Cryptography-Digest Digest #332, Volume #14 Fri, 11 May 01 07:13:00 EDT
Contents:
Re: SAC'01 wannabe paper ("Tom St Denis")
Re: Micali-Schnorr pseudorandom bit generator ("Tom St Denis")
Horst Feistel ("Vinokurov Andrey")
Re: Horst Feistel (Paul Rubin)
Re: OAP-L3: "The absurd weakness." (Anthony Stephen Szopa)
Re: OAP-L3: "The absurd weakness." (Anthony Stephen Szopa)
Re: free en/decryption library (Niklaus Schild)
Re: The novel _enigma_ by Robert Harris (Frode Weierud)
__Security Architect/Consultant wanted at HONG KONG (kctang)
Re: __Security Architect/Consultant wanted at HONG KONG (kctang)
Re: __Security Architect/Consultant wanted at HONG KONG ("Tom St Denis")
Re: __Security Architect/Consultant wanted at HONG KONG ("Tom St Denis")
Re: Horst Feistel ("Vinokurov Andrey")
Re: A simple encryption algorithm based on OTP ("Siva Prasad Gummadi [T]")
Re: Micali-Schnorr pseudorandom bit generator (Klaus Pommerening)
----------------------------------------------------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: SAC'01 wannabe paper
Date: Fri, 11 May 2001 06:11:18 GMT
"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In the discussion of GF multiplies...
>
> There are such instructions as conditional assign, which could be used
> to replace/avoid conditional jumps. One would use this by replacing
> things like this:
> if( x & 1 )
> y = (y << 1) ^ p;
> else
> y = (y << 1) ^ 0;
> with something like this:
> z = ( x & 1 ) ? p : 0;
> y = ( y << 1 ) ^ z;
>
> When turning this to assembler, the assignment to z would be an
> instruction something like the following:
> condassign $test, $target, $source1, $source2
> Where, if register $test is [==, !=, <, <=, >, >=] zero, then assign
> $source1 to $target, else assign $source2 to target.
>
> Conditional assignments can be done much faster than conditional jumps,
> and they take constant time, which is another benefit.
>
> Since I don't do much asm coding, I don't know for what architectures
> this kind of instruction exists, but I'm fairly sure that there are a
> number of machines which have it.
Since MDFC was designed for embedded platforms like the 8051, conditional
assignments don't exist. One must emulate them :-)
As a side note MDFC is not secure (attack in the paper) and I am growing
fonder of my new TC15 design (with the new key schedule).
http://tomstdenis.home.dhs.org/tc15.c
Tom
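The conditional-assign idea above, written out as an added example (not code from the thread): a mask built from -(x & 1) stands in for the condassign instruction, which is the emulation a part like the 8051 needs. It assumes the AES reduction polynomial for the field, and since Python makes no timing promises, the point it checks is that the branch-free version is bit-for-bit the same function as the branchy one.

```python
"""Branch-free GF(2^8) multiply: emulating the conditional assign with a mask.

Added example, not code from the thread.  The quoted step
    z = (x & 1) ? p : 0;  y = (y << 1) ^ z;
needs a conditional-assign instruction; where none exists the same selection
comes from -(x & 1): all ones when the low bit is set, zero otherwise, so
`p & -(x & 1)` yields p or 0 with no jump.
Assumption: the AES polynomial x^8 + x^4 + x^3 + x + 1 is used for reduction.
"""

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES field); assumed, not from the thread


def select(bit, when_set, when_clear):
    """Emulated condassign: when_set if bit == 1 else when_clear, no branch.
    -(bit & 1) is -1 (all ones) or 0, so exactly one operand survives the AND."""
    mask = -(bit & 1)
    return (when_set & mask) | (when_clear & ~mask)


def gf_mul_branchy(a, b):
    """Reference: shift-and-add with data-dependent if-statements
    (the jumps make running time depend on the key/data bits)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r


def gf_mul_masked(a, b):
    """Same product; every data-dependent branch replaced by a mask select,
    so the sequence of operations is identical for every (a, b)."""
    r = 0
    for _ in range(8):
        r ^= select(b & 1, a, 0)               # z = (b & 1) ? a : 0; r ^= z
        b >>= 1
        a <<= 1
        a ^= select((a >> 8) & 1, POLY, 0)     # conditional reduction, no jump
    return r


def agree_on_all_inputs():
    """Exhaustively confirm both versions compute the same field product."""
    return all(gf_mul_branchy(a, b) == gf_mul_masked(a, b)
               for a in range(256) for b in range(256))


if __name__ == "__main__":
    print(hex(gf_mul_masked(0x57, 0x83)))   # FIPS-197 worked example: 0xc1
    print("branchy == masked on all 65536 inputs:", agree_on_all_inputs())
```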
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Micali-Schnorr pseudorandom bit generator
Date: Fri, 11 May 2001 06:14:46 GMT
"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Dobs wrote:
> If your modulus is n bits long, then you should be outputting at most
> log2(n) of the least significant bits of Yi. For a 1024 bit modulus,
> you should not be outputting more than log2(1024) or 10 bits at a time.
>
> Where did you get the idea that you could use 341 bits?
>
> Also, since the Micali-Schnorr generator seems to be similar in some
> ways to the Blum-Blum-Shub generator, why not implement that, instead?
> BBS is a much more well known and analysed PRNG.
>
> One: find two large N-bit "special" numbers, p and q. Special-ness is
> defined as follows:
> x is special, iff (
> x % 4 = 3, and
> x is prime, and
> (x-1)/2 is prime, and
> ((x-1)/2-1)/2 is prime, and
> *one* more condition which I can't remember ).
> Two: calculate pq. If we keep n secret, (I think) it's ok to use N=128.
> This makes pq a 256 bit number.
> Three: choose a random number X_0, such that 1 <= X_0 < pq
> Four: test for whether this generates a short sequence, and if so, go
> back to step Three.
> Five: calculate the sequences of numbers
> X_i = X_(i-1) ** 2 mod (pq)
> Y_i = X_i mod log2(pq)
>
> Use the Y_i values as your outputs. Note if pq is a 256 bit number,
> log2(pq) is the number 256 -- this means that all Y_i values are 8 bit
> numbers. Trying to use more bits of X_i without increasing the sizes of
> p and q is unsafe.
>
> Thus, the 8 lowest bits of X_i are your output bits.
>
> If pq is sufficiently large (ie, too large to be factored (ie, is over
> 1024 bits)), it is perfectly safe to generate it once, and write it to
> disk (even a publicly readable disk), and use it again and again and
> again, without ever needing to create it anew. Of course, your X_0
> values need to remain secret, and a new one is needed for each message,
> but that's easy, since they need to be of no special form except to not
> be on a short cycle.
Ahem. Key Escrow.
Just felt I would say that.
Here is how you do Key Escrow with BBS in your system.
The "man" makes a Blum integer N and publishes it for the users to use. The
users then share a X_0 (say via DH) with each other.
They then encode the message using the lower 8 bits of X_i = X_{i-1}^2 mod N
and publish X_{i+1}.
The "man" knows the length and can "rewind" X_{i+1} to their X_0, but nobody
without the factors can.
.... :-)
Tom
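The BBS generator described above and the "rewind" that Tom's key-escrow remark relies on, as an added example (not code from the thread). It assumes plain Blum primes p ≡ q ≡ 3 (mod 4) rather than the stronger "special" primes listed above, uses constructed toy primes so it runs instantly, and applies the floor(log2(bits)) output rule (which gives 5 bits for the toy modulus rather than the 8 bits quoted for a 256-bit one).

```python
"""Blum-Blum-Shub, the output-rate rule from the thread, and the 'rewind'
that only the holder of the factors p, q can perform (the key-escrow point).

Added example, not code from the thread.  The primes below are constructed
toy values so the demo runs instantly; they are hopelessly small for real use.
"""

# Constructed toy Blum primes: both prime, both congruent to 3 mod 4.
# (Not the stronger "special" primes the thread lists, which concern cycle length.)
P = 1000003
Q = 999983


def safe_output_bits(n):
    """Thread rule: from an n-bit modulus take at most floor(log2(n)) low bits."""
    return n.bit_length().bit_length() - 1


def bbs_stream(x0, n, steps, out_bits):
    """Run X_i = X_{i-1}^2 mod n for i = 1..steps.
    Returns ([X_1..X_steps], [low out_bits of each X_i])."""
    mask = (1 << out_bits) - 1
    states, outputs = [], []
    x = x0
    for _ in range(steps):
        x = x * x % n
        states.append(x)
        outputs.append(x & mask)
    return states, outputs


def principal_sqrt(a, p, q):
    """The square root of a quadratic residue a mod p*q that is itself a residue.
    Needs the factors: per-prime roots via a^((p+1)/4), then CRT."""
    rp = pow(a, (p + 1) // 4, p)
    rq = pow(a, (q + 1) // 4, q)
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def rewind(x_next, p, q, steps):
    """Given the published X_{i+1}, recover X_i, X_{i-1}, ... (newest first).
    Every X_i with i >= 1 is a residue, so the principal root is the real one."""
    recovered = []
    x = x_next
    for _ in range(steps):
        x = principal_sqrt(x, p, q)
        recovered.append(x)
    return recovered


def escrow_demo(seed=123456789, steps=16):
    """Users share a seed, produce keystream, publish X_{steps+1} in the clear.
    The modulus owner rewinds and reproduces the same keystream.
    Returns (users' keystream, escrow's keystream)."""
    n = P * Q
    out_bits = safe_output_bits(n)
    x0 = seed * seed % n              # square once so X_0 is a residue (BBS convention)
    states, keystream = bbs_stream(x0, n, steps, out_bits)
    published = states[-1] * states[-1] % n    # X_{steps+1}
    mask = (1 << out_bits) - 1
    back = rewind(published, P, Q, steps)      # [X_steps, ..., X_1]
    escrow_keystream = [x & mask for x in reversed(back)]
    return keystream, escrow_keystream


if __name__ == "__main__":
    users, escrow = escrow_demo()
    print("escrow reproduced the keystream:", users == escrow)
```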
------------------------------
From: "Vinokurov Andrey" <[EMAIL PROTECTED]>
Subject: Horst Feistel
Date: Fri, 11 May 2001 11:54:42 +0400
Hi!
I would appreciate it if someone could point me to URL with a biography of
Horst Feistel.
And I have a question to native Americans: could you give me a transcription
of Feistel's last name, please. How should I pronounce it?
WBR,
Andrey Vinokurov.
------------------------------
From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Horst Feistel
Date: 11 May 2001 02:04:47 -0700
"Vinokurov Andrey" <[EMAIL PROTECTED]> writes:
> And I have a question to native Americans: could you give me a transcription
> of Feistel's last name, please. How should I pronounce it?
FYE-stell. But it's a German name, not American.
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3: "The absurd weakness."
Date: Fri, 11 May 2001 02:45:06 -0700
James Felling wrote:
>
> Tom St Denis wrote:
>
> > "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Tom St Denis wrote:
> > > >
> > > > "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > With your many previous vague and less than precise posts you must
> > > > > explain exactly what YOU mean by "leakage."
> > > > >
> > > > > Not what "leakage" has been defined by others but in your own words
> > > > > what you understand this word / concept to mean.
> > > > >
> > > > > There can be no discussion on what YOU mean by "leakage" unless
> > > > > you define it in your own terms because you frequently are ambiguous
> > > > > and we cannot assume that you even know what you mean.
> > > >
> > > > Leakage means what it implies. Every output byte must leak some
> > (perhaps
> > > > little) info about the input state, this is always going to happen.
> > > >
> > > > The real question is how much info is leaked, i.e how many bytes (bits,
> > > > etc...) are required to learn enough about the internal state.
> > > >
> > > > Tom
> > >
> > > I think the place to start in answering this question is to read the
> > > Help Files: Theory, Processes, Operation, etc. and the recommended
> > > use.
> > >
> > > Good luck. You'll need it if you think you have a prayer in
> > > breaking the OTP files.
> >
> > Um that's your job not mine. You want to show how secure it is, you should
> > come up with attacks on the system.
> >
> > Tom
>
> Simply put: groups. This means that given any k1 and any k2 there exists a k3
> such that F(k1,F(k2,X)) = F(k3,X). This means that applying that method N times
> will give exactly the same level of security as applying it once. (The proof
> is left as an example for the student.)
>
> All of the methods I have seen are groups or special cases of a more generic
> permuting method that is a group, and many of them are groups with other
> methods. This means that taking a method and using it over and over again is no
> more secure than the generic group operation that it is a special case of.
>
> Worse, some of the methods will commute. This means F(k1,G(k2,X)) =
> G(k2,F(k1,X)). This is a weakness because it means that if only those two methods
> are used in whatever pattern you wish you are no better off than using them (or
> their generic equivalent) once.
>
> Some of the methods have fixed points: data that that method cannot and will
> not alter. This means that you must alter the data by another method. Yes,
> every data point can and will be adjusted by some process, but since some
> methods have fixed points it will produce a bias in the data at those fixed
> points.
>
> I have pointed this out to you in the past, and while I do accept that using
> your methods over and over again you can and will eventually get good data, it
> requires more work to get to that point than it would with a conventional
> stream cypher.
Are you under the delusion that the OTPs are derived directly
from the random digit output?
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3: "The absurd weakness."
Date: Fri, 11 May 2001 02:46:20 -0700
Xcott Craver wrote:
>
> Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
> >
> >I think the place to start in answering this question is to read the
> >Help Files: Theory, Processes, Operation, etc. and the recommended
> >use.
>
> You might be under the false impression that people respond
> to your posts out of interest in your cipher, when in fact
> they only do so to inform 3rd parties, who may have recently
> taken a peek into sci.crypt, that you are one of the regular
> crackpots.
>
> >Good luck. You'll need it if you think you have a prayer in
> >breaking the OTP files.
>
> I'd love to, but oooh, I just got an email, and in order
> to display it on the screen my software requires me to
> shuffle a deck of cards 10 times and do some long division
> on the back of an envelope.
>
> -S
Anyone who would let you do their thinking for them deserves
no better.
------------------------------
From: Niklaus Schild <[EMAIL PROTECTED]>
Subject: Re: free en/decryption library
Date: Fri, 11 May 2001 12:08:35 +0200
>
> > >Hi,
> > >I am new with en/decryption and I am looking for a free and open
> > >en/decryption C/C++ library that compiles with gcc and C++ Builder.
> >
> >
> > Try cryptlib
> >
> > http://www.cs.auckland.ac.nz/~pgut001/cryptlib/
>
> Very good library indeed and the documentation is excellent as well, but
> there are some licence issues.
Do you have a lot of experience with cryptlib? I've been using cryptlib for a
week and I agree with you when you say that this is a good library. But what
I miss is something like a mailing list or a discussion group for users of
this library. I have some problems (for example: cryptDecrypt() does not
encrypt the whole buffer; the first bytes are still some curious ASCII
symbols) and can't find anything about it. Do you know of any discussion
pages or mailing lists? Or do you know a solution to my problem?
Nik
------------------------------
From: [EMAIL PROTECTED] (Frode Weierud)
Subject: Re: The novel _enigma_ by Robert Harris
Date: 11 May 2001 09:50:14 GMT
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] (Ed Pugh) writes:
>Did German U-boats have AC electric power systems? If so,
>then did the U-boat Enigmas have an AC power supply? In short,
>would a U-boat Enigma "hum" when it was turned on? If so, then
>what, exactly, would cause the "hum"?
>
I do not have the details of the power supply systems on the German
U-boats, but the Enigma was normally powered through a small power supply
located under the radio man's desk. This supply would also power the
strip printer device that was used with the Enigma on some of
the U-boats. So if there was a "hum" it might have come from this
power supply. However, there were also other power supplies in the
radio room powering the receivers, transmitters and other auxiliary
equipment.
>While setting it up, he is about to plug in the Steckerboard
>connections:
>
> "The next ten letter pairs represented the cross-pluggings he
> needed to make on the steckerboard on the back of the Enigma."
>
>Any Enigmas or pictures of Enigmas that I have seen always had
>the Steckerboard on the FRONT of the Enigma. Were there any
>Army Enigma machines that had the Steckerboard on the back?
>
Perhaps Robert Harris is more realistic than you think. Normally
BP used the modified Typex machines to decipher the Enigma traffic,
but they also had some captured German Enigma machines (some of
these were even modified at BP for special use) and they had one
or two of the Polish-built Enigma clones. These Polish machines had
the Steckerboard at the top of the machine, behind the rotors, which
would put it at the rear or back of the Enigma.
Frode
--
Frode Weierud                      Phone : +41 22 7674794
CERN, SL, CH-1211 Geneva 23,       Fax   : +41 22 7679185
Switzerland                        E-mail: [EMAIL PROTECTED]
                                   WWW   : home.cern.ch/frode/
------------------------------
From: kctang <[EMAIL PROTECTED]>
Subject: __Security Architect/Consultant wanted at HONG KONG
Date: Fri, 11 May 2001 18:06:37 +0800
SECURITY ARCHITECT/CONSULTANT (11 May 2001)
Responsible for the overall Internet security solution
architecture, you will provide pre- and post security
architecture design and support for [High-Tech Company]'s
MultiSecure application-level Security Middleware,
OnlineGuardian Managed Security Services, as well as other
vendor- integrated (hardware/software) solutions. Job
responsibilities include requirement assessment, technical
guidance, solution design, hardware and software sizing
estimates, security policy definition and development and
involvement in pilot implementations.
Requirements
* A sound technical competence and practical experience in IT
security and related technologies is required. This includes:
Internet Security (PKI, encryption, directory and proxy servers,
SSL, firewalls and VPN's, specific experience with CheckPoint's
Firewall-1 TM, Cisco's Pix TM or Axent's Raptor TM), networking
and routing, and knowledge of SUN/UNIX/NT environments.
Financial Application knowledge is a plus.
* Outgoing, sales-oriented personality, with excellent
presentation and communications skills.
* At least 5 years experience of communicating at management
level in an external (pre- sales) function is desirable.
* Must be self-motivated, and have a desire to continuously
learn in this dynamic technology environment.
* Available to travel occasionally, mainly in Greater China
region.
* Fluent English, Cantonese & Mandarin.
We offer excellent career opportunities and remuneration
package, as well as comprehensive product training.
============================================================
[High-Tech Company] specializes in the area of securing
e-business and is considered as one of the market leaders for
total security solutions. Co-headquartered in U.S. & Belgium
with operations in the USA, Europe and Asia, [High-Tech Company]
has over 550 staff worldwide, and counts numerous Fortune 500
companies amongst its client base. As part of our globalization
drive, we are seeking high caliber professionals to join our
team in Hong Kong.
------------------------------
From: kctang <[EMAIL PROTECTED]>
Subject: Re: __Security Architect/Consultant wanted at HONG KONG
Date: Fri, 11 May 2001 18:10:59 +0800
Those who know and understand, to a substantial degree,
standard textbook material like that of Stinson's, Menezes's,
and Schneier's need NOT apply.
Don't waste time!
Those who can comprehend sheets of papers like that in
EuroCrypt, Crypto and AsiaCrypt should of course go back to
school and ask for continuing education.
Learning for life!
Any Comments?
kctang
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: __Security Architect/Consultant wanted at HONG KONG
Date: Fri, 11 May 2001 10:27:15 GMT
"kctang" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> SECURITY ARCHITECT/CONSULTANT (11 May 2001)
Let's have fun with this post shall we?
> Responsible for the overall Internet security solution
> architecture, you will provide pre- and post security
"Internet security solution architecture"? You mean "computer security
dude"?
> architecture design and support for [High-Tech Company]'s
> MultiSecure application-level Security Middleware,
MultiSecure? Why isn't it SuperSecure (tm). "application-level Security
Middleware" ???? I'm baffled.
> OnlineGuardian Managed Security Services, as well as other
> vendor- integrated (hardware/software) solutions. Job
Why are you calling them "solutions"? They are "programs". I wouldn't call
"GCC" an all-around "High level to low level optimizing architectural
solution".
> responsibilities include requirement assessment, technical
> guidance, solution design, hardware and software sizing
> estimates, security policy definition and development and
> involvement in pilot implementations.
"e.g. responsibilities include being a half-way competent cryptographer".
> Requirements
>
> * A sound technical competence and practical experience in IT
What the hell is IT? A librarian is an IT specialist. I wouldn't count the
80 year old lady with 3" glasses to be a big cryptographer.
> security and related technologies is required. This includes:
> Internet Security (PKI, encryption, directory and proxy servers,
> SSL, firewalls and VPN's, specific experience with CheckPoint's
> Firewall-1 TM, Cisco's Pix TM or Axent's Raptor TM), networking
> and routing, and knowledge of SUN/UNIX/NT environments.
> Financial Application knowledge is a plus.
So basically be aware of modern crypto.
> * Outgoing, sales-oriented personality, with excellent
> presentation and communications skills.
Be a complete BS generator.
> * At least 5 years experience of communicating at management
> level in an external (pre- sales) function is desirable.
>
> * Must be self-motivated, and have a desire to continuously
> learn in this dynamic technology environment.
ooooh "dynamic". Dude if you find me a static situation I will give you a
trillion dollars.
> * Available to travel occasionally, mainly in Greater China
> region.
>
> * Fluent English, Cantonese & Mandarin.
Hmmm... well I strike out here.
> We offer excellent career opportunities and remuneration
> package, as well as comprehensive product training.
Neato.
Well that was fun.
Adios,
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: __Security Architect/Consultant wanted at HONG KONG
Date: Fri, 11 May 2001 10:30:08 GMT
"kctang" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Those who know and understand, to a substantial degree,
> standard textbook material like that of Stinson's, Menezes's,
> and Schneier's need NOT apply.
>
> Don't waste time!
>
> Those who can comprehend sheets of papers like that in
> EuroCrypt, Crypto and AsiaCrypt should of course go back to
> school and ask for continuing education.
>
> Learning for life!
>
> Any Comments?
So you want a smart academic cryptographer who hasn't read AC or HAC.
You're completely nuts dude.
Tom
------------------------------
From: "Vinokurov Andrey" <[EMAIL PROTECTED]>
Subject: Re: Horst Feistel
Date: Fri, 11 May 2001 13:51:36 +0400
Hi!
"Paul Rubin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> FYE-stell.
Thanks a lot. So, the right pronunciation is [faistel], isn't it?
I saw different transcriptions in articles (in Russian): [feistel],
[faistel], [fei(sh)tel] and so on. And I decided to learn the true one. :)
>But it's a German name, not American.
I know. So, now I have to ask this question to native German people.
Is Horst Feistel a native American or an immigrant?
WBR,
Andrey Vinokurov
------------------------------
From: "Siva Prasad Gummadi [T]" <[EMAIL PROTECTED]>
Subject: Re: A simple encryption algorithm based on OTP
Date: Fri, 11 May 2001 16:06:34 +0530
Bill Unruh wrote:
>
> But here, given that you know the permutation program, you know
> which bits are the same. You also know that the number
> of 1 bits is the same in each block (they are just permutations).
>
> If the permutation program is a shared secret, then this becomes just an
> "security through obscurity" and if the enemy ever gets one cleartext
> encrypted text pair he will know the permutations (or at least a lot
> about them).
You are right. I now understand I've proposed a stupid system.
I wanted to offer a computationally secure algo., which has some
properties of OTP and of course the key should be reusable. In
the case of my previous system, even if I keep the permutation program
secret, and even if the enemy is unable to get much info. from
a known cipher text - plain text pair, the entire string with
which I am encrypting the text, and hence the key, is not reusable.
It's true that I was unaware of the stream ciphers when I
proposed that. I was just proposing whatever stupid ideas came
to mind. That is purely out of enthusiasm and excuse me if I am
wasting your time in this news group. I think I got a good algo.
now, it is based on Hash Functions. There are some algos based on
one-way hash before, but let me tell you my idea.
I want to make the key reusable and I want to generate a key
which is almost an OTP key. Start with a key of appropriate length.
We will never use it directly in encryption, but generate sub-keys,
to suit the length of the plain text. Since the key must be reusable,
when we encrypt another message we generate another key (session key)
from the current one and in turn generate subkeys from that.
Let's decide the actual operation to be simply XORing the plain text
block with the corresponding sub-key. So we now need two algorithms: for
generating sub-keys and for generating the next session key.
In case the opponent obtains a particular sub-key, the previous/next
subkey (for that matter the session key also) should be difficult to
compute. So we use some good hash algorithm whose input is some
simple, long string generated with the session key and the current
sub-key. Output is the next sub-key.
A similar procedure can be followed for generating the next session key.
For each iteration we use input composed of the original key and the
current session key. As long as the hash algo. used is secure, the keys
should also be.
There are so many ciphers that basically use the concept of
generating sub-keys. I am just trying to put my ideas here, so that I get
good comments, to better myself. Nothing more than that!
Siva
--
************************************************************
Siva Prasad Gummadi
Motorola India Electronics Ltd.
No 33A, Ulsoor Road,
Bangalore - 560042
Phone No: 5598615-4007
email id: [EMAIL PROTECTED]
************************************************************
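The sub-key/session-key scheme described in the post above, as an added example that is not Siva's code. It assumes SHA-256 as the "good hash", plain concatenation as the "simple, long string", and a first sub-key derived from the session key alone; reuse_leaks() shows why the session-key step must run between messages: with the same session key the sub-keys repeat, so XORing two ciphertexts gives the XOR of the plaintexts (the key-reuse problem Bill Unruh raised).

```python
"""The hash-chained keystream proposed in the post, made concrete.

Added example, not code from the post.  Assumptions: SHA-256 is the "good
hash"; the "simple, long string" fed to it is session_key || current_sub-key
(original_key || session_key for the session step); the first sub-key is
H(session_key) and the first session key is H(original_key).
"""
import hashlib


def H(*parts):
    """The hash step: digest of the concatenated inputs (SHA-256 assumed)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def subkeys(session_key, nbytes):
    """sub-key_0 = H(session_key); sub-key_{j+1} = H(session_key || sub-key_j).
    Concatenated and cut to cover nbytes of plaintext."""
    out = b""
    sk = H(session_key)
    while len(out) < nbytes:
        out += sk
        sk = H(session_key, sk)
    return out[:nbytes]


def next_session_key(original_key, session_key):
    """Session step: new session key from the original key and the current one."""
    return H(original_key, session_key)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext, session_key):
    """The actual operation from the post: XOR plaintext with the sub-keys."""
    return xor_bytes(plaintext, subkeys(session_key, len(plaintext)))


decrypt = encrypt  # XOR with the same sub-keys undoes itself


def reuse_leaks(m1, m2, session_key):
    """Two messages under one session key: c1 XOR c2 == m1 XOR m2, so the
    keystream cancels and plaintext structure is exposed.  This is what the
    advance-the-session-key step exists to prevent."""
    c1, c2 = encrypt(m1, session_key), encrypt(m2, session_key)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


def demo():
    """Returns (round trip works, consecutive session keys give different sub-keys)."""
    original = b"constructed-long-term-key"        # constructed sample key
    s1 = H(original)                               # first session key (assumption)
    s2 = next_session_key(original, s1)
    m = b"constructed sample plaintext"
    return decrypt(encrypt(m, s1), s1) == m, subkeys(s1, 32) != subkeys(s2, 32)


if __name__ == "__main__":
    print(demo())
    print("same session key twice leaks m1 XOR m2:",
          reuse_leaks(b"first message", b"second message", H(b"k")))
```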
------------------------------
From: [EMAIL PROTECTED] (Klaus Pommerening)
Subject: Re: Micali-Schnorr pseudorandom bit generator
Date: 11 May 2001 11:06:54 GMT
In <[EMAIL PROTECTED]> Benjamin Goldberg wrote:
> Also, since the Micali-Schnorr generator seems to be similar in some
> ways to the Blum-Blum-Shub generator, why not implement that, instead?
> BBS is a much more well known and analysed PRNG.
>
Because Micali-Schnorr is faster by several orders of magnitude.
BBS is notorious as the slowest PRNG of all times :-)
--
Klaus Pommerening [http://www.Uni-Mainz.DE/~pommeren/]
Institut fuer Medizinische Statistik und Dokumentation
der Johannes-Gutenberg-Universitaet, D-55101 Mainz, Germany
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************