Cryptography-Digest Digest #357, Volume #14      Tue, 15 May 01 08:13:01 EDT

Contents:
  Re: Encryption/Hash Permissions (JustSoft)
  where to get RSA/DSA code? ("Hilda")
  Re: Comparison of Diff. Cryptanalysis countermeasures (Mok-Kong Shen)
  Re: Security proof for Steak ("Henrick Hellström")
  Re: where to get RSA/DSA code? (Pascal Junod)
  Re: where to get RSA/DSA code? ([EMAIL PROTECTED])
  Re: What Is the Quality of Randomness? (Tim Tyler)
  Re: Avoiding RSA padding altogether? (Paul Crowley)
  Re: The GQ signature scheme ("Roger Schlafly")
  Re: Are low exponents a problem with RSA? ("Tom St Denis")
  Re: where to get RSA/DSA code? ("Tom St Denis")
  Re: Comparison of Diff. Cryptanalysis countermeasures ("Tom St Denis")
  Re: where to get RSA/DSA code? ("Tom St Denis")
  Re: good x86 coders (help please) (Vincent Quesnoit)
  Re: good x86 coders (help please) ("Tom St Denis")
  MISTY objection ("Tom St Denis")
  new cipher ("dexMilano")
  Re: new cipher ("dexMilano")
  Re: new cipher ("Jakob Jonsson")
  Re: What Is the Quality of Randomness? (Mok-Kong Shen)
  Re: Comparison of Diff. Cryptanalysis countermeasures (Mok-Kong Shen)

----------------------------------------------------------------------------

From: JustSoft <[EMAIL PROTECTED]>
Subject: Re: Encryption/Hash Permissions
Date: Tue, 15 May 2001 17:50:53 +1000
Reply-To: [EMAIL PROTECTED]

Hi Mark, Roger

We have a number of algorithms covering different encryption 
and hash routines. Is there some definitive source like an 
association or organisation that we could peruse to determine 
the legitimate use of these algorithms in a commercial application?

Our intention is to not use an algorithm where it has an active 
patent in force or a copyright notice excluding the use in commercial 
applications.

Attempting to determine the right to use or restricted use is problematic, 
therefore any assistance in this area is appreciated.

Oh, I'm wondering if it helps to view the source to these routines, as these 
source files were downloaded from the internet.


From Darryl Impey - JustSoft P/L, Australia
JustData Enterprise V2.2 Data Tools
Download trial from http://www.justsoft.com.au/
Import, export & create db data, SQL Server, Oracle, ADO, ADT, SQL, XML, CSV, TXT and 
much more
mailto:mail [ at ] justsoft dot com dot au

------------------------------

From: "Hilda" <[EMAIL PROTECTED]>
Subject: where to get RSA/DSA code?
Date: Tue, 15 May 2001 20:05:34 +1200

hi, thanks for the replies

is there any way i can get free source codes for RSA/DSA?
there are so many algorithms to use... but i'm a new user to cryptography.
...
is RSA/DSA/others in that reply mails the best for beginners?
our system doesn't need to be v secure, just fairly secure is enough ..
anyway, the most important thing is, where to get the codes? (e.g. on web)



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Tue, 15 May 2001 09:51:21 +0200



Tom St Denis wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> > Simon Johnson wrote:
> > >
> > [snip]
> > > 2. Boxes should be large (16x16 is a good size), so that the chance of a
> box
> > > with bad properties is low.
> > [snip]
> >
> > I suppose I am not alone in considering the storage for
> > a 16*16 box to be excessive. Perhaps you want further
> > to have quite a number of these boxes, don't you?
> 
> Algebraic sboxes.

O.k., but these are not arbitrary 'random' boxes.

M. K. Shen

------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Security proof for Steak
Date: Tue, 15 May 2001 10:24:33 +0200

"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Henrick Hellström wrote:
> > 2. The transposition of the columns of the bit matrix was the "black
> > box" output of an experimental comparison of different permutations.
> > Its map representation is
[correction]
<0 8 9 16 1 24 25 17 10 18 26 11 2 19 27 3 28 4 20 29 21 5 12 13 22 30 6 7
14 15 23 31>.
[end of correction]
> > The transposition of the
> > rows was a rotate right by one. (A clarification: The row
> > transposition, i.e. the ror by one of the table values, was applied
> > prior to the column permutation.)
>
> Step 1 seems ok, but I don't like step 2 -- it looks to me that there's
> more muddle than math going on here.  You say you got the permutation of
> columns through experiment... couldn't you do anything better than that?
> Some simple looking formula which would give just as good results?  I
> bet that if you did a multiplication by 0xdeadbeef in GF(2^32) would be
> just as good (or some other constant, it doesn't matter much).  The
> result would be no weaker than transposition, assuming the right multiplier
> and field were used.

Well, I simply wanted a large constant that couldn't be reduced to a simple
formula, just to minimize the probability that someone somehow managed to
reduce the entire cipher to a solvable equation-system. The way I see it,
simple formulae with small constants are more likely to introduce backdoors
than complex formulae with large irreducible constants. But I can't really
prove that the transposition I chose is optimal, and I recognize the trust
issue, so I will probably take your advice (and Tom's - he proposed the same
thing earlier in the thread).


--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com


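The corrected column map quoted above can be checked mechanically. The following is an added example (my code, not Henrick's Steak implementation): it verifies that the 32-entry map is a bijection, applies it to a 32-bit word, inverts it, and composes it with the rotate-right-by-one that the post says is applied first. It assumes that entry i of the map names the input bit that lands in output bit i; the post does not say in which direction the map is read, so that orientation must be checked against the cipher's own reference code before relying on it.

```python
# Added example, not code from the original post or from Steak.
# The 32-entry list is the corrected column transposition quoted in the post.
# ASSUMPTION: entry i names the input bit that lands in output bit i.

COLUMN_MAP = [0, 8, 9, 16, 1, 24, 25, 17, 10, 18, 26, 11, 2, 19, 27, 3,
              28, 4, 20, 29, 21, 5, 12, 13, 22, 30, 6, 7, 14, 15, 23, 31]


def is_permutation(table):
    """True if table is a bijection on range(len(table)); a map with a repeat would lose bits."""
    return sorted(table) == list(range(len(table)))


def invert_map(table):
    inv = [0] * len(table)
    for dst, src in enumerate(table):
        inv[src] = dst
    return inv


INVERSE_MAP = invert_map(COLUMN_MAP)


def permute_columns(x, table=COLUMN_MAP):
    """Move input bit table[dst] of the 32-bit word x to output bit dst."""
    y = 0
    for dst, src in enumerate(table):
        y |= ((x >> src) & 1) << dst
    return y


def unpermute_columns(y):
    return permute_columns(y, INVERSE_MAP)


def ror32(x, r=1):
    r %= 32
    return ((x >> r) | (x << (32 - r))) & 0xFFFFFFFF


def rol32(x, r=1):
    return ror32(x, 32 - r)


def forward(x):
    """Row step (rotate right by one) and then the column permutation, in the order the post gives."""
    return permute_columns(ror32(x))


def inverse(y):
    return rol32(unpermute_columns(y))


def fixed_points(table):
    """Bit positions the column map leaves where they are."""
    return [i for i, s in enumerate(table) if i == s]


if __name__ == "__main__":
    assert is_permutation(COLUMN_MAP)
    print("fixed points:", fixed_points(COLUMN_MAP))
    print("forward(0xDEADBEEF) = 0x%08X" % forward(0xDEADBEEF))
    print("round trip ok:", inverse(forward(0xDEADBEEF)) == 0xDEADBEEF)
```

Both steps are linear over GF(2), so the composed map is a fixed bit permutation of each word; the check that it is a bijection is the minimum one would want before trusting a hand-chosen constant like this.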

------------------------------

Date: Tue, 15 May 2001 10:47:01 +0200
From: Pascal Junod <[EMAIL PROTECTED]>
Subject: Re: where to get RSA/DSA code?

On Tue, 15 May 2001, Hilda wrote:

> anyway, the most important thing is, where to get the codes? (e.g. on web)

Just have a look at http://www.openssl.org. It's the homepage of an open
source crypto toolkit project which is fairly good. But it could be
difficult to use it (in a secure way...) without a basic crypto
knowledge ! It's written in C.

If you prefer C++, the Wei Dai Crypto++ library is nice, too... (I don't
remember the URL, but a simple web search should be sufficient to find
it!)

A+

Pascal

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Pascal Junod, [EMAIL PROTECTED]                                 *
* Security and Cryptography Laboratory (LASEC)                       *
* INF 240, EPFL, CH-1015 Lausanne, Switzerland  ++41 (0)21 693 76 17 *
* Place de la Gare 12, CH-1020 Renens           ++41 (0)79 617 28 57 *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: where to get RSA/DSA code?
Date: 15 May 2001 02:23:39 -0700

>> anyway, the most important thing is, where to get the codes? (e.g. on web)
> Just have a look at http://www.openssl.org. It's the homepage of an open
> source crypto toolkit project which is fairly good. But it could be
> difficult to use it (in a secure way...) without a basic crypto
> knowledge ! It's written in C.

Could you briefly quantify the term, "a basic crypto knowledge" in
this context?  For instance, what would be some required concepts?  (I
don't mean just to successfully make the calls; I mean to be
reasonably confident that I'm not doing something to compromise
security.)

Thanks,
joelh

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 15 May 2001 09:53:23 GMT

Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Benjamin Goldberg <[EMAIL PROTECTED]> wrote:

:> : There is no such thing as a random sequence, only a random source.
:>
:> Well, "random sequence" is a meaningful term - provided one uses the notion
:> of randomness that derives from Chaitin and Kolmogorov, rather than from
:> Shannon.

: I disagree.  Chaitin's usage of the term random encompasses at least three
: otherwise distinct meanings.  There is less there than meets the eye.

I've not heard that before:

According to the Chaitin/Kolmogorov ideas, randomness would be defined
with respect to a formal descriptive language.  Random strings would be
those that are incompressible with respect to that language, and more
ordered strings would be compressible.

That's the idea I was referring to, anyway - such strings are sometimes
called "algorithmically random".

http://www.cs.unm.edu/~sto/files/chaitin.html puts it like this:

``the idea that I came up with - and Kolmogorov came up with at the same
  time independently - is the idea that something is random if it can't
  be compressed into a shorter description, if essentially you just have
  to write it out as it is.''
-- 
__________  http://rockz.co.uk/  http://alife.co.uk/   http://hex.org.uk/
 |im |yler  http://atoms.org.uk/ http://mandala.co.uk/ [EMAIL PROTECTED]

------------------------------

Subject: Re: Avoiding RSA padding altogether?
From: Paul Crowley <[EMAIL PROTECTED]>
Date: Tue, 15 May 2001 10:04:10 GMT

"Jakob Jonsson" <[EMAIL PROTECTED]> writes:
> Indeed, Victor Shoup suggests this method ("simple RSA") in his proposal for
> an ISO standard for PKE; see Section 8 in the very first paper at
> http://shoup.net/papers/. The construction is provably secure.

Yay!  I'm very unsure of my intuitions about PK constructions, so I'm
glad to hear this confirmed.  

> Remove the nonce, and you have Full Domain Hashing (FDH) introduced by
> Bellare and Rogaway in 1993 ("Random oracles are practical...",
> http://www-cse.ucsd.edu/users/mihir/). Coron has given an improved security
> proof, which was presented at CRYPTO last year; the proof is very short.

Found it:

http://www.eleves.ens.fr:8080/home/coron/fdh.ps

> Unfortunately, the security proof for FDH is weaker than the security proof
> for PSS. With a random nonce of length say 160 bits, I think the security
> proof will be improved (without having checked all details, I guess that the
> proof will be just as strong as the PSS proof). Yet, the nonce must be
> transmitted together with the message and the signature, which means some
> overhead (silly, yes, but standards organizations tend to consider this a
> drawback).

So this might be original too?  Excellent!  From re-reading the PSS
paper, it seems as though getting roughly the same security bound for
NFDH (nonce-FDH) as for PSS should be straightforward, and the proof
should be much simpler, but I'll admit to finding the PSS proof quite
hard work - these exact security proofs always seem strangely
backwards, and you have to turn your head back-to-front to follow them
:-)

> The conclusion is that your suggestions are most appropriate -- the
> encryption scheme might even be subject to standardization (Shoup is the
> editor of the ISO standard).

Thanks for these kind words!  Does anyone happen to know if NFDH has
been written up with an exact security proof anywhere?  If not, would
it be worth me doing it?
-- 
  __  Paul Crowley
\/ o\ [EMAIL PROTECTED]
/\__/ http://www.cluefactory.org.uk/paul/
"Conservation of angular momentum makes the world go around" - John Clark

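As an added illustration of the FDH and nonce-FDH ("NFDH") signatures discussed above (example code, not Shoup's, Coron's, Bellare-Rogaway's or the ISO draft's): the RSA key is a toy built from two Mersenne primes so that no key generation is needed, the full-domain hash is a counter-based SHA-256 expansion to bitlen(n)-1 bits (an assumption of this example, not any standard's encoding), and the nonce length is the 160 bits Jakob mentions.

```python
import hashlib
import os

# Added example, not code from the thread or from any standard.
# Toy RSA key from two known Mersenne primes (about a 216-bit modulus): trivially
# factorable, used only so the example runs without key generation.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, phi) == 1 for these primes

NONCE_LEN = 20   # 160-bit nonce, the length mentioned in the thread


def full_domain_hash(data, n):
    """Hash data to an integer of bitlen(n)-1 bits, so it ranges over (almost) all of Z_n.
    Counter-based SHA-256 expansion; an assumption of this example, not a standard's MGF."""
    bits = n.bit_length() - 1
    need = (bits + 7) // 8
    out = b""
    counter = 0
    while len(out) < need:
        out += hashlib.sha256(data + counter.to_bytes(4, "big")).digest()
        counter += 1
    h = int.from_bytes(out[:need], "big")
    return h >> (need * 8 - bits)   # drop excess bits so h < 2**bits <= n


def fdh_sign(msg):
    """FDH: deterministic, nothing but the signature is transmitted."""
    return pow(full_domain_hash(msg, N), D, N)


def fdh_verify(msg, sig):
    return 0 <= sig < N and pow(sig, E, N) == full_domain_hash(msg, N)


def nfdh_sign(msg, nonce=None):
    """Nonce-FDH: hash nonce||msg; the nonce must travel with the signature (the overhead the thread notes)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    return nonce, pow(full_domain_hash(nonce + msg, N), D, N)


def nfdh_verify(msg, nonce, sig):
    return (len(nonce) == NONCE_LEN and 0 <= sig < N
            and pow(sig, E, N) == full_domain_hash(nonce + msg, N))


if __name__ == "__main__":
    m = b"sci.crypt"
    s = fdh_sign(m)
    print("FDH verifies:", fdh_verify(m, s), "bytes on the wire:", (N.bit_length() + 7) // 8)
    nonce, s2 = nfdh_sign(m)
    print("NFDH verifies:", nfdh_verify(m, nonce, s2),
          "bytes on the wire:", NONCE_LEN + (N.bit_length() + 7) // 8)
```

Removing the nonce turns the NFDH verifier into the FDH verifier, which is exactly the relation Jakob describes; what NFDH buys in the proof is paid for with NONCE_LEN extra bytes per signature, and a verifier must reject a nonce of the wrong length rather than hash whatever it is given.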
------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: The GQ signature scheme
Date: Tue, 15 May 2001 09:05:33 GMT

There are dozens of interesting signature schemes. P1363 made no
attempt to do them all. Do you think that there is enough commercial
interest in GQ that it needs standardizing?

"Guy-Armand kamendje" <[EMAIL PROTECTED]> wrote in message
news:9dqjjj$9ge$[EMAIL PROTECTED]...
> Is there a reason why the Guillou-Quisquater signature scheme was never
> mentioned in the IEEE p1363x (unless I have overlooked it)?
> I mean:
> 0)  relevant security flaws
> 1) patents issues
> 2) the algorithm was never submitted to the IEEE p1363 board....
> thanks Guy-A




------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Are low exponents a problem with RSA?
Date: Tue, 15 May 2001 10:08:54 GMT


"Roger Schlafly" <[EMAIL PROTECTED]> wrote in message
news:lT1M6.939$[EMAIL PROTECTED]...
> "David Wagner" <[EMAIL PROTECTED]> wrote in message
> news:9dfj1o$fn8$[EMAIL PROTECTED]...
> > Matthew Kwan wrote:
> > >Given the encryption function  C = (P^e) mod n where (e,n) is
> > >the public key, is there any security weakness in choosing a small
> > >value of e?
> > If P is your message, without padding, there are issues.  Use OAEP,
> > and they go away.
> > (There is also theoretical work which might be viewed as evidence that
> > RSA could be less secure with e=3 than with general e, but personally
> > I'm happy to stick with e=3 for the moment.)
>
> Shoup has a new paper that argues that OAEP is not as secure as is
> widely thought, but that RSA-OAEP with e=3 is ok. It raises the
> possibility that RSA-OAEP with large exponent might be *less* secure
> than e=3. See:
> http://shoup.net/papers/oaep.pdf

I am wondering whether all these talks are a good sign that RSA is not as
"ideal" as once thought.

Tom


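Wagner's remark that an unpadded message with small e "has issues" can be made concrete. The following is an added example (not code from the thread): it generates a small RSA key with e=3 from a seeded PRNG (seeded only so the run is reproducible; never do that for real keys), encrypts a short message as a bare integer, and recovers it from the ciphertext alone by integer cube root, because m^3 never wrapped modulo n. It then encodes the same message into a full-size integer with random low bits, a stand-in for the full-length encoding that OAEP provides rather than OAEP itself, and shows that the cube root no longer applies.

```python
import random

# Added example, not code from the original thread.


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with rng-chosen witnesses (enough for a demonstration key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, e, rng):
    """Random prime with (p-1) not divisible by the prime exponent e, so e is invertible mod phi."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e != 0 and is_probable_prime(p, rng):
            return p


def keygen(bits=256, e=3, seed=2001):
    rng = random.Random(seed)   # deterministic for the example only
    p = gen_prime(bits, e, rng)
    q = gen_prime(bits, e, rng)
    while q == p:
        q = gen_prime(bits, e, rng)
    n = p * q
    return n, e, pow(e, -1, (p - 1) * (q - 1))


def icbrt(x):
    """Exact floor of the integer cube root (binary search, no floating point)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def encrypt(m, e, n):
    return pow(m, e, n)


def cube_root_recover(c):
    """With e=3 and m**3 < n the ciphertext is literally m**3, so no key is needed to read it."""
    m = icbrt(c)
    return m if m ** 3 == c else None


def demo():
    n, e, d = keygen()
    m = int.from_bytes(b"hi", "big")             # short message as a small integer
    c_plain = encrypt(m, e, n)
    # Full-size encoding: message in the top bits, random bits below (stand-in for OAEP, not OAEP).
    k = n.bit_length() - m.bit_length() - 2       # keeps the padded value below n
    m_padded = (m << k) | random.Random(7).getrandbits(k)
    c_padded = encrypt(m_padded, e, n)
    return {
        "wraps": m ** 3 >= n,
        "recovered": cube_root_recover(c_plain),
        "decrypts": pow(c_plain, d, n) == m,
        "padded_wraps": m_padded ** 3 >= n,
        "padded_recovered": cube_root_recover(c_padded),
        "padded_decrypts": pow(c_padded, d, n) == m_padded,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The check a reviewer wants is the "wraps" condition: for any fixed small e, an encoding whose integer value is not guaranteed to exceed n^(1/e) is not a ciphertext at all. Random full-length padding only restores that guarantee; the additional properties that make OAEP provably secure are a separate matter and the subject of the Shoup paper cited above.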

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: where to get RSA/DSA code?
Date: Tue, 15 May 2001 10:09:40 GMT


"Hilda" <[EMAIL PROTECTED]> wrote in message
news:3h5M6.183$[EMAIL PROTECTED]...
> hi, thanks for the replies
>
> is there any way i can get free source codes for RSA/DSA?
> there are so many algorithms to use... but i'm a new user to cryptography.
> ...
> is RSA/DSA/others in that reply mails the best for beginners?
> our system doesn't need to be v secure, just fairly secure is enough ..
> anyway, the most important thing is, where to get the codes? (e.g. on web)

If you're going to write a program others are going to trust then I suggest
READ SOME TEXTS first.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Tue, 15 May 2001 10:10:36 GMT


"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
> > "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> > > Simon Johnson wrote:
> > > >
> > > [snip]
> > > > 2. Boxes should be large (16x16 is a good size), so that the chance
of a
> > box
> > > > with bad properties is low.
> > > [snip]
> > >
> > > I suppose I am not alone in considering the storage for
> > > a 16*16 box to be excessive. Perhaps you want further
> > > to have quite a number of these boxes, don't you?
> >
> > Algebraic sboxes.
>
> O.k., but these are not arbitrary 'random' boxes.

I would argue that they are a random subset of all sboxes.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: where to get RSA/DSA code?
Date: Tue, 15 May 2001 10:11:43 GMT


<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> >> anyway, the most important thing is, where to get the codes? (e.g. on
web)
> > Just have a look at http://www.openssl.org. It's the homepage of an open
> > source crypto toolkit project which is fairly good. But it could be
> > difficult to use it (in a secure way...) without a basic crypto
> > knowledge ! It's written in C.
>
> Could you briefly quantify the term, "a basic crypto knowledge" in
> this context?  For instance, what would be some required concepts?  (I
> don't mean just to successfully make the calls; I mean to be
> reasonably confident that I'm not doing something to compromise
> security.)

Well you should know some basic number theory first.  Not only that but you
should know about the terminology used.  Not only that but you should also
have read a few texts on the subject first such as AC2 or HAC.

Tom



------------------------------

From: Vincent Quesnoit 
Subject: Re: good x86 coders (help please)
Date: Tue, 15 May 2001 11:48:39 +0200
Reply-To: [EMAIL PROTECTED]

I guess you also would have to consider using MMX code on the pentium, which
would perform two "ands", "xors", or "ors" at a time.
Unfortunately I don't currently have an assembler that supports the MMX
instructions.
The same is probably true on the Athlon.

Vincent



Tom St Denis wrote:

> "Paul Rubin" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "Tom St Denis" <[EMAIL PROTECTED]> writes:
> > > The problem is that if I optimize the code specially for the Athlon
> (which
> > > is what I am running) I lose out on all other platforms etc..
> >
> > Yes, if you're really going all out, your code has to figure out which
> > specific processor it's running on (that in itself is not always simple)
> > and choose a code sequence tweaked for that processor.
>
> Yup my current x86 assembler code runs at 300 cycles per block.  I shaved 65
> cycles off of what GCC makes
>
> Tom


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: good x86 coders (help please)
Date: Tue, 15 May 2001 10:37:34 GMT


"Vincent Quesnoit"
<[EMAIL PROTECTED]> wrote in
message
news:[EMAIL PROTECTED]...
> I guess you also would have to consider using MMX code on the pentium,
which
> would perform two "ands", "xors", or "ors" at a time.
> Unfortunately I don't currently have an assembler that supports the MMX
> instructions.
> The same is probably true on the Athlon.

Use NASM if you like.  It's free and very capable :-o

Well, I could try using MMX; the problem lies in the rotates I must perform.
A rotate in MMX requires 3 ops (shift+shift+or) and for most MMX ops you get
a latency of 1 and a throughput of 1/2.  So it would take up to 6 cycles to
perform a rotate vs 1 or 2 in the normal ALU.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: MISTY objection
Date: Tue, 15 May 2001 10:41:40 GMT

Turning my attack fangs to MISTY (nessie submission)

There is a function for applying key material called FL which splits the
16-bit input into two halves and does

R = R xor (Key_R or L)
L = L xor (Key_L and R)

I was thinking wouldn't low hamming weight L/R be devastating throughout
this?

Also looking at FI (32-bit sbox essentially) which uses cubing in 7 and 9
degree fields (over GF(2^7) and GF(2^9) etc...) wouldn't that feistel be
rather weak?  In one round one must extend and in the other chop off bits.
I could see a class of truncated differentials that are of the form
[Anything in the upper two bits] => [Anything in the upper two bits].  It
doesn't matter what the differences are as long as they remain in the upper
bits.

I should calc that truncated diff and get back to y'all
--
Tom St Denis
---
http://tomstdenis.home.dhs.org


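The two lines above are Tom's paraphrase of FL. The following added example implements exactly that paraphrase (not MISTY's specification, which is the place to check the real FL) and runs the kind of check a reviewer does on a key-mixing layer before arguing about it: it confirms the function is invertible, then counts, for a fixed input, how many of the 32 key bits actually influence the output, and profiles that count against the input's Hamming weight. The key constants and seeds are constructed for the example.

```python
import random

# Added example: FL as paraphrased in the post, not the MISTY specification.
MASK16 = 0xFFFF


def fl(l, r, key_l, key_r):
    """R is updated first; L is then mixed with the updated R."""
    r ^= (key_r | l) & MASK16
    l ^= (key_l & r) & MASK16
    return l, r


def fl_inverse(l, r, key_l, key_r):
    """Undo fl: the L update only used the new R, so it can be reversed first."""
    l ^= (key_l & r) & MASK16
    r ^= (key_r | l) & MASK16
    return l, r


def popcount(x):
    return bin(x).count("1")


def key_sensitivity(l, r, key_l, key_r):
    """Number of the 32 key bits whose flip changes the output for this one input."""
    base = fl(l, r, key_l, key_r)
    count = 0
    for i in range(16):
        if fl(l, r, key_l ^ (1 << i), key_r) != base:
            count += 1
        if fl(l, r, key_l, key_r ^ (1 << i)) != base:
            count += 1
    return count


def sensitivity_by_input_weight(key_l, key_r, samples=200, seed=1):
    """Average key sensitivity of random inputs, grouped by Hamming weight of (l, r)."""
    rng = random.Random(seed)
    totals = {}
    for _ in range(samples):
        l, r = rng.getrandbits(16), rng.getrandbits(16)
        w = popcount(l) + popcount(r)
        tot, cnt = totals.get(w, (0, 0))
        totals[w] = (tot + key_sensitivity(l, r, key_l, key_r), cnt + 1)
    return {w: tot / cnt for w, (tot, cnt) in sorted(totals.items())}


if __name__ == "__main__":
    KL, KR = 0x1234, 0x0F0F      # constructed key halves
    print("all-zero input   :", key_sensitivity(0, 0, KL, KR), "of 32 key bits matter")
    print("L all-ones input :", key_sensitivity(MASK16, 0, KL, KR), "of 32 key bits matter")
    for w, s in sensitivity_by_input_weight(KL, KR).items():
        print("weight %2d: %.1f" % (w, s))
```

With L = 0 the OR passes Key_R straight into R, so every Key_R bit is visible in the output; with L all ones the OR saturates and Key_R drops out entirely. The profile shows the dependence on input weight numerically rather than by intuition, which is the data one would want before calling the layer weak or strong.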

------------------------------

From: "dexMilano" <[EMAIL PROTECTED]>
Subject: new cipher
Date: Tue, 15 May 2001 12:49:53 +0200

from NTT

http://www.securitywatch.com/newsforward/default.asp?AID=7188



------------------------------

From: "dexMilano" <[EMAIL PROTECTED]>
Subject: Re: new cipher
Date: Tue, 15 May 2001 13:09:52 +0200

I can't find any source/document related to this news.

Any suggestion?

dex

"dexMilano" <[EMAIL PROTECTED]> wrote in message
news:9dr1kj$jr6qf$[EMAIL PROTECTED]...
> from NTT
>
> http://www.securitywatch.com/newsforward/default.asp?AID=7188
>
>



------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: new cipher
Date: Tue, 15 May 2001 13:28:20 +0200

"dexMilano" <[EMAIL PROTECTED]> wrote in message
news:9dr2q1$junp9$[EMAIL PROTECTED]...
> I can't find any source/document related to this news.
>
> Any suggestion?
>
> dex

Camellia, EPOC, PSEC, and ESIGN are all submissions to NESSIE, so you can
find documentation at

https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions.html

The algorithms have been publicly available for at least eight months, so
the announcement does not make sense to me (clearly, they don't mean that
the algorithms are to be released into the public domain).

Jakob



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Tue, 15 May 2001 13:45:49 +0200



Tim Tyler wrote:
> 

> According to the Chaitin/Kolmogorov ideas, randomness would be defined
> with respect to a formal descriptive language.  Random strings would be
> those that are incompressible with respect to that language, and more
> ordered strings would be compressible.

Doesn't the 'a' in 'a formal ...' imply the existence
of others? I mean couldn't different such descriptive
languages lead to quite different evaluations (relative 
values of 'qualities') of the same set of strings that 
are given? Thanks.

M. K. Shen

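Tim's definition (random means incompressible with respect to a descriptive language) and Mok-Kong's question (does the choice of language change the verdict) can both be tried on real data. The following added example (not from either post) uses three off-the-shelf compressors as three "languages", scores constructed inputs by compressed-size ratio, and shows where the analogy breaks: seeded PRNG output has a very short description (the generator plus its seed), yet every compressor scores it as incompressible.

```python
import bz2
import lzma
import random
import zlib

# Added example; the inputs below are constructed, not data from the thread.
COMPRESSORS = {
    "zlib": lambda b: zlib.compress(b, 9),
    "bz2": lambda b: bz2.compress(b, 9),
    "lzma": lambda b: lzma.compress(b),
}


def compressibility(data, name="zlib"):
    """Compressed size over original size; near or above 1 means 'incompressible for this language'."""
    return len(COMPRESSORS[name](data)) / len(data)


def sample_strings(n=4096, seed=42):
    """Constant, periodic, text-like, and PRNG-generated inputs of n bytes each (PRNG seeded)."""
    rng = random.Random(seed)
    words = [b"the", b"cipher", b"random", b"string", b"key", b"entropy"]
    text = b" ".join(rng.choice(words) for _ in range(n // 3))[:n]
    return {
        "zeros": bytes(n),
        "periodic": (b"abc" * (n // 3 + 1))[:n],
        "text": text,
        "prng": bytes(rng.getrandbits(8) for _ in range(n)),
    }


def rank_by(name, strings):
    """Inputs ordered from most to least compressible under one compressor."""
    return sorted(strings, key=lambda k: compressibility(strings[k], name))


def report(n=4096):
    strings = sample_strings(n)
    return {name: {k: round(compressibility(v, name), 3) for k, v in strings.items()}
            for name in COMPRESSORS}


if __name__ == "__main__":
    for name, scores in report().items():
        print(name, scores, "order:", rank_by(name, sample_strings()))
```

The ratios differ from compressor to compressor, which is Mok-Kong's point: a practical compressor is a particular description language, and the score is relative to it. Two caveats matter for anyone tempted to use this as a randomness test: a compressor can only give an upper bound on the true description length (the PRNG row shows how far off that bound can be), and a seeded PRNG stream that every compressor rates as random is exactly what one must not confuse with a random source.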
------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Tue, 15 May 2001 13:54:50 +0200



Tom St Denis wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:

> > > > I suppose I am not alone in considering the storage for
> > > > a 16*16 box to be excessive. Perhaps you want further
> > > > to have quite a number of these boxes, don't you?
> > >
> > > Algebraic sboxes.
> >
> > O.k., but these are not arbitrary 'random' boxes.
> 
> I would argue that they are a random subset of all sboxes.

But, given a chosen algebraic structure, the set of
n-n S-boxes realizable, when compared to all possible
n-n S-boxes, will be increasingly small as n increases,
isn't it? Thus one sacrifices much from the original
idea of 'random' S-boxes. Further, for larger n the 
computing time (when one drops look-up table) could,
depending on the math, be essential, I suppose.

M. K. Shen

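The thread weighs three things: the storage of large random S-boxes, the chance that a random box has bad differential properties, and whether an algebraic box computed on the fly is an acceptable substitute. The following added example (not code from the thread) puts numbers on that for one algebraic family: inversion in GF(2^n), computed without any table, is scored by its differential uniformity (largest DDT entry) next to a seeded random permutation stored as a table. The reduction polynomials x^4+x+1 and x^8+x^4+x^3+x+1, and the seeds, are assumptions of the example.

```python
import random

# Added example; polynomials and seeds are constructed choices, not from the thread.
POLY4 = 0b10011        # x^4 + x + 1
POLY8 = 0b100011011    # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n); poly carries the x^n term so reduction is a single XOR."""
    res = 0
    for _ in range(n):
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return res


def gf_inverse(x, n, poly):
    """x^(2^n - 2) by square-and-multiply, with 0 -> 0. No table needed: the whole S-box is this code."""
    result, base, exp = 1, x, (1 << n) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, base, n, poly)
        base = gf_mul(base, base, n, poly)
        exp >>= 1
    return result if x else 0


def inversion_sbox(n, poly):
    return lambda x: gf_inverse(x, n, poly)


def random_permutation_sbox(n, seed):
    """A random n-bit bijection as a stored table, the 'random S-box' the thread talks about."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table.__getitem__


def differential_uniformity(sbox, n):
    """Largest DDT entry over nonzero input differences; lower is better against differential cryptanalysis."""
    size = 1 << n
    vals = [sbox(x) for x in range(size)]      # evaluated once for the analysis only
    worst = 0
    for din in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[vals[x] ^ vals[x ^ din]] += 1
        worst = max(worst, max(counts))
    return worst


if __name__ == "__main__":
    for n, poly in ((4, POLY4), (8, POLY8)):
        print("n=%d inversion: %d" % (n, differential_uniformity(inversion_sbox(n, poly), n)))
        for seed in (1, 2, 3):
            print("n=%d random perm (seed %d): %d"
                  % (n, seed, differential_uniformity(random_permutation_sbox(n, seed), n)))
```

Field inversion gives a differential uniformity of 4 for both sizes while random permutations typically score worse, which illustrates both sides of the exchange: the algebraic box is a tiny, highly non-random subset, and that is precisely why its worst-case property is known in advance rather than left to chance. The price is the arithmetic Mok-Kong mentions; for an 8-bit box the table is only 256 bytes, and the trade-off only becomes interesting at the 16-bit size that started the thread.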
------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
