Cryptography-Digest Digest #310, Volume #14       Mon, 7 May 01 15:13:00 EDT

Contents:
  Re: Free Triple DES Source code is needed. (Darren New)
  Re: LUCIFER (Bo Dömstedt)
  Re: Message mapping in EC. (Mike Rosing)
  Re: Tiny s-boxes (David Wagner)
  Re: Modification of S-Box attack (David Wagner)
  Re: Modification of S-Box attack ("Simon Johnson")
  Re: ECC question (Mike Rosing)
  Re: Tiny s-boxes ("Tom St Denis")
  Re: Modification of S-Box attack ("Tom St Denis")
  Re: Free Triple DES Source code is needed. ("Tom St Denis")
  Re: free en/decryption library ("Tom St Denis")
  Re: A Question Regarding Backdoors ("Tom St Denis")
  Re: Modification of S-Box attack ("Tom St Denis")
  Re: ECC question ("Tom St Denis")
  Re: Back to the Drawing Board (John Savard)
  Re: GF(2^W) sboxes timings ("Tom St Denis")
  Re: ISO 9796-1:1991 (Mok-Kong Shen)
  Re: Free Triple DES Source code is needed. ("Tom St Denis")
  Re: ECC question ("Tom St Denis")
  Re: ISO 9796-1:1991 (Uwe Guenther)
  Re: Comp Results: Thomas Boschloo FAILS to prove himself, as everyone expected all along... ("Mika Hirvonen")
  Re: Free Triple DES Source code is needed. ("Douglas A. Gwyn")
  Re: Back to the Drawing Board (Mok-Kong Shen)
  Re: ISO 9796-1:1991 (Mok-Kong Shen)

----------------------------------------------------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 07 May 2001 16:28:01 GMT

Tom St Denis wrote:
> Second what is this C/C++ thing you talk about?  It's C *OR* C++ not both.

Since C++ is a superset of C, if you're writing in C++, a library in C
or C++ would do. Hence, asking for a C/C++ program seems quite
reasonable.

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
       San Diego, CA, USA (PST).  Cryptokeys on demand.
       Invasion in chinese restaurant:
                        ALL YOUR RICE ARE BELONG TO US!

------------------------------

From: [EMAIL PROTECTED] (Bo Dömstedt)
Subject: Re: LUCIFER
Reply-To: [EMAIL PROTECTED]
Date: Mon, 07 May 2001 16:17:50 GMT

Ryan Sorensen wrote:
> I would appreciate it if someone could point me to a paper outlining LUCIFER.
> 

Smith, J. L.
"The Design of Lucifer, A Cryptographic Device for Data
  Communications"
RC-3326, #15211
IBM Thomas J. Watson Research Center
P.O. Box 218
Yorktown Heights, New York 10598
April 15, 1971

Includes a picture (p.4) of the Lucifer cipher machine.
In appendix (pp 59--) author investigates the error propagation
for single bit xor inputs ...

Bo Dömstedt
Chief Cryptographer
Protego Information AB
Ideon Gamma Science Park
http://www.protego.se


------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Message mapping in EC.
Date: Mon, 07 May 2001 12:27:51 -0500

Doug Kuhlman wrote:
> My typo.  You're supposed to read what I *mean*, not what I say! (yes,
> that's tongue-in-cheek).  You're right, of course.  2^2^5 is 4 billion,
> not 4 trillion.

:-)

> Well, I am a mathematician.  I've looked into it.  For a while, I
> thought it might be my dissertation topic, but it's still too hard a
> problem.  My advisor looked into it.  I know guys like Menezes and
> Koblitz have asked that question.
> 
> Now, as far as publications, I don't know of any.  It's pretty hard to
> publish (well, uhh... we looked at this problem.  And, well, we got the
> obvious heuristic value.  But, well, that's about it.)  Keywords might
> be "elliptic curve" (too many references), points, "Hamming sphere"
> wouldn't be bad, but my guess is very few (if any) papers include both
> Hamming sphere and elliptic curve.

OK, that explains a lot.  If it's too hard for Koblitz and Menezes, it's
too hard for me :-)

> Yeah, but the 4-color problem has a lot of limiting structure that
> discussions of Hamming spheres in elliptic curves don't.  For one thing,
> the size of the base field is allowed to be arbitrarily large, which
> leads to an asymptotic estimate, which is always harder to do.  The
> rules of mappings are also very well-established, whereas point density
> locations in ECs aren't (to my knowledge, anyway).
> 
> A more fundamental problem is that a "Hamming sphere" is not a very nice
> abstract algebraic object.  It doesn't obey rules like we want it to.
> This makes proof extremely difficult.
> 
> Since the proof appears to be very difficult and the heuristic appears
> to work pretty well, it's hard to justify why anyone should get into the
> problem right now.
> 
> If you do succeed in finding anything on this topic, though, please let
> me know, as I would be quite interested.

Sounds like everyone would be interested :-)  Thanks for the hints, I've learned
some new terms.

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Tiny s-boxes
Date: 7 May 2001 17:30:23 GMT

Simon Johnson wrote:
>Of course the next question is, can we make an algebraic 64x64 s-box that
>behaves as a random permutation and can not be 'decomposed' into small
>s-boxes to be analysed?

You mean, something like Triple-DES?

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Modification of S-Box attack
Date: 7 May 2001 17:31:57 GMT

Simon Johnson wrote:
>Because DES's s-boxes are so small, 6x4, a small change to their structure
>(say the swapping of two elements of the box) has massive implications for
>the effectiveness of differential and linear cryptanalysis. Thus, I propose
>an aggressive attack (which in practice would probably be delivered by
>virus) where one actually swaps two of the elements in one or more of
>the DES s-boxes, in a compiled implementation.

If you're able to modify the S-boxes, why not just zero out
all the entries in the S-boxes?  Maybe I don't understand the
threat model you are considering: If the adversary can modify
the implementation, why would it be necessary to minimize the
number of changes to the S-box?

------------------------------

From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Modification of S-Box attack
Date: Mon, 7 May 2001 18:45:33 +0100


gilles <[EMAIL PROTECTED]> wrote in message
news:9d63eq$t0m$[EMAIL PROTECTED]...
> if you compress the file with
> UPX the attack is most difficult
> not ??

I haven't heard of UPX, but if it's a compression algorithm, like you suggest,
then no. The attack is based on making the cipher vulnerable to attacks like
differential and linear cryptanalysis. These attacks do not care about the
redundancy in general (this is what I assume you'd want to use a compression
algorithm for, to reduce redundancy).. these attacks only care about whether a
particular plain-text pair is a right pair or not.



------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: ECC question
Date: Mon, 07 May 2001 12:43:56 -0500

Anthony Mulcahy wrote:
> Be careful, elliptic curves are very addictive and the more you learn about
> them, the more you will want to learn, in a never ending cycle.

Yeah, that's for sure!!

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Tiny s-boxes
Date: Mon, 07 May 2001 17:55:01 GMT


"Simon Johnson" <[EMAIL PROTECTED]> wrote in message
news:9d5vn3$hds$[EMAIL PROTECTED]...
> Well, so far this thread has been damn interesting...
>
> So I'd like to take it in the other direction, what about massive s-boxes?
> Let's say we had a 64x64 s-box that could be implemented in some kind of
> algebraic fashion. Finding the XOR difference table or the
> walsh-transform of the s-box would be a sufficiently intractable amount of work
> to make cryptanalysis impossible. In which case, a cipher based on this
> 64x64 would be secure from linear and diff attack after just 3 rounds. The security is not
> derived from the structure of the boxes but rather the intractability of
> determining the s-boxes' structure.

This is not true.  If the sbox is algebraic you simply use algebra to attack
it.

> Even if someone managed to recover the structure of the s-box it's very
> likely, that at this size, that you couldn't exploit it anyway.

If the 64x64 is just a random bijection (not algebraic) this may be true,
but consider the 16 bit sbox given by

F(x) = x xor 0x1234

.... :-)

> Of course the next question is, can we make an algebraic 64x64 s-box that
> behaves as a random permutation and can not be 'decomposed' into small
> s-boxes to be analysed?
>
> I assume the answer is no because such a system would be the perfect cipher.

I think you have this backwards.  Most algebraic structures can be viewed a
million different ways... i.e mod n analysis comes to mind.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Modification of S-Box attack
Date: Mon, 07 May 2001 17:56:01 GMT


"Simon Johnson" <[EMAIL PROTECTED]> wrote in message
news:9d60o4$hsb$[EMAIL PROTECTED]...
> A lot of people use DES and/or its variants... I've not actually checked if
> this would work.. but in theory it should work perfectly.
>
> Because DES's s-boxes are so small, 6x4, a small change to their structure
> (say the swapping of two elements of the box) has massive implications for
> the effectiveness of differential and linear cryptanalysis. Thus, I propose
> an aggressive attack (which in practice would probably be delivered by
> virus) where one actually swaps two of the elements in one or more of
> the DES s-boxes, in a compiled implementation.

You will notice the virus unless it takes effect simultaneously.

Also if you simply remove 16 xor's you can break DES way quicker.

Tom
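
Simon's proposal above measures the effect of an S-box change by what it does to differential cryptanalysis; the concrete object behind that is the S-box's difference distribution table (DDT). The following is an added example, not code from the thread: it computes the DDT of the public DES S-box S1, then applies the two-entry swap Simon describes to a copy and recomputes. Which two entries to swap (positions 0 and 1 of the flat table) is an arbitrary choice for illustration, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* DES S-box S1 as printed in FIPS 46, four rows of sixteen. DES selects
 * row = outer two input bits, column = middle four, which is a fixed
 * bit-permutation of the 6-bit input; that only relabels the rows of the
 * difference table, so indexing the table flat by the 6-bit input gives
 * the same maximum entry. */
static const unsigned char DES_S1[64] = {
    14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
     0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
     4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
    15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13
};

/* Difference distribution table:
 * ddt[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout. */
void sbox_ddt(const unsigned char s[64], unsigned ddt[64][16])
{
    memset(ddt, 0, sizeof(unsigned) * 64 * 16);
    for (unsigned din = 0; din < 64; din++)
        for (unsigned x = 0; x < 64; x++)
            ddt[din][s[x] ^ s[x ^ din]]++;
}

/* Largest entry over non-zero input differences, out of 64 inputs: the
 * best one-S-box differential available to an attacker. */
unsigned ddt_max(unsigned ddt[64][16])
{
    unsigned best = 0;
    for (unsigned din = 1; din < 64; din++)
        for (unsigned dout = 0; dout < 16; dout++)
            if (ddt[din][dout] > best) best = ddt[din][dout];
    return best;
}

/* The attack from the thread: swap two table entries of a copy of S1. */
static void tampered_s1(unsigned char out[64], unsigned i, unsigned j)
{
    unsigned char t;
    memcpy(out, DES_S1, 64);
    t = out[i]; out[i] = out[j]; out[j] = t;
}

unsigned s1_max_ddt(void)
{
    unsigned ddt[64][16];
    sbox_ddt(DES_S1, ddt);
    return ddt_max(ddt);
}

unsigned tampered_max_ddt(unsigned i, unsigned j)
{
    unsigned char s[64];
    unsigned ddt[64][16];
    tampered_s1(s, i, j);
    sbox_ddt(s, ddt);
    return ddt_max(ddt);
}

/* Change in one DDT cell caused by swapping entries i and j:
 * tampered count minus genuine count. */
int ddt_entry_delta(unsigned i, unsigned j, unsigned din, unsigned dout)
{
    unsigned char s[64];
    unsigned before[64][16], after[64][16];
    sbox_ddt(DES_S1, before);
    tampered_s1(s, i, j);
    sbox_ddt(s, after);
    return (int)after[din][dout] - (int)before[din][dout];
}

int main(void)
{
    printf("genuine S1: max DDT entry %u/64\n", s1_max_ddt());
    printf("S1 with entries 0 and 1 swapped: max DDT entry %u/64\n",
           tampered_max_ddt(0, 1));
    printf("DDT[2][3] changes by %d, DDT[2][9] by %d\n",
           ddt_entry_delta(0, 1, 2, 3), ddt_entry_delta(0, 1, 2, 9));
    return 0;
}
```

The genuine table stays within the published DES design bound (no entry above 16 of 64 for a non-zero input difference). Swapping entries 0 and 1 (values 14 and 4) moves exactly the ordered pairs (0,2),(2,0) and (1,3),(3,1) in the row for input difference 2, so DDT[2][3] and DDT[2][5] each drop by 2 while DDT[2][9] and DDT[2][15] each rise by 2; the pair (0,1) keeps its output difference 14^4 = 10, so the row for input difference 1 is untouched. Whether the maximum rises depends on which entries are swapped, which is why Wagner's point stands: an attacker who can rewrite the table at all can do far worse than a swap, and the practical defence is an integrity check on the table bytes rather than any property of the DDT.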



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 07 May 2001 17:56:44 GMT


"Luis Duarte" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> ok, ok...
> mr. know-it-all
> you really think you're the owner of this newsgroup...
> shame on you...

Why?  I am just answering all questions I know how to answer.  If that
happens to filter out retards that can't use search engines... so be it.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: free en/decryption library
Date: Mon, 07 May 2001 17:57:25 GMT


"Luis Duarte" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In case you didn't notice, Jack was just kidding...

Why the attitude?

>
> On Sun, 06 May 2001 19:48:20 GMT, "Tom St Denis"
> <[EMAIL PROTECTED]> wrote:
>
> >
> >"Jack Lindso" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> I think it's very noble of you Tom to volunteer for the job of this
> >> newsgroup's guard.
> >> Cheers.
> >
> >I do what I can :-)
> >
> >Tom
> >
> >
>



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: A Question Regarding Backdoors
Date: Mon, 07 May 2001 17:57:57 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Trevor L. Jackson, III) wrote in
> <[EMAIL PROTECTED]>:
>
> >Consider the variation suggested by RW: non-backdoored crypto is
> >outlawed. Such a draconian restriction would present the choice of
> >crippled crypto or jail to anyone promoting (in the vague DCMA sense)
> >non-bacdoored crypto.  In that situation any professional with integrity
> >should visit jail in the tradition of Thoreau, Parks, & Zimmerman.
> >
>
>  A professional with integrity isn't that kind of an oxymoron.
> A person is usually considered a professional if he sells out.
> If a person has integrity they don't sell out.

Obviously you care a lot about the world :-)

How about doctors?  Do you call them sell outs too?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Modification of S-Box attack
Date: Mon, 07 May 2001 17:58:27 GMT


"gilles" <[EMAIL PROTECTED]> wrote in message
news:9d63eq$t0m$[EMAIL PROTECTED]...
> if you compress the file with
> UPX the attack is most difficult
> not ??

No.

upx -d myfile.exe
attack myfile.exe


hmm... how is that hard?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: ECC question
Date: Mon, 07 May 2001 18:05:04 GMT


"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> > Would something like nP - kP (say k=n) be the point at infinity?
>
> Yes, iff k and n are congruent modulo the order of P.

Thanks,
Tom



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Back to the Drawing Board
Date: Mon, 07 May 2001 18:06:52 GMT

On Mon, 07 May 2001 13:34:11 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:

>*Sixty* rounds, each round really being more like _two_ rounds in a
>more typical cipher?

I figured out how to bring that down to 20.

Essentially, have *five* rounds, each one composed of three rounds in
the 96-bit part, and four rounds in the 160-bit part.

Also, since a 4 of 8 code has 70 values, as used in other parts, I
could go from 6 to 8 as well as from 8 to 10, since 96 is a multiple
of both 8 and 6, and 160 is a multiple of both 10 and 8...

John Savard
http://home.ecn.ab.ca/~jsavard/

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: GF(2^W) sboxes timings
Date: Mon, 07 May 2001 18:01:15 GMT


"Tim Olson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <6QfJ6.29036$[EMAIL PROTECTED]>, "Tom St
> Denis" <[EMAIL PROTECTED]> wrote:
>
> | /* Perform a multiplication in GF(2^32) returning ab */
> | unsigned long gf_mul(unsigned long a, unsigned long b)
> | {
> |     unsigned long result = 0;
> |     while (a) {
> |         if (a & 1)
> |             result ^= b;
> |         a >>= 1;
> |         if (b & 0x80000000ul)
> |             b = (b << 1) ^ 0xd59c382dul;
> |         else
> |             b <<= 1;
> |     }
> |     return result;
> | }
>
>
> On deeply-pipelined processors like Athlon and Pentium-III, the
> if-then-else tests in the middle of the loop are going to cause a lot of
> branch mispredictions with large mispredict penalties.  You might be able
> to speed up the loop quite a bit if you do the following trick to get rid
> of the conditional branches:
>
> unsigned long gf_mul(unsigned long a, unsigned long b)
> {
>    unsigned long result = 0;
>    long signB, lsbA;   /* all-ones or all-zeros masks; assumes a 32-bit long */
>
>    while (a) {
>       lsbA = ((long)a << 31) >> 31;   /* bit 0 of a, sign-extended to a mask */
>       result ^= (b & lsbA);
>       a >>= 1;
>       signB = (long)b >> 31;          /* bit 31 of b, sign-extended to a mask */
>       b = (b << 1) ^ (0xd59c382dul & signB);
>    }
>    return result;
> }

This new code takes 256 cycles... (running some other stuff so it's not
accurate timing).  Nifty trick. So basically you sign extend the lsb to fill
the rest and AND it.  So unconditionally the result is found...

Tom
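
Tim's trick above relies on `long` being 32 bits so that the arithmetic right shift of the sign bit produces an all-ones mask; on a 64-bit `long` it silently computes the wrong thing. The following is an added example, not code from the thread, that writes the same branch-free multiplication with `uint32_t` and unsigned negation for the masks, runs a fixed 32 iterations, and checks it against the branching reference version and the ring identities. The reduction polynomial 0xd59c382d is the one from the thread; the thread does not say whether it is irreducible, so the checks deliberately avoid inverses. The function names and the sample operands are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Reduction polynomial from the thread: x^32 plus the bits of 0xd59c382d.
 * uint32_t is used so the masks do not depend on how wide "long" is. */
#define GF32_POLY 0xd59c382dUL

/* Branching reference version, the shape of the original loop. */
uint32_t gf32_mul_ref(uint32_t a, uint32_t b)
{
    uint32_t result = 0;
    while (a) {
        if (a & 1)
            result ^= b;
        a >>= 1;
        if (b & 0x80000000UL)
            b = (b << 1) ^ GF32_POLY;
        else
            b <<= 1;
    }
    return result;
}

/* Branch-free version: each conditional becomes an all-ones/all-zeros mask.
 * The loop also runs a fixed 32 iterations, so neither the branch pattern
 * nor the trip count depends on the operands. */
uint32_t gf32_mul_ct(uint32_t a, uint32_t b)
{
    uint32_t result = 0;
    for (int i = 0; i < 32; i++) {
        uint32_t lsb_mask = 0u - (a & 1u);   /* 0xFFFFFFFF if bit 0 of a set */
        result ^= b & lsb_mask;
        a >>= 1;
        uint32_t msb_mask = 0u - (b >> 31);  /* 0xFFFFFFFF if bit 31 of b set */
        b = (b << 1) ^ (GF32_POLY & msb_mask);
    }
    return result;
}

/* Constructed sample operands: includes the edge cases 0, 1, a lone top bit
 * and the polynomial itself. */
static const uint32_t gf32_samples[] = {
    0u, 1u, 2u, 0x80000000u, 0xd59c382du, 0xdeadbeefu, 0x12345678u, 0xffffffffu
};

/* Returns 1 if the branch-free version agrees with the reference on every
 * sample pair and the ring identities (commutative, associative, distributive
 * over XOR) hold. These hold in GF(2)[x]/(P) whether or not P is irreducible,
 * so the check does not depend on inverses existing. */
int gf32_self_check(void)
{
    size_t n = sizeof gf32_samples / sizeof gf32_samples[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            uint32_t x = gf32_samples[i], y = gf32_samples[j];
            if (gf32_mul_ct(x, y) != gf32_mul_ref(x, y)) return 0;
            if (gf32_mul_ct(x, y) != gf32_mul_ct(y, x)) return 0;
            for (size_t k = 0; k < n; k++) {
                uint32_t z = gf32_samples[k];
                if (gf32_mul_ct(x, y ^ z) != (gf32_mul_ct(x, y) ^ gf32_mul_ct(x, z)))
                    return 0;
                if (gf32_mul_ct(gf32_mul_ct(x, y), z) != gf32_mul_ct(x, gf32_mul_ct(y, z)))
                    return 0;
            }
        }
    return 1;
}

int main(void)
{
    printf("self-check: %s\n", gf32_self_check() ? "ok" : "MISMATCH");
    printf("x * x^31 = 0x%08x (one reduction step)\n",
           (unsigned)gf32_mul_ct(2u, 0x80000000u));
    return 0;
}
```

Multiplying x (0x2) by x^31 (0x80000000) overflows the 32-bit register exactly once, so the result is the reduction polynomial itself, 0xd59c382d; that is the single case the `msb_mask` branch exists for. Beyond Tim's speed argument, the fixed trip count matters when the operands are secret: `while (a)` leaks the position of a's top set bit through timing.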



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: ISO 9796-1:1991
Date: Mon, 07 May 2001 20:01:30 +0200



Uwe Guenther wrote:
>  
> I have to implement a client that uses the German HBCI protocol
> (HomeBankingComputerInterface). There are references to
> ISO 9796-1:1991 (formatting and signing). Since this standard
> is withdrawn, there is no way to get the standard from ISO.
> 
> Has someone any ideas where I can get the withdrawn ISO standard?
> I know that there are some security problems with the use of the standard.
> But there is no other way to implement HBCI.

As far as I know, BSI is overseeing the various security 
issues of e-commerce in Germany. So you probably may get 
help from there.

M. K. Shen

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 07 May 2001 18:06:47 GMT


"Darren New" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> > Second what is this C/C++ thing you talk about?  It's C *OR* C++ not both.
>
> Since C++ is a superset of C, if you're writing in C++, a library in C
> or C++ would do. Hence, asking for a C/C++ program seems quite
> reasonable.

It makes no sense.  In fact C libraries will not work in C++ since you must
"extern "C" {" them.  Therefore it becomes C++ source code.

I agree they share a common ground language but they are not the same.  If
your program works in C++ it's a C++ program, if it's in C it's a C program.

Wonder why there is a gcc and gxx?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: ECC question
Date: Mon, 07 May 2001 18:04:37 GMT


"Anthony Mulcahy" <[EMAIL PROTECTED]> wrote in message
news:9d6cok$kqq$[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> wrote
> > I was just wondering about subtracting two points...
> >
> > Let's say you have the points P=(x1,y1) and Q=(x2,y2).  If you wanted P-Q
> > would you simply do P+(-Q) where -Q is (x2,-y2)?
>
> P + (-Q) is the correct way of writing it, because subtraction is defined as
> adding the inverse, however the formula -Q = (x2, -y2) is only for elliptic
> curves over rational numbers.
>
> ECC uses curves over finite fields and the general formula for that case is:
>
> -Q = (x, -y-a1x-a3)
>
> where Q = (x, y) and the equation of the curve is
>  y^2 + a1xy + a3y = x^3 + a2x^2 + a4x + a6
>
> Since the curves used in ECC are usually of  the form
> y^2 = x^3 + a4x + a6 (over Fp) or
> y^2 + xy = x^3  + a2x^2 + a6 (over F2m)
> the equation for -Q reduces to:
>
> -Q = (x, -y-x) = (x, y+x)

I started reading the ECC section in Koblitz's book.  It's a bit complicated
for a light read... I saw he mentions different curves for different chars
(p=2,3,>3) is that because they wouldn't exist or because they are weak?

> > Would something like nP - kP (say k=n) be the point at infinity?
> > Basically I am toying with the idea of an attack based on guessing
> > the multiplicand and subtracting.  It's nothing serious just toying with
> > the math.
>
> nP - kP would be equal to the point at infinity if (n-k) is congruent to 0
> modulo the order of the group of points on the curve (or the order(s) of the
> subgroup(s) containing P). Basically, nP - kP is equal to the point at
> infinity, if (n-k) is a multiple of the number of points on the curve.

Isn't that similar to factoring i.e x^2 - y^2 = 0 mod N, x-y may be a factor
of N?

> > Too much to learn, so little time.... hehehehe
>
> Be careful, elliptic curves are very addictive and the more you learn
about
> them, the more you will want to learn, in a never ending cycle.

Of course.  Learning is good.

Tom
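
The two facts Anthony states above, that P - Q is P + (-Q) with -Q = (x, -y - a1*x - a3), and that nP - kP is the point at infinity exactly when n and k agree modulo the order of P, are easy to watch happen on a tiny curve. The following is an added example, not code from the thread: affine arithmetic on the constructed toy curve y^2 = x^3 + x + 1 over F_23 (short Weierstrass form, so a1 = a3 = 0 and negation reduces to (x, -y)), with a brute-force order computation and an exhaustive check of the subtraction rule. The curve, the base point (3,10) and all function names are this example's own; the characteristic-2 form Anthony also mentions is not covered.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy curve: y^2 = x^3 + x + 1 over F_23 (a4 = 1, a6 = 1). */
#define EC_P 23
#define EC_A 1
#define EC_B 1

typedef struct { int64_t x, y; int inf; } ec_pt;   /* inf != 0: point at infinity */

static int64_t fmodp(int64_t v) { v %= EC_P; return v < 0 ? v + EC_P : v; }

/* Modular inverse by Fermat: v^(p-2) mod p for prime p. */
static int64_t finv(int64_t v)
{
    int64_t r = 1, b = fmodp(v), e = EC_P - 2;
    while (e) { if (e & 1) r = r * b % EC_P; b = b * b % EC_P; e >>= 1; }
    return r;
}

ec_pt ec_infinity(void) { ec_pt o = { 0, 0, 1 }; return o; }
ec_pt ec_point(int64_t x, int64_t y) { ec_pt q = { fmodp(x), fmodp(y), 0 }; return q; }

int ec_on_curve(ec_pt q)
{
    if (q.inf) return 1;
    return fmodp(q.y * q.y) == fmodp(q.x * q.x * q.x + EC_A * q.x + EC_B);
}

int ec_equal(ec_pt p, ec_pt q)
{
    if (p.inf || q.inf) return p.inf && q.inf;
    return p.x == q.x && p.y == q.y;
}

/* General rule -Q = (x, -y - a1*x - a3) with a1 = a3 = 0. */
ec_pt ec_neg(ec_pt q) { ec_pt r = { q.x, fmodp(-q.y), q.inf }; return r; }

ec_pt ec_add(ec_pt p, ec_pt q)
{
    int64_t lam;
    ec_pt r;
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x && fmodp(p.y + q.y) == 0) return ec_infinity();  /* q == -p */
    if (p.x == q.x)                                  /* doubling */
        lam = fmodp((3 * p.x * p.x + EC_A) * finv(2 * p.y));
    else
        lam = fmodp((q.y - p.y) * finv(q.x - p.x));
    r.inf = 0;
    r.x = fmodp(lam * lam - p.x - q.x);
    r.y = fmodp(lam * (p.x - r.x) - p.y);
    return r;
}

/* Subtraction is addition of the inverse, as the thread says. */
ec_pt ec_sub(ec_pt p, ec_pt q) { return ec_add(p, ec_neg(q)); }

/* Double-and-add scalar multiplication for k >= 0. */
ec_pt ec_mul(int64_t k, ec_pt q)
{
    ec_pt acc = ec_infinity();
    while (k > 0) {
        if (k & 1) acc = ec_add(acc, q);
        q = ec_add(q, q);
        k >>= 1;
    }
    return acc;
}

/* Order of a curve point by brute force; fine for a 23-element field. */
int64_t ec_order(ec_pt q)
{
    int64_t n = 1;
    ec_pt acc = q;
    while (!acc.inf) { acc = ec_add(acc, q); n++; }
    return n;
}

/* Checks nP - kP == O  iff  n == k (mod ord P) for 0 <= n, k < 2*ord P.
 * Returns 1 when every case agrees. */
int ec_check_sub_rule(ec_pt p)
{
    int64_t ord = ec_order(p);
    for (int64_t n = 0; n < 2 * ord; n++)
        for (int64_t k = 0; k < 2 * ord; k++) {
            int is_inf = ec_sub(ec_mul(n, p), ec_mul(k, p)).inf;
            int congruent = ((n - k) % ord + ord) % ord == 0;
            if (is_inf != congruent) return 0;
        }
    return 1;
}

int main(void)
{
    ec_pt p = ec_point(3, 10), d = ec_mul(2, p);
    printf("P on curve: %d, 2P = (%lld, %lld), ord P = %lld\n", ec_on_curve(p),
           (long long)d.x, (long long)d.y, (long long)ec_order(p));
    printf("nP - kP = O iff n = k mod ord P: %s\n",
           ec_check_sub_rule(p) ? "holds" : "FAILS");
    return 0;
}
```

On this curve 2P = (7,12), 14P = (4,0) (the one point of order 2, which is its own negative because y = 0) and 28P = O, so P has order 28 and every pair n, k with n - k a multiple of 28 gives the point at infinity; that is the whole content of the "guess the multiplicand and subtract" idea, and it is why the subtraction tells you nothing unless you already know n mod ord P.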



------------------------------

From: Uwe Guenther <[EMAIL PROTECTED]>
Subject: Re: ISO 9796-1:1991
Date: Mon, 07 May 2001 19:16:27 +0200

Mok-Kong Shen wrote:
> 
> Uwe Guenther wrote:
> >
> > I have to implement a client that uses the German HBCI protocol
> > (HomeBankingComputerInterface). There are references to
> > ISO 9796-1:1991 (formatting and signing). Since this standard
> > is withdrawn, there is no way to get the standard from ISO.
> >
> > Has someone any ideas where I can get the withdrawn ISO standard?
> > I know that there are some security problems with the use of the standard.
> > But there is no other way to implement HBCI.
> 
> As far as I know, BSI is overseeing the various security
> issues of e-commerce in Germany. So you probably may get
> help from there.
> 
> M. K. Shen

Do you have any e-mail address for the BSI people who work on this subject?

-- 
Uwe

------------------------------

From: "Mika Hirvonen" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.privacy.anon-server
Subject: Re: Comp Results: Thomas Boschloo FAILS to prove himself, as everyone expected all along...
Date: Mon, 7 May 2001 21:18:50 +0300

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

"Jim Deluca" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

Follow-ups set.

> I don't know what this shit is all about, but why not take it elsewhere, 
> OR since you seem to be the injured party, just killfile the asshole(s)
> if  there is a common characteristic of his/their posts?

Boschloo and "Chris" had a cracking contest a while ago. "Chris" first
claimed that PGP was notoriously insecure against keyloggers and presented
his own, patented program as a solution, claiming to defeat past, present
and future keyloggers. Boschloo claimed that he could write a keylogger to
defeat Chris' anti-keylogger and anti-tampering program, Netsafe.

A regular of this group, Sam Simpson, arranged a cracking contest between
the two. Chris would submit a version of Netsafe,  Boschloo would have a
few weeks to crack it and Simpson would verify the results. Boschloo wrote
a working keylogger (I checked it myself) which Netsafe could not detect or
prevent from functioning and posted it on his site. Chris then declared
that he had "won" the contest and vanished from the newsgroup.

Shortly after, the newsgroup was flooded with anti-Boschloo messages,
posted via anonymous remailers and nym.alias.net's mail2news gateway. After
instructions were posted to killfile all of them, the flooding faded out of
view for a while. Now, when Boschloo has started to post actively again,
the flood messages are back too. Apparently whoever is posting those has an
autoresponder script, which will flood the newsgroup every time Boschloo
posts anything.

> God I remember the good old days when we had a flame newsgroup and you 
> were sometimes forced to got there or get booted from the newsgroup.

That's not an option with alt.* newsgroups, because they aren't moderated.
Anarchy, Lunatics and Terrorists, indeed. ;-)

- --
  Mika Hirvonen <[EMAIL PROTECTED]>
  http://www.saunalahti.fi/hirvox/
  PGP key @ http://www.saunalahti.fi/hirvox/stormshadow.asc

=====BEGIN PGP SIGNATURE=====
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBOvbK6qSfrEHp33TBEQJEtwCfdBqPBGR2Snox9NcbdQrOpIfEmcIAoLvl
czUmzECZrl1dzML28r0a+PRw
=tyss
=====END PGP SIGNATURE=====



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 07 May 2001 19:01:07 GMT

Darren New wrote:
> Since C++ is a superset of C, ...

Actually it isn't.  E.g., the meaning of int foo(); is different
in the two languages.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Back to the Drawing Board
Date: Mon, 07 May 2001 21:01:51 +0200



John Savard wrote:
> 
> After not having added a new cipher to the Quadibloc family, it
> happened that I chanced to investigate how many characters could be
> represented by a 5 out of 10 code.
[snip]

I am interested to know what you are working on. Unfortunately
there seem to be not enough standards of terminology in the
field of coding, so that I failed to find your code in
the register of a few books that I have. Could you please
give a bit of explanation. Thanks.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: ISO 9796-1:1991
Date: Mon, 07 May 2001 21:05:41 +0200



Uwe Guenther wrote:
> 

> Do you have any e-mail from these BSI guys who work on these subject?

Sorry, no. I learned only from newspapers that they are
involved in e-commerce.

M. K. Shen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
