seems to be having trouble understanding the question, so the problem
is you, not him.
--Tim Smith
------------------------------
From: [EMAIL PROTECTED] (Matthew Skala)
Subject: Re: Random and not random
Date: 2 May 2001 18:57:27 -0700
In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> wrote:
>: I suspect that you know this and are pulling our legs [...]
>
>John's article seems quite serious and perfectly correct to me.
>
>I too can easily imagine advocating applying a conventional cypher -
>in addition to an OTP - in order to improve the security of the latter.
As a backup in case the OTP is compromised (by operator error or
key-distribution failure) it may make sense. John proposed it for a much
different purpose: as a measure to alleviate uninformed people's concerns
that "the OTP might randomly have a pad of all zeroes, resulting in no
encryption!". It might serve the goal of alleviating the uninformed
people's concerns, but it does so only by illusion. Instead of an OTP by
itself having a pad of all zeroes and a ciphertext equal to the plaintext,
it's equally likely that the OTP plus conventional cipher would undo each
other and also result in no encryption.
Any chain of encryptions with the perfect secrecy property of an OTP will
have that possible "failure mode" - it's an inescapable part of perfect
secrecy, because if there is no possibility of your transmitting the
plaintext unencrypted, then every transmission reveals the tiny clue that
whatever your plaintext is, it *isn't* what you transmitted.
--
Matthew Skala
[EMAIL PROTECTED] "I fish stranger things than you
http://www.islandnet.com/~mskala/ out of my granola every morning."
------------------------------
From: kctang <[EMAIL PROTECTED]>
Subject: __(Q) The state of Hyperelliptic cryptography, submitted to sci.crypt.
Date: Thu, 03 May 2001 12:35:32 +0800
Dear Forum,
(Q) The state of Hyperelliptic cryptography:
=============================================
Does hyperelliptic curve cryptography possess advantages or
*potential* advantages over elliptic curve cryptography?
What are the *existing* view points on its following aspects
such as
Key-length, Efficiency and Performance,
Discrete Log problem,
Generating secure curves, point counting .... etc. ?
Thanks, kctang
PS.
Please use simple sentences so that I can understand.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Random and not random
Date: Thu, 03 May 2001 04:49:00 GMT
On 2 May 2001 18:57:27 -0700, [EMAIL PROTECTED] (Matthew Skala)
wrote, in part:
>Any chain of encryptions with the perfect secrecy property of an OTP will
>have that possible "failure mode" - it's an inescapable part of perfect
>secrecy, because if there is no possibility of your transmitting the
>plaintext unencrypted, then every transmission reveals the tiny clue that
>whatever your plaintext is, it *isn't* what you transmitted.
This is true. However, I add to my reply in this thread in my post "On
the Validity of Non-Logical Modes of Thought" that it's OK to have
this failure mode under certain circumstances, but not others.
How can that possibly be true? Well, read the post and find out.
John Savard
http://home.ecn.ab.ca/~jsavard/
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: information theoretic stream cipher
Date: Thu, 3 May 2001 09:11:14 +0200
"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:AO2I6.4730$[EMAIL PROTECTED]...
>
> "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> news:9cq94h$cl1$[EMAIL PROTECTED]...
> > If A is truly random, you could dispose of B and exchange step #1 for
> > C_i = M_i xor A, and you would have an OTP.
>
> I mean that it's not truly random but uniformly distributed (or nicely).
> The idea is to analyze the proposal disjunct of the update function.
> While that won't give the complete picture it does allow us to analyze the
> first step wrt any form of analysis irrespective of the update functions.
Yes, it does allow you. The update function does not increase the security
level with a factor much larger than its security of its own. If there is
an attack against both of the update functions, it will not be prevented by
your combiner, but only made a little bit harder. I have already
demonstrated that any adaptive attack against either A or B will still work
with twice the amount of queries. If there are statistical attacks against
both A and B, both will still work with more known plain text. For example,
if both A and B are biased in such way that there are some values d_a, d_b
such that the probabilities P(d_a = A_i+1 - A_i) = p_a and P(d_b = B_i+1 -
B_i) = p_b, then the attacker would have a probability equal to p_a*p_b to
find an occurrence of both differences at the same time.
> > Note that you would only have to make two queries to the cipher at
> > position i to determine the value of A at that position, namely M_i = x,
> > M'_i = x+1.
> > Clearly, A = C'_i - C_i = (x+1)*A + B - x*A - B modulo p. Three queries
> > would be sufficient for a high probability distinguisher for
> > non-randomness, because you could query M_i = x, M'_i = x+1, M''_i = x+2,
> > and if C'_i - C_i = C''_i - C'_i modulo p the distinguisher would output
> > that your combiner was used.
> >
> > If you don't allow such adaptive attacks, then you might as well use
> > xor.
>
> It's a stream cipher not a a block cipher so the condition M_i and M'_i is
> impossible...
I hope you are able to justify that. What if it is a seekable stream cipher?
Then an attacker with access to an encryption device would only have to
reset the position once to do what I described.
> Also you only need two queries if it were possible.
No, not if A really is secure. C'_i - C_i = A would then be a pseudorandom
number. The attacker would not know if he had got an answer from your oracle
or a true random function any more than he would know that if he was handed
A directly.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
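The exchange above (Tom's combiner C_i = M_i*A + B mod p and Henrick's two- and three-query observations, both posts) as an added worked example; this is not code from either poster. The "perfect" update functions are modelled by a hypothetical keyed, position-indexed keystream so the cipher is seekable, which is exactly the condition under which the same position can be queried more than once. The difference of two queries yields A_i, but A_i alone is indistinguishable from a random value; the third query gives the distinguisher.

```python
import hashlib
import random

# Public prime for the combiner; 2**127 - 1 is a Mersenne prime (constructed
# choice, the argument does not depend on its size).
P = 2**127 - 1


def keystream(key: bytes, i: int):
    """Stand-in for the 'perfect' update functions (hypothetical): derive
    A_i, B_i from a secret key and the block position, so the stream is
    seekable and the same A_i, B_i recur when position i is revisited."""
    h = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
    a = 1 + int.from_bytes(h[:16], "big") % (P - 1)  # unit of Z*p, never 0
    b = int.from_bytes(h[16:], "big") % P
    return a, b


def combiner_oracle(key: bytes):
    """Encryption oracle for step #1: C_i = M_i * A_i + B_i mod p."""
    def enc(i: int, m: int) -> int:
        a, b = keystream(key, i)
        return (m * a + b) % P
    return enc


def random_oracle(seed: int):
    """A random function of (i, m): what an ideal cipher looks like to the
    attacker. Memoised so repeated queries stay consistent."""
    table, rng = {}, random.Random(seed)
    def enc(i: int, m: int) -> int:
        return table.setdefault((i, m), rng.randrange(P))
    return enc


def recover_a(enc, i: int, x: int) -> int:
    """Two chosen plaintexts at one position: ((x+1)A + B) - (xA + B) = A."""
    return (enc(i, x + 1) - enc(i, x)) % P


def is_affine_combiner(enc, i: int, x: int) -> bool:
    """Three chosen plaintexts: consecutive differences agree iff the output
    is affine in M_i. A random function passes with probability about 1/p."""
    c0, c1, c2 = enc(i, x), enc(i, x + 1), enc(i, x + 2)
    return (c1 - c0) % P == (c2 - c1) % P


if __name__ == "__main__":
    key = b"constructed demo key"
    enc = combiner_oracle(key)
    print("A recovered:", recover_a(enc, 5, 12345) == keystream(key, 5)[0])
    print("combiner flagged:", is_affine_combiner(enc, 5, 12345))
    print("random function flagged:", is_affine_combiner(random_oracle(1), 5, 12345))
```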
------------------------------
From: Frédéric Donnat <[EMAIL PROTECTED]>
Subject: Re: DES sample vector
Date: Thu, 03 May 2001 07:31:11 GMT
Paul Schlyter wrote:
> In article <[EMAIL PROTECTED]>,
> Frederic Donnat <[EMAIL PROTECTED]> wrote:
>
> > I'd like to implement DES algorithm in java but i don't manage to find
> > test vector ! :-(
> > I mean test vector to test each round and the final computation.
> > Can someone point me to a place where i can find that please. ;-)
>
> The first case below, "DES Codebok", is right from the FIPS document
> which describes the DES algorithm. The other three cases I constructed
> myself, and I've found them useful when testing new DES implementations.
>
>
> DES CodeBook
>
> Key: 01 23 45 67 89 AB CD EF
>
> ASCII: N o w i s t h e t i m e f o r a l l
> Clear: 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72 20 61 6C 6C 20
> Crypt: 3F A4 0E 8A 98 4D 48 15 6A 27 17 87 AB 88 83 F9 89 3D 51 EC 4B 56 3B 53
>
>
> DES CBC
>
> Key: 01 23 45 67 89 AB CD EF
> IV: 01 23 45 67 89 AB CD EF
>
> ASCII: N o w i s t h e t i m e f o r a l l
> Clear: 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72 20 61 6C 6C 20
> XOR: 01 23 45 67 89 AB CD EF 96 C3 D4 A6 DC 1C 01 17 76 97 08 E9 C6 1D 28 58
> XClear: 4F 4C 32 47 E0 D8 ED 9B FE A6 F4 D2 B5 71 64 37 10 F8 7A C9 A7 71 44 78
> Crypt: 96 C3 D4 A6 DC 1C 01 17 76 97 08 E9 C6 1D 28 58 F1 05 77 7D D5 51 7D AB
>
>
>
> DES3 CodeBook
>
> Key 1: 00 11 22 33 44 55 66 77
> Key 2: 88 99 AA BB CC DD EE FF
>
> ASCII: N o w i s t h e t i m e f o r a l l
> Clear: 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72 20 61 6C 6C 20
> Crypt1: ED FC 77 AE 9B 3C C0 47 A8 B4 D9 9D A7 29 F8 29 C6 C2 C4 3F 65 EC 4E 1A
> Decry2: 33 EE E1 6E 46 B9 19 42 A0 3C 62 5E C5 5F 3A 78 7D C8 34 95 89 B8 DE B4
> Crypt3: 1D 5D E8 95 51 03 3F DF E9 42 B9 E2 83 C7 88 46 25 3B A3 0E CE 0C DF F8
>
>
>
> DES3 CBC
>
> Key 1: 00 11 22 33 44 55 66 77
> Key 2: 88 99 AA BB CC DD EE FF
> IV: 01 23 45 67 89 AB CD EF
>
> ASCII: N o w i s t h e t i m e f o r a l l
> Clear: 4E 6F 77 20 69 73 20 74 68 65 20 74 69 6D 65 20 66 6F 72 20 61 6C 6C 20
> XOR: 01 23 45 67 89 AB CD EF 98 93 4C 64 A2 A3 F7 F5 2A 34 E7 E8 CD 9B 4D 87
> XClear: 4F 4C 32 47 E0 D8 ED 9B F0 F6 6C 10 CB CE 92 D5 4C 5B 95 C8 AC F7 21 A7
> Crypt: 98 93 4C 64 A2 A3 F7 F5 2A 34 E7 E8 CD 9B 4D 87 0A 74 4F 03 1F BE A3 53
>
>
> --
> ----------------------------------------------------------------
> Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
> Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
> e-mail: pausch at saaf dot se or paul.schlyter at ausys dot se
> WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
Thanks a lot for sharing your knowledge ! ;-)
In fact I managed to find examples in OpenSSL's TestDES.c, and "Now is the time for all"
seems to be a classic ! ;-)
But I didn't manage to find an example describing the result for each round. :-(
So, if someone can point me to a site where I can find an implementation having a debug
mode to see these results, I would be very grateful. ;-)
Best regards.
Fred
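Added example (not from either poster): the CBC rows in Paul's tables separate the chaining step from the block function, and that split is what makes them useful when a new implementation misbehaves. The code below recomputes the XOR and XClear rows from Clear, IV and Crypt for both CBC cases and checks them against the posted values, so the chaining can be validated on its own before the DES core is trusted.

```python
# Test vectors copied from the post ("Now is the time for all", 24 bytes).
DES_CBC = dict(
    iv="0123456789ABCDEF",
    clear="4E6F77206973207468652074696D6520666F7220616C6C20",
    xor="0123456789ABCDEF96C3D4A6DC1C0117769708E9C61D2858",
    xclear="4F4C3247E0D8ED9BFEA6F4D2B571643710F87AC9A7714478",
    crypt="96C3D4A6DC1C0117769708E9C61D2858F105777DD5517DAB",
)
DES3_CBC = dict(
    iv="0123456789ABCDEF",
    clear="4E6F77206973207468652074696D6520666F7220616C6C20",
    xor="0123456789ABCDEF98934C64A2A3F7F52A34E7E8CD9B4D87",
    xclear="4F4C3247E0D8ED9BF0F66C10CBCE92D54C5B95C8ACF721A7",
    crypt="98934C64A2A3F7F52A34E7E8CD9B4D870A744F031FBEA353",
)


def blocks(hexstr: str, n: int = 8) -> list:
    """Split a hex string into n-byte (DES block size) chunks."""
    data = bytes.fromhex(hexstr)
    return [data[i:i + n] for i in range(0, len(data), n)]


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def cbc_chain(clear_hex: str, iv_hex: str, crypt_hex: str):
    """Encryption side of the chaining: the block-function input for block i
    is Clear_i xor (IV if i == 0 else Crypt_{i-1}). Returns the XOR and
    XClear rows as upper-case hex, in the layout of the posted table."""
    prev, xor_row, xclear_row = bytes.fromhex(iv_hex), [], []
    for clr, enc in zip(blocks(clear_hex), blocks(crypt_hex)):
        xor_row.append(prev)
        xclear_row.append(xor_bytes(clr, prev))
        prev = enc  # this ciphertext block masks the next plaintext block
    return b"".join(xor_row).hex().upper(), b"".join(xclear_row).hex().upper()


def cbc_unchain(xclear_hex: str, iv_hex: str, crypt_hex: str) -> str:
    """Decryption side: the raw block-function output D(Crypt_i) is XClear_i,
    and Clear_i = XClear_i xor (IV if i == 0 else Crypt_{i-1})."""
    prev, out = bytes.fromhex(iv_hex), []
    for dec, enc in zip(blocks(xclear_hex), blocks(crypt_hex)):
        out.append(xor_bytes(dec, prev))
        prev = enc
    return b"".join(out).hex().upper()


def check_vector(v: dict) -> bool:
    """True iff the posted XOR/XClear rows follow from Clear, IV and Crypt."""
    xor_row, xclear_row = cbc_chain(v["clear"], v["iv"], v["crypt"])
    return (xor_row == v["xor"] and xclear_row == v["xclear"]
            and cbc_unchain(v["xclear"], v["iv"], v["crypt"]) == v["clear"])


if __name__ == "__main__":
    print("DES CBC chaining consistent:", check_vector(DES_CBC))
    print("DES3 CBC chaining consistent:", check_vector(DES3_CBC))
```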
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: MS OSs "swap" file: total breach of computer security.
Date: Thu, 03 May 2001 08:03:00 GMT
Anthony Stephen Szopa wrote:
>
> David Hopwood wrote:
[big snip]
> But doesn't he always make it sound so easy and clear cut if only
> you just had his command of the subject matter?
>
> Once again, someone has stepped forward and put his sh-- in the
> street.
Yeah. You did.
If you had actually *read* what David wrote, you would know that he's
saying that it's *not* easy, nor clear cut, to lock data in memory, even
with a firm grasp of the subject matter.
--
Shift to the left, shift to the right, mask in, mask out, BYTE, BYTE,
BYTE !!!
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************