Cryptography-Digest Digest #312, Volume #14       Tue, 8 May 01 02:13:00 EDT

Contents:
  Re: Back to the Drawing Board (John Savard)
  Re: Free Triple DES Source code is needed. (Bryan Olson)
  Re: A Question Regarding Backdoors ("Trevor L. Jackson, III")
  Re: free en/decryption library ("Jeffrey Walton")
  Re: Note on combining PRNGs with the method of Wichmann and Hill (Bryan Olson)
  Re: free en/decryption library ("Tom St Denis")
  Re: free en/decryption library ("Jeffrey Walton")
  Re: linear vs nonlinear ("Douglas A. Gwyn")
  Re: OAP-L3:  "The absurd weakness." ("Douglas A. Gwyn")
  Re: Cryptanalysis Question: Determining The Algorithm? (wtshaw)
  Re: Simple cryptography technique: sound? ("Joseph Ashwood")
  Re: Comp Results: Thomas Boschloo FAILS to prove himself, as everyone expected all along... (Boschloo STINKS)
  Re: RIP Act and OTP ("Joseph Ashwood")
  Re: Tiny s-boxes ("Brian McKeever")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Back to the Drawing Board
Date: Tue, 08 May 2001 00:11:17 GMT

On Mon, 07 May 2001 23:10:50 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>Does that have an alternative name in the coding literature
>or could you recommend me a good text book where it is
>treated? Thanks.

The standard name _is_ "m out of n code", but these codes are
heuristic (although they have some relation to group code recording
(GCR) methods which are designed to have a zero DC component) unlike
such things as Hamming codes, Golay codes, Hadamard codes,
Reed-Solomon codes, Bose-Chaudhuri-Hocquenghem codes, and so on and so
forth. So there isn't that much literature on them, because there
isn't that much to say about them: they were used _before_ coding
theory became a science, or at least before its results percolated
down to general engineering practice.

A 2 out of 4 code, for example, simply uses all the combinations of
four bits in which two of them are one:

0011
0101
0110
1001
1010
1100

there's nothing more to it than that. It detects single errors, so it
isn't really very efficient as an error-correcting code, but it might
have other desirable properties for some applications.

John Savard
http://home.ecn.ab.ca/~jsavard/
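The 2-out-of-4 listing above, generalized to any m-out-of-n code, as an added example (this is not code from John Savard's post): it enumerates the codewords, checks that the weight test rejects every single-bit error, counts the double-bit errors that go undetected (the reason such codes only detect and never correct), and tests the DC balance mentioned in connection with GCR. The code and the weight-test decoder are the standard definitions; nothing here is specific to any one application.

```python
from itertools import combinations


def m_of_n_code(m, n):
    """All n-bit words of weight m (exactly m ones), as bit tuples, most significant bit first."""
    words = []
    for ones in combinations(range(n), m):
        words.append(tuple(1 if i in ones else 0 for i in range(n)))
    return sorted(words)


def as_strings(code):
    return ["".join(str(b) for b in word) for word in code]


def is_codeword(word, m):
    """The whole decoder: a received word is accepted iff its weight is m."""
    return sum(word) == m


def min_distance(code):
    return min(sum(a != b for a, b in zip(x, y)) for x, y in combinations(code, 2))


def detects_all_single_errors(m, n):
    """Flipping one bit changes the weight by one, so every single error must be rejected."""
    for word in m_of_n_code(m, n):
        for i in range(n):
            flipped = word[:i] + (word[i] ^ 1,) + word[i + 1:]
            if is_codeword(flipped, m):
                return False
    return True


def undetected_double_errors(m, n):
    """Double errors that flip one 1 and one 0 keep the weight and land on another codeword.
    A nonzero count here is why the code only detects errors and cannot correct them."""
    code = set(m_of_n_code(m, n))
    count = 0
    for word in code:
        for i, j in combinations(range(n), 2):
            bits = list(word)
            bits[i] ^= 1
            bits[j] ^= 1
            if tuple(bits) in code:
                count += 1
    return count


def dc_balanced(code):
    """True when every codeword has as many ones as zeros (the zero-DC property GCR aims at)."""
    return all(2 * sum(word) == len(word) for word in code)
```

With m = 2, n = 4 this reproduces the six words listed above; the 2-out-of-5 code has ten codewords, which is why it was historically used for decimal digits, but it is not DC balanced.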

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 07 May 2001 17:49:11 -0700



[EMAIL PROTECTED] wrote:

> I have looked every where on the web to find a Free C/C++ Source Code
> implementation of Triple-DES.
> I have found some, but it either has a damaged zip or tar file.

If you just want DES/triple-DES, I suggest Phil Karn's code:

    http://people.qualcomm.com/karn/code/des/


For a complete C++ crypto library, look up Wei Dai's Crypto++.


--Bryan

------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: A Question Regarding Backdoors
Date: Tue, 08 May 2001 00:51:36 GMT

"SCOTT19U.ZIP_GUY" wrote:

> [EMAIL PROTECTED] (Trevor L. Jackson, III) wrote in
> <[EMAIL PROTECTED]>:
>
> >Consider the variation suggested by RW: non-backdoored crypto is
> >outlawed. Such a draconian restriction would present the choice of
> >crippled crypto or jail to anyone promoting (in the vague DMCA sense)
> >non-backdoored crypto.  In that situation any professional with integrity
> >should visit jail in the tradition of Thoreau, Parks, & Zimmerman.
> >
>
>  A professional with integrity isn't that kind of an oxymoron.
> A person is usually considered a professional if he sells out.
> If a person has integrity they don't sell out.

David,

Can you tell us the difference between a reform politician and a business
politician?  The short answer is that a business politician is one who stays
bought.  The long answer is that a reform politician can make promises and
break them as often as is convenient, whereas once a business politician
makes a commitment, he cannot repudiate it.  In politics, that's integrity.

Every profession has its honest workers and those whose behavior is
dominated by short term self interest.  So every profession has criteria
for integrity.




------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: free en/decryption library
Date: Mon, 7 May 2001 22:19:12 -0400

I can't speak for Frank, but I would assume he wants to use someone's
library because he doesn't want to learn cryptography to the point that you
or I understand it (not that I have great depth and breadth in the subject).
I would consider using someone's code rather than writing it from scratch.
For example, if you implemented RSA or ElGamal, I would be happy to use it.
I think you have a good understanding of the cryptosystems.  I could be
wrong about Frank, though...

Win32 is my platform of choice (though I have to do a lot on Linux/Unix due
to school).  Also, C/C++ is my language of choice.  A portable library would
be nice.  I've tried to use LIP and MIT's BigInteger packages, but WIN32
barfs.  Because of that, I usually punt and go to JAVA.  I've been too lazy
to try the port.

Do you have a package that cross compiles?  I'd _love_ to try it.

Jeff

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:FquJ6.36161$[EMAIL PROTECTED]...

"Jeffrey Walton" <[EMAIL PROTECTED]> wrote in message
news:3af61e8b$0$[EMAIL PROTECTED]...
> I wasn't aware those books provided libraries and APIs for Cryptographic
> Services.
>
> I have two of them, but they must be less recent than your versions.
> Better get on Amazon or Bookpool :)

You're missing the point.  If you want to write crypto apps become a
cryptographer, or at least read a lot of texts to know what types of things
are wrong, etc...

> On the serious side, I'd like to see a nice WIN32 BigInt package.  I've
> looked at a few out of academia (Linux/Unix), but got discouraged on the
> port.

Why win32?  Why not just a portable library?

Tom





------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Mon, 07 May 2001 19:27:31 -0700


Mok-Kong Shen wrote:

> To avoid unnecessary discussions, I like to cite the following
> from my answer to Bryan Olson of Mon, 16 Apr 2001 13:22:17 +0200:
> 
>    I like to add something to make my last paragraph better
>    understandable: If one of the streams gets a factor 1.0
>    (and it is uniform), isn't that everything is again
>    (rigorously) theoretically o.k. in that particular issue?

And the answer was:

| Of course not.  The theorem was:
| | as long as the streams are independent, if any of the 
| | streams are uniform then the sum is uniform.

The modified method only guarantees uniformity when a particular
stream is uniform.  If you have a single random stream known to be
uniform then there's no point in the combining scheme at all.
The W-H scheme doesn't require that you know how good each stream
is.  As long as they're independent, the result will be at least
as good as the best of them.  In realistic cases we expect the
result to be better than the best of them.

The problems I noted are only loosely related to Gladman's work.
When I talk about a uniform sequence, I'm not just talking about
the individual values being uniform; I mean the entire sequence,
so each value must also be independent of the list of
predecessors.


--Bryan
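A worked version of the theorem under discussion, as an added example that is not from Bryan Olson's or Mok-Kong Shen's posts. The streams are modelled as exact distributions on a constructed 16-symbol alphabet, so "add the streams and reduce modulo the range" can be checked with rational arithmetic instead of sampling. It shows three things: a uniform independent stream added to a badly skewed one gives an exactly uniform result; two skewed independent streams give a sum strictly closer to uniform than either input (the "at least as good as the best of them" clause); and the independence condition cannot be dropped, since a stream that is uniform on its own but determined by the other makes the sum a constant. The WichmannHill class is the 1982 generator (moduli 30269, 30307, 30323) the method is named after; the skewed distribution is constructed for the demo.

```python
from fractions import Fraction
from itertools import product

M = 16  # constructed: small output alphabet so every distribution can be enumerated exactly


def uniform(m=M):
    return [Fraction(1, m)] * m


def skewed(m=M):
    """Constructed badly biased stream: P(x) proportional to m - x."""
    weights = [m - x for x in range(m)]
    total = sum(weights)
    return [Fraction(w, total) for w in weights]


def tv_from_uniform(p):
    """Total-variation distance of p from the uniform distribution on len(p) symbols (0 = uniform)."""
    m = len(p)
    return sum(abs(px - Fraction(1, m)) for px in p) / 2


def sum_of_independent(p, q, m=M):
    """Exact distribution of (X + Y) mod m for independent X ~ p, Y ~ q.
    This is what the W-H step 'add the streams, reduce modulo the range' does to one output."""
    r = [Fraction(0)] * m
    for x, y in product(range(m), repeat=2):
        r[(x + y) % m] += p[x] * q[y]
    return r


def sum_of_dependent(p, m=M):
    """Y = (m - X) mod m has the same marginal as X but is fully determined by it;
    the 'combined' output is then the constant 0, however good the inputs looked alone."""
    r = [Fraction(0)] * m
    for x in range(m):
        r[(x + (m - x)) % m] += p[x]
    return r


class WichmannHill:
    """The 1982 Wichmann-Hill generator: three small LCGs whose scaled outputs are summed mod 1."""

    def __init__(self, s1, s2, s3):
        self.s1, self.s2, self.s3 = s1 % 30269 or 1, s2 % 30307 or 1, s3 % 30323 or 1

    def random(self):
        self.s1 = 171 * self.s1 % 30269
        self.s2 = 172 * self.s2 % 30307
        self.s3 = 170 * self.s3 % 30323
        return (self.s1 / 30269.0 + self.s2 / 30307.0 + self.s3 / 30323.0) % 1.0
```

The distance measure only looks at one output value at a time, which is exactly the limitation Bryan points out: it says nothing about whether successive outputs are independent of their predecessors, so a stream that passes every per-value test here can still be a poor sequence.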

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: free en/decryption library
Date: Tue, 08 May 2001 02:31:35 GMT


"Jeffrey Walton" <[EMAIL PROTECTED]> wrote in message
news:3af756fd$0$[EMAIL PROTECTED]...
> I can't speak for Frank, but I would assume he wants to use someone's
> library because he doesn't want to learn cryptography to the point that
> you or I understand it (not that I have great depth and breadth in the
> subject).
> I would consider using someone's code rather than writing it from scratch.
> For example, if you implemented RSA or ElGamal, I would be happy to use
> it.
> I think you have a good understanding of the cryptosystems.  I could be
> wrong about Frank, though...

Well it's nice to use someone else's code but I don't trust a cryptographer
that hasn't implemented a copy of their own even if it's just for toying
around.

> Win32 is my platform of choice (though I have to do a lot on Linux/Unix
> due to school).  Also, C/C++ is my language of choice.  A portable library
> would be nice.  I've tried to use LIP and MIT's BigInteger packages, but
> WIN32 barfs.  Because of that, I usually punt and go to JAVA.  I've been
> too lazy to try the port.
>
> Do you have a package that cross compiles?  I'd _love_ to try it.

Hmm, GMP and MPI come to mind.  MPI is simple, compact and decently fast.

Tom



------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: free en/decryption library
Date: Mon, 7 May 2001 23:29:40 -0400

Thanks Tom.  I'll try them (GMP and MPI).  Thanks very much.

Jeff

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:bUIJ6.40324$[EMAIL PROTECTED]...

"Jeffrey Walton" <[EMAIL PROTECTED]> wrote in message
news:3af756fd$0$[EMAIL PROTECTED]...
> I can't speak for Frank, but I would assume he wants to use someone's
> library because he doesn't want to learn cryptography to the point that
> you or I understand it (not that I have great depth and breadth in the
> subject).
> I would consider using someone's code rather than writing it from scratch.
> For example, if you implemented RSA or ElGamal, I would be happy to use
> it.
> I think you have a good understanding of the cryptosystems.  I could be
> wrong about Frank, though...

Well it's nice to use someone else's code but I don't trust a cryptographer
that hasn't implemented a copy of their own even if it's just for toying
around.

> Win32 is my platform of choice (though I have to do a lot on Linux/Unix
> due to school).  Also, C/C++ is my language of choice.  A portable library
> would be nice.  I've tried to use LIP and MIT's BigInteger packages, but
> WIN32 barfs.  Because of that, I usually punt and go to JAVA.  I've been
> too lazy to try the port.
>
> Do you have a package that cross compiles?  I'd _love_ to try it.

Hmm, GMP and MPI come to mind.  MPI is simple, compact and decently fast.

Tom





------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: linear vs nonlinear
Date: Tue, 08 May 2001 04:06:06 GMT

Bryan Olson wrote:
> I believe the conjecture is false.

At this level of abstraction, Universal Algebra comes in handy.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Tue, 08 May 2001 04:08:14 GMT

James Felling wrote:
> ... while I do accept that using your methods over and over again
> you can and will eventually get good data, it requires more work to
> get to that point than it would with a conventional stream cypher.

Well put.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Cryptanalysis Question: Determining The Algorithm?
Date: Mon, 07 May 2001 22:05:25 -0600

In article <mpuJ6.36160$[EMAIL PROTECTED]>, "Tom St
Denis" <[EMAIL PROTECTED]> wrote:

> "wtshaw" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...

> >
> > Easy to say but might be extremely difficult to do.  If the key setup is
> > time consuming, brute force is not very effective.
> 
> You're arguing the wrong point.  I never said brute force would be fast, I
> said it could be easily written.
> 
So, easy to write, hard to perhaps use.  However, the writing might be a
wasted exercise.  Something easy implies that the motivation is also
there.

But, if you insist it is trivial to write such a program, might I suggest
an algorithm to attack to test your abilities.
-- 
Mother Nature always gets her revenge. 

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Simple cryptography technique: sound?
Date: Mon, 30 Apr 2001 10:40:07 -0700
Crossposted-To: comp.os.linux.security,comp.os.unix.security

You still rely completely on the security of that single very high reward
"master" password. Relying on the strength of a single small value that gets
embedded in everything is not a good way to do things. We already know MD5
has flaws, and a large number of {ID, host, user, master password} 4-tuples will
risk the master password. Scaling this up, I believe you will need at least
64 bits of entropy _per account_; this is a very serious problem, simply
because you have to determine the number of users when the master password
is set. There is the additional problem of where you will store this
password. Just as an example of the magnitude of this problem, the University
of Southern California has over 30,000 accounts; times the 64 bits per
account, you'll need over 1 MB of permanently secure memory. In order to keep
that memory secure you need one of two situations: either that 1MB key is
entered by hand at each bootup, or you need to store it on a smartcard.
Smartcards don't like storing 1MB of data. It gets worse: if you move the
master password to being put in the function first, you actually risk
optimization-based attacks, so you need to keep it at the end. Every time a
password is verified you will have to compute the hash, and each computation
of the hash risks EVERY password on the system.

I'd suggest that instead of trying to find a way to make this kludgy method
secure you move to a secure password authentication scheme, there are quite
a number of them. Personally I like SRP (http://srp.stanford.edu), it
requires only a hash function and a method of modular exponentiation.
                                Joe

"Jem Berkes" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
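Since the post points at SRP as the alternative to a shared master secret, here is a compact SRP-6a exchange in Python, added as an example; it is not code from Joe's post or from the Stanford SRP project. It uses SHA-256 as the hash, Python's pow() for the modular exponentiation (the two primitives the post says are all SRP needs), and the 1024-bit group from RFC 5054 Appendix A (the hex constant was typed in for this example; verify it against the RFC before reusing it). The identity, password and the single-function message flow are constructed for the demo; in a deployment the two halves run on different machines, and the server never sees the password, only the (salt, verifier) pair produced at enrollment.

```python
import hashlib
import hmac
import os

# Group: RFC 5054 Appendix A, 1024-bit prime, g = 2. Constant typed in for this example;
# check it against the RFC before relying on it.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenation of byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def i2b(x, length=None):
    return x.to_bytes(length or max(1, (x.bit_length() + 7) // 8), "big")


def b2i(b):
    return int.from_bytes(b, "big")


k = b2i(H(i2b(N, NLEN), i2b(g, NLEN)))  # SRP-6a multiplier k = H(N | PAD(g))


def private_key(salt, identity, password):
    """x = H(salt | H(I | ':' | P)); only the client ever computes this."""
    return b2i(H(salt, H(identity + b":" + password)))


def enroll(identity, password):
    """Client-side enrollment: the server stores (salt, v = g^x) and never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_key(salt, identity, password), N)


def proof(identity, salt, A, B, K):
    """M1 = H(H(N) xor H(g) | H(I) | salt | A | B | K)."""
    hn, hg = H(i2b(N, NLEN)), H(i2b(g))
    return H(bytes(x ^ y for x, y in zip(hn, hg)), H(identity), salt,
             i2b(A, NLEN), i2b(B, NLEN), K)


def authenticate(identity, attempted_password, salt, v):
    """One SRP-6a exchange, both sides in one function for the demo.
    Returns (server_accepts, client_key, server_key)."""
    a, b = b2i(os.urandom(32)), b2i(os.urandom(32))
    A = pow(g, a, N)                                   # client -> server: identity, A
    B = (k * v + pow(g, b, N)) % N                     # server -> client: salt, B
    if A % N == 0 or B % N == 0:                       # RFC 5054 abort conditions
        raise ValueError("degenerate ephemeral value")
    u = b2i(H(i2b(A, NLEN), i2b(B, NLEN)))
    # Client side: needs the password to recover g^b from B.
    x = private_key(salt, identity, attempted_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = H(i2b(S_client))
    M1 = proof(identity, salt, A, B, K_client)         # client -> server
    # Server side: works only from the stored verifier v.
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_server = H(i2b(S_server))
    accepted = hmac.compare_digest(M1, proof(identity, salt, A, B, K_server))
    return accepted, K_client, K_server
```

Both sides arrive at g^(ab + ubx) only when the client's x matches the x behind the stored verifier; a wrong password gives the client a different session key and a proof the server rejects, and a stolen verifier table gives an attacker nothing better than an offline dictionary attack, which is exactly what the master-password scheme above cannot promise.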



------------------------------

Date: 6 May 2001 14:16:08 -0000
From: [EMAIL PROTECTED] (Boschloo STINKS)
Subject: Re: Comp Results: Thomas Boschloo FAILS to prove himself, as everyone expected all along...
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,alt.privacy.anon-server

On Sun, 06 May 2001, "Thomas J. Boschloo" <[EMAIL PROTECTED]> wrote:

    Boschloo STINKS 
    Stop Boschloo posting diarrhea
    Boschloo TOO MUCH
    Boschloo NO
    Boschloo TOO MUCH
    Boschloo is a TROLL
    Boschloo is a CLOWN 
    Against Boschloo
    Neuter Boschloo
    SCREW Boschloo
    Stop Boschloo NUTS
    Stop Boschloo NONSENSE
    Stop Boschloo RAT
    Stop Boschloo insanity
    Boschloo is a PLAGUE

NONSENSE from Boschloo, as usual,
 trying to occupy frontstage with his pretense of knowledge
 
HISTORY:
That Boschloo bozo is a clown and a troll who has been looming around for nearly a year.
Don't mistake a "regular" (troll) with a knowledgeable person: that self-proclaimed
"security expert" is not even a remailer user. In the past, he proved himself unable
to check a PGP signature, and got ridicule from every single technical topic he wanted
to talk about.
Besides false or inaccurate or misleading technical misinformation, his posts are
about his avowed mental illness, or for bashing remops or real freedom fighters: he
likes to quarrel with every one, and stir shit. Sometimes, it is even pure delirium
(when he misses his pills?)
One of his last actions was to stage a hoax about his own suicide, just to try to grab
some sympathy, after he had been exposed as a troll and technically incompetent.
The worst being his teasing of Script-Kiddie until it triggered a new flood on apas.
Of course, he refuses to apologize.
Actually, the level of contempt he shows for remailer users:
  they don't give their names, while he does
  that can't do anything against him, without giving their names
is in no way different from what is displayed by Pangborn, Burnore and the like

Ignore him completely, killfile him, respect others' killfiles 

KILLFILE:
To put him in your killfile, put "Author: Boschloo"
That will make disappear both him and people who warn about him
If you want to tell him to buzz off, or warn about him,
 use a nickname containing "Boschloo" (Boschloo Hater, Boschloo Sucks,...)
 to accommodate such killfile for "regulars", and still warn newbies

COURAGE:
Boschloo is getting _no_ answer from apas any more.
He has to crosspost to various newsgroups to try to grab some attention.
In a few months, it will be gone.

    Stop Boschloo diarrhea
    Stop Boschloo posting diarrhea
    Fight Boschloo
    Stop Boschloo MADNESS
    Stop Boschloo RAT
    Stop Boschloo INSANITY
    Stop Boschloo NONSENSE
    Stop Boschloo NUTS
    Boschloo TOO MUCH
    Boschloo is a PLAGUE
    SCREW Boschloo
    Neuter Boschloo
    Boschloo is a CLOWN
    Boschloo TOO MUCH
    Boschloo STINKS
    Boschloo NO
    Boschloo PLAGUE
    Stop Boschloo posting diarrhea




------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: RIP Act and OTP
Date: Mon, 30 Apr 2001 20:39:21 -0700

I don't think that's what was meant. What I think was meant was to build a
formatting around PGP, in such a way that when you unformat you get only the
encrypted data of the length desired, and then building an OTP that gives the
data you want/need it to give. This does several things; most importantly
for most would be the fact that under RIP you could be forced to reveal a
key that gives an accurate decryption to the officers. Since you have 2, the
PGP-based key and the OTP key, you should be able to reveal either. Of
course this presumes that the officers will be equally satisfied by "Here's
the data" as "Here's the key so you can read every &^%$# thing I've ever
written", which simply may not be the case. Now in a sane society the
officers would have to prove you wrong, which, since you gave them a valid
key, to get a valid decryption that matches exactly what was said will be
extremely difficult, and you could certainly argue that you wanted to retain
your non-repudiation while complying with what you felt were the
"legitimate" rights of law enforcement. In reality they'd be just as likely
to admit that you gave them an OTP and present one that turns the file into
child pornography just to spite you, or simply deny that you gave them
anything.

That of course places the burden of proof on you to disprove them, which
will be very difficult.
                        Joe

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:fCpH6.103635$[EMAIL PROTECTED]...
>
> "AY" <[EMAIL PROTECTED]> wrote in message
> news:9cl8cg$3bh$[EMAIL PROTECTED]...
> > I thought someone must have thought of this before but I can find no
> > such information on deja (or whatever it's now).
> >
> > Basically it's this: the RIP Act (in the UK) gives the authorities the
> > power to demand from the owner the key (or passphrase) to encrypted
> > data, so why can't one just claim that the data was encrypted with an
> > OTP and supply a decryption key that when XOR'ed with the ciphertext,
> > produces any arbitrary data? Is there any flaw to this argument?
> >
> > And surely such a feature could be incorporated into encryption
> > utilities such as PGP, which sounds like a good school project!
>
> Not really.  The purpose of PGP is to solve the OTP main problem "Key
> Distribution".
>
> Also it would seem hard to make a PRNG that outputs the desired pads as
> required.
>
> Tom
>
>
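The scheme the thread is arguing about, as an added example rather than code from any of the posters: forge_pad() produces the "OTP" that turns a given ciphertext into an arbitrary cover text, and seed_for() illustrates Tom's objection that a PRNG-driven cipher cannot be made to emit such a pad. The 16-bit LCG standing in for the real cipher, the messages and the seed are all constructed for the demo so the whole key space can be searched in a second or two; a real seed space is not searchable, but the asymmetry is the same: the real key reproduces the keystream, while the forged pad corresponds to no key at all, which is what gives the game away if the claimed cipher was anything but a true one-time pad.

```python
def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(seed, length):
    """Constructed stand-in for a stream cipher: a 16-bit LCG, one byte of state per output."""
    state = seed & 0xFFFF
    out = bytearray()
    for _ in range(length):
        state = (state * 25173 + 13849) & 0xFFFF
        out.append(state >> 8)
    return bytes(out)


def forge_pad(ciphertext, cover):
    """The 'OTP' an RIP-style demand could be answered with: pad = ciphertext xor cover.
    The cover text is space-padded or truncated to the ciphertext length."""
    cover = cover.ljust(len(ciphertext), b" ")[: len(ciphertext)]
    return xor_bytes(ciphertext, cover)


def seed_for(pad):
    """Search the entire 16-bit seed space for a seed whose keystream equals pad; None if none does."""
    for seed in range(1 << 16):
        if toy_keystream(seed, len(pad)) == pad:
            return seed
    return None


def demo(secret=b"meet at dawn", cover=b"buy milk", seed=0x1234):
    """Encrypt secret with the toy cipher, forge a pad for cover, then ask which pads a key explains."""
    real_pad = toy_keystream(seed, len(secret))
    ciphertext = xor_bytes(secret, real_pad)
    fake_pad = forge_pad(ciphertext, cover)
    return {
        "real_decryption": xor_bytes(ciphertext, real_pad),
        "fake_decryption": xor_bytes(ciphertext, fake_pad),
        "seed_reproducing_real_pad": seed_for(real_pad),
        "seed_reproducing_fake_pad": seed_for(fake_pad),
    }
```

The forged pad is as long as the ciphertext and incompressible, so it has to be stored somewhere in full; the real key is a short seed. Anyone who can examine the material handed over, or the software that was actually used, can tell the two apart, which is the practical flaw in the "just claim it was an OTP" argument.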



------------------------------

Reply-To: "Brian McKeever" <[EMAIL PROTECTED]>
From: "Brian McKeever" <[EMAIL PROTECTED]>
Subject: Re: Tiny s-boxes
Date: Tue, 08 May 2001 05:55:47 GMT

"Simon Johnson" <[EMAIL PROTECTED]> wrote in message
news:9d5vn3$hds$[EMAIL PROTECTED]...
> Of course the next question is, can we make an algebraic 64x64 s-box that
> behaves as a random permutation and can not be 'decomposed' into small
> s-boxes to be analysed?

I've played around a little bit with something similar to what you're
suggesting.  Inspired by the IDEA 16x16 algebraic s-box, I tried to come up
with ways to make huge substitutions that had enough algebraic structure
such that they were computable (vs having to be implemented as a lookup
table), but which were large enough that they were probably pretty good(TM).
I have an extraordinarily unimpressive web page at
http://www.geocities.com/reveekcm_nairb/maverick/Maverick.html that
describes it a little bit.  The basic idea was to find a large group for
which the group operation can be performed without much trouble, and for
which there exist easily implemented functions to and from vectors of bits.
For the algorithm on the web page, I used the multiplicative group of GF(p),
for p of the form k*2^(2^n)+1 (where IDEA has k=1, n=4).

As for your point about not being decomposable, I agree that it's desirable
(and in fact, you probably wouldn't want it to be 'too close' to a
decomposable transform, either), but I don't know how to check for that
given a modest-sized s-box, much less a huge one.  Any ideas?

Brian
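Brian's algebraic s-box construction for the k = 1 case, as an added example (not code from the linked page or from IDEA): multiplication by a key in the multiplicative group of GF(2^w + 1), with the w-bit word 0 standing for the residue 2^w, which is the IDEA trick for w = 16. The class checks that 2^w + 1 is actually prime before using it (2^32 + 1 is not, so the next size up in this family is unavailable), verifies that the map is a permutation of the w-bit words, and inverts it with Fermat's little theorem. The key values in the checks are arbitrary.

```python
from math import isqrt


def is_prime(p):
    """Trial division; adequate for the sizes here. A base-2 Fermat test would be wrong
    for this job, since every Fermat number 2^(2^n) + 1 passes it, prime or not."""
    if p < 2:
        return False
    return all(p % d for d in range(2, isqrt(p) + 1))


class MulSBox:
    """x -> x * key in the multiplicative group of GF(p), p = 2^w + 1, acting on w-bit words.
    The residues 1 .. 2^w are the nonzero elements; the word 0 encodes the residue 2^w = p - 1."""

    def __init__(self, w, key):
        self.w, self.p = w, (1 << w) + 1
        if not is_prime(self.p):
            raise ValueError("2^%d + 1 is not prime; GF(p) multiplication is undefined" % w)
        self.key = key & ((1 << w) - 1)

    def _to_res(self, x):
        return x if x else self.p - 1

    def _from_res(self, r):
        return 0 if r == self.p - 1 else r

    def forward(self, x):
        return self._from_res(self._to_res(x) * self._to_res(self.key) % self.p)

    def inverse(self, y):
        kinv = pow(self._to_res(self.key), self.p - 2, self.p)  # k^(p-2) = k^-1 mod p
        return self._from_res(self._to_res(y) * kinv % self.p)

    def is_permutation(self):
        return sorted(self.forward(x) for x in range(1 << self.w)) == list(range(1 << self.w))
```

For w = 16 the permutation check walks all 65536 inputs; for a 64x64 box of the kind asked about it obviously cannot, which is the same obstacle Brian raises for the decomposability question.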



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
