Cryptography-Digest Digest #292, Volume #14       Fri, 4 May 01 12:13:01 EDT

Contents:
  Re: OAP-L3:  "The absurd weakness." ("Tom St Denis")
  SAC'01 wannabe paper ("Tom St Denis")
  debunk Anthony's crypto ("Tom St Denis")
  linear vs nonlinear ("Tom St Denis")
  Re: cryptographicaly secure prng ("Dobs")
  Re: cryptographicaly secure prng ("Tom St Denis")
  Re: linear vs nonlinear (jlcooke)
  Re: cryptographicaly secure prng (SCOTT19U.ZIP_GUY)
  Re: Avoiding bogus encryption products: Snake Oil FAQ (Stefek Zaba)
  Re: linear vs nonlinear ("Tom St Denis")
  Re: cryptographicaly secure prng ("Tom St Denis")
  Re: linear vs nonlinear (Mark Wooding)
  Re: linear vs nonlinear ("Tom St Denis")
  Re: linear vs nonlinear ("Tom St Denis")
  Re: Avoiding bogus encryption products: Snake Oil FAQ ("Frog2000")
  Re: cryptographicaly secure prng (SCOTT19U.ZIP_GUY)
  Re: cryptographicaly secure prng ("Tom St Denis")

----------------------------------------------------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Fri, 04 May 2001 10:38:38 GMT


"Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> OAP-L3:  "The absurd weakness."
>
> The process of random digit generation used in OAP-L3 can be reduced
> to this simplicity:

<snip>

Just because your cipher can use big numbers does not make it secure.

For example, Lucifer had a 128-bit key space but the best attack doesn't
require 2^128 work.

You have to prove that your cipher is statistically unbiased using as many
tests as possible.  And you also have to show that the information leakage
is minimal (if you think it's zero you really should go sell lawn umbrellas
instead).

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: SAC'01 wannabe paper
Date: Fri, 04 May 2001 10:41:43 GMT

I was preparing a paper (with some friends) on a very compact block cipher
geared towards embedded devices.  My team achieved a code size of under 300
bytes (for the encrypt/decrypt and key setup routines) and a throughput of
185 64-bit blocks per second (about 10 kbit/sec).

The cipher is based on decorrelated functions and simple linear transforms.
The cipher in its current form is about as secure as DES afaik with respect
to iterative attacks.  This cipher of course can use a larger key...

I would not suggest that anyone use this cipher, but if you want to read up on
what our design and the attacks on it are you can get it at

http://tomstdenis.home.dhs.org/mdfc.ps.gz

or for a PDF copy

http://tomstdenis.home.dhs.org/mdfc.zip

Please post comments in the group not via email.
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: debunk Anthony's crypto
Date: Fri, 04 May 2001 11:08:38 GMT

Simple way to debunk his "theory".

His cipher is based on the fact that the 10! element array is perfectly
randomly shuffled.  Naively you can do this with

1.  for I from 0 to 10! - 1 do
1.1  Get Random R in the interval 0 <= R < 10!
1.2  Swap elements I and R in the array

This requires at least 10! * log2(10!) bits of entropy or about 79075402.57
bits or 9.43 Mbytes.  Better yet, he says he does 10 passes on three files;
that's 9.43 * 30 or 282.80 Mbytes.

Note that these can't come from a PRNG since he assumes that his arrays
are truly randomly shuffled.  This means you need some form of truly random
bits coming into the system.

Last I heard the average TRNG is not that fast; commercial ones run at about
19.2 kbit/s or so.  At that rate it would take 34.32 hours to make the
required bits.

Let's also not forget the fact that his cipher requires at least 10MB or so
just for the key and is very poorly described on his website (the dude has
to learn scientific notation more than just 1E22,000,000 ..... )
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
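
As an added example (not part of Tom's post; there is no code on the page), the entropy arithmetic above carried through in Python, together with two things the post does not give: the information-theoretic minimum log2(n!) for a uniform shuffle of n elements, and an exhaustive check that the swap-with-any-index loop in steps 1 to 1.2 does not produce every permutation equally often, whereas restricting the draw to R >= I (Fisher-Yates) does. The 19.2 kbit/s rate and the count of 30 shuffles are taken from the post; the function names and the small n used for the bias check are the example's own.

```python
# Added example (not from the post): entropy budget of a "perfectly random"
# shuffle of an n-element array, and why the swap-with-any-index loop in the
# post does not even produce a uniform shuffle.  Pure Python, runs offline.
import itertools
import math
from collections import Counter

LOG2 = math.log(2.0)


def naive_shuffle_bits(n):
    """The post's figure: n draws of one index each, log2(n) bits per draw."""
    return n * math.log2(n)


def uniform_shuffle_bits(n):
    """Information-theoretic minimum for a uniform permutation: log2(n!).
    lgamma(n + 1) = ln(n!) keeps this exact enough for n = 10! without
    materialising a seven-digit factorial."""
    return math.lgamma(n + 1) / LOG2


def seconds_at_rate(bits, bits_per_second):
    """Time a source of the given rate needs to deliver `bits`."""
    return bits / bits_per_second


def permutation_counts(n, fisher_yates):
    """Enumerate every possible sequence of random draws for a shuffle of
    range(n) and count how often each permutation results.
    fisher_yates=False: step i swaps with any R in [0, n)  (the post's loop)
    fisher_yates=True : step i swaps with R in [i, n)     (Fisher-Yates)"""
    ranges = [range(i, n) if fisher_yates else range(n) for i in range(n)]
    counts = Counter()
    for draws in itertools.product(*ranges):
        a = list(range(n))
        for i, r in enumerate(draws):
            a[i], a[r] = a[r], a[i]
        counts[tuple(a)] += 1
    return counts


def is_uniform(counts):
    """True when every permutation that occurs does so equally often."""
    return len(set(counts.values())) == 1


if __name__ == "__main__":
    n = math.factorial(10)
    print("post's estimate  : %.2f bits" % naive_shuffle_bits(n))
    print("uniform minimum  : %.2f bits" % uniform_shuffle_bits(n))
    hours = seconds_at_rate(30 * naive_shuffle_bits(n), 19200) / 3600
    print("30 shuffles at 19.2 kbit/s: %.2f h" % hours)
    for fy in (False, True):
        c = permutation_counts(3, fy)
        print("fisher_yates=%s uniform=%s counts=%s" % (fy, is_uniform(c), dict(c)))
```

For n = 10! the exact minimum is about 73.8 Mbit, a little below the post's 79.1 Mbit, because n independent draws of log2(n) bits each over-allocate; the post's conclusion is unchanged, since either figure is hours of output from a 19.2 kbit/s source once multiplied by 30. The bias check is only feasible for n up to 4 or 5, since the naive loop has n^n draw sequences; for n = 3 it yields 27 sequences over 6 permutations, which cannot be uniform.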



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: linear vs nonlinear
Date: Fri, 04 May 2001 11:23:20 GMT

It's my understanding that a function is only nonlinear w.r.t. a particular
group.  For example, DES sboxes are nonlinear w.r.t. GF(2).

Is it not possible to always define a group in which a function is linear?
I.e.

F(x) o F(x o A) o A = 0 for all A within the group and o is some form of a
group operator.

For example, F(x) = x + k mod p is nonlinear w.r.t. GF(2) but if we use
GF(p) it's linear, etc..
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



------------------------------

From: "Dobs" <[EMAIL PROTECTED]>
Subject: Re: cryptographicaly secure prng
Date: Fri, 4 May 2001 13:27:57 +0200

>"Can U also write me an algorithm to it"
I just wanted somebody to give me the site where I can find an algorithm for any
secure generator.
> Why do you need "one more"?
I need "one more" because the task from my school is to implement 5
generators and I have got so far 4 of them, and that's the whole story.



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: cryptographicaly secure prng
Date: Fri, 04 May 2001 11:37:00 GMT


"Dobs" <[EMAIL PROTECTED]> wrote in message news:9cu403$7em$[EMAIL PROTECTED]...
> >"Can U also write me an algorithm to it"
> I just wanted somebody to give me the site where I can find an algorithm for any
> secure generator

You need source or descriptions?

> > Why do you need "one more"?
> I need "one more" because the task from my school is to implement 5
> generators and I have got so far 4 of them, and that's the whole story.

Perhaps they want you to try and invent 5 instead of ripping off others' ideas?
Off the top of my head the PRNGs I know of are

LFSRs, Linear Congruential Generators, Lagged Fibonacci generators, BBS, Blum
Micali.

Note that the first three ain't too secure on their own, but you can

self shrink, shrink, Algorithm B or M

the output to make it a bit more secure

Tom
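
An added example, not code from the thread or from any of the posters, of the building blocks the post above lists: a Fibonacci LFSR, the shrinking generator (two LFSRs, one gating the other) and the self-shrinking generator (one LFSR gating itself). The register lengths, tap masks and seeds are the example's own choices, kept small enough to trace by hand; a real instance would use registers of a few hundred bits with different, coprime lengths.

```python
# Added example (not from the thread): a small Fibonacci LFSR plus the two
# post-filters the post names, the shrinking generator (Coppersmith,
# Krawczyk, Mansour) and the self-shrinking generator (Meier, Staffelbach).
# Register sizes, tap masks and seeds are illustrative assumptions; 3- and
# 4-bit registers are for tracing by hand, not for use.


class LFSR:
    """n-bit Fibonacci LFSR.  `taps` is a bit mask over the current state;
    the feedback bit is the parity of (state & taps) and enters at the top,
    the output bit is the low bit shifted out.  Mask 0b0011 with n=4 is
    x^4 + x^3 + 1 (maximal, period 15); mask 0b011 with n=3 is x^3 + x^2 + 1
    (maximal, period 7)."""

    def __init__(self, n, taps, seed):
        if not 0 < seed < (1 << n):
            raise ValueError("seed must be a non-zero n-bit value")
        self.n, self.taps, self.state = n, taps, seed

    def step(self):
        out = self.state & 1
        fb = bin(self.state & self.taps).count("1") & 1
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out

    def bits(self, k):
        return [self.step() for _ in range(k)]


def period(lfsr):
    """Clock until the state repeats; a maximal-length n-bit LFSR gives 2^n - 1."""
    start = lfsr.state
    count = 0
    while True:
        lfsr.step()
        count += 1
        if lfsr.state == start:
            return count


def shrink(a, s, k):
    """Shrinking generator: clock A and S together, keep A's bit only when
    S's bit is 1.  Output rate is about half the clock rate."""
    out = []
    while len(out) < k:
        bit_a, bit_s = a.step(), s.step()
        if bit_s:
            out.append(bit_a)
    return out


def self_shrink(a, k):
    """Self-shrinking generator: take output bits in pairs (x, y); emit y
    when x is 1, discard the pair otherwise.  Rate is about a quarter."""
    out = []
    while len(out) < k:
        x, y = a.step(), a.step()
        if x:
            out.append(y)
    return out


if __name__ == "__main__":
    print("period of x^4+x^3+1:", period(LFSR(4, 0b0011, 1)))
    print("raw LFSR   :", LFSR(4, 0b0011, 1).bits(15))
    print("shrunk     :", shrink(LFSR(4, 0b0011, 1), LFSR(3, 0b011, 1), 8))
    print("self-shrunk:", self_shrink(LFSR(4, 0b0011, 1), 6))
```

The raw LFSR stream is linear over GF(2): 2n consecutive output bits determine the whole state via Berlekamp-Massey, which is why the post says the first three generators are not secure on their own. Shrinking and self-shrinking let the data decide which bits are kept, so the kept positions are no longer a fixed linear function of the state; the price is an output rate of roughly one half and one quarter of the clock rate respectively.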



------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: linear vs nonlinear
Date: Fri, 04 May 2001 12:24:30 GMT

Good block ciphers interleave linear and non-linear operations to
protect from linear and differential attacks (among other techniques).

ADD eax, ebx; bit wise non-linear, arithmetically linear
XOR eax, ecx; bit wise linear, arithmetically non-linear
MULT ecx;  ???  Exercise for Tom.

Hint: What does the 32bit multiply do for RC5, RC6 and MARS?

JLC

Tom St Denis wrote:
> 
> It's my understanding that a function is only nonlinear w.r.t. a particular
> group.  For example, DES sboxes are nonlinear w.r.t. GF(2).
> 
> Is it not possible to always define a group in which a function is linear?
> I.e.
> 
> F(x) o F(x o A) o A = 0 for all A within the group and o is some form of a
> group operator.
> 
> For example, F(x) = x + k mod p is nonlinear w.r.t. GF(2) but if we use
> GF(p) it's linear, etc..
> --
> Tom St Denis
> ---
> http://tomstdenis.home.dhs.org

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: cryptographicaly secure prng
Date: 4 May 2001 12:45:20 GMT

[EMAIL PROTECTED] (Dobs) wrote in <9cu403$7em$[EMAIL PROTECTED]>:

>>"Can U also write me an algorithm to it"
>I just wanted somebody to give me the site where I can find an algorithm for any
>secure generator
>> Why do you need "one more"?
>I need "one more" because the task from my school is to implement 5
>generators and I have got so far 4 of them, and that's the whole story.
>
>

  OK I will give you a fifth. Take scott19u.zip, get a file of roughly
2 megs from random.org or whatever. Use that as the rawkey.key file;
use another such file as the input file. Encrypt the input file, take the
first byte out as random data. Encrypt the file again. Take the next byte
out as random data. Keep repeating till you don't need more info.
  Yes it's slow. But you keep asking for more code so I thought I
would basically supply you with one. Oh, if you want a different random
source out, change your short password or get new files from random.org
or whatever. :)



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (Stefek Zaba)
Subject: Re: Avoiding bogus encryption products: Snake Oil FAQ
Date: 4 May 2001 13:38:48 GMT

In sci.crypt, Mok-Kong Shen ([EMAIL PROTECTED]) wrote:

> Is there no longer the 56 key bit restriction? When was
> the change of the document done? BTW, which country
> has implemented Wassenaar's crypto clause? (Germany
> hasn't, if I don't err.)

The keylength restriction on software products in the Cryptography Note had
an auto-expiry clause, which timed out in October 2000. Reference:

  http://www.wassenaar.org/list/Summary.html

where we read, at Category 5P2 under 5.A.2 Cryptography Note,
   "Cryptography Note d. has been deleted, as well as the related
    Validity Note"

The text of Note d. read as follows: "Does not contain a "symmetric algorithm"
employing a key length exceeding 64 bits;". The "validity note", whose text
I don't have to hand, was the mechanism by which this bit-length limit would
automagically time out in October 2000 (I may have the date wrong by a few
months either way!) unless every participating state wished it to continue
in effect.

Cheers, Stefek


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: linear vs nonlinear
Date: Fri, 04 May 2001 13:56:09 GMT


"jlcooke" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Good block ciphers interleave linear and non-linear operations to
> protect from linear and differential attacks (among other techniques).

That's not relevant.

>
> > ADD eax, ebx; bit wise non-linear, arithmetically linear
> > XOR eax, ecx; bit wise linear, arithmetically non-linear
> > MULT ecx;  ???  Exercise for Tom.

Technically mults are linear too, consider f(x) = ax + b.

My question was is it possible to always find a way to make a nonlinear
discrete function linear by inventing a new group operator?  (we shall
assume the function is bijective).

> Hint: What does the 32bit multiply do for RC5, RC6 and MARS?

There is no mult in RC5, but in RC6 it tries to make the upper bits a
nonlinear function of all the other bits and "increase" diffusion.  The
problem with mults in Z is that they have poor overall diffusion.  Not all
output bits are functions of the input bits (hint: lsb).

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: cryptographicaly secure prng
Date: Fri, 04 May 2001 13:56:58 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Dobs) wrote in <9cu403$7em$[EMAIL PROTECTED]>:
>
> >>"Can U also write me an algorithm to it"
> >I just wanted somebody to give me the site where I can find an algorithm for any
> >secure generator
> >> Why do you need "one more"?
> >I need "one more" because the task from my school is to implement 5
> >generators and I have got so far 4 of them, and that's the whole story.
> >
> >
>
>   OK I will give you a fifth. Take scott19u.zip, get a file of roughly
> 2 megs from random.org or whatever. Use that as the rawkey.key file;
> use another such file as the input file. Encrypt the input file, take the
> first byte out as random data. Encrypt the file again. Take the next byte
> out as random data. Keep repeating till you don't need more info.
>   Yes it's slow. But you keep asking for more code so I thought I
> would basically supply you with one. Oh, if you want a different random
> source out, change your short password or get new files from random.org
> or whatever. :)

That's just plain stupid.  If you get your secure bits from a website they
ain't private.  So if you plug them into a cipher (even if it's scottu) the
output cannot be random.

Tom



------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: linear vs nonlinear
Date: 4 May 2001 13:58:16 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

> It's my understanding that a function is only nonlinear w.r.t. a particular
> group.  For example, DES sboxes are nonlinear w.r.t. GF(2).

I think you mean with respect to a particular *ring*.  To construct
linear functions, we must be able to multiply and add.

> Is it not possible to always define a group in which a function is
> linear?

Which ring do you think (for example) the Rijndael S-box is linear over?

-- [mdw]

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: linear vs nonlinear
Date: Fri, 04 May 2001 13:58:38 GMT


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:ZxyI6.14014$[EMAIL PROTECTED]...
>
> "jlcooke" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Good block ciphers interleave linear and non-linear operations to
> > protect from linear and differential attacks (among other techniques).
>
> That's not relevant.
>
> >
> > ADD eax, ebx; bit wise non-linear, arithmetically linear

I missed this... but ADD is not completely bitwise nonlinear.  In fact it
can be reproduced with an xor with probability (3/4)^31.

> > XOR eax, ecx; bit wise linear, arithmetically non-linear

Similarly ADD can reproduce an xor as well.





------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: linear vs nonlinear
Date: Fri, 04 May 2001 14:07:00 GMT


"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> > It's my understanding that a function is only nonlinear w.r.t. a particular
> > group.  For example, DES sboxes are nonlinear w.r.t. GF(2).
>
> I think you mean with respect to a particular *ring*.  To construct
> linear functions, we must be able to multiply and add.

Bingo.  So a ring is like a field except not all elements are units, right?

>
> > Is it not possible to always define a group in which a function is
> > linear?
>
> Which ring do you think (for example) the Rijndael S-box is linear over?

Um I dunno.  My only examples are additions in Zp vs GF(2).

Tom
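
As an added example, not from any of the posts in this thread, the two checks the discussion keeps circling, made explicit in Python: `is_affine_gf2` tests whether f(x XOR y) = f(x) XOR f(y) XOR f(0) holds for every pair of inputs, `is_affine_mod` tests the same identity with addition mod 2^n, and `add_equals_xor_count` counts the operand pairs on which ADD and XOR coincide, which is the (3/4)^31 figure from Tom's reply scaled down to a small word size. The S-box table is the PRESENT cipher's 4-bit S-box, used only as a convenient small nonlinear bijection; it is not mentioned on the page, and the 0x5A constant and the 8-bit width are arbitrary choices of the example.

```python
# Added example (not from the thread): the same function can be affine over
# one algebraic structure and not over another.  Two checks, one over
# GF(2)^n (XOR is addition) and one over the ring Z/2^n (addition mod 2^n),
# are applied to x XOR k, x + k and a real 4-bit S-box.  The S-box is the
# PRESENT cipher's, chosen here only as a small nonlinear bijection.  The
# last function counts how often ADD and XOR agree: (3/4)^(n-1) of all pairs.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_affine_gf2(f, nbits):
    """f is affine over GF(2)^n iff f(x ^ y) == f(x) ^ f(y) ^ f(0) for all x, y."""
    c = f(0)
    size = 1 << nbits
    return all(f(x ^ y) == f(x) ^ f(y) ^ c
               for x in range(size) for y in range(size))


def is_affine_mod(f, nbits):
    """f is affine over Z/2^n iff f(x + y) == f(x) + f(y) - f(0)  (mod 2^n)."""
    mask = (1 << nbits) - 1
    c = f(0)
    size = 1 << nbits
    return all(f((x + y) & mask) == (f(x) + f(y) - c) & mask
               for x in range(size) for y in range(size))


def add_equals_xor_count(nbits):
    """Number of (a, b) in [0, 2^n)^2 with (a + b) mod 2^n == a ^ b.
    They agree exactly when no carry is generated, i.e. no bit position
    below the top one has a 1 in both operands: 3^(n-1) * 4 pairs, a
    fraction (3/4)^(n-1).  The top bit's carry is discarded, hence n-1
    rather than n (the thread's (3/4)^31 for 32-bit registers)."""
    mask = (1 << nbits) - 1
    size = 1 << nbits
    return sum(1 for a in range(size) for b in range(size)
               if (a + b) & mask == a ^ b)


def report(nbits=8, k=0x5A):
    """Run all checks at one width; returns a dict so callers can assert on it."""
    mask = (1 << nbits) - 1

    def xor_k(x):
        return x ^ k

    def add_k(x):
        return (x + k) & mask

    def sbox(x):
        return PRESENT_SBOX[x & 0xF]

    return {
        "xor_k affine over GF(2)^n": is_affine_gf2(xor_k, nbits),
        "xor_k affine over Z/2^n": is_affine_mod(xor_k, nbits),
        "add_k affine over GF(2)^n": is_affine_gf2(add_k, nbits),
        "add_k affine over Z/2^n": is_affine_mod(add_k, nbits),
        "sbox affine over GF(2)^4": is_affine_gf2(sbox, 4),
        "sbox affine over Z/16": is_affine_mod(sbox, 4),
        "add==xor pairs": add_equals_xor_count(nbits),
        "(3/4)^(n-1) * 4^n": round((3 / 4) ** (nbits - 1) * 4 ** nbits),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print("%-28s %s" % (name, value))
```

x XOR k passes the GF(2) check and fails the mod-2^n one, x + k the reverse, which is Tom's own example with p = 2^n; the S-box fails both, which is the force of Mark Wooding's question about the Rijndael S-box: a cipher S-box is chosen so that it is affine over neither of the structures the cipher's other operations live in. For 8 bits the ADD/XOR coincidence count is 3^7 * 4 = 8748 of 65536 pairs; the top bit does not count because its carry is discarded, which is why the exponent is n-1.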



------------------------------

From: "Frog2000" <[EMAIL PROTECTED]>
Subject: Re: Avoiding bogus encryption products: Snake Oil FAQ
Date: Fri, 4 May 2001 10:35:31 -0400


"Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
news:9csmkm$503$[EMAIL PROTECTED]...
>
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> >
> > "Henrick Hellström" wrote:
> > >
> >
> > > The recommendation ought to be: Don't trust a cipher unless you are an
> > > experienced cryptographer or you know for sure that a majority of
> > > experienced cryptographers trust it. Period.
> >
> > Nothing could be said against that. There is, however, a
> > difficulty of applying it in practice.
>
> Yes, of course. But that particular objection was pointed towards the
> statement that it was foolish to engage in both cipher development and
> commercial software development. It is probably true that practically all
> ciphers the layman might come in contact with and should beware of are
> developed by people with such engagements. On the other hand I guess that
> a

That assumes that all commercial endeavors are by laymen, and that a
professional can't be engaged in commercialism.


--
http://welcome.to/speechsystemsfortheblind





------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: cryptographicaly secure prng
Date: 4 May 2001 15:15:58 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
<KyyI6.14018$[EMAIL PROTECTED]>: 

>
>"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> [EMAIL PROTECTED] (Dobs) wrote in <9cu403$7em$[EMAIL PROTECTED]>:
>>
>> >>"Can U also write me an algorithm to it"
>> >I just wanted somebody to give me the site where I can find an algorithm for
>> >any secure generator
>> >> Why do you need "one more"?
>> >I need "one more" because the task from my school is to implement 5
>> >generators and I have got so far 4 of them, and that's the whole story.
>> >
>> >
>>
>>   OK I will give you a fifth. Take scott19u.zip, get a file of roughly
>> 2 megs from random.org or whatever. Use that as the rawkey.key file;
>> use another such file as the input file. Encrypt the input file, take the
>> first byte out as random data. Encrypt the file again. Take the next byte
>> out as random data. Keep repeating till you don't need more info.
>>   Yes it's slow. But you keep asking for more code so I thought I
>> would basically supply you with one. Oh, if you want a different random
>> source out, change your short password or get new files from random.org
>> or whatever. :)
>
>That's just plain stupid.  If you get your secure bits from a website
>they ain't private.  So if you plug them into a cipher (even if it's
>scottu) the output cannot be random.
>

  Didn't you see the smiley?  I don't use them often. What the
hell is your problem anyway?  A young guy like you should be chasing
skirt or something before you get too old. Get a life Tom.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: cryptographicaly secure prng
Date: Fri, 04 May 2001 15:39:12 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <KyyI6.14018$[EMAIL PROTECTED]>:
>
> >
> >"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> [EMAIL PROTECTED] (Dobs) wrote in <9cu403$7em$[EMAIL PROTECTED]>:
> >>
> >> >>"Can U also write me an algorithm to it"
> >> >I just wanted somebody to give me the site where I can find an algorithm for
> >> >any secure generator
> >> >> Why do you need "one more"?
> >> >I need "one more" because the task from my school is to implement 5
> >> >generators and I have got so far 4 of them, and that's the whole story.
> >> >
> >> >
> >>
> >>   OK I will give you a fifth. Take scott19u.zip, get a file of roughly
> >> 2 megs from random.org or whatever. Use that as the rawkey.key file;
> >> use another such file as the input file. Encrypt the input file, take the
> >> first byte out as random data. Encrypt the file again. Take the next byte
> >> out as random data. Keep repeating till you don't need more info.
> >>   Yes it's slow. But you keep asking for more code so I thought I
> >> would basically supply you with one. Oh, if you want a different random
> >> source out, change your short password or get new files from random.org
> >> or whatever. :)
> >
> >That's just plain stupid.  If you get your secure bits from a website
> >they ain't private.  So if you plug them into a cipher (even if it's
> >scottu) the output cannot be random.
> >
>
>   Didn't you see the smiley?  I don't use them often. What the
> hell is your problem anyway?  A young guy like you should be chasing
> skirt or something before you get too old. Get a life Tom.

Actually I didn't see the smiley.  I figure if I can't get work done here
neither can anyone else!

Tom



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
